Field devices in industrial plants have a graded authorisation management and suitable authentication mechanisms to prevent the high-risk results of incorrect input and unauthorised access to process control. However, these traditional log-in procedures are impractical and time-consuming in cases where staff have to frequently change between operator stations. The use of RFID readers greatly simplifies the authentication process.
Optimised log-in for Thin Clients
The ongoing digitalisation in the process industry means ever-increasing requirements for operating and monitoring systems with regard to ensuring reliable access to production processes, process values and system statuses from the field to the control room. On the one hand, the growing inter-connectedness of automation and communication technology means an increase in data traffic. On the other hand, IoT applications and the need for more efficient use of memory and computing capacity drive the virtualisation of formerly hardware-based control and communication architectures. The HMIs must therefore be of robust, reliable design. In addition, they should also feature flexible access options, mature usability and compatibility with a broad range of key control systems.
The time element of access security
Staff of many large-scale systems and operations have to change operator stations frequently. Dynamic access management enabling authorised staff to access processes and systems from different terminals is therefore one of the central security aspects. However, security guidelines require a log-off and log-on with user name and password for every change of system.
Adverse conditions such as wearing protective gloves or inaccurately calibrated on-screen keyboards can make the constant log-off / log-on procedures even more cumbersome. Frequently, this leads to counterproductive behaviour, such as staff using passwords without protective function, openly displaying access codes or simply not logging out. An ergonomic solution to this might be biometric procedures using fingerprints or face recognition to check access authority. This method is useless, however, in sensitive areas where staff have to wear protective clothing, gloves and face masks for hygienic reasons.
This is where LogOnPlus comes in, software that greatly simplifies everyday production processes. LogOnPlus is a modular server-client application that manages log-on control for production applications. Users are, for example, identified through their RFID ID card, authenticated vis-à-vis the company's Active Directory and then logged on to the target application, e.g. a DCS, by LogOnPlus via an application-specific connector.
Contactless RFID authentication
R. STAHL is the only manufacturer on the market that can equip its explosion-protected Thin Clients with contactless RFID authentication, which reduces the time required for log-on and authorised access to process control and data communication to a minimum. For this, we have developed specific RFID readers for use in Zone 1/21 and 2/22 that are either integrated into the enclosure, available as separate units with USB interface for panel-mounting or are firmly installed under the HMI's front panel, such as with the Thin Client models for use in the oil and gas industry.
The usual log-ons and log-offs in the automation system are no longer necessary due to the RFID access control, which meets the current security requirements according to FDA and GAMP. Following the user authentication via card or chip and after a password has been entered, the system will immediately call up the individual, customised start menu with the applications available for the specific user. In addition to transponders with MIFARE, DESFIRE, EV1 or LEGIC Advant, our RFID readers now also support the use of a particularly comfortable log-on system.
Fast, secure log-in
Compatible with many commonly used card readers and distributed control or SCADA systems, LogOnPlus provides integrated RFID authentication via staff ID cards. With this software, access control at the Client will remain active even when the server is down or during maintenance work. Another useful feature is that users can allocate their work ID themselves, without the need for extra administration. The system allows for a period to be configured as a "smart logon session", during which follow-up log-ins will be accepted without the need for a password, thus speeding up the process. This way, when users need to log in again during the defined period of time, they merely need to place their staff ID onto the reader.
Another benefit in terms of security and compliance is the option of automatically logging off a user when the ID card is removed from the reader, making "open systems" a thing of the past. To meet the high standards set for IT security, compliance and QM, there is the option of an audit trail that documents all log-on and log-off processes centrally. In addition, access to the desktop can be locked via a screen keyboard without function keys. Sensitive data are protected via encryption.
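The log-on behaviour described in the two paragraphs above (password-free follow-up log-ins inside a configured "smart logon session", automatic log-off on card removal, and a central audit trail) can be modelled as a small state machine. The following is an added example, not LogOnPlus code: the class, event names and the `verify` callback are hypothetical, and it assumes the session window is tracked per card and starts at the last password log-on.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Terminal:
    """Hypothetical model of one operator station (not LogOnPlus code)."""
    smart_window_s: int                   # configured "smart logon session" length
    verify: Callable[[str, str], bool]    # stand-in for the directory check
    audit: list = field(default_factory=list)          # central audit trail
    active: Optional[str] = None                       # card currently logged on
    last_pw_logon: dict = field(default_factory=dict)  # card -> time of last password logon

    def _deny(self, now, card, reason):
        self.audit.append((now, card, reason))
        return False

    def present_card(self, now, card, password=None):
        """Card placed on the reader; returns True if the user is logged on."""
        if password is None:
            last = self.last_pw_logon.get(card)
            # Assumption: the window is per card and is not extended by smart logons.
            if last is None or now - last > self.smart_window_s:
                return self._deny(now, card, "DENY_PASSWORD_REQUIRED")
            event = "LOGON_SMART"
        elif self.verify(card, password):
            self.last_pw_logon[card] = now
            event = "LOGON_PASSWORD"
        else:
            return self._deny(now, card, "DENY_BAD_CREDENTIALS")
        self.active = card
        self.audit.append((now, card, event))
        return True

    def remove_card(self, now):
        """Card lifted off the reader: log the user off so no session stays open."""
        if self.active is not None:
            self.audit.append((now, self.active, "LOGOFF_CARD_REMOVED"))
            self.active = None

def demo():
    creds = {"CARD-A": "constructed-pw"}  # constructed sample data
    check = lambda c, p: c in creds and hmac.compare_digest(creds[c].encode(), p.encode())
    t = Terminal(smart_window_s=600, verify=check)
    t.present_card(0, "CARD-A")                     # no prior password logon
    t.present_card(10, "CARD-A", "constructed-pw")  # full logon opens the window
    t.remove_card(60)
    t.present_card(300, "CARD-A")                   # inside window: card only
    t.remove_card(320)
    t.present_card(700, "CARD-A")                   # window expired
    return [e for _, _, e in t.audit]
```

Every decision, including denials, lands in the audit list, so the trail shows when a card-only log-on was accepted and when the window had lapsed.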
This uncomplicated RFID integration is one of the features of the modern industrial-grade Remote HMI firmware, which we have developed to make our Thin Clients fit for the Industrial Internet of Things. This user-friendly firmware on the basis of Windows 10 IoT Enterprise is tailored for the latest developments of digital automation. It ensures the secure, manipulation-proof remote control of virtual or real workstations in a network as a closed system with a uniform operating concept. All major remote protocols, such as VNC and RDP, are supported. The App concept allows for CITRIX access, protocols such as Delta V Remote Desktop Connection (DRDC), browsers, CCTV apps or any other applications to be operated securely and without modification of the Remote HMI firmware. The firmware provides a customised access management with graded access rights for authorised access to centrally stored or cloud-based programs and applications.
Conclusion
RFID readers provide a simplified authentication management via RFID cards. The reader's compatibility with various reader technologies simplifies implementation at sites where staff already use transponder cards for other areas of application. In addition, the readers' support of LogOnPlus means a considerable increase in comfort whilst maintaining high security standards. Users are, for example, identified through their RFID ID card, authenticated vis-à-vis the company's Active Directory and then logged on to the target application, e.g. a DCS, by LogOnPlus via an application-specific connector.