Security

FactoryTalk Linx supports a range of security features to protect network communication and maintain integrity and confidentiality, including:
  • FactoryTalk Security
  • FactoryTalk Audit
  • Socket.IO Security
  • CIP Security
  • DCOM Security
  • Syslog
  • DEP settings
  • Digitally Signed FactoryTalk Software
  • FactoryTalk Linx Gateway Remote Proxy Communications Security
  • FactoryTalk Linx SDK Security
FactoryTalk Security
FactoryTalk Security serves as a foundation for protecting the automation system by controlling access to authorized accounts with legitimate needs. It authenticates user identities and authorizes user requests to access FactoryTalk-enabled systems. Integrated into FactoryTalk Directory, FactoryTalk Security is an integral part of FactoryTalk Services Platform.
FactoryTalk Linx uses FactoryTalk Security to determine what capabilities a user can perform, such as accessing and changing driver configuration, device configuration, and device statistics.
TIP: The FactoryTalk Security settings for FactoryTalk Linx can be accessed in the FactoryTalk Administration Console > Application Tab > System > Policies > Product Policies > FactoryTalk Linx > Feature Security.
For more information on FactoryTalk Security, see FactoryTalk Services Platform Help.
FactoryTalk Audit
FactoryTalk Audit serves as a central repository for plant-wide maintenance information associated with change management and asset health. Most FactoryTalk software delivers configuration and data value changes to FactoryTalk Audit to aid in tracking system changes and to facilitate government regulatory conformance. To use the FactoryTalk Audit Log, obtain, install, and use FactoryTalk AssetCentre software.
FactoryTalk Linx provides audit logging for shortcut configuration changes, driver configuration changes, and most device configuration changes made either in the FactoryTalk Administration Console or through the FactoryTalk Linx Network Browser.
For more information on FactoryTalk Audit, see FactoryTalk Services Platform Help.
Socket.IO Security
FactoryTalk Services Platform provides an option to use Socket.IO to perform the bi-directional communications between computers in a FactoryTalk system.
Socket.IO uses WebSockets as its primary transport mechanism. WebSockets provide a secure communication channel when carried over TLS. When using HTTPS (secure HTTP), Socket.IO automatically uses WSS (WebSocket Secure) for WebSocket connections, ensuring data encryption in transit.
Socket.IO is used as an alternative communication channel to DCOM. Unlike DCOM, which relies on periodic polling, Socket.IO allows real-time communication. It also supports integrity and confidentiality.
If all computers hosting FactoryTalk-enabled software are running FactoryTalk Services Platform version 6.31.00 or later, you can use Socket.IO.
For more information on Socket.IO, see FactoryTalk Services Platform Help.
CIP Security
Common Industrial Protocol (CIP) Security enhances industrial communication security by providing authentication, integrity, and confidentiality features at the protocol level. With CIP Security, you can encrypt communication between devices, authenticate identities, and prevent unauthorized access to industrial assets. The CIP Security protocol can be used to secure connections between devices and FactoryTalk Linx.
FactoryTalk Linx Network Browser detects which devices are capable of supporting CIP Security and presents a shield icon to indicate each device's IP security status. FactoryTalk Linx is also used by FactoryTalk Policy Manager to select the devices for configuration of CIP Security zones and to deploy the CIP Security policy into the automation system. Finally, FactoryTalk Linx can be incorporated into a CIP Security zone and will leverage the CIP Security policy to communicate with CIP Secured devices. You can confirm and reset the FactoryTalk Linx CIP Security configuration by accessing the properties for the top node on the Communications tab in FactoryTalk Administration Console.
DCOM Security
FactoryTalk Services Platform provides an option to use Microsoft's Distributed Component Object Model (DCOM) to provide bi-directional communications between computers in a FactoryTalk system. DCOM Security is essential for securing communication between distributed applications and components in a Windows environment. In response to the Microsoft DCOM Hardening patch (MS KB5004442), Rockwell Automation increased the minimum DCOM authentication level in its products to Packet Integrity. This upgrade ensures that data packet integrity remains intact during communication between clients and servers, reducing the risk of tampering or unauthorized access. Optionally, the DCOM security configuration can be raised to Packet Privacy (confidentiality), which encrypts the information being transmitted.
FactoryTalk Linx uses DCOM to interface with the FactoryTalk Directory to facilitate tag browsing and to locate servers and tags for data acquisition.
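The following PowerShell script is an added example and is not part of the FactoryTalk documentation or Rockwell Automation's software. It checks whether a host's default DCOM authentication level already meets the Packet Integrity minimum described above, reads the KB5004442 hardening override value, and pulls the DistributedCOM events that Windows logs when a client or server falls below the required level. It assumes Windows PowerShell 5.1 or later running elevated on a FactoryTalk host; the registry paths and event IDs are the ones Microsoft documents for the DCOM hardening.

```powershell
# Added example; not from the FactoryTalk documentation. Audits the DCOM
# authentication settings that the KB5004442 hardening depends on.
# Assumes Windows PowerShell 5.1+ on a FactoryTalk host, run elevated.

# RPC_C_AUTHN_LEVEL_* values from rpcdce.h
$AuthnLevelNames = @{
    0 = 'DEFAULT'; 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'
    4 = 'PKT';     5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY'
}

function Get-DcomAuthenticationLevel {
    # Machine-wide default applied to DCOM calls that do not set a level
    # explicitly ("Default Authentication Level" in dcomcnfg). Absent = Connect.
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $level = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }

    # KB5004442 override: 0 = hardening disabled (only honoured before enforcement),
    # 1 or absent = Packet Integrity required for activation requests.
    $appCompat = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
    $override  = $appCompat.RequireIntegrityActivationAuthenticationLevel
    $overrideText = if ($null -eq $override) { 'not set (enforced)' } else { "$override" }

    [pscustomobject]@{
        LegacyAuthenticationLevel = $level
        LevelName                 = $AuthnLevelNames[$level]
        MeetsPacketIntegrity      = ($level -ge 5)   # 5 = integrity, 6 = privacy (encrypted)
        HardeningOverride         = $overrideText
    }
}

function Get-DcomHardeningEvents {
    # DistributedCOM events raised when a call is below the required level:
    # 10036 = server rejected an activation, 10037/10038 = client-side warnings.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no findings"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-DcomAuthenticationLevel | Format-List
Get-DcomHardeningEvents | Format-Table -Wrap
```

A host that reports MeetsPacketIntegrity = False, or that keeps logging 10036 events for a FactoryTalk server, still has a client or a machine-wide default below the Packet Integrity minimum the patch enforces; raising LegacyAuthenticationLevel to 6 (Packet Privacy) gives the optional encryption mentioned above.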
Syslog
Syslog, or System Logging Protocol, is a standard method for message logging. It allows the separation of message generation, storage, and reporting and analysis.
FactoryTalk Linx supports Syslog for events such as CIP Security configuration changes, network configuration changes, and system turn-on. These Syslog messages are directed to the Syslog server, allowing for centralized monitoring and analysis of system activities.
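Collecting those messages on the Syslog server side, as an added PowerShell example that is not part of the FactoryTalk documentation: it parses RFC 5424 syslog lines into their facility, severity and message fields, flags the configuration-change events listed above, and includes a minimal UDP receiver for a lab collector. The three sample lines, the APP-NAME "FTLinx" and the MSGID values are constructed for the example; the page does not define the actual FactoryTalk Linx message format.

```powershell
# Added example; not from the FactoryTalk documentation. Parses RFC 5424 syslog
# lines and flags the configuration-change events a collector should alert on.
# Sample lines, APP-NAME and MSGID values below are constructed, not real output.

$Rfc5424 = '^<(?<pri>\d{1,3})>(?<ver>\d+)\s(?<ts>\S+)\s(?<host>\S+)\s(?<app>\S+)\s' +
           '(?<procid>\S+)\s(?<msgid>\S+)\s(?<sd>-|(?:\[[^\]]*\])+)(?:\s(?<msg>.*))?$'
$SeverityNames = 'emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug'

function ConvertFrom-SyslogLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if (-not ($Line -match $Rfc5424)) { Write-Warning "Unparsed syslog line: $Line"; return }
        $pri = [int]$Matches.pri                  # PRI = facility * 8 + severity
        [pscustomobject]@{
            Facility  = $pri -shr 3
            Severity  = $SeverityNames[$pri -band 7]
            Timestamp = $Matches.ts
            Host      = $Matches.host
            App       = $Matches.app
            MsgId     = $Matches.msgid
            Message   = $Matches.msg
            # The event classes the text above names as syslog-worthy
            ConfigChange = [bool]($Matches.msg -match 'CIP Security|network configuration')
        }
    }
}

function Start-SyslogListener {
    # Minimal UDP receiver for a lab collector; binding to 514 needs elevation.
    param([int]$Port = 514, [int]$Count = 10)
    $udp    = New-Object System.Net.Sockets.UdpClient($Port)
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        for ($i = 0; $i -lt $Count; $i++) {
            $bytes = $udp.Receive([ref]$remote)
            [System.Text.Encoding]::UTF8.GetString($bytes) | ConvertFrom-SyslogLine
        }
    } finally { $udp.Close() }
}

# Constructed sample lines (facility 1 = user; <14> = info, <13> = notice)
$SampleLines = @(
    '<14>1 2024-05-06T10:15:00Z LINXHOST FTLinx - CIPSEC - CIP Security configuration changed: zone policy deployed'
    '<13>1 2024-05-06T10:16:30Z LINXHOST FTLinx - NET - Network configuration changed: driver AB_ETHIP-1 updated'
    '<14>1 2024-05-06T10:17:00Z LINXHOST FTLinx - SYS - System turn-on'
)
$SampleLines | ConvertFrom-SyslogLine | Where-Object ConfigChange |
    Format-Table Timestamp, Severity, MsgId, Message -AutoSize
```

Run the sample block as-is to see the two configuration-change lines selected; replace it with Start-SyslogListener once FactoryTalk Linx is pointed at the collector, and tune the ConfigChange pattern to the message text the product actually emits.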
DEP settings
DEP (Data Execution Prevention) is a security feature in the Windows operating system that prevents software from executing code in memory regions reserved for data. DEP helps protect computers from attacks that exploit vulnerabilities in software by preventing code execution from non-executable memory regions.
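To confirm that DEP actually covers the FactoryTalk processes on a host, the following added PowerShell example (not part of the FactoryTalk documentation) reads the system-wide DEP policy from Win32_OperatingSystem and queries the per-process mitigation state with Get-ProcessMitigation. The process-name pattern is an assumption; adjust it to the executables installed on the host.

```powershell
# Added example; not from the FactoryTalk documentation. Reports the system DEP
# policy and the DEP state of running processes. The process-name pattern is an
# assumption; match it to the FactoryTalk Linx executables on the host.

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        SupportPolicy    = $os.DataExecutionPrevention_SupportPolicy
        PolicyName       = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDep      = $os.DataExecutionPrevention_Available
        Applies32BitApps = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-ProcessDepState {
    param([string]$NamePattern = 'Linx')   # assumption: adjust to the installed executables
    Get-Process | Where-Object { $_.Name -match $NamePattern } | ForEach-Object {
        $m = Get-ProcessMitigation -Id $_.Id -ErrorAction SilentlyContinue
        $dep = if ($m) { "$($m.Dep.Enable)" } else { 'unknown' }   # ON / OFF / NOTSET
        [pscustomobject]@{ Process = $_.Name; Pid = $_.Id; DepEnabled = $dep }
    }
}

Get-DepPolicy | Format-List
Get-ProcessDepState | Format-Table -AutoSize
```

With an OptIn policy (the client default) only processes that opt in or are 64-bit get DEP, so a 32-bit service reporting NOTSET is the case to look for; OptOut or AlwaysOn applies DEP to every process unless excluded.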
Digitally signed FactoryTalk software
Rockwell Automation uses a software signing process to ensure the authenticity and integrity of its software components. During the build phase, the process begins with compiling the source code into executable binaries. These binaries are then assembled into comprehensive software packages. A digital signing procedure is employed, during which cryptographic hashes of the software components are encrypted using Rockwell Automation's private key. These encrypted hashes, or digital signatures, are attached to the corresponding software components.
FactoryTalk Services Platform version 2.51.00 or later provides the ability to verify whether an application requesting a service token is signed by Rockwell Automation. Access to FactoryTalk Directory is denied if the certificate is not signed by Rockwell Automation. Some earlier versions of FactoryTalk products were released without being signed, and they may fail to verify the publisher information.
For kernel drivers included with FactoryTalk Linx, an additional layer of validation is applied. These drivers are submitted to Microsoft's Hardware Developer Center, where they undergo comprehensive verification to ensure compliance with Microsoft's security and compatibility standards. Once verified, Microsoft signs these kernel drivers with its official digital signatures, adding another level of trust and reliability, acknowledged by both Rockwell Automation and Microsoft.
The authenticity of Rockwell Automation software binaries can be verified by both Windows and users through built-in mechanisms. Windows checks the digital signature upon execution of a signed executable or driver, ensuring that it originates from a trusted Certificate Authority (CA), and confirms the software has not been altered since signing by comparing hash values. Users can verify authenticity by accessing the file properties of an executable or driver and examining the details about the issuer and the status of the digital signature. This thorough process fosters confidence in the reliability and security of Rockwell Automation's software solutions, providing robust protection against tampering and unauthorized alterations.
For more information on the signed FactoryTalk products, see FactoryTalk Services Platform Getting Results Guide.
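The file-properties check described above can be scripted across a whole install folder. The following PowerShell is an added example, not part of the FactoryTalk documentation or Rockwell Automation's tooling: it runs Get-AuthenticodeSignature over every executable, DLL and driver under a path, distinguishes unsigned from tampered (HashMismatch) files, and reports any signer that is not one of the expected publishers. The install path and the signer-name substrings are assumptions; set them to the actual install location and the subject shown on the signing certificate.

```powershell
# Added example; not from the FactoryTalk documentation. Verifies Authenticode
# signatures on the binaries under an install folder and reports anything that
# is unsigned, altered since signing, or signed by an unexpected publisher.
# The path and the expected signer substrings are assumptions.

function Test-SignedBinaries {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substrings expected in the signer certificate Subject (assumption)
        [string[]]$ExpectedSigners = @('Rockwell Automation', 'Microsoft')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Status: Valid (chains to a trusted CA, hash matches), NotSigned,
        # HashMismatch (file altered after signing), UnknownError (chain problem)
        $knownSigner = $false
        foreach ($s in $ExpectedSigners) { if ($subject -like "*$s*") { $knownSigner = $true } }
        [pscustomobject]@{
            File             = $_.FullName
            Status           = $sig.Status
            Signer           = $subject
            Timestamped      = [bool]$sig.TimeStamperCertificate
            TrustedPublisher = ($sig.Status -eq 'Valid') -and $knownSigner
        }
    }
}

# Placeholder install path (assumption): point this at the real FactoryTalk Linx folder
$results = Test-SignedBinaries -Path 'C:\Program Files (x86)\Rockwell Software'

# Anything listed here needs attention: tampered files show HashMismatch,
# unsigned legacy components show NotSigned, foreign signers show a wrong Subject.
$results | Where-Object { -not $_.TrustedPublisher } |
    Sort-Object Status | Format-Table Status, Signer, File -AutoSize
```

Get-AuthenticodeSignature reports the primary signature on the file, so a Microsoft-signed kernel driver may show Microsoft rather than Rockwell Automation as the signer, which is why both publishers are accepted; a Timestamped value of False is worth noting, because such a signature stops validating once the signing certificate expires.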
FactoryTalk Linx Gateway Remote Proxy Communications Security
FactoryTalk Linx Gateway provides premium capabilities and interfaces to permit third-party software to interface with Rockwell Automation controllers and devices as well as third-party EtherNet/IP connected devices through FactoryTalk Linx. The FactoryTalk Linx Gateway Remote Proxy service was added to FactoryTalk Linx Gateway version 6.31.00 to enable FactoryTalk Linx software running on one computer to pass FactoryTalk Linx CIP communications through a proxy computer to interface with devices on a different network. The Remote Proxy service supports limiting this bridging capability to computers with specific IP addresses or to devices in a configured CIP Security zone. Using the Remote Proxy service, computers on a business network can securely access automation equipment on an automation network. All other network communications traffic, such as TCP, UDP, and SNMP, is blocked from accessing the automation network. Initially the Remote Proxy service was limited to passing communications from design software, for example, Studio 5000 Logix Designer, ControlFLASH Plus, and Connected Components Workbench software. FactoryTalk Linx version 6.40.00 added the ability to configure a data acquisition shortcut through the Remote Proxy service.
For more information on the Remote Proxy service, see FactoryTalk Linx Gateway Getting Results Guide.
FactoryTalk Linx SDK Security
FactoryTalk Linx Gateway provides premium capabilities and interfaces to permit third-party software to interface with Rockwell Automation controllers and devices as well as third-party EtherNet/IP connected devices through FactoryTalk Linx. The FactoryTalk Linx Software Development Kit (SDK) provides a collection of software development tools that permit custom-built software to communicate with Rockwell Automation controllers and devices as well as third-party EtherNet/IP connected devices using an Application Program Interface (API) in FactoryTalk Linx. The SDK provides an option to identify the signature of a software package using the API and limit the API to only the software selected by the user.
For more information on FactoryTalk Linx SDK Security, see FactoryTalk Linx Gateway Getting Results Guide and FactoryTalk Linx SDK Reference Manual.