FactoryTalk Security
From SCADApedia
FactoryTalk Security, formerly known as RSAsset Security, is a software security application that other Rockwell Software PLC and PAC management applications will either integrate or leverage. FactoryTalk security will authenticate users, implement granular authorization, and log access details.
FactoryTalk Security runs on Windows 2000, 2003 and XP operating systems.
Contents |
Overview
FactoryTalk Security centralizes the authentication and authorization controls for managing a system of Rockwell Automation PAC's such as ControlLogix. In a decentralized environment, users would run programs such as RSLinx or RSLogix and connect directly to a controller. In the FactoryTalk Security approach, the management programs will connect to FactoryTalk Security to authenticate the user and computer and determine what authorization rights have been enabled by the FactoryTalk Security administrator.
Authentication
FactoryTalk Security supports both local accounts and authentication and Microsoft Active Directory accounts and authentication via a domain controller.
Local Accounts
UserID's and associated passwords can be entered locally into the FactoryTalk Security application. This is recommended for organizations with a small number of users or organizations that do not have a dedicated domain controller, in a different tree/forest than the enterprise domain, in the control center network.
Active Directory (Domain Controller) Accounts
FactoryTalk Security can proxy the authentication solution to an Active Directory domain controller. For organizations with a control system domain, this eliminates the need to re-enter users in a second management system. It also is easier to remove users who no longer require access.
Active Directory supports a variety of strong, two-factor authentication methods such as biometrics (fingerprint), smart cards and SecurID tokens. It is unclear whether FactoryTalk Security supports any of these strong authentication methods.
Authentication Security Policy
Common authentication settings such as a password policy, including complexity requirements, and idle timeouts can be set directly in the Security Policy Properties area.
Computer Authentication
A list of authorized Windows computers can be added to the FactoryTalk Security application. When a user attempts to login to the FactoryTalk Security application it will verify the password credential and that the user's computer is entered in FactoryTalk Security.
For example, the HMI computers could be added to FactoryTalk Security and a unique account could be created for an operator. Assuming proper entry of his userID/password, the operator would be authenticated from an HMI computer but fail authentication with the same credentials from a laptop connected to the control center network.
CPU Lock Password
A Logix PAC, such as the [ControlLogix], supports a single password on the PAC through the CPU Lock feature. The passwords in FactoryTalk Security are independent of the CPU Lock password. If both CPU Lock and FactoryTalk Security are implemented, a user would need to run the CPU Lock utility and unlock the PAC prior to managing the PAC with the RSLinx, RSLogix or some other tool that required FactoryTalk Security authentication. Version 16 of the RSLogix may include an integrated CPU Lock utility.
The implementation of FactoryTalk Security does not obviate the need to protect the controllers being managed. While authenticated users are likely to not try to exceed their authority, disgruntled insiders and other attackers that have breached the security perimeter can simply ignore FactoryTalk Security and go straight to the controller. A copy of a Rockwell Software management application, such as RS Linx, makes this simple if the PAC is not locked using the CPU Lock feature as shown in the figure below.
If unlocking and locking each PAC is considered to onerous for administrators, an access control list (ACL) on a router or similar firewall ruleset can restrict access to authorized IP addresses and the required ports. In fact, limiting access via router ACL or firewall ruleset is a positive control even with CPU Lock passwords to provide defense in depth.
Authorization
Once a user is authenticated to FactoryTalk Security the application will pass a set of product policies to the Rockwell Software application that determines
- what PAC's the user can access
- over 50 actions on the PAC can be enabled or disabled
What PAC's the user can manage is straightforward. For example, for an organization with three power plants each user may have access restricted to the PAC's in their respective plants.
Setting action authorizations often require more thought and time because of the large number of possible settings. Examples of actions that can be allowed or prohibited include Clear Fault, Modify Mode, Permit Tag Value Changes and Controller Upload/Download.
PAC access and actions can be configured uniquely for each user. FactoryTalk Security also supports assigning PAC access and actions by group to ease implementation of role based access control.
Security Event Logging
Security event audit settings can also be configured in FactoryTalk Security and pushed to the Rockwell Software product at login. Audit settings can determine whether controller access permitted and denied events are logged as well as individual actions.
The logs remain on the Rockwell Software product and are not pushed to the FactoryTalk Security system. Rockwell Automation does offer a centralized management solution called FactoryTalk AssetCentre that provides centralized and detailed logging as well as change control and backup.
