OCTOBER 2020 CYBER SECURITY DEPLOYMENT GUIDELINE The Relay Explorer - RXplore


Copyright

This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party, nor used for any unauthorized purpose.

The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (www.openssl.org/) This product includes cryptographic software written/developed by: Eric Young ([email protected]) and Tim Hudson ([email protected]).

Trademarks

ABB and Relion are registered trademarks of the ABB Group. All other brand or product names mentioned in this document may be trademarks or registered trademarks of their respective holders. SSC600 is an approved Intel® IoT Market Ready Solution.

Open Source Software

This product contains open source software. For license information refer to product documentation at www.abb.com.

Warranty

Please inquire about the terms of warranty from your nearest ABB representative.

www.abb.com/mediumvoltage


Disclaimer

The data, examples and diagrams in this manual are included solely for the concept or product description and are not to be deemed as a statement of guaranteed properties. All persons responsible for applying the equipment addressed in this manual must satisfy themselves that each intended application is suitable and acceptable, including that any applicable safety or other operational requirements are complied with. In particular, any risks in applications where a system failure and/or product failure would create a risk for harm to property or persons (including but not limited to personal injuries or death) shall be the sole responsibility of the person or entity applying the equipment, and those so responsible are hereby requested to ensure that all measures are taken to exclude or mitigate such risks.

This product has been designed to be connected and communicate data and information via a network interface which should be connected to a secure network. It is the sole responsibility of the person or entity responsible for network administration to ensure a secure connection to the network and to take the necessary measures (such as, but not limited to, installation of firewalls, application of authentication measures, encryption of data, installation of anti virus programs, etc.) to protect the product and the network, its system and interface included, against any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information. ABB is not liable for any such damages and/or losses.

This document has been carefully checked by ABB but deviations cannot be completely ruled out. In case any errors are detected, the reader is kindly requested to notify the manufacturer. Other than under explicit contractual commitments, in no event shall ABB be responsible or liable for any loss or damage resulting from the use of this manual or the application of the equipment.

In case of discrepancies between the English and any other language version, the wording of the English version shall prevail.

Contents

1 Introduction
  1.1 This manual
  1.2 Intended audience
  1.3 Product documentation
    1.3.1 Product documentation set
    1.3.2 Document revision history
    1.3.3 Related documentation
  1.4 Symbols and conventions
    1.4.1 Symbols
    1.4.2 Document conventions
2 Security in substation and distribution automation systems
  2.1 General security in distribution automation
  2.2 RXplore network setup
  2.3 Reference documents
3 Secure system setup
  3.1 Basic system hardening rules
  3.2 TCP/IP based protocols and used IP ports
  3.3 Secure communication
4 User management
  4.1 RXplore user authentication
5 Configuration of mobile phone
  5.1 General security actions
  5.2 Operating systems
  5.3 OS updates and patch management
  5.4 Virus scanner
  5.5 Malware protection
  5.6 External storage usage
  5.7 Firewall, ports and services
6 Standard compliance statement
7 Glossary

1 Introduction

1.1 This manual

The cyber security deployment guideline describes the process for handling cyber security when engineering and monitoring protection and control IEDs. The cyber security deployment guideline provides information on how to secure the environment on which RXplore is deployed. The guideline can be used as a technical reference during the engineering phase, installation and commissioning phase, and during normal service. See also all IED-related cyber security deployment guidelines.

1.2 Intended audience

This guideline is intended for the system engineering, commissioning, operation and maintenance personnel handling cyber security during the engineering, installation and commissioning phases, and during normal service.

The personnel is expected to have general knowledge about topics related to cyber security.

• Protection and control IEDs, gateways and Windows workstations
• Networking, including Ethernet and TCP/IP with its concept of ports and services
• Security policies
• Firewalls
• Antivirus protection
• Application whitelisting
• Secure remote communication

1.3 Product documentation

1.3.1 Product documentation set

The cyber security deployment guideline describes the process for handling cyber security when engineering and monitoring protection and control IEDs. The cyber security deployment guideline provides information on how to secure the environment on which RXplore is deployed. The guideline can be used as a technical reference during the engineering phase, installation and commissioning phase, and during normal service. See also all IED-related cyber security deployment guidelines.

The quick start guide provides basic instructions on how to use RXplore. The manual provides instructions for typical use cases in operation and field.


1.3.2 Document revision history

Document revision/date    Product version    History
A/2020-10-14              RXplore 1.0        First release

1.3.3 Related documentation

Product series- and product-specific manuals can be downloaded from the ABB Web site https://www.abb.com/mediumvoltage.

1.4 Symbols and conventions

1.4.1 Symbols

Warning: The warning icon indicates the presence of a hazard which could result in electrical shock or other personal injury.

Caution: The caution icon indicates important information or warning related to the concept discussed in the text. It might indicate the presence of a hazard which could result in corruption of software or damage to equipment or property.

Note: The information icon alerts the reader of important facts and conditions.

Tip: The tip icon indicates advice on, for example, how to design your project or how to use a certain function.

Although the warning hazards are related to personal injury, it is necessary to understand that under certain operational conditions, operation of damaged equipment may result in degraded process performance leading to personal injury or death. Therefore, comply fully with all warning and caution notices.

1.4.2 Document conventions

A particular convention may not be used in this manual.

• Abbreviations and acronyms are spelled out in the glossary. The glossary also contains definitions of important terms.
• Menu paths are presented in bold.
  Select Main menu/Settings.
• Menu, tab, button, list and box names as well as window or dialog box titles are presented in bold.
  On the File menu, click New Project.
• Shortcut keys are presented in uppercase letters.
  A page can also be added pressing the shortcut keys CTRL+SHIFT+P.
• Command prompt commands are shown in Courier font.
  Type ping <devices_IP_address> /t and wait for at least one minute to see if there are any communication breaks.
• Parameter names are shown in italics.
  The function can be enabled and disabled with the Operation setting.


2 Security in substation and distribution automation systems

2.1 General security in distribution automation

Technological advancements and breakthroughs have caused a significant evolution in the electric power grid. As a result, the emerging “smart grid” and “Internet of Things” are quickly becoming a reality. At the heart of these intelligent advancements are specialized IT systems – various control and automation solutions such as distribution automation systems. To provide end users with comprehensive real-time information, enabling higher reliability and greater control, automation systems have become ever more interconnected. To combat the increased risks associated with these interconnections, ABB offers a wide range of cyber security products and solutions for automation systems and critical infrastructure.

The new generation of automation systems uses open standards such as IEC 60870-5-104, DNP3 and IEC 61850 and commercial technologies, in particular ETHERNET and TCP/IP based communication protocols. They also enable connectivity to external networks, such as office intranet systems and the Internet. These changes in technology, including the adoption of open IT standards, have brought huge benefits from an operational perspective, but they have also introduced cyber security concerns previously known only to office or enterprise IT systems.

To counter cyber security risks, open IT standards are equipped with cyber security mechanisms. These mechanisms, developed in a large number of enterprise environments, are proven technologies. They enable the design, development and continual improvement of cyber security solutions also for control systems, including distribution automation applications.

ABB understands the importance of cyber security and its role in advancing the security of distribution networks. A customer investing in new ABB technologies can rely on system solutions where reliability and security have the highest priority.

Reporting of vulnerability or cyber security issues related to any ABB product can be done via [email protected].

2.2 RXplore network setup

The picture below shows the RXplore network setup:

• Mobile network is used for reading product information.
• RXplore mobile application is connected to IEDs over wireless access point.

It is recommended to use the latest wireless technologies for the communication between RXplore and the IEDs.


Figure 1 RXplore network setup. Diagram elements: RXplore App, IED, product information, WiFi access point in same network as IED, station network, Internet/outside network. Legend: wired/physical connection, wireless connection.

2.3 Reference documents

Information security in critical infrastructure like electrical distribution and transmission networks has been in high focus for both vendors and utilities. This together with developing technology, for example, the application of ETHERNET and IP based communication networks in substations, power plants and network control centers, creates a need for specifying systems with cyber security.

ABB is involved in the standardization and definition of several cyber standards; the most applicable and referred ones are ISO 2700x, IEC 62443, IEEE P1686 and IEC 62351. Besides standardization efforts there are also several government-initiated requirements and practices like NERC CIP and BDEW. ABB fully understands the importance of cyber security for substation automation systems and is committed to support users in efforts to achieve or maintain compliance to these.

See also all IED-related cyber security deployment guidelines.


3 Secure system setup

3.1 Basic system hardening rules

Today's distribution automation systems are basically specialized IT systems. Therefore, several rules of hardening an automation system apply to these systems, too. Protection and control IEDs are from the automation system perspective on the lowest level and closest to the actual primary process. It is important to apply the defense-in-depth information assurance concept where each layer in the system is capable of protecting the automation system and therefore protection and control IEDs are also part of this concept. The following should be taken into consideration when planning the system protection.

• Recognizing and familiarizing all parts of the system and the system's communication links
• Removing all unnecessary communication links in the system
• Rating the security level of remaining connections and improving with applicable methods
• Hardening the system by removing or deactivating all unused processes, communication ports and services
• Checking that the whole system has backups available from all applicable parts
• Collecting and storing backups of the system components and keeping those up-to-date
• Removing all unnecessary user accounts
• Changing default passwords and using strong enough passwords
• Checking that the link from substation to upper level system uses strong enough encryption and authentication
• Separating public network from automation network
• Segmenting traffic and networks
• Using firewalls and demilitarized zones
• Assessing the system periodically
• Using antivirus software in workstations and keeping those up-to-date
• Using principle of least privilege
• Physical access control

It is important to utilize the defence-in-depth concept when designing system security. The different layers and interfaces in the system should use security controls. Robust security means, besides product features, enabling and using the available features and also enforcing their use by company policies. Adequate training is also needed for the personnel accessing and using the system.

3.2 TCP/IP based protocols and used IP ports

To set up an IP firewall, see the IED-specific cyber security deployment guidelines for the ports that are used to communicate and to configure the IEDs. All closed ports can be opened in the configuration. Ports that are open by default are used for configuring or monitoring the protection IED.


3.3 Secure communication

Some of the protection IEDs support encrypted communication according to the principles of IEC 62351 in secured communication for WHMI and file transfer protocol. If the Secure Communication parameter is activated in the IED, the protocols require the clients to support TLS-based encryption. In case of file transfer, the client must use FTPS. RXplore supports FTPS and is able to download and upload configuration files in encrypted format from the IED.
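Added example (not part of the ABB guideline or of RXplore): a check a defender can run over captured FTP control-channel lines on port 21 to confirm that a file transfer client negotiated TLS before sending credentials, and to spot a client that fell back to cleartext when the server refused TLS. It assumes explicit FTPS as defined in RFC 4217 (AUTH TLS answered with reply 234), which the guideline does not specify; the transcripts and the `C:`/`S:` line format are constructed for the example.

```python
"""Classify the cleartext part of an FTP control channel (port 21)."""

CREDENTIAL_CMDS = {"USER", "PASS"}


def audit_control_channel(lines):
    """Return (verdict, detail) for one session.

    lines: 'C: ...' client commands and 'S: ...' server replies as visible
    on the wire. After an accepted AUTH TLS nothing else is readable, so
    the audit only needs the exchange up to that point.
    """
    auth_pending = False   # AUTH sent, reply not seen yet
    auth_refused = False   # server answered AUTH with something other than 234
    for raw in lines:
        side, _, text = raw.partition(":")
        side, text = side.strip().upper(), text.strip()
        if not text:
            continue
        if side == "C":
            verb = text.split()[0].upper()
            if verb == "AUTH":
                auth_pending = True
            elif verb in CREDENTIAL_CMDS:
                if auth_refused:
                    return "downgrade", f"{verb} sent in cleartext after AUTH was refused"
                return "cleartext", f"{verb} sent before TLS was negotiated"
        elif side == "S" and auth_pending:
            auth_pending = False
            if text[:3] == "234":
                return "tls", "AUTH accepted, rest of the session is encrypted"
            auth_refused = True
    return "incomplete", "no credentials and no accepted AUTH observed"


# Constructed transcripts (user name and masked password are placeholders).
SESSION_FTPS = [
    "S: 220 Service ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
]
SESSION_PLAIN = [
    "S: 220 Service ready",
    "C: USER operator",
    "S: 331 Password required",
    "C: PASS ********",
]
SESSION_DOWNGRADE = [
    "S: 220 Service ready",
    "C: AUTH TLS",
    "S: 502 Command not implemented",
    "C: USER operator",
    "S: 331 Password required",
    "C: PASS ********",
]

if __name__ == "__main__":
    for name, session in [("ftps", SESSION_FTPS), ("plain", SESSION_PLAIN),
                          ("downgrade", SESSION_DOWNGRADE)]:
        print(name, audit_control_channel(session))
```

With the Secure Communication parameter activated, every session towards the IED should come back as `tls`; a `cleartext` or `downgrade` verdict points at a client or IED that is not configured as this section describes.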


4 User management

4.1 RXplore user authentication

RXplore mobile application does not have its own user management, but it supports working with IEDs where user authorization is enabled.

In case IED user authorization has been enabled, the RXplore user interface indicates to the user that communicating with the IED requires entering user credentials. If the given username and password were chosen to be used as default credentials, they are persisted in mobile device storage securely so that they can be used when needed.

For IED user authentication, see the IED-specific cyber security deployment guidelines.


5 Configuration of mobile phone

5.1 General security actions

In general, the mobile phone operating system can be protected from malicious attacks by keeping the device operating system up to date, installing latest security updates and by using PIN code protection.

5.2 Operating systems

Table 1: Supported operating systems for RXplore

Operating system    Version
Android             7.0 or newer
iOS                 12 or newer

See the operating system related documentation and best practices to further reduce the attack surface in the operating system.

5.3 OS updates and patch management

The compatibility of RXplore with the latest supported Operating System updates is tested and verified regularly by ABB.

Note: It’s recommended to install latest Operating System updates.

5.4 Virus scanner

RXplore does not create specific requirements for anti-virus software. It is recommended to use organization specific de facto anti-virus software, which has to be configured manually.

5.5 Malware protection

It is recommended to use organization specific de facto malware protection software, which has to be configured manually.


5.6 External storage usage

RXplore supports installation on external storage, e.g. SD card. There might be operating system dependent differences on how installation on external storage needs to be done.

5.7 Firewall, ports and services

RXplore does not have specific firewall requirements. RXplore is a client system from the communication point of view. The firewall has to be configured manually.

Table 2: IP ports used from RXplore to IED

Port number    Type    Description
20, 21         TCP     File Transfer protocol (FTP/FTPS)
102            TCP     IEC 61850
50000          TCP     SWICOM application

Table 3: IP ports used from RXplore to Cloud

Port number    Type    Description
80, 443        TCP     Web Server HTTPS
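Added example (not part of the ABB guideline or of RXplore): since the firewall has to be configured manually, the script below audits flow records for the handset against the destination ports of Tables 2 and 3 and marks everything else for follow-up. The station network range, the handset address and the flow record format are assumptions made for the example, and the sample records are constructed.

```python
"""Audit flow records for the RXplore handset against Tables 2 and 3."""
import ipaddress
from collections import Counter, namedtuple

# Destination TCP ports from Table 2 (to IED) and Table 3 (to cloud).
IED_PORTS = {20: "FTP/FTPS", 21: "FTP/FTPS", 102: "IEC 61850", 50000: "SWICOM"}
CLOUD_PORTS = {80: "web server", 443: "web server"}

# Assumptions for this example: station network range and handset address.
STATION_NET = ipaddress.ip_network("192.0.2.0/24")
HANDSET = ipaddress.ip_address("192.0.2.50")

# Constructed flow records: proto src sport dst dport
SAMPLE_FLOWS = """\
tcp 192.0.2.50 40001 192.0.2.10 21
tcp 192.0.2.50 40002 192.0.2.10 102
tcp 192.0.2.50 40003 192.0.2.10 50000
tcp 192.0.2.50 40004 192.0.2.10 23
udp 192.0.2.50 40005 192.0.2.10 102
tcp 192.0.2.50 40006 198.51.100.7 443
tcp 192.0.2.50 40007 198.51.100.7 8080
tcp 192.0.2.10 20 192.0.2.50 40008
tcp 192.0.2.10 51000 192.0.2.50 4444
"""

Flow = namedtuple("Flow", "proto src sport dst dport")


def parse_flow(line):
    proto, src, sport, dst, dport = line.split()
    return Flow(proto.lower(), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport))


def classify(flow):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'flag'."""
    if flow.src != HANDSET:
        # In active-mode FTP (RFC 959) the server opens the data connection
        # from its port 20, so this inbound flow is reviewed, not flagged.
        if (flow.dst == HANDSET and flow.src in STATION_NET
                and flow.proto == "tcp" and flow.sport == 20):
            return "review", "active-mode FTP data connection from IED"
        return "flag", "connection not initiated by the handset (client only)"
    if flow.proto != "tcp":
        return "flag", "only TCP ports are documented"
    to_ied = flow.dst in STATION_NET
    table, scope = (IED_PORTS, "IED") if to_ied else (CLOUD_PORTS, "cloud")
    if flow.dport in table:
        return "allow", f"{scope}: {table[flow.dport]}"
    return "flag", f"{scope}: TCP {flow.dport} is not in the documented list"


def audit(text):
    """Classify every non-empty record; returns [(flow, verdict, reason)]."""
    flows = map(parse_flow, filter(str.strip, text.splitlines()))
    return [(f, *classify(f)) for f in flows]


def summarize(text):
    return Counter(verdict for _, verdict, _ in audit(text))


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src}:{flow.sport} -> "
              f"{flow.dst}:{flow.dport}/{flow.proto}  {reason}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

FTP data connections in passive mode use a port chosen by the server, so a flagged high-port flow that follows an FTP/FTPS session needs a look at the transfer mode before it is treated as unexpected.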


6 Standard compliance statement

Cyber security issues have been the subject of standardization initiatives by ISA, IEEE or IEC for some time. ABB plays an active role in all these organizations, helping to define and implement cyber security standards for power and industrial control systems.

Some of the cyber security standards which are most important for substation automation, such as IEC 62351 and IEC 62443 (former ISA S99), are still under active development. ABB participates in the development by delegating subject matter experts to the committee working on the respective standard. Since these standards are still under development, ABB strongly recommends using existing common security measures available in the market, for example, VPN for secure Ethernet communication.

Table 4: Overview of cyber security standards

Standard     Main focus                                                                                 Status
NERC CIP     NERC CIP cyber security regulation for North American power utilities                     Released, ongoing (1)
IEC 62351    Data and communications security                                                           Partly released, ongoing
IEEE 1686    IEEE standard for substation intelligent electronic devices (IEDs) cyber security capabilities    Finalized

ABB has identified cyber security as a key requirement and has developed a large number of product features to support the international cyber security standards such as NERC CIP, IEEE 1686, as well as local activities like the German BDEW white paper.

(1) Ongoing: major changes will affect the final solution


7 Glossary

BDEW               Bundesverband der Energie- und Wasserwirtschaft
DNP3               A distributed network protocol originally developed by Westronic. The DNP3 Users Group has the ownership of the protocol and assumes responsibility for its evolution.
ETHERNET           A standard for connecting a family of frame-based computer networking technologies into a LAN
FTP                File Transfer Protocol
FTPS               FTP Secure
IDS                Intrusion Detection System
IEC                International Electrotechnical Commission
IEC 60870-5-104    Network access for IEC 60870-5-101
IEC 61850          International standard for substation communication and modeling
IED                Intelligent Electronic Device
IEEE               Institute of Electrical and Electronics Engineers, Inc.
IEEE 1686          Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
IP                 Internet protocol
ISO                International Standard Organization
LAN                Local area network
NERC CIP           North American Electric Reliability Corporation - Critical Infrastructure Protection
SD                 Secure Digital
TCP/IP             Transmission Control Protocol/Internet Protocol
UAC                User Account Control
VPN                Virtual Private Network
WHMI               Web human-machine interface


© Copyright 2020 ABB. All rights reserved.

Specifications subject to change without notice.

Document ID 2NGA000487

ABB Distribution Solutions
Distribution Automation
P.O. Box 699
FI-65101 VAASA, Finland
Phone +358 10 22 11
Fax +358 10 22 41094
www.abb.com/mediumvoltage