
MicroSCADA Pro SYS 600 9.3
Cyber Security Deployment Guideline
1MRS756796

Contents

1 Introduction
  1.1 This manual
  1.2 Use of symbols
  1.3 Document conventions
  1.4 Document revisions
2 General
  2.1 Definitions and Abbreviations
  2.2 Reference Documents
3 Introduction to SCADA Security
4 Configuring network
  4.1 Virtual Private Network (VPN)
      Use cases
  4.2 Network Devices
5 Configuring security settings for Windows operating system / SYS 600 Server
  5.1 BIOS settings
  5.2 Removing unused programs
  5.3 Disabled system services
  5.4 Windows Updates
      Patch management
  5.5 Virus scanner
      Patch management
  5.6 Disabling devices
  5.7 User Account Control (UAC)
  5.8 OPC
  5.9 SNMP – Simple Network Management Protocol
  5.10 Security policies
  5.11 Firewall (ports and services)
  5.12 Windows user account for SYS 600 system
  5.13 Protecting SYS 600 system configuration settings
  5.14 Backing up and restoring
      Taking backup
      Restoring backup
6 Configuring security settings for SYS 600 Workplaces
  6.1 Configuring Windows user accounts between a server and a workplace
  6.2 Enabling workstation calls from the server
  6.3 Configuring workstation in a hot-standby (HSB) system
      OpenRemoteDesktop program
  6.4 Automatic logon feature
  6.5 X Windows technology
7 Configuring security features in SYS 600
  7.1 User account management
  7.2 Authorization / user account permissions
  7.3 Password policies
  7.4 Resetting administrator password
  7.5 User session time-out
  7.6 Logging of user activities
  7.7 Backdoors
8 APPENDIX: Ports and services
9 APPENDIX: Windows system services
10 APPENDIX: Security policies
  10.1 Security policies
11 APPENDIX: Deploying security settings to SYS 600 Server/Workplace
  11.1 Rollback
  11.2 Virtual Private Network
      Create IPSec Policy
      Build a Filter List from SYS600 to NCC
      Configure a Rule for the communication
  11.3 SYS 600 Server
  11.4 SYS 600 Workplace


Copyright
The information in this document is subject to change without notice
and should not be construed as a commitment by ABB. ABB assumes
no responsibility for any errors that may appear in this document.
In no event shall ABB be liable for direct, indirect, special, incidental or
consequential damages of any nature or kind arising from the use of this
document, nor shall ABB be liable for incidental or consequential
damages arising from use of any software or hardware described in this
document.
This document and parts thereof must not be reproduced or copied
without written permission from ABB, and the contents thereof must
not be imparted to a third party, nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under
a license and may be used, copied, or disclosed only in accordance with
the terms of such license.
Copyright © 2010 by ABB
All rights reserved.
Trademarks
ABB is a registered trademark of ABB Group. All other brand or
product names mentioned in this document may be trademarks or
registered trademarks of their respective holders.
Guarantee
Please inquire about the terms of guarantee from your nearest ABB
representative.


1 Introduction
1.1 This manual
This document is a security guide for MicroSCADA Pro Control System SYS
600 versions 9.2 and 9.3 (hereafter SYS 600).

1.2 Use of symbols

This publication includes warning, caution, and information icons that point out safety related conditions or other important information. It also includes tip icons to point out useful information to the reader. The corresponding icons should be interpreted as follows:

The caution icon indicates important information or warning related to the concept discussed in the text. It might indicate the presence of a hazard which could result in corruption of software or damage to equipment or property.

The information icon alerts the reader to relevant facts and conditions.

Although warning hazards are related to personal injury, and caution hazards
are associated with equipment or property damage, it should be understood
that operation of damaged equipment could, under certain operational
conditions, result in degraded process performance leading to personal injury
or death. Therefore, comply fully with all warning and caution notices.

1.3 Document conventions

The following conventions are used for the presentation of material:
• The words in names of screen elements (for example, the title in the title
bar of a dialog, the label for a field of a dialog box) are initially
capitalized.
• Capital letters are used for the name of a keyboard key if it is labeled on
the keyboard. For example, press the CTRL key. Enter key is an
exception, e.g. press Enter.
• Lowercase letters are used for the name of a keyboard key that is not
labeled on the keyboard. For example, the space bar, comma key and so
on.
• Press CTRL+C indicates that you must hold down the CTRL key while
pressing the C key (to copy a selected object in this case).
• Press ESC E C indicates that you press and release each key in sequence
(to copy a selected object in this case).


• The names of push and toggle buttons are boldfaced. For example, click
OK.
• The names of menus and menu commands are boldfaced. For example,
the File menu.
• The following convention is used for menu operations: Menu Name >
Menu Command > Cascaded Menu Command. For example, select
File > Open > New Project.
• The Start menu name always refers to the Start menu on the Windows
Task Bar.
• System prompts/messages and user responses/input are shown in the
Courier font. For example, if you enter a value out of range, the following
message is displayed:
Entered value is not valid. The value must be 0 to 30.
You may be told to enter the string MIF349 in a field. The string is shown as
follows in the procedure:
MIF349
• Variables are shown using lowercase letters: sequence name

1.4 Document revisions

Version  Revision number  Date       History
A        9.3              31.3.2010  New document


2 General
This document is a security guide for MicroSCADA Pro Control System SYS
600 versions 9.2 and 9.3 (hereafter SYS 600). The guide is intended for
software and project engineers and system verification testers, who are
expected to have general familiarity with topics in the following areas:
• PCs, servers, and Windows operating systems
• Networking including TCP/IP and concept of ports
• Firewalls
• Anti-virus
• Passwords
• Remote and secure communication

Operating systems (with the latest service packs) covered in this document are:

• Windows 7
• Windows Server 2008
• Windows XP Professional or
• Windows Server 2003 Standard Edition

The guide assumes that in SYS 600 servers:

• Automatic Updates is disabled
• An uninterruptible power supply (UPS) is not controlled by the server
• Wireless network configuration is not used
• There are printers connected to the server

This guide assumes that in SYS 600 workplaces:

• Automatic Updates is disabled
• Wireless network configuration is not used
• There are printers connected to the workplace

However, the guide does not specify the network configuration (forests,
domains, organizational units (OU)) where the SYS 600 system is installed.
There are several ways to deploy security settings to machines, e.g. by using
the secedit command-line tool, the Security Configuration Wizard (SCW), or
Group Policy Objects (GPO). This guide gives instructions on how to deploy
security settings to servers and workplaces using the secedit tool.

Chapter 2 (this chapter) gives general information, assumptions, and the operating system and SYS 600 versions this guide covers. Chapter 3 is an introduction to SCADA security. The system is hardened by configuring the network, uninstalling irrelevant software, disabling Windows system services, configuring the firewall settings and applying security policies. Configuring the network is discussed in Chapter 4. Security settings in this document are divided into the following categories:
• General security settings in Windows servers (Chapter 5)
• Security settings in SYS 600 servers (Chapter 5)
• Security settings in SYS 600 workplaces (Chapter 6)
• Security features available in SYS 600 (Chapter 7)

There are security settings which are automatically configured in the product
and those which need to be configured manually. By default, the SYS 600
installation configures Windows security settings for DCOM security settings
only. An administrator user account is also created during installation and a
password is prompted for the MicroSCADA user. Since this is an
administrator user account, it is the responsibility of the system administrator
to choose a valid and secure password for this account; see Windows user
account for SYS 600 system.

Other Windows server security settings such as the firewall, security policies and disabling Windows system services are not automatically configured during the SYS 600 installation. This is due to the fact that the SYS 600 installation may conflict with existing security settings on some computers where it is not allowed to modify these. To apply security settings after the SYS 600 installation, read and apply the settings starting from Chapter 4. The script files are located in the SYS 600 installation folder sc\setup\security. Detailed instructions for applying the security settings to SYS 600 servers are given in Chapter 11.
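The following batch file is an added example written for this page; it is not one of the ABB scripts shipped in sc\setup\security. It shows the secedit workflow the text refers to: export the current local policy as a rollback snapshot (the subject of section 11.1), write a small template, analyze it against the live settings, and then configure. The template is constructed for the example: the 15-character minimum follows the MicroSCADA account remark in Table 1 and [MSPASS09], the autorun value corresponds to the "Disabling autorun functionality" row, and the directory, file names and the remaining values are assumptions.

```batch
@echo off
rem Added example, not an ABB script from sc\setup\security.
rem Deploys a local security template with secedit, keeping a rollback
rem snapshot of the current settings first. Paths and values are assumptions.
setlocal
set WORKDIR=%SystemRoot%\security\sys600-example
set TEMPLATE=%WORKDIR%\sys600-example.inf
set DB=%WORKDIR%\sys600-example.sdb
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem 1. Snapshot the current local policy; this file is the rollback input.
secedit /export /cfg "%WORKDIR%\rollback.inf" /log "%WORKDIR%\export.log" /quiet
if errorlevel 1 (
  echo Export of current settings failed, see "%WORKDIR%\export.log"
  exit /b 1
)

rem 2. Write the template (constructed for this example). Values:
rem    - 15-character minimum: MicroSCADA account remark in Table 1, [MSPASS09]
rem    - NoLMHash=1: stop storing the weak LM hash of local passwords
rem    - NoDriveTypeAutoRun=255: disable autorun on every drive type
rem    - [Event Audit] value 3 = audit success and failure
(
echo [Unicode]
echo Unicode=yes
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo MinimumPasswordLength = 15
echo PasswordComplexity = 1
echo PasswordHistorySize = 24
echo LockoutBadCount = 5
echo ResetLockoutCount = 30
echo LockoutDuration = 30
echo [Event Audit]
echo AuditLogonEvents = 3
echo AuditAccountLogon = 3
echo AuditAccountManage = 3
echo AuditPolicyChange = 3
echo AuditSystemEvents = 3
echo [Registry Values]
echo MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255
) > "%TEMPLATE%"

rem 3. Dry run: compare the template with the live settings; nothing changes yet.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%WORKDIR%\analyze.log" /quiet
echo Review "%WORKDIR%\analyze.log" for mismatches before applying.

rem 4. Apply. /overwrite discards earlier template data in the database so the
rem    result is exactly this template, not a merge with an older one.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%WORKDIR%\configure.log" /quiet
if errorlevel 1 (
  echo Configure failed, see "%WORKDIR%\configure.log"
  exit /b 1
)
echo Settings applied. Roll back with:
echo   secedit /configure /db "%WORKDIR%\rollback.sdb" /cfg "%WORKDIR%\rollback.inf" /overwrite /quiet
endlocal
```

Run it from an elevated command prompt on the server or workplace, and keep the exported rollback.inf with the project documentation. The rollback re-applies only the areas secedit manages (account and audit policy, user rights, the registry values and service settings listed in a template), so anything changed outside those areas, for example devices disabled in Device Manager, is not reverted by it. If the machine is a domain member after all, domain policy overrides the local values at the next policy refresh.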

There is a general security guide for control systems and operating systems on the ABB website [ABBSEC09]. Microsoft also has security guides for different operating systems [MSSEC09].

SYS 600 Compact (SYS 600C) includes both SYS 600 and Windows
server-specific security settings by default. However, it is the
responsibility of the project engineer to open TCP/UDP ports for
different communication protocols such as DNP or ELCOM.

Table 1 – Deployment of security features in SYS 600 product

X = automatically configured in the product, S = semi-automatic configuration using batch files, M/empty = to be configured e.g. manually, N = not installed / services disabled

Security feature                          | SYS 600 installation package | SYS 600C | > SYS 600 9.3 | Remarks
------------------------------------------+------------------------------+----------+---------------+-----------------------------------------------------
MicroSCADA user account                   | X                            | X        | X             | Automatically created during the SYS 600 installation. Password should be longer than 15 characters.
OPC/DCOM settings                         | X                            | X        | X             | Automatically configured during the SYS 600 installation.
Firewall settings (ports and services)    |                              | X        | S/M           | Enable ports for different communication protocols according to customer specifications.
Virtual Private Network (VPN)             |                              | X        |               |
BIOS settings                             |                              | X        |               | Manual configuration
Removing unused programs                  |                              | X        | S/M           | Manual configuration
Disabled system services                  |                              | X        | S             |
SNMP                                      | N                            | N        | N             |
Windows Server security policies          |                              | X        | S             |
Windows Update                            | N                            | N        | N             |
User Account Control (UAC)                |                              | X        | S             |
Virus scanner                             | N                            | N        | N             | Manual configuration
Disabling devices:                        |                              |          |               |
  DVD/CD-ROM drives                       |                              | X        | S             | Manual configuration
  USB Mass Storage                        |                              | X        | S             | Manual configuration
  Serial port                             |                              | X        |               | Manual configuration
  Floppy disk controller                  |                              | X        |               | Manual configuration
  Sound, video controller                 |                              | X        |               | Manual configuration
  Disabling autorun functionality         |                              | X        | S             |
Backing up and restoring                  |                              |          |               | Manual configuration
SYS 600 user management and authorization |                              | X        |               | Manual configuration

2.1 Definitions and Abbreviations

Table 2 – Terminology

Term     Description
DCOM     Distributed Component Object Model
NCC      Network Control Center
OPC      OLE for Process Control
SCADA    Supervisory Control and Data Acquisition
SCW      Security Configuration Wizard
SSLF     Specialized Security-Limited Functionality
SYS 600  MicroSCADA Pro Control System SYS 600
TCP/IP   Transmission Control Protocol/Internet Protocol
WSUS     Windows Server Update Services

2.2 Reference Documents

Table 3 – References

[ABBSEC09]  ABB Security – Control Systems, http://www.abb.com/product/ap/seitp334/2a8e4e5e365d17ccc1256fd800521dab.aspx (20090408), ABB.
[MSANA09]   Microsoft Baseline Security Analyzer, http://technet.microsoft.com/security/cc184924(en-us).aspx (20090408), Microsoft.
[MSDCOM04]  How To Restrict TCP/IP Ports on Windows 2000 and Windows XP, http://support.microsoft.com/kb/300083, Microsoft.
[MSPASS09]  Recommendation for password length, http://support.microsoft.com/default.aspx?scid=kb;en-us;299656, Microsoft.
[MSSEC09]   Windows OS Security Guides, http://www.microsoft.com (20090408), Microsoft. Search for Security Guide and refine your search by giving a specific OS name, e.g. Windows Server 2008.
[MSTHRE05]  Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP, version 2.0, http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en, Microsoft.
[MSUPD]     Windows Update, http://www.microsoft.com/windows/downloads/windowsupdate/overview.mspx, Microsoft.
[MSWS03]    Windows Server 2003 Security Compliance Management Toolkit, http://technet.microsoft.com/en-us/library/cc163140.aspx, Microsoft.
[SYSAPL09]  1MRS756637, version A, SYS 600 Application Design manual, ABB.
[SYSCON09]  1MRS756646, version A, SYS 600 System Configuration manual, ABB.
[SYSINS09]  1MRS756634, version A, SYS 600 Installation and Administration manual, ABB.
[WSUS]      Windows Server Update Services, http://technet.microsoft.com/en-us/wsus/default.aspx, Microsoft.
[SYSCUG]    SYS 600C Users Guide, ABB.
[SYSPORTS]  Version A, MicroSCADA Pro Security Guide – Ports and Services Rev A.xlsx, ABB.
[UAC]       What are User Account Control settings?, http://windows.microsoft.com/en-us/windows7/What-are-User-Account-Control-settings, Microsoft.


3 Introduction to SCADA Security

The following excerpt is taken from Supervisory Control and Data Acquisition (SCADA) Systems, NATIONAL COMMUNICATIONS SYSTEM, October 2004, www.ncs.gov.

In today’s corporate environment, internal networks are used for all corporate communications, including SCADA. SCADA systems are therefore vulnerable to many of the same threats as any TCP/IP-based system.

Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level. SCADA computers logging data out to some back-office database repositories must be on the same physical network as the back-end database systems, or have a path to access these database systems. This means that there is a path back to the SCADA systems and eventually the end devices through their corporate network. Once the corporate network is compromised, then any IP-based device or computer system can be accessed. These connections are open 24x7 to allow full-time logging, which provides an opportunity to attack the SCADA host system with any of the following attacks:

• Use a Denial of Service (DoS) attack to crash the SCADA server, leading
to a shutdown condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of
Operations)
• Plant a Trojan and take complete control of system (Gain complete control
of system and be able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords
(Preparation for future take down)
• Log any company-sensitive operational data for personal or competition
usage (Loss of Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is
out of control and must be shut down (Downtime and Loss of Corporate
Data)
• Modify any logged data in remote database system (Loss of Corporate
Data)
• Use SCADA Server as a launching point to defame and compromise other
system components within corporate network.

For a company to protect its infrastructure, it should undertake the development of a security strategy that includes specific steps to protect any SCADA system. Such a strategy may include the following approach.

Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the corporate network and SCADA architectures including firewalls, proxy servers, operating systems, application system layers, communications, and policy and procedures. Strategies for SCADA Security should complement the security measures implemented to keep the corporate network secure.

The figure below illustrates the typical corporate network “ring of defenses”
and its relationship with the SCADA network. Successful attacks can originate
from either Internet paths through the corporate network to the SCADA
network, or from internal attacks from within the corporate office.
Alternatively, attacks can originate from within the SCADA network from
either upstream (applications) or downstream (RTUs) paths. What is an
appropriate configuration for one installation may not be cost-effective for
another. Flexibility and the employment of an integrated and coordinated set
of layers are critical in the design of a security approach.

Figure 1 – Relationship Between Corporate and SCADA Networks

Most corporate networks employ a number of security countermeasures to protect their networks. Some of these and a brief description of their functions are as follows:

• Border Router and Firewalls: Firewalls, properly configured and coordinated, can protect passwords, IP addresses, files and more. However, without a hardened operating system, hackers can directly penetrate private internal networks or create a Denial of Service condition.
• Proxy Servers: A Proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet. They are critical to re-creating TCP/IP packets before passing them on to, or from, application layer resources such as Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the employment of proxy servers will not eliminate the threat of application layer attacks.
• Operating Systems: Operating systems can be compromised, even with proper patching, to allow network entry as soon as the network is activated. This is due to the fact that operating systems are the core of every computer system and their design and operating characteristics are well-known worldwide. As a result, operating systems are a prime target for hackers. Further, in-place operating system upgrades are less efficient and secure than design-level migration to new and improved operating systems.
• Applications: Application layer attacks, i.e., buffer overruns, worms, Trojan horse programs and malicious ActiveX code, can incapacitate anti-virus software and bypass the firewall as if it wasn’t even there.
• Policies and Procedures: Policies and procedures constitute the foundation of security policy infrastructures. They include requiring users to select secure passwords that are not based on a dictionary word and contain at least one symbol, capital letter, and number, and should be over eight characters long. Users should not be allowed to use the name of their spouse, child or pet as their password.

The above list is common to all entities that have corporate networks. SCADA
systems for the most part coexist on the same corporate network, as seen in the
figure above. The following list suggests ways to help protect the SCADA
network in conjunction with the corporate network:

• SCADA Firewalls: SCADA Systems and Industrial Automation Networks, like corporate network operating systems, can be compromised using similar hacking methods. SCADA systems frequently go down due to other internal software tools or employees who gain access to the SCADA systems, often without any intention to take down these systems. For these reasons, it is suggested that strong firewall protection to wall off your SCADA networking systems from both the internal corporate network and the Internet be implemented. This would provide at least two layers of firewalls between the SCADA networking systems and the Internet.
• SCADA Internal Network Design: SCADA networks should be segmented off into their own IP segment using smart switches and proper sub-masking techniques to protect the Industrial Automation environment from the other network traffic, such as file and print commands. Facilities using Wireless Ethernet should use sufficient encryption, e.g. WPA or WPA2.
• SCADA Server Operating Systems: Merely installing a firewall or segmenting SCADA IP addresses will not ensure their SCADA Infrastructure is secure. An experienced hacker can often bypass firewalls with ease and can even use Address Resolution Protocol (ARP) trap utilities to steal Media Access Control (MAC) addresses. The hacker can also deploy IP spoofing techniques to maneuver through switched networks. Operating systems running the SCADA applications must also be maintained. SCADA applications on Windows NT, 2000, or XP must be properly patched against the latest vulnerabilities, and all of the default NULL NT accounts and administrator accounts removed or renamed. SCADA applications running on UNIX, Linux, Novell, or any other operating system (OS), must also be maintained as above. All operating systems have back doors and default access accounts that should be removed and cleaned off of these SCADA servers.
• SCADA Applications: One must also address security within the SCADA application itself. Trojan horses and worms can be inserted to attack application systems, and they can be used to manipulate data or issue commands on the server. There have even been cases of Trojan horses being deployed that completely emulate the application. The operator or user thinks that he is clicking on a command to stop a pump or generate a graph of the plant, but he is actually clicking on buttons disguised to look like the SCADA screen, and these buttons start batch files that delete the entire hard drive, or send out pre-derived packets on the SCADA system that turn all outputs to the ON or “1” state. Trojan horses and viruses can also be planted through an email opened by another computer in the network, and then it is silently copied over to adjacent SCADA servers, where they wait until a specified time to run. Plant control rooms will often have corporate computers with the Internet and email active on them, within the same physical room and on the same network switches as SCADA computers. Methodologies to mitigate these types of situations are: the use of anti-virus software running on the computer where the SCADA application resides; systems administrators disabling installation of any unauthorized software unless the user has administrator access; and policies and procedures applicable to SCADA systems.
• SCADA Policies and Procedures: SCADA policies and procedures associated with remote vendor and supervisory access, password management, etc. can significantly impact the vulnerabilities of the SCADA facilities within the SCADA network. Properly developed policies and procedures that are enforced will greatly improve the security posture of the SCADA system.

In summary, these multiple “rings of defense” must be configured in a complementary and organized manner, and the planning process should involve a cross-discipline team with senior staff support from operations, facility engineering, and information technology (IT). The SCADA security team should first analyze the current risks and threat at each of the rings of defense, and then initiate a work plan and project to reduce the security risk.

For more information, see [ABBSEC09].


4 Configuring network

Each host in a TCP/IP network has a unique identifier, called an IP address. An IPv4 address is composed of four numbers in the range from 0 to 255, separated with dots, e.g. 192.168.0.1. Because every computer on an IP network must have a unique IP address, careful planning of IP addresses throughout the whole system is important. Reserve address space for future needs when planning large networks. A host can have multiple IP addresses, as shown in Figure 2.

ABB does not recommend the use of domains and wireless networks in a SYS 600 system due to the high reliability and security that is required of the control system. A domain controller being out of service might jeopardize the stability of the control system. Therefore, static IP addressing should be used in a SYS 600 system; see http://technet.microsoft.com/en-us/library/cc754203(WS.10).aspx and also the Host names section of the SYS 600 Installation and Administration manual [SYSINS09] for more information.

Figure 2 – An example of SYS 600 with NCC connection

4.1 Virtual Private Network (VPN)

This guideline considers the IP communication between SYS 600 and the Network Control Center (NCC) / Regional Control Center (RCC) via a dedicated wide area link that is not exposed to public access. The use case is to protect the dedicated link against man-in-the-middle attacks by guaranteeing confidentiality, integrity, and authentication via IPSec, using pre-shared key authentication.

The IPSec configuration must be done on all machines that should communicate with each other by IPSec. The configuration is shown in section 11.2.

IPSec encryption is a CPU consuming activity that can affect the maximum throughput and the CPU utilization. To determine the effect of IPSec encryption on data throughput and CPU consumption, it is important to verify this with tests.

Use cases
NCC Communication
This use case features the IP communication between SYS600 and the NCC
via a dedicated wide area link, which can be a glass fiber optics
communication link, a microwave radio link, or a leased line that is not
exposed to public access. The use case is to protect the dedicated link against
man-in-the-middle attacks by guaranteeing confidentiality, authenticity, and
authentication. The use of IPSec/VPN technology ensures that the transmitted
data is not readable to eavesdroppers and resists man-in-the-middle data
corruption. In addition, both SYS600 and NCC can authenticate using pre-
shared keys before establishing the communication link.

Figure 3 – NCC communication. The figure shows SYS600 (IP 10.10.11.10, mask 255.255.0.0) and the NCC Windows system (IP 10.10.10.10, mask 255.255.0.0) as the two VPN endpoints of an IPSec connection across the intranet, with the Windows Firewall at the endpoint.


Figure 3 visualizes a possible setup for the use case. The VPN connections are illustrated as blue tubes, and multiple SYS 600 devices are connected to the NCC system via the operator’s internal IP network.

If no network address translation (NAT) is used between SYS 600 and NCC, IPSec can be run in transport mode, which protects the payload of each IP packet but leaves the original IP header intact, so no additional tunnel header is added and the per-packet overhead stays lower than in tunnel mode.

Maintenance Access via Remote Desktop Protocol (RDP)

An alternative way to access SYS 600 is the Remote Desktop Protocol
(RDP). RDP provides the graphical interface of SYS 600 on another computer,
i.e., the maintenance device. RDP access should be restricted to Intranet
access only. RDP uses encryption to protect all transmitted data, starting with
Windows XP Service Pack 2. Authentication is by conventional Windows user
login, so the strength of this access path is the strength of the Windows
account and password used for it.

Figure 4 – RDP Maintenance Access via VPN


Note that the firewall must accept incoming RDP connections, and the
maintenance device connected to the VPN must be able to access SYS 600's
RDP port. As SYS 600 has access to the station bus, a service engineer
connected to SYS 600's desktop can also reach the station bus from there;
RDP access therefore has to be limited to the maintenance devices and users
that actually need it.


HSB communication
Another use case affects communication between a master SYS 600 device
and its redundant hot-standby-system via a wide area network connection. This
link should be protected against man-in-the-middle attacks by guaranteeing
confidentiality, authenticity, and authentication. This use case is comparable to
NCC communication.

Figure 5 – SYS600 to SYS600 communication

See section 11.2 Virtual Private Network to configure VPN.
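A transport-mode IPSec rule with pre-shared key authentication for the NCC and
HSB use cases above, as an added example that is not part of this guideline or
of the SYS 600 product: it uses netsh advfirewall (Windows Vista, 7, 2008 and
later) with the addresses from Figure 3. The key file path, the rule name, the
minimum key length and the ESP proposal (AES-128 with SHA-1 integrity) are
assumptions for the example; section 11.2 remains the reference configuration.

```powershell
# Added example, not from the ABB guideline. Transport-mode IPsec between a
# SYS 600 server and the NCC system (addresses from Figure 3), pre-shared key
# authentication. Run in an elevated PowerShell on the SYS 600 server; run the
# same script on the NCC side with $Local and $Remote swapped. The rule only
# takes effect once both peers carry matching rules and the same key.

$Local    = '10.10.11.10'        # SYS 600 (Figure 3)
$Remote   = '10.10.10.10'        # NCC Windows system (Figure 3)
$RuleName = 'SYS600-NCC-IPsec'

# The PSK is read from a file with restricted ACLs rather than being typed into
# the script (hypothetical path). Use a long random value, not a passphrase.
$Psk = (Get-Content -Path 'C:\secure\ncc-psk.txt' -TotalCount 1).Trim()
if ($Psk.Length -lt 32) { throw 'PSK too short: use at least 32 random characters' }

# Delete any rule of the same name so the script can be re-run safely.
netsh advfirewall consec delete rule name="$RuleName" | Out-Null

# requireinrequireout: cleartext is accepted in neither direction between the
# two endpoints. qmsecmethods requests ESP with both integrity and encryption;
# without it the Windows default quick-mode proposal is integrity only.
netsh advfirewall consec add rule `
    name="$RuleName" `
    endpoint1="$Local" endpoint2="$Remote" `
    action=requireinrequireout `
    mode=transport `
    auth1=computerpsk auth1psk="$Psk" `
    qmsecmethods="esp:sha1-aes128" `
    profile=any
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Check 1: the rule shows RequireInRequireOut, Transport and ESP:SHA1-AES128.
netsh advfirewall consec show rule name="$RuleName" verbose

# Check 2: after traffic has been exchanged with the peer (e.g. on the ACP
# ports 21845/21846), a main-mode and a quick-mode SA exist for the pair.
netsh advfirewall monitor show mmsa "$Local" "$Remote"
netsh advfirewall monitor show qmsa "$Local" "$Remote"
```

The pre-shared key passes through the netsh command line and is stored in the
local policy, so it is readable by any local administrator; certificate or
Kerberos authentication avoids that, but pre-shared keys are what this use case
specifies. If the second check shows no security association while traffic
flows, the rule is not matching and the link is running in cleartext.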

4.2 Network Devices

Network devices such as switches, routers, firewalls, intrusion detection
systems, modems, and wireless devices are not part of this security guide.
From a security point of view, the following should be enabled on these
devices:
• Logging
• Patches / Updates
• Backup / Recovery

For more information, see the device manuals.


5 Configuring security settings for Windows operating system / SYS 600 Server

Windows servers are protected with firewalls, security policies, Windows
Updates, and virus scanners. To reduce the attack surface of servers, programs
and services that are not used can also be uninstalled or disabled. See Table 1
to check which security features are configured automatically for SYS 600.
Some SYS 600 versions need manual configuration.

The sections below use the statements "This has to be configured manually"
and "This is configured automatically". The first statement means that the
security setting has to be configured by hand. The latter means that there is
a script file that automates the configuration process. This process is
described in APPENDIX: Deploying security settings to SYS 600.

5.1 BIOS settings

The following settings must be applied:
• Administrator password is enabled
• Remote wake-up is disabled

This has to be configured manually.

5.2 Removing unused programs

The following software is not used by SYS 600 and can be manually removed
from Windows Control Panel > Add/Remove Programs > Add/Remove
Windows Components.

Windows Component       Added / Removed
Outlook Express         Manually removed
Messenger               Manually removed
MSN Explorer            Manually removed
Windows Media Player    Manually removed
Games (Windows XP)      Manually removed

This has to be configured manually.

5.3 Disabled system services

Enabled and disabled system services are listed in APPENDIX: Windows
system services.

This is configured automatically using script files.

5.4 Windows Updates

Before installing SYS 600 and delivering the system to the customer, all
computers and operating systems should be patched using the latest Windows
updates. SYS 600 Workplaces should have Windows Updates enabled.

This has to be configured manually.

Patch management
The compatibility of the latest Windows service packs with SYS 600 is tested
in the system verification center at the time of the product release. After the
system is running, only security related patches should be installed on servers.
If a security patch affects software which is not used or installed on the
server, the patch should not be installed.

A dedicated server, Microsoft Windows Server Update Services (WSUS), can
be used for Windows Updates. Windows Updates requires the following
system services to be enabled: BITS and Automatic Updates. For more
detailed information, see [WSUS] and [MSUPD].

5.5 Virus scanner

Whenever it cannot be guaranteed that no unknown software is executed on a
machine (e.g., because removable devices or USB ports are enabled), the use of
anti-virus software is highly recommended on servers and workstations.

Virus scanners distinguish between on-access scanning (only files that are
currently requested to load are checked) and on-demand scanning (all files are
checked during a scheduled scan). Minimum requirements for the virus
scanner are on-demand scanning and virus definition updating features.

On-access virus scanners on servers are a trade-off between security and
performance. We recommend testing the performance of the system with
normal virus scanner settings. If the performance is not acceptable, it can be
improved with various settings available in some virus scanner programs, such
as excluding certain directories or files (those that are frequently used) from
on-access scanning. For example, event logs, databases and some custom file
types which are accessed continuously should be put in the exception list; i.e.,
those files are not on-access scanned. Every exclusion is a place where
malicious code can rest unnoticed, so excluded paths must still be covered by
the on-demand scan and the list should be kept as short as possible.


Various settings available in virus scanner programs for enhancing
performance are shown below.

• Windows operating system directories should not be excluded
• Some virus scanner programs may not have the settings shown below

CPU Utilization
• Restrict CPU Utilization to 20%
• After modifying this setting it is recommended to run the on-demand scan
to local disks once to ensure that it finishes within an acceptable amount
of time.
• Disable virus scanner during SYS 600 product or service pack installation

On-access scanning
• Scan only local disks, network scan is disabled (when each machine has
its own virus scanner). Disable email scans. Excluded directories:
o These directories are frequently used in SYS 600 Server
o SYS 600: <drive>\sc\apl\*.* (including subdirectories), if this does
not work then exclude the whole sc directory
o DMS 600: <drive>\DMS600\*.*
• Excluded files:
o Archive files such as .cab, .rar, and .zip
• Other settings
o Enable buffer overflow protection
o Enable access protection
o Enable script scan

On-demand scanning
• Initiated periodically or manually
• Initiated manually if the system owner has found virus infected files on
other computers in the enterprise e.g. in the office network or on
maintenance laptops or the like
• Scan only local disks, network scan is disabled (when each machine has
its own virus scanner)
• Scanning should be done when normal system activity is low
• All items excluded in on-access scanning should be included in the scan

Handling of infected files

• Try to clean automatically first
• If cleaning fails, manual action is required
• Reporting
  o Maintenance personnel should check virus scanner log files on each
    site visit. In case of virus detection, the issue must be escalated to
    the responsible personnel.
  o There are several methods to report virus detection, such as email,
    printout to a printer, sending to a computer's syslog, launching a
    program locally (e.g. a SCIL program or VB script), or sending an
    SNMP Trap to one or more computers. Sending an SNMP Trap is the
    preferred method.

Scan engine and virus definition updates

• It is recommended that scan engines and virus definitions are updated
automatically. However, enabling this feature on all machines connected
to the automation system network is not a recommended practice. For a
more secure and reliable deployment of virus definitions, a central
management (e.g. F-Secure Policy Manager or McAfee® ePolicy
Orchestrator) and update deployment host can be set up on a corporate
intranet. This allows a system administrator to have control over when
updates are made. Note that a direct Internet connection should only be
allowed for the time everything is downloaded; the connection is closed
after downloading is finished. General guidelines are provided in
[ABBSEC09, IS Security Considerations for Automation Systems].
• If redundant servers exist, it is recommended to update these servers a few
hours later than the primary server (e.g. four hours) to reduce the risks if
the update process does not succeed in the primary server.
• New virus definition files should be taken into use immediately
• Note! Some scan engine updates may override current scan settings. In
possible problem situations, this should be checked.

This has to be configured manually.

Patch management
It is recommended to update scan engine and virus definition files regularly,
e.g. every three months. Verify that the settings introduced above are
preserved and the performance and functionality of the system is acceptable
after updates.

Theoretically, a new virus definition file could arrive that could compromise
the proper functionality of the system. Testing the system against every new
virus definition file is obviously not feasible. Therefore, we recommend full
system backup before updating virus definition files.

5.6 Disabling devices

On any type of server it is good practice to disable the devices that are not
used. This may include USB ports, CD/DVD drives, communication ports, and
floppy disk controllers.

This has to be configured manually.

Click Start > Settings > Control Panel > Administrative Tools > Computer
Management > Device Manager and look for the devices to be disabled.

The following figures show the disabling of the DVD/CD-ROM drive, the floppy
disk controller, the serial port and the USB mass storage device; sound,
video and game controllers can be disabled in the same way.

Do not disable a device if it will be used, e.g. for USB license keys, alarm
sounds, or software installations.

Figure 6 – Disabling DVD/CD-ROM


Figure 7 – Disabling Floppy disk controller


Figure 8 – Disabling Serial port


Figure 9 – Disabling USB Mass Storage Device, see also
http://support.microsoft.com/kb/823732.

Disabling autorun functionality

Whenever disabling of devices is not possible, it is good practice to disable
the autorun functionality of the device. In order to prevent the automatic start
of malicious code contained in a removable device, autorun functionality must
be turned off. For more information, see How to disable the Autorun
functionality in Windows, http://support.microsoft.com/kb/967715/en-us.

This is configured automatically using script files.
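The two registry settings behind the USB mass storage and autorun steps above,
with a check that reports the resulting state, as an added example that is not
part of this guideline or of the SYS 600 script files. The values are the ones
given in the two Microsoft articles referenced above (USBSTOR Start = 4 from
KB 823732, NoDriveTypeAutoRun = 0xFF from KB 967715); the function names are
assumptions for the example.

```powershell
# Added example, not from the ABB guideline. Disables the USB storage driver and
# Autorun through the registry and reports the current state. Run in an elevated
# PowerShell. Do not apply the USB part on servers that need USB license keys.

$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-UsbStorage {
    # Start = 4 (SERVICE_DISABLED): the USBSTOR driver is no longer loaded for
    # newly attached devices (KB 823732). The article additionally recommends
    # denying write access to usbstor.sys/usbstor.inf so that plugging in a
    # device cannot re-install the driver; that ACL step is not done here.
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
}

function Disable-Autorun {
    # 0xFF disables Autorun for all drive types (KB 967715).
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    Set-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-RemovableMediaHardening {
    # Returns a hashtable so the state can be checked in a script or logged
    # during a site visit instead of being inspected by hand in regedit.
    $start = (Get-ItemProperty -Path $UsbStor -Name Start).Start
    $auto  = $null
    if (Test-Path $Policy) {
        $auto = (Get-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    @{
        UsbStorageDisabled = ($start -eq 4)
        AutorunDisabled    = ($auto -eq 0xFF)
    }
}

Disable-UsbStorage
Disable-Autorun
$state = Test-RemovableMediaHardening
if (-not ($state.UsbStorageDisabled -and $state.AutorunDisabled)) {
    throw "Hardening incomplete: $($state | Out-String)"
}
$state
```

Test-RemovableMediaHardening can be run on its own, without the two Disable
calls, to audit a server that was hardened by the automatic script files.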

5.7 User Account Control (UAC)

UAC is a security feature in Windows Vista, Windows 7, and Windows 2008
Server. For more information, see [UAC]. UAC should be enabled using its
default settings in SYS 600 Server/Workplace.

This is configured automatically using script files.

5.8 OPC
The use of OPC communication between an OPC client and server requires that
Distributed COM (DCOM) has been configured accordingly in the Windows
operating systems. This includes configuring system-wide DCOM settings and
OPC server specific DCOM settings.

Distributed Component Object Model (DCOM) uses Remote Procedure Call
(RPC) dynamic port allocation. By default, RPC dynamic port allocation
randomly selects port numbers above 1024. You can control which ports RPC
dynamically allocates for incoming communication and then configure your
firewall to confine incoming external communication to only those ports and
port 135 (the RPC Endpoint Mapper port). [MSDCOM04]

DCOM settings include:
• Setting up a mutual user account (MicroSCADA user)
• Configuring system-wide DCOM settings
• Configuring server-specific DCOM settings
• Configuring firewall: DCOM uses TCP port 135, which must be open.
  o Deny all incoming traffic from the Internet to your server.
  o Permit incoming traffic from the OPC clients to TCP port 135 (and UDP
    port 135, if necessary) on your server. Restrict the rule to the
    addresses of the OPC clients rather than to all hosts.
  o Permit incoming traffic from the OPC clients to the TCP ports (and UDP
    ports, if necessary) on your server in the port range.
    1. On the DCOM server, run regedt32 and create the following key:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
    2. Add these values to the created key:

       Name                    Type            Value
       Ports                   REG_MULTI_SZ    5000-5020
       PortsInternetAvailable  REG_SZ          Y
       UseInternetPorts        REG_SZ          Y

       The RPC runtime reads this key at start-up, so the new range is in
       use only after the server has been restarted.

If callbacks are used, permit incoming traffic on all ports where the TCP
connection was initiated by your server.

This has to be configured manually. For more information, see [SYSCON09,
Configuring OPC connectivity].
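The registry values and firewall rules from the DCOM steps above in script
form, as an added example that is not part of this guideline or of the SYS 600
product: it writes the Rpc\Internet key with the range from the table and
opens TCP 135 plus that range for the OPC client network only. The client
network address and the rule names are assumptions for the example; the range
5000-5020 is the guideline's value (Microsoft's RPC guidance suggests a range
of at least 100 ports above 5000, since other services draw from the same
pool, so check the range against the number of DCOM connections on the site).

```powershell
# Added example, not from the ABB guideline. Confines DCOM/RPC to a fixed port
# range and opens only that range and TCP 135 for the OPC clients. Run in an
# elevated PowerShell on the OPC/DCOM server (Vista/7/2008 or later for
# netsh advfirewall). A reboot is required before RPC uses the new range.

$OpcClients = '10.10.11.0/24'    # hosts allowed to call the OPC server (assumed)
$Range      = '5000-5020'        # as in the table above
$RpcKey     = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param([string]$Ports)
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ: one port or range per element.
    Set-ItemProperty -Path $RpcKey -Name Ports -Value @($Ports) -Type MultiString
    Set-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcKey -Name UseInternetPorts -Value 'Y' -Type String
}

function Get-RpcPortRange {
    # Returns the configured ranges, or an empty array if the key is absent.
    if (Test-Path $RpcKey) { @((Get-ItemProperty -Path $RpcKey).Ports) } else { @() }
}

function Add-DcomFirewallRules {
    param([string]$Clients, [string]$Ports)
    foreach ($name in 'DCOM-EPM', 'DCOM-Dynamic') {
        netsh advfirewall firewall delete rule name="$name" | Out-Null
    }
    # Endpoint mapper and dynamic range, inbound, from the OPC clients only.
    netsh advfirewall firewall add rule name="DCOM-EPM" dir=in action=allow `
        protocol=TCP localport=135 remoteip=$Clients
    netsh advfirewall firewall add rule name="DCOM-Dynamic" dir=in action=allow `
        protocol=TCP localport=$Ports remoteip=$Clients
}

Set-RpcPortRange -Ports $Range
Add-DcomFirewallRules -Clients $OpcClients -Ports $Range
"Configured RPC range(s): $((Get-RpcPortRange) -join ', ')"
"Restart the server, then confirm with: netstat -ano | findstr LISTENING"
```

After the restart, the listening RPC endpoints in netstat output should fall
inside the configured range; an OPC server still listening outside it means
the key was not read (typo in the key path or values) and the firewall rule
for the range is silently blocking the real traffic.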


5.9 SNMP – Simple Network Management Protocol

By default, SNMP services are disabled in the SYS 600 server security settings.
In Windows XP, these services must be installed on the computer first. SNMP
version 3 or later should be used. Note that the SNMP Service built into
Windows implements only SNMP v1 and v2c, which authenticate with a cleartext
community string; SNMPv3 requires a third-party agent. If the Windows service
is used anyway, replace the default community strings, set them to read-only,
and restrict the accepted source hosts in the service properties. To begin
using the services, change the startup type of SNMP Service and SNMP Trap
Service to Automatic.

This has to be configured manually.

5.10 Security policies

Security policies are based on predefined SSLF (Specialized Security-Limited
Functionality) security templates from Microsoft [MSSEC09]. These policies
are modified for SYS 600 purposes in servers and workplaces. The templates
are categorized into the following sections:
• Account policies
• Audit policy
• User rights
• Security options
• Event log
• System services

This is configured automatically using script files. See APPENDIX:
Deploying security settings to SYS 600 Server/Workplace. See also
APPENDIX: Security policies to see the changes to default values.

5.11 Firewall (ports and services)

Windows Firewall is a stateful firewall. On Windows XP and Windows Server
2003 it can be configured to restrict all inbound connections, but it cannot
filter or block outbound connections; Windows Vista, 7, and 2008 Server
(Windows Firewall with Advanced Security) also support blocking outbound
connections. It is recommended that firewall settings are applied at the
latest possible engineering phase, since the firewall may make it harder to
troubleshoot problems with connecting to network services.

Ports and services used by SYS 600 as well as the default firewall settings
are listed in APPENDIX: Ports and services. We recommend using hardware
firewalls. Software firewalls may affect performance, in which case they
should not be used; if the host firewall is switched off for that reason, the
network firewall in front of the server must enforce the same port list.

This is configured automatically using script files. See APPENDIX:
Deploying security settings to SYS 600 Server/Workplace.


5.12 Windows user account for SYS 600 system

During the installation, a MicroSCADA user account is created in Windows
with administrator privileges. The administrator user should have a long
password, at least 15 characters long [MSPASS09]. The password of the
MicroSCADA user account should not be changed through Windows User
Management. Instead, SYS 600 Control Panel > Admin > Password should
be used, which also updates the DCOM settings that depend on the password.

By default, SYS 600C contains two Windows user accounts: MicroSCADA
and SYS600C. The MicroSCADA account is used by the SYS 600 service and
should not be used for interactive logins. The SYS600C account is an
administrator account that should be used by the system administrator. More
Windows accounts can be created by the administrator. The passwords of the
default users are noted in the delivery documentation, which means they are
known outside the site until they are changed.

Change default passwords immediately after installation.

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)

• An ideal password is long and has letters, punctuation, symbols, and
  numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password, the better.
• Use the entire keyboard, not just the letters and characters you use or
  see most often.

This has to be configured manually.

5.13 Protecting SYS 600 system configuration settings

SYS 600 Workplaces connect to the server through terminal services. The
terminal connection is configured so that the user of the SYS 600 Workplace
only has access to the SYS 600 Monitor Pro application; i.e., the user has no
permission to open other applications on the server machine. For more
information, see Configuring Windows user accounts between a server and a
workplace.

5.14 Backing up and restoring

The following instructions are taken from [SYSCUG].

Taking a backup
We recommend that you back up the SYS 600 Server with disk imaging
software (for example Acronis True Image or Norton Ghost). The image
should be saved to a network drive or to a USB flash drive. Refer to the
instructions from your disk imaging software manufacturer on how to
accomplish this. An image contains the complete system, including account
data and any keys stored on it, so the image media must be protected at least
as well as the server itself.

Recommendations for image backup:
• SYS 600 Server – every 3 months
• SYS 600 Workplace – every 6 months

This has to be done manually.

Restoring a backup
The method for restoring the disk image depends on the disk imaging software.
Refer to the instructions from your disk imaging software manufacturer on
how to accomplish this. A restore should be rehearsed once on spare hardware
so that the procedure is known to work before it is needed.

This has to be done manually.


6 Configuring security settings for SYS 600 Workplaces

It is not required to install SYS 600 software on SYS 600 Workplace machines
at all. It is enough that the SYS 600 Workplace machine has software installed
that enables a remote connection to the SYS 600 Server. There are separate
script files for configuring Windows Firewall and security policies on the
workplace machine, see APPENDIX: Deploying security settings to SYS 600
Server/Workplace. See also Chapters 4 and 5 for configuring the network and
hardening the operating system.

To operate the SYS 600 Server, a monitor (Classic Monitor or Monitor Pro)
needs to be opened. A monitor can be opened either on the server machine or
through a remote connection. If the SYS 600 Workplace is a remote machine,
the connection to the server computer is established over the network by
using the remote client. Remote client means that the programs of the
workplace run on the server machine, whereas graphical output and
mouse/keyboard input for the processes happen on the remote client machine.

Normally, SYS 600 Workplace machines are configured so that the Windows
automatic logon feature is enabled to automatically log an operator onto the
Windows operating system. Thus, there is a shared Windows user account on
the SYS 600 Workplace machine and this account is used for automatic logon.

After the user has been logged in automatically to Windows, the Start >
Programs > Startup folder is executed. This folder contains shortcut icons to
launch SYS 600 monitors, which are then opened automatically. The target of
the shortcut icon is, for example, the Remote Desktop Connection program,
which is automatically configured to log on to the SYS 600 Server with a user
name and password, and to launch a monitor program (Classic Monitor or
Monitor Pro) on the server. The monitor login dialog opens for the user,
where the operator enters his/her unique user name and password. The shared
Windows account therefore only reaches the monitor login; accountability for
operator actions rests on the individual SYS 600 user accounts.

The recommended technologies between the MicroSCADA server and the remote
workplace computer are the Windows Remote Desktop Protocol (RDP) and
the Citrix Independent Computing Architecture (ICA). For more information,
see [SYSCON09, Configuring Workplaces].


6.1 Configuring Windows user accounts between a server and a workplace

The SYS 600 Server machine has to have a Windows user account (or accounts)
that is used for SYS 600 Workplace remote connections. This user is a member
of the Users (restricted user) and Remote Desktop Users groups. By default,
the Remote Desktop Users group is available in Windows. Normally, operators
use the same Windows user account to connect to the server machine;
however, there may be separate Windows user accounts for each operator. In
the SYS 600 system, operators normally have individual SYS 600 user
accounts which they use to log in to the system.

Furthermore, on the server machine, the Remote Desktop Users group should
have Modify permission to the SYS 600 installation folder, i.e., <drive>\sc.
Here are the steps to grant the permission:

1. Right-click <drive>\sc in Windows Explorer and select Properties.
2. Select the Security tab.
3. Add the Remote Desktop Users group to the Group or user names list by
   clicking the Add button.
4. Select the group in the list and allow Modify permission for the group.
5. Click OK.

To create a user account for Remote Desktop access on the SYS 600 Server:
1. Select Control Panel > Administrative Tools > Computer
   Management > System Tools > Local Users and Groups, right-click
   Users and then select New user…
   a. User name: e.g. Operator
   b. Full name: can be empty
   c. Description: can be empty
   d. Password: must meet complexity requirements (lowercase, uppercase,
      special characters, numbers)
2. Uncheck all options in the dialog.
3. Press Create and then press Close.
4. Double-click the user created and select the Member Of tab.
5. Press the Add button, add membership of Remote Desktop Users and
   click OK.

To enable Remote Desktop on the server:
1. Open Windows Explorer.
2. Right-click My Computer and select Properties.
3. Select the Remote tab and check the Enable Remote Desktop on this
   computer option.
4. Click Select Remote Users… and verify that the list includes only the
   users which are allowed to access the computer. Click OK to close the
   dialog.
5. Click OK.

This user account has restricted rights to the Windows operating system, see
http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx. The user
has Modify access to the <drive>\sc directory but normally only has access to
certain applications, such as Monitor Pro. The account must never be made a
member of Administrators, since it is the account reachable from every
workplace.

This has to be configured manually.
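The three procedures above (operator account, Modify permission on <drive>\sc,
Remote Desktop enabled) in script form, with a check that the account is not
an administrator, as an added example that is not part of this guideline or of
the SYS 600 product. It uses the WinNT ADSI provider and icacls so that it
works on Windows Vista/2008 and later; the account name, the installation
drive and the workplace subnet that is allowed to reach TCP 3389 are
assumptions for the example, and the Network Level Authentication setting is
an addition the guideline does not mention.

```powershell
# Added example, not from the ABB guideline. Creates the restricted Windows
# account used for workplace RDP sessions, grants Modify on the SYS 600 folder
# via the Remote Desktop Users group, enables Remote Desktop and limits the RDP
# port to the workplace network. Run in an elevated PowerShell on the server.

$UserName   = 'Operator'        # as in step 1.a above
$ScDir      = 'C:\sc'           # <drive>\sc (assumed drive)
$Workplaces = '10.10.11.0/24'   # workplace network (assumed)

function New-OperatorAccount {
    param([string]$Name, [System.Security.SecureString]$Password)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($plain)
    $user.SetInfo()
    # Member of Users (default for new local accounts) plus Remote Desktop
    # Users; no administrator membership.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $group.Add($user.Path)
}

function Grant-ScModify {
    param([string]$Path)
    # *S-1-5-32-555 is the well-known SID of Remote Desktop Users, so the
    # command works regardless of the Windows language. (OI)(CI)M = Modify,
    # inherited by files and subfolders, as in steps 1-5 above.
    icacls $Path /grant '*S-1-5-32-555:(OI)(CI)M'
}

function Enable-RemoteDesktop {
    param([string]$AllowedFrom)
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Network Level Authentication: credentials are checked before a desktop
    # session is created (not in the guideline; Vista/2008 or later).
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
        -Value 1 -Type DWord
    netsh advfirewall firewall delete rule name="RDP-Workplaces" | Out-Null
    netsh advfirewall firewall add rule name="RDP-Workplaces" dir=in action=allow `
        protocol=TCP localport=3389 remoteip=$AllowedFrom
}

function Test-OperatorAccount {
    param([string]$Name)
    # True only if the account exists and is not a member of Administrators.
    $admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($admins.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $exists = [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$Name,user")
    $exists -and ($members -notcontains $Name)
}

$pw = Read-Host -Prompt "Password for $UserName" -AsSecureString
New-OperatorAccount -Name $UserName -Password $pw
Grant-ScModify -Path $ScDir
Enable-RemoteDesktop -AllowedFrom $Workplaces
if (-not (Test-OperatorAccount -Name $UserName)) {
    throw "$UserName is missing or has administrator rights"
}
```

Test-OperatorAccount is the part worth keeping for later audits: it catches
the common drift where a service engineer adds the shared operator account to
Administrators to fix a permission problem and forgets to remove it.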

6.2 Enabling workstation calls from the server

Classic monitors – CAP 50x or SMS510 – can receive calls from the server,
e.g. to open some program on the workstation. For this purpose, there is an
executable called wserver.exe. By default, this program is disabled. To enable
the service:

1. Paste a shortcut of <drive>\sc\prog\exec\wserver.exe into the Start >
   Programs > Startup folder.
2. Configure the firewall to allow incoming connections on port 12221,
   from the SYS 600 server address only.
3. Execute the shortcut to enable workstation calls from the server
   immediately.

Because this service lets the server start programs on the workstation, it
should stay disabled on workstations that do not use classic monitors.

This has to be configured manually.

6.3 Configuring workstation in a hot-standby (HSB) system

OpenRemoteDesktop program
This program can be used for opening a connection from a workstation to the
active server in the HSB system. The program inspects both servers, detects
the active server of the HSB pair and establishes a terminal server session to it.
For more information, see [SYSCON09].

This has to be configured manually.

Using this program and configuring it changes the default security
settings used in the automatic script files. This program should be
configured after the deployment of security policies, see APPENDIX:
Deploying security settings to SYS 600 Server/Workplace.

6.4 Automatic logon feature

By default, the SYS 600 service is started directly after Windows has been
started. This is an automatic startup of the service, i.e., no user needs to log in.
The automatic logon feature on the server machine can be used to
automatically open MicroSCADA monitors on remote SYS 600 workplaces.

ABB does not recommend using the automatic logon feature of the
Windows operating system, since Windows stores the user name and
the password in plaintext in the Windows registry.

This feature is disabled by default and has to be enabled manually, see
[SYSINS09, Automatic Logon].

6.5 X Windows technology

Hummingbird eXceed version 7.0 or newer is required as an X server on the
workstation computer whenever the system includes distributed HSI (Human
System Interface) and uses MicroSCADA X and VS Remote monitor types
(Classic monitors). Note that technically, X Windows can use a range of ports
between 6000 and 6063. In particular, if the display number is changed from
the default of 0 using Xconfig/Communications, this changes the port that
eXceed uses: display number 1 uses port 6001, display number 2 uses 6002,
and so on. Only the port for the configured display number needs to be
opened, and only for the server address.

X Windows technology is not included in the preconfigured firewall
settings. You have to change your firewall settings manually if X
Windows is used.

This has to be configured manually.


7 Configuring security features in SYS 600

This chapter lists the security features, user account management and
authorization, available in the SYS 600 product.

All settings in this chapter have to be configured manually.

7.1 User account management

The SYS 600 system allows the creation, modification, and removal of user
accounts. SYS 600 supports several user accounts. By default, the first user
logging onto SYS 600 Monitor Pro after the SYS 600 installation gets system
administrator privileges and is able to use the user account management tools
of SYS 600. This first login should therefore be done by the intended
administrator during commissioning, before other users can reach the system.

To configure user accounts:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…

For more information, see [SYSAPL09, User Management].

7.2 Authorization / user account permissions

The system allows user roles with individually configurable permissions. User
names are associated with a certain user profile that restricts the user's access
rights.

To configure user authorization:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…

For more information, see [SYSAPL09, Authorization].

7.3 Password policies

SYS 600 supports passwords with alphanumeric and special characters
(!"#%&*+-./=?@_). Upper (A-Z) and lowercase (a-z) characters and
characters from other character sets (localization) are also supported. Password
handling is case-sensitive.

By default, password complexity is turned off. The system administrator may
enable password complexity. Other settings include a minimum password
length, and a setting for forcing characters to be used in the password (a
combination of alphanumeric and special characters). The maximum password
length is 63 bytes (63 ASCII characters; characters from other character sets
may take more than one byte each).

To configure password policies:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…
3. In the user management dialog, open Tools > Password Policy…

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)

• An ideal password is long and has letters, punctuation, symbols,
  and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password, the better.
• Use the entire keyboard, not just the letters and characters you
  use or see most often.

For more information, see [SYSAPL09, User Management].

7.4 Resetting administrator password

This feature is available if the user name or the password of the system
manager is lost. In this case, it is possible to log in to the system using a
temporary administrator password. Contact the support line.

7.5 User session time-out

SYS 600 workplaces operate in Windows. It is possible to configure the user
inactivity time and then lock the workstation; this is accomplished through
screensaver settings. The SYS 600 system has a setting for logging the user out
after a certain period of time. The time period is given in hours (from 1 to 255)
and it is also possible to configure notifications about session expiration.

To configure user session time-out:
1. Open SYS 600 Monitor Pro.
2. Open Settings > Application settings… and select the Logout Duration tab.

For more information, see [SYSAPL09, Application Settings].

7.6 Logging of user activities

The SYS 600 system can be configured to log events from the process, such as
switching device opened/closed. Furthermore, the following user activity
events are logged from the monitors:
• Login successful
• Login failed
• Logout
• Monitor opened

For example, the following events are not logged:
• User created
• User removed
• Password changed
• Password policies changed – setting X changed from value Y to Z

Changes to accounts and password policies therefore leave no trace in the
SYS 600 event log and have to be recorded in the site's change documentation.

Access to the log viewer is restricted based on user rights. Events are stored in
the file system in binary format.

For more information, see [SYSCON09, Event and Alarm Handling].

7.7 Backdoors
The following feature is a backdoor into the system: Resetting
administrator password

The administrator password reset feature is enabled by default. ABB
recommends that this feature is permanently disabled before delivering the
system to the customer. Using this function requires system manager authority.
Note that after the feature has been disabled, it is no longer possible to log in
to the system if the user name or the password of the system manager has
been lost, so the system manager credentials must be kept in a secure place
before the feature is disabled.

To disable this feature:
1. Open Monitor Pro and select Tools > Engineering Tools > User
   Management.
2. Press Ctrl + R in the main window and confirm the operation.
3. A notification is shown that the feature has been disabled. If the feature
   has been disabled before, this is also notified.

8 APPENDIX: Ports and services

General firewall settings are as follows:
• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767 kB
• ICMP settings: disabled
• Notify when an application is blocked

Since all inbound traffic is blocked by default, exceptions (firewall rules)
need to be configured. Windows Firewall rules are configured automatically
using script files. See APPENDIX: Deploying security settings to SYS 600
Server/Workplace.
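The general firewall settings above applied with netsh advfirewall and read
back for verification, plus one of the inbound exceptions from the protocol
table of this appendix (IEC 60870-5-104 slave, TCP 2404, allowed only from
the NCC address in Figure 3), as an added example that is not part of this
guideline or of the SYS 600 script files. It assumes Windows Vista/7/2008 or
later and an English Windows installation, since the check parses the text
that netsh prints; the rule name is an assumption for the example.

```powershell
# Added example, not from the ABB guideline. Applies the baseline firewall
# settings listed above, adds a restricted inbound rule and reports whether
# the baseline is in force on all three profiles. Run in an elevated PowerShell.

$LogFile = "$env:windir\pfirewall.log"   # %windir%\pfirewall.log from the list
$Ncc     = '10.10.10.10'                  # NCC system, Figure 3

function Set-FirewallBaseline {
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set allprofiles logging filename "$LogFile"
    netsh advfirewall set allprofiles logging maxfilesize 32767
    netsh advfirewall set allprofiles logging droppedconnections enable
    # "Notify when an application is blocked"
    netsh advfirewall set allprofiles settings inboundusernotification enable
    # ICMP stays blocked: blockinbound drops echo requests unless a rule allows them.
}

function Add-Iec104SlaveRule {
    param([string]$From)
    netsh advfirewall firewall delete rule name="IEC104-Slave-from-NCC" | Out-Null
    netsh advfirewall firewall add rule name="IEC104-Slave-from-NCC" dir=in `
        action=allow protocol=TCP localport=2404 remoteip=$From
}

function Get-FirewallBaselineState {
    # Parses the per-profile output of "show allprofiles" (three profiles on
    # Vista/7/2008) into a hashtable that a script can test.
    $text = netsh advfirewall show allprofiles | Out-String
    @{
        AllProfilesOn = ([regex]::Matches($text, 'State\s+ON').Count -eq 3)
        BlockInbound  = ([regex]::Matches($text,
                            'Firewall Policy\s+BlockInbound,AllowOutbound').Count -eq 3)
        LogDropped    = ([regex]::Matches($text, 'LogDroppedConnections\s+Enable').Count -eq 3)
        LogFileSet    = $text.Contains($LogFile)
    }
}

Set-FirewallBaseline
Add-Iec104SlaveRule -From $Ncc
$state = Get-FirewallBaselineState
if ($state.Values -contains $false) {
    throw "Firewall baseline not in force: $($state | Out-String)"
}
$state
```

The dropped-connection log at %windir%\pfirewall.log is the place to look when
a protocol listed in the tables below stops working after the script files have
been deployed: a DROP line for the expected port and peer means the exception
rule is missing or its remoteip does not match the real peer address.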

The complete list of ports and services can be found in the following tables
and the file MicroSCADA Pro Security Guide – Ports and Services Rev A.xlsx
[SYSPORTS].
Windows Operating System Services

Service | Service Description | UDP/TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Outbound port number | Miscellaneous | Used by
msrpc / dcom-scm / Service Control Manager | Remote procedure call / DCOM | X | 135 | fixed | always | 1024-65535 | Outbound range can be restricted: http://msdn.microsoft.com/en-us/library/ms809327.aspx | [System, svchost.exe]
netbios-ssn | Netbios Session Service | X | 139 | fixed | always | | | [System]
microsoft-ds | Microsoft Active Directory, shares | UDP, TCP | 445 | fixed | always | | | [System]
lsass.exe | Local Security Authentication Server | UDP, TCP | 1025 | fixed | always | | | [System]
ntp | SNTP - Simple network time protocol | X | 123 | fixed | always | | | [System]
Netbios-ns | Netbios Name Service | X | 137 | fixed | always | | | [IEC 61850 OPC Server]
Netbios-dgm | Netbios Datagram Service | X | 138 | fixed | always | | | [System]
Isakmp | IPSec in Windows | X | 500 | fixed | always | | | [System]
lsass.exe | sae-urn, IPsec NAT-Traversal | X | 4500 | fixed | always | | | [System]
wininit.exe, svchost.exe | | | 49152-49158 | fixed | always | | | [System]


SYS 600

Service | UDP/TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
inet.exe | X | 21845, 21846 | Fixed | Always | Base system program, process and APL-APL communication, ACP protocol used for communication. Used by other SYS 600 base
wserver.exe | X | 12221 | Configurable | Configurable | Routing server peripherals to client machines [SYS 600 Remote VS Monitors]. This port must be open in the workstation machine only if old monitors are used (X windowing).
daopccl.exe | - | - | - | - | MicroSCADA OPC Data Access Client uses DCOM port 135
opcs.exe | - | - | - | - | MicroSCADA OPC Data Access Server uses DCOM port 135
Opcenum.exe | X | 1049 | Fixed | Always | OpenRemoteDesktop program uses this service
hasplsm.exe | X | 1947 | Fixed | Always | Aladdin HASP License Manager Service for handling USB license keys. For internal use only.


SYS 600 - Communication protocols

Note! All master protocols using TCP/IP (IEC60870-5-104 master, DNP3.0 TCP master, Modbus TCP, SPA-TCP) operate as TCP clients. Consequently, no protocol-specific port numbers are reserved.

Service | UDP/TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
IEC60870-5-104 Slave | X | 2404 | fixed | configurable | IEC 60870-5-104 for telecontrol equipment and systems with coded bit serial data transmission in TCP/IP based networks for monitoring and controlling geographically widespread processes. Network Control Center (NCC).
IEC60870-5-104 Slave - Communication lines | X | 2501-2414 | configurable | configurable | Localhost only
IEC60870-5-104 Master - communication lines | X | 2501-2414 | configurable | configurable | Localhost only
DNP 3.0 Slave | UDP, TCP | | fixed | configurable | The Distributed Network Protocol (DNP) 3.0 is a standards-based communication protocol designed for electric utility, water, oil & gas and security systems.
DNP 3.0 Slave - Communication lines | X | 2501-2414 | configurable | configurable | Localhost only
DNP 3.0 Master - Communication lines | UDP, TCP | 2501-2414 | configurable | configurable | Localhost only
Modbus TCP Master - Communication lines | X | 2501-2414 | | | Localhost only
SPA-TCP - Communication lines | X | 2501-2414 | configurable | configurable | Localhost only
ELCOM-90 Provider | X | 6997 | configurable | configurable |
ELCOM-90 UserElem | X | 6998 | configurable | configurable |
ELCOM-90 Admin | X | 6999 | configurable | configurable |
Opcs_iec61850.exe | - | - | - | - | IEC 61850 OPC Server, which contains SNTP Server as TCP/IP Server. See ntp service.
Opcs_iec61850.exe | - | 102 | fixed | configurable | IEC 61850 OPC Client / IEC 61850 System Supervision Server, which contains MMS Server as TCP/IP server


SYS 600 - Other

Service | UDP/TCP | Inbound port number | Port number fixed/configurable | Used by
mqsvc.exe | X | 1053 | fixed | Message Queuing Service (MSMQ) [SYS 600 Network Topology Coloring (NTC)]. Localhost only.
mqsvc.exe | X | 1330 | fixed | Message Queuing Service (MSMQ) [SYS 600 NTC Client/Server]. Localhost only.
mqsvc.exe | X | 2103 | fixed | Message Queuing Service (MSMQ) [SYS 600 NTC Client/Server]. Localhost only.
mqsvc.exe | X | 2105 | fixed | Message Queuing Service (MSMQ) [SYS 600 NTC Client/Server]. Localhost only.
mqsvc.exe | X | 2107 | fixed | Message Queuing Service (MSMQ) [SYS 600 NTC Client/Server]. Localhost only.
mqsvc.exe | X | 3527 | fixed | Message Queuing Service (MSMQ) [SYS 600 NTC Client/Server]. Localhost only.
ntcmanager.exe | X | 52444 | Configurable | Manages NTC Server start/stop [SYS 600 NTC Server, NTC Starter]. Localhost only.
ntcserver.exe | X | 53001 | Configurable | NTC Server provides topology info to the NTC clients [SYS 600 Monitor Pro]. Localhost only.

SYS 600 – Remote Access

 | Service | Service Description | UDP/TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
 | Microsoft Windows Terminal Services | | X | 3389 | Fixed | Configurable | Microsoft Windows Terminal Services [Terminal Server Client, RDP Client]
 | Citrix ICA | | X | 1494 | Fixed | Configurable | MetaFrame Application Server for Windows / Citrix ICA
 | Hummingbird eXceed | X windows system | X | 6000-6003 | Configurable | Configurable | Classic monitors/workplaces
MS Pro DMS 600 4.3 | Ms-sql-s | | UDP, TCP | 1433 | Fixed | Always | Microsoft SQL Server
MS Pro DMS 600 4.3 | Ms-sql-m | | UDP, TCP | 1434 | Fixed | Always | Microsoft SQL Monitor
MS Pro DMS 600 4.3 | DMSSocketService.exe | | X | 51772 | Configurable | Always | DMS Socket Service, communication between applications [DMS 600 SA, WS, NE]
MS Pro DMS 600 4.3 | UnknownSocketService.exe | | X | 51773 | Fixed | Configurable | Socket service to be used by 3rd party programs for sending messages
CaCe TE | CaCe FaultSender | | X | 8087 | Configurable | | (Only fileserver)
CaCe TE | CaCe Faultreceiver | | X | 8086 | Configurable | | (Only fileserver)
 | Webgrid | | X | 8087 | Configurable | | Customer specific fault service (Only fileserver)
 | PG_Port | PG Server TECS-service | X | 3000 | Fixed | Configurable | Optional, depending on customer license / needs.
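As an added example, not one of the ABB deployment scripts, the following batch file applies the general firewall settings listed at the start of this appendix with netsh advfirewall (Windows 7 / Server 2008 syntax) and adds inbound exceptions for two listeners from the tables above. The NCC address and the rule names are this example's own placeholders; the ports and transports (RDP 3389/TCP, IEC 60870-5-104 slave 2404/TCP) are those given in the tables.

```batch
@echo off
REM Added example, not one of the SYS 600 deployment scripts: applies the
REM general firewall settings of this appendix with "netsh advfirewall"
REM (Windows 7 / Server 2008) and adds two inbound exceptions from the
REM tables. Run from an elevated command prompt.
REM Assumptions: NCC_IP is a placeholder; rule names are this example's own.
setlocal
set "NCC_IP=192.0.2.10"

REM Firewall: enabled, block inbound, allow outbound (all profiles)
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM Logging: enabled, %windir%\pfirewall.log, 32767 kB; dropped packets are
REM logged so that blocked connection attempts can be reviewed afterwards
netsh advfirewall set allprofiles logging filename "%windir%\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 32767
netsh advfirewall set allprofiles logging droppedconnections enable

REM ICMP settings: disabled (explicit block of inbound echo request,
REM ICMPv4 type 8, on top of the default inbound block)
netsh advfirewall firewall add rule name="SYS600 block ICMP echo in" dir=in action=block protocol=icmpv4:8,any

REM Notify when an application is blocked
netsh advfirewall set allprofiles settings inboundusernotification enable

REM Exception from "SYS 600 - Remote Access": Terminal Services, TCP 3389,
REM fixed port, status configurable
netsh advfirewall firewall add rule name="SYS600 Terminal Services" dir=in action=allow protocol=TCP localport=3389

REM Exception from "SYS 600 - Communication protocols": IEC 60870-5-104
REM slave, TCP 2404, accepted only from the Network Control Center
netsh advfirewall firewall add rule name="SYS600 IEC 60870-5-104 slave" dir=in action=allow protocol=TCP localport=2404 remoteip=%NCC_IP%

REM Protocol rules are open by default and are blocked by hand when the
REM protocol is not used (section 11.3, step 5). Disabling the rule is the
REM script equivalent of unchecking it on the Exceptions tab:
REM netsh advfirewall firewall set rule name="SYS600 IEC 60870-5-104 slave" new enable=no

REM Verify the result
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in | findstr /i "SYS600"
endlocal
```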


9 APPENDIX: Windows system services

Windows system services are described in detail in the Threats and Countermeasures Guides. The guide also includes the Excel workbook “Windows Default Security and Services Configuration”, which documents the default startup settings for services.

The settings below are a collection of services which are automatically disabled, using the script, in Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008.

Not all services are running in each operating system, and some may not even exist. The script is built so that it ignores the unavailable services, and therefore it is normal to have these kinds of messages in the log file:
• Error 1060: The specified service does not exist as an installed service. Error opening <service name>.
• Error 1060: The specified service does not exist as an installed service. Opening service <service name> for stop access failed.
• Legacy audit settings are disabled. Skipped configuration of legacy audit settings.

See the exceptions to these services after the table, since some functionality needs certain services to be enabled.

Table 4 – Disabled Windows system services

Service | Display Name
Alerter | Alerter
aspnet_state | ASP .NET State Service
AudioSrv | Windows Audio
CiSvc | Indexing Service
ClipSrv | ClipBook
Fax | Fax
Helpsvc | Help and Support
IISAdmin | IIS Admin
ImapiService | IMAPI CD-Burning COM Service
Messenger | Messenger
Mnmsrvc | NetMeeting Remote Desktop Sharing
MSFtpsvc | FTP Publishing Service
SCardSvr | Smart Card
Schedule | Task Scheduler
SMTPSVC | Simple Mail Transfer Protocol
Stisvc | Windows Image Acquisition
TapiSrv | Telephony
Themes | Themes
TlntSvr | Telnet
TrkSrv | Distributed Link Tracking Server
Upnphost | Universal Plug and Play Device Host
UPS | Uninterruptible Power System
W3SVC | World Wide Web Publishing
WebClient | Web Client
WmdmPmSN | Portable Media Serial Number Service
WZCSVC | Wireless Zero Configuration

Exceptions
The table below shows the services which have to be changed from the default if some functionality is required.

Functionality | Service to be enabled
Wireless connection | Enable ‘Wireless Zero Configuration’
Sounds | Enable ‘Windows Audio’
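The following batch file is an added example and not the SYS 600 deployment script itself: it stops and disables the Table 4 services, leaves the Exceptions-table services alone when they are listed in KEEP_SERVICES, and tolerates services that are not installed on the current Windows version, which is where the "Error 1060" log lines above come from. KEEP_SERVICES and the log file name are this example's own.

```batch
@echo off
REM Added example, not the SYS 600 deployment script: disables the
REM services of Table 4 and logs, rather than fails on, services that do
REM not exist on this Windows version (error 1060). Run elevated.
REM Assumptions: KEEP_SERVICES and LOG are this example's own; put the
REM Exceptions-table services in KEEP_SERVICES to keep them enabled.
setlocal
set "LOG=%~dp0disable_services.log"
REM Example for a site that needs wireless and sound:
REM set "KEEP_SERVICES=WZCSVC AudioSrv"
set "KEEP_SERVICES="

set "SERVICES=Alerter aspnet_state AudioSrv CiSvc ClipSrv Fax Helpsvc IISAdmin"
set "SERVICES=%SERVICES% ImapiService Messenger Mnmsrvc MSFtpsvc SCardSvr Schedule"
set "SERVICES=%SERVICES% SMTPSVC Stisvc TapiSrv Themes TlntSvr TrkSrv Upnphost UPS"
set "SERVICES=%SERVICES% W3SVC WebClient WmdmPmSN WZCSVC"

> "%LOG%" echo Disabling services %DATE% %TIME%
for %%S in (%SERVICES%) do call :disable %%S
>> "%LOG%" echo Done.
type "%LOG%"
endlocal
goto :eof

:disable
set "SVC=%~1"
REM Leave the site exceptions alone
for %%K in (%KEEP_SERVICES%) do if /i "%%K"=="%SVC%" (
    >> "%LOG%" echo Kept %SVC% - site exception.
    goto :eof
)
REM sc returns the Win32 error as its exit code; 1060 means the service
REM is not installed on this OS, which is normal and is only logged.
sc query "%SVC%" >nul 2>&1
if "%errorlevel%"=="1060" (
    >> "%LOG%" echo Error 1060: The specified service does not exist as an installed service. Skipped %SVC%.
    goto :eof
)
if not "%errorlevel%"=="0" (
    >> "%LOG%" echo Error %errorlevel% opening %SVC%.
    goto :eof
)
REM Disable first so the service cannot be restarted, then stop it
sc config "%SVC%" start= disabled >nul && >> "%LOG%" echo Disabled %SVC%.
sc stop "%SVC%" >nul 2>&1
goto :eof
```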


10 APPENDIX: Security policies

10.1 Security policies


The table below shows what settings are changed in the SYS 600 servers
and workplaces compared to the default, domain, and member server
settings.

Note! The default value is the operating system default value. There is a
separate default value for SSLF settings not shown here.

Table 5 – SYS 600 security policies


Setting: Name | Default value | Win2k8-SYS600Server / Win2k8-SYS600Workplace value | Remarks
Maximum password age | 42 days | 0 | MicroSCADA user account never expires
Minimum password age | 0 days | 0 | MicroSCADA user account never expires
Account lockout threshold | 0 invalid logon attempts | Server: 0 / Workplace: 0 | A denial-of-service attack is possible if this value is more than zero. Therefore, never lock out.
Debug programs | Administrators | Administrators |
Deny access to this computer from the network | Guests | Guests, ANONYMOUS LOGON |
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users |
Deny log on locally | Guests | Guests, MicroSCADA | The MicroSCADA user account is only used to run the service
Deny log on through Terminal Services | No One | Guests, MicroSCADA | The MicroSCADA user account is only used to run the service
Log on as a service | No one | MicroSCADA |
Accounts: Rename guest account | Guest | Server: Guestrenamed / Workplace: Guestrenamed | The Guest account is disabled, but still renamed
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Server: Enabled / Workplace: Enabled | Remote control is denied
Devices: Restrict floppy access to locally logged-on user only | Disabled | Server: Enabled / Workplace: Enabled | Remote control is denied
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | 5 seconds | Server: 0 / Workplace: 5 |
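An added example, not the ABB deployment script: a batch file that writes a security template with the server-side values of Table 5 and applies it with secedit, the same tool the Rollback section uses. The template and database file names are this example's own, as is the assumption that the MicroSCADA service account is a local account named MicroSCADA; the registry lines for the Devices and MSS settings assume the Winlogon values are REG_SZ, as they are in the registry.

```batch
@echo off
REM Added example, not the SYS 600 deployment script: writes a security
REM template with the Table 5 server values and applies it with secedit.
REM Run elevated. Assumptions: file names are this example's own; the
REM MicroSCADA service account is a local account named MicroSCADA.
setlocal
set "INF=%~dp0sys600_server.inf"
set "SDB=%~dp0sys600_server.sdb"

>  "%INF%" echo [Unicode]
>> "%INF%" echo Unicode=yes
>> "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [System Access]
REM Password never expires for the MicroSCADA account: in a template -1
REM means unlimited (the Local Security Policy GUI shows it as 0).
>> "%INF%" echo MaximumPasswordAge = -1
>> "%INF%" echo MinimumPasswordAge = 0
REM Lockout threshold 0: any lockout threshold would let anyone who can
REM reach the server lock the MicroSCADA account out (denial of service).
>> "%INF%" echo LockoutBadCount = 0
REM Guest account disabled but still renamed
>> "%INF%" echo EnableGuestAccount = 0
>> "%INF%" echo NewGuestName = "Guestrenamed"
>> "%INF%" echo [Privilege Rights]
REM S-1-5-32-544 Administrators, S-1-5-32-546 Guests,
REM S-1-5-32-555 Remote Desktop Users, S-1-5-7 ANONYMOUS LOGON
>> "%INF%" echo SeDebugPrivilege = *S-1-5-32-544
>> "%INF%" echo SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-7
>> "%INF%" echo SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
>> "%INF%" echo SeDenyInteractiveLogonRight = *S-1-5-32-546,MicroSCADA
>> "%INF%" echo SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,MicroSCADA
>> "%INF%" echo SeServiceLogonRight = MicroSCADA
>> "%INF%" echo [Registry Values]
REM Restrict CD-ROM and floppy access to the locally logged-on user;
REM screen saver grace period 0 seconds (server value). Type 1 = REG_SZ.
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
>> "%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=1,"0"

REM Apply the template, then analyze the machine against it so that any
REM setting that did not take is visible in analyze.log
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /quiet /log "%~dp0deploy.log"
secedit /analyze /db "%SDB%" /cfg "%INF%" /log "%~dp0analyze.log"
endlocal
```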


11 APPENDIX: Deploying security settings to SYS 600 Server/Workplace

It is recommended that security settings are applied at system setup time, to prevent undesired effects of the settings from the very start.

The main steps in security settings deployment are:
• Deploy virtual private network
• Deploy security policy to server/workplace
• Deploy firewall settings to server/workplace
• Deploy other security settings, such as BIOS settings, USB drive disabling, virus scanners etc.

Security settings for servers and workplaces are located in the SYS 600 installation folder <drive>\sc\setup\security.

11.1 Rollback
In case the system does not work as expected, these are the instructions for the rollback. Run these commands with admin rights.

Windows XP/Server 2003

1. netsh firewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA and confirm the changes.
5. Close Local Security Policy.

Windows 7/Server 2008

1. netsh advfirewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA and confirm the changes.
5. Close Local Security Policy.

11.2 Virtual Private Network

The configuration for Windows Server 2003 is shown below. Server 2008 is not much different.

Windows Vista and Windows 7 Home and Starter versions do not support the IPSec function.

Create IPSec Policy

An IPSec policy secures all IP traffic that is specified in the configured IPSec filters. The decision to allow unsecured IP traffic is up to the user. We explain how to configure SYS 600 for IPSec transport mode.
1. Click Start, click Run, and then type secpol.msc to start the IP Security Policy Management snap-in.
2. Right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.


3. Click Next, and then type a name for your policy (for example, IPSec Tunnel with Network Control Center).
4. Add additional information in the Description box if desired. Click Next.
5. Click to clear the Activate the default response rule check box, and then click Next.
6. Click Finish (leave the Edit check box selected).


Build a Filter List from SYS600 to NCC

1. In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.
2. Click the IP Filter List tab, and then click Add.


3. Type an appropriate name for the filter list (e.g., IP traffic to NCC), click to clear the Use Add Wizard check box, and then click Add.
4. In the Source address box, click A specific IP Address, and then type the IP address of SYS600 towards the NCC (the IP address that communicates with the NCC), as this filter should only apply to the network interface connected to the WAN.


5. In the Destination address box, click A specific IP Address, and then type the IP address of the NCC (the NCC’s IP address that SYS600 connects to).
6. Leave the Mirrored check box selected.
7. Click the Protocol tab. Make sure that the protocol type is set to Any, because IPSec does not support protocol-specific or port-specific filters.
8. If you want to type a description for your filter, click the Description tab. Click OK.


9. Click OK to close the IP Filter List dialog.

Configure a Rule for the communication

1. Click the IP Filter List tab, and then click to select the filter list that you created.
2. Click the Tunnel Setting tab, and click This rule does not specify an IPSec tunnel.
3. Click the Connection Type tab, and click Local area network (LAN).
4. Click the Filter Action tab, and click one of the following options, depending on the decision of how to handle non-IPSec traffic:
• Permit – Permits unsecured IP packets to pass through. This means the device does not try to establish IPSec encryption, but reacts if a request for security is made. If both devices are configured as “Permit”, no encryption is established at all.
• Request Security (Optional) – Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely with untrusted clients if they do not respond to the request. This means the device tries to establish a secure IPSec connection, but if this fails (e.g., if the client does not provide the correct Pre-Shared Key or is not capable of IPSec encryption), it falls back to normal operation.
• Require Security – Accepts unsecured communication, but always requires clients to establish trust and a security method. Will NOT communicate with untrusted devices. This means that devices for which this policy applies cannot communicate with the server without the correct pre-shared key and encryption method.
Note: None of the check boxes at the bottom of the Filter Action dialog box are selected as an initial configuration for a filter action that applies to tunnel rules.

Note: As the currently configured IP Filter rule matches only a single IP, it does not discard non-IPSec traffic originating from a different wide area network IP address. In order to prohibit any non-IPSec connections from the wide area network, the IP filter list would have to match the subnet of the wide area network, and the Filter Action would have to be set to “Require Security”.
5. Click the Authentication Methods tab to configure the authentication method. Mark the default Kerberos method and click Remove. Confirm the inquiry.
6. Click Add.
7. Select Use this string (preshared key) and enter a long key that also contains special characters. This string must be the same on the machine that matches the IP filter rule (in this case, the NCC). Click OK.


8. Click Close to close the New Rule Properties dialog.
9. Click OK.
10. In the Local Security Settings, right-click the created rule (e.g., IPSec Tunnel with Network Control Center) and select Assign. A green dot indicates that the rule is active. Close the Local Security Settings.
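The same transport-mode policy built above, created with the netsh ipsec static command set instead of the snap-in; this is an added example and not part of the ABB guideline. The two addresses are placeholders, the policy, filter list, filter action and rule names are this example's own, and the pre-shared key is read from an IPSEC_PSK environment variable so that it is not stored in the script.

```batch
@echo off
REM Added example, not part of the ABB guideline: the IPSec transport-mode
REM policy of section 11.2 created with "netsh ipsec static" instead of the
REM IP Security Policy Management snap-in. Run elevated on the SYS 600 server.
REM Assumptions: addresses are placeholders; policy, filter list, filter
REM action and rule names are this example's own; the pre-shared key comes
REM from the IPSEC_PSK environment variable.
setlocal
set "SYS600_WAN_IP=192.0.2.10"
set "NCC_IP=198.51.100.20"
set "POLICY=IPSec Tunnel with Network Control Center"
if "%IPSEC_PSK%"=="" (
    echo IPSEC_PSK is not set. Use the same long key as on the NCC.
    exit /b 1
)

REM Create IPSec Policy, step 5: the default response rule is not activated
netsh ipsec static add policy name="%POLICY%" description="SYS 600 to NCC, transport mode" activatedefaultrule=no

REM Build a Filter List: one mirrored filter, any protocol, between the
REM SYS600 WAN address and the NCC address (a single IP, see the Note above)
netsh ipsec static add filterlist name="IP traffic to NCC"
netsh ipsec static add filter filterlist="IP traffic to NCC" srcaddr=%SYS600_WAN_IP% dstaddr=%NCC_IP% protocol=ANY mirrored=yes

REM Filter Action "Require Security": negotiate, no unsecured pass-through
REM (inpass=no), no fallback to clear text (soft=no). "Request Security"
REM would be inpass=yes soft=yes; "Permit" would be action=permit.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no

REM Configure a Rule: no tunnel endpoint (transport mode), connection type
REM LAN, Kerberos removed, pre-shared key as the only authentication method
netsh ipsec static add rule name="SYS600 to NCC" policy="%POLICY%" filterlist="IP traffic to NCC" filteraction="Require Security" conntype=lan kerberos=no psk="%IPSEC_PSK%"

REM Assign the policy (the green dot in the snap-in) and show the result
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```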

Repeat the steps for all machines that should use IPSec. It is possible to export the policies and import them on a different computer. Here are the instructions:
1. In the Local Security Settings, where the VPN configuration is set, select IP Security Policies on Local Computer.
2. Select Action > All Tasks > Export Policies... and write a file name.


3. On the other computer, where the VPN configuration is needed, open Local Security Settings and select IP Security Policies on Local Computer.
4. Select Action > All Tasks > Import Policies…
5. Select the file exported in item 2 and press Import/OK.
6. The rules should be checked and adapted, e.g. swap Source address and Destination address in the IP Filter Properties dialog.

11.3 SYS 600 Server

Use the following steps to configure security settings on the SYS 600 server:

1. Open a Command window and browse to the <drive>\sc\setup\security folder.
2. Execute the command “Deploy Security Settings.cmd” server /quiet to apply security policies and wait for the operation to finish.
3. Execute the command “Windows Firewall.cmd” server <drive>:\sc /quiet to apply firewall settings on Windows XP and Server 2003. Use “Advanced Windows Firewall.cmd” server <drive>:\sc /quiet to apply firewall settings on Windows Vista/7/Server 2008. The target and the SYS 600 installation path must be given as arguments.
4. Wait for the operation to finish.
5. The default firewall settings for SYS 600 allow (ports are open) all communication protocols such as DNP and ELCOM. Therefore, ports for communication protocols must be manually closed/blocked as required. Follow these steps to block/unblock communication protocols:
   a. Open Windows Firewall from Start > Control Panel > Windows Firewall.
   b. Select the Exceptions tab.
   c. Find the communication protocols in the list and check/uncheck each protocol according to customer specifications. A checked line means that the protocol is unblocked (port is open). Unchecked means that the protocol is blocked (port is closed).
   d. Confirm the changes.

11.4 SYS 600 Workplace

The SYS 600 Workplace does not have the SYS 600 installation. Instead, the workplace has a remote client, e.g. Remote Desktop Connection, to connect to a SYS 600 Server where the workplace sessions are managed. Firewall settings and security policies differ from those of the SYS 600 Server.


Use the following steps to configure security settings on the SYS 600 workplace:

1. Open a Command window and browse to the <drive>\sc\setup\security folder.
2. Execute the command “Deploy Security Settings.cmd” workplace /quiet to apply security policies and wait for the operation to finish.
3. Execute the command “Windows Firewall.cmd” workplace /quiet to apply firewall settings on Windows XP and Server 2003. Use “Advanced Windows Firewall.cmd” workplace /quiet to apply firewall settings on Windows Vista/7/Server 2008.
4. Wait for the operation to finish.

Contact us

© Copyright 2010 ABB. All rights reserved.


ABB Oy
Substation Automation Products
P.O. Box 699
FI-65101 Vaasa
FINLAND
Tel. +358 10 22 11
Fax. +358 10 224 1094

www.abb.com/substationautomation

1MRS756796 A/31.3.2010
