cyber security deployment guideline · 2018-06-12 · to iso9001 and cmmi. 1mrk 511 315-uen a...

Relion® Protection and Control

670 series 1.2Cyber Security Deployment Guideline

Document ID: 1MRK 511 315-UENIssued: October 2015

Revision: AProduct version: 1.2

© Copyright 2013 ABB. All rights reserved

Copyright

This document and parts thereof must not be reproduced or copied without writtenpermission from ABB, and the contents thereof must not be imparted to a third party,nor used for any unauthorized purpose.

The software and hardware described in this document is furnished under a license andmay be used or disclosed only in accordance with the terms of such license.

This product includes software developed by the OpenSSL Project for use in theOpenSSL Toolkit. (http://www.openssl.org/)

This product includes cryptographic software written/developed by: Eric Young([email protected]) and Tim Hudson ([email protected]).

TrademarksABB and Relion are registered trademarks of the ABB Group. All other brand orproduct names mentioned in this document may be trademarks or registeredtrademarks of their respective holders.

WarrantyPlease inquire about the terms of warranty from your nearest ABB representative.

Disclaimer

The data, examples and diagrams in this manual are included solely for the concept orproduct description and are not to be deemed as a statement of guaranteed properties.All persons responsible for applying the equipment addressed in this manual mustsatisfy themselves that each intended application is suitable and acceptable, includingthat any applicable safety or other operational requirements are complied with. Inparticular, any risks in applications where a system failure and/or product failurewould create a risk for harm to property or persons (including but not limited topersonal injuries or death) shall be the sole responsibility of the person or entityapplying the equipment, and those so responsible are hereby requested to ensure thatall measures are taken to exclude or mitigate such risks.

This document has been carefully checked by ABB but deviations cannot becompletely ruled out. In case any errors are detected, the reader is kindly requested tonotify the manufacturer. Other than under explicit contractual commitments, in noevent shall ABB be responsible or liable for any loss or damage resulting from the useof this manual or the application of the equipment.

Conformity

This product complies with the directive of the Council of the European Communitieson the approximation of the laws of the Member States relating to electromagneticcompatibility (EMC Directive 2004/108/EC) and concerning electrical equipment foruse within specified voltage limits (Low-voltage directive 2006/95/EC). Thisconformity is the result of tests conducted by ABB in accordance with the productstandards EN 50263 and EN 60255-26 for the EMC directive, and with the productstandards EN 60255-1 and EN 60255-27 for the low voltage directive. The product isdesigned in accordance with the international standards of the IEC 60255 series.

Table of contents

Section 1 Introduction.......................................................................3This manual........................................................................................ 3Revision notes.................................................................................... 3Related documents.............................................................................3

Section 2 IEEE1686 compliance......................................................5

Section 3 IP ports.............................................................................9

Section 4 Managing user categories and accounts ...................... 11Authorization.....................................................................................11IED User management..................................................................... 12

Starting IED user management................................................... 12General settings.......................................................................... 13User profile management............................................................ 13

Adding new users...................................................................14Adding users to new user roles.............................................. 17Deleting existing users........................................................... 18Changing password................................................................20

User role management................................................................22Adding new users to roles...................................................... 23Deleting existing User from user roles................................... 23

Verifying IED user authentication................................................ 24Writing user management settings to the IED.............................24Reading user management settings from the IED.......................25Saving user management settings.............................................. 25

Local HMI use...................................................................................25Logging on...................................................................................26Logging off...................................................................................27Saving settings............................................................................ 28Recovering password..................................................................29

Section 5 Glossary......................................................................... 33

Table of contents

670 series 1.2 1Cyber Security Deployment Guideline

Section 1 Introduction

1.1 This manual

Cyber Security Deployment Guidelines describes password procedures and levels ofaccess in the system.

1.2 Revision notes

Revision Description- First issue for 670 series version 1.2.

1.3 Related documents

Connection and Installation components 1MRK 513 003-BEN

Test system, COMBITEST 1MRK 512 001-BEN

Accessories for 670 series IEDs 1MRK 514 012-BEN

670 series SPA and signal list 1MRK 500 092-WEN

IEC 61850 Data objects list for 670 series 1MRK 500 091-WEN

Engineering manual 670 series 1MRK 511 240-UEN

Communication set-up for Relion 670 series 1MRK 505 260-UEN

More information can be found on www.abb.com/substationautomation.

