Compatibility Notice M241_M251

CompatibilityNotice_M241_M251
05/2021

www.se.com
Legal Information
The Schneider Electric brand and any trademarks of Schneider Electric SE and its
subsidiaries referred to in this guide are the property of Schneider Electric SE or its
subsidiaries. All other brands may be trademarks of their respective owners.
This guide and its content are protected under applicable copyright laws and
furnished for informational use only. No part of this guide may be reproduced or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), for any purpose, without the prior written permission of
Schneider Electric.
Schneider Electric does not grant any right or license for commercial use of the guide
or its content, except for a non-exclusive and personal license to consult it on an "as
is" basis. Schneider Electric products and equipment should be installed, operated,
serviced, and maintained only by qualified personnel.
As standards, specifications, and designs change from time to time, information
contained in this guide may be subject to change without notice.
To the extent permitted by applicable law, no responsibility or liability is assumed by
Schneider Electric and its subsidiaries for any errors or omissions in the informational
content of this material or consequences arising out of or resulting from the use of the
information contained herein.
© 2021 – Schneider Electric. All rights reserved.
Table of Contents
About the Book...........................................................................................5
Modicon M241 Logic Controller and Modicon M251 Logic Controller :
Hardware Version and Firmware Version Compatibilities ...............................5
User Rights Management - General Information............................................6
Resetting Device User Rights ......................................................................7
Deactivating Device User Rights................................................................10
Managing Device User Rights by Call Parameters ...................................... 11
Managing Device User Rights Using the Scripting API.................................12
Including User Rights While Cloning the SD Card .......................................13
Additional Information ...............................................................................13

CompatibilityNotice_M241_M251 3
Safety Information
Important Information
Read these instructions carefully, and look at the equipment to become familiar
with the device before trying to install, operate, service, or maintain it. The
following special messages may appear throughout this documentation or on the
equipment to warn of potential hazards or to call attention to information that
clarifies or simplifies a procedure.

The addition of this symbol to a “Danger” or “Warning” safety label indicates that an
electrical hazard exists which will result in personal injury if the instructions are not
followed.

This is the safety alert symbol. It is used to alert you to potential personal injury
hazards. Obey all safety messages that follow this symbol to avoid possible injury or
death.

! DANGER
DANGER indicates a hazardous situation which, if not avoided, will result in death or serious
injury.

! WARNING
WARNING indicates a hazardous situation which, if not avoided, could result in death or
serious injury.

! CAUTION
CAUTION indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.

NOTICE
NOTICE is used to address practices not related to physical injury.

Please Note
Electrical equipment should be installed, operated, serviced, and maintained only
by qualified personnel. No responsibility is assumed by Schneider Electric for any
consequences arising out of the use of this material.
A qualified person is one who has skills and knowledge related to the construction
and operation of electrical equipment and its installation, and has received safety
training to recognize and avoid the hazards involved.

4 CompatibilityNotice_M241_M251
About the Book
Document Scope
This document describes the cybersecurity best practices in the context of user
rights management.

Validity Note
This document has been updated for the release of EcoStruxureTM Machine
Expert V1.2.

Modicon M241 Logic Controller and Modicon M251 Logic

Controller

Hardware Version and Firmware Version Compatibilities

Overview

Modicon M241 Logic Controller and Modicon M251 Logic Controller are produced
with a new hardware revision. They are compatible with the firmware versions
V4.0.6.41 or greater.
M251 TM251MESE

RUN

STOP

Ethernet 2
MAC@ 00-80-F4-A1-3B-67

MAC@ 00-80-F4-3C-G9-6M

Use the table below to identify your hardware version:

References Previous Product Version New Product Version

TM241••R 8 9
TM241••T/U 6 7
TM251MES••• 5 6

NOTE: If a firmware downgrading occurs, flash a firmware version (V4.0.6.41

or greater) with an SD card to recover the logic controller.

Notes for SoMachine Users

• Firmware version V4.0.6.41 is available for download on the Schneider
Electric home page www.se.com
• Firmware version V4.0.6.41 is compatible with any application built with
SoMachine (V4.x)

CompatibilityNotice_M241_M251 5
 • Firmware version V4.0.6.41 is compatible with all hardware versions

User Rights Management - General Information

Overview
In order to meet constantly evolving cybersecurity requirements, with EcoStruxure
Machine Expert V1.2 the user rights management is by default activated for
Schneider Electric M241, M251, M262, PacDrive LMC Eco, PacDrive LMC Pro/
Pro2 controllers. This has the effect that every Schneider Electric controller
equipped with the latest EcoStruxure Machine Expert V1.2 firmware prompts you
for user credentials whenever you attempt to gain access.
NOTE: The new user rights management does not apply for HMISCU
controllers.
For general information regarding device user management, refer to the
Programming Guide online help, section Software > Programming >
Programming Guide > Configuration > Common Device Editor Dialogs >
Device Configuration > Users and Groups > Users and Groups Management.

