Page 4
Copyright This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software and hardware described in this document is furnished under a license and may be used or disclosed only in accordance with the terms of such license.
Page 5
In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.
Page 6
(EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standard EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive.
Table of contents Table of contents Section 1 Introduction...............5 This manual..................5 Intended audience................5 Product documentation...............6 Product documentation set............6 Related documents................7 Document symbols and conventions..........9 Symbols..................9 Document conventions..............10 Section 2 Security in Substation Automation......... 13 General security in Substation Automation........13 Section 3 Secure system setup............15 Physical interfaces................15 Communication ports and services..........
Page 8
Table of contents Section 5 Central Account Management........41 Introduction..................41 Certificate management..............42 Creating IED certificates..............42 Importing and writing certificates to an IED......... 44 Reading certificates from an IED..........47 Certificate information on local HMI..........49 Invalid certificates ............... 52 Deleting certificates from an IED..........52 Activation of Central Account Management........
Section 1 1MRK 511 399-UEN B Introduction Section 1 Introduction This manual GUID-AB423A30-13C2-46AF-B7FE-A73BB425EB5F v18 The cyber security deployment guideline describes the process for handling cyber security when communicating with the IED. Certification, Authorization with role based access control, and product engineering for cyber security related events are described and sorted by function.
Section 1 1MRK 511 399-UEN B Introduction Product documentation 1.3.1 Product documentation set GUID-3AA69EA6-F1D8-47C6-A8E6-562F29C67172 v15 Engineering manual Installation manual Commissioning manual Operation manual Application manual Technical manual Communication protocol manual Cyber security deployment guideline IEC07000220-4-en.vsd IEC07000220 V4 EN-US Figure 1: The intended use of manuals throughout the product lifecycle The engineering manual contains instructions on how to engineer the IEDs using the various tools available within the PCM600 software.
Section 1 1MRK 511 399-UEN B Introduction describes the process of testing an IED in a substation which is not in service. The chapters are organized in the chronological order in which the IED should be commissioned. The relevant procedures may be followed also during the service and maintenance activities.
Page 14
Section 1 1MRK 511 399-UEN B Introduction Documents related to REC670 Document numbers Application manual 1MRK 511 401-UEN Commissioning manual 1MRK 511 403-UEN Product guide 1MRK 511 404-BEN Technical manual 1MRK 511 402-UEN Type test certificate 1MRK 511 404-TEN Documents related to RED670 Document numbers Application manual 1MRK 505 376-UEN...
Section 1 1MRK 511 399-UEN B Introduction The warning icon indicates the presence of a hazard which could result in personal injury. The caution hot surface icon indicates important information or warning about the temperature of product surfaces. The caution icon indicates important information or warning related to the concept discussed in the text.
Page 17
Section 1 1MRK 511 399-UEN B Introduction • the character ^ in front of an input/output signal name indicates that the signal name may be customized using the PCM600 software. • the character * after an input signal name indicates that the signal must be connected to another function block in the application configuration to achieve a valid application configuration.
At ABB, we are addressing cyber security requirements on a system level as well as on a product level to support cyber security standards such as NERC-CIP, IEEE 1686 and BDEW Whitepaper.
Page 20
Section 2 1MRK 511 399-UEN B Security in Substation Automation it easier for our customers to address NERC CIP requirements and maintain compliance standards. Maintenance Center (Security Zone 4) Remote Control Center (Security Zone 3) Encrypted communication Security Zone 2 Workstation Encrypted MicroSCADA Pro SYS600...
3061 and 3062. The protocol availability on these ports can be configured using the Ethernet configuration tool. ABB recommends using common security measures, like firewalls, up to date anti virus software, etc. to protect the IED and the equipment around it.
Page 22
Section 3 1MRK 511 399-UEN B Secure system setup Port Protocol Default Front 3061 3062 Service Comment state 2102 open PCM Access IED configuration protocol (IED configuration protocol) 20 000 closed DNP3.0 DNP3.0 DNP communication only 20 000 closed DNP3.0 DNP3.0 DNP communication only 49152 closed...
