cyber security deployment guideline, process bus i/o ... · connection to any sam600 module in a...
TRANSCRIPT
Document ID: 1MRK 511 430-UEN Issued: April 2016
Revision: - Product version: 1.1
© Copyright 2016 ABB. All rights reserved
Copyright
This document and parts thereof must not be reproduced or copied without written
permission from ABB, and the contents thereof must not be imparted to a third
party, nor used for any unauthorized purpose.
The software and hardware described in this document is furnished under a license
and may be used or disclosed only in accordance with the terms of such license.
Trademarks
ABB is a registered trademark of the ABB Group. All other brand or product
names mentioned in this document may be trademarks or registered trademarks of
their respective holders.
Open Source License Acknowledgements
This product incorporates open source software components covered by the terms
of third party copyright notices and license agreements. For more information,
refer to 1MRK 511 428-BEN SAM600 Product Guide.
Warranty
Please inquire about the terms of warranty from your nearest ABB representative.
Disclaimer
The data, examples and diagrams in this manual are included solely for the concept
or product description and are not to be deemed as a statement of guaranteed
properties. All persons responsible for applying the equipment addressed in this
manual must satisfy themselves that each intended application is suitable and
acceptable, including that any applicable safety or other operational requirements
are complied with. In particular, any risks in applications where a system failure
and /or product failure would create a risk for harm to property or persons
(including but not limited to personal injuries or death) shall be the sole
responsibility of the person or entity applying the equipment, and those so
responsible are hereby requested to ensure that all measures are taken to exclude or
mitigate such risks.
This product is designed to be connected to and to communicate information and
data via a network interface. It is Customer’s sole responsibility to provide and
continuously ensure a secure connection between the product and Customer’s
network or any other network (as the case may be). Customer’s shall establish and
maintain any appropriate measures (such as but not limited to the installation of
firewalls, application of authentication measures, encryption of data, installation of
anti-virus programs, etc) to protect the product, the network, its system and the
interface against any kind of security breaches, unauthorized access, interference,
intrusion, leakage and/or theft of data or information. ABB and its affiliates are not
liable for damages and/or losses related to such security breaches, any unauthorized
access, interference, intrusion, leakage and/or theft of data or information.
This document has been carefully checked by ABB but deviations cannot be
completely ruled out. In case any errors are detected, the reader is kindly requested
to notify the manufacturer. Other than under explicit contractual commitments, in
no event shall ABB be responsible or liable for any loss or damage resulting from
the use of this manual or the application of the equipment.
Conformity
This product complies with the directive of the Council of the European
Communities on the approximation of the laws of the Member States relating to
electromagnetic compatibility (EMC directive 2014/30/EU) and concerning
electrical equipment for use within specified voltage limits (Low-voltage directive
2014/35/EU). This conformity is the result of tests conducted by ABB in
accordance with the product standard EN 60255-26 for the EMC directive, and
with the product standard EN 60255-27 for the low voltage directive. The product
is designed in accordance with the international standards of the IEC 60255 series.
Safety Information
Observe the following safety instructions when using the product.
Before first usage, read the product documentation in order to
ensure safe and reliable operation of SAM600 products.
Dangerous voltages can occur on the connectors, even though
auxiliary voltages are disconnected.
Each SAM600 product must be safely connected to ground using
the ground strap.
Only a competent electrician is allowed to carry out the electrical
installation.
Always follow national and local electrical safety regulations.
Non-observance of the safety information can result in death,
personal injury or substantial property damage.
Whenever changes in parameter settings are applied to SAM600
modules, take measures to avoid inadvertent tripping or malfunction
of connected protection and control devices.