1MRK 511 315-UEN A Section 1Introduction


HTTP://WWW.ABB.COM/SUBSTATIONAUTOMATION

Section 2 IEEE1686 compliance

Table 1: IEEE1686 compliance

Clause Title Status Comment5 IED cyber security

featuresAcknowledge

5.1 Electronic accesscontrol

Comply Access is protected for local accessthrough control panel. Access isprotected for local access through acommunication /diagnostic port.Access is protected for remote accessthrough a communication media

5.1.1 Password defeatmechanisms

Exception By using the maintenence menu

5.1.2 Number of individualID/passwordssupported

Comply 20 unique ID/password combinationsare supported

5.1.3 Passwordconstruction

Exception The minimum enforced passwordlength is 0. Use of mix of lower andUPPERCASE characters issupported. Use of numerical values issupported. Use of non-alphanumeric(e.g. @, #, %, &, *) characters issupported

5.1.4 Authorization levelsby password

Exception

5.1.4.1 View data Comply View data feature is accessiblethrough individual user accounts

5.1.4.2 View configurationsettings

Comply View configuration settings feature isaccessible through individual useraccounts

5.1.4.3 Force values Comply Force value feature is accessiblethrough individual user accounts

5.1.4.4 Configuration change Comply Configuration feature is accessiblethrough individual user accounts

5.1.4.5 Firmware change Comply Firmware change feature isaccessible through individual useraccounts

5.1.4.6 ID/passwordmanagement

Comply User account (ID / password)management feature is accessiblethrough individual user accounts.

5.1.4.7 Audit log Exception Audit log view / download feature isnot available

5.1.5 Password display Comply

5.1.6 Access time-out Exception A time-out feature exists. The timeperiod is configurable by the user.

5.2 Audit trail Comply No Audit trail is avaiable

5.2.1 Storage capability Exception

Table continues on next page

1MRK 511 315-UEN A Section 2IEEE1686 compliance


Clause Title Status Comment5.2.2 Storage record Exception

5.2.2.1 Event record number Exception

5.2.2.2 Time and date Exception

5.2.2.3 User ID Exception

5.2.2.4 Event type Exception

5.2.3 Audit trail event types Exception

5.2.3.1 Login Exception

5.2.3.2 Manual logout Exception

5.2.3.3 Timed logout Exception

5.2.3.4 Value forcing Exception

5.2.3.5 Configuration access Exception

5.2.3.6 Configuration change Exception

5.2.3.7 Firmware change Exception

5.2.3.8 ID/password creationor modification

Exception

5.2.3.9 ID/password selection Exception

5.2.3.10 Audit-log access Exception

5.2.3.11 Time/date change Exception

5.2.3.12 Alarm incident Exception

5.3 Supervisorymonitoring and control

Exception

5.3.1 Events Exception Automated time changes and read ofconfiguration are not reported;otherwise compliance

5.3.2 Alarms Exception

5.3.2.1 Unsuccessful loginattempt

Exception

5.3.2.2 Reboot Exception

5.3.2.3 Attempted use ofunauthorizedconfiguration software

Exception Not supported

5.3.2.4 Alarm point changedetect

Exception

5.3.4 Event and alarmgrouping


5.3.5 Supervisorypermissive control


5.4 Configurationsoftware

Acknowledge

5.4.1 Authentication Exception Configuration download is handled byauthentication

5.4.2 ID/password control Comply

5.4.3 ID/password-controlled features

Comply

Table continues on next page

Section 2 1MRK 511 315-UEN AIEEE1686 compliance

6 670 series 1.2Cyber Security Deployment Guideline

Clause Title Status Comment5.4.3.1 View configuration

dataComply

5.4.3.2 Change configurationdata

Comply

5.4.3.3 Full access Comply

5.5 Communications portaccess

Comply

5.6 Firmware qualityassurance

Exception Quality control is handled accordingto ISO9001 and CMMI.

