ABB Relion REX610 User manual

RELION® PROTECTION AND CONTROL
REX610
Cyber Security Deployment Guideline


Document ID: 2NGA000818
Issued: 2022-04-21
Revision: A
Product version: 1.0
© Copyright 2022 ABB. All rights reserved

Copyright
This document and parts thereof must not be reproduced or copied without written
permission from ABB, and the contents thereof must not be imparted to a third
party, nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under a license
and may be used, copied, or disclosed only in accordance with the terms of such
license.
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit. (http://www.openssl.org/) This product includes cryptographic
software written/developed by: Eric Young ([email protected]) and Tim Hudson
Trademarks
ABB and Relion are registered trademarks of the ABB Group. All other brand or
product names mentioned in this document may be trademarks or registered
trademarks of their respective holders.
Warranty
Please inquire about the terms of warranty from your nearest ABB representative.
abb.com/mediumvoltage

Disclaimer
The data, examples and diagrams in this manual are included solely for the concept
or product description and are not to be deemed as a statement of guaranteed
properties. All persons responsible for applying the equipment addressed in this
manual must satisfy themselves that each intended application is suitable and
acceptable, including that any applicable safety or other operational requirements
are complied with. In particular, any risks in applications where a system failure
and/or product failure would create a risk for harm to property or persons
(including but not limited to personal injuries or death) shall be the sole
responsibility of the person or entity applying the equipment, and those so
responsible are hereby requested to ensure that all measures are taken to exclude or
mitigate such risks.
This product has been designed to be connected and communicate data and
information via a network interface which should be connected to a secure
network. It is the sole responsibility of the person or entity responsible for network
administration to ensure a secure connection to the network and to take the
necessary measures (such as, but not limited to, installation of firewalls, application
of authentication measures, encryption of data, installation of anti virus programs,
etc.) to protect the product and the network, its system and interface included,
against any kind of security breaches, unauthorized access, interference, intrusion,
leakage and/or theft of data or information. ABB is not liable for any such damages
and/or losses.
This document has been carefully checked by ABB but deviations cannot be
completely ruled out. In case any errors are detected, the reader is kindly requested
to notify the manufacturer. Other than under explicit contractual commitments, in
no event shall ABB be responsible or liable for any loss or damage resulting from
the use of this manual or the application of the equipment. In case of discrepancies
between the English and any other language version, the wording of the English
version shall prevail.

Conformity
This product complies with the directive of the Council of the European
Communities on the approximation of the laws of the Member States relating to
electromagnetic compatibility (EMC Directive 2014/30/EU) and concerning
electrical equipment for use within specified voltage limits (Low-voltage directive
2014/35/EU). This conformity is the result of tests conducted by the third party
testing laboratory KEMA in accordance with the product standard EN 60255-26
for the EMC directive, and with the product standards EN 60255-1 and EN
60255-27 for the low voltage directive. The product is designed in accordance with
the international standards of the IEC 60255 series.

Table of contents
Section 1 Introduction
  This manual
  Intended audience
  Product documentation
    Product documentation set
    Document revision history
    Related documentation
  Symbols and conventions
    Symbols
    Document conventions
Section 2 Security in distribution automation
  General security in distribution automation
Section 3 Secure system setup
  Basic system hardening rules
  Relay communication interfaces
  TCP/IP based protocols and used IP ports
  Secure communication
    Certificate handling
    Encryption algorithms
Section 4 User management
  Local user account management
  Password policies
Section 5 Security logging
  Audit trail
Section 6 Using local HMI
  Logging in
    Logging in via USB port
  Logging out
Section 7 Protection of relay and system configuration
  Backup files
    Creating a backup from the relay configuration
    Creating a backup from the PCM600 project
  Restoring factory settings
  Restoring the administrator password

Section 1 Introduction
1.1 This manual
The cyber security deployment guideline describes the process for handling cyber
security when communicating with the protection relay. The cyber security
deployment guideline provides information on how to secure the system on which
the protection relay is installed. The guideline can be used as a technical reference
during the engineering phase, installation and commissioning phase, and during
normal service.
1.2 Intended audience
This guideline is intended for the system engineering, commissioning, operation
and maintenance personnel handling cybersecurity during the product lifecycle.
The personnel is expected to have general knowledge about the following topics
related to cybersecurity.
• Protection and control devices, gateways and workstations
• Networking, including Ethernet and TCP/IP with its concept of ports and
services
• Security policies
• Firewalls
• Antivirus protection
• Application whitelisting
• Secure remote communication

1.3 Product documentation
1.3.1 Product documentation set
Figure 1: The intended use of documents during the product life cycle
[Figure not reproduced. It maps the documents (quick start guide, quick
installation guide, brochure, product guide, operation manual, installation
manual, connection diagram, engineering manual, technical manual, communication
protocol manual, IEC 61850 engineering guide, cyber security deployment
guideline) to the life-cycle phases: planning & purchase, engineering,
installation, commissioning, operation, maintenance, and decommissioning,
deinstallation & disposal.]
1.3.2 Document revision history
Document revision/date   Product version   History
A/2022-04-21             1.0               First release
1.3.3 Related documentation
Download the latest documents from the ABB Web site abb.com/mediumvoltage.
1.4 Symbols and conventions
1.4.1 Symbols
The caution icon indicates important information or warning related
to the concept discussed in the text. It might indicate the presence
of a hazard which could result in corruption of software or damage
to equipment or property.

The information icon alerts the reader of important facts and
conditions.
The tip icon indicates advice on, for example, how to design your
project or how to use a certain function.
Although warning hazards are related to personal injury, it is necessary to
understand that under certain operational conditions, operation of damaged
equipment may result in degraded process performance leading to personal injury
or death. Therefore, comply fully with all warning and caution notices.
1.4.2 Document conventions
A particular convention may not be used in this manual.
• Abbreviations and acronyms are spelled out in the glossary. The glossary also
contains definitions of important terms.
• Push button navigation in the LHMI menu structure is presented by using the
push button icons.
To navigate between the options, use and .
• Menu paths are presented in bold.
Select Main menu/Settings.
• LHMI messages are shown in Courier font.
To save the changes in nonvolatile memory, select Yes and press .
• Parameter names are shown in italics.
The function can be enabled and disabled with the Operation setting.
• Parameter values are indicated with quotation marks.
The corresponding parameter values are "On" and "Off".
• Input/output messages and monitored data names are shown in Courier font.
When the function starts, the START output is set to TRUE.
• Values of quantities are expressed with a number and an SI unit. The
corresponding imperial units may be given in parentheses.
• This document assumes that the parameter setting visibility is "Advanced".
• A functional earth terminal is indicated in figures with the symbol .
• Equipment protected throughout by double insulation or reinforced insulation
(equivalent to class II of IEC 61140) is indicated in figures with the symbol
.

Section 2 Security in distribution automation
2.1 General security in distribution automation
Technological advancements and breakthroughs have caused a significant
evolution in the electric power grid. As a result, the emerging “smart grid” and
“Internet of Things” are quickly becoming a reality. At the heart of these intelligent
advancements are specialized IT systems – various control and automation
solutions such as distribution automation systems. To provide end users with
comprehensive real-time information, enabling higher reliability and greater
control, automation systems have become ever more interconnected. To combat the
increased risks associated with these interconnections, ABB offers a wide range of
cyber security products and solutions for automation systems and critical
infrastructure.
The new generation of automation systems uses open standards such as IEC 61850
and commercial technologies, in particular Ethernet and TCP/IP based
communication protocols. They also enable connectivity to external networks, such
as office intranet systems and the Internet. These changes in technology, including
the adoption of open IT standards, have brought huge benefits from an operational
perspective, but they have also introduced cyber security concerns previously
known only to office or enterprise IT systems.
To counter cyber security risks, open IT standards are equipped with cyber security
mechanisms. These mechanisms, developed in a large number of enterprise
environments, are proven technologies. They enable the design, development and
continuous improvement of cyber security solutions for control systems, including
distribution automation applications.
ABB understands the importance of cyber security and its role in advancing the
security of distribution networks. A customer investing in new ABB technologies
can rely on system solutions where reliability and security have the highest
priority.
At ABB, we are addressing cyber security requirements on a system level as well
as on a product level to support cyber security standards or recommendations from
organizations such as NERC CIP, IEC 62351, IEC 62443, IEEE 1686, ENISA and
BDEW Whitepaper.
Reporting of vulnerability or cyber security issues related to any ABB product can
be done via [email protected].

Section 3 Secure system setup
3.1 Basic system hardening rules
Today's distribution automation systems are basically specialized IT systems.
Therefore, several rules for hardening an automation system apply to these systems,
too. From the automation system perspective, protection and control relays are on
the lowest level and closest to the actual primary process. It is important to apply
the defense-in-depth information assurance concept, where each layer in the system
is capable of protecting the automation system; protection and control relays are
therefore also part of this concept. The following should be taken into
consideration when planning the system protection.
• Identifying and becoming familiar with all parts of the system and the
system's communication links
• Removing all unnecessary communication links in the system
• Rating the security level of remaining connections and improving with
applicable methods
• Hardening the system by removing or deactivating all unused processes,
communication ports and services
• Checking that the whole system has backups available from all applicable
parts
• Collecting and storing backups of the system components and keeping those
up-to-date
• Removing all unnecessary user accounts
• Defining password policies
• Changing default passwords and using strong passwords
• Checking that the link from substation to upper level system uses strong
encryption and authentication
• Segregating public network (untrusted) from automation networks (trusted)
• Segmenting traffic and networks
• Using firewalls and demilitarized zones
• Assessing the system periodically
• Using malware protection in workstations and keeping those up-to-date
It is important to utilize the defense-in-depth concept when designing automation
system security. It is not recommended to connect a device directly to the Internet
without adequate additional security components. The different layers and
interfaces in the system should use security controls. Robust security means,
besides product features, enabling and using the available features and also
enforcing their use by company policies. Adequate training is also needed for the
personnel accessing and using the system.

Figure 2: Distribution substation example
3.2 Relay communication interfaces
Some physical ports dedicated to station bus communication can be opened and
closed in the relay configuration. A few ports are always open because they are
needed for monitoring, control and configuration communication. The front port is
used for engineering, and it can be used only for point-to-point configuration
access with PCM600.
Table 1: Physical ports on relay's communication cards
Port ID      Type     Default state   Description
A2           RJ-45    Open            Ethernet station bus
A2           RS-485   Closed          Serial station bus
Front port   USB      Closed          Service access
Serial ports are closed by default and Ethernet ports are open. All protocol
instances, except for IEC 61850 and FTP, are by default off and do not respond to
protocol requests in serial or Ethernet ports. The IEC 61850 protocol and rear
Ethernet ports are by default activated as those are used for protection relay
engineering. The front port is segregated from rear ports' station bus
communication.
3.3 TCP/IP based protocols and used IP ports
IP port security depends on specific installation, requirements and existing
infrastructure. The required external equipment can be separate devices or devices
that combine firewall, router and secure VPN functionality. When the network is
divided into security zones, it is done with substation devices having firewall
functionality or with dedicated firewall products. Security zone boundaries are
inside the substation or between the substation and the outside world.
The following table summarizes the IP ports used by the device, for use when
setting up an IP firewall. All closed ports can be opened in the configuration.
Ports which are open by default are used for configuring the protection relay.
Table 2: IP ports used by the relay
Port number   Type   Default state   Description
20, 21        TCP    Open            File transfer protocol (FTP/FTPS)
102           TCP    Open            IEC 61850
502           TCP    Closed          Modbus TCP
FTP/FTPS and IEC 61850 are primary services needed for relay configuration and
those cannot be disabled. Additionally, the protection relay uses layer 2
communications in GOOSE, which needs to be taken into account when designing
the network.
In addition to the FTP/FTPS protocol, the relay supports two Ethernet-based
substation automation communication protocols, IEC 61850 and Modbus. IEC
61850 is always enabled, and the relay can be ordered with one additional station
bus protocol. Additional protocols must be enabled in the configuration, otherwise
the communication protocol TCP port is closed and unavailable. If the protocol
service is configured, the corresponding port is open all the time.
See the technical manual and the corresponding protocol documentation for
configuring a certain communication protocol.
In Modbus it is possible to assign the TCP port number if required and it is also
possible to allow connection requests only from a configured client IP address.
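
The port baseline from Table 2 can be turned into a check that is run during commissioning or periodic assessment. The following is an added example, not ABB code; the function names and the sample result are constructed for illustration, and the check assumes it is run from a host that is allowed to reach the relay.

```python
import socket

# Services from Table 2 that the guideline says cannot be disabled.
REQUIRED_LISTENING = {21: "FTP/FTPS control", 102: "IEC 61850"}
# Port 20 is the FTP data port. In active-mode FTP the server originates data
# connections from it, so a connect check typically reports it closed:
# it is permitted by the baseline but not required to answer.
PERMITTED_ONLY = {20: "FTP/FTPS data"}
MODBUS_DEFAULT_PORT = 502


def expected_ports(modbus_enabled=False, modbus_port=MODBUS_DEFAULT_PORT):
    """Return (required, permitted) port dicts for one relay configuration."""
    required = dict(REQUIRED_LISTENING)
    if modbus_enabled:
        # Once the protocol is configured its port is open all the time;
        # the port number may have been reassigned from the default.
        required[modbus_port] = "Modbus TCP"
    permitted = {**required, **PERMITTED_ONLY}
    return required, permitted


def audit_ports(observed_open, modbus_enabled=False, modbus_port=MODBUS_DEFAULT_PORT):
    """Compare observed open TCP ports with the baseline; return sorted findings."""
    required, permitted = expected_ports(modbus_enabled, modbus_port)
    observed = set(observed_open)
    findings = []
    for port in observed - set(permitted):
        if port == MODBUS_DEFAULT_PORT:
            findings.append((port, "default Modbus TCP port is open but not in the baseline"))
        else:
            findings.append((port, "open port is not listed in Table 2"))
    for port in set(required) - observed:
        findings.append((port, f"{required[port]} expected open but not reachable"))
    return sorted(findings)


def probe_open_ports(host, ports, timeout=1.0):
    """TCP connect check against a relay you administer (commissioning use)."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


# Constructed sample: connect-check result for a relay where Modbus was left
# enabled and an unknown service answers on port 80.
SAMPLE_OBSERVED = {21, 102, 502, 80}

if __name__ == "__main__":
    for port, finding in audit_ports(SAMPLE_OBSERVED):
        print(f"tcp/{port}: {finding}")
```

An empty result means the relay matches the baseline for the stated configuration; layer 2 GOOSE traffic is outside what a TCP check can see.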

3.4 Secure communication
The protection relay supports secure file transfer using the Transport Layer
Security (TLS) protocol. The file transfer client must use explicit FTPS to
communicate with the relay.
FTPS is always enabled by default but the relay also supports FTP communication.
PCM600 always uses FTPS to communicate with the relay.
It is recommended to always use FTPS communication.
3.4.1 Certificate handling
For encryption and secure identification, FTPS protocols in the protection relay use
public key certificates that bind together a public key with an identity, that is,
information such as the name of an organization, their address and so on. The
server certificate used by the protection relay is generated by the relay itself as a
self-signed certificate and not issued by any certification authority (CA).
Certificates use encryption to provide secure communication over the network. A
self-signed X.509 certificate and an RSA key pair with a key length of 1024 bits
are generated by the protection relay. The RSA key stored in the certificate is
used to establish secure communication.
The certificate is used to verify that a public key belongs to an identity. The public
key is one part of an asymmetric key algorithm in which one key is used to encrypt
a message and another key is used to decrypt it. The public/private key pair
(asymmetric key) is used to exchange the symmetric key, which is used to encrypt
and decrypt the data that is exchanged between server and client.
Messages encrypted with the public key can only be decrypted with the other part
of the algorithm, the private key. Public and private key are related mathematically
and represent a cryptographic key pair. The private key is kept secret and stored
safely in the protection relay, while the public key may be widely distributed.
Once the protection relay certificate has been manually trusted in a separate dialog
box, the certificate is trusted in communication between the relay and PCM600.
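
Because the relay certificate is self-signed, trust rests on recognizing that specific certificate rather than on CA validation. The following added example (not ABB code) shows one way a scripted explicit-FTPS client can pin the certificate with Python's ftplib; the host, credentials and pinned fingerprint are assumptions supplied from your own commissioning records, and the function names are hypothetical.

```python
import ftplib
import hashlib
import hmac
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate is not the one recorded earlier."""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize_pin(pin):
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_bytes, pinned_fingerprint):
    """Constant-time comparison of the certificate against the recorded pin."""
    return hmac.compare_digest(cert_fingerprint(der_bytes),
                               normalize_pin(pinned_fingerprint))


def open_pinned_ftps(host, pinned_fingerprint, user, password, timeout=10):
    """Open an explicit-FTPS session, logging in only if the pin matches."""
    # A self-signed certificate cannot pass CA chain validation, so chain and
    # host name checks are switched off and replaced by the fingerprint check.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    ftps = ftplib.FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, 21)
    try:
        ftps.auth()  # explicit FTPS: AUTH TLS on the control connection
        der = ftps.sock.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned_fingerprint):
            raise PinMismatch("relay certificate does not match the recorded fingerprint")
        ftps.login(user, password)  # credentials are sent only after the pin check
        ftps.prot_p()               # protect the data connection as well
    except Exception:
        ftps.close()
        raise
    return ftps
```

If the relay regenerates its certificate, the recorded fingerprint has to be updated through the same manual verification that established it.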
3.4.2 Encryption algorithms
TLS connections are encrypted with either AES 256 or AES 128. At start-up a
negotiation decides between these two options.

A SHA 256 hashed representation of the passwords is stored in the protection
relay. The hashes are not accessible from outside via any ports. No passwords are
stored in clear text within the protection relay.