Page 23
Section 3 1MRK 511 399-UEN B Secure system setup defined in the configuration which type of Ethernet communication is used. Only one type is possible at a time. • The TCP/ UDP port used for IEEE1344/C37.118 protocol can be changed in the IED.
Section 3 1MRK 511 399-UEN B Secure system setup IEC13000268-2-en.vsd IEC13000268 V2 EN-US Figure 4: Optical ethernet ports, position X311, rear view FTP access with TLS, FTPACCS GUID-9E64EA68-6FA9-4576-B5E9-92E3CC6AA7FD v3 The FTP Client defaults to the best possible security mode when trying to negotiate with TLS.
Section 3 1MRK 511 399-UEN B Secure system setup No passwords are stored in clear text within the IED. A hashed representation of the passwords with SHA 256 is stored in the IED. These are not accessible from outside via any ports. A user with SECADM or RBACMNT role is allowed to read out the hashed password on a secured (TLS) ODBC link.
Page 26
Section 3 1MRK 511 399-UEN B Secure system setup The certificate is always trusted during communication between the IED and PCM600. If Windows is configured to use UAC High the certificate have to be manually trusted in a dialog box. This certificate handling changes with Central Account Management and the possibility to use other certificates but self- signed in the IED.
Section 4 1MRK 511 399-UEN B Local user account management Section 4 Local user account management Authorization GUID-981A881D-9229-45E8-9EE5-D6DF2CA457E5 v4 User roles with different user rights are predefined in the IED. It is recommended to use user defined users instead of the predefined built-in users. The IED users can be created, deleted and edited only with PCM600.
Page 28
Section 4 1MRK 511 399-UEN B Local user account management User roles Role explanation User rights SECAUD Security auditor Can view audit logs RBACMNT RBAC Can change role assignment management ADMINISTRATOR Administrator Sum of all rights for SECADM, SECAUD and RBACMNT rights This User role is vendor specific and not defined in IEC 62351–8...
Section 4 1MRK 511 399-UEN B Local user account management At delivery, the IED has a default user defined with full access rights. PCM600 uses this default user to access the IED. This user is automatically removed in IED when users are defined via the IED Users tool in PCM600. Default User ID: Administrator Password: Administrator For user management, see Cyber security deployment guideline.
Page 30
Section 4 1MRK 511 399-UEN B Local user account management Access rights VIEWER OPERATOR ENGINEER INSTALLER SECADM SECAUD RBACMNT ADMINISTRATOR Control – Basic Control – Advanced IEDCmd – Basic IEDCmd – Advanced FileTransfer – Limited DB Access normal Audit log read Setting –...
Section 4 1MRK 511 399-UEN B Local user account management First user created must be appointed the role SECADM to be able to write users, created in PCM600, to the IED. In order to allow the IED to communicate with PCM600 when users are defined via the IED Users tool, the access rights “UserAdministration”...
Section 4 1MRK 511 399-UEN B Local user account management I E C 1 3 0 0 0 0 2 7 - 2 - e n . p s d IEC13000027 V2 EN-US Figure 6: Change Password Policies dialog box in IED Users tool in PCM600 IED User management GUID-B3A1A9F3-7F76-413C-A9A1-E090B90A8B3A v3 The IED Users tool in PCM600 is used for editing user profiles and role...
Section 4 1MRK 511 399-UEN B Local user account management The IED User dialog box appears. 4.4.2 General settings GUID-0326F993-E3F2-4F72-A94F-D8886EB9F6AD v4 In the General tab, by clicking Restore factory settings the default users can be restored in the IED Users tool. For the IED series this means reverting back to the factory delivered users.
Section 4 1MRK 511 399-UEN B Local user account management A user profile must always belong to at least one user group. IEC12000199-2-en.vsd IEC12000199 V2 EN-US Figure 8: Create new user 4.4.3.1 Adding new users GUID-85D09A73-7E14-4BD6-96E5-0959BF4326C0 v3 Click in the Users tab to open the wizard. 670 series 2.2 IEC Cyber security deployment guideline...
Page 35
Section 4 1MRK 511 399-UEN B Local user account management I E C 1 2 0 0 0 2 0 0 - 2 - e n . p s d IEC12000200 V2 EN-US Figure 9: Create new user Follow the instructions in the wizard to define a user name, password and user role.
