How to Use Data Logger Security Codes
by Janet Albers | Updated: 06/28/2017 | Comments: 2
Blog Topics
Area / Application
Product Category
Corporate / News
Search the Blog
Subscribe to the Blog
Set up your preferences for receiving email notifications when new blog articles are posted that match your areas of interest.
Suggest an Article
Is there a topic you would like to learn more about? Let us know. Please be as specific as possible.
Security codes are the oldest method of securing a data logger. They can effectively prevent innocent tinkering and discourage wannabe hackers—actions that could potentially wreak havoc on the integrity of your data. In this article, I’ll discuss the different security codes and how to use them to secure your data and settings.
Up to three levels of data logger security can be set. For a CR1000 or newer data logger, valid security codes are 1 through 65535. (0 is no security.) We recommend that you use a unique code for each of the three levels.
Using a bank as an analogy, level 3 is the front door to the bank; if it is locked, nobody gets in without a key. Level 2 is the reception area where you can access some information but not all. Level 1 is the vault; with the correct combination to the vault, you have access to everything.
Level 1 (the vault) must be set before level 2 (the reception area) can be set, and level 2 must be set before level 3 (the front door) can be set. If a level is set to 0, any level greater than it will also be set to 0. For example, if level 2 is 0, level 3 is also 0.
The security levels are unlocked in reverse order: level 3 before level 2 before level 1. When a level is unlocked, any level greater than it will also be unlocked. For example, unlocking level 1 (entering the level 1 Security Code or vault’s combination) also unlocks levels 2 and 3, giving you access to all data logger settings and functions.
To set the security codes for your data loggers, we recommend that you use the Device Configuration Utility. Communication settings, such as the PakBus address, are accessed through the Settings Editor. Setting a level 1 Security Code will restrict others from making changes to these network settings. Setting a level 2 Security Code means that only those with the security code for level 2 can make changes to a data logger clock. The following table highlights how setting the different levels affects your ability to make changes or access information:
| Function | When level 1 is set | When level 2 is set | When level 3 is set |
|
CR1000 Program |
Cannot change or retrieve the program. |
All communications are prohibited. |
|
|
Settings Editor and Status Table |
Writable variables cannot be changed. |
||
|
Setting Clock |
Unrestricted |
Cannot change or set the clock. |
|
|
Public Table |
Unrestricted |
Writeable variables cannot be changed. |
|
|
Collecting Data |
Unrestricted |
Unrestricted |
|
In this image, all three levels are set:
After a data logger has security enabled, you can give trusted individuals varying levels of access. The network administrator (or the person responsible for updating data logger programs and communications) should have the highest level of access, or Security Code 1. In contrast, someone who only needs to collect data can have Security Code 3.
To store your security code in your data logger support software, follow these steps:
- Go to the Setup Screen.
- In the EZSetup Wizard, go to Datalogger Settings and click the Next button.
- Enter your Security Code, and click the Finish button.
In the image below, the Security Code for level 3 is entered; data collection is unrestricted but changes to the clock and other settings are blocked:
Data logger security codes are one way to keep control over who can make changes to important data logger settings. It is a good hardware management practice to give people access only to what they need, not more. If you have any questions or comments about setting your levels of security, post them below.
About the Author
Janet Albers is a Senior Technical Writer. She'll share tips, simplify concepts, and guide you to a successful project. She's been at Campbell Scientific, Inc. longer than the CR1000, but not quite as long as the CR10X. After work hours, Janet enjoys the outdoors with her boys and dogs.
Comments
Rene.Astudillo | 06/14/2021 at 06:35 AM
Hello Janet,
I am looking for some guide for configuring a CR6 datalogger ussing TLS 2.1 for communicating with a DNP3 server.
In our case, the DNP3 is under a firewall and communication is on a VPN.
The CR6 has the options for working using TLS, and
specifically, the PEM file.
At this point, some question cam to my mind, for example:
In this case, the CA certificate, who generates it and who does the negotiation, the DNP3 Server?.
By the other hands, if the DNP3 Server is not in charge for negotiating the CA certificate, who is?, the VPN server ?
We try to connect whith this DNP3 server using a CR1000 and it was not possible, I think CR1000 does not support TLS on the DNP3 functions in the CRBasic.
Have you got some guide I can use?
Thanks so much for any help you can give me.
Best regards,
René
rene.astudillo@neyenmapu.cl
rene.astudillo.bgl@gmail.com
+56 9 7958 8215
Nathanael | 06/14/2021 at 12:03 PM
The CA generates and signs the certificate that the server you are communicating with uses. That certificate and its associated key(s) are attached to your server. The server (the DNP3 server) is the one that you actually make the secure connection with. The datalogger and DNP server exchange keys, run some math, and connect with each other. The CR1000 is too slow to calculate the math for a TLS certificate in a reasonable amount of time (before the timeout when the server stops listening) to make a TLS connection. For that reason it is only supported on newer loggers like the CR6, CR1000X, and I think also the CR300 series. Does that answer your questions?
Please log in or register to comment.