Deploy the Security Policy

Use
FactoryTalk® Policy Manager
software to deploy a security policy to the system and configure certain components to be
CIP Security
-enabled. You can use other methods to define more security settings. For example, you can use
Studio 5000 Logix Designer®
to set the Security Authority option or
FactoryTalk® Administration Console
to determine user access to parts of an application.
To protect the high availability system from unauthorized access, deploy the security policy in the following order:
  1. Install firmware on the redundant 1756-EN4TR modules.
  2. Deploy the security policy to the 1756-EN4TR modules.
    FactoryTalk® Policy Manager
    must identify your 1756-EN4TR modules as redundant for proper deployment, showing both IP addresses for one device in the zone.
  3. Initiate communication to the controller, redundancy module, and Ethernet adapters only via the secured 1756-EN4TR modules.
  4. Wait to perform other actions on the redundant chassis, including synchronization of the redundant chassis, controller project download, and redundancy configuration, until after the security policy is deployed.
IMPORTANT:
If you deploy the security policy, either new or changed, or update the security configuration when your system is running, adverse effects can occur on the high availability system.
Adverse effects include the following:
  • Disqualification of the redundant chassis pair
  • Partial or full loss of communication between devices in the system
  • Loss of essential functions
  • Users can become locked out of the control system and its interfaces
We strongly recommend that you deploy the security policy and security configuration during system commissioning or when the system has been safely shut down for maintenance. Update the security policy and security configuration only when the system is safely shut down.

Disqualification of the Redundant Chassis Pair

Deployment of the security policy in a running system currently causes disqualification of the redundant chassis pair. Synchronization after disqualification depends on the auto-synchronization setting for the redundancy module:
  • If the auto-synchronization setting is Always, the disqualification is temporary and the system requalifies automatically after a short time.
  • If the auto-synchronization setting is Never, you must manually synchronize the redundant chassis after you deploy the security policy.
For more information, see Choose an Auto-synchronization Setting.

Cannot Deploy the Security Policy to the Controller Ethernet Port

You cannot deploy the security policy to the controller Ethernet port when redundancy is enabled. The embedded Ethernet port is disabled when redundancy is enabled. You must deploy the security policy to the 1756-EN4TR communication module in the redundant chassis.
Security Model Deployment—Unsupported
Security policy model not deployed to 1756-EN4TR
Security Model Deployment—Supported
Security model deployed to 1756-EN4TR

Security Configuration Matches in Primary and Secondary Chassis

When you deploy the security policy via
FactoryTalk® Policy Manager
software, the security policy is automatically deployed to the primary and the secondary chassis.

Automatic Device Replacement is Not Supported

Automatic Device Replacement (ADR) lets you replace a device in a running application without the need to redeploy the security policy. ADR is not supported when a high availability system is
CIP Security
-enabled.
If you replace a device in a high availability system that is
CIP Security
-enabled, you must manually deploy the security policy via
FactoryTalk® Policy Manager
software. Because you cannot deploy the security policy to an individual device, the entire security policy must be redeployed when a device is replaced. Before you replace a device and redeploy the security policy, complete a risk assessment so you are aware of adverse effects on other devices in the application when the deployment occurs.
IMPORTANT:
If
CIP Security
is deployed incorrectly, devices can lose communication with each other. As a result, you can experience a partial or full loss of application availability. You should only deploy the security policy during system commissioning. Do not reconfigure the security policy when the system is in operational mode during production.
Our recommended redundancy system is designed so that a compromise of the secured 1756-EN4TR module does not affect essential functions of standard and safety I/O. Only remote access to the redundant chassis pair can be lost. In addition to DLR and PRP topologies, we recommend that you implement secured, backup remote paths to the redundant chassis pair. Use separate, secured 1756-EN4TR modules configured by separate instances of
FactoryTalk® Policy Manager
.

Preallocate CIP Security Devices

IMPORTANT:
Whenever new devices, such as
FactoryTalk® Linx
workstations, are added to the security policy in
FactoryTalk® Policy Manager
software, the policy must be redeployed. To avoid redeployment, we recommend that you preallocate potential devices for future use.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal