Release Notes

MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

1 Products
MicroSCADA Pro SYS600 9.4 Featurepack 2

2 Corrections and improvements

2.1 Base System

2.1.1 Control Panel

SYS600 Control Panel and Notify Window positioning

SYS600 Control Panel and Notify windows is now ensured to open in the visible monitor area.

2.1.2 Hot-Stand-By

Stand-by base system problem

The stand-by base system became unstable after a takeover situation when stand-by base system was declined to
go hot in shadowing command procedure SHADGOHOT. The shadowing functionality would not recover after the
incident until the stand-by base system was restarted.

Crash at hot stand-by take-over

A take-over would not succeed if an event handling object with big value of attribute VC (Value Count) existed in
an application. The problem would occur only if the Value Count was bigger than 16384.

Shadowing start failure in HSB start-up

When both MicroSCADA systems of an HSB system were started at the same time it was possible that the shadowing
start failed. Due to a timing issue it was possible that mirroring actions were performed before the mirroring host
database was completely dumped to stand-by system. The consequence of the timing issue - shadowing receiver
process crash - was possible to occur in a system with a large pcnet configuration.

Approved Document id. Rev. Lang. Page

April 23, 2019 1MRS257740 en 1 of 16

2 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

2.1.3 Mirroring

Scaling of substituted analog values in mirroring

When analog input value of a process object was substituted in a mirroring HOST application then the substituted
value was scaled and mirrored to IMAGE application. A substituted analog input value in HOST process database
shall not be scaled in mirroring.

Mirroring stopped after shadowing take-over

The issue is related to reconfiguration of process objects in a redundant system where mirroring functionality is
used to transfer process data from SCADA frontend (host) to the SCADA server (image). When all process objetcs
related to an RTU are deleted then the mirroring of the station is deactivated. When the process objects are re-created
the mirroring of the station is again activated. The reactivation of mirroring in an image system was not correctly
replicated to the stand-by application resulting to a situation where the values were not transferred from the
front-end (host) to the server (image).

2.1.4 Network Topology Coloring

Configurable behavior for devices in manual state

Network Topology Model is extended to have a new boolean variable "MANUAL_AS_UNCERTAIN". When this variable
is set to true value, all switching devices which are in manual state will propagate uncertain network feed state. The
variable can be set using NETWORK_TOPOLOGY_MANAGER SCIL function SET_MANUAL_AS_UNCERTAIN.
Example where "MANUAL_AS_UNCERTAIN" is set to TRUE for network topology model named "TEST_MODEL":
NETWORK_TOPOLOGY_MANAGER("SET_MANUAL_AS_UNCERTAIN", "TEST_MODEL", TRUE)
The network topology model must be in STOPPED state when the value is changed. The default value for new network
topology models is FALSE.

Topology Calculation
Topology calculation for feeders is optimized. Calculation is triggered only when topologically significant change
in process data occurs.

Topology Coloring
Topology coloring of the devices is enhanced to correctly indicate the device status also when the topology coloring
is turned off. For example OS (Object Status) value 10 is indicated with '?' symbol also when the topology coloring
is turned off.

2.1.5 OPC DA Server

Dynamic OPC Item Properties in SYS600 OPC DA Server

OPC specification defines standard set of OPC Item property identifiers having special meaning. An issues where
SYS 600 OPC DA server was not able to display dynamic OPC Item property id's 2-4 is now fixed. OPC Item property
definitions for these items are, 2="Item Value" 3="Item Quality" 4="Item Timestamp".
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 3

2.1.6 Process and report database

Missing measurement scaling

In a redundant station configuration when the connection to the IED via the currently active STA object has been
lost, the connection switches to use the stand-by STA object. The buffered events from stand-by STA are browsed
and new events (the events not received via the lost connection) are fed into the process database. Scaling of such
a new buffered analog value was not performed causing a wrong value be added into the process database.

2.1.7 Startup

Corrupted UAL log file prevents startup of MicroSCADA

Corrupted UAL log file(s) occasionally prevented MicroSCADA startup completely and caused storing of UAL events
to fail. Whenever corrupted UAL log file is encountered it is renamed with a timestamp trailing its file extension and
a new log file is created in place.

2.1.8 Visual SCIL

Mouse wheel scrolling in Visual SCIL

Mouse wheel scrolling in Visual SCIL drop-down list caused unexpected behavior.

2.1.9 Historian interface

SYS600 Event Handling texts in Historian

Historian visualizes SYS600 binary objects (BI and DB) using SYS600 Event Handling State Texts. Double Binary
object requires 4 state texts to indicate each possible state. Now all 4 state text entries are created to Historian.

Connection address to Historian database

SYS600 connection to Historian database can be established using Secure WebSocket communication since Historian
1.2. The default connection string has been updated accordingly to wss://<host>/history in the database logging
profile configuration.
Since Historian 1.2 earlier communication and address syntax tcp://<host>/<computer_name>-RTDB cannot be
used any more as default. Until Historian 1.1 the previous syntax is still valid.

2.2 COM500i

2.2.1 Signal Routing

Reset process command

Command procedure COM_RESPRC returned SCIL error, if IEC 60870-5-101/104 master issued a reset process
command and any signals have not cross-referenced in Signal X-References tool.

Command termination not working for 5AO command type

If an indication was connected for 5 Analog Output command type, a command termination was not sent to NCC.

Invalid time blocked a control to IED

If status of Loc- or LocSta process object was Time Invalid, a command was blocked to IED.
4 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

Handling of reset process command ASDU <105> improved with IEC60870-5-101 slave
Handling of the ASDU <105>, Reset Process Command has been improved with IEC60870-5-101 slave. The command
definition field QRP (Qualifier of reset process command) value <2> = 'reset of pending events' is now supported
as a new feature and it clears spontaneous events from queues. QRP value <1> = 'general reset of process' clears all
pending events. No other QRP values but 1 and 2 are accepted.

Handling of reset process command ASDU <105> improved with IEC60870-5-104

slave
Handling of the ASDU <105>, Reset Process Command has been improved with IEC60870-5-104 slave. The command
definition field QRP (Qualifier of reset process command) value <2> = 'reset of pending events' is now supported
as a new feature. Events are cleared from queues but TCP/IP connections are not closed. QRP value <1> = 'general
reset of process' clears the pending events and temporarily closes the TCP/IP connections of redundancy group in
question. No other QRP values but 1 and 2 are accepted.

2.2.2 Signal X-References Tool

Maximum amount of cross-references have been increased.

Maximum amount of the cross-referenced indications have been increased from 14000 to 50000.

2.3 Communication

2.3.1 DuoDriver

PTP signals in network

DuoDriver caused system crash, if PTP signals were connected to network.

2.3.2 IEC 61850 OPC Server

Repeated FileOpen in MMS Filetransfer

In case the MMS Filetransfer responses from IED are delayed, it was possible that a repeated FileOpen request for
the rest of the available files is sent. This was incorrect and may have caused problem in the IED. The modification
is that the repeated FileOpen is not sent anymore.

General interrogation information included to OPC Updates

In order to separate spontaneous updates from values updated due to General Interrogation (RCB initialization),
the vendor specific bit 15 of the Quality field is set in OPC updates caused by GI. Previously, the meaning of this bit
was 'Inaccurate'. External OPC DA client utilizes this information so that values are correctly updated also when the
IEC61850 IED has not been synchronized when it has recorded events.

Communication Engineering Tool -shortcut moved

The shortcut 'Communication Engineering Tool' has been moved to a new folder in the Start Menu. It's new location
is 'MicroSCADA Pro Control System SYS600\61850 OPC Server'.
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 5

2.3.3 PC-NET

DNP 3.0 Master: One-byte response fragment causes disconnection

In case the DNP3.0 message length was 7 i.e. it contained one byte of application layer data, the message has not
been accepted and in TCP/IP mode, the connection has also been closed temporarily. This functionality may have
lead to useless suspensions and message re-transmissions which have occurred randomly. The defect has been
present in version 9.4FP2 but not in older versions.

IEC 60870-5-104 Master: Random buffer loss

A random buffer loss and buffer pool exhausting may occur when IED is suspended due to network error. This has
been visible as normal buffer pool error using Windows 2008 R2 but it may affect priority pool as well and appear
also in other Windows versions.

IEC 60870-5-104 Master: The change of logical connection improved

If the switch of the logical connection has been requested using station attribute AC while existing connection is
functional, a TCP disconnection or a permanent slow-down of the communication with the new active connection
may have occurred. The probability of situation has increased with high load. Modification has an effect only when
redundancy is used.

IEC 60870-5-104 Slave: Select-execute checking for set points

Using station attribute RM, bit 11, it is possible to enable select-execute checking for set point ASDUs <48>..<50>
and <61>..<63>, similarly to single and double commands using RM bit 4. The difference is that select-execute
checking for set points is disabled by default.

IEC 60870-5-104 Slave: Buffer pool size increased

The buffer pool size of the IEC 60870-5-104 slave line has been increased to fixed value 2000. Line attribute PS is
meaningless.

IEC 60870-5-104 Slave: Confirmation class change caused troubles

If SCIL application has used optional parameter PRIO in station attribute CF and a transmission queue of that
confirmation message is defined to be different from the one in permanent configuration (defined with station
attribute RM, bit 2), data loss or even a deadlock in communication may have occurred. Standard COM500i signal
routing application does not use parameter PRIO of attribute CF.

IEC 60870-5-104 Slave: Command confirmation queue selection didn't work

Previously command confirmation message queue selection with Command Confirmation (CF) attribute didn't work
as described in the manual. The queue 2 setting produced a malformed message. Now the queue selection with CF
attribute works correctly.

IEC 60870-5-104 Slave: Incorrect COT=46 confirmation message

If STA object was configured to send cause of transmissions 44..47 (RM bit 8) and an command having unconfigured
CAA (Common Address of ASDU) was received, the response having cause of transmission 46 (Unknown Common
address of ASDU) contained the configured CAA (= station attribute SA) instead of the one which was present in
the incoming command. The functionality has been against IEC60870-5-104 standard but does not appear in real
systems because the masters usually use CAA values which match with the configured value in slave STA object.
The modification is that the negative confirmation using COT=46 is responded with the CAA of the incoming
command.
6 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

IEC 60870-5-104 Slave: Active connection change in redundant setup improved

The changing of the logical connection while both connections are operating has been improved. Before the
modification, a temporary TCP disconnection may have occurred especially in high load situation. The modification
is meaningful only when redundancy for IEC6087-5-104 slave line has been configured.

IEC 60870-5-104 Slave: Event queue resetting using attribute RS did not clear
everything
If event queues were cleared using RS attribute, e.g. with value 3 which means that everything is cleared, it had no
effect on events which were already transmitted but which were waiting for acknowledgement from master. If
TCP/IP disconnection occurred, it was possible that the same events were retransmitted after a new connection
was established, despite of the RS writing which had been made. The fix is that RS writing has an effect on pending
events as well.

IEC 60870-5-104 Slave: Event queues extended

The event queues have been extended to store up to 3000 messages / queue. The default queue length defined
with station attribute AQ is unchanged from 200 but more buffering space is allocated if bigger value is given to
attribute AQ. Increasing the value of AQ may be needed if the amount of the cross-referenced points is big or there
are long communication breaks in NCC communication. For more information, see the description of station attribute
AQ from protocol specific manuals (IEC60870-5-101 or 60870-5-104 Slave protocol).

Modbus Master: Modbus RTU/ASCII over IP supported

Using line attribute OM, bit 1, it is now possible to configure Modbus TCP RTU Master or Modbus TCP ASCII Master
line to operate in 'serial over IP' mode i.e. the messaging is similar to serial versions of Modbus. Otherwise the
configuration is unchanged from normal Modbus TCP. This new mode can be used if the remote device does not
support standardized Modbus TCP or the serial Modbus is tunneled to TCP/IP as such.

2.4 External OPC DA Client

2.4.1 OPC DA Client

Highest vendor specific quality bit indicates GI with IEC61850 OPC Server
In case the used OPC server is SYS600 IEC61850 OPC Server and the bit 15 of the data item quality is set, it indicates
that the update is from general interrogation and this update is never marked as 'buffered'. The benefit is that all
values, including ones having invalid or old timestamp are updated to process objects without a need to issue a
#SET STAx:SUP=1 command in startup.

2.5 Monitor Pro

2.5.1 Alarm Display

Font in Alarm Row

Font in Alarm Row and other dropdown boxes in Monitor Pro is now fixed.

Alarm acknowledgement handling

An alarm can be raised by out of range value (attribute OR) or value overflow (attribute OF). When the alarming
object is changes to normal, not alarming value, the alarm was automatically removed from the alarming objects
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 7

list without alarm acknowledgement. This issue is now fixed and the object remains in fleeting alarm state if the
alarm receipt requirement (attribute RC = 1) is set.

2.5.2 Application Window

Command line arguments closeonce and logoutonce with extended functionality

There are now the following extensions added to closeonce and logoutonce command line arguments:
-closeonce{:all} Close all Monitor Pros with appropriate user that have the argument defined.
Ignore user with all argument.
-logoutonce{:all} Logout from all Monitor Pros with appropriate user that have the argument defined.
Ignore user with all argument.
The command line arguments are backwards compatible.

Text Center Alignment in Monitor Pro

Setting text alignment to center had a slight offset since 9.4. Manual adjustments to centering, for example with
spaces, is no longer needed and should be removed from symbols.

Monitor Pro Language Support

Monitor Pro login using unicode locale settings may have failed due to failed character decoding. This is now
improved to support all windows locale settings.

Object Not Found Dialog on Locate Object in Monitor Pro Menu Item Configurable
Additional parameter in Framewindow.ini can be used to configure, whether to show the object not found dialog
when navigating from list views to process display via Locate object in Monitor Pro -menu item and the selected
LN:IX combination isn't found in the display.
Hiding the dialog can be done by setting "HideObjectNotFoundOnLocate" value to 1 in Framewindow.ini under
MPROUI section.

2.5.3 Context menus

Instance specific context-menu items in Monitor Pro+

Instance specific context-menu items, the items in \menus\instances, in Monitor Pro+ are now shown.

2.5.4 DMS600 Integration

User settings folder

SYS600 created user specific folder structures using internal session id as a folder name. This happened when
SYS600 Monitor Pro(+) was started from DMS600. The issue is now fixed and user specific folders are created using
the logged in user name.

2.5.5 List Displays

Alarm list visible columns

It was possible to write the visible columns list longer than the configuration reader was able to read back. This
cause unexpected behavior. when the Alarm list was opened. The file reader now supports maximum size ini file
line length to prevent this issue.
8 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

Show all signals setting in Blocking Display with Preconfiguration

Show all signals setting is now honored also when preconfiguration is loaded.

Alarm list data visualization

Alarm list data is automatically sorted based on the received alarm time information. In special cases the alarm
time can be undefined and the time comparison will fail due to different data types. This issue is now handled and
alarm time comparison failure will not cause any side effect.

2.5.6 Measurement Reports and Trends Display

The length of the Operation in Report Page configuration

The length of the Operation is not limited in configuration phase. However, if the Operation contained over 100
characters, it was not possible to open the report page at run time. This limitation is now removed.

2.5.7 Migration

Display migration
SYS600 display migration process (MigrationTool.exe) exit handling, is improved to exit without Windows event
log exception entries when MicroSCADA is stopped.

2.5.8 Pipeline process library

Limit setting in measurement dialog

Measurement limits are not updated when giving the new limit values. In this way the new limits can be given
although measurement value is continuously updated from the process.

