Read only access to Compactlogix program Tags

Hi all,

For those that do, thanks for taking the time to read my post.
I have some experience, mainly self taught with Allen Bradley SLC & recently Compactlogix, so forgive me if my terminology is incorrect!!

I wonder if anyone can help me with this:

I have set up a small Ethernet/IP network consisting of 4 Micrologix 1100 and 1 CompactLogix 1769-L30ER main controller. The 1769 is controlling three machines each on their own routine.

A third party wants access to the network to monitor some tag values etc, but how do I stop them gaining control of the machines??? Can they access as read only? and if so, how?

Again, many thanks for taking the time to read this. It is my first post (of possibly many).

Munkey

One clean, isolated method would be a Red Lion Data station in the middle. You write to the data station, they read from it.

If your third-party controllers are in the Allen-Bradley family; you can look at the Produced/ Consumed Tags across Ethernet/IP.

Produced are "Produced" for the outside controllers (ie from your PLC to others)

Consumed and to be "Consumed" by your system (so read in from outside).

If you re using a structure data type such as a UDT- you can produced a "blank" copy which can zero down if a communication fault happens.

If you want to use Booleans- You will either have to write them into a DINT or make a UDT that is at least <=32 bits.


Regards

Daniel.

Copy the tags they need to read to a copy of the actual tag that the PLC never reads, it is only written to once per scan.


If they change the tag they access it will be changed back on the next scan and not interfere with your machine.

I think the OP's main hurdle here is that by giving the third party access to their network, they can't really control what that party does once connected. Sure, you could set up some produced/consumed tags or whatnot that are read-only, but once the third party is on the network, what's to stop them from loading up their own copy of Logix and making whatever changes they want to any PLC's on that network?

Ken Moore's suggestion might have merit. I'm not familiar enough with the Red Lion products to vouch for it confidently, but certainly if you can't trust the third party with network access, you will need to set up an isolated network that can't connect to the actual PLC network, and give the third party access to that network only. The Red Lion may have the ability to do that.

At a Siemens trade show I learned of a Data Diode that only allowed one way communication through the gateway.


Check this Google Search

I am using a modbus gateway from Prosoft for exactly this purpose. Its connected ETH I/P for me and Modbus TCP for them, but there are other options.

They get their own IP, sets of R and W registers and they can do anything they want with them. They aren't on my network but if I want I can pay attention to their registers and act on them.. or ignore them completely.