Cyber Security Deployment Guideline
611 series
Document ID: 1MRS758337
Issued: 2016-02-22
Revision: A
Product version: 2.0
The software or hardware described in this document is furnished under a license and
may be used, copied, or disclosed only in accordance with the terms of such license.
Trademarks
ABB and Relion are registered trademarks of the ABB Group. All other brand or
product names mentioned in this document may be trademarks or registered
trademarks of their respective holders.
Warranty
Please inquire about the terms of warranty from your nearest ABB representative.
http://www.abb.com/substationautomation
Disclaimer
The data, examples and diagrams in this manual are included solely for the concept or
product description and are not to be deemed as a statement of guaranteed properties.
All persons responsible for applying the equipment addressed in this manual must
satisfy themselves that each intended application is suitable and acceptable, including
that any applicable safety or other operational requirements are complied with. In
particular, any risks in applications where a system failure and/or product failure
would create a risk for harm to property or persons (including but not limited to
personal injuries or death) shall be the sole responsibility of the person or entity
applying the equipment, and those so responsible are hereby requested to ensure that
all measures are taken to exclude or mitigate such risks.
This product has been designed to be connected and communicate data and
information via a network interface which should be connected to a secure network.
It is the sole responsibility of the person or entity responsible for network
administration to ensure a secure connection to the network and to take the necessary
measures (such as, but not limited to, installation of firewalls, application of
authentication measures, encryption of data, installation of antivirus programs, etc.)
to protect the product and the network, its system and interface included, against any
kind of security breaches, unauthorized access, interference, intrusion, leakage and/or
theft of data or information. ABB is not liable for any such damages and/or losses.
This document has been carefully checked by ABB but deviations cannot be
completely ruled out. In case any errors are detected, the reader is kindly requested to
notify the manufacturer. Other than under explicit contractual commitments, in no
event shall ABB be responsible or liable for any loss or damage resulting from the use
of this manual or the application of the equipment.
Conformity
This product complies with the directive of the Council of the European Communities
on the approximation of the laws of the Member States relating to electromagnetic
compatibility (EMC Directive 2004/108/EC) and concerning electrical equipment for
use within specified voltage limits (Low-voltage directive 2006/95/EC). This
conformity is the result of tests conducted by ABB in accordance with the product
standard EN 60255-26 for the EMC directive, and with the product standards EN
60255-1 and EN 60255-27 for the low voltage directive. The product is designed in
accordance with the international standards of the IEC 60255 series.
Table of contents
Section 1 Introduction
  This manual
  Intended audience
  Product documentation
    Product documentation set
    Document revision history
    Related documentation
  Symbols and conventions
    Symbols
    Document conventions
Backup files
  Creating a backup from the relay configuration
  Creating a backup from the PCM600 project
Restoring factory settings
Restoring the administrator password
Section 8 Glossary
Section 1 Introduction
The cyber security deployment guideline describes the process for handling cyber
security when communicating with the protection relay. The cyber security
deployment guideline provides information on how to secure the system on which the
protection relay is installed. The guideline can be used as a technical reference during
the engineering phase, installation and commissioning phase, and during normal
service.
This guideline is intended for the system engineering, commissioning, operation and
maintenance personnel handling cyber security during the engineering, installation
and commissioning phases, and during normal service.
The personnel are expected to have general knowledge of topics related to cyber
security.
Figure: Product documentation set across the product lifecycle (planning & purchase,
engineering, installation, operation, maintenance): Quick start guide, Quick
installation guide, Brochure, Product guide, Operation manual, Installation manual,
Connection diagram, Engineering manual, Technical manual, Application manual,
Communication protocol manual, IEC 61850 engineering guide, Point list manual,
Cyber security deployment guideline.
1.4.1 Symbols
The tip icon indicates advice on, for example, how to design your
project or how to use a certain function.
• Abbreviations and acronyms are spelled out in the glossary. The glossary also
contains definitions of important terms.
• Push button navigation in the LHMI menu structure is presented by using the
push button icons.
To navigate between the options, use and .
• Menu paths are presented in bold.
Select Main menu/Settings.
• LHMI messages are shown in Courier font.
To save the changes in nonvolatile memory, select Yes and press .
• Parameter names are shown in italics.
The function can be enabled and disabled with the Operation setting.
• Parameter values are indicated with quotation marks.
The corresponding parameter values are "On" and "Off".
• Input/output messages and monitored data names are shown in Courier font.
When the function starts, the START output is set to TRUE.
• This document assumes that the parameter setting visibility is "Advanced".
Section 2 Security in distribution automation
The new generation of automation systems uses open standards such as IEC
60870-5-104, DNP3 and IEC 61850 and commercial technologies, in particular
Ethernet and TCP/IP based communication protocols. They also enable connectivity
to external networks, such as office intranet systems and the Internet. These changes
in technology, including the adoption of open IT standards, have brought huge
benefits from an operational perspective, but they have also introduced cyber security
concerns previously known only to office or enterprise IT systems.
To counter cyber security risks, open IT standards are equipped with cyber security
mechanisms. These mechanisms, developed in a large number of enterprise
environments, are proven technologies. They enable the design, development and
continual improvement of cyber security solutions also for control systems, including
distribution automation applications.
ABB understands the importance of cyber security and its role in advancing the
security of distribution networks. A customer investing in new ABB technologies can
rely on system solutions where reliability and security have the highest priority.
ABB is involved in the standardization and definition of several cyber security
standards; the most applicable and most frequently referenced are ISO 2700x, IEC
62443, IEEE P1686 and IEC 62351. Besides standardization efforts there are also
several government-initiated requirements and practices, such as NERC CIP and
BDEW. ABB fully understands the importance of cyber security for substation
automation systems and is committed to supporting users in their efforts to achieve
or maintain compliance with these.
Section 3 Secure system setup
• Recognizing and familiarizing all parts of the system and the system's
communication links
• Removing all unnecessary communication links in the system
• Rating the security level of remaining connections and improving with applicable
methods
• Hardening the system by removing or deactivating all unused processes,
communication ports and services
• Checking that the whole system has backups available from all applicable parts
• Collecting and storing backups of the system components and keeping those up-
to-date
• Removing all unnecessary user accounts
• Changing default passwords and using strong enough passwords
• Checking that the link from substation to upper level system uses strong enough
encryption and authentication
• Separating public network from automation network
• Segmenting traffic and networks
• Using firewalls and demilitarized zones
• Assessing the system periodically
• Using antivirus software in workstations and keeping those up-to-date
Figure: Security zone 1 with AFF650 firewall, SYS600 C, COM600S and AFS660.
All physical ports dedicated for station bus communication can be opened and closed
in relay configuration. Front port is used for engineering and it can be used only for
point-to-point configuration access with PCM600 or WHMI. Front port should not be
connected to any Ethernet network.
Table 1: Physical ports on relay's communication cards
Port ID    | Type                 | Default state | Description
X1...X3    | RJ-45 or fiber optic | Open          | Ethernet station bus
X5         | RS-485               | Closed        | Serial station bus
X6         | RS-232/RS-485        | Closed        | Serial station bus
Front port | RJ-45                | Open          | LHMI service access
If the protection relay is ordered with station bus option, serial ports are closed by
default and Ethernet ports are open. All protocol instances except for IEC 61850 are
by default off and do not respond to any protocol requests in serial or Ethernet ports.
IEC 61850 protocol and rear Ethernet ports are by default activated as those are used
for engineering of the protection relay. Front port is segregated from rear ports' station
bus communication.
The relay supports an option with multiple station communication Ethernet ports. In
this case, all ports use the same IP and MAC address regardless of what redundancy
option is activated in the relay configuration.
The following table summarizes the IP ports used by the device, as needed when setting
up an IP firewall. All closed ports can be opened in the configuration. Ports which are
open by default are used for configuring the protection relay.
Table 2: IP ports used by the relay
Port number | Type | Default state                                  | Description
20, 21      | TCP  | Open                                           | File Transfer Protocol (FTP and FTPS)
102         | TCP  | Open                                           | IEC 61850
80          | TCP  | Open                                           | Web server HTTP
443         | TCP  | Open                                           | Web server HTTPS
123         | UDP  | Client service, not active by default in relay | Simple Network Time Protocol
502         | TCP  | Closed                                         | Modbus TCP
FTP and IEC 61850 are the primary services needed for relay configuration and cannot
be disabled. Additionally, the protection relay uses layer 2 communication for
GOOSE, IEEE 1588 (PTP) and HSR/PRP supervision services, which needs to be
taken into account when designing the network.
In addition to the HTTP and FTP protocols, the relay supports the Ethernet-based
substation automation communication protocol Modbus. IEC 61850 is always
enabled, and the relay can be ordered with one additional station bus protocol.
Additional protocols must be enabled in the configuration, otherwise the
communication protocol TCP/UDP port is closed and unavailable. If the protocol
service is configured, the corresponding port is open all the time.
See the relay series technical manual and the corresponding protocol documentation
for configuring a certain communication protocol.
In Modbus it is possible to assign the TCP or UDP port number if required and it is also
possible to allow connection requests only from configured client IP address.
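The port table and the protocol rules above (IEC 61850 and FTP always on, WHMI ports open while the Web HMI service is enabled, Modbus only after it is configured and only for configured client addresses, SNTP a client rather than a listener) can be turned into a small expected-port model. The example below is added here and is not ABB code: it derives firewall rules from that model and audits a port scan of the relay against the configuration, which is the "assessing the system periodically" step from the checklist in this section. The configuration keys, IP addresses and the scan result are constructed assumptions, not relay parameter names.

```python
"""Expected-port model of a 611 series relay derived from Table 2 of the
guideline.  Used for two defender tasks: emitting firewall rules that only
admit the engineering workstation and the configured Modbus clients, and
auditing a port scan of the relay against its configuration.
Added example, not ABB code.  The configuration keys, addresses and scan
result are constructed assumptions, not relay parameter names."""

# Services that are always on and cannot be disabled (FTP/FTPS, IEC 61850).
ALWAYS_OPEN = {(20, "tcp"): "FTP data", (21, "tcp"): "FTP control",
               (102, "tcp"): "IEC 61850"}
# Both WHMI ports are open while the Web HMI service is enabled.
WHMI_PORTS = {(80, "tcp"): "WHMI HTTP", (443, "tcp"): "WHMI HTTPS"}


def expected_listening(cfg):
    """Return {(port, proto): service} the relay should be listening on.

    cfg keys (assumed names):
      whmi_enabled   - Web HMI mode; both WHMI ports close when it is off
      modbus_enabled - Modbus TCP must be enabled explicitly
      modbus_port    - the Modbus port number is configurable (default 502)
    123/UDP is an SNTP client on the relay, so it never listens."""
    ports = dict(ALWAYS_OPEN)
    if cfg.get("whmi_enabled", True):
        ports.update(WHMI_PORTS)
    if cfg.get("modbus_enabled", False):
        ports[(cfg.get("modbus_port", 502), "tcp")] = "Modbus TCP"
    return ports


def firewall_rules(cfg, relay_ip, engineering_ws, modbus_clients=(), ntp_server=None):
    """iptables FORWARD rules for a firewall in front of the relay: engineering
    services only from the workstation, Modbus only from the configured client
    addresses, outbound SNTP only to the named server, everything else dropped."""
    rules = []
    for (port, proto), service in sorted(expected_listening(cfg).items()):
        sources = modbus_clients if service == "Modbus TCP" else (engineering_ws,)
        for src in sources:
            rules.append(f"iptables -A FORWARD -p {proto} -s {src} -d {relay_ip} "
                         f"--dport {port} -m comment --comment '{service}' -j ACCEPT")
    if ntp_server:
        rules.append(f"iptables -A FORWARD -p udp -s {relay_ip} -d {ntp_server} "
                     "--dport 123 -m comment --comment 'SNTP client' -j ACCEPT")
    rules.append(f"iptables -A FORWARD -d {relay_ip} -j DROP")
    return rules


def audit_scan(cfg, observed_open):
    """Compare a scan result {(port, proto), ...} with the expected set.
    Returns (unexpected_open, missing): a protocol left enabled shows up in
    the first list, a service that stopped answering in the second."""
    expected = set(expected_listening(cfg))
    observed = set(observed_open)
    return sorted(observed - expected), sorted(expected - observed)


if __name__ == "__main__":
    # Constructed station: Modbus disabled in the relay configuration ...
    cfg = {"whmi_enabled": True, "modbus_enabled": False}
    for rule in firewall_rules(cfg, "192.168.2.10", "192.168.2.100",
                               ntp_server="192.168.2.1"):
        print(rule)
    # ... but a scan shows 502/tcp answering and 443/tcp silent: both are findings.
    scan = {(20, "tcp"), (21, "tcp"), (102, "tcp"), (80, "tcp"), (502, "tcp")}
    print(audit_scan(cfg, scan))
```

The audit reports in both directions on purpose: a Modbus port that answers although the protocol is disabled in the relay configuration points at a configuration that differs from the documented one, while a missing HTTPS port may mean the WHMI was disabled without the change being recorded. Because the front port must not be connected to any Ethernet network, the rules only cover the rear station bus ports.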
The certificate is used to verify that a public key belongs to an identity. In the case of
HTTPS, the WHMI server in the protection relay presents the certificate to the Web
client, giving the client the public key and the identity of the server. The public key is
one part of an asymmetric key algorithm, where one key is used to encrypt a message
and another key is used to decrypt it. The public/private key pair (asymmetric key) is
used to exchange the symmetric key, which in turn is used to encrypt and decrypt the
data exchanged between server and client.
Messages encrypted with the public key can only be decrypted with the other part of
the key pair, the private key. Public and private key are related mathematically and
represent a cryptographic key pair. The private key is kept secret and stored safely in
the protection relay, while the public key may be widely distributed.
The protection relay certificate is trusted in communication between the relay and
PCM600. For WHMI use, the certificate signed by the relay must be accepted in the
Web browser when opening the connection to WHMI.
No passwords are stored in clear text within the IED. A hashed representation of the
passwords with SHA-256 is stored in the IED. These are not accessible from outside
via any ports.
The WHMI is one of the available user access services in the protection relay. By
default the service is enabled and the HTTP and HTTPS TCP ports are open. WHMI
can be disabled with the Web HMI mode parameter via LHMI menu path Main menu/
Configuration/HMI.
The relay supports HTTPS protocol to provide encryption and secure identification in
the communication to the WHMI. The Secure Communication parameter is active by
default, and WHMI access is automatically opened in HTTPS mode. When the Secure
Communication parameter is inactive, both HTTP and HTTPS protocols can be used
for WHMI.
The WHMI requires that certain technical features must be supported and enabled by
the used Web client.
• HTTP 1.1
• HTML 4 and HTML 5
• XSLT 2.0
• CSS1 and CSS2.1
• AJAX
• JavaScript 1.2
• DOM 1.0
• HTTP Digest Access Authentication
• HTTP session cookies
• HTTP compression
• SVG 1.1 [1]
In case of HTTPS access the Web client must support HTTPS via TLS 1.0 or TLS
1.1/1.2. The WHMI is verified with Internet Explorer 8.0, 9.0, 10.0 and 11.0.
Access to the relay's WHMI is protected by HTTP Digest Access Authentication
(DAA), which requires a user name and password. DAA ensures that the user
credentials are not sent in clear text over the network. See RFC 2617 "HTTP
Authentication: Basic and Digest Access Authentication" for detailed information
about DAA.
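To make concrete what DAA does and does not protect, the following added example (not ABB code) implements the RFC 2617 exchange with qop=auth from both sides: the browser computes a response hash from the credentials, the server's nonce and the request, and the server verifies it from a stored MD5(user:realm:password) without ever receiving the password, rejecting a replayed Authorization header. The relay's realm and nonce policy are not documented in this guideline, so the parameter values are the worked example from RFC 2617 section 3.5.

```python
"""HTTP Digest Access Authentication (RFC 2617, qop=auth) as the WHMI relies
on it: the browser sends a hash derived from the credentials, the server's
nonce and the request, never the password, and the server verifies it from a
stored MD5(user:realm:password).  Added example, not ABB code; the relay's
realm and nonce policy are not documented here, so the parameters come from
the worked example in RFC 2617 section 3.5."""
import hashlib
import hmac
import re


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """Browser side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """The Authorization header a client puts on the wire (no password in it)."""
    resp = client_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header):
    """'Digest k="v", k2=v2, ...' -> dict; quoted and bare values both handled."""
    _, _, fields = header.partition(" ")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', fields)}


class DigestVerifier:
    """Server side.  Stores only HA1 = MD5(user:realm:password) per user and
    remembers used (nonce, nc) pairs so a captured header cannot be replayed."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{pw}") for u, pw in users.items()}
        self.used = set()

    def verify(self, method, header):
        f = parse_authorization(header)
        ha1 = self.ha1.get(f.get("username"))
        if ha1 is None or f.get("realm") != self.realm or f.get("qop") != "auth":
            return False
        key = (f.get("nonce", ""), f.get("nc", ""))
        if key in self.used:
            return False                      # replayed header
        ha2 = _md5(f"{method}:{f.get('uri', '')}")
        expected = _md5(f"{ha1}:{key[0]}:{key[1]}:{f.get('cnonce', '')}:auth:{ha2}")
        if not hmac.compare_digest(expected, f.get("response", "")):
            return False
        self.used.add(key)
        return True


# RFC 2617 section 3.5 values; a real server issues a fresh nonce per challenge.
REALM, NONCE = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def demo_exchange():
    """Returns (accepted, replay_rejected, wrong_password_rejected)."""
    server = DigestVerifier(REALM, {"Mufasa": "Circle Of Life"})
    good = authorization_header("Mufasa", REALM, "Circle Of Life", "GET",
                                "/dir/index.html", NONCE, "00000001", "0a4f113b")
    bad = authorization_header("Mufasa", REALM, "wrong", "GET",
                               "/dir/index.html", NONCE, "00000002", "0a4f113b")
    return (server.verify("GET", good), not server.verify("GET", good),
            not server.verify("GET", bad))


if __name__ == "__main__":
    print(demo_exchange())
```

What the example shows is the limit of the scheme as well: the header carries an MD5-based digest rather than the password, so a passive observer of plain HTTP does not learn the password directly, but the digest is a fast hash over a known nonce and can be tested offline against guessed passwords. That is why the Secure Communication parameter, which keeps WHMI access in HTTPS mode, should stay active, and why the WHMI password length and character rules in Section 4 matter.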
If the Internet Explorer is used as Web client the advanced option "Show friendly
HTTP error messages" might be enabled by default. It is recommended to disable this
option. If this option is enabled, detailed error information of the WHMI is shown. The
option can be found in the "Advanced" tab of the "Internet Options".
Section 4 User management
Four user categories have been predefined for the LHMI and the WHMI, each with
different rights and default passwords.
The default passwords in the protection relay delivered from the factory can be
changed with Administrator user rights. Relay user passwords can be changed using
LHMI, WHMI or the IED User Management tool in PCM600 and the user information
is stored to the protection relay's internal memory.
authentication, the activated user level and its password are required when the
protection relay is configured using PCM600.
Table 4: Object properties to change
Object Properties field     | Value
Is Authentication Disabled  | False
Is Password used            | True
Password                    | Write the correct password
When communicating with the protection relay with PCM600 tools and with the relay
authentication enabled, the relay username and password must be given when
prompted. When setting the technical key, the username and password must be given
twice.
Passwords can be set for all predefined user categories. The LHMI password must be
at least four and the WHMI password at least nine characters. The maximum number
of characters is 8 for the LHMI password and 20 for the WHMI password. Only the
following characters are accepted:
• Numbers 0-9
• Letters a-z, A-Z
• Space
• Special characters !"#%&'()*+´-./:;<=>?@[\]^_`{|}~
The protection relays are delivered from the factory with default passwords. It is
recommended to change the default passwords.
Table 5: Predefined user categories and default passwords
Username      | LHMI password | WHMI password | User rights
VIEWER        | 0001          | remote0001    | Only allowed to view
OPERATOR      | 0002          | remote0002    | Authorized to make operations
ENGINEER      | 0003          | remote0003    | Allowed to change protection relay parameters, but no operation rights
ADMINISTRATOR | 0004          | remote0004    | Full access
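The password rules given above (4 to 8 characters for the LHMI, 9 to 20 for the WHMI, a fixed accepted character set) and the factory defaults of Table 5 are easy to check mechanically during commissioning. The following added example is not ABB code and runs on the engineering workstation, not on the relay: it reports, per user category, every password that is outside the length limits, contains a character the relay does not accept, or is still a factory default. The user list at the bottom is constructed.

```python
"""Password policy checks for 611 series LHMI and WHMI user accounts: the
length limits and accepted character set given above, plus rejection of the
factory default passwords of Table 5.  Added example, not ABB code; intended
for a commissioning checklist run on the engineering workstation, not on the
relay.  The user list at the bottom is constructed."""
import string

# Characters the relay accepts in passwords (digits, letters, space, specials).
ALLOWED = set(string.digits + string.ascii_letters + " "
              + "!\"#%&'()*+´-./:;<=>?@[\\]^_`{|}~")
LIMITS = {"lhmi": (4, 8), "whmi": (9, 20)}     # (min, max) length per interface
FACTORY_DEFAULTS = {                            # Table 5: (LHMI, WHMI)
    "VIEWER": ("0001", "remote0001"),
    "OPERATOR": ("0002", "remote0002"),
    "ENGINEER": ("0003", "remote0003"),
    "ADMINISTRATOR": ("0004", "remote0004"),
}


def problems(interface, password):
    """Return the list of policy violations for one password ([] = acceptable)."""
    lo, hi = LIMITS[interface]
    found = []
    if not lo <= len(password) <= hi:
        found.append(f"length must be {lo}-{hi} characters, got {len(password)}")
    rejected = sorted(set(password) - ALLOWED)
    if rejected:
        found.append("characters the relay does not accept: " + "".join(rejected))
    column = 0 if interface == "lhmi" else 1
    if password in {pw[column] for pw in FACTORY_DEFAULTS.values()}:
        found.append("factory default password still in use")
    return found


def check_users(users):
    """users: {username: {"lhmi": pw, "whmi": pw}} -> {username: [findings]}.
    Only users with at least one finding are returned."""
    report = {}
    for user, passwords in users.items():
        findings = [f"{iface}: {p}" for iface, pw in passwords.items()
                    for p in problems(iface, pw)]
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    # Constructed commissioning record: one account still on factory defaults,
    # one WHMI password too short, one containing a non-accepted character.
    users = {
        "VIEWER": {"lhmi": "0001", "whmi": "remote0001"},
        "OPERATOR": {"lhmi": "7b2Kq", "whmi": "short"},
        "ENGINEER": {"lhmi": "m4Z!p9", "whmi": "Bay7-Relay€Ok"},
        "ADMINISTRATOR": {"lhmi": "Qx8#v2Lp", "whmi": "Zt9!Kp-Relay-Bay7"},
    }
    for user, findings in check_users(users).items():
        print(user, findings)
```

The default check compares against any category's default, not only the user's own, so an administrator password of "remote0001" is flagged too. Since the relay stores only SHA-256 hashes of the passwords, this check has to be run on the values entered at commissioning; it cannot be reconstructed from the relay afterwards.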
Section 5 Security logging
The protection relay offers a large set of event-logging functions. Critical system and
protection relay security-related events are logged to a separate nonvolatile audit trail
for the administrator.
The audit trail is a chronological record of system activities that allows the
reconstruction and examination of the sequence of system and security-related events
and changes in the protection relay. Both audit trail events and process-related events
can be examined and analyzed consistently with the help of the Event List in LHMI
and WHMI and the Event Viewer in PCM600.
The protection relay stores 2048 audit trail events to the nonvolatile audit trail.
Additionally, 1024 process events are stored in a nonvolatile event list. Both the audit
trail and event list work according to the FIFO principle. Nonvolatile memory is based
on a memory type which does not need battery backup nor regular component change
to maintain the memory storage.
Audit trail events related to user authorization (login, logout, violation remote and
violation local) are defined according to the selected set of requirements from IEEE
1686. The logging is based on predefined user names or user categories. The user audit
trail events are accessible with IEC 61850-8-1, PCM600, LHMI and WHMI.
Table 6: Audit trail events
Audit trail event               | Description
Configuration change            | Configuration files changed
Firmware change                 | Firmware changed
Firmware change fail            | Firmware change failed
Attached to retrofit test case  | Unit has been attached to retrofit case
Removed from retrofit test case | Removed from retrofit test case
Setting group remote            | User changed setting group remotely
Setting group local             | User changed setting group locally
Control remote                  | DPC object control remote
Control local                   | DPC object control local
Test on                         | Test mode on
Test off                        | Test mode off
Reset trips                     | Reset latched trips (TRPPTRC*)
Setting commit                  | Settings have been changed
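The audit trail is only useful if someone reads it, and with 2048 events kept FIFO the interesting entries can be overwritten. The following added example (not ABB code) screens an exported audit trail for the findings a reviewer wants first: a burst of authorization violations for one user, and Table 6 change events outside an approved maintenance window. The guideline does not specify an export format, so the semicolon-separated "timestamp;user;event" lines are a constructed format using the Table 6 event names and the IEEE 1686 user events (login, logout, violation remote, violation local).

```python
"""Screening an exported audit trail for what a reviewer should look at
first: bursts of authorization violations for one user, and configuration
or firmware changes outside an approved maintenance window.  Added example,
not ABB code.  The guideline does not specify an export format, so the
semicolon-separated 'timestamp;user;event' lines below are a constructed
format using the Table 6 event names and the IEEE 1686 user events."""
from collections import deque
from datetime import datetime, timedelta

VIOLATIONS = {"Violation remote", "Violation local"}
CHANGES = {"Configuration change", "Firmware change", "Firmware change fail",
           "Setting commit", "Setting group remote", "Setting group local"}


def parse_trail(text):
    """'YYYY-MM-DD HH:MM:SS;user;event' per line -> sorted [(datetime, user, event)]."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event = (part.strip() for part in line.split(";", 2))
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event))
    return sorted(rows)


def violation_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Flag a user whenever `threshold` violations fall inside `window`.
    Returns [(time_of_nth_violation, user)]; the counter restarts after a flag."""
    recent, alerts = {}, []
    for ts, user, event in rows:
        if event not in VIOLATIONS:
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:           # drop violations older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, user))
            q.clear()
    return alerts


def changes_outside_window(rows, start, end):
    """Table 6 change events that did not happen inside the approved window."""
    return [(ts, user, event) for ts, user, event in rows
            if event in CHANGES and not start <= ts <= end]


def failed_firmware_changes(rows):
    return [(ts, user) for ts, user, event in rows if event == "Firmware change fail"]


# Constructed export: one approved morning change, a run of remote violations
# by ENGINEER in the afternoon, and a configuration change late in the evening.
SAMPLE_TRAIL = """
2016-02-22 08:00:12;ADMINISTRATOR;Login
2016-02-22 08:01:30;ADMINISTRATOR;Setting commit
2016-02-22 08:05:00;ADMINISTRATOR;Logout
2016-02-22 13:10:01;ENGINEER;Violation remote
2016-02-22 13:10:09;ENGINEER;Violation remote
2016-02-22 13:10:20;ENGINEER;Violation remote
2016-02-22 13:10:44;ENGINEER;Violation remote
2016-02-22 21:40:00;ADMINISTRATOR;Configuration change
"""
MAINTENANCE = (datetime(2016, 2, 22, 7, 0), datetime(2016, 2, 22, 12, 0))


def review(text=SAMPLE_TRAIL, window=MAINTENANCE):
    """Run all three screens over one export and return the findings."""
    rows = parse_trail(text)
    return {"bursts": violation_bursts(rows),
            "outside_window": changes_outside_window(rows, *window),
            "firmware_failures": failed_firmware_changes(rows)}


if __name__ == "__main__":
    for name, findings in review().items():
        print(name, findings)
```

The burst screen is per user because the relay logs against predefined user names or categories rather than against client addresses, so a run of "Violation remote" entries for ENGINEER is the signal to check which PCM600 or WHMI client was used at that time. Because the audit trail is FIFO and holds 2048 events, export it on a schedule rather than only after an incident, otherwise a burst of violations can push the earlier change events out of the relay.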
PCM600 Event Viewer can be used to view the audit trail events and process related
events. Audit trail events are visible through dedicated Security events view. Since
only the administrator has the right to read audit trail, authorization must be used in
PCM600. The audit trail cannot be reset, but PCM600 Event Viewer can filter data.
Audit trail events can be configured to be visible also in LHMI/WHMI Event list
together with process related events.
To expose the audit trail events through the Event list, define the Authority logging
level parameter via Configuration/Authorization/Security. This exposes audit trail
events to all users.
Section 6 Using the HMI
To use the LHMI, logging in and authorization are required. Password authorization
is disabled by default and can be enabled via the LHMI.
6.1.1 Logging in
The current user level is shown on the display's upper right corner in the icon area.
If the WHMI was previously disabled, it can be enabled again via the LHMI.
6.2.1 Logging in
5. Click OK.
The language file starts loading and the progress bar is displayed.
Section 7 Protection of relay and system configuration
Backups are not directly part of the cyber security but they are important for speeding
up the recovery process, for example, in case of failure of the protection relay.
Backups need to be updated when there are changes in configuration.
1. Use the “Read from IED” function from the IED context menu in PCM600 to
back up the relay configuration.
2. Enter the user credentials if the default administrator password has been
changed.
Administrator or engineer credentials are needed for authorization.
In case of configuration data loss or any other file system error that prevents the
protection relay from working properly, the whole file system can be restored to the
original factory state. All default settings and configuration files stored in the factory
are restored. Only the administrator can restore the factory settings.
The protection relay restores the factory settings and restarts. Restoring takes 1...3
minutes. Confirmation of restoring the factory settings is shown on the display a few
seconds, after which the relay restarts.
Restoring factory settings also resets the IP address for the rear port and the
corresponding subnet mask to the factory default settings.
• Contact ABB technical customer support to regain administrator-level access to the
protection relay.
Section 8 Glossary
Contact us
www.abb.com/mediumvoltage
www.abb.com/substationautomation