
CAE

Documentation
Cybersecurity Admin Expert

CAE/EN UG/E20
07/2018

User Guide
CAE 1.7.8

www.schneider-electric.com
USER GUIDE CAE/EN UG/E20
CAE Documentation Page 3/141

CHAPTERS
SAFETY (SA)
INTRODUCTION (IT)
INSTALLATION (IN)
OPERATING (HI)
CYBERSECURITY (CS)
TROUBLESHOOTING (TG)
GLOSSARY (LX)

FIGURES
FIGURE 1: CAE APPLICATION
FIGURE 2: CAE IN A SECURED INDUSTRIAL SYSTEM (EXAMPLE)
FIGURE 3: EXAMPLE OF MULTI-LAN SYSTEMS ARCHITECTURE
FIGURE 4: RBAC ROLE STRUCTURE
FIGURE 5: CAE ICON
FIGURE 6: LOGIN PAGE
FIGURE 7: CAE FIRST RUNNING
FIGURE 8: CAE WORKSPACE
FIGURE 9: CAE ELEMENT TO SECURE
FIGURE 10: CAE SECURITY CONFIGURATION
FIGURE 11: SECURITY CONFIGURATION – USER PARAMETERS
FIGURE 12: SECURITY CONFIGURATION – LOGS PARAMETERS
FIGURE 13: SECURITY CONFIGURATION – SECURITY PARAMETERS
FIGURE 14: CERTIFICATES LIST
FIGURE 15: FIELD CHOOSER FOR CERTIFICATE LIST
FIGURE 16: CONFIGURATION OF CENTRALIZED AUTHENTICATION (COMMON PART)
FIGURE 17: CONFIGURATION CENTRALIZED AUTHENTICATION FOR RADIUS CLIENTS
FIGURE 18: CAE WORKSPACE
FIGURE 19: USER ACCOUNT LIST
FIGURE 20: USER ACCOUNT LIST – FIELD CHOOSER
FIGURE 21: USER ACCOUNT LIST – SORTING BY TITLE
FIGURE 22: USER ACCOUNT LIST – FILTERING BY TITLE
FIGURE 23: USER ACCOUNT CREATION
FIGURE 24: USER ACCOUNT REMOVAL
FIGURE 25: GLOBAL SECURITY VIEW BY USER
FIGURE 26: GLOBAL SECURITY VIEW BY ROLE
FIGURE 27: DEFAULT SCOPE EDITION
FIGURE 28: DEFAULT SCOPE SHOWING
FIGURE 29: GLOBAL SECURITY – ADD NEW USER ACCOUNT
FIGURE 30: GLOBAL SECURITY – ASSOCIATE USER ACCOUNT TO ROLE(S)
FIGURE 31: GLOBAL SECURITY – ASSOCIATE USER ACCOUNT(S) TO ROLE(S)
FIGURE 32: SYSTEM EDITOR VIEW LAYOUT
FIGURE 33: SYSTEM EDITOR OPTION
FIGURE 34: SYSTEM EDITOR WINDOW
FIGURE 35: SYSTEM EDITOR → ADD SAM WINDOW
FIGURE 36: SYSTEM EDITOR SUBSTATION WINDOW WITH SAM ADDED
FIGURE 37: SYSTEM EDITOR → AOR → ADD DEVICE
FIGURE 38: SYSTEM EDITOR → AOR → ADD DEVICE WINDOW
FIGURE 39: SYSTEM EDITOR → AOR → WITH ADDED DEVICES
FIGURE 40: SYSTEM EDITOR → SYSTEM → IMPORT/EXPORT SYSTEM STRUCTURE
FIGURE 41: IMPORT SYSTEM STRUCTURE CONFIRM POP-UP
FIGURE 42: SYSTEM EDITOR → RENAME FUNCTION
FIGURE 43: SYSTEM EDITOR → RENAME SUBSTATION WINDOW
FIGURE 44: PREFERENCES VIEW
FIGURE 45: NETWORK DEVICE LIST VIEW
FIGURE 46: REFRESH IEDS LIST
FIGURE 47: PROPERTIES OF LIST OF DEVICES
FIGURE 48: STATUS ICON DESCRIPTION
FIGURE 49: FIELD CHOOSER FOR IEDS LIST
FIGURE 50: TEMPLATE VALUES PROPERTIES
FIGURE 51: EDIT DEVICE TEMPLATES
FIGURE 52: DEVICE TEMPLATES LIST
FIGURE 53: COPY AND EDIT DEVICE TEMPLATE
FIGURE 54: NEW DEVICE TEMPLATE
FIGURE 55: ADD DEVICE TEMPLATES
FIGURE 56: ADD DEVICE TEMPLATES (NEW)
FIGURE 57: DELETE DEVICE TEMPLATES
FIGURE 58: VISUALIZE SAM LOGS
FIGURE 59: CAE ROLES WORKSPACE
FIGURE 60: ROLES LIST
FIGURE 61: ROLES LIST – FIELD CHOOSER
FIGURE 62: ROLES LIST – SORTING BY TITLE
FIGURE 63: ROLE CREATION
FIGURE 64: ROLE REMOVAL
FIGURE 65: ASSOCIATED ETS FROM CURRENT ROLE
FIGURE 66: NEW ASSOCIATED ETS ADDED TO THE CURRENT ROLE
FIGURE 67: CONFIGURE PERMISSIONS FOR ASSOCIATED ETS TO CURRENT ROLE
FIGURE 68: ELEMENT TO SECURE VIEW
FIGURE 69: DATABASE IMPORTATION
FIGURE 70: VISUALIZE SAM LOGS
SAFETY AND HANDLING CAE/EN SA/E20
CAE Documentation Page 8/141

SAFETY AND HANDLING (SA)


CONTENT
1. INTRODUCTION
2. SAFETY
2.1 Safety Information
3. GUARANTEES
4. COPYRIGHTS & TRADEMARKS
4.1 Copyrights
4.2 Trademarks
5. USE OF SCHNEIDER ELECTRIC PRODUCTS

1. INTRODUCTION
This document is a chapter of the Cybersecurity Admin Expert (CAE) manual. It describes the safety, handling,
packing and unpacking procedures applicable to CAE software.

2. SAFETY
2.1 SAFETY INFORMATION
Important information
Read these instructions carefully and look at the equipment to become familiar with the device
before trying to install, operate, service or maintain it. The following special messages may appear
throughout this bulletin or on the equipment to warn of potential hazards or to call attention to
information that clarifies or simplifies a procedure.
The addition of either symbol to a “Danger” or “Warning” safety label indicates
that an electrical hazard exists which will result in personal injury if the
instructions are not followed.

This is the safety alert symbol. It is used to alert you to potential personal injury
hazards. Obey all safety messages that follow this symbol to avoid possible
injury or death.

DANGER
DANGER indicates a hazardous situation which, if not avoided, will result in death or serious
injury.

WARNING
WARNING indicates a hazardous situation which, if not avoided, could result in death or
serious injury.

CAUTION
CAUTION indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.

NOTICE
NOTICE is used to address practices not related to physical injury. The safety alert symbol shall
not be used with this signal word.

Please note
Electrical equipment should be installed, operated, serviced, and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of
the use of this material.
A qualified person is one who has skills and knowledge related to the construction, installation, and
operation of electrical equipment and has received safety training to recognize and avoid the
hazards involved.

3. GUARANTEES
The media on which you received SCHNEIDER ELECTRIC software are guaranteed not to fail executing
programming instructions, due to defects in materials and workmanship, for a period of 90 days from date of
shipment, as evidenced by receipts or other documentation.
SCHNEIDER ELECTRIC will, at its option, repair or replace software media that do not execute programming
instructions if SCHNEIDER ELECTRIC receives notice of such defects during the guaranty period. SCHNEIDER
ELECTRIC does not guarantee that the operation of the software shall be uninterrupted or error free.

A Return Material Authorization (RMA) number must be obtained from the factory and clearly marked on the package
before any equipment will be accepted for guaranty work.
SCHNEIDER ELECTRIC will pay the shipping costs of returning to the owner parts that are covered by warranty.

SCHNEIDER ELECTRIC believes that the information in this document is accurate. The document has been carefully
reviewed for technical accuracy. In the event that technical or typographical errors exist, SCHNEIDER ELECTRIC
reserves the right to make changes to subsequent editions of this document without prior notice to holders of this
edition. The reader should consult SCHNEIDER ELECTRIC if errors are suspected. In no event shall SCHNEIDER
ELECTRIC be liable for any damages arising out of or related to this document or the information contained in it.

Except as specified herein, SCHNEIDER ELECTRIC makes no guaranties, express or implied, and specifically
disclaims any guaranties of merchantability or fitness for a particular purpose.

Customer's rights to recover damages caused by fault or negligence on the part of SCHNEIDER ELECTRIC shall be
limited to the amount theretofore paid by the customer.
SCHNEIDER ELECTRIC will not be liable for damages resulting from loss of data, profits, use of products or
incidental or consequential damages even if advised of the possibility thereof.

This limitation of the liability of SCHNEIDER ELECTRIC will apply regardless of the form of action, whether in contract
or tort, including negligence. Any action against SCHNEIDER ELECTRIC must be brought within one year after the
cause of action accrues. SCHNEIDER ELECTRIC shall not be liable for any delay in performance due to causes
beyond its reasonable control.

The warranty provided herein does not cover damages, defects, malfunctions, or service interruptions caused by
owner's failure to follow the SCHNEIDER ELECTRIC installation, operation, or maintenance instructions;
owner's modification of the product; owner's abuse, misuse, or negligent acts; and power failure or surges,
fire, flood, accident, actions of third parties, or other events outside reasonable control.

4. COPYRIGHTS & TRADEMARKS


4.1 COPYRIGHTS
Under the copyright laws, this publication may not be reproduced or transmitted in any form, electronic or mechanical,
including photocopying, recording, storing in an information retrieval system, or translating, in whole or in part, without
the prior written consent of SCHNEIDER ELECTRIC.

4.2 TRADEMARKS
PACiS is a trademark of SCHNEIDER ELECTRIC. Product and company names mentioned herein are trademarks or
trade names of their respective companies.

5. USE OF SCHNEIDER ELECTRIC PRODUCTS


In any application, including the above, reliability of operation of the software products can be impaired by adverse
factors, including but not limited to fluctuations in electrical power supply, computer hardware malfunctions,
computer operating system, software fitness, fitness of compilers and development software used to develop an
application, installation errors, software and hardware compatibility problems, malfunctions or failures of
electronic monitoring or control devices, transient failures of electronic systems (hardware and/or software),
unanticipated uses or misuses, or errors from the user or applications designer (adverse factors such as these are
collectively termed "System failures").

Any application where a system failure would create a risk of harm to property or persons (including the risk
of bodily injuries and death) should not be reliant solely upon one form of electronic system, due to the risk of system
failure. To avoid damage, injury or death, the user or application designer must take reasonable steps to
protect against system failure, including but not limited to back-up or shut-down mechanisms, not only because
the end-user system is customized and differs from SCHNEIDER ELECTRIC testing platforms but also because a user or
application designer may use SCHNEIDER ELECTRIC products in combination with other products.

These actions cannot be evaluated or contemplated by SCHNEIDER ELECTRIC; thus, the user or application
designer is ultimately responsible for verifying and validating the suitability of SCHNEIDER ELECTRIC products
whenever they are incorporated in a system or application, including, without limitation, the appropriate design, process
and safety levels of such system or application.
INTRODUCTION CAE/EN IT/E20
CAE Documentation Page 14/141

INTRODUCTION (IT)
CONTENT
1. INTRODUCTION TO USER GUIDE
1.1 Chapters description
1.1.1 Chapter Safety (SA)
1.1.2 Chapter Introduction (IT)
1.1.3 Chapter Installation (IN)
1.1.4 Chapter User Interface (HI)
1.1.5 Chapter Cybersecurity (CS)
1.1.6 Chapter Troubleshooting (TG)
1.1.7 Chapter Glossary (LX)
1.2 Global Guide
2. INTRODUCTION
2.1 CAE Application
2.2 CAE Scope

1. INTRODUCTION TO USER GUIDE


The User Guide gives the functional and technical descriptions of the user interface and a comprehensive set of
instructions for installation and use of the Cybersecurity Admin Expert (CAE) application.

The User Guide contains several parts, as follows:

• Data about how to install, maintain and use the CAE application.
• A technical description of CAE features.

The User Guide is intended for:

• Site engineers who are responsible for installing and maintaining the CAE application.
• Protection and Control engineers who are concerned with how to select and apply the CAE for the
configuration.

1.1 CHAPTERS DESCRIPTION


1.1.1 CHAPTER SAFETY (SA)
This chapter includes the safety instructions, handling and reception of electronic equipment, packing and unpacking
parts, Copyrights and Trademarks.

1.1.2 CHAPTER INTRODUCTION (IT)


This is the present document: it includes the description of each chapter of the guide. It is a brief introduction to
software capabilities.

1.1.3 CHAPTER INSTALLATION (IN)


This chapter includes the installation procedures.

1.1.4 CHAPTER USER INTERFACE (HI)


This chapter includes the operator interface description, the menu tree organization and navigation, and the
setting/configuration software.

1.1.5 CHAPTER CYBERSECURITY (CS)


This chapter includes recommendations for Cybersecurity.

1.1.6 CHAPTER TROUBLESHOOTING (TG)

This chapter helps troubleshoot the most common technical issues that might arise with the software.

1.1.7 CHAPTER GLOSSARY (LX)


This chapter includes definitions for technical terms and for acronyms.

1.2 GLOBAL GUIDE


This manual includes these chapters:
SA, IT, IN, HI, CS, TG, LX

2. INTRODUCTION

2.1 CAE APPLICATION


The Cybersecurity Admin Expert (CAE) is an application involved in the Security Management system inside a robust
Information and Communications Technology (ICT) network for electrical cyber-physical systems.
CAE allows the Security Administrator to manage system security policies and configuration parameters, and it
provides centralized user management. System roles are defined on a Role-Based Access Control (RBAC)
model: system access points grant or deny users the ability to perform actions according to permissions,
which are grouped by device type into Elements To Secure (ETS).

INFORMATION PROTECTION
• For information protection, CAE encrypts communications with devices using TLS
(Transport Layer Security protocol).
• However, encryption of information is not the main function of the CAE software; CAE
uses encryption only to protect information in transit.
NOTE: Please consult the section Encryption in the chapter Cybersecurity (CS) for more
details.

Figure 1: CAE Application



2.2 CAE SCOPE


CAE is a requirement for managing the security parameters and model of system components such as Cyber Secure
Schneider Electric products and the Security Administration Manager (SAM).

Figure 2: CAE in a secured industrial system (example)


The CAE application can be used in two modes:

• The offline edition mode allows editing of security configurations, security models, roles and the offline
system model.
• The online management mode allows the supervision of the users and the devices online. CAE sends the
whole security configuration to devices.

The table below summarizes the CAE modes and features:

Mode               Feature                        Description
Offline edition    Security configuration editor  Edit the security properties.
                                                  Edit certificates.
                                                  Import/Export CAE application.
                   Security models editor         Edit security models by editing permissions, objects and actions.
                   Roles editor                   Edit roles by enabling/disabling permissions from security models.
Online management  Management of users            Manage properties of the users like login name, password,
                                                  pincode and the links to the roles.
                   Management of system           Network device List.
                                                  Send the security configuration.
                                                  Manage device templates (DSS).
                                                  Send CAE database to SAM.
                                                  Display logs.
                                                  Update/get certificates.
INSTALLATION CAE/EN IN/E20
CAE Documentation Page 20/141

INSTALLATION (IN)
CONTENT
1. INTRODUCTION
1.1 Prerequisites
1.2 License
1.2.1 Scope of Use
1.2.2 The Licensee agrees NOT TO
1.2.3 Duration
1.2.4 Confidentiality
1.2.5 The Licensee SHALL NOT
1.2.6 The Licensee SHALL
1.2.7 Warranty
1.2.8 Limitations of Liability
1.2.9 General
2. MINIMUM REQUIREMENTS
3. INSTALLATION
3.1 Purpose
3.2 Licensing
3.2.1 Schneider Electric License Manager
3.2.2 Activating A Software Product
3.3 Before Installation
3.4 Installing CAE From Scratch
3.5 Setting CAE
3.5.1 License Activation
3.5.2 Changing Default Password
3.6 Upgrading CAE
3.7 Uninstalling CAE

1. INTRODUCTION
This document is a chapter of the CAE documentation. It describes the procedure for a complete installation for CAE.

1.1 PREREQUISITES
The CAE software is compliant with the following operating systems:

Topic                       Description
Operating System Supported  • Windows® 7 Professional version 32/64 bits Service Pack 1.
                            • Windows® Server 2008 R2 version 64 bits
                            • Windows® 8
                            • Windows® 10 Professional version 32/64 bits.
                            Note: Windows® XP is not supported

1.2 LICENSE
Software License Agreement

All programs and textual works issued by Schneider Electric (hereinafter referred to as ‘The Supplier’) are protected
by copyright. They are supplied on the condition that the Licensee of copies of such programs and text, agrees to
the Terms and Conditions of this License Agreement. The Licensee (which expression includes a purchaser or a
receiver of the Supplier's software on loan) may be held legally liable for any use of the program(s), texts or
documentation which is not in accordance with this License Agreement, in certain circumstances this may involve
criminal prosecution.
The Supplier in consideration of a license fee paid on its own or as part of a purchase price and the Licensee's
agreement to the Terms and Conditions of their License Agreement, agrees to grant, and the Licensee agrees to
accept, a personal, non-exclusive, non-transferable license to use the Supplier's computer program(s), text and
associated documentation, all hereinafter referred to as the ‘Licensed Program’ under the following Terms and

1.2.1 SCOPE OF USE


The Licensee is authorized to use the Licensed Program in accordance with the Terms and Conditions of this License
Agreement for the Licensee's own purposes on any single computer system that contains no more than one central
processing unit (CPU) other than pursuant to Clause 6 hereof. If the Licensee intends to use the Licensed Program
on more than one CPU at a time, a separate set of Licensed Program is required for each additional CPU. The
Licensee may make copies of the Licensed Program in machine readable form for back-up and archive purposes
only, provided that the Licensee has no more than three full or partial copies in existence at any one time and that
the original copyright notices and/or other legends are reproduced on each copy. No rights are granted to the
Licensee other than expressed in this License Agreement.

1.2.2 THE LICENSEE AGREES NOT TO


1. Export or re-export the Licensed Program without the supplier's approval and the appropriate FRENCH or foreign
government licenses.
2. Make, or permit the making of any copy or copies of the Licensed Program other than back-up copies permitted
under this License Agreement.
3. Reverse compile, reverse engineer, disassemble, modify, adapt, list, print or translate or otherwise tamper with
the whole or any part of the Licensed Program(s).
4. Transfer, assign, rent, lease, sell or otherwise dispose of, part with, or share the possession of the Licensed
Program(s).

1.2.3 DURATION
This License Agreement becomes effective from the date of the acceptance by the Supplier of the order for the
Licensed Program and shall remain in force until terminated by the Licensee. This License Agreement will terminate
without notice if the Licensee fails to observe any of the Terms and Conditions of the License Agreement. In the
event of a termination, the Licensee agrees to delete the Licensed Program from any storage media that are the
property of the Licensee and to return all complete and partial copies of the Licensed Program together with all copies
of text and documentation to the Supplier.

1.2.4 CONFIDENTIALITY
The Licensed Program contains confidential information of the Supplier and all copyright, trademarks and other
intellectual property rights in the Licensed Program are the exclusive property of the Supplier.

1.2.5 THE LICENSEE SHALL NOT


1. Save as provided in the License Agreement copy the whole or any part of the Licensed Program.
2. Modify, merge or combine the whole or any part of the Licensed Program with any other software or
documentation.
3. Use the Licensed Program on behalf of, or make available the CAE to any third party.

1.2.6 THE LICENSEE SHALL


1. Keep confidential the Licensed Program and limit users of the CAE to those of its employees agents and sub-
contractors who either have a need to know or who are engaged in the use of the Licensed Program.
2. Maintain an up-to-date written record of the number of copies of the Licensed Program and their locations and
upon request forthwith produce such record to the Supplier, and
3. Without prejudice to the foregoing take all such other steps as shall from time to time be necessary to protect the
confidential information and intellectual property rights of the Supplier in the Licensed Program.
4. The Licensee shall inform all relevant employees agents and sub-contractors that the Licensed Program
constitutes confidential information of the Supplier and that all intellectual property rights therein are the property
of the Supplier and the Licensee shall take all such steps as shall be necessary to ensure compliance by its
employees agents and sub-contractors within the provisions of this clause.

1.2.7 WARRANTY
Subject to the exceptions set out in this clause and the limitations upon its liability:

1. The Supplier warrants that the media upon which the Licensed Program is stored will for a period of 90 days
from the date the Supplier accepts an order for a Licensed Program be free from defects in material design and
workmanship and that the Licensed Program will conform to the Supplier's specifications.
2. The Supplier shall remedy any breach of the above warranties by the replacement of the Licensed Program free
of charge.
3. The Supplier shall have no liability to remedy a breach of warranty where such breach arises as a result of:
a. The improper use, operation, or neglect of the Licensed Program, or the computer equipment it is used
on.
b. A modification of the Licensed Program, or its merging in whole or in part with any other software.
c. Any repair, adjustment, alteration or modification of the Licensed Program by any other person than the
Supplier, without the Supplier's prior written consent.
4. Subject to the foregoing, all conditions, warranties, terms and undertakings, express or implied, statutory or
otherwise, in respect of the Licensed Program are hereby excluded.

1.2.8 LIMITATIONS OF LIABILITY


1. The following provisions set out the Supplier's entire liability (including any liability for the acts and omissions of
its employees, agents and sub-contractors) to the Licensee in respect of any breach of its contractual obligations
arising under this agreement and any representation, statement or tortious act or omission including negligence
arising under or in connection with this License Agreement.
2. Any act or omission on the part of the Supplier or its employees agents or sub-contractors shall be known as an
‘Event of Default’.
3. The Supplier's liability to the Licensee for death or injury resulting from its own negligence or that of its
employees, agents or sub-contractors, shall not be limited.
4. Subject to the limits set out below the Supplier shall accept liability to the Licensee in respect of damage to the
tangible property of the Licensee resulting from the negligence of the Company or its employees, agents or sub-
contractors.
5. Subject to the provisions of clause above the Supplier's entire liability in respect of any Event of Default shall be
limited to damages of an amount equal to:
a. The case of an Event of Default falling within clause above the purchase price of the Licensed Program.
b. The case of any other Event of Default the License fee paid in respect of the Licensed Program.
6. Subject to clause above the Supplier shall not be liable to the Licensee in respect of any Event of Default for loss
of profits, goodwill or any type of special indirect or consequential loss (including loss or damage suffered by the
Licensee as a result of an action brought by a third party) even if such loss was reasonably foreseeable or the
Supplier had been advised of the possibility of the Licensee incurring the same.

1.2.9 GENERAL
This License Agreement overrides all prior written and oral communications regarding the Licensed Program with
the Licensee, and sets out the entire agreement between the Supplier and the Licensee. In the event of a dispute
between the Supplier and the Licensee relating to this License Agreement, the Licensee agrees to submit to the
jurisdiction of the French Courts or to the Courts of other legal systems that may from time to time be elected at the
sole discretion of the Supplier. If any provision in this License Agreement is ruled invalid under any law, such provision
shall be deemed modified or omitted only to the extent necessary to render it valid, and the remainder of this License
Agreement shall continue in full force and effect.

2. MINIMUM REQUIREMENTS
For the operator to install, configure and use the CAE, the following frameworks and packages are
required:

Device / Description

Release package
    The release package permits the complete installation. It contains a set of prerequisites and
    the CAE application with default settings.
    The CAE release package is proposed with two setups for different operating systems:
    • Installing for Windows 32 bits: Install CAE application for Windows 32 bits Operating
      System (package x86)
    • Installing for Windows 64 bits: Install CAE application for Windows 64 bits Operating
      System (package x64)

License ID
    Communicated by Schneider Electric to allow the authorized running of CAE on the machine.
    Note: The license ID is managed by the Schneider Electric License Manager application
    installed by the CAE package setup. The operator has to enter the license ID before the first
    run of CAE in order to activate it (the activation procedure is presented later).

3. INSTALLATION

3.1 PURPOSE
This section describes the procedure for a complete installation for Cybersecurity Admin Expert (CAE) software.
The CAE release contains several packages:
• CAE Application
• Prerequisites for CAE
The CAE release is provided as an InstallShield executable Setup file. The installation program is configured through the
installation procedure described in the sections below.
__________________________________________________________________________________________
Note
The Prerequisites package contains:
• Schneider Electric License Manager. Application to activate the CAE license.
• Database program:

  CAE application: CAE Version 1.6.6.0 or later
  Database program installed: Microsoft SQLite

__________________________________________________________________________________________

3.2 LICENSING
3.2.1 SCHNEIDER ELECTRIC LICENSE MANAGER
Use the Schneider Electric License Manager application to activate the CAE license.
__________________________________________________________________________________________
Notes
By activating a license for a Schneider Electric software product, the licensee declares that the software
product will be used within the boundaries described in the license agreement.
CAE functions depend on the CAE Licensing Model (Standard Edition / Premium Edition):

CAE Standard Edition:
• Manage Passwords
• Manage Users

CAE Premium Edition:
• Manage Roles
• Manage Security Models

Three packages are available per license type, according to the number of users:
• 1 seat (single)
• 10 seats (team)
• 100 seats (entity)

Ordering Information
Reference License
CSBSTACZSSPMZZ License CAE Standard 1 seat
CSBSTACZSTPMZZ License CAE Standard 10 seats
CSBSTACZSEPMZZ License CAE Standard 100 seats
CSBSTACZMSPMZZ License CAE Premium 1 seat
CSBSTACZMTPMZZ License CAE Premium 10 seats
CSBSTACZMEPMZZ License CAE Premium 100 seats

CAE features depend on the CAE Licensing Model (Standard Edition / Premium Edition):

CAE Features (Standard Edition / Premium Edition)

User Account
• User account management
• Password management
• Association role to a user account

Roles Management
• 7 roles per default according to IEC62351-8
• Roles management

Security Model Management (ETS)
• Pre defined security model provided by Schneider Electric
• Security Model management

Security Configuration Edition
• User locking
• Logs
• Security banner
• Certificates
• Authentication configuration
• Import / Export (CAE to / from CAE)

Security Policy Deployment
• Transfer Security Configuration (RBAC) to system
• Device Security Settings
• Visualize Logs
• Export Logs
• Import SCL file

Preferences
• Languages

__________________________________________________________________________________________

3.2.2 ACTIVATING A SOFTWARE PRODUCT


Activating the license provides a full license for the software product.
The following methods are available to activate a node-locked license for your software product:
• By Web
• By Web Portal
• By Phone
• By e-mail
Depending on the activation method, the activation needs to be completed in a separate step.
To activate the CAE license, please refer to section 3.5.1 License Activation.

___________________________________________________________________________________________
Note
Software installation is independent of the activation of software product licenses. Operator can even activate
a license for a software product that is not yet installed.
The general activation principle is to send an activation request to Schneider Electric and subsequently to
receive an activation response from Schneider Electric. The data in the activation request provides
information to the Schneider Electric License Server about the licensee, the software product and the local
PC where the license will be activated. The data in the activation response is validated by the Schneider
Electric License Manager to allow operation of the software product within the scope of your license.

Format of Activation Request / Response


The Schneider Electric License Manager generates the activation request and transmits the data through an
internet connection to the Schneider Electric License Server. The activation response is automatically
received and processed by the Schneider Electric License Manager.
The Schneider Electric License Manager generates an XML Request File. The XML Request File needs to
be submitted to Schneider Electric through the Software Licensing Web Portal or by e-mail. In response an
XML Response File is provided for download in the Software Licensing Web Portal or sent by e-mail,
respectively. To complete the activation the XML Response File needs to be loaded in the Schneider Electric
License Manager.

Activation Method: Comment

By Web: The Schneider Electric License Manager generates the activation request and transmits the data through an internet connection to the Schneider Electric License Server. The activation response is automatically received and processed by the Schneider Electric License Manager.

By Web Portal: The Schneider Electric License Manager generates an XML Request File. The XML Request File needs to be submitted to Schneider Electric through the Software Licensing Web Portal. In response an XML Response File is provided for download in the Software Licensing Web Portal. To complete the activation the XML Response File needs to be loaded in the Schneider Electric License Manager.
Notes:
• This option does not require a direct connection to the Internet.
• Do not use it with the Internet Explorer browser.
• It is recommended to use the Google Chrome web browser for the “By Web Portal” activation method.
• For details, please consult the Schneider Electric License Manager User Manual.

By e-mail: The Schneider Electric License Manager generates an XML Request File. In response an XML Response File is provided by e-mail. To complete the activation the XML Response File needs to be loaded in the Schneider Electric License Manager.

By Phone: The Schneider Electric License Manager generates a Short Code Request. The Short Code Request is a string of characters and digits which needs to be read out to the operator during a phone call with the Software Registration Center. During the call a Short Code Response is generated and the operator reads the string back to you. To complete the activation the Short Code Response needs to be entered in the Schneider Electric License Manager.

__________________________________________________________________________________________

3.3 BEFORE INSTALLATION


This section describes the preparation required before the CAE installation.
Before beginning the installation, do the following:

Step Action
1 The operator must have administrator privileges on the system. CAE software cannot be installed unless the operator is logged on with administrator privileges.

3.4 INSTALLING CAE FROM SCRATCH


This section describes the procedure for a complete installation of the CAE application.
The complete CAE installation and configuration needs several steps:

Step Action
1 CAE installation and configuration:
• Install the CAE application on the machine
• Activate the CAE license with the Schneider Electric License Manager application
• Set up the CAE application

2 Operating System Hardening:
• Hardening Operating System Windows (7 / 2008 R2 Server / 10) (optional)
• Hardening Server 2008 R2 SP2 Enterprise Edition
Note: The hardening depends on the Customer Security Policy. To secure the database program, apply hardening rules (Customer Security Policy). Please refer to chapter Cybersecurity (CS) for details.

To install the CAE application, do the following:

Step Action
1 Unzip the CAE installation package zipped file.
2 Double-click the executable file Cybersecurity Admin Expert Installer in the unzipped installation package.
3 The first Wizard is displayed with the components for installation.
Note: Whether this window is displayed depends on whether the prerequisites are already installed on the PC. If the display is absent, please go to step 3 to continue the CAE installation.
4 Click Install.
Note: In this example, the setup has installed the prerequisites and is installing the Schneider Electric License Manager application.
5 The Wizard is displayed with the language selection. Choose the language and click OK.
6 The setup prepares the CAE installation. Click Next in the Wizard to start the installation.
7 Read the Software License Agreement, select “I accept the terms in the license agreement” and then click Next.
8 Accept the default destination folder and click Next, then click Install.
Note: In this example, Setup is installing the CAE application…
9 The installation is finished when the completion dialog box is displayed. Click Finish.
Note: A Windows Installer log is displayed for information; close it.
10 A successful installation displays the License Manager and CAE application icons on the desktop.

3.5 SETTING CAE


3.5.1 LICENSE ACTIVATION

To activate the CAE license, do the following:

Step Action
1 Start the Schneider Electric License Manager application:
• From the shortcut in the program group: Start > Programs > Schneider Electric > License Manager
• Or, from the Schneider Electric License Manager icon on the desktop
After starting the Schneider Electric License Manager, the main dialog box is displayed (example: Local tab).
Note: The License Manager application has been installed by the CAE installer; please refer to the previous § Installing CAE from Scratch for details.

2 To activate the license:
• Click the Activate button
• Choose the Activation Method (see notes), then click the Next > button
• Enter the Activation ID (see notes), then click the Next > button
• Enter the e-mail address, then click the Next > button
Activation is in progress…
• Click the Finish button

Notes
• The method “By Web” is not recommended for Cybersecurity Use Case.
• The method “By Web Portal” is recommended with the latest version of the Google Chrome browser.
• The activation ID is the license number for the product.
• The activation methods are By Web (default) or By Phone or By e-mail. To help choose in accordance with requirements, please consult the Schneider Electric License Manager User Manual. To open the user manual:
o Select Help on the control bar
o Select Help, to open User Manual

3 The activated license is confirmed by the Local tab window.
• Quit the Schneider Electric License Manager: Task > Exit

3.5.2 CHANGING DEFAULT PASSWORD


It is recommended that the Security Administrator changes the default password and adds another SecurityAdmin user for security reasons.
Please refer to Chapter “HI” for details.

3.6 UPGRADING CAE

To upgrade CAE, please refer to above section Installation CAE.



3.7 UNINSTALLING CAE


If the operator needs to uninstall the CAE application, perform the procedure described below.
Keep the following in mind when removing the CAE application from your system:
• The CAE application has to be closed before uninstalling.
• The operator must have administrator privileges on the system to uninstall.

To uninstall the CAE application, do the following:

Step Action
1 If CAE is running, close it.
2 Log on to Windows with a user account that has administrator rights.
3 From the Start menu, choose Control Panel.
4 Under Programs, click Uninstall a Program.
5 Select the CAE program and click Uninstall.
6 Click Yes to confirm. If necessary, click Allow.
7 The operator will be notified if an application has to be stopped before uninstallation.
OPERATING CAE/EN HI/E20
CAE Documentation Page 45/141

OPERATING (HI)

CONTENT
1. PURPOSE
2. PRESENTATION
2.1 CAE Presentation
2.2 RBAC Presentation
3. FUNCTIONS OVERVIEW
4. EASY TO USE
5. GETTING STARTED
5.1 Safety precautions
5.2 Starting CAE
5.3 Opening a Session
5.4 Ending a Session
6. USER INTERFACE OVERVIEW
6.1 Workspace Presentation
6.1.1 Tool Bar
6.1.2 The CAE Workspace
7. GENERAL ADMINISTRATION FUNCTIONS
7.1 Security Configuration Editor
7.1.1 User Locking Parameters
7.1.2 Logs Parameters
7.1.3 Security Banner Parameters
7.1.4 Certificate Parameters
7.1.5 Authentication Parameters
7.1.6 Import / Export Database Management
7.2 User Accounts Management
7.2.1 User Accounts Overview
7.2.2 User Account Properties
7.2.3 Manage User Account List
7.2.4 Manage User Account
7.3 Global Security Configuration
7.3.1 Global Security Overview
7.3.2 Global Security Management by User
7.3.3 Global Security Management by Role
7.4 System Editor
7.4.1 System Editor Overview
7.4.2 Add devices in system structure
7.4.3 Import/Export system structure
7.4.4 Rename
7.5 Preferences
7.5.1 Language
8. COMMUNICATION
8.1 Start Communication
8.2 Refresh IEDs List
8.3 Device Security Setting
8.3.1 Device Security Settings (DSS) Values
8.3.2 Device Template
8.3.2.1 Edit a Device Template
8.3.2.2 Copy a Device Template
8.3.2.3 Add a Device Template
8.3.2.4 Delete a Device Template
8.3.3 Security Keys
8.3.3.1 Edit Security Keys
8.3.3.2 Add Security Keys
8.3.3.3 Remove Security Keys
8.4 Visualize IED Logs
8.5 Visualize Logs
8.6 Push Configuration
9. ADVANCED ADMINISTRATION FUNCTIONS
9.1 Roles Management
9.1.1 Roles Overview
9.1.2 Manage Roles
9.1.3 Manage Element To Secure (ETS) Associated to a current Role
9.2 Element To Secure Management
9.2.1 Element To Secure Overview
9.3 Devices Rules
9.3.1 Select a Subset of Users
9.4 Import / Export Database
9.4.1 Import a Database
9.4.2 Export a Database
10. APPENDIX
10.1 Security Logs Category List

1. PURPOSE
This chapter is addressed to users of the Cybersecurity Admin Expert (CAE) User Interface. This guide focuses on
the CAE interface and describes its functionalities.
All illustrations and views are examples.

2. PRESENTATION

2.1 CAE PRESENTATION


The Cybersecurity Admin Expert (CAE) is the security configuration tool of the system.
The Security Administrator uses CAE to define the system security policy and manage users and roles (RBAC).
CAE is also used to configure Cybersecurity parameters for devices in the system.

Figure 3: Example of Multi-LAN Systems Architecture



2.2 RBAC PRESENTATION


The Role Based Access Control (RBAC) is a method to restrict resource access to authorized users. RBAC is an
alternative to traditional Mandatory Access Control (MAC) and Discretionary Access Control (DAC).

A key feature of RBAC model is that all access is through roles. A role is essentially a collection of permissions, and
all users receive permissions only through the roles to which they are assigned, or through roles they inherit through
the role hierarchy.

Figure 4: RBAC Role structure (diagram elements: Users, User Assignment, Roles, Permission Assignment, Permissions, Operations, Functional Objects)

Roles are created for various job activities. The permissions to perform certain operations are assigned to specific
roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments
acquire the computer permissions to perform particular computer-system functions. Since users are not assigned
permissions directly, but only acquire them through their role (or roles), management of individual user rights
becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations,
such as adding a user, or changing user's account.
RBAC defines four different concepts:

RBAC Standard Definition: Description

Object: An object can represent information containers (e.g. files, directories in an operating system, tables and views in a database management system) or device resources, such as IEDs.

Subject: A subject is a user of the system. Note that a subject can be a person, or an automated agent / device.

Right: A right is the ability to access an object in order to perform certain operations (e.g. setting a data or reading a file).

Role: A role defines a certain authority level in the system. Rights are assigned to roles.

RBAC defines three primary rules:

RBAC Rule: Description

1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.

2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule helps to ensure that users can take on only roles for which they are authorized.

3. Permission authorization: A subject can exercise permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule helps to ensure that users can exercise only permissions for which they are authorized.

___________________________________________________________________________________________
Note
Please see http://csrc.nist.gov/groups/SNS/rbac/standards.html website for RBAC standards.
___________________________________________________________________________________________
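The three RBAC rules and the role hierarchy described above, evaluated in order as an added example (this is not CAE code). SECADM is the role named in this guide; the other role names, users, operations and objects are constructed sample data, and all function names are hypothetical.

```python
# Constructed sample data: a permission is an (operation, object) pair,
# matching "Operations" on "Functional Objects" in the RBAC role structure.
ROLE_PERMISSIONS = {
    "VIEWER": {("read", "measurements")},
    "OPERATOR": {("control", "breaker")},
    "SECADM": {("write", "security_policy"), ("read", "security_logs")},
}
# Role hierarchy: OPERATOR inherits every permission of VIEWER.
ROLE_PARENTS = {"OPERATOR": {"VIEWER"}}
# User assignment: the roles each subject is authorized to activate.
USER_ROLES = {"alice": {"SECADM"}, "bob": {"OPERATOR"}, "carol": set()}


def effective_permissions(role, _seen=None):
    """Permissions of a role plus those inherited through the hierarchy."""
    seen = set() if _seen is None else _seen
    if role in seen:            # guard against a cycle in the hierarchy
        return set()
    seen.add(role)
    perms = set(ROLE_PERMISSIONS.get(role, ()))
    for parent in ROLE_PARENTS.get(role, ()):
        perms |= effective_permissions(parent, seen)
    return perms


class Session:
    """A subject together with the role it has selected for this session."""

    def __init__(self, user, active_role=None):
        self.user = user
        self.active_role = active_role


def check_access(session, operation, obj):
    """Apply the three rules in order and return (allowed, reason)."""
    # Rule 1, role assignment: no role selected means no permission at all.
    if session.active_role is None:
        return False, "rule 1: subject has no active role"
    # Rule 2, role authorization: the active role must be assigned to the subject.
    if session.active_role not in USER_ROLES.get(session.user, set()):
        return False, "rule 2: active role is not authorized for the subject"
    # Rule 3, permission authorization: the role must carry the permission.
    if (operation, obj) not in effective_permissions(session.active_role):
        return False, "rule 3: permission is not authorized for the active role"
    return True, "granted"


def who_can(operation, obj):
    """Review helper: every user who could obtain a permission through a role."""
    return sorted(
        user for user, roles in USER_ROLES.items()
        if any((operation, obj) in effective_permissions(r) for r in roles)
    )


if __name__ == "__main__":
    cases = [
        (Session("carol"), "read", "measurements"),
        (Session("bob", "SECADM"), "write", "security_policy"),
        (Session("bob", "OPERATOR"), "write", "security_policy"),
        (Session("bob", "OPERATOR"), "read", "measurements"),
    ]
    for session, op, obj in cases:
        print(session.user, session.active_role, op, obj,
              check_access(session, op, obj))
    print("can write security_policy:", who_can("write", "security_policy"))
```

Because permissions are reached only through roles, `who_can` answers an access review question by walking role assignments, with no per-user permission list to audit.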

3. FUNCTIONS OVERVIEW
CAE allows the administrator to configure User Accounts, Roles, Permissions, Elements to Secure (ETS) and System Security Parameters without a connection to devices. Information is stored in the database. This is the Offline mode.
CAE allows supervision of devices connected to the network. This is the Online mode.
Here are the main functions:
• General Administration
o Security Parameters & Models
o User Accounts Management
o Users Accounts & Roles association Management
o Security Configuration (user locking, logs, security banner, authentication)

• Advanced Administration
o Roles
o Element to Secure
o Import / Export database
o Certificate

• Administration
o Devices rules
o Edit Device Security Settings
o Import Network File

• Communication
o Refresh IED list
o Display IED Logs
o Display SAM Logs
o Push RBAC and Security Policies
o Export IED Logs

4. EASY TO USE
This section contains recommendations and best practices to help the operator use CAE.

INOPERATIVE ACCESS TO CAE

To reduce the risk of losing the Administration Password(s), it is recommended to create two security administration accounts (linked to the role SECADM).
If the administration password(s) is (are) lost, the operator actions and impacts are:
• Re-install CAE (all data will be overwritten).
• All devices will have to be reset to factory settings in order to be able to communicate with CAE again.

5. GETTING STARTED

5.1 SAFETY PRECAUTIONS


The use of this software and the generation of security configurations must be performed by personnel having
received the proper training in Cybersecurity Admin Expert software. The following safety message applies to this
software in its entirety:

CAUTION
UNEXPECTED EQUIPMENT BEHAVIOR
• Cybersecurity Admin Expert software must be used by properly trained personnel.
• Do not push incorrect security configurations into the system.
• Follow the instructions in this user guide.
Failure to follow these instructions can result in injury or equipment damage.

5.2 STARTING CAE


To start CAE:
• Log on with a Windows user account
• Double-click the "CAE" shortcut on the Windows desktop

Figure 5: CAE Icon


• Open a CAE session (please refer to the next section)
___________________________________________________________________________________________
Note
The first time CAE is started, the operator has to activate the license for the software product.
An unavailable license is indicated by a dedicated window.

Please refer to chapter Installation, § License Activation for License activation procedure.
___________________________________________________________________________________________

5.3 OPENING A SESSION


To log on to the CAE session:
• Enter the Username and Password
• Press the Login button

Figure 6: Login page


___________________________________________________________________________________________
Note
For the first use the default Username is “SecurityAdmin” and the default Password is “AAAAAAAA”. Please
refer to next section User Account Management for the default Password modification.
___________________________________________________________________________________________

Figure 7: CAE First running

5.4 ENDING A SESSION


A logout link is available on the window top-right corner.

To close the session, click on this icon link



6. USER INTERFACE OVERVIEW

6.1 WORKSPACE PRESENTATION


The graphical area is split into different workspaces.
The application contains different frames:
• Tool Bar (1)
• CAE workspace (2)

Figure 8: CAE Workspace

6.1.1 TOOL BAR


The toolbar shows:
• The Title banner
• The Command banner
The title banner shows:
• The Schneider Electric logo
• The currently logged user name
• The logout icon
• The minimize, maximize and close icons
Through user-friendly icons, the command banner gives an immediate access to the general functions of CAE.

The command banner shows the main action tools:
• Basic controls (New, Open, Save, Download, Upload and Print)
• Editing commands (Cut, Copy, Paste)
• Supporting Tools
• Full screen
• Help
The toolbar allows the user to quickly access relevant functions. Moving the mouse over an icon shows the function tooltip.

Icon / Function: Description

New: To create a new project
Open: To open an existing project
Save: To save any new element or change
Import: To import different kinds of files
Export: To export different kinds of files
Print: To print data
Undo: Reverses the last action you performed
Redo: Redoes the last actions you undid
Cut: Cut the selected item and put it in the clipboard
Copy: Copy the selected item in the clipboard
Paste: Paste an item from the clipboard.
Zoom: To zoom in data
Supporting Tools: Access to supporting tools such as Diagnostics
Full Screen: Work in CAE's full screen mode. Using full screen mode will hide the menu bar, tab bar and the tool bar, allowing you to better focus on your tasks. To turn off full screen mode, click this icon in the top right hand corner of the screen.
Help: To get help on CAE. The online user manual displays on screen.

The toolbar is in a fixed position and cannot be moved. Depending on the active module and the context, icon buttons may be disabled (they will be grayed in the toolbar). The top line shows the name of the application, the user name, and the logout and window size (minimize, restore, maximize and close) buttons.

6.1.2 THE CAE WORKSPACE


The CAE workspace shows:
• The Navigation banner (1)
• The View banner (2)

Figure 9: CAE Element To Secure

The navigation banner (1) contains tabs for presentation views and a tab control button.
To open a tab, do the following:
• On the top left, click on the control button
• Select a tab in the list

The view (2) shows information corresponding to the selected tab.



7. GENERAL ADMINISTRATION FUNCTIONS

7.1 SECURITY CONFIGURATION EDITOR


The Security Configuration Edition view contains 2 areas:
• The navigation area (Workspace 1)
• The properties area (Workspace 2)

Figure 10: CAE Security Configuration



7.1.1 USER LOCKING PARAMETERS

This feature allows the security administrator to edit the User Parameters for security, including the user locking
(passwords, locking, login) defined for the system.

Figure 11: Security Configuration – user parameters

User Parameters contains the following fields:

Label: Description (Field)

• Minimum inactivity period (min): Minimum inactivity period (minutes). After this duration without any action from the user, CAE is locked. The user needs to re-enter their password to unlock it. Field: 15 by default.
• Password Complexity: Sets the policy that will be applied during creation or modification of a password. Field: None by default. Supported choices:
  o None
    - Size: 1 character minimum.
    - Characters allowed: ASCII[33,122]
  o IEEEStd1686
    - Size: 8 characters minimum.
    - Characters allowed: ASCII[33,122]
    - 1 lowercase letter, 1 uppercase letter, 1 digit and 1 non-alphanumeric character
  o NERC
    - Size: 8 characters minimum
    - Characters allowed: ASCII[33,122]
    - The lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, nonalphanumeric)
• Number of previous passwords which cannot be reused: The number of last previous passwords that cannot be reused. Field: 3 by default.
• Allow user locking: Check/uncheck to allow user account locking. Field: Checked by default.
• Maximum login attempts: The maximum login attempts. Field: 5 by default.
• Password attempts timer (min): The password attempts timer (minutes). Field: 3 by default.
• Automatic user account unlocking: Check/uncheck automatic user account unlocking. Field: Checked by default.
• Locking period duration (s): The locking period duration (seconds). Field: 240 by default.

7.1.2 LOGS PARAMETERS


This feature allows the security administrator to edit the User Parameters for security, including the logs (standard
used, IP address for client/server) defined for the system.

Figure 12: Security Configuration – Logs Parameters



Logs Parameters contains fields:

Label | Description | Field

Log and monitoring standard | List of standards supported: BDEW, E3, NERC_CIP, IEEE1686, IEC62351, CS_PH1, CS_PH2. NOTE: If no standard is selected, no security logs are processed. | BDEW by default
Syslog server IP address | The Syslog server IP address (see Note) | mandatory
Syslog server IP port | The Syslog server IP port (see Note) | 601 by default
SNMP client IP address | The SNMP client IP address (see Note) |
__________________________________________________________________________________________
Note
Syslog server IP address, Syslog server IP port and SNMP client IP address settings are not required for a Standalone environment.
__________________________________________________________________________________________

7.1.3 SECURITY BANNER PARAMETERS


This feature allows the security administrator to edit the User Parameters for security, including the Security
Banner defined for the system.

Figure 13: Security Configuration – Security Parameters



Security Parameters contains fields:

Label | Description | Field

Security Banner Large (see Note) | The large banner propagated to devices. 1024 characters max. Unicode/UTF-8 characters are allowed. |
Security Banner Medium (see Note) | The medium banner propagated to devices. 32 characters max. Unicode/UTF-8 characters are allowed. |
Security Banner Small (see Note) | The small banner propagated to device. 8 characters max. Unicode/UTF-8 characters are allowed. |
__________________________________________________________________________________________
Note
Security Banner appears on the device front panel. It is made up of two parts:
• One page containing a disclaimer that the user must accept once,
• Another page that identifies the device (its label) that the user must accept or not. This text is customizable
using the Security Banner Large, Security Banner Medium and Security Banner Small fields.
__________________________________________________________________________________________

7.1.4 CERTIFICATE PARAMETERS


CAE contains a library of certificates, stored in the CAE database. Then, the security administrator can send these
certificates to the devices.
The security administrator can:
• Add a new certificate (importation from certificate file)
• Modify certificate properties
• Delete certificate
• Export certificate

Figure 14: Certificates List



Filtering inside column is applied by clicking the filter icon:

• Click on the filter control


• Choose an option to display or hide the column

Figure 15: Field Chooser for Certificate List

To add a new Certificate, do the following:

• Click on Add new certificate button
• Fill Name and Description
• Select certificate file with Browse… button
• Click on Apply button to save

New certificate window contains fields:

Label | Description | Field

Name | Name of Certificate | mandatory
Description | Description of certificate |
Certificate to be imported | Path and file name of certificate file | mandatory

To modify the current Certificate, do the following:

• Double click on certificate selected
• Fill Name and Description
• Click on Apply button to save

To delete the current Certificate, do the following:

• click on for certificate selected
• Confirm to delete it by Yes button

7.1.5 AUTHENTICATION PARAMETERS

Configuration Common Parameters


CAE allows an authentication mode to be chosen:
• Local
• Local then centralized
• Centralized then local
The authentication server available is RADIUS.
The window below allows the customer to define the authentication mode and the common parameters.

Figure 16: Configuration of centralized authentication (Common Part)



Common parameters window contains fields:

Label | Description | Field

Authentication Mode | Indicates the kind of authentication used: Local; Local then centralized; Centralized then local | Local by default
Default role for centralized authentication | The role assigned by default when the Application uses the centralized access and the role is not given. This is the complete list of available roles: ENGINEER, INSTALLER, OPERATOR, RBACMNT, SECADM, SECAUD, VIEWER | VIEWER by default
Centralized autentification timeout (s) | The maximum time that the Security Application waits for an authentication answer from each server. | 5 by default
Centralized authentication protocol | The Centralized authentication protocol selected: None (see Note 1); RADIUS (see Note 2) | None by default
Note 1: If no centralized authentication protocol is selected, then no centralized authentication parameters will be included in the Security Policies.
Note 2: If the centralized authentication protocol RADIUS is selected, then the administrator shall fill in the RADIUS client configuration.

Configuration RADIUS Parameters


CAE allows configuration of the RADIUS parameters of the Cybersecurity clients, as depicted in the figure below, including:
• the IP address of the RADIUS server,
• the shared secret,
• the default role,
• the authentication mode.

Figure 17: Configuration centralized authentication for RADIUS clients



RADIUS parameters window contains fields:

Label | Description | Field

Mode | Indicates the mode of connection of the RADIUS client. It can take two values: RADIUS_CLEAN, EAP-TTLS | RADIUS_CLEAN by default
IP Address | The IP address of the RADIUS Server |
Port | The port number used by the RADIUS Server to establish the communication with the Security Application. |
Shared secret | The text string that serves as a password between the RADIUS client and the RADIUS server. |
Backup server IP address | The IP address of the second RADIUS Server, used as backup. | This field is optional.
Backup server port | The port number of the second RADIUS Server, used as backup. | This field is optional.
Backup server shared secret | This is a text string that serves as a password between the RADIUS client and the second RADIUS server, used as backup. | This field is optional.
Role attribute name | Name of the attribute in the RADIUS protocol accepted answer where the role assignment is stored. |
AoR attribute name | Name of the attribute in the RADIUS protocol accepted answer where the AoR assignment is stored. |
Date attribute name | Name of the attribute in the RADIUS protocol accepted answer where the date assignment is stored. |
Attributes separator | Character that splits the attributes in case of several attributes returned. |
Dictionary | A long string storing the contents of the RADIUS dictionary. |
Parsing debug | Check/uncheck allows parsing debug | Unchecked by default

7.1.6 IMPORT / EXPORT DATABASE MANAGEMENT

This feature allows database file importation / exportation.

To import and export the database please refer to section Import / Export database for operations.

EXPORT / IMPORT PASSWORD RULE

The Export feature makes a backup of all CAE data, including the password. After a backup is imported, the customer therefore has to know the password that was active at the date of the backup.
Note: Not following this instruction will result in access to CAE not being established.

7.2 USER ACCOUNTS MANAGEMENT


7.2.1 USER ACCOUNTS OVERVIEW
A user account is a logical representation of a person with some configurable parameters. It includes information about the user's identity and gives the user a login to be recognized within the tool suite. A user account is mainly of interest when it is associated with roles that grant it authorizations.
The User Accounts tab of the user interface displays the list of existing user accounts and allows the security administrator to manage them.
The security administrator can:
• View, sort and filter the user account list
• Add a new User Account
• Edit or delete a User Account
The User Accounts area contains different parts:
• The User Accounts List (Workspace 1)
• The current User Account properties (Workspace 2)

Figure 18: CAE Workspace



7.2.2 USER ACCOUNT PROPERTIES


User account is defined by several categories of parameters:

Category Presentation
User Information Includes editable fields:
• User name (mandatory)
• Phone number
• Email
• Work details
Contains fixed fields:
• The creation date of the current account
• The last modification date of the current account

User Authentication Includes editable fields:
• Login (mandatory)
• Password
• Deactivated option
• Pin Code
Note: Login and Password follow Devices Rules (see §Devices Rules for details)

7.2.3 MANAGE USER ACCOUNT LIST


The User Accounts List contains two parts:
• The Toolbar (Workspace 1)
• The List (Workspace 2)

Figure 19: User Account List


The Toolbar shows:
• Sort and filter controls
• Column titles
Displaying/hiding column is defined with the Field Chooser:

• Click on filter control


• Choose to check or un-check options on the Field Chooser to display or hide column

Figure 20: User Account List – Field Chooser

Sorting options are applied by clicking the column title:

• Sort by Login
• Sort by First Name
• Sort by Last Name
• Sort by Phone Number
• Sort by Email
• Sort by Works details
• Sort by Deactivated
• Sort Creation (user account)
• Sort Last Modification (user account)

Sorting by column is applied by clicking the title:



Figure 21: User Account List – Sorting by title

Filtering inside column is applied by clicking the filter icon:

• Click on the filter control


• Choose an option to display or hide the column

Figure 22: User Account List – Filtering by title

7.2.4 MANAGE USER ACCOUNT

To create a User Account, click the “Add a User Account” button.

Two parameter categories are proposed, with default values.

Some parameters are mandatory and others are optional. Mandatory user account parameters are:

• First Name
• Last Name
• Login

User Information category contains fields:

Label | Description | Field

First Name | The first name of the user. 50 characters maximum. Allowed characters: Alphanumeric, “– [SPACE]”. | mandatory
Last Name | The last name of the user. 50 characters maximum. Allowed characters: Alphanumeric, “– [SPACE]”. | mandatory
Phone Number | Phone number of the user. 50 characters maximum. Must be digits. Separators allowed: “+ ( ) –S [SPACE]” |
Email | Email of the user. 100 characters maximum. Must contain: @: left and right local part must not be empty. Right part must include at least a “dot” and cannot start/finish by it. 7-bit ASCII format; each character has a value from 1 to 127. |
Work Details | Details for user activity, 1000 characters maximum. |
Date of Creation | Date of creation of user account | Not editable
Last Modification | Date of last modification of user account | Not editable

User Authentication category contains fields:

Label | Description | Field

Login | The login of the user account. Login has to be unique. 4 characters minimum. Non alphanumeric characters and [SPACE] are forbidden. Note: Login follows Devices Rules. Please refer to §Devices Rules, on Constraints Table for limitations. | Mandatory
Password | The password of the user account is limited to 50 characters by default. The limit depends on the device type. Please contact Schneider Electric customer care for details. Each password shall be a minimum of 8 characters. Each password shall consist of a combination of alpha (with 1 capital minimum), numeric, and “special” characters. Note: Password follows Devices Rules. The password complexity depends on the complexity defined in the "Security Configuration Editor/User Locking" tab. | Empty by default
Confirm password | Password confirmation |
Arrow Password | The password of the user account configured with graphical location |
Deactivated | Option allows deactivating the user account. The date of deactivation is displayed / hidden. Note: A security administrator cannot deactivate their own User Account. |
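The Password field above defers to the Password Complexity policy chosen in 7.1.1 (None, IEEEStd1686 or NERC); the checker below writes those three policies out. It is an added example, not CAE code: the function names are hypothetical, and reading the NERC rule as "at least three of the four character types" is an assumption.

```python
import string

# "Characters allowed: ASCII[33,122]" from the User Parameters table:
# '!' (33) through 'z' (122). Space, '{', '|', '}' and '~' fall outside.
ALLOWED_MIN, ALLOWED_MAX = 33, 122

# Minimum length and minimum number of distinct character types per policy.
# NERC is read here as "at least three of the four types" (assumption).
POLICIES = {
    "None":        {"min_len": 1, "min_types": 0},
    "IEEEStd1686": {"min_len": 8, "min_types": 4},
    "NERC":        {"min_len": 8, "min_types": 3},
}


def character_types(password):
    """Return the set of character types present among allowed characters."""
    types = set()
    for ch in password:
        if not ALLOWED_MIN <= ord(ch) <= ALLOWED_MAX:
            continue  # out-of-range characters never count towards a type
        if ch in string.ascii_lowercase:
            types.add("lowercase")
        elif ch in string.ascii_uppercase:
            types.add("uppercase")
        elif ch in string.digits:
            types.add("digit")
        else:
            types.add("non-alphanumeric")
    return types


def check_password(password, policy):
    """Return a list of rule violations; an empty list means accepted."""
    rule = POLICIES[policy]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append("too_short")
    if any(not ALLOWED_MIN <= ord(ch) <= ALLOWED_MAX for ch in password):
        problems.append("forbidden_character")
    if len(character_types(password)) < rule["min_types"]:
        problems.append("too_few_character_types")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the guide.
    samples = ["Abcdefg1", "Abcdef1!", "Abcdef1~", "abcdefgh", "a"]
    for policy in POLICIES:
        for pw in samples:
            verdict = check_password(pw, policy) or "accepted"
            print(f"{policy:12} {pw!r:12} {verdict}")
```

Passwords produced by generators that draw on the full printable ASCII set can contain `{`, `|`, `}` or `~`, which this range excludes under every policy.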

To create a new User Account, do the following:


• Click on Add a User Account button
• Fill mandatory (Password is mandatory for creation) and optional fields
• Click on Apply button to save user account parameters
• Click on OK button; the new User Account is added on the User Accounts List

Figure 23: User Account Creation



To modify a User Account, do the following:


• Select user account on the User Accounts List
• Double-click and modify fields
• Click on Apply button to save user account parameters
• Click on OK button

To delete a User Account, do the following:


• Select user account on the User Accounts List (1)
• Click on Trash (2) or right button and select option Delete
• Press Yes button to confirm delete on Information window (3); the user account is removed from User
Account List; if No button is pressed, the remove operation is cancelled.

Figure 24: User Account Removal


__________________________________________________________________________________________
Note
A security administrator cannot deactivate his own User Account.
__________________________________________________________________________________________

7.3 GLOBAL SECURITY CONFIGURATION


7.3.1 GLOBAL SECURITY OVERVIEW
The nodes of the hierarchy are viewed as scopes and can be secured independently. Each node can include defined roles and user accounts, and so create a specific security policy.
Global Security allows management of scope(s) and association or dissociation of role(s) for each user account.
The security administrator manages the current scope by the Roles.
The security administrator can:
• View the Roles List, the User Account List and the User-Roles or Role-Users associations
• Associate / dissociate role(s) for each User Account
• Add / Remove User account(s) for each Role
Global Security contains different areas and is displayed in 2 views (User and Role):
• The Scope Tree view (Workspace 1)
• The Association area (Workspace 2)


Figure 25: Global security View by User


Figure 26: Global security View by Role

The Scope Tree view allows the administrator to:
• Edit the Default Scope (see Note below)
• Show the Default Scope versioning

__________________________________________________________________________________________
Note

To configure the Local Default Access for Default Scope, do the following:
• Right-click
• Select Edit (1)
• Check the Local Default Access option (2)
• Choose the Roles associated to local default access in the list (3)
• Click the Apply button

Figure 27: Default Scope Edition

To show the history of the Default Scope versioning, do the following:
• Right-click
• Select Show History
• The View of Histories is displayed:

Figure 28: Default Scope Showing


The versioning involves the quadruplet (Users Version/Roles Version/Permission Version/Security Policies
Version). Please refer to section Push Configuration for more details.
_________________________________________________________________________________________

7.3.2 GLOBAL SECURITY MANAGEMENT BY USER


The Global Security by User contains 3 parts:
• The List of User Accounts (1)
• The List of Associated Roles by User Account (2)
• Associated Roles Details of selected role (3)


When a new user account is created, it must be associated to role(s). The security administrator configures this in two steps:

STEP 1: Add user account on List


• Click on Add User Account button (1)
• Check user account(s) in the window (2)
• Press the OK button (3); the new user account is added to the User Accounts List (4)

Figure 29: Global security – Add new User Account


_______________________________________________________________________________
Note
To remove a user account from the List, click on the X icon and confirm with Yes in the Information Window

_______________________________________________________________________________

STEP 2: Associate user account to Role(s)


• Select the user account on List (1)
• Click on Associate Role button (2)
• Check Role(s) displayed on Associate Role Window (3) and press OK button (4); the List of Associated
Roles is now displayed (5)

Figure 30: Global security – Associate user account to role(s)



7.3.3 GLOBAL SECURITY MANAGEMENT BY ROLE


The Global Security by Role contains 3 parts:
• The List of Roles (1)
• The List of Associated User Accounts by Role (2)
• Associated User Details of selected role (3)

The security administrator can associate or disassociate user account(s) to each role.

To associate User Account(s) to Role(s):


• Select the role on List (1)
• Click on Associate User Accounts button (2)
• Check User account(s) displayed on Associate User Account Window (3) and press OK button; the List of
Associated User accounts is now displayed (4)

Figure 31: Global security – Associate user account(s) to role(s)



7.4 SYSTEM EDITOR


7.4.1 SYSTEM EDITOR OVERVIEW
With System Editor the user can define the devices within a system. This option is provided because the CAE Network Device List→Refresh discovery feature only finds devices using the DPWS protocol. In addition, any device without UDP communication will not be discovered by the Network Device List→Refresh feature.
The System Editor view is divided into two main areas:

• Left panel. This is the System structure tree view containing the Substation node and the AOR node. From here the user can Import/Export the system structure and rename the System, Substation or AOR names.
Note: To date, this structure is fixed and no other nodes can be added.
• Right panel. All the devices declared within the system structure are displayed in this area. The user can add devices, import, delete or edit them.


Figure 32: System Editor view layout

7.4.2 ADD DEVICES IN SYSTEM STRUCTURE


To allow CAE to discover every device within the Network, the user has to declare all of them using the System Editor option.
To declare all the devices within a system, follow these steps:

• On the top left corner, click the icon


• Select System Editor option:

Figure 33: System Editor option



• From Substation, click Add SAM button on the bottom right corner of the window to add the SAM
connected to the system:
Note: Only one SAM device can be defined.

Figure 34: System Editor window

• This window will appear. Fill in the required information and click OK:

Figure 35: System Editor → Add SAM window

• Now the SAM has been declared as a device within the system structure:

Figure 36: System Editor Substation window with SAM added



• Once SAM has been added, go to AOR node and click Add Device button to add a device.
To go faster, the user can use Import devices from a CSV file button to add all or several devices at a
time. To do so, create a CSV file containing the devices and import it.
Note: This action will not remove or replace any other device already added.

Figure 37: System Editor → AOR → Add Device

• This window will appear: Fill in the required information and click OK:

Figure 38: System Editor → AOR → Add Device window

• Devices added will show as follows and by right clicking on them the user can Delete (also by clicking the
Trash icon) or Edit them:

Figure 39: System Editor → AOR → with added devices


Once all the devices in the system have been declared use Network Device List→Refresh option to do the
discovery of the complete system. See how in section 8.2 Refresh IEDs List.

These are examples of valid CSV files:

Each row in the file defines a device. The following information, separated by one of the allowed delimiters, has to be provided per device:

• Name of the device.
• Type.
• Firmware.
• IP address.
• Ethernet port number (optional. If blank, the default value 9867 will be used).

Example files shown: file with semicolon-separated values, file with tab-separated values, file with comma-separated values.
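A pre-import check for the device CSV described above, as an added example that is not part of CAE. It assumes no header row, fields in the order listed (name, type, firmware, IP address, optional port) and one delimiter per file; the function names are hypothetical and the sample rows are constructed.

```python
import csv
import io
import ipaddress

DEFAULT_PORT = 9867            # default stated in the guide when the port is blank
DELIMITERS = (";", "\t", ",")  # semicolon, tab and comma files are accepted

# Constructed sample: two valid rows, a blank line, a bad IP and a bad port.
SAMPLE_CSV = (
    "Relay-A;TYPE_X;1.0.0;192.0.2.10;9867\n"
    "Relay-B;TYPE_X;1.0.0;192.0.2.11;\n"
    "\n"
    "Relay-C;TYPE_Y;2.1;192.0.2.300;9867\n"
    "Relay-D;TYPE_Y;2.1;192.0.2.13;99999\n"
)


def detect_delimiter(text):
    """Pick the delimiter that splits the first non-blank row into 4 or 5 fields."""
    first = next((line for line in text.splitlines() if line.strip()), "")
    for delimiter in DELIMITERS:
        if len(first.split(delimiter)) in (4, 5):
            return delimiter
    raise ValueError("first row does not split into 4 or 5 fields")


def parse_devices(text):
    """Return (devices, errors); errors are (line_number, message) tuples."""
    reader = csv.reader(io.StringIO(text), delimiter=detect_delimiter(text))
    devices, errors = [], []
    for row in reader:
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # skip blank lines
        if len(row) not in (4, 5):
            errors.append((reader.line_num, f"expected 4 or 5 fields, got {len(row)}"))
            continue
        name, device_type, firmware, ip_text = row[:4]
        port_text = row[4] if len(row) == 5 else ""
        problems = [f"{label} is empty"
                    for label, value in (("name", name), ("type", device_type),
                                         ("firmware", firmware)) if not value]
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"invalid IP address {ip_text!r}")
        port = DEFAULT_PORT  # used when the optional fifth field is blank
        if port_text:
            if port_text.isascii() and port_text.isdigit() and 1 <= int(port_text) <= 65535:
                port = int(port_text)
            else:
                problems.append(f"invalid port {port_text!r}")
        if problems:
            errors.append((reader.line_num, "; ".join(problems)))
        else:
            devices.append({"name": name, "type": device_type, "firmware": firmware,
                            "ip": ip_text, "port": port})
    return devices, errors


if __name__ == "__main__":
    accepted, rejected = parse_devices(SAMPLE_CSV)
    for device in accepted:
        print("ok   ", device)
    for line_number, message in rejected:
        print(f"line {line_number}: {message}")
```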

7.4.3 IMPORT/EXPORT SYSTEM STRUCTURE


The user can use this function to import/export an XML file with the complete system structure.

• Go to System Editor→System and right click on System.


• Select Import system structure or Export system structure:

Figure 40: System Editor→ System→ Import/Export system structure

• Choose the XML file to be imported or save the file to be exported:


• Before the import of the XML file, this pop-up will show up to inform the user that the System structure that
is going to be imported will replace the existing declared one, if any. Click Yes to continue:

Figure 41: Import system structure confirm pop-up

Once all the devices in the system have been declared, use Network Device List→Refresh option to do the
discovery of the complete system. See how in section 8.2 Refresh IEDs List.
This is an example of a valid xml file:

7.4.4 RENAME
System, Substation and AOR menu names are customizable. Use Rename function in order to name these
menus according to your project needs:

• Select the menu/node to be renamed, right click on it and select Rename function:

Figure 42: System editor→ Rename function

• Enter the new name and click OK:



Figure 43: System editor→ Rename substation window

• Now in our example, the name of the substation has been changed:

7.5 PREFERENCES
7.5.1 LANGUAGE
In the Preferences view the Security Administrator can choose the language of CAE user Interface.
The available languages are:

• English (default value).


• French.
• German.

Figure 44: Preferences view


To change the language, do the following:

• Select the language in the list

• Click the Apply button

8. COMMUNICATION

8.1 START COMMUNICATION


This section explains how to establish the online mode.
Cybersecurity Admin Expert (CAE) allows the communication with devices over the network via Network Device
List feature.
Before establishing the online mode, please check that each of the devices within the system Network has been
previously declared in CAE System Editor (refer to section 7.4).
To open the online communication, do the following:

• On the top left, click on icon (1)


• Select Network Device List… option (2); the Network Device List view is displayed (3)
• Press Refresh button (4)

Figure 45: Network Device List view

___________________________________________________________________________________________
Note
Communication requires an operational network and operational devices. If the SAM is not detected in the network, no information is displayed to the operator.
___________________________________________________________________________________________

8.2 REFRESH IEDS LIST


The list of connected devices is displayed in the IEDs List. CAE sends a multicast message over the communication network and each connected device returns its identification and available services (versions of User Accounts, Roles, Permissions, Security Policies, IP address).
Refreshing the IEDs List is a manual procedure. To refresh the IEDs List, do the following:

• Click Refresh button

Figure 46: Refresh IEDs List

The IEDs List displays the following information:

Field | Description | Note

SAM | Display the IP address of SAM and the version of Configuration |
Status | Display the status of the IED (see legend below) by hovering the mouse over the icon. | If icon is different than , please refer to section 7.4 for actions. (see legend below)
IED Name | Display the name of IED |
Version | Display the name of Push Configuration | Updated by successful Push Configuration operation
User Version | Display the User Account version of IED | Updated by successful Push Configuration operation
Role Version | Display the Roles version of IED | Updated by successful Push Configuration operation
Permission Version | Display the Permission version of IED | Updated by successful Push Configuration operation
Discovery Version | Display the Security Policies version of IED | Updated by successful Push Configuration operation
Main Type | Display the first known type among ones declared |
Firmware | Display the firmware version declared |
IP | Display the IP address of IED |
Figure 47: Properties of list of devices

Status icon | Tooltip Content | Description

Device discovered matches with device declared in CAE System Editor and its security configuration is up-to-date.

Device discovered matches with device declared in CAE System Editor but the security configuration is not updated. Please, push the security configuration and Refresh again.

Device discovered but not declared in CAE System Editor. Please, go to System Editor to properly declare/add the device.

Device declared in CAE System Editor but not discovered by Network Device List → Refresh. Please, check for connection issues in the network.

Device declared in CAE System Editor and discovered, but some information mismatches. Please, check in System Editor that the information of the specific device is properly declared.

Figure 48: Status icon description

Filtering inside column is applied by clicking the filter icon:

• Click on the filter control


• Choose an option to display or hide the column

Figure 49: Field Chooser for IEDs List



8.3 DEVICE SECURITY SETTING


A protection relay is referenced by a device model containing the type of device and its firmware version.
This device model is linked to a specific set of Device Security Setting keys, also called "Device Template".
Device Security Settings (DSS) are security variables which may have different values depending on the
associated IED.
They are represented as a collection of key/value pairs.
Security Administrator can manage Device Security Settings (DSS):
• Retrieve the device template from discovered devices.
• Edit the value of each security variable included in the device template.
• Create and edit a device template by adding, deleting, renaming the keys included in the device template.

8.3.1 DEVICE SECURITY SETTINGS (DSS) VALUES


Users can update the values of a device template, present in the security database.

To edit a device's Security Settings, do the following:

• From the Network Device List, select the equipment in the IED List
• Right-click
• Click the Edit Template Values option (see Note)
_________________________________________________________________________________________
Note
If the Edit Template Values option is not available, please refer to the next section and Add a Device
Template
_________________________________________________________________________________________

The Template Values (SetBrick) tab appears on screen.


• Change the key(s) value in entry field(s)
• Click Apply button to save these parameters
• Click OK to exit the tab.

Figure 50: Template Values Properties

8.3.2 DEVICE TEMPLATE

8.3.2.1 Edit a Device Template


To edit a device template, do the following:

• Click Edit Device templates button in the Network Device List

Figure 51: Edit Device Templates


The Device templates tab appears on screen and shows the list of existing device templates.
• Each record can be edited by clicking the edit icon to change the key value or add a new key:

Figure 52: Device Templates List


• Click Apply to save modifications
• Click OK to exit the tab.

8.3.2.2 Copy a Device Template


To create a copy of an existing template, do the following:
• Right-click selected template
• Select Copy and Edit Device Template

Figure 53: Copy and Edit Device Template


The brand new template is pre-filled with the key and default values coming from the original template:

Figure 54: New Device Template


Proceed to the relevant changes according to your needs (add key, change default values...) and validate to save
the newly created template.

8.3.2.3 Add a Device Template


Users can add new device templates to their security system.
To add a device template, do the following:
• In the Network Device List, click Edit Device templates button.
• In the Device templates tab, click on Add device template

Figure 55: Add Device Templates

A new Device template (new) tab appears on screen.


In the dedicated entry fields, enter the following information:
• Model type
• Firmware

• Click Add Key button to assign a security key to the current device template.

Figure 56: Add Device Templates (new)

• Click Apply
• Click OK

8.3.2.4 Delete a Device Template


Users can delete a device template present in the security database.
To delete a device template, do the following:

• Click Edit Device templates in the Network Device List view. The list of device templates appears in a tab. Each record can be edited or deleted.
• Select the desired row and click the delete icon

Figure 57: Delete Device Templates


A popup window appears on screen for you to confirm the key deletion:
• Click on Yes to confirm.

8.3.3 SECURITY KEYS


Device Security Setting Keys are security variables which may have different values depending on the associated
IED. They are represented as a collection of key/value pairs.

8.3.3.1 Edit Security Keys


Users can edit the key of a device template present in the security database, or add a new one.
To edit Setting Keys, do the following:
• In the Network Device List view, click Edit Device templates

• In the Device templates tab, click the edit button

A new Device templates (<device type> <firmware>) tab appears on screen. It shows the selected device model
type, its firmware version (not editable) and a grid containing the security keys that have been assigned to the
current device template.

• If you need to edit a key, click the edit icon (pencil)

• In the Key Editor window that appears on screen, change the name of the key, its type and its default
value:

Note that the Type field is for information only: the consistency between the type and the value is not checked.
• Click Apply to save these parameters
• Click OK to exit the Key Editor window.

The record in the Device Key panel is now updated.


• Click Apply to save these parameters
• Click OK to exit the tab.

8.3.3.2 Add Security Keys


Users can add a key to a device template present in the security database.
To add Security Keys, do the following:
• In the Network Device List view, click Edit Device templates
• In the Device templates tab, select the desired device template and click the edit button (pencil)

• In the Device template (<device type> <firmware>) tab, click the Add key button at the bottom of the tab.

• In the Key Editor window that appears on screen, enter a name for the key, select a type and enter a
default value:

Note that the Type field is for information only: the consistency between the type and the value is not checked.
• Click Apply to save these changes,
• Click OK to exit the Key Editor window

The new key appears in the table:

• Click again on Apply to save modifications


• Click OK to close the Device Template tab.

8.3.3.3 Remove Security Keys


Users can delete the key of a device template present in the security database.
To remove Security Keys, do the following:
• In the Network Device List view, click the Edit Device templates button.
• In the Device templates tab, select a device template and then, click the delete button:

A popup window appears on screen for you to confirm the key deletion:

• Click on Yes to confirm.



8.4 VISUALIZE IED LOGS


All security-related operations (connection, configuration…) are automatically captured as events and
logged, to give security administrators good visibility of previous actions.
The Event Viewer Utility is used to visualize the exported logs.
To visualize the logs of the selected IED, do the following:
• Select the IED in the IED List
• Click on the Visualize Logs option
• The View of IED Logs is displayed (please consult the Visualize SAM Logs section, next, for feature
details)

___________________________________________________________________________________________
Note
If there are no Security Logs, an Information Window reports it.
___________________________________________________________________________________________

8.5 VISUALIZE LOGS


The Logs visualization is a manual procedure. The list of Logs is named ‘SAM Log List’.
To Visualize SAM Log List, do the following:
• Click on Visualize SAM Logs button, from Network Device List tab
• The new view Logs SAM is displayed with current Logs

Figure 58: Visualize SAM Logs

The Logs SAM view contains 2 parts (see the figure above):
• The Tool bar (1)
• The List of Logs (2)
The Tool bar allows you to:
• Refresh the list (Refresh button)
• Export the list to a document file (Export Logs button). Standard formats proposed: CSV (default), XML and HTML
• Search log(s) by keyword (Search function)

Field | Description
DateTime | Date and hour of the log. Date format: Day/Month/Year. Hour format: Hour:Minute:Second
LogId | Identification number of the log
Level | Level of the log. Note: the security logs model is available in the APPENDIX section
Type | Security logs category in the standard. Please refer to the Security Logs section of the APPENDIX
AppName | Name of the application that is the source of the log
AppMsg | Application cause of the log
IssuerId | Name of the device that is the source of the log
IssuerAddr | IP address of the device that is the source of the log
PeerId | Login of the user that is the source of the log
PeerAddr | IP address of the client that is the source of the log
Logs Properties
___________________________________________________________________________________________
Notes
Logs are only available if SAM is detected by Network Device List.
In the logs panel, to display a large content, please double-click on the splitter.
If there are no Security Logs, an Information Window reports it.
___________________________________________________________________________________________

8.6 PUSH CONFIGURATION


The Security Administrator sends RBAC and Security policies to IEDs. This operation, called “Push configuration”,
is described below.
The push configuration operation generates 4 xml files (Permissions, Roles, Users and Security policies) from
the database and sends these files to each IED. A confirmation message displays the push status. After a successful
push configuration, the version numbers for Users, Roles, Permission and Policies are incremented in the Transfer
Administration list view.
The push configuration also sends DSS to devices (those for which any have been specified) and synchronises the SAM
database.
To push the configuration, the security administrator does the following:

Action | Result
Select the Network Device List tab, then click on the Refresh button | The list of connected devices is refreshed.
Click on the Send to All button | The window Create Version is displayed.
Enter the Configuration version name, then click on the OK button | The window “Push RBAC status summary” is displayed when the configuration push is finished, and the view is refreshed with the IEDs updated to the new version.

Note: The third line of the window, "Sending device security settings files was skipped", indicates that no DSS
has been defined for the corresponding device(s).

___________________________________________________________________________________________
Notes
The first RBAC push operation to a device with factory settings has to be executed with the SECADM role.
The Configuration Version Name identifies which configuration has been pushed.
A successful Push RBAC operation increments the quadruplet (Users Version, Roles
Version, Permission Version, Security Policies Version). Each version of the quadruplet is incremented by 1
(VXX.YY) from the highest device version detected.
___________________________________________________________________________________________

Please refer to Chapter TG, section 2.3 Push Configuration Issue, for exception use cases after a
Push configuration.

9. ADVANCED ADMINISTRATION FUNCTIONS

9.1 ROLES MANAGEMENT


9.1.1 ROLES OVERVIEW
A role is a logical representation of the activity of a person. This activity authorizes or forbids operations within the
tool suite thanks to permissions that are associated to the role. A role needs to be attached to a user account to
have a real purpose.
The same role can be attached to several user accounts.
The Roles tab of the user interface displays the list of existing roles and allows the security administrator to manage
them.
By default, the security administrator can:
• View, sort and filter the Roles list
• Edit, delete a current Role
• Add a new Role
• Associate an ETS to a current Role
• Disassociate an ETS from a current Role
• Configure Permissions of an Associated ETS
The Roles area contains different parts:
• The Roles List (Workspace 1)
• The current Associated Element To Secure (ETS) List (Workspace 2)

Figure 59: CAE Roles Workspace



CAE embeds default Roles defined by the standard IEC62351:


• Engineer,
• Installer,
• Operator,
• RBACMNT,
• SECADM,
• SECAUD
• Viewer.

Role | Description
VIEWER | Can View what objects are present within a Logical-Device by presenting the type ID of those objects.
OPERATOR | An Operator can view what objects and values are present within a Logical-Device by presenting the type ID of those objects as well as perform control actions.
ENGINEER | An Engineer can view what objects and values are present within a Logical-Device by presenting the type ID of those objects. Moreover, an engineer has full access to Datasets and Files and can configure the server locally or remotely.
INSTALLER | An Installer can view what objects and values are present within a Logical-Device by presenting the type ID of those objects. Moreover, an installer can write files and can configure the server locally or remotely.
SECADM | Security Administrator can change subject-to-role assignments (outside the device) and role-to-permission assignment (inside the device) and validity periods; change security setting such as certificates for subject authentication and access token verification.
SECAUD | Security Auditor can view audit logs.
RBACMNT | RBAC Management can change role-to-permission assignment.
Default User Roles Summary

9.1.2 MANAGE ROLES


The Roles List contains two parts:
• The Toolbar (Workspace 1)
• The List (Workspace 2)

Figure 60: Roles List


The Toolbar shows:
• Sort and filter controls
• Column titles
Displaying or hiding a column is done with the Field Chooser:

• Click on the filter control
• Check or un-check options in the Field Chooser to display or hide a column

Figure 61: Roles List – Field Chooser

Sorting options are applied by clicking the column title:

• Sort by Role
• Sort by Description
• Sort by Associated ETS
• Sort by Creation
• Sort by Last Modification

Sorting by column is applied by clicking the title:

Figure 62: Roles List – Sorting by title

Filtering inside column is applied by clicking the filter icon:

• Click on the filter control


• Choose an option to display or hide the column

A role is created by clicking the Add new Role button. Several parameter categories are proposed with default
values; some parameters are mandatory and others are optional.
The mandatory Role parameter is:

• Role Name

Role Parameters contains the following fields:

Label | Description | Field
Role | The name of the role. 50 characters maximum. Allowed characters: Alphanumeric, “– [SPACE]”. | mandatory
Description | The description of the role. 50 characters maximum. Allowed characters: Alphanumeric, “– [SPACE]”. | optional

To create a new Role, do the following:

• Click on Add new Role button


• Fill fields as described above
• Click on Apply button to save parameters
• Click on OK button; the new Role is added on the Roles List

Figure 63: Role Creation


To modify a Role, do the following:
• Select role on the Role List
• Double-click and fill fields as described above
• Click on Apply button to save parameters
• Click on OK button
To remove a Role, do the following:
• Select role on the Role List (1)
• Click on garbage icon (2)
• Press the Yes button in the Information window to confirm the removal (3); the selected role is removed from the Roles
List. If the No button is pressed, the remove operation is cancelled.

Figure 64: Role Removal


__________________________________________________________________________________________
Note
Some system/built-in roles may appear in the library of roles after installation. They are blue colored
and are not editable.
__________________________________________________________________________________________

9.1.3 MANAGE ELEMENT TO SECURE (ETS) ASSOCIATED TO A CURRENT ROLE

The Associated ETS contains 2 parts:


• The List of ETS (2) associated to the Role (1)
• The List of Permissions associated to the current ETS (3)

Figure 65: Associated ETS from current role



To add an Associated ETS to a current Role, do the following:


• Select Role on list of Roles (1)
• Click on Add ETS Permission button (see Figure above)
• Check Element To Secure(s) displayed on Element To Secure Association Window (2) and press OK button
(3); the List of Associated ETS for the current role is updated (4)

Figure 66: new Associated ETS added to the current role


___________________________________________________________________________________________
Note
The library of ETS is delivered with the CAE Software.
___________________________________________________________________________________________

To disassociate an ETS from a current Role, do the following:


• Select Role on list of Roles (1)
• Select the ETS on list of Associated ETS (4)
• Click on x icon and confirm by Yes from Confirmation Window; the List of Associated ETS for the current
role is updated.

To Configure Permissions of an Associated ETS, do the following:


• Select Role on list of Roles
• Select the ETS on list of Associated ETS (1)
• Choose value option Enable/Disable or True/False for each permission (2) in accordance with needs
• Click on Apply button (3)

Figure 67: Configure Permissions for Associated ETS to current role


___________________________________________________________________________________________
Note
The definition of each permission is available in the documentation of the device associated with the selected ETS.
___________________________________________________________________________________________

9.2 ELEMENT TO SECURE MANAGEMENT


9.2.1 ELEMENT TO SECURE OVERVIEW

An Element To Secure (ETS) is an entity that represents a tool, a utility or an application function block that can
be protected within the System. It gathers a list of corresponding permissions with their set of values. This list is
pre-defined and cannot be edited by any business user.
The same ETS can be associated with many roles, each with a different set of authorizations.
___________________________________________________________________________________________
Note
ETS management is an advanced administration feature. The ETS management customization will be
described in future document version.
___________________________________________________________________________________________

Figure 68: Element To Secure View



9.3 DEVICES RULES


CAE manages constraints imposed by legacy devices such as:
• Maximum number of users.
• Minimum and maximum login and password length.
• Interval of ASCII codes which must contain all characters of user passwords.
___________________________________________________________________________________________
Best Practice Note
To save time, it is recommended to respect these constraints as much as possible. Otherwise, the
proposed solution is described in the next section, Select a Subset of Users. If all User
Accounts respect these rules for the device types, creating a Subset of Users is
unnecessary. If even one user account does not respect these rules, creating a Subset of Users
becomes mandatory.
___________________________________________________________________________________________

These constraints are device specificities and are stored in the CAE.Constraints.xml file:

Rules / Constraints | CAE | P40 | P30 | C264 | EcoSUI | Gateway
Login: Minimum Length | 4 | 4 | 4 | 4 | 4 | 4
Login: Maximum Length | 16 | 16 | 20 | 16 | 16 | 16
Login: Characters Allowed | ASCII [33,122] | ASCII [33,122] | ASCII [33,122] | ASCII [33,122] | ASCII [33,122] | ASCII [33,122]
Password: Minimum Length | Depends on password complexity. | 1 | 1 | 1 | 1 | 1
Password: Characters Allowed | Depends on password complexity. | ASCII [33,122] | ASCII [33,122] | ASCII [33,122] | ASCII [33,122] | ASCII [33,122]
Password: Maximum Length | 50 | 32 | N/A | 18 | 32 | 32
Password: Length requiring arrow password | N/A | 16 | N/A | N/A | N/A | N/A
Arrow Password: Disable | 0 | 0 | 0 | 0 | N/A | N/A
Arrow Password: Enable / Min Length | 1 | 1 | 1 | 1 | N/A | N/A
Arrow Password: Enable / Max Length | 8 | 8 | 8 | 8 | N/A | N/A
20 (tested)
Maximum number of users 255 15 Not limited 255 255
expandable

Devices Rules – Constraints Table

9.3.1 SELECT A SUBSET OF USERS


For the current scope, and each device type / firmware defined in the constraint file, you will have to select a subset
of users.
To select a subset of users, do the following:

• From the top-left button, select the Devices Rules option.


The elements to be selected appear on screen.

• Select the scope using the drop-down list.


• Select the desired device type/firmware using the drop-down list.
• Then, drag and drop the desired users or click a user and then click the > button.
• Repeat this operation until the maximum number of authorized users is reached.
___________________________________________________________________________________________
Note
The subset of selected users must contain a user with high privileges on Cybersecurity Admin Expert
(SecurityAdmin for example):

• Click Save button to save these parameters.

For more details, please refer to Push Configuration Issue, where Use Case #3 contains an example
of creating a subset of user accounts.
___________________________________________________________________________________________
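The check behind the Best Practice Note and Use Case #3, as an added example (not CAE code): it applies the login and password limits from the constraints table to a list of accounts and reports, per device type, which accounts fit and whether a subset of users is mandatory. The account list, the function names and the `required_login` parameter are assumptions of the example, and the maximum-number-of-users limit is not encoded.

```python
from dataclasses import dataclass
from typing import Optional

ASCII_MIN, ASCII_MAX = 33, 122  # "ASCII [33,122]" in the constraints table


@dataclass(frozen=True)
class Rule:
    login_min: int
    login_max: int
    pwd_min: Optional[int]       # None: no fixed value in the table
    pwd_max: Optional[int]       # None: N/A in the table
    pwd_ascii_range: bool = True  # False: "Depends on password complexity"


# Login and password limits transcribed from the Devices Rules constraints table.
RULES = {
    "CAE": Rule(4, 16, None, 50, pwd_ascii_range=False),
    "P40": Rule(4, 16, 1, 32),
    "P30": Rule(4, 20, 1, None),
    "C264": Rule(4, 16, 1, 18),
    "EcoSUI": Rule(4, 16, 1, 32),
    "Gateway": Rule(4, 16, 1, 32),
}

# Constructed accounts for the demonstration; not real credentials.
SAMPLE_ACCOUNTS = [
    ("SecurityAdmin", "Adm1n-Pass-2018"),
    ("jsmith", "Tw3nty-Chars-Pass-20"),  # 20 characters, as in Use Case #3
    ("viewer01", "View-0nly"),
]


def _in_range(text):
    """True when every character code lies in [33,122]."""
    return all(ASCII_MIN <= ord(ch) <= ASCII_MAX for ch in text)


def violations(login, password, device_type):
    """List the constraints one account breaks for one device type.

    Messages carry lengths only, never the password itself.
    """
    rule = RULES[device_type]
    found = []
    if not rule.login_min <= len(login) <= rule.login_max:
        found.append(
            f"login length {len(login)} outside [{rule.login_min},{rule.login_max}]")
    if not _in_range(login):
        found.append("login has characters outside ASCII [33,122]")
    if rule.pwd_min is not None and len(password) < rule.pwd_min:
        found.append(f"password length {len(password)} below minimum {rule.pwd_min}")
    if rule.pwd_max is not None and len(password) > rule.pwd_max:
        found.append(f"password length {len(password)} exceeds maximum {rule.pwd_max}")
    if rule.pwd_ascii_range and not _in_range(password):
        found.append("password has characters outside ASCII [33,122]")
    return found


def plan_subsets(accounts, device_types, required_login="SecurityAdmin"):
    """Per device type: accounts that fit, accounts that do not, and whether
    a subset is mandatory (at least one account breaks a rule).

    required_login is a hypothetical parameter naming the high-privilege
    account that the subset must contain.
    """
    plan = {}
    for dev in device_types:
        eligible, excluded = [], {}
        for login, password in accounts:
            problems = violations(login, password, dev)
            if problems:
                excluded[login] = problems
            else:
                eligible.append(login)
        plan[dev] = {
            "eligible": eligible,
            "excluded": excluded,
            "subset_mandatory": bool(excluded),
            "has_privileged": required_login in eligible,
        }
    return plan


if __name__ == "__main__":
    for dev, result in plan_subsets(SAMPLE_ACCOUNTS, ["C264", "EcoSUI"]).items():
        print(dev, result)
```

Running it against the two device types of Use Case #3 shows the 20-character password excluded for C264 only, so a subset is mandatory there and not for EcoSUI.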

9.4 IMPORT / EXPORT DATABASE


9.4.1 IMPORT A DATABASE
CAE can import data into the database from files containing XML data. This is useful to restore a backup of a
database, or to update existing tables.

By default, only the role SECADM is authorized to import.

EXPORT / IMPORT PASSWORD RULE

The Export feature makes backups of all CAE data, including passwords. After importing
a backup, the customer therefore has to know the password that was active at the date of the backup.
Note: Failing to follow this instruction will make it impossible to establish access to CAE.

To import the Security Database, do the following:

• Click on the Import button from the CAE toolbar, or open the Security Configuration Editor tab and choose
the option on the left
• Click the Browse button and locate the xml file to be imported.

Figure 69: Database importation

• Then, click the Import button to start the import process.



9.4.2 EXPORT A DATABASE


CAE can export (to an xml file) all the security-related statements that are declared in the CAE database, for
example:
• All the users
• All the user-defined roles
• All permissions at database level
• All permissions at the device level
This feature is protected by a permission defined in CAE itself.
From factory settings, only the role SECADM is authorized to export.
To export the Security Database, do the following:
• Click on Export button from CAE toolbar or open the Security Configuration Editor tab, choose on
left the option Import/export and click on Export Button
The Save as window appears on screen and you are prompted to provide:
• The path to save the database xml file.
• The filename
• Click Save.

10. APPENDIX
10.1 SECURITY LOGS CATEGORY LIST
The emission of security logs depends on well-known security standards. The next table lists the security log
categories available for each standard:

Log ID | SEVERITY | EXPLANATION | Standards (CS Phase 2, CS Phase I, NERC CIP, IEEE 1686, IEC62351, BDEW, E3)
CONNECTION_SUCCESS | INFO | Successful connection | X X X X X
CONNECTION_FAILURE | WARNING | Unsuccessful connection (wrong credentials) | X X X X X
CONNECTION_FAILURE_AND_BLOCK | EMERGENCY | Unsuccessful connection (wrong credentials) triggering the blocking of the account on the IED | X X X X X
CONNECTION_FAILURE_ALREADY_BLOCKED | EMERGENCY | Unsuccessful connection because of a blocked user ID on this IED | X X X X X
DISCONNECTION | INFO | Disconnection triggered by the peer / user | X X X X X
DISCONNECTION_TIMEOUT | INFO | Disconnection triggered by a timeout | X X X X X
CONTROL_OPERATION | INFO | Trace and control / override of real data from a peer | X
CONFIGURATION_DOWNLOAD | INFO | Download of the configuration file (CID) from the device | X
CONFIGURATION_UPLOAD | INFO | Upload of a new configuration file (CID) into the device | X
FIRMWARE_UPDATE | INFO | Upload of a new firmware in the device | X
RBAC_UPDATE | INFO | Update of the RBAC cache or security policies in the IED | X X
SECURITY_UPDATE | INFO | Update of the Security policy database | X X
DSS_UPDATE | INFO | Update of the DSS database | X X
SEC_LOGS_RETRIEVAL | INFO | Retrieval of the security logs of the IED | X
TIME_CHANGE | INFO | Modification of the time of the IED | X
TIME_DRIFT | INFO | Unexpected time signal outside of tolerance | X X
REBOOT_ORDER | EMERGENCY | Reboot order sent to the IED | X X
PORT_MANAGEMENT | INFO | Any port, either physical (Serial, USB) or logical (telnet, FTP) activation / deactivation | X
NETWORK_PORT_STATUS_CHANGE | WARNING | Any network physical port status change. Can be the simple status of a Ethernet port, or information gathered from RSTP / HSR / PRP algorithm for redundant systems | X X
NETWORK_TOPOLOGY_CHANGE | WARNING | Any topology change detected from RSTP / HSR / PRP algorithms for redundant systems | X
AUTHORIZATION_REQ | INFO | Any authorization request sent to the CS application | X X X
FILESYSTEM_ACCESS_ERROR | INFO | Failure to access a file (different access modes: read/write/etc…). | X
INTEGRITY_CHECK_ERROR | INFO | Integrity (hash) error. | X
SIGNATURE_CHECK_ERROR | INFO | Error during signature verification of data/firmware | X
OPERATING_MODE_CHANGE | INFO | Program Operating Mode change (Run, Stop, Init, …) | X
HARDWARE_CHANGE | INFO | Hardware change (SD card insert, replacement of a module, … ) | X
CERT_RENEW | INFO | Device had to renew its local key and certificate | X
CERT_SIGN | INFO | Certificate signing request | X
CERT_EXPIRE | INFO | Certificate expired | X
CS_ATTACK_DETECTED | INFO | Detection of intentional attack on system security. | X
DEVICE_FAILURE | INFO | Failure of critical functions of the device. | X
DEVICE_BACKUP | INFO | Backup of part or total of device firmware/configuration | X
DEVICE_RESTORE | INFO | Restore of part or total of device firmware/configuration | X
LOSS_OF_LOG | INFO | A corruption is detected in parsing of the filestorage module. | X

Table 1: Security logs Model
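An added example (not part of CAE or of this guide) that triages a SAM log list exported as CSV, using the field names of the Logs Properties table in section 8.5 and the categories of Table 1. It assumes the export has a header row with those field names, a comma delimiter, a space between date and time, and that Type carries the category name; the sample rows, the thresholds and the watch list are constructed for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Column names from the Logs Properties table (header row is an assumption).
FIELDS = ["DateTime", "LogId", "Level", "Type", "AppName", "AppMsg",
          "IssuerId", "IssuerAddr", "PeerId", "PeerAddr"]
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"  # Day/Month/Year Hour:Minute:Second

# Categories reviewed whatever their Level. Table 1 rates several of them
# INFO, so a Level-only filter would hide them. The selection is this
# example's choice, not a CAE setting.
WATCH_TYPES = {
    "CONNECTION_FAILURE_AND_BLOCK", "CONNECTION_FAILURE_ALREADY_BLOCKED",
    "REBOOT_ORDER", "CS_ATTACK_DETECTED", "INTEGRITY_CHECK_ERROR",
    "SIGNATURE_CHECK_ERROR", "LOSS_OF_LOG",
}

# Constructed sample export (documentation IP range, invented device names).
SAMPLE_CSV = """\
DateTime,LogId,Level,Type,AppName,AppMsg,IssuerId,IssuerAddr,PeerId,PeerAddr
12/07/2018 08:00:05,1001,INFO,CONNECTION_SUCCESS,App,Login accepted,IED-01,192.0.2.10,secadmin,192.0.2.50
12/07/2018 08:01:10,1002,WARNING,CONNECTION_FAILURE,App,Wrong credentials,IED-02,192.0.2.11,jsmith,192.0.2.77
12/07/2018 08:01:40,1003,WARNING,CONNECTION_FAILURE,App,Wrong credentials,IED-02,192.0.2.11,jsmith,192.0.2.77
12/07/2018 08:02:15,1004,WARNING,CONNECTION_FAILURE,App,Wrong credentials,IED-02,192.0.2.11,jsmith,192.0.2.77
12/07/2018 08:02:20,1005,EMERGENCY,CONNECTION_FAILURE_AND_BLOCK,App,Account blocked,IED-02,192.0.2.11,jsmith,192.0.2.77
12/07/2018 09:30:00,1006,INFO,SIGNATURE_CHECK_ERROR,App,Firmware signature,IED-01,192.0.2.10,engineer,192.0.2.50
13/07/2018 10:00:00,1007,WARNING,CONNECTION_FAILURE,App,Wrong credentials,IED-01,192.0.2.10,viewer01,192.0.2.50
"""


def parse_logs(text):
    """Parse the exported CSV into dicts sorted by time."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    records = []
    for row in reader:
        row["DateTime"] = datetime.strptime(row["DateTime"].strip(), TIME_FORMAT)
        records.append(row)
    return sorted(records, key=lambda rec: rec["DateTime"])


def find_alerts(records, threshold=3, window=timedelta(minutes=5)):
    """Return (time, reason, IssuerId, PeerAddr) tuples in time order.

    Two rules: any category on the watch list, and `threshold` or more
    CONNECTION_FAILURE events from one PeerAddr against one IssuerId
    within `window` (reported once per pair).
    """
    alerts = []
    recent = defaultdict(deque)  # (IssuerId, PeerAddr) -> recent failure times
    reported = set()
    for rec in records:
        kind, when = rec["Type"].strip(), rec["DateTime"]
        key = (rec["IssuerId"], rec["PeerAddr"])
        if kind in WATCH_TYPES:
            alerts.append((when, kind, *key))
        if kind == "CONNECTION_FAILURE":
            times = recent[key]
            times.append(when)
            while when - times[0] > window:
                times.popleft()
            if len(times) >= threshold and key not in reported:
                reported.add(key)
                alerts.append((when, "CONNECTION_FAILURE_BURST", *key))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_logs(SAMPLE_CSV)):
        print(*alert)
```

Matching on Type rather than Level is deliberate: SIGNATURE_CHECK_ERROR in the sample is rated INFO, as in Table 1, and would not appear in a view filtered to WARNING and above.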



CYBERSECURITY (CS)

CONTENT
1. SCOPE OF THE DOCUMENT
2. DOCUMENTATION REFERENCE
3. CYBERSECURITY POLICY
3.1 Encryption
3.2 Password
3.2.1 Privileges and Default password
3.2.2 Security Policy
3.3 Security logs
3.4 Antivirus
3.5 Hardening

1. SCOPE OF THE DOCUMENT


This document describes the measures taken and the tools used to decrease the risk of attacks, and helps to ensure
Confidentiality, Integrity, Availability / Authentication and Non-Repudiation.

2. DOCUMENTATION REFERENCE
Document | Title
PACiS CS-SCS_EN_TG_D30 | PACiS System Cybersecurity (SCS) User Guide
PACiS CS-HARDENING_EN_AN_E20 | PACiS HARDENING Application Note

Table 2: Reference Documents

3. CYBERSECURITY POLICY

3.1 ENCRYPTION
This product contains a cybersecurity function, which manages the encryption of the data exchanged through some
of the communication channels. The aim is to protect the data (configuration and process data) from any corruption,
malice, attack. Subsequently, this product might be subject to control from customs authorities, and it might be
necessary to request special authorization from these customs authorities before any export/import operation. For
any technical question relating to the characteristics of this encryption please contact your Customer Care Centre -
www.schneider-electric.com/CCC.

3.2 PASSWORD
A password is required to place a command or set a parameter (whether from the front panel or via a PC-based
application). For this purpose, at some point, the user chooses a profile that depends on the intended activity.
Access without a proper password is denied as soon as the security administrator has defined the passwords.
___________________________________________________________________________________________
Note
Please refer to chapter HI for password configuration.
___________________________________________________________________________________________

3.2.1 PRIVILEGES AND DEFAULT PASSWORD


___________________________________________________________________________________________
Note
Please refer to the documentation “PACiS System Cybersecurity (SCS) User Guide” on chapter FT and
section “RBAC Definition with CAE” for overview and to chapter HI for password details.
___________________________________________________________________________________________

3.2.2 SECURITY POLICY


The Security policy is the collection of all the security parameters that apply to the system. Security policy parameters
are set up by the Security Administrator using the CAE tool.
___________________________________________________________________________________________
Note
Please refer to chapter HI for CAE Security Policy Parameters default definition.
___________________________________________________________________________________________

3.3 SECURITY LOGS


Security logs produced by the application are archived to the SAM device. A Security Logs viewer displays the
security logs and allows sorting them by several criteria (ID, Security Level and UTC time).

Figure 70: Visualize SAM Logs


___________________________________________________________________________________________
Note
Please refer to documentations “SAM User Guide” on section Display Substation Security Logs and “PACiS
System Cybersecurity (SCS) User Guide” on section Security Log Management for details.
___________________________________________________________________________________________

3.4 ANTIVIRUS
Windows-based PCs are vulnerable to viruses.
PCs hosting the non-time-critical CAE application can be permanently scanned.
___________________________________________________________________________________________

Note
To protect the PC with an antivirus solution, please refer to the documentation “PACiS System Cybersecurity
(SCS) User Guide”, section Hardening PC based solution.
___________________________________________________________________________________________

3.5 HARDENING
CAE hardening involves installation operations for:
• Hardening Operating System Windows (7 / 2008 R2 Server / 10)
• Hardening Server 2008 R2 SP2 Enterprise Edition

Hardening depends on the Customer Security Policy. To secure the database program, apply the hardening rules
(Customer Security Policy).
___________________________________________________________________________________________
Note
For CAE integrated on PACiS offer, please refer to the documentation “PACiS HARDENING Application
Note” on section Installation to follow hardening procedures for CAE and the documentation “PACiS System
Cybersecurity (SCS) User Guide” on section Device Hardening for overview.

TROUBLESHOOTING (TG)

CONTENT
1. INTRODUCTION
2. ISSUES
2.1 Installation Issues
2.2 Operating System Network Configuration Issue
2.3 Push Configuration Issue
2.4 Communication Issue

1. INTRODUCTION
This document is a chapter of the Cybersecurity Admin Expert (CAE) manual. It helps troubleshoot the most common
technical issues that might arise with the CAE software.

2. ISSUES

2.1 INSTALLATION ISSUES

Use Case #1: Unsuccessful Installation

Observation: Impossible to install CAE
Possible causes: Issue 1 - If antivirus software is active on the machine, the antivirus can stop the
CAE installation procedure

Possible resolution: Procedure for Issue 1
• Deactivate or uninstall the antivirus software
• Re-launch the CAE installation
• Reactivate or re-install the antivirus software

Recommendation: The identified antivirus software is Avast

2.2 OPERATING SYSTEM NETWORK CONFIGURATION ISSUE


Use Case #1: Operating System Network Configuration Issue

Observation: Clicking the Refresh button in the Network Device List view may result in
unexpected behavior:
• IED list extremely slow to display
• Empty IED list
• '...waiting...' message permanently displayed in the IED Name column

Possible causes: Please check the following points:

Issue 1 - Content of routing tables is not up-to-date
Some operations can leave the routing tables (IP / MAC address mapping table) out of sync.
For example, on a PC with 2 Ethernet ports, switching cables
from Ethernet plug #1 to Ethernet plug #2 can lead to this situation.

Issue 2 - Usage of Virtual Network Ports
Depending on the software/hardware installed on the PC, some virtual network ports can
be opened by the operating system.
Examples of software/hardware using virtual network ports:
• Virtual machines
• VPN connection
• USB/Ethernet adapters

Possible resolution: Procedure for Issue 1
• Exit the CAE application to reset the routing tables (any other appropriate method
is acceptable).
• Restart CAE and, in the Network Device List view, click Refresh

Procedure for Issue 2
• Deactivate or uninstall the software/hardware that opens virtual network
ports.
• Restart CAE and, in the Network Device List view, click Refresh

Recommendation: To avoid communication problems between CAE and devices, we recommend linking
the CAE application and the devices through a point-to-point Ethernet connection.

2.3 PUSH CONFIGURATION ISSUE

Find the following exception use cases after a Push configuration:

Use case #1 IED is not connected


Observation • Click the Send to All button in the Network Device List;
• This Alert message is displayed:

Alert message example

• CAE does not allow the configuration to be sent, and the device has not been
configured.

Possible causes • The connection to the device cannot be established
• User not recognized
• RBAC in device invalid

Possible resolutions • Check the network link
• Check, for each IED, the communication link
• Restore security configuration from factory

Use case #2 A type of device does not exist


Observation • Click the Send to All button in the Network Device List;
• This Alert message is displayed:

Alert message example

• CAE does not allow the configuration to be sent, and the device has not been
configured.

Possible cause A type of device is not included in the list of Element To Secure.

Element to Secure List example

Possible resolution • Add the corresponding new ETS type to the list of Element To Secure.

Use case #3 User password length is out of limit for a device type

Observation • Click the Send to All button in the Network Device List;
• The Alert message is displayed:

Device constraints information example

• CAE does not allow the configuration to be sent, and the device has not been
configured.

Possible cause The password length is out of limit for a device.


This use case appears under this condition: the password length defined for the current
user profile exceeds the limit for a device type.

Note: The maximum password length depends on the type of device.
Please consult the table in §Devices Rules for details.
For example: the password length of the user “John Smith” is 20. The RBAC configuration
is sent to 2 types of device (C264 and EcoSUI):

                 Password length   Note
User             20                The user password length should be less than 18 !
Type: C264       18 maximum        Definition is included on the Constraints Table in §Devices Rules
Type: EcoSUI     32 maximum        Definition is included on the Constraints Table in §Devices Rules

Possible resolution If the user password length cannot be reduced, the solution is to modify the device rules
by creating a subset of users.

The device rules modification procedure below is based on the previous
“John Smith” example:

Action                                                                  Result
• Select on Security Administration > Devices Rules tab
• Select device type with password length less than 20 (Type: C264)
• Select the user (John Smith)
• Add (> button) the user selected as subset of users
• Save button
• OK button and push the configuration operation                       The RBAC files have been sent to devices.
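
The check behind use cases #2 and #3, written out as an added example that can be run before a push; it is not part of CAE or of the original guide. The function names, the "Jane Doe" user and the sample inputs are constructed for illustration; the two limits are the ones quoted in the example above.

```python
from dataclasses import dataclass

# Limits quoted in the example above; the full list is the Constraints Table
# in §Devices Rules. Everything else in this block is constructed.
MAX_PASSWORD_LENGTH = {"C264": 18, "EcoSUI": 32}

@dataclass(frozen=True)
class Finding:
    use_case: int     # 2 = type missing from the list, 3 = password too long
    device_type: str
    user: str         # empty for use case #2
    detail: str

def check_push(users, target_types, ets_types, limits=MAX_PASSWORD_LENGTH):
    """Return the findings that would block a push (hypothetical helper).

    users        -- {user name: password length}
    target_types -- device types the RBAC configuration is sent to
    ets_types    -- device types present in the Element To Secure list
    limits       -- {device type: maximum password length}; a listed type
                    with no entry here raises KeyError rather than passing
    """
    findings = []
    for dev in sorted(set(target_types)):
        if dev not in ets_types:
            findings.append(Finding(2, dev, "", "not in Element To Secure list"))
            continue
        limit = limits[dev]
        for name, length in sorted(users.items()):
            # The page's condition is "exceeds the limit", so a length equal
            # to the maximum is accepted here.
            if length > limit:
                findings.append(
                    Finding(3, dev, name, f"length {length} > {limit} maximum"))
    return findings

def users_to_select(findings):
    """Per device type, the users to pick in the Devices Rules tab."""
    subset = {}
    for f in findings:
        if f.use_case == 3:
            subset.setdefault(f.device_type, []).append(f.user)
    return subset

if __name__ == "__main__":
    sample_users = {"John Smith": 20, "Jane Doe": 18}  # "Jane Doe" is constructed
    for f in check_push(sample_users, ["C264", "EcoSUI"], {"C264", "EcoSUI"}):
        print(f)
```

With the guide's values, only the pair (John Smith, C264) is reported, which is the user and device type selected in the procedure above.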

2.4 COMMUNICATION ISSUE

Use Case #1 Inoperative Communication


Observation Impossible to communicate with CAE
Possible causes The Transport Layer Security (TLS) protocol is required to communicate properly with
a device for which the communication is configured in secure mode. However, the
TLS library is not available on Windows XP.
Possible resolution Use a supported operating system.
Recommendation Do not use the Windows XP platform.
GLOSSARY CAE/EN LX/E20
CAE Documentation Page 136/141

GLOSSARY (LX)

NAME DESCRIPTION

AOR Area Of Responsibility


Business Service Layer This layer coordinates the application, processes commands, and makes logical
decisions and calculations according to the business rules

CAE Cybersecurity Admin Expert.
Software used by Security Administrator to manage substation security
Data Layer Consists of the domain-related objects and their relationships that are manipulated
by the user during the interaction with the software

DPWS Device Profile for Web Services

ETS Element To Secure.
An ETS is an entity that represents a tool, utility or application function block that
can be protected within the tool suite. It gathers a list of corresponding permissions
with their set of values. This list is pre-defined and cannot be edited by any business
user; only the security administrator can edit it.
The same ETS can be associated with many roles with different sets of authorizations.
HMI Human Machine Interface.

IED Intelligent Electronic Device.
It is a power industry term to describe microprocessor-based controllers of power
system equipment (e.g. circuit breaker, transformer, etc.)
LAN Local Area Network
Logs All the operations related to the security (connection, configuration…) are
automatically caught in events that are logged in order to provide a good visibility
of the previous actions to the security administrators.
PACiS Protection, Automation and Control Integrated Solutions
Permission Level of access applied to system elements. A user assigned a role that possesses
the matching permission can access it.
RBAC Role Based Access Control.
Authentication and authorization mechanism based on roles granted to a user.
Roles are made of rights, themselves being actions that can be applied on objects.
Each user’s action is authorized or not based on their roles.
Role Defined set of permissions that are assigned to specific users.
A role is a logical representation of a person's activity. This activity authorizes or
forbids operations within the tool suite through the permissions that are associated with
the role. A role needs to be attached to a user account to have a real purpose.
SAM Security Administration Manager.
Device in charge of security management on an IP over Ethernet based network
Scope The nodes of the hierarchy are viewed as scopes and can be secured
independently. Each node could include some roles and user accounts defined in
the tool suite and create a specific security policy.
Security Administrator User of the system authorized to manage its security

Security Policies System security policies are security settings that are applied throughout the entire
secured system. These policies generally refer to the use of standards but not only.
They are used to define any security related configuration shared between all the
devices. Some examples of security policies: Log security events as requested by
BDEW standard; Use NERC passwords
SNMP Simple Network Management Protocol (SNMP) is an Internet-standard protocol
for managing devices on IP networks.
Syslog Protocol defining system logs events service and how to exchange these logs.
System The document refers to the word “System”. The “System” is also called “Digital Control
System for Substation Automation”.
TAT Transfer Administration Tool
TLS Transport Layer Security protocol

TSF Tool Suite Foundation (Schneider-Electric Framework).

UA User Account.
A user account is a logical representation of a person with some configurable
parameters. It includes information about the user identity and gives the user a login to
be recognized within the tool suite.
A user account is mainly of interest when it is associated with roles that
grant the user authorizations.
UDP User Datagram Protocol
User User accounts for individuals or groups to restrict access to the runtime system.
Login user names and passwords need to be set up.
Customer Care Centre
http://www.schneider-electric.com/CCC

 2018 Schneider Electric. All rights reserved.

Schneider Electric
35 rue Joseph Monier
92506 Rueil-Malmaison
FRANCE
Phone: +33 (0) 1 41 29 70 00
Fax: +33 (0) 1 41 29 71 00
www.schneider-electric.com Publishing: Schneider Electric
Publication: CAE/EN UG/E20 07/2018
