How to secure your Rockwell PLCs and enforce Software Change Management using MDT AutoSave
By Jacques Terblanche
Johnson Matthey
Agenda
Introduction
Project Solution
Benefits
Considerations
Summary
Background to the Project
► This project shows how to secure your Rockwell PLCs at no additional cost using out-of-the-box solutions, and how to implement software change management on PLC code using MDT's AutoSave.
Project Goals
► Secure all Rockwell SLC and CLX PLCs from:
▪ Unauthorised online changes
▪ Unauthorised access from a 3rd party's PC running PLC Development software
▪ Provide easy configuration to change security access
► Implement Software Change Management on PLC Code
Why AutoSave
► A need was identified to perform Software Change Management on all PLC code and to secure all PLCs from unauthorised access
► A comparison was done between MDT AutoSave and Rockwell's FactoryTalk AssetCentre to determine the best solution to provide Change Management as well as securing PLC Processors
Which solution?
► AutoSave or AssetCentre?
▪ Change Management
▪ Archive of changes
▪ Scheduled Compares
▪ Locked programs
► AutoSave
▪ InTouch Plugin
▪ Archestra Plug-in
Why Software Change Management?
► Where is your latest backup?
▪ C:\Projects\PLC001 or z:\PLC Backups\PLC001
► Which file is the latest change?
▪ 05_03_09_PLC001 or 06_03_09_PLC001
► What was changed?
▪ Uhm, can't remember, that was 2 weeks ago
AutoSave
► Central location of all backups
▪ Resides on AutoSave Server
▪ Use normal IT backup methods to back up my backup
► Central Location to access all projects
▪ Launch AutoSave Client
▪ Configured in tree structure to easily access projects
► Provides a revision history with comments
▪ Enforces comment
New features in AutoSave 5.04
► Spaces
► Rearrange tree structure by moving areas and programs
► Why is this important?
▪ Current structure is flat
▪ Move option allows restructuring of Plant model to represent a S95 model type
FactoryTalk Services Platform
► Where to find the Services Platform
▪ RSLinx Classic Optional steps
▪ Install FactoryTalk(R) Services Platform
► What is installed
▪ Administration Console
▪ Directory Configuration Wizard
▪ Security Configuration
▪ Emulator
▪ Specify Directory Location
FactoryTalk Administration Console
► Used to configure either Local or Network Security
► Provides central place to configure:
▪ Users and Groups
• Use Local users or Active Directory Groups
▪ Networks and Devices
• Configure for entire network
• Configure individually
▪ Computers
• Add PC Nodes which will be used for Development as well as nodes used to perform remote connections
▪ Policies
► Logix 5000
▪ Set Administrator to configure Controller Secure
▪ Set Logical Name
▪ Set Controller Security
► Logix 500
▪ Set Controller Security
Configuring Security
Enabling Security for Logix 5000
► Install Emulator
▪ Must be installed on all Development PCs
► Enable Security Key
▪ Run SetSecKeys and Enable RSLogix 5000 Security
► Controller Properties
▪ Change Security Setting to RSI Security Server
• Can be done Online to PLC
Enabling Security for Logix 500
► New install
▪ Select Enable FactoryTalk Security during install
► Current Install
▪ Run setup again and select Security option
► Securing the Controller
▪ Convert old Logix 500 projects to version 7 or later
▪ Enable Processor Secured from Controller Properties
▪ Download converted project to PLC
Configuring AutoSave for Security Services
► Open AutoSave Client
► Log on to AutoSave Server
► Select PLC
► Launch Project
► NO CONFIGURATION REQUIRED
What now?
► Windows user authenticated to Security Server
▪ Local Users
▪ Domain users
► User with development privileges
► User with read only privileges
Topology - Software
► The AutoSave system consists of:
▪ AutoSave Server
• 2003 Server
• SQL 2000 SP4
• AutoSave 5.04
• FactoryTalk Services Platform – Network Security
▪ AutoSave Agents
• 2003 Server
• Logix 500 and 5000
• One Logix 5000 agent and one Logix 500 agent
• FactoryTalk Services Platform – Referencing AutoSave Server
▪ AutoSave Development clients
• XP SP2 Pro
• Logix 500 and 5000
• FactoryTalk Services Platform – Referencing AutoSave Server
Topology - Network
Topology – Use of Agents
► Remote connection enabled
► User starts a Terminal Session
▪ Allows multiple users access to AutoSave
▪ Fewer development software installations
Benefits / Goals Achieved
► Were the initial goals achieved?
▪ Secure all Rockwell PLCs – YES
▪ Provide Software Change Management – YES
► What benefits?
▪ PLC Online connection is read only
• No Online changes possible
• No offline changes possible
• No access via unauthorised Development software
Lessons Learned
► SLC projects must be converted to the latest Logix 500 version
► Cannot access PLCs if Security Server is unavailable
▪ Install and configure secondary security server for emergencies
Conclusions
► It is essential to have the correct tools available to perform Software Change Management
▪ MDT AutoSave provides an easy interface with all the functionality.
► Securing your Rockwell PLCs is quick and easy using the FactoryTalk Services Platform
The End....