Understanding restrictions placed on the system – Rockwell Automation 1785-Lx6B,D17856.5.13 MNL. PLC-5 PROTECTED PROCESSOR User Manual
Page 27
Chapter 3
Configuring DTE Protection
3-6
As system administrator, you should have set up the basic protection for the
processor application using the passwords and privileges capabilities
discussed in Chapter 2. While doing this, you should have removed write
privileges from all classes (except class 1) for all program and data files
that you consider to be critical for the security of the application program.
Program files that end users create afterwards are not protected in this
way, and they default to allow all four classes to have both read and write
privileges. This distinction allows the processor to key its download
screening to any download request made that has a ladder or structured-text
program file as its destination and also has write privileges allowed for
class 2.
Any protection violation causes the download to abort, the download screen
displays the message
Data
Table
Element
Protection
Violation
, and
the screen continues displaying the program file number that caused the
protection violation. Use this information to trace the instruction/operand
combination that caused the protection violation.
On detecting a protection-violation error during download mode, the
processor responds as if a download timeout had occurred, sets the processor
mode back to program (or remote program), and sets major fault “Bad User
Program Memory” with a fault code of “Download Aborted” (19).
To reduce security risks, the following restrictions have been placed on the
use of a protected system.
Indirect Addressing
Because indirect addressing lets the end user determine the effective data-
table address at run time by manipulating the indirect location in ladder
program, a security risk could exist. When DTEP is enabled and the end user
does not have the ability to modify privileges, the protected processor
screens for indirect addressing in ladder and structured-text instructions that
are inserted. The security system:
•
rejects all indirect addressing at the file level—e.g., N[N7:0]:20
•
allows indirect addresses at the element level—e.g., N12:[N7:0]—only if
the file specified contains no protected elements
•
rejects indirect addressing at the element level if the file specified
contains any protected elements
If a protection violation occurs, the request is rejected, an error code
(
Data
Table
Element
Protection
Violation
) is returned, and minor-fault bit
S:17/11 is set.
Understanding Restrictions
Placed on the System