5058-CO900G L03 - Design, Implement, and Manage FactoryTalk Security
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC

Background: What is FactoryTalk Security?
Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.
How does it work? It provides a security authority that verifies the identity of each user and grants or denies the user's requests to perform a particular set of actions on resources within the system.
• (Step 1) Request Access
• (Step 2) Access Granted or Denied
• (Step 3 - optional) Authorize access to specific devices
Elements shown in the diagram:
• Security Authority (FactoryTalk Directory)
• All FactoryTalk Security enabled software
• User Roles (FT groups or Windows groups)
• User Accounts (FT users or Windows users)
• Computers and Computer Groups
• System Policies (plant wide)
• Product Policies
• Controllers to be secured
• Secure Controllers by Area (resource groups)

Let’s Learn about Fred: Creating User Accounts
• “Fred”; user name and PW

Let’s Learn about Fred: FactoryTalk System Policies
• “Fred’s” PW expires in 30 days

Let’s Learn about Fred: Assigning Users to a Group or Role
• “Fred” is an Engineer

Let’s Learn about Fred: Assign FactoryTalk Software Permissions
• “Fred” can use Logix Designer

Let’s Learn about Fred: Assign Groups or Roles Permissions
• Engineers can Modify AOIs

Let’s Learn about Fred: Resource Assignment to Areas of Applications
• Finally, “Fred” is an Engineer who can Modify AOIs on all controllers in “Area2”

FactoryTalk Security in Logix Controllers: Using the Security Authority Identifier (SAID)
• With FactoryTalk Services Platform SR5 and Logix V20 (and later)
• Configures Logix controllers to require that all users be authenticated from a specific instance of the FactoryTalk Directory before they can access the controller (Security Authority Identifier)
• Security Authority Identifier gets stored in the project (“project binding”), which secures the offline file
Anyone working on a project (online or offline) with the “Security Authority ID required” box checked is first required to “Log On” using the FactoryTalk Directory used to secure the project.
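The “Fred” walk-through and the Security Authority Identifier binding above combine into one access decision. The Python model below is an added example, not Rockwell Automation code or a FactoryTalk API: the `Directory` class, its field names, the controller names and the SAID placeholder strings are assumptions, and all sample data is constructed.

```python
import hashlib, hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=30)  # system policy: PW expires in 30 days
def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Directory:
    """Toy security authority; every field name here is an assumption."""
    said: str                                           # Security Authority Identifier
    users: dict = field(default_factory=dict)           # user -> (salt, hash, date set)
    groups: dict = field(default_factory=dict)          # group -> {users}
    product_access: dict = field(default_factory=dict)  # product -> {groups}
    grants: dict = field(default_factory=dict)          # (area, action) -> {groups}
    areas: dict = field(default_factory=dict)           # area -> {controllers}

    def authenticate(self, user, password, today):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, stored, set_on = rec
        ok = hmac.compare_digest(stored, pw_hash(password, salt))
        return ok and today - set_on <= PASSWORD_MAX_AGE

    def authorize(self, user, product, action, controller, bound_said):
        """Decide a request from an authenticated user: (allowed, reason)."""
        if bound_said is not None and bound_said != self.said:
            return False, "bound to a different security authority"
        mine = {g for g, members in self.groups.items() if user in members}
        if not mine & self.product_access.get(product, set()):
            return False, "product not permitted"
        for area, controllers in self.areas.items():
            if controller in controllers and mine & self.grants.get((area, action), set()):
                return True, "granted in " + area
        return False, "action not granted on this controller"

def demo_directory():
    """Constructed sample data matching the 'Fred' walk-through."""
    salt = b"constructed-salt"
    return Directory(
        said="SAID-PLACEHOLDER-A",
        users={"Fred": (salt, pw_hash("constructed-pw", salt), date(2014, 6, 1))},
        groups={"Engineers": {"Fred"}},
        product_access={"Logix Designer": {"Engineers"}},
        grants={("Area2", "Modify AOI"): {"Engineers"}},
        areas={"Area1": {"PLC_1"}, "Area2": {"PLC_2", "PLC_3"}},
    )
```

Passing `bound_said=None` models a project without the “Security Authority ID required” box checked; two directories that share the same identifier both pass the binding check.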

Backing up the SAID
• Using the FactoryTalk Administration Console, the Security Authority Identifier can be…
• Encrypted with a passphrase or password to allow for secure backup copies (disaster recovery)
• Allows secure duplication and distribution to allow multiple FactoryTalk Directories to share the same ID!
• Can be used to replace the CPU Lock functionality that was deprecated in v20
[Figure: what the Security Authority Identifier looks like]

Secure Slot for Communications

Pick and Choose: Data Access Control
• Users can assign External Access settings of Read/Write, Read Only, or None to tags
• Useful to control which tags can be modified from an HMI or other external application
• A cryptographically licensed trusted connection is established between RSLogix™ 5000 and the Logix controller
• Ensures the “External Access” attribute can only be changed by RSLogix 5000
• “Who” can use RSLogix 5000 to change this attribute is controlled by FactoryTalk® Security
• Users can also define tags as Constants
• Constants cannot be modified by controller logic
Improves security of tags, especially when used in conjunction with FactoryTalk® Security

Pick and Choose: FactoryTalk View SE Security
FactoryTalk View SE Security can be applied to:
• Displays
• Objects
• Applications

Pick and Choose: ControlLogix Real-Time Change Detection
• Real-time monitoring of ControlLogix V20 or higher for changes via “Audit Value”
• On Detect will get activities via controller “Change Log”
• On Detect complete will consolidate all activities in a Report via Event Log
• Will detect Rogue changes
• Optionally can send to Audit log as well
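The detect / detect-complete / consolidate sequence on this slide, as an added Python example that is not Rockwell Automation code or the product's algorithm. The poll and change-log record layouts, the `quiet_polls` completion rule and the definition of a rogue change as one from a workstation outside a known set are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Report:
    started: int     # poll time at which the audit value first differed
    completed: int   # poll time at which the value was judged stable again
    entries: list    # change-log entries consolidated into this report
    rogue: list      # entries from workstations outside the known set

def consolidate(polls, change_log, known_stations, quiet_polls=2):
    """polls: [(time, audit_value)]; change_log: [(time, station, text)].

    A detection opens when the audit value differs from the previous poll and
    completes after `quiet_polls` consecutive polls without a further change.
    """
    if not polls:
        return []
    reports, start, quiet = [], None, 0
    last_time, last_value = polls[0]
    window_from = last_time
    for t, value in polls[1:]:
        if value != last_value:
            if start is None:
                # Changes happened after the last poll that still matched.
                start, window_from = t, last_time
            quiet = 0
        elif start is not None:
            quiet += 1
            if quiet >= quiet_polls:
                entries = [e for e in change_log if window_from < e[0] <= t]
                rogue = [e for e in entries if e[1] not in known_stations]
                reports.append(Report(start, t, entries, rogue))
                start, quiet = None, 0
        last_time, last_value = t, value
    return reports

# Constructed sample data: times in seconds, audit values as opaque strings.
POLLS = [(0, "A1"), (10, "A1"), (20, "B7"), (30, "C2"), (40, "C2"), (50, "C2"), (70, "D9")]
CHANGE_LOG = [(14, "ENG-WS-01", "rung edited"),
              (25, "UNKNOWN-LAPTOP", "tag value forced"),
              (65, "ENG-WS-01", "routine added")]
KNOWN_STATIONS = {"ENG-WS-01"}
```

The change seen at time 70 opens a second detection that is still in progress when the sample ends, so it produces no report yet.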

Pick and Choose: FactoryTalk AssetCentre Audit / Change Reporting
• Search FactoryTalk AssetCentre
  • Events
  • Audits
  • Archive history
• Schedule a Report or “Run Now”
  • reports per a Schedule
• Examples
  • Search audit log for changes made during last four hours to a specific asset that has failed
  • Search archive history to determine what files a user has modified during last month
  • Search event logs for upload tasks that failed
  • Search audit log at the end of every shift for any forces or empty branches to improve plant-floor safety

Lab Layout - Sections
Main Sections of the Lab:
1. FactoryTalk Overview: Everyone Must Complete
2. Deploy Initial RSLogix Project to Controller: Everyone Must Complete
3. Securing RSLogix 5000: Everyone Must Complete
4. FactoryTalk View SE Security: Pick & Choose
5. Securing Controller Data & Access: Pick & Choose
6. Protecting RSLogix 5000 Source Code: Pick & Choose
7. Real-Time Change Management for ControlLogix: Pick & Choose
