The user categories and roles with user rights as defined by IEC
62359–8 for role based access control are pre-defined in the
The IED users can be created, deleted and edited only with
Password policies are set in the PCM600 IED user management
At delivery, the IED user has full access as SuperUser until
users are created with PCM600.
Authority status ATHSTAT
Authority status ATHSTAT function is an indication function
block for user log-on activity.
User denied attempt to log-on and user successful log-on are
Authority check ATHCHCK
To safeguard the interests of our customers, both the IED and
the tools that are accessing the IED are protected, by means of
authorization handling. The authorization handling of the IED
and the PCM600 is implemented at both access points to the
• local, through the local HMI
• remote, through the communication ports
The IED users can be created, deleted and edited only with
PCM600 IED user management tool.
Figure 9. PCM600 user management tool
This function enables/disables the maintenance menu. It also
controls the maintenance menu log on time out.
FTP access with SSL FTPACCS
The FTP Client defaults to the best possible security mode
when trying to negotiate with SSL.
The automatic negotiation mode acts on port number and
server features. It tries to immediately activate implicit SSL if the
specified port is 990. If the specified port is any other, it tries to
negotiate with explicit SSL via AUTH SSL/TLS.
Using FTP without SSL encryption gives the FTP client reduced
capabilities. This mode is only for accessing disturbance
recorder data from the IED.
If normal FTP is required to read out
disturbance recordings, create a specific
account for this purpose with rights only to
do File transfer. The password of this user
will be exposed in clear text on the wire.
Generic security application AGSAL
As a logical node, AGSAL is used for monitoring security
violations regarding authorization, access control and inactive
association, including authorization failure. Therefore, all the
information in AGSAL can be configured to report to 61850
Activity logging ACTIVLOG
ACTIVLOG contains all settings for activity logging.
Syslog events can be sent to up to 6 external log servers.
Each server can be configured with IP address, IP port number
and protocol format. The format can be either syslog (RFC
5424) or Common Event Format (CEF) from ArcSight.
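The following is an added example, not part of the product guide or of the vendor's software: a receiving log server that accepts either of the two formats named above and sets aside lines that match neither. The sample lines, the event ID 1115, and the host, vendor and user names are constructed; the field contents the IED actually sends are not specified on this page.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:\\.|[^\]\\])*\])+)(?: (?P<msg>.*))?$")
CEF_PIPE = re.compile(r"(?<!\\)\|")                # header fields split on unescaped '|'
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # extension: space-separated key=value

def parse_event(line):
    """Normalize one received line; return None if it is neither RFC 5424 nor CEF."""
    line = line.strip()
    m = RFC5424.match(line)
    if m and int(m["pri"]) <= 191:                 # PRI = facility * 8 + severity
        pri = int(m["pri"])
        return {"format": "rfc5424", "host": m["host"], "facility": pri >> 3,
                "severity": pri & 7, "event_id": m["msgid"], "text": m["msg"] or ""}
    start = line.find("CEF:")                      # CEF may follow a syslog prefix
    if start >= 0:
        parts = CEF_PIPE.split(line[start + 4:], maxsplit=7)
        if len(parts) >= 7 and parts[0].isdigit():
            ext = dict(CEF_EXT.findall(parts[7])) if len(parts) == 8 else {}
            return {"format": "cef", "vendor": parts[1], "product": parts[2],
                    "event_id": parts[4], "text": parts[5], "severity": parts[6],
                    "ext": ext}
    return None

def triage(lines):
    """Split received lines into parsed events and rejects kept for review."""
    events, rejects = [], []
    for line in lines:
        ev = parse_event(line)
        (events if ev else rejects).append(ev or line)
    return events, rejects

# Constructed sample input: event IDs, host and user names are made up for this example.
SAMPLE = [
    "<86>1 2024-05-01T10:15:00Z ied-01 ied - 1115 - Log-on failed for user operator1",
    "CEF:0|ExampleVendor|ExampleIED|1.3|1115|Log-on failed|6|suser=operator1 src=192.0.2.10",
    "Log-on failed for user operator1",            # no recognizable header: rejected
]

if __name__ == "__main__":
    parsed, bad = triage(SAMPLE)
    for ev in parsed:
        print(ev)
    print("rejected:", bad)
```

Keeping the rejected lines rather than dropping them lets an operator notice a server entry configured with the wrong protocol format.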
Security alarm SECALARM
The function creates and distributes security events for
mapping the security events on protocols such as DNP3.
It is possible to map respective protocol to the signals of
interest and configure them for monitoring with the
Communication Management tool (CMT) in PCM600. No
events are mapped by default.
Parameter names:
• EVENTID: Event ID of the generated security event
• SEQNUMBER: Sequence number of the generated security
Security events
All user operations are logged as events. These events can
be sent to external security log servers using SYSLOG data
formats. The log servers can be configured using PCM600.
Generator protection REG650
1MRK 502 050-BEN B
Product version: 1.3