L03 - Applying Integrated Architecture Features To Improve Industrial Control System (ICS) Security Lab Manual PDF
The variety of uses for the hardware, software and firmware (hereinafter “Products”) described in this Documentation, mandates
that those responsible for the application and use of those Products must satisfy themselves that all necessary steps have been
taken to ensure that each application and actual use meets all performance and safety requirements, including any applicable
laws, regulations, codes and standards in addition to any applicable technical documents.
In no event will Rockwell Automation, Inc., or any of its affiliate or subsidiary companies (hereinafter “Rockwell Automation”) be
responsible or liable for any indirect or consequential damages resulting from the use or application of the Products described in
this Documentation. Rockwell Automation does not assume responsibility or liability for damages of any kind based on the
alleged use of, or reliance on, this Documentation.
No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment, or software
described in the Documentation.
Except as specifically agreed in writing as part of a maintenance or support contract, equipment users are responsible for:
• properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell Automation
or third-party provided instructions, warnings, recommendations and documentation;
• ensuring that only properly trained personnel use, operate and maintain the Products at all times;
• staying informed of all Product updates and alerts and implementing all updates and fixes; and
• all other factors affecting the Products that are outside of the direct control of Rockwell Automation.
Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation is
prohibited.
Throughout this manual we use the following notes to make you aware of safety considerations:
Identifies information that is critical for successful application and understanding of the product.
Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you:
• identify a hazard
• avoid a hazard
• recognize the consequence
Labels may be located on or inside the drive to alert people that dangerous voltage may be present.
Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.
Applying Integrated Architecture® Features to Improve Industrial Control System
(ICS) Security
Contents
Before you begin
  About this lab
  Other Automation Fair Labs with Application Specific Security Content
  FactoryTalk Users for Lab
  Tools & Prerequisites
  Modifying a “Signed” AOI
  Getting Signature Information in Code
  Distributing/Reusing a Protected/Signed AOI
Section 5: Change Management for ControlLogix Programmable Automation Controllers
  ControlLogix Change Detection
  FactoryTalk AssetCentre Audit Logging
  FactoryTalk AssetCentre Audit Log Reporting
  Automated Controller Change Monitoring with FactoryTalk AssetCentre
Before you begin
This lab will walk you through practical ways to protect the intellectual property contained in your ControlLogix PAC, manage
access control to your control system hardware and software, and improve tamper resistance. This includes the application of
FactoryTalk Security, Logix Designer® Source Protection, and Logix Designer Data Access Protection. Additional appendices of this
hands-on lab walk through how to leverage FactoryTalk Security in FactoryTalk View Site Edition® applications and leverage
FactoryTalk AssetCentre® for additional access control to your industrial control system.
RSSecurity Emulator 2.60 (CPR 9 SR 6)
(Installed from the FactoryTalk Tools program files folder in the Start Menu)
Logix Designer v20.01 (CPR 9 SR 5)
RSLinx Classic v3.60 (CPR 9 SR 6)
FactoryTalk AssetCentre v5.00 (CPR 9 SR 6)
Microsoft SQL Server 2008 R2
Files required
The following files are required to complete this lab.
VMware image files for the Automation Fair 2014 NW17 hands-on lab
IF2_Demo.ACD project file for RSLogix5000
(Stored in FactoryTalk AssetCentre Archive within image under the InstantFizz container)
InstantFizz_HMI project files for FactoryTalk View SE
(Stored in FactoryTalk AssetCentre Archive within image under the InstantFizz container)
Deploy Initial Logix Designer Project to Controller
The first step that we must take in our lab is to ensure that the controller project we will be using in this lab is deployed
successfully to the processor.
1. Launch the IF2_DEMO.ACD Logix Designer project from the desktop by double-clicking on the
following icon:
2. You will be asked to Log On to FactoryTalk; at this point we are going to login as the FTAdmin user.
Logon Credentials
User: ftadmin
Password: rockwell
4. Click the button that says Download to download this application to the controller
Quick Tip: Take notice of the area boxed in blue. This indicates to us that the controller currently is not
secured. We will review later what it looks like when the controller is secured.
5. Once the application has successfully downloaded, it should ask you to return the controller to
Remote Run. Click Yes
Note: If you don’t get the prompt you can set the controller to Run from the controller menu in Logix
Designer.
8. Click the button that says, Set Date, Time, and Zone from Workstation (Circled in Red below).
Section 1: Securing RSLogix5000 Projects and Controllers
The following section of the lab will explain how to secure both Logix Designer project files and Programmable Automation
Controller (PAC) hardware resources to the FactoryTalk Directory.
This section takes approximately 20 minutes to complete.
Design Note: Security binding is on a resource basis. You must enable each project in your system to
communicate with the FactoryTalk directory security model, then link the resource in the FactoryTalk
Directory using the steps below.
2. From the Controller Properties dialog select the Security tab
Why is the Security Authority field Non-Editable by Default: Since resource security does restrict access
to automation resources, the ability to apply it to Logix Designer projects is prevented at the FactoryTalk
Directory level by default. Users & Groups must be explicitly granted this feature security to enable the
functionality in Logix Designer.
3. Leaving Logix Designer open, open the FactoryTalk Administration Console by clicking on the icon
shown below from the desktop:
5. Logon to the Network FactoryTalk Directory as the ftadmin user.
Logon Credentials
User: ftadmin
Password: rockwell
6. Double click on Feature Security from the System > Policies > Product Policies > RSLogix
5000 container. You will see the dialog shown below:
7. From the Feature Security property dialog open the Configure Security window by clicking on the
button in the Controller: Secure field (shown in the image above in blue).
8. Notice in the Securable Action dialog below that the only group with privileges to secure a controller is
our Engineers group. Therefore we need to login to Logix Designer as the engineer user.
9. Click Cancel on both open windows to close the security configuration windows.
11. From the Logix Designer Tools > Security menu select Log On...
13. If you have the Controller Properties window open you will see that the Security Authority field
becomes editable once we login as the engineer user.
14. From the drop down menu select FactoryTalk Security (FTSEC-DEMO14) and click OK to apply this
change to the project after taking notice of the callouts below.
Design Tip: The Use only the selected Security Authority for Authentication and Authorization box requires
that the unique identification key (GUID) of the FactoryTalk Security server selected match the value
encrypted in this project. We will learn more about this value in the next section.
15. After clicking OK to apply the security configuration for this project, you will receive a dialog alerting
you that applying security will result in a loss of some privileges. Acknowledge this warning by clicking
Yes.
16. From the Controller menu select Download, to download the application.
Note: If you were already online and made this change you will not need to re-download to the controller.
17. From the Download dialog take notice that the processor we are downloading to currently is not
security enabled, circled in blue below, and click Download.
18. Once the download completes, you will be asked to change the controller back to Remote Run, click
Yes to initialize the project.
19. Click the save button to apply our changes to the project. If prompted, click Yes to upload tag
values.
21. Once Logix Designer closes, open the IF2_DEMO.acd application again by double clicking the icon
on the desktop.
Logon Credentials
User: denied
Password: rockwell
23. You should see the message window displayed below that informs the user they are not authorized to
open this project according to our security policy.
Bind Physical Controller Resource to FactoryTalk Security Server
Now that we have configured both FactoryTalk Security and secured our Logix Designer project file we need to bind the newly
secured controller resource to our FactoryTalk Directory server to protect it from unauthorized connections.
4. From the Logical name: field select the newly created IF2_DEMO item from the drop down list and click
OK. This logical name was created by Logix Designer when we bound the project to FactoryTalk
Security.
Design Tip: Logical Names can be assigned like above or to a specific area, such as an HMI Area controller
and used for things like resource & action groups.
FactoryTalk uses these logical name assignments to link a resource on the network to the FactoryTalk
Directory.
We have now secured our directory, project, and physical controller resources.
6. From the Security Settings window select the Operators group from the top window, expand the
RSLogix5000 container and scroll down to the permission, Project: Download.
You will notice on our IF2_DEMO resource our Operators group does not have permission to
download to this controller.
7. Click Cancel to close the security dialog, and minimize the FactoryTalk Administration Console.
1. Open IF2_DEMO.ACD from the desktop by clicking on the icon that looks like the one below.
Logon Credentials
User: operator
Password: rockwell
3. From the Controller Status, notice that the Download option is greyed out, as we do not have
permission to download to the selected controller resource.
We have now successfully verified the security on the controller asset and Logix Designer project file.
2. From the Tools menu select the FactoryTalk Security Authority Identifier…
3. From the Security Authority Identifier Window click on Backup to retain a copy of our current ID value.
4. From the backup window leave the name set to the default, but change the location of the backup file
to the Desktop (C:\Users\Labuser\Desktop) and click OK to create the backup.
WARNING: Prior to binding Logix Designer applications to a FactoryTalk Security server, you must backup
the FactoryTalk Directory, as we just did, to ensure you retain a copy of this ID value. In the event the
FactoryTalk Security and Directory server is lost, this ID value must be restored to access the bound
applications.
If you do not have a backup of the ID you bind to controller resources, there is no way to recover the ID and
go online with the secured controller.
5. Once the backup process completes, click OK in the success dialog, but leave the Security Authority
Identifier dialog open.
6. Looking back at Logix Designer select the Log On… option from the Tools > Security menu.
Logon Credentials
User: engineer
Password: rockwell
9. From the Controller Properties window select the Security tab and check the box under the
Security Authority that says, Use only the selected Security Authority for Authentication and
Authorization. When complete, click OK to apply the changes.
By checking this box, you are telling the controller and Logix Designer application that it should ensure the
FactoryTalk GUID used to secure this project matches each time Logix Designer attempts to access the
application or controller. Without checking this box, the controller and Logix Designer are just ensuring that
the name of the security authority matches and the logical name exists in that directory.
10. From the Controller Status menu select Download, to download the application.
11. From the Download dialog take notice that our processor now indicates that it is indeed bound to our
security server, circled in blue below, and click Download.
12. Once the download completes, you will be asked to change the controller back to Remote Run, click
Yes to initialize the project.
13. Click the save button to apply our changes to the project, and click Yes if prompted to upload tag
values.
Generate a New FactoryTalk Security Authority Identifier
Looking back at the FactoryTalk Administration Console we are now going to simulate a FactoryTalk Security server failure by
changing the unique identifier of our FactoryTalk Directory and Security server.
2. If the Security Authority dialog is not currently open, open it from the Tools menu > FactoryTalk
Security Authority Identifier…
4. You will next be asked to confirm this decision, take note of the very important warning message and
click Yes to continue.
5. After the action completes take note of the new ID value circled in blue below, then close the open
dialogs but leave the FactoryTalk Administration Console open.
6. Open Logix Designer once again and log on as our engineering user.
Logon Credentials
User: engineer
Password: rockwell
8. You should see the below dialog indicating that the security ID of the FactoryTalk Security server
does not match the value in the controller project, therefore Logix Designer cannot open the project.
Design Tip: If we did not have the exclusive binding box checked in the controller property dialog and
changed the unique ID of our FactoryTalk Security server, we would have been authorized to open this project
because the name of the FactoryTalk Security server remained the same. If the name of your FactoryTalk
Security server changes and you have secured projects and controller resources in Logix Designer, you will see
this same error when you try to open a secured project.
Restore a FactoryTalk Security Authority Identification Value
Now that we have simulated a failure in our FactoryTalk Security server by changing the unique ID we are going to walk through
how to restore functionality from the backup that we created.
1. Looking back at the FactoryTalk Administration Console, select FactoryTalk Security Authority
Identifier… from the Tools menu.
3. From the Restore dialog browse to our backup file located on the Desktop:
(C:\Users\Labuser\Desktop\Network – 6739169-2578-4849-A.bak)
5. You may see the following dialog asking for a Passphrase to restore the directory. In our case we
checked the box earlier to encrypt the directory but did not enter a password, therefore you can click
OK on this dialog to proceed leaving the passphrase field blank.
6. In the Restore dialog select the radio button that says, Restore security authority identifier only, to
restore only our Security Authority ID.
10. Open the IF2_DEMO.ACD Logix Designer project once again from the desktop.
11. Logon as engineer using the password, rockwell.
Logon Credentials
User: engineer
Password: rockwell
Logix Designer will now successfully open and we have fully secured both our design editor (Logix
Designer), our application file (IF2_DEMO.ACD), and our physical controller to a single FactoryTalk
Security Authority.
This completes the Logix Designer Security integration with FactoryTalk Security section of this lab.
FactoryTalk View Site Edition (SE) uses the same security accounts that have been configured within the FactoryTalk Directory
that we use for Logix Designer, allowing the ability to assign specific FactoryTalk View SE actions to existing users. This portion
of the lab will review how to configure some of these basic security options, and then interact with them at client runtime.
1. Launch the FactoryTalk View Studio shortcut from the desktop, or at All Programs > Rockwell
Software > FactoryTalk View > FactoryTalk View Studio
2. Select View Site Edition (Network Distributed) and click Continue
Logon Credentials
User: engineer
Password: rockwell
And the following message in the message display:
The engineer does not currently have access to read the application, which blocks FactoryTalk View Studio from
launching the application at all. The next section of the lab will show how to allow access to this user.
6. Click OK to clear the error and Cancel on the Open dialog. FactoryTalk View Studio will now load
the FactoryTalk Network Directory, but not the View application.
1. Looking at FactoryTalk View Studio, note that the InstantFizz application is not currently listed in the
FactoryTalk tree:
2. Because the engineer cannot access the application, a different user will have to log in to access the
application security. Log off and log in as our admin user, ftadmin (password: rockwell), from the
File menu of the FactoryTalk View Studio.
Logon Credentials
User: ftadmin
Password: rockwell
3. Select InstantFizz from the Open dialog and click Open.
5. Select the Engineers user group from the upper field.
Design Tip: All Actions have been denied to this user in the InstantFizz application. Even though at the
higher Network level this user has been granted these privileges, as indicated by the grey check in the
Allow column, the denial at the InstantFizz level takes precedence. Explicit denials always take precedence
over explicit allows in FactoryTalk Security; deny with care.
6. Uncheck the Deny checkbox for All Actions. The engineer will now inherit its permissions from the
Network container, which allows all privileges except managing security.
7. Check the Allow box next to All Actions. This grants our engineer full access to the application.
Design Tip: We have granted our Engineer user all rights to the application, including configuring
application security. If we DID NOT check the Allow - All Actions box our Engineer user in the following
section would receive the below error when trying to modify Runtime Security in FactoryTalk View:
8. Click OK to close the Security dialog for the InstantFizz application.
1. From the file menu, select Log off, and click Yes to close the open application
Logon Credentials
User: engineer
Password: rockwell
5. With the proper security privileges in place, the application will now successfully load.
FactoryTalk View SE Feature Security
This section will demonstrate how to assign security levels to FactoryTalk users, and then define how those levels relate to
feature options within FactoryTalk View SE. Four levels of feature security will be covered: display level security, object level
security, tag level security, and command level security.
1. With the InstantFizz application open, navigate to Runtime Security in the tree and double-click on it.
2. A list of all currently configured users will appear in the lower pane:
Design Tip: This list identifies the users that have been configured for use with this FactoryTalk View SE
application. While FactoryTalk View SE security makes use of the accounts created in the FactoryTalk
Directory, it does not automatically import these accounts until the user has specifically configured them.
The ‘All Users’ group is automatically configured here by default. We have to now configure our user groups and assign their
access levels.
4. The familiar Security Settings dialog will appear.
7. Select the Supervisors group and click OK to add them to the security list.
Note: Our current user, engineer, is not listed here, yet he is logged into this project in View Studio. That is
because the settings above are for Runtime HMI project security; the engineer is inheriting permissions to
manage View Studio from the FactoryTalk Directory privileges the Engineers group was granted.
8. Add the Administrators, Engineers, Maintenance, No Access, and Operators user groups like
you did the Supervisors group.
9. Your Security Settings dialog should now look like the image below
Note: The Supervisors group is also in this list but slightly hidden in the upper field
10. Select the Operators group. In the lower pane, under All Actions, Expand the FactoryTalk View
Security Codes heading.
11. With the Operators group still selected, check the Deny checkboxes for B, C and D security codes.
12. Next, select the Maintenance group, and check the Deny checkbox for C and E.
14. Finally, select the No Access group, and check the Deny checkbox for All Actions. Then check the
box to Allow code A.
15. Once the new users are added and configured, click OK. A warning may appear in regard to Deny
permissions – click Yes to acknowledge it.
Warning: A member of a group will inherit that group’s permissions (for instance, Operator inherits all
security codes from the Operators group), but explicitly denying a permission will always take precedence if
the permission has been allowed elsewhere.
Note that the new groups now appear in the Runtime Security list.
Configure FactoryTalk View SE Tag Write Security
The goal of this section is to configure the Start_Filling tag as read-only for the Operators and Maintenance groups.
Design Note: The security drop-down currently has the asterisk (*) selected:
This means that any user with at least one security code is capable of writing to this tag. HMI tag security
allows for more granular selection of write access, as opposed to the application-level tag write security.
3. Change the Security drop-down to C.
Recall that the Maintenance and Operators groups were both denied the C security code. By selecting C as
the required tag-write code, it denies write privileges to those users.
2. Right-click on the background of the display (as opposed to one of the objects) and select Display
Settings…
3. The Security Code drop-down is currently set to the asterisk (*), meaning that any user with any
security code authorization can access this screen. Change the code to B.
Recall that the Operators group was denied the B security code. Requiring the B security code for access to
this display means that the Operators will not be able to open it.
4. Click the OK button to apply this change and close the Display Security dialog.
5. Close the med_labeling display and click Yes to save the changes.
Configure FactoryTalk View SE Object Security
The goal of this section is to prevent the Operators group from having the ability to close the FactoryTalk View SE client from its
navigation bar.
2. Right-click on the SHUTDOWN button, at the far right side of the display, and select Animation >
Visibility…
5. Select Security > CurrentUserHasCode()
6. Click OK.
7. Between the parentheses, type the letter D to indicate that the currently logged in user must have the
security code D for this expression to evaluate as true.
8. Select Logical… > OR
11. Click OK
12. Between the parentheses, type “Maintenance” to indicate that the logged in user must be a member
of the Maintenance FactoryTalk Group or have code D for this expression to evaluate as true.
The security feature CurrentUserHasGroup( ) was a new feature enhancement in FactoryTalk View 8.0.
This feature is designed to extend the native FactoryTalk Security functionality to most objects within
FactoryTalk View applications without the need for separate A-P codes.
13. Click OK, to apply this expression to the Exit button object.
Recall that the Operators group was denied the security code D. Because this expression must evaluate to
True for the Exit button to be visible, and it will only evaluate true if the logged in user has security code D,
the Operators group members will not be able to see this button. We have granted our Maintenance group
access, so our Maintenance user will be able to see this button regardless of security codes.
15. Click Close to close the animation dialog.
16. Close the med_moremenu display and click Yes to save changes.
2. Select row 2, then click the browse button by the Command text field, circled below.
4. Click Finish
5. Select E from the Security Code drop-down menu.
Recall that the Maintenance group was denied the security code E, meaning that user will not be able to
issue the Language command. This means that the Maintenance group members will be unable to change
languages at runtime.
2. Log into the client as our supervisor (password: rockwell) and click OK.
3. When the client has finished loading, note that the supervisor user is currently logged in, granting full
rights to the application as a member of the Supervisors group.
Note that the Exit button is visible on the Navigation bar under More… – this button will not be visible to the
Operators users when they log in.
4. Navigate to the Labeling screen by clicking the security key button on the navigation bar.
Recall that this screen has display level security requiring security code B for viewing. When the Operators
group members log in, this screen will not display for them.
6. Click the dial one time to change the status from Run to Stop.
Note that the button toggles to the Stop state and the filling line stops. Click the button again to start the line
and toggle it back to the Start state.
7. Click the dial once again to start the filling process again.
9. When the language selection screen appears, select Spanish. Note that the application’s language
switches.
Take note of the fact that the text fields in this display switched to Spanish.
10. Switch back to English (Inglés), then close the Language Switching display.
2. Use the Login button to login as operator with the password: rockwell
3. Once the Operator user is logged in you will see our display indicates that it is restricted:
4. Close the Login/Logout window with the Close Display button in the top right corner of the
Login/Logout window.
5. Note that the MORE… > SHUTDOWN button is now missing from the navigation bar, due to the
visibility animation checking if the user has the proper security code.
6. Try to navigate to the Labeling screen by clicking the Labeling button on the navigation bar.
7. Note that the system does not navigate to the packaging page, and there is an error in the
diagnostics log at the bottom of the screen.
8. Now use the Login/Logout screen to log in as our Maintenance user, with the password: rockwell
9. Close the Login/Logout window with the Close Display button in the top right corner of the
Login/Logout window.
10. Notice the MORE… > SHUTDOWN button reappears, as this user is a member of the allowed group.
11. Navigate to the LABELING screen, which will display properly this time.
13. Click the Start/Stop Button.
15. Push the LANGUAGES button from the MORE… menu on the navigation bar.
16. Attempt to change the language to Spanish, and note the error message displayed in the message
window:
17. Click the SHUTDOWN button from the MORE… menu on the navigation bar.
18. Click Yes / Exit to close the View SE Client.
This completes the FactoryTalk View SE Security Overview section of this lab.
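The runtime results in this section follow from two rules the lab states: a group member inherits the group's codes, and an explicit Deny overrides any Allow. The Python model below is an added example, not Rockwell Automation code or part of the original lab; it assumes the default All Users entry allows codes A through P and that the Maintenance account is named maintenance.

```python
from dataclasses import dataclass

ALL_CODES = frozenset("ABCDEFGHIJKLMNOP")  # FactoryTalk View security codes A-P


@dataclass(frozen=True)
class GroupAcl:
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()


# Runtime Security entries as configured in the lab steps.
RUNTIME_SECURITY = {
    "All Users": GroupAcl(allow=ALL_CODES),         # assumption: default entry allows A-P
    "Supervisors": GroupAcl(),                      # no explicit denies
    "Operators": GroupAcl(deny=frozenset("BCD")),   # step 11
    "Maintenance": GroupAcl(deny=frozenset("CE")),  # step 12
}

# Account -> groups. "maintenance" is an assumed account name.
MEMBERSHIP = {
    "supervisor": {"Supervisors"},
    "operator": {"Operators"},
    "maintenance": {"Maintenance"},
}


def effective_codes(user, acls=RUNTIME_SECURITY):
    """Union of inherited allows minus every explicit deny (deny wins)."""
    allowed, denied = set(), set()
    for group in MEMBERSHIP[user] | {"All Users"}:
        allowed |= acls[group].allow
        denied |= acls[group].deny
    return frozenset(allowed - denied)


def current_user_has_code(user, code, acls=RUNTIME_SECURITY):
    return code in effective_codes(user, acls)


def current_user_has_group(user, group):
    return group in MEMBERSHIP[user]


def meets(user, required, acls=RUNTIME_SECURITY):
    """'*' means any user holding at least one security code."""
    codes = effective_codes(user, acls)
    return bool(codes) if required == "*" else required in codes


# Security code each protected item requires after the lab changes.
PROTECTED = {
    "write Start_Filling tag": "C",
    "open med_labeling display": "B",
    "run Language command": "E",
}


def shutdown_visible(user, acls=RUNTIME_SECURITY):
    """Visibility expression from the lab: CurrentUserHasCode(D) OR
    CurrentUserHasGroup("Maintenance")."""
    return (current_user_has_code(user, "D", acls)
            or current_user_has_group(user, "Maintenance"))


def access_matrix(acls=RUNTIME_SECURITY):
    matrix = {}
    for user in MEMBERSHIP:
        row = {item: meets(user, code, acls) for item, code in PROTECTED.items()}
        row["see SHUTDOWN button"] = shutdown_visible(user, acls)
        matrix[user] = row
    return matrix


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user)
        for item, ok in row.items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {item}")
```

Because the SHUTDOWN expression also tests group membership, denying code D to Maintenance later would not hide the button from that group; review visibility expressions together with the code assignments.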
Section 3: Securing Controller Data and Data Access
This section will explain how program data and data access control is configured to ensure that your data is protected from
design time all the way to implementation and runtime.
1. Open the IF2_DEMO.ACD Logix Designer project from the desktop.
Logon Credentials
User: engineer
Password: rockwell
1. From the controller menu select Go Online to go online with the controller.
2. Be sure the controller is set to Run from the controller menu in Logix Designer.
5. If not already selected, click the Edit Tags tab on the bottom of the window.
6. Scroll to the right until you can see the columns External Access and Constant.
The following subsections will explain the External Access & Constant functionality of Logix Designer and how these
enhancements to the Rockwell Automation Integrated Architecture system can be utilized to implement some stronger security
practices in applications.
External Access
1. In the Logix Designer tag editor, notice that the External Access property for the NormalTag, PV,
and TempWorking tags is set to Read/Write.
Default Value of External Access
The default value in the External Access box is dependent on the usage, and type of the tag. The following table
describes the values.
If the tag is Default value is
2. Launch the InstantFizz application in the FactoryTalk View SE Client from the desktop, leaving Logix
Designer open on Online in the background.
3. Log into the client as our administrator, ftadmin (password: rockwell) and click OK.
4. When the client has finished loading, select the TAG SECURITY display from the MORE… menu.
5. Click on Numeric Entry labeled Normal Tag. Type a new value in and hit the Enter key. Watch the
value change in the numeric display to the right.
6. Repeat above step, writing a value to PV and then Temp Working Tag.
7. Switch back to Logix Designer, leaving the InstantFizz ViewSE client open.
8. Change the value of the External Access property for the tags listed below.
Tag            External Access
NormalTag      Read/Write
PV             Read Only
TempWorking    None
10. Click the Overview button to refresh the main Overview display.
11. Click the TAG SECURITY display from the MORE… menu.
12. Click on numeric entry labeled Normal Tag. Type a new value in and hit the Enter key. Watch the
value change in the numeric display to the right.
13. Click on numeric entry labeled PV. Type a new value in and hit the Enter key.
Notice that the value doesn’t change in the Numeric Display to the right, the input box turns red, and an error is logged to
the Diagnostics List.
14. Notice that the numeric input and numeric display objects that are labeled Temp Working are now
wire-framed.
This completes the External Access section of this lab. Leave both Logix Designer and the InstantFizz View SE Client open and
proceed to the next section.
Constants
About Constants
In Logix Designer v18 and later, you can designate tags as constants to protect them from being changed programmatically via:
• the controller programming application.
• logic in the controller.
A check mark in the Constant box on tag creation dialog boxes and tag editor/monitor windows indicates a ‘constant’
designation.
FactoryTalk security is used to control who is permitted to modify values of constants and who can modify the constant attribute
of a tag. To change the value of a constant, you must have the Tag: Modify Constant Tag Values permission. To modify the
constant attribute of a tag, you must have the Tag: Modify Constant Property permission.
For details on setting permissions, see the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001.
For an alias tag, the default constant setting of this tag is the same as its target tag. For all other conditions, the default value is
unchecked, indicating the tag is not a constant value tag.
When you designate an InOut parameter as a constant, it cannot be written to within the Add-On Instruction.
Design Tip: You cannot pass a constant value tag as an argument to an Output parameter of an Add-On
Instruction. You cannot pass a constant tag to an InOut parameter that is not also designated as a constant
value.
Protecting Tags from Programmatic Modification
1. Return to Logix Designer. Notice the values of the External Access and Constant properties for the
OperSetPoint, Pi, and SecretRatio tags. External Access should be set to Read/Write, and the Constant
property should be unchecked for all 3 tags.
2. Return to the InstantFizz View SE Client’s Tag Based Security Demo display.
3. Click on Numeric Entry labeled Set Point (Operator Input). Type a new value in and hit the Enter
key. Watch the value change in the numeric display to the right.
4. Click on Numeric Entry labeled Pi (Constant). Type the value 3.14 in and hit the Enter key. Watch
the value change in the numeric display to the right.
5. Click on Numeric Entry labeled Secret Ratio. Type the value .0218 in and hit the Enter key. Watch
the value change in the numeric display to the right.
6. Return to Logix Designer.
7. Change the value of the External Access property and Constant property for the tags listed below.
Tag             External Access    Constant
OperSetPoint    Read/Write
Pi              Read Only
SecretRatio     None
8. Return to FactoryTalk View SE Client
10. Click the TAG SECURITY display from the MORE… menu.
11. Click on Numeric Entry labeled Set Point (Operator Input). Type a new value in and hit the Enter
key. Watch the value change in the numeric display to the right.
12. Click on Numeric Entry labeled Pi (Constant). Type a new value in and hit the Enter key. Notice that
the value doesn’t change in the Numeric Display to the right and an error is logged to the Diagnostics
List.
Red indicates there was an error writing the value to the controller.
The value doesn’t change because it was never written to the controller.
13. Notice that the Numeric Input and Numeric Display objects that are labeled Secret Ratio are now
wire-framed.
14. Click the SHUTDOWN button from the MORE… menu on the navigation bar.
16. Return to Logix Designer.
18. Click on rung 0 and then click on the new rung button.
Click on the Rung button on the toolbar.
19. Use the scroll button in the instructions toolbar to scroll until you can see the Move/Logical tab.
Click on the Move/Logical tab.
20. Click the MOV button on the instruction toolbar to add a new MOV instruction to the rung.
Set the source to NormalTag and the destination as OperSetPoint.
21. Click the Accept Pending Rung Edits button on the toolbar.
22. Notice that Logix Designer reports that there is an error with the new rung. This is because a tag that
has been designated as a constant cannot be the destination for any instruction.
26. Click the save button on the toolbar to save the program, and answer Yes when prompted to
upload data.
1. From the Logix Designer tool menu select Tools > Security > Log On.
2. When prompted to login we will now login as our maintenance user, maintenance with the password,
rockwell.
Logon Credentials
User: maintenance
Password: rockwell
5. Change the value of SecretRatio to another number.
6. Launch the FactoryTalk Administration Console from the Desktop if not already open.
Logon Credentials
User: ftadmin
Password: rockwell
9. Right click on Network (FTSEC-DEMO14) in the Explorer tree. Choose Security…
10. In the Security Settings, select the Maintenance group in the top pane. Then scroll down to and
expand the RSLogix5000 group.
11. Scroll down in the permissions list until you see Tag: Modify Constant Property and Tag: Modify
Constant Tag Values under the RSLogix5000 group.
12. Uncheck the Tag: Modify Constant Property and Tag: Modify Constant Tag Values under the
Logix Designer group.
16. From Logix Designer, select Tools > Security > Refresh Privileges.
17. Notice that the Value field is greyed out for all of the constant tags.
Note: If the fields do not become non-editable you may not have enabled security from section 1 of this lab.
18. Select Tools > Security > Log On.
Logon Credentials
User: engineer
Password: rockwell
20. Open the Tag Monitor from the SecurityDemo Program Tags window
22. Close Logix Designer and save changes, uploading tag values, when prompted.
Section 4: Protecting Logix Designer Source Code
Source protection is useful to protect the intellectual property or critical areas of a Logix Designer application from unauthorized
access. You can restrict access to the following types of Logix 5000 objects:
• Add-On Instructions
• Routines
o Ladder
o Function Block Diagrams
o Sequential Function Charts
o Structured Text
For more information about Logix Designer Source Protection please refer to the FactoryTalk Security System Configuration
Guide (FTSEC-QS001-EN-E) from the Rockwell Automation Literature Library, direct link below.
http://literature.rockwellautomation.com/idc/groups/literature/documents/qs/ftsec-qs001_-en-e.pdf
Configuring Source Protection on a Logix Designer Application File
After the Source Protection function is enabled during Logix Designer installation, the Configure Source Protection command is
available from the Tools > Security menu. For the purposes of this lab, the Source Protection Tool has already been enabled.
This utility is an optional component of the installation, made available by checking the box labelled “Enable Source
Protection” during the installation.
2. Log on as engineer using the password, rockwell. If the application is already open, select Log On…
from the Tools > Security menu of Logix Designer to log in as the engineer.
Logon Credentials
User: engineer
Password: rockwell
3. Select Configure Source Protection from the Tools > Security menu.
Design Tip: Source Protection can only be configured on an offline project file.
4. Source Protection requires a Source Key File location to be specified. Click Yes to specify the Source
Key File location.
5. The following dialog will open, enter this path: C:\Lab Files\ into the Source Key File Location: field
and click OK to create the sk.dat key file in this location.
Design Tip: You may want to store this key file in a secured area of FactoryTalk AssetCentre, but it would
have to be downloaded separately to be accessed. Logix Designer cannot access a key file inside the
FactoryTalk AssetCentre archive.
7. View the Source Protection Configuration options:
When the Source Protection Configuration dialog box displays, you will see all of the Program routines and Add-On
Instructions in the project file:
9. Enter VendorCode as the source key. Show Source Key can be enabled to see the value in
plaintext. Click OK to continue.
Design Tip: An ideal key uses all characters available on the keyboard including letters, punctuation,
symbols, and numbers. The greater the variety of characters used, the better.
10. The PFlex_700_AOI routine is now protected with the key VendorCode.
11. Highlight the SIM_PV_AOI routine, and click the Protect button.
Design Tip: You can select the Allow viewing of routine check box on this dialog box to allow a routine to be
viewed, but not edited, from a system that does not have the appropriate source keys. If you leave this box
cleared, the source is not viewable.
Protected routines that do not allow viewing cannot be viewed by systems that do not have the required key
files.
14. The SIM_PV_AOI routine is protected, but can be viewed in a read only mode by sources that do not
have the key file.
15. Highlight the VFD_AOI routine, and click the Protect button.
16. Check the Show Source Key check box.
18. The VFD_AOI routine is protected, and cannot be viewed by sources that do not have the key file.
19. Highlight the SecurityDemoProg MainRoutine routine, and click the Protect button.
20. Select the ProtectedCode as the source key from the drop down. To make the routine viewable,
select Allow Viewing of component(s). Click OK to continue.
21. The MainRoutine routine is protected, but can be viewed in a read only mode by sources that do not
have the key file.
Design Tip: Notice that the same Source Key can be used for multiple routines. You can also make some
routines viewable while other routines protected with the same source key are not viewable.
22. Click Close.
23. Click the save button on the toolbar to save the program.
26. When prompted to return the controller back to Remote Run, click Yes.
WARNING: If you export a source-protected Add-On Instruction and want the exported contents encrypted,
you must first remove, rename, or move the source key file (sk.dat). This causes the exported Add-On
Instructions to be encrypted.
3. Move, do not copy, the sk.dat file from the Lab Files folder to the Desktop.
Recall this is our key file that we secured several objects with in Logix Designer. Removing this file
from the configured location should secure those objects as we configured.
Logon Credentials
User: engineer
Password: rockwell
6. Navigate to the SecurityDemo task and open the Main Routine.
VFD_AOI was protected and not viewable. The tag and code within
the AOI are not viewable on a system that does not contain the key for
the routine; the user cannot modify the routine.
8. Next, navigate to the SIM_PV_AOI Add-On Instruction and open it.
Instruction Signature
When an instruction is sealed, you can perform only these actions:
• Copy the instruction signature
• Create or copy a signature history entry
• Create instances of the Add-On Instruction
• Download the instruction
• Remove the instruction signature
• Print reports
• Copy the Add-On Instruction Definition to another project (the instruction will remain sealed and under source protection
if applicable)
Design Tip: If desired, source protection must be applied prior to generating an instruction signature. You
will need the source key to create a signature history entry. When source protection is enabled, you can still
copy the instruction signature or signature history, if they exist, but you cannot remove the signature, nor edit
the AOI definition without the proper key.
Add-on Instructions that have a signature are often referred to as a High Integrity Add-On Instruction or Sealed Add-On
Instruction.
Generating a Signature
Follow these steps to generate an instruction signature:
1. Open Logix Designer once again and log on as our engineering user, engineer.
Logon Credentials
User: engineer
Password: rockwell
3. Double click on the VFD_AOI add-on instruction
Design Tip: You must be offline to perform this procedure. If this is a safety Add-On Instruction, the project
cannot be safety-locked or have a safety task signature.
6. Answer Yes to the prompt "Generate instruction signature?"
This seals the instruction, generates its signature, updates the Last Edit Date, and places the instruction in a read-only state
to prevent edits.
Design Note: If unsaved edits exist on other tabs of the Add-On Instruction dialog box, the prompt reads as
follows: "Unapplied edits exist in the add-on instruction. Do you want to apply edits and generate signature?"
Answering Yes saves those edits and generates a signature.
1. On the Signature tab of the Add-On Instruction Definition Editor, click the Add to History button.
2. You can add a description, up to 512 characters long, for the entry.
Enter the description “Revision 1 – Initial release for general use.” Click OK.
3. The Signature information along with the description you entered is added to the top of the Signature
History Table. Click OK to close the Add-On Instruction Definition dialog.
IMPORTANT: The Generate signature action is lost (along with all other unsaved edits) if the project is not
saved.
2. Click on the Signature tab.
3. On the Signature tab of the Add-On Instruction Definition Editor, click the Remove button.
This will “unseal” the AOI so it can be modified.
Getting Signature Information in Code
There is a new class for the GSV instruction that allows you to get key AOI information programmatically. The following
information can be read using the new class name:
Element          Description                  Data Type   Description
Class Name       AddOnInstructionDefinition
Instance Name    AOI Definition Name
Attribute Name   MajorRevision                DINT        Major revision number of the Add-On Instruction
                 MinorRevision                DINT        Minor revision number of the Add-On Instruction
                 Name                         String      Name of the Add-On Instruction
                 RevisionExtendedText         String      Text describing the revision of the Add-On Instruction
                 Vendor                       String      Vendor that created the Add-On Instruction
                 LastEditDate                 LINT        Date and time stamp of the last edit to an Add-On Instruction
                 SignatureID                  DINT        32-bit instruction signature value
                 SafetySignatureID            DINT        32-bit safety instruction signature value
3. Use the values below for the new GSV instruction. You will have to type SignatureID into the Dest
field, because the tag does not exist yet.
4. Right click on SignatureID in the Dest field and select New Local Tag ‘SignatureID’… from the
context menu.
5. In the New Tag dialog box, set the Usage to Output Parameter, and then click OK.
6. Double click on the VFD_AOI add-on instruction
7. On the General tab of the AOI Definition dialog, bump the Minor revision number up by one.
10. You may be prompted to apply unsaved edits, click Yes to commit these changes.
11. If prompted with a warning about signatures, answer Yes to the prompt "Generate instruction
signature?"
12. On the Signature tab of the Add-On Instruction Definition Editor, click the Add to History button.
13. Enter the description “Revision 1.1 – Added SignatureID as an output parameter.” Click OK.
14. The Signature information along with the description you entered is added to the top of the Signature
History Table. Click OK to close the Add-On Instruction Definition dialog.
15. Click the save button on the toolbar to save the program.
IMPORTANT: The Generate signature action is lost (along with all other unsaved edits) if the project is not
saved.
3. Select Create New Project
6. Click Next
7. Under the Security Authority: field select FactoryTalk Security (FTSEC-DEMO14)
8. Click Finish
Logon Credentials
User: engineer
Password: rockwell
11. Right click on VFD_AOI and click Copy on the context menu.
12. Return to the new Logix Designer project you created. Right click on Add-on Instructions and click
Paste from the context menu.
13. Double click on the newly copied VFD_AOI add-on instruction in your new project.
14. Click on the Signature tab.
16. Close both Logix Designer applications. There is no need to save the changes to the new project.
This completes the Protecting Logix Designer Source Code section of this lab.
Section 5: Change Management for ControlLogix Programmable Automation Controllers
This section of the lab outlines how to leverage security features within the Logix Designer to enhance the security of your
application and system.
We are first going to explore the change detection functions in Logix Designer and investigate how to configure what types of
changes are tracked. Then we will move over to FactoryTalk AssetCentre where our maintenance user can review the audit log
for changes, and generate a report of changes made during a shift period.
1. Open Logix Designer once again and log on as our engineer user (password: rockwell).
Logon Credentials
User: engineer
Password: rockwell
3. Open the controller properties dialog, by pushing the button on the menu bar.
4. Once the Controller Properties dialog is open select the Security tab. You should see the window
shown below:
Note: Notice the Changes to Detect field circled in blue above. You will see this value displays all “F”’s.
This hexadecimal key code is the mechanism that Logix Designer uses to calculate audit changes.
5. Click the Configure… button. You will see the list of all the items that can be audited in the
controller; by default all items are selected.
8. Notice how the Changes to Detect value has changed:
10. From the controller menu, select Download to download the project with these changes to the
controller.
11. From the download dialog click the Download button.
12. If the controller is not currently in run mode, switch the controller back to Run and stay Online.
13. Open the Controller Properties once again, by clicking the button, select the Security tab, and
notice how the Audit Value of the Change Detection field is populated and has a unique value. This
value is called the CCUID.
Note: Your value will likely not be the same as the one above, this value is unique.
14. Using the key on the controller, change the mode of the processor from REM to PROG, then PROG
to RUN, then finally back to REM.
15. Look at the Audit value again, notice that it changes from what you noted before.
This is an indication that a change has occurred on the system which has been captured in the
controller’s change log.
16. Recalling that we disabled the change detect option for Remote Mode Changes from the Change
Detection configuration, change the processor mode from Run Mode to Program Mode. You will be
prompted with the dialog shown below warning about the change to program mode, click Yes to
acknowledge this warning.
17. Look at the Audit value again, notice that the value did not change from what you last noted.
Since this change is not tracked, it is not reflected in the Audit value.
19. Change the mode of the processor back to Run Mode from the Controller Menu.
The change detection feature in Logix Designer monitors all changes to the controller. While online with the controller feel free to
add additional tasks, Add-On Instructions, Data Types, etc… and take note of how the Audit Value in the controller property
dialog changes.
FactoryTalk AssetCentre Audit Logging
1. Leaving Logix Designer open, launch the FactoryTalk AssetCentre Client by double-clicking on the
icon that looks like the one below from the desktop.
2. When prompted to login we will now login as our maintenance user, maintenance with the password,
rockwell.
Logon Credentials
User: maintenance
Password: rockwell
3. Once the client opens, from the menu along the top of the client interface click the Logs button
4. Once inside of the Logs module, select the audit messages by clicking on the button that says,
Audit Logs.
5. You should see several new audit log messages that look similar to the snippet below:
Note: Take special notice that the Source collecting these logs is Logix Designer. Also notice that the
Resource name is the project name running on this particular controller, IF2_DEMO in our case. You will
also note that since the engineer was logged into Logix Designer at the time these changes were made, the
engineer was listed as the user making the change. This drastically simplifies the reporting process for
controller change reports.
FactoryTalk AssetCentre Audit Log Reporting
FactoryTalk AssetCentre has a large array of reporting options available. You can produce reports on file access from the
FactoryTalk AssetCentre Archive, event data from the FactoryTalk AssetCentre Event Log, network health reports from the
FactoryTalk AssetCentre Network Health Log using RSNetworx, and audit reports using the FactoryTalk AssetCentre audit log.
We are going to focus on the last area, the audit logs.
2. You will see several pre-configured searches that were already created in the list; we want to create
a new one to look at changes in Logix Designer made today.
5. In the lower field select the Audits Data Source and click Finished
6. Now that the search is created we need to add conditions to the search. In the lower field of the
search display click the Conditions tab.
8. From the New Condition dialog select the Relative to date/time report is run radio button
11. From the Column field select Source.
12. From the lower String Condition field select Equal To and select Logix Designer from the list.
14. Notice in our condition list the second condition was added with an ‘AND’. This is the default
condition. You could also add this as an OR, or a NOT, but we want AND in our case.
15. Click the button in the lower right corner of the screen.
16. Click the button from the upper part of the Searches dialog and see next page.
17. You should have a report that looks similar to this, but with today’s date:
Audit messaging is an important aspect of system security. FactoryTalk AssetCentre serves as the repository for
audit messages produced in FactoryTalk. All Integrated Architecture branded Rockwell products that utilize the
FactoryTalk Directory produce audit messages; we just looked at one example here, Logix Designer.
Automated Controller Change Monitoring with FactoryTalk AssetCentre
A new feature introduced with version 4.10 of FactoryTalk AssetCentre and version 20 of Logix Designer is the ability for
AssetCentre to automatically monitor changes made to CompactLogix and ControlLogix controllers without needing to use Logix
Designer. Let’s explore how that feature works.
1. Looking once again at FactoryTalk AssetCentre click the button from the top toolbar.
You will see a schedule that already exists. That schedule is backing up our FactoryTalk View SE HMI server
application and our Logix Designer Application. We won’t explore these in this lab, but if you have questions
on these types of schedules ask one of the lab moderators to explain this feature to you.
2. From the asset tree on the left side of the AssetCentre Client window select the container object
called InstantFizz.
3. Click the button on the Schedule dialog.
4. From the New Schedule Wizard select Device Monitor – Change Detect from the Operations menu
7. On the timing properties page change the Controller Idle: to 1 Minute and the Maximum Runtime
to 2 minutes.
The Controller Idle time setting indicates how long AssetCentre should wait for the changes (tracked by that Audit Value in Logix
Designer we previously learned about) to stop occurring before adding those detected changes to the log. We want them to
come in quickly, so we are setting the values very low. Similarly the maximum runtime for the schedule tells AssetCentre how
long it should absolutely wait before taking the current set of changes and submitting them. Once changes are submitted the
schedule will continue and gather more changes.
8. Click Next
9. From the Operations Properties dialog expand the InstantFizz container and select the IF2_Demo
Logix PAC
10. Once the controller is selected on the right side of the screen change the Copy Controller Log to
Audit Log value to True
12. Once the schedule is created in the lower left field you will see that AssetCentre is now creating a
connection to the controller.
13. After a few seconds the status will change to Change detect in process. This indicates that
AssetCentre has successfully connected and is waiting for changes to occur.
14. Recall from earlier that we set our controller, through Logix Designer, to monitor changes to the key
switch mode. Once again turn the key on the controller from REM to PROG to RUN to REM.
15. Wait approximately 1 minute for the Change detect in progress status to disappear from the
AssetCentre schedule.
16. Once the status clears click the Logs tab once again near the top of the screen, and be sure you are
looking at the Audit Log
17. You should now see several new logs, indicated in bold type, similar to the image below:
18. Select the message at the top of the list that says Keyswitch mode change in the message field.
Looking at the details of the audit message you can see what is captured, in many cases, the previous value and the new value
to give context to the user in regards to the change that was made.
19. Switch back to the Logs tab and click the Event Log button
20. Select the entry of the message that says: Change Detect Complete
AssetCentre/InstantFizz/IF2_Demo Logix PAC
21. In the lower field you will see the information about this change detection schedule, such as the
location of the controller on the network and when this entry was made.
22. Double click on the paper clip by the event message that says:
23. Click the View button to view the change report.
This report is produced and stored with a quick report of all the changes that occurred during the last
detection event. This report can be automatically emailed to a list of recipients upon creation.
26. From the menu along the top of the FactoryTalk AssetCentre Client click the Searches button
28. In the name field enter, ControlLogix Changes Detected Today
29. In the lower field select the Audits Data Source and click Finished
30. Now that the search is created we need to add conditions to the search. In the lower field of the
search display click the Conditions tab.
31. Click the button
32. From the New Condition dialog select the Relative to date/time report is run radio button
36. From the lower String Condition field select Equal To and select Logix5000 Controller from the list.
38. Notice in our condition list the second condition was added with an ‘AND’. This is the default
condition. You could also add this as an OR or a NOT, but we want AND in our case.
39. Click the button in the lower right corner of the screen.
40. Click the button from the upper part of the Searches dialog and see next page.
41. You should have a report that looks similar to this, but with today’s date:
Design Tip: This report was created in FactoryTalk AssetCentre to grab all the changes on this controller
that occurred today. You could also expand this report by adding the Event Messages for the IF2_DEMO
produced by the RA Disaster Recovery Agent to include details on when backups were performed on this
controller. Additionally, you could configure this report to collect only the changes made in the past few hours,
days, etc. to compare to a previous report.
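The Controller Idle and Maximum Runtime settings from step 7 of the Change Detect schedule determine how long a controller change can stay out of the Audit Log. The Python model below is an added illustration of that timing, not FactoryTalk AssetCentre code; it assumes times in seconds and that Maximum Runtime is counted from the first change in a batch, and all names and sample timings in it are constructed.

```python
"""Model of the Controller Idle / Maximum Runtime timing of a Change Detect schedule.

Added illustration, not FactoryTalk AssetCentre code. Assumptions: times are
in seconds, and Maximum Runtime is counted from the first change in a batch.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Batch:
    submitted_at: float   # time at which the batch is written to the Audit Log
    changes: List[float]  # times of the controller changes carried by the batch

    @property
    def worst_delay(self) -> float:
        """How long the oldest change in the batch waited before it was logged."""
        return self.submitted_at - self.changes[0]


def batch_changes(change_times: Sequence[float],
                  controller_idle: float,
                  max_runtime: float) -> List[Batch]:
    """Group change times into the batches the schedule would submit.

    A batch is submitted when no change has been seen for `controller_idle`
    seconds, or `max_runtime` seconds after its first change, whichever comes
    first. A change arriving at or after that moment opens the next batch.
    """
    if controller_idle <= 0 or max_runtime <= 0:
        raise ValueError("controller_idle and max_runtime must be positive")

    batches: List[Batch] = []
    current: List[float] = []
    deadline = 0.0
    for t in sorted(change_times):
        if current and t >= deadline:
            # The open batch was already submitted before this change arrived.
            batches.append(Batch(deadline, current))
            current = []
        current.append(t)
        # Idle timer restarts on every change; the runtime cap does not.
        deadline = min(t + controller_idle, current[0] + max_runtime)
    if current:
        batches.append(Batch(deadline, current))
    return batches


def worst_case_delay(batches: Sequence[Batch]) -> float:
    """Longest time any change stayed out of the Audit Log (0 if no batches)."""
    return max((b.worst_delay for b in batches), default=0)


# Constructed sample inputs (seconds since the schedule connected).
KEYSWITCH_CYCLE = [0, 5, 10]             # REM -> PROG -> RUN -> REM
STEADY_EDITS = list(range(0, 301, 30))   # one tracked change every 30 s for 5 min

if __name__ == "__main__":
    for label, idle, max_rt in (("lab settings", 60, 120),
                                ("long max runtime", 60, 3600)):
        for name, times in (("keyswitch", KEYSWITCH_CYCLE),
                            ("steady edits", STEADY_EDITS)):
            batches = batch_changes(times, idle, max_rt)
            print(label, "/", name,
                  [(b.submitted_at, len(b.changes)) for b in batches],
                  "worst delay:", worst_case_delay(batches))
```

With the lab's 1 minute and 2 minute settings, a steady stream of edits still reaches the Audit Log every 120 seconds. With a long Maximum Runtime, continuous activity holds every change back until the edits stop.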
This completes the Change Management for ControlLogix Programmable Automation Controllers section of this lab.
Publication CE-DM131E-EN-E — November 2014 Copyright© 2014 Rockwell Automation, Inc. All rights reserved.
Supersedes Publication CE-DM131D-EN-E — June 2014