1–6 869 MOTOR PROTECTION SYSTEM – INSTRUCTION MANUAL
SECURITY OVERVIEW CHAPTER 1: INTRODUCTION
Security Overview
The following security features are available:
BASIC SECURITY
The basic security feature is present in the default offering of the 869 relay. The
869 introduces the notion of roles for different lev
els of authority. Roles are used as login
names with associated passwords stored on the device. The following roles are available
at present: Administrator, Operator, Factory and Observer, with a fixed permission
structure for each one. Note that the Factory role is not available for users, but strictly used
in the manufacturing process.
The 869 can still use the Setpoint access switch feat
ure, but enabling the feature can be
done only by an Administrator. Setpoint access is controlled by a keyed switch to offer
some minimal notion of security.
CYBERSENTRY
The CyberSentry Embedded Security feature is a software option that provides advanced
security ser
vices. When the software option is purchased, the Basic Security is
automatically disabled.
CyberSentry provides security through the following features:
• An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In
User Ser
vice (RADIUS) client that is centrally managed, enables user attribution, and
uses secure standards based strong cryptography for authentication and credential
protection.
• A Role-Based Access Control (RBAC) system that provides a permission model that
all
ows access to 869 device operations and configurations based on specific roles
and ind
ividual user accounts configured on the AAA server. At present the defined
roles are: Administrator, Operator and Observer.
• Strong encryption of all access and configuration network messages between the
EnerV
ista software and 869 devices using the Secure Shell (SSH) protocol, the
Ad
vanced Encryption Standard (AES), and 128-bit keys in Galois Counter Mode (GCM)
as specified in the U.S. National Security Agency Suite B extension for SSH and
approved by the National Institute of Standards and Technology (NIST) FIPS-140-2
standards for cryptographic systems.
• Security event reporting through the Syslog protocol for supporting Security
Informa
tion Event Management (SIEM) systems for centralized cyber security
monitoring.
There are two types of authentication supported by CyberSentry that can be used to
acc
ess the 869 device:
• Device Authentication – in which case the authentication is performed on the
869 device itself, using the predefined roles as users (No RADIUS involvement).
– 869 authentication using local roles may be done either from the front panel or
thr
ough EnerVista.
• Server Authentication - in which case the authentication is done on a RADIUS server,
using
individual user accounts defined on the server. When the user accounts are
created, they are assigned to one of the predefined roles recognized by the 869
– 869 authentication using RADIUS server may be done only through EnerVista.
FAST PATH:
WiFi and USB do not currently support CyberSentry security. For this reason WiFi is
disabled by default if the CyberSentry option is purchased. The user can enable WiFi, but
be aware that doing so violates the security and compliance model that CyberSentry is
supposed to provide.
To Next Page
Loading...
Need help?
General
