background image

Name

Values (Range)

Unit

Step

Default

Description

ExtLogSrv5IP

0 - 18

IP

Address

1

127.0.0.1

External log server 5 IP-address

ExtLogSrv6Type

Off

SYSLOG UDP/IP

SYSLOG TCP/IP

CEF TCP/IP

-

-

Off

External log server 6 type

ExtLogSrv6Port

1 - 65535

-

1

514

External log server 6 port number

ExtLogSrv6IP

0 - 18

IP

Address

1

127.0.0.1

External log server 6 IP-address

5.2 

Generic security application AGSAL

GUID-D0CE0102-C651-4914-8FBF-854151D7E360 v1

As a logical node AGSAL is used for monitoring security violation regarding
authorization, access control and inactive association including authorization
failure. Therefore, all the information in AGSAL can be configured to report to
61850 client.

5.3 

Security alarm SECALARM

GUID-205B0024-DA06-4369-8707-5E1D2D035995 v1

The function creates and distributes security events for mapping the security events
on protocols such as DNP3.

It is possible to map respective protocol to the signals of interest and configure
them for monitoring with the Communication Management tool (CMT) in
PCM600. No events are mapped by default.

Parameter names:

EVENTID: Event ID of the generated security event

SEQNUMBER: Sequence number of the generated security event

SECALARM

EVENTID

SEQNUMBER

IEC13000006-1-en.vsd

IEC13000006 V1 EN-US

Figure 21:

Function block, Security alarm SECALARM

PID-3430-SETTINGS v1

Table 7:

SECALARM Non group settings (basic)

Name

Values (Range)

Unit

Step

Default

Description

Operation

Off

On

-

-

On

Operation On/Off

Section 5

1MRK 511 454-UEN A

User activity logging

32

GMS600 1.3

Cyber security deployment guideline

Summary of Contents for GMS600

Page 1: ... RELION 650 SERIES GMS600 Version 1 3 Cyber security deployment guideline ...

Page 2: ......

Page 3: ...Document ID 1MRK 511 454 UEN Issued November 2017 Revision A Product version 1 3 Copyright 2017 ABB All rights reserved ...

Page 4: ...SL Project for use in the OpenSSL Toolkit http www openssl org This product includes cryptographic software written developed by Eric Young eay cryptsoft com and Tim Hudson tjh cryptsoft com Trademarks ABB and Relion are registered trademarks of the ABB Group All other brand or product names mentioned in this document may be trademarks or registered trademarks of their respective holders Warranty ...

Page 5: ...product failure would create a risk for harm to property or persons including but not limited to personal injuries or death shall be the sole responsibility of the person or entity applying the equipment and those so responsible are hereby requested to ensure that all measures are taken to exclude or mitigate such risks This document has been carefully checked by ABB but deviations cannot be compl...

Page 6: ...erning electrical equipment for use within specified voltage limits Low voltage directive 2006 95 EC This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255 26 for the EMC directive and with the product standards EN 60255 1 and EN 60255 27 for the low voltage directive The product is designed in accordance with the international standa...

Page 7: ...agement 17 Starting IED user management 18 General settings 18 User profile management 19 Adding new users 19 Adding users to new user roles 22 Deleting existing users 23 Changing password 25 User role management 26 Adding new users to user roles 27 Deleting existing User from user roles 27 Reusing user accounts 27 Writing user management settings to the IED 28 Reading user management settings fro...

Page 8: ...39 Saving settings 39 Recovering password 40 Section 7 WebHMI Use 43 Logging on 43 Changing Settings 44 Logging Off 45 Section 8 IEEE Compliance statement 47 IEEE1686 compliance 47 Section 9 Glossary 51 Table of contents 2 GMS600 1 3 Cyber security deployment guideline ...

Page 9: ...yber Security Deployment Guidelines describes password procedures and levels of access in the system 1 2 Document revision history GUID 52A4699C F83B 48F8 BF4E D853043AB731 v5 1 2 Document revision date History A November 2017 First release 1MRK 511 454 UEN A Section 1 Introduction GMS600 1 3 3 Cyber security deployment guideline ...

Page 10: ...4 ...

Page 11: ...rcial technologies in particular Ethernet and TCP IP based communication protocols They also enable connectivity to external networks such as office intranet systems and the Internet These changes in technology including the adoption of open IT standards have brought huge benefits from an operational perspective but they have also introduced cyber security concerns previously known only to office ...

Page 12: ...0189 2 en vsd IEC12000189 V2 EN US Figure 1 System architecture for substation automation system Section 2 1MRK 511 454 UEN A Security in Substation Automation 6 GMS600 1 3 Cyber security deployment guideline ...

Page 13: ... The ports are listed in ascending order The column Default state defines whether a port is open or closed by default All ports that are closed can be opened as described in the comment column in the table Front and Rear refer to the physical front and rear port The protocol availability on these ports is configurable ABB recommends using common security measures like firewalls up to date anti vir...

Page 14: ...t UDP port 67 between the IED and a computer is fixed and cannot be changed The IP port used for IEC 61850 default TCP port 102 is fixed and cannot be changed The IP ports used for DNP3 are configurable The communication protocol DNP3 could operate on UDP default port 20 000 or TCP default port 20 000 It is defined in the configuration which type of Ethernet communication is used Only one type is ...

Page 15: ...C12000171 1 en vsd IEC12000171 V1 EN US Figure 3 Ethernet port LAN1 rear view COM05 IEC13000021 1 en vsd IEC13000021 V1 EN US Figure 4 Ethernet ports LAN1A LAN1B rear view COM03 3 3 FTP access with TLS FTPACCS GUID 9E64EA68 6FA9 4576 B5E9 92E3CC6AA7FD v3 The FTP Client defaults to the best possible security mode when trying to negotiate with TLS 1MRK 511 454 UEN A Section 3 Secure system setup GMS...

Page 16: ...256 is stored in the IED These are not accessible from outside via any ports 3 5 Denial of service GUID EECFB0DB AE52 4C7D A02A EE0503616FDF v1 1 1 The denial of service function is designed to limit the CPU load that can be produced by the Ethernet network traffic on the IED The communication facilities must not be allowed to compromise the primary functionality of the device All inbound network ...

Page 17: ...se encryption to provide secure communication over the network The certificate is always trusted during communication between the IED and PCM600 If Windows is configured to use UAC High the certificate has to be manually trusted in a dialog box 1MRK 511 454 UEN A Section 3 Secure system setup GMS600 1 3 11 Cyber security deployment guideline ...

Page 18: ...12 ...

Page 19: ...ng out disturbances with third party FTP client or can be used to login using WebHMI full rights to change settings download disturbances clear alarm Table 3 Predefined user roles User roles Role explanation User rights VIEWER Viewer Can read parameters and browse the menus from LHMI OPERATOR Operator Can read parameters and browse the menus as well as perform control actions ENGINEER Engineer Can...

Page 20: ...ing particular data to the IED from PCM600 For more information about setting user access rights see the PCM600 documentation The meaning of the legends used in the table X Full access rights R Only reading rights No access rights Table 4 Predefined user roles Access rights VIEWER OPERATOR ENGINEER INSTALLER SECADM SECAUD RBACMNT Config Basic X X Config Advanced X X FileTransfer Tools X X UserAdmi...

Page 21: ...n e g Clear disturbance record FileTransfer Limited FileTransfer Limited is used for access to disturbance files e g through FTP DB Access normal Database access for normal user This is needed for all users that access data from PCM Audit log read Audit log read allows reading the audit log from the IED Setting Change Setting Group Setting Change Setting Group is separated to be able to include th...

Page 22: ... Users tool in PCM600 There are several options for forcing the password safer Minimum length of password 1 12 Require lowercase letters a z Require uppercase letters A Z Require numeric letters 0 9 Require special characters Password expiry time default 90 days To achieve IEEE 1686 conformity a password with a minimum length of 8 characters must be used and the square Enforce Password Policies sh...

Page 23: ...ata can be retrieved from an IED or data can be written to an IED if permitted The data from an IED can be saved to the project database Always use Read User Management Settings from IED before making any changes when managing user profiles If this is not done password changes made by users may be lost Nothing is changed in the IED until a writing to IED operation is performed 1MRK 511 454 UEN A S...

Page 24: ...eries this means reverting back to the factory delivered users Performing this operation does not remove the users in the IED Nothing is changed in the IED until a writing to IED operation is performed This is not the same action as Revert to IED defaults in the recovery menu The previous administrator user ID and password have to be given so that the writing toward the IED can be done Editing can...

