Passwords for ControlLogix (and other RA PLCs)

If you are using WANs which are potentially insecure, there are three layers of extra protection I have seen used in addition to the usual VPN client encryption schemes:

1. Use personal key generators such as those "SafeWorld" offer.

I only mention these guys because I happen to have one of their token generators in my left hand as I type this now.

2. You should be able to configure your VLANs or VPNs to only open a port pinhole to RSLinx. The port numbers it uses are found here.

3. One particularly anal administrator tied me down to the MAC address of my personal laptop. I'm not sure quite what tool he was using to do it, but he made sure that adding any new PC to the network could NOT happen without his say so.
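Points 2 and 3 above (a port pinhole to the PLC plus pinning the engineering laptop to a known MAC) can be turned into an audit you run over your firewall or flow logs, so that anything reaching the controller outside that pinhole shows up. The following is an added example, not code from the thread or from Rockwell: the log line format, the allowlist, the PLC address and the sample lines are all constructed for the example, and the only real values assumed are the standard EtherNet/IP ports (TCP 44818 for explicit CIP messaging, UDP 2222 for implicit I/O).

```python
"""Audit connection records against a PLC access pinhole and MAC pin.

Added example for the thread above, not the poster's or Rockwell's code.
Constructed: the log format, the allowlist, PLC_IP and SAMPLE_LOG.
Assumed real: EtherNet/IP ports TCP 44818 (explicit) and UDP 2222 (implicit).
"""
from dataclasses import dataclass
import re

# The only ports a CIP client (RSLinx / RSLogix) should need to reach on the PLC.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Constructed allowlist: the engineering laptop pinned by IP *and* MAC.
# Assumption: the logging device sees the source MAC (same L2 segment).
ALLOWLIST = {
    "192.168.10.50": "aa:bb:cc:dd:ee:01",
}

PLC_IP = "192.168.10.10"  # constructed controller address

# Constructed log format: "<time> <proto> src=<ip> mac=<mac> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<proto>tcp|udp) src=(?P<src>\S+) mac=(?P<mac>\S+) "
    r"dst=(?P<dst>\S+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["mac"] = rec["mac"].lower()  # normalise case before comparing
    return rec


def audit(lines, allowlist=ALLOWLIST, plc_ip=PLC_IP):
    """Flag every record that reaches the PLC outside the pinhole or MAC pin."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != plc_ip:
            continue  # malformed, or traffic to some other host
        if (rec["proto"], rec["dport"]) not in ENIP_PORTS:
            findings.append(Finding(rec["ts"], rec["src"],
                                    f"non-CIP port {rec['proto']}/{rec['dport']} reached PLC"))
            continue
        pinned_mac = allowlist.get(rec["src"])
        if pinned_mac is None:
            findings.append(Finding(rec["ts"], rec["src"], "source IP not in allowlist"))
        elif pinned_mac != rec["mac"]:
            # Right IP, wrong MAC: a re-used address or a new PC behind it.
            findings.append(Finding(rec["ts"], rec["src"],
                                    f"MAC {rec['mac']} does not match pinned {pinned_mac}"))
    return findings


# Constructed sample records; the comments say what each one should trigger.
SAMPLE_LOG = [
    "08:00:01 tcp src=192.168.10.50 mac=AA:BB:CC:DD:EE:01 dst=192.168.10.10:44818",  # allowed
    "08:00:05 tcp src=192.168.10.77 mac=aa:bb:cc:dd:ee:02 dst=192.168.10.10:44818",  # unknown IP
    "08:00:09 tcp src=192.168.10.50 mac=aa:bb:cc:dd:ee:99 dst=192.168.10.10:44818",  # MAC mismatch
    "08:00:12 tcp src=192.168.10.50 mac=aa:bb:cc:dd:ee:01 dst=192.168.10.10:80",     # non-CIP port
    "08:00:15 udp src=192.168.10.50 mac=aa:bb:cc:dd:ee:01 dst=192.168.10.10:2222",   # allowed
    "08:00:20 tcp src=192.168.10.60 mac=aa:bb:cc:dd:ee:03 dst=192.168.10.20:44818",  # other host, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: {f.reason}")
```

Against the constructed sample the audit reports three records: the unknown source IP, the pinned IP arriving with a different MAC, and the connection to a non-CIP port. The MAC check only means something if the log source actually records the layer-2 address; a router several hops away will only show its own MAC, which is why the post ties it to the switch the laptop plugs into.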
cryptoguy23 said:
If there is a setting on the ControlLogix that limits management to authenticated RSMACC servers please let me know. I hope that I'm wrong because we need a high security solution. Right now the best we can do is use router configs to limit the IP addresses and ports that can reach the PLC.

I may be behind in this conversation, but I believe there is exactly what you mentioned. I am not sure if this is the CPU lock that others mentioned or not. I will talk to my RA engineer and find out.
 
CPU Lock Update

I had a chance to get the straight information in a very interesting telephone call with the RA Product Managers. I will link to a longer blog entry on this later because there was some good info on future security direction.

One of the real problems RA needs to address is the lack of security information and inconsistent information in the documentation and discussions with SEs.

Here is the straight scoop:

V3.0 of the CPU Lock tool with V15 of Logix supports setting the configuration through any CIP path. The RA app note referenced earlier in this thread that limited CPU Lock to the DF-1 interface is obsolete.

This is important because it allows a password to be placed on the more vulnerable Ethernet interface.

Of course this is far from ideal because it means a single, shared password and all-or-nothing access. Think of this as the same problem as physical locks and keys. It also is not integrated into the RS management solutions and must be run as a separate utility. Still better than nothing.

Rockwell has some interesting plans to do a lot better on the security front.
 
You need to install Logix CPU Security Tool.
It comes with R5K software and is browsable through RSLinx (Network, whatever you might have).
I am in the Pharma industry, and we have it in our SOPs to use this tool. If the PLC is secure, there is NO WAY to alter the code.
 
My understanding

My understanding of the RSMACC concept with RS Asset Security is exactly what you are describing. I have not heard back from my RA engineer yet, but my thinking is that by securing a controller in the security server, you are blocking all access to the PLC via any com port at all. The security server sets permissions on who can unsecure a controller at all with the actions setup and ACL lists. Basically, I guess my take was that RS Asset Security is the equivalent of the CPU lock, except that it handles the responsibility of unlocking the controller, and that all handshaking between controllers and HMIs, data collection systems, and the like are not affected. If I find this to be untrue, I will post here. I'm curious to see what you were told.
 
russrmartin said:
My understanding of the RSMACC concept with RS Asset Security is exactly what you are describing. I have not heard back from my RA engineer yet, but my thinking is that by securing a controller in the security server, you are blocking all access to the PLC via any com port at all. The security server sets permissions on who can unsecure a controller at all with the actions setup and ACL lists. Basically, I guess my take was that RS Asset Security is the equivalent of the CPU lock, except that it handles the responsibility of unlocking the controller, and that all handshaking between controllers and HMIs, data collection systems, and the like are not affected. If I find this to be untrue, I will post here. I'm curious to see what you were told.

Unfortunately that is not true, and I've verified this with RA. Authentication to RSMACC or any RS Asset Security (FactoryTalk Security) is just to that software; it does not in turn authenticate to a Logix PLC. This is a 'future' plan, and why CPU Lock is important.

The documentation and sales pitch may be a bit deliberately confusing on this point.
 