Cyber Security Deployment Guideline
1MRS756796 MicroSCADA Pro SYS 600 9.3
Cyber Security Deployment Guideline
1 Introduction
1.1 This manual
1.2 Use of symbols
1.3 Document conventions
1.4 Document revisions
2 General
2.1 Definitions and Abbreviations
2.2 Reference Documents
3 Introduction to SCADA Security
4 Configuring network
4.1 Virtual Private Network (VPN)
    Use cases
4.2 Network Devices
5 Configuring security settings for Windows operating system / SYS 600 Server
5.1 BIOS settings
5.2 Removing unused programs
5.3 Disabled system services
5.4 Windows Updates
    Patch management
5.5 Virus scanner
    Patch management
5.6 Disabling devices
5.7 User Account Control (UAC)
5.8 OPC
5.9 SNMP – Simple Network Management Protocol
5.10 Security policies
5.11 Firewall (ports and services)
5.12 Windows user account for SYS 600 system
5.13 Protecting SYS 600 system configuration settings
5.14 Backing up and restoring
    Taking backup
    Restoring backup
6 Configuring security settings for SYS 600 Workplaces
6.1 Configuring Windows user accounts between a server and a workplace
6.2 Enabling workstation calls from the server
6.3 Configuring workstation in a hot-standby (HSB) system
    OpenRemoteDesktop program
6.4 Automatic logon feature
6.5 X Windows technology
7 Configuring security features in SYS 600
7.1 User account management
7.2 Authorization / user account permissions
Copyright
The information in this document is subject to change without notice
and should not be construed as a commitment by ABB. ABB assumes
no responsibility for any errors that may appear in this document.
In no event shall ABB be liable for direct, indirect, special, incidental or
consequential damages of any nature or kind arising from the use of this
document, nor shall ABB be liable for incidental or consequential
damages arising from use of any software or hardware described in this
document.
This document and parts thereof must not be reproduced or copied
without written permission from ABB, and the contents thereof must
not be imparted to a third party, nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under
a license and may be used, copied, or disclosed only in accordance with
the terms of such license.
Copyright © 2010 by ABB
All rights reserved.
Trademarks
ABB is a registered trademark of ABB Group. All other brand or
product names mentioned in this document may be trademarks or
registered trademarks of their respective holders.
Guarantee
Please inquire about the terms of guarantee from your nearest ABB
representative.
1 Introduction
1.1 This manual
This document is a security guide for MicroSCADA Pro Control System SYS
600 versions 9.2 and 9.3 (hereafter SYS 600).
Although warning hazards are related to personal injury, and caution hazards
are associated with equipment or property damage, it should be understood
that operation of damaged equipment could, under certain operational
conditions, result in degraded process performance leading to personal injury
or death. Therefore, comply fully with all warning and caution notices.
• The names of push and toggle buttons are boldfaced. For example, click
OK.
• The names of menus and menu commands are boldfaced. For example,
the File menu.
• The following convention is used for menu operations: Menu Name >
Menu Command > Cascaded Menu Command. For example, select
File > Open > New Project.
• The Start menu name always refers to the Start menu on the Windows
Task Bar.
• System prompts/messages and user responses/input are shown in the
Courier font. For example, if you enter a value out of range, the following
message is displayed:
Entered value is not valid. The value must be 0 to 30.
You may be told to enter the string MIF349 in a field. The string is shown as
follows in the procedure:
MIF349
• Variables are shown using lowercase letters: sequence name
2 General
This document is a security guide for MicroSCADA Pro Control System SYS
600 versions 9.2 and 9.3 (hereafter SYS 600). The guide is intended for
software and project engineers and system verification testers, who are
expected to have general familiarity with the following areas:
• PCs, servers, and Windows operating systems
• Networking including TCP/IP and concept of ports
• Firewalls
• Anti-virus
• Passwords
• Remote and secure communication
Operating systems (with the latest service packs) covered in this document are:
• Windows 7
• Windows Server 2008
• Windows XP Professional or
• Windows Server 2003 Standard Edition
However, the guide does not specify the network configuration (forests,
domains, organizational units (OU)) where the SYS 600 system is installed.
There are several ways to deploy security settings to machines, e.g. by using
the secedit command-line tool, the Security Configuration Wizard (SCW), or
Group Policy Objects (GPO). This guide gives instructions on how to deploy
security settings to servers and workplaces using the secedit tool.
There are security settings which are automatically configured in the product
and those which need to be configured manually. By default, the SYS 600
installation configures Windows security settings for DCOM security settings
only. An administrator user account is also created during installation and a
password is prompted for the MicroSCADA user. Since this is an
administrator user account, it is the responsibility of the system administrator
to choose a valid and secure password for this account; see Windows user
account for SYS 600 system.
Other Windows server security settings such as the firewall, security policies
and disabling of Windows system services are not configured automatically
during the SYS 600 installation. This is because the SYS 600 installation may
conflict with existing security settings on computers where these may not be
modified. To apply security settings after the SYS 600 installation, read and
execute the settings starting from Chapter 4. The script files are located in
the SYS 600 installation folder sc\setup\security. Detailed instructions for
applying security settings to SYS 600 servers are given in Chapter 11.
There is a general security guide for control systems and operating systems on
the ABB website [ABBSEC09]. Microsoft also has security guides for
different operating systems [MSSEC09].
SYS 600 Compact (SYS 600C) includes both SYS 600 and Windows
server-specific security settings by default. However, it is the
responsibility of the project engineer to open TCP/UDP ports for
different communication protocols such as DNP or ELCOM.
| Security feature | SYS 600 installation package / SYS 600C / > SYS 600 9.3 | Remarks |
|---|---|---|
| MicroSCADA user account | X X X | Automatically created during the SYS 600 installation. Password should be longer than 15 characters. |
| OPC/DCOM settings | X X X | Automatically configured during the SYS 600 installation. |
| Firewall settings (ports and services) | X S/M | Enable ports for different communication protocols according to customer specifications. |
| Virtual Private Network (VPN) | X | |
| BIOS settings | X | Manual configuration |
| Removing unused programs | X S/M | Manual configuration |
| Disabled system services | X S | |
| SNMP | Not installed / services disabled (all three) | |
| Windows Server security policies | X S | |
| Windows Update | Not installed / services disabled (all three) | |
| User Access Control (UAC) | X S | |
| Virus scanner | Not installed / services disabled (all three) | Manual configuration |
| Disabling devices: | | |
| DVD/CD-ROM drives | X S | Manual configuration |
| USB Mass Storage | X S | Manual configuration |
| Serial port | X | Manual configuration |
| Floppy disk controller | X | Manual configuration |
| Sound, video controller | X | Manual configuration |
| Disabling autorun functionality | X S | |
| Backing up and restoring | | Manual configuration |
| SYS 600 user management and authorization | X | Manual configuration |
In today’s corporate environment, internal networks are used for all corporate
communications, including SCADA. SCADA systems are therefore vulnerable
to many of the same threats as any TCP/IP-based system.
• Use a Denial of Service (DoS) attack to crash the SCADA server, leading
to a shutdown condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of
Operations)
• Plant a Trojan and take complete control of system (Gain complete control
of system and be able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords
(Preparation for future take down)
• Log any company-sensitive operational data for personal or competition
usage (Loss of Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is
out of control and must be shut down (Downtime and Loss of Corporate
Data)
• Modify any logged data in remote database system (Loss of Corporate
Data)
• Use SCADA Server as a launching point to defame and compromise other
system components within corporate network.
The figure below illustrates the typical corporate network “ring of defenses”
and its relationship with the SCADA network. Successful attacks can originate
from either Internet paths through the corporate network to the SCADA
network, or from internal attacks from within the corporate office.
Alternatively, attacks can originate from within the SCADA network from
either upstream (applications) or downstream (RTUs) paths. What is an
appropriate configuration for one installation may not be cost-effective for
another. Flexibility and the employment of an integrated and coordinated set
of layers are critical in the design of a security approach.
They are critical to re-creating TCP/IP packets before passing them on to,
or from, application layer resources such as Hyper Text Transfer Protocol
(HTTP) and Simple Mail Transfer Protocol (SMTP). However, the
employment of proxy servers will not eliminate the threat of application
layer attacks.
• Operating Systems: Operating systems can be compromised, even with proper
patching, to allow network entry as soon as the network is activated. This is
because operating systems are the core of every computer system and their
design and operating characteristics are well known worldwide. As a result,
operating systems are a prime target for hackers. Further, in-place operating
system upgrades are less efficient and secure than design-level migration to
new and improved operating systems.
• Applications: Application layer attacks, e.g. buffer overruns, worms,
Trojan horse programs and malicious ActiveX code, can incapacitate anti-virus
software and bypass the firewall as if it were not there.
• Policies and Procedures: Policies and procedures constitute the foundation
of security policy infrastructures. They include requiring users to select
secure passwords that are not based on a dictionary word, contain at least one
symbol, capital letter and number, and are over eight characters long. Users
should not be allowed to use the name of their spouse, child or pet as their
password.
The above list is common to all entities that have corporate networks. SCADA
systems for the most part coexist on the same corporate network, as seen in the
figure above. The following list suggests ways to help protect the SCADA
network in conjunction with the corporate network:
4 Configuring network
Each host in a TCP/IP network has a unique identifier, called an IP address.
The IP address is composed of four numbers in the range from 0 to 255. The
numbers are separated with dots, e.g. 192.168.0.1. Because every computer on
an IP network must have a unique IP address, careful planning of IP addresses
throughout the whole system is important. Remember to allow for future needs
in the address ranges when planning large networks. A host can have multiple
IP addresses, as shown in Figure 2.
ABB does not recommend the use of domains and wireless networks in a SYS
600 system due to the high reliability and security that is required of the
control system. A domain controller being out of service might jeopardize the
stability of the control system. Therefore, static IP addressing should be used
in the SYS 600 system; see
http://technet.microsoft.com/en-us/library/cc754203(WS.10).aspx and also
[SYS 600 Installation and Administration, Host names] for more information.
This guideline considers the IP communication between SYS 600 and the
Network Control Center (NCC) / Regional Control Center (RCC) via a
dedicated wide area link that is not exposed to public access. The use case is to
protect the dedicated link against man-in-the-middle attacks by guaranteeing
confidentiality, integrity, and authentication via IPSec, using pre-shared key
authentication.
Use cases
NCC Communication
This use case features the IP communication between SYS600 and the NCC
via a dedicated wide area link, which can be a glass fiber optics
communication link, a microwave radio link, or a leased line that is not
exposed to public access. The use case is to protect the dedicated link against
man-in-the-middle attacks by guaranteeing confidentiality, authenticity, and
authentication. The use of IPSec/VPN technology ensures that the transmitted
data is not readable to eavesdroppers and resists man-in-the-middle data
corruption. In addition, both SYS600 and NCC can authenticate using pre-
shared keys before establishing the communication link.
Figure 3 (image not reproduced): Intranet, IPSec, VPN Endpoint, VPN Endpoint, Windows Firewall, SYS600, SYS600.
Figure 3 visualizes a possible setup for the use case. The VPN connections are
illustrated as blue tubes, and multiple SYS 600 devices are connected to the
NCC system via the operator’s internal IP network.
HSB communication
Another use case concerns communication between a master SYS 600 device
and its redundant hot-standby system via a wide area network connection. This
link should be protected against man-in-the-middle attacks by guaranteeing
confidentiality, authenticity, and authentication. This use case is comparable to
NCC communication.
Patch management
The compatibility of the latest Windows service packs with SYS 600 is tested
in the system verification center at the time of the product release. After the
system is running, only security-related patches should be installed on servers.
If a security patch affects software that is not used or installed on the
server, the patch should not be installed.
Virus scanners distinguish between on-access scanning (only files that are
currently requested to load are checked) and on-demand scanning (all files are
checked during a scheduled scan). Minimum requirements for the virus
scanner are on-demand scanning and virus definition updating features.
CPU Utilization
• Restrict CPU utilization to 20%.
• After modifying this setting, it is recommended to run the on-demand scan of
  local disks once to ensure that it finishes within an acceptable amount of
  time.
• Disable the virus scanner during SYS 600 product or service pack installation.
On-access scanning
• Scan only local disks; network scan is disabled (when each machine has
  its own virus scanner). Disable email scans.
• Excluded directories (these directories are frequently used by the SYS 600
  Server):
  o SYS 600: <drive>\sc\apl\*.* (including subdirectories); if this does
    not work, exclude the whole sc directory
  o DMS 600: <drive>\DMS600\*.*
• Excluded files:
  o Archive files such as .cab, .rar, and .zip
• Other settings:
  o Enable buffer overflow protection
  o Enable access protection
  o Enable script scan
On-demand scanning
• Initiated periodically or manually.
• Initiated manually if the system owner has found virus-infected files on
  other computers in the enterprise, e.g. in the office network or on
  maintenance laptops.
• Scan only local disks; network scan is disabled (when each machine has
  its own virus scanner).
• Scanning should be done when normal system activity is low.
• All items excluded in on-access scanning should be included in the scan.
Patch management
It is recommended to update scan engine and virus definition files regularly,
e.g. every three months. Verify that the settings introduced above are
preserved and the performance and functionality of the system is acceptable
after updates.
Theoretically, a new virus definition file could arrive that compromises the
proper functionality of the system. Testing the system against every new
virus definition file is obviously not feasible. Therefore, we recommend a full
system backup before updating virus definition files.
Click Start > Settings > Control Panel > Administrative Tools > Computer
Management > Device Manager and look for the devices to be disabled.
Do not disable a device that will be used, e.g. for USB license keys, alarm
sounds, or software installations.
5.8 OPC
The usage of OPC communication between OPC client and server requires that
Distributed COM (DCOM) has been configured accordingly in the Windows
operating systems. This includes configuring system-wide DCOM settings and
OPC server specific DCOM settings.
| Name | Type | Value |
|---|---|---|
| Ports | REG_MULTI_SZ | 5000-5020 |
| PortsInternetAvailable | REG_SZ | Y |
| UseInternetPorts | REG_SZ | Y |
If callbacks are used, permit incoming traffic on all ports where the TCP
connection was initiated by your server.
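An added example, not from the ABB guideline, that writes the three registry values above and opens the matching inbound firewall ports with netsh. It assumes the values live under HKLM\SOFTWARE\Microsoft\Rpc\Internet (the standard key for this RPC setting, which the page does not name), Windows 7 / Server 2008 with netsh advfirewall, and a constructed OPC client subnet of 192.168.0.0/24.

```powershell
# Added example, not from the ABB guideline. Run elevated on the OPC server.
# Assumption: the Ports/PortsInternetAvailable/UseInternetPorts values live under
# the standard RPC key below; the OPC client subnet is a constructed value.
$rpcKey       = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$dcomRange    = '5000-5020'        # value from the table above
$clientSubnet = '192.168.0.0/24'   # constructed: hosts allowed to reach DCOM

function Set-DcomPortRange([string]$Range) {
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ, one range per element; the other two are REG_SZ "Y"
    New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
}

function Add-DcomFirewallRules([string]$Range, [string]$RemoteIp) {
    # TCP 135 (endpoint mapper) plus the restricted dynamic range, limited to the client subnet
    netsh advfirewall firewall add rule name="SYS600 DCOM endpoint mapper" dir=in action=allow protocol=TCP localport=135 remoteip=$RemoteIp | Out-Null
    netsh advfirewall firewall add rule name="SYS600 DCOM dynamic ports" dir=in action=allow protocol=TCP localport=$Range remoteip=$RemoteIp | Out-Null
    # OPC callbacks: the client side must in turn accept the connections initiated by this server
}

function Test-DcomPortRange([string]$Range) {
    $v = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    return ($null -ne $v -and @($v.Ports) -contains $Range -and
            $v.PortsInternetAvailable -eq 'Y' -and $v.UseInternetPorts -eq 'Y')
}

Set-DcomPortRange $dcomRange
Add-DcomFirewallRules $dcomRange $clientSubnet
if (Test-DcomPortRange $dcomRange) { 'DCOM port range set; restart the server so RPC picks it up' }
else { throw 'DCOM registry values not written' }
```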
Ports and services used by SYS 600 as well as default firewall settings are
listed in APPENDIX: Ports and services. We recommend using hardware
firewalls. Software firewalls may affect performance, in which case they
should not be used.
Taking backup
We recommend that you back up the SYS 600 Server with disc imaging
software (for example Acronis True Image or Norton Ghost). The image
should be saved to a network drive or to a USB flash drive. Refer to the
instructions from your disc imaging software manufacturer on how to
accomplish this.
Restoring backup
The method for restoring the disc image depends on the disc imaging software.
Refer to the instructions from your disc imaging software manufacturer on
how to accomplish this.
To operate the SYS 600 Server, a monitor (Classic Monitor or Monitor Pro)
needs to be opened. A monitor can be opened either on the server machine or
through a remote connection. If the SYS 600 Workplace is a remote machine,
connection to the server computer is established over the network by using the
remote client. Remote client means that the programs of the workplace run on
the server machine, whereas graphical output and mouse/keyboard input for
the processes happen on the remote client machine.
After the user has logged in automatically to Windows, the Start > Programs >
Startup folder is executed. This folder contains shortcut icons that launch SYS
600 monitors, which are then opened automatically. The target of the shortcut
icon is, for example, the Remote Desktop Connection program, which is
configured to log on to the SYS 600 Server automatically with a user name and
password, and to launch a monitor program (Classic Monitor or Monitor Pro)
on the server. The monitor login dialog then opens, where the operator
enters his/her unique user name and password.
Furthermore, in the server machine, the Remote Desktop Users group should
have Modify permission to the SYS 600 installation folder, i.e., <drive>\sc.
Here are the steps to grant permission:
To create a user account for Remote Desktop access in SYS 600 Server:
1. Select Control Panel > Administrative Tools > Computer
Management > System Tools > Local Users and Groups and right-click
Users and then select New user…
a. User name: e.g. Operator
b. Full name: can be empty
c. Description: can be empty
d. Password: must meet complexity requirements (lowercase and uppercase
letters, special characters, numbers)
2. Uncheck all options in the dialog.
3. Press Create and then press Close.
4. Double-click the user created and select Member Of tab.
5. Press Add button and add membership of Remote Desktop Users and
click OK.
This user account has restricted rights to the Windows operating system, see
http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx. The user
has Modify access to the <drive>\sc directory, but normally only has
access to certain applications, such as Monitor Pro.
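The five steps above as a script, added here and not part of the ABB guideline. It assumes Windows 7 / Server 2008 (icacls), SYS 600 installed under C:\sc and an account named Operator; the password is prompted for rather than placed on the command line.

```powershell
# Added example, not from the ABB guideline. Run elevated on the SYS 600 Server.
# Assumptions: SYS 600 under C:\sc, account name "Operator", Windows 7 / Server 2008.
$scRoot   = 'C:\sc'        # <drive>\sc from the guideline
$userName = 'Operator'

function New-Sys600RemoteUser([string]$Name) {
    # "*" makes net user prompt for the password, so it never appears on the
    # command line or in logs; the local policy enforces complexity.
    net user $Name * /add
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $Name" }
    net localgroup 'Remote Desktop Users' $Name /add
    if ($LASTEXITCODE -ne 0) { throw "could not add $Name to Remote Desktop Users" }
}

function Grant-ScFolderModify([string]$Path) {
    # S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users;
    # (OI)(CI)M = Modify, inherited by files and sub-folders; /T updates the existing tree
    icacls $Path /grant '*S-1-5-32-555:(OI)(CI)M' /T
    return ($LASTEXITCODE -eq 0)
}

function Test-RemoteDesktopMember([string]$Name) {
    $out = net localgroup 'Remote Desktop Users'
    return [bool]($out | Where-Object { $_.Trim() -eq $Name })
}

New-Sys600RemoteUser $userName
if (-not (Grant-ScFolderModify $scRoot)) { throw "icacls failed on $scRoot" }
if (Test-RemoteDesktopMember $userName) { "$userName is ready for Remote Desktop logon" }
```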
OpenRemoteDesktop program
This program can be used for opening a connection from a workstation to an
active server in the HSB system. The program inspects both servers, detects
the active server of the HSB pair and establishes a terminal server session to it.
For more information, see [SYSCON09].
ABB does not recommend using the automatic logon feature of the
Windows operating system, since Windows stores the user name and
the password in plaintext in the Windows registry.
Access to log viewer is restricted based on user rights. Events are stored in the
file system in binary format.
7.7 Backdoors
The following feature has a backdoor to the system: Resetting
administrator password
Since all inbound traffic is blocked by default, exceptions (firewall rules)
need to be configured. Windows Firewall rules are configured automatically
using script files. See APPENDIX: Deploying security settings to SYS 600
Server/Workplace.
The complete list of ports and services can be found in the following tables
and in the file MicroSCADA Pro Security Guide – Ports and Services Rev A.xlsx
[SYSPORTS].
Windows Operating System Services
Inbound (listening) / Outbound

| Service | Service Description | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Outbound port number | Miscellaneous | Used by |
|---|---|---|---|---|---|---|---|---|---|
| msrpc / dcom-scm | Remote procedure call / DCOM Service Control Manager | | X | 135 | fixed | always | 1024-65535 | Outbound range can be restricted: http://msdn.microsoft.com/en-us/library/ms809327.aspx | [System, svchost.exe] |
| netbios-ssn | Netbios Session Service | | X | 139 | fixed | always | | | [System] |
| microsoft-ds | Microsoft Active Directory, shares | X | X | 445 | fixed | always | | | [System] |
| lsass.exe | Local Security Authentication Server | X | X | 1025 | fixed | always | | | [System] |
| ntp | SNTP - Simple network time protocol | X | | 123 | fixed | always | | | [System] |
| Netbios-ns | Netbios Name Service | X | | 137 | fixed | always | | | [IEC 61850 OPC Server] |
| Netbios-dgm | Netbios Datagram Service | X | | 138 | fixed | always | | | [System] |
| Isakmp | IPSec in Windows | X | | 500 | fixed | always | | | [System] |
| lsass.exe | sae-urn, IPsec NAT-Traversal | X | | 4500 | fixed | always | | | [System] |
| wininit.exe, svchost.exe | | | | 49152-49158 | fixed | always | | | [System] |
SYS 600
Inbound (listening)

| Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by |
|---|---|---|---|---|---|---|
| inet.exe | | X | 21845, 21846 | Fixed | Always | Base system program, process and APL-APL communication, ACP protocol used for communication. Used by other SYS 600 base |
| wserver.exe | | X | 12221 | Configurable | Configurable | Routing server peripherals to client machines [SYS 600 Remote VS Monitors]. This port must be open in the workstation machine only if old monitors are used (X windowing). |
| daopccl.exe | - | - | - | - | - | MicroSCADA OPC Data Access Client uses DCOM port 135 |
| opcs.exe | - | - | - | - | - | MicroSCADA OPC Data Access Server uses DCOM port 135 |
| Opcenum.exe | | X | 1049 | Fixed | Always | OpenRemoteDesktop program uses this service |
| hasplsm.exe | | X | 1947 | Fixed | Always | Aladdin HASP License Manager Service for handling USB license keys. For internal use only. |
SYS 600 - Communication protocols
Note! All master protocols using TCP/IP (IEC60870-5-104 master, DNP3.0 TCP
master, Modbus TCP, SPA-TCP) are operating as TCP clients. Consequently, no
protocol specific port numbers are reserved.
Inbound (listening)

| Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by |
|---|---|---|---|---|---|---|
| IEC60870-5-104 Slave | | X | 2404 | fixed | configurable | IEC 60870-5-104 for telecontrol equipment and systems with coded bit serial data transmission in TCP/IP based networks for monitoring and controlling geographically widespread processes. Network Control Center (NCC). |
| IEC60870-5-104 Slave - Communication lines | | X | 2501-2414 | configurable | configurable | Localhost only |
| IEC60870-5-104 Master - communication lines | | X | 2501-2414 | configurable | configurable | Localhost only |
| DNP 3.0 Slave | x | X | | fixed | configurable | The Distributed Network Protocol (DNP) 3.0 is a standards-based communication protocol designed for electric utility, water, oil & gas and security systems. |
| DNP 3.0 Slave - Communication lines | | X | 2501-2414 | configurable | configurable | Localhost only |
| DNP 3.0 Master - Communication lines | x | X | 2501-2414 | configurable | configurable | Localhost only |
| Modbus TCP Master - Communication lines | | X | 2501-2414 | | | Localhost only |
| SPA-TCP - Communication lines | | X | 2501-2414 | configurable | configurable | Localhost only |
| ELCOM-90 Provider | | X | 6997 | configurable | configurable | |
| ELCOM-90 UserElem | | X | 6998 | configurable | configurable | |
| ELCOM-90 Admin | | X | 6999 | configurable | configurable | |
| Opcs_iec61850.exe | - | - | - | - | | IEC 61850 OPC Server, which contains SNTP Server as TCP/IP Server. See ntp service. |
| Opcs_iec61850.exe | - | | 102 | fixed | configurable | IEC 61850 OPC Client / IEC 61850 System Supervision Server, which contains MMS Server as TCP/IP server |
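An added defender's check, not from the ABB guideline: audit the listening sockets on a SYS 600 server against the inbound ports in the tables above. Where the tables' UDP/TCP columns are unclear it falls back on the standard protocol assignments; the netstat text is constructed sample output; and the communication-line port range (printed as 2501-2414 above) is left as a placeholder to fill in from the installation.

```powershell
# Added example, not from the ABB guideline. Compares listening sockets with the
# documented inbound ports; protocol assignments for rows whose UDP/TCP column is
# unclear follow the standard ones (NetBIOS ns/dgm, SNTP, ISAKMP and NAT-T are UDP).
$documented = @{}   # key "PROTO/port" -> $true when the port must stay localhost-only

function Add-Doc([string]$Proto, [int[]]$Ports, [bool]$LocalOnly = $false) {
    foreach ($p in $Ports) { $documented["$Proto/$p"] = $LocalOnly }
}
Add-Doc 'TCP' @(135, 139, 445, 1025)                    # RPC/DCOM, NetBIOS session, SMB, LSA
Add-Doc 'UDP' @(445, 1025, 123, 137, 138, 500, 4500)    # SMB, LSA, SNTP, NetBIOS ns/dgm, ISAKMP, NAT-T
Add-Doc 'TCP' (49152..49158)                            # wininit.exe / svchost.exe
Add-Doc 'TCP' @(21845, 21846, 12221, 1049, 1947)        # inet.exe, wserver.exe, Opcenum.exe, hasplsm.exe
Add-Doc 'TCP' @(2404, 6997, 6998, 6999, 102)            # IEC 104 slave, ELCOM-90, IEC 61850 MMS
# Communication-line ports (table prints the range as "2501-2414"): PLACEHOLDER,
# fill in from the installation; they are documented as localhost only.
$linePorts = @()
Add-Doc 'TCP' $linePorts $true

function Get-Listeners([string]$NetstatText) {
    $found = @()
    foreach ($line in ($NetstatText -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { continue }
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }   # skip ESTABLISHED etc.
        $idx = $f[1].LastIndexOf(':')                                    # also handles [::]:port
        $found += [pscustomobject]@{
            Proto = $f[0]; Address = $f[1].Substring(0, $idx)
            Port  = [int]$f[1].Substring($idx + 1); ProcessId = $f[-1]
        }
    }
    return $found
}

function Test-Sys600Listeners($Listeners) {
    $findings = @()
    foreach ($l in $Listeners) {
        $key = "$($l.Proto)/$($l.Port)"
        $onLoopback = @('127.0.0.1', '[::1]') -contains $l.Address
        if (-not $documented.ContainsKey($key)) {
            $findings += "$key on $($l.Address) (PID $($l.ProcessId)): not in the documented port list"
        } elseif ($documented[$key] -and -not $onLoopback) {
            $findings += "$key bound to $($l.Address) (PID $($l.ProcessId)): localhost-only port exposed"
        }
    }
    return $findings
}

# Constructed sample; on a real server use: $sample = netstat -ano | Out-String
$sample = @"
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:2404           0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:21845          0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3100
  TCP    192.168.0.10:2404      10.0.0.5:51002         ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    0.0.0.0:1434           *:*                                    2780
"@
Test-Sys600Listeners (Get-Listeners $sample) | ForEach-Object { Write-Warning $_ }
# The sample yields two findings: TCP/8080 and UDP/1434 are not documented
```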
Not all services are running in each operating system, and may not
even exist. The script is built so that it ignores the unavailable
services and therefore it is normal to have these kinds of messages
in the log file:
• Error 1060: The specified service does not exist as an
installed service. Error opening <service name>.
• Error 1060: The specified service does not exist as an
installed service. Opening service <service name> for stop
access failed.
• Legacy audit settings are disabled. Skipped configuration of
legacy audit settings.
See exceptions to these services after the table, since some functionality
needs certain services to be enabled.
Exceptions
The table below shows the services which have to be changed from the
default if some functionality is required.
Note! The default value is the operating system default value. There is a
separate default value for SSLF settings not shown here.
Security settings for servers and workplaces are located in SYS 600
installation folder <drive>\sc\setup\security.
11.1 Rollback
In case the system does not work as expected, these are the instructions for the
rollback. Run these commands with admin rights.
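An added example, not the guideline's own rollback script: snapshot the local security policy and the firewall with secedit and netsh before the scripts in sc\setup\security are run, and restore that snapshot to roll back. It assumes SYS 600 under C:\sc and Windows 7 / Server 2008 (netsh advfirewall).

```powershell
# Added example, not the guideline's own script. Run elevated before the
# deployment scripts in <drive>\sc\setup\security, and again to roll back.
# Assumptions: SYS 600 under C:\sc; Windows 7 / Server 2008 (netsh advfirewall).
$rollbackDir = 'C:\sc\setup\security\rollback'

function Save-SecurityBaseline {
    if (-not (Test-Path $rollbackDir)) { New-Item -ItemType Directory -Path $rollbackDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $inf   = Join-Path $rollbackDir "baseline-$stamp.inf"
    # Current local policy: password/lockout/audit, user rights, registry values, service startup
    secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS REGKEYS SERVICES /quiet
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed' }
    # secedit does not cover Windows Firewall rules; keep them beside the template
    netsh advfirewall export (Join-Path $rollbackDir "firewall-$stamp.wfw") | Out-Null
    return $inf
}

function Restore-SecurityBaseline([string]$Inf) {
    $db  = [IO.Path]::ChangeExtension($Inf, '.sdb')
    $log = [IO.Path]::ChangeExtension($Inf, '.log')
    # Re-apply the exported template: every setting it records goes back to its saved value
    secedit /configure /db $db /cfg $Inf /overwrite /log $log /quiet
    $ok = ($LASTEXITCODE -eq 0)
    $fw = ($Inf -replace 'baseline-', 'firewall-') -replace '\.inf$', '.wfw'
    if (Test-Path $fw) { netsh advfirewall import $fw | Out-Null }
    return $ok
}

# Usage: $snapshot = Save-SecurityBaseline, then run the deployment scripts;
# Restore-SecurityBaseline $snapshot if the system misbehaves, and reboot afterwards.
```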
3. Click Next, and then type a name for your policy (for example, IPSec
Tunnel with Network Control Center).
3. Type an appropriate name for the filter list (e.g., IP traffic to NCC),
click to clear the Use Add Wizard check box, and then click Add.
8. If you want to type a description for your filter, click the Description
tab. Click OK.
2. Click the Tunnel Setting tab, and click This rule does not specify an
IPSec tunnel.
3. Click the Connection Type tab, and click Local area network (LAN).
4. Click the Filter Action tab, and click one of the following options,
depending on how non-IPSec traffic should be handled:
   • Permit – Permits unsecured IP packets to pass through. This means the
     device does not try to establish IPSec encryption, but reacts if a
     request for security is made. If both devices are configured as
     "Permit", no encryption is established at all.
   • Request Security (Optional) – Accepts unsecured communication, but
     requests clients to establish trust and security methods. Will
     communicate insecurely with untrusted clients if they do not respond to
     the request. This means the device tries to establish a secure IPSec
     connection, but if this fails (e.g., if the client does not provide
     the correct Pre-Shared Key or is not capable of IPSec encryption), it
     falls back to normal operation.
Note: As the currently configured IP Filter rule matches only a single IP, it
does not discard non-IPSec traffic originating from a different wide area
network IP address. In order to prohibit any non-IPSec connections from
the wide area network, the IP filter list would have to match the subnet of
the wide area network, and the Filter Action would have to be set to
“Require Security”.
5. Click the Authentication Methods tab to configure the authentication
method. Mark the default Kerberos method and click Remove.
Confirm the inquiry.
6. Click Add.
7. Select Use this string (preshared key) and enter a long key that also
contains special characters. This string must be the same on the
machine that matches the IP filter rule (in this case, the NCC). Click
OK.
Repeat the steps for all machines that should use IPSec. It is possible to
export and import the policies on a different computer. Here are the
instructions:
1. In the Local Security Settings, where the VPN configuration is set,
select IP Security Policies on Local Computer.
2. Select Action > All Tasks > Export Policies... and write a file name.
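The policy built by hand in the steps above, created with netsh ipsec static instead. This is an added example, not from the ABB guideline, and it goes one step beyond the procedure by following the Note above: the filter matches the whole wide area subnet and the filter action requires security instead of falling back. Assumed values (constructed): WAN subnet 10.10.0.0 with mask 255.255.0.0, and the pre-shared key read from C:\sc\setup\security\ncc-psk.txt; netsh ipsec static is available on Windows XP/2003/2008/7.

```powershell
# Added example, not from the ABB guideline. Run elevated on each SYS 600 server.
# Assumptions (constructed): WAN subnet 10.10.0.0/255.255.0.0; the pre-shared key is
# the first line of a file readable only by administrators.
$policy    = 'IPSec Tunnel with Network Control Center'
$filters   = 'IP traffic to NCC'
$wanSubnet = '10.10.0.0'
$wanMask   = '255.255.0.0'
$pskFile   = 'C:\sc\setup\security\ncc-psk.txt'

function New-NccIpsecPolicy([bool]$RequireSecurity = $true) {
    $psk = (Get-Content $pskFile -TotalCount 1).Trim()
    if ($psk.Length -lt 20) { throw 'use a long pre-shared key that also contains special characters' }
    netsh ipsec static add policy name="$policy" description="SYS 600 to NCC" assign=no | Out-Null
    # Filter: everything between this host and the WAN subnet, both directions (mirrored)
    netsh ipsec static add filterlist name="$filters" | Out-Null
    netsh ipsec static add filter filterlist="$filters" srcaddr=me dstaddr=$wanSubnet dstmask=$wanMask protocol=ANY mirrored=yes | Out-Null
    # soft=no  -> Require Security: unsecured traffic from the WAN is dropped
    # soft=yes -> Request Security (Optional): falls back to clear text when negotiation fails
    $soft = if ($RequireSecurity) { 'no' } else { 'yes' }
    netsh ipsec static add filteraction name="NCC security" action=negotiate inpass=no soft=$soft | Out-Null
    # Transport mode (no tunnel endpoint), LAN connection type, Kerberos removed, PSK only
    netsh ipsec static add rule name="NCC rule" policy="$policy" filterlist="$filters" filteraction="NCC security" conntype=lan kerberos=no psk="$psk" | Out-Null
    netsh ipsec static set policy name="$policy" assign=yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# The same key string must be configured on the NCC side of the link
if (New-NccIpsecPolicy) { netsh ipsec static show policy name="$policy" }
```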
Contact us
www.abb.com/substationautomation
1MRS756796 A/31.3.2010