Restrict Access To Certain ControlLogix Controllers

mjp123gp (Member, joined Mar 2012, Savannah, GA, 94 posts)
We are trying to determine the best way to limit access to certain controllers when a vendor does a remote connection to our site. We currently have a terminal server set up that vendors use to do remote connections whenever they have to help troubleshoot remotely. This terminal server is also connected to our mill data collection network, which has a connection to every machine in the mill. We are trying to get a setup that will allow a vendor to do their remote connection but only have access to their machines. All controllers will be ControlLogix or CompactLogix.

An idea we had was to set up each user's account with an Ethernet driver in RSLinx with a list of the IP addresses they need to access, then limit that user account in the FactoryTalk Administration Console to prevent them from changing any comm setups. I know we could set up source protection or passwords on the programs, but we would like to keep it as simple as possible to prevent any connection issues for the E/I personnel on site. We have the option to let the IT dept handle the issue, but we would prefer not to get them involved.

What are some other options do we have? How secure would the RSLinx-limiting approach be? Any other ideas would be appreciated.

Thanks
 
If you're serious you probably need to start looking into a product like FactoryTalk AssetCentre. I'm just getting familiar with it myself, as it's in a new facility I am working in. You would probably need to get IT involved if you want to tie security into the credentials they use to log into the terminal server.

You're gonna pay $$$ for this solution, but it's probably the way to go.

I'm not sure how it handles someone uploading from a PLC.
 
You could potentially put a VPN endpoint on each machine, and then only have the VPNs from certain machines activated to the terminal server. That'd be an IT type solution, though, and probably cost even more than the software solution...
 
Get a software firewall that has a different configuration for each user, i.e., one will block all comms to 10.3.5.7 and 10.3.5.8 but allow anything else.

My next suggestion would be a hardware firewall with user recognition, although depending on your setup this might require you to talk to the guys in IT. And by talk to I mean pay them however many internal dollars you need to pay IT.
 
At one customer site they have a VPN set up which allows me access to all of their machines, and the individual machine manufacturers access only to the machines they supplied. It works well, but I have no idea how much it cost them to set up.

I totally understand not wanting to get IT involved - fortunately the IT guys at this site are pretty good - and are quite happy to keep clear of the PLC networks unless asked. Rare find, I know!
 
Just use the built-in Windows Firewall and you won't take a performance hit. Windows Firewall is all that's needed for this.

If you want granular actions on the PLC, like they can go online and edit but they can't change from Remote to Program, or set it so they can't force, etc., then use FactoryTalk Security.

But a Windows Firewall rule will allow access to only the IP addresses you specify for that user.
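The per-user Windows Firewall approach described in the reply above, written out as an added example; this is not code from the thread or from Rockwell. It runs on the vendor terminal server (Windows Server 2012 or later, elevated PowerShell) and uses the `-LocalUser` parameter of `New-NetFirewallRule`, which scopes an outbound rule to the user token of the process that opens the connection. The account names, group name, rule group name and controller IP addresses are made up for illustration; only TCP 44818 (EtherNet/IP explicit messaging, what RSLinx and Studio 5000 use) is opened.

```powershell
# Added example, not from the thread: per-user outbound Windows Firewall rules on the
# vendor terminal server so each vendor account can reach only its own controllers.
# Account names, group name and IP addresses are made up for illustration.
# Run in an elevated PowerShell on Windows Server 2012 or later (NetSecurity module).

# Vendor account -> controllers (ControlLogix/CompactLogix Ethernet modules) it may reach.
$VendorAccess = @{
    'MILL\vendor-packaging' = @('10.3.5.7', '10.3.5.8')
    'MILL\vendor-boiler'    = @('10.3.7.20')
}
# Group whose members (plant E/I staff) keep unrestricted outbound access.
$StaffGroup = 'MILL\PLC-Engineers'
# EtherNet/IP explicit messaging (RSLinx browsing, uploads/downloads). 2222/UDP is
# implicit I/O and is not needed from a programming terminal.
$EnipTcpPort = 44818
$RuleGroup   = 'PLC-VendorAccess'

function ConvertTo-UserSddl {
    # -LocalUser wants an SDDL string, not an account name; resolve the SID and
    # build a single allow ACE for it (works for user and group SIDs).
    param([Parameter(Mandatory)][string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Remove rules from a previous run so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. Block outbound by default. Windows Firewall evaluates Block rules before Allow rules,
#    so "allow only these IPs for this user" cannot be expressed with Block rules on a
#    default-Allow profile; the Allow rules below carve holes in a default Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. The OS's own traffic (domain logon, DNS, time) and plant staff keep full access.
foreach ($principal in @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE',
                         'NT AUTHORITY\LOCAL SERVICE', $StaffGroup)) {
    New-NetFirewallRule -Group $RuleGroup -DisplayName "Allow outbound: $principal" `
        -Direction Outbound -Action Allow -LocalUser (ConvertTo-UserSddl $principal)
}

# 4. One rule per vendor account: its controllers only, EtherNet/IP only.
foreach ($account in $VendorAccess.Keys) {
    New-NetFirewallRule -Group $RuleGroup `
        -DisplayName "Allow outbound: $account -> own PLCs" `
        -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort $EnipTcpPort `
        -RemoteAddress $VendorAccess[$account] `
        -LocalUser (ConvertTo-UserSddl $account)
}

# 5. Verify what each rule actually resolved to before letting a vendor log in.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-50} {1}' -f $_.DisplayName, $addr
}
```

Two checks before relying on this. First, the user match is made on the process that opens the socket, so RSLinx Classic must be running in the vendor's session, not as a Windows service (its "run as a service" option would make the traffic belong to the service account and bypass the per-user rule). Second, a ControlLogix chassis routes CIP traffic across its backplane, so a vendor who can reach one Ethernet module can browse through it to other modules and networks in that chassis; the firewall limits which chassis they can talk to, not where the chassis will forward them.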
 
Just a small point, but you don't need AssetCentre to have the security features, as those features are simply FT Security, which is built into almost all Rockwell products now.

AssetCentre uses FT Security to do many of its tasks, but AssetCentre is not needed to get those security features.

I run AssetCentre and love it, but only use it if you want to use it for revision control and disaster recovery.