Studio 5000 Logix Designer® is introducing a new way to control access to selected routines and add-on instructions using software licensing technology. Additionally, FactoryTalk® Security can now be used by machine builders and end users to enforce policies for accessing controllers and content. Come and learn about these new capabilities.
Use Case: Some control over who accesses content, but chief concern is simplicity
Solution: Password Based – Source Protection
Requires: Only Logix Designer
Ideal: Customers with few users
Use Case: I want flexible, manageable policies for who can access my content
Solution: FactoryTalk Security
Requires: Central Server. Similar to Windows Domain functionality. Can also restrict users not part of FactoryTalk Security.
Ideal:
OEMs with many users with different permissions
Mid to Large end customers with many users with different permissions
Provides a centralized authority that verifies the identity of each user and grants or denies users' requests to perform a particular set of actions on resources within the system.
Normally when securing a controller’s project file, a Logical Name is created in the FactoryTalk Directory with the same name as the controller. This means that every time a new controller is secured, a new object is created in the FactoryTalk Directory, and the security admin must do something with this logical name to ensure it has the correct security policies applied – put it in a particular Application or Area, or set its permissions directly.
This works OK in end user situations, but not well for machine builders.
Now, the security administrator will create permission sets for large categories of controllers – based on product line, protection level, etc. – and when the product developer secures a project file, they simply select the appropriate permission set to use. The directory does not get modified whether 1 or 1,000 controllers are secured with this permission set.
Before V28, when a controller was secured, when policies were established for routines, AOIs or tags, the same policies were used for all routines, AOIs or tags in the entire project.
In V28, permission sets can be applied to individual Routines, AOIs and Tags, meaning that different Routines, AOIs and Tags can have different policies.
Additionally, new actions were added to allow control over the viewing of Routines or AOIs.
For example, technicians can edit Routine1 and view Routine2, but have no access to Routine3.
For Tags, these permissions only control access within Logix Designer, not access from something like an HMI. This should be used in conjunction with External Access and Constant attributes.
Often, a machine builder wants to control access to a project file, but still give their end customer some level of access.
With Guest Users, this is possible. The machine builder will give the desired level of access to the pre-defined group called Guest Users. Then, any user who is not logged into the machine builder’s FactoryTalk Directory will get the access given to Guest Users.
To use this function, the “Require Matching Security Authority ID for Authentication and Authorization” checkbox must be selected when securing the project file.
If the End User in the previous scenario wants to further limit access to the project file, they can specify a Secondary Security Authority.
So, if the Machine Builder specified that Guest Users are permitted to go online, but the end user wants to restrict this to only a particular set of users, they’ll use a Secondary Security Authority.
The Secondary Security Authority can only allow or deny things permitted to Guest Users – it cannot allow actions that have been denied to Guest Users.
The FactoryTalk Directory used as the Secondary Security Authority must have the Permission Sets and/or logical name used in the project file.
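The precedence rule above, as an added example (not Rockwell code): the end user's Secondary Security Authority can narrow what the machine builder granted to Guest Users, but never widen it. Action names, group names and user names are constructed for this illustration, not the product's actual identifiers.

```python
from typing import Dict, Set

# Constructed sample: what the machine builder's FactoryTalk Directory grants
# to the pre-defined Guest Users group (action names are assumed).
GUEST_USERS_GRANTS: Dict[str, bool] = {
    "GoOnline": True,
    "ViewRoutine": True,
    "EditRoutine": False,
    "Download": False,
}

# Constructed sample: the end user's Secondary Security Authority, expressed as
# per-group grants plus group membership in the end user's own directory.
SECONDARY_GROUP_GRANTS: Dict[str, Set[str]] = {
    "Maintenance": {"GoOnline", "ViewRoutine"},
    "Engineering": {"GoOnline", "ViewRoutine", "EditRoutine"},  # EditRoutine can never take effect
    "Operators": set(),
}
SECONDARY_MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"Engineering"},
    "bob": {"Maintenance"},
    "carol": {"Operators"},
}


def secondary_allows(user: str, action: str) -> bool:
    """True if any group the user belongs to in the secondary authority grants the action."""
    return any(action in SECONDARY_GROUP_GRANTS.get(group, set())
               for group in SECONDARY_MEMBERSHIP.get(user, set()))


def effective_access(user: str, action: str) -> bool:
    """Effective decision: Guest Users must allow it AND the secondary authority must allow it."""
    return GUEST_USERS_GRANTS.get(action, False) and secondary_allows(user, action)


def ineffective_grants() -> Dict[str, Set[str]]:
    """Grants in the secondary policy that can never take effect because Guest Users
    were denied the action. Worth reviewing: they usually signal a misread of the rule."""
    result: Dict[str, Set[str]] = {}
    for group, actions in SECONDARY_GROUP_GRANTS.items():
        dead = {a for a in actions if not GUEST_USERS_GRANTS.get(a, False)}
        if dead:
            result[group] = dead
    return result
```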
A special account that can use temporary passwords is created ahead of time. Privileges are assigned to this account like any other account.
As part of defining the account, the admin specifies how long the temporary passwords work, and what groups of users are permitted to generate them.
A challenge-response process is used for getting a temporary password. This allows the password to be created with only phone communication between the requestor and grantor.
The requestor must be a member of the directory in order to request and validate the password.
Use Case: I want the most secure protection possible for my intellectual property. Concern over external and internal theft of IP.
Solution: Licensed Based Source Protection
Requires: Activated Secure Device and Subscription to License Portal
Ideal:
OEMs who have highly sensitive IP
End-Users in heavily regulated industries where theft or modification of content is a concern
Content Protection mechanisms can exist together like multiple different locks on a door – they are complementary:
FactoryTalk Security
Password Source Protection
License Source/Execution Protection
Logix Projects can have all three variations of protection BUT you should select the right level of protection to meet your needs (see next slide)
License and Password protection cannot both exist on the same routine or AOI.
License source protection needs the USB secure device and the license server, and execution protection needs an SD card in the controller.
Programmatic ability to enable/disable via Message to “SELF”
Configurable “Masking” of Scrolled Fields 4-Char LCD
Knowledge Base article KB869648
Embedded Web Page Disable/Enable
Knowledge Base article KB869649, KB869651
Embedded EtherNet port Disable/Enable
Knowledge Base article KB869650, KB869652
The 5580 and 5380 series of controllers have a new capability to provide user-configurable masking of certain lines that scroll across the 4-character LCD display on the front of the controller, providing another layer of security.
Normal Operation of the LCD Display is as follows when scrolling:
1.) Controller Name (Processor_Name)
2.) Link Status (i.e. Link 1 - Down)
3.) Port Status (Port A - 192.168.1.1)
This user-configurable masking of the display is done via a MSG to SELF.
This MSG to Self is a way for a controller to send a configuration message to itself, to customize the controller display and add that additional layer of security for your application.
-------------------------------------------------------------------------------------------------------------
Line_MASK Decimal value: (i.e. a Source Element in a Message to SELF)
When 0 is set (the default), all lines are shown
When 1 is set, the only thing shown is the IP Address (i.e. item 3 above)
When 2 is set, only Controller Name and Link Status are shown (1 & 2 above)
When 3 is set, the LCD is blanked (most likely because bits 0 and 1 are both set at the same time)
NOTE: When you cycle power the default operation is NOT restored.
A download or reset message (i.e. the default values above) is needed to restore the default operation.
Upon a memory dump, the MSG and settings that blanked the LCD are cleared and the LCD will work again.
The 5580 and 5380 series of controllers have a new capability to provide a user-configurable disable/enable for the embedded web page of the controller, providing another layer of security.
Default for the webpage is enabled so there is nothing that you have to do in order to view the page.
However, if you want to disable the web page, a simple MSG to Self with the details called out in the Knowledgebase document will do it; the same document also covers how to enable it again.
When disabled, the browser will display the standard “cannot find web page” message that the browser uses to alert that the page cannot be reached.
NOTE: When you cycle power the default operation is NOT restored.
A download or reset message (i.e. the default values above) is needed to restore the default operation.
Upon a memory dump, the MSG and settings are cleared and the embedded web page is enabled again.
The 5580 and 5380 series of controllers have a new capability to provide a user-configurable disable/enable for the EtherNet port of the controller, providing another layer of security.
Default for the EtherNet port is enabled so there is nothing that you have to do in order to utilize the port out of the box.
However, if you want to disable the EtherNet port, a simple MSG to Self with the details called out in the Knowledgebase document will do it; the same document also covers how to enable it again.
NOTE: When you cycle power the default operation is NOT restored.
A download or reset message (i.e. the default values above) is needed to restore the default operation.
Upon a memory dump, the MSG and settings are cleared and the EtherNet port will be enabled again.
All Language Editors support tracked groups
All the properties in the routine will be part of the signature except the description, metadata, tag values, and the radix.
The major components of each editor are as follows:
Ladder - Neutral Text
Function Block - Sheet Number and FBD Elements
Structured Text – Line Number and Neutral Text
SFC- Steps, Actions, Transitions, Branches, SBR/RET, Stops and Links
Changes to AOIs or UDTs associated as part of a tracked routine will be included as part of the signature.
Program and Task properties of a tracked routine are part of the signature
When an IO module is tracked configuration data becomes part of the signature
Communication modules will need to be tracked if communicating with tracked remote modules
Tags that are tracked need to be designated constant tags
The value of the constant tags will be monitored and any change in value will change the signature
Multiple tracked groups are deferred functionality
Logs are stored on the SD Card not the controller memory
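As an added illustration of the inclusion rules above (this is not Rockwell's actual signature algorithm, which the slides do not describe), the following Python models a tracked Structured Text routine: line numbers and neutral text, program and task properties, and constant tag values are signed; description, metadata and radix are not. Field names, the sample routine and the use of SHA-256 over canonical JSON are assumptions.

```python
import hashlib
import json
from typing import Any, Dict

# Constructed sample of a tracked Structured Text routine (field names assumed).
ROUTINE: Dict[str, Any] = {
    "name": "Routine1",
    "language": "ST",
    "description": "Pump sequencing",           # NOT signed
    "metadata": {"author": "ab", "rev": 3},     # NOT signed
    "lines": [                                  # line number + neutral text: signed
        "IF Start AND NOT Fault THEN",
        "    Pump := 1;",
        "END_IF;",
    ],
    "program": {"name": "MainProgram", "inhibited": False},  # signed
    "task": {"name": "MainTask", "period_ms": 10},           # signed
}

# Constructed constant tags referenced by the routine: value signed, radix not.
CONSTANT_TAGS: Dict[str, Dict[str, Any]] = {
    "MaxPressure": {"value": 250, "radix": "Decimal"},
}


def signature_input(routine: Dict[str, Any],
                    constant_tags: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Select exactly the components the slides list as part of the signature."""
    return {
        "language": routine["language"],
        "lines": [[n + 1, text] for n, text in enumerate(routine["lines"])],
        "program": routine["program"],
        "task": routine["task"],
        "constant_tags": {name: tag["value"] for name, tag in sorted(constant_tags.items())},
    }


def routine_signature(routine: Dict[str, Any],
                      constant_tags: Dict[str, Dict[str, Any]]) -> str:
    """Hash a canonical (sorted, whitespace-free) JSON encoding of the signed components."""
    canonical = json.dumps(signature_input(routine, constant_tags),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def has_changed(expected: str, routine: Dict[str, Any],
                constant_tags: Dict[str, Dict[str, Any]]) -> bool:
    """Change detection: True when the current signature differs from the recorded one."""
    return routine_signature(routine, constant_tags) != expected
```

Editing the description or metadata, or changing a tag's radix, leaves the signature unchanged; editing a line, a task property or a constant tag's value changes it.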