889 GENERATOR PROTECTION SYSTEM – INSTRUCTION MANUAL
CHAPTER 1: INTRODUCTION

Security Overview

The following security features are available:

BASIC SECURITY
The basic security feature is present in the default offering of the 889 relay. The 889 introduces the notion of roles for different levels of authority. Roles are used as login names, with their associated passwords stored on the device. The following roles are available at present: Administrator, Operator, Factory and Observer, each with a fixed permission structure. Note that the Factory role is not available to users; it is used strictly in the manufacturing process.

The 889 can still use the Setpoint access switch feature, but only an Administrator can enable it. Setpoint access is controlled by a keyed switch, which offers only a minimal notion of security.

CYBERSENTRY
The CyberSentry Embedded Security feature is a software option that provides advanced security services. When the software option is purchased, Basic Security is automatically disabled.

CyberSentry provides security through the following features:
• An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In User Service (RADIUS) client that is centrally managed, enables user attribution (actions are tied to individual user accounts rather than to a shared role login), and uses secure, standards-based cryptography for authentication and credential protection.
• A Role-Based Access Control (RBAC) system that provides a permission model allowing access to 889 device operations and configurations based on specific roles and individual user accounts configured on the AAA server. At present the defined roles are: Administrator, Operator and Observer.
• Strong encryption of all access and configuration network messages between the EnerVista software and 889 devices using the Secure Shell (SSH) protocol with the Advanced Encryption Standard (AES) using 128-bit keys in Galois/Counter Mode (GCM), as specified in the U.S. National Security Agency Suite B extension for SSH (RFC 6239) and approved under the National Institute of Standards and Technology (NIST) FIPS 140-2 standard for cryptographic modules.
• Security event reporting through the Syslog protocol, for Security Information and Event Management (SIEM) systems that provide centralized cyber security monitoring.

There are two types of authentication supported by CyberSentry that can be used to access the 889 device:
• Device Authentication – the authentication is performed on the 889 device itself, using the predefined roles as users (no RADIUS involvement).
  – 889 authentication using local roles may be done either from the front panel or through EnerVista.
• Server Authentication – the authentication is done on a RADIUS server, using individual user accounts defined on the server. When the user accounts are created, each is assigned to one of the predefined roles recognized by the 889.
  – 889 authentication using a RADIUS server may be done only through EnerVista.

FASTPATH: WiFi and USB do not currently support CyberSentry security. For this reason WiFi is disabled by default if the CyberSentry option is purchased. The user can enable WiFi, but be aware that doing so violates the security and compliance model that CyberSentry is supposed to provide.
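The Server Authentication exchange described above, as an added example that is not the 889's or EnerVista's own code: both the RADIUS client (the relay side) and the RADIUS server run in one Python process so the Access-Request / Access-Accept exchange of RFC 2865 and RFC 2869 can be followed offline. The shared secret, the user accounts and the use of Reply-Message (attribute 18) to carry the assigned 889 role are constructed assumptions; the attribute the relay actually reads is not stated on this page and must be taken from the vendor's RADIUS configuration documentation.

```python
import hashlib
import hmac
import os
import struct

# Added illustration, not 889/EnerVista code. The secret, the accounts and the
# attribute used to carry the role are constructed assumptions for this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
ATTR_ROLE = 18  # Reply-Message as a stand-in; the 889's real role attribute is not given here
SHARED_SECRET = b"example-shared-secret-change-me"
USER_DB = {"alice": ("Winter2024!", "Administrator"),  # user -> (password, 889 role)
           "bob": ("ops-pass", "Operator")}


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(packet):
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def add_message_authenticator(packet, secret):
    """RFC 2869 s5.14: HMAC-MD5 over the whole packet with the attribute value zeroed."""
    pkt = (packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:]
           + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    i = 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False  # absent: treat the request as unauthenticated


def client_access_request(ident, username, password, secret):
    """Relay/EnerVista side: Access-Request with hidden password and HMAC."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return add_message_authenticator(pkt, secret), req_auth


def server_handle(packet, secret):
    """RADIUS server side: verify, look up the account, reply with the 889 role."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    if code != ACCESS_REQUEST or length != len(packet) or not verify_message_authenticator(packet, secret):
        return None  # silently discarded (RFC 2865 s3)
    attrs = dict(parse_attrs(packet))
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry = USER_DB.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    if entry and hmac.compare_digest(given, entry[0].encode()):
        code, reply = ACCESS_ACCEPT, [(ATTR_ROLE, entry[1].encode())]
    else:
        code, reply = ACCESS_REJECT, []
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in reply)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body


def client_check_response(resp, req_auth, secret):
    """Client side: drop forged replies, then read the assigned role."""
    hdr, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    if not hmac.compare_digest(hashlib.md5(hdr + req_auth + body + secret).digest(), resp_auth):
        raise ValueError("bad Response Authenticator: reply not from our server")
    role = dict(parse_attrs(resp)).get(ATTR_ROLE, b"").decode() or None
    return resp[0] == ACCESS_ACCEPT, role


def authenticate(username, password, secret=SHARED_SECRET):
    """Run the whole exchange in-process; returns (accepted, role)."""
    request, req_auth = client_access_request(7, username, password, secret)
    response = server_handle(request, secret)
    return (False, None) if response is None else client_check_response(response, req_auth, secret)
```

Two points the exchange makes visible. RADIUS User-Password hiding is an MD5 keystream keyed only by the shared secret, so whoever learns that secret can recover every password that crosses the link; the strength and handling of the shared secret, and the protection of the RADIUS path itself, matter as much as the account passwords. The Message-Authenticator check is what lets the server drop a tampered or forged request, and the Response Authenticator check is what lets the relay drop a forged Access-Accept that tries to hand a user the Administrator role.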