Page 36
Section 4 1MRK 511 399-UEN B Local user account management IEC12000201-3-en.vsd IEC12000201 V3 EN-US Figure 10: Select user role Select the user from the user list and type a new name or description in the Description/full name field to change the name or description of the user. 670 series 2.2 IEC Cyber security deployment guideline...
Section 4 1MRK 511 399-UEN B Local user account management IEC12000202-2-en.vsd IEC12000202 V2 EN-US Figure 11: Enter description 4.4.3.2 Adding users to new user roles GUID-F335590A-EAC7-42E2-AC6B-C0051FD21D05 v2 Select the user from the Users list. Select the new role from the Select a role list. Click Information about the roles to which the user belongs to can be seen in the User details area.
Section 4 1MRK 511 399-UEN B Local user account management IEC12000203-2-en.vsd IEC12000203 V2 EN-US Figure 12: Adding user 4.4.3.3 Deleting existing users GUID-472BF39B-DDAC-4D88-9B74-E6C49D054524 v2 Select the user from the Users list. 670 series 2.2 IEC Cyber security deployment guideline...
Page 39
Section 4 1MRK 511 399-UEN B Local user account management IEC12000204-2-en.vsd IEC12000204 V2 EN-US Figure 13: Select user to be deleted Click 670 series 2.2 IEC Cyber security deployment guideline...
Section 4 1MRK 511 399-UEN B Local user account management IEC12000205-2-en.vsd IEC12000205 V2 EN-US Figure 14: Delete existing user 4.4.3.4 Changing password GUID-6180D722-CC49-445B-B520-BAD8904A60AF v2 Select the user from the Users list. 670 series 2.2 IEC Cyber security deployment guideline...
Page 41
Section 4 1MRK 511 399-UEN B Local user account management IEC12000206-2-en.vsd IEC12000206 V2 EN-US Figure 15: Select user Click Type the old password once and the new password twice in the required fields. The passwords can be saved in the project database or sent directly to the IED.
Section 4 1MRK 511 399-UEN B Local user account management I E C 1 2 0 0 0 2 0 7 - 2 - e n . p s d IEC12000207 V2 EN-US Figure 16: Change password 4.4.4 User role management GUID-213FBF87-3268-42E6-88B0-8EE260127B08 v2 In the Roles tab, the user roles can be modified.
Section 4 1MRK 511 399-UEN B Local user account management IEC12000208-2-en.vsd IEC12000208 V2 EN-US Figure 17: Editing users 4.4.4.1 Adding new users to user roles GUID-C53B644A-6C5C-43FC-96D7-E2CA152BD84A v1 Select the required role from the Roles list. The role profile can be seen under the Role details field. Select the new user from the Select a user list.
Section 4 1MRK 511 399-UEN B Local user account management IEC12000210-2-en.vsd IEC12000210 V2 EN-US Figure 18: Remove Role from User 4.4.4.3 Reusing user accounts GUID-C28C87EC-7027-440C-BB38-2C8EC14ECA40 v2 IED user account data can be exported from one IED and imported to another. The data is stored in an encrypted file.
Section 4 1MRK 511 399-UEN B Local user account management IEC12000209-2-en.vsd IEC12000209 V2 EN-US Figure 19: Importing and exporting user account data 4.4.5 Writing user management settings to the IED GUID-2066776C-72CC-49CC-B8D8-F2C320541A5E v2 • Click the Write User Management Settings to IED button on the toolbar. I E C 1 2 0 0 0 2 1 1 - 2 - e n .
Section 4 1MRK 511 399-UEN B Local user account management 4.4.7 Saving user management settings GUID-AE198606-6E71-4C77-A4E1-02B79E4270B4 v2 • Select File/Save from the menu. • Click the Save toolbar button. The save function is enabled only if the data has changed. 670 series 2.2 IEC Cyber security deployment guideline...
In this manual the LDAP server software description and handling is based on SDM600, which is an ABB product. Other Central Account Management software can be used, provided it has sufficient functionality.
