5-16 C60 BREAKER PROTECTION SYSTEM – INSTRUCTION MANUALPRODUCT SETUP CHAPTER 5: SETTINGS5Figure 5-2: Login screen for CyberSentryWhen the "Server" Authentication Type is selected, the C60 uses the RADIUS server and not its local authenticationdatabase to authenticate the user.When the "Device" button is selected, the C60 uses its local authentication database and not the RADIUS server toauthenticate the user. In this case, it uses built-in roles (Administrator, Engineer, Supervisor, Operator, Observer, orAdministrator and Supervisor when Device Authentication is disabled), as login accounts and the associated passwordsare stored on the C60 device. In this case, access is not user-attributable. In cases where user-attributable access isrequired, especially for auditable processes for compliance reasons, use server authentication (RADIUS) only.No password or security information is displayed in plain text by the EnerVista software or the UR device, nor are they evertransmitted without cryptographic protection.When CyberSentry is enabled, Modbus communications over Ethernet is encrypted, which is not always tolerated bySCADA systems. The UR has a bypass access feature for such situations, which allows unencrypted Modbus over Ethernet.The Bypass Access setting is available on the SETTINGS PRODUCT SETUP SECURITY SUPERVISORY screen. Note thatother protocols (DNP, 101, 103, 104, EGD) are not encrypted, and they are good communications options for SCADAsystems when CyberSentry is enabled.CyberSentry settings through EnerVistaCyberSentry security settings are configured under Device > Settings > Product Setup > Security.Only (TCP/UDP) ports and services that are needed for device configuration and for customer enabled features areopen. All the other ports are closed. For example, Modbus is on by default, so its TCP port 502, is open. But ifModbus is disabled, port 502 is closed. This function has been tested and no unused ports have been found open.
