An in-depth guide to keeping TIA Portal Projects safe from accidental and malicious changes, because your machines are only as secure as their source code.
As industrial devices get more connected, the need for security in industrial automation has increased.
One of the easiest ways to secure your machines and systems is to use an authentication and authorization system to prevent accidental or malicious modifications to the automation software. After all, your machines are only as secure as their source code.
TIA Portal provides powerful tools for user authentication and authorization within a project or across multiple projects.
In this article, I’ll explain:
In practical terms, authentication is the process of verifying who a user is, and authorization is the process of verifying what they have access to. Using authentication and authorization together, you can control who has access to a project and what each user is allowed to do in a project.
In TIA Portal, you can access the Security Settings in the Project Tree. Double click on Settings to open the Settings Editor window.
You can click on ‘Protect this project’ to activate project protection. Note: once project protection is activated, it cannot be undone.
When you activate project protection, you are prompted to create the credentials for a Project Administrator. Every project has to have at least one administrator who defines and manages the users that have access to the project.
Define the credentials for the project administrator and click OK to activate project protection. The project is now encrypted and additional security features are available to configure:
Now, when you try to open the project, you will be prompted for a user name and password.
At this point, there is one user that can access the project. Throughout the life of a TIA Portal Project, though, many people need to access the software for commissioning, quality checks and maintenance purposes. As a project administrator, you can define the users that have access to the project and the authorizations that those users have.
Double click on ‘Users and roles’ in the Project Tree to open the Users and Roles Editor window.
In this window, you can see all of the users that are configured in the project as well as the roles that they are assigned to.
In the example below, we can see that the user ‘admin’ was created (1) and that this user belongs to the ‘Engineering administrator’ role (2).
In the ‘Roles’ tab (1), new roles can be created (2).
Each role has an associated set of authorizations. These authorizations define what a user that belongs to a specific role can do within a project.
These authorizations can be related to the project itself (for example, a user who belongs to a role is allowed to open a read-only version of the project).
Other authorizations are related to runtime configuration of devices like managed switches and PLCs.
When the project is downloaded, the users and their respective roles configured within a project are automatically loaded to the devices and stored in an encrypted container.
In the ‘Users’ tab (1), a project administrator can manage users.
An administrator can add or remove users (2) as well as update a user’s password and assigned roles (3).
It is possible to assign multiple roles to a single user to give them more rights.
A project administrator can monitor the rights that the user has in the ‘Assigned rights’ tab of the bottom pane.
Siemens has answered the need for greater security in industrial automation with a flexible authentication and authorization system built directly into TIA Portal. It’s easier than ever to secure access to your automation software using native tools.
In this article, I have explained how to configure protection for a project and how to create local users and roles with varying authorizations.
These users and roles only exist locally in the TIA Portal Project. If you want to define users and roles which exist across multiple projects (and are synchronized with Windows Active Directory) then you need to use the optional User Management Component (UMC) that is available for TIA Portal.