ABB GMS600 Manual

Relion 650 series cyber security deployment guideline

RELION® 650 SERIES
GMS600
Version 1.3
Cyber security deployment guideline

Summary of Contents for ABB GMS600

  • Page 1 — RELION® 650 SERIES GMS600 Version 1.3 Cyber security deployment guideline...
  • Page 3 Document ID: 1MRK 511 454-UEN Issued: November 2017 Revision: A Product version: 1.3 © Copyright 2017 ABB. All rights reserved...
  • Page 4 Copyright This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software and hardware described in this document is furnished under a license and may be used or disclosed only in accordance with the terms of such license.
  • Page 5 In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.
  • Page 6 (EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive.
  • Page 7: Table Of Contents

    Writing user management settings to the IED (p. 28); Reading user management settings from the IED (p. 29); Saving user management settings (p. 29); Section 5 User activity logging (p. 31): Activity logging ACTIVLOG (p. 31), Generic security application AGSAL (p. 32), Security alarm SECALARM (p. 32), About security events (p. 33). GMS600 1.3 Cyber security deployment guideline...
  • Page 8 Logging off (p. 39); Saving settings (p. 39); Recovering password (p. 40); Section 7 WebHMI Use (p. 43): Logging on (p. 43), Changing Settings (p. 44), Logging Off (p. 45); Section 8 IEEE Compliance statement (p. 47): IEEE 1686 compliance (p. 47); Section 9 Glossary (p. 51).
  • Page 9: Section 1 Introduction

    Section 1 Introduction. This manual: the Cyber Security Deployment Guidelines describe password procedures and levels of access in the system. Document revision history: revision A, November 2017, first release.
  • Page 11: Section 2 Security In Substation Automation

    ABB fully understands the importance of cyber security and its role in advancing the security of substation automation systems. A customer investing in new ABB technologies can rely on system solutions where reliability and security have the highest priority.
  • Page 12 Section 2 Security in Substation Automation. Figure 1: System architecture for substation automation system.
  • Page 13: Section 3 Secure System Setup

    To set up an IP firewall, the following table summarizes the IP ports used in the GMS600 IED, which is based on the Relion 650 series of IEDs. The ports are listed in ascending order. The column "Default state" defines whether a port is open or closed by default.
  • Page 14 IEC 61850 and DNP3.0. These communication protocols are enabled by configuration: the IP port is closed and unavailable if the GMS600 configuration contains no communication line for the protocol, and once a protocol is configured its port is open all the time. An open port is reachable by every host that can route to the IED, so limiting which clients may use it is the job of the IP firewall this table is meant for.
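As an added example (not part of the ABB guideline), the following Python script turns the port-table idea into something a practitioner can run: it derives the set of ports the IED will expose from the list of configured protocols, renders an nftables allow-list for a firewall placed in front of the IED, and diffs a port-scan result against that prediction. The PORT_TABLE contents are an assumption standing in for the guideline's own table (the MMS and DNP3 port numbers are the common defaults, the other rows are placeholders), and the IP addresses are hypothetical.

```python
"""Firewall allow-list derived from the IED's IP port table (added example).

Not code from the ABB guideline. PORT_TABLE is a constructed stand-in for
the guideline's port table, which this page snippet does not reproduce:
IEC 61850 MMS on TCP/102 and DNP3 on TCP/20000 are the usual defaults, the
remaining rows are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str          # "tcp" or "udp"
    service: str        # function / protocol that owns the port
    default_open: bool  # the table's "Default state" column


# Constructed port table (assumption; substitute the guideline's own table).
PORT_TABLE = (
    PortEntry(21, "tcp", "FTPACCS", True),      # FTP access with TLS
    PortEntry(102, "tcp", "IEC61850", False),   # MMS, open only when configured
    PortEntry(443, "tcp", "WEBSERVER", True),   # WebHMI
    PortEntry(20000, "tcp", "DNP3", False),     # open only when configured
)


def expected_open_ports(configured_protocols):
    """Ports the IED exposes: default-open rows plus every row whose protocol
    has a communication line in the configuration (the guideline says such a
    port is then open all the time)."""
    configured = set(configured_protocols)
    return sorted((e.port, e.proto) for e in PORT_TABLE
                  if e.default_open or e.service in configured)


def nft_ruleset(ied_ip, allowed_clients, configured_protocols):
    """Render an nftables allow-list for a firewall in front of the IED.

    allowed_clients maps a service name to the client IPs allowed to reach
    it. Only ports the IED actually opens get a rule; all other traffic to
    the IED is dropped by the chain policy.
    """
    open_ports = set(expected_open_ports(configured_protocols))
    rules = ["table inet ied_fw {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for e in PORT_TABLE:
        if (e.port, e.proto) not in open_ports:
            continue
        for client in sorted(allowed_clients.get(e.service, ())):
            rules.append(f"    ip saddr {client} ip daddr {ied_ip} "
                         f"{e.proto} dport {e.port} accept")
    rules += ["  }", "}"]
    return "\n".join(rules)


def audit_scan(observed_open, configured_protocols):
    """Compare a port scan of the IED with what the configuration predicts.

    observed_open is a set of (port, proto) tuples, e.g. taken from nmap.
    Returns (unexpected, missing): an unexpected port means a protocol is
    enabled that the documented configuration does not account for; a
    missing one means the scan or the configuration record is stale.
    """
    expected = set(expected_open_ports(configured_protocols))
    observed = set(observed_open)
    return sorted(observed - expected), sorted(expected - observed)


if __name__ == "__main__":
    cfg = {"IEC61850"}        # a DNP3 communication line is not configured
    print(nft_ruleset("10.0.2.10",
                      {"IEC61850": ["10.0.1.5"], "FTPACCS": ["10.0.1.20"],
                       "WEBSERVER": ["10.0.1.20"]}, cfg))
    # constructed scan result: DNP3 answers although it is not in the config
    print(audit_scan({(21, "tcp"), (102, "tcp"), (443, "tcp"), (20000, "tcp")}, cfg))
```

Run the audit after every configuration change: a port that answers without a matching communication line in the PCM600 configuration is exactly the discrepancy the "Default state" column is there to catch.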
  • Page 15: FTP Access With TLS, FTPACCS

    Figure 4: Ethernet ports LAN1A, LAN1B, rear view (COM03). FTP access with TLS, FTPACCS: the FTP client defaults to the best possible security mode when negotiating with TLS.
  • Page 16: Encryption Algorithms

    CPU load. The function has the following outputs: LINKUP indicates the Ethernet link status; WARNING indicates that the data rate is higher than 3000 frames/s; ALARM indicates that the IED limits the IP communication.
  • Page 17: Certificate Handling

    The certificate is always trusted during communication between the IED and PCM600. If Windows is configured to use UAC High, the certificate has to be manually trusted in a dialog box. Since that dialog is the point where the trust decision is made, confirm the certificate fingerprint out of band before accepting it.
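Added example, not code from ABB or PCM600: a small Python FTPS client for the FTPACCS function above that treats the IED certificate the way a careful engineering-workstation tool should. Instead of trusting the certificate automatically, it requires TLS 1.2 or better and pins the certificate's SHA-256 fingerprint, recorded out of band when the IED was commissioned. It assumes FTPACCS negotiates explicit TLS on the standard FTP port 21 (AUTH TLS) and that the IED presents a self-signed certificate; the host name, credentials and fingerprint are placeholders.

```python
"""FTPS (explicit TLS) client for FTPACCS that verifies the IED certificate
by pinned fingerprint instead of trusting it unconditionally (added example,
not ABB's code).

Assumptions: FTPACCS upgrades the control channel with AUTH TLS on port 21,
and the IED certificate is self-signed, so CA validation would not help;
the fingerprint below is a placeholder the engineer records at commissioning.
"""
import ftplib
import hashlib
import hmac
import ssl


def build_ftps_context():
    """TLS client context that refuses anything below TLS 1.2.

    CA validation is switched off because the IED certificate is self-signed;
    the peer's identity is checked by fingerprint in connect_ftps() instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # pinning replaces chain validation
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison; accepts 'AB:CD:..' or 'abcd..' notation."""
    expected = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_ftps(host, user, password, expected_fp, port=21, timeout=10):
    """Open an FTPS session to the IED, abort if the certificate is not the
    pinned one, then protect the data channel as well (PROT P)."""
    ftps = ftplib.FTP_TLS(context=build_ftps_context(), timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                                   # AUTH TLS on the control channel
    presented = ftps.sock.getpeercert(binary_form=True)
    if presented is None or not fingerprint_matches(presented, expected_fp):
        ftps.close()
        seen = cert_fingerprint(presented) if presented else "none"
        raise ssl.SSLError(f"IED certificate mismatch, presented {seen}")
    ftps.login(user, password)
    ftps.prot_p()                                 # encrypt the data channel too
    return ftps


if __name__ == "__main__":
    # Placeholders: IED address, account and fingerprint are assumptions.
    IED_HOST = "10.0.2.10"
    PINNED = "00" * 32
    try:
        with connect_ftps(IED_HOST, "engineer", "password", PINNED) as session:
            print(session.nlst())
    except (OSError, ssl.SSLError) as exc:
        print("FTPS session refused:", exc)
```

The fingerprint is compared before login so that credentials are never sent to an endpoint that could not prove it is the expected IED; a mismatch is the signal to stop and check whether the certificate was legitimately replaced (see the TRANSFER_CERTS events in Section 5).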
  • Page 19: Section 4 Managing User Roles And User Accounts

    SECADM Security administrator: can change role assignments and security settings. SECAUD Security auditor: can view audit logs. RBACMNT RBAC management: can change role assignment. Changes in user management settings do not cause an IED reboot.
  • Page 20: Predefined User Roles

    Setting – Basic; Setting – Advanced; Control – Basic; Control – Advanced; IEDCmd – Basic; IEDCmd – Advanced; FileTransfer – Limited; DB Access normal; Audit log read; Setting – Change Setting Group; Security Advanced.
  • Page 21 User names are not case sensitive. For passwords, see the password policies in PCM600. The first user created must be assigned the SECADM role to be able to write users created in PCM600 to the IED.
  • Page 22: Password Policies

    After password expiry the user is still able to log in, but a warning dialog is displayed on the Local HMI and a security event is issued. Expiry therefore does not lock the account; rotation after expiry has to be enforced by procedure, and the security event is what to monitor for. Figure 5: Password expiry warning dialog.
  • Page 23: IED User Management

    Always use Read User Management Settings from IED before making any changes when managing user profiles; otherwise password changes made by users may be lost, because what is written back replaces what the IED holds. Nothing is changed in the IED until a write-to-IED operation is performed.
  • Page 24: Starting IED User Management

    The previous administrator user ID and password have to be given so that writing toward the IED can be done. Editing can be continued by clicking Restore factory settings when not connected to the IED. Figure 7: General tab.
  • Page 25: User Profile Management

    A user profile must always belong to at least one user group. Figure 8: Create new user. 4.4.3.1 Adding new users: click in the Users tab to open the wizard.
  • Page 26 Follow the instructions in the wizard to define a user name, password and user group. Select at least one user group to which the defined user belongs. The user profile can be seen in the User details field.
  • Page 27 IEC12000201 V1 EN-US Figure 10: Select user groups Select the user from the user list and type a new name or description in the Description/full name field to change the name or description of the user. GMS600 1.3 Cyber security deployment guideline...
  • Page 28: Adding Users To New User Roles

    Select the user from the Users list. Select the new role from the Select a role list. Click the button shown in the original figure. Information about the roles to which the user belongs can be seen in the User details area.
  • Page 29: Deleting Existing Users

    Section 4 Managing user roles and user accounts. Figure 12: Adding user. 4.4.3.3 Deleting existing users: select the user from the Users list.
  • Page 30 Figure 13: Select user to be deleted. Click the button shown in the original figure. Figure 14: Delete existing user.
  • Page 31: Changing Password

    The passwords can be saved in the project database or sent directly to the IED. No passwords are stored in clear text within the IED; a hash representation of the passwords is stored in the IED and is not accessible from outside via any port. A password saved in the project database is, however, a credential at rest on the engineering workstation, so the PCM600 project file and the workstation holding it need to be protected accordingly.
  • Page 32: User Role Management

    In the Roles tab, the user roles can be modified. A user's membership of specific roles can be changed using the lists of available user roles and users. Figure 17: Editing users.
  • Page 33: Adding New Users To User Roles

    IED user account data can be exported from one IED and imported to another. The data is stored in an encrypted file. To export IED user account data from an IED: click the Import Export tab in the IED User tool in PCM600, then click Export IED account data.
  • Page 34: Writing User Management Settings To The IED

    Click the Write User Management Settings to IED button on the toolbar (Figure 20: Write to IED). The data is saved when writing to the IED starts.
  • Page 35: Reading User Management Settings From The IED

    Click the Read User Management Settings from IED button on the toolbar. 4.4.7 Saving user management settings: select File/Save from the menu, or click the Save toolbar button. The save function is enabled only if the data has changed.
  • Page 37: Section 5 User Activity Logging

    External log server 4 IP address: default 127.0.0.1. ExtLogSrv5Type, External log server 5 type: SYSLOG UDP/IP, SYSLOG TCP/IP or CEF TCP/IP. ExtLogSrv5Port, External log server 5 port number: 1 - 65535. Table continues on next page. The 127.0.0.1 default does not reach any external collector; set the address of a real collector, and prefer one of the TCP types, since UDP syslog delivery is neither acknowledged nor ordered.
  • Page 38: Generic Security Application AGSAL

    SEQNUMBER: sequence number of the generated security event. Figure 21: Function block, Security alarm SECALARM (outputs EVENTID and SEQNUMBER). Table 7: SECALARM non-group settings (basic). Name: Operation; Values (Range): On/Off; Description: Operation.
  • Page 39: About Security Events

    Event ID, event name, GSAL attribute, description:
    USER_ACCNT_DEL_OK, GSAL.Ina, User account deleted successfully
    2130 USER_ACCNT_CREATE_FAIL, GSAL.SvcViol, User account creation failed
    2140 USER_ACCNT_DEL_FAIL, GSAL.SvcViol, User account deletion failed
    2160 USER_NEW_ROLE_OK, GSAL.Ina, New role assigned to user successfully
    Table continues on next page
  • Page 40 Configuration transfer to the device started
    13300 READ_CONFIG_OK, Configuration files read/exported from the device successfully
    13310 READ_CONFIG_STARTED_OK, Configuration exporting from the device started successfully
    13400 TRANSFER_FIRMW_OK, Firmware transferred to the device successfully
    Table continues on next page
  • Page 41 Failed to transfer firmware to the device
    14500 READ_FIRMW_FAIL, Failed to read firmware files from the device
    14520 TRANSFER_CERTS_FAIL, Failed to transfer certificates to the device
    14580 READ_CERTS_FAIL, Failed to read certificates from the device
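As an added example for the security-event table and the CEF TCP/IP log server type in Section 5 (not code from the guideline): a Python triage routine that parses CEF records as a syslog collector would receive them, maps the signature ID to the event names from the table, and raises alerts for every failed operation, for every successful firmware transfer, and for a burst of failures from one host. The CEF layout of the records (vendor and product fields, extension keys src, suser, rt, msg) is an assumption about what the IED emits, and the sample lines are constructed.

```python
"""Triage of GMS600 security events received as CEF over syslog (added
example, not from the guideline).

Event IDs and names come from the guideline's security-event table; the CEF
layout and the extension keys are assumptions about the IED's "CEF TCP/IP"
output, and SAMPLE_LINES are constructed, not captured from a real IED.
"""
import re
from collections import Counter

# ID -> (event name, GSAL attribute where the table gives one)
SECURITY_EVENTS = {
    2130: ("USER_ACCNT_CREATE_FAIL", "GSAL.SvcViol"),
    2140: ("USER_ACCNT_DEL_FAIL", "GSAL.SvcViol"),
    2160: ("USER_NEW_ROLE_OK", "GSAL.Ina"),
    13300: ("READ_CONFIG_OK", None),
    13310: ("READ_CONFIG_STARTED_OK", None),
    13400: ("TRANSFER_FIRMW_OK", None),
    14500: ("READ_FIRMW_FAIL", None),
    14520: ("TRANSFER_CERTS_FAIL", None),
    14580: ("READ_CERTS_FAIL", None),
}
# Successful operations that change what the IED runs; always worth an alert.
HIGH_IMPACT = {"TRANSFER_FIRMW_OK"}

_HEADER_SEP = re.compile(r"(?<!\\)\|")       # '|' that is not escaped as '\|'
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")      # start of a key=value pair


def _unescape(field):
    return field.replace(r"\|", "|").replace("\\\\", "\\")


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 with spaces' into a dict; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_cef(line):
    """Parse one CEF record: CEF:Version|Vendor|Product|Version|SigID|Name|Severity|ext"""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SEP.split(line, 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig, name, sev, ext = (_unescape(p) for p in parts)
    return {"vendor": vendor, "product": product, "version": version,
            "signature_id": int(sig), "name": name, "severity": int(sev),
            "ext": parse_extension(ext)}


def triage(lines, burst_threshold=3):
    """Return alerts: every failure, every high-impact success, and one burst
    alert per source host that produced burst_threshold or more failures."""
    alerts = []
    failures_by_src = Counter()
    for line in lines:
        ev = parse_cef(line)
        name = SECURITY_EVENTS.get(ev["signature_id"], (ev["name"], None))[0]
        src = ev["ext"].get("src", "unknown")
        if name.endswith("_FAIL"):
            failures_by_src[src] += 1
            alerts.append(("failure", ev["signature_id"], name, src))
        elif name in HIGH_IMPACT:
            alerts.append(("high-impact", ev["signature_id"], name, src))
    for src, n in failures_by_src.items():
        if n >= burst_threshold:
            alerts.append(("burst", n, "repeated failures from one host", src))
    return alerts


# Constructed sample records (assumed CEF layout, not real IED output).
SAMPLE_LINES = [
    "CEF:0|ABB|GMS600|1.3|2130|USER_ACCNT_CREATE_FAIL|7|src=10.0.1.5 suser=eng1 rt=Nov 20 2017 10:01:02",
    "CEF:0|ABB|GMS600|1.3|2130|USER_ACCNT_CREATE_FAIL|7|src=10.0.1.5 suser=eng1 rt=Nov 20 2017 10:01:09",
    "CEF:0|ABB|GMS600|1.3|2160|USER_NEW_ROLE_OK|3|src=10.0.1.20 suser=secadm rt=Nov 20 2017 10:02:00",
    "CEF:0|ABB|GMS600|1.3|2130|USER_ACCNT_CREATE_FAIL|7|src=10.0.1.5 suser=eng1 rt=Nov 20 2017 10:02:15",
    "CEF:0|ABB|GMS600|1.3|13400|TRANSFER_FIRMW_OK|5|src=10.0.1.9 suser=eng2 rt=Nov 20 2017 10:05:40",
    "CEF:0|ABB|GMS600|1.3|14520|TRANSFER_CERTS_FAIL|7|src=10.0.1.9 suser=eng2 msg=Failed to transfer certs\\|check file",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

The burst rule is the one that matters for the account-management events: a single USER_ACCNT_CREATE_FAIL is an operator mistake, three from the same host inside one session is either a broken PCM600 project or someone without the SECADM role trying to create accounts. Note that the guideline's IEEE 1686 statement lists time/date changes and configuration access as not reported, so those gaps cannot be closed from this feed.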
  • Page 43: Section 6 Local HMI Use

    Select the user name by scrolling (Figure 22: Selecting the user name). Enter the password when prompted and select OK: activate the character to be entered, then enter the character, using the keys shown in the original figures.
  • Page 44 If no user has been created, an attempt to log on causes the display to show a corresponding message (Figure 25: No user defined).
  • Page 45: Logging Off

    To leave the change-setting mode, select No or Yes in the Save changes dialog. After changing parameters marked with an exclamation mark (!), the IED restarts automatically for the changes to take effect, so such changes have to be planned as a period during which the IED is out of service.
  • Page 46: Recovering Password

    Navigate down, select Recovery Menu and press the key shown in the figure (Figure 27: Select Recovery menu). Enter PIN code 8282 and press the key shown (Figure 28: Enter PIN code). Select Turn off authority and press the key shown.
  • Page 47 The PIN code is fixed for all IEDs. Avoid unnecessary restoring of the factory IED default settings (Revert to IED defaults), since all parameter settings earlier written to the IED are overwritten with factory default values. Because the PIN is the same on every IED and is printed in this guideline, the recovery menu is not an authentication step: anyone with physical access to the local HMI can turn off authority. Physical access control to the IED is the compensating control.
  • Page 48 When Revert to IED defaults is selected, the IED restores the factory IED default settings and restarts. Restoring can take several minutes. Confirmation of the restored factory default settings is shown on the display for a few seconds, after which the IED restarts.
  • Page 49: Section 7 WebHMI Use

    Click Continue to this website. Click the control shown in the original figure and enter the username and password. Upon successful authentication, the application page is displayed.
  • Page 50: Changing Settings

    To enable changing settings from the Web, enable the WriteMode parameter under Main Menu/Configuration/HMI/Webserver/WEBSERVER:1. To edit a setting, navigate to the function under Settings or Configuration and click the Enable Write button. All writable settings are then enabled for writing. Leave WriteMode disabled except while a change is actually being made, so that a WebHMI session cannot alter settings during normal operation.
  • Page 51: Logging Off

    Change the parameter and click Write to IED. Logging Off: click Logout in the top right corner of the web page to log out.
  • Page 53: Section 8 IEEE Compliance Statement

    Feature is accessible through individual user accounts. 5.1.6 b) View configuration settings: Comply; feature is accessible through individual user accounts. 5.1.6 c) Force values: Comply; feature is accessible through individual user accounts. Table continues on next page.
  • Page 54 5.3.1 Overview of supervisory monitoring and control: Comply; made available through IEC 61850 and syslog. 5.3.2 Events: Exception; time/date changes and configuration access are not reported, otherwise compliant, so an audit trail for those two actions has to be kept elsewhere. 5.3.3 Alarms: Acknowledge. Table continues on next page.
  • Page 55 Secure tunnel functionality: Comply; feature not supported. 5.4.3 Cryptographic techniques: Comply; recommendations from the NIST Computer Security Division are taken into account in the cryptographic techniques implemented by the IED. Table continues on next page.
  • Page 56 Stored in the IED. 5.5.4 ID/password controlled features: Comply. 5.5.4.1 View configuration data: Comply. 5.5.4.2 Change configuration data: Comply. Communications port access: Comply. Firmware quality assurance: Exception; quality control is handled according to ISO 9001 and CMMI.
  • Page 57: Section 9 Glossary

    RTUs or IEDs'. Electromagnetic compatibility. EN 50263: Electromagnetic compatibility (EMC) - Product standard for measuring relays and protection equipment. EN 60255-26: Electromagnetic compatibility (EMC) - Product standard for measuring relays and protection equipment.
  • Page 58 1. Internet protocol. The network layer for the TCP/IP protocol suite widely used on Ethernet networks. IP is a connectionless, best-effort packet-switching protocol. It provides packet routing, fragmentation and reassembly through the data link layer.
  • Page 59 SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application
  • Page 60 Internet. It enables a host computer to send and receive data across shared or public networks as if it were a private network with all the functionality, security and management policies of the private network.
  • Page 62 — ABB AB Grid Automation Products 721 59 Västerås, Sweden Phone: +46 (0) 21 32 50 00 abb.com/protection-control © Copyright 2017 ABB. All rights reserved. Specifications subject to change without notice.
