Restrict RSLogix5000 Access But Allow HMI Tag Read/Write?

dabomb4097

Member
Join Date
Feb 2012
Location
Chicago, IL
Posts
24
Is it possible to partially restrict the types of communications allowed through a ControlLogix communications module?

Ideally I'd like something similar to the RSLogix5/PLC-5 controller password. You need a password to go online with the controller in RSLogix, but an HMI can still access tag data.

We have a large number of small air-gapped systems that we program with multiple individual laptops using local accounts. There is no central authentication for the programming computers or central network that all controllers are connected to. I don't think FactoryTalk Security will work without restricting each system to the local account on the particular laptop that set it up.

We have a very specialized application in a unique industry with a lot of very very odd restrictions on how systems are allowed to interact or be interconnected. So no, I can't put everything on an Active Directory to sync all the user accounts and use FactoryTalk Security or anything like that.
 
This sounds like a job for ordinary Logix CPU Security.

Once a controller has been Locked by the Logix CPU Security Tool, only a user who enters the password can access the controller for online monitoring/editing/mode changing, etc.

That tool is usually installed by default with RSLogix 5000 but it's a separately launched tool and is not integrated with the ordinary menus.

There are no differing degrees of access; a user who has the Password can do anything to the controller. It applies to network, serial, and USB connections.

This is a blunt instrument compared to the finely granular permissions that can be configured in the full-scale FactoryTalk Security system.

HMI Tag read/write services are unaffected by Logix CPU Security.
 
Beyond what Rockwell provides, firewalls with deep packet inspection can add to your security levels. Tofino, which is part of Belden, may be able to enhance your perimeter protection with one of their devices. I know they have an EtherNet/IP device that can limit access to specific objects. The downsides are more complexity with more cost, and loss of flexibility. The upside is a hardware device that blocks traffic that a simple loss or sharing of the password cannot bypass.

I would expect your use case to be common so they would have supported it, but I have not implemented exactly what you need so do not know for sure without calling them.
 
No, Logix CPU Security became part of Studio 5000 and I use security on ver 21!


The Logix platform, version 18 or later, provides Data Access Control through two new tag attributes: External Access and Constant. Together, these attributes let you control access to tag data and help to safeguard tags by preventing unwanted changes to their values. For more information about Data Access Control see the Logix5000 Controllers I/O and Tag Data Programming Guide, publication 1756-PM004.

When securing controllers using version 20 or later of the application, only the Network Directory is supported. If you are securing controllers using an earlier version of the application, you can use either the FactoryTalk Local Directory or the Network Directory. If you are trying to coordinate security across multiple computers, you need a Network Directory implementation of FactoryTalk Security. If all of your products reside on a single computer, you can use the Local Directory. If you have a choice, you might want to use the Network Directory for forward compatibility with version 20 and later. You can host the Network Directory locally on each machine just like the Local Directory. For more information about FactoryTalk Security, see the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001.
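The External Access and Constant attributes quoted above are what actually limit what an HMI or other external client can change once it has tag-level reach. As an added example (not from this thread or from Rockwell), the script below audits an RSLogix 5000 L5X project export for those two attributes and lists every tag an external client could still write; the L5X content and tag names are constructed for illustration, and the attribute names assume the standard L5X export schema.

```python
# Added example: audit an L5X export for Data Access Control settings.
# SAMPLE_L5X is a constructed, minimal export; ExternalAccess and Constant
# are the L5X attribute names for the two tag properties quoted in the thread.
import xml.etree.ElementTree as ET

SAMPLE_L5X = """<RSLogix5000Content SchemaRevision="1.0" TargetName="Line1">
  <Controller Name="Line1" ProcessorType="1756-L71">
    <Tags>
      <Tag Name="HMI_Setpoint" TagType="Base" DataType="REAL" ExternalAccess="Read/Write"/>
      <Tag Name="HMI_Status" TagType="Base" DataType="DINT" ExternalAccess="Read Only"/>
      <Tag Name="MaxPressure" TagType="Base" DataType="REAL" Constant="true" ExternalAccess="Read Only"/>
      <Tag Name="Debug_Counter" TagType="Base" DataType="DINT"/>
    </Tags>
    <Programs>
      <Program Name="MainProgram">
        <Tags>
          <Tag Name="Interlock_Bypass" TagType="Base" DataType="BOOL" ExternalAccess="Read/Write"/>
        </Tags>
      </Program>
    </Programs>
  </Controller>
</RSLogix5000Content>
"""

def audit_tags(l5x_text):
    """Map 'scope/tagname' -> (external_access, is_constant) for controller-
    and program-scoped tags. A tag with no ExternalAccess attribute is
    reported as Read/Write, the editor's default for new tags."""
    ctrl = ET.fromstring(l5x_text).find("Controller")
    result = {}

    def walk(scope, tags_el):
        if tags_el is None:
            return
        for tag in tags_el.findall("Tag"):
            access = tag.get("ExternalAccess", "Read/Write")
            const = tag.get("Constant", "false").lower() == "true"
            result[f"{scope}/{tag.get('Name')}"] = (access, const)

    walk("Controller", ctrl.find("Tags"))
    for prog in ctrl.findall("Programs/Program"):
        walk(prog.get("Name"), prog.find("Tags"))
    return result

def hmi_writable(l5x_text):
    """Tags any external client can change: Read/Write and not Constant.
    Each entry is a candidate for Read Only, None, or Constant."""
    return sorted(name for name, (access, const) in audit_tags(l5x_text).items()
                  if access == "Read/Write" and not const)

if __name__ == "__main__":
    for name in hmi_writable(SAMPLE_L5X):
        print("externally writable:", name)
```

Note that Debug_Counter shows up as writable even though no access was ever chosen for it, which is the usual way unintended write access creeps into a project.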
 
All is not lost...TomBob Method!

dabomb4097 said:
Is it possible to partially restrict the types of communications allowed through a ControlLogix communications module?

No.

dabomb4097 said:
...We have a large number of small air-gapped systems that we program with multiple individual laptops using local accounts. There is no central authentication for the programming computers or central network that all controllers are connected to. I don't think FactoryTalk Security will work without restricting each system to the local account on the particular laptop that set it up...

...I can't...use FactoryTalk Security or anything like that.

In your case, you cannot use FactoryTalk Security in the normal FT Network Directory sense. However, and as you've stated is the case, if each of the programming computers is using a FT Local Directory, then there is one method, but whether it will suit your needs or not, I'll let you decide.

Rockwell came up with this method as a get around to not having the Logix CPU Security Tool while having to use FT Security...

I posted some info in another thread earlier this year...

Logix 5000 Security

The KBase Technote I linked in that thread has a "CPU Lock.pdf" at the bottom. This explains the "CPU Lock using FactoryTalk Security" method I'm referring to, but I like to call it the "TomBob" method. I'll let you figure out why yourself!

Regards,
George
 
Argh, this is really a lot more complicated than it should be. I got an error trying to create the project, and found KB 475778. It says in reference to v20 controllers that "...the FactoryTalk Local Directory is not supported."

So apparently if I have v20 controllers, I can't use CPU Security Tool OR anything that uses a Local FactoryTalk Directory. I can only use a Network directory but I don't (and can't) have networked PCs or anything to serve as a central server!

Can I store the network directory on a local drive and trick it into thinking it's a "Network Directory" or something maybe?
 
