Application Guide Volume VI AG2001-05

Using Passwords to Secure Relays, Controllers,

and SCADA Systems From Unauthorized Access
Paul Oman

INTRODUCTION
Our increasing reliance on automated control systems, coupled with the rise in computer
intrusions and international terrorism, has magnified the risk of unauthorized hostile access to
electric utility control and protective systems. Electric power generation systems and
transmission and distribution utilities face an increased threat of sabotage and espionage via
“electronic intrusion” and “computer hacking.” The electric power industry must be aware of this
threat and must take steps to reduce its risk and mitigate vulnerabilities. Protection, integration,
and automation engineers should use mechanisms that minimize the likelihood that persons with
hostile intent can degrade or destroy electric power systems. Responding to this risk, Schweitzer
Engineering Laboratories is distributing a series of SEL Application Guides to help the electric
power industry assess vulnerability and take steps to implement and strengthen communication
security to and from IEDs, controllers, and SCADA systems. The three SEL Application Guides
in the series are:
1. Using Passwords to Secure Relays, Controllers, and SCADA Systems From Unauthorized
Access (this document).
2. Setting and Using Secure Dial-Back Modems With SEL Relays and Communications
Processors.
3. Low-Cost Authentication Devices for Secure Modem and Network Connections.
These guides are “how-to” documents intended to help you reduce the risk of unauthorized access
to your control and protective equipment. Traditional approaches for reducing vulnerability
include password protection, audit logging, multitiered access levels, alarm conditions, automated
IED configuration and authentication, redundant controllers, time-out communication settings,
virus protection, firewalls, and intrusion detection systems. For a more detailed discussion of the
increasing risks and corresponding mitigating technologies, see the following documents:
1. IEEE Guide for Electric Power Substation Physical and Electronic Security, IEEE
Standard 1402-2000, IEEE Power Engineering Society, New York, NY, April 4, 2000.
2. “Concerns About Intrusions Into Remotely Accessible IEDs, Controllers, and SCADA
Systems,” in Proceedings of the 27th Annual Western Protective Relay Conference, by
P. Oman, E. Schweitzer, and D. Frincke, Paper No. 4, (Oct. 23–25, Spokane, WA), 2000,
available at http://www.selinc.com.

SCHWEITZER ENGINEERING LABORATORIES

2350 NE Hopkins Court • Pullman, WA • 99163-5603 • USA
Phone: (509) 332-1890 • Fax: (509) 332-7990
E-mail: info@selinc.com • Internet: www.selinc.com
 3. Electric Power Risk Assessment, National Security Telecommunications Advisory
Committee Information Assurance Task Force, March 1997, available at
http://www.ncs.gov/n5_hp/Reports/EPRA/electric.html.
Of specific concern is the growing risk of computer-based electronic intrusion, wherein a
potential intruder uses automated attack tools to gain remote access to your IEDs, controllers, and
SCADA systems. Your best defense against this type of attack is strong password protection.

THE IMPoRTANCE OF STRONG PASSWORDS

Strong password protection is your best defense against all forms of unauthorized access. A good
password not only protects a specific device against accidental and unauthorized settings, but also
safeguards the integrated system and helps ensure the reliable operation of a substation or
SCADA system. However, if your password is disabled, easily guessed, or cracked1, intruders
can not only shut down your system but they can use your system to distribute bogus data and
sabotage other interconnected systems within your company and worldwide across the Internet.
Strong passwords are virtually impossible to guess and may take thousands of hours to crack. Ill-
chosen passwords may be guessed or cracked in just a few minutes. Hence, it is extremely
important to maintain the security of your system by using strong passwords in protective relays,
controllers, and remote access points to your SCADA systems.
Used properly, passwords provide good protection against unauthorized access. Make sure you
choose strong passwords and record them in a secure location. If your passwords are forgotten or
lost, you must physically circumvent the password protection long enough to view your
passwords and/or reset them. This usually means taking the device or system off line and
rebooting or restarting it with passwords disabled or reset to factory defaults. Details can be
found in your system/device technical documentation.