2.5.9 Visual SCIL tool integration

Display change events sent with incorrect arguments from Monitor Pro+
When navigating back from list displays to process graphics display change events sent to Visual SCIL tools were
given the list display name instead of the correct process display name.

2.6 Security

Cyber Security > Documentation

Sentinel HASP License Manager
ABB has released a security advisory, see
http://search.abb.com/library/Download.aspx?DocumentID=1MRS257783&LanguageCode=en&DocumentPartId=&Action=Launch.
Hotfix contains fix for vulnerabilities see Installation section for actions before installing the hotfix.
Improper access control
ABB has released a security advisory, see
http://search.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageCode=en&DocumentPartId=&Action=Launch
Due to diverse system installations, vulnerability described in the security advisory is not fixed automatically
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 9

with HF3 installation package.

Follow instructions in the security advisory and technical document after HF3 installation to fix the vulnerability.
Documentation
Secure and insecure protocols are documented in this section.
Unauthenticated and unencrypted plain-text network communications protocols are a security risk. Review Security
column in each table to see whether communication protocol supports authentication and secure communication
(encrypted traffic). Each open TCP/UDP port provides a possible access path for an attacker that can be used to
send exploits and receive data. To mitigate risks:
● Know your network perimeter, zones and conduits. Use firewalls to limit access to machines. Do not mix
Office/Corporate LAN with Industrial Control System LAN.
● All unneeded applications and services (TCP/UDP ports) should be removed/stopped. Use firewalls to limit
access to ports.
● Encrypt communication by using IPSec/VPN tunnels between machines if there is no built-in security mechanism.
● Use latest ABB product versions to get new security enhancements.

See related tables in Appendix A

Cyber Security > Remove MSXML4 (end-of-support)

Cyber Security > Removing MSXML4 (end-of-support)
Microsoft XML parser version 4 (MSXML4) is not supported by Microsoft anymore and some security auditing tools
report this as vulnerability. For more information, see
https://support.microsoft.com/en-us/help/269238/list-of-microsoft-xml-parser-msxml-versions. Some SYS600
software components still used MSXML4 but this dependency has now been removed from software components
in HF3. Before uninstalling MSXML4 from the system users should verify that no other software component in the
system use it, see instructions below.
Verify MSXML4 usage
Note! If the system only has SYS600 installation without any additional software this step can be skipped.
To monitor MSXML4 usage in the system, download SysInternals Process Explorer standalone tool, see
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer. Run this tool in the system where
SYS600 is installed and make sure that software not being part of SYS600 installation is running as well. Instructions:
1. Start procexp tool as administrator
2. Select Find > Find handle or DLL...
3. Enter search term 'msxml' in Process Explorer Search and press Search
4. Review the list and try to find usage of msxml4. If there are software components using msxml4, it cannot be
uninstalled from the system. Update the related software component or contact software vendor.

Uninstall MSXML4
Instructions to uninstall:
1. Remove MSXML4 parser from the system by opening Control Panel > Programs > Uninstall and selecting
Microsoft XML Parser. Uninstall all related security updates as well.
2. Check that the computer does not contain msxml4*.dll anymore. Open Windows Explorer and search for
'*msxml4*'.
3. If there are msxml4 files e.g. in side-by-side directory (SxS), run Disk Cleanup. See instructions below to remove
msxml4 from SxS directory.

Instructions to remove msxml4 components in side-by-side (SxS) directory with Disk Cleanup tool:
1. Open Windows Explorer, select C: and search *msxml4*. Verify that there are msxml4 files in SxS directory.
2. Start > Search: Cleanup
3. Launch Disk Cleanup tool for C: drive
4. Select all items in Files to delete list (system files also)
5. Press OK to clean
6. Reboot
7. Repeat step 1 to check that there are no msxml4 files in computer anymore
10 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

If Disk Cleanup tool is not available e.g. in Windows Server operating systems, see this article on how to clean up
the winsxs directory (Add Features > Desktop Experience):
https://blogs.technet.microsoft.com/askpfeplat/2014/05/13/how-to-clean-up-the-winsxs-directory-and-free-up-disk-space-on-windows-server-2008-r2-with-new-update/

2.7 Sequencer

Work-around for running sequence from DMS600

When a sequence is run from DMS600, interlocking and blocking conditions need to be checked for all switch devices
included in the sequence.
Sequencer is now working so that it checks the conditions only for the next step resulting that the sequence is never
started.
As a work-around the following modification can be done to the command procedure EPU_SEQ_MAIN_EXECUTE:C:
On line 195 change "CHK_STEP" to "CHK_SEQ"
On line 197 change "CHK_STEP" to "CHK_SEQ"

2.8 Tools

2.8.1 Communication Engineering Tool (CET)

Online Diagnostics
Online Diagnostics didn't display values, qualities or time stamps of IED data objects.

2.8.2 IED tools

PCM client could not be started

It was not possible to browse PCM600 Projects object tree in Display Builder after installing PCM600 2.9. In order
to launch IED Tools from Monitor Pro a Hotfix for PCM600 2.9 is required as well.

2.8.3 IET Data Loader

Maximum import amount of COM500i indications

Maximum import amount of COM500i indications have been increased from 10000 to 50000.

2.8.4 System Configuration Tool

Buffer storage extension for IEC101/104 Slave

The tool supports the new PC-NET maximum ASDU queue lengths for IEC101/104.
The upper limit of STA object attribute AQ has been increased from 200 to 3000.
The default value 200 for AQ stays unchanged.

OM bits for Modbus TCP Master line

Tool support implemented for two new OM bits for Modbus TCP ASCII Master and Modbus TCP RTU Master lines:
OM bit 1 "Serial over IP mode enabled"
OM bit 2 "CRC checking in serial over IP mode disabled"
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 11

2.8.5 Calendar Tool

Day type changes in Calendar tool generate SCIL error

First time changing of default day type in calendar settings generated SCIL_UNDEFINED_VARIABLE error. Whenever
policy and day type is changed for the first time, undefined variables are now properly handled. This makes it possible
to change the calendar types from 'Default type for Sunday/other days' to 'one default type' without an error .

2.9 User Account Management

User Language of the Single Sign-On User

SYS600 was not able to correctly resolve the Windows users language for Monitor Pro Single Sign-On instances.
This is now resolved.

Centralized Account Management and Area of Responsibility

Area of Responsibility (AoR) cannot be used when Centralized Account Management (CAM) is in use. SYS600 Base
System automatically disables AoR if also CAM is enabled. Warning message about such configuration is logged to
SYS600 Notify.

2.10 Monitor Pro Plus

Navigating Large Displays Caused Monitor Pro+ to Lose Connection

Switching between two large displays, or in some cases just navigating to a very large display, caused Monitor Pro+
to lose connection.

Monitor Pro data subscription

Monitor Pro+ now supports SYS600 Process Object Logical Names (LN) starting with number or having only numbers.
Also LN's containing period ("."') characters are now fully supported.

Visual SCIL SetDialogPosition clicked object coordinates

In case the Visual SCIL dialog tool launcher action was defined for a primitive graphics element (e.g. rectangle, text)
directly in the main process view, without embedding the action to a sub drawing, the clicked object bounds were
not passed correctly to SetDialogPosition Visual SCIL method and dialog was not opened in the intended position.

Alarm Display Template Toolbar disappear

In Monitor Pro Plus the toolbar Alarm Display Template disappeared when display was changed and Alarm Display
reopened.

Monitor Pro specific arguments passed to tools from Monitor Pro+

Monitor Pro specific arguments were not properly delivered to tools launched from Monitor Pro+.

Monitor Pro+ Windows Stop Working Occasionally

All Monitor Pro+ windows could sometimes stop working, when the service used to communicate with SYS600 base
system stopped working with the following error printed in windows application logs for MPro "Assertion failed:
!(handle->flags & UV_HANDLE_CLOSED), file src\win\async.c". The only way to recover Monitor Pro+ functionality
was to restart SYS600.

Monitor Pro+ display navigation

Error displayed when navigating from process display to preconfigured list display.
12 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

NodeJs version upgrade

NodeJs, SYS600 Web Server, version upgraded to 8.12.0. Sqlite3 node module version updated to 4.0.2. This fixes
known security vulnerabilities in earlier NodeJs version.

Pro+ SLD not updated correctly if POs recreated

Pro+ SLD was not updated correctly if processs objects were recreated

WebSocket Communication
The handling of a large view caused too much processing which created an error situation in the WebSocket
communication.
Error handling code in WebSocket communication caused an infinite loop. This resulted server to be non-responsive.
This is now fixed.

3 New features
This chapter highlights the main new features of this release.

IEC 60870-5-104 Slave: Support of broadcast addressing

Broadcast addressing, i.e. Common Address of ASDU = 65535 is now supported with General Interrogation, Counter
Interrogation, Time Syncronisation and Reset Process command (ASDUs <100>, <101>, <103> and <105>. The
incoming broadcast command is handled with all STA objects using the same TCP/IP connection.

IEC 60870-5-104 Slave: Deleting of oldest event in buffer overflow supported

In case station attribute RM bit 10 is set and event queue overflow occurs, the oldest event from the same queue
is deleted instead of the returning the SCIL error 13856 = ICCC_ASDU_QUEUE_FULL. Setting of bit 10 should be
used if newest events are preferred e.g. when connection to network control center is lost. The default value for RM
bit 10 is 0 i.e. the oldest events are kept in the queue and newest events are discarded when queue is full.

LON: Support for Loytec IP1E100

Support for network-based Loytec IP1E100 device has been added. For more information see the Application Note
SYS600 LON Setup using Loytec interface.

Topology Calculation Mode

A new topology calculation mode is introduced. Topology calculation can be forced to propagate uncertain network
state for simulated devices. The setting for "Simulated switch propagates uncertain network state" is available in
Network Topology Manager Visual SCIL tool and in Display Builder. The state of the setting can be changed only
when the topology model is created or when it is stopped.