1MRK 511 315-UEN A Section 2IEEE1686 compliance


Section 3 IP ports

The IP port security guideline cannot suggest concrete products for a secure systemsetup. This must be decided within the specific project, requirements and existinginfrastructure. The required external equipment can be separate devices or devicesthat combine firewall, router and secure VPN functionality.

To set up an IP firewall the following table summarizes the IP ports used in the 670series. The ports are listed in ascending order. The column “Default state” defineswhether a port is open or closed by default. All ports that are closed can be opened asdescribed in the comment column in the table. Front and Rear refer to the physicalfront and rear port. The protocol availability on these ports is configurable.

ABB recommends using common security measures, like firewalls, up to date antivirus software and so on, to protect the IED and the equipment around it.

Table 2: Available IP ports

Port Protocol Defaultstate

Front Rear Service Comment

21 TCP open OFF OFF FTP (clear textpassword)

File transfer protocol

102 TCP open OFF ON IEC 61850 MMS communication

123 UDP closed OFF OFF SNTP Enabled when IED isconfigured as SNTPmaster.1)

7001 TCP open OFF OFF FST SPA protocol on TCP/IPused by FST (FieldService Tool)

20 000 TCP closed OFF ON DNP3 DNP3.0 DNPcommunication only

20 000 UDP closed OFF ON DNP3 DNP3.0 DNPcommunication only

1) When the IED is configured as a SNTP client it will use the first ephemeral port available. The range ofephemeral ports is 1024 to 5000.

The 670 series supports two Ethernet communication protocols, which are IEC 61850and DNP3.0. These communication protocols are enabled by configuration. Thismeans that the IP port is closed and unavailable if the configuration of the 670 seriesdoes not contain a communication line of the protocol. If a protocol is configured, thecorresponding IP port is open all the time.

See the 670 series technical manual and the corresponding protocoldocumentation on how to configure a certain communication protocolfor the 670 series.

1MRK 511 315-UEN A Section 3IP ports


There are some restrictions and dependencies:

• The IP port used for IEC 61850 (default TCP port 102) is fixed and cannot bechanged.

• The IP ports used for DNP3 are configurable. The communication protocolDNP3 could operate on UDP (default port 20 000) or TCP (default port 20 000).It is defined in the configuration which type of Ethernet communication is used.Only one type is possible at a time.

• The IP port used for FTP (default TCP port 21) can be changed in the IED ifneeded by a 3rd party FTP client.

If the FTP port is changed PCM600 cannot be used since it is notpossible to configure it to use other IP-ports than port 21 for FTP.

Two ports are used by PCM600. For configuration and settings, the IP port for SPA(TCP port 7001) and FTP (TCP port 21) are used and can not be changed. For Fieldservice tool, the IP port for a proprietary SPA protocol is used (TCP port 7001) and theport is fixed and cannot be changed.

IP routing is not possible via any of the physical interfaces.

IEC13000067-1-en.vsd

IEC13000067 V1 EN

Figure 1: Ethernet port used for PCM600 only, front view

Section 3 1MRK 511 315-UEN AIP ports


Section 4 Managing user categories and accounts

4.1 Authorization

User roles with different user rights are predefined in the IED. It is recommended touse user defined users instead of the predefined built-in users.

The IED users can be created, deleted and edited only with PCM600. One user canbelong to one or several user roles. By default, the users in Table 3 are created in theIED, and when creating new users, the predefined roles from Table 4 can be used.

At delivery, the IED has a default user defined with full access rights. PCM600 usesthis default user to access the IED. This user is automatically removed in IED whenusers are defined via the IED Users tool in PCM600.

Default User ID: Administrator

Password: Administrator

At delivery, the IED user has full access as SuperUser until users arecreated with PCM600.

Table 3: Default users

User name User rightsSuperUser Full rights, only presented in LHMI. LHMI is logged on by default until other users

are defined

Guest Only read rights, only presented in LHMI. LHMI is logged on by default when otherusers are defined (same as VIEWER)

Administrator Full rights. Password: Administrator. This user has to be used when reading outdisturbances with third party FTP-client.

Table 4: Predefined user categories

User category User rightsSystemOperator Control from LHMI, no bypass

ProtectionEngineer All settings

DesignEngineer Application configuration

UserAdministrator User and password administration

SuperUser Full rights, only presented in LHMI. LHMI is default logged on until otherusers are defined.