CREATING STRONG PASSWORDS

Strong passwords consist of six characters, with at least one special character or digit and mixed-
case sensitivity, but do not form a name, date, acronym, or word. Passwords formed in this
manner are less susceptible to password guessing and automated attacks. Examples of valid,
distinct strong passwords include:
Ot3579 A24.68 Ih2dcs 4u-Iwg Ic-4.7
An easy way to create strong passwords is to take the first letter of each word in a memorable
phrase and insert a non-alpha character somewhere in the resulting password. For example, the
phrase “I love to ride my horse, Blue” can be used to form and remember the password Il2rmhB,
which is difficult to crack because it cannot be pronounced and it is not meaningful. Similarly,
the phrase “The Palouse has four beautiful seasons” can be used to create the password tPh4bs,
which is simple and easy to remember because of the sentence from which it is formed.

1
Password cracking refers to automated programs that can try up to several hundred password
combinations per minute.

2 SEL Application Guide 2001-05 Date Code 20010517

GUIDELINES FOR CREATING AND MAINTAINING STRONG PASSWORDS
The following are simple guidelines to bear in mind while creating and managing your
passwords:
• Default passwords shipped with factory devices and application software should always be
changed upon installation.
• Passwords should be known only by individuals with authorized access to the devices being
installed or updated.
• Passwords should be kept in a secure location that is not easily found or viewed.
• Passwords should be at least six characters long.
• Passwords should contain both upper- and lower-case characters.
• Passwords should contain at least one non-alpha character (i.e., a number or punctuation
mark).
• Passwords should not form a common word, date, name, or acronym.
• Passwords should be changed periodically and whenever the security of your password is
compromised through personnel turnover, strife, intrusion, or threat.
• When possible, implement two levels of password protected access control–one for
viewing settings and another for changing settings.
• On integrated systems, implement multitiered password protection, with one set of
passwords for accessing relays and another set for accessing controllers and SCADA
systems.

CHANGING YOUR PASSWORDS, STEP-BY-STEP

Reference the following three examples of changing passwords in SEL relays and
communications processors. The examples assume you can connect your SEL device to a serial
terminal or a PC and terminal emulation program like HyperTerminal or CROSSTALK.
Alternatively, you can access your relays via a transparent connection through an SEL-2020 or
SEL-2030 Communications Processor. In any case, refer to your device’s technical
documentation for instructions on how to establish a serial connection to change settings.

Example 1. Changing SEL-2020 and SEL-2030 Passwords

1. Connect to one of the serial ports on the SEL-2020 or SEL-2030 and open a connection.
2. Press a carriage return, <ENTER>, and verify that a “*” prompt is returned. The “*”
indicates that you are in Access Level 0. A “*>” or “*>>” prompt indicates that your
serial connection has been left in Access Level 1 or 2, respectively. Refer to your
SEL-2020/2030 Reference Manual for instructions on how to set serial port “time-out”
parameters.
3. If you do not get a prompt with each carriage return, then something is wrong with your
connection. Terminate your serial connection, check your cable connections and your
communications settings, and restart your serial I/O connection.
4. To change passwords, you must move through Access Level 1 to Access Level 2. Type
ACC <ENTER> to go to Access Level 1. The SEL-2020/2030 responds with:
Password: ? @@@@@@

Date Code 20010517 SEL Application Guide 2001-05 3

 5. The default factory password for Access Level 1 is listed in your SEL-2020 or SEL-2030
Reference Manual under the PAS command. At the prompt, enter your existing or default
Access Level 1 password and press <ENTER>. The SEL-2020/2030 responds with the
Access Level 1 notification and the “*>” prompt indicating that you are in Access Level
1.
6. Type 2AC <ENTER> to go to Access Level 2. The SEL-2020/2030 responds with the
same password prompt that you saw for Access Level 1. The default factory password for
Access Level 2 is also listed in your Reference Manual, so at the password prompt, enter
your existing or default Access Level 2 password and press <ENTER>. The
SEL-2020/2030 responds with the Access Level 2 notification and the “*>>” prompt to
indicate that you are in Access Level 2.
7. The PAS command is used to view and set passwords. Type PAS <ENTER> to see the
existing passwords settings. Use the command PAS 1 followed by a password string to
change the Access Level 1 password. For example, PAS 1 Ot3579 <ENTER> sets
“Ot3579” as the password for Access Level 1. Similarly, the command PAS 2 followed
by a password sets the Access Level 2 password.
8. After entering your new passwords, use the PAS command to view the new settings.
When setting your passwords, be sure to choose “strong” passwords that cannot be easily
guessed or broken with an automated password cracker.
The following example demonstrates how to change your SEL-2020/2030 passwords from
“BADPAS” and “TOOEZY” to “Ot3579” and “Ta2468” for Access Levels 1 and 2, respectively.
Default factory password settings are shown under the PAS command in your SEL-2020 or
SEL-2030 Reference Manual.