Section 5 1MRK 511 399-UEN B Central Account Management Certificate management GUID-FFF5C8F8-8227-435E-8E5B-70D37D8E86DC v1 Normal User Security Administrator Manually transferred certificate files PCM600 SDM600 Start secure communication Start secure communication Replicate users Deploy certificate to IED Login Write Role to Right mapping Change own password Activate CAM Deactivate CAM...
Page 49
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000280 V1 EN-US Figure 22: Export SCD file Generate the SCD file from PCM600 In SDM600, import SCD via the Load Structure tool. Refer to Setting Up the SDM600 Structure in the SDM600 User Manual. Update "Alternative IP Addresses"...
Section 5 1MRK 511 399-UEN B Central Account Management SDM600 allows user to set key length of the certificates that needs to be deployed in IED. While it may be prudent to use a larger key size, it would also mean it requires a considerable longer time for the TLS handshake (between IED and tools/ Central Account Management servers) before any secure communication starts.
Page 51
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000346 V1 EN-US Figure 24: Import and Write certificates tool view in PCM600 Select for those IEDs to which certificates needs to be written Click on Import certificate button. IEC15000348 V1 EN-US Figure 25: Importing certificate (p12) file If certificate is password protected the user will be prompted to enter the...
Page 52
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000349 V1 EN-US Figure 26: Entering password of a certificate Only CAM certificates can be written from PCM600 to IED. 10. Select certificate IEC15000350 V1 EN-US Figure 27: Choosen certificate Click button to write certificate(s) for the enabled IEDs and click Yes in the confirmation dialog IEC15000352.vsdx...
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000353 V1 EN-US Figure 29: Result of written certificates When Central Account Management is enabled in IED, and if user deploys an invalid certificate in to an IED (e.g.: SDM600 certificate of another SDM server, than the one that is configured in the IED), then replication will fail at the time when IED tries to replicate.
Page 54
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000281 V1 EN-US Figure 30: Account Management Tool in PCM Select the Read and Delete Certificates option. IEC15000334 V1 EN-US Figure 31: Read and Delete Certificates view in PCM600 Select for those IEDs from which certificates needs to be read. Click button to read certificates from the IED IEC15000337 V1 EN-US...
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000339 V1 EN-US Figure 33: Certificates that are read from the IED 10. Double click on a Certificate Unit to view the details of it or 11. Right click on a Certificate Unit and select Properties IEC15000340 V1 EN-US IEC15000341 V1 EN-US Figure 34:...
Page 56
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000324 V1 EN-US Figure 35: Certificates view In the Certificates view certificate information is grouped according to usage. Selecting CAM and pressing will show information about the certificates used for Central Account Management. IEC15000325 V1 EN-US Figure 36: Certificate information for CAM certificates...
Page 57
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000326 V1 EN-US Figure 37: CAM certificates By pressing on a menu item without information in the right field more information will be shown. For instance, by pressing in the Issued to menu item shown in figure below, more information will be shown as in figure below.
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000328 V1 EN-US Figure 39: Certificate issued to 5.2.5 Invalid certificates GUID-66DFAC1D-F305-416F-91D9-05D035F1810B v1 The certificate can be invalid for different reasons, e.g. if the certificate has expired. In this case, if the IED is using a self-signed certificate, it will generate a new self signed certificate.
Page 59
Section 5 1MRK 511 399-UEN B Central Account Management Select the Certificate Units that needs to be deleted. IEC15000342 V1 EN-US Click on the delete-button in the toolbar. IEC15000343-1-en.vsdx A confirmation dialog appears IEC15000402 V1 EN-US Figure 40: Certificate deletion confirmation dialog Click on the Yes button to confirm the deletion.
Section 5 1MRK 511 399-UEN B Central Account Management It will not be possible to delete Internal and External certificates from PCM600 When IED is in Central Account Management mode, it is not recommended to remove Central Account Management certificates from the IED, because this action could cause connectivity problems between Central Account Management server (SDM600) and IED.
