Copyright © 2013 GE Multilin Inc. All rights reserved. · Quickstart Guide Introduction CyberSentryTM Security Event Manager ... and performs security monitoring of power management


Copyright © 2013 GE Multilin Inc. All rights reserved.

CyberSentry SEM software revision 1.00.

CyberSentry, Digital Energy, Multilin, and GE Multilin are trademarks or registered trademarks of GE Multilin Inc.

The contents of this manual are the property of GE Multilin Inc. This documentation is furnished on license and may not be reproduced in whole or in part without the permission of GE Multilin. The manual is for informational use only and is subject to change without notice.

Part number: 1601-0119-A2 (March 2013)

CyberSentry SEM Quickstart Guide

Introduction

CyberSentryTM Security Event Manager (SEM) is software for automated Critical Infrastructure Protection (CIP), specifically for auditing, monitoring, and reporting of devices in electrical grids to the standards of the North American Electric Reliability Corporation (NERC).

Based on configuration and security policies, CyberSentry SEM initiates and performs security monitoring of power management relays and networking devices. It can record events, detect device setting changes, log security events, raise Incident Cases (ICs), and initiate IC tasks.

Installation

The installation process is as follows:

• Check system requirements
• Install the software
• Start the software and log in


System requirements

• Windows 7 (32-bit) with the latest service pack and patches
• 2.3 GHz (or better) Intel/AMD processor
• 4 GB RAM (minimum 2 GB)
• 1.0 GB free space on hard drive
• Adobe Reader or compatible viewer for viewing compliance reports

Install the software

To install the CyberSentry SEM software from the CD:

1. With Adobe Reader installed, insert the CyberSentry SEM CD in the computer drive.

2. If the installation program does not automatically start, locate the CyberSentrySEM100Setup.exe file on the CD, then click or double-click the file to start the installation. If prompted, click Yes to allow the program to make changes to the computer and also allow Microsoft .NET framework to be installed.

3. Complete the wizard.

4. All components required by CyberSentry SEM are installed. Default user accounts are created automatically. Start the software and log in, as outlined in the next section.

Installation notes

CyberSentry SEM uses the Microsoft SQL Server 2008 Express database for storage. The name of the SQL Server used is PMCSSQLSERVER. The name of the database is EVENTLOGGERSQL, and the database is located in C:\MSSQL7\Data.

If the database is not attached to the server properly, use the database installation script DB_CMD.CMD located in the directory C:\Program Files\GE Digital Energy\CyberSentry SEM\. If your SQL Server instance is named differently, for example SQLEXPRESS instead of PMCSSQLSERVER, change the script and run the script. You need to be logged in as computer administrator to replace the file.


Default user accounts

Four user accounts (Administrator, Officer, COfficer, User) and four user groups are created by default. The Administrator can manage user accounts. All users can manage their contact information, address, and password. After installation, change the passwords and set the email addresses for the default accounts.

Start the software and log in

A user needs to be logged in for the software to run. To start the software and log in:

1. Click the CyberSentry SEM desktop icon, or click Start > All Programs > GE Digital Energy > CyberSentry SEM.

2. In the login window, enter the user name and password. For first login, use the Administrator account and password of "password". When logging in to the default Compliance Officer account, enter the user name of COfficer.

3. If a message displays that "Your account has been disabled", this means that the user account has been temporarily disabled by the Administrator; ask the Administrator to enable the user account or log in with another account.

4. With first login for any of the default user accounts, a window prompts to specify a new password and security question for the account. Complete the information.

Table 1: Default user accounts

User account                              Password   Group                 Permissions
Administrator                             password   Administrators        Edit preferences and accounts; View workflow
Officer                                   password   Officers              Edit environment; Manage workflow
Compliance Officer (log in as COfficer)   password   Compliance Officers   Edit environment; Manage workflow; Close workflow
User                                      password   Users                 View workflow

5. To lock the computer and leave the software running, press the Ctrl+Alt+Delete keys, then click the Lock this computer option.

Menu structure

CyberSentry SEM has the following tabs.

Home tab

Use this tab to access status windows, log out, and exit the software.

System tab

This tab provides access to administration and configuration functions.


Security Dashboard tab

This tab provides functions available for the Security Dashboard window and events/cases.

Preferences

Administrator access is required to change preferences. The first step is to set email defaults.

Set email notification

CyberSentry SEM can be configured to send emails when it detects new Security Events, Incident Cases, or other parameters. Recipients are based on the parameter. An example of an email notification is the following for a missed deadline to respond to an event/case:


Subject: [CyberSentry SEM 12-000011] Deadline Date Expired
Case: CS12-000011
Activity: Deadline Date Expired
Deadline: 2012-09-22

GE recommends configuring this function, which is disabled by default. An email server compliant with the Simple Mail Transfer Protocol (SMTP) is required, located within your company.

To set email notification:

1. Log in as Administrator.

2. Click System > Preferences.

3. Click the Emailing option.

4. Configure the settings, which are explained as follows.

5. Click the Test button to send a test email to the user with the message "This is a test email from CyberSentry SEM." When an address is entered here that is not registered in the software for the user, a message displays to that effect; add the address under System > Users. If nothing happens when you click the button, this means that you do not have an SMTP server configured correctly in the panel or there is a connection issue with it.

6. Click the OK button to exit.

SMTP server address

Send email

Enable to send emails for the notification types specified in this panel.

SMTP mail server

Specify the name of your server, such as hpserver or mail.yourcompany.com. Do not specify the path. Servers located at Internet service providers (ISPs) are not supported; the SMTP server needs to be your own, located within your network.


SMTP user credentials

CyberSentry SEM emails originate from

Enter the email address to be used in the From field of emails sent. This address is typically that of the Administrator of CyberSentry SEM. An example is [email protected]

Security domain

A Security Domain (SD) is a set of devices. Its purpose is to group devices in order to apply rules for monitoring. All devices monitored by CyberSentry SEM must belong to at least one Security Domain. Editing of the Security Domains is limited to Compliance Officers and Officers. Administrators cannot edit the Security Domains.

Add security domain

The advantage of naming domains is that each domain has its own set of rules, referred to as Authorized Configuration Profiles (ACPs). The ACPs define how CyberSentry SEM determines Security Events and Incident Cases.

To add a Security Domain:

1. Log in as a Compliance Officer or Officer.

2. Click System > SDs.

3. Click the New SD icon.

4. Complete the fields and click the OK button to exit. The order of the domains displayed cannot be changed, so add them in the order in which you want them to appear. Because devices have yet to be assigned to the domain, a message displays when you click OK; click Yes to continue.

5. Complete the Security Domain by adding devices (next section).


Add device

The following devices can be monitored:

• UR series (versions 5.4x to 6.0x, Modbus)
• URPlus series (versions 1.7x and 1.8x, Modbus)
• ML2400 (version 4.01, SNMP)
• Modbus
• SNMP

When adding a device, you select a protocol (Modbus or SNMP), then complete the fields.

Depending on the CyberSentry SEM license, 25, 50, 100, or 150 devices can be added. When in trial/demonstration mode, the number of devices is limited to 25. If the device is a third-party device, a profile for the device must first be created under System > Profiles.

To add a device:

1. Log in as a Compliance Officer or Officer.

2. Click System > SDs.

3. Select the Security Domain on the left side.

4. Click the New Device icon.

5. Select the Protocol from the drop-down list. Select Modbus for UR and URPlus devices. Select SNMP for the ML2400.

6. From the Device type drop-down list, select the device, then click the Test communication button for SNMP or the Read order code button for Modbus to verify communication with the device.

7. Complete the remaining fields, which depend on the communication protocol (Modbus or SNMP) and which are explained as follows. Examples of device names are UR, B30, and ML2400.

8. Click the OK button to exit.


Authorized configuration profile

An Authorized Configuration Profile (ACP) is a set of rules applied to a Security Domain and the devices in the domain. CyberSentry SEM uses the rules to determine when Security Events and Incident Cases have occurred. An Incident Case is more serious than a Security Event; some Security Events become Incident Cases, while an Incident Case cannot become a Security Event. Individual security parameters are created that comprise the ACPs. Some are added by default as examples for UR and URPlus devices. Users in the Compliance Officers and Officers groups modify these functions. Administrators can view them.

Types of security parameters

Several types of rules can be applied to devices: Configuration Changes, Device Events, Loss of Communication, Security, and System. Device support is outlined in the table.

Table 2: Security parameters

Security parameter      Devices supported
Configuration Changes   UR, URPlus, ML2400
Device Events           UR, URPlus, ML2400
Loss of Communication   UR, URPlus, ML2400, Modbus, SNMP
Security                UR, URPlus, ML2400
System                  ML2400

Security parameters are automatically created as examples for supported UR, URPlus, and ML2400 devices. By editing the profile of a device, data items can be added to the categories (Configuration Changes, Device Events, Security). Review and customize security parameters, add new ones, and/or delete those not used.

The software supports positive and negative logic. Positive logic is supported in the Configuration Changes, Device Events, and Loss of Communication categories. Examples are detecting any settings change for a relay and detecting when the firmware run by the relay changed. Negative logic refers to expected values or expected range of values. It is supported in all categories. An example is setting a software trigger when there are more than three invalid password attempts.

Enable the Raise IC checkbox to create Incident Cases when issues are detected. Disable the checkbox to create a Security Event instead.

Security dashboard

The Security Dashboard is part of the main interface. It allows access to events, cases, devices, and so on. It is viewable by all users.

Check online, scan, and error statuses

The taskbar at the bottom of the dashboard indicates online, scan, and error statuses. It provides the ability to manually invoke a scan.

Table 3: Taskbar

Icon      Description
(green)   CyberSentry SEM is online and running properly
          CyberSentry SEM is offline or one of the monitoring systems is not running properly
(blue)    CyberSentry SEM is actively performing a scan of the devices
          CyberSentry SEM is idle and waiting for the next scheduled time to perform a scan
(red)     There are system errors that require immediate attention
          No errors. CyberSentry SEM is operating in normal condition.

Times display using the 24-hour format, using the computer's clock. This includes preferences, emails, dashboard, and compliance reports. The timestamp for the taskbar follows the format mm/dd hh:mm:ss. An example is 04/16 09:28:26 for April 16 at 9:28 and 26 seconds in the morning.

To show or hide the taskbar:

1. Double-click anywhere outside the Security Dashboard in the main window. Or enable/disable the Status Bar checkbox in the Security Dashboard tab.

To check online, scan, or error status:

1. View the appropriate icon on the taskbar.

2. Click it to view details.

Scheduled scans are not performed while a user configures the system.

Security dashboard explained

The Security Dashboard provides information about Security Domains, Security Events, Incident Cases, devices, and configuration. It is the main interface for viewing, filtering, and resolving issues.

All users can view issues. Officers and Compliance Officers can assign and respond to issues. They can create Incident Cases. Compliance Officers close issues. Two statuses are possible, as outlined in the table.

Table 4: Dashboard button status

Button            Description
Normal Operation  Click the button to open a blank Event Viewer window.
Alarm state       The number of matches is indicated, the last timestamp, the device, and issue. Click the button to open the Event Viewer. In the example shown, changes to configuration settings of a UR device were being monitored and such a change was flagged as a Security Event.

A single issue can generate alarms in multiple categories. For example, when a device is offline, alarms are generated on the Security Dashboard in the following categories: Incident Cases, Affected SDs, Affected Devices, and Loss of Communication. Simply click one of the buttons to view information about the issue.

Event/case workflow

Monitor and fix event/case

Cases are assigned unique IDs in the format CSYY-nnnnnn, where CS refers to CyberSentry, YY is the last two digits of the calendar year, and nnnnnn is a number that resets to 1 at the beginning of the year. An example is CS13-000001 for the first case in the calendar year 2013.

The following figure shows the workflow for Security Events. From the Security Dashboard, you click buttons to open Event Viewer windows, adding comments and assigning Security Events/Incident Cases, and then the Compliance Officer closes them when complete. The workflow must be respected, for example Assign > Review > Close, otherwise the event/case cannot be closed.

The following actions can be performed:

• Add comments
• Add attachments
• Assign
• Change deadline date
• Root cause analysis
• Review
• Reject
• Close
• Reopen


When a Security Event gets "promoted," it is considered closed because it is now an Incident Case. An Incident Case cannot revert back to a Security Event.

To view and fix event/case (example using Loss of Communication):

1. Click the appropriate button on the dashboard, for example Loss of Communication.

2. In the window that opens, any issues are listed at the top.

3. To filter events/cases, select parameters on the left side of the window and click the Refresh button. Specifying a date or date range is optional. An example of a relative date is -2m for two months before the current date (options are d for day, w for week, m for month, and y for year). Or, sort the list by clicking the column headings of the event/case list.

4. To assign or comment on the issue, enter the information in the Perform Action area at the bottom of the window. You need to be logged in as an Officer or Compliance Officer. Set the Deadline Date field. Then click the Commit button. In the example shown, a comment was added and the case assigned to someone else for follow up.

5. The Assignee then selects Review and adds comments after investigating the event/case.

6. To close the case, a Compliance Officer selects Close from the Action drop-down list. The workflow is Assign > Review > Close. When the Close option does not display, it means that this workflow order has not been followed or that you are not logged in as a Compliance Officer.

Search for event/case

Search for Security Events and Incident Cases in the Event Viewer window. To search for an event/case:

1. Click Security Dashboard > Event Viewer.

2. In the Event Viewer window that opens, enter the search criteria on the left side. Specifying a date or date range is optional. An example of a relative date is -2m for two months before the current date (options are d for day, w for week, m for month, and y for year).

3. Click the Refresh button.

Close or delete event/case

To close the case, a Compliance Officer selects Close from the Action drop-down list. When the Close option does not display, it means that this workflow order has not been followed or that you are not logged in as a Compliance Officer.

To delete an event or case that is invalid, for example a test case, follow the workflow order to close it. It cannot be deleted outright.


Compliance reports

The purpose of the compliance report is to demonstrate that best-effort has been made to ensure the security and integrity of the devices and electrical grid. Reports can include details of action taken and comments made by staff. They are viewed and generated from the Security Dashboard, the main menu, or within the Event Viewer window. They use the Portable Document Format (PDF). Any user with access to the computer can view the reports when they know the path of the location.

View report

All users can view reports. The file name is based on the date and time generated, such as CyberSentry_Compliance_Report_2012-11-24 18-07-00.pdf, where the timestamp format is YYYY-MM-DD HH-MM-SS.

To view an existing report:

1. Click the Compliance Reports button on the Security Dashboard. Or click Security Dashboard > Reports.

2. Select the report from the Existing reports drop-down list. All reports generated and located in the default folder are available for selection.

3. Click the View button. The report launches.

Generate report

Filter options include parameters being monitored, dates, and devices. An example is to view all open Incident Cases for a device.

To generate a report:

1. Log in as an Officer or Compliance Officer.

2. Click the Compliance Reports button on the Security Dashboard. Or click Security Dashboard > Reports.

3. In the window that opens, select the filter options (outlined as follows), and specify the time period and the device(s). Specifying a date or date range is optional. An example of a relative date is -2m for two months before the current date (options are d for day, w for week, m for month, and y for year). To view details, enable the Show Details checkbox. To view comments by staff, attachments, and assignments, also enable the Include History checkbox.

4. Click the Generate button. When the button is not active, it means that you are not logged in as an Officer or Compliance Officer.
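The relative date syntax that the filter, search and report windows accept (-2m, with d/w/m/y units) and the CSYY-nnnnnn case ID format described under Monitor and fix event/case, worked through as an added Python example; this is not code from the guide or from the CyberSentry SEM product. It assumes month and year offsets clamp to the last day of the target month and that two-digit years belong to the 2000s, neither of which the guide states.

```python
import calendar
import re
from datetime import date, timedelta
from typing import Tuple

# Relative date syntax from the guide: a negative count followed by a unit
# (d = day, w = week, m = month, y = year), for example -2m.
_REL_DATE = re.compile(r"^-(\d+)([dwmy])$")

# Case ID format from the guide: CSYY-nnnnnn, sequence resets to 1 each year.
_CASE_ID = re.compile(r"^CS(\d{2})-(\d{6})$")


def resolve_relative_date(spec: str, today: date) -> date:
    """Resolve a relative date such as -2m against the given reference day.

    Day and week offsets are exact. Month and year offsets keep the day of
    month where possible and otherwise clamp to the last day of the target
    month (-1m from 31 March gives 28 or 29 February). The clamping rule is
    an assumption made here; the guide does not specify it.
    """
    m = _REL_DATE.match(spec.strip())
    if not m:
        raise ValueError(f"invalid relative date: {spec!r}")
    count, unit = int(m.group(1)), m.group(2)
    if unit == "d":
        return today - timedelta(days=count)
    if unit == "w":
        return today - timedelta(weeks=count)
    months_back = count if unit == "m" else 12 * count
    # Zero-based month arithmetic so that crossing a year boundary is exact.
    index = today.year * 12 + (today.month - 1) - months_back
    year, month0 = divmod(index, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(today.day, last_day))


def parse_case_id(case_id: str) -> Tuple[int, int]:
    """Split a case ID such as CS13-000001 into (calendar year, sequence).

    The guide's examples (CS12, CS13) are two-digit years; the 2000s century
    is assumed here.
    """
    m = _CASE_ID.match(case_id.strip())
    if not m:
        raise ValueError(f"invalid case ID: {case_id!r}")
    year, seq = 2000 + int(m.group(1)), int(m.group(2))
    if seq == 0:
        raise ValueError("sequence numbers start at 1 each calendar year")
    return year, seq


def format_case_id(year: int, seq: int) -> str:
    """Build a case ID in the CSYY-nnnnnn format for the given year and sequence."""
    if not (2000 <= year <= 2099) or not (1 <= seq <= 999999):
        raise ValueError("year must be 2000-2099 and sequence 1-999999")
    return f"CS{year % 100:02d}-{seq:06d}"


if __name__ == "__main__":
    # Constructed reference date: the last day of March 2013.
    ref = date(2013, 3, 31)
    print(resolve_relative_date("-2m", ref))  # 2013-01-31
    print(resolve_relative_date("-1m", ref))  # 2013-02-28 (clamped)
    print(parse_case_id("CS13-000001"))        # (2013, 1)
    print(format_case_id(2013, 1))             # CS13-000001
```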

For further assistance

For product support, contact the information and call center as follows. Have your software key(s) ready.

GE Digital Energy
650 Markland Street
Markham, Ontario
Canada L6C 0M1
Worldwide telephone: +1 905 927 7070
Europe/Middle East/Africa telephone: +34 94 4854 88 54
North America toll-free: 1 877 547 8630
Fax: +1 905 927 5098
E-mail: [email protected]
http://gedigitalenergy.com/multilin

Comments about new features or modifications for specific requirements are welcome.
