Preventing unwanted process changes

Ken

Other than the obvious security measures utilizing password assignment or password protection, has anyone investigated information relative to this issue, which might provide an alternative approach to this potential problem?

I have been asked to develop a simple, systematic approach to this problem, and I have several ideas about how to go about it, but I was curious if anybody else had attempted to work on this problem or one similar to it.
 
You really need to be more specific about what types of problems you're trying to solve. Off-hand you can go on about:

* operator logging
* documenting operating procedures
* documenting training
* formalizing assignment of control console operation among shift personnel
* interlocks
* automate common sequences
* construct interface for output/setpoint ramping (as well as numeric keypad entry)
* construct interface to allow confirmation of process changes prior to acceptance by PLC
* formalize unusual event/incidence reporting / followup.

What specific types of problems are you trying to address? Problems of this nature often occur from either lack of discipline/training of the operating staff or some inadequacy of the control system or process.
 
Bob Peterson

On occasion I have hardcoded registers in PLCs to prevent people from changing things without going to the effort of actually changing the program.

You could also not allow access to parameters you do not want changed, except through the programming system (PLC or DCS), which would tend to restrict such changes to authorized persons.

Bob Peterson
 
Lynn at Alist

Many users use an external archive program to weekly fetch/validate the PLC program and all static data. This program will notice changes and demand an engineer "notate" or comment the change or it will be removed.

It also allows rolling changes back should a legitimate "experiment" fail to meet expectations. This detects changes AFTER the fact, but at least it detects them.

I hear about these because many such users buy Ethernet-to-serial bridges such as my company makes to allow this archive to work without competing with the control network traffic (i.e., not load the ProfiBus or DH+ or ModbusPlus).

- LynnL, www.digi.com
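
A minimal sketch of the archive-and-compare workflow described in the post above, as an added example that is not part of the original thread or any vendor's product: it hashes each file of a fetched PLC program export, compares it with the previous snapshot, and separates changes an engineer has annotated from those left uncommented. The file names, register values and annotation store are constructed for illustration, and fetching the export from the PLC is assumed to happen elsewhere.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_snapshots(baseline, current):
    """Return {path: 'added' | 'removed' | 'modified'} between two snapshots."""
    changes = {}
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "removed"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes

def triage(changes, annotations):
    """Split changes into accepted (engineer left a non-empty comment) and
    pending rollback (no comment), mirroring the annotate-or-remove rule."""
    accepted = {p: k for p, k in changes.items() if annotations.get(p, "").strip()}
    rollback = {p: k for p, k in changes.items() if p not in accepted}
    return accepted, rollback

def demo():
    """Constructed sample: two exports a week apart (all names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "week1"), Path(tmp, "week2")
        old.mkdir(); new.mkdir()
        (old / "main.lad").write_text("RUNG 1: XIC start OTE motor\n")
        (old / "setpoints.csv").write_text("N7:0,150\nN7:1,30\n")
        (new / "main.lad").write_text("RUNG 1: XIC start OTE motor\n")
        (new / "setpoints.csv").write_text("N7:0,175\nN7:1,30\n")  # changed value
        (new / "bypass.lad").write_text("RUNG 9: OTE interlock_bypass\n")  # new file
        changes = diff_snapshots(snapshot(old), snapshot(new))
    annotations = {"setpoints.csv": "Raised N7:0 per approved change request"}
    return triage(changes, annotations)

if __name__ == "__main__":
    accepted, rollback = demo()
    print("accepted:", accepted)
    print("flag for rollback:", rollback)
```

Keeping the dated snapshots themselves, not just their digests, is what makes the rollback mentioned in the post possible.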
 
We are doing a ton of this type of work and are in the process of getting it down as Engineering Standards.

Using a completely separate Windows Domain and isolated (Router) Control Network, we can control User Authentication, we also control desktop usage etc. this way.

As far as the control side, we have software that controls who can do what, from where, to the PLCs, we archive what they do, we control the "intellectual property" with document management software, and then we do automatic archiving of the control programs themselves daily and send reports on what was done. We also audit every move made to the PLCs so we have "recordings" of who did what, when and where.

You can contact me offlist for more info on this and we can go from there, I am preparing a white paper for a magazine and will also be doing a presentation in Milwaukee this fall on the topic.

I am just in the process of documenting it as a best practices type of thing.

[email protected]... Please no spam.

Dave
 
Michael Griffin

What document management software are you using? Does it handle more than just the PLC programs?

--

************************
Michael Griffin
London, Ont. Canada
************************
 
DAVCO Automation

For the PLCs we use RSMACC; we have also used Visual SourceSafe, and there are of course products like Documentum or FileNet.

But in order to integrate AB PLC and Rockwell, we use RSMACC as added to menu system...

Also Mass MDT available.

Dave
 
I do agree that managing multiuser access on a SCADA system is not an easy task. First thing you know, the passwords are written on sticky notes!

What we have done, is a Biometric Profile System with a simple ActiveX that will integrate in any VB scripting.

We've tried it in GE Cimplicity, Citect and Iconics.

The cool part is that there is no more need to log in / log out. You only need to add the identification function where and when needed.

The following link is not intended to be a promo. It is a tutorial I did for Iconics demonstrating how to implement the biometric tool for their reps.
http://www.isa-automation.com/tutorials/iconics/

[email protected]
 