Guest Only read rights, only presented in LHMI. LHMI is default logged onwhen other users are defined.

1MRK 511 315-UEN A Section 4Managing user categories and accounts


All changes in user management settings will cause an IED reboot.

There are different levels (or roles) of users that can access or operate different areasof the IED and tools functionality. The predefined user roles are given in table below.

The meaning of the legends used in the table:

• R= Read• W= Write• - = No access rights

The IED users can be created, deleted and edited only with the User Management Tool(UMT) within PCM600. The user can only Logon or Logoff on the local HMI on theIED, there are no users, groups or functions that can be defined on local HMI.

At delivery, the IED has a default user defined with full access rights. PCM600 usethis default user to access the IED. This user will automatically be removed in IEDwhen users are defined via User Management Tool (UMT) in PCM600.

4.2 IED User management

The IED Users tool in PCM600 is used for editing user profiles and role assignments.

In the IED Users tool, the data can be retrieved from an IED or data can be written toan IED if permitted. The data from an IED can be saved to the project database.

Always use Read User Management Settings from IED beforemaking any changes when managing user profiles. If this is not donepassword changes made by users may be lost!

Nothing is changed in the IED until a “writing-to-IED operation” isperformed.

4.2.1 Starting IED user management

• Connect the PC to the IED• Start PCM600• Select an IED in the object tree.• Select Tools/IED Users or,• Right-click an IED in the object tree and select IED Users from the shortcut

menu.The IED User Management window appears.

Section 4 1MRK 511 315-UEN AManaging user categories and accounts


4.2.2 General settings

In the General tab, by clicking Restore factory settings the default users can berestored in the IED Users tool. For the 670 series this means reverting back to thefactory delivered users. Performing this operation does not remove the users in theIED. Nothing is changed in the IED until a “writing-to-IED operation” is performed.

This is not the same action as Revert to IED defaults in the recoverymenu.

The previous administrator user ID and password have to be given so that the writingtoward the IED can be done.

Editing can be continued by clicking on Restore factory settings when not connectedto the IED.


IEC13000068 V1 EN

Figure 2: General tab

4.2.3 User profile management

In the User Management tab, the user profiles of the selected IED can be edited. Newusers can be created, existing users can be deleted and different user group memberscan be edited.

A user profile must always belong to at least one user group.




IEC13000069 V1 EN

Figure 3: Create new user

4.2.3.1 Adding new users

1. Click in the Users tab to open the wizard.




IEC12000200 V1 EN

Figure 4: Create new user

2. Follow the instructions in the wizard to define a user name, password and usergroup. Select at least one user group where the defined user belongs. The userprofile can be seen in the User details field.




IEC13000078 V1 EN

Figure 5: Select user groups

3. Select the user from the user list and type a new name or description in theDescription/full name field to change the name or description of the user.




IEC13000071 V1 EN

Figure 6: Enter description

4.2.3.2 Adding users to new user roles

1. Select the user from the Users list.2. Select the new role from the Select a role list.3. Click .

Information about the roles to which the user belongs to can be seen in the Userdetails area.




IEC13000070 V1 EN

Figure 7: Adding user

4.2.3.3 Deleting existing users

1. Select the user from the Users list.




IEC13000072 V1 EN

Figure 8: Select user to be deleted

2. Click .




IEC13000073 V1 EN

Figure 9: Delete existing user

4.2.3.4 Changing password

1. Select the user from the Users list.




IEC13000074 V1 EN

Figure 10: Select user

2. Click .3. Type the old password once and the new password twice in the required

fields.The passwords can be saved in the project database or sent directly to the IED.

No passwords are stored in clear text within the IED. A hashrepresentation of the passwords is stored in the IED and it is notaccessible from outside via any ports.




IEC13000076 V1 EN

Figure 11: Change password

4.2.4 User role management

In the Roles tab, the user roles can be modified. The user's memberships to specificroles can be modified with a list of available user roles and users.




IEC13000075 V1 EN

Figure 12: Editing users

4.2.4.1 Adding new users to roles

1. Select the required role from the Roles list.The role profile can be seen under the Role details field.

2. Select the new user from the Select a user list.3. Click to assign a user this role.

The new user is shown in the Users assigned list.

