96
DMC3S - Manual - 08 - 2021
6 CYBER SECURITY
Preface
The cyber security functions implemented by the DMC3S relays mitigate cyber threats, by providing:
• Protected communications between the DMC3S protection relays and the mapped tool via SSH
(Secure SHell)
• Password based user authentication
• Management of authorisations for Role Based Access Control (RBAC)
• Protected log filing (Syslog service)
The following operative areas can be identified:
• Configuration Management
• HW Systems and Networking Equipment
• Initial System Configuration
• Threat and Vulnerability Management
• Access Control
• Authentication and Authorization Management
• Auditing
• Network Communication Security
The described procedures have been selected in consideration of the following standards and
guidelines:
• ISO/IEC 27001:2013
• NERC CIP – North American Electric Reliability Corporation Critical Infrastructure Protection
• IEC 62351
IEC 62351 will be applied if expressly requested, to guarantee control of communications protocols
and data flows.
— Configuration management
Configuration management is a set of procedures which control modifications to hardware, firm-
ware, software and documentation to ensure that all devices are protected against unwanted mod-
ification before, during and after system implementation.
— Hardware systems and networking equipment
The devices are industrial and satisfy industrial quality and EMC standards. Only passive systems
without fans are used for heat management. The devices can be assigned IP addresses on the basis
of pertinent network planning rules. On request, HW protection systems can be installed (tamper-
proofing, etc.).
— Initial system configuration
The protection relays are equipped only with the network services required to execute their protec-
tion programs, thus limiting the number of open TCP / UDP ports. All services and operating systems
are updated to the latest version at the time of release. Access even for "known" users is eliminated
and only one local non-administrator user is left active to install and configure the device initially.
— Threat and vulnerability management
The device's operating system is supported by the vendor to ensure conformity with regular security
bulletins and patches.
— Access control
Further to the local non-administrator user, user authentication can be delegated to a centralised
platform by the RADIUS client, to obtain access to the active Windows directory.
— Authentication and authorization management
AAM ius based on the “RBAC” (Rule Based Access Control) model, i.e. the device allows execution
of functions in relation to the user's assigned role.
The following roles are available:
• “Administrator”: Complete control of the device
• “Operator1”: Limited Level 1 read/write access
• “Operator2”: Limited Level 2 read/write access
— Auditing
The device tracks the most important system operations/actions, like accesses and modifications to
the configuration, with a “syslog” service.
To Next Page
Loading...