$&&
3DVVZRUG " %$'3$6
&20081,&$7,216 352&(6625  61  'DWH  7LPH 
/HYHO 
!$&
3DVVZRUG " 722(=<
&20081,&$7,216 352&(6625  61  'DWH  7LPH 
/HYHO 
!!
!!3$6
%$'3$6
722(=<
!!3$6  2W
6HW
!!3$6  7D
6HW
!!3$6
2W
7D
!!48,7
&20081,&$7,216 352&(6625  61  'DWH  7LPH 

4 SEL Application Guide 2001-05 Date Code 20010517

Example 2. Changing SEL-3XX Relay Passwords (SEL-300G, -311, -321, -351, -352, and
–387)
1. Connect to one of the serial ports on the SEL-3XX Relay and open a connection.
2. Press a carriage return, <ENTER>, and verify that a “=” prompt is returned. The “=”
indicates that you are in Access Level 0. A “=>” or “=>>” prompt indicates that your
serial port connection has been left in Access Level 1 or 2, respectively. Refer to your
SEL-3XX Instruction Manual for instructions on how to set serial port “time-out”
parameters.
3. If you do not get a prompt with each carriage return, then something is wrong with your
connection. Terminate your serial connection, check your cable connections and your
communications settings, and restart your serial I/O connection.
4. To change passwords you need to move through Access Level 1 to Access Level 2. Type
ACC <ENTER> to go to Access Level 1. The SEL-3XX Relay responds with:
Password: ? @@@@@@
5. The default factory password for Access Level 1 is listed in your SEL-3XX Instruction
Manual under the PAS command. At the above prompt, enter your existing or default
Access Level 1 password and press <ENTER>. The SEL-3XX Relay responds with the
Access Level 1 notification and the “=>” prompt to indicate that you are in Access
Level 1.
6. Type 2AC <ENTER> to go to Access Level 2. The SEL-3XX Relay responds with the
same password prompt that you saw for Access Level 1. The default factory password for
Access Level 2 is also listed in your instruction manual. At the password prompt, enter
your existing or default Access Level 2 password and press <ENTER>. The SEL-3XX
Relay responds with the Access Level 2 notification and the “=>>” prompt to indicate that
you are in Access Level 2.
7. The PAS command is used to view and set passwords. Type PAS <ENTER> to see the
existing passwords settings. Use the command PAS 1 followed by a password string to
change the Access Level 1 password. For example, PAS 1 Ot3579 <ENTER> sets
“Ot3579” as the password for Access Level 1. Similarly, the command PAS B followed
by a password sets the Access Level B password, and the command PAS 2 followed by a
password sets the Access Level 2 password.
8. After entering your new passwords use the PAS command to view the new settings.
When setting your passwords, be sure to choose “strong” passwords that cannot be easily
guessed or broken with an automated password cracker.
The following example demonstrates how to change your SEL-300G, -311, -321, -351, -352, and
-387 Relay passwords. It assumes the existing passwords are “BADPAS”, “BRAKER”, and
“TOOEZY” for Access Levels 1, B, and 2, respectively. It changes the passwords to “Ot3579”,
“Bkr351”, and “Ta2468”, respectively. Default factory password settings are shown under the
PAS command in your SEL-3XX Instruction Manual.