4.2.4.2 Deleting existing User from user roles

1. Right-click the user in the Users assigned list.2. Select Remove this Role from Selected Member.




IEC13000077 V1 EN

Figure 13: Remove Role from User

4.2.5 Verifying IED user authentication

Some of the IEDs or the protocols require a password to transmit the data between anIED and PCM600. Depending on whether the full user management control issupported or not, the software requests for either a user name and password or only apassword.

If PCM600 authentication is used, the user name and password should be specified inthe User Management window. The software can remember the password if theRemember Me check box is selected. Otherwise, the Login window appears everytime when data transmission is needed.

4.2.6 Writing user management settings to the IED

• Click the Write User Management Settings to IED button on the toolbar.




IEC13000079 V1 EN

Figure 14: Write to IED

The data is saved when writing to the IED starts.

4.2.7 Reading user management settings from the IED

• Click the Read from the IED button on the toolbar.

4.2.8 Saving user management settings

• Select File/Save from the menu.• Click the Save toolbar button.

The save function is enabled only if the data has changed.

4.3 Local HMI use

At delivery, logging on is not required and the user has full access until users andpasswords are created with PCM600 and written into the IED. The LHMI is logged onas SuperUser by default until other users are defined.

Commands, changing parameter values and resetting indications, for example, areactions requiring password when the password protection is activated. Readinginformation on the LHMI is always allowed without password. The LHMI is loggedon as Guest by default when other users are defined.

Utility security policies and practical consideration should always betaken on the feasibility of using passwords. In emergency situations,



the use of passwords could delay urgent actions. When security issuesmust be met, the two factors must be seriously considered.

The auxiliary power supply to the IED must not be switched off beforechanges such as passwords, setting parameter or local/remote controlstate changes are saved.

4.3.1 Logging on

1. Select REx670/Authorization/Log on.The log on is also activated when attempting a password-protected operation.

2. Select the user name from the list.Press to confirm the selected user name.

3. Enter the password when prompted digit by digit and click OK.

• Activate the digit to be entered with and .• Enter the character with and .

Upper and lower case letters are also found by scrolling with the vertical arrows.

GUID-F5A224FA-FC21-4975-814B-CBA725F7110D V1 EN

Figure 15: Entering the password



Passwords are case sensitive.

4. Press to confirm the log on or press to cancel the procedure.If the log on fails, the Log on window opens again. The Log on window remainsopen until the log on succeeds or till the user presses .

The Log on window will open if the attempted operation requiresanother level of user rights.

Once a user is created and written into the IED, log on is possible withthe password assigned in the tool. If there is no user created, an attemptto log on causes the display to show a corresponding message.

GUID-73DAA7C2-778D-4A06-AE9A-C91A12389442 V1 EN

Figure 16: No user defined

4.3.2 Logging off

The user is automatically logged off after the display timeout. The IED returns to astate where only reading is enabled. Manual log off is also possible.



1. Select REx670/Authorization/Log off.2. To confirm log off, select Yes and press .

GUID-D2769FFE-E788-40CF-9E98-7B30AA6FB38C V1 EN

Figure 17: Logging off

• To cancel log off, press .

4.3.3 Saving settings

Editable values are stored in the non-volatile flash memory. Most of the parameterchanges take effect immediately after storing, but some parameter changes requireapplication restart. Values stored in the flash memory remain in effect after reboot aswell.

1. Press to confirm any changes.2. Press to move upwards in the menu tree or to enter the Main menu.3. To save the changes in non-volatile memory, select Yes and press .



GUID-6A5487FB-4937-4708-A749-3501B829FBD3 V1 EN

Figure 18: Confirming and saving settings

• To exit without saving changes, select No and press .• To cancel saving settings, select Cancel and press .

Pressing Cancel in the Save changes dialog closes only the Savechanges dialog box, but the IED remains in editing mode. All thechanges applied to any setting are not lost and the user can continue tochange settings. To leave the change setting mode, select No or Yesin the Save changes dialog.

After changing the parameters marked with !, the IED restartsautomatically for the changes to take effect.

4.3.4 Recovering password

In case of password loss the user and password can be reset to default in theMaintenance Menu, in case of other file system error that prevents the IED fromworking properly, the whole file system can be restored to IED default state. All thedefault settings and configuration files stored in the IED at the factory are restored.

