ABB COM600 series 5.0 Cyber Security Deployment Guideline

Substation management unit

Summary of Contents for ABB COM600 series 5.0

  • Page 1 — COM600 series 5.0 Cyber Security Deployment Guideline...
  • Page 3: Table Of Contents

    1MRS758267 COM600 series 5.0 Cyber Security Deployment Guideline. Issued: 13.3.2015. Version: A/24.5.2017. Contents: 1. About this manual ... 5; 1.1. Copyright ... 5; 1.2. Disclaimer ... 5; 1.3. Conformity ... 6; 1.4. Trademarks ... 6; 1.5. Document conventions ... 6; 1.6.
  • Page 4 5.1. Setting up local WSUS server to update COM600 ... 32; 5.2. Add WSUS Server Role ... 32; 5.3. Open WSUS Configuration Wizard ... 37; 5.4. Configuring WSUS ... 38; 5.5. Add COM600 Computer group ... 41; 5.6.
  • Page 5: About This Manual

    Copyright This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.
  • Page 6: Conformity

    (EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive.
  • Page 7: Use Of Symbols

    1.7. Terminology. The following is a list of terms that you should be familiar with. The list contains terms that are unique to ABB or have a usage or definition that is different from standard industry usage. Term...
  • Page 8: Abbreviations

    Term / Description: Alarms and Events (AE): An OPC service for providing information about alarms and events to OPC clients. Device: A physical device that behaves as its own communication node in the network, for example, a protection relay.
  • Page 9: Related Documents

    1.9. Related documents (name of the manual, MRS number): CAL and SEV OPC Server User’s Manual, 1MRS201326; COM600 Operator’s Manual, 1MRS756705; SNTP OPC Server User’s Manual, 1MRS757277. 1.10. Document revisions: Document version/date...
  • Page 10: Introduction

    Introduction 2.1. General information about the COM600 series The COM600 product series are versatile Substation Management Units that help realize smart substation and grid automation solutions in industrial and utility distribution networks.
  • Page 11: Overview

    • COM600F is a dedicated distribution automation controller unit that runs distributed grid and feeder applications for ANSI power networks and inherits all core features of the COM600 series. 2.3. Overview This document outlines key information needed to secure and harden COM600 when commissioned in a substation.
  • Page 12 Figure 2.3-1 Typical COM600 network setup...
  • Page 13: Security Guidelines

    Security Guidelines 3.1. Access Control 3.1.1. Access Control This section describes system hardening measures that can be taken to limit access to the various components of COM600 to users with predefined permissions/access rights only.
  • Page 14: User Groups

    a password for the COM600 user account. See Appendix 1 for details on how to launch the Gateway Management Tool. Administrator user account The default Administrator user account available from the Windows operating system is disabled in the COM600 device.
  • Page 15 To launch the Local Security Policy editor: 1. Log in to COM600 as administrator. 2. Go to Control Panel. 3. Click Administrative Tools. 4. Click Local Security Policy. The Local Security Policy editor opens. 5. Browse through each of the policies and make the appropriate settings to align with the desired security behavior.
  • Page 16: Ports And Services

    Figure 3.1.5-2 Preconfigured account lockout policy 3.2. Ports and services 3.2.1. Ports and services COM600 has two built-in Network Interface Cards (NIC) and an additional extension LAN card (with two more NICs) which can be added through an order code when ordering.
  • Page 17 The table below lists the ports used by the various software processes in COM600, each accomplishing a specific functionality. Table columns: Application type, Application Name, Port Number, Connection Type (HTTP, TCP/UDP). The rows begin with: COM600 VTRIN-Net Server...
  • Page 18: Windows Firewall

    Application Name / Port Number: COM600 VTRIN-Net Server, 7605; COM600 VTRIN-Net Server, 7606; COM600 Configuration Service, Remoting Server, 8080; COM600 GOOSE Analyzer Tool Server, 8089; COM600 CoDeSys ControlSer...
  • Page 19 • Action – specifies the action to be taken when the corresponding condition mentioned in the rule matches. The action specified can either allow a connection or block a connection.
  • Page 20 To access Windows Firewall: 1. Log in to COM600 using a user account that has administrative privileges. 2. Go to Control Panel. 3. Click Windows Firewall. 4. Click Advanced Settings to open the Windows Firewall settings window.
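A scripted way to apply the posture these firewall pages describe, as an added example and not the guideline's own procedure: it keeps the COM600 service ports visible in the port table on the preceding pages (7605, 7606, 8080 and 8089) reachable only through the LOCAL NIC and blocks them on the REMOTE NIC, with a default-deny inbound policy underneath. The NIC addresses, the engineering subnet and the TCP connection type are assumptions for illustration. netsh advfirewall is used rather than the NetSecurity cmdlets because it also exists on older Windows releases.

```powershell
# Added example, not from the ABB guideline. Run from an elevated PowerShell on COM600.
# Assumed (hypothetical) addressing: LOCAL NIC 192.168.1.10 on the engineering
# subnet 192.168.1.0/24, REMOTE NIC 10.0.0.10 towards the control centre.
$LocalNicIp  = '192.168.1.10'
$LocalSubnet = '192.168.1.0/24'
$RemoteNicIp = '10.0.0.10'

# Service ports from the guideline's port table (connection type assumed TCP).
$Com600Services = @(
    @{ Name = 'COM600 VTRIN-Net Server 7605';      Port = 7605 },
    @{ Name = 'COM600 VTRIN-Net Server 7606';      Port = 7606 },
    @{ Name = 'COM600 Configuration Service';      Port = 8080 },   # Gateway Management: LOCAL NIC only
    @{ Name = 'COM600 GOOSE Analyzer Tool Server'; Port = 8089 }
)

function Set-Com600FirewallBaseline {
    # Default posture: drop every inbound connection no rule allows, and log the drops.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

function Set-Com600ServiceRules {
    foreach ($svc in $Com600Services) {
        $allowName = "COM600 LOCAL allow - $($svc.Name)"
        $blockName = "COM600 REMOTE block - $($svc.Name)"

        # Delete first so the script can be re-run without accumulating duplicate rules.
        netsh advfirewall firewall delete rule name="$allowName" | Out-Null
        netsh advfirewall firewall delete rule name="$blockName" | Out-Null

        # Allow the port only on the LOCAL NIC address and only from the engineering subnet.
        netsh advfirewall firewall add rule name="$allowName" dir=in action=allow `
            protocol=TCP localport=$($svc.Port) localip=$LocalNicIp remoteip=$LocalSubnet | Out-Null

        # Explicit block on the REMOTE NIC address; block rules take precedence over allow rules,
        # so a later, broader allow rule cannot accidentally expose the port remotely.
        netsh advfirewall firewall add rule name="$blockName" dir=in action=block `
            protocol=TCP localport=$($svc.Port) localip=$RemoteNicIp | Out-Null
    }
}

function Show-Com600Rules {
    # Print only the rules this script manages, for review after the change.
    netsh advfirewall firewall show rule name=all |
        Select-String -Pattern '^Rule Name:\s+COM600 (LOCAL|REMOTE)' -Context 0,8
}

Set-Com600FirewallBaseline
Set-Com600ServiceRules
Show-Com600Rules
```

The block rule on the REMOTE NIC address is deliberate even though the allow rule is already scoped to the LOCAL NIC: with a default-deny inbound policy it is redundant today, but it survives a future rule that allows "any local address", which is the usual way a LOCAL-only service ends up reachable from the control-center side.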
  • Page 21: Com600 Configuration Service

    COM600 to upload additional configuration settings. The Configuration Service running in COM600 will accept the connection. A COM600 user with administrative privileges can enable/disable the Configuration Service using COM600 WebHMI. ABB recommends that the Configuration Service is enabled only at times when a new application configuration...
  • Page 22 Gateway Management. By default, Configuration Service is preconfigured to use LOCAL NIC. Although Configuration Service can be changed to use REMOTE NIC, ABB recommends that LOCAL NIC is used for Gateway Management purposes. Allowing Configuration Service to use REMOTE NIC implies that this service is available for remote connection from entities which may be located outside the physical perimeter of COM600.
  • Page 23: Remote Desktop

    Before using Windows remote desktop application, the remote settings in COM600 should be enabled to allow remote desktop connections. This can be done using COM600 WebHMI. ABB recommends that remote desktop connections are enabled only when needed. To configure Remote desktop settings from WebHMI: 1.
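A read-only check that ties the Ports and services, Configuration Service and Remote Desktop sections together, as an added example that is not part of the guideline: it lists every TCP listener on COM600 with its owning process, flags any port the port table does not document, reports whether Remote Desktop is currently enabled and whether it requires Network Level Authentication, and points out documented services bound to all interfaces (which are then reachable on the REMOTE NIC unless the firewall stops them). The documented port list is the part of the table visible on the preceding pages; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the ABB guideline. Read-only: safe to run on a live COM600.
# Assumption: the ports below are the entries of the guideline's port table that are
# visible on this page; extend the list from the full table before relying on it.
$DocumentedPorts = 7605, 7606, 8080, 8089
$RdpPort = 3389

function Get-TcpListener {
    # Parses `netstat -ano` rather than using Get-NetTCPConnection, so it also
    # works on Windows versions without the NetTCPIP module.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr   = $Matches[1]
            $port   = [int]$Matches[2]
            $procId = [int]$Matches[3]
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '?' }
            [pscustomobject]@{
                LocalAddress = $addr
                Port         = $port
                ProcessId    = $procId
                Process      = $procName
            }
        }
    }
}

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled (the state ABB recommends
    # outside maintenance); UserAuthentication = 1 means NLA is required on RDP-Tcp.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        Enabled     = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
    }
}

function Test-Com600Exposure {
    $listeners = Get-TcpListener
    $rdp = Get-RdpState

    Write-Host 'Listening TCP ports:'
    $listeners | Sort-Object Port | Format-Table -AutoSize | Out-String | Write-Host

    # Anything listening on a port the table does not document needs an explanation
    # (a forgotten tool, an extra service) before the firewall rules can be trusted.
    $undocumented = $listeners | Where-Object { $DocumentedPorts -notcontains $_.Port -and $_.Port -ne $RdpPort }
    foreach ($l in $undocumented) {
        Write-Warning ('Undocumented listener: port {0} ({1}, PID {2}) on {3}' -f $l.Port, $l.Process, $l.ProcessId, $l.LocalAddress)
    }

    # Remote Desktop: should be disabled unless a maintenance session is in progress.
    if ($rdp.Enabled) {
        Write-Warning ('Remote Desktop is enabled (NLA required: {0}); disable it via WebHMI when the session is over.' -f $rdp.NlaRequired)
    } else {
        Write-Host 'Remote Desktop is disabled.'
    }

    # A documented service bound to 0.0.0.0 or [::] answers on the REMOTE NIC too;
    # the firewall scope is then the only thing keeping it LOCAL.
    $wildcard = $listeners | Where-Object { ($_.LocalAddress -in '0.0.0.0', '[::]') -and ($DocumentedPorts -contains $_.Port) }
    foreach ($l in $wildcard) {
        Write-Host ('Port {0} ({1}) listens on all interfaces; confirm the firewall scopes it to the LOCAL NIC.' -f $l.Port, $l.Process)
    }
}

Test-Com600Exposure
```

Run it once after commissioning and again after each configuration upload: the Configuration Service (port 8080) should show up only while it is enabled in WebHMI, and the Remote Desktop line should read "disabled" whenever no maintenance is in progress.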
  • Page 24: Time Service

    3.2.6. Time service Time used in COM600 can be synchronized using SNTP to an external clock device either by using the Windows time service or by using the COM600 SNTP OPC Server. The SNTP OPC Server available in COM600 offers an SNTP server and an SNTP client.
  • Page 25: Com600 Security Events

    COM600 is part of a domain. Policy configuration made using any one of these options may not necessarily reflect configuration made by another. Therefore, ABB recommends that “auditpol” command line tool in COM600 is always used to view/edit any audit policy.
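A worked version of the auditpol recommendation above, as an added example and not ABB's prescribed policy: it backs up the current audit policy, sets an explicit per-subcategory policy with auditpol, makes the subcategory policy authoritative so that category-level settings from Local Security Policy or a domain GPO cannot silently override it, and then re-reads the effective policy to report mismatches. The subcategory set is this example's choice of a minimal security-event baseline.

```powershell
# Added example, not from the ABB guideline. Run from an elevated PowerShell on COM600.
# The subcategory list is this example's minimal security-event set; adapt it to the
# site's logging requirements and to what the CAL server is expected to collect.
$DesiredAudit = @(
    @{ Subcategory = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Logoff';                    Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'Account Lockout';           Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Special Logon';             Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'User Account Management';   Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Process Creation';          Success = 'enable'; Failure = 'disable' }
)

function Backup-AuditPolicy {
    param([string]$Path = "$env:ProgramData\auditpol-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv")
    # Keep a copy of the current policy so the change can be reverted with `auditpol /restore`.
    auditpol /backup /file:$Path | Out-Null
    return $Path
}

function Set-DesiredAuditPolicy {
    foreach ($entry in $DesiredAudit) {
        auditpol /set /subcategory:"$($entry.Subcategory)" /success:$($entry.Success) /failure:$($entry.Failure) | Out-Null
    }
    # SCENoApplyLegacyAuditPolicy = 1 is the registry form of the security option
    # "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
    # audit policy category settings". Without it, a category setting made in Local Security
    # Policy or a domain GPO replaces the subcategory policy set here.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
}

function Get-EffectiveAuditPolicy {
    # `auditpol /get ... /r` prints CSV (Subcategory, Inclusion Setting, ...); blank lines are dropped first.
    auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Test-AuditPolicy {
    # Compares the effective policy with the desired table and returns the mismatches.
    $effective = Get-EffectiveAuditPolicy
    $mismatches = @()
    foreach ($entry in $DesiredAudit) {
        $row = $effective | Where-Object { $_.Subcategory -eq $entry.Subcategory }
        $expected = switch ("$($entry.Success)/$($entry.Failure)") {
            'enable/enable'  { 'Success and Failure' }
            'enable/disable' { 'Success' }
            'disable/enable' { 'Failure' }
            default          { 'No Auditing' }
        }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
        if ($actual -ne $expected) {
            $mismatches += [pscustomobject]@{ Subcategory = $entry.Subcategory; Expected = $expected; Actual = $actual }
        }
    }
    return $mismatches
}

$backup = Backup-AuditPolicy
Write-Host "Previous audit policy saved to $backup"
Set-DesiredAuditPolicy
$diff = Test-AuditPolicy
if ($diff) { $diff | Format-Table -AutoSize } else { Write-Host 'Audit policy matches the desired settings.' }
```

Re-running Test-AuditPolicy after the next policy refresh (or after the unit is joined to a domain) is the quickest way to notice that another tool has changed the policy behind auditpol's back, which is exactly the situation the text above warns about.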
  • Page 26: Malicious Code Prevention

    Centralized user Activity Logging (CAL) server The CAL server in COM600 is capable of receiving and storing security events in the form of syslog messages. The security events include events generated from within COM600 and from other devices (such as protection relays/RTUs) that share the same physical perimeter with COM600.
  • Page 27: Antivirus Programs

    Multiple methods are offered by various anti-virus vendors to keep these definitions up to date. ABB recommends choosing a convenient method that does not expose COM600 to the internet or to any public network.
  • Page 28: Secure Patch Management

    Available updates from Microsoft should be tracked periodically and checked for compatibility prior to installation. The compatibility of the latest updates from Microsoft with COM600-specific functionality is tested and verified monthly by ABB. The test results can be found on the COM600 product page, which includes a COM600 Patch Compatibility Report specifying the details.
  • Page 29 COM600 through a physical medium for installation. For both online and offline setups, careful measures should be taken for this purpose without compromising the electronic security perimeter of COM600. ABB recommends that the updates are installed by an authorized system administrator.
  • Page 30 Offline Updates manually To manually get Windows security updates from the Microsoft Update Catalog website: 1. Check the available security updates that are tested and verified for compatibility in the COM600 compatibility reports. 2. Go to the Microsoft Update Catalog website (http://catalog.update.microsoft.com/).
  • Page 31: Launch Gateway Management Tool

    Appendix 1 Launch Gateway Management Tool The Gateway Management tool can be used to maintain the application configuration in COM600. To launch the Gateway Management tool from SAB600: 1. Open SAB600 from the Engineering PC/workstation. 2. Open an existing project if available, or create a new project. 3.
  • Page 32: Setting Up Local Wsus Server To Update Com600

    Appendix 2 Setting up local WSUS server to update COM600 Updates from Microsoft for Windows and related features are managed through WSUS. This setup requires a server running Windows Server 2012 R2 on a 64-bit machine, connected to COM600 in a private network.
  • Page 33 Figure 5.2-2 Add Roles Wizard, Installation Type 3. In the Server Selection section click Select a server from the server pool. Make sure the intended machine running Windows Server 2012 is selected in Server Pool and click Next as shown in Figure 5.2-3.
  • Page 34 4. In the Server Roles section scroll to Roles selection and select Windows Server Update Services. Click Next as shown in Figure 5.2-4. Figure 5.2-4 Add Roles Wizard, Server Roles 5. In the Add Roles and Features Wizard define additional Roles which are necessary for WSUS functionality, but are deemed to be missing in Windows Server 2012 R2.
  • Page 35 Figure 5.2-5 Add Roles Wizard, Add additional features 6. In the Features section click Next as shown in Figure 5.2-6. Figure 5.2-6 Add Roles Wizard, Features...
  • Page 36 7. In the WSUS/Role Services section check that WID Database and WSUS Services are selected and click Next as shown in Figure 5.2-7. Figure 5.2-7 Add Roles Wizard, WSUS Role Services 8.
  • Page 37: Open Wsus Configuration Wizard

    Figure 5.2-8 Add Roles Wizard, WSUS Content 9. In the Web Server Role (IIS)/Role Services section click Next without changing the default settings. 10. In the Confirmation section click Install and wait for the installation to complete.
  • Page 38: Configuring Wsus

    Figure 5.3-1 Open WSUS Configuration Wizard Configuring WSUS This section explains how to configure WSUS settings through the WSUS Configuration Wizard. It is recommended to make the settings appropriate to the deployed environment.
  • Page 39 Figure 5.4-1 WSUS Wizard, Choose Upstream Server 4. In the Specify Proxy Server section of the configuration wizard, specify any intermediary proxy settings needed to connect to the internet, and click Next. 5. In the subsequent section, click Start Connecting to verify the connection to the Microsoft Update Server.
  • Page 40 Products chosen in WSUS Configuration, per COM600 Product Version: COM600 v5.0 and above: 1. Developer Tools, Runtimes, and Redistributables: 1.1. Visual Studio 2005; 1.2. Visual Studio 2008; 1.3. Visual Studio 2010; 1.4. Visual Studio 2013; 2.
  • Page 41: Add Com600 Computer Group

    Figure 5.4-3 WSUS Server Status Add COM600 Computer group Add a new computer group in the WSUS server for each of the COM600 product versions deployed. This is done under Computers as shown in Figure 5.5-1.
  • Page 42: Rename Com600 Computer Name

    Figure 5.5-1 Add Computer Group Rename COM600 computer name This section describes configuration changes that need to be done in COM600 before connecting to the WSUS server. Before proceeding, make sure the COM600 device is assigned a unique computer name.
  • Page 43: Group Policy Setting In Com600

    4. In the services listed, find the Windows Update service and double-click to open the properties dialog. 5. In the properties window, set Startup Type to Automatic. Click Start to start the service.
  • Page 44: Connecting Com600 To Wsus Server

    Figure 5.8-1 Specify WSUS server in COM600 Connecting COM600 to WSUS Server To connect COM600 to the WSUS server after changing the group policy settings: 1. Open a command prompt in administrator mode and execute the command...
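The COM600-side steps of the last three pages (unique computer name, Windows Update service set to Automatic, WSUS server address in group policy, then forcing contact with the server) done in one script, as an added example rather than the guideline's own command sequence: it writes the registry values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" policies set, checks that the WSUS port is reachable from COM600, clears the client identity that units restored from the same image share, and triggers a detection cycle with the standard wuauclt switches. The WSUS URL, port and computer name are placeholders.

```powershell
# Added example, not from the ABB guideline. Run from an elevated PowerShell on COM600.
# Assumed (placeholder) values: WSUS at http://wsus.substation.local:8530, and a
# site-specific computer name; both must be replaced with the site's own.
$WsusUrl  = 'http://wsus.substation.local:8530'
$WsusHost = 'wsus.substation.local'
$WsusPort = 8530
$NewComputerName = 'COM600-SUB01'   # placeholder; must be unique across the WSUS server

function Test-WsusReachable {
    # Plain TCP connect to the WSUS port from this unit; no HTTP client needed.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($WsusHost, $WsusPort); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

function Set-WsusClientPolicy {
    # These are the registry values the WSUS group policies write; setting them
    # directly gives the same result on a stand-alone COM600.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    New-Item -Path $au -Force | Out-Null
    Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate   -Value 0 -Type DWord
    # AUOptions 3 = download approved updates and notify before install, so the
    # administrator chooses the installation window rather than the scheduler.
    Set-ItemProperty -Path $au -Name AUOptions      -Value 3 -Type DWord
}

function Reset-WsusClientIdentity {
    # COM600 units restored from the same image share a SusClientId, and WSUS then
    # shows only one of them. Clearing it makes the client generate a fresh id on next contact.
    Stop-Service -Name wuauserv -Force
    $reg = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $reg -Name $name -ErrorAction SilentlyContinue
    }
}

function Start-WsusClient {
    # Windows Update service: Automatic and running, as the page requires, then a
    # fresh authorization and detection cycle against the configured server.
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
    wuauclt /resetauthorization /detectnow
}

if ($env:COMPUTERNAME -ne $NewComputerName) {
    Write-Warning "Computer name is $env:COMPUTERNAME; rename and reboot before joining WSUS, e.g.:"
    Write-Warning "  Rename-Computer -NewName '$NewComputerName' -Restart"
}
if (-not (Test-WsusReachable)) { throw "Cannot reach $WsusHost on TCP $WsusPort from this unit" }
Set-WsusClientPolicy
Reset-WsusClientIdentity
Start-WsusClient
Write-Host "COM600 will appear under Unassigned Computers on the WSUS server after its next report."
```

The reachability test is also a perimeter check in reverse: if COM600 can reach the WSUS port through the REMOTE NIC instead of the private update network the appendix assumes, the firewall rules on the WSUS side deserve a second look before any update is approved.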
  • Page 45: Approving Updates In Wsus

    later on for a computer group, all COM600 devices under the group would automatically receive the approved updates. To change group membership from Unassigned Computers to the COM600 Computer Group, right-click the COM600 item and select Change Membership, as shown in Figure 5.10-1.
  • Page 46: Installing Approved Updates In Com600

    Figure 5.11-1 View needed updates in Update Services console To approve each of the needed updates, right-click on an update and select Approve. The Approve Updates dialog opens (see Figure 5.11-2). Select the desired COM600 Computer Group and click Approved for Install.
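The server-side steps of these two pages (moving COM600 units into their computer group and approving the needed updates) scripted with the UpdateServices module that ships with the WSUS role on Windows Server 2012 R2, as an added example and not ABB's procedure. It adds the caveat the Secure patch management section asks for: only updates whose KB number appears in the COM600 Patch Compatibility Report are approved, and everything else that WSUS reports as needed is held back and listed. The group name and the KB list are placeholders; the object properties used (Update.Title, Update.KnowledgebaseArticles) are those of the module's WsusUpdate objects.

```powershell
# Added example, not from the ABB guideline. Run on the WSUS server, which provides the
# UpdateServices PowerShell module. Assumed values: the COM600 computer group is named
# "COM600 v5.0", and $VerifiedKbs is a placeholder standing in for the KB numbers listed
# as verified in the current COM600 Patch Compatibility Report.
Import-Module UpdateServices

$TargetGroup = 'COM600 v5.0'
$VerifiedKbs = @('4012212', '4019264', '4022719')   # placeholder list, not a real report

function Add-Com600ToGroup {
    # Server-side targeting, as on the previous page: move units whose name contains
    # COM600 out of Unassigned Computers into the COM600 group.
    Get-WsusComputer -NameIncludes 'COM600' |
        Add-WsusComputer -TargetGroupName $TargetGroup
}

function Get-Com600NeededUpdates {
    # Security updates that group members report as needed and that nobody has approved yet.
    Get-WsusUpdate -Classification Security -Approval Unapproved -Status Needed
}

function Approve-VerifiedUpdates {
    $verified   = @()
    $unverified = @()
    foreach ($u in Get-Com600NeededUpdates) {
        # An update may reference several KB articles; any verified one qualifies it.
        $kbs = @($u.Update.KnowledgebaseArticles)
        if ($kbs | Where-Object { $VerifiedKbs -contains $_ }) { $verified += $u } else { $unverified += $u }
    }
    foreach ($u in $verified) {
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
        Write-Host ('Approved for {0}: {1}' -f $TargetGroup, $u.Update.Title)
    }
    foreach ($u in $unverified) {
        # Left unapproved on purpose: not yet covered by the compatibility report.
        Write-Warning ('Held back (not in compatibility report): {0} [KB{1}]' -f $u.Update.Title, (@($u.Update.KnowledgebaseArticles) -join ', KB'))
    }
    return @{ Approved = $verified.Count; Held = $unverified.Count }
}

Add-Com600ToGroup
$result = Approve-VerifiedUpdates
Write-Host ('Approved {0} update(s), held back {1}.' -f $result.Approved, $result.Held)
```

Keeping the approval keyed to the report rather than to "everything needed" is what makes the monthly ABB verification meaningful: an update that is needed but not yet verified stays visible in the held-back list instead of reaching a substation unit by default.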
  • Page 47 2. Open Control Panel > Windows Update. 3. Then click Check for Updates to install the approved updates available from the WSUS server. Figure 5.12-1 Install updates in COM600 To configure COM600 to install updates automatically: 1.
  • Page 48 Figure 5.12-2 COM600 Windows Update Change Settings...
  • Page 52 Fax. +358 10 224 1094 ABB Inc. Medium Voltage Products 655 Century Point Lake Mary, FL 32746, USA Tel: +1 407 732 2000 Fax: +1 407 732 2335 www.abb.com/medium-voltage 1MRS758267 A/24.5.2017 © Copyright 2017 ABB. All rights reserved. Specifications subject to change without notice.
