Does Denying Future Access Allow Online Edits

Secpcb

I have a line run by a SLC5/05 and had an issue with the line leader calling in an outside programmer, without any authorization, to make some changes to the PLC over the long weekend. He proceeded to erase hours of work I did to report every alarm condition - as the iFix HMI would only show one alarm, it was programmed to only look for one alarm, then ignore any other alarms, so the operator didn't know of them. That resulted in a full day's production being scrapped out.

The boss told me to put the program I had a copy of back in and said I could protect it. I set a password and, in case this guy knew the AB master password, I unchecked "Allow Future Access."

I am able to go online and can download program changes - but if I try to do an online edit it errors when I click on Verify and goes offline. I never lose communications with the SLC, and RSLinx shows online & OK (Ethernet driver).

Does denying future access lock out online edits or is something else going on?
 
Secpcb,

At my last jobsite, we had an automation procedure that had to be followed, with NO exceptions.

A change was proposed.
It went to me as I was the controls engineer for review.
I then reviewed the tech data file for allowable changes without authorization.
If the change was not in the tech data sheet, we had to have a meeting of the production supervisor, the one who wanted the change, maintenance, the maintenance supervisor, quality, engineering, and safety to discuss the changes.

If everyone agreed, we made the change, ran a small sample (200) and quarantined the product until quality was happy. When they were satisfied, we ran full production.

In your case, the line leader would be terminated for having authorized changes and causing production losses.

regards,
james
 
Interesting...was the line leader able to cut the programmer a PO for the work??
 
Paully, no he couldn't issue a PO - he had to have purchasing issue one after the fact.

James, to alleviate this I have drawn up a "Contract Programmer Agreement" that is set for approval by the manager, which includes the items you listed - and more. And I am hoping for this leader's termination - but for the reason that all employees are forbidden from calling the owner (in chemotherapy & not doing well), and he sneaks off with his cell phone to make suspicious calls to someone, complaining about everything happening here. If anyone ever overhears him talking to the owner he is immediately out. (He deletes his call history at the end of the call - it's been checked.)

Mickey, the odd part is I could do online edits before (I remember that post from before and did have those settings) and I didn't revert the changes - but I just checked and they were reverted to the defaults listed.
 
OG,

Just a thought, but would denying future access prevent someone that knows the Master Reset To Factory Defaults password from wiping it?
 
Yes I believe so. It won't get to the point where it asks for a password. The only way around this would be to clear the memory of the CPU.

OG
 
You could also set up FactoryTalk Security and it will give you very granular control over who can do what. If you are networked and wanted reporting at any point, you could add FT AssetCentre to report on who changed what, line by line, and when each change happened.

This would also give you version control. It's helpful for when you are using outside contractors as well as staff programmers.
 
OEM Lock - Allow Future Access

Secpcb said:
...I remember that post from before and did have those settings) and I didn't revert the changes - but I just checked and they were reverted to the defaults listed.

Your answer just acknowledges the fact that those settings were defaulted and you "appear" to be moving on with other questions. But the above is not clear, to me, as to whether Mickey's good advice solved your issue, or not?

Did you change those CIP settings back and did it fix the Online Edits issue?

My guess is it did, or it should have, but you haven't said, either way?

Secpcb said:
...Does denying future access lock out online edits or is something else going on?

Operaghost said:
No. It just requires that you have the source program on your PC...

That would be correct. You must have a matching offline copy of the program in the controller to view the routines and perform online edits.

Operaghost said:
...It prevents anyone that doesn't have the program from uploading it. It does not affect editing...

I'm sorry, but that would be incorrect.

You can upload the program. You can even download another program, overwriting the existing program. As for editing, with this feature enabled, you cannot perform online edits without a matching offline copy of the program. If you do have a matching copy, then yes, it does not affect online edits and you can perform them as normal.

A slight distinction...

This feature is known as OEM Lock. It is used by a programmer to source protect their routines, not block access to the controller. That is done by using password protection.

When you uncheck Allow Future Access, under Controller Properties>Compiler, and download that change into the controller, you are denying future access to the ladder routines for anyone who does not have a matching offline copy of the program.

A user can connect to the controller, upload the program using Create New File, and go online. While online, they cannot view the ladder routines. As the program normally defaults to LAD 2 open, this window will be blank with a message stating...

This program has been PROTECTED from user access!

They will get this message for all ladder routines attempted to be opened.

If they try to save the program, so as to have a matching offline copy, they will get a popup message...

This program has been PROTECTED from user access!
Program cannot be saved!


This prevents a user, without a matching copy, from viewing and editing the routines. That is all it is supposed to do.

All other aspects of the online program may be accessed and manipulated. For instance, all Data Files may be opened and their data values changed. Forces can be enabled and set in the Force Files. A user can even open the Controller Properties>Passwords tab and set a Password and Master Password. However, they cannot save any of these changes. Without a save, there is no correlation between the offline image in RSLogix 500 and online image in the controller. And as mentioned, they can even download another program, overwriting the source protected program in the controller. This, again, is because this feature is not meant to prevent a user from doing so.

OEM Lock = Routine Source Protection.

For future denial of controller access, we use passwords...

Secpcb said:
...would denying future access prevent someone that knows the Master Reset To Factory Defaults password from wiping it?

Operaghost said:
Yes I believe so. It won't get to the point where it asks for a password. The only way around this would be to clear the memory of the CPU.

Again OG, I'm sorry, but this is wide of the mark. Because you are slightly mixing up how it works you are a little off with your thinking.

Enabling the OEM Lock, as we now know, just prevents access to the routines, nothing more. It will not prevent access to a Password protected controller. Only not having the Password will deny a user access. A user can gain access to the Password prompt, regardless of whether the OEM Lock is enabled, or not. They can also gain access to the Password prompt regardless of whether they have a matching copy of the program, or not.

If a user has also set a Password, and or Master Password, along with unchecking Allow Future Access, then a few scenarios may occur...

A user has a matching copy of the program and has the Password...

When they open the offline copy they are prompted for the Password and they enter it successfully and may then go online. They now have full access to the online program.

A user has a matching copy of the program but does not have the Password...

When they open the offline copy they are prompted for the Password and because they do not have it they cannot gain access to the online program. Alternatively, the user may enter the Clear Memory Password, resetting the controller to factory defaults.

A user does not have a matching copy of the program but does have the Password...

The user performs an upload using Create New File and is then prompted for the Password. They enter the Password and may then go online. They are now online with no access to the routines and cannot save the program. Alternatively, the user could enter the Clear Memory Password, resetting the controller to factory defaults.

A user does not have a matching copy of the program and does not have the Password...

The user performs an upload using Create New File and is then prompted for the Password. Because they do not have the Password they cannot gain access to the online program. Alternatively, the user can enter the Clear Memory Password, resetting the controller to factory defaults.

You can see from all these scenarios that in no case, and regardless of the OEM Lock, is a user restricted from attempting to enter an access Password or a reset Password.

To truly prevent access, which could result in someone resetting a controller, you would need to look at preventing physical access.



Regards,
George
 
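The access outcomes George lays out above can be written as a small rule model. This is an added example, not code from the thread or from Rockwell; the function and field names are my own, and it generalizes the four scenarios to the cases where OEM Lock is off or no password is set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlcAccess:
    """Outcomes for one user connecting to an SLC 5/0x with RSLogix 500.
    Field names are the example author's own; rules follow George's post."""
    reaches_password_prompt: bool    # never blocked by OEM Lock or a missing copy
    can_go_online: bool
    can_view_routines: bool
    can_online_edit: bool
    can_save_offline_copy: bool
    can_change_data_and_forces: bool  # data files and force files stay open
    can_download_other_program: bool  # overwriting the protected program
    can_attempt_clear_memory: bool    # reset-to-defaults prompt always reachable


def slc_access(oem_lock: bool, password_set: bool,
               has_matching_copy: bool, knows_password: bool) -> SlcAccess:
    """Hypothetical model (not a vendor API). oem_lock=True means
    'Allow Future Access' was unchecked and downloaded to the controller."""
    # Only the password gate, when present, actually denies online access.
    online = (not password_set) or knows_password
    # OEM Lock protects the routines alone: view/edit/save need a matching copy.
    routines = online and ((not oem_lock) or has_matching_copy)
    return SlcAccess(
        reaches_password_prompt=password_set,
        can_go_online=online,
        can_view_routines=routines,
        can_online_edit=routines,
        can_save_offline_copy=routines,
        can_change_data_and_forces=online,
        can_download_other_program=online,
        can_attempt_clear_memory=True,
    )


def who_can(oem_lock: bool, password_set: bool, capability: str) -> set:
    """User classes that retain `capability` under a controller configuration.
    Useful for checking whether OEM Lock alone meets a site's protection goal."""
    classes = {
        "copy+pw": (True, True), "copy-only": (True, False),
        "pw-only": (False, True), "neither": (False, False),
    }
    return {name for name, (copy, pw) in classes.items()
            if getattr(slc_access(oem_lock, password_set, copy, pw), capability)}
```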
Yes of course George is right. Been away from the SLC family for far too long. The Deny Future Access is an editing restriction. You can still upload but you are prevented from viewing the logic and prevented from saving. Also prevented from generating a report/printing.

Thanks George,

Brett
 
George,
Guess I skipped over it, but Yes - changing the CIP settings did solve the issue, and No - I did not change them back to the default settings (and I am the only one using the laptop)

And, just to check what is prohibited and what is possible, I am going to connect a different laptop that does not have the program on it and see what can be done.

PBuchanon,
FactoryTalk Security would be set up on my laptop, and if someone brings in their own laptop I am guessing it wouldn't matter then, would it? Just an extra step for me on my laptop? And this system is isolated from the company network; the only things connected to the Ethernet switch are the 5/05 & the iFix PC.

Thanks.
 
Secpcb said:
George,
Guess I skipped over it, but Yes - changing the CIP settings did solve the issue, and No - I did not change them back to the default settings (and I am the only one using the laptop)...

Just to be clear, I didn't mean did you change them back to the defaults. I meant that once you found that they had "somehow" reverted to defaults, did you change them back as per the fix Mickey provided. The answer to that question is yes.

Either way, that's good to know and thank you. Now anyone reading this in the future can be certain that it solved that issue and also everyone here now can move forward more positively.

Secpcb said:
...And, just to check what is prohibited and what is possible, I am going to connect a different laptop that does not have the program on it and see what can be done...

If you want to be "clinical" in performing your trial then by all means use a different workstation. But you don't have to.

With OEM Lock already enabled in the controller and with a password set and acting as though you are a user without a matching copy of the program...

On your own workstation you can open RSLogix 500 and do not open the offline copy of the program as you don't have it for this trial. Perform a Comms>Who Active Go Online. Browse to your controller and select Upload and then use Create New File. You will be prompted for the password and because this user does not have the password you cannot go online.

If you do enter the correct password you can go online but with no access to the routines and so also no online editing.

But again, you will find that you will always have access to the password prompt.

Why is this password provided? Because, for the modular SLC controllers, if a user has walk up access then they can just as, but not quite as, easily pull the processor battery and short the GND and VBB to default the processor. The clear memory password just makes this task a bit simpler.

If you have contractors who can come on-site, with dubious authorization, and can gain walk up access to your control equipment, and could likely use that same dubious authorization to clear a processor's memory, without consultation with the on-site automation and programming administrator(s), such as yourself, then you need a multi-hardened approach.

"Defence in Depth" is Rockwell's recommendation for such situations where you use multi-layered security measures. You can use OEM Lock. Use passwords. Restrict physical access to the switch ports. Restrict access to the enclosure, room, or area to only properly authorized personnel. Escort contractors and monitor their movements and actions. Put procedures in place that certain personnel must follow before granting access or else there are consequences to be had (you are already working on this procedural aspect, which is good). Auditing changes is another step which also monitors the authorized personnel.

No one security measure is usually enough. Make sure you have enough layers to make it as difficult, if not impossible, for someone to do the same again.

I'm off today and the Sun is shining (doesn't happen too often around here!). So I'm going to enjoy it. I'll leave the FactoryTalk Security discussion to others. If I feel I have something to contribute at a later date, I might.

Regards,
George
 