ElectronGuru

L8 Controller Security Features

4 posts in this topic

Anyone have experience with the 1756-5580 controllers? I'm specifically curious about the role-based access control that Rockwell is boasting about. The following bullet point is from the associated link:

  • Includes controller-based change detection and logging, digitally-signed controller firmware, and role-based access control for extra security

https://www.rockwellautomation.com/en-us/products/hardware/allen-bradley/programmable-controllers/large-controllers/controllogix/1756controllogix5580.html

The L7 controllers also have controller-based change detection and logging. It's just been expanded in the L8 from logging 100 to 500 events in the controller's memory. But they're making it sound like it's a brand new thing.

The above bullet point also makes it sound as though the role-based access control feature is embedded in the controller, and therefore would not be dependent upon the FactoryTalk Admin Directory. Is this true and if so, how do you use this feature? Would you apply the FactoryTalk security when creating the project and it just remembers the permissions? Or is this advertising blurb a bit misleading, like making the change detection and logging sound like a whole new thing?

Anyone?


I have one in my lab.  I haven't even tried to use those features, in part because I avoid FT.  I haven't seen anything about using RBAC without FT.  FWIW.

Part of the reason I have one is to add CIP Security support to my Ignition driver.  CIP security (L8x processors and the EN4T card) can be configured to only accept encrypted connections using certificates or a pre-shared key.  I'd go that route before pursuing RBAC.  Especially since the EN4T would make that approach work with older processors, too.


Haven't looked at RBAC.  I do use FT Security for a specific customer (150+ sites) because the process is patented.  I've locked it down such that you can't even open the ACD unless you have the specific VM image (i.e. computer name and ability to log in to FT).


CIP Security has a similar level of control to FT Security (I think FT Security is layered on CIP Security).  But CIP Security, while patented, is part of the EtherNet/IP specification and is therefore automatically licensed to EtherNet/IP specification subscribers (like me).  So it can lock down comms, including Studio 5000 comms, to those with suitable certificates.  And yes, the user installs the certificate chain they wish into the devices--it isn't limited to Rockwell products.

1 person likes this