Date Code 20010517 SEL Application Guide 2001-05 5

 $&&
3DVVZRUG " %$'3$6
)(('(5  'DWH  7LPH  67$7,21 $
/HYHO 
!$&
3DVVZRUG " 722(=<
)(('(5  'DWH  7LPH  67$7,21 $
/HYHO 
!!3$6
%$'3$6
%%5$.(5
722(=<
!!3$6  2W
6HW
!!3$6 % %NU
6HW
!!3$6  7D
6HW

!!3$6
2W
%%NU
7D
!!48,7

Example 3. Changing SEL-5XX Relay Passwords (SEL-501, -551, -587)

1. Connect to one of the serial ports on the SEL-5XX Relay and open a connection.
2. Press a carriage return, <ENTER>, and verify that a “=” prompt is returned. The “=”
indicates that you are in Access Level 0. A “=>” or “=>>” prompt indicates that your
serial port connection has been left in Access Level 1 or 2, respectively. Refer to your
SEL-5XX Instruction Manual for instructions on how to set serial port “time-out”
parameters.
3. If you do not get a prompt with each carriage return, then something is wrong with your
connection. Terminate your serial connection, check your cable connections and your
communications settings, and restart your serial I/O connection.
4. To change passwords you need to move through Access Level 1 to Access Level 2. Type
ACC <ENTER> to go to Access Level 1. The SEL-5XX Relay responds with one of the
following two prompts:
Passcode: ? @@@@@@ Password: ? @@@@@@
5. The Access Level 1 default factory passwords are listed under the PAS command in your
SEL-501, -551, and –587 Instruction Manuals, so when you get the above prompt, type in
the existing or default Access Level 1 password corresponding to your relay and press
<ENTER>. The relay responds with the Access Level 1 access notification and the “=>”
prompt indicating that you are in Access Level 1.

6 SEL Application Guide 2001-05 Date Code 20010517

 6. Type 2AC <ENTER> to go to Access Level 2. The relay responds with the same
password prompt that you saw for Access Level 1. The Access Level 2 default passwords
are also listed in the instruction manual. When you get the password prompt, type in the
existing or default Access Level 2 password corresponding to your relay and press
<ENTER>. The relay responds with the Access Level 2 notification and the “=>>”
prompt indicating that you are in Access Level 2.
7. The PAS command is used to view and set passwords. Type PAS <ENTER> to see the
existing passwords settings. Use the command PAS 1 followed by a password string to
change the Access Level 1 password. For example, PAS 1 Ot3579 <ENTER> sets
“Ot3579” as the password for Access Level 1. Similarly, the command PAS 2 followed
by a password sets the Access Level 2 password.
8. After entering your new passwords, use the PAS command to view the new settings.
When setting your passwords, be sure to choose “strong” passwords that cannot be easily
guessed or broken with an automated password cracker. If your SEL-5XX Relay does not
allow letters in the password string, you are running an older version of the relay’s
firmware. Your instruction manual explains how to upgrade your firmware.
The following example demonstrates how to change your SEL-501, -551, and –587 Relay
passwords from “BADPAS” and “TOOEZY” to “Ot3579” and “Ta2468”, for Access Levels 1
and 2, respectively. Default factory password settings are shown under the PAS command in
your SEL-5XX Instruction Manual.

$&&
3DVVFRGH " %$'3$6

(;$03/( )(('(5 'DWH  7LPH  67$7,21 $

/HYHO 
!$&
3DVVFRGH " 722(=<
(;$03/( )(('(5 'DWH  7LPH  67$7,21 $
/HYHO 
!!3$6
%$'3$6
722(=<
!!3$6  2W
6HW
!!3$6  7D
6HW
!!3$6
2W
7D
!!48,7

Date Code 20010517 SEL Application Guide 2001-05 7

FACTORY ASSISTANCE
The employee-owners of Schweitzer Engineering Laboratories, Inc. are dedicated to making
electric power safer, more reliable, and more economical.
We appreciate your interest in SEL products, and we are committed to making sure you are
satisfied. If you have any questions, please contact us at:
Schweitzer Engineering Laboratories
2350 NE Hopkins Court
Pullman, WA USA 99163-5603
Tel: (509) 332-1890
Fax: (509) 332-7990
Web: www.selinc.com
We provide prompt, courteous, and professional service.
We appreciate receiving any comments and suggestions about new products or product
improvements that would help us make your job easier.

All brand or product names appearing in this document are the trademark or registered trademark of their respective holders.

Schweitzer Engineering Laboratories, SELOGIC, Connectorized, Job Done, SEL-PROFILE, and are registered trademarks of Schweitzer
Engineering Laboratories.
Copyright © SEL 2001 (All rights reserved) Printed in USA.

8 SEL Application Guide 2001-05 Date Code 20010517