An in-depth guide to keeping TIA Portal Projects safe from accidental and malicious changes because your machines are only as secure as their source code.
As industrial devices get more connected, the need for security in industrial automation has increased.
One of the easiest ways to secure your machines and systems is to use an authentication and authorization system to prevent accidental or malicious modifications to the automation software. After all, your machines are only as secure as their source code.
TIA Portal provides powerful tools for user authentication and authorization within a project or across multiple projects.
In this article, I’ll explain:
Before I dive into the post though, I want to take a brief moment to introduce myself to anyone who might be new here.
My name is Ken Bourke and I have worked as an automation professional for almost a decade. During this time, I have worked on large global projects in different industries around the world. In the last year, I have started producing content online to share my knowledge through free blog posts and free or very reasonably priced courses. If you get some value out of this post then consider checking out my courses or joining the mailing list using the form at the bottom of this page. With that bit of shameless self-promotion out of the way, let’s get back to the topic at hand.
In practical terms, authentication is the process of verifying who a user is and authorization is the process of verifying what they have access to. Using authentication and authorization, you can control who has access to a project and what each user is allowed to do in a project.
In TIA Portal, you can access the Security Settings in the Project Tree. Double click on Settings to open the Settings Editor window.
You can click on ‘Protect this project’ to activate project protection. Note: once project protection is activated, it cannot be undone.
When you activate project protection, you are prompted to create the credentials for a Project Administrator. Every project has to have at least one administrator who defines and manages the users that have access to the project.
Define the credentials for the project administrator and click OK to activate project protection. The project is now encrypted and additional security features are available to configure:
Now, when you try to open the project, you will be prompted for a user name and password.
Now, there is one user that can access the project. Throughout the life of a TIA Portal Project though, many people need to access the software for commissioning, quality checks and maintenance purposes. As a project administrator, you can define the users that have access to the project and the authorizations that those users have.
Double click on ‘Users and roles’ in the Project Tree to open the Users and Roles Editor window.
In this window, you can see all of the users that are configured in the project as well as the roles that they are assigned to.
In the example below, we can see that the user ‘admin’ was created (1) and that this user belongs to the ‘Engineering administrator’ role (2).
In the ‘Roles’ tab (1), new roles can be created (2).
Each role has an associated set of authorizations. These authorizations define what a user that belongs to a specific role can do within a project.
These authorizations can be related to the project itself (for example, a user who belongs to a role is allowed to open a read-only version of the project).
Other authorizations are related to runtime configuration of devices like managed switches and PLCs.
When the project is downloaded, the users and their respective roles configured within a project are automatically loaded to the devices and stored in an encrypted container.
In the ‘Users’ tab (1), a project administrator can manage users.
An administrator can add or remove users (2) as well as update a user’s password and assigned roles (3).
It is possible to assign multiple roles to a single user to give them more rights.
A project administrator can monitor the rights that the user has in the ‘Assigned rights’ tab of the bottom pane.
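The sketch below is an added example, not code from this article or from Siemens, and it does not read any TIA Portal file format. It models the users-and-roles scheme described above, where a user's assigned rights are the union of the rights of all their roles, and runs the checks an administrator would make when reviewing assignments. Every role name except 'Engineering administrator', every right identifier and all user names are hypothetical and constructed for illustration.

```python
# Constructed model of a protected project's local users and roles.
# Role and right names other than 'Engineering administrator' are hypothetical.
ROLES = {
    "Engineering administrator": {"manage_users_and_roles", "open_and_edit", "open_read_only"},
    "Commissioning": {"open_and_edit", "download_to_device"},
    "Maintenance": {"open_read_only", "device_diagnostics"},
}
USERS = {
    "admin": ["Engineering administrator"],
    "commissioner": ["Commissioning", "Maintenance"],
    "auditor": ["Maintenance"],
}
ADMIN_RIGHT = "manage_users_and_roles"


def effective_rights(user, users=USERS, roles=ROLES):
    """Map each right the user holds to the roles that grant it (union over roles)."""
    granted = {}
    for role in users[user]:
        if role not in roles:
            raise KeyError(f"user {user!r} references undefined role {role!r}")
        for right in roles[role]:
            granted.setdefault(right, []).append(role)
    return granted


def audit(users=USERS, roles=ROLES):
    """Return review findings: administrator count, odd combinations, unused roles."""
    findings = []
    admins = sorted(u for u in users if ADMIN_RIGHT in effective_rights(u, users, roles))
    if not admins:
        findings.append("no user can manage users and roles")
    elif len(admins) == 1:
        findings.append(f"single administrator: {admins[0]}")
    for user in sorted(users):
        rights = effective_rights(user, users, roles)
        if not rights:
            findings.append(f"{user}: no rights assigned")
        if "open_and_edit" in rights and "open_read_only" in rights and ADMIN_RIGHT not in rights:
            findings.append(f"{user}: holds both edit and read-only project rights")
    assigned = {r for rs in users.values() for r in rs}
    for role in sorted(set(roles) - assigned):
        findings.append(f"role {role!r} is not assigned to any user")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Because `effective_rights` records which role grants each right, a reviewer can see why a user holds a given authorization before deciding which role to remove.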
Siemens has answered the need for greater security in industrial automation with a flexible authentication and authorization system built directly into TIA Portal. It's easier than ever to secure access to your automation software using native tools.
In this article, I have explained how to configure protection for a project and to create local users and roles with varying authorizations.
These users and roles only exist locally in the TIA Portal Project. If you want to define users and roles which exist across multiple projects (and are synchronized with Windows Active Directory) then you need to use the optional User Management Component (UMC) that is available for TIA Portal, which is a more complex topic that I will cover at a later date.