Table of contents
SAM600 Process Bus I/O System 1
Cyber Security Deployment Guideline
Table of contents
Section 1 Introduction ................................................................ 3
1.1 This manual ...................................................................................... 3
1.2 Intended audience ............................................................................ 3
1.3 Related documents ........................................................................... 3
1.4 Symbols and conventions ................................................................. 4
1.4.1 Symbols .......................................................................................... 4
1.4.2 Document conventions ................................................................... 4
Section 2 Secure access ............................................................ 5
2.1 Secure system setup ........................................................................ 5
2.2 Ethernet ports ................................................................................... 5
Section 3 User account management .......................................... 7
Section 4 Security event logging ................................................. 9
Appendix A Glossary ................................................................... 11
1MRK 511 430-UEN - Section 1 Introduction
SAM600 Process Bus I/O System 3
Cyber Security Deployment Guideline
Section 1 Introduction
1.1 This manual
The cyber security deployment guideline describes the process for handling cyber
security when communicating with SAM600 modules. The guideline can be used
as a technical reference during the engineering phase, installation and
commissioning phase, and during normal service of the product.
1.2 Intended audience
This guideline is intended for system engineering, commissioning, operation and
maintenance personnel handling cyber security during the engineering, installation
and commissioning phases, and during normal service.
The personnel is expected to have general knowledge about topics related to cyber
security.
1.3 Related documents
SAM600 Product documentation Document number
SAM600 Product Guide 1MRK 511 428-BEN
SAM600 Engineering Manual 1MRK 511 431-UEN
SAM600 Operation Manual 1MRK 511 429-UEN
SAM600 Cyber Security Deployment Guideline 1MRK 511 430-UEN
SAM600 Accessory List 1MRK 511 432-BEN
SAM600-TS Wiring Diagram 1KHL511910
SAM600-VT Wiring Diagram 1KHL511911
SAM600-CT Wiring Diagram 1KHL511912
Section 1 1MRK 511 430-UEN - Introduction
4 SAM600 Process Bus I/O System
Cyber Security Deployment Guideline
1.4 Symbols and conventions
1.4.1 Symbols
The electrical warning icon indicates the presence of a hazard which
could result in electrical shock.
The warning icon indicates the presence of a hazard which could
result in personal injury.
The caution icon indicates important information or warning related
to the concept discussed in the text. It might indicate the presence of
a hazard which could result in corruption of software or damage to
equipment or property.
The information icon alerts the reader of important facts and
conditions.
The tip icon indicates advice on, for example, how to design your
project or how to use a certain function.
Although warning hazards are related to personal injury, it is necessary to
understand that under certain operational conditions the operation of damaged
equipment may result in degraded process performance leading to personal injury
or death. Therefore, it is recommended to comply fully with all warning and
caution notices.
1.4.2 Document conventions
A particular convention may not be used in this manual.
Abbreviations and acronyms in this manual are spelled out in the glossary. The
glossary also contains definitions of important terms.
HMI menu paths are presented in bold.
For example, select Main menu/Settings.
Parameter names are shown in italics.
For example, the function can be enabled and disabled with the Operation
setting.
1MRK 511 430-UEN - Section 2 Secure access
SAM600 Process Bus I/O System 5
Cyber Security Deployment Guideline
Section 2 Secure access
2.1 Secure system setup
Access to a SAM600 system is only possible through PCM600 and a physical
connection to any SAM600 module in a SAM600 system through USB as
illustrated in Figure 1.
Once a SAM600 system is configured, each Ethernet port of the system supports
only the functionality that is configured. The following communication services are
configurable per port:
Closed port (both Tx and Rx)
IEC 61850-9-2 uplink (Tx enabled, Rx disabled)
IEC 61850-9-2 downlink (Tx disabled, Rx enabled)
IEC 61850-9-2 uplink and downlink (both Tx and Rx enabled)
IEC 61850-9-3 (IEEE 1588 V2, both Tx and Rx enabled)
SAM600
-TS
SAM600
-CT
SAM600
-VT
IED
Prot
IED
Ctrl
Sensor
PCM600
IEC 61850 Station Bus
USB
IEC 61850-9-2
uplink ports
IEC 61850-9-2
downlink ports
IEC
618
50-9
-3
Figure 1: SAM600 secure system overview
2.2 Ethernet ports
SAM600 modules only use Ethernet based protocols. Those protocols are IEC
61850-9-2 and IEC 61850-9-3 (IEEE 1588 V2).