Page 61
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000280 V1 EN-US Figure 42: Export SCD file Import project SCD file in SDM600 and generate CAM configuration package. Please refer to SDM600 documentation for the detailed steps to generate CAM configuration package from SCD file. From PCM600, select Voltage Level or Bay or IED in the plant structure Select Tools/Account Management Right click on Voltage Level or Bay or IED in the plant structure and select...
Page 62
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000281 V1 EN-US Figure 43: Account Management Tool in PCM Click on SDM600 Configuration button, to open SDM600 configuration tool. IEC15000282 V1 EN-US Figure 44: Import SDM600 configuration From Tool bar, click to import SDM600 configuration zip file that is generated above at step #4.
Page 63
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000284 V1 EN-US Figure 46: SDM600 configuration import results 12. Click on Done button. 13. In Account management tool, select the IED(s) for which Central Account Management needs to be activated. 14.
Page 64
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000287 V1 EN-US Figure 48: Central Account Management write status When Central Account Management is set to active, the IED will do the following: • Verify the configuration to secure that SDM600 can be accessed. •...
Section 5 1MRK 511 399-UEN B Central Account Management If the Central Account Management activation fails, the activate parameter will be reset and Central Account Management must be activated again and a failure message will be indicated in PCM Output window. When Central Account Management is activated, any ongoing sessions with the IED will continue until they are closed.
Section 5 1MRK 511 399-UEN B Central Account Management Local Configuration tab indicates the configuration that currently exists in PCM600. Remote Configuration tab indicates the configuration that currently exists in the IED. IEC15000290 V1 EN-US Figure 51: Remote configuration Remote Configuration tab will have the configuration only if Read Central Account Management Configuration from the IED as described in section Reading configuration from IED...
Section 5 1MRK 511 399-UEN B Central Account Management 5.3.3 Deactivation of Central Account Management from PCM600 GUID-19BDC85E-4175-4B53-909F-0051E5D98492 v1 When Central Account Management is switched off in the IED, the IED will go back to be open. There will not be any IED users defined even if that was the case when Central Account Management was activated.
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000294-1-en.vsdx IEC15000294 V1 EN-US Figure 55: PCM600 output window indicating deactivation of Central Account Management in the IED 5.3.4 Deactivation of Central Account Management on local HMI GUID-A3829B79-FB89-4575-9D5C-C28EBCDD24CD v1 In case of wrong configuration of CAM and Certificates, there is a possibility to disable Central Account Management and delete the loaded certificates in the IED.
Section 5 1MRK 511 399-UEN B Central Account Management IEC12000170-4-en.vsdx IEC12000170 V4 EN-US Figure 58: Selection menu Select OK to Delete Certificates and Disable CAM PLEASE CONFIRM Delete Certificates, Disable CAM? (persistent) Cancel IEC15000364-1-en.vsd IEC15000364 V1 EN-US Figure 59: Confirmation Press to continue the startup sequence (now all the loaded certificates are deleted in the IED and Central account management is disabled in the IED).
Page 70
Section 5 1MRK 511 399-UEN B Central Account Management Table 7: Default users User name User rights SuperUser Full rights, only presented in LHMI. LHMI is logged on by default until other users are defined Guest Only read rights, only presented in LHMI. LHMI is logged on by default when other users are defined (same as VIEWER) Administrator Full rights.
Page 71
Section 5 1MRK 511 399-UEN B Central Account Management • A substation can be equipped with two redundant authentication servers operating in a hot standby mode. • If configured by the security administrator, the IED itself maintains a local replica in the database with selected users. This database is periodically updated with data from the server and used as fallback if none of the servers are reachable.
Section 5 1MRK 511 399-UEN B Central Account Management Predefined user roles GUID-DA25A28A-1E94-4B1D-A0FC-EA151070FA48 v1 There are different roles of users that can access or operate different areas of the IED and tool functions. The meaning of the legends used in the table: •...
Page 73
Section 5 1MRK 511 399-UEN B Central Account Management Access rights Explanation UserAdministration UserAdministration is used to handle user management e.g. adding new user Setting – Basic Setting – Basic is used for basic settings e.g. control settings and limit supervision Setting –...
