Allen-Bradley PLC security

SamW

Member
S
Join Date
May 2016
Location
Ludlow
Posts
9
Hi,

I have a problem which I'm hoping you can help me solve. We design and build equipment which is installed at a customer site, all equipment is controlled by an Allen Bradley PLC (typically an L33ER running v26 firmware). At present all our customers have access to Studio 5000 and their PLC programme, the more adventurous among them have taken to editing the programme, and at some point this is going to go disastrously and dangerously wrong.

We're now setting up security on the programme, these are our key aims:
1. Customers can no longer edit their PLC programme
2. We would like them to be able to view the programme in realtime in Studio 5000 for process monitoring that may not be available on the HMI
3. Our staff need to have access to the PLC and programme to carry out authorised edits.

At present all sites are set up as Local Stations rather than Network Stations.

I've been experimenting with the security settings, and at present this is the big issue I'm running into:

All Windows users with admin rights also have unrestricted access to the program. I want to set up a FactoryTalk user who has admin rights (and only we have the password), plus another user who can view but not edit the program. Windows access rights should have no bearing on this.

Am trawling through the Security user manual, but hoping that somebody on this forum can point me in the right direction.
 
Welcome to the forum.

If we were your customer and bought a machine from you , WE would own the program and should be able to modify it UNLESS the terms of software ownership was discussed up front before the contract was signed.

Here is what we do
the programmers have a full blown copy of logix 5000 and maintenance only has the read only version of the software.

in your case can you assign a password to run the full version and allow everyone else to run the view only portion? I'm still learning logix 5k so I am offering suggestions at this point. you may have to buy the full blown package for you and the read only version for your customer.
james
 
What James said is correct.

When a customer buys our machines they get a full copy of the program with all the rights. What they choose to do with it is up to them. Who they choose to give access to is with in the purview.

We document a complete install and start up package which includes a complete safety and operations review. Customer signs off on every step that they acknowledge and understand the inherent dangers of the machine, the precautions to take, and the training they need to give their operators. As well its quiet a process to access our PLC's, so if your into the program, your on a mission, and more then likely voided the warranty.

Our machines are pretty much self diagnosing. We can get away with phone support most of the time.

Actual conversation:
Maintenance supervisor, "John, these parts are not coming out clean anymore, and its only been running for six months".
Me, "Paul, go to the HMI, look at the top right corner, is there a flashing red lamp"
Supervisor" well yea"
ME " push the red lamp"
Supervisor " ok"
ME "Read the msg please"
Supervisor " CYCLE COUNT EXCEEDED....CHANGE BAG FILTERS"
ME "Paul"
Supervisor" Yea"
Me"Want me to come out and change your bag filters for you"

The really bad part is that the unit will e-mail him when its at 95% of any cycle count maintenance. We went over that again too.

Course when they totally toss the program, they pay us to do a remote recover of the machine and make it work again. That's about four hours of screen time, and another four for a complete start up and shake out.

But I digress.
 
Thanks for the responses. Our contract doesn't give them ownership of the programme, and we work in a regulated industry where the regulator has concerns over customers modifying the programme. With both these points in mind, we really do need to restrict access.

Take the point about installing the read only version of Studio 5000, this may be an option, but looking at our structure and relationship with our customers, I think the FactoryTalk security could offer a better solution.

Anyone else familiar with setting this up?
 
SamW said:
Thanks for the responses. Our contract doesn't give them ownership of the programme, and we work in a regulated industry where the regulator has concerns over customers modifying the programme. With both these points in mind, we really do need to restrict access.

Take the point about installing the read only version of Studio 5000, this may be an option, but looking at our structure and relationship with our customers, I think the FactoryTalk security could offer a better solution.

Anyone else familiar with setting this up?
Click to expand...

You can set up "Source Code Protection" on your projects.... you can choose whether or not individual logic routines are viewable when the SK.DAT file is not present on the PC.

To do this right-click each routine in "Tools->Security->Configure Source Protection", and choose "Protect Component(s) with Source Key", and "Make Viewable".

I use a dongle for activations, and my source key file is on that, so it remains with me at all times. You could of course use a USB memory stick for the same purpose, but it has to mount at the same drive letter each time.

