How to Use Data Logger Security Codes

by Janet Albers | Updated: 06/28/2017 | Comments: 4

Blog Topics


Search the Blog


Subscribe to the Blog

Get an email when a new article is posted. Choose the topics that interest you most.


Enter your email address:



Suggest an Article

Is there a topic you would like to learn more about? Let us know.

Leave this field empty

Datalogger with padlock

Security codes are the oldest method of securing a data logger. They can effectively prevent innocent tinkering and discourage wannabe hackers—actions that could potentially wreak havoc on the integrity of your data. In this article, I’ll discuss the different security codes and how to use them to secure your data and settings.

Up to three levels of data logger security can be set. For a CR1000 or newer data logger, valid security codes are 1 through 65535. (0 is no security.) We recommend that you use a unique code for each of the three levels.

Using a bank as an analogy, level 3 is the front door to the bank; if it is locked, nobody gets in without a key. Level 2 is the reception area where you can access some information but not all. Level 1 is the vault; with the correct combination to the vault, you have access to everything.

Three levels of datalogger security

Level 1 (the vault) must be set before level 2 (the reception area) can be set, and level 2 must be set before level 3 (the front door) can be set. If a level is set to 0, any level greater than it will also be set to 0. For example, if level 2 is 0, level 3 is also 0.

The security levels are unlocked in reverse order: level 3 before level 2 before level 1. When a level is unlocked, any level greater than it will also be unlocked. For example, unlocking level 1 (entering the level 1 Security Code or vault’s combination) also unlocks levels 2 and 3, giving you access to all data logger settings and functions.

To set the security codes for your data loggers, we recommend that you use the Device Configuration Utility. Communication settings, such as the PakBus address, are accessed through the Settings Editor. Setting a level 1 Security Code will restrict others from making changes to these network settings. Setting a level 2 Security Code means that only those with the security code for level 2 can make changes to a data logger clock. The following table highlights how setting the different levels affects your ability to make changes or access information:

Function When level 1 is set When level 2 is set When level 3 is set

CR1000 Program

Cannot change or retrieve the program.

All communications are prohibited.

Settings Editor and Status Table

Writable variables cannot be changed.

Setting Clock

Unrestricted

Cannot change or set the clock.

Public Table

Unrestricted

Writeable variables cannot be changed.

Collecting Data

Unrestricted

Unrestricted

In this image, all three levels are set:

All three security codes are set

After a data logger has security enabled, you can give trusted individuals varying levels of access. The network administrator (or the person responsible for updating data logger programs and communications) should have the highest level of access, or Security Code 1. In contrast, someone who only needs to collect data can have Security Code 3.

To store your security code in your data logger support software, follow these steps:

  1. Go to the Setup Screen.
  2. In the EZSetup Wizard, go to Datalogger Settings and click the Next button.
  3. Enter your Security Code, and click the Finish button.

In the image below, the Security Code for level 3 is entered; data collection is unrestricted but changes to the clock and other settings are blocked:

Security Code 3 is entered

Data logger security codes are one way to keep control over who can make changes to important data logger settings. It is a good hardware management practice to give people access only to what they need, not more. If you have any questions or comments about setting your levels of security, post them below.


Share This Article



About the Author

janet albers Janet Albers was a Senior Technical Writer. She enjoyed sharing tips, simplifying concepts, and guiding our clients to a successful project. She had been with Campbell Scientific, Inc. longer than the CR1000, but not quite as long as the CR10X. After work hours, Janet enjoyed the outdoors with her boys and dogs.

View all articles by this author.


Comments

Rene.Astudillo | 06/14/2021 at 06:35 AM

Hello Janet,

I am looking for some guide for configuring a CR6 datalogger ussing TLS 2.1 for communicating with a DNP3 server.

In our case, the DNP3 is under a firewall and communication is on a VPN.

The CR6 has the options for working using TLS, and
specifically, the PEM file.

At this point, some question cam to my mind, for example:

In this case, the CA certificate, who generates it and who does the negotiation, the DNP3 Server?.

By the other hands, if the DNP3 Server is not in charge for negotiating the CA certificate, who is?, the VPN server ?

We try to connect whith this DNP3 server using a CR1000 and it was not possible, I think CR1000 does not support TLS on the DNP3 functions in the CRBasic.

Have you got some guide I can use?

Thanks so much for any help you can give me.

Best regards,

René

rene.astudillo@neyenmapu.cl

rene.astudillo.bgl@gmail.com

+56 9 7958 8215

Nathanael | 06/14/2021 at 12:03 PM

The CA generates and signs the certificate that the server you are communicating with uses. That certificate and its associated key(s) are attached to your server. The server (the DNP3 server) is the one that you actually make the secure connection with. The datalogger and DNP server exchange keys, run some math, and connect with each other. The CR1000 is too slow to calculate the math for a TLS certificate in a reasonable amount of time (before the timeout when the server stops listening) to make a TLS connection. For that reason it is only supported on newer loggers like the CR6, CR1000X, and I think also the CR300 series. Does that answer your questions?

M.Hasban | 03/20/2023 at 06:57 PM

Using advanced weather stations, I'm working on a project. Sensors and a datalogger are from Campbell Scientific.
Data Logger is fully password protected at all three levels. We only have the one password by using it we are only able to view data with PC200W and Loggernet softwares by Campbell Scientific.
My question is whether we can fetch the data using any data acquisitionsystem with the level three password and whether we can send data to a cloud platform.

Nathanael | 03/21/2023 at 05:46 PM

@M.Hasban

The security password will allow you to get into the datalogger via the pakbus protocol using Dev Config, LoggerNet, and other Campbell Scientific applications. If you wanted to pull data using other data aquisition platforms most won't support Pakbus. You can program the datalogger to send data out via FTP, HTTP, Modbus and other protocols. Maybe if we have some more information about what protocols and systems you are hoping to interface with I can answer your questions better. I see you've got an open case about this in the system with one of our Support Engineers. I'll send you an email and include him with it as well.

Please log in or register to comment.