Section 5 1MRK 511 399-UEN B Central Account Management Password policy settings for Central Account Management enabled IED GUID-ABB0D1DF-FF41-4411-95EC-7D4B93FF4E0B v1 The password policy is set in the Central Account Management server (SDM600). Refer to SDM600 user manual. PCM600 access to Central Account Management enabled IED GUID-D7C470F9-465E-494F-8345-D0B311C4F3CD v1 During normal access, e.g.
Section 5 1MRK 511 399-UEN B Central Account Management 5.7.1 Changing password GUID-C36A2E99-0BA8-42BA-A73E-77CC28DCDE65 v1 The user can also change the own password from PCM600 or LHMI. The following process is used: • A change password dialog is presented for the user in PCM600 or LHMI •...
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000295-1-en.vsdx IEC15000295 V1 EN-US Figure 60: Change own password User can enter details and click on OK button. Password will be changed and the result of the operation will be indicated in the PCM600 output window. 5.7.2 Error messages GUID-A90A0E1E-0581-4BE4-A34A-879BD1782793 v1...
Page 77
Section 5 1MRK 511 399-UEN B Central Account Management Table 12: Error indications from failed login Description EVENT NUMBER User feedback Login successful. 1110 *: Your password will expire in An additional password expiry x days. Do you want to change time can be sent by the CAM server.
Section 5 1MRK 511 399-UEN B Central Account Management Description EVENT NUMBER User feedback CAM server failed to write 2220 Error in the Central Account password to the provider. Server! Password is not changed. Connection to CAM server 2220 Error in the Central Account could not be established or Server! connection has been...
Page 79
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000369 V1 EN-US Figure 61: CAM default status When IED is not configured with Central Account Management the default status of the CAMStatus diagnostics will be: 670 series 2.2 IEC Cyber security deployment guideline...
Page 80
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000354 V1 EN-US Figure 62: CAM diagnostics default staus When the IED is Central Account Management configured with One server, the status of CAMStatus will be: 670 series 2.2 IEC Cyber security deployment guideline...
Page 81
Section 5 1MRK 511 399-UEN B Central Account Management IEC15000355 V1 EN-US Figure 63: IED CAM configured status Table 14: Label Rational Values Remarks UAMMode User account Builtin When IED is management mode configured with PCM users Local When IED is configured with default users Central...
Page 82
Section 5 1MRK 511 399-UEN B Central Account Management Label Rational Values Remarks Failed When last replication cycle has failed Last Update Indicates the last Never When replication was update of the status not configured information above. Timestamp Time when successful replication took place.
Page 83
Section 5 1MRK 511 399-UEN B Central Account Management Table 16: Symptoms Probable causes Solution Diagnostics on Local HMI: Server(s) not reachable Check if LDAP server is up Central Account Manager and running Server status will be indicated as Offline. Check IED connection Security Event: 3810 CAM Server communication failed.
Page 84
Section 5 1MRK 511 399-UEN B Central Account Management Table 17: Symptoms Probable causes Solution Diagnostics: Replication Server(s) not reachable Check if LDAP server is up ReplicaLastUpdate Failed. and running shows the time when last Server configuration has successful replication. changed Verify with system administrator that LDAP...
Section 6 1MRK 511 399-UEN B User activity logging Section 6 User activity logging Activity logging protocol GUID-9D7788E2-F94D-40E5-BE3E-3C47C39D34FC v1 Activity Logging can be reported from the IED through two different protocols; either IEC 61850 or Syslog. Syslog is a standard for computer message logging (RFC 5424).
Section 6 1MRK 511 399-UEN B User activity logging Name Values (Range) Unit Step Default Description ExtLogSrv2IP 0 - 18 127.0.0.1 External log server 2 IP-address Address ExtLogSrv3Type External log server 3 type SYSLOG UDP/IP SYSLOG TCP/IP CEF TCP/IP ExtLogSrv3Port 1 - 65535 External log server 3 port number ExtLogSrv3IP...
Section 6 1MRK 511 399-UEN B User activity logging It is possible to map respective protocol to the signals of interest and configure them for monitoring with the Communication Management tool (CMT) in PCM600. No events are mapped by default. Parameter names: •...