Page 25: ... and different user group members can be edited A user profile must always belong to at least one user group IEC12000199 1 en vsd IEC12000199 V1 EN US Figure 8 Create new user 4 4 3 1 Adding new users GUID 85D09A73 7E14 4BD6 96E5 0959BF4326C0 v2 1 1 1 Click in the Users tab to open the wizard 1MRK 511 454 UEN A Section 4 Managing user roles and user accounts GMS600 1 3 19 Cyber security deployment...

Page 26: ... in the wizard to define a user name password and user group Select at least one user group where the defined user belongs The user profile can be seen in the User details field Section 4 1MRK 511 454 UEN A Managing user roles and user accounts 20 GMS600 1 3 Cyber security deployment guideline ...

Page 27: ...s 3 Select the user from the user list and type a new name or description in the Description full name field to change the name or description of the user 1MRK 511 454 UEN A Section 4 Managing user roles and user accounts GMS600 1 3 21 Cyber security deployment guideline ...

Page 28: ...2 AC6B C0051FD21D05 v2 1 1 1 Select the user from the Users list 2 Select the new role from the Select a role list 3 Click Information about the roles to which the user belongs to can be seen in the User details area Section 4 1MRK 511 454 UEN A Managing user roles and user accounts 22 GMS600 1 3 Cyber security deployment guideline ...

Page 29: ...12 Adding user 4 4 3 3 Deleting existing users GUID 472BF39B DDAC 4D88 9B74 E6C49D054524 v2 1 1 1 Select the user from the Users list 1MRK 511 454 UEN A Section 4 Managing user roles and user accounts GMS600 1 3 23 Cyber security deployment guideline ...

Page 30: ...N US Figure 13 Select user to be deleted 2 Click IEC12000205 1 en vsd IEC12000205 V1 EN US Figure 14 Delete existing user Section 4 1MRK 511 454 UEN A Managing user roles and user accounts 24 GMS600 1 3 Cyber security deployment guideline ...

Page 31: ...ce and the new password twice in the required fields The passwords can be saved in the project database or sent directly to the IED No passwords are stored in clear text within the IED A hash representation of the passwords is stored in the IED and it is not accessible from outside via any ports 1MRK 511 454 UEN A Section 4 Managing user roles and user accounts GMS600 1 3 25 Cyber security deploym...

Page 32: ... v2 In the Roles tab the user roles can be modified The user s memberships to specific roles can be modified with a list of available user roles and users IEC12000208 1 en vsd IEC12000208 V1 EN US Figure 17 Editing users Section 4 1MRK 511 454 UEN A Managing user roles and user accounts 26 GMS600 1 3 Cyber security deployment guideline ...

Page 33: ...ick the user in the Users assigned list 2 Select Remove this Role from Selected Member IEC12000210 1 en vsd IEC12000210 V1 EN US Figure 18 Remove Role from User 4 4 4 3 Reusing user accounts GUID C28C87EC 7027 440C BB38 2C8EC14ECA40 v1 IED user account data can be exported from one IED and imported to another The data is stored in an encrypted file To export IED user account data from an IED 1 Cli...

Page 34: ...EC12000209 1 en vsd IEC12000209 V1 EN US Figure 19 Importing and exporting user account data 4 4 5 Writing user management settings to the IED GUID 2066776C 72CC 49CC B8D8 F2C320541A5E v2 1 1 Click the Write User Management Settings to IED button on the toolbar IEC12000211 1 en vsd IEC12000211 V1 EN US Figure 20 Write to IED The data is saved when writing to the IED starts Section 4 1MRK 511 454 U...

Page 35: ...IED button on the toolbar 4 4 7 Saving user management settings GUID AE198606 6E71 4C77 A4E1 02B79E4270B4 v2 Select File Save from the menu Click the Save toolbar button The save function is enabled only if the data has changed 1MRK 511 454 UEN A Section 4 Managing user roles and user accounts GMS600 1 3 29 Cyber security deployment guideline ...

Page 36: ...30 ...

Page 37: ...SYSLOG UDP IP SYSLOG TCP IP CEF TCP IP Off External log server 2 type ExtLogSrv2Port 1 65535 1 514 External log server 2 port number ExtLogSrv2IP 0 18 IP Address 1 127 0 0 1 External log server 2 IP address ExtLogSrv3Type Off SYSLOG UDP IP SYSLOG TCP IP CEF TCP IP Off External log server 3 type ExtLogSrv3Port 1 65535 1 514 External log server 3 port number ExtLogSrv3IP 0 18 IP Address 1 127 0 0 1 ...

