cyber security deployment guideline, process bus i/o ... · connection to any sam600 module in a...

Grid Automation Products

SAM600 Process Bus I/O System Cyber Security Deployment Guideline

Document ID: 1MRK 511 430-UEN Issued: April 2016

Revision: - Product version: 1.1

© Copyright 2016 ABB. All rights reserved

Copyright

This document and parts thereof must not be reproduced or copied without written

permission from ABB, and the contents thereof must not be imparted to a third

party, nor used for any unauthorized purpose.

The software and hardware described in this document is furnished under a license

and may be used or disclosed only in accordance with the terms of such license.

Trademarks

ABB is a registered trademark of the ABB Group. All other brand or product

names mentioned in this document may be trademarks or registered trademarks of

their respective holders.

Open Source License Acknowledgements

This product incorporates open source software components covered by the terms

of third party copyright notices and license agreements. For more information,

refer to 1MRK 511 428-BEN SAM600 Product Guide.

Warranty

Please inquire about the terms of warranty from your nearest ABB representative.

Disclaimer

The data, examples and diagrams in this manual are included solely for the concept

or product description and are not to be deemed as a statement of guaranteed

properties. All persons responsible for applying the equipment addressed in this

manual must satisfy themselves that each intended application is suitable and

acceptable, including that any applicable safety or other operational requirements

are complied with. In particular, any risks in applications where a system failure

and /or product failure would create a risk for harm to property or persons

(including but not limited to personal injuries or death) shall be the sole

responsibility of the person or entity applying the equipment, and those so

responsible are hereby requested to ensure that all measures are taken to exclude or

mitigate such risks.

This product is designed to be connected to and to communicate information and

data via a network interface. It is Customer’s sole responsibility to provide and

continuously ensure a secure connection between the product and Customer’s

network or any other network (as the case may be). Customer’s shall establish and

maintain any appropriate measures (such as but not limited to the installation of

firewalls, application of authentication measures, encryption of data, installation of

anti-virus programs, etc) to protect the product, the network, its system and the

interface against any kind of security breaches, unauthorized access, interference,

intrusion, leakage and/or theft of data or information. ABB and its affiliates are not

liable for damages and/or losses related to such security breaches, any unauthorized

access, interference, intrusion, leakage and/or theft of data or information.

This document has been carefully checked by ABB but deviations cannot be

completely ruled out. In case any errors are detected, the reader is kindly requested

to notify the manufacturer. Other than under explicit contractual commitments, in

no event shall ABB be responsible or liable for any loss or damage resulting from

the use of this manual or the application of the equipment.

Conformity

This product complies with the directive of the Council of the European

Communities on the approximation of the laws of the Member States relating to

electromagnetic compatibility (EMC directive 2014/30/EU) and concerning

electrical equipment for use within specified voltage limits (Low-voltage directive

2014/35/EU). This conformity is the result of tests conducted by ABB in

accordance with the product standard EN 60255-26 for the EMC directive, and

with the product standard EN 60255-27 for the low voltage directive. The product

is designed in accordance with the international standards of the IEC 60255 series.

Safety Information

Observe the following safety instructions when using the product.

Before first usage, read the product documentation in order to

ensure safe and reliable operation of SAM600 products.

Dangerous voltages can occur on the connectors, even though

auxiliary voltages are disconnected.

Each SAM600 product must be safely connected to ground using

the ground strap.

Only a competent electrician is allowed to carry out the electrical

installation.

Always follow national and local electrical safety regulations.

Non-observance of the safety information can result in death,

personal injury or substantial property damage.

Whenever changes in parameter settings are applied to SAM600

modules, take measures to avoid inadvertent tripping or malfunction

of connected protection and control devices.

Table of contents

SAM600 Process Bus I/O System 1

Cyber Security Deployment Guideline

Table of contents

Section 1 Introduction ................................................................ 3

1.1 This manual ...................................................................................... 3

1.2 Intended audience ............................................................................ 3

1.3 Related documents ........................................................................... 3

1.4 Symbols and conventions ................................................................. 4

1.4.1 Symbols .......................................................................................... 4

1.4.2 Document conventions ................................................................... 4

Section 2 Secure access ............................................................ 5

2.1 Secure system setup ........................................................................ 5

2.2 Ethernet ports ................................................................................... 5

Section 3 User account management .......................................... 7

Section 4 Security event logging ................................................. 9

Appendix A Glossary ................................................................... 11

1MRK 511 430-UEN - Section 1 Introduction



Section 1 Introduction

1.1 This manual

The cyber security deployment guideline describes the process for handling cyber

security when communicating with SAM600 modules. The guideline can be used

as a technical reference during the engineering phase, installation and

commissioning phase, and during normal service of the product.

1.2 Intended audience

This guideline is intended for system engineering, commissioning, operation and

maintenance personnel handling cyber security during the engineering, installation

and commissioning phases, and during normal service.

The personnel is expected to have general knowledge about topics related to cyber

security.

1.3 Related documents

SAM600 Product documentation Document number

SAM600 Product Guide 1MRK 511 428-BEN

SAM600 Engineering Manual 1MRK 511 431-UEN

SAM600 Operation Manual 1MRK 511 429-UEN

SAM600 Cyber Security Deployment Guideline 1MRK 511 430-UEN

SAM600 Accessory List 1MRK 511 432-BEN

SAM600-TS Wiring Diagram 1KHL511910

SAM600-VT Wiring Diagram 1KHL511911

SAM600-CT Wiring Diagram 1KHL511912

Section 1 1MRK 511 430-UEN - Introduction

4 SAM600 Process Bus I/O System


1.4 Symbols and conventions

1.4.1 Symbols

The electrical warning icon indicates the presence of a hazard which

could result in electrical shock.

