Deploy the Security Policy
Use
FactoryTalk® Policy Manager
software to deploy a security policy to the system and configure certain components
to be CIP Security™
-enabled. You can use other methods to define more security settings. For example, you
can use Studio 5000 Logix Designer®
to set the Security Authority option or FactoryTalk® Administration Console
to determine user access to parts of an application.To protect the high availability system from unauthorized access, deploy the security
policy in the following order:
- Install firmware on the redundant 1756-EN4TR modules.
- Deploy the security policy to the 1756-EN4TR modules.FactoryTalk® Policy Managermust identify your 1756-EN4TR modules as redundant for proper deployment, showing both IP addresses for one device in the zone.
- Initiate communication to the controller, redundancy module, and Ethernet adapters only via the secured 1756-EN4TR modules.
- Wait to perform other actions on the redundant chassis, including synchronization of the redundant chassis, controller project download, and redundancy configuration, until after the security policy is deployed.
IMPORTANT:
If you deploy the security policy, either new or changed, or update the security
configuration when your system is running, adverse effects can occur on the high
availability system.
Adverse effects include the following:
- Disqualification of the redundant chassis pair
- Partial or full loss of communication between devices in the system
- Loss of essential functions
- Users can become locked out of the control system and its interfaces
We strongly recommend that you deploy the security policy and security configuration
during system commissioning or when the system has been safely shut down for
maintenance. Update the security policy and security configuration only when the system
is safely shut down.
Disqualification of the Redundant Chassis Pair
Deployment of the security policy in a running system currently causes
disqualification of the redundant chassis pair. Synchronization after
disqualification depends on the auto-synchronization setting for the redundancy
module:
- If the auto-synchronization setting is Always, the disqualification is temporary and the system requalifies automatically after a short time.
- If the auto-synchronization setting is Never, you must manually synchronize the redundant chassis after you deploy the security policy.
For more information, see Choose an
Auto-synchronization Setting.
Cannot Deploy the Security Policy to the Controller Ethernet Port
You cannot deploy the security policy to the controller Ethernet port when redundancy
is enabled. The embedded Ethernet port is disabled when redundancy is enabled. You
must deploy the security policy to the 1756-EN4TR communication module in the
redundant chassis.
Security Model Deployment—Unsupported
Security Model Deployment—Supported
Security Configuration Matches in Primary and Secondary Chassis
When you deploy the security policy via
FactoryTalk® Policy Manager
software, the security policy is automatically deployed to the primary and the
secondary chassis.Automatic Device Replacement is Not Supported
Automatic Device Replacement (ADR) lets you replace a device in a running application
without the need to redeploy the security policy. ADR is not supported when a high
availability system is
CIP Security™
-enabled. If you replace a device in a high availability system that is
CIP Security™
-enabled, you must manually deploy the security policy via FactoryTalk® Policy Manager
software. Because you cannot deploy the security policy to an individual device,
the entire security policy must be redeployed when a device is replaced. Before you
replace a device and redeploy the security policy, complete a risk assessment so you
are aware of adverse effects on other devices in the application when the deployment
occurs.
IMPORTANT:
If
CIP Security™
is deployed incorrectly, devices can lose communication with each other. As a
result, you can experience a partial or full loss of application availability.
You should only deploy the security policy during system commissioning. Do not
reconfigure the security policy when the system is in operational mode during
production.Our recommended redundancy system is designed so that a compromise of the secured
1756-EN4TR module does not affect essential functions of standard and safety
I/O. Only remote access to the redundant chassis pair can be lost. In addition
to DLR and PRP topologies, we recommend that you implement secured, backup
remote paths to the redundant chassis pair. Use separate, secured 1756-EN4TR
modules configured by separate instances of
FactoryTalk® Policy Manager
.Preallocate CIP Security Devices
IMPORTANT:
Whenever new devices, such as
FactoryTalk® Linx
workstations, are added to the security policy in FactoryTalk® Policy Manager
software, the policy must be redeployed. To avoid redeployment, we recommend
that you preallocate potential devices for future use.Provide Feedback