Copyright This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.
(EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive.
1.7. Terminology The following is a list of terms that you should be familiar with. The list contains terms that are unique to ABB or have a usage or definition that is different from standard industry usage. Term...
COM600 series 5.0 1MRS758267 Cyber Security Deployment Guideline
Term | Description
Alarms and Events; AE | An OPC service for providing information about alarms and events to OPC clients.
Device | A physical device that behaves as its own communication node in the network, for example, a protection relay.
1.9. Related documents
Name of the manual | MRS number
CAL and SEV OPC Server User’s Manual | 1MRS201326
COM600 Operator’s Manual | 1MRS756705
SNTP OPC Server User’s Manual | 1MRS757277
1.10. Document revisions
Document version/date...
Introduction 2.1. General information about the COM600 series The COM600 product series are versatile Substation Management Units that help realize smart substation and grid automation solutions in industrial and utility distribution networks.
• COM600F is a dedicated distribution automation controller unit that runs distributed grid and feeder applications for ANSI power networks and inherits all core features of the COM600 series.
2.3. Overview This document outlines key information needed to secure and harden COM600 when commissioned in a substation.
Security Guidelines 3.1. Access Control 3.1.1. Access Control This section describes system hardening measures that can be taken to limit access to various components in COM600 only for users with predefined permissions/access rights.
a password for COM600 user account. See Appendix 1 for details on how to launch Gateway Management Tool. Administrator user account The default Administrator user account available from Windows operating system is disabled in COM600 device.
To launch Local security policy editor:
1. Login to COM600 as administrator.
2. Go to Control Panel.
3. Click Administrative tools.
4. Click Local Security Policy. Local security policy editor opens.
5. Browse through each of the policies and make appropriate settings to align with the desired security behavior.
Figure 3.1.5-2 Preconfigured account lockout policy
3.2. Ports and services 3.2.1. Ports and services COM600 has two built-in Network Interface Cards (NIC) and an additional extension LAN card (with two more NICs) which can be added through an order code when ordering.
The table below lists the ports used by various software processes in COM600, each accomplishing a specific functionality.
Application type | Application Name | Port Number | Connection Type
HTTP TCP/UDP
COM600 | VTRIN-Net Server...
Application type | Application Name | Port Number | Connection Type
COM600 | VTRIN-Net Server | 7605
COM600 | VTRIN-Net Server | 7606
COM600 | Configuration Service, Remoting Server | 8080
COM600 | GOOSE Analyzer Tool | 8089 | Server
COM600 | CoDeSys ControlSer-...
• Action – specifies the action that needs to be taken when its corresponding condition mentioned in the rule matches. The action specified can either allow a connection or block a connection.
To access Windows Firewall:
1. Login to COM600 using a user account that has administrative privileges.
2. Go to Control Panel.
3. Click Windows Firewall.
4. Click Advanced Settings to open the Windows Firewall settings window.
COM600 to upload additional configuration settings. Configuration Service running in COM600 will accept the connection. A COM600 user with administrative privileges can enable/disable Configuration Service using COM600 WebHMI. ABB recommends that Configuration Service is enabled only at times when a new application configuration...
Gateway Management. By default, Configuration Service is preconfigured to use LOCAL NIC. Although Configuration Service can be changed to use REMOTE NIC, ABB recommends that LOCAL NIC is used for Gateway Management purposes. Allowing Configuration Service to use REMOTE NIC implies that this service is available for remote connection from entities which may be located outside the physical perimeter of COM600.
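The firewall rule concepts above and the recommendation to keep Configuration Service on the LOCAL NIC can be combined into one host-firewall check. The following is an added example, not code from the ABB guideline: it audits inbound allow rules that open the Configuration Service port (TCP 8080, from the port table) on every interface, then adds an allow rule bound to the LOCAL NIC only. The interface alias 'LOCAL' is an assumption; confirm the real alias with Get-NetAdapter.

```powershell
# Added example (not from the ABB guideline). Run in an elevated PowerShell on COM600.
# Assumptions: the LOCAL NIC's interface alias is 'LOCAL'; 8080 is the Configuration
# Service port listed in the port table of this guideline.
$localNic = 'LOCAL'
$port     = 8080

# 1. Audit: report any enabled inbound allow rule that opens the port on all interfaces.
#    (InterfaceAlias 'Any' means the rule is not restricted to a specific NIC.)
$wideOpen = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port") -and
        (($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -eq 'Any')
    }
if ($wideOpen) {
    Write-Warning "Rules exposing TCP $port on every interface (review and disable):"
    $wideOpen | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
}

# 2. Harden: allow the port only on the LOCAL NIC. With the default inbound policy
#    (block unless allowed) this leaves the REMOTE NIC closed for this service.
New-NetFirewallRule -DisplayName "COM600 Configuration Service (LOCAL NIC only)" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -InterfaceAlias $localNic -Action Allow -Profile Any | Out-Null

# 3. Verify the new rule's interface scope.
Get-NetFirewallRule -DisplayName "COM600 Configuration Service (LOCAL NIC only)" |
    Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias
```

Disable Configuration Service again via WebHMI once the configuration upload is finished; the firewall scope complements, not replaces, that recommendation.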
Before using Windows remote desktop application, the remote settings in COM600 should be enabled to allow remote desktop connections. This can be done using COM600 WebHMI. ABB recommends that remote desktop connections are enabled only when needed. To configure Remote desktop settings from WebHMI: 1.
3.2.6. Time service Time used in COM600 can be synchronized using SNTP to an external clock device either by using Windows time service or by using COM600 SNTP OPC Server. The SNTP OPC Server available in COM600 offers an SNTP server and an SNTP client.
COM600 is part of a domain. Policy configuration made using any one of these options may not necessarily reflect configuration made by another. Therefore, ABB recommends that “auditpol” command line tool in COM600 is always used to view/edit any audit policy.
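Because the guideline recommends auditpol as the single authoritative view of the audit policy, an added example follows (not from the ABB guideline) that backs up the effective policy, enables success and failure auditing for a set of subcategories, and verifies the result from auditpol's own CSV output. The backup path and the chosen subcategories are assumptions; pick the ones your site policy requires.

```powershell
# Added example (not from the ABB guideline). Run in an elevated prompt on COM600.
# Assumptions: C:\Temp is writable; the subcategory list below is illustrative.
$backupDir = 'C:\Temp'
$backup    = Join-Path $backupDir 'auditpol-backup.csv'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Snapshot the effective policy first; it can be reapplied with auditpol /restore.
auditpol /backup /file:$backup

# 2. Enable success and failure auditing for the subcategories of interest.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout',
    'Audit Policy Change', 'User Account Management'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. Verify using auditpol's report mode (/r prints CSV) rather than the GUI editor.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$notCompliant = $effective | Where-Object {
    ($subcategories -contains $_.Subcategory) -and
    ($_.'Inclusion Setting' -ne 'Success and Failure')
}
if ($notCompliant) {
    Write-Warning 'Subcategories not set to Success and Failure:'
    $notCompliant | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
} else {
    Write-Output 'Audit policy verified: all selected subcategories audit success and failure.'
}
```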
Centralized User Activity Logging (CAL) server The CAL server in COM600 is capable of receiving and storing security events in the form of syslog messages. The security events include events generated both from within COM600 and/or from other devices (such as protection relays/RTUs) that share the same physical perimeter with COM600.
Multiple methods are offered by various anti-virus vendors to keep these definitions up to date. ABB recommends choosing a convenient method that does not expose COM600 to the internet or to any public networks.
Available updates from Microsoft should be tracked periodically and checked for compatibility prior to installation. The compatibility of latest updates from Microsoft with COM600 specific functionality is tested and verified monthly by ABB. The test results can be found from COM600 product page, which includes a COM600 Patch Compatibility Report specifying the details.
COM600 through a physical medium for installation. For both online and offline setups, careful measures should be taken for this purpose without compromising the electronic security perimeter of COM600. ABB recommends that the updates are installed by an authorized system administrator.
Offline Updates manually To manually get Windows security updates from the Microsoft Update Catalog website:
1. Check available security updates that are tested and verified for compatibility from COM600 compatibility reports.
2. Go to Microsoft Update Catalog website (http://catalog.update.microsoft.com/).
Appendix 1 Launch Gateway Management Tool Gateway Management tool can be used to maintain application configuration in COM600. To launch Gateway Management tool from SAB600:
1. Open SAB600 from Engineering PC/workstation.
2. Open an existing project if available, or create a new project.
3.
Appendix 2 Setting up local WSUS server to update COM600 Updates from Microsoft for Windows and related features are managed through WSUS. This setup requires a server running Windows 2012 R2 on a 64-bit machine, connected to COM600 in a private network.
Figure 5.2-2 Add Roles Wizard, Installation Type
3. In the Server Selection section click Select a server from the server pool. Make sure the intended machine running Windows Server 2012 is selected in Server Pool and click Next as shown in Figure 5.2-3.
4. In the Server Roles section scroll to Roles selection and select Windows Server Update Services. Click Next as shown in Figure 5.2-4.
Figure 5.2-4 Add Roles Wizard, Server Roles
5. In the Add Roles and Features Wizard define additional Roles which are necessary for WSUS functionality, but are deemed to be missing in Windows Server 2012 R2.
Figure 5.2-5 Add Roles Wizard, Add additional features
6. In the Features section click Next as shown in Figure 5.2-6.
Figure 5.2-6 Add Roles Wizard, Features...
7. In the WSUS/Role Services section check that the WID Database and WSUS Services are selected and click Next as shown in Figure 5.2-7.
Figure 5.2-7 Add Roles Wizard, WSUS Role Services
8.
Figure 5.2-8 Add Roles Wizard, WSUS Content
9. In the Web Server Role (IIS)/Role Services section click Next without changing the default settings.
10. In the Confirmation section click Install and wait for the installation to complete.
Figure 5.3-1 Open WSUS Configuration Wizard
Configuring WSUS This section explains how to configure WSUS settings through WSUS Configuration Wizard. It is recommended to make appropriate settings that are specific to the deployed environment.
Figure 5.4-1 WSUS Wizard, Choose Upstream Server
4. In the Specify Proxy Server section of the configuration wizard, specify any intermediary proxy settings to connect to internet, and click Next.
5. In the subsequent section, click Start Connecting to verify the connection to Microsoft Update Server.
COM600 Product Version | Products chosen in WSUS Configuration
COM600 v5.0 and above |
1. Developer Tools, Runtimes, and Redistributables
   1.1. Visual Studio 2005
   1.2. Visual Studio 2008
   1.3. Visual Studio 2010
   1.4. Visual Studio 2013
2.
Figure 5.4-3 WSUS Server Status
Add COM600 Computer group Add a new computer group in WSUS server for each of the COM600 product versions deployed. This is done under Computers as shown in Figure 5.5-1.
Figure 5.5-1 Add Computer Group
Rename COM600 computer name This section describes configuration changes that need to be done in COM600 before connecting to WSUS server. Before proceeding, make sure COM600 device is assigned a unique computer name.
4. In the services listed, find Windows Update service and double click to open the properties dialog.
5. In the properties window, set Startup Type to be Automatic. Click Start to start the service.
Figure 5.8-1 Specify WSUS server in COM600
Connecting COM600 to WSUS Server To connect to COM600 after changing group policy settings:
1. Open command prompt in administrator mode and execute command...
later on for a computer group, all COM600 devices under a group would automatically receive approved updates. To change group membership from Unassigned Computers to COM600 Computer Group, right click the COM600 item and select Change Membership, as shown in Figure 5.10-1.
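Before approving updates, it is worth confirming on the COM600 side that the group policy change actually took effect and that the Windows Update service is running as configured in the preceding steps. The following is an added example, not code from the ABB guideline; the WSUS URL is an assumption (8530 is the default WSUS HTTP port) and must be replaced with the address of your local WSUS server.

```powershell
# Added example (not from the ABB guideline). Run on the COM600 in an elevated prompt.
# Assumption: the local WSUS server is reachable at http://wsus.example.local:8530.
$expectedWsus = 'http://wsus.example.local:8530'

# Group policy writes the WSUS settings under these well-known policy keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey        -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU"   -ErrorAction SilentlyContinue

# Service state and startup type of the Windows Update service (wuauserv).
$svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"

$checks = [ordered]@{
    'WUServer points at local WSUS'       = ($wu.WUServer -eq $expectedWsus)
    'WUStatusServer points at local WSUS' = ($wu.WUStatusServer -eq $expectedWsus)
    'UseWUServer enabled (AU policy)'     = ($au.UseWUServer -eq 1)
    'wuauserv startup type Automatic'     = ($svc.StartMode -eq 'Auto')
    'wuauserv running'                    = ($svc.State -eq 'Running')
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $status = if ($c.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    '{0} {1}' -f $status, $c.Key
}
if ($failed) {
    Write-Warning "$failed check(s) failed; re-run gpupdate or revisit the WSUS group policy settings."
}
```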
Figure 5.11-1 View needed updates in Update Services console
To approve each of the needed updates, right click on an update and select Approve. The Approve Updates dialog opens (see Figure 5.11-2). Select the desired COM600 Computer Group and click Approved for Install.
2. Open Control Panel > Windows Update.
3. Then click Check for Updates to install approved updates available from WSUS server.
Figure 5.12-1 Install updates in COM600
To configure COM600 to install updates automatically:
1.
Figure 5.12-2 COM600 Windows Update Change Settings...