In automatic negotiation mode the client looks at the configured port number and at the features the server advertises: when the port is 21 it attempts explicit TLS by sending AUTH TLS. When any other port is configured, it attempts the same explicit TLS negotiation.
Using FTP without TLS encryption gives the FTP client reduced capabilities; this mode is intended only for reading disturbance recorder data from the IED.
If plain FTP is required to read out disturbance recordings, create a dedicated account for this purpose with rights only for File transfer, because the password of that user (and the transferred recordings) cross the wire in clear text.
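The negotiation described above, written out as a client, as an added example (not ABB's code or part of this guideline). It assumes the server answers FEAT with its feature list as in RFC 2389 and that a CA bundle for the IED's certificate is available; the host name, the credentials, the cafile path, the allow_cleartext switch and the two FEAT replies are constructed for illustration:

```python
"""Explicit-TLS (AUTH TLS) negotiation for an FTP server, in the spirit of the
IED's automatic mode. Added example, not ABB's implementation.

Assumptions: the server answers FEAT in RFC 2389 layout (status line, one
indented line per feature, closing status line); host, port, credentials,
cafile and the allow_cleartext switch are hypothetical inputs.
"""
import ssl
from ftplib import FTP_TLS

# Constructed FEAT replies, modelled on a TLS-capable and a plain server.
SAMPLE_FEAT_TLS = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End"
SAMPLE_FEAT_PLAIN = "211-Features:\n UTF8\n SIZE\n211 End"


def server_features(feat_reply: str) -> set:
    """Return the feature names advertised in a FEAT reply.

    The first and last lines carry the 211 status; each feature sits on its
    own line indented by one space.
    """
    lines = feat_reply.splitlines()
    return {ln.strip().upper() for ln in lines[1:-1] if ln.startswith(" ")}


def choose_mode(port: int, feat_reply: str, allow_cleartext: bool = False) -> str:
    """Automatic negotiation as the guideline describes it: whether the
    configured port is 21 or another port, explicit TLS via AUTH TLS is used
    whenever the server advertises it. Clear-text FTP is accepted only when the
    caller has explicitly allowed it (the disturbance-recording readout case
    with the dedicated File-transfer-only account); otherwise we refuse rather
    than silently exposing credentials on the wire.
    """
    if "AUTH TLS" in server_features(feat_reply):
        return "explicit-tls"
    if allow_cleartext:
        return "cleartext"
    raise RuntimeError(f"server on port {port} does not offer AUTH TLS")


def connect_ied(host: str, port: int, user: str, password: str,
                allow_cleartext: bool = False, cafile: str = None) -> FTP_TLS:
    """Open the control connection, ask for FEAT, then upgrade to TLS before
    sending any credentials when the server supports it. (Network access
    required; the hypothetical host and cafile are supplied by the caller.)
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the IED certificate
    client = FTP_TLS(context=ctx)
    client.connect(host, port, timeout=10)
    mode = choose_mode(port, client.sendcmd("FEAT"), allow_cleartext)
    if mode == "explicit-tls":
        client.auth()                    # AUTH TLS: control channel wrapped in TLS
        client.login(user, password)     # USER/PASS now travel encrypted
        client.prot_p()                  # PROT P: data connections encrypted too
    else:
        # Reduced-capability clear-text mode: only for the read-only
        # disturbance-recording account, since USER/PASS go over the wire in clear.
        client.login(user, password, secure=False)
    return client


if __name__ == "__main__":
    print(choose_mode(21, SAMPLE_FEAT_TLS))
    print(choose_mode(2121, SAMPLE_FEAT_PLAIN, allow_cleartext=True))
```

The decisive detail is the ordering in `connect_ied`: FEAT is sent before login, AUTH TLS is completed before USER/PASS, and PROT P is requested so that the disturbance recordings themselves are not transferred in clear text on the data channel.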
3.4 Encryption algorithms
GUID-ED920AF8-06D3-441D-9AE4-52386DBB9D3D v1
SSL/TLS connections are encrypted with AES 256 where the peer supports it, and with AES 128 as a minimum; the choice between the two is negotiated when the connection is established.
No passwords are stored in clear text within the IED. The IED stores only a SHA 256 digest of each password (a one-way hash, not a reversible encryption), and these digests are not accessible from outside via any port.
3.5 Denial of service
GUID-EECFB0DB-AE52-4C7D-A02A-EE0503616FDF v1.1.1
The denial of service function is designed to limit the CPU load that Ethernet network traffic can produce on the IED. The communication facilities must not be allowed to compromise the primary functionality of the device. All inbound network traffic is quota controlled, so that an excessive network load, for instance caused by malfunctioning equipment connected to the network, can be contained.
The denial of service functions DOSFRNT and DOSLAN1 measure the load that communication places on the IED and, if necessary, limit it so that a high CPU load cannot jeopardize the IED's control and protection functionality. The function has the following outputs:
• LINKUP indicates the Ethernet link status
• WARNING indicates that the data rate is higher than 3000 frames/s
• ALARM indicates that the IED is limiting the IP communication
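The quota mechanism behind these three outputs, as an added example that is not ABB's implementation of DOSFRNT or DOSLAN1. The 3000 frames/s WARNING threshold is the figure from this guideline; the 5000 frames/s quota at which frames are dropped (ALARM), the one-second measurement window and the frame timestamps fed in are assumptions made for the example:

```python
"""Inbound frame-rate quota with LINKUP / WARNING / ALARM outputs.

Added example, not the IED's own DOSFRNT/DOSLAN1 code. WARNING_RATE comes from
the guideline; QUOTA_RATE and the 1 s window are assumed values.
"""
import math

WARNING_RATE = 3000   # frames/s, threshold stated in the guideline
QUOTA_RATE = 5000     # frames/s, assumed quota beyond which frames are dropped


class DosMonitor:
    """Counts inbound Ethernet frames per one-second window.

    frame() returns True when the frame may be handed to the IP stack and
    False when the quota for the current second is exhausted (limiting active).
    WARNING and ALARM reflect the last completed window, and are raised early
    within a window as soon as its thresholds are crossed.
    """

    def __init__(self, warning_rate: int = WARNING_RATE, quota_rate: int = QUOTA_RATE):
        self.warning_rate = warning_rate
        self.quota_rate = quota_rate
        self.linkup = False
        self.warning = False
        self.alarm = False
        self.dropped_total = 0
        self._window = None   # start (whole second) of the current window
        self._seen = 0        # frames that arrived in the window
        self._passed = 0      # frames handed to the IP stack in the window

    def link(self, up: bool) -> None:
        """LINKUP output: a link that goes down clears the traffic state."""
        self.linkup = up
        if not up:
            self.warning = self.alarm = False
            self._window = None

    def frame(self, t: float) -> bool:
        """Account one inbound frame arriving at time t (seconds)."""
        if not self.linkup:
            return False                      # no link, nothing to pass on
        if self._window is None or t - self._window >= 1.0:
            self._close_window(t)
        self._seen += 1
        if self._seen > self.warning_rate:
            self.warning = True               # data rate above 3000 frames/s
        if self._passed >= self.quota_rate:
            self.dropped_total += 1
            self.alarm = True                 # IED is limiting IP communication
            return False
        self._passed += 1
        return True

    def _close_window(self, t: float) -> None:
        """Derive the outputs from the completed window and start a new one."""
        if self._window is not None:
            self.warning = self._seen > self.warning_rate
            self.alarm = self._seen > self.quota_rate
        self._window = math.floor(t)
        self._seen = 0
        self._passed = 0


if __name__ == "__main__":
    # Constructed traffic: a 4000 frames/s burst, then a 6000 frames/s flood.
    m = DosMonitor()
    m.link(True)
    passed = sum(m.frame(i / 4000) for i in range(4000))
    print(f"second 0: passed={passed} warning={m.warning} alarm={m.alarm}")
    passed = sum(m.frame(1.0 + i / 6000) for i in range(6000))
    print(f"second 1: passed={passed} dropped={m.dropped_total} alarm={m.alarm}")
```

Because the outputs are derived per window, a flood that stops leaves WARNING and ALARM raised until the next quiet window has been measured; an operator reading these signals should therefore expect them to lag the traffic by about one second.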
Section 3 Secure system setup. 1MRK 511 454-UEN A, GMS600 1.3 Cyber security deployment guideline, page 10.