The SK.DAT file is a plain text file that must contain the exact text that you specify as the "Source Key" for the routine.

Source protection is very flexible, in that you can have multiple levels of access, but anyone can read what is in the SK.DAT text file, so guard it well.

If the options are greyed out on the menus, then re-install the software, making sure you add the security components.

Added : If you add any new routines after configuring source key protection (SKP), you will need to reconfigure SKP for those new routines, they won't automatically inherit SKP from other protected routines.
 
Last edited:
SamW said:
Thanks for the responses. Our contract doesn't give them ownership of the programme, and we work in a regulated industry where the regulator has concerns over customers modifying the programme. With both these points in mind, we really do need to restrict access.

Take the point about installing the read only version of Studio 5000, this may be an option, but looking at our structure and relationship with our customers, I think the FactoryTalk security could offer a better solution.

Anyone else familiar with setting this up?
Click to expand...

Why don't more people simply put the mode keyswitch into the RUN position; remove the keyswitch; and hand that keyswitch over to a member of top management, and say:
"Here's the key. You control it. If something changes, it will be because YOU handed the key to SOMEONE, and that SOMEONE has been designated as the responsible party."
.
“Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.”
― Albert Einstein
 
jdbrandt said:
Why don't more people simply put the mode keyswitch into the RUN position; remove the keyswitch; and hand that keyswitch over to a member of top management, and say:
"Here's the key. You control it. If something changes, it will be because YOU handed the key to SOMEONE, and that SOMEONE has been designated as the responsible party."
Click to expand...

It took me less than five minutes to file a flat-bladed screwdriver to work the keyswitch in an emergency (like no-one could find a key). I've seen that many, I just filed into the shape I remembered, and it worked fine.
 
jdbrandt said:
Why don't more people simply put the mode keyswitch into the RUN position; remove the keyswitch; and hand that keyswitch over to a member of top management, and say:
"Here's the key. You control it. If something changes, it will be because YOU handed the key to SOMEONE, and that SOMEONE has been designated as the responsible party."
Click to expand...

Also, the OP is using a L33ER, which doesn't have a key switch. All they have is a small toggle witch behind a door on the front where the SD card goes.
 
No need to buy a special version of Logix and no need to implement source protection unless you have IP that you want to protect.

Setup FT Security it's already built into the product and it's made for the issue you have.

You can give certain logins read and write access and some logins read only access.

It's very granular so you can restrict forcing to only certain people and downloading to only certain people and so on.
 
Thanks, FT Security is the best solution for the problem we have right now. Have spent the last couple of days working with it and think I now have it figured out, got a few more tests to do before we roll out to live sites.

Once implemented, is it possible to track changes made by users? Would be really useful to know which of our engineers have been working on the program, and what they have changed.
 

Similar Topics

K
Places to sell surplus Allen Bradley PLC's and various other items
Hello, I am new here. I am trying to find good places to sell some surplus items that I have that isnt through ebay. Does anyone have any sources...
Replies
5
Views
333
tlf30
tlf30
E
Cimplicity OPC Communication with Allen Bradley L73 PLC
Hi good day Everyone, I have a cimplicity v10 project with 7 to 8k tags communicating with AB PLC through OPC and Rslinx classic. I have this...
Replies
3
Views
212
JunQ
J
D
Allen Bradley PLC 1756-L81E and EIP module 1756-EN2TR
I am using Allen Bradley PLC 1756-L81E and EIP module 1756-EN2TR for Ethernet/IP communication. My communication works fine but in Get-Attribute...
Replies
2
Views
197
Dsaxena
D
H
Allen bradley PLC MSG help
I have a network with 4 PLCs PLC1 is controllogix and PLCs 2-4 are compactlogix and they all need to communicate. The current way I have this...
Replies
8
Views
255
heatfireash
H
A
Allen Bradley ControlLogix PLC communication with Delta V DCS
Hi Everyone, I am currently trying to communicate ControlLogix PLCs via EtherNet/IP with Delta V DCS. There is a VIM2 card configured for...
Replies
1
Views
255
Ken Roach
Ken Roach
Back
Top Bottom