Hi Ron,
I appreciate your input.
I've heard good things about your wisdom and experience.
In the past with most of our other "high-tech" gadgets, the form of security used has mostly been knowledge. If you know how to get in and do something, you can. The systems are mostly protected from unauthorized users by the fact that others usually do not have the knowledge on how to get in and do anything. For the most part anyone that knows how to get into the systems is highly skilled and is authorized to get in when they need to. Even now that most of the PLCs are on the company network, the potential is there for someone to get on a PC, run the appropriate software and gain access to a running process. This doesn't happen, because no one has a clue how to do it.
Not only are our primary plant control systems on a network, but we are also connected to plants in other states with identical machines. So far, my implementation of passwords has been for Safety reasons and not Security. The passwords chosen have been more for machine identification than for user level authority. When I connect to a machine, I am comforted by the password validation as it confirms to me I have connected to where I really want to be.
After reading your suggestions, which I really do appreciate, I'm thinking some kind of Class Level logins could still be useful. I like the idea of connecting in a default "Read Only" mode which will allow 98% of users to do the troubleshooting they need to do, then if they need to make a register change, force an I/O or make logic changes, they still can do that after they have entered a different login password. This extra step adds a level of Safety that even the top authorized personnel could benefit from.
As for writing the access codes and passwords where they can be seen, the system as I described would be ok with that. In fact I currently have a line of 4 identical bagging machines numbered 1 thru 4. When connecting remotely using RSLogix, I am required to enter a password such as 1111, 2222, 3333, or 4444 depending on which machine I'm connecting to. I am sure this extra step will prevent a potential injury of a local operator someday. There is also a TCAM module connected to each machine directly and I have posted the corresponding xxxx password next to it which the machine operator is required to enter anytime they make adjustments to some of the machine parameters.
With a new wave of trainees coming into our system, I would like to promote getting online to our live processes and allowing them to monitor the logic and practice troubleshooting. At this point I am comfortable doing that with the above proposed Password and Class logins.
Please continue to comment as I value others' views on these matters.
Thanks
Rollie