4 Known Limitations

Installation on W2008 (32-bit, Not R2)

If you are using operating system W2008 (32-bit, NOT R2), please contact customer support for installation
instructions.
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 13

5 Dependencies
This Hotfix should only be used with SYS600 9.4 FP2 installation.

6 Recommendations
It is recommended to install this Hotfix in all SYS600 9.4 FP2

7 Installation
7.1 To install the Hotfix:
1. Stop the SYS600 system
2. Before installing SYS600 9.4 FP2 HF3, uninstall previous version of CET for IEC61850 OPC Server from Windows
programs and features
3. Before installing SYS600 9.4 FP2 HF3, uninstall old Sentinel HASP drivers manually:
a. Stop hasplms service by opening Command Prompt window (run as admin) and running command ‘sc the service,
run command ‘sc query hasplms’ to verify that the service is stopped.
b. Locate haspdinst.exe in old SYS600 installation (sc\drivers\HASP). Run ‘haspdinst.exe -info’ to check installed
to the system and versions included in the installation package.
c. Run ‘haspdinst.exe -purge’ to uninstall old Sentinel HASP component versions
d. Hotfix can now be installed that includes an update to Sentinel HASP
4. Run the installation program SYS600_94-2_HF3.exe
5. Due to diverse system installations, vulnerability described in Improper Access Control Vulnerability in MicroSCADA
Pro SYS600 9.x security advisory is not fixed automatically. See section Cyber Security > Improper Access Control
for instructions.
The Hotfix will install the following new files or file versions:

sc\stool\sysconf\UAM.VSO
sc\stool\sysconf\SYSCONF.VSO
sc\stool\sysconf\ATTR_DEF.VSO
sc\stool\Misc\7z.exe
sc\stool\Misc\7z.dll
sc\stool\AplBuild\OBJGP.VSO
sc\stool\AplBuild\NT_MANAGER.VSO
sc\Setup\DuoDriver\vendor.cer
sc\Setup\DuoDriver\SnmpExtensionAgentSetup.exe
sc\Setup\DuoDriver\SnmpExtensionAgentSetup_x64.exe
sc\Setup\DuoDriver\SetupGuiNG.exe
sc\Setup\DuoDriver\SetupGuiNG_x64.exe
sc\Setup\DuoDriver\setup.ini
sc\Setup\DuoDriver\setup.exe
sc\Setup\DuoDriver\ProtocolSetup.exe
sc\Setup\DuoDriver\ProtocolSetup_x64.exe
sc\Setup\DuoDriver\iec62439_snmp_agent.dll
sc\Setup\DuoDriver\iec62439_snmp_agent_x64.dll
sc\Setup\DuoDriver\iec62439_mgmt.dll
sc\Setup\DuoDriver\iec62439_mgmt_x64.dll
sc\Setup\DuoDriver\duodrv_prot.inf
sc\Setup\DuoDriver\duodrv_prot.cat
sc\Setup\DuoDriver\duodrv_mp.inf
sc\Setup\DuoDriver\duodrv_mp.cat
sc\Setup\DuoDriver\DuoDriverNotifyObj-DB3268CB-818D-41AE-8940-D4706D65AFE1.dll
sc\Setup\DuoDriver\DuoDriverNotifyObj-DB3268CB-818D-41AE-8940-D4706D65AFE1_x64.dll
14 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

sc\Setup\DuoDriver\DuoDriverMgmtGUI.exe
sc\Setup\DuoDriver\duodriver.sys
sc\Setup\DuoDriver\duodriver_x64.sys
sc\sa_lib\defaults\misc\SDIActiveBar.tb2
sc\sa_lib\defaults\misc\FrameWindow.ini
sc\sa_lib\base\bbone\use\BGU_CALTC.TXT
sc\prog\sa_lib\ualctl.dll
sc\prog\sa_lib\MicroSCADALoginManager.dll
sc\prog\sa_lib\MeasReport.dll
sc\prog\sa_lib\InstanceHandler.exe
sc\prog\sa_lib\FrameWindow.exe
sc\prog\sa_lib\eventctl.dll
sc\prog\sa_lib\en\ualctl_EN.dll
sc\prog\sa_lib\en\FrameWindow_EN.dll
sc\prog\sa_lib\en\eventctl_EN.dll
sc\prog\sa_lib\en\blockingctl_EN.dll
sc\prog\sa_lib\en\alarmctl_EN.dll
sc\prog\sa_lib\eablistcomm.dll
sc\prog\sa_lib\blockingctl.dll
sc\prog\sa_lib\alarmctl.dll
sc\prog\sa_lib\Actbar3.ocx
sc\prog\pcm_client\PcmClientSetup.exe
sc\prog\pcm_client\PcmClient2.dll
sc\prog\pcm_client\PcmClient.dll
sc\prog\pc_net\pc_nets.exe
sc\prog\OPC_Client\DA_Client\daopccl.exe
sc\prog\graphicsEngine\system\OpcConnection.dll
sc\prog\graphicsEngine\system\dvwin.dll
sc\prog\graphicsEngine\system\DVUOM.tlb
sc\prog\graphicsEngine\system\Dvuom.dll
sc\prog\graphicsEngine\system\dvtools.dll
sc\prog\graphicsEngine\system\DVPaletteUI.ocx
sc\prog\graphicsEngine\system\DVnames.dll
sc\prog\graphicsEngine\system\DVFillEffectControl.ocx
sc\prog\graphicsEngine\system\DVDraw.exe
sc\prog\graphicsEngine\system\DVDataEditor.ocx
sc\prog\graphicsEngine\system\DVCustomEditor.ocx
sc\prog\graphicsEngine\system\dvaxvp.tlb
sc\prog\graphicsEngine\system\dvaxvp.ocx
sc\prog\graphicsEngine\system\dvactive.tlb
sc\prog\graphicsEngine\system\dvactive.ocx
sc\prog\graphicsEngine\system\DataViewsEditor.ocx
sc\prog\exec\WmiAccess_WinIO.dll
sc\prog\exec\vgal7.dll
sc\prog\exec\UALW.exe
sc\prog\exec\UALP.exe
sc\prog\exec\sysm.exe
sc\prog\exec\status.txt
sc\prog\exec\status.bin
sc\prog\exec\ssleay32.dll
sc\prog\exec\shad.exe
sc\prog\exec\scsshr.dll
sc\prog\exec\scspico.dll
sc\prog\exec\SCSPCNET.dll
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 15