Page 38: ...0 client 5 3 Security alarm SECALARM GUID 205B0024 DA06 4369 8707 5E1D2D035995 v1 The function creates and distributes security events for mapping the security events on protocols such as DNP3 It is possible to map respective protocol to the signals of interest and configure them for monitoring with the Communication Management tool CMT in PCM600 No events are mapped by default Parameter names EVE...

Page 39: ...ording to IEC 61850 Table 9 Event type codes Event number Acronyms GSAL mapping English 1110 LOGIN_OK GSAL Ina Login successful 1115 LOGIN_OK_PW_EXPIRED GSAL Ina Password expired login successful 1130 LOGIN_FAIL_WRONG_CR GSAL AuthFail Login failed Wrong credentials 1170 LOGIN_FAIL_3_TIMES GSAL AuthFail Login failed 3 times 1210 LOGOUT_USER GSAL Ina Logout user logged out 1220 LOGOUT_TIMEOUT GSAL I...

Page 40: ...user action 10020 MAINT_FORCED_MENU_OK Device successfully forced into maintenance menu due to new state 10030 MAINT_FTP_ACTIV_OK FTP server successfully activated from maintenance menu 10040 MAINT_UPDATE_ABORT_OK Firmware update procedure aborted successfully 10050 MAINT_RECOVERY_ENTER_OK Recovery menu entered successfully 10052 MAINT_RECOVERY_ENTER_FAIL Entering Recovery menu failed 10060 MAINT_...

Page 41: ... Failed to transfer configuration to the device 14300 READ_CONFIG_FAIL Failed to read configuration files from the device 14400 TRANSFER_FIRMW_FAIL Failed to transfer firmware to the device 14500 READ_FIRMW_FAIL Failed to read firmware files from the device 14520 TRANSFER_CERTS_FAIL Failed to transfer certificates to the device 14580 READ_CERTS_FAIL Failed to read certificates from the device 1MRK...

Page 42: ...36 ...

Page 43: ...easibility of using passwords In emergency situations the use of passwords could delay urgent actions When security issues must be met the two factors must be seriously considered The auxiliary power supply to the IED must not be switched off before changes such as passwords setting parameter or local remote control state changes are saved 6 1 Logging on GUID E0F937A9 78EC 4528 AB34 FD6EC79A7815 v...

Page 44: ...gon fails a message is displayed on the display IEC12000158 vsdx IEC12000158 V3 EN US Figure 24 Error message indicating an incorrect password The logon dialog appears if the attempted operation requires another level of user rights Once a user is created and written into the IED logon is possible with the password assigned in the tool If there is no user created an attempt to log on causes the di...

Page 45: ... flash memory remain in effect also after reboot 1 Press to confirm any changes 2 Press to move upwards in the menu tree or to enter the Main Menu 3 To save the changes in nonvolatile memory select Yes and press To exit without saving changes select No and press To cancel saving settings select Cancel and press Pressing Cancel in the Save changes dialog closes only the Save changes dialog box but ...

Page 46: ...nu is disabled there is no way to bypass authority if passwords are forgotten To be able to do field updating the maintenance menu have to be re enabled To enter this menu the IED must be rebooted and a specific key combination must be pressed on the LHMI during the IED boot sequence 1 Switch off the power supply to the IED and leave it off for one minute 2 Switch on the power supply to the IED an...

Page 47: ...s rights Write the user management settings to the IED The IED perform a reboot new settings are activated and the authority system is enabled again The Maintenance Menu is only available on the Local HMI The purpose of this menu is to have a way to recover in the field at different situations The recovery menu is also protected with a 4 digit PIN code fixed for all IEDs Avoid unnecessary restorin...

Page 48: ...t settings and restarts Restoring can take several minutes Confirmation of the restored factory IED default settings is shown on the display for a few seconds after which the IED restarts Section 6 1MRK 511 454 UEN A Local HMI use 42 GMS600 1 3 Cyber security deployment guideline ...

Page 49: ...nce IED uses self signed certificate the web page will ask the user to trust the certificate authority manually 1 Click on the Continue to this website IEC17000058 1 en vsdx IEC17000058 V1 EN US 2 Click on 3 Enter the username and password EC17000060 1 en vsdx IEC17000060 V1 EN US Upon successful authentication the application page will be displayed 1MRK 511 454 UEN A Section 7 WebHMI Use GMS600 1...