No TCP/IP or UDP ports are used and opened by a configured SAM600 system.
1MRK 511 430-UEN - Section 3 User account management
SAM600 Process Bus I/O System 7
Cyber Security Deployment Guideline
Section 3 User account management
A SAM600 system does not provide any local or central user account management
services.
1MRK 511 430-UEN - Section 4 Security event logging
SAM600 Process Bus I/O System 9
Cyber Security Deployment Guideline
Section 4 Security event logging
A SAM600 system provides general event logging functionality that includes
security relevant events as documented in Table 1.
A SAM600 system does not provide any user activity logging as it does not support
user management and authorization.
Table 1: Security event types
Severity Event name Description Required action
Error Event buffer
overflow
Created when the internal event
queue overflows and log events are
lost
None
Error Serial
communication
failure
Created when a SAM600 module
fails to receive a command from
PCM600 on its USB port, or when a
SAM600 module fails to send a
command to PCM600 from its USB
port
Check the SAM600
module’s USB
connection. If the error
persists, contact ABB
support line.
Information Configuration
mode
Created when a SAM600 module is
set to wait in configuration state
None
Information Event log reset Created when the event log on a
SAM600 module is deleted
None
Information New application
configuration
applied
Created when SAM600 parameter
settings are modified as part of a
configuration download
None
Information New
configuration
applied
Created when a SAM600 module has
successfully applied a configuration
None
Information New
configuration
received
Created when a SAM600 module has
received a configuration
None
Information New system time
set
Created when a new system time is
set on the SAM600-TS module
None
Information Port settings
modified
Created when a SAM600 system bus
port settings are modified
None
Information Reset to factory
defaults
Created when the configuration of a
SAM600 module is erased
None
Information Simulation mode Created when the simulation mode is
switched ON or OFF
None
For more information about event logging functionality, event types, and event
names, refer to 1MRK 511 429-UEN SAM600 Operation Manual.
1MRK 511 430-UEN - Appendix A Glossary
SAM600 Process Bus I/O System 11
Cyber Security Deployment Guideline
Appendix A Glossary
Abbreviation Description
1PPS One Pulse Per Second
AC Alternating Current
AIS Air Isolated Switchgear
BMC Best Master Clock
DC Direct Current
FOCS Fiber Optic Current Sensor
FTDI Future Technology Devices International Ltd.
(http://www.ftdichip.com/)
GIS Gas Isolated Switchgear
ICT IED Configuration Tool
IEC 61850 Substation Automation Communication Standard
IED Intelligent Electronic Device
IID Instantiated IED Description
LE IEC 61850-9-2LE Light Edition
LED Light Emitting Diode
MAC Media Access Control
MSVCB Multicast Sample Value Control Block
PCM600 Protection and Control IED Manager
PTP IEEE 1588 Precision Time Protocol
RCB Report Control Block
SAM600 SAM600 Standalone Merging Unit
SAMU Standalone Merging Unit
SCD Substation Communication Description
SCL System Configuration Description Language
SCT System Configuration Tool
SFP Small Form-Factor Pluggable
SMVID Sample Value Identifier
Appendix A 1MRK 511 430-UEN -
Glossary
12 SAM600 Process Bus I/O System
Cyber Security Deployment Guideline
Abbreviation Description
SST System Specification Tool
SV Sample Value
USB Universal Serial Bus
UTC Coordinated Universal Time
Contact us
ABB AB
Grid Automation Products
SE-721 59 Västerås, Sweden
Phone: +46 (0) 21 32 50 00
Fax: +46 (0) 21 14 69 18
www.abb.com/protection-control
1M
RK
511 4
30
-UE
N -
© C
op
yrig
ht
201
6 A
BB
. A
ll rig
hts
rese
rved
.