BPyles,
I'm not sure what level your installed architecture is at, and whether it is even networked, or not, but I have mentioned this before here on the forum and perhaps it is pertinent to mention it here again...
Rockwell advocate you use a “defense-in-depth” security approach. This involves using both the physical and electronic security measures mentioned already, here, and in the linked thread by Ron, as well as other methods.
The basic philosophy is that no one measure alone can fully secure an Industrial Control System (ICS). A layered approach is best practice.
In achieving a “defense-in-depth” approach, an operational process is required to establish and maintain the security capability. This process includes:
1) Identify priorities (e.g. Availability, Integrity, Confidentiality)
2) Establish requirements (e.g. remote access must not impact control traffic, etc.)
3) Identify assets
4) Identify potential internal and external threats and risks
5) Understand capabilities required
6) Develop architecture
7) Develop and implement policies
Designing and implementing a comprehensive manufacturing security model should serve as a natural extension to the manufacturing process. In other words, users should not implement security as a "bolt-on" component to the manufacturing process.
The “defense-in-depth” layers for securing manufacturing assets should include:
• Physical Security: This limits physical access of areas, control panels, devices, cabling, the control rooms and other locations to authorized personnel as well as escorts, and tracks visitors.
• Network Security: This includes the network infrastructure, such as firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers.
• Computer Hardening: This includes patch management and antivirus software as well as removal of unused applications, protocols and services.
• Application Security: This contains authentication, authorization and audit software.
• Device Hardening: This handles change management and restrictive access.
I'm not going to write, or rewrite a whitepaper on the subject, but you get the gist.
The point is that implementing passwords in the controllers is fine and not to be chuffed at. But this is only one electronic measure which can be implemented. You can also use FactoryTalk Security to limit lower level access users to certain features. There are of course other electronic measures, but to strengthen and complement those, you can also use physical measures such as locking the controller port or switch ports. Locking the cabinet/enclosure. Locking the room or area if feasible, and on and on.
In other words, do not rule out or discount simple measures by just looking at their effectiveness with a singular mindset. Consider multiple measures and the cumulative effect they may have in securing your ICS to an adequate level.
Regards,
George