Perspective HMI by localisation

Hello folks,

We have an Ignition gateway with a SCADA application. This application covers 4 identical lines.

So far, we are using the SCADA mostly to show KPIs and dashboards. The SCADA picks data from various sources (PLC, database, web services) and shows it in one application to the operator.

Until now, we did a small amount of control with Ignition.

This is about to change. We would like to allow the operator to do some control (start, stop, setpoint change etc..) from their pocket using an iPhone.

My question is the following: How do you manage the security with portable devices? We need to make sure an operator will not start or stop a machine in another line by accident.

  • I cannot rely on username or roles since the operators can work on different lines in the mill.
  • I cannot rely on IP address since the iPhones are on WiFi using DHCP

Any ideas? I'm sure other people have good ideas about that.

Thanks.

Perspective can use geofencing with the mobile apps. If you get a GPS signal in the plant that is precise enough, that might work.

If there is any possibility of machine damage from remote start, consider not allowing mobile devices to do this. (They can lie about their coordinates.)

1 Like

Thank you Phil,

GPS is not working inside the Faraday box that is our mill.

Is there a way to read the MAC Address of a device in Perspective? I could maintain a white list per line...

No, and probably never for mobile. Possibly in the future for Workstation. Vision can do this, of course, but doesn't run on mobile. (Are you really sure you want mobile devices to do this?)

2 Likes

What about security zones?

You mentioned not using IP addresses, but do hostnames work on mobile?

Hostnames are derived from IP addresses, and only if the local DNS server allows reverse lookups.

This whole issue has been beaten to death in the various Vision versus Perspective discussions. Perhaps those should be re-read.

TL/DR: Don't use Perspective for direct machine control. You cannot lock it down when you need to.

I've read them; I also remember reading where a recent release allowed for this?

Link?

And what do you mean by "this"?

I don't have a link, I'm using my terrible memory to try and recall what I read. Maybe it was Resolve Client Hostnames? Although that isn't exactly a recent addition (8.1.10).

That just turns on reverse IP lookups if the user thinks they'll work. (Failing reverse lookups add delays.) It is still derived from the IP address. You have to have strict DHCP in place with IP address presence enforcement at the switch to have any "security" at all. And doubly difficult for WiFi.

I have not yet seen any changes to Perspective that make it acceptable to me as an on-machine HMI, for the typical uses of such HMIs. You cannot ensure that a Perspective client is within line-of-sight of a machine. You can with Vision.

1 Like

What about having a combination of a Perspective push button and some physical device / component / button next to or on the line? It seems pretty redundant, but at least you can use your mobile phone as a sort of HMI...

Sure, that's fine.

I've always been a bit leery of the existing techniques used for this purpose. I think we should explore the idea that one could install a certificate client-side in Workstation and/or the native apps, whose presence could be verified and then would translate into the grant of a security zone.

In other words, a new security zone identifier type that used PKI instead of network configuration.

7 Likes

We faced the same challenges. We created a QR code for each machine and added it in a visible location on the machine. Operators have to scan it first to start doing actions related to that machine.

5 Likes

It does take some care, but Vision's access to local resources makes certain kinds of things possible. I like the certificate idea, but would rather see it implemented with hardware tokens. Vision can already interrogate a Yubikey or similar for this kind of validation. Adding that to Workstation, and perhaps the NFC equivalent to mobile, would solve this problem definitively. Imagine an NFC token epoxied to a machine frame: swiping the mobile device over it to unlock local functions.

Hmmm?

A certificate, by itself, only says "yes, this is the device I installed a cert in", but not where that device is. That may be sufficient for a PC workstation, somewhat better than the MAC IDs of a machine, but not enough for a mobile device or laptop. A physical token known to be tied to a location, with a non-extractable private key, is the gold standard.

Think of it as two new security zone types, both using PKI: assertion of device identity via cert or TPM or similar, and assertion of proximity to a security token. The former is potentially sufficient when a particular machine is physically secured to a location.

1 Like

Sure, I think these are all compelling ideas. I was not suggesting that a certificate by itself makes any claim on location, but could be a very useful tool if administered correctly. Certainly would be a big step up for implementing local control using Perspective Workstation. Physical tokens and/or NFC that granted temporary access are both ideas that I would be interested in pursuing.

2 Likes

I'm happy to see the interest over this topic.

I'm thinking about a security zone per line used to allow an IP address whitelist (I could use fixed IPs for these devices). Combined with an NFC tag that you need to scan to unlock the functionalities for a certain period, this seems to make sense.

2 Likes
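The QR-code-per-machine scheme and the scan-an-NFC-tag-to-unlock-for-a-period idea above share the same gateway-side logic: map a physical token to a line, prove the token was actually presented, and then grant a time-limited unlock that every control action is checked against. The following is an added Python 3 sketch of that logic written for this thread; it is not Ignition scripting and not code from any of the posters. The token registry, the shared secrets, the session ids and the TTL values are constructed for the example. It uses an HMAC challenge-response rather than a static code, because a static QR payload can be copied and then proves nothing about proximity, which is the same weakness as a self-reported location. A hardware token with a non-extractable asymmetric key would replace the HMAC with a signature over the nonce; the flow is unchanged.

```python
"""Gateway-side authorization for mobile machine control, keyed to a
physical per-line token (QR/NFC) instead of user role or IP address.
Added example for this discussion; registry values are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed registry: token id -> (line the token is mounted on, shared secret).
# In a real deployment the secret lives inside the token and in the gateway's
# secure store; these fixed values exist only so the example runs offline.
TOKEN_REGISTRY = {
    "tok-line1": ("line1", bytes.fromhex("11" * 32)),
    "tok-line2": ("line2", bytes.fromhex("22" * 32)),
}

CHALLENGE_TTL_S = 30    # how long a scan has to answer the nonce (assumed value)
UNLOCK_TTL_S = 300      # how long one scan keeps a line unlocked (assumed value)


class FakeClock:
    """Injectable clock so the expiry paths can be exercised deterministically."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class ProximityGuard:
    def __init__(self, registry, unlock_ttl_s=UNLOCK_TTL_S,
                 challenge_ttl_s=CHALLENGE_TTL_S, clock=time.time):
        self._registry = registry
        self._unlock_ttl = unlock_ttl_s
        self._challenge_ttl = challenge_ttl_s
        self._clock = clock
        self._pending = {}   # session_id -> (token_id, nonce, issued_at)
        self._unlocks = {}   # session_id -> (line, expires_at)

    def issue_challenge(self, session_id, token_id):
        """Step 1: the app reports which token it scanned; the gateway returns a
        fresh nonce the token must answer. Unknown tokens get nothing."""
        if token_id not in self._registry:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[session_id] = (token_id, nonce, self._clock())
        return nonce

    def complete_challenge(self, session_id, response_hex):
        """Step 2: verify HMAC(secret, nonce) from the token. The pending entry is
        consumed on first use, so a captured response cannot be replayed."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        token_id, nonce, issued_at = entry
        now = self._clock()
        if now - issued_at > self._challenge_ttl:
            return False
        line, secret = self._registry[token_id]
        expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response_hex):
            return False
        # Unlock only the line the token is physically attached to, for a bounded time.
        self._unlocks[session_id] = (line, now + self._unlock_ttl)
        return True

    def authorize(self, session_id, line):
        """Step 3: called on the gateway before every start/stop/setpoint write.
        The decision is never cached on the phone."""
        unlock = self._unlocks.get(session_id)
        if unlock is None:
            return False
        unlocked_line, expires_at = unlock
        if self._clock() >= expires_at:
            del self._unlocks[session_id]
            return False
        return unlocked_line == line


def token_response(secret, nonce):
    """What the token itself computes over the nonce; done in software here
    only so the example is self-contained."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    guard = ProximityGuard(TOKEN_REGISTRY)
    nonce = guard.issue_challenge("session-A", "tok-line1")
    ok = guard.complete_challenge("session-A", token_response(TOKEN_REGISTRY["tok-line1"][1], nonce))
    print("unlock:", ok)
    print("line1 start allowed:", guard.authorize("session-A", "line1"))
    print("line2 start allowed:", guard.authorize("session-A", "line2"))
```

The per-session unlock is what keeps an operator who moves between lines from carrying an old grant with him: each line's token has to be presented again, and the grant lapses on its own after `UNLOCK_TTL_S`. Combining this with a per-line security zone, as suggested above, gives two independent checks that both have to pass.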

While not a direct answer to this question, this is an answer to the proximity/location bits: You could use a Bluetooth beacon instead of GPS. Perspective Mobile 1.0.8 will even add support for Eddystone EID (Encrypted) and TLM and will begin including the Address/MAC of the beacon if available. These beacons can have their transmission power configured at the beacon level and more.

In real-world testing the reliability of these beacons isn't foolproof though, so I wouldn't rely on it for mission-critical stuff, but it's another option to consider.

3 Likes

I like this solution. This could be perfect.

Surely something I will test when I have some spare time.

Thanks.