
Schweitzer Engineering Laboratories SEL-421-4 - Authentication and Authorization Controls

Schweitzer Engineering Laboratories SEL-421-4
1518 pages
SEL-400 Series Relays Instruction Manual Date Code 20171006
Cybersecurity Features
Segregating Ethernet Ports
In most modes, the enabled Ethernet ports support both IP traffic and layer 2
protocols (i.e., IEC 61850 GOOSE). If NETMODE = ISOLATEIP, then one port only
permits GOOSE traffic. This allows this port to be routed outside of a security
perimeter while retaining the ability to perform basic monitoring and control. See
Using Redundant Ethernet Ports on page 15.10 for more information on this mode.
EtherCAT Ports
SEL-400 series relays with a TiDL configuration have eight EtherCAT ports.
These communicate with remote Axion nodes. The ports are used exclusively for
exchanging analog and digital data with Axions; they will not recognize any
other types of communication.
Once the system is configured and commissioned, the relay will only
communicate with recognized Axions. Any other traffic on these ports will be ignored.
After commissioning, the loss of communications to any configured Axion or
Axion module will cause the relay to disable.
Authentication and Authorization Controls
Local Accounts
SEL-400 series relays support eight levels of access, as described in Access
Levels and Passwords on page 3.7. Refer to that section to learn how each level is
accessed and what the default passwords are. It is good security practice to
change the default passwords of each access level and to use a unique password for
each level.
Relays have the capability to limit the level of access on a per-port basis. The
MAXACC setting may be used on each port to restrict these authorization levels. This
permits you to operate under the principle of “least privilege,” restricting ports to
the levels needed for the functions performed on those ports.
Each relay supports strong passwords of as many as 12 characters including any
printable character, allowing users to select complex passwords if they so choose.
SEL recommends that passwords contain a minimum of eight characters
containing at least one of each of the following: lowercase letter, uppercase letter,
number, and special character.
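The following added example (not part of the SEL manual) audits a planned set of access-level passwords against the guidance above: 8 to 12 characters, one of each character class, and a unique password per level. The level labels and sample passwords are constructed placeholders, and treating "printable character" as printable ASCII without whitespace is an assumption.

```python
import string

MIN_LEN, MAX_LEN = 8, 12  # SEL's recommended minimum; relay's stated maximum
# Assumption: "printable character" means printable ASCII without whitespace.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)

CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": string.punctuation,
}


def check_password(pw):
    """Return a list of findings for one password; empty means it passes."""
    findings = []
    if len(pw) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        findings.append(f"longer than the {MAX_LEN}-character limit")
    if any(ch not in PRINTABLE for ch in pw):
        findings.append("contains a non-printable or whitespace character")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in pw):
            findings.append(f"missing {name}")
    return findings


def audit_levels(plan):
    """Audit a {level_label: password} plan, including cross-level reuse."""
    report = {level: check_password(pw) for level, pw in plan.items()}
    seen = {}
    for level, pw in plan.items():
        if pw in seen:
            report[level].append(f"same password as {seen[pw]}")
            report[seen[pw]].append(f"same password as {level}")
        else:
            seen[pw] = level
    return {level: f for level, f in report.items() if f}


if __name__ == "__main__":
    # Constructed sample plan; the level labels are placeholders.
    plan = {"level-A": "Rly#7vQz2m", "level-B": "substation1",
            "level-C": "Rly#7vQz2m", "level-D": "Tr!p9Coil&Bkr4"}
    for level, findings in audit_levels(plan).items():
        print(level, "->", "; ".join(findings))
```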
Authentication Failures
When three successive login attempts fail as a result of an incorrect password
entry, the relay locks out login attempts on that port for 30 seconds. It also pulses
the BADPASS Relay Word bit.