First Login to Schneider Electric Controller with User Rights Management Activated
Using Default Credentials
As user management is activated by default in the controllers, use the following
default credentials for first login and modify them immediately.

Step Action

1 At first login to a Schneider Electric controller, enter the default user credentials:
• User name: Administrator
• Password: Administrator
Result: You are requested to change the default password.

2 Enter your individual Password.

3 Re-enter your individual Password.

4 Click OK to confirm.

Result: Access to your controller is now protected by these new credentials. They are
assigned the highest user rights level and allow you to manage access rights for users
or user groups.

NOTE: For future login, the new Password will be required.

Controller Locked After Entering Incorrect Credentials

If you enter incorrect credentials for three times, the controller will be locked for 60
seconds. After this time, retry to connect by entering the correct credentials.

Logoff Procedure
After successful login to the controller, you can perform further online actions on
the controller with EcoStruxure Machine Expert. As long as your project remains
open, you will not be prompted to enter your credentials again.
In order to log off the present user from the controller, execute the command
Online > Security > Logoff current device user.
After that you will be prompted for your credentials when you attempt to perform
another online command on the controller.

6 CompatibilityNotice_M241_M251
Firewall Settings
Most of the communication services like FTP or OPC UA access the controller by
using the settings of the user rights management. Therefore, make sure that the
firewall settings on the controller allow the services to access the controller file
system.

Controller - HMI Communication with User Rights Management Activated

With user rights management activated in the controllers, the connection between
an HMI programmed with Vijeo-Designer and the controller will not be established.
The following solutions are available to solve this issue:
• In Vijeo-Designer, open the Network Equipment Settings dialog box of the
I/O Manager
and enter the Username and the Password to access the controller.
• Reset the device user rights of the controller, page 7.

Resetting Device User Rights

Overview
You can reset the device user rights to the default settings by using different
software tools. Your individual credentials are required for this procedure. For
further information on the default settings, refer to the First Login to Schneider
Electric Controller with User Rights Management Activated Using Default
Credentials paragraph, page 6.

Reset via EcoStruxure Machine Expert Logic Builder

For PacDrive LMC Eco and PacDrive LMC Pro/Pro2 controllers, you can reset the
device user rights using the Reset user rights management to default
command that is available at two different locations:
Online > Security > Reset user rights management to default menu:

Contextual menu of the controller, Security > Reset user rights management to
default command:

CompatibilityNotice_M241_M251 7
 CAUTION
NO ACCESS VIA FTP, HTTP, OPC-UA
When you reset the user rights management to the default values, access to
FTP, HTTP and OPC-UA servers is denied until you set your individual user
name and password.
Failure to follow these instructions can result in injury or equipment
damage.

Confirm the message with OK.

Reset via Controller Webserver

The Modicon M241 Logic Controller, Modicon M251 Logic Controller, and the
Modicon M262 Logic/Motion Controller support the reset of device user rights
management via the embedded webserver: MAINTENANCE > USER
MANAGEMENT > USER ACCOUNTS MANAGEMENT > RESET TO DEFAULT
Consult the Programming Guide specific to your controller in the EcoStruxure
Machine Expert online help for further information:
• Modicon M241 Logic Controller
Machine Expert > V1.2 > Controllers > M241 Logic Controllers > M241 Logic
Controller - Programming Guide > Ethernet Configuration > Ethernet Services
> Web Server
• Modicon M251 Logic Controller
Machine Expert > V1.2 > Controllers > M251 Logic Controllers > M251 Logic
Controller - Programming Guide > Ethernet Configuration > Ethernet Services
> Web Server
• Modicon M262 Logic/Motion Controller
Machine Expert > V1.2 > Controllers > M262 Logic/Motion Controllers >
M262 Logic/Motion Controller - Programming Guide > Ethernet Configuration
> Ethernet Services > Web Server