Page 50: ...eMode parameter under Main Menu Configuration HMI Webserver WEBSERVER 1 To edit the setting navigate to the Function under setting or configuration 1 Click on Enable Write button IEC17000153 1 en vsdx IEC17000153 V1 EN US All the writable settings will be Enabled for writing Section 7 1MRK 511 454 UEN A WebHMI Use 44 GMS600 1 3 Cyber security deployment guideline ...

Page 51: ...lick on Write to IED IEC17000155 1 en vsdx IEC17000155 V1 EN US 7 3 Logging Off GUID 08D3E3F3 033A 47D9 9028 D4833F2A5F70 v1 Click Logout on top right corner of the web page to logout 1MRK 511 454 UEN A Section 7 WebHMI Use GMS600 1 3 45 Cyber security deployment guideline ...

Page 52: ...46 ...

Page 53: ...imum enforced password length is configurable If password policy is enforced minimum is 6 Use of mix of lower and UPPERCASE characters is enforced configurable in password policies Use of numerical values is enforced configurable in password policies Use of non alphanumeric character e g is enforced configurable in password policies 5 1 5 IED access control Acknowledge 5 1 5 1 Authorization levels...

Page 54: ...ime and date Comply 5 2 3 c User identification Comply 5 2 3 d Event type Comply 5 2 4 Audit trail event types Acknowledge 5 2 4 a Login Comply 5 2 4 b Manual logout Comply 5 2 4 c Timed logout Comply 5 2 4 d Value forcing Comply 5 2 4 e Configuration access Exception 5 2 4 f Configuration change Comply 5 2 4 g Firmware change Comply 5 2 4 h ID password creation or modification Comply 5 2 4 i ID p...

Page 55: ...D cyber security features Acknowledge 5 4 1 IED functionality compromise Comply Services and ports used for real time protocols are listed in the user documentation 5 4 2 Specific cryptographic features Exception File transfer functionality provided by the IED user File transter protocol over TLS 5 4 2 a Webserver functionality Comply Secure web communication using HTTPS 5 4 2 b File transfer func...

Page 56: ...tion download is handled by authentication 5 5 2 Digital signature Exception Feature not supported 5 5 3 ID password control Comply Stored in the IED 5 5 4 ID password controlled features Comply 5 5 4 1 View configuration data Comply 5 5 4 2 Change configuration data Comply 5 6 Communications port access Comply 5 7 Firmware quality assurance Exception Quality control is handled according to ISO900...

Page 57: ... certificates The digital certificate certifies the ownership of a public key by the named subject of the certificate CMT Communication Management tool in PCM600 CPU Central processor unit CRC Cyclic redundancy check DARPA Defense Advanced Research Projects Agency The US developer of the TCP IP protocol etc DHCP Dynamic Host Configuration Protocol DNP3 DNP3 Distributed Network Protocol is a set of...

Page 58: ...S stands for Secure It means all communications between your browser and the website are encrypted ID IDentification IEC International Electrical Committee IEC 60255 This standard specifies the general performance requirements of all electrical measuring relays and protection equipment used in the electrotechnical fields covered by the IEC IEC 60870 5 103 Communication standard for protective equi...

Page 59: ...0 SHA Secure Hash Algorithms The SHA is one of a number of cryptographic hash functions A cryptographic hash is like a signature for a text or a data file SHA 256 algorithm generates an almost unique fixed size 256 bit 32 byte hash Hash is a one way function it cannot be decrypted back SMT Signal matrix tool within PCM600 SNTP Simple network time protocol is used to synchronize computer clocks on ...

Page 60: ...ternet Protocol IP network without prior communications to set up special transmission channels or data paths UMT User management tool UTC Coordinated Universal Time A coordinated time scale maintained by the Bureau International des Poids et Mesures BIPM which forms the basis of a coordinated dissemination of standard frequencies and time signals UTC is derived from International Atomic Time TAI ...

Page 61: ...55 ...

Page 62: ... AB Grid Automation Products 721 59 Västerås Sweden Phone 46 0 21 32 50 00 abb com protection control Copyright 2017 ABB All rights reserved Specifications subject to change without notice 1MRK 511 454 UEN ...

Reviews: