Security Tab

Introduction

Control Expert provides security services for the controller. Enable and disable these services on the Security tab in Control Expert.

Accessing the Security Tab

View the Security configuration options:

Step	Action
1	Open your Control Expert project.
2	Double-click the Ethernet ports on the controller in the local backplane or right-click the Ethernet ports and select Open Submodule.
3	Select the Security tab in the RIO DIO Communicator Head window to enable/disable Ethernet services.

Available Ethernet Services

You can enable or disable these Ethernet services:

Field	Comment
Enforce Security	Click the Enforce Security button to execute these functions: Enable Access Control. Disable FTP, TFTP, HTTP, EIP, SNMP, and DHCP/BOOTP. NOTE: From version 4.10, HTTPS replaces HTTP. HTTPS is not affected when the Enforce Security button is selected. NOTE: You can set each field individually once the global setting is applied.
Unlock Security	Click the Unlock Security button to execute these functions: Enable TFTP, HTTP, EIP, SNMP, and DHCP/BOOTP. Disable Access Control. NOTE: From version 4.10, HTTPS replaces HTTP. HTTPS is not affected when the Unlock Security button is selected. NOTE: You can set each field individually once the global setting is applied.
FTP	Enable or disable (default) firmware upgrade, SD memory card data remote access, data storage remote access, and device configuration management using the FDR service. NOTE: Local data storage remains operational, but remote access to data storage is disabled.
TFTP	Enable or disable (default) the ability to read RIO drop configuration and device configuration management using the FDR service. NOTE: Enable this service to use eX80 Ethernet adapter modules.
HTTPS	Enable or disable (default) the web access service.
DHCP / BOOTP	Enable or disable (default) the automatic assignment of IP addressing settings. For DHCP, also enable/disable automatic assignment of subnet mask, gateway IP address, and DNS server names.
SNMP	Enable or disable (default) the protocol used to monitor the device.
EIP	Enable or disable (default) access to the EtherNet/IP server.
Engineering Link Mode	Depending on the level of targeted cybersecurity, you can select one of the following three Engineering Link Modes: Full Access The controller behaves as in previous firmware versions. Secure and non-secure communications are accepted. For Control Expert communication, the controller accepts the Modbus TCP and Modbus TCP via USB non-secure drivers or the HTTPS and HTTPS via USB secure drivers. For SCADA or controller-to-controller communication, Modbus TCP (port 502) is accepted. Filtered (default) Use this hybrid mode to apply cybersecurity on the engineering link and non-secure connectivity on links to SCADA or other controllers. For Control Expert communication, the controller accepts HTTPS and HTTPS via USB secure drivers. For SCADA or controller-to-controller communication, Modbus TCP (port 502) or UMAS (OFS) are accepted. NOTE: In Filtered mode, the controller accepts the Modbus TCP and Modbus TCP via USB non-secure drivers but only with Connection mode set to monitoring in the options of the project. Monitoring mode is a read-only mode, in which it is not possible to download an application to the controller or stop the controller. Enforced This mode provides the highest level of security. Only secure protocols are accepted by the controller. For Control Expert communication, the controller accepts only the HTTPS and HTTPS via USB secure drivers. For SCADA or controller-to-controller communication, Modbus TCP (port 502) or UMAS (OFS) are NOT accepted. NOTE: The Engineering Link Mode is available only for M580 controllers with firmware as of version 4.20 (or subsequent supporting versions) when the HTTPS service is enabled. Refer to the detailed description of Engineering Link Mode.
Access Control	Enable (default) or disable Ethernet access to the multiple servers in the controller from unauthorized network devices.
Authorized addresses⁽¹⁾	Subnet (Yes or No) IP Address: 0.0.0.0 ... 223.255.255.255 Subnet mask: 224.0.0.0 ... 255.255.255.252 FTP: Grant access to the FTP server in the controller. TFTP: Grant access to the TFTP server in the controller. HTTPS: Grant access to the HTTP secured server in the controller. Port 502: Grant access to port 502 (typically used for Modbus messaging) of the controller. EIP: Grant access to the EtherNet/IP server in the controller. SNMP: Grant access to the SNMP agent resident in the controller.
¹ Set Access Control to Enabled to modify this field.

NOTE: Refer to the ETH_PORT_CTRL topic for information regarding using this function block to control the FTP, TFTP, HTTPS, and DHCP/BOOTP protocols.

Enable/Disable Ethernet Services

You can enable or disable Ethernet services on the Security tab:

Enable/disable FTP, TFTP, HTTPS, EIP, SNMP, and DHCP/BOOTP for all IP addresses. (You can use this feature offline only. The configuration screen is grayed out in online mode.)

– or –
Enable/disable FTP, TFTP, HTTPS, Port 502, EIP, and SNMP for each authorized IP address. (You can use this feature online.)

Set the Security tab parameters before you download the application to the controller. The default settings (maximum security level) reduce the communication capacities and port access.

NOTE: Disable services that are not being used.

Using Access Control for Authorized Addresses

Use the Access Control area to restrict device access to the controller in its role as a server. After you enable access control in the Security dialog box, you can add the IP addresses of the devices that you want to communicate with the controller to the list of Authorized Addresses :

By default, the IP address of the controller embedded Ethernet I/O scanner service with Subnet set to Yes allows any device in the subnet to communicate with the controller through EtherNet/IP or Modbus TCP.
Add the IP address of any client device that may send a request to the controller Ethernet I/O scanner service, which, in this case, acts as a Modbus TCP or EtherNet/IP server.
Add the IP address of your maintenance PC to communicate with the controller through the controller Ethernet I/O scanner service via Control Expert to configure and diagnose your application.
If the controller is configured as a network time service client in the NTP tab, add the IP address of the network time server (or servers, if more than one server). This is the same IP address that was added to the list of Server IP addresses in the NTP tab.

NOTE: The subnet in the IP Address column can be the subnet itself or any IP address inside the subnet. If you select Yes for a subnet that does not have a subnet mask, a pop-up window states that the screen cannot be validated because of a detected error.

You can enter a maximum of 127 authorized IP addresses or subnets.

Adding Devices to the Authorized Addresses List

To add devices to the Authorized Addresses list:

Step	Action
1	Set Access Control to Enabled .
2	In the IP Address column of the Authorized Addresses list, enter an IP address. Enter the address of the device to access the controller Ethernet I/O scanner service with either of these methods: Add a single IP address: Enter the IP address of the device and select No in the Subnet column. Add a subnet: Enter a subnet address in the IP Address column. Select Yes in the Subnet column. Enter a subnet mask in the Subnet Mask column. NOTE: The subnet in the IP Address column can be the subnet itself or any IP address in the subnet. If you enter a subnet without a subnet mask, an on-screen message states that the screen cannot be validated. A red exclamation point indicates a detected error in the entry. You can save the configuration only after the detected error is corrected.
3	Select one or more of the following methods of access you are granting the device or subnet: FTP, TFTP, HTTP , HTTPS if available, Port 502 , EIP, SNMP.
4	Repeat steps 2 and 3 for each additional device or subnet to which you want to grant access to the controller Ethernet I/O scanner service. NOTE: You can enter up to 127 authorized IP addresses or subnets.
5	Click Apply .

Removing Devices from the Authorized Addresses List

To remove devices from the Authorized Addresses list:

Step	Action
1	In the Authorized Addresses list, select the IP address of the device to delete.
2	Press the Delete button.
3	Click Apply .