
670 Version 2.2 IEC CSDG


Relion® 670 SERIES

670 series
Version 2.2 IEC
Cyber security deployment guideline
Document ID: 1MRK 511 399-UEN
Issued: May 2020
Revision: M
Product version: 2.2

© Copyright 2017 ABB Power Grids. All rights reserved


Copyright
This document and parts thereof must not be reproduced or copied without written
permission from ABB Power Grids, and the contents thereof must not be imparted to a third
party, nor used for any unauthorized purpose.

The software and hardware described in this document is furnished under a license and may
be used or disclosed only in accordance with the terms of such license.

This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (https://www.openssl.org/). This product includes cryptographic software written/developed
by: Eric Young ([email protected]) and Tim Hudson ([email protected]).

Trademarks
ABB and Relion are registered trademarks of the ABB Group. All other brand or product names
mentioned in this document may be trademarks or registered trademarks of their respective
holders.

Warranty
Please inquire about the terms of warranty from your nearest ABB Power Grids representative.

Disclaimer
The products are designed to be connected to and to communicate information and data via a
network interface. It is the user’s sole responsibility to provide and continuously ensure a
secure connection between the product and the user’s network or any other network (as the
case may be). The user shall establish and maintain any appropriate measures (such as but not
limited to the installation of firewalls, application of authentication measures, encryption of
data, installation of anti-virus programs, etc) to protect the product, the network, its system
and the interface against any kind of security breaches, unauthorized access, interference,
intrusion, leakage and/or theft of data or information. ABB Power Grids is not liable for
damages and/or losses related to such security breaches, any unauthorized access,
interference, intrusion, leakage and/or theft of data or information.

The data, examples and diagrams in this manual are included solely for the concept or product
description and are not to be deemed as a statement of guaranteed properties. All persons
responsible for applying the equipment addressed in this manual must satisfy themselves that
each intended application is suitable and acceptable, including that any applicable safety or
other operational requirements are complied with. In particular, any risks in applications where
a system failure and/or product failure would create a risk for harm to property or persons
(including but not limited to personal injuries or death) shall be the sole responsibility of the
person or entity applying the equipment, and those so responsible are hereby requested to
ensure that all measures are taken to exclude or mitigate such risks.

This document has been carefully checked by ABB Power Grids but deviations cannot be
completely ruled out. In case any errors are detected, the reader is kindly requested to notify
the manufacturer. Other than under explicit contractual commitments, in no event shall ABB
Power Grids be responsible or liable for any loss or damage resulting from the use of this
manual or the application of the equipment.

Conformity
This product complies with the directive of the Council of the European Communities on the
approximation of the laws of the Member States relating to electromagnetic compatibility
(EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified
voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests
conducted by ABB in accordance with the product standard EN 60255-26 for the EMC directive,
and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive. The
product is designed in accordance with the international standards of the IEC 60255 series.

Table of contents

Section 1 Introduction
1.1 This manual
1.2 Intended audience
1.3 Product documentation
1.3.1 Product documentation set
1.3.2 Document revision history
1.4 Document symbols and conventions
1.4.1 Symbols
1.4.2 Document conventions

Section 2 Security in Substation Automation
2.1 General security in Substation Automation

Section 3 Secure system setup
3.1 Physical interfaces
3.2 Communication ports and services
3.3 FTP access with TLS, FTPACCS
3.4 Encryption algorithms
3.4.1 Configuring TLS Version
3.5 Denial of service
3.6 Certificate handling

Section 4 Local user account management
4.1 Authorization
4.2 Predefined user roles
4.3 Changing the default user password
4.3.1 Password policies
4.4 IED User management
4.4.1 Starting IED user management
4.4.2 General settings
4.4.3 User profile management
4.4.3.1 Adding new users
4.4.3.2 Adding users to new user roles
4.4.3.3 Deleting existing users
4.4.3.4 Changing password
4.4.4 User role management
4.4.4.1 Adding new users to user roles
4.4.4.2 Deleting existing User from user roles
4.4.4.3 Reusing user accounts
4.4.5 Writing user management settings to the IED
4.4.6 Reading user management settings from the IED
4.4.7 Saving user management settings


4.5 Password policies

Section 5 Central Account Management
5.1 General description
5.2 Central Account Management using SDM600
5.2.1 Introduction
5.2.1.1 Creating IED certificates
5.2.1.2 Importing and writing certificates to an IED
5.2.1.3 Reading certificates from an IED
5.2.1.4 Invalid certificates
5.2.1.5 Deleting certificates from an IED
5.2.2 Activation of Central Account Management
5.2.2.1 Manual configuration of Central Account Management
5.2.2.2 Emergency account
5.2.2.3 Reading configuration from IED
5.2.2.4 Deactivation of Central Account Management from PCM600
5.2.2.5 Deactivation of Central Account Management on local HMI
5.2.3 Password policy settings for Central Account Management enabled IED
5.3 Central Account Management using LDAP server (not using SDM600)
5.3.1 Introduction
5.3.2 Activation of Central Account Management
5.3.2.1 Configuring CAM using configuration package
5.3.2.2 Manual configuration of Central Account Management
5.3.2.3 Emergency account
5.4 Central Account Management using AD server
5.4.1 Introduction
5.4.2 Activation of Central Account Management
5.4.2.1 Roles to Active Directory Group Mapping
5.4.2.2 Import and Write Certificates
5.4.2.3 Centralized Account Management Configuration
5.4.2.4 Enabling CAM from PCM600
5.4.3 Limitations in User management
5.4.4 Password permissions and policies
5.4.4.1 Password permissions
5.4.4.2 Password expiry
5.4.4.3 Password change
5.4.4.4 Password policy
5.5 Certificate package
5.5.1 PKCS12 (p12) file
5.5.2 PKCS7 file
5.6 Redeployment of certificate
5.7 FST update and upgrade
5.8 Restore Point
5.9 Predefined user roles
5.10 Trouble shooting Central Account Management
5.10.1 Certificate information on local HMI


5.11 Authorization with Central Account Management enabled IED
5.12 PCM600 access to Central Account Management enabled IED
5.12.1 Changing password
5.12.2 Error messages

Section 6 User activity logging
6.1 Activity logging protocol
6.2 Activity logging ACTIVLOG
6.3 Settings
6.4 Generic security application GSAL
6.5 Security alarm SECALARM
6.5.1 Signals
6.5.2 Settings
6.6 About Security events
6.7 Event types

Section 7 Local HMI use
7.1 Logging on
7.2 Logging off
7.3 Saving settings
7.4 Function Keys
7.5 Maintenance menu
7.5.1 Maintenance menu default pin change
7.5.2 Recovering password
7.5.3 Fallback access
7.5.4 Restore points

Section 8 Standard compliance statement
8.1 Applicable standards
8.2 IEEE 1686 compliance
8.3 Compliance Statement IEC 62443-4-2
8.3.1 FR 1 – Identification and authentication control (IAC)
8.3.2 FR 2 – Use control (UC)
8.3.3 FR 3 – System integrity (SI)
8.3.4 FR 4 – Data confidentiality (DC)
8.3.5 FR 5 – Restricted data flow (RDF)
8.3.6 FR 6 – Timely response to events (TRE)
8.3.7 FR 7 – Resource availability (RA)

Section 9 Glossary


Section 1 Introduction
1.1 This manual

The cyber security deployment guideline describes the process for handling cyber security
when communicating with the IED. Certification, authorization with role-based access control,
and product engineering for cyber security related events are described and sorted by
function.

1.2 Intended audience

This guideline is intended for the system engineering, commissioning, operation and
maintenance personnel handling cyber security during the engineering, installation and
commissioning phases, and during normal service.

Personnel are expected to have general knowledge about topics related to cyber security.

1.3 Product documentation

1.3.1 Product documentation set

[Figure 1: The intended use of manuals throughout the product lifecycle. Lifecycle phases
shown: Planning & purchase, Engineering, Installing, Commissioning, Operation, Maintenance,
Decommissioning, Deinstalling & disposal. Manuals shown: Engineering manual, Installation
manual, Commissioning manual, Operation manual, Application manual, Technical manual,
Communication protocol manual, Cyber security deployment guideline.]


The engineering manual contains instructions on how to engineer the IEDs using the various
tools available within the PCM600 software. The manual provides instructions on how to set
up a PCM600 project and insert IEDs to the project structure. The manual also recommends a
sequence for the engineering of protection and control functions, as well as communication
engineering for IEC 61850.

The installation manual contains instructions on how to install the IED. The manual provides
procedures for mechanical and electrical installation. The chapters are organized in the
chronological order in which the IED should be installed.

The commissioning manual contains instructions on how to commission the IED. The manual
can also be used by system engineers and maintenance personnel for assistance during the
testing phase. The manual provides procedures for the checking of external circuitry and
energizing the IED, parameter setting and configuration as well as verifying settings by
secondary injection. The manual describes the process of testing an IED in a substation which
is not in service. The chapters are organized in the chronological order in which the IED should
be commissioned. The relevant procedures may be followed also during the service and
maintenance activities.

The operation manual contains instructions on how to operate the IED once it has been
commissioned. The manual provides instructions for the monitoring, controlling and setting of
the IED. The manual also describes how to identify disturbances and how to view calculated
and measured power grid data to determine the cause of a fault.

The application manual contains application descriptions and setting guidelines sorted per
function. The manual can be used to find out when and for what purpose a typical protection
function can be used. The manual can also provide assistance for calculating settings.

The technical manual contains operation principle descriptions, and lists function blocks, logic
diagrams, input and output signals, setting parameters and technical data, sorted per
function. The manual can be used as a technical reference during the engineering phase,
installation and commissioning phase, and during normal service.

The communication protocol manual describes the communication protocols supported by
the IED. The manual concentrates on the vendor-specific implementations.

The cyber security deployment guideline describes the process for handling cyber security
when communicating with the IED. Certification, authorization with role-based access control,
and product engineering for cyber security related events are described and sorted by
function.

1.3.2 Document revision history

| Document revision | Date | Product revision | History |
|---|---|---|---|
| - | 2017–05 | 2.2.0 | First release for product version 2.2 |
| A | 2017–10 | 2.2.0 | Ethernet ports with RJ45 connector added. |
| B | 2017–11 | 2.2.1 | Updates to Communication ports and services |
| C | 2018–03 | 2.2.1 | Updates to Communication ports and services |
| D | 2018–06 | 2.2.2 | Updates to secure system setup section. Updates to Function Keys in Local HMI use section |
| E | | | Document not released |
| F | | | Document not released |
| G | 2018–11 | 2.2.3 | Changes to FTP access settings addressed. IED supports different versions up to 1.2 (1.0, 1.1 and 1.2). |
| H | | | Document not released |
| J | | | Document not released |
| K | 2019-05 | 2.2.3 | PTP enhancements and corrections |
| L | | | Document not released |
| M | 2020-05 | 2.2.4 | New section on Central Account Management added which includes SDM600, LDAP, AD servers. The configuration of different servers on PCM600 is handled in this release. Updated Maintenance menu section with new features on changing PIN and password policies. Updates to Section Configuring TLS Version. Changes made on Keyboard layout. |

1.4 Document symbols and conventions

1.4.1 Symbols

The electrical warning icon indicates the presence of a hazard which could
result in electrical shock.

The warning icon indicates the presence of a hazard which could result in
personal injury.

The caution icon indicates important information or warning related to the
concept discussed in the text. It might indicate the presence of a hazard which
could result in corruption of software or damage to equipment or property.

The information icon alerts the reader to important facts and conditions.

The tip icon indicates advice on, for example, how to design your project or
how to use a certain function.

Although warning hazards are related to personal injury, it is necessary to understand that
under certain operational conditions, operation of damaged equipment may result in
degraded process performance leading to personal injury or death. It is important that the
user fully complies with all warning and cautionary notices.

1.4.2 Document conventions

• Abbreviations and acronyms in this manual are spelled out in the glossary. The glossary
  also contains definitions of important terms.
• Parameter names are shown in italics.
  For example, the function can be enabled and disabled with the Operation setting.
• Each function block symbol shows the available input/output signal.
  • The character ^ in front of an input/output signal name indicates that the signal
    name may be customized using the PCM600 software.
  • The character * after an input signal name indicates that the signal must be
    connected to another function block in the application configuration to achieve a
    valid application configuration.
• Dimensions are provided both in inches and millimeters. If it is not specifically mentioned
  then the dimension is in millimeters.


Section 2 Security in Substation Automation


2.1 General security in Substation Automation

The electric power grid has evolved significantly over the past decade thanks to many
technological advancements and breakthroughs. As a result, the emerging “smart grid” is
quickly becoming a reality. At the heart of these intelligent advancements are specialized IT
systems and various control and automation solutions, such as substation automation systems.
To provide end users with comprehensive real-time information and to enable higher reliability
and greater control, the automation systems have become ever more interconnected. To combat
the increased risks associated with these interconnections, we offer a wide range of cyber
security products and solutions for automation systems and critical infrastructure.

The new generation of automation systems uses open standards such as IEC 60870-5-103,
DNP 3.0 and IEC 61850 and commercial technologies, in particular Ethernet- and TCP/IP-based
communication protocols. They also enable connectivity to external networks, such as office
intranet systems and the Internet. These changes in technology, including the adoption of
open IT standards, have brought huge benefits from an operational perspective, but they have
also introduced cyber security concerns previously known only to office or enterprise IT
systems.

To counter cyber security risks, open IT standards are equipped with cyber security
mechanisms. These mechanisms, developed in a large number of enterprise environments, are
proven technologies. They enable the design, development and continual improvement of
cyber security solutions specifically for control systems, including substation automation
applications.

ABB fully understands the importance of cyber security and its role in advancing the security of
substation automation systems. A customer investing in new ABB technologies can rely on
system solutions where reliability and security have the highest priority.

At ABB, we are addressing cyber security requirements on a system level as well as on a
product level to support cyber security standards such as NERC CIP, IEEE 1686,
IEC 62443-4-2 and the BDEW Whitepaper. We support verified third-party security patches and
antivirus software to protect station computers from viruses and other types of attacks.
Cyber security can also be improved by preventing the unauthorized use of removable media
(such as USB memory sticks) in station computers. We have built additional security
mechanisms into our products. These offer advanced account management, secure
communication, and detailed security audit trails. This makes it easier for our customers to
address NERC CIP requirements and maintain compliance standards.


[Figure 2: System architecture for substation automation system. Labels shown in the diagram:
Maintenance Center (Security Zone 4), Remote Control Center (Security Zone 3), Security Zone 2,
Workstation, MicroSCADA Pro SYS600, Antivirus, Encrypted communication, Firewall / Router / VPN,
Station LAN, MicroSCADA Pro SYS600C, IEC 61850-8-1 Station Bus, Control and Protection IED,
Security Zone 1, Perimeter Protection.]


Section 3 Secure system setup


3.1 Physical interfaces GUID-DA029F79-3173-4D17-A7B9-AA213FAC8F68 v2

To reduce exposure to cyber-attacks and thus comply with cyber security requirements, it
must be possible to prevent services in the IED from operating on other physical interfaces
than the ones specified by the vendor or by the owner.

3.2 Communication ports and services GUID-A5E2256D-C7E2-4CAC-8EAD-E7DBBCB4AF08 v12

The security guideline does not suggest concrete products for a secure system setup. This
must be decided within the specific project, requirements and existing infrastructure.

The IED ports to take into account when configuring a firewall are listed in Table 1. The column
“Default state” defines whether a port is open or closed by default. All ports that are closed
can be opened as described in the comment column in the table. Front refers to the physical
front port. On the rear side of the IED there are four network interfaces labeled 301, 302, 303
and 304. If an OEM02 module is installed, there are two additional optical network interfaces
on the rear side, labeled 3061 and 3062. The protocol availability on these ports can be
configured using the Ethernet configuration tool.

ABB recommends using common security measures, like firewalls, up-to-date anti-virus
software, etc. to protect the IED and the equipment around it.

It is recommended to deactivate the Access points and protocols that are not
in use to increase cyber security.

Table 1: Available ports


| Port | Protocol | Default state of port | Front | AP1 (Slot 301) | AP2 (Slot 302) | AP3 (Slot 303) | AP4 (Slot 304) | AP5 (Slot 3061) | AP6 (Slot 3062) | Service | Comment |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | TCP | open | OFF | OFF | OFF | OFF | OFF | OFF | OFF | FTP | File transfer protocol |
| 21 | TCP | open | ON | ON | ON | ON | ON | ON | ON | FTPS | Explicit FTP over TLS |
| 102 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | IEC 61850 (MMS) | MMS communication |
| 123 | UDP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | SNTP | Enabled when IED is configured as SNTP master. |
| 2102 | TCP | open | ON | ON | ON | ON | ON | ON | ON | PCM Access (IED configuration protocol) | IED configuration protocol |
| 20000 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | DNP3.0 | DNP3.0 DNP communication only |
| 20000 | UDP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | DNP3.0 | DNP3.0 DNP communication only |
| 49152 | UDP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | SNTP Client | Enabled when IED is configured as SNTP client. |
| 49200 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | FTPS | First TCP data port for PASV |
| 49232 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | FTPS | Last TCP data port for PASV |
| 4711 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | IEEE 1344 | Phasor measurement |
| 4712 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | IEC/IEEE 60255-118 (C37.118) | Phasor measurement |
| 4713-4718 | TCP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | IEC/IEEE 60255-118 (C37.118)/IEEE 1344 Command, header and configuration | Phasor measurement |
| 8910-8915 | UDP | closed | OFF | OFF | OFF | OFF | OFF | OFF | OFF | IEC/IEEE 60255-118 (C37.118)/IEEE 1344 Data and configuration | Phasor measurement |

The IEDs support the following Ethernet communication protocols:

• IEC 61850
• DNP3.0
• IEC/IEEE 60255-118 (C37.118)/IEEE 1344
• SPA
• IED configuration protocol
• FTP

These communication protocols are enabled by configuration. This means that the port is
closed and unavailable if the configuration of the IED series does not contain a communication
line of the protocol. If a protocol is configured, the corresponding port is open all the time.

See the IED series technical manual and the corresponding protocol
documentation on how to configure a certain communication protocol.

There are some restrictions and dependencies:

• The port used for IEC 61850 (default TCP port 102) is fixed and cannot be changed.
• The ports used for DNP3 are configurable. The communication protocol DNP3 could
operate on UDP (default port 20 000) or TCP (default port 20 000). It is defined in the
configuration which type of Ethernet communication is used. Only one type is possible at
a time.
• The TCP/UDP port used for the IEC/IEEE 60255-118 (C37.118)/IEEE 1344 protocol can be
changed in the IED.
• The port used for FTP (default TCP port 21) can be changed in the IED if needed by a 3rd
party FTP client.
• The port range used for FTP PASV command is fixed and cannot be changed. The
maximum number of simultaneous ports is 16.
• The port used for SNTP when IED is configured as SNTP Client can be changed in the IED.


If the FTP port is changed, PCM600 cannot be used as it cannot be configured
to use other IP-ports than port 21 for FTP.

PCM600 uses two ports to communicate with the IED: the IED configuration protocol
(TCP port 2102) and FTP. For uploading disturbance records (DR), the FTP port is used.

The port used by the IED configuration protocol is fixed and cannot be
changed.

IP routing is not possible via any of the physical interfaces.


Figure 3: Ethernet port used for PCM600 only, front view


Figure 4: Optical LC or electric RJ45 Ethernet interface, position X301, X302, X303,
X304, X3061 and X3062 rear view


3.3 FTP access with TLS, FTPACCS GUID-9E64EA68-6FA9-4576-B5E9-92E3CC6AA7FD v5

The FTP client defaults to the best possible security mode when trying to negotiate with TLS.
The automatic negotiation mode is used by the client to negotiate with explicit TLS via AUTH
TLS.

It is only possible to access disturbance records from the IED if FTP without TLS encryption is
used.

If clear text FTP is required to read out disturbance recordings, create a
specific account for this purpose with rights only to do File transfer. The
password of this user will be exposed in clear text on the wire.

Setting FTP to OFF on an access point does not switch off FTP, as the service will still be used
by PCM600 and FST. To completely switch off access to port number 21, the following
parameters must be set to OFF:

• FTP = OFF
• PCMAccess = OFF
• FSTAccess = OFF
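
The following added example (not ABB code) turns Table 1 and the port 21 rule of section 3.3 into an expected-port baseline for one access point and compares it with an observed list of open ports. The AccessPoint field names, the sample data, leaving out the phasor measurement rows and allowing the PASV range whenever port 21 is in use are assumptions; the port numbers are the defaults from Table 1.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessPoint:
    """Planned services on one access point (hypothetical field names)."""
    ftp: bool = True             # FTP setting
    pcm_access: bool = True      # PCMAccess setting
    fst_access: bool = True      # FSTAccess setting
    mms: bool = False            # IEC 61850 MMS configured
    dnp3: Optional[str] = None   # "tcp", "udp" or None: only one type at a time
    sntp_master: bool = False
    sntp_client: bool = False


def expected_ports(ap):
    """Return {(proto, low, high): service} that a firewall should allow towards the IED.

    Ports are the Table 1 defaults; DNP3, FTP and SNTP client ports can be
    changed in the IED, so adjust them if the site uses other values.
    """
    if ap.dnp3 not in (None, "tcp", "udp"):
        raise ValueError("DNP3 runs on TCP or UDP, only one type at a time")
    rules = {}
    # Section 3.3: port 21 stays in use until FTP, PCMAccess and FSTAccess are all OFF.
    if ap.ftp or ap.pcm_access or ap.fst_access:
        rules[("tcp", 21, 21)] = "FTP/FTPS control"
        # Assumption: the fixed PASV data range is needed whenever port 21 is in use.
        rules[("tcp", 49200, 49232)] = "FTPS PASV data"
    if ap.pcm_access:
        rules[("tcp", 2102, 2102)] = "IED configuration protocol"
    if ap.mms:
        rules[("tcp", 102, 102)] = "IEC 61850 MMS"
    if ap.dnp3:
        rules[(ap.dnp3, 20000, 20000)] = "DNP3.0"
    if ap.sntp_master:
        rules[("udp", 123, 123)] = "SNTP"
    if ap.sntp_client:
        rules[("udp", 49152, 49152)] = "SNTP client"
    return rules


def audit(ap, observed):
    """Compare observed open (proto, port) pairs with the baseline.

    Returns (unexpected, unused): ports that are open but not in the baseline,
    and single-port baseline entries that were never observed.
    """
    rules = expected_ports(ap)

    def allowed(proto, port):
        return any(p == proto and lo <= port <= hi for (p, lo, hi) in rules)

    unexpected = sorted(o for o in observed if not allowed(*o))
    unused = sorted((p, lo) for (p, lo, hi) in rules
                    if lo == hi and (p, lo) not in observed)
    return unexpected, unused


if __name__ == "__main__":
    # Constructed sample: FTP switched off on the access point, PCM600 still in use.
    plan = AccessPoint(ftp=False, mms=True)
    seen = {("tcp", 21), ("tcp", 102), ("tcp", 2102), ("tcp", 49210),
            ("udp", 20000), ("tcp", 23)}
    unexpected, unused = audit(plan, seen)
    print("unexpected:", unexpected)
    print("unused:", unused)
```
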

3.4 Encryption algorithms GUID-ED920AF8-06D3-441D-9AE4-52386DBB9D3D v6

TLS connections are encrypted with AES 256.

No passwords are stored in clear text within the IED. A hashed representation of the
passwords with SHA 256 is stored in the IED.

The IED supports TLS versions 1.0, 1.1 and 1.2. The version used is decided by the client and
the settings TLSMinVersion and TLSMaxVersion in the IED.

3.4.1 Configuring TLS Version GUID-71E9ABDA-2CF6-43BC-9E13-4CF98E9CB172 v1

The configurable TLS version setting lets the user select the minimum and maximum TLS
versions for establishing secure communication. This setting is applicable only when the IED
is acting as a server and not when the IED is acting as a client.

The TLS version can be configured only on the LHMI under /Main menu/Configuration/
Communication/Cyber security/AUTHMAN: 1. Only the Security Administrator can configure
these settings.

Based on the minimum and maximum versions set by the user, and on the versions supported
by the client, the IED decides the highest TLS version to use for communication. Figure 5
shows the options displayed in the LHMI.


Figure 5: TLS versions selection in LHMI

Configuring TLS version using LHMI


There are two options provided for the user to configure the TLS versions:

1. TLSMinVersion – is used to set the minimum TLS version that should be supported for
establishing the secure communication with client.
2. TLSMaxVersion – is used to set the maximum TLS version that should be supported for
establishing the secure communication with client.

Currently, the IED supports these TLS versions:

• TLS 1.0
• TLS 1.1
• TLS 1.2

By default and for the ease of configuration, TLSMinVersion is set as MinSupported and
TLSMaxVersion is set as MaxSupported.

• MinSupported – This is available only for TLSMinVersion. If the user selects this setting,
the device uses the minimum TLS version currently supported by the IED. The IED
currently uses TLS 1.0 for the MinSupported setting.
• MaxSupported – This is available only for TLSMaxVersion. If the user selects this setting,
the device uses the maximum TLS version currently supported by the IED. The IED
currently uses TLS 1.2 for the MaxSupported setting.
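
The version selection described in this section, as an added example that is not ABB code: it resolves the MinSupported and MaxSupported aliases, picks the highest version inside the configured window that a client also supports, and lists which clients a stricter TLSMinVersion would lock out. The client inventory is constructed, and modelling each client as a plain set of supported versions is a simplifying assumption.

```python
TLS_VERSIONS = ("TLS 1.0", "TLS 1.1", "TLS 1.2")  # versions listed on the page, oldest first


def resolve(setting, kind):
    """Index in TLS_VERSIONS for a TLSMinVersion ('min') or TLSMaxVersion ('max') value."""
    if setting == "MinSupported" and kind == "min":
        return 0
    if setting == "MaxSupported" and kind == "max":
        return len(TLS_VERSIONS) - 1
    if setting in TLS_VERSIONS:
        return TLS_VERSIONS.index(setting)
    raise ValueError(f"{setting!r} is not valid for TLS{kind.capitalize()}Version")


def negotiate(tls_min, tls_max, client_versions):
    """Highest version allowed by the IED settings that the client supports, or None."""
    lo, hi = resolve(tls_min, "min"), resolve(tls_max, "max")
    if lo > hi:
        raise ValueError("TLSMinVersion is higher than TLSMaxVersion")
    for idx in range(hi, lo - 1, -1):
        if TLS_VERSIONS[idx] in client_versions:
            return TLS_VERSIONS[idx]
    return None


def change_impact(clients, new_min, new_max="MaxSupported"):
    """Return {client: (version with default settings, version after the change)}."""
    return {name: (negotiate("MinSupported", "MaxSupported", versions),
                   negotiate(new_min, new_max, versions))
            for name, versions in clients.items()}


def locked_out(clients, new_min, new_max="MaxSupported"):
    """Clients that connect with the default settings but not with the proposed ones."""
    impact = change_impact(clients, new_min, new_max)
    return sorted(name for name, (before, after) in impact.items()
                  if before is not None and after is None)


# Constructed inventory of TLS clients talking to the IED (names are hypothetical).
CLIENTS = {
    "engineering-pc": {"TLS 1.0", "TLS 1.1", "TLS 1.2"},
    "legacy-ftp-client": {"TLS 1.0"},
    "station-gateway": {"TLS 1.1", "TLS 1.2"},
}

if __name__ == "__main__":
    for name, (before, after) in change_impact(CLIENTS, "TLS 1.2").items():
        print(f"{name}: {before} -> {after}")
    print("locked out:", locked_out(CLIENTS, "TLS 1.2"))
```
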

3.5 Denial of service GUID-94340D4F-4D32-409B-BA1A-BA49A0C3F297 v6

The denial of service protection is designed to protect the IED from overload when exposed to
a high amount of Ethernet network traffic. The communication facilities must not be allowed to
compromise the primary functionality of the device. All inbound network traffic is quota
controlled, so that an excessive network load can be controlled. Heavy network load might,
for instance, be the result of malfunctioning equipment connected to the network.


The denial of service functionality in SCHLCCH and RCHLCCH measures the IED load from
communication and, if necessary, limits it from jeopardizing the IED's control and protection
functionality. The function has the following outputs:

• RCHLCCH
  • LinkAUp and LinkBUp indicate the Ethernet link status for the rear ports channel A
    and B
  • DOSLINKA and DOSLINKB indicate that DOS functionality is active on channel A and
    channel B
  • DOSALARM indicates that DOS functionality is active on the access point
• SCHLCCH
  • LINKUP indicates the Ethernet link status
  • DOSALARM indicates that DOS functionality is active on the access point

The DOS functionality activates when the inbound traffic rate exceeds 3000
packets per second.

3.6 Certificate handling GUID-C9F2CFBF-1A4A-4237-A37F-50064A6E1E65 v4

A self-signed certificate is generated by the IED. Certificates use encryption to provide secure
communication over the network.

The certificate is trusted (if the user selects to) during communication between the IED and
PCM600.

If Windows is configured to use UAC High, the certificate has to be manually trusted.


Section 4 Local user account management


4.1 Authorization GUID-981A881D-9229-45E8-9EE5-D6DF2CA457E5 v6

User roles with different user rights are predefined in the IED. It is recommended to use
user-defined users instead of the predefined built-in users.

The IED users can be created, deleted and edited only with PCM600. One user can belong to
one or several user roles. By default, the users in Table 2 are created in the IED, and when
creating new users, the predefined roles from Table 3 can be used.

At delivery, the IED user has full access as SuperUser until users are created
with PCM600.

Table 2: Default users


| User name | User rights |
|---|---|
| SuperUser | Full rights, only presented in LHMI. LHMI is logged on by default until other users are defined |
| Guest | Only read rights, only presented in LHMI. LHMI is logged on by default when other users are defined (same as VIEWER) |
| Administrator | Full rights. Password: Administrator. This user has to be used when reading out disturbances with third party FTP-client. |

Table 3: Predefined user roles according to IEC 62351-8


| User roles | Role explanation | User rights |
|---|---|---|
| VIEWER | Viewer | Can read parameters and browse the menus from LHMI |
| OPERATOR | Operator | Can read parameters and browse the menus as well as perform control actions |
| ENGINEER | Engineer | Can create and load configurations and change settings for the IED and also run commands and manage disturbances |
| INSTALLER | Installer | Can load configurations and change settings for the IED |
| SECADM | Security administrator | Can change role assignments and security settings. Can deploy certificates. |
| SECAUD | Security auditor | Can view audit logs |
| RBACMNT | RBAC management | Can change role assignment |
| ADMINISTRATOR | Administrator rights | Sum of all rights for SECADM, SECAUD and RBACMNT. This User role is vendor specific and not defined in IEC 62351-8 |

Changes in user management settings do not cause an IED reboot.


After three consecutive failed login attempts the user will be locked out for ten
minutes before a new attempt to log in can be performed. This time can be set
from 10 minutes to 60 minutes.

The PCM600 caches the login credentials after successful login for 15 minutes.
During that time no more login will be necessary.

Table 4: Authority-related IED functions


| Function | Description |
|---|---|
| Authority status ATHSTAT | This function is an indication function block for user logon activity. User denied attempt to log-on and user successful logon are reported. |
| Authority check ATHCHCK | To safeguard the interests of our customers, both the IED and the tools that are accessing the IED are protected, by means of authorization handling. The authorization handling of the IED and the PCM600 is implemented at both access points to the IED: local, through the local HMI; remote, through the communication ports. The IED users can be created, deleted and edited only in the CAM server. |
| Authority management AUTHMAN | This function enables/disables the maintenance menu. It also controls the maintenance menu log on time out. |

For more information on Authority management AUTHMAN, Authority status ATHSTAT, and
Authority check ATHCHCK functions, see Chapter Basic IED functions in technical manual.

At delivery, the IED has a default user defined with full access rights. PCM600 uses this default
user to access the IED. This user is automatically removed in IED when users are defined via
the IED Users tool in PCM600.

Default User ID: Administrator

Password: Administrator

Only characters A - Z, a - z and 0 - 9 shall be used in user names. User names are
not case sensitive. For passwords see the section Password policies.

4.2 Predefined user roles GUID-41C5DF7D-BE92-476D-B3A9-646238A7CD6A v6

There are different roles of users that can access or operate different areas of the IED and tool
functionalities.

Ensure that the user logged on to the IED has the required access when writing
particular data to the IED from PCM600. For more information about setting
user access rights, see the PCM600 documentation.

The meaning of the legends used in the table:


• X = Full access rights
• R = Only reading rights
• - = No access rights

Table 5: Predefined user roles according to IEC 62351-8


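| Access rights | VIEWER | OPERATOR | ENGINEER | INSTALLER | SECADM | SECAUD | RBACMNT | ADMINISTRATOR |
|---|---|---|---|---|---|---|---|---|
| Config – Basic | - | - | X | X | - | - | - | - |
| Config – Advanced | - | - | X | X | - | - | - | - |
| FileTransfer – Tools | - | - | X | X | - | - | - | - |
| UserAdministration | - | - | - | - | X | - | X | X |
| Setting – Basic | R | - | X | X | - | - | - | - |
| Setting – Advanced | R | - | X | X | - | - | - | - |
| Control – Basic | - | X | X | - | - | - | - | - |
| Control – Advanced | - | X | X | - | - | - | - | - |
| IEDCmd – Basic | - | X | X | - | - | - | - | - |
| IEDCmd – Advanced | - | - | X | - | - | - | - | - |
| FileTransfer – Limited | - | X | X | X | X | X | X | X |
| DB Access normal | - | X | X | X | X | X | X | X |
| Audit log read | - | - | - | - | - | X | - | X |
| Setting – Change Setting Group | - | X | X | X | - | - | - | - |
| Security Advanced | - | - | - | - | X | - | - | X |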

Table 6: Access rights explanation


| Access rights | Explanation |
|---|---|
| Config – Basic | Configuration – Basic is intended for engineers that only adapt an existing configuration e.g. the I/O-Configuration using SMT |
| Config – Advanced | Configuration – Advanced is intended for engineers that do the whole application engineering and using e.g. ACT |
| FileTransfer – Tools | FileTransfer – Tools is used for some configuration files for the configuration and shall have the same value as Config – Advanced |
| UserAdministration | UserAdministration is used to handle user management e.g. adding new user |
| Setting – Basic | Setting – Basic is used for basic settings e.g. control settings and limit supervision |
| Setting – Advanced | Setting – Advanced is used for the relay engineer to set settings e.g. for the protection functions |
| Control – Basic | Control – Basic is used for a normal operator without possibility to bypass safety functions e.g. interlock or synchro-check bypass |
| Control – Advanced | Control – Advanced is used for an operator that is trusted to do process commands that can be dangerous |
| IEDCmd – Basic | IEDCmd – Basic is used for commands to the IED that are not critical e.g. Clear LEDs, manual triggering of disturbances |
| IEDCmd – Advanced | IEDCmd – Advanced is used for commands to the IED that can hide information e.g. Clear disturbance record |
| FileTransfer – Limited | FileTransfer - Limited is used for access to disturbance files e.g. through FTP |
| DB Access normal | Database access for normal user. This is needed for all users that access data from PCM |
| Audit log read | Audit log read allows reading the audit log from the IED |
| Setting – Change Setting Group | Setting – Change Setting Group is separated to be able to include the possibility to change the setting group without changing any other setting |
| Security Advanced | Security Advanced is the privilege required to do some of the more advanced security-related settings |

IED users can be created, deleted and edited only with the IED Users tool within PCM600. From
the LHMI, no users can be created nor changed.

The first user created must be assigned the role SECADM to be able to write
users created in PCM600 to the IED.

In order to allow the IED to communicate with PCM600 when users are defined
via the IED Users tool, the access rights “UserAdministration” and “FileTransfer
— Limited” must be applied to at least one user.

“DB Access normal” and “File Transfer — Limited” are required for PCM600
access to the IED.
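
The following added example (not ABB code) encodes Table 5 and checks a planned user list against the rules stated in this chapter before it is written to the IED: user name characters, at least one role per user, SECADM for the first user, one user holding both UserAdministration and FileTransfer - Limited, and the two rights PCM600 access needs. The user list is constructed, and the right names are written with a plain hyphen.

```python
import re

ROLES = ("VIEWER", "OPERATOR", "ENGINEER", "INSTALLER",
         "SECADM", "SECAUD", "RBACMNT", "ADMINISTRATOR")

# Table 5, one character per role in ROLES order: X full access, R read only, - none.
TABLE5 = {
    "Config - Basic":                 "--XX----",
    "Config - Advanced":              "--XX----",
    "FileTransfer - Tools":           "--XX----",
    "UserAdministration":             "----X-XX",
    "Setting - Basic":                "R-XX----",
    "Setting - Advanced":             "R-XX----",
    "Control - Basic":                "-XX-----",
    "Control - Advanced":             "-XX-----",
    "IEDCmd - Basic":                 "-XX-----",
    "IEDCmd - Advanced":              "--X-----",
    "FileTransfer - Limited":         "-XXXXXXX",
    "DB Access normal":               "-XXXXXXX",
    "Audit log read":                 "-----X-X",
    "Setting - Change Setting Group": "-XXX----",
    "Security Advanced":              "----X--X",
}


def effective_rights(roles):
    """Merge the rights of all roles a user belongs to; X overrides R."""
    rights = {}
    for role in roles:
        col = ROLES.index(role)  # ValueError for a role that is not predefined
        for right, row in TABLE5.items():
            level = row[col]
            if level == "X" or (level == "R" and rights.get(right) != "X"):
                rights[right] = level
    return rights


def preflight(users):
    """users: list of (name, roles) in creation order. Returns a list of findings."""
    findings, seen = [], set()
    for name, roles in users:
        if not re.fullmatch(r"[A-Za-z0-9]+", name):
            findings.append(f"{name}: user names may only use A-Z, a-z and 0-9")
        if name.lower() in seen:
            findings.append(f"{name}: duplicate, user names are not case sensitive")
        seen.add(name.lower())
        if not roles:
            findings.append(f"{name}: must belong to at least one user role")
    if users and "SECADM" not in users[0][1]:
        findings.append(f"{users[0][0]}: first user created must have role SECADM")
    needed = {"UserAdministration", "FileTransfer - Limited"}
    if not any(needed <= set(effective_rights(roles)) for _, roles in users):
        findings.append("no user holds both UserAdministration and FileTransfer - Limited")
    return findings


def pcm600_capable(users):
    """Names of users holding the two rights required for PCM600 access."""
    needed = {"DB Access normal", "FileTransfer - Limited"}
    return [name for name, roles in users if needed <= set(effective_rights(roles))]


# Constructed plan, in creation order.
PLAN = [
    ("secadmin1", ["SECADM"]),
    ("relayeng", ["ENGINEER"]),
    ("viewer1", ["VIEWER"]),
    ("RelayEng", ["OPERATOR"]),
    ("audit-1", ["SECAUD"]),
]

if __name__ == "__main__":
    for finding in preflight(PLAN):
        print("finding:", finding)
    print("PCM600 capable:", pcm600_capable(PLAN))
```
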

4.3 Changing the default user password GUID-2BF4493D-35FB-477C-9D0B-8F24A271D98B v1

The IED provides the possibility to change the default password of the default user
'Administrator'. Option to change the password is given only from LHMI and is not possible
through PCM600. Default user password cannot be changed if external users are configured in
the IED.

If the default password is changed then:

• When the IED is Reset to factory default in LHMI from the Maintenance menu, the default
password is reset to factory default.
• PCM600 will present a login dialog to the user while performing any read and write
operation.
• The Field Service Tool (FST) will present a login dialog to the user while performing an
update/upgrade operation on the IED.
• Changed password is used for authentication for FTP login in Maintenance menu.
• Turning off authority in the Maintenance menu is only applicable to external users and not
for default user (with changed passwords).
• The default user password is reset to "Administrator" if external users are defined.
• The default user password is reset to "Administrator" if IED is upgraded using FST.


1. To change the default password from LHMI, navigate to Main Menu->Configuration->Communication->Cyber Security.
2. Click the option Change default user password.
3. On the Change Password dialogue box, enter the passwords.

If external users are configured, password cannot be changed.

4.3.1 Password policies GUID-DDE53645-20C8-46DA-A7E5-ED1EC0EA0D97 v1

• The password must have a minimum of 8 characters and a maximum of 18 characters.
• The password must have one or more lowercase characters (range a-z).
• The password must have one or more uppercase characters (range A-Z).
• The password must have one or more numeric characters (range 0-9).
• The password must have one or more special characters (!, @, #, +, ", *, %, &, /, = or ?).

Password policy for default user is fixed and it is not configurable.

4.4 IED User management GUID-B3A1A9F3-7F76-413C-A9A1-E090B90A8B3A v3

The IED Users tool in PCM600 is used for editing user profiles and role assignments.

In the IED Users tool, the data can be retrieved from an IED or data can be written to an IED if
permitted. The data from an IED can be saved to the project database.

Always use Read User Management Settings from IED before making any
changes when managing user profiles. If this is not done password changes
made by users may be lost!

Nothing is changed in the IED until a “writing-to-IED operation” is performed.


4.4.1 Starting IED user management GUID-58114BAC-2E0B-49DD-A2AB-A50384369B38 v2

• Connect the PC to the IED


• Start PCM600
• Select an IED in the plant structure
• Select Tools/IED Users or,
• Right-click an IED in the plant structure and select IED Users
The IED User dialog box appears.

4.4.2 General settings GUID-0326F993-E3F2-4F72-A94F-D8886EB9F6AD v5

In the General tab, by clicking Restore factory settings the default users can be restored in the
IED Users tool. For the IED series this means reverting back to the factory delivered users.
Performing this operation does not remove the users in the IED. Nothing is changed in the IED
until a “writing-to-IED operation” is performed.

This is not the same action as Revert to IED defaults in the recovery menu.

The previous administrator user ID and password have to be given so that the
writing toward the IED can be done.

Editing can be continued by clicking on Restore factory settings when not connected to the
IED.


Figure 6: General tab

4.4.3 User profile management GUID-74EEBF57-309E-4C97-A5A0-5731E21B9CBE v3

In the User Management tab, the user profiles of the selected IED can be edited. New users
can be created, existing users can be deleted and different user group members can be edited.


A user profile must always belong to at least one user role.


Figure 7: Create new user

4.4.3.1 Adding new users GUID-85D09A73-7E14-4BD6-96E5-0959BF4326C0 v3

1. Click in the Users tab to open the wizard.


Figure 8: Create new user


2. Follow the instructions in the wizard to define a user name, password and user role.
Select at least one user role where the defined user belongs. The user profile can be seen
in the User details field.


Figure 9: Select user role


3. Select the user from the user list and type a new name or description in the Description/
full name field to change the name or description of the user.


Figure 10: Enter description

4.4.3.2 Adding users to new user roles GUID-F335590A-EAC7-42E2-AC6B-C0051FD21D05 v2

1. Select the user from the Users list.


2. Select the new role from the Select a role list.
3. Click .
Information about the roles to which the user belongs can be seen in the User details
area.


Figure 11: Adding user

4.4.3.3 Deleting existing users GUID-472BF39B-DDAC-4D88-9B74-E6C49D054524 v2

1. Select the user from the Users list.


Figure 12: Select user to be deleted


2. Click .


Figure 13: Delete existing user


4.4.3.4 Changing password GUID-6180D722-CC49-445B-B520-BAD8904A60AF v2

1. Select the user from the Users list.


Figure 14: Select user


2. Click .
3. Type the old password once and the new password twice in the required fields.
The passwords can be saved in the project database or sent directly to the IED.

No passwords are stored in clear text within the IED. A hash
representation of the passwords is stored in the IED and it is not
accessible from outside via any ports.


Figure 15: Change password

4.4.4 User role management GUID-213FBF87-3268-42E6-88B0-8EE260127B08 v2

In the Roles tab, the user roles can be modified. The user's memberships to specific roles can
be modified with a list of available user roles and users.


Figure 16: Editing users


4.4.4.1 Adding new users to user roles GUID-C53B644A-6C5C-43FC-96D7-E2CA152BD84A v2

1. Select the required role from the Roles list.


The role profile can be seen under the Role details field.
2. Select the new user from the Select a user list.
3. Click .
The new user is shown in the Users assigned list.

4.4.4.2 Deleting existing User from user roles GUID-9DFF2F01-52D9-406D-AE0A-DEE655D4B2F5 v3

1. Right-click the user in the Users assigned list.


2. Select Remove This Role from Selected Member.


Figure 17: Remove Role from User

4.4.4.3 Reusing user accounts GUID-C28C87EC-7027-440C-BB38-2C8EC14ECA40 v2

IED user account data can be exported from one IED and imported to another. The data is
stored in an encrypted file.

Exported passwords are hashed and not in clear text.

To export IED user account data from an IED

1. Click the Import Export tab in the IED User tool in PCM600.
2. Click Export IED account data.

The user account data is exported to a file with user defined filename and location.

Import IED user rights to an IED


1. Click Import IED account data.


2. Open the previously exported file.

Only users who have the right to change the user account data in PCM600 are allowed to
export and import.


Figure 18: Importing and exporting user account data

4.4.5 Writing user management settings to the IED GUID-2066776C-72CC-49CC-B8D8-F2C320541A5E v3

• Click the Write User Management Settings to IED button on the toolbar.

The data is saved when writing to the IED starts.

4.4.6 Reading user management settings from the IED GUID-26732B3E-D422-4A39-82BA-74FCA1C6DD0E v1

• Click the Read User Management Settings from IED button on the toolbar.

4.4.7 Saving user management settings GUID-AE198606-6E71-4C77-A4E1-02B79E4270B4 v2

• Select File/Save from the menu.


• Click the Save toolbar button.

The save function is enabled only if the data has changed.

4.5 Password policies GUID-01918A5B-726C-4FC8-8644-424A83B26090 v5

Only ASCII characters are allowed when typing a user name or password. Currently, password
characters in the ranges 32-126 and 192-383 (ASCII ranges, decimal) are supported.

Password policies are set in the IED Users tool in PCM600. There are several options for
enforcing safer passwords.


• Minimum length of password (1 - 18)


• Require lowercase letters ( a - z )
• Require uppercase letters ( A - Z )
• Require numeric letters ( 0 - 9 )
• Require special characters ( !@#+”*%&/=? )
• Password expiry time (default 90 days)

To achieve IEEE 1686 conformity, a password with a minimum length of 8
characters must be used, and the checkbox Enforce Password Policies shall be
ticked.

After password expiry the user is still able to login, but a warning dialog will be
displayed on the Local HMI. Also a security event will be issued.


Figure 19: Password expiry warning dialog


Figure 20: Change Password Policies dialog box in IED Users tool in PCM600
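
The password rules of sections 4.3.1 and 4.5 as an added example (not ABB code): a checker that applies the configurable policy options, the fixed default-user policy and the IEEE 1686 condition to candidate passwords before they are entered in PCM600 or the LHMI. The field names and sample passwords are constructed; reading the supported ranges as Unicode code points and applying the 18-character maximum to all users are assumptions.

```python
from dataclasses import dataclass

SPECIALS = set('!@#+"*%&/=?')   # special characters listed in the policy
MAX_LENGTH = 18                  # assumption: the stated maximum applies to every user


@dataclass(frozen=True)
class PasswordPolicy:
    """Options of the Change Password Policies dialog (hypothetical field names)."""
    enforce: bool = True     # checkbox Enforce Password Policies
    min_length: int = 8      # settable 1 - 18
    lower: bool = True
    upper: bool = True
    digit: bool = True
    special: bool = True

    def __post_init__(self):
        if not 1 <= self.min_length <= MAX_LENGTH:
            raise ValueError("minimum length must be between 1 and 18")


# Section 4.3.1: the default user's policy is fixed and equals these defaults.
DEFAULT_USER_POLICY = PasswordPolicy()


def allowed_char(ch):
    """True for the supported ranges 32-126 and 192-383 (decimal)."""
    return 32 <= ord(ch) <= 126 or 192 <= ord(ch) <= 383


def violations(password, policy=DEFAULT_USER_POLICY):
    """Return the list of rules the password breaks (empty list means accepted)."""
    found = []
    if any(not allowed_char(c) for c in password):
        found.append("contains characters outside the supported ranges")
    if len(password) > MAX_LENGTH:
        found.append("longer than 18 characters")
    if not policy.enforce:
        return found
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length} characters")
    checks = [
        (policy.lower, lambda c: "a" <= c <= "z", "no lowercase letter (a-z)"),
        (policy.upper, lambda c: "A" <= c <= "Z", "no uppercase letter (A-Z)"),
        (policy.digit, lambda c: "0" <= c <= "9", "no numeric character (0-9)"),
        (policy.special, lambda c: c in SPECIALS, "no special character"),
    ]
    for required, test, message in checks:
        if required and not any(test(c) for c in password):
            found.append(message)
    return found


def ieee1686_conformant(policy):
    """Minimum length of 8 and Enforce Password Policies ticked."""
    return policy.enforce and policy.min_length >= 8


if __name__ == "__main__":
    # Constructed candidates, including the factory default password in lower case.
    for candidate in ("Substation#2020", "administrator", "Aa1!"):
        print(candidate, "->", violations(candidate) or "accepted")
```
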


Section 5 Central Account Management


5.1 General description GUID-3ECAB183-414F-46FD-B273-C832FB0EDA82 v1

Central Account Management is an authentication infrastructure that offers a secure solution
for enforcing access control to IEDs and other systems within a substation. This incorporates
management of user accounts, roles and certificates and the distribution of such, a procedure
completely transparent to the user.

5.2 Central Account Management using SDM600

5.2.1 Introduction GUID-63E85A54-D3A2-46F4-8315-EEC364251065 v2

In this section, the LDAP server software description and handling is based on SDM600, which
is an ABB product. Other Central Account Management software can also be used, provided it
has sufficient functionality. This is described in Chapter 5.3.1.

[Figure 21 diagram not reproduced. Labels shown: Security Administrator; Normal User; SDM600; PCM600; IED; Manually transferred certificate files; Start secure communication; Replicate users; Login; Change own password; Deploy certificate to IED; Write Role to Right mapping; Activate CAM; Deactivate CAM; Reset emergency account]

Figure 21: Overview of the functionality between the products in the system.

The CAM server, such as the SDM600, also acts as a CA meaning that it is able to issue digital
certificates. Each device, such as an IED, will have its own unique device certificate, one which
must be imported into the PCM600 configuration and then written to the IED. At this point
trust is automatically established directly between the CAM server and the IED. The Security
Administrator is responsible for this setup.

5.2.1.1 Creating IED certificates GUID-DBE03CD9-0BA9-48F0-AC9A-8CE1E33AD11B v2

SDM600 can be used to create IED certificates. This chapter explains how to create device
certificates.

1. In PCM600, export the Substation Configuration Description (SCD).


Figure 22: Export SCD file


2. In SDM600, import SCD via the Load Structure tool. Refer to Setting Up the SDM600
Structure in the SDM600 User Manual.
3. In SDM600 update "Alternative IP Addresses" with all configured interfaces on the device.
4. Generate certificates in the SDM600 server for all IEDs.
5. Export the certificate or the configuration package from the SDM600 server.
6. Use PCM600 to load the certificate and configuration into the correct IED.

The IED deploys only certificates bundled in PKCS#12 file format from SDM600.

SDM600 allows the user to set the key length of the certificates that need to be deployed in
the IED. While it may be prudent to use a larger key size, a larger key also requires a
considerably longer time for the TLS handshake (between the IED and tools/Central Account
Management servers) before any secure communication starts. We recommend deploying
certificates with a key length of 2048 in the IED. The NSA (National Security Agency)
recommendation is that RSA keys of 2048 bit key size are acceptable.

The IED will use the certificate imported via PCM600 to automatically access the
SDM600 server. This certificate is also used as a server certificate to secure
communication of FTP and ODBC protocols.

5.2.1.2 Importing and writing certificates to an IED GUID-36E12AF0-A5D9-446D-B679-ABD55BB12CD6 v3

The following are the steps to import and write certificates to the IED.

1. Connect PC to the IED.


2. Start PCM600, open project.
3. Select VoltageLevel, Bay or IED in the plant structure.
4. Select Tools/Account Management or right click on VoltageLevel, Bay or IED in the plant
structure and select Account Management.
The Account Management dialog will appear as shown below:


Figure 23: Account Management Tool in PCM


5. Select the Import and Write Certificates option.
6. Select those IEDs to which certificates need to be written.


Figure 24: Import and Write certificates tool view in PCM600


7. Select for those IEDs to which certificates need to be written.
8. Click on Import certificate button.


Figure 25: Importing certificate (p12) file


9. If certificate is password protected, the user will be prompted to enter the password.
9.1. Select CAM as the Certificate Unit.
9.2. Click the OK button.


Figure 26: Entering password of a certificate

Only CAM certificates can be written from PCM600 to IED.

10. Select certificate.

Figure 27: Chosen certificate


11. Click button to write certificate(s) for the enabled IEDs and click Yes in the
confirmation dialog.


Figure 28: Write certificate confirmation dialog


12. The process and the status of the writing are indicated in the Account Management tab.


Figure 29: Result of written certificates

If Central Account Management is active in the IED and the user deploys an invalid certificate
into an IED (e.g. the SDM600 certificate of an SDM server other than the one that is configured
in the IED), then replication will fail when the IED tries to replicate. Central Account
Management remains enabled in the IED.

If SECADM is able to log in to the IED (replication), then the correct certificates can be
deployed using PCM600; otherwise, the user must go to the Maintenance menu of the IED and
select Disable CAM and Delete Certificates.

5.2.1.3 Reading certificates from an IED GUID-52D3484C-350B-424E-A5CC-9C0E626D4A73 v2

The following are the steps to read certificates from an IED:

1. Connect PC to the IED.


2. Start PCM600, open project.
3. Select Voltage Level or Bay or IED in the plant structure.
4. Select Tools/Account Management or right click on Voltage Level or Bay or IED in the
plant structure and select Account Management.
The Account Management dialog will appear as shown below.


Figure 30: Account Management Tool in PCM


5. Select the Read and Delete Certificates option.


Figure 31: Read and Delete Certificates view in PCM600


6. Select for those IEDs from which certificates need to be read.
7. Click button to read certificates from the IED.


Figure 32: Reading certificates from IED


8. Click the button to view certificates that are read from the IED.


Figure 33: Certificates that are read from the IED


9. Double click on a Certificate Unit to view the details of it or right click on a Certificate
Unit and select Properties


Figure 34: Viewing details of certificate of an IED in PCM600

5.2.1.4 Invalid certificates GUID-66DFAC1D-F305-416F-91D9-05D035F1810B v2

The certificate can be invalid for different reasons, e.g. if the certificate has expired. In this
case, if the IED is using a self-signed certificate, it will generate a new self-signed certificate.
Otherwise, when the IED is using a certificate generated by SDM600, the security administrator
must generate new certificates and redeploy them using PCM600. If the certificate has expired,
PCM600 will issue a warning to the user about connecting to a device with an expired
certificate. SDM600 will reject user authentication with an expired certificate.

If replication is enabled and the server rejects the authentication (due to an expired
certificate), then the user is allowed to log in using the replicated data. The IED will raise a
security event 30 days before the certificate expires and then once every day until the expiry
date.

There are two main cases when the IED accesses the server:

1. Cyclic replication
2. User authentication or to change user password

These two cases differ in that one has an ongoing user interaction, while the other occurs
cyclically without user interaction. In both cases a security event will be generated in the IED.

5.2.1.5 Deleting certificates from an IED GUID-CFA1897A-AF2F-49D2-A8AF-AB63BE7FCA67 v2

Deletion of certificates from IED is possible only after reading certificates from
IED.

1. Select the Certificate Units that need to be deleted.


2. Click on the delete-button in the toolbar.

A confirmation dialog appears.


Figure 35: Certificate deletion confirmation dialog


3. Click on the Yes button to confirm the deletion.

The certificates are deleted from the IED. Confirmation of this can be seen in the tool.


Figure 36: Deletion of certificates from an IED

Only CAM certificates can be deleted from PCM600.

It will not be possible to delete Internal and External certificates from PCM600.

When the IED is in Central Account Management mode, it is not recommended to
remove Central Account Management certificates from the IED, because this
action could cause connectivity problems between the Central Account
Management server (SDM600) and the IED.

5.2.2 Activation of Central Account Management GUID-9A684497-1D1C-4184-8D46-B2C167F73F98 v2

Central Account Management on the IED must be activated from PCM600. The following are
the steps to activate Central Account Management on the IED:

1. Connect PC to the IED.


2. Start PCM600, open project.
3. Right click at Substation and select Export to export project SCD file.


Figure 37: Export SCD file


4. Import project SCD file in SDM600 and generate CAM configuration package.

Please refer to SDM600 documentation for the detailed steps to generate
CAM configuration package from SCD file.

5. From PCM600, select Voltage Level or Bay or IED in the plant structure.
6. Select Tools/Account Management.
7. Right click on Voltage Level or Bay or IED in the plant structure and select Account
Management. The Account Management dialog will appear as shown below:


Figure 38: Account Management Tool in PCM


8. Click Centralized Account Management Configuration button, to open SDM600
configuration tool.


Figure 39: Import SDM600 configuration


9. From Tool bar, click to import SDM600 configuration zip file that is generated
above at step #4.
10. If the SDM600 configuration zip file/certificate is protected with password (KEK), then
the user will be prompted to enter password.


Figure 40: Password for the certificate package


11. Import Summary dialog will show the actions performed on each IED in the plant
structure.


Figure 41: SDM600 configuration import results


12. Click Done button.
13. In Account management tool, select the IED(s) for which Central Account Management
needs to be activated.
14. To enable Central Account Management for the selected IED(s), from Toolbar, click button.


Figure 42: Writing Central Account Management to IED


Figure 43: Central Account Management write status

When Central Account Management is set to active, the IED will do the following:

• Verify the configuration to ensure that SDM600 can be accessed.
• Replicate the defined user group from SDM600 to the IED. At least one user must be
replicated.

The maximum number of replicated users supported by the IED is 100. If the
replication group is empty or contains more than 100 users, the Central
Account Management activation will fail.

It is recommended to define replication groups in SDM600 and associate them
to the devices when the CAM configuration is created. One replication group can be
used in several devices. SDM600 has the possibility to replicate all users from
the server; however, this is not considered good security practice and it
reduces the maximum number of replicated users.

If replication is disabled, the emergency account is not configured, and
the Central Account Management server is not reachable, then the user will not
be able to log in to the IED.

Replication support is only available if the customer is using SDM600. If the
customer is using LDAP servers other than SDM600, no user replication is
possible.

The configuration for Central Account Management is handled by a new tool in
PCM600. Replication is enabled or disabled with a checkbox (Replication) in the tool.

When this is successfully done, the IED will indicate that Central Account Management is
active. In addition, the IED will delete any users locally defined in the IED by the PCM600
user tool.

If the Central Account Management activation fails, the activate parameter will be reset and a
failure message will be indicated in the PCM Output window. Central Account Management
must then be activated again.

When Central Account Management is activated, any ongoing sessions with the IED will
continue until they are closed.

5.2.2.1 Manual configuration of Central Account Management GUID-D4123E80-3D91-4767-9B67-5936CF1030D5 v2

It is possible to edit Central Account Management configuration parameters and modify them
(if needed) in PCM600. In order to edit configuration parameters, right click on the Device and
select Edit as shown below.


Figure 44: Edit configuration


The following screen appears, in which the user can edit the Central Account Management
configuration parameters and/or manually change the certificate.


Figure 45: Local configuration


Local Configuration tab indicates the configuration that currently exists in PCM600.

Remote Configuration tab indicates the configuration that currently exists in the IED.


Figure 46: Remote configuration

The Remote Configuration tab will have the configuration only if Read Central
Account Management Configuration from the IED is performed, as described in section
Reading configuration from IED.

Generally, the “ldap” string in the URL represents unsecured transmission, which
uses default port 389, and “ldaps” represents the secured version of LDAP,
which uses Transport Layer Security for secured communication over port 636.
The IED always initiates secure communication irrespective of a secured or
unsecured URL in the CAM configuration.

The SDM600 Configuration check box must be enabled for SDM600 server
configuration.

The LDAP server URL must contain the IP address and port number of the CAM server.
Ensure that all the parameters are written or set correctly before writing the
CAM configuration to the IED; otherwise this can lead to lockout of the IED.

When Central Account Management is enabled in the IED and the user
deploys an invalid certificate into an IED, it is not possible to
communicate with the LDAP server. However, Central Account Management
remains enabled in the IED and the IED will be locked out. In this situation,
deactivate Central Account Management using the Disable CAM and Delete
Certificates option from the Maintenance menu.

5.2.2.2 Emergency account GUID-DF4E9F8C-7AAE-4050-9477-C8B5E107E0DA v1

When the SDM600 is configured without replication, it is recommended to configure the
emergency account. Once the emergency account is configured, it will get activated only when
the authentication to CAM server fails due to unavailability of the server.

Emergency account can be created along with the CAM configuration in PCM600 if replication
is disabled:

1. Select the Emergency Account checkbox which is provided inside CAM configuration in
AMT.
2. Enter the Username and Password and write to IED.

In case the configuration is done with import of the package, the CAM
configuration should be manually edited in PCM600 to include the
emergency account.


Figure 47: Emergency account option in PCM600 AMT


3. Select Allow remote access checkbox to allow PCM600 or other clients (e.g. FTP) to use
emergency account to login to the IED which otherwise restricts the usage of emergency
account only on LHMI.

It is recommended that the Emergency account credentials be stored in
a secure location, secured with a key or digital PIN code. The substation user
retrieves the PIN or key in an “out of band” manner. The substation user uses
the PIN or key to retrieve the emergency user accounts. Usage of the PIN or key
is logged.

It is also recommended to change the credentials of the Emergency account on all
the IEDs once the credentials are compromised. This can be done using the Reset
Emergency Account tab in AMT.

Upon the first unsuccessful authentication due to unavailability of the CAM server,
there will be an indication on the LHMI and PCM600 that the Emergency
account is activated.

The Emergency account will be active for 15 minutes after the first unsuccessful
authentication due to the CAM server being offline. If the server comes online
again during this period, the user will be allowed to log in using both the
emergency account and a CAM user. In this case, once the login using a CAM user is
successful, the emergency account is disabled.

See Section 5.2.1 for more details on CAM using SDM600.

5.2.2.3 Reading configuration from IED GUID-9C4F2F04-FBFF-453C-85EA-2FF855E9CAC0 v1

It is possible to read Central Account Management configuration from the IED by right clicking
on the Device and selecting Read from IED.


Figure 48: Read configuration from IED

5.2.2.4 Deactivation of Central Account Management from PCM600 GUID-19BDC85E-4175-4B53-909F-0051E5D98492 v2

When Central Account Management is disabled in the IED, there will not be any external users
defined in the IED. Instead the built-in, factory default users will be reactivated.

1. Right click on the Device in Account Management tool and select Edit as shown in figure
48.


Figure 49: Deactivation of Central Account Management


2. Select Device CAM Mode as Disable as shown in fig 49.
3. Click Save & Close button, to save and close manual configuration screen.
4. Right click on the Device, and select Write to IED as shown in fig 50.


Figure 50: Write configuration to IED


5. PCM600 output window indicates the result of the write operation as shown in fig 51.


Figure 51: PCM600 output window indicating deactivation of Central Account
Management in the IED

5.2.2.5 Deactivation of Central Account Management on local HMI GUID-A3829B79-FB89-4575-9D5C-C28EBCDD24CD v3

In case of wrong configuration of CAM and Certificates, there is a possibility to disable Central
Account Management and delete the loaded certificates in the IED. This can be done from
recovery menu option. To enter this menu, the IED must be rebooted and a specific key
combination must be pressed on the LHMI during the IED boot sequence.

1. Switch off the power supply to the IED and leave it off for one minute.
2. Switch on the power supply to the IED and press and hold down and until the
Maintenance Menu appears on the LHMI (this takes around 20-60s).
3. Navigate down and select Recovery Menu and press or .

Maintenance Menu
1. Activate FTP server
2. Abort IED-update
3. Display IP address
4. View system event log
5. Recovery Menu (Password protected)
Press Clear to continue start-up


Figure 52:
4. Enter the PIN code and press .

Enter PIN code


****

Figure 53:
5. Select Delete Certificates and Disable CAM and press or .

Recovery Menu
5.1 Turn off Authority (temporary)
5.2 Turn off Change-lock (temporary)
5.3 Turn off IEC61850
5.4 Revert to IED defaults
5.5 Delete Certificates and Disable CAM
5.6 Restore Points
5.7 Change PIN
Press Clear to continue start-up

Figure 54: Selection menu


6. Select OK to Delete Certificates and Disable CAM.

PLEASE CONFIRM

Delete Certificates, Disable CAM? (persistent)

OK    Cancel

Figure 55: Confirmation


7. Press to continue the startup sequence (now all the loaded certificates are deleted in
the IED and Central account management is disabled in the IED).

To cancel the operation in any step, press .

5.2.3 Password policy settings for Central Account Management enabled IED GUID-ABB0D1DF-FF41-4411-95EC-7D4B93FF4E0B v1

The password policy is set in the Central Account Management server (SDM600). Refer to
SDM600 user manual.

5.3 Central Account Management using LDAP server (not using SDM600)

5.3.1 Introduction GUID-14A392BB-97EE-44AE-AD78-9F47494B214C v1

In this section, the LDAP server software description and handling is based on a third-party
LDAP server.

[Diagram labels. Actors: Security Administrator, Normal User. Products: LDAP Server, PCM600,
IED, with manually transferred certificate files between the LDAP Server and PCM600.
LDAP Server and IED: start secure communication, login, change own password.
PCM600 and IED: start secure communication, deploy certificate to IED, write Role to Right
mapping, activate CAM, deactivate CAM, login, change own password, reset emergency account.]

Figure 56: Overview of the functionality between the products in the system

Before any authentication/authorization of a user takes place, a trust relation must be
established. It is important for the IED to know that the LDAP server with which it is
communicating is a trusted server.

If there is no requirement for the server to trust the IED, then the IED can communicate
with the LDAP server using its self-signed certificate. To trust the LDAP server, the signer
certificate of the LDAP server, i.e. the Root CA / Intermediate CA certificate, must be installed
in the IED using PCM600 in .p7b or .cer format.

In case of mutual trust between the LDAP server and the IED, the LDAP server can act as a CA,
which means that it can issue digital certificates. Each device, such as an IED, will have its own
unique device certificate, which must be imported into the PCM600 configuration in .p12
or .pfx format and then written to the IED. At this point trust is automatically established
directly between the CAM server and the IED.

The Security Administrator is responsible for this setup.

5.3.2 Activation of Central Account Management GUID-79C2E5A7-F442-4580-9E7E-48BA19D232AE v1

There are two ways of configuring the Central Account Management with LDAP server (not
using SDM600).

1. By creating the configuration package bundle.


2. Manual configuration of every IED in PCM600. (Recommended)

5.3.2.1 Configuring CAM using configuration package GUID-2B98AC99-1346-4507-8938-AF234A7E54EF v1

For each IED, create the configuration package that contains the details of the LDAP server,
certificates, and a private key.

The CAM configuration is a zip file.

Each IED in the configuration package contains two files:

• A configuration file (xml file).


• A PKCS12 (p12) file containing certificates and a private key.

It is recommended to deploy certificates with a key length of 2048 in the IED.
The NSA (National Security Agency) recommendation is that RSA keys of 2048 bit
key size are acceptable.

These two files should have the same name with different file extensions, for example,
AA1J1Q01A1.xml and AA1J1Q01A1.p12.

If CAM with SDM600/AD is already enabled in the IED and user wants to switch
to CAM with LDAP server, then user must disable the CAM with SDM600/AD
before enabling the CAM with LDAP and vice versa.

The LDAP server certificate must contain the IP address as its Subject
Alternative Name.

If there is a need to configure an emergency account, the CAM
configuration should be edited manually after importing the configuration
package. See Section 5.3.2.3 for more details on emergency account.

Configuration file (xml file) GUID-373B6AF4-D482-4DED-9758-36A25C4E32B2 v1


The configuration file should have <IEDName>-<optional Description>-<optional Tool
Name>.xml naming convention.

<IEDName>
<IEDName> is the IEC61850 "name" attribute of the corresponding IED in SCL.

<IEDName> fulfills the following criteria:

• IED name regex: <xs:pattern value="[A-Za-z][0-9A-Za-z_]*"/>


• Max length 64 characters (Ed. 2)
• Cannot be empty
• Starts with a basic Latin letter a-z, A-Z
• Contains basic Latin letters, digits, or underscore

<Description> and <Tool Name>


<Description> and <Tool Name> are optional and are used only for information purposes. This
text can be modified. No other meaning can be associated with this text. A tool can decide to
add this text to the file name while generating the CAM configuration. However, this text can
be modified by other tools, and no tool shall require, apply or infer any meaning to this text.

Content in the xml file


<?xml version="1.0"?>
<SDM600_CAM_IED_Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://abb.com/ConfigurationSchema.xsd">
  <IED_information>
    <name>AA1J1Q01A1</name>
    <description>Relion IED 670 series</description>
    <address>10.1.150.3</address>
  </IED_information>
  <BaseDN>ou=CamUsers,dc=vmbox,dc=int</BaseDN>
  <Replication_Group></Replication_Group>
  <Replication_Interval>0</Replication_Interval>
  <CAM_Servers>
    <CAM_Server>
      <ldapaddress>ldap://10.1.150.10:389</ldapaddress>
    </CAM_Server>
  </CAM_Servers>
</SDM600_CAM_IED_Configuration>

IED_information tag: This tag contains the IEC61850 name, description, and IP address of the
IED.

BaseDN tag: This tag contains the Base distinguished name of the LDAP server. The maximum
length of the field is 100 bytes long.

Replication_Group and Replication_Interval tags: These are ABB specific tags. Set
Replication_Interval to 0.

CAM_Servers tag: This tag contains the ldap address of the server.

The format should follow “ldap://<IP_ADDRESS_OF_THESERVER>:<LDAP_PORT>” or
“ldaps://<IP_ADDRESS_OF_THESERVER>:<LDAPS_PORT>”.

It is possible to add one standby server. In this case the CAM_Servers look like:

<CAM_Servers>
  <CAM_Server>
    <ldapaddress>ldap://<PRIMARY_SERVER_IP>:<PRIMARY_SERVER_PORT></ldapaddress>
    <ldapaddress>ldap://<SECONDARY_SERVER_IP>:<SECONDARY_SERVER_PORT></ldapaddress>
  </CAM_Server>
</CAM_Servers>

Multiple configurations for multiple IEDs GUID-0536E336-25F5-47F0-9108-56581B3833F4 v1


The configuration package zip file contains configuration (xml) and certificate (p12) files for
multiple IEDs.

This provides a convenient and efficient means of transferring the configurations for multiple
devices between engineering tools.

In this case the content of the configuration package zip file should be a flat structure of pairs
of xml/p12 files for each IED.

Each p12 file in the configuration package can be protected with a password.

Although it is theoretically possible to have different (unique) passwords for each p12 file, this
is not user friendly. In this case, it is acceptable to have the same password for each p12 file.

Example:

exported_ieds.zip
+- AA1Q1D1.p12
+- AA1Q1D1.xml
+- AA1Q1D2.p12
+- AA1Q1D2.xml
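
A pre-deployment check of such a configuration package, added here as an example (it is not ABB, SDM600 or PCM600 code). It applies the rules stated in this section: flat zip, matching xml/p12 names, IED name pattern and 64-character limit, BaseDN limit of 100 bytes, Replication_Interval 0, and an ldap/ldaps URL with IP address and port. The function names, the constructed sample package and the assumption that <name> in the XML equals the IED name in the file name are not from the guideline.

```python
import io
import ipaddress
import re
import xml.etree.ElementTree as ET
import zipfile
from pathlib import PurePosixPath

IED_NAME_RE = re.compile(r"[A-Za-z][0-9A-Za-z_]*")      # pattern quoted in the guideline
LDAP_URL_RE = re.compile(r"ldaps?://([^:/\s]+):(\d+)")  # ldap(s)://<ip>:<port>


def _texts(root, name):
    """Stripped text of every element with this local name (XML namespace ignored)."""
    return [(el.text or "").strip() for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]


def check_ldap_url(url):
    """Return a problem string, or None when the URL has the documented form."""
    m = LDAP_URL_RE.fullmatch(url.strip())
    if not m:
        return f"{url!r}: not ldap://<ip>:<port> or ldaps://<ip>:<port>"
    try:
        ipaddress.ip_address(m.group(1))
    except ValueError:
        return f"{url!r}: host must be an IP address"
    if not 1 <= int(m.group(2)) <= 65535:
        return f"{url!r}: port out of range"
    return None


def check_config_xml(ied_name, xml_bytes):
    """Check one IED configuration file against the rules the guideline states."""
    try:
        root = ET.fromstring(xml_bytes)  # input is the site's own export, not untrusted XML
    except ET.ParseError as exc:
        return [f"XML does not parse: {exc}"]
    problems = []
    # Assumption: <name> in IED_information equals the IED name used in the file name.
    if _texts(root, "name")[:1] != [ied_name]:
        problems.append("IED_information/name differs from the file name")
    base_dn = "".join(_texts(root, "BaseDN")[:1])
    if not base_dn or len(base_dn.encode("utf-8")) > 100:
        problems.append("BaseDN empty or longer than 100 bytes")
    if _texts(root, "Replication_Interval") != ["0"]:
        problems.append("Replication_Interval must be 0")
    urls = _texts(root, "ldapaddress")
    if not 1 <= len(urls) <= 2:
        problems.append("expected one server and at most one standby server")
    return problems + [p for p in map(check_ldap_url, urls) if p]


def validate_package(zip_bytes):
    """Return {entry: [problems]} for a configuration package; {} means no findings."""
    findings, pairs = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            path = PurePosixPath(entry)
            ext = path.suffix.lower()
            if entry.endswith("/") or len(path.parts) != 1:
                findings[entry] = ["package must be a flat list of files"]
            elif ext not in (".xml", ".p12"):
                findings[entry] = ["unexpected file type"]
            else:
                pairs.setdefault(path.stem, {})[ext] = entry
        for stem, files in sorted(pairs.items()):
            ied_name = stem.split("-", 1)[0]  # <IEDName>-<Description>-<Tool Name>
            problems = []
            if not IED_NAME_RE.fullmatch(ied_name) or len(ied_name) > 64:
                problems.append("IED name violates the naming rule")
            if set(files) != {".xml", ".p12"}:
                problems.append("xml/p12 pair is incomplete")
            if ".xml" in files:
                problems += check_config_xml(ied_name, zf.read(files[".xml"]))
            if problems:
                findings[stem] = problems
    return findings


def build_sample_package():
    """Constructed sample: AA1Q1D1 is clean, AA1Q1D2 carries three mistakes."""
    template = ('<SDM600_CAM_IED_Configuration xmlns="http://abb.com/ConfigurationSchema.xsd">'
                "<IED_information><name>{0}</name></IED_information>"
                "<BaseDN>ou=CamUsers,dc=vmbox,dc=int</BaseDN>"
                "<Replication_Interval>{1}</Replication_Interval>"
                "<CAM_Servers><CAM_Server><ldapaddress>{2}</ldapaddress></CAM_Server>"
                "</CAM_Servers></SDM600_CAM_IED_Configuration>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AA1Q1D1.xml", template.format("AA1Q1D1", 0, "ldap://10.1.150.10:389"))
        zf.writestr("AA1Q1D1.p12", b"placeholder bytes, not a real PKCS#12 file")
        zf.writestr("AA1Q1D2.xml", template.format("AA1Q1D2", 60, "ldaps://cam.example.int:636"))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, problems in validate_package(build_sample_package()).items():
        print(entry, "->", "; ".join(problems))
```

The check does not open the p12 files, so certificate contents, key length and the package password still have to be verified separately.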

Enabling CAM from PCM600 GUID-84BEE5B1-6D23-468D-9718-1FAC6343503D v1


Once the configuration is done, then save the configuration and write to the IED to enable the
CAM in IED.

5.3.2.2 Manual configuration of Central Account Management GUID-9F75D69F-285C-4C3D-9A65-7BCC27812F01 v1

Configuration of Central Account Management for LDAP server can be done manually using
Account Management Tool.

CAM configuration for LDAP server can be performed using below steps:

1. Import the certificate package and write to the IED using Import and Write Certificates
tab.
2. Configure LDAP server details, create emergency account which is optional and then
write configuration to IED. Figure 57 is the PCM600’s Account Management Tool which is
used to configure LDAP server.


Figure 57: Account Management Tool in PCM


The various modules in this tool are described:
• Import and write Certificate: Used to write device certificate to the IED.
• Centralized Account Management Configuration: Used to configure LDAP server
details and emergency account.
• Rights to Roles Mapping: IED by default has rights to roles mapping, user can use
this option to customize rights to roles.
• Reset Emergency Account: Used to reset emergency account and write to IED.

If CAM with SDM600/AD is already enabled in the IED and user wants to
switch to CAM with LDAP server, then the user must disable the CAM with
SDM600/AD before enabling the CAM with LDAP and vice versa.

See Section 5.3.2.3 for more details on emergency account.

Import and Write Certificates GUID-C0956ED9-B451-4CC3-BE52-12845D52A20E v1


For the TLS handshake, between IED and LDAP server, X.509 certificates are used.

For the IED to trust the LDAP server, the root CA of the LDAP server must be installed in the
IED. Generally, the LDAP server does not trust the clients; in this case the self-signed
certificate generated in the IED can be used only for encryption.

The user must write to the IED only the Root CA certificate/Intermediate CA certificate that is
used to sign the LDAP server certificate, for authenticating the LDAP server. In this case the
same certificate package can be written to all the IEDs which are connected to the same LDAP
server. The Root CA/Intermediate CA certificate file format should be .p7b or .cer.

For mutual trust between the CAM server and the IED, the IED certificate must be signed by the
same Root certificate that has been used to sign the LDAP server certificate. The certificate
should be exported in PKCS#12 format. This package can be imported to PCM600 using the
option Import and Write certificates in AMT and written to the IED. A certificate write can either
be a single write to one IED or a batch write to multiple IEDs. PCM needs to determine which
PKCS#12 archive to deploy to each IED in case of a batch upload.

If the LDAP server is required to trust the IED, then the IED certificate (CAM certificate) should
be generated out of the same signing authority.

See Section 5.5 for more details on Certificate package.

Centralized Account Management Configuration GUID-4A1D7A7D-EC6C-43CF-BDBD-DB5B1CBC3998 v1


Centralized Account Management Configuration tab is used to fill the details of the LDAP
server and write to the IED.

Figure 58: Local configuration


LDAP server URL must contain IP address and port number of the CAM server. The URL should
be in the format “ldap://<ipaddr>:<portnumber>” or “ldaps://<ipaddr>:<portnumber>”.

SDM600 Configuration check box must be enabled while configuring 3rd party LDAP server.
3rd party LDAP doesn't support replication, so the Replication check box will be disabled.

The emergency account is an optional field, but it is recommended to configure it in case of
exigency. See Section 5.3.2.3 for more details on emergency account.

The LDAP server certificate can contain IP address of the host in the Subject Alternative Name
field. In this case, IED verifies the certificate IP address against the URL.

If the LDAP server certificate contains only the DNS of the host in the Subject Alternative
Name field, then the DNS of the host must be configured in the Server DNS Name field in the
configuration.

Ensure that all the parameters are written or set correctly before writing the CAM
configuration to the IED, else this can lead to lock out of the IED in case the emergency
account is not configured.

Generally “ldap” string in URL represents the unsecured transmission which
uses default port 389 and “ldaps” represents the secured version of LDAP
which uses Transport Layer Security for secured communication over port 636.
IED always initiates secure communication irrespective of secured or
unsecured URL in CAM configuration.

Enabling CAM from PCM600


Once the configuration is done, then save the configuration and write to the IED to enable the
CAM in the IED.

5.3.2.3 Emergency account GUID-3545CCDB-0797-464A-B31D-1D5375C2C806 v1

It is recommended to configure the emergency account with third party LDAP server. Once the
emergency account is configured, it will get activated only when the authentication to CAM
server fails due to the unavailability of the server. Emergency account is recommended to be
used only when there is any urgent need to perform any operation with the IED.

Emergency account can be created along with the CAM configuration in PCM600:

1. Select the Emergency Account checkbox which is provided inside CAM configuration in
AMT.
2. Enter the Username and Password and write to IED.

In case the configuration is done with import of the package, the CAM
configuration should be manually edited in PCM600 to include the
emergency account.

Figure 59: Emergency account option in PCM600 AMT


3. Select the Allow remote access checkbox to allow PCM600 or other clients (e.g. FTP) to use
the emergency account to log in to the IED; otherwise the usage of the emergency account is
restricted to the LHMI only.

It is recommended that the Emergency account credentials should be
stored in a secure location, secured with a key or digital PIN code. The
substation user retrieves the PIN or key in an “out of band” manner. The
substation user uses the PIN or key to retrieve the emergency user
accounts. Usage of the PIN or key is logged.

It is also recommended to change the credentials of the Emergency account
on all the IEDs once the credentials are compromised. This can be done
using the Reset Emergency Account tab in AMT.

Upon first unsuccessful authentication due to unavailability of the CAM
server, there will be an indication on the LHMI and PCM600 that the
“Emergency account is activated”.

The Emergency account will be active for 15 minutes after the first unsuccessful
authentication due to the CAM server being offline. During this period, if the server
comes online again, the user will be allowed to log in using both the
emergency account and the CAM user. In this case, once the login using the CAM
user is successful, the emergency account is disabled.

5.4 Central Account Management using AD server

5.4.1 Introduction GUID-62CD77C3-684D-4A83-B4EE-1FB95EEDCB07 v1

Active Directory (AD) is a Microsoft product that consists of several services that run on
Windows Server to manage permissions and access to network resources.

The main service in Active Directory is Domain Services (AD DS), which stores directory
information and handles the interaction of the user with the domain. AD DS verifies access
when a user signs into a device or attempts to connect to a server over a network using LDAP.
AD DS controls which users have access to each resource. For example, an administrator
typically has a different level of access to data than an end user.

Figure 60: Overview of the functionality between the products in the system (actors:
Security Administrator, Normal User; components: AD Server, PCM600, IED)

The IED can use an AD server as the authentication server. The AD server works on group-based
authorization, where every user is mapped to groups in the server. When the IED authenticates
a user against the server, the server responds to the IED with the user information and the
groups of that user.

IED uses roles defined in IEC 62351-8 for providing the authorization to the users. Since AD
server works on group-based authorization, PCM600 provides the infrastructure to map AD
groups to IEC 62351-8 roles defined in IED. Groups to roles mapping must be written to the IED
before enabling the CAM configuration with AD. During authentication, AD server authorizes
the user and sends the groups associated with that user to the IED. IED then maps the groups
to roles based on the groups to roles mapping configured in the IED.

Before any authentication/authorization of a user takes place, a trust relation must be
established. It is important for the IED to know that the AD server with which it is
communicating is a trusted server.

If there is no requirement for the server to trust the IED, then the IED can communicate
with the AD server using its self-signed certificate. To trust the AD server, the signer certificate
of the AD server, i.e. the Root CA / Intermediate CA certificate, must be installed in the IED using
PCM600 in .p7b or .cer format.

In case of mutual trust between AD server and the IED, the AD server can act as a CA, which
means that it can issue digital certificates. Each device, such as an IED, will have its own
unique device certificate, one which must be imported into the PCM600 configuration in .p12
or .pfx format and then written to the IED. At this point trust is automatically established
directly between the CAM server and the IED.

The Security Administrator is responsible for this setup.

5.4.2 Activation of Central Account Management GUID-B6C56844-0846-4C79-8B9C-19CB7CAEADF9 v1

Configuration of Central Account Management with AD server can only be done manually in
PCM600. As a prerequisite it is essential to have certificate package and group file exported
from the AD server.
CAM configuration for AD server can be performed using these steps:

1. Import the group file in PCM600 and map group to roles and write to IED using the Roles
to Active Directory Group Mapping tab.
2. Import the certificate package and write to the IED using the Import and Write
Certificates tab.
3. Configure LDAP server details, create emergency account which is optional and then
write configuration to IED using the Centralized Account Management Configuration
tab.

It is important to write the Groups to roles mapping and the certificates
before enabling the Central account management with AD in the IED.

Figure 61 is the PCM600’s Account Management Tool which is used to configure LDAP
server.

Figure 61: Account Management Tool in PCM

The modules in this tool are:

• Roles to Active Directory Group mapping: Used to import groups, map groups to
roles and write the mapping to the IED.
• Import and write Certificate: Used to write the device certificate to the IED.
• CAM Configuration: Used to configure the LDAP server details and the emergency account.
• Rights to Role Mapping: The IED has a default rights to roles mapping; the user can use this
option to customize rights to roles.
• Reset Emergency Account: Used to reset the emergency account and write it to the IED.

If CAM with SDM600/LDAP is already enabled in the IED and the user wants to
switch to CAM with AD, then the user must disable the CAM with SDM600/
LDAP before enabling the CAM with AD and vice versa.

5.4.2.1 Roles to Active Directory Group Mapping GUID-CAE51359-1FF2-479B-91F3-DC14C0800B66 v1

Using the “Roles to Active Directory Group Mapping” tool in AMT, the group file exported from
the AD server can be imported in PCM600. The supported formats for the group file in PCM600
are .txt, .ldif and .csv.

1. Select the Roles to Active Directory Group Mapping tool to select the IEDs to import the
group file. Only the IEDs that have AD support are enabled.

Figure 62: Roles to Active Directory Group Mapping tool view


2. Map the AD groups to IED roles and write to the IED as shown in Figure 63.

Figure 63: Groups to roles mapping in AMT


3. Edit Roles to Active Directory Group Mapping at one IED to apply the same
configuration for multiple IEDs (based on the selection of IED’s) as shown in Figure 64.

Figure 64: Message box displaying to confirm roles configuration in all selected
IED’s

• The user can map up to 50 groups to roles (ConnPack/TypeData driven);
if the mapping exceeds this, PCM displays a message without
allowing further mapping.
• While mapping Groups to Roles, ensure that there is at least
one user in the configured BaseDN in Active Directory whose group
is mapped to the SECADM role.

5.4.2.2 Import and Write Certificates GUID-874B25AB-8DDD-4FB8-8BD7-7F7C676BE438 v1

For TLS handshake between IED and AD server, X.509 certificates are used.

For the IED to trust the AD server, the root CA of the AD server must be installed in the IED.
Generally, the AD server does not trust the clients; in this case the self-signed certificate
generated in the IED can be used only for encryption. The user must write only the Root CA
certificate/Intermediate CA certificate that is used to sign the AD server certificate to the
IED for authenticating the AD server. In this case the same certificate package can be written to
all the IEDs that are connected to the same AD server. The Root CA/Intermediate CA certificate
file format should be .p7b or .cer.

If the AD server is required to trust the IED, then the IED certificate (CAM certificate) should
be generated out of the same signing authority.

For mutual trust between the CAM server and the IED, the IED certificate must be signed by the
same Root certificate that has been used to sign the AD server certificate. The certificate
should be exported in PKCS#12 format. This package can be imported to PCM600 using the
option Import and Write certificates in AMT and written to the IED. A certificate write can either
be a single write to one IED or a batch write to multiple IEDs. PCM needs to determine which
PKCS#12 archive to deploy to each IED in case of a batch upload.

See Section 5.5 for more details on certificate package.

It is possible to import certificates in bulk to PCM600. For that, the certificate bundle format
should be as described below:

1. The IED certificate name should be a Technical Key and the file format can be pkcs12, .pfx, .p7b
or .cer (e.g. AA1J1Q01A1.p12 or AA1J1Q01A1.p7b). The user can get the Technical Key of the IED
that is configured in PCM600.
2. The certificate bundle should be a zip file that contains single/multiple IED certificates as
shown below.

Figure 65: Certificate bundle file


3. Since the Technical Key is a unique value in a PCM600 project, PCM600 can identify the IED
object in the project based on the certificate file name and import the certificate to that IED.
4. If the certificate name (Technical Key) is not assigned to any IED object in the
project plant structure, PCM600 skips the import of that certificate and informs the user
via a message/warning in the PCM600 output window.
5.

Figure 66: Import and write certificate from PCM600
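
The bundle rules above can be checked before the zip file is handed to PCM600. The following is an added example, not ABB or PCM600 code: `plan_bundle_import` and the result keys are hypothetical names, file names are compared to Technical Keys exactly (an assumption), and the sample bundle is constructed with placeholder file contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions taken from the bundle description in this section.
ALLOWED_SUFFIXES = {".p12", ".pfx", ".p7b", ".cer"}
# PKCS#12 containers carry the private key, so they need protected handling.
PRIVATE_KEY_SUFFIXES = {".p12", ".pfx"}


def plan_bundle_import(bundle_bytes, technical_keys):
    """Sort the files of a certificate bundle before a bulk import.

    matched      {Technical Key: [file names]} files that map to an IED
    skipped      files whose name is not a Technical Key in the project
    unsupported  files whose extension is not a supported format
    missing      Technical Keys that have no certificate in the bundle
    private_key  matched files that contain a private key (.p12/.pfx)
    """
    keys = set(technical_keys)
    plan = {"matched": {}, "skipped": [], "unsupported": [],
            "missing": [], "private_key": []}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        for info in bundle.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffix = path.suffix.lower()
            if suffix not in ALLOWED_SUFFIXES:
                plan["unsupported"].append(info.filename)
            elif path.stem in keys:
                plan["matched"].setdefault(path.stem, []).append(info.filename)
                if suffix in PRIVATE_KEY_SUFFIXES:
                    plan["private_key"].append(info.filename)
            else:
                # The guideline says PCM600 skips such a file with a warning.
                plan["skipped"].append(info.filename)
    plan["missing"] = sorted(keys - set(plan["matched"]))
    return plan


def build_sample_bundle():
    """Constructed sample bundle: only the file names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        for name in ("AA1J1Q01A1.p12", "AA1J1Q02A1.p7b",
                     "AA1J1Q09A1.cer", "readme.txt"):
            bundle.writestr(name, b"placeholder, not a certificate")
    return buf.getvalue()


# Technical Keys of the IEDs in the (constructed) project.
SAMPLE_PROJECT_KEYS = ["AA1J1Q01A1", "AA1J1Q02A1", "AA1J1Q03A1"]

if __name__ == "__main__":
    for section, value in plan_bundle_import(build_sample_bundle(),
                                             SAMPLE_PROJECT_KEYS).items():
        print(section, value)
```

An IED listed under `missing` keeps whatever certificate it already has, which matters when the bundle is a redeployment ahead of certificate expiry.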

5.4.2.3 Centralized Account Management Configuration GUID-F6BE8767-2BB1-4184-BFE3-CAD47F9B125D v1

Centralized Account Management Configuration tab is used to fill the details of the AD server
and write to the IED.

Figure 67: Local configuration


AD server URL must contain IP address and port number of the CAM server.

The URL should be in the format “ldap://<ipaddr>:<portnumber>” or
“ldaps://<ipaddr>:<portnumber>”.

SDM600 Configuration check box must be disabled while configuring AD server.

The emergency account is an optional field, but it is recommended to configure it in case of
exigency.

See Section 5.3.2.3 for more details on emergency account.

The AD server certificate can contain IP address of the host in the Subject Alternative Name
field. In this case, IED verifies the certificate IP address against the URL.

If the AD server certificate contains only the DNS of the host in the Subject Alternative Name
field, the DNS of the host must be configured in the Server DNS Name field in the
configuration.

Ensure that all the parameters are written or set correctly before writing the CAM
configuration to the IED, else this can lead to lock out of the IED in case the emergency
account is not configured.

Generally “ldap” string in URL represents the unsecured transmission which
uses default port 389 and “ldaps” represents the secured version of LDAP
which uses Transport Layer Security for secured communication over port 636.
IED always initiates secure communication irrespective of secured or
unsecured URL in CAM configuration.
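
Because a wrong parameter can lock out the IED, the URL and Subject Alternative Name rules given for both the LDAP and the AD configuration can be checked before the write. The following is an added example, not ABB or PCM600 code: the function and argument names are hypothetical, the SAN entries are supplied by the caller, and requiring the Server DNS Name to equal a SAN entry is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Default ports named in the guideline for each URL scheme.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_cam_config(url, san_ips, san_dns, server_dns_name="",
                     emergency_account=False):
    """Return (severity, message) findings for a planned CAM configuration.

    url               value intended for the server URL field
    san_ips, san_dns  SAN entries read from the server certificate
    server_dns_name   value intended for the Server DNS Name field
    emergency_account True if an emergency account is written as well
    """
    findings = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return [("error", "URL cannot be parsed")]

    if parts.scheme not in DEFAULT_PORTS:
        findings.append(("error", f"scheme {parts.scheme!r} is not ldap or ldaps"))

    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append(("error", "port number is not valid"))
    else:
        if port is None:
            findings.append(("error", "URL must contain a port number"))

    try:
        host_ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        host_ip = None
        findings.append(("error", "URL must contain an IP address"))

    san_ip_set = {ipaddress.ip_address(ip) for ip in san_ips}
    dns_names = {name.lower() for name in san_dns}
    if san_ip_set:
        # The IED verifies the certificate IP address against the URL.
        if host_ip is not None and host_ip not in san_ip_set:
            findings.append(("error", f"{host_ip} is not in the certificate SAN"))
    elif dns_names:
        # DNS-only certificate: the Server DNS Name field must be configured.
        if not server_dns_name:
            findings.append(("error", "DNS-only SAN but Server DNS Name is empty"))
        elif server_dns_name.lower() not in dns_names:
            # Assumption of this sketch: the name must equal a SAN entry.
            findings.append(("error", "Server DNS Name is not in the certificate SAN"))
    else:
        findings.append(("warning", "certificate has no IP or DNS SAN entry"))

    if parts.scheme in DEFAULT_PORTS and port not in (None, DEFAULT_PORTS[parts.scheme]):
        findings.append(("info", f"port {port} is not the default for {parts.scheme}"))

    if not emergency_account:
        # Without an emergency account, any error above means lockout risk.
        severity = "error" if any(s == "error" for s, _ in findings) else "warning"
        findings.append((severity, "no emergency account configured"))
    return findings


if __name__ == "__main__":
    # Constructed values; 192.0.2.0/24 is a documentation address range.
    for finding in check_cam_config("ldap://192.0.2.10:636", ["192.0.2.11"], []):
        print(finding)
```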

5.4.2.4 Enabling CAM from PCM600 GUID-84BEE5B1-6D23-468D-9718-1FAC6343503D v1

Once the configuration is done, then save the configuration and write to the IED to enable the
CAM in IED.

5.4.3 Limitations in User management GUID-BAAC489C-0402-4964-AA05-2EC278E34642 v1

• There is a limitation from the IED that the full name or display name should be provided as
the user name while logging in to the AD server from IED.
• User name and password should contain only ASCII (American Standard Code for
Information Interchange) characters.
• The display name should be of maximum 31 characters and password should be of
maximum 24 characters.
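
The display-name limits above, together with the groups to roles rules in Section 5.4.2.1 (at most 50 mapped groups, at least one user whose group maps to SECADM), can be checked against a directory export before CAM is enabled. The following is an added example, not ABB or PCM600 code: the input layout, function name and finding codes are hypothetical, and the users and groups are constructed.

```python
# Role names from Table 7 of this guideline.
IED_ROLES = {"VIEWER", "OPERATOR", "ENGINEER", "INSTALLER",
             "SECADM", "SECAUD", "RBACMNT", "ADMINISTRATOR"}
MAX_MAPPED_GROUPS = 50   # limit stated in Section 5.4.2.1
MAX_DISPLAY_NAME = 31    # limit stated in Section 5.4.3


def audit_ad_export(users, group_to_role):
    """Return (severity, code, subject) findings.

    users          list of {"display_name": str, "groups": [str]}
    group_to_role  {AD group name: IED role} as planned for the mapping
    """
    findings = []
    if len(group_to_role) > MAX_MAPPED_GROUPS:
        findings.append(("error", "TOO_MANY_GROUPS", str(len(group_to_role))))
    for group, role in sorted(group_to_role.items()):
        if role not in IED_ROLES:
            findings.append(("error", "UNKNOWN_ROLE", group))

    secadm_groups = {g for g, r in group_to_role.items() if r == "SECADM"}
    usable_secadm = False
    for user in users:
        name = user["display_name"]
        groups = set(user["groups"])
        usable = True
        # The display name is what is entered as user name on the IED.
        if not name.isascii():
            findings.append(("error", "NON_ASCII_NAME", name))
            usable = False
        if len(name) > MAX_DISPLAY_NAME:
            findings.append(("error", "NAME_TOO_LONG", name))
            usable = False
        if groups.isdisjoint(group_to_role):
            findings.append(("info", "NO_MAPPED_GROUP", name))
        # Choice made in this sketch: a SECADM member only counts if the
        # display name can actually be entered on the IED.
        if usable and groups & secadm_groups:
            usable_secadm = True

    if not usable_secadm:
        findings.append(("error", "NO_USABLE_SECADM", "-"))
    return findings


# Constructed sample data.
SAMPLE_MAPPING = {
    "SubstationEngineers": "ENGINEER",
    "SubstationSecurity": "SECADM",
    "ControlRoom": "OPERATOR",
}
SAMPLE_USERS = [
    {"display_name": "Asha Rao", "groups": ["SubstationEngineers"]},
    {"display_name": "Jörg Müller", "groups": ["SubstationSecurity"]},
    {"display_name": "Operator With A Very Long Display Name",
     "groups": ["ControlRoom"]},
    {"display_name": "Temp Contractor", "groups": ["Visitors"]},
]

if __name__ == "__main__":
    for finding in audit_ad_export(SAMPLE_USERS, SAMPLE_MAPPING):
        print(finding)
```

In the sample, the only member of the SECADM-mapped group has a non-ASCII display name, so the audit reports that no usable security administrator exists even though the mapping itself is complete.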

5.4.4 Password permissions and policies

5.4.4.1 Password permissions GUID-3ECF2230-B971-4301-A417-4EACCF5D226B v1

Users in the AD server can be created using the password permissions shown in Figure 68.

Figure 68: Permissions that can be given to AD server users

1. User must change the password at next login: Creating users in the AD server using this
password permission is not recommended, as the IED does not support changing the
password during the first login. When a user with this permission set tries to log in
for the first time without changing the password, the error message (Password must be
changed) is displayed on the LHMI and PCM600, and the login is denied. In
this case the user may change the password using a Windows machine connected to the AD
server.
2. Password never expires: When a user with the Password never expires permission logs in
successfully through the LHMI or PCM600, the warning message (Password for this user
account never expires) is always displayed on the LHMI or PCM600 and the user is allowed to
log in.

5.4.4.2 Password expiry GUID-903AC9E7-9F43-45DE-A4AB-0F447C7AFC45 v1

If password of any AD user is going to expire within 10 days, then password expiry warning is
displayed on LHMI or PCM600. Once the user attempts to login through LHMI / PCM600 then
login will be successful.

Once the password is expired then the user will not be allowed to login through the IED.

If the UTC time in the IED is different to that of AD server then the password
expiry may not work as expected.

5.4.4.3 Password change GUID-7CF99D25-1941-407D-B74A-B7676F01D1EC v1

The password can be changed from both the LHMI and PCM600. The IED abides by the password
policy set in the AD server.

5.4.4.4 Password policy GUID-20DB1999-0A4D-4E08-A5CC-F2182E22357B v1

The password must contain at least three of the four character types:

• Uppercase, for example A to Z
• Lowercase, for example a to z
• Numeric, 0 to 9
• Nonalphanumeric, symbols such as !, #, %, or &

The maximum password length allowed in the IED is 24 characters.

5.5 Certificate package GUID-072F62FE-C85C-4F31-B62B-69D59A432EE6 v1

The supported certificate packages in IED are PKCS12 and PKCS7.

5.5.1 PKCS12 (p12) file GUID-7C3398BD-54A3-481A-AB99-5B2EAF2B2060 v1

The PKCS12 file contains:

• Client certificate
• The private key associated with the client certificate
• A Trust anchor certificate

The PKCS12 file can be protected with a password, as it contains the private key associated
with the client certificate.

The password for the p12 file should be protected. Normal password protection procedures
and guidelines will apply, for example, use a secure password, do not store the password in
clear text and do not share/publish the password, etc.

Client Certificate
The communication between the device and the LDAP/AD server will be protected using TLS
mutual authentication.

The certificate contained in the configuration will be used by the device to self authenticate
towards the LDAP/AD. In this case the certificate is used as a client certificate. This is the
client authentication part of the TLS mutual authentication.

This certificate can also be used by services on the IED, that is, it can also act as
a server certificate on the IED.

It is recommended to deploy certificates with key length of 2048 in the IED.
The NSA (National Security Agency) recommendation is that RSA keys of 2048 bit
key size are acceptable.

The client certificate must contain the IP address of the client as its Subject
Alternative Name and the IP address must be at the top in SAN details as
shown in Figure 69 and Figure 70.

Figure 69: Sample client certificate

Figure 70: Sample client certificate

Trust anchor certificate


This certificate should be present in the PKCS12 file.

The trust anchor certificate identifies the organization which the device will trust.

The trust anchor certificate will typically be the Root Certificate of the Certificate Authority
that issues all certificates for devices and applications in the system. In other words, this
device will trust any TLS peer that presents a certificate that has a "chain of trust" back to the
trust anchor certificate.

5.5.2 PKCS7 file GUID-C12706AC-0BA3-4724-B121-D5F411CA3741 v1

The file format of PKCS7 certificate is .p7b.

The PKCS7 file contains:

• A Trust anchor certificate containing the Root CA certificate or Intermediate CA
certificate.

Trust anchor certificates


This certificate should be present in the PKCS7 file.

The trust anchor certificate identifies the organization which the device will trust.

The trust anchor certificate will typically be the Root Certificate or the Intermediate CA of the
Certificate Authority that has issued the certificate for the CAM server.

5.6 Redeployment of certificate GUID-77D6D4B4-E102-4E3E-B076-191E9F70F476 v1

To redeploy the certificate, the Import and Write Certificates option in PCM600 can be used.
When the IED certificate is about to expire, UAL events prior to 30 days of expiry will be
generated. The user must redeploy the certificate before it expires. If the certificate has
already expired, the user may not be able to communicate with the CAM server.

In this case the user has two options:

1. Boot the IED after turning off authority in the recovery menu and redeploy the certificates.
2. Disable CAM and delete the certificate under the recovery menu; in this case the CAM server
must be configured freshly, including certificates.

5.7 FST update and upgrade GUID-AF8D26E3-DF95-43B9-A34E-C5535180583E v1

1. In case of FST update, CAM configuration will not be modified.
2. In case of FST upgrade, CAM configuration will be reset to factory default.

5.8 Restore Point GUID-B2745FD4-677A-49CD-BA94-3F68A926B8FC v1

1. Restore point creation will copy the CAM configuration, emergency account, IED certificates,
groups to roles mapping (in the case of AD server) and rights to roles mapping.
2. Upon revert to a restore point, the CAM configuration, emergency account, IED certificates,
groups to roles mapping (in the case of AD server) and rights to roles mapping present in the
restore point will be applied.

5.9 Predefined user roles GUID-DA25A28A-1E94-4B1D-A0FC-EA151070FA48 v3

There are different roles of users that can access or operate different areas of the IED and tool
functions.

The meaning of the legends used in the table:

• X= Full access rights


• R= Only reading rights
• - = No access rights

Table 7: Predefined user roles according to IEC 62351-8

Access rights                   VIEWER  OPERATOR  ENGINEER  INSTALLER  SECADM  SECAUD  RBACMNT  ADMINISTRATOR
Config – Basic                  -       -         X         X          -       -       -        -
Config – Advanced               -       -         X         X          -       -       -        -
FileTransfer – Tools            -       -         X         X          -       -       -        -
UserAdministration              -       -         -         -          X       -       X        X
Setting – Basic                 R       -         X         X          -       -       -        -
Setting – Advanced              R       -         X         X          -       -       -        -
Control – Basic                 -       X         X         -          -       -       -        -
Control – Advanced              -       X         X         -          -       -       -        -
IEDCmd – Basic                  -       X         X         -          -       -       -        -
IEDCmd – Advanced               -       -         X         -          -       -       -        -
FileTransfer – Limited          -       X         X         X          X       X       X        X
DB Access normal                -       X         X         X          X       X       X        X
Audit log read                  -       -         -         -          -       X       -        X
Setting – Change Setting Group  -       X         X         X          -       -       -        -
Security Advanced               -       -         -         -          -       X       -        X

ADMINISTRATOR is a vendor specific user role and not specified in IEC 62351-8

Table 8: Access rights explanation

Access rights                   Explanation
Config – Basic                  Configuration – Basic is intended for engineers that only adapt an
                                existing configuration e.g. the I/O-Configuration using SMT
Config – Advanced               Configuration – Advanced is intended for engineers that do the whole
                                application engineering and using e.g. ACT
FileTransfer – Tools            FileTransfer – Tools is used for some configuration files for the
                                configuration and shall have the same value as Config – Advanced
UserAdministration              UserAdministration is used to handle user management e.g. adding new
                                user
Setting – Basic                 Setting – Basic is used for basic settings e.g. control settings and
                                limit supervision
Setting – Advanced              Setting – Advanced is used for the relay engineer to set settings e.g.
                                for the protection functions
Control – Basic                 Control – Basic is used for a normal operator without possibility to
                                bypass safety functions e.g. interlock or synchro-check bypass
Control – Advanced              Control – Advanced is used for an operator that is trusted to do
                                process commands that can be dangerous
IEDCmd – Basic                  IEDCmd – Basic is used for commands to the IED that are not critical
                                e.g. Clear LEDs, manual triggering of disturbances
IEDCmd – Advanced               IEDCmd – Advanced is used for commands to the IED that can hide
                                information e.g. Clear disturbance record
FileTransfer – Limited          FileTransfer - Limited is used for access to disturbance files e.g.
                                through FTP
DB Access normal                Database access for normal user. This is needed for all users that
                                access data from PCM
Audit log read                  Audit log read allows reading the audit log from the IED
Setting – Change Setting Group  Setting – Change Setting Group is separated to be able to include the
                                possibility to change the setting group without changing any other
                                setting
Security Advanced               Security Advanced is the privilege required to do some of the more
                                advanced security-related settings

IED users can be created, deleted and edited only in the CAM server. From the LHMI or
PCM600, no users can be created nor changed when Central Account Management has been
enabled in the IED. However, user rights are edited using the PCM600 user tool (IEDUM) and
password can be changed from PCM600 or LHMI.

At delivery, the IED has a default Administrator defined with full access rights. PCM600 uses
this default user to access the IED. This user is automatically removed in IED when CAM is
enabled.

Only characters A - Z, a - z and 0 - 9 shall be used in user names. User names are
not case sensitive. For passwords see the Password policies.

In order to allow the IED to communicate with PCM600 when users are defined
in the CAM server, the access rights “UserAdministration” and “FileTransfer —
Limited” must be applied to at least one user. User rights are assigned using
the PCM600 user tool (IEDUM).

"DB Access normal" and "FileTransfer – Limited" are required for PCM600
access to the IED.

5.10 Trouble shooting Central Account Management GUID-8D0E0946-801B-4697-8DFD-17752A20FEF2 v3

To know the status of the Central Account Management, the diagnostics information is
provided on Local HMI. This is available under Diagnostics/Communication/CAM status/
CAMStatus

1. When IED is not configured with any users, the default status of the CAMStatus
diagnostics will be:

Figure 71: CAM default status


2. When IED is configured with local users, the default status of the CAMStatus diagnostics
will be:

Figure 72: CAM diagnostics default status


3. When the IED is configured with Central Account Management, then CAMStatus will be:

Figure 73: IED CAM configured status

When the CAM server is configured with SDM600 server along with
replication, only then the replication status is shown.

Table 9: CAM Status

Label         Rationale                          Values           Remarks
UAMMode       User account management mode       Builtin          When IED is configured with PCM users
                                                 Local            When IED is configured with default users
                                                 Central          When Central Account Management is active
Replication   Indicates the status of the last   Not replicated   When replication is not configured
              replication                        Good             When last replication was successful
                                                 Failed           When last replication cycle has failed
Last Update   Indicates the last update of the   Never            When replication was not configured
              status information above.          Timestamp        Time when successful replication took place.

4. Errors during activation of CAM or redeployment of Certificates:

Table 10: Errors

Symptoms:
   PCM error CAM enabling failed.
   or
   Security event 3810 CAM server communication failed.
   or
   Security event 3820 Replication performed. No users replicated!
   or
   Security event 3830 Replication attempted but failed. No capacity.

Probable causes:
   Wrong configuration parameters (e.g. LDAP address…).
   Server(s) not reachable during activation, or an invalid or wrong certificate is deployed.
   In case replication is enabled, the replica is not valid (no users or more than 100 users in
   the replication group).

Solution:
   Check IED CAM configuration parameters.
   In case of security event 3810 CAM server communication failed: Check if servers are
   reachable and the IED is connected. Also, check if the deployed certificates are valid.
   In case of 3820 Replication performed. No users replicated! or 3830 Replication attempted
   but failed. No capacity: Check if there are sufficient users in the replication group and
   there are not more than 100 users in the replication group.
   If the Central Account Management is activated without replication to a non existent
   Central Account Management server or with incorrect configuration, or in case of an invalid
   certificate being redeployed, the only way to disable Central Account Management is
   through the Maintenance menu on the Local HMI.


If the initial activation of CAM fails, the IED reverts to local UAM or default
users. Access to the device is possible using the local default credentials. If
syslog is not configured then security events can be read from Event
Viewer tool in PCM600.

5. Server not reachable during runtime:

Table 11: Runtime symptoms

| Symptoms | Probable causes | Solution |
|---|---|---|
| If the server is offline during authentication or during replication or during password change then Security Event: 3810 CAM Server communication failed is raised. Security Event: 3810 CAM Server communication failed. | Server(s) not reachable | Check if LDAP server is up and running. Check IED connection. |

Authentication will continue to work based on the latest local LDAP Replica
if replication is enabled. After reconnection with the server(s),
authentication will again run via the LDAP server and the local replica will
be updated.

If the emergency account is enabled, it is activated once the CAM server is
offline. For more details, refer to Section 5.3.2.3 above.

6. Local replication failed.


Figure 74: Replication status


Table 12: Replication symptoms

| Symptoms | Probable causes | Solution |
|---|---|---|
| Diagnostics: Replication Failed. ReplicaLastUpdate shows the time when last successful replication. Security Event: 3810 CAM Server communication failed | Server(s) not reachable. Server configuration has changed. | Check if LDAP server is up and running. Verify with system administrator that LDAP settings are still valid. Check the IED connection. |

Authentication will continue to work based on the latest local LDAP replica.
After reconnection with the server(s), authentication will again run via the
LDAP server and the local replica will be updated.

5.10.1 Certificate information on local HMI

Information about the currently installed certificates can be found in the local HMI by
traversing the menu tree using the arrow keys: Main menu/Diagnostics/Communication


Figure 75: Certificates view


In the Certificates view, certificate information is grouped according to usage. Selecting CAM
and pressing will show information about the certificates used for Central Account
Management.

Only the categories with installed certificates are shown. If no external, trusted or CAM
certificates are installed then a category named internal is shown which lists the certificates
generated by the device.

In figure 76, two certificates are shown for the selected usage.


Figure 76: CAM certificates


By pressing on a menu item without information in the right field more information will be
shown. For instance, by pressing in the Issued to menu item shown in figure 77 below,
more information will be shown as in figure 78 below.


Figure 77: Detailed certificate information


Figure 78: Certificate issued to


5.11 Authorization with Central Account Management enabled IED

The user rights can be edited in the IED by using the PCM600 user tool.

One user can have one or several user roles. By default, the users in Table 13 are created in the
IED, and when creating new users in the CAM server, the predefined roles from Table 14 can be
used.

At delivery, the IED user has full access as SuperUser when using the LHMI and
as Administrator when using FTP or PCM600 until Central Account
Management is activated.

Table 13: Default users

| User name | User rights |
|---|---|
| SuperUser | Full rights, only presented in LHMI. LHMI is logged on by default until other users are defined |
| Guest | Only read rights, only presented in LHMI. LHMI is logged on by default when other users are defined (same as VIEWER) |
| Administrator | Full rights. Password: Administrator. This user has to be used when reading out disturbances with third party FTP-client. |

Table 14: Predefined user roles according to IEC 62351-8

| User roles | Role explanation | User rights |
|---|---|---|
| VIEWER | Viewer | Can read parameters and browse the menus from LHMI |
| OPERATOR | Operator | Can read parameters and browse the menus as well as perform control actions |
| ENGINEER | Engineer | Can create and load configurations and change settings for the IED and also run commands and manage disturbances |
| INSTALLER | Installer | Can load configurations and change settings for the IED |
| SECADM | Security administrator | Can change role assignments and security settings. Can deploy certificates. |
| SECAUD | Security auditor | Can view audit logs |
| RBACMNT | RBAC management | Can change role assignment |
| ADMINISTRATOR | Administrator rights | Sum of all rights for SECADM, SECAUD and RBACMNT. This User role is vendor specific and not defined in IEC 62351–8 |

Changes in user management settings do not cause an IED reboot.

The successful activation of Central Account Management will disable built-in users or remove
all locally created users from PCM600.


Management of user credentials and roles is handled on the Central Account Management
server e.g. SDM600. The IED employs two strategies to ensure availability of the
authentication system even if there is a problem with the network or authentication server:

• A substation can be equipped with two redundant authentication servers operating in a
  hot standby mode.
• If configured by the security administrator, the IED itself maintains a local replica in the
database with selected users. This database is periodically updated with data from the
server and used as fallback if none of the servers are reachable.
• If there is no replication support in the CAM server, then there is a possibility to configure
the emergency account in the IED, which gets activated when CAM server is offline.

Note that not all users in the SDM600 server are part of the replica. There might be users that
are not assigned to any replication group. The IED only replicates those users that are part of
the replication group configured in the IED.

All communication between the central management and the IEDs is protected using secure
communication. Customers are required to generate and distribute certificates during the
engineering process of the substation. These certificates ensure mutual trust between the IED
and the CAM server, for example SDM600.

Table 15: Authority-related IED functions

| Function | Description |
|---|---|
| Authority status ATHSTAT | This function is an indication function block for user logon activity. User denied attempt to logon and user successful logon are reported. |
| Authority check ATHCHCK | To safeguard the interests of our customers, both the IED and the tools that are accessing the IED are protected, by means of authorization handling. The authorization handling of the IED and the PCM600 is implemented at both access points to the IED: local, through the local HMI; remote, through the communication ports. The IED users can be created, deleted and edited only in the CAM server. |
| Authority management AUTHMAN | This function enables/disables the maintenance menu. It also controls the maintenance menu logon time out. |

For more information on the functions Authority Management (AUTHMAN), Authority Status
(ATHSTAT), and Authority Check (ATHCHCK), refer to chapter “Basic IED functions”
in the Technical Manual.

5.12 PCM600 access to Central Account Management enabled IED

During normal access, e.g. parameter writing to the IED from PCM600, the user interaction is
very similar to that of an IED without Central Account Management enabled. The following
steps are included in the process:

• When a login is needed, the login dialog is presented to the user.
• When the user name and password are entered, the user credentials are sent to the IED.
• The IED forwards these credentials to the Central Account Management server to
  authenticate the user and get the user roles back. If a user has multiple roles, then the
  privilege the user gets is the union of all the roles.
    • If the IED fails in accessing the Central Account Management server, the local replica
      of the users is used to authenticate the user and get the user roles back. If there
      is no replication support and an emergency account is configured, the emergency
      account can be used while the CAM server is unavailable.
• The IED checks the rights for the roles and ensures that only actions authorized by those
  rights are allowed.

If communication with the Central Account Management server is lost, the
current password for the replicated user will not expire until the
communication with the server is re-established.

When the user tries to communicate with an IED using PCM600, PCM600
validates the “Certificate” presented by the IED. If new warnings or errors are
found during certificate validation, PCM600 displays a Security Warning to the
user. In this situation, the user needs to take appropriate action on the security
warning to continue communicating with the IED.

If the user tries to authenticate towards a Central Account Management
enabled IED using PCM600, with credentials that will expire in the near future, a
new warning will be shown to the user and an option to change the password
will be provided.

5.12.1 Changing password

Users can also change their own password from PCM600 or LHMI. The following process is
used:

1. A change password dialog is presented to the user in PCM600 or LHMI
2. The IED forwards this to the Central Account Management server
   • The password can only be changed if the IED has contact with the Central Account
     Management server
3. The Central Account Management server verifies the password against the password
   policies
   • If it fails, an error code is sent back to the user
4. An acknowledgement is sent back to the IED and forwarded to PCM600 or LHMI
5. The user gets an acknowledgement that the password has changed

As soon as the IED gets feedback from the Central Account Management server that the
password is about to expire or that the password needs to be changed, the user will be forced
to change the password in case of SDM600.

The CAM Server will issue a warning message that the password is going to expire (for
instance in 5 days) if this feature is configured in CAM Server. If the password has expired or is
not valid for other reasons, a new password must be set in the Central Account Management
server.

A change of password for any user, via PCM600 or LHMI, will force a replication of the users to
the IED. Otherwise, if the communication to the Central Account Management server is lost
shortly after the password is changed, the old password must be used until the connection to
the Central Account Management server is restored. All other IEDs in the system need to wait
until the next cyclic replication.
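
The login fallback from section 5.12 and the replication behaviour described above can be modelled to show why a password change does not take effect on every IED at once during a server outage. This is an added example, not ABB code: the class names, the right labels and the PBKDF2 credential storage are assumptions, and the emergency account is not modelled.

```python
import copy
import hashlib
import hmac
import os

# Role names from Table 14; the right labels are simplified placeholders (assumption).
ROLE_RIGHTS = {
    "VIEWER": {"read"},
    "OPERATOR": {"read", "control"},
    "ENGINEER": {"configure", "settings", "commands", "disturbances"},
    "INSTALLER": {"configure", "settings"},
    "SECADM": {"role-assignment", "security-settings", "certificates"},
    "SECAUD": {"audit-log"},
    "RBACMNT": {"role-assignment"},
}
ROLE_RIGHTS["ADMINISTRATOR"] = (
    ROLE_RIGHTS["SECADM"] | ROLE_RIGHTS["SECAUD"] | ROLE_RIGHTS["RBACMNT"])

def _hash(password, salt):
    # Stand-in for credential storage, which the guideline does not describe.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _verify(accounts, name, password):
    """Return the user's roles, or None for an unknown user or wrong password."""
    acct = accounts.get(name)
    if acct is None:
        return None
    ok = hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))
    return acct["roles"] if ok else None

class CamServer:
    """Toy CAM server: accounts, roles and replication-group membership."""
    def __init__(self):
        self.online, self.accounts = True, {}

    def add_user(self, name, password, roles, replicated=True):
        salt = os.urandom(16)
        self.accounts[name] = {"salt": salt, "hash": _hash(password, salt),
                               "roles": set(roles), "replicated": replicated}

    def set_password(self, name, password):
        acct = self.accounts[name]
        acct["hash"] = _hash(password, acct["salt"])

    def replication_group(self):
        return {n: copy.deepcopy(a) for n, a in self.accounts.items() if a["replicated"]}

class Ied:
    """Toy IED with replication enabled; records event numbers for outages and password changes."""
    def __init__(self, server):
        self.server, self.replica, self.events = server, {}, []

    def replicate(self):
        if not self.server.online:
            self.events.append(3810)          # CAM_SRV_COMM_FAIL
            return False
        self.replica = self.server.replication_group()
        return True

    def login(self, name, password):
        """Return (source, rights); rights is None when access is denied."""
        if self.server.online:
            source, roles = "server", _verify(self.server.accounts, name, password)
        else:
            self.events.append(3810)          # fall back to the local replica
            source, roles = "replica", _verify(self.replica, name, password)
        if roles is None:
            return (source, None)
        # A user with several roles gets the union of the roles' rights.
        return (source, set().union(*(ROLE_RIGHTS[r] for r in roles)))

    def change_password(self, name, old, new):
        if not self.server.online:            # only possible with server contact
            self.events += [3810, 2220]
            return False
        if _verify(self.server.accounts, name, old) is None:
            self.events += [1130, 2220]       # old password invalid
            return False
        self.server.set_password(name, new)
        self.events.append(2210)              # USER_PW_CHANGE_OK
        self.replicate()                      # forces replication to this IED only
        return True

def stale_replica_scenario():
    server = CamServer()
    server.add_user("alice", "Old-Pass-1", ["OPERATOR", "SECAUD"])
    server.add_user("bob", "Bob-Pass-1", ["VIEWER"], replicated=False)
    ied_a, ied_b = Ied(server), Ied(server)
    ied_a.replicate(), ied_b.replicate()      # last cyclic replication
    ied_a.change_password("alice", "Old-Pass-1", "New-Pass-2")
    server.online = False                     # outage before ied_b's next cycle
    logins = {"a_new": (ied_a, "alice", "New-Pass-2"), "a_old": (ied_a, "alice", "Old-Pass-1"),
              "b_new": (ied_b, "alice", "New-Pass-2"), "b_old": (ied_b, "alice", "Old-Pass-1"),
              "b_bob": (ied_b, "bob", "Bob-Pass-1")}
    return {k: ied.login(user, pw) for k, (ied, user, pw) in logins.items()}
```

In this model ied_b keeps accepting the old password from its replica and refuses the new one until the server is reachable again, while bob, who is outside the replication group, cannot log in on either IED during the outage.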

Changing password


1. Right click on the IED in plant structure and select IED users tool.
2. Go to General Tab.
3. Click on Change Own Password. The following dialog appears:


Figure 79: Change own password


4. Enter the details and click the OK button. The password is changed and the result of
   the operation is indicated in the PCM600 output window.

5.12.2 Error messages

When a user wants to access the IED or change the password, the attempt might fail. In such
cases the user is informed that it failed and is given a reason.

The tables below list the possible error messages. The UAL column marks if the error is logged
as a security event. The User feedback column marks the message to the user. In some cases
another error is listed and will be presented to the user.


Table 16: Error indications from failed login

| Description | EVENT NUMBER | User feedback |
|---|---|---|
| Login successful. An additional password expiry time can be sent by the CAM server. This information contains the number of seconds for which the password is still valid at the time the authentication was executed.* If the password policy for an user is set as Password never expires in AD server.** If the password policy for an user is set as User must change the password at next login in AD server.*** | 1110 | *: Your password will expire in x days. Do you want to change it? **: Password for this user account never expires. ***: Password must be changed. |
| Login successful. When in Central Account Management: Password has expired and the user had grace logins left. (Of which one was used for this login).* When in PCM600 users: Password expired login OK.** | 1115 | *: Password must be changed. **: Login OK, password expired. |
| Login failed | 1120 | Access denied |
| Login failed. Password has expired. User should contact the system administrator to reset the password. | 1150 | Password expired |
| Login failed 3 times (in case of PCM600 users only) | 1170 | Login blocked for this ID! |
| An error occurred during authentication. (E.g. No server connection and replica.)* An error occurred during authentication and when emergency account is configured.** | | *Error in the Central Account Server! ** Centralized Account Management Server is offline or communication problem, please login with emergency account. |
| User authentication has failed due to wrong username and/or password. | 1130 | Access denied |

Table 17: Error indications from failed change password

| Description | EVENT NUMBER | User feedback |
|---|---|---|
| Password of <User name> has been successfully changed to <new password> | 2210 | Password change successful |
| Provided credentials <old password> could not be used to login. Password is not changed. | 1130 + 2220 | Old password invalid. |
| Provided credentials <old password> already expired. Password is not changed. | 1150 + 2220 | Password expired |
| Password <new password> did not fulfill the password policy of the CAM server. Password is not changed. | 2235 | Password do not meet policy requirement |
| CAM server failed to write password to the provider. Password is not changed. | 2220 | Error in the Central Account Server! |
| Connection to CAM server could not be established or connection has been terminated unexpectedly. Verify status and connectivity of the CAM server. Password is not changed. | 2220 | Error in the Central Account Server! |
| Generic error. Password is not changed. | 2220 | Error in the Central Account Server! |


Section 6 User activity logging


6.1 Activity logging protocol

Activity Logging can be reported from the IED through two different protocols; either IEC
61850 or Syslog. Syslog is a standard for computer message logging (RFC 5424). For IEC
61850, configuration is as for buffered reporting. Syslog is configured through a number of
parameters where the Syslog server is defined. The IED is the Syslog client and it sends the
events to the Syslog server.

Both IEC 61850 and Syslog are to be seen as online protocols when it comes to activity
logging. Events that occur while IEC 61850 or Syslog communication is down are not
retransmitted. In this case, use PCM600 to read out the activity logging from
the IED.

6.2 Activity logging ACTIVLOG

ACTIVLOG contains all settings for activity logging.

There can be 6 external log servers to send syslog events to. Each server can be configured
with IP address, IP port number and protocol format. The format can be either syslog (RFC
5424) or Common Event Format (CEF) from ArcSight.

6.3 Settings

Table 18: ACTIVLOG Non group settings (basic)

| Name | Values (Range) | Unit | Step | Default | Description |
|---|---|---|---|---|---|
| ExtLogSrv1Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 1 type |
| ExtLogSrv1Port | 1 - 65535 | - | 1 | 514 | External log server 1 port number |
| ExtLogSrv1IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 1 IP-address |
| ExtLogSrv2Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 2 type |
| ExtLogSrv2Port | 1 - 65535 | - | 1 | 514 | External log server 2 port number |
| ExtLogSrv2IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 2 IP-address |
| ExtLogSrv3Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 3 type |
| ExtLogSrv3Port | 1 - 65535 | - | 1 | 514 | External log server 3 port number |
| ExtLogSrv3IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 3 IP-address |
| ExtLogSrv4Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 4 type |
| ExtLogSrv4Port | 1 - 65535 | - | 1 | 514 | External log server 4 port number |
| ExtLogSrv4IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 4 IP-address |
| ExtLogSrv5Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 5 type |
| ExtLogSrv5Port | 1 - 65535 | - | 1 | 514 | External log server 5 port number |
| ExtLogSrv5IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 5 IP-address |
| ExtLogSrv6Type | Off; SYSLOG UDP/IP; SYSLOG TCP/IP; CEF TCP/IP | - | - | Off | External log server 6 type |
| ExtLogSrv6Port | 1 - 65535 | - | 1 | 514 | External log server 6 port number |
| ExtLogSrv6IP | 0 - 18 | IP Address | 1 | 127.0.0.1 | External log server 6 IP-address |

6.4 Generic security application GSAL

As a logical node, GSAL is used for monitoring security violations regarding authorization,
access control and inactive association, including authorization failure. Therefore, all the
information in GSAL can be configured to be reported to an IEC 61850 client. For more
information about GSAL, see the IEC 61850 Edition 2 Communication Protocol Manual.

6.5 Security alarm SECALARM

The function creates and distributes security events for mapping the security events on
protocols such as DNP3.

It is possible to map respective protocol to the signals of interest and configure them for
monitoring with the Communication Management tool (CMT) in PCM600. No events are
mapped by default.

Parameter names:

• EVENTID: Event ID of the generated security event
• SEQNUMBER: Sequence number of the generated security event

Figure 80: Function block, Security alarm SECALARM


6.5.1 Signals

Table 19: SECALARM Output signals

| Name | Type | Description |
|---|---|---|
| EVENTID | INTEGER | EventId of the generated security event |
| SEQNUMBER | INTEGER | Sequence number of the generated security event |

6.5.2 Settings

Table 20: SECALARM Non group settings (basic)

| Name | Values (Range) | Unit | Step | Default | Description |
|---|---|---|---|---|---|
| Operation | Off; On | - | - | On | Operation On/Off |

6.6 About Security events

Relevant user operations are logged as security events. A security event contains an event ID, a
time stamp, a sequence number, the user name, the severity of the action and the name of the
source. These events can be sent to external security log servers using Syslog. The log servers
are configured from PCM600. Syslog is a standard protocol for event logging.

To be able to access the security logs, the user needs the role SECAUD (security
auditor) or the access right “Audit log read”.

Relion® 670 series can store up to 10240 security events.

6.7 Event types

The following table contains the event types that can be logged, including their IEC 61850
mapping on the logical node GSAL.

Table 21: Event type codes

| Event number | Acronyms | GSAL mapping | English |
|---|---|---|---|
| 1110 | LOGIN_OK | GSAL.Ina | Login successful |
| 1115 | LOGIN_OK_PW_EXPIRED | GSAL.Ina | Password expired, login successful |
| 1120 | LOGIN_FAIL_UNKNOWN_USER | GSAL.AuthFail | Login failed - Unknown user |
| 1130 | LOGIN_FAIL_WRONG_CR | GSAL.AuthFail | Login failed - Wrong credentials |
| 1150 | LOGIN_FAIL_PW_EXPIRED | GSAL.AuthFail | Login failed - Password expired |
| 1170 | LOGIN_FAIL_3_TIMES | GSAL.AuthFail | Login failed 3 times |
| 1210 | LOGOUT_USER | GSAL.Ina | Logout (user logged out) |
| 1370 | VIEW_SEC_EV_LIST_OK | GSAL.Ina | Viewed security event logs successfully |
| 1380 | PARAM_CHANGE_OK | GSAL.Ina | Parameter changed successfully |
| 1460 | PARAM_CHANGE_FAIL_RIGHTS | GSAL.AcsCtlFail | Parameter changes failed — no rights |
| 1470 | PARAM_CHANGE_FAIL_RANGE | GSAL.SvcViol | Parameter change failed - out of range |
| 1510 | SW_UPDATE_INIT | GSAL.Ina | Software update initiated successfully |
| 1520 | SW_UPDATE_OK | GSAL.Ina | Software updated successfully |
| 1610 | SW_UPDATE_FAIL | GSAL.Ina | Device software update failed |
| 1680 | DEL_DIST_REC_OK | GSAL.Ina | Disturbance records deleted successfully |
| 1682 | DEL_DIST_REC_FAIL | GSAL.Ina | Deleted disturbance records failed |
| 1710 | CONFIG_RESET_FACTORY_DEF | GSAL.Ina | Device reset to factory default |
| 2110 | USER_ACCNT_CREATE_OK | GSAL.Ina | User account created successfully |
| 2120 | USER_ACCNT_DEL_OK | GSAL.Ina | User account deleted successfully |
| 2130 | USER_ACCNT_CREATE_FAIL | GSAL.SvcViol | User account creation failed |
| 2140 | USER_ACCNT_DEL_FAIL | GSAL.SvcViol | User account deletion failed |
| 2160 | USER_NEW_ROLE_OK | GSAL.Ina | New role assigned to user successfully |
| 2170 | USER_ROLE_REMOVED_OK | GSAL.Ina | User role assignment removed successfully |
| 2210 | USER_PW_CHANGE_OK | GSAL.SvcViol | User password changed successfully |
| 2220 | USER_PW_CHANGE_FAIL | GSAL.SvcViol | Change of user password failed |
| 2233 | USER_PW_CHANGE_FAIL_SHORT | GSAL.SvcViol | User password change failed — too short |
| 2235 | USER_PW_CHANGE_FAIL_POLICY | GSAL.SvcViol | User Password change failed - policy check failed |
| 3710 | CAM_SRV_COMM_OK | GSAL.Ina | CAM Server communication successful |
| 3810 | CAM_SRV_COMM_FAIL | GSAL.Ina | CAM Server communication failed |
| 3820 | CAM_REPLICATION_NO_USERS | GSAL.Ina | Replication performed. No users replicated! |
| 3830 | CAM_REPLICATION_NO_CAPACITY | GSAL.Ina | Replication attempted but failed. No capacity. |
| 4210 | SSL_CONN_FAIL_CERT | GSAL.AuthFail | SSL Connection failed - Certificate validation failed |
| 5110 | MANUAL_RESET | GSAL.Ina | Manual reset |
| 5270 | SYS_STARTUP | GSAL.Ina | System startup |
| 5280 | SYS_SHUTTING_DOWN | GSAL.Ina | System shutting down |
| 6110 | TEST_MODE_START_OK | GSAL.Ina | Test Mode started successfully |
| 6120 | TEST_MODE_END | GSAL.Ina | Test mode ended successfully |
| 6130 | CONTRL_OP_PERF_OK | GSAL.Ina | Control operation performed successfully |
| 6132 | CONTRL_OP_PERF_FAIL | GSAL.Ina | Failed to perform a control operation |
| 6140 | SIGN_FORCED_VALUE | GSAL.Ina | Signal forced - value changed successfully |
| 6170 | SIMULATION_MODE_START_OK | GSAL.Ina | Simulation mode started successfully |
| 6175 | SIMULATION_MODE_END | GSAL.Ina | Simulation mode ended successfully |
| 7310 | HW_CHANGE_DETECTED | GSAL.Ina | Hardware change detected |
| 8010 | RECOV_PREV_CONFIG_OK | GSAL.Ina | Recovery of previous configuration successful |
| 8020 | DATE_TIME_SET_OK | GSAL.Ina | Date and time set successfully |
| 8030 | NEW_CERT_GEN_OK | GSAL.Ina | New certificate generated successfully |
| 8210 | RECOV_PREV_CONFIG_FAIL | GSAL.Ina | Recovery of previous configuration failed |
| 8230 | NEW_CERT_GEN_FAIL | GSAL.Ina | New certificate generation failed |
| 9010 | ATT_DET_FLOODING | GSAL.Ina | Flooding attack detected |
| 9530 | PKI_CERT_EXP_NEAR | GSAL.Ina | Certificate about to expire |
| 9620 | X509_CERT_EXPIRED | GSAL.Ina | Certificate validation failed - Certificate expired |
| 9640 | X509_CERT_UNTRUSTED | GSAL.Ina | Certificate validation failed - Certificate signature check failed |
| 10010 | MAINT_ENTER_MENU_OK | GSAL.Ina | Device successfully entered maintenance menu due to user action |
| 10020 | MAINT_FORCED_MENU_OK | GSAL.Ina | Device successfully forced into maintenance menu due to new state |
| 10030 | MAINT_FTP_ACTIV_OK | GSAL.Ina | FTP server successfully activated from maintenance menu |
| 10032 | MAINT_FTP_ACTIV_FAIL | GSAL.Ina | Activation of FTP server from maintenance menu failed |
| 10040 | MAINT_UPDATE_ABORT_OK | GSAL.Ina | Firmware update procedure aborted successfully |
| 10042 | MAINT_UPDATE_ABORT_FAIL | GSAL.Ina | Failed to abort firmware update procedure |
| 10050 | MAINT_RECOVERY_ENTER_OK | GSAL.Ina | Recovery menu entered successfully |
| 10052 | MAINT_RECOVERY_ENTER_FAIL | GSAL.Ina | Failed to enter Recovery menu |
| 10060 | MAINT_AUTH_DIS_OK | GSAL.Ina | Authentication disabled from maintenance menu successfully |
| 10070 | MAINT_CHANGE_LOCK_DIS_OK | GSAL.Ina | Change lock disabled successfully from Maintenance menu |
| 10080 | MAINT_61850_DIS_OK | GSAL.Ina | IEC 61850 disabled successfully from Maintenance menu |
| 13200 | TRANSFER_CONFIG_OK | GSAL.Ina | Configuration transferred to the device successfully |
| 13250 | CONFIG_MODE_ENTER_OK | GSAL.Ina | Entered configuration mode successfully |
| 13260 | CONFIG_MODE_EXIT_OK | GSAL.Ina | Exited configuration mode successfully |
| 13400 | TRANSFER_FIRMW_OK | GSAL.Ina | Firmware transferred to the device successfully |
| 13500 | READ_FIRMW_OK | GSAL.Ina | Firmware files read/exported from the device successfully |
| 13520 | TRANSFER_CERTS_OK | GSAL.Ina | Certificates transferred to the device successfully |
| 13580 | READ_CERTS_OK | GSAL.Ina | Exported/read certificates from device successfully |
| 13610 | ADD_ENTITY_CERT_OK | GSAL.Ina | Installed entity certificate successfully |
| 13620 | REMOVE_ENTITY_CERT_OK | GSAL.Ina | Removed entity certificate successfully |
| 13630 | ADD_TRUST_ANCHOR_CERT_OK | GSAL.Ina | Installed trust anchor certificate successfully |
| 13640 | REMOVE_TRUST_ANCHOR_CERT_OK | GSAL.Ina | Removed entity certificate successfully |
| 14200 | TRANSFER_CONFIG_FAIL | GSAL.SvcViol | Failed to transfer configuration to the device |
| 14250 | CONFIG_MODE_ENTER_FAIL | GSAL.Ina | Failed to enter configuration mode |
| 14260 | CONFIG_MODE_EXIT_FAIL | GSAL.Ina | Failed to exit configuration mode |
| 14400 | TRANSFER_FIRMW_FAIL | GSAL.SvcViol | Failed to transfer firmware to the device |
| 14500 | READ_FIRMW_FAIL | GSAL.Ina | Failed to read firmware files from the device |
| 14520 | TRANSFER_CERTS_FAIL | GSAL.Ina | Failed to transfer certificates to the device |
| 14580 | READ_CERTS_FAIL | GSAL.Ina | Failed to read certificates from the device |
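
Because events are not retransmitted after a Syslog outage (section 6.1) and every security event carries a sequence number (section 6.6), a log server can detect missed events per IED and surface the event numbers from Table 21 that deserve review. This is an added example, not part of the ABB documentation: the message layout (RFC 5424 header, event number in MSGID, `seq=` and `user=` in the message text), the host names and the watchlist are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Event number -> (acronym, GSAL mapping), copied from Table 21 (subset).
EVENT_TYPES = {
    1110: ("LOGIN_OK", "GSAL.Ina"),
    1130: ("LOGIN_FAIL_WRONG_CR", "GSAL.AuthFail"),
    1170: ("LOGIN_FAIL_3_TIMES", "GSAL.AuthFail"),
    1380: ("PARAM_CHANGE_OK", "GSAL.Ina"),
    1460: ("PARAM_CHANGE_FAIL_RIGHTS", "GSAL.AcsCtlFail"),
    2220: ("USER_PW_CHANGE_FAIL", "GSAL.SvcViol"),
    3810: ("CAM_SRV_COMM_FAIL", "GSAL.Ina"),
    4210: ("SSL_CONN_FAIL_CERT", "GSAL.AuthFail"),
    10060: ("MAINT_AUTH_DIS_OK", "GSAL.Ina"),
}
FAILURE_MAPPINGS = {"GSAL.AuthFail", "GSAL.AcsCtlFail", "GSAL.SvcViol"}
# Events mapped to GSAL.Ina that this example still surfaces (editor's choice):
# filtering on the failure mappings alone would not show them.
WATCHLIST = {3810, 10060}

# ASSUMED message layout, not taken from the guideline: RFC 5424 header with the
# event number in MSGID, then "seq=<n> user=<name>" as the message text.
# Also assumed: the sequence number increases by one per event and per IED.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ "
    r"(?P<event>\d+) - seq=(?P<seq>\d+) user=(?P<user>\S+)$"
)

# Constructed sample input (not real IED output).
SAMPLE = """\
<86>1 2020-05-04T10:15:01Z ied-a1 IED - 1110 - seq=100 user=engineer1
<84>1 2020-05-04T10:20:10Z ied-a1 IED - 1130 - seq=101 user=operator2
<84>1 2020-05-04T10:20:20Z ied-a1 IED - 1130 - seq=102 user=operator2
<84>1 2020-05-04T10:20:31Z ied-a1 IED - 1130 - seq=103 user=operator2
<84>1 2020-05-04T10:20:31Z ied-a1 IED - 1170 - seq=104 user=operator2
<85>1 2020-05-04T11:02:00Z ied-b2 IED - 3810 - seq=40 user=-
<85>1 2020-05-04T11:40:00Z ied-b2 IED - 10060 - seq=44 user=SuperUser
<86>1 2020-05-04T11:41:00Z ied-b2 IED - 1380 - seq=45 user=SuperUser
not a syslog line
""".splitlines()


def parse_line(line):
    """Return the event as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    number = int(m["event"])
    acronym, gsal = EVENT_TYPES.get(number, ("UNKNOWN", "unmapped"))
    return {"ts": m["ts"], "host": m["host"], "event": number, "acronym": acronym,
            "gsal": gsal, "seq": int(m["seq"]), "user": m["user"],
            "severity": int(m["pri"]) % 8}


def analyse(lines):
    """Find sequence gaps per IED and events that need review."""
    last_seq, gaps, alerts, unparsed = {}, [], [], []
    wrong_credentials = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        host, seq = ev["host"], ev["seq"]
        prev = last_seq.get(host)
        if prev is not None and seq > prev + 1:
            # Events prev+1 .. seq-1 never arrived; read them out with PCM600.
            gaps.append((host, prev + 1, seq - 1))
        last_seq[host] = seq if prev is None else max(prev, seq)
        if ev["gsal"] in FAILURE_MAPPINGS or ev["event"] in WATCHLIST:
            alerts.append((host, ev["event"], ev["acronym"], ev["user"]))
        if ev["event"] == 1130:
            wrong_credentials[(host, ev["user"])] += 1
    return {"gaps": gaps, "alerts": alerts, "unparsed": unparsed,
            "wrong_credentials": dict(wrong_credentials)}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for host, first, last in result["gaps"]:
        print(f"{host}: events {first}-{last} missing, read out the log with PCM600")
    for host, number, acronym, user in result["alerts"]:
        print(f"{host}: {number} {acronym} user={user}")
```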


Section 7 Local HMI use

At delivery, login is not required and the user has full access until users and passwords are
created with PCM600 and written into the IED. The LHMI is logged on as SuperUser by default
until other users are defined.

Commands, changing parameter values and resetting indications, for example, are actions
requiring password when the password protection is activated. Reading information on the
LHMI is always allowed without password. The LHMI is logged on as Guest by default when
other users are defined.

Utility security policies and practical considerations should always be taken into
account when deciding on the feasibility of using passwords. In emergency
situations, the use of passwords could delay urgent actions. When security issues
must be met, the two factors must be seriously considered.

The auxiliary power supply to the IED must not be switched off before changes
such as passwords, setting parameter or local/remote control state changes
are saved.

7.1 Logging on

1. Press to activate the login procedure.
   The login is also activated when attempting a password-protected operation.
2. Press to activate the User field.
If CAM is activated an on-screen keyboard is shown.
3. Type in the user name using the on-screen keyboard.
You can end user name editing at any time by pressing while the user field is focused
(or navigate to the OK button and press ), or press (or navigate to the Cancel
button and press ) to abort the login attempt.
If CAM is not activated select the user by scrolling with and , and press to
confirm.


Figure 81: Selecting the user name


4. Select OK on the on-screen keyboard and press to stop editing the user name.
5. Press to select the Password field and press to activate it.
An on-screen keyboard is shown.


Each added character is shown for a short time, then hidden with an asterisk character ‘*’
to enhance security. You can end password editing at any time by pressing while the
password field is focused (or navigate to the OK button and press ) to attempt to
login, or press (or navigate to the Cancel button and press ) to abort the login
attempt.
When the cursor is moved, the newly selected character is shown for a short time.


6. Type in the password using the on-screen keyboard.


Figure 82: Entering the password

Passwords are case sensitive.

Only characters A - Z, a - z and 0 - 9 shall be used in user names. User
names are not case sensitive. For passwords see the Password policies in
PCM600.

7. Select OK on the on-screen keyboard and press to stop editing the password.
8. Select OK in the Log on dialog and press to confirm the login, or press or Cancel
to cancel the procedure.
If the login fails, a message is displayed on the display.


Figure 83: Error message indicating an incorrect password


If a false password is entered three times, the login is blocked for that ID and the
following message is displayed:


Figure 84: Error message indicating blocked ID


The logon dialog appears if the attempted operation requires another
level of user rights.

Once a user is created and written into the IED, login is possible with the
password assigned in the tool. If there is no user created, an attempt to
login causes the display to show a corresponding message.


Figure 85: No user defined

7.2 Logging off

The user is automatically logged off after the display timeout. The IED returns to a state where
only reading is enabled. Manual logoff is also possible.

1. Press .
2. To confirm logoff, select Yes and press .


Figure 86: Logging off

• To cancel logoff, press .

7.3 Saving settings

Editable values are stored in the nonvolatile flash memory. Most of the parameter changes
take effect immediately after storing, but some parameter changes require application
restart. Values stored in the flash memory remain in effect also after reboot.

1. Press to confirm any changes.


2. Press to move upwards in the menu tree or to enter the Main Menu.
3. To save the changes in nonvolatile memory, select Yes and press .
• To exit without saving changes, select No and press .
• To cancel saving settings, select Cancel and press .


Pressing Cancel in the Save changes dialog closes only the Save changes dialog
box; the IED remains in the editing mode. Changes already applied to any
setting are not lost, and changing settings can continue. To leave the change
setting mode, select No or Yes in the Save changes dialog.

After changing the parameters marked with the exclamation mark “!”, the IED
restarts automatically for the changes to take effect.

7.4 Function Keys

Function keys are used as shortcut keys to traverse the menu, or they can be mapped as inputs to
any function/component to control or block the component from the LHMI.


Figure 87: LHMI keypad with function buttons

1...5 Function buttons


When users are configured through local or central account management, the default behavior
of the function keys is to operate only if a user is logged in and the user has the required
rights. This authentication check can be bypassed per function key by changing
ReqAuthority from ON to OFF. To change this setting, the user must have the Security
advanced right.

By disabling the authentication, control operation mapped to the function key
will be performed without user authentication.

7.5 Maintenance menu

It is possible to disable the Maintenance menu. This is done by setting the parameter
MaintMenuEnable to No in the Group AUTHMAN: 1 using the Parameter settings in PCM600.

If the Maintenance menu is disabled, there is no way to bypass authority if
passwords are forgotten. To be able to perform a field update, the Maintenance menu
has to be re-enabled.

To enter this menu, the IED must be rebooted and a specific key combination must be pressed
on the LHMI during the IED boot sequence.

1. Switch off the power supply to the IED and leave it off for one minute.
2. Switch on the power supply to the IED and press and hold down and until the
Maintenance Menu appears on the LHMI (this takes around 20-60 s).

Maintenance Menu
1. Activate FTP server
2. Abort IED-update
3. Display IP address
4. View system event log
5. Recovery Menu (Password protected)
Press Clear to continue start-up

Figure 88: Maintenance menu

7.5.1 Maintenance menu default PIN change

This section describes how to change the default Maintenance Menu PIN value.

1. In Maintenance Menu, navigate down and select Recovery Menu and press or .


Maintenance Menu
1. Activate FTP server
2. Abort IED-update
3. Display IP address
4. View system event log
5. Recovery Menu (Password protected)
Press Clear to continue start-up

Figure 89: Select Recovery menu


2. Enter PIN code and press .

Enter PIN code


****

Figure 90: Enter PIN code

In a newly produced IED, the default PIN is 8282. The default PIN 8282 is
valid only if the PIN has never been changed; if the PIN has been changed, use the new PIN to
enter the Recovery Menu.

3. On the Recovery Menu, select the Change PIN option to change the PIN.

Recovery Menu
5.1 Turn off Authority (temporary)
5.2 Turn off Change-lock (temporary)
5.3 Turn off IEC61850
5.4 Revert to IED defaults
5.5 Delete Certificates and Disable CAM
5.6 Restore Points
5.7 Change PIN
Press Clear to continue start-up

Figure 91: Change PIN


The Change PIN screen is displayed.

Change PIN

Enter PIN : ****


Re-enter : ****

OK Cancel

Figure 92: Change PIN screen


4. Provide the required PIN and press OK.


The allowed characters are only numeric (0-9) with scrolling option.

5. A validation process is performed on the entered PIN and the re-entered PIN.
• If the validation fails, an appropriate message is displayed to the user and the “Change
Menu” prompt is displayed.
• If the validation succeeds, a PIN changed successful message is displayed and the
new PIN is hashed and stored in MRAM.
6. Press Cancel to discard the PIN change operation.

Resetting the PIN


SecAdmin can reset the PIN to factory default (8282) on the LHMI using the Clear PIN option.
This option is available under /Main menu/Clear.

This menu option is enabled only when the PIN is changed.


Figure 93: Menu option screen

UAL event
There are a few UAL scenarios related to the Maintenance menu default PIN change:

Table 22: UAL events

Events | Description
UAL_EV_2210_USER_PW_CHANGE_OK | The USER_PW_CHANGE_OK UAL event is generated with extra information “Maintenance Menu PIN” and username “Anonymous” when the PIN is changed.
UAL_EV_1730_PW_RESET_FACTORY_DEF | The PW_RESET_FACTORY_DEF event is generated with extra information “Maintenance Menu PIN RESET” and the username of the SecAdm user who has reset the PIN, when the PIN is reset to default.
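
The two events in Table 22 can be monitored in forwarded security logs to track which IEDs are back on the default Recovery Menu PIN. The following Python example is added here and is not part of the ABB guideline; only the event names and extra-information strings come from Table 22, while the "<time> key=value" record layout, the IED names, the user names and the "User password" extra text are constructed assumptions.

```python
import shlex

# Event name and extra-information pairs exactly as listed in Table 22.
PIN_CHANGE = ("UAL_EV_2210_USER_PW_CHANGE_OK", "Maintenance Menu PIN")
PIN_RESET = ("UAL_EV_1730_PW_RESET_FACTORY_DEF", "Maintenance Menu PIN RESET")

# Constructed sample records. The layout is an assumption for this example and
# is not the IED's real log format; adapt parse_line() to the collector in use.
SAMPLE_LINES = [
    '2020-05-11T10:02:10Z ied=BAY1 event=UAL_EV_1730_PW_RESET_FACTORY_DEF '
    'user=secadm1 extra="Maintenance Menu PIN RESET"',
    '2020-05-11T08:14:02Z ied=BAY1 event=UAL_EV_2210_USER_PW_CHANGE_OK '
    'user=Anonymous extra="Maintenance Menu PIN"',
    # Same event name, but an ordinary password change: must not be reported.
    '2020-05-11T09:30:45Z ied=BAY2 event=UAL_EV_2210_USER_PW_CHANGE_OK '
    'user=operator1 extra="User password"',
    '2020-05-11T10:05:00Z ied=BAY3 event=UAL_EV_2210_USER_PW_CHANGE_OK '
    'user=Anonymous extra="Maintenance Menu PIN"',
    # Truncated record with an unterminated quote: counted as unparsed.
    '2020-05-11T10:06:30Z ied=BAY3 event=UAL_EV_2210_USER_PW_CHANGE_OK '
    'user=Anonymous extra="Maintenance Menu',
]

REQUIRED_FIELDS = {"ied", "event", "user", "extra"}


def parse_line(line):
    """Return the record as a dict, or None if the line is malformed."""
    try:
        tokens = shlex.split(line)  # keeps quoted values together
    except ValueError:  # unbalanced quotes
        return None
    if len(tokens) < 2:
        return None
    record = {"time": tokens[0]}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        record[key] = value
    return record if REQUIRED_FIELDS <= record.keys() else None


def classify(record):
    """Map a record to 'changed', 'default' or None (not a PIN event).

    The event name alone is not enough: USER_PW_CHANGE_OK only concerns the
    Maintenance Menu PIN when the extra information says so.
    """
    key = (record["event"], record["extra"].strip())
    if key == PIN_CHANGE:
        return "changed"
    if key == PIN_RESET:
        return "default"
    return None


def review(lines):
    """Return (findings, last known PIN state per IED, unparsed line count)."""
    records, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed += 1
        else:
            records.append(record)
    findings, state = [], {}
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    for record in sorted(records, key=lambda r: r["time"]):
        kind = classify(record)
        if kind is not None:
            findings.append((record["time"], record["ied"], kind, record["user"]))
            state[record["ied"]] = kind
    return findings, state, unparsed


def ieds_on_default_pin(state):
    """IEDs whose most recent PIN event was a reset to the factory default."""
    return sorted(ied for ied, kind in state.items() if kind == "default")


if __name__ == "__main__":
    findings, state, unparsed = review(SAMPLE_LINES)
    for time, ied, kind, user in findings:
        print(f"{time} {ied}: Maintenance Menu PIN {kind} (user {user})")
    print("IEDs on default PIN:", ieds_on_default_pin(state))
    print("Unparsed lines:", unparsed)
```

IEDs that have never logged either event do not appear in the result, so a newly produced IED or one whose PIN was reset by an FST upgrade or a revert to IED defaults still has to be checked separately.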


FST upgrade/update:

Depending on the FST operation, the PIN value is affected as follows:

• For the FST update, the PIN is not modified.
• For the FST upgrade, the PIN is set to the default 8282.

7.5.2 Recovering password

This section is only valid for PCM600 users. For Central Account Management
users, the administrator should reset the password in the Central Account
Management server (SDM600/LDAP server/AD server).

In case of password loss or any other file system error that prevents the IED from working
properly, the whole file system can be restored to the IED default state. All the default settings and
configuration files stored in the IED at the factory are restored. One important usage of this
menu is to disable the authority system. This can be used to recover an IED where the
user-defined passwords are lost.

To enter this menu, the IED must be rebooted and a specific key combination must be pressed
on the LHMI during the IED boot sequence.

1. In Maintenance menu, navigate down and select Recovery Menu and press or .

Maintenance Menu
1. Activate FTP server
2. Abort IED-update
3. Display IP address
4. View system event log
5. Recovery Menu (Password protected)
Press Clear to continue start-up

Figure 94: Select Recovery menu


2. Enter PIN code and press .

Enter PIN code


****

Figure 95: Enter PIN code


3. Select Turn off authority and press or .


Recovery Menu
5.1 Turn off Authority (temporary)
5.2 Turn off Change-lock (temporary)
5.3 Turn off IEC61850
5.4 Revert to IED defaults
5.5 Delete Certificates and Disable CAM
5.6 Restore Points
5.7 Change PIN
Press Clear to continue start-up

Figure 96: Turn off Authority


4. Select OK to turn off the authority and press .


Figure 97: Confirm selection


In a Central Account Management enabled IED, the IED will be set to default after “Turn off
authority”. For an IED with local account management, the sequence below is applicable.
5. Press to continue the startup sequence (the authority is now temporarily disabled
until the next reboot of the IED).

To cancel the operation in any step, press .

Open PCM600 and start the IED Users tool.

• Remove the faulty user
• Create a new user with the same access rights
• Write the user management settings to the IED

The IED performs a reboot, the new settings are activated and the authority system is enabled
again.

The Maintenance Menu is only available on the Local HMI. The purpose of this
menu is to provide a way to recover in the field in different situations. The
recovery menu is also protected with a 4-digit PIN code, fixed for all IEDs.

Avoid unnecessary restoring of factory IED default setting (Revert to IED
defaults), since all parameter settings earlier written to the IED are overwritten
with factory default values.

When the IED is restored to factory defaults, the PIN is reset to the default 8282 and the default
password is reset back to administrator. Confirmation of the restored factory
IED default settings is shown on the display for a few seconds, after which the
IED restarts.


Revert to IED defaults will not remove the security events in the IED.

7.5.3 Fallback access

There exists a fallback solution to access the IED via the Maintenance menu. Since the Maintenance
menu requires direct access to the IED and a restart of the device, this will be reported in the
system.

In the Maintenance menu there are two options:

• Temporarily disable authentication until next reboot of the device. This is also applicable
for local account management IEDs.
• Delete Certificates, Disable CAM?: This deletes all certificates in the IED and disables
Central Account Management. It is persistent, and the Central Account Management
deployment has to be done again in the IED.

For customers that do not allow any fallback, this fallback functionality can be disabled by
setting parameter MaintMenuDisAuth in: Main Menu/Configuration/Communication/Cyber
security/AuthMan:1

When the IED is reverted to IED defaults through Maintenance menu, the
certificates will be deleted.

7.5.4 Restore points

Restore points can be used to restore the IED to a previous configuration.

A total of three restore points can be active; one of these is reserved for the “IED update
functionality” and two can be created by the user in the “Maintenance menu”.

1. In Maintenance menu, navigate down and select Recovery Menu and press or .

Maintenance Menu
1. Activate FTP server
2. Abort IED-update
3. Display IP address
4. View system event log
5. Recovery Menu (Password protected)
Press Clear to continue start-up

Figure 98: Select Recovery menu


2. Enter PIN code 8282 and press .


Enter PIN code


****

Figure 99: Enter PIN code


3. Select Restore points menu and press .


Figure 100: Select Restore points


A listing of the restore points in the system is shown.


Figure 101: List of restore points


4. To create a restore point, navigate to “User restore point” and press .
5. To confirm, select OK and press .


Figure 102: Confirm selection


This will start a save of the current system state to a restore point and a progress screen
is shown during the update.


Figure 103: Current system state


6. Now the listing will include the created restore point.


Figure 104: Created restore points


7. For information about a specific restore point, select User restore point and press .


Figure 105: List of restore points


Here the system can be reverted to the system state of the restore point. In this menu,
the currently active restore point can be deleted or replaced.


Figure 106: Confirm selection

If a “Revert to restore point” is confirmed, the system will initiate a restore
and reboot.


Section 8 Standard compliance statement

8.1 Applicable standards

Cyber security issues have been the subject of standardization initiatives by ISA, IEEE, or IEC
for some time and ABB plays an active role in all these organizations, helping to define and
implement cyber security standards for power and industrial control systems.

Some of the cyber security standards which are most important for substation automation,
such as IEC 62351 and IEC 62443 (formerly ISA S99), are still under active development. ABB is
participating in the development by delegating subject matter experts to the committee
working on the respective standard. Since these standards are still under development, ABB
strongly recommends using existing common security measures available on the market,
for example, VPN for secure Ethernet communication.

An overview of applicable security standards and their status is shown in Table 23:

Table 23: Overview of cyber security standards


Standard | Main focus | Status
NERC CIP v5 | NERC CIP cyber security regulation for North American power utilities | Released, ongoing *
IEC 62351 | Data and communications security | Partly released, ongoing
IEEE 1686 | IEEE standard for substation intelligent electronic devices (IEDs) cyber security capabilities | Finalized
IEC 62443-4-2 | The standard IEC 62443-4-2, Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components. | Finalized

* Ongoing: major changes will affect the final solution.

ABB has identified cyber security as a key requirement and has developed a large number of
product features to support international cyber security standards such as NERC-CIP,
IEEE1686, as well as local activities like the German BDEW white paper.

The two standards IEC 62351 and IEC 62443 are still under revision. For interoperability
reasons, ABB recommends not implementing these standards yet. Nevertheless, ABB already considers
these standards today as a guideline for implementing product features or system
architectures.

Relion 670 IED supports compliance to FIPS algorithms enforced in the PCM600.


8.2 IEEE 1686 compliance

Table 24: IEEE 1686 compliance


Clause | Title | Status | Comment
5 | IED cyber security features | Acknowledge |
5.1 | Electronic access control | Acknowledge |
5.1.1 | IED access control overview | Comply | Access is protected for local access through control panel. Access is protected for local access through communication / diagnostic ports. Access is protected for remote access through a communication media
5.1.2 | Password defeat mechanisms | Comply |
5.1.3 | Number of individual users | Exceed | 20 unique ID/password combinations are supported (only applicable in Local User Account Management)
5.1.4 | Password construction | Comply | The minimum enforced password length is configurable. If password policy is enforced, minimum is 6. Use of mix of lower and UPPERCASE characters is enforced, configurable in password policies. Use of numerical values is enforced, configurable in password policies. Use of non-alphanumeric character (e.g. @, #, %, &, *) is enforced, configurable in password policies. When Central Account Management is active the password policy is not defined in the IED.
5.1.5 | IED access control | Acknowledge |
5.1.5.1 | Authorization levels by password | Comply |
5.1.5.2 | Authorization using role-based access control (RBAC) | Exceed | IED provides 8 user-defined roles.
5.1.6 | IED main security functions | Acknowledge |
5.1.6 a) | View data | Comply | Feature is accessible through individual user accounts.
5.1.6 b) | View configuration settings | Comply | Feature is accessible through individual user accounts.
5.1.6 c) | Force values | Comply | Feature is accessible through individual user accounts.
5.1.6 d) | Configuration change | Comply | Feature is accessible through individual user accounts.
5.1.6 e) | Firmware change | Comply | Feature is accessible through individual user accounts.
5.1.6 f) | ID/password or RBAC management | Comply | Feature is accessible through individual user accounts.
5.1.6 g) | Audit log | Comply | Feature is accessible through individual user accounts.
5.1.7 | Password display | Comply |
5.1.8 | Access time-out | Comply | A time-out feature exists. The time period is configurable by the user.
5.2 | Audit trail | Acknowledge |
5.2.1 | Audit trail background | Comply | The Audit log can be viewed through PCM600
5.2.2 | Storage capability | Comply |
5.2.3 | Storage record | Comply |
5.2.3 a) | Event record number | Comply |
5.2.3 b) | Time and date | Comply |
5.2.3 c) | User identification | Comply |
5.2.3 d) | Event type | Comply |
5.2.4 | Audit trail event types | Acknowledge |
5.2.4 a) | Login | Comply |
5.2.4 b) | Manual logout | Comply |
5.2.4 c) | Timed logout | Comply |
5.2.4 d) | Value forcing | Comply |
5.2.4 e) | Configuration access | Exception |
5.2.4 f) | Configuration change | Comply |
5.2.4 g) | Firmware change | Comply |
5.2.4 h) | ID/password creation or modification | Comply |
5.2.4 i) | ID/password deletion | Comply |
5.2.4 j) | Audit-log access | Comply |
5.2.4 k) | Time/date change | Comply |
5.2.4 l) | Alarm incident | Comply |
5.3 | Supervisory monitoring and control | Acknowledge |
5.3.1 | Overview of supervisory monitoring and control | Comply | Made available through IEC 61850 and syslog
5.3.2 | Events | Exception | Time/date change and configuration access not reported; otherwise compliant
5.3.3 | Alarms | Acknowledge |
5.3.3 a) | Unsuccessful login attempt | Comply |
5.3.3 b) | Reboot | Comply | A start-up event is created every boot
5.3.3 c) | Attempted use of unauthorized configuration software | Exception | Client certificates are not in use
5.3.3 d) | Invalid configuration or firmware download | Comply |
5.3.3 e) | Unauthorized configuration or firmware file | Exception | Not supported
5.3.3 f) | Time signal out of tolerance | Exception | IED validates the time synchronization messages but it does not alarm if message is not within the tolerances of the IED's clock
5.3.3 g) | Invalid field hardware changes | Comply | IED sends a hardware changed detected alarm.
5.3.4 | Alarm point change detect | Comply |
5.3.5 | Event and alarm grouping | Exception | Not supported
5.3.6 | Supervisory permissive control | Exception | Not supported
5.4 | IED cyber security features | Acknowledge |
5.4.1 | IED functionality compromise | Comply | Services and ports used for real-time protocols are listed in the user documentation.
5.4.2 | Specific cryptographic features | Exception | File transfer functionality provided by the IED uses File transfer protocol over TLS.
5.4.2 a) | Webserver functionality | Comply | Feature not supported
5.4.2 b) | File transfer functionality | Exception | File transfer protocol over TLS
5.4.2 c) | Text-oriented terminal connections | Comply | Feature not supported
5.4.2 d) | SNMP network management | Comply | Feature not supported
5.4.2 e) | Network time synchronization | Comply |
5.4.2 f) | Secure tunnel functionality | Comply | Feature not supported
5.4.3 | Cryptographic techniques | Comply | Recommendations from the NIST Computer Security Division are taken into account in the cryptographic techniques implemented by the IED
5.4.4 | Encrypting serial communications | Comply | Feature not supported
5.4.5 | Protocol-specific security features | Comply |
5.5 | IED configuration software | Acknowledge |
5.5.1 | Authentication | Exception | IED can be configured using unauthorized copies of the configuration software. However, configuration download is handled by authentication.
5.5.2 | Digital signature | Exception | Feature not supported
5.5.3 | ID/password control | Comply | Stored in the IED.
5.5.4 | ID/password controlled features | Comply |
5.5.4.1 | View configuration data | Comply |
5.5.4.2 | Change configuration data | Comply |
5.6 | Communications port access | Comply |
5.7 | Firmware quality assurance | Exception | Quality control is handled according to ISO9001 and CMMI.

8.3 Compliance Statement IEC 62443-4-2

This chapter contains a compliance statement of the 670 series security functionality against
the standard IEC 62443-4-2 Security for industrial automation and control systems – Part 4-2:
Technical security requirements for IACS components.

670 series devices are considered as embedded devices, so "Embedded device requirements"
have been selected.

The following requirement selections from the standard are not considered:

• Host device requirements
• Network device requirements

8.3.1 FR 1 – Identification and authentication control (IAC)

Table 25: FR 1 – Identification and authentication control (IAC)


CR | Security requirements | Security Level (SL-C)
IEC 62443-4-2 - 1.1 CR | Human user identification and authentication | 1
IEC 62443-4-2 - 1.1.1 CR RE | Unique identification and authentication | 2
IEC 62443-4-2 - 1.1.2 CR RE | Multifactor authentication for all interfaces | 3
IEC 62443-4-2 - 1.2 CR | Software process and device identification and authentication | 2
IEC 62443-4-2 - 1.2.1 CR RE | Unique identification and authentication | 3
IEC 62443-4-2 - 1.3 CR | Account management | 1
IEC 62443-4-2 - 1.4 CR | Identifier management | 1
IEC 62443-4-2 - 1.5 CR | Authenticator management | 1
IEC 62443-4-2 - 1.5.1 CR RE | Hardware security for authenticators | 3
IEC 62443-4-2 - 1.6 NDR | Wireless access management | 1
IEC 62443-4-2 - 1.6.1 NDR RE | Unique identification and authentication | 2
IEC 62443-4-2 - 1.7 CR | Strength of password-based authentication | 1
IEC 62443-4-2 - 1.7.1 CR RE | Password generation and lifetime restrictions for human users | 3
IEC 62443-4-2 - 1.7.2 CR RE | Password lifetime restrictions for all users (human, software process, or device) | 4
IEC 62443-4-2 - 1.8 CR | Public key infrastructure certificates | 2
IEC 62443-4-2 - 1.9 CR | Strength of public key authentication | 2
IEC 62443-4-2 - 1.9.1 CR RE | Hardware security for public key authentication | 3
IEC 62443-4-2 - 1.10 CR | Authenticator feedback | 1
IEC 62443-4-2 - 1.11 CR | Unsuccessful login attempts | 1
IEC 62443-4-2 - 1.12 CR | System use notification | 1
IEC 62443-4-2 - 1.13 NDR | Access via untrusted networks | 1
IEC 62443-4-2 - 1.13.1 NDR RE | Explicit access request approval | 3
IEC 62443-4-2 - 1.14 CR | Strength of symmetric key authentication | 2
IEC 62443-4-2 - 1.14.1 CR RE | Hardware security for symmetric key-based authentication | 3

8.3.2 FR 2 - Use control (UC)

Table 26: FR 2 - Use control (UC)


CR | Security requirements | Security Level (SL-C)
IEC 62443-4-2 - 2.1 CR | Authorization enforcement | 1
IEC 62443-4-2 - 2.1.1 CR RE | Authorization enforcement for all users (humans, software processes and devices) | 2
IEC 62443-4-2 - 2.1.2 CR RE | Permission mapping to roles | 2
IEC 62443-4-2 - 2.1.3 CR RE | Supervisor override | 3
IEC 62443-4-2 - 2.1.4 CR RE | Dual approval | 4
IEC 62443-4-2 - 2.2 CR | Wireless use control | 1
IEC 62443-4-2 - 2.3 CR | Use control for portable and mobile devices | 0
IEC 62443-4-2 - 2.4 SAR | Mobile code | 1
IEC 62443-4-2 - 2.4.1 SAR RE | Mobile code authenticity check | 2
IEC 62443-4-2 - 2.4 EDR | Mobile code | 1
IEC 62443-4-2 - 2.4.1 EDR RE | Mobile code authenticity check | 2
IEC 62443-4-2 - 2.4 HDR | Mobile code | 1
IEC 62443-4-2 - 2.4.1 HDR RE | Mobile code authenticity check | 2
IEC 62443-4-2 - 2.4 NDR | Mobile code | 1
IEC 62443-4-2 - 2.4.1 NDR RE | Mobile code authenticity check | 2
IEC 62443-4-2 - 2.5 CR | Session lock | 1
IEC 62443-4-2 - 2.6 CR | Remote session termination | 2
IEC 62443-4-2 - 2.7 CR | Concurrent session control | 3
IEC 62443-4-2 - 2.8 CR | Auditable events | 1
IEC 62443-4-2 - 2.9 CR | Audit storage capacity | 1
IEC 62443-4-2 - 2.9.1 CR RE | Warn when audit record storage capacity threshold reached | 3
IEC 62443-4-2 - 2.10 CR | Response to audit processing failures | 1
IEC 62443-4-2 - 2.11 CR | Timestamps | 1
IEC 62443-4-2 - 2.11.1 CR RE | Time synchronization | 2
IEC 62443-4-2 - 2.11.2 CR RE | Protection of time source integrity | 4
IEC 62443-4-2 - 2.12 CR | Non-repudiation | 3
IEC 62443-4-2 - 2.12.1 CR RE | Non-repudiation for all users | 4
IEC 62443-4-2 - 2.13 EDR | Use of physical diagnostic and test interfaces | 2
IEC 62443-4-2 - 2.13.1 EDR RE | Active monitoring | 3
IEC 62443-4-2 - 2.13 HDR | Use of physical diagnostic and test interfaces | 2
IEC 62443-4-2 - 2.13.1 HDR RE | Active monitoring | 3
IEC 62443-4-2 - 2.13 NDR | Use of physical diagnostic and test interfaces | 2
IEC 62443-4-2 - 2.13.1 NDR RE | Active monitoring | 3

8.3.3 FR 3 - System integrity (SI)

Table 27: FR 3 - System integrity (SI)


CR | Security requirements | Security Level (SL-C)
IEC 62443-4-2 - 3.1 CR | Communication integrity | 1
IEC 62443-4-2 - 3.1.1 CR RE | Communication authentication | 2
IEC 62443-4-2 - 3.2 SAR | Protection from malicious code | 1
IEC 62443-4-2 - 3.2 EDR | Protection from malicious code | 1
IEC 62443-4-2 - 3.2 HDR | Protection from malicious code | 1
IEC 62443-4-2 - 3.2.1 HDR RE | Report version of code protection | 2
IEC 62443-4-2 - 3.2 NDR | Protection from malicious code | 1
IEC 62443-4-2 - 3.3 CR | Security functionality verification | 1
IEC 62443-4-2 - 3.3.1 CR RE | Security functionality verification during normal operation | 4
IEC 62443-4-2 - 3.4 CR | Software and information integrity | 1
IEC 62443-4-2 - 3.4.1 CR RE | Authenticity of software and information | 2
IEC 62443-4-2 - 3.4.2 CR RE | Automated notification of integrity violations | 3
IEC 62443-4-2 - 3.5 CR | Input validation | 1
IEC 62443-4-2 - 3.6 CR | Deterministic output | 1
IEC 62443-4-2 - 3.7 CR | Error handling | 1
IEC 62443-4-2 - 3.8 CR | Session Integrity | 2
IEC 62443-4-2 - 3.9 CR | Protection of audit information | 2
IEC 62443-4-2 - 3.9.1 CR RE | Audit records on write-once media | 4
IEC 62443-4-2 - 3.10 EDR | Support for updates | 1
IEC 62443-4-2 - 3.10.1 EDR RE | Update authenticity and integrity | 2
IEC 62443-4-2 - 3.10 HDR | Support for updates | 1
IEC 62443-4-2 - 3.10.1 HDR RE | Update authenticity and integrity | 3
IEC 62443-4-2 - 3.10 NDR | Support for updates | 1
IEC 62443-4-2 - 3.10.1 NDR RE | Update authenticity and integrity | 2
IEC 62443-4-2 - 3.11 EDR | Physical tamper resistance and detection | 2
IEC 62443-4-2 - 3.11.1 EDR RE | Notification of a tampering attempt | 3
IEC 62443-4-2 - 3.11 HDR | Physical tamper resistance and detection | 2
IEC 62443-4-2 - 3.11.1 HDR RE | Notification of a tampering attempt | 3
IEC 62443-4-2 - 3.11 NDR | Physical tamper resistance and detection | 2
IEC 62443-4-2 - 3.11.1 NDR RE | Notification of a tampering attempt | 3
IEC 62443-4-2 - 3.12 EDR | Provisioning product supplier roots of trust | 2
IEC 62443-4-2 - 3.12 HDR | Provisioning product supplier roots of trust | 2
IEC 62443-4-2 - 3.12 NDR | Provisioning product supplier roots of trust | 2
IEC 62443-4-2 - 3.13 EDR | Provisioning asset owner roots of trust | 2
IEC 62443-4-2 - 3.13 HDR | Provisioning asset owner roots of trust | 2
IEC 62443-4-2 - 3.13 NDR | Provisioning asset owner roots of trust | 2
IEC 62443-4-2 - 3.14 EDR | Integrity of the boot process | 1
IEC 62443-4-2 - 3.14.1 EDR RE | Authenticity of the boot process | 2
IEC 62443-4-2 - 3.14 HDR | Integrity of the boot process | 1
IEC 62443-4-2 - 3.14.1 HDR RE | Authenticity of boot process | 2
IEC 62443-4-2 - 3.14 NDR | Integrity of the boot process | 1
IEC 62443-4-2 - 3.14.1 NDR RE | Authenticity of boot process | 2


8.3.4 FR 4 – Data confidentiality (DC)

Table 28: FR 4 – Data confidentiality (DC)


CR | Security requirements | Security Level (SL-C)
IEC 62443-4-2 - 4.1 CR | Information confidentiality | 1
IEC 62443-4-2 - 4.2 CR | Information persistence | 2
IEC 62443-4-2 - 4.2.1 CR RE | Erase of shared memory resources | 3
IEC 62443-4-2 - 4.2.2 CR RE | Erase verification | 3
IEC 62443-4-2 - 4.3 CR | Use of cryptography | 1

8.3.5 FR 5 – Restricted data flow (RDF)

Table 29: FR 5 – Restricted data flow (RDF)


CR | Security requirements | Security Level (SL-C)
IEC 62443-4-2 - 5.1 CR | Network segmentation | 1
IEC 62443-4-2 - 5.2 NDR | Zone boundary protection | 1
IEC 62443-4-2 - 5.2.1 NDR RE | Deny all, permit by exception | 2
IEC 62443-4-2 - 5.2.2 NDR RE | Island mode | 3
IEC 62443-4-2 - 5.2.3 NDR RE | Fail close | 3
IEC 62443-4-2 - 5.3 NDR | General, person-to-person communication restrictions | 1
IEC 62443-4-2 - 5.4 CR | Application partitioning | 0

8.3.6 FR 6 – Timely response to events (TRE)

Table 30: FR 6 – Timely response to events (TRE)


CR Security requirements Security Level (SL-C)
IEC 62443-4-2 - 6.1 CR Audit log accessibility 1
IEC 62443-4-2 - 6.1.1 CR RE Programmatic access to audit logs 3
IEC 62443-4-2 - 6.2 CR Continuous monitoring 2

8.3.7 FR 7 – Resource availability (RA)

Table 31: FR 7 – Resource availability (RA)


CR Security requirements Security Level (SL-C)
IEC 62443-4-2 - 7.1 CR Denial of Service protection 1
IEC 62443-4-2 - 7.1.1 CR RE (1) Manage communication load from component 2
IEC 62443-4-2 - 7.2 CR Resource management 1
IEC 62443-4-2 - 7.3 CR Control system backup 1
IEC 62443-4-2 - 7.3.1 CR RE Backup integrity verification 2
IEC 62443-4-2 - 7.4 CR Control system recovery and reconstitution 1
IEC 62443-4-2 - 7.5 CR Emergency Power 0
IEC 62443-4-2 - 7.6 CR Network and security configuration settings 1
IEC 62443-4-2 - 7.6.1 CR RE Machine-readable reporting of current security settings 3
IEC 62443-4-2 - 7.7 CR Least functionality 1
IEC 62443-4-2 - 7.8 CR Control system component inventory 2


Section 9 Glossary

AES Advanced Encryption Standard (AES) is a specification for the encryption
of electronic data. The key size used for an AES cipher specifies the
number of repetitions of transformation rounds that convert the input,
called the plaintext, into the final output, called the ciphertext. The
number of cycles of repetition is as follows: 10 cycles of repetition for
128-bit keys, 12 cycles of repetition for 192-bit keys, and 14 cycles of
repetition for 256-bit keys.
AGSAL Generic security application
ANSI American National Standards Institute
ASCII American Standard Code for Information Interchange (ASCII) is a
character-encoding scheme originally based on the English alphabet.
ASCII codes represent text in computers, communications equipment,
and other devices that use text.
CA In cryptography, a certificate authority, or certification authority (CA), is an
entity that issues digital certificates. The digital certificate certifies the
ownership of a public key by the named subject of the certificate.
CAM Central Account Management. Users, roles and rights are handled in a
Central Account Management server.
CMT Communication Management tool in PCM600
CPU Central processor unit
CRC Cyclic redundancy check
DARPA Defense Advanced Research Projects Agency (The US developer of the
TCP/IP protocol etc.)
DHCP Dynamic Host Configuration Protocol
DNP3 DNP3 (Distributed Network Protocol) is a set of communications
protocols used between components in process automation systems. Its
main use is in utilities such as electric and water companies. It plays a
crucial role in SCADA systems, where it is used by SCADA Master Stations
(aka Control Centers), Remote Terminal Units (RTUs), and Intelligent
Electronic Devices (IEDs). It is primarily used for communications
between a master station and RTUs or IEDs.
DOS Denial of service
EMC Electromagnetic compatibility
EN 50263 Electromagnetic compatibility (EMC) - Product standard for measuring
relays and protection equipment.
EN 60255-26 Electromagnetic compatibility (EMC) - Product standard for measuring
relays and protection equipment.
EN 60255-27 Electromagnetic compatibility (EMC) - Product standard for measuring
relays and protection equipment.
ESD Electrostatic discharge
FIPS Federal Information Processing Standards
FTP File Transfer Protocol (FTP) is a standard network protocol used to
transfer files from one host to another host over a TCP-based network,
such as the Internet.
FST Field Service Tool


FTPS FTPS (also known as FTP-ES, FTP-SSL and FTP Secure) is an extension to
the commonly used File Transfer Protocol (FTP) that adds support for the
Transport Layer Security (TLS) and the Secure Sockets Layer (SSL)
cryptographic protocols.
GDE Graphical display editor within PCM600
GOOSE Generic object-oriented substation event
GPS Global positioning system
GSM GPS time synchronization module
GTM GPS Time Module
HMI Human-machine interface
ID IDentification
IEC International Electrical Committee
IEC 60255 This standard specifies the general performance requirements of all
electrical measuring relays and protection equipment used in the
electrotechnical fields covered by the IEC.
IEC 60870-5-103 Communication standard for protective equipment. A serial master/slave
protocol for point-to-point communication
IEC 61850 Substation automation communication standard
IEC 61850–8–1 Communication protocol standard
IED Intelligent electronic device
IEDUM IED User Management
IEEE Institute of Electrical and Electronics Engineers
IEEE 1344 A standard that defines parameters for synchrophasors for power
systems. The standard also added extension to the IRIG-B time code to
cover year, time quality, daylight saving time, local time offset and leap
second information. IEEE 1344 was published in 1994 and was
superseded by IEEE C37.118 in 2005 and the time extensions were
adopted as part of the IRIG timing standard in the 2004 edition.
IEEE 1686 Standard for Substation Intelligent Electronic Devices (IEDs) Cyber
Security Capabilities
IEEE C37.118-2005 IEEE standard for synchrophasors for power systems. The standard was
published in 2006 and a new version of the standard was published in
December 2011 which split the IEEE C37.118-2005 into IEEE C37.118.1-2011
and IEEE C37.118.2-2011.
IEEE C37.118.1-2011 IEEE standard for synchrophasor measurements for power systems.
IEEE C37.118.1-2011 is superseded by IEEE C37.118.1a-2014.
IEEE C37.118.2-2011 IEEE standard for synchrophasor data transfer for power systems.
IP 1. Internet protocol. The network layer for the TCP/IP protocol suite
widely used on Ethernet networks. IP is a connectionless, best-effort
packet-switching protocol. It provides packet routing, fragmentation and
reassembly through the data link layer.
2. Ingression protection, according to IEC standard
IP 20 Ingression protection, according to IEC standard, level 20
ISO 9001 Set of standards for quality management.
IT Information technology
KEK Key encryption key. Key used to protect other keys (e.g. TEK, TSK).


LAN Local area network


LDAPS Secure Lightweight Directory Access Protocol
LED Light-emitting diode
LHMI Local Human Machine Interface, also Local HMI.
MicroSCADA System for supervision, control and data acquisition
NCC National Control Centre
ODBC Open Database Connectivity is a standard for accessing database
management systems (DBMS).
PC Personal Computer
PCI Peripheral component interconnect, a local data bus
PCM600 Protection and control IED manager
PIN Personal Identification Number
PKCS#12 Archive file format of the Public-Key Cryptography Standards for bundling
all the members of a chain of trust
PST Parameter setting tool within PCM600
RTU Remote terminal unit
SA Substation Automation
SCADA Supervision, control and data acquisition, see also MicroSCADA
SCT System configuration tool according to standard IEC 61850
SHA The Secure Hash Algorithm is a family of cryptographic hash functions.
The SHA-2 family comprises two similar hash functions, with different
block sizes, known as SHA-256 and SHA-512.
SMT Signal matrix tool within PCM600
SNTP Simple network time protocol – is used to synchronize computer clocks
on local area networks. This reduces the requirement to have accurate
hardware clocks in every embedded system in a network. Each embedded
node can instead synchronize with a remote clock, providing the required
accuracy.
SPA Strömberg protection acquisition, a serial master/slave protocol for
point-to-point communication
TLS Transport Layer Security (TLS) is a cryptographic protocol that provides
communication security over the Internet. TLS encrypts the segments of
network connections at the Application Layer for the Transport Layer,
using asymmetric cryptography for key exchange, symmetric encryption
for confidentiality, and message authentication codes for message
integrity.
Syslog Syslog is a standard for computer data logging. Syslog can be used for
computer system management and security auditing as well as
generalized informational, analysis, and debugging messages.
TCP Transmission control protocol. The most common transport layer
protocol used on Ethernet and the Internet.
TCP/IP Transmission control protocol over Internet Protocol. The de facto
standard Ethernet protocols incorporated into 4.2BSD Unix. TCP/IP was
developed by DARPA for internetworking and encompasses both
network layer and transport layer protocols. While TCP and IP specify two
protocols at specific protocol layers, TCP/IP is often used to refer to the
entire US Department of Defense protocol suite based upon these,
including Telnet, FTP, UDP and RDP.


UDP The User Datagram Protocol (UDP) is one of the core members of the
Internet protocol suite. With UDP, computer applications can send
messages, in this case referred to as datagrams, to other hosts on an
Internet Protocol (IP) network without prior communications to set up
special transmission channels or data paths.
UMT User management tool
UTC Coordinated Universal Time. A coordinated time scale, maintained by the
Bureau International des Poids et Mesures (BIPM), which forms the basis
of a coordinated dissemination of standard frequencies and time signals.
UTC is derived from International Atomic Time (TAI) by the addition of a
whole number of "leap seconds" to synchronize it with Universal Time 1
(UT1), thus allowing for the eccentricity of the Earth's orbit, the rotational
axis tilt (23.5 degrees), but still showing the Earth's irregular rotation, on
which UT1 is based. The Coordinated Universal Time is expressed using a
24-hour clock, and uses the Gregorian calendar. It is used for aeroplane
and ship navigation, where it is also sometimes known by the military
name, "Zulu time." "Zulu" in the phonetic alphabet stands for "Z", which
stands for longitude zero.
VPN A Virtual Private Network (VPN) extends a private network across public
networks like the Internet. It enables a host computer to send and receive
data across shared or public networks as if it were a private network with
all the functionality, security and management policies of the private
network.

ABB Power Grids Sweden AB
Grid Automation Products
SE-721 59 Västerås, Sweden
Phone +46 (0) 10 738 00 00

www.abb.com/protection-control
1MRK 511 399-UEN
