COM600 series, Version 4.1
1MRS758267
Issued: 13.03.2015
Version: A/13.03.2015

Contents:

1. About this manual
  1.1. Copyright
  1.2. Disclaimer
  1.3. Conformity
  1.4. Trademarks
  1.5. Document conventions
  1.6. Use of symbols
  1.7. Terminology
  1.8. Abbreviations
  1.9. Document revisions
2. Introduction
  2.1. General about the COM600 series
  2.2. General about this document
  2.3. Reference documents
3. Configuring network for COM600
  3.1. Configuring network
4. Configuring security settings for COM600
  4.1. Configuring security settings
  4.2. BIOS settings
  4.3. Virus scanner
  4.4. Disabling devices
  4.5. User Account Control (UAC)
  4.6. OPC and DCOM
  4.7. Security policies
  4.8. Firewall (ports and services)
  4.9. Backing up and restoring
    4.9.1. General about backing up and restoring
    4.9.2. Taking and restoring a backup
      4.9.2.1. Taking backup
      4.9.2.2. Restoring backup
  4.10. User account management
    4.10.1. General about user account management
    4.10.2. Access permissions
    4.10.3. Adding new users
    4.10.4. Modifying user properties
    4.10.5. Changing user's password
5. Configuring UAL
  5.1. General
  5.2. Functional overview
1. About this manual

1.1. Copyright

This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose. The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.

Warranty

Please inquire about the terms of warranty from your nearest ABB representative.

http://www.abb.com/substationautomation

1.2. Disclaimer

The data, examples and diagrams in this manual are included solely for the concept or product description and are not to be deemed as a statement of guaranteed properties. All persons responsible for applying the equipment addressed in this manual must satisfy themselves that each intended application is suitable and acceptable, including that any applicable safety or other operational requirements are complied with. In particular, any risks in applications where a system failure and/or product failure would create a risk for harm to property or persons (including but not limited to personal injuries or death) shall be the sole responsibility of the person or entity applying the equipment, and those so responsible are hereby requested to ensure that all measures are taken to exclude or mitigate such risks.

This product is designed to be connected and to communicate information and data via a network interface, which should be connected to a secure network.
It is the sole responsibility of the person or entity responsible for network administration to ensure a secure connection to the network and to establish and maintain any appropriate measures (such as but not limited to the installation of firewalls, application of authentication measures, encryption of data, installation of antivirus programs, etc.) to protect the product, the network, its system and the interface against any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information. ABB is not liable for damages and/or losses related to such security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information.

This document has been carefully checked by ABB but deviations cannot be completely ruled out. In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB
be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.

1.3. Conformity

This product complies with the directive of the Council of the European Communities on the approximation of the laws of the Member States relating to electromagnetic compatibility (EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive. The product is designed in accordance with the international standards of the IEC 60255 series.

1.4. Trademarks

ABB is a registered trademark of ABB Group. All other brand or product names mentioned in this document may be trademarks or registered trademarks of their respective holders.

1.5. Document conventions

The following conventions are used for the presentation of material:

- The words in names of screen elements (for example, the title in the title bar of a window, the label for a field of a dialog box) are initially capitalized.
- Capital letters are used for the name of a keyboard key if it is labeled on the keyboard. For example, press the ENTER key.
- Lowercase letters are used for the name of a keyboard key that is not labeled on the keyboard. For example, the space bar, comma key, and so on.
- Press CTRL+C indicates that you must hold down the CTRL key while pressing the C key (to copy a selected object in this case).
- Press ESC E C indicates that you press and release each key in sequence (to copy a selected object in this case).
- The names of push and toggle buttons are boldfaced. For example, click OK.
- The names of menus and menu items are boldfaced. For example, the File menu.
- The following convention is used for menu operations: MenuName > MenuItem > CascadedMenuItem. For example: select File > New > Type.
- The Start menu name always refers to the Start menu on the Windows taskbar.
- System prompts/messages and user responses/input are shown in the Courier font. For example, if you enter a value out of range, the following message is displayed:
  Entered value is not valid. The value must be 0-30.
- You can be asked to enter the string MIF349 in a field. The string is shown as follows in the procedure:
  MIF349
- Variables are shown using lowercase letters:
  sequence name

1.6. Use of symbols

This publication includes warning, caution, and information icons that point out safety-related conditions or other important information. It also includes tip icons to point out useful information to the reader. The corresponding icons should be interpreted as follows.

- The electrical warning icon indicates the presence of a hazard which could result in electrical shock.
- The warning icon indicates the presence of a hazard which could result in personal injury.
- The caution icon indicates important information or warning related to the concept discussed in the text. It may indicate the presence of a hazard which could result in corruption of software or damage to equipment or property.
- The information icon alerts the reader to relevant facts and conditions.
- The tip icon indicates advice on, for example, how to design your project or how to use a certain function.

1.7. Terminology

The following is a list of terms associated with COM600 that you should be familiar with. The list contains terms that are unique to ABB or have a usage or definition that is different from standard industry usage.

Term: Description
Alarm: An abnormal state of a condition.
Alarms and Events; AE: An OPC service for providing information about alarms and events to OPC clients.
Device: A physical device that behaves as its own communication node in the network, for example, protection relay.
Event: Change of process data or an OPC internal value. Normally, an event consists of value, quality, and timestamp.
Intelligent Electronic Device: A physical IEC 61850 device that behaves as its own communication node in the IEC 61850 protocol.
OPC: Series of standards specifications aiming at open connectivity in industrial automation and the enterprise systems that support industry.
Property: Named data item.

1.8. Abbreviations

The following is a list of abbreviations associated with COM600 that you should be familiar with. See also 1.7, Terminology.

Abbreviation: Description
AE: Alarms and Events
ASDU: Application Service Data Unit
BRCB: Buffered Report Control Block
DA: Data Access
DMCD: Data Message Code Definition
DO: Data Object
GW: Gateway, component connecting two communication networks together
HMI: Human Machine Interface
IEC: International Electrotechnical Commission
IED: Intelligent Electronic Device
LAG: LON Application Guideline for substation automation
LAN: Local Area Network
LD: Logical Device
LMK: LonMark interoperable device communicating in LonWorks network. In this document, the term is used for devices that do not support the ABB LON/LAG communication.
LN: Logical Node
LSG: LON SPA Gateway
NCC: Network Control Center
NUC: Norwegian User Convention
NV: Network Variable
OLE: Object Linking and Embedding
OPC: OLE for Process Control
P&C: Protection & Control
PLC: Programmable Logic Controller
POU: Program Organization Unit
RTS: Request To Send
SA: Substation Automation
SCD: Substation Configuration Description
SCL: Substation Configuration Language
SFC: Sequential Function Chart
SLD: Single Line Diagram
SNMP: Simple Network Management Protocol
SNTP: Simple Network Time Protocol
SOAP: Simple Object Access Protocol
RCB: Report Control Block
URCB: Unbuffered Report Control Block
XML: eXtended Markup Language

1.9. Document revisions

Document version/date: A/13.3.2015
Product revision: 4.1
History: Document created
2. Introduction

2.1. General about the COM600 series

The COM600 series comprises substation management units that are deployed together with protection and control relays and other communication devices, such as Relion protection and control relays and Remote I/O units, to realize smart substation and grid automation solutions in utility and industrial medium voltage distribution networks. They are a unique combination of the following features:

- Process visualization (HMI)
- Real-time and historical data handling
- Platform for executing industrial and utility substation applications
- Communication gateway

The COM600 series 4.1 release comprises the following products:

- COM600S: COM600 for substation automation (for IEC and ANSI markets). COM600S is a substation automation and data management unit that integrates devices, facilitates operations and manages communication in utility or industrial distribution substations.
- COM600F: COM600 for feeder automation (for ANSI/US markets only). COM600F is a feeder automation and data management unit that runs distributed grid applications in ANSI standard-based utility power networks.

2.2. General about this document

This document is a security guide for COM600 series 4.1 version (hereafter COM600). This guide is intended for software and project engineers and system verification testers, who are expected to have general familiarity with topics in the following areas:

- PCs, servers, and Windows operating system
- Networking including TCP/IP and concept of ports and services
- Security policies
- Firewalls
- Anti-virus
- Remote and secure communication

However, this guide does not specify the network configuration (forests, domains, organizational units (OU)) where the COM600 system is installed. There are several ways to deploy security settings to machines, e.g. by using the secedit command-line tool, the Security Configuration Wizard (SCW), or Group Policy Objects (GPO).
This chapter gives general information, assumptions, and the operating system and COM600 versions this guide covers. The system is secured by configuring the network and configuring the firewall settings. Configuring the network is discussed in Chapter 3.1, Configuring network.

There are security settings which are automatically configured in the product and those which need to be configured manually. A disabled administrator user account is available in COM600. Since this is an administrator user account, it is the responsibility of the system administrator to choose a valid and secure password for this account, in case it gets enabled. Other Windows server security settings such as firewall, security policies and disabling Windows system services are configured for COM600 during development. During commissioning it is recommended to close ports for communication protocols that are not required.

There is a general security guide for control systems and operating systems on the ABB website [ABBSEC09]. Microsoft also has security guides for different operating systems [MSSEC09].

2.3. Reference documents

Ref: Document title
[ABBSEC09] ABB Security Control Systems, ABB
[APPLOC12] Windows AppLocker, Microsoft
[MSANA09] Microsoft Baseline Security Analyzer, Microsoft.
[MSDCOM04] Restrict TCP/IP Ports (Windows 2000 and XP), Microsoft. The default dynamic port range for TCP/IP has changed (Windows 7 and Server 2008), Microsoft. How to configure RPC dynamic port allocation to work with firewalls (Windows 2003 and 2008), Microsoft.
[MSDEP] Data Execution Prevention, Microsoft.
[MSPASS09] Strong passwords, Microsoft.
[MSSEC09] Windows OS Security Guides, Microsoft. Search for Security Guide and refine the search by giving a specific OS name, e.g. Windows Server 2008
[MSTHRE05] Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP, Microsoft. Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows 7, Microsoft.
[MSUPD] Windows Update, Microsoft.
[MSWS03] Security Compliance Manager, Microsoft.
[UAC] What are User Account Control settings?, Microsoft.
3. Configuring network for COM600

3.1. Configuring network

Each host in a TCP/IP network has a unique identifier, called an IP address. The IP address is composed of four numbers in the range from 0 to 255. The numbers are separated with dots, e.g. 192.168.0.1. Because every computer on an IP network must have a unique IP address, careful planning of IP addresses throughout the whole system is important. When planning large networks, remember to reserve address space for future needs.

A host can have multiple IP addresses, as shown in Figure 3.1-1. Static IP addressing should be used in a COM600 system; see Configure a Static IP Address [http://technet.microsoft.com/en-us/library/cc754203(ws.10).aspx] for more information.

Figure 3.1-1 COM600 with NCC Connection
ABB does not recommend the use of domains and wireless networks in a COM600 system due to the high reliability that is required of the control system. A domain controller that is unavailable might affect the stability of the control system. If a domain network is used, the risks of this solution should be understood. For more information, see Active Directory Domain Services, Microsoft [http://technet.microsoft.com/en-us/windowsserver/dd448614].
4. Configuring security settings for COM600

4.1. Configuring security settings

COM600 is an embedded device. The operating system for COM600 is Windows Embedded Standard 7 (WES7). During product development, WES7 has been tailored to be used in our hardware based on the requirements for utility and industrial distribution networks. To further reduce the attack surface in COM600, programs and services that are not used can be uninstalled or disabled.

The sections below use the statements "This has to be configured manually" and "This is pre-configured". The first statement means that the security setting has to be configured manually. The latter means that it is pre-configured.

4.2. BIOS settings

The following settings must be applied:

- Password(s) are enabled
- Remote wake-up/wake on LAN is disabled

This has to be configured manually.

4.3. Virus scanner

It is not recommended to use a virus scanner in the COM600 system.

4.4. Disabling devices

In COM600, it is good practice to disable the devices that are not used. This may include USB ports and communication ports.

This has to be configured manually.

Run devmgmt.msc (Device Manager) and look for the devices to be disabled. Figure 4.4-1 shows the disabling of devices; finally, the Universal Serial Bus (USB) ports must be disabled. Do not disable a device if it will be used, e.g. alarm sounds.
Figure 4.4-1 Disable communication ports
Figure 4.4-2 Disable USB Mass Storage

See also How can I prevent users from connecting to a USB storage device, http://support.microsoft.com/kb/823732. Applies to:

- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)

Disabling autorun functionality

Whenever disabling of devices is not possible, it is good practice to disable autorun functionality of the device. In order to prevent the automatic start of malicious code contained in a removable device, autorun functionality must be turned off. For more information, see How to disable the Autorun functionality in Windows, http://support2.microsoft.com/kb/967715/en-us.
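The two Microsoft articles referenced in section 4.4 describe registry settings whose state can be checked after commissioning. The following read-only audit is an added example, not part of the ABB manual: the registry locations and values are the ones documented by Microsoft, the function names are hypothetical, and PowerShell 2.0 or later is assumed on the device.

```powershell
# Added example, not ABB code. Read-only check of USB mass storage and autorun
# state. Written for PowerShell 2.0 (Windows Embedded Standard 7).
# Function names are hypothetical.

# NoDriveTypeAutoRun bits (Microsoft KB 967715): a set bit disables autorun
# for that drive type; 0xFF disables it for all drive types.
$DriveTypeBits = @(
    @{ Name = 'unknown type'; Mask = 0x81 },   # either 0x01 or 0x80 disables
    @{ Name = 'removable';    Mask = 0x04 },
    @{ Name = 'fixed';        Mask = 0x08 },
    @{ Name = 'network';      Mask = 0x10 },
    @{ Name = 'CD-ROM';       Mask = 0x20 },
    @{ Name = 'RAM disk';     Mask = 0x40 }
)

function Get-AutorunEnabledTypes {
    param([int]$Value)
    # Return the drive types whose disable bit is NOT set in $Value.
    $DriveTypeBits | Where-Object { ($Value -band $_.Mask) -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-NoDriveTypeAutoRun {
    # Check the machine-wide policy first, then the per-user one.
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\$sub"
        $raw = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $raw) {
            # Some systems store the value as REG_BINARY; the low byte holds the flags.
            if ($raw -is [byte[]]) { $raw = [int]$raw[0] }
            return New-Object PSObject -Property @{ Source = $path; Value = [int]$raw }
        }
    }
    return $null
}

function Test-RemovableMediaHardening {
    # Start = 4 disables the USB mass storage driver (Microsoft KB 823732).
    # A missing key means no USB storage device has been installed yet.
    $usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $usbKey -ErrorAction SilentlyContinue).Start

    $policy = Get-NoDriveTypeAutoRun
    $source = $null
    $value = $null
    if ($policy) {
        $source = $policy.Source
        $value = '0x{0:X2}' -f $policy.Value
        $enabled = @(Get-AutorunEnabledTypes $policy.Value)
    } else {
        $enabled = @('not set by policy; operating system default applies')
    }

    New-Object PSObject -Property @{
        UsbStorStart       = $start
        UsbStorageDisabled = ($start -eq 4)
        AutorunPolicyKey   = $source
        AutorunPolicyValue = $value
        AutorunEnabledFor  = ($enabled -join ', ')
    }
}

Test-RemovableMediaHardening | Format-List
```

An empty AutorunEnabledFor together with UsbStorageDisabled = True corresponds to the state section 4.4 asks for; any drive type listed there still has autorun enabled.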
4.5. User Account Control (UAC)

UAC is a security feature in Windows Embedded Standard 7. For more information, see [UAC].

This is pre-configured.

4.6. OPC and DCOM

The usage of OPC communication between OPC client and server requires that Distributed COM (DCOM) has been configured properly in the Windows operating system. This includes configuring mutual user accounts between computers, system-wide DCOM settings, OPC server specific DCOM settings, and firewall rules.

Distributed Component Object Model (DCOM) uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers. One can control which ports RPC dynamically allocates for incoming communication and then configure the firewall to confine incoming external communication to only those ports and port 135 (the RPC Endpoint Mapper port) [MSDCOM04].

This is pre-configured.

4.7. Security policies

Security policies are based on predefined SSLF (Specialized Security-Limited Functionality) security templates from Microsoft [MSSEC09]. The following policies are modified for COM600:

- Account policies
- Audit policy
- User rights
- Security options
- Event log
- System services

These policies are pre-configured.

4.8. Firewall (ports and services)

Windows Firewall is a stateful firewall, which can be configured to restrict all inbound connections, but cannot filter or block any outbound connections. However, Windows 7 supports blocking outbound connections. For more information about profiles, see Understanding Firewall Profiles, http://technet.microsoft.com/fi-fi/library/getting-startedwfas-firewall-profiles-ipsec%28v=ws.10%29.aspx.

The scope options of the firewall settings are ALL or SUBNET. SUBNET is a general setting option allowing only local
network (subnet) traffic through the firewall (for more information, see http://technet.microsoft.com/en-us/library/cc778362(ws.10).aspx).

COM600 has two different firewall profiles: private (within the substation) and public (towards outside of the substation). Other general settings are:

- Firewall: enabled, block inbound, allow outbound
- Logging: enabled, %windir%\pfirewall.log, 32767 kB
- ICMP settings: disabled
- Notify when an application is blocked.

Ports and services used by COM600 as well as default firewall settings are listed in Appendix B Ports and Services.

We recommend using hardware firewalls. Software firewalls may affect performance, in which case they should not be used.

These are pre-configured. Unnecessary ports should be closed. Logging needs to be enabled if required.

4.9. Backing up and restoring

4.9.1. General about backing up and restoring

Configuration can be backed up by storing the Exported Project from SAB600 to a location that is regularly backed up. It is recommended to copy the Exported Project also to the COM600 device.

4.9.2. Taking and restoring a backup

4.9.2.1. Taking backup

Backing up the COM600 with disc imaging software (for example Acronis True Image or Norton Ghost) is highly recommended. The image should be saved on a network drive or on a USB flash drive. Refer to the instructions from the disc imaging software manufacturer on how to accomplish this. We recommend taking an image backup every 3 months.

This has to be configured manually.

The contents of the data historian and event lists can also be backed up selectively. Please refer to COM600 Data Historian Operator's Manual and COM600 User's guide for additional details.
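Returning to sections 4.6 and 4.8: the pre-configured RPC port restriction and the firewall general settings can be verified on a commissioned unit before unnecessary ports are closed. The following read-only audit is an added example, not part of the ABB manual; it assumes the RPC registry values described in Microsoft's guidance cited as [MSDCOM04], an English-language netsh, and PowerShell 2.0 or later, and the function names are hypothetical.

```powershell
# Added example, not ABB code. Read-only audit of the settings described in
# sections 4.6 and 4.8. Written for PowerShell 2.0 (Windows Embedded Standard 7)
# and an English-language netsh. Function names are hypothetical.

function Get-RpcPortRestriction {
    # Registry values from Microsoft's RPC dynamic port guidance [MSDCOM04].
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $v = $null
    if (Test-Path $key) { $v = Get-ItemProperty -Path $key }
    $count = 0
    $entries = @()
    if ($v -and $v.Ports) {
        foreach ($entry in @($v.Ports)) {
            # Each entry is one port or a range, e.g. "5000" or "5000-5100"
            # (format illustration only, not COM600 values).
            if ($entry -match '^\s*(\d+)\s*(?:-\s*(\d+))?\s*$') {
                $lo = [int]$Matches[1]
                $hi = $lo
                if ($Matches[2]) { $hi = [int]$Matches[2] }
                if ($hi -ge $lo) { $count += $hi - $lo + 1; $entries += $entry.Trim() }
            }
        }
    }
    $restricted = $false
    if ($count -gt 0 -and $v.PortsInternetAvailable -eq 'Y' -and $v.UseInternetPorts -eq 'Y') {
        $restricted = $true
    }
    New-Object PSObject -Property @{
        Restricted = $restricted; PortEntries = $entries; PortCount = $count
    }
}

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles" into profile -> setting -> value.
    $profiles = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]
            $profiles[$current] = @{}
        } elseif ($current -and $line -match '^(\S+(?: \S+)*)\s{2,}(\S.*)$') {
            $profiles[$current][$Matches[1]] = $Matches[2].Trim()
        }
    }
    $profiles
}

function Test-FirewallBaseline {
    param([string[]]$ProfileNames = @('Private', 'Public'))
    # Expected values are the general settings listed in section 4.8.
    $expected = @{
        'State'                   = 'ON'
        'Firewall Policy'         = 'BlockInbound,AllowOutbound'
        'InboundUserNotification' = 'Enable'
        'MaxFileSize'             = '32767'
        'FileName'                = (Join-Path $env:windir 'pfirewall.log')
    }
    $actual = Get-FirewallProfileState
    foreach ($name in $ProfileNames) {
        foreach ($setting in $expected.Keys) {
            $value = $null
            if ($actual.ContainsKey($name)) { $value = $actual[$name][$setting] }
            if ($setting -eq 'FileName' -and $value) {
                # netsh may print the path with %systemroot% unexpanded.
                $value = [Environment]::ExpandEnvironmentVariables($value)
            }
            New-Object PSObject -Property @{
                Profile = $name; Setting = $setting
                Expected = $expected[$setting]; Actual = $value
                Ok = ($value -eq $expected[$setting])
            }
        }
    }
}

$rpc = Get-RpcPortRestriction
if ($rpc.Restricted) {
    "RPC dynamic ports restricted to: $($rpc.PortEntries -join ', ') ($($rpc.PortCount) ports)"
    'Inbound firewall rules for DCOM should open only these ports and TCP 135.'
} else {
    'RPC dynamic port range is NOT restricted; DCOM may use any dynamic port.'
}
Test-FirewallBaseline | Sort-Object Profile, Setting |
    Format-Table Profile, Setting, Expected, Actual, Ok -AutoSize
```

Rows with Ok = False show where the running configuration differs from the general settings listed in section 4.8.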
4.9.2.2. Restoring backup

The method for restoring the disc image depends on the disc imaging software. Refer to the instructions from the disc imaging software manufacturer on how to accomplish this.

This has to be configured manually.

The contents of the data historian and event lists can also be restored selectively. Please refer to COM600 Data Historian Operator's Manual and COM600 User's guide for additional details.

4.10. User account management

4.10.1. General about user account management

This has to be configured manually.

4.10.2. Access permissions

COM600 has the following user levels:

- Viewer = Only allowed to view
- Operator = Authorized to make operations
- Engineer = Allowed to change IED parameters, but no operation rights
- Administrator = Full access

The administrator can add users and define access rights with the User Management tool. The user levels of the selected user are displayed in the User Information view and they can be modified by the administrator. The purpose of the user groups is mainly to provide customized user interfaces for different users.

Functionality   Viewers   Operators   Engineers   Administrators
SLD
Control Dialogs   view   view
Event list
Alarm list   view   view
User management   *1   *1   *1
Parameter setting   view   view
Disturbance recording   view
System supervision   view
Security Event List

[icon] = Access enabled
*1 = Can change own password
view = View-only

Operating system access permissions using local browser

If enabled, in COM600 local browser, only administrator users are allowed to resize the HMI window, access COM600 files, launch and switch to other application, access Windows taskbar, and shut down COM600. This is a configurable feature. For more information about configuring the access rights, see section Operating system access permissions using local browser in COM600 HMI Configuration Manual.

When a non-administrator user logs in, or user logs out, the Minimize, Maximize, and Close buttons are not shown. The Windows taskbar is not shown. ALT-TAB, CTRL-ESC, and other Windows keys (such as Windows logo, logo + E) are disabled. If the user presses CTRL-ALT-DEL, in the pop-up dialog only the Cancel button is enabled.

Table 4.10.2-1 Windows access permissions using local browser

Function   Viewers   Operators   Engineers   Administrators
Resize HMI Window
Close HMI Window
Access COM600 files
Launch other application
Switch to other application
Access Windows Taskbar
Shut down COM600

[icon] = Access enabled
blank = No access

4.10.3. Adding new users

The administrator can add users in the Add User window.

To add a new user:

1. Click the Users tab on the left.
2. Select Add User.
3. Type in a new user name. The length of the user name can be 1-99 characters and it can only contain characters a-z and 0-9.
4. Type in a password and confirm it. The length of the password can be 9-99 characters and it can only contain characters a-z and 0-9.
5. Select a user group from the drop-down menu.
6. Click Apply to save the user information.

4.10.4. Modifying user properties

The administrator can modify user information by using the toolbar on top of the User Information view.

To remove a user:

1. Click the Users tab on the left.
2. Select the user you want to remove.
3. Click Remove User and confirm by clicking OK.

To change a user's user group:

1. Click the Users tab on the left.
2. Select the user whose user group you want to change.
3. Click Change User Group.
4. In the Change User's Group view, select a new group from the drop-down menu.
5. Click Apply.
4.10.5. Changing user's password

To change the password (administrator):

1. Click the Users tab on the left.
2. Select the user whose password you want to change.
3. Click Change password.
4. Type in a new password and confirm it.
5. Click Apply.

To change your own password:

1. Click the Settings tab on the left.
2. Click Change password.
3. Type in the old password.
4. Type in a new password and confirm it.
5. Click Apply.
5. Configuring UAL

5.1. General

This has to be configured manually. Please refer to the CAL/SEV OPC Server manual for the actual configuration.

5.2. Functional overview

There are security-related servers available within COM600. The security-related servers are capable of:

- Generating security-related events caused by user activity on COM600 and other software operation
- Capturing security-related events occurring in downstream devices, which COM600 is connected to
- Forwarding security-related events that are generated from COM600 and other downstream devices (like IED, RTU) to upstream control systems like DMS, or to other station computers
- Storing security events to an internal database for future auditing purposes.

The security events are sent and received between various devices using standard communication protocols like Syslog/IEC 61850. These messages follow a prescribed format when forwarded using Syslog.
Figure 5.2-1 System overview

The security events that are generated in COM600 will always follow the ABB-prescribed format when forwarded to an upstream external device using Syslog, or to the CAL server functioning within COM600.

The security events that are received by COM600 and generated in downstream devices will always follow the format used in the source/downstream device when forwarded to upstream devices by COM600.
Contact us

ABB Oy
Substation Automation Products
P.O. Box 699
FI-65101 VAASA, FINLAND
Tel. +358 10 22 11
Fax. +358 10 224 1094

ABB Inc.
Distribution Automation
655 Century Point
Lake Mary, FL 32746, USA
Tel: +1 407 732 2000
Fax: +1 407 732 2335

www.abb.com/substationautomation

1MRS758267 A/13.03.2015
Copyright 2015 ABB. All rights reserved.