Relion® Protection and Control
670 series 1.2
Cyber Security Deployment Guideline
Document ID: 1MRK 511 315-UEN
Issued: October 2015
Revision: A
Product version: 1.2
© Copyright 2013 ABB. All rights reserved
Copyright
This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose.
The software and hardware described in this document is furnished under a license and may be used or disclosed only in accordance with the terms of such license.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
This product includes cryptographic software written/developed by: Eric Young ([email protected]) and Tim Hudson ([email protected]).
Trademarks
ABB and Relion are registered trademarks of the ABB Group. All other brand or product names mentioned in this document may be trademarks or registered trademarks of their respective holders.
Warranty
Please inquire about the terms of warranty from your nearest ABB representative.
Disclaimer
The data, examples and diagrams in this manual are included solely for the concept or product description and are not to be deemed as a statement of guaranteed properties. All persons responsible for applying the equipment addressed in this manual must satisfy themselves that each intended application is suitable and acceptable, including that any applicable safety or other operational requirements are complied with. In particular, any risks in applications where a system failure and/or product failure would create a risk for harm to property or persons (including but not limited to personal injuries or death) shall be the sole responsibility of the person or entity applying the equipment, and those so responsible are hereby requested to ensure that all measures are taken to exclude or mitigate such risks.
This document has been carefully checked by ABB but deviations cannot be completely ruled out. In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.
Conformity
This product complies with the directive of the Council of the European Communities on the approximation of the laws of the Member States relating to electromagnetic compatibility (EMC Directive 2004/108/EC) and concerning electrical equipment for use within specified voltage limits (Low-voltage directive 2006/95/EC). This conformity is the result of tests conducted by ABB in accordance with the product standards EN 50263 and EN 60255-26 for the EMC directive, and with the product standards EN 60255-1 and EN 60255-27 for the low voltage directive. The product is designed in accordance with the international standards of the IEC 60255 series.
Table of contents
Section 1 Introduction
  This manual
  Revision notes
  Related documents
Section 2 IEEE1686 compliance
Section 3 IP ports
Section 4 Managing user categories and accounts
  Authorization
  IED User management
    Starting IED user management
    General settings
    User profile management
      Adding new users
      Adding users to new user roles
      Deleting existing users
      Changing password
    User role management
      Adding new users to roles
      Deleting existing User from user roles
    Verifying IED user authentication
    Writing user management settings to the IED
    Reading user management settings from the IED
    Saving user management settings
  Local HMI use
    Logging on
    Logging off
    Saving settings
    Recovering password
Section 5 Glossary
Section 1 Introduction
1.1 This manual
Cyber Security Deployment Guidelines describes password procedures and levels of access in the system.
1.2 Revision notes
Revision | Description
- | First issue for 670 series version 1.2.
1.3 Related documents
Connection and Installation components 1MRK 513 003-BEN
Test system, COMBITEST 1MRK 512 001-BEN
Accessories for 670 series IEDs 1MRK 514 012-BEN
670 series SPA and signal list 1MRK 500 092-WEN
IEC 61850 Data objects list for 670 series 1MRK 500 091-WEN
Engineering manual 670 series 1MRK 511 240-UEN
Communication set-up for Relion 670 series 1MRK 505 260-UEN
More information can be found on www.abb.com/substationautomation.
Section 2 IEEE1686 compliance
Table 1: IEEE1686 compliance
Clause | Title | Status | Comment
5 | IED cyber security features | Acknowledge |
5.1 | Electronic access control | Comply | Access is protected for local access through control panel. Access is protected for local access through a communication/diagnostic port. Access is protected for remote access through a communication media
5.1.1 | Password defeat mechanisms | Exception | By using the maintenance menu
5.1.2 | Number of individual ID/passwords supported | Comply | 20 unique ID/password combinations are supported
5.1.3 | Password construction | Exception | The minimum enforced password length is 0. Use of mix of lower and UPPERCASE characters is supported. Use of numerical values is supported. Use of non-alphanumeric (e.g. @, #, %, &, *) characters is supported
5.1.4 | Authorization levels by password | Exception |
5.1.4.1 | View data | Comply | View data feature is accessible through individual user accounts
5.1.4.2 | View configuration settings | Comply | View configuration settings feature is accessible through individual user accounts
5.1.4.3 | Force values | Comply | Force value feature is accessible through individual user accounts
5.1.4.4 | Configuration change | Comply | Configuration feature is accessible through individual user accounts
5.1.4.5 | Firmware change | Comply | Firmware change feature is accessible through individual user accounts
5.1.4.6 | ID/password management | Comply | User account (ID / password) management feature is accessible through individual user accounts.
5.1.4.7 | Audit log | Exception | Audit log view / download feature is not available
5.1.5 | Password display | Comply |
5.1.6 | Access time-out | Exception | A time-out feature exists. The time period is configurable by the user.
5.2 | Audit trail | Comply | No Audit trail is available
5.2.1 | Storage capability | Exception |
5.2.2 | Storage record | Exception |
5.2.2.1 | Event record number | Exception |
5.2.2.2 | Time and date | Exception |
5.2.2.3 | User ID | Exception |
5.2.2.4 | Event type | Exception |
5.2.3 | Audit trail event types | Exception |
5.2.3.1 | Login | Exception |
5.2.3.2 | Manual logout | Exception |
5.2.3.3 | Timed logout | Exception |
5.2.3.4 | Value forcing | Exception |
5.2.3.5 | Configuration access | Exception |
5.2.3.6 | Configuration change | Exception |
5.2.3.7 | Firmware change | Exception |
5.2.3.8 | ID/password creation or modification | Exception |
5.2.3.9 | ID/password selection | Exception |
5.2.3.10 | Audit-log access | Exception |
5.2.3.11 | Time/date change | Exception |
5.2.3.12 | Alarm incident | Exception |
5.3 | Supervisory monitoring and control | Exception |
5.3.1 | Events | Exception | Automated time changes and read of configuration are not reported; otherwise compliance
5.3.2 | Alarms | Exception |
5.3.2.1 | Unsuccessful login attempt | Exception |
5.3.2.2 | Reboot | Exception |
5.3.2.3 | Attempted use of unauthorized configuration software | Exception | Not supported
5.3.2.4 | Alarm point change detect | Exception |
5.3.4 | Event and alarm grouping | Exception | Not supported
5.3.5 | Supervisory permissive control | Exception | Not supported
5.4 | Configuration software | Acknowledge |
5.4.1 | Authentication | Exception | Configuration download is handled by authentication
5.4.2 | ID/password control | Comply |
5.4.3 | ID/password-controlled features | Comply |
5.4.3.1 | View configuration data | Comply |
5.4.3.2 | Change configuration data | Comply |
5.4.3.3 | Full access | Comply |
5.5 | Communications port access | Comply |
5.6 | Firmware quality assurance | Exception | Quality control is handled according to ISO9001 and CMMI.
Section 3 IP ports
The IP port security guideline cannot suggest concrete products for a secure system setup. This must be decided within the specific project, requirements and existing infrastructure. The required external equipment can be separate devices or devices that combine firewall, router and secure VPN functionality.
To set up an IP firewall the following table summarizes the IP ports used in the 670 series. The ports are listed in ascending order. The column “Default state” defines whether a port is open or closed by default. All ports that are closed can be opened as described in the comment column in the table. Front and Rear refer to the physical front and rear port. The protocol availability on these ports is configurable.
ABB recommends using common security measures, like firewalls, up to date antivirus software and so on, to protect the IED and the equipment around it.
Table 2: Available IP ports
Port | Protocol | Default state | Front | Rear | Service | Comment
21 | TCP | open | OFF | OFF | FTP (clear text password) | File transfer protocol
102 | TCP | open | OFF | ON | IEC 61850 | MMS communication
123 | UDP | closed | OFF | OFF | SNTP | Enabled when IED is configured as SNTP master. 1)
7001 | TCP | open | OFF | OFF | FST | SPA protocol on TCP/IP used by FST (Field Service Tool)
20 000 | TCP | closed | OFF | ON | DNP3 | DNP3.0 DNP communication only
20 000 | UDP | closed | OFF | ON | DNP3 | DNP3.0 DNP communication only
1) When the IED is configured as a SNTP client it will use the first ephemeral port available. The range of ephemeral ports is 1024 to 5000.
The 670 series supports two Ethernet communication protocols, which are IEC 61850 and DNP3.0. These communication protocols are enabled by configuration. This means that the IP port is closed and unavailable if the configuration of the 670 series does not contain a communication line of the protocol. If a protocol is configured, the corresponding IP port is open all the time.
See the 670 series technical manual and the corresponding protocol documentation on how to configure a certain communication protocol for the 670 series.
There are some restrictions and dependencies:
• The IP port used for IEC 61850 (default TCP port 102) is fixed and cannot be changed.
• The IP ports used for DNP3 are configurable. The communication protocol DNP3 could operate on UDP (default port 20 000) or TCP (default port 20 000). It is defined in the configuration which type of Ethernet communication is used. Only one type is possible at a time.
• The IP port used for FTP (default TCP port 21) can be changed in the IED if needed by a 3rd party FTP client.
If the FTP port is changed PCM600 cannot be used since it is not possible to configure it to use other IP-ports than port 21 for FTP.
Two ports are used by PCM600. For configuration and settings, the IP port for SPA (TCP port 7001) and FTP (TCP port 21) are used and cannot be changed. For Field service tool, the IP port for a proprietary SPA protocol is used (TCP port 7001) and the port is fixed and cannot be changed.
IP routing is not possible via any of the physical interfaces.
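The following Python code is an added example, not part of the ABB guideline. It derives from Table 2 and the restrictions above the set of ports an IED should expose for a given configuration, then compares that set with the open ports actually observed on the device. The IedConfig fields, the function names and the observed-port sample are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Listener = Tuple[str, int]  # (transport, port)


@dataclass(frozen=True)
class IedConfig:
    """Hypothetical summary of one IED's communication configuration."""
    iec61850: bool = True                 # Table 2: TCP 102 is open by default
    dnp3_transport: Optional[str] = None  # "tcp", "udp" or None (not configured)
    dnp3_port: int = 20000                # configurable per the guideline
    sntp_master: bool = False             # UDP 123 opens only in SNTP master mode
    ftp_port: int = 21                    # changeable; PCM600 only uses port 21


def expected_listeners(cfg: IedConfig) -> Dict[Listener, str]:
    """Ports that should be open for this configuration, per Table 2."""
    if cfg.dnp3_transport not in (None, "tcp", "udp"):
        raise ValueError("DNP3 runs on TCP or UDP, only one type at a time")
    ports: Dict[Listener, str] = {
        ("tcp", cfg.ftp_port): "FTP (clear text password)",
        ("tcp", 7001): "SPA on TCP/IP (PCM600, FST)",  # fixed port
    }
    if cfg.iec61850:
        ports[("tcp", 102)] = "IEC 61850 MMS"          # fixed port
    if cfg.dnp3_transport:
        ports[(cfg.dnp3_transport, cfg.dnp3_port)] = "DNP3"
    if cfg.sntp_master:
        ports[("udp", 123)] = "SNTP master"
    return ports


def audit(cfg: IedConfig, observed: Set[Listener]) -> List[str]:
    """Compare observed open ports with what the configuration implies."""
    expected = expected_listeners(cfg)
    findings: List[str] = []
    for proto, port in sorted(observed - set(expected)):
        findings.append(
            f"UNEXPECTED {proto}/{port}: open but not implied by configuration")
    for proto, port in sorted(set(expected) - observed):
        findings.append(
            f"MISSING {proto}/{port}: {expected[(proto, port)]} expected but not observed")
    if cfg.ftp_port != 21:
        findings.append(
            f"NOTE tcp/{cfg.ftp_port}: FTP moved off port 21, PCM600 cannot be used")
    return findings


# Constructed sample: open ports recorded on an IED that is configured for
# DNP3 over TCP and is not an SNTP master.
SAMPLE_CONFIG = IedConfig(dnp3_transport="tcp")
SAMPLE_OBSERVED: Set[Listener] = {
    ("tcp", 21), ("tcp", 102), ("tcp", 7001), ("udp", 20000), ("udp", 123),
}

if __name__ == "__main__":
    for proto_port, service in sorted(expected_listeners(SAMPLE_CONFIG).items()):
        print("ALLOW  ", "%s/%d" % proto_port, service)
    for line in audit(SAMPLE_CONFIG, SAMPLE_OBSERVED):
        print(line)
```

The expected set doubles as the inbound allowlist for the firewall placed in front of the IED; anything reported as UNEXPECTED points to a configuration that differs from the one assumed.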
Figure 1: Ethernet port used for PCM600 only, front view
Section 4 Managing user categories and accounts
4.1 Authorization
User roles with different user rights are predefined in the IED. It is recommended to use user defined users instead of the predefined built-in users.
The IED users can be created, deleted and edited only with PCM600. One user can belong to one or several user roles. By default, the users in Table 3 are created in the IED, and when creating new users, the predefined roles from Table 4 can be used.
At delivery, the IED has a default user defined with full access rights. PCM600 uses this default user to access the IED. This user is automatically removed in IED when users are defined via the IED Users tool in PCM600.
Default User ID: Administrator
Password: Administrator
At delivery, the IED user has full access as SuperUser until users are created with PCM600.
Table 3: Default users
User name | User rights
SuperUser | Full rights, only presented in LHMI. LHMI is logged on by default until other users are defined
Guest | Only read rights, only presented in LHMI. LHMI is logged on by default when other users are defined (same as VIEWER)
Administrator | Full rights. Password: Administrator. This user has to be used when reading out disturbances with third party FTP-client.
Table 4: Predefined user categories
User category | User rights
SystemOperator | Control from LHMI, no bypass
ProtectionEngineer | All settings
DesignEngineer | Application configuration
UserAdministrator | User and password administration
SuperUser | Full rights, only presented in LHMI. LHMI is default logged on until other users are defined.
Guest | Only read rights, only presented in LHMI. LHMI is default logged on when other users are defined.
All changes in user management settings will cause an IED reboot.
There are different levels (or roles) of users that can access or operate different areasof the IED and tools functionality. The predefined user roles are given in table below.
The meaning of the legends used in the table:
• R = Read
• W = Write
• - = No access rights
The IED users can be created, deleted and edited only with the User Management Tool (UMT) within PCM600. The user can only Logon or Logoff on the local HMI on the IED, there are no users, groups or functions that can be defined on local HMI.
At delivery, the IED has a default user defined with full access rights. PCM600 uses this default user to access the IED. This user will automatically be removed in IED when users are defined via User Management Tool (UMT) in PCM600.
4.2 IED User management
The IED Users tool in PCM600 is used for editing user profiles and role assignments.
In the IED Users tool, the data can be retrieved from an IED or data can be written to an IED if permitted. The data from an IED can be saved to the project database.
Always use Read User Management Settings from IED before making any changes when managing user profiles. If this is not done password changes made by users may be lost!
Nothing is changed in the IED until a “writing-to-IED operation” is performed.
4.2.1 Starting IED user management
• Connect the PC to the IED
• Start PCM600
• Select an IED in the object tree.
• Select Tools/IED Users or,
• Right-click an IED in the object tree and select IED Users from the shortcut menu.
The IED User Management window appears.
4.2.2 General settings
In the General tab, by clicking Restore factory settings the default users can be restored in the IED Users tool. For the 670 series this means reverting back to the factory delivered users. Performing this operation does not remove the users in the IED. Nothing is changed in the IED until a “writing-to-IED operation” is performed.
This is not the same action as Revert to IED defaults in the recovery menu.
The previous administrator user ID and password have to be given so that the writing toward the IED can be done.
Editing can be continued by clicking on Restore factory settings when not connected to the IED.
Figure 2: General tab
4.2.3 User profile management
In the User Management tab, the user profiles of the selected IED can be edited. New users can be created, existing users can be deleted and different user group members can be edited.
A user profile must always belong to at least one user group.
Figure 3: Create new user
4.2.3.1 Adding new users
1. Click in the Users tab to open the wizard.
Figure 4: Create new user
2. Follow the instructions in the wizard to define a user name, password and user group. Select at least one user group where the defined user belongs. The user profile can be seen in the User details field.
Figure 5: Select user groups
3. Select the user from the user list and type a new name or description in the Description/full name field to change the name or description of the user.
Figure 6: Enter description
4.2.3.2 Adding users to new user roles
1. Select the user from the Users list.
2. Select the new role from the Select a role list.
3. Click .
Information about the roles to which the user belongs can be seen in the User details area.
Figure 7: Adding user
4.2.3.3 Deleting existing users
1. Select the user from the Users list.
Figure 8: Select user to be deleted
2. Click .
Figure 9: Delete existing user
4.2.3.4 Changing password
1. Select the user from the Users list.
Figure 10: Select user
2. Click .
3. Type the old password once and the new password twice in the required fields.
The passwords can be saved in the project database or sent directly to the IED.
No passwords are stored in clear text within the IED. A hash representation of the passwords is stored in the IED and it is not accessible from outside via any ports.
Figure 11: Change password
4.2.4 User role management
In the Roles tab, the user roles can be modified. The user's memberships to specific roles can be modified with a list of available user roles and users.
Figure 12: Editing users
4.2.4.1 Adding new users to roles
1. Select the required role from the Roles list.
The role profile can be seen under the Role details field.
2. Select the new user from the Select a user list.
3. Click to assign a user this role.
The new user is shown in the Users assigned list.
4.2.4.2 Deleting existing User from user roles
1. Right-click the user in the Users assigned list.
2. Select Remove this Role from Selected Member.
Figure 13: Remove Role from User
4.2.5 Verifying IED user authentication
Some of the IEDs or the protocols require a password to transmit the data between an IED and PCM600. Depending on whether the full user management control is supported or not, the software requests either a user name and password or only a password.
If PCM600 authentication is used, the user name and password should be specified in the User Management window. The software can remember the password if the Remember Me check box is selected. Otherwise, the Login window appears every time data transmission is needed.
4.2.6 Writing user management settings to the IED
• Click the Write User Management Settings to IED button on the toolbar.
Figure 14: Write to IED
The data is saved when writing to the IED starts.
4.2.7 Reading user management settings from the IED
• Click the Read from the IED button on the toolbar.
4.2.8 Saving user management settings
• Select File/Save from the menu.
• Click the Save toolbar button.
The save function is enabled only if the data has changed.
4.3 Local HMI use
At delivery, logging on is not required and the user has full access until users and passwords are created with PCM600 and written into the IED. The LHMI is logged on as SuperUser by default until other users are defined.
Commands, changing parameter values and resetting indications, for example, are actions requiring password when the password protection is activated. Reading information on the LHMI is always allowed without password. The LHMI is logged on as Guest by default when other users are defined.
Utility security policies and practical consideration should always be taken on the feasibility of using passwords. In emergency situations, the use of passwords could delay urgent actions. When security issues must be met, the two factors must be seriously considered.
The auxiliary power supply to the IED must not be switched off before changes such as passwords, setting parameter or local/remote control state changes are saved.
4.3.1 Logging on
1. Select REx670/Authorization/Log on.
The log on is also activated when attempting a password-protected operation.
2. Select the user name from the list.
Press to confirm the selected user name.
3. Enter the password when prompted digit by digit and click OK.
• Activate the digit to be entered with and .
• Enter the character with and .
Upper and lower case letters are also found by scrolling with the vertical arrows.
Figure 15: Entering the password
Passwords are case sensitive.
4. Press to confirm the log on or press to cancel the procedure.
If the log on fails, the Log on window opens again. The Log on window remains open until the log on succeeds or till the user presses .
The Log on window will open if the attempted operation requires another level of user rights.
Once a user is created and written into the IED, log on is possible with the password assigned in the tool. If there is no user created, an attempt to log on causes the display to show a corresponding message.
Figure 16: No user defined
4.3.2 Logging off
The user is automatically logged off after the display timeout. The IED returns to a state where only reading is enabled. Manual log off is also possible.
1. Select REx670/Authorization/Log off.
2. To confirm log off, select Yes and press .
Figure 17: Logging off
• To cancel log off, press .
4.3.3 Saving settings
Editable values are stored in the non-volatile flash memory. Most of the parameter changes take effect immediately after storing, but some parameter changes require application restart. Values stored in the flash memory remain in effect after reboot as well.
1. Press to confirm any changes.
2. Press to move upwards in the menu tree or to enter the Main menu.
3. To save the changes in non-volatile memory, select Yes and press .
Figure 18: Confirming and saving settings
• To exit without saving changes, select No and press .
• To cancel saving settings, select Cancel and press .
Pressing Cancel in the Save changes dialog closes only the Save changes dialog box, but the IED remains in editing mode. None of the changes applied to any setting are lost and the user can continue to change settings. To leave the change setting mode, select No or Yes in the Save changes dialog.
After changing the parameters marked with !, the IED restarts automatically for the changes to take effect.
4.3.4 Recovering password
In case of password loss, the user and password can be reset to default in the Maintenance Menu. In case of another file system error that prevents the IED from working properly, the whole file system can be restored to the IED default state. All the default settings and configuration files stored in the IED at the factory are restored.
To enter this menu, the IED must be rebooted and a specific key combination must be pressed on the LHMI during the IED boot sequence.
1. Switch off the power supply to the IED and leave it off for one minute.
2. Switch on the power supply to the IED and press and hold down . and until the Maintenance Menu appears on the LHMI (this takes around 20-60s).
3. Navigate down and select Advanced options and press or .
Maintenance Menu
1. Revert to factory default
2. Revert to last known good state
3. Paus start sequence
4. Display IP address
5. Advanced options. PIN code protected
Press C to continue start-up
Figure 19: Select Advanced options
“Revert to factory default” and “Revert to last known good state” shall not be used.
4. Enter PIN code 8282 and press .
Enter PIN
8282
Figure 20: Enter PIN code
5. Select Revert to default user/password and press or .
Advanced Options
4.1: Revert to default user/passwd
4.2: View sysevent log
4.3: Clear sysevent log
4.4: Clear all databases
Press C to continue start-up
Figure 21: Revert to default user/password
To cancel the operation in any step, press .
The IED performs a reboot and the new settings are activated.
The Maintenance Menu is only available on the Local HMI. The purpose of this menu is to have a way to recover in the field at different situations. The recovery menu is also protected with a 4-digit PIN code, fixed for all IEDs.
Section 5 Glossary
AC Alternating current
ACT Application configuration tool within PCM600
A/D converter Analog-to-digital converter
ADBS Amplitude deadband supervision
ADM Analog digital conversion module, with time synchronization
AI Analog input
ANSI American National Standards Institute
AR Autoreclosing
ArgNegRes Setting parameter/ZD/
ArgDir Setting parameter/ZD/
ASCT Auxiliary summation current transformer
ASD Adaptive signal detection
AWG American Wire Gauge standard
BBP Busbar protection
BFP Breaker failure protection
BI Binary input
BIM Binary input module
BOM Binary output module
BOS Binary outputs status
BR External bistable relay
BS British Standards
BSR Binary signal transfer function, receiver blocks
BST Binary signal transfer function, transmit blocks
C37.94 IEEE/ANSI protocol used when sending binary signals between IEDs
CAN Controller Area Network. ISO standard (ISO 11898) for serial communication
CB Circuit breaker
CBM Combined backplane module
CCITT Consultative Committee for International Telegraph and Telephony. A United Nations-sponsored standards body within the International Telecommunications Union.
CCM CAN carrier module
CCVT Capacitive Coupled Voltage Transformer
Class C Protection Current Transformer class as per IEEE/ ANSI
CMPPS Combined megapulses per second
CMT Communication Management tool in PCM600
CO cycle Close-open cycle
Codirectional Way of transmitting G.703 over a balanced line. Involves two twisted pairs making it possible to transmit information in both directions
COMTRADE Standard format according to IEC 60255-24
Contra-directional Way of transmitting G.703 over a balanced line. Involves four twisted pairs, two of which are used for transmitting data in both directions and two for transmitting clock signals
CPU Central processing unit
CR Carrier receive
CRC Cyclic redundancy check
CROB Control relay output block
CS Carrier send
CT Current transformer
CVT Capacitive voltage transformer
DAR Delayed autoreclosing
DARPA Defense Advanced Research Projects Agency (The US developer of the TCP/IP protocol etc.)
DBDL Dead bus dead line
DBLL Dead bus live line
DC Direct current
DFC Data flow control
DFT Discrete Fourier transform
DHCP Dynamic Host Configuration Protocol
DIP-switch Small switch mounted on a printed circuit board
DI Digital input
DLLB Dead line live bus
DNP Distributed Network Protocol as per IEEE Std 1815-2012
DR Disturbance recorder
DRAM Dynamic random access memory
DRH Disturbance report handler
DSP Digital signal processor
DTT Direct transfer trip scheme
EHV network Extra high voltage network
EIA Electronic Industries Association
EMC Electromagnetic compatibility
EMF Electromotive force
EMI Electromagnetic interference
EnFP End fault protection
EPA Enhanced performance architecture
ESD Electrostatic discharge
FCB Flow control bit; Frame count bit
FOX 20 Modular 20 channel telecommunication system for speech, data and protection signals
FOX 512/515 Access multiplexer
FOX 6Plus Compact time-division multiplexer for the transmission of up to seven duplex channels of digital data over optical fibers
G.703 Electrical and functional description for digital lines used by local telephone companies. Can be transported over balanced and unbalanced lines
GCM Communication interface module with carrier of GPS receiver module
GDE Graphical display editor within PCM600
GI General interrogation command
GIS Gas-insulated switchgear
GOOSE Generic object-oriented substation event
GPS Global positioning system
GSAL Generic security application
GTM GPS Time Module
HDLC protocol High-level data link control, protocol based on the HDLC standard
HFBR connector type Plastic fiber connector
HMI Human-machine interface
HSAR High speed autoreclosing
HV High-voltage
HVDC High-voltage direct current
IDBS Integrating deadband supervision
IEC International Electrical Committee
IEC 60044-6 IEC Standard, Instrument transformers – Part 6: Requirements for protective current transformers for transient performance
IEC 60870-5-103 Communication standard for protective equipment. A serial master/slave protocol for point-to-point communication
IEC 61850 Substation automation communication standard
IEC 61850–8–1 Communication protocol standard
IEEE Institute of Electrical and Electronics Engineers
IEEE 802.12 A network technology standard that provides 100 Mbits/s on twisted-pair or optical fiber cable
IEEE P1386.1 PCI Mezzanine Card (PMC) standard for local bus modules. References the CMC (IEEE P1386, also known as Common Mezzanine Card) standard for the mechanics and the PCI specifications from the PCI SIG (Special Interest Group) for the electrical EMF (Electromotive force).
IEEE 1686 Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
IED Intelligent electronic device
I-GIS Intelligent gas-insulated switchgear
IOM Binary input/output module
Instance When several occurrences of the same function are available in the IED, they are referred to as instances of that function. One instance of a function is identical to another of the same kind but has a different number in the IED user interfaces. The word "instance" is sometimes defined as an item of information that is representative of a type. In the same way an instance of a function in the IED is representative of a type of function.
IP 1. Internet protocol. The network layer for the TCP/IP protocol suite widely used on Ethernet networks. IP is a connectionless, best-effort packet-switching protocol. It provides packet routing, fragmentation and reassembly through the data link layer. 2. Ingression protection, according to IEC standard
IP 20 Ingression protection, according to IEC standard, level 20
IP 40 Ingression protection, according to IEC standard, level 40
IP 54 Ingression protection, according to IEC standard, level 54
IRF Internal failure signal
IRIG-B: InterRange Instrumentation Group Time code format B, standard 200
ITU International Telecommunications Union
LAN Local area network
LIB 520 High-voltage software module
LCD Liquid crystal display
LDCM Line differential communication module
LDD Local detection device
LED Light-emitting diode
LNT LON network tool
LON Local operating network
MCB Miniature circuit breaker
MCM Mezzanine carrier module
MIM Milli-ampere module
MPM Main processing module
MVB Multifunction vehicle bus. Standardized serial bus originally developed for use in trains.
NCC National Control Centre
NUM Numerical module
OCO cycle Open-close-open cycle
OCP Overcurrent protection
OEM Optical ethernet module
OLTC On-load tap changer
OV Over-voltage
Overreach A term used to describe how the relay behaves during a fault condition. For example, a distance relay is overreaching when the impedance presented to it is smaller than the apparent impedance to the fault applied to the balance point, that is, the set reach. The relay “sees” the fault but perhaps it should not have seen it.
PCI Peripheral component interconnect, a local data bus
PCM Pulse code modulation
PCM600 Protection and control IED manager
PC-MIP Mezzanine card standard
PMC PCI Mezzanine card
POR Permissive overreach
POTT Permissive overreach transfer trip
Process bus Bus or LAN used at the process level, that is, in near proximity to the measured and/or controlled components
PSM Power supply module
PST Parameter setting tool within PCM600
PT ratio Potential transformer or voltage transformer ratio
PUTT Permissive underreach transfer trip
RASC Synchrocheck relay, COMBIFLEX
RCA Relay characteristic angle
RFPP Resistance for phase-to-phase faults
RFPE Resistance for phase-to-earth faults
RISC Reduced instruction set computer
RMS value Root mean square value
RS422 A balanced serial interface for the transmission of digital data in point-to-point connections
RS485 Serial link according to EIA standard RS485
RTC Real-time clock
RTU Remote terminal unit
SA Substation Automation
SBO Select-before-operate
SC Switch or push button to close
SCS Station control system
SCADA Supervision, control and data acquisition
SCT System configuration tool according to standard IEC 61850
SDU Service data unit
SLM Serial communication module. Used for SPA/LON/IEC/DNP3 communication.
SMA connector Subminiature version A, a threaded connector with constant impedance.
SMT Signal matrix tool within PCM600
SMS Station monitoring system
SNTP Simple network time protocol – is used to synchronize computer clocks on local area networks. This reduces the requirement to have accurate hardware clocks in every embedded system in a network. Each embedded node can instead synchronize with a remote clock, providing the required accuracy.
SPA Strömberg protection acquisition, a serial master/slave protocol for point-to-point communication
SRY Switch for CB ready condition
ST Switch or push button to trip
Starpoint Neutral point of transformer or generator
SVC Static VAr compensation
TC Trip coil
TCS Trip circuit supervision
TCP Transmission control protocol. The most common transport layer protocol used on Ethernet and the Internet.
TCP/IP Transmission control protocol over Internet Protocol. The de facto standard Ethernet protocols incorporated into 4.2BSD Unix. TCP/IP was developed by DARPA for Internet working and encompasses both network layer and transport layer protocols. While TCP and IP specify two protocols at specific protocol layers, TCP/IP is often used to refer to the entire US Department of Defense protocol suite based upon these, including Telnet, FTP, UDP and RDP.
TEF Time delayed earth-fault protection function
TNC connector Threaded Neill-Concelman, a threaded constant impedance version of a BNC connector
TPZ, TPY, TPX, TPS Current transformer class according to IEC
UMT User management tool
Underreach A term used to describe how the relay behaves during a fault condition. For example, a distance relay is underreaching when the impedance presented to it is greater than the apparent impedance to the fault applied to the balance point, that is, the set reach. The relay does not “see” the fault but perhaps it should have seen it. See also Overreach.
UTC Coordinated Universal Time. A coordinated time scale, maintained by the Bureau International des Poids et Mesures (BIPM), which forms the basis of a coordinated dissemination of standard frequencies and time signals. UTC is derived from International Atomic Time (TAI) by the addition of a whole number of "leap seconds" to synchronize it with Universal Time 1 (UT1), thus allowing for the eccentricity of the Earth's orbit, the rotational axis tilt (23.5 degrees), but still showing the Earth's irregular rotation, on which UT1 is based. The Coordinated Universal Time is expressed using a 24-hour clock, and uses the Gregorian calendar. It is used for aeroplane and ship navigation, where it is also sometimes known by the military name, "Zulu time." "Zulu" in the phonetic alphabet stands for "Z", which stands for longitude zero.
UV Undervoltage
WEI Weak end infeed logic
VT Voltage transformer
X.21 A digital signalling interface primarily used for telecom equipment
3IO Three times zero-sequence current. Often referred to as the residual or the earth-fault current
3UO Three times the zero sequence voltage. Often referred to as the residual voltage or the neutral point voltage
Contact us
ABB AB
Substation Automation Products
SE-721 59 Västerås, Sweden
Phone +46 (0) 21 32 50 00
Fax +46 (0) 21 14 69 18
www.abb.com/substationautomation