Controller Security (Settings via WBM)
It is strongly recommended to use the possible security settings in order to protect the controller against unauthorized access and ensure the integrity of data and the application.
In addition to the security features implemented in PLCnext Engineer, the Web Based Management (WBM) of the controller offers protective measures to be applied.
How to access the WBM of the controller
- Double-click the controller node in the PLANT and open the 'Cockpit' editor.
- In the Cockpit, click the 'Connect to controller' button on the toolbar.
The authentication mask appears. Enter the user name of the administrator user role as well as the corresponding password and press <Enter> to log on. On delivery, the default user with administrator rights is admin. The password is printed on the front of the controller.
- Access the Web-based Management (WBM) by clicking the following icon on the Cockpit toolbar:
The login page to the controller's WBM appears in the default web browser.
- Log on to the WBM with the admin user name and password.
- On the left, the 'Security' category offers various pages.
Activating and configuring the internal firewall on the controller (deactivated on delivery)
- Open the 'Firewall' page.
- You can activate the firewall temporarily or permanently:
  - Temporary activation: Set 'Status = Start' and click 'Apply' (lower screen border). The firewall is activated immediately and remains active as long as the controller is not restarted.
  - Permanent activation: Mark the 'Activation' checkbox and click 'Apply' (lower screen border). The firewall is activated immediately and remains active even after a controller restart.
- Set the basic filter rules using the options in the 'Basic Configuration' section.
The currently set firewall configuration can be displayed by clicking the 'Show Rules' button (section 'System Status' at the beginning of the page).
Adding and defining user roles in addition to the default admin user
- Open the 'User Authentication' page.
- Click 'Add User', enter the desired user name and password and confirm.
- Click 'Modify Roles' for the newly added user.
- Mark the checkbox for each access right to be granted to the user (multiselection is possible). The meaning of the access rights provided for selection is described in the controller manual.
Also observe the help chapter "Network Security: Authentication with User Role and Password" for details on the implementation in PLCnext Engineer.
Adding a controller certificate
- Open the 'Certificates Authentication' page.
- On the 'Trust Store' tab, you can add trusted certificates and revocation lists of allowed communication partners. Communication partners must authenticate themselves using these certificates when establishing the communication connection.
- On the 'Identity Store' tab, you can create and add certificates. It is recommended to personalize the secure communication connection between the controller and PLCnext Engineer by adding your specific certificate here. After (creating and) adding your own certificate, you must also add the certificate in the trust store of PLCnext Engineer.
For further information, refer to the help chapter "Network Security: Certificates enable Secure Connection" for details on the implementation in PLCnext Engineer as well as to the controller manual.
SD card-related setting
On the 'SD Card' page, you can activate or deactivate the support of an SD card plugged into the controller. By default, the support for the SD card is enabled.
Further Info
Read the controller manual for details regarding the use of an SD card as well as the behavior of the controller if an SD card or an empty SD card is detected in the card slot.
Security recommendations
- Disable the support of the SD card if you want to operate the controller without a card.
- If the support of the SD card remains enabled but the controller is operated without an external SD card, there is a risk of data theft or data manipulation. Unauthorized persons may insert an SD card and restart the controller.
An SD card stores sensitive and proprietary data. Therefore, physical access on site must be controlled and, where necessary, restricted to prevent damage due to unauthorized access.
- Make sure that only authorized access is possible.
- Protect the SD card (slot) by mounting the devices in a control cabinet.
- Secure the control cabinet with a lock.
- Ensure that the control cabinet key is only accessible to authorized persons.
LDAP settings
On the 'LDAP Configuration' page, you can activate LDAP and set up the service.
Lightweight Directory Access Protocol (LDAP) is one of the authentication mechanisms implemented in AD (alongside others such as Kerberos). From a technical point of view, LDAP is a network protocol that enables queries and changes in a decentralized directory service, i.e., the directory may be distributed over several servers/computers. Each system involved must allow communication via a particular port (636 for TLS communication).
Note
LDAP should not be used without TLS protection as otherwise credentials (username, password) will be transmitted in unencrypted text.
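The note above can be made concrete with a short Python script. It is an added example and not part of the PLCnext documentation or of any Phoenix Contact software: it encodes an LDAPv3 simple bind request as defined in RFC 4511 (using only the standard library), shows that the password appears verbatim in the bytes a client sends to port 389, and adds a small detector that flags such cleartext binds in a constructed sample capture while treating LDAPS traffic on port 636 as an opaque TLS record. The distinguished name, the password and the capture segments are constructed sample values, not real credentials.

```python
"""Added example (not part of the PLCnext documentation): an LDAPv3 simple
bind request encoded per RFC 4511, and a detector that flags such binds when
they travel without TLS. All names, passwords and capture data are constructed."""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value: int) -> bytes:
    """BER INTEGER in minimal two's-complement form (enough for small ids)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = (_integer(3)
            + _tlv(0x04, dn.encode())            # name: OCTET STRING
            + _tlv(0x80, password.encode()))     # authentication: simple [0], verbatim
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))   # [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos:]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes):
    """Return the fields of a simple BindRequest, or None if packet is not one."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None
    t1, ver, pos = _read_tlv(bind, 0)
    t2, name, pos = _read_tlv(bind, pos)
    t3, auth, _ = _read_tlv(bind, pos)
    if (t1, t2, t3) != (0x02, 0x04, 0x80):
        return None
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": name.decode(),
        "password": auth.decode(),               # readable: nothing protected it
    }


def classify_segment(payload: bytes) -> str:
    """'tls' for a TLS record (what LDAPS on port 636 looks like),
    'cleartext-simple-bind' for an unprotected bind, 'other' otherwise."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    try:
        bind = parse_simple_bind(payload)
    except IndexError:                           # truncated or non-BER data
        bind = None
    return "cleartext-simple-bind" if bind else "other"


def find_cleartext_binds(capture):
    """capture: iterable of (dst_port, payload). Returns (port, dn) per finding."""
    findings = []
    for port, payload in capture:
        if classify_segment(payload) == "cleartext-simple-bind":
            findings.append((port, parse_simple_bind(payload)["dn"]))
    return findings


# Constructed sample capture: one bind sent in the clear to 389, and the first
# bytes of a TLS handshake record as seen on an LDAPS (636) connection.
SAMPLE_DN = "cn=plc-engineer,dc=example,dc=com"
CLEARTEXT_BIND = simple_bind_request(1, SAMPLE_DN, "S3cret!")
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_CAPTURE = [(389, CLEARTEXT_BIND), (636, TLS_RECORD)]

if __name__ == "__main__":
    print("password visible in cleartext bind:", b"S3cret!" in CLEARTEXT_BIND)
    print("findings:", find_cleartext_binds(SAMPLE_CAPTURE))
```

Running the script prints `True` for the visibility check and one finding for the port 389 segment; the port 636 segment yields nothing because the detector only sees a TLS record. The same logic, fed with payloads from a packet capture on the controller's network, is a cheap way to verify that the LDAP configuration really uses TLS and that no client still binds in the clear.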
Further Info
For further details on LDAP refer to the Phoenix Contact Industrial Security Guide, chapter "(Central) User Management".
Further Info
Details on the possible settings mentioned can be found in the respective controller user manual.