As a control engineer, you have enough technology to learn and maintain, and it’s not hard to understand why you often just want to leave all the Microsoft Windows stuff to the IT folks. But as OT (Operational Technology) and IT (Information Technology) get more integrated, it’s time to start crossing the line and knowing more about some of the IT tools that you can use when needed.
As more and more organizations move to secure their EtherNet/IP, PROFINET IO and Modbus TCP networks, one of the pressing concerns they have is how to identify and track the individuals that are authorized to access the control networks. One solution is to use Active Directory – one of the Microsoft Windows tools used on the IT side of the house to authorize access.
Active Directory is part of a larger group of Windows services known as Active Directory Domain Services (AD DS). It is a key component of every network organized as a Windows domain, an idea first delivered by Microsoft in 1999. A Windows domain is nothing more than a group of computers (local or remote) on a Windows network in which all the key components of the network (printers, computers, users, credentials, passwords) are registered in a central database. The servers that host AD DS are known as domain controllers. They manage all the security-related connections between users and network resources, centralizing security administration and management. Everyone and everything in a domain is authenticated by Active Directory Domain Services.
If you’re old enough to remember Modbus RTU, you’ll remember the old Windows for Workgroups. That was a way of organizing the components of a network so that the key components of the workgroup, including security credentials, were stored locally within the workgroup. That idea has since been discarded in favor of storing credentials and passwords centrally in Active Directory.
You most likely already use Active Directory services, not only when you log in to your office desktop or laptop at work but also when you VPN into your manufacturing system. The VPN system that you use accesses the Active Directory services to validate your security certificate.
As we work to secure our manufacturing networks, we need a way of authorizing various individuals to have access to the machine network. We’ll need to add new users when they join the controls team and remove users when they leave to join some other department or leave the company.
While Active Directory has some ability to restrict which resources a user can access, it’s really not meant for securing manufacturing resources the way we need. In manufacturing, we like to grant some pretty granular access. We may want Sara to be able to access only the PLC in cell 1, using EtherNet/IP, because that cell is her responsibility. Alan, her supervisor, should have access to all the PLCs in all the cells in the zone because that zone is his overall responsibility, and he can use both PROFINET IO and EtherNet/IP. We may also want to grant some individuals read access to the PLC data table but not write access.
Then there are the vendors that come in to take care of specific pieces of machinery: the welding people doing required maintenance on the welding system, the guys tuning the robot, and so on. These people need access not only to the network but to very specific components on the network for a limited time.
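To make the kind of granular, deny-by-default policy described in the last two paragraphs concrete, here is an added example (not code from the original article or from any product) of a small authorization check that decides per user, per device or cell or zone, per protocol and per operation, with an optional expiry for time-boxed vendor access. The device inventory, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

# Constructed inventory (hypothetical names): device -> (cell, zone)
DEVICES = {
    "plc-cell1": ("cell1", "zoneA"),
    "plc-cell2": ("cell2", "zoneA"),
    "weld-ctrl": ("cell2", "zoneA"),
}

@dataclass(frozen=True)
class Rule:
    user: str
    scope: str                       # a device, a cell or a zone name
    protocols: FrozenSet[str]        # e.g. {"enip", "profinet", "modbus"}
    ops: FrozenSet[str]              # {"read"} or {"read", "write"}
    expires: Optional[datetime] = None   # time-boxed (vendor) access

def in_scope(rule: Rule, device: str) -> bool:
    """A rule covers a device if its scope is that device, its cell or its zone."""
    cell, zone = DEVICES[device]
    return rule.scope in (device, cell, zone)

def is_allowed(rules, user: str, device: str, protocol: str, op: str, now: datetime) -> bool:
    """Deny by default; allow only if an unexpired rule matches user, scope, protocol and op."""
    if device not in DEVICES:
        return False
    for r in rules:
        if r.user != user or not in_scope(r, device):
            continue
        if r.expires is not None and now >= r.expires:
            continue            # vendor window has closed
        if protocol in r.protocols and op in r.ops:
            return True
    return False

# Constructed policy mirroring the article's scenario (hypothetical users)
RULES = [
    Rule("sara", "cell1", frozenset({"enip"}), frozenset({"read", "write"})),
    Rule("alan", "zoneA", frozenset({"enip", "profinet"}), frozenset({"read", "write"})),
    Rule("quality", "zoneA", frozenset({"enip", "profinet"}), frozenset({"read"})),
    Rule("weld-vendor", "weld-ctrl", frozenset({"profinet"}), frozenset({"read", "write"}),
         expires=datetime(2024, 6, 1, 17, 0, tzinfo=timezone.utc)),
]

# Constructed timestamps: during the vendor's maintenance window, and after it
SHIFT_TIME = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
AFTER_HOURS = datetime(2024, 6, 1, 18, 0, tzinfo=timezone.utc)
```

Every decision is a single (user, device, protocol, operation, time) tuple, which is also what you would want to log for later review.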
Active Directory, while it’s good for overall authorization, is not capable of managing this type of granular access. There are tools that can do this and do a very good job at it. If you want to know more about that, I’d be glad to tell you about something that will be coming in the very near future. Just give me a call at 800-249-1612.