
Presentation on theme: "To Join the Teleconference"— Presentation transcript:

1 To Join the Teleconference
Dial Please specify conference ID You must dial in using a telephone to hear the audio portion of the broadcast. All participant telephone lines are muted. To ask a question, use the WebEx chat feature and select Send to Host. We will send a copy of this presentation and a recording of this broadcast within a few days.

2 Practical Applications of Security to Industrial Control Systems: FactoryTalk Security
Eugene Krymskiy, Engineer, Sr. Systems Technical Support. March 29, 2012

3 Agenda
Presentation
Data Access Security
Questions?

4 Our Approach to Industrial Security
Aligned with US government agencies, ISA99/IEC and other emerging standards. A secure application depends on multiple layers of protection; industrial security must be implemented as a system.

5 Rockwell Automation Security Fundamentals
Apply products and services supporting a defense-in-depth (layered) architecture:
Limit user and computer access to both configuration and data in automation devices
Limit use of automation software applications
Limit access to computers and keep computers patched
Limit access to automation networks
Limit physical access to all equipment and networks
[Diagram: layered security model, outer to inner: physical, perimeter enforcement, network, computer, application, device; security services span every layer.]

6 Data Access Security

7 System-level Security: FactoryTalk Security
Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.
How does it work? A centralized security authority (a Windows domain controller and/or the FactoryTalk Network Directory) verifies the identity of each user, then grants or denies each user's request to perform a particular set of actions on resources within the system:
Step 1: A FactoryTalk Security-enabled application requests access on behalf of the user.
Step 2: The security authority grants or denies the request.
Step 3 (optional): Access is additionally authorized on the specific devices themselves.

8 FactoryTalk Network Directory
Provides a central storage repository (the "yellow pages") for:
Location of all Data Servers (including 3rd-party servers)
Location of all Alarms & Events Servers and Historical Databases
Graphic displays (for HMI Servers)
Security configuration information (users, roles, resources, permissions, ...)
So how does this work? [Diagram: data, alarm and HMI clients locate their Data, Alarm and HMI Servers, and the Security Server, through the directory.]

9 Centralized Security Administration
Secure controllers by area (resource groups) and assign access permissions to specific controller groups.
Administered centrally in the directory: Product Policies (product-specific configuration), System Policies (plant-wide security), Computers and Computer Groups, Controllers to be secured, User Accounts (FactoryTalk users or Windows users), and User Roles (FactoryTalk groups or Windows groups). [Diagram labels: FT Live Data, FT Diagnostics, FT Security.]

10 FactoryTalk Security Configuration
Step 1: Tighten the default security configuration. Remove the local Windows Administrators group (hint: most people have admin rights on their own computer, and by default that makes them FactoryTalk administrators as well). Remove the permissions granted to "All Users" (hint: all users have full rights by default).
Step 2: Create accounts for each user, or link to a Windows domain and let IT manage the users.
Step 3: Add the names of all the computers that will be accessing the system.
Step 4: Assign your users to roles or groups, or link to Windows domain groups and let IT manage the groups.
Step 5: Add the appropriate permissions to the new roles.
Step 6: Assign the new roles and permissions to automation resources.
The model ties together Role, User, Computer, Resources and Permissions. Example: Clark on COMPUTER3 is an Engineer who can download to the Bottling Line controllers.
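The six steps above describe a policy, and the quickest way to see what each step changes is to run a decision against a small model of it. The Python below is an added example written for this page; it is not Rockwell's code and not FactoryTalk's actual evaluation engine. It assumes a simplified model (a built-in "All Users" group, groups that may nest so that a Windows group can be linked into a FactoryTalk group, permissions on an area applying to the resources inside it, an explicit Deny beating any Allow, and requests from unregistered computers being refused) and constructs its own directory contents (COMPUTER3, Clark, Dana, a "Bottling Line" area and a Filler_PLC controller) to compare the fresh-install state with the tightened one.

```python
"""Toy model of FactoryTalk-style authorization decisions.

Added illustration for this page; not Rockwell code. Modeling assumptions:
a built-in "All Users" group every user belongs to, groups may nest (a Windows
group linked into a FactoryTalk group), permissions set on an area apply to the
resources inside it, an explicit Deny beats any Allow, and a request from a
computer that is not registered in the directory is refused.
"""
from dataclasses import dataclass, field

ALL_USERS = "All Users"   # built-in group: every authenticated user is a member
ANY = "*"                 # wildcard action, e.g. full rights on the directory root


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)    # group -> set of members (users or groups)
    parents: dict = field(default_factory=dict)   # resource -> parent resource (None = root)
    acl: dict = field(default_factory=dict)       # (resource, action) -> [(principal, computer, effect)]
    computers: set = field(default_factory=set)   # computer names registered in the directory

    def add_group(self, group, *members):
        self.groups.setdefault(group, set()).update(members)

    def remove_member(self, group, member):
        self.groups[group].discard(member)

    def add_resource(self, name, parent=None):
        self.parents[name] = parent

    def grant(self, resource, action, principal, computer=None, effect="allow"):
        """computer=None means the entry applies from any registered computer."""
        self.acl.setdefault((resource, action), []).append((principal, computer, effect))

    def revoke(self, resource, action, principal):
        key = (resource, action)
        self.acl[key] = [e for e in self.acl.get(key, []) if e[0] != principal]

    def principals_for(self, user):
        """The user plus every group reachable through nested membership."""
        found = {user, ALL_USERS}
        while True:
            more = {g for g, members in self.groups.items()
                    if g not in found and members & found}
            if not more:
                return found
            found |= more

    def is_allowed(self, user, computer, action, resource):
        if computer not in self.computers:
            return False                      # step 3: unknown computers never get in
        principals = self.principals_for(user)
        allowed = False
        res = resource
        while res is not None:                # walk from the resource up to the root
            for act in (action, ANY):
                for principal, comp, effect in self.acl.get((res, act), []):
                    if principal not in principals or (comp is not None and comp != computer):
                        continue
                    if effect == "deny":
                        return False          # explicit deny wins wherever it appears
                    allowed = True
            res = self.parents[res]
        return allowed


def fresh_install():
    """State after installation, as the slides describe it (constructed data)."""
    d = Directory()
    d.computers.add("COMPUTER3")
    d.add_resource("Network")                             # directory root
    d.add_resource("Bottling Line", parent="Network")     # an area (resource group)
    d.add_resource("Filler_PLC", parent="Bottling Line")  # a controller in that area
    # Constructed Windows membership: both engineers are local admins on their PCs.
    d.add_group("BUILTIN\\Administrators", "Clark", "Dana")
    d.add_group("Administrators", "BUILTIN\\Administrators")  # Windows group nested into FT Administrators
    d.grant("Network", ANY, "Administrators")
    d.grant("Network", ANY, ALL_USERS)                    # "all users have full rights"
    return d


def tightened(d):
    """Apply steps 1-6 from the slide to a directory and return it."""
    d.revoke("Network", ANY, ALL_USERS)                          # step 1
    d.remove_member("Administrators", "BUILTIN\\Administrators")  # step 1
    d.add_group("Administrators", "FTAdmin")                     # step 2: a dedicated FT admin
    d.computers.update({"COMPUTER3", "OPERATOR_STATION"})        # step 3
    d.add_group("Engineers", "Clark")                            # step 4
    d.add_group("Operators", "Dana")
    d.grant("Bottling Line", "Download", "Engineers", computer="COMPUTER3")  # steps 5-6
    d.grant("Filler_PLC", "Download", "Operators", effect="deny")            # explicit deny
    return d


if __name__ == "__main__":
    before, after = fresh_install(), tightened(fresh_install())
    for who, pc in [("Clark", "COMPUTER3"), ("Clark", "OPERATOR_STATION"),
                    ("Dana", "COMPUTER3"), ("Eve", "COMPUTER3")]:
        print(f"{who:5} on {pc:16} Download Filler_PLC: "
              f"before={before.is_allowed(who, pc, 'Download', 'Filler_PLC')} "
              f"after={after.is_allowed(who, pc, 'Download', 'Filler_PLC')}")
```

The point the model makes is that step 1 does the real work: until the "All Users" grant and the Windows Administrators nesting are gone, every request from a registered computer passes no matter which roles you define afterwards. Once they are removed, Clark's download succeeds only from COMPUTER3 and only inside the Bottling Line area, Dana (still a local Windows admin) is refused, and an unknown user or an unregistered computer never gets past the first checks.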

11 Network Security: Isolating Network Traffic
[Diagram: the application, operating system, device and physical network layers drawn across the Enterprise Network, the Site Business Network, a DMZ (terminal services, domain controller) and the production Security Zone (production control, process history, operator interface, manufacturing optimization). A router and firewall separate the zones; enterprise resources (e-mail, intranet, web, shared drives) stay on the enterprise side, the zones communicate over TCP/IP, and the diagram marks the best-practice location for the FactoryTalk Directory server.]

12 FactoryTalk Directory Architecture and Settings

13 FactoryTalk Directory Structure
Step 1: The FactoryTalk Directory is an integral part of FactoryTalk Security; both are components of the FactoryTalk Services Platform. Let's take a few minutes to examine the FactoryTalk Directory structure and familiarize ourselves with its components. Launch the FactoryTalk Administration Console by double-clicking its icon on the desktop.
Step 2: When prompted, select Network in the FactoryTalk Directory window and click OK.

14 FactoryTalk Directory Structure
Step 3: The image below illustrates the structure for the FactoryTalk Network Directory following the FactoryTalk Services Platform installation. The Instant Fizz Application used in this presentation has also been added to the directory. Note that the computer hosting the FactoryTalk Directory is indicated at the top of the Application Explorer Window.

15 FactoryTalk Directory Structure
Step 4: Expand the root folders in the Network directory tree. Note the policy information available for FactoryTalk-aware products in the FactoryTalk Directory. These policies can be modified on a product-by-product basis for specific users, groups and computers included within the FactoryTalk Directory; several examples of these settings are explored in later sections of this lab. The tree shows: the names of computers registered with the FactoryTalk Directory; the FactoryTalk user groups defined within the directory (either native FactoryTalk user groups or groups linked to Windows user groups); and the FactoryTalk users defined within the directory (either native FactoryTalk users or users linked to Windows user accounts).

16 Users & User Groups (System Folder)
The Users and Groups folder is used to create, edit, delete and manage the user accounts and groups that have access to the FactoryTalk Directory. Using Users and Groups, you control who accesses the FactoryTalk system and what actions they can perform. Security access to software or controllers can be applied to a single user, a group of users, a computer, or an action, all managed within the FactoryTalk Administration Console. For example, with FactoryTalk Security you can assign rights to a user account or group that prevent that user or group from performing a download to a specific controller, editing the value of a specific tag, or modifying HMI screens.

19 Users & User Groups (System Folder)
Step 5: Double-click the Administrators group to view the FactoryTalk administrators. The Administrators group in FactoryTalk is not the Windows Administrators group: FactoryTalk Administrators are administrators for FactoryTalk products only.

20 Users & User Groups (System Folder)
Step 6: The Windows Administrators group is added to the FactoryTalk Administrators group during the FactoryTalk Services Platform installation. This is referred to as nesting Windows-linked groups into FactoryTalk groups. The nesting gives every member of the Windows Administrators group full rights to Rockwell Automation products secured by FactoryTalk Security, which is why tightening the configuration (slide 10, step 1) begins by removing it.

22 Computers & Groups (System Folder)

23 Policies (System folder)

27 Tightening FactoryTalk Security

30 Tightening FactoryTalk Security
5. In the New User window create the following user account (example):
User Name: FTAdmin
Password: ftadmin
Group Membership: Administrators
Set the user name to FTAdmin; user names in FactoryTalk are not case sensitive. Set the password to ftadmin; in FactoryTalk, passwords are case sensitive. The password for the FTAdmin user must be at least as long as the Minimum password length security policy, which is set to 6 characters by default; a shorter password is rejected with an error message. The password shown is a lab value only: on a production system choose one well beyond the minimum, or link the account to a Windows domain so the domain's password policy applies.

41 Modify Permissions

53 Change System Policies

59 Questions

