I have a query about managing user accounts in PLC / SCADA based systems which provide different access levels but a common user ID, and sometimes only a password component; for example, the “operator” user ID will be used by different operators in different shifts. This might lead to non-compliance with regard to Part 11 in terms of not maintaining unique user IDs and password sharing. At the same time, providing different user IDs in PLC / SCADA based systems will result in an increase in project cost / complexity in maintaining user IDs, and some small systems do not have the provision itself. I'm looking for some recommendations to manage user accounts in this scenario.
This seems to be a common problem with access to SCADA and PLC based equipment.
From previous experience only operators that are trained on the use of the PLC/SCADA are given the user_id for access and this is documented as part of the training. It is documented that only those operators with the correct training can use the user_id and are by no means allowed to give the user_id to anyone else.
To prevent unauthorized users even further the user_id was changed periodically to ensure further security.
This is by no means a wonderful solution until SCADAs and PLCs have a higher degree of security, but if you document exactly how you manage your security I don't think any auditor could question this approach too much.
I would be interested to hear other opinions on this.
You can’t lump PLC and SCADA together… Two completely different animals. SCADA must and shall have unique user names and passwords. Cost and complexity is no reason to not comply with regulations.
PLCs do not have the ability to have unique user names and passwords (except for some GE Fanuc PLCs). Nor can a normal user access a PLC. Physical security is one route; you have to physically plug into a PLC to access it. Of course, you could have networked the PLC on a manufacturing LAN. In that case you may be able to control who can access the tool that talks to the PLC. For the most part, PLCs must be controlled via change control and typically do not fall under Part 11.