Policy model

The security policy model of your system includes zones, conduits, and devices.

Zones

Zones form groups of logical or physical devices to which security settings are applied. Devices within a zone trust each other, except for OPC UA servers, which the other members of the zone do not implicitly trust. Zones can contain CIP and OPC UA devices.
To configure zones, see Zones.

Conduits

Conduits are communication pathways in the policy model, connecting pairs of policy model components.
You can create conduits between these components:

CIP conduits
  Endpoint 1       Endpoint 2
  Zone             Zone
  Zone             Device
  Zone             Range
  Device           Device
  Device           Range

OPC UA conduits
  Endpoint 1       Endpoint 2
  Zone             Zone
  Zone             OPC UA server
  Zone             OPC UA client
  Zone             Range
  OPC UA client    OPC UA server
Conduits must follow these rules:
  • Conduits cannot be duplicated: each combination of endpoints must be unique.
  • At least one of the endpoints must be CIP Security or OPC UA security policy capable.
  • If one endpoint is a zone, the other endpoint cannot be a device within that zone.
  • Devices that are not assigned to any zone, and devices that are still onboarding, cannot be used as endpoints.
To configure conduits, see Conduits.
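The endpoint tables and the four rules above can be checked mechanically before a policy is deployed. The following is an added example written for this page; it is not code from FactoryTalk Policy Manager or any Rockwell Automation API. The class names, the `security` attribute, the treatment of a device range as never security-capable (a range is trusted by IP address only), and the sample zones, devices and addresses are all assumptions constructed for the illustration.

```python
# Added example: validator for the conduit rules described on this page.
# Not part of FactoryTalk Policy Manager; names, attributes and the sample
# model below are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass

CIP = "CIP"
OPCUA = "OPC UA"
CIP_SECURITY = "CIP Security"
OPCUA_POLICY = "OPC UA security policy"
# Capability an endpoint must hold to count as "capable" for each conduit type.
REQUIRED = {CIP: CIP_SECURITY, OPCUA: OPCUA_POLICY}


@dataclass(frozen=True)
class Zone:
    name: str
    # Assumption: the security policies configured on the zone decide whether
    # the zone counts as a capable endpoint.
    security: frozenset = frozenset()


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    kind: str = "Device"            # "Device", "OPC UA client" or "OPC UA server"
    security: frozenset = frozenset()
    zone: str | None = None         # assigned zone name; None means unassigned
    onboarding: bool = False


@dataclass(frozen=True)
class Range:
    name: str
    cidr: str                       # trusted IP range; assumed never security-capable


@dataclass(frozen=True)
class Conduit:
    protocol: str                   # CIP or OPCUA
    a: object
    b: object


# Endpoint-type pairs permitted by the two tables above, stored as sorted tuples
# so that the order in which the endpoints are given does not matter.
ALLOWED = {
    CIP: {("Zone", "Zone"), ("Device", "Zone"), ("Range", "Zone"),
          ("Device", "Device"), ("Device", "Range")},
    OPCUA: {("Zone", "Zone"), ("OPC UA server", "Zone"), ("OPC UA client", "Zone"),
            ("Range", "Zone"), ("OPC UA client", "OPC UA server")},
}


def endpoint_type(ep) -> str:
    if isinstance(ep, Zone):
        return "Zone"
    if isinstance(ep, Range):
        return "Range"
    return ep.kind


def capable(ep, protocol: str) -> bool:
    # Ranges carry no `security` attribute, so they are never capable.
    return REQUIRED[protocol] in getattr(ep, "security", frozenset())


def validate_conduit(existing: list[Conduit], c: Conduit) -> list[str]:
    """Return the list of rule violations for conduit `c` (empty means valid)."""
    errors = []
    ta, tb = endpoint_type(c.a), endpoint_type(c.b)
    if tuple(sorted((ta, tb))) not in ALLOWED[c.protocol]:
        errors.append(f"{ta} to {tb} is not a valid {c.protocol} conduit")
    # Rule 1: the combination of endpoints must be unique, whichever way round.
    key = frozenset({(ta, c.a.name), (tb, c.b.name)})
    if any(frozenset({(endpoint_type(e.a), e.a.name), (endpoint_type(e.b), e.b.name)}) == key
           for e in existing):
        errors.append("duplicate conduit: endpoint combination already exists")
    # Rule 2: at least one endpoint must be CIP Security / OPC UA policy capable.
    if not (capable(c.a, c.protocol) or capable(c.b, c.protocol)):
        errors.append("neither endpoint is security-capable")
    # Rule 3: a zone cannot be paired with a device that belongs to that zone.
    for z, other in ((c.a, c.b), (c.b, c.a)):
        if isinstance(z, Zone) and isinstance(other, Device) and other.zone == z.name:
            errors.append(f"{other.name} is a member of zone {z.name}")
    # Rule 4: unassigned or onboarding devices cannot be endpoints.
    for ep in (c.a, c.b):
        if isinstance(ep, Device) and (ep.zone is None or ep.onboarding):
            errors.append(f"{ep.name} is unassigned or still onboarding")
    return errors


def example() -> dict[str, list[str]]:
    """Constructed sample model: every name and address here is made up."""
    cell = Zone("Cell-1", frozenset({CIP_SECURITY, OPCUA_POLICY}))
    eng = Zone("Engineering", frozenset({CIP_SECURITY, OPCUA_POLICY}))
    plc = Device("PLC-1", "10.1.1.10", security=frozenset({CIP_SECURITY}), zone="Cell-1")
    drive = Device("Drive-3", "10.1.1.30", zone="Cell-1")            # no CIP Security support
    hmi = Device("HMI-2", "10.1.2.20", security=frozenset({CIP_SECURITY}), zone="Engineering")
    new_io = Device("IO-9", "10.1.1.90", security=frozenset({CIP_SECURITY}),
                    zone="Engineering", onboarding=True)
    scada = Device("SCADA", "10.1.2.60", kind="OPC UA client",
                   security=frozenset({OPCUA_POLICY}), zone="Engineering")
    opc = Device("OPC-1", "10.1.1.50", kind="OPC UA server",
                 security=frozenset({OPCUA_POLICY}), zone="Cell-1")
    legacy = Range("Legacy-scanners", "10.1.9.0/28")
    existing = [Conduit(CIP, cell, eng)]
    candidates = {
        "zone pair again, reversed": Conduit(CIP, eng, cell),
        "zone to its own device": Conduit(CIP, cell, plc),
        "zone to onboarding device": Conduit(CIP, cell, new_io),
        "two non-capable endpoints": Conduit(CIP, drive, legacy),
        "capable HMI to legacy drive": Conduit(CIP, hmi, drive),
        "zone to trusted range": Conduit(CIP, cell, legacy),
        "OPC UA client to server": Conduit(OPCUA, scada, opc),
        "OPC UA between plain devices": Conduit(OPCUA, hmi, plc),
    }
    return {label: validate_conduit(existing, c) for label, c in candidates.items()}


if __name__ == "__main__":
    for label, errors in example().items():
        print(f"{label}: {'OK' if not errors else '; '.join(errors)}")
```

Run it to see which candidate conduits the rules reject and why; the drive-to-range case is the one that matters in practice, since a conduit between a non-securable device and a trusted IP range has nothing on either side that can authenticate the traffic.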

Devices

Devices include:
  • Computers
  • Controllers
  • Modules
  • HMI panels
  • OPC UA clients
  • OPC UA servers
  • Drives
Some devices do not support CIP Security or OPC UA security policy and therefore cannot authenticate themselves to the system. For such devices, consider one of these approaches:
CIP Proxy device
A CIP Proxy device can be placed in front of the device that cannot be secured with CIP Security. The CIP Proxy device controls communication to the device it proxies and can sign and encrypt data from the device. For more information, see CIP Proxy devices.
Trusted IP address
The device is assigned an IP address that the system trusts and permits to communicate within the security zone. These devices cannot sign or encrypt their communications, so this option provides no confidentiality or integrity protection for the device's traffic, and any host that can use that IP address on the network receives the same trust.
To configure devices, their ports, and device ranges, see Devices.

Policy model planning

To plan the policy model, establish the following:
  • Zones and their security requirements
  • Devices, their IP addresses, and zone assignments
  • Conduits to define trust relationships between policy model components
For an example, see Policy model example.