To enter this menu, the IED must be rebooted and a specific key combination must bepressed on the LHMI during the IED boot sequence.



1. Switch off the power supply to the IED and leave it off for one minute.2. Switch on the power supply to the IED and press and hold down . and until

the Maintenance Menu appears on the LHMI (this takes around 20-60s).3. Navigate down and select Advanced options and press or .

Maintenance Menu

1. Revert to factory default

2. Revert to last known good state

3. Paus start sequence

4. Display IP address

5. Advanced options. PIN code protected

Press C to continue start-up

IEC15000418-1-en.vsdx

IEC15000418 V1 EN

Figure 19: Select Advanced options

“Revert to factory default” and “Revert to last known good state”shall not be used.

4. Enter PIN code 8282 and press .


Enter PIN

8282

IEC15000419 V1 EN

Figure 20: Enter PIN code

5. Select Revert to default user/password and press or .




Advanced Options

4.1: Revert to default user/passwd

4.2: View sysevent log

4.3: Clear sysevent log

4.4: Clear all databases

Press C to continue start-up

IEC15000420 V1 EN

Figure 21: Revert to default user/password

To cancel the operation in any step, press .

The IED perform a reboot and the new settings are activated.

The Maintenance Menu is only available on the Local HMI. Thepurpose of this menu is to have a way to recover in the field at differentsituations. The recovery menu is also protected with a 4–digit PINcode, fixed for all IEDs.



Section 5 Glossary

AC Alternating current

ACT Application configuration tool within PCM600

A/D converter Analog-to-digital converter

ADBS Amplitude deadband supervision

ADM Analog digital conversion module, with timesynchronization

AI Analog input

ANSI American National Standards Institute

AR Autoreclosing

ArgNegRes Setting parameter/ZD/

ArgDir Setting parameter/ZD/

ASCT Auxiliary summation current transformer

ASD Adaptive signal detection

AWG American Wire Gauge standard

BBP Busbar protection

BFP Breaker failure protection

BI Binary input

BIM Binary input module

BOM Binary output module

BOS Binary outputs status

BR External bistable relay

BS British Standards

BSR Binary signal transfer function, receiver blocks

BST Binary signal transfer function, transmit blocks

C37.94 IEEE/ANSI protocol used when sending binary signalsbetween IEDs

CAN Controller Area Network. ISO standard (ISO 11898) forserial communication

CB Circuit breaker

CBM Combined backplane module

1MRK 511 315-UEN A Section 5Glossary


CCITT Consultative Committee for International Telegraph andTelephony. A United Nations-sponsored standards bodywithin the International Telecommunications Union.

CCM CAN carrier module

CCVT Capacitive Coupled Voltage Transformer

Class C Protection Current Transformer class as per IEEE/ ANSI

CMPPS Combined megapulses per second

CMT Communication Management tool in PCM600

CO cycle Close-open cycle

Codirectional Way of transmitting G.703 over a balanced line. Involvestwo twisted pairs making it possible to transmit informationin both directions

COMTRADE Standard format according to IEC 60255-24

Contra-directional Way of transmitting G.703 over a balanced line. Involvesfour twisted pairs, two of which are used for transmittingdata in both directions and two for transmitting clock signals

CPU Central processing unit

CR Carrier receive

CRC Cyclic redundancy check

CROB Control relay output block

CS Carrier send

CT Current transformer

CVT Capacitive voltage transformer

DAR Delayed autoreclosing

DARPA Defense Advanced Research Projects Agency (The USdeveloper of the TCP/IP protocol etc.)

DBDL Dead bus dead line

DBLL Dead bus live line

DC Direct current

DFC Data flow control

DFT Discrete Fourier transform

DHCP Dynamic Host Configuration Protocol

DIP-switch Small switch mounted on a printed circuit board

DI Digital input

DLLB Dead line live bus

DNP Distributed Network Protocol as per IEEE Std 1815-2012

Section 5 1MRK 511 315-UEN AGlossary


DR Disturbance recorder

DRAM Dynamic random access memory

DRH Disturbance report handler

DSP Digital signal processor

DTT Direct transfer trip scheme

EHV network Extra high voltage network

EIA Electronic Industries Association

EMC Electromagnetic compatibility

EMF Electromotive force

EMI Electromagnetic interference

EnFP End fault protection

EPA Enhanced performance architecture

ESD Electrostatic discharge

FCB Flow control bit; Frame count bit

FOX 20 Modular 20 channel telecommunication system for speech,data and protection signals

FOX 512/515 Access multiplexer

FOX 6Plus Compact time-division multiplexer for the transmission ofup to seven duplex channels of digital data over opticalfibers

G.703 Electrical and functional description for digital lines used bylocal telephone companies. Can be transported overbalanced and unbalanced lines

GCM Communication interface module with carrier of GPSreceiver module

GDE Graphical display editor within PCM600

GI General interrogation command

GIS Gas-insulated switchgear

GOOSE Generic object-oriented substation event

GPS Global positioning system

GSAL Generic security application

GTM GPS Time Module

HDLC protocol High-level data link control, protocol based on the HDLCstandard

HFBR connector type Plastic fiber connector

HMI Human-machine interface



HSAR High speed autoreclosing

HV High-voltage

HVDC High-voltage direct current

IDBS Integrating deadband supervision

IEC International Electrical Committee

IEC 60044-6 IEC Standard, Instrument transformers – Part 6:Requirements for protective current transformers fortransient performance

IEC 60870-5-103 Communication standard for protective equipment. A serialmaster/slave protocol for point-to-point communication

IEC 61850 Substation automation communication standard

IEC 61850–8–1 Communication protocol standard

IEEE Institute of Electrical and Electronics Engineers

IEEE 802.12 A network technology standard that provides 100 Mbits/son twisted-pair or optical fiber cable

IEEE P1386.1 PCI Mezzanine Card (PMC) standard for local bus modules.References the CMC (IEEE P1386, also known as CommonMezzanine Card) standard for the mechanics and the PCIspecifications from the PCI SIG (Special Interest Group) forthe electrical EMF (Electromotive force).

IEEE 1686 Standard for Substation Intelligent Electronic Devices(IEDs) Cyber Security Capabilities

IED Intelligent electronic device

I-GIS Intelligent gas-insulated switchgear

IOM Binary input/output module

Instance When several occurrences of the same function areavailable in the IED, they are referred to as instances of thatfunction. One instance of a function is identical to another ofthe same kind but has a different number in the IED userinterfaces. The word "instance" is sometimes defined as anitem of information that is representative of a type. In thesame way an instance of a function in the IED isrepresentative of a type of function.

IP 1. Internet protocol. The network layer for the TCP/IPprotocol suite widely used on Ethernet networks. IP is aconnectionless, best-effort packet-switching protocol. Itprovides packet routing, fragmentation and reassemblythrough the data link layer.2. Ingression protection, according to IEC standard

IP 20 Ingression protection, according to IEC standard, level 20





IRF Internal failure signal

IRIG-B: InterRange Instrumentation Group Time code format B,standard 200

ITU International Telecommunications Union

LAN Local area network

LIB 520 High-voltage software module

LCD Liquid crystal display

LDCM Line differential communication module

LDD Local detection device

LED Light-emitting diode

LNT LON network tool

LON Local operating network

MCB Miniature circuit breaker

MCM Mezzanine carrier module

MIM Milli-ampere module

MPM Main processing module

MVB Multifunction vehicle bus. Standardized serial busoriginally developed for use in trains.

NCC National Control Centre

NUM Numerical module

OCO cycle Open-close-open cycle

OCP Overcurrent protection

OEM Optical ethernet module

OLTC On-load tap changer

OV Over-voltage

Overreach A term used to describe how the relay behaves during a faultcondition. For example, a distance relay is overreachingwhen the impedance presented to it is smaller than theapparent impedance to the fault applied to the balance point,that is, the set reach. The relay “sees” the fault but perhapsit should not have seen it.

PCI Peripheral component interconnect, a local data bus

PCM Pulse code modulation

PCM600 Protection and control IED manager



PC-MIP Mezzanine card standard

PMC PCI Mezzanine card

POR Permissive overreach

POTT Permissive overreach transfer trip

Process bus Bus or LAN used at the process level, that is, in nearproximity to the measured and/or controlled components

PSM Power supply module

PST Parameter setting tool within PCM600

PT ratio Potential transformer or voltage transformer ratio

PUTT Permissive underreach transfer trip

RASC Synchrocheck relay, COMBIFLEX

RCA Relay characteristic angle

RFPP Resistance for phase-to-phase faults

RFPE Resistance for phase-to-earth faults

RISC Reduced instruction set computer

RMS value Root mean square value

RS422 A balanced serial interface for the transmission of digitaldata in point-to-point connections

RS485 Serial link according to EIA standard RS485

RTC Real-time clock

RTU Remote terminal unit

SA Substation Automation

SBO Select-before-operate

SC Switch or push button to close

SCS Station control system

SCADA Supervision, control and data acquisition

SCT System configuration tool according to standard IEC 61850

SDU Service data unit

SLM Serial communication module. Used for SPA/LON/IEC/DNP3 communication.

SMA connector Subminiature version A, A threaded connector withconstant impedance.

SMT Signal matrix tool within PCM600

SMS Station monitoring system

SNTP Simple network time protocol – is used to synchronizecomputer clocks on local area networks. This reduces the



requirement to have accurate hardware clocks in everyembedded system in a network. Each embedded node caninstead synchronize with a remote clock, providing therequired accuracy.

SPA Strömberg protection acquisition, a serial master/slaveprotocol for point-to-point communication

SRY Switch for CB ready condition

ST Switch or push button to trip

Starpoint Neutral point of transformer or generator

SVC Static VAr compensation

TC Trip coil

TCS Trip circuit supervision

TCP Transmission control protocol. The most common transportlayer protocol used on Ethernet and the Internet.

TCP/IP Transmission control protocol over Internet Protocol. Thede facto standard Ethernet protocols incorporated into4.2BSD Unix. TCP/IP was developed by DARPA forInternet working and encompasses both network layer andtransport layer protocols. While TCP and IP specify twoprotocols at specific protocol layers, TCP/IP is often used torefer to the entire US Department of Defense protocol suitebased upon these, including Telnet, FTP, UDP and RDP.

TEF Time delayed earth-fault protection function

TNC connector Threaded Neill-Concelman, a threaded constant impedanceversion of a BNC connector

TPZ, TPY, TPX, TPS Current transformer class according to IEC

UMT User management tool

Underreach A term used to describe how the relay behaves during a faultcondition. For example, a distance relay is underreachingwhen the impedance presented to it is greater than theapparent impedance to the fault applied to the balance point,that is, the set reach. The relay does not “see” the fault butperhaps it should have seen it. See also Overreach.

UTC Coordinated Universal Time. A coordinated time scale,maintained by the Bureau International des Poids etMesures (BIPM), which forms the basis of a coordinateddissemination of standard frequencies and time signals.UTC is derived from International Atomic Time (TAI) bythe addition of a whole number of "leap seconds" tosynchronize it with Universal Time 1 (UT1), thus allowingfor the eccentricity of the Earth's orbit, the rotational axis tilt(23.5 degrees), but still showing the Earth's irregularrotation, on which UT1 is based. The Coordinated Universal



Time is expressed using a 24-hour clock, and uses theGregorian calendar. It is used for aeroplane and shipnavigation, where it is also sometimes known by themilitary name, "Zulu time." "Zulu" in the phonetic alphabetstands for "Z", which stands for longitude zero.

UV Undervoltage

WEI Weak end infeed logic

VT Voltage transformer

X.21 A digital signalling interface primarily used for telecomequipment

3IO Three times zero-sequence current. Often referred to as theresidual or the earth-fault current

3UO Three times the zero sequence voltage. Often referred to asthe residual voltage or the neutral point voltage



Contact us

ABB ABSubstation Automation ProductsSE-721 59 Västerås, SwedenPhone +46 (0) 21 32 50 00Fax +46 (0) 21 14 69 18

www.abb.com/substationautomation

1MR

K 5

11 3

15-U

EN

A©

Cop

yrig

ht 2

013

AB

B. A

ll rig

hts

rese

rved

.

cyber security deployment guideline · 2018-06-12 · to iso9001 and cmmi. 1mrk 511 315-uen a...

Documents