Section 6 1MRK 511 399-UEN B User activity logging Event types GUID-F56B592A-FA2E-4812-BED2-337115AAAF60 v2 The following table contains the event types that can be logged, including their 61850 mapping on the logical node GSAL Table 21: Event type codes Event number Acronyms GSAL mapping English 1110...
Page 89
Section 6 1MRK 511 399-UEN B User activity logging Event number Acronyms GSAL mapping English 3710 CAM_SRV_COMM_OK GSAL.Ina CAM Server communication successful 3810 CAM_SRV_COMM_FAIL GSAL.Ina CAM Server communication failed 3820 CAM_REPLICATION_NO_USERS GSAL.Ina Replication performed. No users replicated! 3830 CAM_REPLICATION_NO_CAPACITY GSAL.Ina Replication attempted but failed.
Page 90
Section 6 1MRK 511 399-UEN B User activity logging Event number Acronyms GSAL mapping English 10042 MAINT_UPDATE_ABORT_FAIL GSAL.Ina Failed to abort firmware update procedure 10050 MAINT_RECOVERY_ENTER_OK GSAL.Ina Recovery menu entered successfully 10052 MAINT_RECOVERY_ENTER_FAIL GSAL.Ina Failed to enter Recovery menu 10060 MAINT_AUTH_DIS_OK GSAL.Ina Authentication disabled from...
Section 7 1MRK 511 399-UEN B Local HMI use Section 7 Local HMI use GUID-9D51F5A5-B05A-4BEC-9E71-8BD0BEB87764 v3 At delivery, login is not required and the user has full access until users and passwords are created with PCM600 and written into the IED. The LHMI is logged on as SuperUser by default until other users are defined.
Page 92
Section 7 1MRK 511 399-UEN B Local HMI use IEC12000161-3-en.vsd IEC12000161 V3 EN-US Figure 66: Selecting the user name Select OK on the on-screen keyboard and press to stop editing the user name. Press to select the Password field and press to activate it.
Page 93
Section 7 1MRK 511 399-UEN B Local HMI use Only characters A - Z, a - z and 0 - 9 shall be used in user names. User names are not case sensitive. For passwords see the Password policies in PCM600. Select OK on the on-screen keyboard and press to stop editing the password.
Section 7 1MRK 511 399-UEN B Local HMI use Logging off GUID-0FDDB51B-D1C2-4442-AAE5-865BC39AE253 v1 The user is automatically logged off after the display timeout. The IED returns to a state where only reading is enabled. Manual logoff is also possible. Press To confirm logoff, select Yes and press IEC12000159-3-en.vsd IEC12000159 V3 EN-US...
Section 7 1MRK 511 399-UEN B Local HMI use Maintenance menu GUID-6E41F1AC-A4AB-40A0-B48D-2F4C91D838AF v1 It is possible to disable the Maintenance menu. This is done by setting the parameter MaintMenuEnable to No in the Group AUTHMAN: 1 using the Parameter settings in PCM600. If the Maintenance menu is disabled, there is no way to bypass authority if passwords are forgotten.
Page 96
Section 7 1MRK 511 399-UEN B Local HMI use IEC12000168-4-en.vsdx IEC12000168 V4 EN-US Figure 73: Select Recovery menu Enter PIN code 8282 and press IEC13000036-4-en.vsdx IEC13000036 V4 EN-US Figure 74: Enter PIN code Select Turn off authority and press IEC12000170-4-en.vsdx IEC12000170 V4 EN-US Figure 75: Turn off Authority...
Section 7 1MRK 511 399-UEN B Local HMI use Open PCM600 and start the IED Users tool. • Remove the faulty user • Create a new user with the same access rights • Write the user management settings to the IED The IED perform a reboot, new settings are activated and the authority system is enabled again.
Section 7 1MRK 511 399-UEN B Local HMI use When the IED is reverted to IED defaults through Maintenance menu, the certificates will be deleted. 7.4.3 Restore points GUID-AD24F69B-BEEE-4370-8E8C-F245B947F1DD v1 Restore points can be used to restore the IED to a previous configuration. A total of three restore points can be active, one of these is reserved to the “IED update functionality”...
