Requirements for Use Control

Requirements for Use Control
Product
Required to Meet IEC-62443-4-2 SL 1
Details
FactoryTalk® Security
 software
Studio 5000 Logix Designer®
 application
Yes
Configure
FactoryTalk® Security
 to define policies, user groups, and other permission sets.
  • The
    Studio 5000 Logix Designer®
     application enforces the policy based on the access policies that are provided to it by
    FactoryTalk® Security
     for the software authenticated user. Once authenticated, the
    Studio 5000 Logix Designer®
     application acts as your interface to the drives via the controller. This applies to all protected CIP™ communications to the drive, whether from Ethernet, backplane, or USB.
  • The
    FactoryTalk® Services Platform
     offers feature access control to manage user access to product features, such as project import, project create, enable
    DeviceLogix
     (applicable for I/O mode only), change logic, project download to drive and firmware update.
  • In
    FactoryTalk® Security
    , define which users can change and download projects to the drive.
  • Security authority binding restricts the controller to a specific
    FactoryTalk® Security
     instance. This binding reduces the attack surface for security server spoofing because the client software and the security software determine the identity of the security authority responsible for controlling access.
For more information, see the following:
  • Configure System Security Features User Manual, publication SECURE-UM001
  • FactoryTalk Security System Configuration Guide, publication FTSEC-QS001
Microsoft® Active Directory service
Yes
Active Directory is used to create and configure the policies for each user and user group.
  • Create at least two user types and assign a minimum level of user permission for each type.
  • Enforces the password policy according to industry password standard.
  • Define the user account access settings.
  • Define the System use notifications settings.
  • Define the System inactivity lockout setting.
For more information, see the following:
  • Configure System Security Features User Manual, publication SECURE-UM001
Secure
DPI
 Ports
Yes
Applicable for I/O mode only:
HIM and Communication option cards are connected to the drive through DPI ports and should be secured by configuring the mask parameters in the drive.
After product commissioning, HIM should be either removed or set to read-only mode. To remove HIM, see instructions in the PowerFlex 20-HIM-A6 and 20-HIM-C6S HIM User Manual, publication 20HIM-UM001.
Communication option cards should also be disallowed from controlling the logic command (start, jog, change of direction, and so forth) of the drive.
The following mask parameters can be used to configure the control to logic command and to set read-only mode:
  • 0:41 [Logic Mask]
  • 0:230 [Write Mask Cfg]
For more information, see CIP Security with Rockwell Automation Products, publication SECURE-AT001.
Applicable for CIP Motion mode only:
HIM can only be used for monitoring and cannot be used to control the drive or change configuration settings. For more information, see Integrated Motion on the EtherNet/IP Network: Configuration and Startup User Manual, publication MOTION-UM003.
FactoryTalk® Policy Manager
Yes
FactoryTalk® Policy Manager
 is a secure configuration tool that is one of a set of products that
Rockwell Automation®
 uses to implement CIP Security.
CIP Security helps to provide a secure data transport across an EtherNet/IP network. Use
FactoryTalk® Policy Manager
 software to create zones and turn on CIP Security to check for data integrity.
  • Enable integrity + Confidentiality in both I/O Data Security and Messaging Security. For more information, see CIP Security with Rockwell Automation Products, publication SECURE-AT001.
FactoryTalk® AssetCentre
 software
Yes
Configure and use the following:
  • Audit log accessibility
  • Continuous monitoring
For more information, see the following:
  • Configure System Security Features User Manual, publication SECURE-UM001.
  • System Security Design Guidelines Reference Manual, publication SECURE-RM001.
Syslog collector
Yes, if not using
FactoryTalk® AssetCentre
 for logging
The Drive supports syslog event logging. Choose a syslog collector that supports the following:
  • RFC-5424 syslog protocol
  • Ability to receive messages from the drives
IMPORTANT: The drive sends events to a syslog collector through its Ethernet port. The Ethernet port must be connected to the same network as the syslog collector.
To set the IP address of the syslog collector, use
FactoryTalk® Policy Manager
 software. For more information, see CIP Security with Rockwell Automation Products Application Technique, publication SECURE-AT001.
To view a list of syslog messages and their descriptions, see the PowerFlex Drives with TotalFORCE Control Conditions Reference Data, publication 750-RD102.
Secure Hardware Input Device
Yes, if the hardware input device is programmed to control critical function
Hardware input devices such as push buttons can be programmed to control critical functions such as start, stop, and reset via discrete I/O port available on the drive.
To apply security measures, for example, limiting physical access on such hardware input devices to prevent accidental or intentional alteration of drive critical function state.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal