ABB COM600 series 5.0 Cyber Security Deployment Manualline

Also see for COM600 series 5.0: Technical reference manual Technical reference manual

ABB COM600 series 5.0 Cyber Security Deployment Manualline Manual pdf 11 page image

• COM600F is a dedicated distribution automation controller unit that runs dis-tributed grid and feeder applications for ANSI power networks and inherits allcore features of the COM600 series.Overview2.3.This document outlines key information needed to secure and harden COM600 whencommissioned in a substation. This document is intended for system administrators,network security personnel and automation engineers/experts, involved in commissioninga COM600 in a substation or in an industrial environment. The reader is expected tohave general familiarity with:• PCs, servers, and Windows operating system• networking including TCP/IP and the concepts of ports and services• Windows Audit policies• firewalls• anti-virus• remote and secure communication• Windows updates.The COM600 commissioned within a substation communicates with downstream andupstream devices for its functioning. The downstream devices represent devices that arelocal to substation typically located along with COM600, and include devices like pro-tection relays, RTUs and Remote I/O units. The upstream devices represent devices thatare remote to substation and not physically present in the same location with COM600.The upstream devices include devices like SCADA servers and WSUS servers locatedat the Network Control Center/ Utility Control Center. Figure 2.3-1 shows a typicalnetwork setup when using COM600.These downstream and upstream devices can be connected to COM600 through twodifferent LANs, allowing a further separation/isolation of resources. COM600 has twoEthernet adapters which are pre-configured, to be identified as Local and Remote Ethernetadapters. Through Local Ethernet adapter in COM600, downstream devices can beconnected to it through a Local LAN and through Remote adapter in COM600, upstreamdevices can be connected to it through a Remote LAN. Also different firewall policycan be enforced for each of the LANs, allowing more stringent connection rules toentities outside of the substation.Windows Server Update Services (WSUS) is an infrastructure that allows softwareupdates from Microsoft to be distributed to COM600. These updates include OS relatedcritical/security patches for COM600. Typical WSUS would include at a minimum oneWindows 2012 server machine capable of connecting to Microsoft Update Server throughInternet. It is important to isolate the WSUS server from other network resources throughmultiple LANs and firewall rules. The WSUS server should be managed by a Systemadministrator who approves/rejects, available updates for installation. After approval,the update installation process in COM600 can be configured to proceed automatically.11COM600 series 5.01MRS758267Cyber Security Deployment Guideline