sc\prog\exec\SCSINT.dll
sc\prog\exec\scs.exe
sc\prog\exec\SCINFO.EXE
sc\prog\exec\scil.exe
sc\prog\exec\SAPI.exe
sc\prog\exec\repr.exe
sc\prog\exec\REPL.exe
sc\prog\exec\repf.exe
sc\prog\exec\qpidtypes.dll
sc\prog\exec\qpidcommon.dll
sc\prog\exec\qpidclient.dll
sc\prog\exec\pros.exe
sc\prog\exec\prof.exe
sc\prog\exec\proc.exe
sc\prog\exec\prnc.exe
sc\prog\exec\prin.exe
sc\prog\exec\picv.exe
sc\prog\exec\picn.exe
sc\prog\exec\picg.exe
sc\prog\exec\PCNI.exe
sc\prog\exec\OSEX.exe
sc\prog\exec\oseh.exe
sc\prog\exec\OPCS.exe
sc\prog\exec\opcc.exe
sc\prog\exec\oaes.exe
sc\prog\exec\oaec.exe
sc\prog\exec\notify.exe
sc\prog\exec\LICV.dll
sc\prog\exec\libeay32.dll
sc\prog\exec\inet.exe
sc\prog\exec\hasp_windows_69167.dll
sc\prog\exec\file.exe
sc\prog\exec\ddex.exe
sc\prog\exec\CPMW.exe.config
sc\prog\exec\CPMW.exe
sc\prog\exec\Control.exe
sc\prog\exec\CAMP.exe
sc\prog\61850_OPC_Server\IEC61850 OPC Server\bin\opcs_iec61850.exe
sc\drivers\HASP\haspdinst.exe
sc\Com\active\COM_\COMTOOL.VSO
sc\Com\active\COM_\COM_UPDT.TXT
sc\Com\active\COM_\COM_REVDTA.TXT
sc\Com\active\COM_\COM_RESPRC.TXT
sc\Com\active\COM_\COM_IESEI.TXT
sc\Com\active\COM_\COM_IESA.TXT
sc\Com\active\COM_\COM_GENINT.TXT
sc\Com\active\COM_\COM_DSAO.TXT

Due to diverse system installations, vulnerability described in Improper Access Control

Vulnerability in MicroSCADA Pro SYS600 9.x security advisory is not fixed automatically
Note! with HF3 installation package. Follow instructions in the security advisory after HF3
installation to fix the vulnerability.

7.2 To uninstall the Hotfix:

1. Stop the SYS600 system
16 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

2. Run the installation program SYS600_94-2_HF3.exe /r

3. Uninstall ABB CET for IEC61850 OPC Server using the Windows Add or Remove Programs utility.
4. Re-install the main product SYS600 9.4 FP2.

Revision History

Revision Date Description Approved by

A 2019-04-23 Final version Mikko Oksanen

— — —
ABB Grid Automation Products Copyright © 2019 ABB. We reserve all rights in this document and in the
abb.com/substation-automation All rights reserved. subject matter and illustrations contained therein.
Any reproduction, disclosure to third parties or
utilization of its contents
– in whole or in parts – is forbidden without prior
written consent of ABB.
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 17

Appendix A Appendix Title

Table A.1: SYS600

SYS600 Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

postgres.exe TCP Fixed Always PostgreSQL database for Secure:Yes

5433, storing setting values. This
5434.. port is also used for replic-
ating database between
HSB computers. There is a
separate port number for
each SYS600 application.

inet.exe TCP Fixed Always Hot-stand-by communica- Secure:Yes

21844 tion (APL-APL). This traffic
is encrypted. For more in-
formation, see [SYSCON,
Encrypted communica-
tion].

inet.exe TCP Fixed Always External OPC DA Clients Secure:No

21845 connect to this port and
process data is received
through this port.

inet.exe TCP Fixed Always Used by SYS600 base sys- Secure:No

21846 tem processes for internal
communication.