Reset via Controller Assistant

With EcoStruxure Machine Expert V1.2, the service tool Controller Assistant
supports user rights management of PacDrive LMC Eco and PacDrive LMC Pro/
Pro2 controllers.
By attempting to write an image to the controller in online mode or to the SD card
or flash disk, you will be prompted to decide how to handle user rights in the
controller:

8 CompatibilityNotice_M241_M251
 The following options are available:
• Keep existing user rights management on the controller
Activate this option to keep the existing user rights management as it is. This
applies even if the user rights management is disabled.
NOTE: If you attempt to write an EcoStruxure Machine Expert V1.2 or
later firmware to a controller without user rights defined, the user rights
management in the controller will be set to the default settings.
• Overwrite existing user rights management on the controller by the one
on the current image
The user rights management in the controller will be overwritten by the user
rights management that is defined in the image you attempt to write.
NOTE: If you attempt to write an EcoStruxure Machine Expert V1.2 or
later firmware and if there is no user rights management defined in the
image, the user rights management in the controller will be set to the
default settings.
• Reset the user rights management on the controller to default (factory
settings)
The user rights management in the controller will be set to the default
settings.
By default, the user rights management existing in the controller are preserved
when writing to the controller in online mode.

Reset Without Credentials

If you have lost the credentials, you can reset the user rights management of the
controller by using the service tool Controller Assistant to write the image to the
SD card or flash disk.
From the message prompting you to decide how to handle user rights in the
controller, select the option Reset the user rights management on the
controller to default (factory settings). If this option is not available, you can
create a new firmware from scratch that comes with the default settings. Then you
can restart the controller directly from this SD card or flash disk.
The Modicon M241 Logic Controller, Modicon M251 Logic Controller, and the
Modicon M262 Logic/Motion Controller also allow you to modify a script.cmd file
on the SD card to reset the user rights management. Consult the Programming
Guide specific to your controller for further information.

CompatibilityNotice_M241_M251 9
Deactivating Device User Rights
Overview
In order to help prevent unauthorized access to your controller, keep the device
user rights management function activated. If you ensure that your machine or
process is not accessible to unauthorized personnel, you can deactivate the
function as described in this chapter. Your individual credentials are required for
this procedure.

Deactivating via EcoStruxure Machine Expert Logic Builder

For PacDrive LMC Eco and PacDrive LMC Pro/Pro2 controllers, you can
deactivate the device user rights management using the Disable user rights
management on device command that is available at two different locations:
• Online > Security > Disable user rights management on device menu
• Contextual menu of the controller, Security > Disable user rights
management on device command

WARNING
UNAUTHENTICATED ACCESS AND MACHINE OPERATION
Do not disable user rights management if your machine or process is accessible
to unauthorized personnel either directly or via a network.
Failure to follow these instructions can result in death, serious injury, or
equipment damage.

Confirm the two confirmation messages with OK if you are sure to deactivate the
device user rights.

Result: Access the controller is now available without credentials.

Deactivating via Controller Webserver

The Modicon M241 Logic Controller, Modicon M251 Logic Controller, and the
Modicon M262 Logic/Motion Controller allow you to deactivate the device user
rights management via the embedded webserver: MAINTENANCE > USER
MANAGEMENT > USER ACCOUNTS MANAGEMENT > DEACTIVATE

10 CompatibilityNotice_M241_M251
 Consult the Programming Guide specific to your controller in the EcoStruxure
Machine Expert online help for further information:
• Modicon M241 Logic Controller
Machine Expert > V1.2 > Controllers > M241 Logic Controllers > M241 Logic
Controller - Programming Guide > Ethernet Configuration > Ethernet Services
> Web Server
• Modicon M251 Logic Controller
Machine Expert > V1.2 > Controllers > M251 Logic Controllers > M251 Logic
Controller - Programming Guide > Ethernet Configuration > Ethernet Services
> Web Server
• Modicon M262 Logic/Motion Controller
Machine Expert > V1.2 > Controllers > M262 Logic/Motion Controllers >
M262 Logic/Motion Controller - Programming Guide > Ethernet Configuration
> Ethernet Services > Web Server

Deactivating User Rights for the Simulation Device in EcoStruxure Machine Expert
Logic Builder
The simulation device in EcoStruxure Machine Expert Logic Builder has own user
rights that can differ from those that are defined in the real controller.
NOTE: To help avoid account lockout (deadlocking), first disconnect
EcoStruxure Machine Expert Logic Builder from the controller and make sure
no other client, for example, an HMI, automatically attempts to connect using
the previous user rights configuration.
In order to deactivate user rights in the simulation device, proceed as follows:

Step Action

1 Close all instances of EcoStruxure Machine Expert Logic Builder.

2 Close all instances of Vijeo-Designer.

3 Remove the folder c:\ProgramData\CODESYS\Simulation.

Result: The simulation device is reset to the default settings.

