Rockwell knowledge base also has a free subscription
Security and RSLogix 5000 software - General Information.
Question
As of RSLogix 5000 version 10.00, there are two security tools and two software options to limit access to a Logix controller.
Answer
In addition to this Knowledgebase article, please review the Logix5000 Controllers Common Procedures Programming Manual (1756-PM001I-EN-P) for a chapter detailing "Security and RSLogix 5000 software".
The security tools are implemented as standalone utilities. These tools can be installed from the RSLogix 5000 CD-ROM. The security tools can also be downloaded and installed from:
Software Updates web site, which offers the Tools along with RSLogix 5000 software:
http://rockwellautomation.com/support/webupdates/
Rockwell Software Utilities & Downloads web site, which provides select Tools, by searching for "RSLogix":
http://rockwellautomation.com/rockwellsoftware/downloads/
----------------------------------------------------------------------------------------------------------
Logix CPU Security Tool
The Logix CPU Security tool was created to protect the controller from unauthorized usage. A single supplied password "Locks" or "Unlocks" the controller. Once locked, this tool prevents RSLogix 5000 software from being able to go on-line with the controller.
When the controller is secured ("Locked"), no one will be able to go on-line with the processor by any means until the processor is unsecured ("Unlocked"). You must use the Logix CPU Security tool to unsecure it.
Important: THERE ARE ABSOLUTELY NO BACKDOOR METHODS TO BYPASS THIS SECURITY.
Special Notes:
RSLogix 5000 doesn't prompt to lock or unlock. The Logix CPU Security tool must be launched separately.
Tag values, in a locked controller, still have read / write access by messaging and through DDE/OPC communications.
The Logix CPU Security tool is only supported by ControlLogix, CompactLogix, FlexLogix, and DriveLogix controllers, running Version 6.x and later firmware. The RSLogix Emulate 5000 and SoftLogix5800 controllers do not support this password protection functionality.
Version 1.00 only connects via the controller's serial port.
Version 2.00 adds the ability to browse a remote communication path using RSLinx.
Version 3.00 can save secured state and relative password to controller's Nonvolatile Storage (NVS) memory. The controller must run firmware v15 or higher to support this capability.
----------------------------------------------------------------------------------------------------------
Routine Source Protection Tool
The RSLogix 5000 Source Protection Tool (a.k.a. OEM Lock) allows you to password protect your Routines with a source key. Starting with RSLogix 5000 v7 separate executable files <SP.exe> were made available to support each version of RSLogix 5000. The tool was later integrated into RSLogix 5000 v13 and higher software, where configuration is enabled using an executable file <RS5KSrcPtc.exe>. Once enabled, it is accessed from the RSLogix 5000 menu under Tools > Security > Configure Source Protection.
How it Works:
The RSLogix 5000 programmer applies a source key ("password") to the desired routines. Each routine can have the same source key or a unique source key, but multiple source keys cannot protect an individual routine. All source keys are maintained in a single file called <Sk.dat>. The programmer selects where <Sk.dat> is to be located on the local hard drive. Then only configured RSLogix 5000 workstations, pointing to the <Sk.dat> file, will be able to access protected routines.
The routine protection tool encrypts the source keys, using the Microsoft Cryptographic Application Programming Interface, and then stores them in the RSLogix 5000 project file (.ACD). The source keys remain encrypted in the controller following download.
In order for other RSLogix 5000 workstations to gain access to the protected routines, these workstations must first:
Add the ability to configure routine source protection (run RS5KSrcPtc.exe).
Use RSLogix 5000 to select Tools > Security > Configure Source Protection. This utility will allow the user to specify the location of the Source Key (SK.DAT).
Then copy the SK.DAT file from the original PC to the new PC so the new users have full access to the protected routines.
There is also an option to "Allow viewing of routine" which allows a routine to be viewed, but not edited. The routine background will appear gray in color on workstations not containing the <Sk.dat> file.
Special Notes:
RSLogix 5000 v15 and earlier do not Export source protected Routines to L5K format.
RSLogix 5000 v16 Export/Import maintains source protected Routine data in an encrypted format.
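Because any workstation that holds the Sk.dat file can open the protected routines, the file's NTFS permissions are part of the protection. The PowerShell below is an added example, not Rockwell's code: it lists the principals allowed to read or re-permission a key file. The default path and the set of overly broad groups are assumptions to adjust per site.

```powershell
# Added example (not from the Rockwell article): report who can read Sk.dat.
param(
    # Assumed location; the programmer chooses where Sk.dat is stored.
    [string]$KeyFile = 'C:\SourceKeys\sk.dat'
)

# Assumption: well-known groups considered too broad for a key file.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal read or copy the file, or grant itself access.
$fsr  = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($fsr::ReadData -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)

$acl   = Get-Acl -LiteralPath $KeyFile
$sid   = [System.Security.Principal.SecurityIdentifier]
# Explicit and inherited entries, keyed by SID so the check is language-neutral.
$rules = $acl.GetAccessRules($true, $true, $sid)

$report = foreach ($ace in $rules) {
    # Deny entries and entries without read-type rights do not expose the keys.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
    $id = $ace.IdentityReference.Value
    [pscustomobject]@{
        Sid       = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        TooBroad  = $broad.ContainsKey($id)
    }
}

"Owner: $($acl.Owner)"
$report | Sort-Object TooBroad -Descending | Format-Table -AutoSize
if ($report | Where-Object { $_.TooBroad }) {
    Write-Warning "$KeyFile is readable by a broad group; limit it to the engineers who need the source keys."
}
```

Run it on each workstation or file share that holds a copy of the key file, since every copy grants the same access to the protected routines.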
----------------------------------------------------------------------------------------------------------
RSLogix 5000 "Service Edition" software
In addition to the security tools, there is a reduced functionality version of RSLogix 5000. Service Edition supports all Logix5000 Controllers v12 and higher. See Answer ID 25258 for more details.
You Can:
View and monitor controller configuration and code. (No Edits)
VIEW ONLY for All Languages (FBD, LD, SFC, ST) and PhaseManager.
Load / Store to non-volatile memory.
Tag data strip chart graphical trending.
Printing of application reports.
You Can Not:
Upload from the controller without an offline copy of the project.
Import tags.
Select rungs
Optional features may be disabled via Windows Registry Settings:
Modification of tag data values and I/O and SFC Forcing (initially enabled)
Upload / Download of projects from/to controllers (initially enabled)
REG files provided on CD to disable and re-enable these options
----------------------------------------------------------------------------------------------------------
RSI Security Server software
Security Server was Rockwell Software's first centralized system for restricting access to resources. The Security feature allows you to control the individual user's access to RSLogix 5000 projects and controllers. Read below for details on the new FactoryTalk™ Security.
There are two forms of the Security Server software:
Standalone Edition (distributed with RSLogix 5000 software), which gives you local control over security functions on the machine where you install the Security Server. Intended for installation on a standalone computer and run within the local admin account.
Network Edition (purchased separately) which gives you centralized control over security functions for Rockwell Software products over your entire network. Network Edition has some features the Standalone Edition does not have, including network administration.
Typically, you would use RSI Security Server software to grant or deny permission to perform a particular action on a particular project to a particular person at a particular workstation based upon:
user ID (i.e., the user’s login name)
workstation ID
action name (i.e., the activity the user is trying to perform, such as data table modification, or processor mode change)
resource name (i.e., controller name)
When used with RSLogix 5000 (v10-v13) software, RSI Security Server supports 3 global actions and 6 project-related actions:
Global Actions are not tied to a specific project, and may include:
securing the controller
creating a new project (either through the New Controller dialog, or through the Translator Tool utility)
updating your firmware.
Project Actions allow you to perform specific tasks on a specific project or group of projects, and may include:
viewing a project
going on-line
maintaining a project (e.g., saving, converting, exporting, downloading, setting/forcing tag values, etc.)
full access (e.g., editing a project)
unsecuring the controller
updating firmware.
RSLogix 5000 (v15 and greater) received four Action Groups to provide a finer granularity of options when securing.
Global Actions (v15+) are not tied to a specific project, and may include:
Secure an unsecured controller
Create a new RSLogix 5000 project
Use RSLogix 5000 to start ControlFLASH
Modify workstation options
Modify print options
Customize toolbars
Project Actions (v15+) provide four configurable action groups:
View Project:
  Open a (read-only) version of the project
Go Online:
  Go online with View Project access
Maintain Project:
  Have limited maintenance-type access to the projects
  Edit the fault log, including clearing faults
  Change controller modes
  Convert the .ACD file to a higher revision
  Change controller type
  Edit module properties
  Print reports
  Compact a project file
  Download a project to a controller
  Save a project in .L5K format
  Go online with a project
  Set, clear, or modify the path associated with a given project
  Save a project
  Save a project to a new .acd file
  Upload a project from a controller
  Force tags and enable/disable existing forces
  Change tag values
  Create trends
  Delete trends
  Edit trend properties
  Run trends
  Use RSLogix 5000 to start ControlFLASH to update controller firmware
Full Access:
  Lock/unlock the controller for online edits
  Edit controller properties
  Create modules in the Controller Organizer
  Delete modules in the Controller Organizer
  Perform high impact operations such as module reset and calibration.
  Perform low impact operations such as resetting electronic fuses
  Perform axis direct commands
  Modify axis, coordinate system or motion group properties.
  Load from non-volatile memory
  Store to non-volatile memory
  Create equipment phases
  Delete equipment phases
  Manually control equipment phases
  Edit equipment phases
  Map PLC or SLC messages
  Create programs
  Delete programs
  Edit program properties
  Create a routine
  Delete a routine
  Manually control routine logic
  Edit routine logic
  Edit routine properties
  Create tags
  Delete tags
  Edit tag properties
  Create tasks
  Delete tasks
  Edit task properties, including program scheduling
  Create user-defined data types or string types
  Delete user-defined data types or string types
  Edit user-defined data types or string types
  Unsecure a secured controller
RSLogix 5000 version 16 provides tighter integration with Security software and improved ease-of-use:
Allows users to log on / off of FactoryTalk Security through RSLogix 5000 and also change to a new user when a session has already been initiated by another user.
When security is enabled:
a Security Server Log On menu option will be added to the Tools->Security menu
a Security tab will appear in the Workstation Options Categories tree allowing the user to configure how RSLogix 5000 interacts with the security server
Granular Security Actions Added for GuardLogix – In version 16, users can assign granular security actions to safety components using the Security Server. The following granular actions are available in the Security Server explorer.
Safety: Generate/Delete Signature
Safety: Lock/Unlock
Safety: Modify Component
Safety: Modify Tag Mappings
Granular Security Actions Added for Add-On Instructions – In version 16, users can assign granular security actions to Add-On Instruction components using the Security Server. The following granular actions are available in the Security Server explorer.
Add-On Instruction: Create
Add-On Instruction: Delete
Add-On Instruction: Modify
For more information on RSI Security Server
A Getting Results with Rockwell Software's Security Server (Standalone Edition) publication ships with the Security Server software. You can also reference the RSI Security Server on-line help system for additional information.
----------------------------------------------------------------------------------------------------------
FactoryTalk™ Security
RSLogix 5000 software v10-v16 has been written to work with RSI Security Server, but can be used with the new FactoryTalk™ Security (previously referred to as RSAssetSecurity).
This is intended to improve the security of your automation system by limiting access to those with a legitimate need. FactoryTalk™ Security authenticates user identities and authorizes user requests to access a FactoryTalk-enabled system. These security services are fully integrated into the FactoryTalk Directory and are included as part of the FactoryTalk Automation Platform that installs with many products.
For the Client side use the RSI Security emulator for use with FactoryTalk™ Security (read Factory Talk)
A server-side migration tool may be used to migrate some RSI Security Server data to Factory Talk for use in FactoryTalk™ Security.
Note: Some customers may not want to migrate, if resource and action groups are important to them. FactoryTalk™ Security does not yet handle them and Action descriptions only exist for policies, not for device/project actions.
----------------------------------------------------------------------------------------------------------
Final Note:
Carefully review all of the information above before implementing a security solution. Please be aware that after Security has been installed and enabled, the methods used for uninstallation and removal can be quite involved.
Full administrative privilege is needed to uninstall software. Admins then need to contact Technical Support for specific procedures on how to disable Security from the supporting applications. Depending upon the extent of the installation, signing of a removal permission form may be required.