LogService.exe TCP Fixed Always MicroSCADA system Secure:No

21850 log/events, MicroSCADA Limit or block ac-
system version informa- cess to this port
tion, and application state from remote
information. This port is computers.
used by Notify window.

aopcs.exe Dynamic Configurable Configurable MicroSCADA Application N/A

TCP, see OPC Server requires DCOM
[MSD- port 135 to be open
COM04]

opcs.exe Dynamic Configurable Always MicroSCADA OPC Data Ac- N/A

TCP, see cess Server requires DCOM
[MSD- port 135 to be open
COM04]

Opcenum.exe Dynamic Configurable Always OpenRemoteDesktop pro- N/A

TCP, see gram uses this service
[MSD-
COM04]

hasplsm.exe UDP and Fixed Always Aladdin HASP License Secure:No

TCP 1947 Manager Service for hand-
ling USB license keys

(Web server - - - Java API requires a web Secure:No

for Java API) server. See web server
manuals for port configur-
ation.
18 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

SYS600 Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

bdu_ssiser.exe TCP 1333 Configurable Configurable DMS600 Server Application Secure:No

uses for SCIL-API connec-
tion

Table A.2: SYS600 - Communication protocols

Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

IEC60870-5- TCP 2404 configurable configurable IEC 60870-5-104 for tele- Secure: No
104 Slave control equipment and Risks: Through
systems with coded bit IEC104 it is pos-
serial data transmission in sible to control
TCP/IP based networks for electric network.
monitoring and controlling
geographically widespread
processes. Network Con-
trol Center (NCC).

IEC60870-5- TCP configurable configurable Secure communication for IEC104 secure

104 Secure Au- 19998 IEC104 communication
thentication is authenticated
Slave and encrypted.

IEC60870-5- TCP configurable configurable Accepts localhost connec- N/A

104 Slave - 2501- tions only, open only a
Communica- 2514 short period of time in
tion lines system startup.

IEC60870-5- TCP configurable configurable Accepts localhost connec- N/A

104 Master - 2501- tions only, open only a
communica- 2514 short period of time in
tion lines system startup.

DNP 3.0 Secure TCP configurable configurable Secure communication for DNP 3.0 secure
Authentication 19999 DNP 3.0 communication
Version 5 is authenticated
LAN/WAN and encrypted.
Slave

DNP 3.0 UDP and configurable configurable The Distribute Networks Secure: No. Use
LAN/WAN TCP Protocol (DNP) 3.0 DNP 3.0 Secure
Slave 20000 LAN/WAN is a standards- instead.
based communication Risks: Through
protocol designed for DNP3 it is pos-
electric utility, water, oil & sible to control
gas and security systems. electric network.

DNP 3.0 TCP configurable configurable Accepts localhost connec- N/A

LAN/WAN 2501- tions only, open only a
Slave - Commu- 2514 short period of time in
nication lines system startup.

DNP 3.0 UDP and configurable configurable Accepts localhost connec- N/A
LAN/WAN TCP tions only, open only a
 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3 19

Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

Master - Com- 2501- short period of time in

munication 2514 system startup.
lines

Modbus TCP 502 configurable configurable Modbus Protocol is a mes- Secure: No

TCP/IP Slave saging structure used to Risks: Through
establish master-slave/cli- Modbus it is pos-
ent-server communication sible to control
between intelligent remote systems.
devices. It is used in gas
and oil and substation ap-
plications but also in
building, infrastructure,
transportation and energy
applications. There is no
built-in security in Modbus
protocol.

Modbus TCP configurable configurable Accepts localhost connec- N/A

TCP/IP Master 2501- tions only, open only a
- Communica- 2514 short period of time in
tion lines system startup.

SPA-TCP - TCP configurable configurable Accepts localhost connec- N/A

Communica- 2501- tions only, open only a
tion lines 2514 short period of time in
system startup.

ELCOM-90 TCP 6997 configurable configurable ELCOM-90 is used to Secure:No

Provider transfer information Risks: Through
between control centers ELCOM-90 it is
and it is inter-control cen- possible to con-
ter communication pro- trol remote sys-
tocol (ICCP). tems.

ELCOM-90 TCP 6998 configurable configurable Inter-process communica- Secure:No

UserElem tion Risks: Through
ELCOM-90 it is
possible to con-
trol remote sys-
tems.

ELCOM-90 Ad- TCP 6999 configurable configurable Used to debug Provider Secure:No
min

Opcs_iec61850.exe Dynamic configurable configurable IEC 61850 OPC DA Server. Secure:No

TCP, see By default accepts local Risks: Through
[MSD- COM/DCOM connections IEC 61850 OPC
COM04]. only. DA Server it is
possible to con-
trol electric net-
work.

Opcs_iec61850.exe TCP 123 configurable configurable IEC 61850 OPC DA Server, Secure:No
which contains SNTP Serv-
er as TCP/IP Server (IEDs
synchronizes time with
20 1MRS257740, MicroSCADA Pro SYS600 9.4 FP2 Hotfix3

Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

this) and also SNTP Client.

See ntp service.

Op- TCP 102 fixed configurable IEC 61850 System Supervi- Secure:No
cc_iec61850.exe sion Server (obsolete from Risks: Through
SYS600 9.4 FP2 and later). MMS server it is
OPC client in this compon- possible to con-
ent is connected to SYS600 trol electric net-
OPC DA Server. IEC 61850 work.
(MMS) server is a TCP/IP
server. There is no built-in
security in MMS protocol.

Table A.3: SYS600 – Remote Access

Inbound (listening)

Service: Inbound Port number Port status open al- Description Security
port num- fixed/configur- ways/configurable
ber able

Microsoft Win- TCP 3389 Fixed Configurable Microsoft Windows Termin- Remote desktop
dows Remote al Services [Terminal Server sessions operate
Desktop Ser- Client, RDP Client] over an encryp-
vices ted channel.

Citrix ICA TCP 1494 Fixed Configurable MetaFrame Application Remote desktop
Server for Windows / Citrix sessions operate
ICA over an encryp-
ted channel.