Managing Device User Rights by Call Parameters

Overview
The service tools Controller Assistant and Diagnostics provide command line
arguments that are used to connect to a controller with the required credentials.
For detailed information, refer to the Controller Assistant - User Guide and the
Diagnostics - User Guide in the EcoStruxure Machine Expert online help.
The following arguments are available:
• -username <Username>
• -password <Password>
• -renewalpassword <RenewalPassword>

Examples
ControllerAssistant.exe -username Administrator -password
Administrator -renewalpassword MyNewPassword
-getcontrollerinfo etcp4://192.168.3.40
Diagnostics.exe -username Administrator -password MyPassword
-save ip etcp4://192.168.3.40 c:\Temp\MyDiagnosticsFile.pdi

CompatibilityNotice_M241_M251 11
-renewalpassword Argument
The argument -renewalpassword is used when a new password needs to be
inserted. This is typically the case when the first login to a controller is performed
and the default credentials (user name = Administrator and password =
Administrator) are required.
The argument -renewalpassword cannot be used to change the password.

Starting Controller Assistant

Controller Assistant can also be started with graphical user interface using the
command line arguments. In this case, you are not prompted to enter the
credentials. They are retrieved from the values of the arguments.

Managing Device User Rights Using the Scripting API

Scripting for Using Online Services
EcoStruxure Machine Expert provides access to many of its online services via
the scripting API. In order to establish a connection or to use an online service at a
later time, valid credentials must be stored in the system.

Providing Specific Credentials for Online Services

You can store credentials via online device or online application in case of multi-
controller projects. If there are specific credentials provided for the connection,
they will be used by the system.
Example:
# create an "online device" to use online services
root_device = projects.primary.find("LMC_PacDrive", False)
[0]
online_device = online.create_online_device(root_device)

# store credentials specific to this "online device"

online.set_specific_credentials(online_device, "my_user",
"my_password")

# use of any online service

online_device.connect()

Providing Default Credentials for Online Services

If no specific credentials are provided for the connection, the system uses the
default credentials.
Example:
# create an "online device" to use online services
root_device = projects.primary.find("LMC_PacDrive", False)
[0]
online_device = online.create_online_device(root_device)

# store default credentials

online.set_default_credentials("my_user", "my_password")

# use of any online service

online_device.connect()

Scripting for Enforced Password Renewal

The following scenarios require the password to be changed by the user after
authentication:

12 CompatibilityNotice_M241_M251
 • First login to a new controller.
• First connection after the user rights management has been reset to default.
• A password renewal is enforced for a specific user by an administrator of the
device.
EcoStruxure Machine Expert V1.2 does not support the renewal of passwords
using the scripting API. Perform this by using the service tool Controller Assistant.
You can call the latest version of Controller Assistant from command line as
indicated in the following example:
"c:\Program Files (x86)\Schneider Electric
\EcoStruxureMachine Expert\Tools\ControllerAssistant
\ControllerAssistant.exe" -username Administrator -password
Administrator -renewalpassword MyNewPassword
-getcontrollerinfo etcp4://192.168.3.50

Including User Rights While Cloning the SD Card

Overview
The Modicon M241 Logic Controller, Modicon M251 Logic Controller, and the
Modicon M262 Logic/Motion Controller provide a clone function that allows you to
write the image of the controller to an SD card. By default, the user rights
management is not written to the SD card with the image. If supported by your
controller, you can activate the user rights management for the clone procedure in
the Clone management on the webserver of the controller. Consult the
Programming Guide specific to your controller for further information.

Additional Information
Cybersecurity Best Practices
Schneider Electric has incorporated cybersecurity best practices and solutions in
our products.
NOTE: To help keep your Schneider Electric products secure and protected, it
is in your best interest that you implement the cybersecurity best practices as
indicated in the Cybersecurity Best Practices document provided on the
Schneider Electric website.

CompatibilityNotice_M241_M251 13
Schneider Electric
35 rue Joseph Monier
92500 Rueil Malmaison
France
+ 33 (0) 1 41 29 70 00
www.se.com

As standards, specifications, and design change from time to time,

please ask for confirmation of the information given in this publication.

© 2021 – Schneider Electric. All rights reserved.

CompatibilityNotice_M241_M251