
Security Policy

CS1000/3000 Fundamental Course Textbook PART-H Security Policy

H-1. Security Overview
H-2. HIS Security
H-3. User Security
H-4. User Group
H-5. Window Authorities
H-6. Mode Selection Key
H-7. Function Block Security
H-8. Operation Mark

TE33Q4T30-01E

YOKOGAWA

Security Overview (1)


The security policy is set to prevent illegal operations and other problems and to ensure the safety of the system. The security policy restricts the scope of operation and monitoring permitted for an operator, and masks certain alarms of which the operator need not be notified.
In the CS 1000/CS 3000 security policy, operation and monitoring are defined as follows:

Operation
Setting data to function blocks, changing function block status and other operations.

Monitoring
Displaying function block data, acknowledgment of received messages and alarms or calling up windows.


Security Overview (2)


The following two types of policies are available in CS 1000/CS 3000.

HIS Security Policy
HIS security policy stipulates the scope of operation and monitoring allowed on the Human Interface Station. Regardless of which user is logged on, operations on a device or on a function block data item may be restricted.

User Security Policy


User security policy stipulates the scope of operation and monitoring for the users. Each user is restricted to operating or monitoring a certain scope of devices and function block data items.

The scope of operation and monitoring permitted for an operator is determined by a combination of HIS security and user security settings.

General-purpose Windows applications follow the security policy of Windows. A CENTUM user is different from a Windows user.

Flow of Security Check


[Figure: flow of security check]
HIS operation
Security check
    HIS security check: scope of operation and monitoring check for the HIS
    User security check: scope of operation and monitoring check for a user group; privilege levels of operation and monitoring check for a user
Operation: window operation and monitoring; function block operation and monitoring
Operation record
Operation History


HIS Security
The security level regarding operation and monitoring, as well as the operation and monitoring scope, can be set for the HIS itself. The HIS security check takes precedence over the user security check. The operation and monitoring scope of the HIS is independent of the operation and monitoring scope set for each user group.

The security level setting selects whether the HIS is a monitoring-only machine or a monitoring and operation machine (default).

User Security
The operators performing the operation and monitoring functions are classified based on their privilege level (authority).

This classification is called user.


The following attributes are assigned to each user:
User name: User recognition
Password: User identification
User group: Monitoring and operation scope
Privilege level: Monitoring and operation authority

The operations performed by the user are held as the operation record. The operation record can be confirmed by the historical message report.


User Privilege Levels


The user's operation and monitoring rights on the HIS are defined according to privilege levels. Operation and monitoring rights can be defined for each window. Whether a user with a certain privilege level is permitted to operate a specified data item can also be defined.
The following default privilege levels are available (security level 4).

*1: Maintenance means engineering work such as initiation of the builder.

See Supplement X. Function Block Security.



Default User Names


The HIS offers the following default user names.
The privilege level of the user who accesses from the User-in Dialog becomes valid when the mode selection key position of the operation keyboard is OFF.

*1: When the user group for OFFUSER is changed to NONEGRP and the HIS is started, operation and monitoring will be disabled.
*2: A user cannot user-in as PROG.
A password is not required for OFFUSER but is required for ONUSER and ENGUSER; the password is user-definable. The user group can be changed for any user.

Switching Users
In the HIS, switching the OFFUSER to a different user is called user-in, and the user switching back to the OFFUSER is called user-out.
To perform user-in or user-out, call up the User-In dialog box from the System Message window and enter a user name and the password.
[Figure: user switching between OFFUSER, USER A and USER B. Labels: user-in at HIS startup, user-in operation, user-out operation, change password button.]

When an automatic user-out time is defined, the user automatically changes to OFFUSER once the automatic user-out time has elapsed.

User Group
The users are classified into groups based on their operation and monitoring scopes.

This classification is called user group.


The following attributes are assigned to each user group:
User group name: User group recognition
Monitoring scope: Monitoring range
Operation and monitoring scope: Operation and monitoring range
Windows scope: Window names for operation and monitoring
Acknowledgement: Acknowledgment range
Process message receiving: Monitoring range of the generated messages

The range is set by the plant name. If the plant name is not used, it is set by the station name and the control drawing.

Default User Group


The following built-in default user groups are managed by CS 1000/CS 3000 security policy.

The user group name may be defined on the Security Builder.


Concepts of Scope and Privilege


[Figure: the whole plant, containing Equipment A, Equipment B, Equipment C, Equipment D and Equipment E, with the operation & monitoring scope of HIS0124 and the operation & monitoring scope of user Group-AB marked on it.]

Users in Group-AB:
OPS1-A: Monitoring
OPS2-A: Operation and monitoring
OPS3-A: Operation, monitoring and maintenance

Operation & monitoring scope of users OPS*-A in Group-AB using HIS0124, and their privileges.

Window Authorities
The table below shows operation and monitoring authorities on windows, indicating which user can perform operation and monitoring using which types of windows:

Users of privilege level S1 or S2 cannot start System View from the system message window, but can start and operate System View from [Start Menu].
Users of privilege level S1 can operate and monitor general windows. However, they can only monitor important windows and system operation windows excluding System View.
Users of privilege level S2 can operate and monitor general and important windows. However, they can only monitor system operation windows excluding System View.
Users of privilege level S3 can operate and monitor all windows.

Function Block Security


The attributes of function blocks contain security levels, tag mark types and alarm processing levels. The attributes can be defined for each function block in engineering. There is no restriction on the combination of security levels, tag mark types and alarm processing levels.
The tables below show the relationship between the function block data items and the privilege levels in operation and monitoring rights.

R: Monitoring

W: Operation

The tables on operation and monitoring authority are fixed and cannot be edited.

Function Block Security


The operation and monitoring authorities for three different function security levels are shown below:

Level 2

Level 4 (Default)

Level 6


Mode Selection Key


When the HIS is connected with an operation keyboard, the privilege level of the user may be changed temporarily using the mode selection key on the keyboard. The privilege level changed on the keyboard has higher priority than the level set in the user-in dialog box.

The following two mode selection keys are used to switch the security level:
Operation key (Privilege level S2): The key can be switched between the ON and OFF positions only.
Engineering key (Privilege level S3): The key can be switched to any position.

[Figure: mode selection key positions. In the case of the operation key: changes between the ON, OFF positions. When the engineering key is selected: the key can be switched to any position.]
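The checks described under Flow of Security Check, Window Authorities and Mode Selection Key can be combined into one decision function. The following is an added example, not Yokogawa code: the class and function names, the window class labels, the "ENG" position name and the equipment placed in each scope are assumptions made for illustration.

```python
from dataclasses import dataclass

# Window classes each privilege level may OPERATE, per the Window Authorities
# text; every level may monitor all three classes. System View is not modelled.
OPERABLE = {"S1": {"general"},
            "S2": {"general", "important"},
            "S3": {"general", "important", "system"}}
# Key position -> forced privilege level. "ENG" as a position name is assumed.
KEY_LEVEL = {"ON": "S2", "ENG": "S3"}

@dataclass(frozen=True)
class HIS:
    name: str
    scope: frozenset               # equipment this station may reach
    monitoring_only: bool = False  # default: monitoring and operation machine

@dataclass(frozen=True)
class User:
    name: str
    group_scope: frozenset         # scope of the user's group
    level: str                     # S1, S2 or S3 set at user-in

def effective_level(user, key="OFF"):
    # The key position outranks the user-in level; OFF leaves it unchanged.
    return KEY_LEVEL.get(key, user.level)

def check(his, user, equipment, window, action, key="OFF"):
    """Return (allowed, reason); action is 'monitor' or 'operate'."""
    # 1. HIS security check: runs first, regardless of the logged-on user.
    if equipment not in his.scope:
        return False, "outside HIS scope"
    if action == "operate" and his.monitoring_only:
        return False, "HIS is monitoring only"
    # 2. User security check: group scope, then privilege level.
    if equipment not in user.group_scope:
        return False, "outside user group scope"
    if action == "operate" and window not in OPERABLE[effective_level(user, key)]:
        return False, "privilege level can only monitor this window"
    return True, "allowed"

# Constructed sample data: which equipment each scope covers is assumed.
HIS0124 = HIS("HIS0124", frozenset({"B", "C", "D"}))
OPERATOR = User("op1", frozenset({"A", "B"}), "S1")   # hypothetical S1 user

if __name__ == "__main__":
    for eq, win, act, key in [("B", "general", "operate", "OFF"),
                              ("A", "general", "monitor", "OFF"),
                              ("B", "important", "operate", "OFF"),
                              ("B", "important", "operate", "ON")]:
        print(eq, win, act, key, check(HIS0124, OPERATOR, eq, win, act, key))
```

Only equipment inside both the HIS scope and the user group scope passes, and the reason string shows which of the two checks refused the request.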

Operation Mark
Attaching or removing an operation mark on a function block may temporarily enable or disable the operation restriction on the instrument faceplate. When an operation mark is attached to a function block, a comment label can be added to the function block, or the operation authorities on the function block can be changed temporarily during plant operation. When the operation mark is removed, operation authorities return to the original setting.
Operation marks have the following attributes:

Operation mark type
Color
Comment label
Attachment/removal attribute

Color and comment label may be defined with the HIS Setup function. If the builder file is downloaded, that file replaces the current file.

Types of Operation Marks


The security levels exerted by operation marks and the types of operation marks are displayed as follows.

Not used by default.


Install or Remove Operation Mark


An unauthorized user is prohibited from installing or removing an operation mark. The setting for installing/removing is performed in Operation Mark Builder.
The relationship between the user's privilege level and the authority to install or remove a mark is shown below:
