5-16 C70 CAPACITOR BANK PROTECTION AND CONTROL SYSTEM – INSTRUCTION MANUALPRODUCT SETUP CHAPTER 5: SETTINGS5Figure 5-2: Login screen for CyberSentryWhen the "Server" Authentication Type is selected, the C70 uses the RADIUS server and not its local authenticationdatabase to authenticate the user.When the "Device" button is selected, the C70 uses its local authentication database and not the RADIUS server toauthenticate the user. In this case, it uses built-in roles (Administrator, Engineer, Supervisor, Operator, Observer), as loginaccounts and the associated passwords are stored on the C70 device. In this case, access is not user-attributable. In caseswhere user-attributable access is required, especially for auditable processes for compliance reasons, use serverauthentication (RADIUS) only.No password or security information is displayed in plain text by the EnerVista software or the UR device, nor are they evertransmitted without cryptographic protection.When CyberSentry is enabled, Modbus communications over Ethernet is encrypted, which is not always tolerated bySCADA systems. The UR has a bypass access feature for such situations, which allows unencrypted Modbus over Ethernet.This "Bypass Access" setting is available on the SETTINGS PRODUCT SETUP SECURITY SUPERVISORY screen. Note thatother protocols (DNP, 101, 103, 104, EGD) are not encrypted, and they are good communications options for SCADAsystems when CyberSentry is enabled.CyberSentry settings through EnerVistaCyberSentry security settings are configured under Device > Settings > Product Setup > Security.NOTEOnly (TCP/UDP) ports and services that are needed for device configuration and for customer enabled featuresare open. All the other ports are closed. For example, Modbus is on by default, so its TCP port 502, is open. But ifModbus is disabled, port 502 is closed. This function has been tested and no unused ports have been foundopen.
