GE D30 Instruction Manual

Also see for D30 series: Communications manual Communications guide Instruction manual Instruction manual Instruction manual

Contents

2-4 D30 LINE DISTANCE PROTECTION SYSTEM – INSTRUCTION MANUALSECURITY CHAPTER 2: PRODUCT DESCRIPTION22.2.0.1 EnerVista securityThe EnerVista security management system is a role-based access control (RBAC) system that allows an administrator tomanage the privileges of multiple users. This allows for access control of UR devices by multiple personnel within asubstation and conforms to the principles of RBAC as defined in ANSI INCITS 359-2004. The EnerVista securitymanagement system is disabled by default to allow the administrator direct access to the EnerVista software afterinstallation. It is recommended that security be enabled before placing the device in service.Basic password or enhanced CyberSentry security applies, depending on purchase.2.2.0.2 Password securityPassword security is a basic security feature present by default.Two levels of password security are provided: command and setting. Use of a password for each level controls whetherusers can enter commands and/or change settings.The D30 supports password entry from a local or remote connection. Local access is defined as any access to settings orcommands via the faceplate interface. This includes both keypad entry and the through the faceplate RS232 port. Remoteaccess is defined as any access to settings or commands via any rear communications port. This includes both Ethernetand RS485 connections. Any changes to the local or remote passwords enables this functionality.When entering a settings or command password via EnerVista or any serial interface, the user must enter thecorresponding connection password. If the connection is to the back of the D30, the remote password must be used. If theconnection is to the RS232 port of the faceplate, the local password applies.Password access events are logged in the Event Recorder.2.2.0.3 CyberSentry securityCyberSentry embedded security is a software option that provides advanced security services. When this option ispurchased, the basic password security is disabled automatically.CyberSentry provides security through the following features:• An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In User Service (RADIUS) client that iscentrally managed, enables user attribution, provides accounting of all user activities, and uses secure standards-based strong cryptography for authentication and credential protection• A Role-Based Access Control (RBAC) system that provides a permission model that allows access to UR deviceoperations and configurations based on specific roles and individual user accounts configured on the AAA server (thatis, Administrator, Supervisor, Engineer, Operator, Observer roles)• Security event reporting through the Syslog protocol for supporting Security Information Event Management (SIEM)systems for centralized cybersecurity monitoring• Strong encryption of all access and configuration network messages between the EnerVista software and UR devicesusing the Secure Shell (SSH) protocol, the Advanced Encryption Standard (AES), and 128-bit keys in Galois CounterMode (GCM) as specified in the U.S. National Security Agency Suite B extension for SSH and approved by the NationalInstitute of Standards and Technology (NIST) FIPS-140-2 standards for cryptographic systemsExample: Administrative functions can be segmented away from common operator functions, or engineering type access,all of which are defined by separate roles (see figure) so that access of UR devices by multiple personnel within asubstation is allowed. Permissions for each role are outlined in the next section.