The warning icon indicates the presence of a hazard which could

result in personal injury.

The caution icon indicates important information or warning related

to the concept discussed in the text. It might indicate the presence of

a hazard which could result in corruption of software or damage to

equipment or property.

The information icon alerts the reader of important facts and

conditions.

The tip icon indicates advice on, for example, how to design your

project or how to use a certain function.

Although warning hazards are related to personal injury, it is necessary to

understand that under certain operational conditions the operation of damaged

equipment may result in degraded process performance leading to personal injury

or death. Therefore, it is recommended to comply fully with all warning and

caution notices.

1.4.2 Document conventions

A particular convention may not be used in this manual.

Abbreviations and acronyms in this manual are spelled out in the glossary. The

glossary also contains definitions of important terms.

HMI menu paths are presented in bold.

For example, select Main menu/Settings.

Parameter names are shown in italics.

For example, the function can be enabled and disabled with the Operation

setting.

1MRK 511 430-UEN - Section 2 Secure access



Section 2 Secure access

2.1 Secure system setup

Access to a SAM600 system is only possible through PCM600 and a physical

connection to any SAM600 module in a SAM600 system through USB as

illustrated in Figure 1.

Once a SAM600 system is configured, each Ethernet port of the system supports

only the functionality that is configured. The following communication services are

configurable per port:

Closed port (both Tx and Rx)

IEC 61850-9-2 uplink (Tx enabled, Rx disabled)

IEC 61850-9-2 downlink (Tx disabled, Rx enabled)

IEC 61850-9-2 uplink and downlink (both Tx and Rx enabled)

IEC 61850-9-3 (IEEE 1588 V2, both Tx and Rx enabled)

SAM600

-TS

SAM600

-CT

SAM600

-VT

IED

Prot

IED

Ctrl

Sensor

PCM600

IEC 61850 Station Bus

USB

IEC 61850-9-2

uplink ports

IEC 61850-9-2

downlink ports

IEC

618

50-9

-3

Figure 1: SAM600 secure system overview

2.2 Ethernet ports

SAM600 modules only use Ethernet based protocols. Those protocols are IEC

61850-9-2 and IEC 61850-9-3 (IEEE 1588 V2).

No TCP/IP or UDP ports are used and opened by a configured SAM600 system.

1MRK 511 430-UEN - Section 3 User account management



Section 3 User account management

A SAM600 system does not provide any local or central user account management

services.

1MRK 511 430-UEN - Section 4 Security event logging



Section 4 Security event logging

A SAM600 system provides general event logging functionality that includes

security relevant events as documented in Table 1.

A SAM600 system does not provide any user activity logging as it does not support

user management and authorization.

Table 1: Security event types

Severity Event name Description Required action

Error Event buffer

overflow

Created when the internal event

queue overflows and log events are

lost

None

Error Serial

communication

failure

Created when a SAM600 module

fails to receive a command from

PCM600 on its USB port, or when a

SAM600 module fails to send a

command to PCM600 from its USB

port

Check the SAM600

module’s USB

connection. If the error

persists, contact ABB

support line.

Information Configuration

mode

Created when a SAM600 module is

set to wait in configuration state

None

Information Event log reset Created when the event log on a

SAM600 module is deleted

None

Information New application

configuration

applied

Created when SAM600 parameter

settings are modified as part of a

configuration download

None

Information New

configuration

applied

Created when a SAM600 module has

successfully applied a configuration

None

Information New

configuration

received

Created when a SAM600 module has

received a configuration

None

Information New system time

set

Created when a new system time is

set on the SAM600-TS module

None

Information Port settings

modified

Created when a SAM600 system bus

port settings are modified

None

Information Reset to factory

defaults

Created when the configuration of a

SAM600 module is erased

None

Information Simulation mode Created when the simulation mode is

switched ON or OFF

None

For more information about event logging functionality, event types, and event

names, refer to 1MRK 511 429-UEN SAM600 Operation Manual.

1MRK 511 430-UEN - Appendix A Glossary



Appendix A Glossary

Abbreviation Description

1PPS One Pulse Per Second

AC Alternating Current

AIS Air Isolated Switchgear

BMC Best Master Clock

DC Direct Current

FOCS Fiber Optic Current Sensor

FTDI Future Technology Devices International Ltd.

(http://www.ftdichip.com/)

GIS Gas Isolated Switchgear

ICT IED Configuration Tool

IEC 61850 Substation Automation Communication Standard

IED Intelligent Electronic Device

IID Instantiated IED Description

LE IEC 61850-9-2LE Light Edition

LED Light Emitting Diode

MAC Media Access Control

MSVCB Multicast Sample Value Control Block

PCM600 Protection and Control IED Manager

PTP IEEE 1588 Precision Time Protocol

RCB Report Control Block

SAM600 SAM600 Standalone Merging Unit

SAMU Standalone Merging Unit

SCD Substation Communication Description

SCL System Configuration Description Language

SCT System Configuration Tool

SFP Small Form-Factor Pluggable

SMVID Sample Value Identifier

Appendix A 1MRK 511 430-UEN -

Glossary

12 SAM600 Process Bus I/O System


Abbreviation Description

SST System Specification Tool

SV Sample Value

USB Universal Serial Bus

UTC Coordinated Universal Time

Contact us

ABB AB

Grid Automation Products

SE-721 59 Västerås, Sweden

Phone: +46 (0) 21 32 50 00

Fax: +46 (0) 21 14 69 18

www.abb.com/protection-control

1M

RK

511 4

30

-UE

N -

© C

op

yrig

ht

201

6 A

BB

. A

ll rig

hts

rese

rved

.

http://www.abb.com/protection-control

cyber security deployment guideline, process bus i/o ... · connection to any sam600 module in a...

Documents