Page 99
Section 7 1MRK 511 399-UEN B Local HMI use IEC17000034-1-en.vsdx IEC17000034 V1 EN-US Figure 80: List of restore points To create a restore point, navigate to “User restore point” and press To confirm, select OK and press IEC17000035-1-en.vsdx IEC17000035 V1 EN-US Figure 81: Confirm selection This will start a save of the current system state to a restore point and a...
Page 100
Section 7 1MRK 511 399-UEN B Local HMI use IEC17000038-1-en.vsdx IEC17000038 V1 EN-US Figure 84: List of restore points Here the system can be reverted to the system state of the restore point. In this menu, currently active restore point can be deleted or replaced. IEC17000039-1-en.vsdx IEC17000039 V1 EN-US Figure 85:...
GUID-EE0D9238-4DCF-4D2D-96FE-D2879C4CC6C3 v2 Cyber security issues have been the subject of standardization initiatives by ISA, IEEE, or IEC for some time and ABB plays an active role in all these organizations, helping to define and implement cyber security standards for power and industrial control systems.
Section 8 1MRK 511 399-UEN B Standard compliance statement IEEE1686 compliance GUID-009DC366-9ABB-430B-A71C-AA4E5FD1B631 v2 Table 23: IEEE1686 compliance Clause Title Status Comment IED cyber security Acknowledge features Electronic access Acknowledge control 5.1.1 IED access control Comply Access is protected for local access overview through control panel.
Page 103
Section 8 1MRK 511 399-UEN B Standard compliance statement Clause Title Status Comment 5.1.6 f) ID/password or RBAC Comply Feature is accessible through management individual user accounts. 5.1.6 g) Audit log Comply Feature is accessible through individual user accounts. 5.1.7 Password display Comply 5.1.8...
Page 104
Section 8 1MRK 511 399-UEN B Standard compliance statement Clause Title Status Comment 5.3.3 c) Attempted use of Exception Client certificates are not in use unauthorized configuration software 5.3.3 d) Invalid configuration Comply or firmware download 5.3.3 e) Unauthorized Exception Not supported configuration or firmware file...
Page 105
Section 8 1MRK 511 399-UEN B Standard compliance statement Clause Title Status Comment IED configuration Acknowledge software 5.5.1 Authentication Exception IED can be configured using unauthorized copies of the configuration software. However configuration download is handled by authentication. 5.5.2 Digital signature Exception Feature not supported 5.5.3...
Section 9 1MRK 511 399-UEN B Glossary Section 9 Glossary GUID-2282AE1E-7E51-4F9F-8066-70614FB38695 v4 Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext.
Page 108
Section 9 1MRK 511 399-UEN B Glossary EN 50263 Electromagnetic compatibility (EMC) - Product standard for measuring relays and protection equipment. EN 60255-26 Electromagnetic compatibility (EMC) - Product standard for measuring relays and protection equipment. EN 60255-27 Electromagnetic compatibility (EMC) - Product standard for measuring relays and protection equipment.
Page 109
Section 9 1MRK 511 399-UEN B Glossary IEEE 1686 Standard for Substation Intelligent Electronic Devices (IEDs') Cyber Security Capabilities IEEE IEEE standard for synchrophasors for power systems. The C37.118-2005 standard was published in 2006 and a new version of the standard was published in December 2011 which split the IEEE C37.118-2005 into IEEE C37.118.1-2011 and IEEE C37.118.2-2011.
Page 110
Section 9 1MRK 511 399-UEN B Glossary SCADA Supervision, control and data acquisition, see also MicroSCADA System configuration tool according to standard IEC 61850 The Secure Hash Algorithm is a family of cryptographic hash functions. The SHA 2 family comprise two similar hash functions, with different block sizes, known as SHA-256 and SHA-512.
Page 111
Section 9 1MRK 511 399-UEN B Glossary Coordinated Universal Time. A coordinated time scale, maintained by the Bureau International des Poids et Mesures (BIPM), which forms the basis of a coordinated dissemination of standard frequencies and time signals. UTC is derived from International Atomic Time (TAI) by the addition of a whole number of "leap seconds"...