COM600 series, Version 4.1 Cyber Security Deployment Guideline
Contents:

1. About this manual
1.1. Copyright
1.2. Disclaimer
1.3. Conformity
1.4. Trademarks
1.5. Document conventions
1.6. Use of symbols
1.7. Terminology
1.8. Abbreviations
1.9. Document revisions
2. Introduction
2.1. General about the COM600 series
2.2. General about this document
2.3. Reference documents
3. Configuring network for COM600
3.1. Configuring network
4. Configuring security settings for COM600
4.1. Configuring security settings
4.2. BIOS settings
4.3. Virus scanner
4.4. Disabling devices
4.5. User Account Control (UAC)
4.6. OPC and DCOM
4.7. Security policies
4.8. Firewall (ports and services)
4.9. Backing up and restoring
4.9.1. General about backing up and restoring
4.9.2. Taking and restoring a backup
4.9.2.1. Taking backup
4.9.2.2. Restoring backup
4.10. User account management
4.10.1. General about user account management
4.10.2. Access permissions
4.10.3. Adding new users
4.10.4. Modifying user properties
4.10.5. Changing user's password
5. Configuring UAL
5.1. General

1. About this manual

1.1. Copyright

This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose.

The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.

Warranty

Please inquire about the terms of warranty from your nearest ABB representative. http://www.abb.com/substationautomation

1.2. Disclaimer

The data, examples and diagrams in this manual are included solely for the concept or product description and are not to be deemed as a statement of guaranteed properties. All persons responsible for applying the equipment addressed in this manual must satisfy themselves that each intended application is suitable and acceptable, including that any applicable safety or other operational requirements are complied with. In particular, any risks in applications where a system failure and/or product failure would create a risk for harm to property or persons (including but not limited to personal injuries or death) shall be the sole responsibility of the person or entity applying the equipment, and those so responsible are hereby requested to ensure that all measures are taken to exclude or mitigate such risks.

This product is designed to be connected and to communicate information and data via a network interface, which should be connected to a secure network. It is the sole responsibility of the person or entity responsible for network administration to ensure a secure connection to the network and to establish and maintain any appropriate measures (such as but not limited to the installation of firewalls, application of authentication measures, encryption of data, installation of anti-virus programs, etc.) to protect the product, the network, its system and the interface against any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information. ABB is not liable for damages and/or losses related to such security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information.

This document has been carefully checked by ABB but deviations cannot be completely ruled out. In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.

1.3. Conformity

This product complies with the directive of the Council of the European Communities on the approximation of the laws of the Member States relating to electromagnetic compatibility (EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive. The product is designed in accordance with the international standards of the IEC 60255 series.

1.4. Trademarks

ABB is a registered trademark of ABB Group. All other brand or product names mentioned in this document may be trademarks or registered trademarks of their respective holders.

1.5. Document conventions

The following conventions are used for the presentation of material:

• The words in names of screen elements (for example, the title in the title bar of a window, the label for a field of a dialog box) are initially capitalized.

• Capital letters are used for the name of a keyboard key if it is labeled on the keyboard. For example, press the ENTER key.

• Lowercase letters are used for the name of a keyboard key that is not labeled on the keyboard. For example, the space bar, comma key, and so on.

• Press CTRL+C indicates that you must hold down the CTRL key while pressing the C key (to copy a selected object in this case).

• Press ESC E C indicates that you press and release each key in sequence (to copy a selected object in this case).

The names of push and toggle buttons are boldfaced. For example, click OK.

The names of menus and menu items are boldfaced. For example, the File menu.

The following convention is used for menu operations: MenuName > MenuItem > CascadedMenuItem. For example: select File > New > Type. The Start menu name always refers to the Start menu on the Windows taskbar.

• System prompts/messages and user responses/input are shown in the Courier font. For example, if you enter a value out of range, the following message is displayed:

• You can be asked to enter the string MIF349 in a field. The string is shown as follows in the procedure:

MIF349

• Variables are shown using lowercase letters: sequence name

1.6. Use of symbols

This publication includes warning, caution, and information icons that point out safety-related conditions or other important information. It also includes tip icons to point out useful information to the reader. The corresponding icons should be interpreted as follows.

The electrical warning icon indicates the presence of a hazard which could result in electrical shock.

The warning icon indicates the presence of a hazard which could result in personal injury.

The caution icon indicates important information or warning related to the concept discussed in the text. It may indicate the presence of a hazard which could result in corruption of software or damage to equipment or property.

The information icon alerts the reader to relevant facts and conditions.

The tip icon indicates advice on, for example, how to design your project or how to use a certain function.

1.7. Terminology

The following is a list of terms associated with COM600 that you should be familiar with. The list contains terms that are unique to ABB or have a usage or definition that is different from standard industry usage.

Term: Description

Alarm: An abnormal state of a condition.

Alarms and Events; AE: An OPC service for providing information about alarms and events to OPC clients.

Device: A physical device that behaves as its own communication node in the network, for example, a protection relay.

Event: Change of process data or an OPC internal value. Normally, an event consists of value, quality, and timestamp.

Intelligent Electronic Device: A physical IEC 61850 device that behaves as its own communication node in the IEC 61850 protocol.

OPC: Series of standards specifications aiming at open connectivity in industrial automation and the enterprise systems that support industry.

Property: Named data item.

1.8. Abbreviations

The following is a list of abbreviations associated with COM600 that you should be familiar with. See also 1.7, Terminology.

Abbreviation: Description

AE: Alarms and Events
ASDU: Application Service Data Unit
BRCB: Buffered Report Control Block
DA: Data Access
DMCD: Data Message Code Definition
DO: Data Object
GW: Gateway, component connecting two communication networks together
HMI: Human Machine Interface
IEC: International Electrotechnical Commission
IED: Intelligent Electronic Device
LAG: LON Application Guideline for substation automation
LAN: Local Area Network
LD: Logical Device
LMK: LonMark interoperable device communicating in a LonWorks network. In this document, the term is used for devices that do not support the ABB LON/LAG communication.
LN: Logical Node
LSG: LON SPA Gateway
NCC: Network Control Center
NUC: Norwegian User Convention
NV: Network Variable
OLE: Object Linking and Embedding
OPC: OLE for Process Control
P&C: Protection & Control
PLC: Programmable Logic Controller
POU: Program Organization Unit
RTS: Request To Send
SA: Substation Automation
SCD: Substation Configuration Description
SCL: Substation Configuration Language
SFC: Sequential Function Chart
SLD: Single Line Diagram
SNMP: Simple Network Management Protocol
SNTP: Simple Network Time Protocol
SOAP: Simple Object Access Protocol
RCB: Report Control Block
URCB: Unbuffered Report Control Block
XML: eXtensible Markup Language

1.9. Document revisions

Document version/date: A/13.3.2015
Product revision: 4.1
History: Document created

2. Introduction

2.1. General about the COM600 series

The COM600 series comprises substation management units that are deployed together with protection and control relays and other communication devices, such as Relion® protection and control relays and Remote I/O units, to realize smart substation and grid automation solutions in utility and industrial medium voltage distribution networks. They are a unique combination of the following features:

• Process visualization (HMI)

• Real-time and historical data handling

• Platform for executing industrial and utility substation applications

• Communication gateway

The COM600 series 4.1 release comprises the following products:

• COM600S – COM600 for substation automation (for IEC and ANSI markets). COM600S is a substation automation and data management unit that integrates devices, facilitates operations and manages communication in utility or industrial distribution substations.

• COM600F – COM600 for feeder automation (for ANSI/US markets only). COM600F is a feeder automation and data management unit that runs distributed grid applications in ANSI standard-based utility power networks.

2.2. General about this document

This document is a security guide for the COM600 series version 4.1 (hereafter COM600). This guide is intended for software and project engineers and system verification testers, who are expected to have general familiarity with topics in the following areas:

• PCs, servers, and Windows operating system

• Networking including TCP/IP and concept of ports and services

• Security policies

• Firewalls

• Anti-virus

• Remote and secure communication

However, this guide does not specify the network configuration (forests, domains, organizational units (OU)) where the COM600 system is installed. There are several ways to deploy security settings to machines, e.g. by using the secedit command-line tool, the Security Configuration Wizard (SCW), or Group Policy Objects (GPO). This chapter gives general information, assumptions, and the operating system and COM600 versions this guide covers. The system is secured by configuring the network and configuring the firewall settings. Configuring the network is discussed in Chapter 3.1, Configuring network.

There are security settings which are automatically configured in the product and those which need to be configured manually. A disabled administrator user account is available in COM600. Since this is an administrator account, it is the responsibility of the system administrator to choose a valid and secure password for it, in case it gets enabled.

Other Windows server security settings such as firewall, security policies and disabling Windows system services are configured for COM600 during development. During commissioning it is recommended to close ports for communication protocols that are not required.

There is a general security guide for control systems and operating systems on the ABB website [ABBSEC09]. Microsoft also has security guides for different operating systems [MSSEC09].

2.3. Reference documents

Ref: Document title

[ABBSEC09] ABB Security – Control Systems, ABB.

[APPLOC12] Windows AppLocker, Microsoft.

[MSANA09] Microsoft Baseline Security Analyzer, Microsoft.

[MSDCOM04] Restrict TCP/IP Ports (Windows 2000 and XP), Microsoft; The default dynamic port range for TCP/IP has changed (Windows 7 and Server 2008), Microsoft; How to configure RPC dynamic port allocation to work with firewalls (Windows 2003 and 2008), Microsoft.

[MSDEP] Data Execution Prevention, Microsoft.

[MSPASS09] Strong passwords, Microsoft.

[MSSEC09] Windows OS Security Guides, Microsoft. Search for "Security Guide" and refine the search with a specific OS name, e.g. Windows Server 2008.

[MSTHRE05] Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP, Microsoft; Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows 7, Microsoft.

[MSUPD] Windows Update, Microsoft.

[MSWS03] Security Compliance Manager, Microsoft.

[UAC] What are User Account Control settings?, Microsoft.

3. Configuring network for COM600

3.1. Configuring network

Each host in a TCP/IP network has a unique identifier, called an IP address. An IPv4 address is composed of four numbers in the range from 0 to 255, separated with dots, e.g. 192.168.0.1. Because every computer on an IP network must have a unique IP address, careful planning of IP addresses throughout the whole system is important. Remember to allow for future needs in the address ranges when planning large networks. A host can have multiple IP addresses, as shown in Figure 3.1-1. Static IP addressing should be used in a COM600 system; see Configure a Static IP Address [http://technet.microsoft.com/en-us/library/cc754203(WS.10).aspx] for more information.

Figure 3.1-1 (image: COM600withNCCConnection.png)

ABB does not recommend the use of domains and wireless networks in a COM600 system because of the high reliability required of the control system. A domain controller that is unavailable might affect the stability of the control system. If a domain network is used, it is good to understand the risks of this solution. For more information, see Active Directory Domain Services, Microsoft.
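The static-addressing requirement above can be checked and applied from the COM600 itself. The following PowerShell is an added example written for this edition, not ABB's own tooling or part of the guideline: it lists every IP-enabled adapter that still uses DHCP, pins one adapter to a static address with netsh (which exists on Windows Embedded Standard 7, where the newer Net* cmdlets do not), and reports whether any DHCP dependency remains. The interface name, addresses and the absence of DNS servers in the usage lines are assumptions; substitute the values from your IP plan.

```powershell
# Added example (not part of the ABB guideline). Run as Administrator on WES7.
# PowerShell 2.0 compatible: WMI and netsh only.

function Get-DhcpAdapters {
    # Every adapter that has IP enabled and still obtains its address from DHCP.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        Select-Object Description, MACAddress, IPAddress, DHCPServer
}

function Set-StaticAddress {
    param(
        [Parameter(Mandatory = $true)][string]$InterfaceName,   # Windows connection name
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$Mask,
        [string]$Gateway,                                         # leave empty on a LAN with no router
        [string[]]$DnsServers = @()                               # usually none on a process LAN
    )
    if ($Gateway) {
        netsh interface ipv4 set address name="$InterfaceName" source=static address=$Address mask=$Mask gateway=$Gateway gwmetric=1 | Out-Null
    } else {
        netsh interface ipv4 set address name="$InterfaceName" source=static address=$Address mask=$Mask gateway=none | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the address on '$InterfaceName'" }

    # A static address with DHCP-supplied DNS is still a DHCP dependency,
    # so make DNS static as well (address=none clears the list first).
    netsh interface ipv4 set dnsservers name="$InterfaceName" source=static address=none | Out-Null
    foreach ($dns in $DnsServers) {
        netsh interface ipv4 add dnsservers name="$InterfaceName" address=$dns | Out-Null
    }
}

function Test-StaticAddressing {
    # $true when no IP-enabled adapter is left on DHCP.
    (@(Get-DhcpAdapters)).Count -eq 0
}

# Usage (assumed values):
# Get-DhcpAdapters | Format-Table -AutoSize
# Set-StaticAddress -InterfaceName 'Local Area Connection' -Address 192.168.0.10 -Mask 255.255.255.0
# Test-StaticAddressing
```

Run Get-DhcpAdapters again after every network change during commissioning: an adapter that is re-enabled or replaced comes back with DHCP on, and on a substation LAN without a DHCP server it would fall back to a 169.254.x.x address and silently drop off the process network.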

4. Configuring security settings for COM600

4.1. Configuring security settings

COM600 is an embedded device. Its operating system is Windows Embedded Standard 7 (WES7). During product development WES7 has been tailored to the COM600 hardware based on the requirements of utility and industrial distribution networks. To further reduce the attack surface of COM600, programs and services that are not used can be uninstalled or disabled. The sections below use the statements "This has to be configured manually" and "This is pre-configured". The first means that the security setting must be configured manually; the second means that it is already configured in the delivered product.

4.2. BIOS settings

The following settings must be applied:

• Password(s) are enabled

• Remote wake-up/Wake on LAN is disabled

This has to be configured manually.

4.3. Virus scanner

It is not recommended to use a virus scanner in the COM600 system.

4.4. Disabling devices

In COM600, it is good practice to disable the devices that are not used. This may include USB ports and communication ports. This has to be configured manually. Run devmgmt.msc (Device Manager) and look for the devices to be disabled. Figure 4.4-1 shows the disabling of communication ports; finally the Universal Serial Bus (USB) ports must be disabled, as shown for USB mass storage in Figure 4.4-2.

Figure 4.4-1 (image: DevManager-DisableCommPorts.png)

Figure 4.4-2 Disable USB Mass Storage (image: DevManager-DisableUsbMassStorage.png)

See also How can I prevent users from connecting to a USB storage device, http://support.microsoft.com/kb/823732.

Applies to:

• Microsoft Windows XP Home Edition

• Microsoft Windows XP Professional

• Microsoft Windows 2000 Advanced Server

• Microsoft Windows 2000 Professional Edition

• Microsoft Windows 2000 Server

• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

• Microsoft Windows Server 2003, Standard Edition (32-bit x86).

Disabling autorun functionality

Whenever disabling a device is not possible, it is good practice to disable the autorun functionality for it. To prevent the automatic start of malicious code contained on a removable device, autorun functionality must be turned off. For more information, see How to disable the Autorun functionality in Windows, http://support2.microsoft.com/kb/967715/en-us.
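Both Microsoft articles referenced in this section come down to two registry values, and both can be applied and audited without the Device Manager GUI. The script below is an added example for this edition, not ABB's code: it sets the USBSTOR driver start type to 4 (disabled), as KB823732 describes, and sets NoDriveTypeAutoRun to 0xFF, as KB967715 describes, then reads both back. The "Applies to" list of KB823732 ends at Windows Server 2003, but the USBSTOR start value is the same service-control setting on WES7. Run as Administrator; a mass-storage device that is already attached keeps working until it is unplugged, and the Explorer policy value is read at logon, so re-plug and re-logon before trusting the result.

```powershell
# Added example (not part of the ABB guideline). Run as Administrator on WES7.

$UsbStorKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$ExplorerPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-UsbMassStorage {
    # Start = 4 (SERVICE_DISABLED) stops the USB mass-storage class driver from
    # loading. Keyboards, mice and USB-to-serial adapters use other drivers and
    # are unaffected; disable those per device in Device Manager as in Figure 4.4-1.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Disable-AutoRun {
    if (-not (Test-Path $ExplorerPolicyKey)) { New-Item -Path $ExplorerPolicyKey -Force | Out-Null }
    # Bit mask of drive types; 0xFF covers all of them, including removable and CD-ROM.
    Set-ItemProperty -Path $ExplorerPolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-RemovableMediaHardening {
    # Returns both flags so a commissioning checklist can assert on them.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $auto  = (Get-ItemProperty -Path $ExplorerPolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Object PSObject -Property @{
        UsbStorDisabled = ($start -eq 4)
        AutoRunDisabled = ($auto -eq 0xFF)
    }
}

function Get-RemovableDrives {
    # DriveType 2 = removable. After Disable-UsbMassStorage an inserted USB stick
    # must not appear here; if it does, the driver was already loaded (re-plug).
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' | Select-Object DeviceID, VolumeName
}

# Usage:
# Disable-UsbMassStorage; Disable-AutoRun
# Test-RemovableMediaHardening      # both properties should be True
# Get-RemovableDrives               # should list nothing with a stick inserted
```

Keep in mind the interaction with section 4.9: with USBSTOR disabled, the running system cannot write a disc image to a USB flash drive, so either use a network drive as the image target or re-enable the driver (Start = 3) only for the duration of the backup.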

4.5. User Account Control (UAC)

UAC is a security feature in Windows Embedded Standard 7. For more information, see [UAC].

This is pre-configured.

4.6. OPC and DCOM

The usage of OPC communication between OPC client and server requires that Distributed COM (DCOM) has been configured properly in the Windows operating system. This includes configuring mutual user accounts between computers, system-wide DCOM settings, OPC server specific DCOM settings, and firewall rules.

Distributed Component Object Model (DCOM) uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers. One can control which ports RPC dynamically allocates for incoming communication and then configure the firewall to confine incoming external communication to only those ports and port 135 (the RPC Endpoint Mapper port) [MSDCOM04].

This is pre-configured.
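If the pre-configured range ever has to be re-applied, for example after a restore from an older image, the registry method from [MSDCOM04] is the following. This is an added example for this edition, not ABB's own configuration: it pins RPC dynamic allocation to a fixed TCP range, allows inbound only that range and the endpoint mapper on the private (substation) profile, and scopes both rules to the OPC client host. The range 5000-5199 and the client address 192.168.0.50 are assumptions. Run as Administrator; Windows reads the Rpc\Internet key at boot, so a reboot is required.

```powershell
# Added example (not part of the ABB guideline). Run as Administrator on WES7.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param(
        [int]$Start = 5000,
        [int]$Count = 200,                       # too small a range starves other RPC servers
        [string]$OpcClient = '192.168.0.50'      # assumed OPC client on the substation LAN
    )
    $end = $Start + $Count - 1
    if ($Start -lt 1024 -or $end -gt 65535) { throw 'Port range must lie within 1024-65535' }
    if (-not (Test-Path $RpcInternetKey)) { New-Item -Path $RpcInternetKey -Force | Out-Null }

    # Ports is REG_MULTI_SZ; one entry of the form "start-end" is the documented syntax.
    # This key governs every RPC server on the host, not only DCOM.
    Set-ItemProperty -Path $RpcInternetKey -Name Ports -Value @("$Start-$end") -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name UseInternetPorts -Value 'Y' -Type String

    # Inbound rules on the private (substation) profile only, scoped to the client.
    netsh advfirewall firewall add rule name="COM600 RPC endpoint mapper" dir=in action=allow protocol=TCP localport=135 remoteip=$OpcClient profile=private | Out-Null
    netsh advfirewall firewall add rule name="COM600 DCOM port range" dir=in action=allow protocol=TCP localport="$Start-$end" remoteip=$OpcClient profile=private | Out-Null
}

function Get-RpcPortRange {
    # What is actually configured, so the firewall rules can be cross-checked.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    $p = Get-ItemProperty -Path $RpcInternetKey
    New-Object PSObject -Property @{
        Ports                  = $p.Ports
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
    }
}

# Usage:
# Set-RpcPortRange -Start 5000 -Count 200 -OpcClient 192.168.0.50
# Get-RpcPortRange
# netsh int ipv4 show dynamicport tcp     # the unconstrained default range, for comparison
```

OPC DA callbacks are DCOM calls from the server back to the client, so the client host needs the same treatment: its own RPC range pinned and opened to the COM600 address. COM600's outbound traffic is allowed by the firewall settings in section 4.8, so no outbound rule is needed on the COM600 side.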

4.7. Security policies

Security policies are based on the predefined SSLF (Specialized Security-Limited Functionality) security templates from Microsoft [MSSEC09]. The following policies are modified for COM600:

• Account policies

• Audit policy

• User rights

• Security options

• Event log

• System services

These policies are pre-configured.

4.8. Firewall (ports and services)

Windows Firewall is a stateful host firewall. The original Windows Firewall could be configured to restrict all inbound connections but could not filter or block outbound connections; Windows Firewall with Advanced Security in Windows 7, and therefore in WES7, also supports blocking outbound connections. For more information about profiles, see Understanding Firewall Profiles, http://technet.microsoft.com/fi-fi/library/getting-started-wfas-firewall-profiles-ipsec%28v=ws.10%29.aspx. The scope options of the firewall settings are ALL or SUBNET. SUBNET is a general setting option allowing only local network (subnet) traffic through the firewall (for more information, see http://technet.microsoft.com/en-us/library/cc778362(WS.10).aspx).

COM600 has two different firewall profiles: private (within the substation) and public (towards the outside of the substation).

Other general settings are:

• Firewall: enabled, block inbound, allow outbound

• Logging: enabled, %windir%\pfirewall.log, 32767kB

• ICMP settings: disabled

• Notify when an application is blocked.

Ports and services used by COM600 as well as default firewall settings are listed in Appendix B Ports and Services. We recommend using hardware firewalls. Software firewalls may affect performance, in which case they should not be used.

These are pre-configured. Unnecessary ports should be closed. Logging needs to be enabled if required.
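Because these settings are pre-configured, the practical task at commissioning is to confirm that they are still in place. The script below is an added example for this edition, not part of the guideline: it reads the live profile settings with netsh advfirewall (present on WES7, which lacks the NetSecurity cmdlets), compares the private and public profiles against the general settings listed above, and adds an explicit inbound ICMPv4 echo block. The expected values are taken from that list; the sample netsh output at the end is constructed so the parser can be exercised offline, and it deliberately leaves the public profile at the Windows logging defaults so the check has something to report.

```powershell
# Added example (not part of the ABB guideline). Run as Administrator on WES7.

$Expected = @{
    'State'                   = 'ON'
    'Firewall Policy'         = 'BlockInbound,AllowOutbound'
    'InboundUserNotification' = 'Enable'            # notify when an application is blocked
    'LogDroppedConnections'   = 'Enable'
    'FileName'                = '%windir%\pfirewall.log'
    'MaxFileSize'             = '32767'
}

function ConvertFrom-NetshProfiles {
    param([string[]]$Lines)
    # Profile name -> (setting -> value). netsh prints "Key<2+ spaces>Value".
    $profiles = @{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $matches[1]
            $profiles[$current] = @{}
        } elseif ($current -ne $null -and $line -match '^(\S.*?)\s{2,}(\S.*)$') {
            $profiles[$current][$matches[1]] = $matches[2].Trim()
        }
    }
    $profiles
}

function Test-FirewallProfiles {
    param([string[]]$Lines = (netsh advfirewall show allprofiles))
    $profiles = ConvertFrom-NetshProfiles $Lines
    $findings = @()
    foreach ($name in 'Private', 'Public') {            # the two profiles COM600 uses
        if (-not $profiles.ContainsKey($name)) { $findings += "$name profile not found"; continue }
        foreach ($key in $Expected.Keys) {
            $actual = $profiles[$name][$key]
            if ($actual -ne $Expected[$key]) {
                $findings += "$name/$key is '$actual', expected '$($Expected[$key])'"
            }
        }
    }
    $findings                                            # empty means every checked setting matches
}

function Add-IcmpEchoBlockRule {
    # The inbound default already drops unsolicited ICMP, but the built-in File and
    # Printer Sharing rules allow Echo Request when enabled; a block rule wins over
    # any allow rule, so this makes "ICMP settings: disabled" explicit.
    netsh advfirewall firewall add rule name="COM600 block ICMPv4 echo" dir=in action=block protocol=icmpv4:8,any profile=any | Out-Null
}

# Constructed sample (not real COM600 output): Public still has the Windows logging defaults.
$Sample = @'
Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Enable

Logging:
LogDroppedConnections                 Enable
FileName                              %windir%\pfirewall.log
MaxFileSize                           32767

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Enable

Logging:
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
'@

Test-FirewallProfiles -Lines ($Sample -split "`r?`n")   # three findings, all on Public
# Test-FirewallProfiles                                   # live check on the COM600
```

Run the live check after any restore from an image (section 4.9) and after Windows updates, since both can reset profile settings. The log file named above is the only local record of dropped inbound connections, so a finding on LogDroppedConnections means a scan of the COM600 would leave no trace.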

4.9. Backing up and restoring

4.9.1. General about backing up and restoring

Configuration can be backed up by storing the Exported Project from SAB600 to a location that is regularly backed up. It is recommended to also copy the Exported Project to the COM600 device.

4.9.2. Taking and restoring a backup

4.9.2.1. Taking backup

Backing up the COM600 with disc imaging software (for example Acronis True Image or Norton Ghost) is highly recommended. The image should be saved on a network drive or on a USB flash drive. Note that if USB mass storage has been disabled as described in section 4.4, a USB flash drive cannot be used as the target from the running system. Refer to the instructions from the disc imaging software manufacturer on how to accomplish this.

We recommend taking an image backup every three months. This has to be configured manually.

Selectively also contents of data historian and events lists can be backed up. Please refer to COM600 Data Historian Operator’s Manual and COM600 User’s guide for additional details.

4.9.2.2. Restoring backup

The method for restoring the disc image depends on the disc imaging software. Refer to the instructions from the disc imaging software manufacturer on how to accomplish this. This has to be configured manually.

Selectively also contents of data historian and events lists can be restored. Please refer to COM600 Data Historian Operator’s Manual and COM600 User’s guide for additional details.

4.10. User account management

4.10.1. General about user account management

This has to be configured manually.

4.10.2. Access permissions

COM600 has the following user levels:

• Viewer = Only allowed to view

• Operator = Authorized to make operations

• Engineer = Allowed to change IED parameters, but no operation rights

• Administrator = Full access

The administrator can add users and define access rights with the User Management tool.

The user levels of the selected user are displayed in the User Information view and they can be modified by the administrator.

The purpose of the user groups is mainly to provide customized user interfaces for different users.

Functionality          Administrators  Engineers  Operators  Viewers
SLD                    X               X          X          X
Control dialogs        X               view       X          view
Event list             X               X          X          X
Alarm list             X               view       X          view
User management        X               *1         *1         *1
Parameter setting      X               X          view       view
Disturbance recording  X               X          X          view
System supervision     X               X          X          view
Security event list    X

X = Access enabled, view = View-only, *1 = Can change own password

Operating system access permissions using local browser

If enabled, in COM600 local browser, only administrator users are allowed to resize the HMI window, access COM600 files, launch and switch to other application, access Windows taskbar, and shut down COM600.

This is a configurable feature. For more information about configuring the access rights, see section Operating system access permissions using local browser in COM600 HMI Configuration Manual.

When a non-administrator user logs in, or a user logs out:

• The Minimize, Maximize, and Close buttons are not shown.

• The Windows taskbar is not shown.

• ALT-TAB, CTRL-ESC, and other Windows keys (such as Windows logo, logo + E…) are disabled.

• If the user presses CTRL-ALT-DEL, only the Cancel button is enabled in the pop-up dialog.

Table 4.10.2-1 Windows access permissions using local browser

Function                     Administrators  Engineers  Operators  Viewers
Resize HMI window            X
Close HMI window             X
Access COM600 files          X
Launch other application     X
Switch to other application  X
Access Windows taskbar       X
Shut down COM600             X

X = Access enabled, blank = No access

4.10.3. Adding new users

The administrator can add users in the Add User window. To add a new user:

1. Click the Users tab on the left.
2. Select Add User.
3. Type in a new user name. The length of the user name can be 1 - 99 characters and it can only contain the characters a - z and 0 - 9.
4. Type in a password and confirm it. The length of the password can be 9 - 99 characters and it can only contain the characters a - z and 0 - 9.
5. Select a user group from the drop-down menu.
6. Click Apply to save the user information.
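The password rule in step 4 deserves a closer look: with only a-z and 0-9 allowed, each character contributes log2(36), about 5.17 bits, so a 9-character password has roughly 46.5 bits of entropy even when chosen at random, and far less when chosen by hand. The PowerShell below is an added example for this edition, not ABB's code: it validates a candidate against the documented constraints, reports the entropy for a given length, and generates random passwords from the operating system's CSPRNG without modulo bias. The 16-character default is this example's choice, not an ABB figure.

```powershell
# Added example (not part of the ABB guideline). Works in PowerShell 2.0 on WES7.

$Alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'

function Test-Com600Password {
    param([string]$Password)
    # $true only when the documented constraints are met; -cmatch is case-sensitive
    # because the tool rejects upper-case letters.
    ($Password.Length -ge 9) -and ($Password.Length -le 99) -and ($Password -cmatch '^[a-z0-9]+$')
}

function Get-PasswordEntropyBits {
    param([int]$Length)
    # Bits of entropy for a uniformly random string of this length over the alphabet.
    [math]::Round($Length * [math]::Log($Alphabet.Length, 2), 1)
}

function New-Com600Password {
    param([int]$Length = 16)
    if ($Length -lt 9 -or $Length -gt 99) { throw 'Length must be 9-99' }
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 252 = 7 * 36; rejecting 252-255 keeps every symbol equally likely.
        if ($buf[0] -lt 252) { [void]$sb.Append($Alphabet[$buf[0] % 36]) }
    }
    $sb.ToString()
}

# Usage:
# $pw = New-Com600Password -Length 16
# Test-Com600Password $pw        # True
# Get-PasswordEntropyBits 9      # 46.5
# Get-PasswordEntropyBits 16     # 82.7
```

Because the character set is so small, prefer length over cleverness for these accounts, and never reuse a COM600 HMI password for the BIOS password (section 4.2) or the Windows administrator account (section 2.2), which both allow a much richer character set.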

4.10.4. Modifying user properties

The administrator can modify user information by using the toolbar on top of the User Information view.

To remove a user:

1. Click the Users tab on the left.
2. Select the user you want to remove.
3. Click Remove User and confirm by clicking OK.

To change a user's user group:

1. Click the Users tab on the left.
2. Select the user whose user group you want to change.
3. Click Change User Group.
4. In the Change User's Group view, select a new group from the drop-down menu.
5. Click Apply.

4.10.5. Changing user's password

To change another user's password (administrator):

1. Click the Users tab on the left.
2. Select the user whose password you want to change.
3. Click Change password.
4. Type in a new password and confirm it.
5. Click Apply.

To change your own password:

1. Click the Settings tab on the left.
2. Click Change password.
3. Type in the old password.
4. Type in a new password and confirm it.
5. Click Apply.

5. Configuring UAL

5.1. General

This has to be configured manually.

Please refer to the CAL/SEV OPC Server manual for the actual configuration.

5.2. Functional overview

There are security-related servers available within COM600. They are capable of:

• Generating security-related events caused by user activity on COM600 and other software operation

• Capturing security-related events occurring in downstream devices to which COM600 is connected

• Forwarding security-related events generated by COM600 and by downstream devices (such as IEDs and RTUs) to upstream control systems such as DMS, or to other station computers

• Storing security events in an internal database for future auditing purposes.

The security events are sent and received between the various devices using standard communication protocols such as Syslog and IEC 61850. These messages follow a prescribed format when forwarded using Syslog.

Figure 5.2-1 System overview (image: System_Overview.png)

The security events that are generated in COM600 will always follow the ABB-prescribed format when forwarded to an upstream external device using Syslog, or to the CAL server functioning within COM600.

The security events that are received by COM600 and generated in downstream devices will always follow the format used in the source/downstream device when forwarded to upstream devices by COM600.
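At commissioning the question is usually whether forwarded events actually arrive at the upstream collector. The PowerShell below is an added example for this edition, not ABB's code: a minimal UDP syslog receiver to run on the collector host, plus a decoder for the RFC 3164 <PRI> prefix (PRI = facility * 8 + severity) that every syslog message carries regardless of body format. The ABB-prescribed body format is not reproduced because this guideline does not define it; the body is passed through as text. Port 514 and the sample message at the end are assumptions, and the sample is constructed, not captured from a COM600.

```powershell
# Added example (not part of the ABB guideline). Run on the collector host.

function ConvertFrom-SyslogPri {
    param([string]$Message)
    # Returns facility, severity and the remaining body, or $null for a malformed header.
    if ($Message -match '^<(\d{1,3})>(.*)$') {
        $pri = [int]$matches[1]
        if ($pri -gt 191) { return $null }          # facility max 23, severity max 7
        New-Object PSObject -Property @{
            Facility = [int][math]::Floor($pri / 8)
            Severity = $pri % 8
            Body     = $matches[2]
        }
    } else {
        return $null
    }
}

function Receive-Syslog {
    param([int]$Port = 514, [int]$Count = 10)
    # Binds the UDP port on all interfaces; the collector's firewall needs an
    # inbound allow rule for this port scoped to the COM600 address.
    $udp  = New-Object System.Net.Sockets.UdpClient $Port
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try {
        for ($i = 0; $i -lt $Count; $i++) {
            $bytes = $udp.Receive([ref]$from)
            $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
            $ev    = ConvertFrom-SyslogPri $text
            if ($ev -ne $null) {
                '{0} facility={1} severity={2} {3}' -f $from.Address, $ev.Facility, $ev.Severity, $ev.Body
            } else {
                '{0} (no valid PRI) {1}' -f $from.Address, $text
            }
        }
    } finally {
        $udp.Close()
    }
}

# Offline check with a constructed message: PRI 86 = facility 10 (authpriv), severity 6 (info).
# ConvertFrom-SyslogPri '<86>Mar 13 10:15:00 COM600 UAL: constructed sample event'
# Receive-Syslog -Port 514 -Count 5
```

Syslog over UDP is neither authenticated nor acknowledged: a spoofed message from the substation LAN is indistinguishable from a COM600 event, and a dropped datagram is never retransmitted. Keep the collector on the private profile network, restrict its listening port to the COM600 address, and reconcile the received events against the COM600's internal security event database (accessible to administrators per section 4.10.2) during audits.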


1MRS758267 A/13.03.2015 © Copyright 2015 ABB. All rights reserved.

ABB Oy, Substation Automation Products, P.O. Box 699, FI-65101 VAASA, FINLAND. Tel. +358 10 22 11, Fax +358 10 224 1094

ABB Inc., Distribution Automation, 655 Century Point, Lake Mary, FL 32746, USA. Tel: +1 407 732 2000, Fax: +1 407 732 2335
