www.abb.com/substationautomation [email protected] +49 621 381-7622 381-3000 621 +49 Mannheim, Germany 68128 64 01 P.O. 10 Box Grids Power AG Germany Grids Power ABB —

known devices are allowed to communicate. allowed are devices known only to ensure managed, be centrally can devices the for rights access the server, authentication an using of option to the Thanks 802.1X. IEEE standard to the authorization in TCP/IP-based networks, according and authentication the supports series RTU500 (Authentication) Network Access Control — test security independent dedicated, at ABB‘s tested thoroughly been has series RTU500 Furthermore closed. ports unused and removed been have services unused e.g. hardened, systematically been has series RTU500 byproducts performing testing security and hardening. its of robustness and security the to improve strives ABB System Hardening — information in this document. of lack possible or errors potential for whatsoever responsibility any accept not does AG ABB prevail. shall particulars agreed the orders, purchase to regard document notice. prior without With this of contents the modify or changes technical make to right the reserve We —

process. development the of parts integrated are hardening and are documentedservices, in detail. testing Security as the resulting configurations, e.g. and open ports well as steps Hardening tools. testing security source center using commercial state-of-the-art and open All rights reserved rights All ABB 2019 Copyright© AG. ABB forbidden its of utilization or parties third to disclosure reproduction, Any therein. contained illustrations and matter subject the in and document this in rights all reserve We contents – in whole or in parts – is –is parts in or whole –in contents without prior written consentwithout prior written of

Document ID DEABB171011 (2019) Secure your RTU against attacks. RTU500 Cyber Series Security GRID AUTOMATION PRODUCTS — in security. developments latest to the systems its adapts constantly and challenges security the anticipates ABB systems. IT enterprise or office from known concerns security cyber introduced also it view, of point operational an from benefits huge brought only not has technology in change This 61850. IEC or 3.0 DNP 60870-5-104, IEC as such protocols communication TCP/IPand based standards and commercial technology, e.g. open on based more and more is systems control technology enhancements. The new generation of with to change continues and decade past the over significantly changed has grid power electric The the latest developments security. in cyber to systems and products its adapts constantly thus and security cyber address clearly that systems and products with customers to provide committed is ABB

telecommunication systems” and control secure for “Requirements Whitepaper: BDEW the of requirements the to fulfill users support functions security cyber implemented The storage.file of kinds all for used are report to ENISA according standards encryption and algorithms various Different 1686. IEEE and to NERC-CIP according implemented control, logging, security hardware hardening are access User security. cyber of level ahigh assure and industries power the of needs to the respond RTUs Our requirement. key a and it identified as has security understands the importance of cyber the couple last of years. fully ABB increased sector over in the electric steadily has Focus security on cyber

— — — User Access Control Manipulation Protection Security Logging

User Account Management RTU installation and RTU documentation are protected Local Logging Role Based Access Control RTU500 series supports user authentication and by signatures against manipulation. Manipulated RTU RTU500 series creates audit trails (log files) of all RTU500 series supports Role Based Access Control authorization on an individual user level. User download files, e.g. configuration files, are detected security relevant user activities. Security events that (RBAC) according to IEC 62351. Every user account authentication is required and authorization and refused. are being logged include user login, logout, change of can be assigned different roles and the user roles is enforced for all interactive access to the device. parameters, configurations, or updates of firmware. can be added, removed and changed as needed. — For each event date and time, user, event ID, outcome User Accounts Device Supervision via SNMP V3 and source of event are logged. Access to the audit trail Password Complexity RTU500 series allows to fully manage user accounts, is available to authorized users only. RTU500 series offers the possibility of enforcing i.e. creating, editing and deleting them freely. User Simple Network Management Protocol (SNMP) is one password policies that can be customized by names and passwords can be configured according of the most commonly used technologies for network External Security Clients specifying minimum password length, maximum to customer‘s requirements. monitoring. Security events of the RTU can be sent to external password lifetime, as well as usage of lower case, security log clients such as the System Data Manager upper case, numeric and special characters. Central Account Management By implementing SNMP, the RTU500 (SDM600). SDM600 is a monitoring and response RTU500 supports customer owned CAM systems becomes a managed device that can share: application, which enables visibility of real time security like Windows active directory server. The • Diagnosis information events. Syslog UDP/TCP and ArcSight TCP - standard implementation is based on a LDAP server and (e.g. CPU load and telegram traffic load) protocols for logging of security events - are supported complies to IEC 62351-8. Different fall back • System events (RTU and sub devices) by RTU500 series. Furthermore up to 3 clients per solutions are available with the RTU500 series in • Configurable Single Indications ethernet port can be configured. case CAM is not available. — RTU500 Series can be integrated in Network Security Events To Control System monitoring systems in parallel to a SCADA system. Security events and alarms can be sent via host protocol Secure Communication to the control systems. “Security indication” and — “security alarm” are supported. Settings of security Web Server Secure IEC 60870-5-104 Communication (IEC 62351-3) Patch Management alarms are part of the configuration. Up to 32 security RTU500 series permits encrypted communication RTU500 series allows point-to-point data traffic events can be mapped to one single alarm. Security between the web browser and the RTU. A standard encryption for TCP/IP-based communication. This is events are available in host protocols, PLC, HMI and Security patches provided for the RTU500 series can browser can be utilized such as Internet Explorer or enabled thanks to (TLS) process archives. be implemented without changing the running Firefox. Furthermore the operator can select between with respective authentication of client and server configuration. This way, vulnerabilities and https:// and http:// by configuration. In addition, using X.509 certificates. cyber security findings can be handled in a fast and self-signed certificates and customer certificates efficient way, as no release upgrade is required. (X509), can be used. Secure IEC 60870-5-104 Authentication (IEC 62351-5) Patch management is also simplified for large RTU500 series prevents “spoofing, modification numbers of RTU’s in the project by script interface. VPN Function and replay” of telegrams using IEC 60870-5-104 by RTU500 series offers an encrypted channel based adding secure authentication mechanisms. This Network control center on the hash algorithms SHA256/384/512 between protocol extension is optimized for low bandwidth the RTU and the IPsec Router on customers side. consumption and for environments with limited The VPN provides confidentiality and integrity and access to authentication servers. authenticity. A secure communication via public networks is possible. The authentication is handled Secure DNP3 Communication (IEC 62351-5) by pre-shared keys or customer certifications (X509). RTU500 series provides a secure implementation A diagnosis interface for encrypted channels is for serial and TCP IP communication based on DNP3. Firewall available and can be activated on request for This part of IEC 62351 focuses on application layer commissioning and troubleshooting. Deactivation of authentication. All application layer messages are VPN channels in customer networks is not required. defined as critical. VPN Tunnel Device supervision via SNMP V3 Patch management —

Integrated Firewall communication Secure

RTU500 enables different services on dedicated Ethernet interfaces (E1, E2, USB, PPP). The configuration of the firewall is automatically created from the RTU configuration.

User access control Backup and recovery