Configure System Security Features User Manual

Transcription

User Manual
Original Instructions
Configure System Security Features

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Table of Contents

Preface
    Certification Requirements
    Design Recommendations
    Follow Design and Engineering Best Practices
    Microsoft Active Directory Group Policy
    Secure System Elements
    Manual Organization
    Additional Resources

Chapter 1: Configure Infrastructure Components
    Requirements
    Windows Domain
    Domain Controller
    Active Directory
    Create Users and Groups in the Windows Domain
    Group Policy Management
    Add Servers or Computers to the Windows Domain

Chapter 2: Configure FactoryTalk Components
    FactoryTalk Directory Requirements
    FactoryTalk Directory Components
    Configure the FactoryTalk Directory
    Define Network Directory
    Configure FactoryTalk Activation Manager
    Configure FactoryTalk Policy Manager

Chapter 3: Configure FactoryTalk Security
    FactoryTalk Security Components
    Configure FactoryTalk Administration Console
    Verify User Identity
    Select the FactoryTalk Directory
    Security Requirements
    Configure FactoryTalk Users and Groups
    Remove the All Users Group
    Assign Windows-linked User Groups to FactoryTalk Directory
    Configure the System Policies
    Configure the Application Authorization Policy
    Configure the User Rights Assignment Policy
    Configure the Live Data Policy
    Configure the Health Monitoring Policy
    Configure the Audit Policy
    Configure the Security Policy
    Configure the Product Policies
    Configure the Product Policies Feature Security
    Product Policies
    Product Policies for Individual Software Applications
    Configure Feature Security for FactoryTalk AssetCentre Users
    Policy Settings
    Configure Feature Security for RSLogix 5000 Users
    Configure Feature Security for Product Policies
    Configure Security Securable Actions
    Configure the Security Authority Identifier
    Create a Permission Set
    Create a Controller Logical Name
    Configure the Security Authority Identifier
    Configure Communication Restrictions
    Configure Data Restrictions
    Configure Code Restrictions

Chapter 4: Configure FactoryTalk AssetCentre Features
    Audit and Change Management
    Create a Schedule for a Device Monitor - Change Detect Operation
    View and Search Logs
    Backup
    Master Files
    Create a Schedule for a Disaster Recovery Operation

Appendix A: Security Checklists
    Two Types of Security Verification
    Security Requirements
    Acceptance Testing Verification Checklist
    Maintenance Verification Checklist

Index

Rockwell Automation Publication SECURE-UM001A-EN-P - March 2019

Preface

This manual describes the system-level configuration requirements to use a ControlLogix 5580 controller that has achieved IEC 62443-4-2:2019 certification. In the rest of this publication, it is referred to as IEC-62443-4-2 SL 1 certification.

Rockwell Automation considered Threat level - SL 1: Protection against casual or coincidental violation when it completed activities to achieve IEC-62443-4-2 SL 1 certification.

For the definition of the SL 1 threat level and other SL threat levels, see the IEC-62443-3-3 International Standard available from the International Electromechanical Commission (IEC) at https://www.iec.ch/index.htm.

You must be trained and experienced in creating, operating, and maintaining industrial security programs before you complete the tasks described in this publication.

Certification Requirements

The following table describes the IEC-62443-4-2 SL 1 certification configuration requirements that you must meet.

Requirement: Meet product-level requirements
Description: You must meet product-level requirements regarding IEC-62443-4-2 SL 1 certifications. ControlLogix 5580 controllers have IEC-62443-4-2 SL 1 certification. To achieve that certification, you must not only meet the system-level requirements that are described in this publication. You must also meet the product-level requirements that are described in the ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543.

Requirement: Use ControlLogix 5580 controller
Description: You must use one of the controllers in the ControlLogix 5580 controller family, and the controller must use firmware revision 32.011 or later.
IMPORTANT: Only the ControlLogix 5580 controllers have achieved IEC-62443-4-2 SL 1 certification. No other Logix 5000 controllers are IEC-62443-4-2 SL 1-certified.

Requirement: Controller access
Description: You must actively manage physical access to the ControlLogix 5580 controller. As necessary, secure the controller’s location, for example, in a cabinet, to help prevent unauthorized users from accessing it.

Requirement: Include compensating countermeasures
Manage physical access to the controller
Description: You must include compensating countermeasures when you configure a system with a ControlLogix 5580 controller that has achieved IEC-62443-4-2 SL 1 certification.

The following compensating countermeasures are required:

Active Directory: Windows-based service that runs on a domain controller and stores information about objects on a network.

ControlFLASH: Version 15.01 or later required. Software tool that is used for electronically updating firmware in hardware devices.

ControlFLASH Plus: Version 2.00 or later required. Software tool that is used for electronically updating firmware in hardware devices. ControlFLASH Plus only supports the firmware updates for CIP devices.

FactoryTalk Activation Manager: Version 4.03.03 or later required. Provides a secure, software-based system to apply Rockwell Automation licenses for continuous use of FactoryTalk software and other Rockwell Automation software products.

FactoryTalk AssetCentre: Version 9.00 or later required. Centralized tool used to secure, manage, version, track, and report information about assets in a system automatically. The software helps to prevent unauthorized or unwanted changes that can impact a secure control system.

FactoryTalk Linx: Version 6.11 or later required. Server and communications service that is designed to deliver control system information from Allen-Bradley control products to the FactoryTalk software portfolio and Studio 5000 Logix Designer software. Supports CIP Security.

FactoryTalk Policy Manager: Version 6.11 or later required. Secure configuration tool that is one of a set of products that Rockwell Automation uses to implement CIP Security.

FactoryTalk Security: Improves the security of an automation system by enabling the enforcement of least privilege via authentication and authorization of users.

FactoryTalk View: Version 11.00 or later required. Human machine interface software for monitoring distributed multi-user applications.

Studio 5000 Logix Designer: Version 32.00.00 or later required. Comprehensive programming software that works with Rockwell Automation Logix Platforms and the Logix 5000 family of controllers.
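The following is an added example, not taken from the manual or from Rockwell Automation: a Python check of a software and firmware inventory against the minimum versions listed in the certification requirements and compensating countermeasures tables above. The inventory format, the item names used as keys, and the field-by-field integer ordering of version strings are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Minimum versions as stated on this page. The item names are this example's
# own dictionary keys, not identifiers read from any Rockwell Automation tool.
MINIMUMS: Dict[str, str] = {
    "ControlLogix 5580 firmware": "32.011",
    "ControlFLASH": "15.01",
    "ControlFLASH Plus": "2.00",
    "FactoryTalk Activation Manager": "4.03.03",
    "FactoryTalk AssetCentre": "9.00",
    "FactoryTalk Linx": "6.11",
    "FactoryTalk Policy Manager": "6.11",
    "FactoryTalk View": "11.00",
    "Studio 5000 Logix Designer": "32.00.00",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Split '4.03.03' into (4, 3, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if any(not (p.isascii() and p.isdigit()) for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def meets_minimum(installed: str, minimum: str) -> bool:
    """Compare field by field as integers (assumed ordering), padding with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (item, status, detail); status is OK, TOO_OLD, MISSING or UNPARSEABLE."""
    findings = []
    for item, minimum in MINIMUMS.items():
        installed = inventory.get(item)
        if installed is None:
            findings.append((item, "MISSING", f"needs {minimum} or later"))
            continue
        try:
            status = "OK" if meets_minimum(installed, minimum) else "TOO_OLD"
        except ValueError:
            status = "UNPARSEABLE"
        findings.append((item, status, f"found {installed}, needs {minimum} or later"))
    return findings

# Constructed sample inventory; in practice it would come from an asset register.
SAMPLE_INVENTORY = {
    "ControlLogix 5580 firmware": "32.011",
    "ControlFLASH": "15.01",
    "ControlFLASH Plus": "3.01",
    "FactoryTalk Activation Manager": "4.03.02",   # one patch level short
    "FactoryTalk AssetCentre": "9.00",
    "FactoryTalk Linx": "unknown",                 # unreadable entry
    "FactoryTalk View": "9.00",                    # "9.00" > "11.00" as strings
    "Studio 5000 Logix Designer": "32.00",         # shorter form of 32.00.00
}

if __name__ == "__main__":
    for item, status, detail in audit(SAMPLE_INVENTORY):
        print(f"{status:<12}{item}: {detail}")
```

Comparing the fields as integers avoids the string-comparison trap in which "9.00" sorts after "11.00"; a missing or unreadable entry is reported rather than treated as compliant.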

Design Recommendations

This publication describes the IEC-62443-4-2 SL 1 certification configuration requirements that apply to the overall Windows domain and specifically Rockwell Automation products that are used in the Domain. However, we recommend the following when you design and configure your system.

Follow Design and Engineering Best Practices

We recommend that you follow not only your company design guidelines but also general good engineering practices and behaviors when you configure your system.

Microsoft Active Directory Group Policy

Group Policy enables policy-based administration using Microsoft Active Directory directory services. Group Policy uses directory services and security group membership to provide flexibility and support extensive configuration information. Policy settings are specified by an administrator. This is in contrast to profile settings that are specified by a user. Policy settings are created using the Microsoft Management Console (MMC) snap-in for Group Policy.

Rockwell Automation control system components are Windows-based. You can install FactoryTalk software applications only on workstations and servers that use Windows operating systems.

We strongly recommend that you implement an industry-standard configuration that is widely known and thoroughly tested. Some examples of industry standards include Microsoft Security Baseline, Security Technical Implementation Guides (STIGs), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS) Benchmarks.

Secure System Elements

Figure 1 shows a control system that has system-level security.

IMPORTANT: We assume that you have implemented the appropriate network segmentation and configuration. For example, you can use the Converged Plantwide Ethernet (CPwE) architecture in your network design. For more information on how to use the CPwE architecture and general network security design, see the System Security Design Guidelines Reference Manual, publication SECURE-RM001.

Figure 1 - Example Control System with System-level Security
[Figure labels: Domain Controller; FactoryTalk Directory Server; FactoryTalk AssetCentre Server; FactoryTalk View SE Server; FactoryTalk View SE Client; Stratix 5400; Kinetix 5700 Drive; ControlLogix 5580 Controller; 1756-EN4T EtherNet/IP Communication Module; Studio 5000 Logix Designer; ControlFLASH]

IMPORTANT: In this example, software that is listed as a compensating countermeasure on page 6 but is not shown in this graphic, is installed on the FactoryTalk Directory server, for example, FactoryTalk Linx software.

Manual Organization

This table describes how the manual is organized.

Section: Chapter 1, Configure Infrastructure Components
Description: Describes the requirements to implement a Windows Domain.

Section: Chapter 2, Configure FactoryTalk Components
Description: Describes the required FactoryTalk software applications that are used in the control system.

Section: Chapter 3, Configure FactoryTalk Security
Description: Describes the required FactoryTalk software application and Logix Designer application parameters that you must configure as part of the system security.

Section: Chapter 4, Configure FactoryTalk AssetCentre Features
Description: Describes how you can use FactoryTalk AssetCentre software to track all activity in the system.

TIP: FactoryTalk AssetCentre software supports distributed architectures. In that case, you can use another computer to incorporate additional configuration into the architectural design and maintenance.

Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.

Resource: CIP Security Application Technique, publication SECURE-AT001
Description: Defines CIP Security and describes how to use it, including a list of products that are CIP-enabled and typical architectures.

Resource: System Security Design Guidelines Reference Manual, publication SECURE-RM001
Description: Provides guidelines for how to use Rockwell Automation products to improve the security of your industrial automation system.

Resource: ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543
Description: Describes how to use ControlLogix 5580 and GuardLogix 5580 controllers.

Resource: Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1
Description: Provides general guidelines for installing a Rockwell Automation industrial system.

Resource: Product Certifications website, tion/overview.page
Description: Provides declarations of conformity, certificates, and other certification details.

You can view or publications ure-library/overview.page.

To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.
