Does Denying Future Access Allow Online Edits

PBuchanon,
FactoryTalk security would be set up on my laptop, and if someone brings in their own laptop I am guessing it wouldn't matter then, would it? Just an extra step for me on my laptop? And this system is isolated from the company network; the only things connected to the Ethernet switch are the 5/05 & the iFix PC.

Thanks.

FT Security would be set up on your laptop and the controller and will work even if the system is not connected to the network.

FT Security for example would let your login have full access and bubba the mechanic have view only access and an outside contractor view and force access only.
 
Just an update on this. I found if I deleted the password, and only denied future access, anyone trying to connect would not get a prompt where they could put in the master reset password and wipe my program. I tested this on a spare rack and it was very easy to reset the PLC & put in another program - oddly though the reset to factory default did not revert the 5/05's IP address - it remained the same.

Also, to be a bit of a jerk, I added a line that now turns on an MCR Enable relay wired to a spare output that breaks the MCR loop. If the PLC is wiped physically and the old program put back in it will not be possible to turn on the MCR.

Also management has had a chat with the line leader and no outside programmer is to be called in without going through me or the maintenance supervisor.
 
Defense In Depth...

Secpcb said:
Just an update on this. I found if I deleted the password, and only denied future access, anyone trying to connect would not get a prompt where they could put in the master reset password and wipe my program...

I feel that you may have a false sense of security here. Not using a password is more secure, by your thinking. This is a little misguided. Remember, just because using a password exposes the password prompt so a person may enter a Clear Memory Password (not master reset password), does not mean that by simply removing that password, and hence the prompt, you are removing the ability for someone to clear the processor's memory.

Just remember what I wrote earlier on the Clear Memory Password...

Geospark said:
...Why is this password provided? Because, for the modular SLC controllers, if a user has walk up access then they can just as, but not quite as, easily pull the processor battery and short the GND and VBB to default the processor. The clear memory password just makes this task a bit simpler...

If a person has walk up access to this controller, so as to attempt a factory reset, then the Clear Memory Password is not the only way they may attempt to do so. They could still physically pull the processor module and short the GND and VBB pins to factory reset it. If they are physically restricted, but can communicate with this controller over a network, then they could still connect to the OEM Locked, but unprotected controller, and download a blank or different program. Alternatively, they could connect and in RSLogix 500 use Comms>Clear Processor Memory. So, while using OEM Lock and no password protection, unless you are physically restricting access to the controller in every way, then someone could still effectively wipe your program from memory.

Remember, use a layered approach to security.

Secpcb said:
I tested this on a spare rack and it was very easy to reset the PLC & put in another program - oddly though the reset to factory default did not revert the 5/05's IP address...

If by "reset the PLC" you mean that you cleared the memory using the Clear Memory Password...

When you clear the processor's memory, using either the Clear Memory Password or Comms>Clear Processor Memory, you are just clearing the processor's memory i.e. the program. You are not resetting the controller to factory default.

The embedded Ethernet port stores its configuration in its own separate memory. When you clear the processor's memory the Ethernet port's memory is left untouched. This allows the retention of its configuration so future communications are possible at the same node address. To overwrite the port's memory you would have to reconfigure it using one of the possible methods, such as BOOTP, or else download a program with a different Ethernet port configuration and select to overwrite the communications configuration for that Channel when prompted.

If you factory default the processor, by shorting the GND and VBB pins while the battery is removed, then both the processor and the Ethernet port's memory are cleared. You will then have to reconfigure valid Ethernet port settings before you can establish Ethernet communications.

Regards,
George
 
