HMI Security
In today’s IIoT world, security is a top priority. Demands for instantaneous data from all levels of production have put increased pressure on OEMs and systems integrators to provide remote access to the manufacturing plant. Just as important, though, is ensuring that the safety of employees and the protection of company equipment and intellectual property are not compromised. Maple Systems HMIs provide several layers of security features that keep your control system safe, yet still accessible to personnel located outside the plant.
Protect your HMI from Unauthorized Access
First and foremost, Maple Systems HMIs offer the ability to protect your HMI data with extensive password control. Use a password to restrict access to the HMI’s local setup menus. Uploading or downloading a new project to the HMI can be password-protected, as can retrieving stored data in the HMI. Access from connected devices such as PCs, other HMIs or smart devices is also password-protected.
Administrator-Based User Access
HMI screens, data objects (such as Video Player or Data Block Displays), or input objects (such as momentary buttons, toggle switches, or data entry) can be made available to users according to the administrator-based user access feature on Maple HMIs. Objects with restricted access are invisible or display an “access-denied” warning message. Up to 12 users (128 users with USB security key) can be configured, each with a unique username and alphanumeric password. The administrator can add, delete, or modify the list of users during HMI runtime. To change the access level, select a user from the list and enter the assigned password.
Enhanced Security Features
Manage access to your control system and keep your facility safe. Our configuration software offers enhanced operational security features to prevent unauthorized personnel from accessing windows in the HMI or from operating critical functions including:
- Projects
- Screens
- Objects
- Adding/deleting accounts
- Modifying privileges
- Resetting passwords
- And more
Add/Delete Users at Any Time
- Grant access to as many as 128 users, each with a unique password.
- Temporary users can be added for a specified period of time.
- User names and passwords can be added or deleted on the HMI screen, or from a USB flash drive or SD card using a Function Key.
USB Security Key Login
Log in directly with a USB Security Key. Login information can be stored on a USB flash drive, allowing a user to be logged in using a Function Key.
Project Protection
- Project Password Feature – Secures a project and prevents it from being modified without the proper password.
- Project Protection Feature – Sets a unique password (Project Key) in the project that will cause the project to run only on specific HMIs that have a matching password (HMI Key).
- Disable Upload Function Feature – Disables the upload function, preventing a project from being uploaded from your HMI.
- Decompiling Prohibited Feature – Prevents decompiling of a project.
- XOB Password Feature – Allows you to set a password when compiling your project to prevent unauthorized decompiling.
Additional Resources
- Learn More: Dual-Ethernet Models
- Learn More: EasyAccess 2.0 – Remote Access to your HMI
- Sample project: Alarm Events – Multiple Histories
- Sample project: Security – Security features including select user, login, security classes, update password, object security and window security.
- Sample project: Security – Enhanced Basic – Demonstrates how to use the preconfigured security windows in EZwarePlus to log in and out with a pop-up window and to modify account settings using Enhanced Security.
- Sample project: Security Password Pop-Up – Demonstrates General mode security using a pop-up window to log in for one user.
- Sample project: Security – Window Change – Allows users to log in using a common screen and once logged in, the HMI will automatically take the user to a different screen based on the access level of the user.
- Product video: Security Features of the Maple Systems HMI5000 Series [ 10 min. ] This video demonstrates the security features in the Maple Systems 5000 Series HMI. It also explains how to configure security in EZware-5000.
- Product video: Enhanced Security (Using EZwarePlus) [ 5 min. 11 sec. ] The security features in the HMI5000P can use the original security features as outlined in the HMI5000 Security video or the enhanced security features can be used. This video covers the implementation and use of the enhanced security features.
Protected and Secure Remote Access
Using EasyAccess 2.0, remote PCs with an Internet connection can communicate with Maple Advanced and cMT HMIs for screen monitoring or to change settings on the HMI or connected PLC, lowering the cost of screen updates and minimizing downtime. It is of paramount importance that this connection be secure. This is why Maple Systems employs a VPN (Virtual Private Network) connection and SSL encryption for remote communication. Wi-Fi access to cMT series using cMT Viewer is also password-protected. With the press of a button on the HMI, remote access can be temporarily disabled.
Secure Password Authentication (SPA) is also an important factor when sending predefined email messages from HMIs that contain sensitive data or information about an alarm event. The email function employs the SMTP protocol with the option for data encryption (SSL and TLS supported).
Many of our HMIs have two Ethernet ports, which provide a physical separation between your local network and the web. Our HMI series uses a proprietary operating system that further reduces susceptibility to viruses or malware.
Safety Comes First
Security is a necessity, but just as important is ensuring that the operation of an HMI is conducted in a safe environment. All HMIs can be temporarily taken offline with the press of a button. Use the interlock feature, which monitors the status of a safety bit when activating potentially dangerous equipment. Other safety features include the option of a minimum press time before a button is engaged or the display of a confirmation window. The Operation Log feature records each action of the HMI operator to help determine incorrect action sequences and to reinforce proper HMI operation.
Alphanumeric User Names and Passwords
- Identify users by name or functions using alphanumeric characters
- Alphanumeric passwords provide a higher level of security
Operational Security
- Password Protection – Stops unauthorized entries into your HMI application.
- Security Levels – Provide up to 12 levels of security for various levels of access to critical functions. An “Access Denied” message can be configured to pop up if an attempt is made to access a function without the correct security level.
- Object Level Security – Apply object level security so only certain users can have access to the function of an object.
- Object Security Disabled – An object’s security can be disabled after activation/use.
- Object Warning Message – Displays a warning message if access to an object is denied.
- Object Invisibility – Set objects to turn invisible while protected.
- Window Access – Limits access to pop-up windows and screens, etc.
- Interlock Function – Control the visibility and functionality of buttons, switches, and displays under PLC control.
- Monitor User Actions – Record HMI input (such as the press of a function key/switch, changing screens, or data entry) taken by the HMI operator along with information such as date/time of action, security level of user, and specific data entered. This action log can be viewed on the HMI or stored as an SQLite database file. This feature enhances security and helps to determine the sequence of events which may have led to an operational error.
- Additional Features – Sound output for alarms and auto logout.
Secure Remote Access
- EasyAccess 2.0 – This feature provides a secure encrypted connection to your HMI from remote PCs or smart devices. A VPN (Virtual Private Network) connection that is encrypted with SSL (Secure Sockets Layer) prevents unauthorized access to your HMI. This optional feature is administrator-based so that you can limit access to specific users and HMIs.
- cMT Viewer – Another remote monitoring feature, which adds password protection to cMT series HMIs connected to Wi-Fi.
- Email Protection – Send predefined alarm messages to a list of email addresses automatically from an Internet-connected HMI when a trigger condition occurs. Using the SMTP protocol, the HMI can be configured to use SPA (Secure Password Authentication), with SSL or TLS encryption.
- Hardware Protection – In addition to the software features above, many Maple Systems HMIs have two Ethernet ports to allow physical separation between the control system and outside contact via the Internet. And finally, the Maple Systems HMI series uses a proprietary operating system, further protecting the HMI from contact with Windows-based viruses and malware.