
MicroSCADA Pro SYS 600 9.3
Cyber Security Deployment Guideline
Trace back information:
Workspace Main version a11
Checked in 2012-11-13
1MRS756796 MicroSCADA Pro SYS 600 9.3
Issued: 31.3.2010 Cyber Security Deployment Guideline
Version: C/30.9.2012

Contents

1 Copyrights ............................................................................................. 5

2 Introduction ........................................................................................... 6
2.1 This manual .................................................................................. 6
2.2 Use of symbols ............................................................................. 6
2.3 Intended audience ........................................................................ 6
2.4 Document conventions ................................................................. 7
2.5 Document revisions ...................................................................... 7

3 General ................................................................................................... 8
3.1 Definitions and Abbreviations ....................................................... 10
3.2 Reference Documents .................................................................. 11

4 Configuring network ............................................................................. 13
4.1 Virtual Private Network (VPN) ...................................................... 13
4.1.1 Use cases ....................................................................... 14
4.2 Network Devices ........................................................................... 16

5 Configuring security settings for Windows OS and SYS 600 Servers ............ 17
5.1 BIOS settings ................................................................................ 17
5.2 Data Execution Prevention (DEP) ................................................ 17
5.3 Removing unused programs ........................................................ 17
5.4 Disabled system services ............................................................. 18
5.5 Windows Updates / Patch management ...................................... 18
5.6 Virus scanner ................................................................................ 19
5.7 Disabling devices .......................................................................... 21
5.8 Configurable logon/warning banner .............................................. 24
5.9 User Account Control (UAC) ......................................................... 25
5.10 OPC and DCOM ........................................................................... 25
5.11 Simple Network Management Protocol (SNMP) .......................... 25
5.12 Security policies ............................................................................ 26
5.13 Firewall (ports and services) ......................................................... 26
5.14 User account management ........................................................... 26
5.15 Application whitelisting .................................................................. 28
5.16 Protecting SYS 600 system configuration settings ....................... 28
5.17 Backing up and restoring .............................................................. 28
5.17.1 Taking backup ................................................................. 28
5.17.2 Restoring backup ............................................................ 29


6 Configuring security settings for SYS 600 Workplaces .................... 30
6.1 Enabling workstation calls from the server ................................... 30
6.2 X Windows technology ................................................................. 30

7 Configuring security features in SYS 600 .......................................... 32
7.1 User account management ........................................................... 32
7.2 Authorization / user account permissions ..................................... 32
7.3 Password policies ......................................................................... 32
7.4 User session time-out ................................................................... 33
7.5 Logging of user activities .............................................................. 33
7.6 Resetting administrator password ................................................ 34
7.7 Backdoors ..................................................................................... 34

8 Maintenance .......................................................................................... 35
8.1 Configuring network location ........................................................ 35
8.2 Adding new Windows users .......................................................... 35
8.3 Adding/installing new programs .................................................... 36
8.4 Adding new SYS 600 applications ................................................ 37
8.5 Adding Windows features ............................................................. 37
8.6 Modifying security settings ............................................................ 37
8.6.1 Latest hardening scripts .................................................. 37
8.7 Troubleshooting ............................................................................ 38

Appendices

A Quick Configuration Guideline ............................................................ 39
A.1 Securing SYS 600 Server ............................................................. 40
A.2 Securing SYS 600 Workplace ...................................................... 41
A.3 Rollback ........................................................................................ 42

B Ports and Services ................................................................................ 44

C Windows System Services ................................................................... 49

D Security Policies ................................................................................... 51

E Application Whitelisting - Applications and Permissions ................ 53

F Virtual Private Network ......................................................................... 55

G Introduction to SCADA Security .......................................................... 64


1 Copyrights

The information in this document is subject to change without notice and should not be
construed as a commitment by ABB Oy. ABB Oy assumes no responsibility for any
errors that may appear in this document.
In no event shall ABB Oy be liable for direct, indirect, special, incidental or consequential
damages of any nature or kind arising from the use of this document, nor shall ABB Oy
be liable for incidental or consequential damages arising from the use of any software
or hardware described in this document.
This document and parts thereof must not be reproduced or copied without written
permission from ABB Oy, and the contents thereof must not be imparted to a third party
nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under a license and
may be used, copied, or disclosed only in accordance with the terms of such license.
Copyright © 2012 ABB Oy. All rights reserved.
Trademarks
ABB is a registered trademark of ABB Group. All other brand or product names
mentioned in this document may be trademarks or registered trademarks of their respective
holders.
Guarantee
Please inquire about the terms of guarantee from your nearest ABB representative.
Third Party Copyright Notices
This software uses pugixml library (http://pugixml.org). pugixml is Copyright ©
2006-2012 Arseny Kapoulkine.


2 Introduction

2.1 This manual


This document is a security guide for MicroSCADA Pro Control System SYS 600 version
9.3 FP2 (hereafter SYS 600). There are quick configuration instructions at the end of
this document for configuring the server and workplace in easy steps, see Quick Configuration
Guideline.

2.2 Use of symbols


This publication includes warning, caution and information symbols where appropriate
to point out safety-related or other important information. It also includes tips to point
out useful hints to the reader. The corresponding symbols should be interpreted as follows:

Warning icon (!) indicates the presence of a hazard which could result in personal
injury.

Caution icon indicates important information or a warning related to the concept
discussed in the text. It might indicate the presence of a hazard, which could result
in corruption of software or damage to equipment/property.

Information icon alerts the reader to relevant factors and conditions.

Tip icon indicates advice on, for example, how to design your project or how to use
a certain function.

Although warning hazards are related to personal injury, and caution hazards are
associated with equipment or property damage, it should be understood that operation
of damaged equipment could, under certain operational conditions, result in degraded
process performance leading to personal injury or death. Therefore, comply fully with
all warnings and caution notices.

2.3 Intended audience


This manual is intended for installation personnel, administrators and skilled operators
to support installation of the software.


2.4 Document conventions


The following conventions are used for the presentation of material:
• The words in names of screen elements (for example, the title in the title bar of a
dialog, the label for a field of a dialog box) are initially capitalized.
• Capital letters are used for file names.
• Capital letters are used for the name of a keyboard key if it is labeled on the keyboard.
For example, press the CTRL key. Although the Enter and Shift keys are not labeled
they are written in capital letters, e.g. press ENTER.
• Lowercase letters are used for the name of a keyboard key that is not labeled on the
keyboard. For example, the space bar, comma key and so on.
• Press CTRL+C indicates that you must hold down the CTRL key while pressing
the C key (to copy a selected object in this case).
• Press ALT E C indicates that you press and release each key in sequence (to copy
a selected object in this case).
• The names of push and toggle buttons are boldfaced. For example, click OK.
• The names of menus and menu items are boldfaced. For example, the File menu.
- The following convention is used for menu operations: Menu Name > Menu
Item > Cascaded Menu Item. For example: select File > Open > New Project.
- The Start menu name always refers to the Start menu on the Windows Task
Bar.
• System prompts/messages and user responses/input are shown in the Courier font.
For example, if you enter a value out of range, the following message is displayed:
Entered value is not valid.
You may be told to enter the string MIF349 in a field. The string is shown as follows
in the procedure: MIF349
• Variables are shown using lowercase letters: sequence name

2.5 Document revisions


Version Revision number Date History
A 9.3 31.3.2010 New document
B 9.3 FP1 31.12.2010 Document updated
C 9.3 FP2 30.9.2012 Document updated


3 General

This document is a security guide for MicroSCADA Pro Control System SYS 600 version
9.3 FP2 (hereafter SYS 600). The guide is intended for software and project engineers
and system verification testers, who are expected to have general familiarity with
topics in the following areas:
• PCs, servers, and Windows operating systems
• Networking including TCP/IP and concept of ports and services
• Security policies
• Firewalls
• Anti-virus
• Application whitelisting
• Remote and secure communication
Operating systems (with the latest service packs) covered in this document are:
• Windows 7 Enterprise and Ultimate,
• Windows Server 2008 and 2008 R2,
• Windows XP Professional, or
• Windows Server 2003 Standard Edition
The guide assumes that in SYS 600 servers:
• Windows Update is disabled, e.g. WSUS used instead
• Uninterruptible Power Sources (UPS) are not controlled by the server
• Wireless network configuration is not used
• There are printers connected to the server
This guide assumes that in SYS 600 workplaces:
• Windows Update is disabled, e.g. WSUS used instead
• Wireless network configuration is not used
• There are printers connected to the workplace
However, the guide does not specify the network configuration (forests, domains,
organizational units (OU)) where the SYS 600 system is installed. There are several
ways to deploy security settings to machines, e.g. by using the secedit command-line
tool, the Security Configuration Wizard (SCW), or Group Policy Objects (GPO). This
guide gives instructions on how to deploy security settings to servers and workplaces
using the secedit tool.
This chapter gives general information, assumptions, and operating system and SYS 600
versions this guide covers. The system is secured by configuring the network, uninstalling
irrelevant software, disabling some Windows system services, configuring the firewall
settings, configuring application whitelisting, and applying security policies. Configuring
network is discussed in Chapter 4 Configuring network. Security settings in this document
are divided into the following categories:
• General security settings in Windows servers (Chapter 5 Configuring security settings
for Windows OS and SYS 600 Servers)


• Security settings in SYS 600 servers (Chapter 5 Configuring security settings for
Windows OS and SYS 600 Servers)
• Security settings in SYS 600 workplaces (Chapter 6 Configuring security settings
for SYS 600 Workplaces)
• Security features available in SYS 600 (Chapter 7 Configuring security features in
SYS 600)
There are security settings which are automatically configured in the product and those
which need to be configured manually. An administrator user account is created during
installation and a password is prompted for the MicroSCADA user. Since this is an
administrator user account, it is the responsibility of the system administrator to choose
a valid and secure password for this account.
Other Windows server security settings such as the firewall, security policies and the
disabling of Windows system services are not automatically configured during the SYS 600
installation. This is due to the fact that the SYS 600 installation may conflict with existing
security settings on some computers where it is not allowed to modify these. To apply
security settings after SYS 600 installation, read and execute the hardening script, see
Section A.1 Securing SYS 600 Server. The script files are located in the SYS 600
installation folder sc\setup\security.
There is a general security guide for control systems and operating systems on the ABB
website [ABBSEC09]. Microsoft also has security guides for different operating systems
[MSSEC09].
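The guide deploys its security settings with the secedit tool. The following added example (not from the ABB guideline or the scripts in sc\setup\security) shows the three steps a practitioner wants around that tool: snapshot the current local policy so the change can be rolled back, apply a template, and verify the live configuration against it with secedit /analyze. The template path, working folder and the assumption that it runs from an elevated prompt on Windows 7 / Server 2008 R2 are the example's own.

```powershell
# Added example, not part of the ABB guideline. Deploys a security template with
# secedit, keeps a rollback snapshot and verifies the result with secedit /analyze.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2; $Template is a
# placeholder for the template file you actually deploy.

$Template = 'C:\sc\setup\security\server-hardening.inf'   # assumed template path
$WorkDir  = Join-Path 'C:\SecurityDeploy' (Get-Date -Format 'yyyyMMdd-HHmmss')
$Rollback = Join-Path $WorkDir 'rollback.inf'
$Db       = Join-Path $WorkDir 'deploy.sdb'
$Log      = Join-Path $WorkDir 'secedit.log'

function Invoke-SecurityTemplate {
    param([string]$Cfg, [string]$Database, [string]$LogFile)
    # /overwrite empties the database first, so only the template's settings are applied.
    secedit /configure /db $Database /cfg $Cfg /overwrite /log $LogFile /quiet
    return $LASTEXITCODE
}

function Test-SecurityTemplate {
    param([string]$Cfg, [string]$Database, [string]$LogFile)
    # Compares the live configuration with the template. secedit marks settings that
    # differ with "Mismatch - <setting>" lines in the log; return those lines.
    secedit /analyze /db $Database /cfg $Cfg /log $LogFile /quiet
    return @(Select-String -Path $LogFile -Pattern 'Mismatch' -SimpleMatch)
}

function Restore-LocalPolicy {
    param([string]$RollbackInf)
    # Re-applies the exported snapshot if the hardening has to be undone.
    $db = [IO.Path]::ChangeExtension($RollbackInf, '.sdb')
    secedit /configure /db $db /cfg $RollbackInf /overwrite /quiet
    return $LASTEXITCODE
}

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Snapshot the current local security policy so that it can be restored later.
secedit /export /cfg $Rollback /quiet
if ($LASTEXITCODE -ne 0) { throw "Export of current policy failed (exit code $LASTEXITCODE)" }

# 2. Apply the template.
$rc = Invoke-SecurityTemplate -Cfg $Template -Database $Db -LogFile $Log
if ($rc -ne 0) { throw "secedit /configure failed (exit code $rc), see $Log" }

# 3. Verify and report anything that still differs from the template.
$mismatches = Test-SecurityTemplate -Cfg $Template -Database $Db -LogFile $Log
if ($mismatches.Count -eq 0) {
    Write-Host "Template applied; no mismatches found. Rollback snapshot: $Rollback"
} else {
    Write-Warning ("{0} setting(s) still differ from the template:" -f $mismatches.Count)
    $mismatches | ForEach-Object { Write-Warning $_.Line }
}
```

Settings that belong to a domain GPO will show up as mismatches again after the next policy refresh, which is one reason the guide leaves the domain/OU layout to the project. To undo the change, call Restore-LocalPolicy with the rollback.inf path printed above.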

MicroSCADA Pro SYS 600C includes both SYS 600 and Windows server-specific security
settings by default. However, it is the responsibility of the project engineer to:
• Activate pre-configured Windows user accounts (ScOperator etc.)
• Open Windows Firewall ports for the used communication protocols
• Allow applications to run in Windows AppLocker
For more information, see section Maintenance.

X=automatically configured in the product, S=script files exist, M=manual configuration

Table 3.1: Deployment of security features in SYS 600 product

Security feature                             SYS 600       SYS 600C   SYS 600 9.3   Remarks
                                             installation             and later
Windows users and groups                     - 1)          X+M 2)     S+M 2)
OPC/DCOM settings for SYS 600                -             S+M        S+M           See [SYSINS]
  server-workplace
Firewall settings (ports and services)       -             X          S+M           3)
Virtual Private Network (VPN)                -             X          M
BIOS settings                                -             X          M
Removing unused programs                     -             X          M
Disabling system services                    -             X          S
SNMP                                         -             X          M
Security policies                            -             X          S
Windows Update                               -             M          M             4)
User Access Control (UAC)                    -             X          S
Application whitelisting                     -             X          S
Virus scanner                                -             M          M             5)
Disabling devices
  - DVD/CD-ROM drives                        -             X          S
  - USB Mass Storage                         -             X          S
  - Serial port                              -             M          M
  - Floppy disk controller                   -             M          M
  - Sound, video controller                  -             M          M
Disabling autorun functionality              -             X          S
Backing up and restoring                     -             M          M
SYS 600 user management and authorization    -             X          M

1) The MicroSCADA user account is automatically created during installation. The
   password should be longer than 15 characters.
2) Some user accounts have to be enabled manually.
3) Enable ports for the used communication protocols according to customer
   specifications.
4) Not installed/services disabled. WSUS or manual installation to be used instead.
   ABB is verifying and testing the latest service packs and security updates.
5) Installation manuals exist for some virus scanner software and ABB is also
   verifying and testing virus definitions of those.

3.1 Definitions and Abbreviations


Table 3.2: Terminology
Term        Description
DCOM        Distributed Component Object Model
NCC         Network Control Center
OPC         Open connectivity specification by OPC foundation
SCADA       Supervisory Control and Data Acquisition
SCW         Security Configuration Wizard
SSLF        Specialized Security-Limited Functionality
SYS 600     MicroSCADA Pro Control System SYS 600
SYS 600C    MicroSCADA Pro SYS 600C
TCP/IP      Transmission Control Protocol/Internet Protocol
WSUS        Windows Server Update Services

3.2 Reference Documents


Table 3.3: References
Ref          Document title
[ABBSEC09]   ABB Security – Control Systems, ABB.
[APPLOC12]   Windows AppLocker, Microsoft.
[MSANA09]    Microsoft Baseline Security Analyzer, Microsoft.
[MSDCOM04]   Restrict TCP/IP Ports (Windows 2000 and XP), Microsoft.
             The default dynamic port range for TCP/IP has changed (Windows 7 and
             Server 2008), Microsoft.
             How to configure RPC dynamic port allocation to work with firewalls
             (Windows 2003 and 2008), Microsoft.
[MSDEP]      Data Execution Prevention, Microsoft.
[MSPASS09]   Strong passwords, Microsoft.
[MSSEC09]    Windows OS Security Guides, Microsoft. Search for Security Guide and
             refine your search by giving a specific OS name, e.g. Windows Server 2008.
[MSTHRE05]   Threats and Countermeasures Guide: Security Settings in Windows
             Server 2003 and Windows XP, Microsoft.
             Threats and Countermeasures Guide: Security Settings in Windows
             Server 2008 and Windows 7, Microsoft.
[MSUPD]      Windows Update, Microsoft.
[MSWS03]     Security Compliance Manager, Microsoft.
[SYSAPL]     SYS 600 Application Design manual, 1MRS756637, ver. C, ABB.
[SYSCON]     SYS 600 System Configuration manual, 1MRS756646, ver. C, ABB.
[SYSINS]     SYS 600 Installation and Administration manual, 1MRS756634, ver. C, ABB.
[WSUS]       Windows Server Update Services, Microsoft.
[SYSCUG]     SYS 600C Users Guide, 1MRS757257, ver. C, ABB.
[UAC]        What are User Account Control settings?, Microsoft.


4 Configuring network

Each host in a TCP/IP network has a unique identifier, called an IP address. The IP
address is composed of four numbers in the range from 0 to 255. The numbers are
separated with dots, e.g. 192.168.0.1. Because every computer on an IP network must
have a unique IP address, careful planning of IP addresses throughout the whole system
is important. Remember to take future needs in the address areas into account when
planning large networks. A host can have multiple IP addresses, as shown in
Figure 4.1. Static IP addressing should be used in a SYS 600 system; see Configure a
Static IP Address and [SYSINS, Host names] for more information.
ABB does not recommend the use of domains and wireless networks in a SYS 600 system
due to the high reliability that is required of the control system. A domain controller that
is unavailable might affect the stability of the control system. If a domain network is
used, the risks of this solution should be understood. For more information,
see Active Directory Domain Services, Microsoft.

Figure 4.1: An example of SYS 600 with NCC connection

4.1 Virtual Private Network (VPN)


This guideline considers the IP communication between SYS 600 and the Network
Control Center (NCC) / Regional Control Center (RCC) via a dedicated wide area link
that is not exposed to public access. The use case is to protect the dedicated link against
man-in-the-middle attacks by guaranteeing confidentiality, integrity, and authentication
via IPSec, using pre-shared key authentication.
The IPSec configuration must be done on all machines that should communicate with
each other by IPSec. The configuration is shown in Appendix F Virtual Private
Network.

IPSec encryption is a CPU consuming activity that can affect the maximum throughput
and the CPU utilization. In order to determine the effect of IPSec encryption on data
throughput and CPU consumption, it is important to verify this with tests.

4.1.1 Use cases

NCC Communication
This use case features the IP communication between SYS 600 and the NCC via a
dedicated wide area link, which can be a glass fiber optics communication link, a
microwave radio link, or a leased line that is not exposed to public access. The use of
IPSec/VPN technology ensures that the transmitted data is not readable by eavesdroppers
and not vulnerable to man-in-the-middle attacks. In addition, both SYS 600 and NCC can
authenticate each other using pre-shared keys before establishing the communication link.

Figure 4.2: NCC communication


Figure 4.2 visualizes a possible setup for the use case. The VPN connections are illustrated
as blue tubes, and multiple SYS 600 devices are connected to the NCC system via the
operator’s internal IP network.
If no network address translation (NAT) mechanism is used between SYS 600 and the
NCC, IPSec can be run in transport mode, which encrypts the payload of each IP packet
but leaves the IP header intact, allowing fast delivery.
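The NCC use case above (no NAT in the path, transport mode, pre-shared key authentication) can be expressed on Windows 7 / Server 2008 R2 as a connection security rule in Windows Firewall with Advanced Security. The example below is added here and is not the configuration from Appendix F; the rule name, the two addresses and the cipher suite are assumptions, and the same rule with the endpoints swapped must be created on the NCC host, since IPSec has to be configured on every peer.

```powershell
# Added example, not part of the ABB guideline or its Appendix F. Creates a
# transport-mode IPsec rule with pre-shared key authentication between a SYS 600
# server and the NCC host. Assumptions: Windows 7 / Server 2008 R2 (XP/2003 use the
# IP Security Policy snap-in instead), elevated prompt, constructed addresses below.

$RuleName = 'SYS600-NCC-IPsec'     # assumed rule name
$Sys600Ip = '192.168.0.10'         # constructed address of this SYS 600 server
$NccIp    = '10.1.1.20'            # constructed address of the NCC host

# Read the pre-shared key at run time instead of keeping it in the script file.
$secure   = Read-Host -Prompt 'Pre-shared key (identical on both peers)' -AsSecureString
$PskPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Remove a stale rule of the same name so that re-running the script is idempotent.
& netsh advfirewall consec delete rule "name=$RuleName" | Out-Null

# action=requireinrequireout: traffic in both directions must be IPsec-protected,
#   unauthenticated packets between the two endpoints are dropped.
# mode=transport: only the payload is protected, the IP header stays intact (no NAT).
# auth1=computerpsk: computer-level pre-shared key authentication (main mode).
# qmsecmethods: ESP with SHA-1 integrity and AES-256 encryption (assumed option value;
#   confirm against 'netsh advfirewall consec add rule /?' on the target OS).
$ruleArgs = @(
    'advfirewall', 'consec', 'add', 'rule',
    "name=$RuleName",
    "endpoint1=$Sys600Ip",
    "endpoint2=$NccIp",
    'action=requireinrequireout',
    'mode=transport',
    'auth1=computerpsk',
    "auth1psk=$PskPlain",
    'qmsecmethods=esp:sha1-aes256',
    'profile=any',
    'enable=yes'
)
& netsh $ruleArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Show the stored rule; after traffic has flowed, a quick-mode SA for the pair of
# addresses must appear in the monitor output, otherwise the peers do not agree.
& netsh advfirewall consec show rule "name=$RuleName"
& netsh advfirewall monitor show qmsa
```

Because the rule requires protection in both directions, a mismatch in key or cipher suite on either side silently blocks the NCC link rather than falling back to clear text, which is the intended failure mode but also why the throughput tests the guide asks for should be run after both peers are configured.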
Maintenance Access via Remote Desktop Protocol (RDP)
An alternative access to SYS 600 is the use of the Remote Desktop Protocol (RDP).
RDP provides a graphical interface for SYS 600 on another computer. The RDP access
should be restricted to Intranet access only. Authentication is by conventional Windows
user login. RDP uses encryption to protect all transmitted data, but it is still recommended
to use IPSec/VPN for maintenance access also.

Figure 4.3: RDP Maintenance Access via VPN

Note that the firewall must accept incoming RDP connections, and the maintenance
device connected to the VPN must be able to access SYS 600's RDP port. As SYS 600
has access to the station bus, a service engineer connected to SYS 600's desktop can
also reach the station bus through it.
HSB communication
Another use case affects communication between a master SYS 600 device and its
redundant hot-standby-system via a wide area network connection. This link should be
protected against man-in-the-middle attacks by guaranteeing confidentiality, authenticity,
and authentication. This use case is comparable to NCC communication.


Figure 4.4: SYS 600 to SYS 600 communication

See section Appendix F Virtual Private Network to configure VPN.

4.2 Network Devices


Network devices such as switches, routers, firewalls, intrusion detection systems, modems,
and wireless devices are not part of this security guide. From a security point of view,
the following features should be enabled on these devices:
• Logging
• Patches / Updates
• Backup / Recovery
For more information, see the device manuals.


5 Configuring security settings for Windows OS and SYS 600 Servers

Windows servers are protected with the latest service packs and security updates, firewalls,
security policies, application whitelisting, and virus scanners. To reduce the attack surface
of servers, programs and services that are not used can also be uninstalled or disabled. See
Table 3.1 to check the security features automatically configured in SYS 600. Some
SYS 600 versions need manual configuration.
The sections below use the statements "This has to be configured manually" and "This
is configured automatically". The first statement means that the security setting has to be
configured manually. The latter means that there is a script file to automate the
configuration process. This process is described in Securing SYS 600 Server.

5.1 BIOS settings


The following settings must be applied:
• Password(s) are enabled
• Remote wake-up/Wake on LAN is disabled
This has to be configured manually.

5.2 Data Execution Prevention (DEP)


DEP is a security feature that can help prevent damage to your computer from viruses
and other security threats. DEP can help protect your computer by monitoring programs
to make sure they use system memory safely. If a program tries running (also known as
executing) code from memory in an incorrect way, DEP closes the program. DEP
automatically monitors essential Windows programs and services. [MSDEP]
The default configuration of the operating system is used.

5.3 Removing unused programs


The following software is not used by SYS 600 and can be manually removed from Windows
Control Panel > Add/Remove Programs > Add/Remove Windows Components.
These programs are normally found in desktop operating systems such as Windows
XP and Windows 7.
Windows Component        Added / Removed
Outlook Express          Manually Removed
Messenger                Manually Removed
MSN Explorer             Manually Removed
Windows Media Player     Manually Removed
Games (Windows XP)       Manually Removed

This has to be configured manually.

5.4 Disabled system services


Enabled and disabled system services are listed in Appendix C Windows System Services.
This is configured automatically using script files.

5.5 Windows Updates / Patch management


There are nine update classifications defined by Microsoft. These include, for example,
critical updates, drivers, security updates and service packs. The compatibility of the SYS
600 product with the latest Windows security updates and service packs is tested and
verified monthly by ABB. We recommend that servers are updated according to the
MicroSCADA Pro SYS 600 Patch Compatibility Report. The report does not cover SYS
600 workplace computers, but it is recommended to install all updates on them.

Configuration
A dedicated server, Microsoft Windows Server Update Services (WSUS), can be used
for updating servers and workplaces. For more detailed information, see [WSUS].
To manually get Windows security updates for the standalone server, Microsoft Update
Catalog can be used:
1. Check the tested and verified security updates in the patch compatibility report for
the relevant operating system.
2. Go to http://catalog.update.microsoft.com
3. Enter the bulletin ID mentioned in the patch compatibility report and the operating
system of the server to the search field, e.g. "MS12-055 Windows 2008 R2" and
press Search.
4. There might be several search results e.g. for different server architectures. Find the
correct security update for the architecture and press Add to add it to the basket.
5. Repeat steps 3 and 4 for each security update.
6. Click Show basket and the content of the basket is shown.
7. Click Download to save all security updates in the basket to the disk. Create a new
folder for the security updates e.g. 2012-10 indicating a year and a month of security
updates.
This has to be configured manually.
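Once the updates are saved to the month folder (step 7), they still have to be installed on the standalone server and the result checked. The following added example (not from the ABB guideline) installs every .msu file from such a folder with wusa.exe and then verifies with Get-HotFix that each KB named in a downloaded file is reported as installed. The folder path is a placeholder, and the file-name pattern Windows6.1-KB<number>-<arch>.msu is the Update Catalog's own naming.

```powershell
# Added example, not part of the ABB guideline. Installs the security updates
# downloaded into a month folder and verifies them afterwards.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2; $UpdateFolder is a
# placeholder; files are named like Windows6.1-KB<number>-x64.msu.

$UpdateFolder = 'D:\SecurityUpdates\2012-10'   # placeholder for the month folder

function Install-MsuFolder {
    param([string]$Folder)
    $results = @()
    foreach ($msu in Get-ChildItem -Path $Folder -Filter '*.msu') {
        # wusa.exe installs a standalone update; /quiet suppresses the UI and
        # /norestart defers the reboot so that it can be scheduled with the process owners.
        $p = Start-Process -FilePath 'wusa.exe' `
                -ArgumentList @("`"$($msu.FullName)`"", '/quiet', '/norestart') `
                -Wait -PassThru
        # 0 = installed, 3010 = installed but reboot required,
        # 2359302 (0x240006) = already installed; anything else is a failure.
        $status = switch ($p.ExitCode) {
            0       { 'Installed' }
            3010    { 'Installed, reboot required' }
            2359302 { 'Already installed' }
            default { "Failed (exit code $($p.ExitCode))" }
        }
        $kb = if ($msu.Name -match 'KB\d+') { $Matches[0] } else { '' }
        $results += New-Object PSObject -Property @{ File = $msu.Name; KB = $kb; Result = $status }
    }
    return $results
}

function Test-InstalledKb {
    param([string[]]$Kb)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists OS updates but not every
    # update type, so a KB reported as missing here should be checked manually
    # (Control Panel > Windows Update > View update history) before it is re-installed.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $Kb) {
        New-Object PSObject -Property @{ KB = $id; Installed = ($installed -contains $id) }
    }
}

$install = Install-MsuFolder -Folder $UpdateFolder
$install | Format-Table File, KB, Result -AutoSize

$kbs   = $install | Where-Object { $_.KB } | ForEach-Object { $_.KB }
$check = Test-InstalledKb -Kb $kbs
$check | Format-Table KB, Installed -AutoSize

if ($check | Where-Object { -not $_.Installed }) {
    Write-Warning 'Some updates are not reported by Get-HotFix; verify them before restarting.'
}
if ($install | Where-Object { $_.Result -like '*reboot*' }) {
    Write-Warning 'A restart is required to complete installation; plan it with the process owners.'
}
```

Keep the per-month folder together with this output as the record of which report entries were applied to which server; it is what the next patch compatibility report is compared against.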


5.6 Virus scanner


Whenever it cannot be guaranteed that no unknown software is executed on a machine (e.g.
because removable devices or USB ports are enabled), the use of anti-virus software is
highly recommended on servers, workstations, and maintenance laptops.
Virus scanners distinguish between on-access scanning (only files that are currently
requested to load are checked) and on-demand scanning (all files are checked during a
scheduled scan). Minimum requirements for the virus scanner are on-demand scanning
and virus definition updating features.
On-access virus scanners on servers are a trade-off between security and performance.
We recommend testing the performance of the system with normal virus scanner settings.
If the performance is not acceptable it can be enhanced with various settings available
in some virus scanner programs, such as excluding certain directories or files (those that
are frequently used) in on-access scanning and on-demand scanning. For example, event
logs, databases and some custom file types which are accessed continuously should be
put in the exception list, i.e., those files are not on-access scanned.
Various settings available in virus scanner programs for enhancing performance are
shown below.

• Windows operating system directories should not be excluded
• Some virus scanner programs may not have the settings shown below

CPU Utilization
• Restrict CPU Utilization to 20%
• After modifying this setting it is recommended to run the on-demand scan to local
disks once to ensure that it finishes within an acceptable amount of time.
On-access scanning
• Scan only local disks, network scan is disabled (when each machine has its own
virus scanner).
• Disable email scans.
• In general, nothing should be excluded from scanning, but in case there are some
performance issues:
- SYS 600: <drive>\sc\apl\*.* (including subdirectories) are frequently used. If
this does not solve issues then exclude the whole sc directory.
- DMS 600: <drive>\DMS600\*.*
• Excluded files:
- Archive files such as .cab, .rar, and .zip
• Other settings
- Enable buffer overflow protection
- Enable access protection


- Enable script scan


On-demand scanning
• Initiated periodically or manually
• Initiated manually if the system owner has found virus infected files on other
computers in the enterprise e.g. in the office network or on maintenance laptops or
the like
• Scan only local disks, network scan is disabled (when each machine has its own
virus scanner)
• Scanning should be done when normal system activity is low
• All items excluded in on-access scanning should be included in the scan
Handling of infected files
• Automatic clean first, then quarantine. Deleting must be done manually by security
specialist.
• Antivirus should not be allowed to clean, quarantine or delete SYS 600 processes.
• Reporting:
- Maintenance personnel should check virus scanner log files on each site visit.
In case of virus detection, the issue must be escalated to the responsible personnel.
- There are several methods to report virus detection, such as email, printout to a
printer, sending to a computer’s syslog, launching a program locally (e.g. a
SCIL program or VB script), or sending an SNMP trap to one or more
computers. Sending an SNMP trap is the preferred method.
Scan engine and virus definition updates
• It is recommended that scan engines and virus definitions are updated automatically.
However, enabling this feature on all machines connected to the automation system
network is not a recommended practice. For a more secure and reliable deployment
of virus definitions, a central management (e.g. F-Secure Policy Manager, McAfee®
ePolicy Orchestrator, or Symantec Endpoint Protection Manager) and update
deployment host can be set up on a corporate intranet. This allows a system
administrator to have control over when updates are made. Note that a direct Internet
connection should only be allowed for the time everything is downloaded; the
connection is closed after downloading is finished. General guidelines are provided
in [ABBSEC09, IS Security Considerations for Automation Systems].
• If redundant servers exist, it is recommended to update scan engine and virus
definitions to these servers first. Reboot the server, open monitor, and perform some
functional testing e.g. opening process, event, alarm displays and control dialogs.
• New virus definition files should be taken into use immediately, but see the above
recommendation for redundant servers.
• Some scan engine updates may override current scan settings. In possible problem
situations, this should be checked.
This has to be configured manually.


Patch management
It is recommended to update scan engine and virus definition files regularly. Verify that
the settings introduced above are preserved and the performance and functionality of the
system is acceptable after updates.
Theoretically, a new virus definition file could arrive that could compromise the proper
functionality of the system. Testing the system against every new virus definition file is
obviously not feasible. Therefore, we recommend full system backup before updating
virus definition files.
MicroSCADA Pro Portal contains manuals for installing McAfee and Symantec virus
scanners. The compatibility of SYS 600 product with the latest upgrades and virus
definitions is tested and verified monthly by ABB for some virus scanner programs. We
recommend that servers are updated according to MicroSCADA Pro SYS 600 Patch
Compatibility Report.

5.7 Disabling devices


On any type of server it is good practice to disable the devices that are not used. This may
include USB ports, CD/DVD drives, communication ports, and floppy disk controllers.
This has to be configured manually.
Run devmgmt.msc (Device Manager) and look for the devices to be disabled.
The following figures show the disabling of the DVD/CD-ROM drive, the floppy disk
controller, and the sound, video and game controllers; finally, the Universal Serial Bus
(USB) ports must be disabled.

Do not disable a device if it will be used, e.g. USB license keys, alarm sounds, or
software installations.


Figure 5.1: Disabling DVD/CD-ROM

Figure 5.2: Disabling Floppy disk controller


Figure 5.3: Disabling Serial port


Figure 5.4: Disabling USB Mass Storage Device, see also http://support.microsoft.com/kb/823732.

Disabling autorun functionality


Whenever disabling of devices is not possible, it is good practice to disable autorun
functionality of the device. In order to prevent the automatic start of malicious code
contained in a removable device, autorun functionality must be turned off. For more
information, see How to disable the Autorun functionality in Windows,
http://support.microsoft.com/kb/967715/en-us.
This is configured automatically using script files.

5.8 Configurable logon/warning banner


The computer must have a warning banner for authorized and unauthorized users shown
at all access points. This is needed for successfully prosecuting unauthorized users who
improperly use the computer. Warning banners in SYS 600 are configurable and are
located in:
• Windows OS login
• SYS 600 Monitor Pro login
• SYS 600 Monitor login
To modify texts in warning banners:


1. Start Registry Editor to modify the Windows OS banner.
2. Go to the following keys:
• MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
• MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
3. Start Monitor Pro and select Tools > Engineering Tools > Display Builder and
open sc\prog\graphicsEngine\lib\views\Startup.v to modify the SYS 600 Monitor Pro
banner.
4. Start Monitor Pro and select Tools > Engineering Tools > Tool Manager > Dialog
Editor and open sc\sa_lib\base\bbone\use\BGU_LOGIN.VSO to modify the SYS 600
Monitor banner.
This is configured automatically using script files, pre-configured dialogs and process
displays.
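The registry-based variants of the settings in Sections 5.7 (USB mass storage and autorun, following the two Microsoft KB articles cited there) and 5.8 (Windows logon banner), as an added example that is not part of this guide or its hardening scripts. The banner wording, the `$Settings` table and the helper function names are constructed for the example; run it from an elevated PowerShell prompt.

```powershell
# Added example; not part of the ABB guide or its hardening scripts.
# Registry-based variants of three settings from Sections 5.7 and 5.8:
#  - USB mass storage driver disabled (the UsbStor "Start = 4" method from the
#    Microsoft KB 823732 the guide cites; a device that is already attached stays
#    usable until it is reconnected),
#  - Autorun turned off for all drive types (KB 967715: NoDriveTypeAutoRun = 0xFF),
#  - Windows logon warning banner (Winlogon LegalNoticeCaption / LegalNoticeText).
# The banner wording is a constructed placeholder; replace it with the text your
# organization has approved. Run from an elevated PowerShell prompt.

$Settings = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
       Name  = 'Start'; Type = 'DWord'; Value = 4 },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'NoDriveTypeAutoRun'; Type = 'DWord'; Value = 0xFF },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name  = 'LegalNoticeCaption'; Type = 'String'; Value = 'Authorized use only' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name  = 'LegalNoticeText'; Type = 'String'
       Value = 'PLACEHOLDER BANNER: this system is restricted to authorized users. Use is monitored and logged.' }
)

function Set-RegistrySetting {
    param([hashtable]$Setting)
    # Policies\Explorer does not exist on a fresh installation; create the key first
    if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -PropertyType $Setting.Type `
        -Value $Setting.Value -Force | Out-Null
}

function Test-RegistrySetting {
    # Returns $true when the value stored in the registry matches the intended one
    param([hashtable]$Setting)
    if (-not (Test-Path $Setting.Path)) { return $false }
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.($Setting.Name) -eq $Setting.Value)
}

foreach ($s in $Settings) {
    Set-RegistrySetting -Setting $s
    $state = if (Test-RegistrySetting -Setting $s) { 'OK' } else { 'FAILED' }
    Write-Output ('{0,-6} {1}\{2}' -f $state, $s.Path, $s.Name)
}
```

Re-running Test-RegistrySetting on each entry after a hardening script or a patch round shows whether these values survived, which is the check Section 5.6 asks for after updates.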

5.9 User Account Control (UAC)


UAC is a security feature in Windows 7 and Windows Server 2008. For more
information, see [UAC]. UAC should be enabled using its default settings in SYS 600
Server/Workplace.
This is configured automatically using script files.

5.10 OPC and DCOM


The usage of OPC communication between OPC client and server requires that Distributed
COM (DCOM) has been configured properly in the Windows operating system. This
includes configuring mutual user accounts between computers, system-wide DCOM
settings, OPC server specific DCOM settings, and firewall rules.
Distributed Component Object Model (DCOM) uses Remote Procedure Call (RPC)
dynamic port allocation. By default, RPC dynamic port allocation randomly selects port
numbers. One can control which ports RPC dynamically allocates for incoming
communication and then configure the firewall to confine incoming external
communication to only those ports and port 135 (the RPC Endpoint Mapper port)
[MSDCOM04].
This is configured automatically using script files.
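Confining the RPC dynamic port range and restricting the firewall to that range plus port 135, as described above, as an added example that is not part of this guide or its hardening scripts. The port window 5000-5020, the rule names and the function names are constructed for the example; the rules are added to the Domain and Private profiles only, matching the guide's practice of leaving the Public profile unconfigured.

```powershell
# Added example; not part of the ABB guide or its hardening scripts.
# Confines the RPC dynamic port range used by DCOM to a fixed window and allows
# inbound TCP only for that window and for port 135 (RPC Endpoint Mapper) from the
# local subnet. Run from an elevated PowerShell prompt; RPC reads the new range only
# after a reboot.
# Assumption (constructed): port window 5000-5020. Choose a window that no other
# service on the server uses.

$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange = '5000-5020'

function Set-RpcDynamicPortRange {
    param([string]$Range)
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ: one entry per range ("5000-5020") or single port
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    # "Y" means the listed ports are the ones RPC hands out as dynamic endpoints
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Add-DcomFirewallRules {
    param([string]$Range)
    # An OPC client first asks port 135 which dynamic port the OPC server listens on,
    # so the endpoint mapper must stay reachable from the local subnet
    netsh advfirewall firewall add rule name="DCOM: RPC Endpoint Mapper" dir=in `
        action=allow protocol=TCP localport=135 remoteip=localsubnet profile=domain,private | Out-Null
    # Then only the confined dynamic window is allowed in
    netsh advfirewall firewall add rule name="DCOM: RPC dynamic ports" dir=in `
        action=allow protocol=TCP localport=$Range remoteip=localsubnet profile=domain,private | Out-Null
}

function Test-RpcDynamicPortRange {
    # Returns $true when the registry reflects the confined range
    param([string]$Range)
    if (-not (Test-Path $RpcKey)) { return $false }
    $p = Get-ItemProperty -Path $RpcKey
    return ($p.Ports -contains $Range) -and ($p.PortsInternetAvailable -eq 'Y') `
        -and ($p.UseInternetPorts -eq 'Y')
}

Set-RpcDynamicPortRange -Range $PortRange
Add-DcomFirewallRules   -Range $PortRange
if (Test-RpcDynamicPortRange -Range $PortRange) {
    Write-Output "RPC dynamic range confined to $PortRange; reboot the server to apply."
} else {
    Write-Warning 'RPC registry settings were not written as expected.'
}
```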

5.11 Simple Network Management Protocol (SNMP)


By default, SNMP services are enabled in SYS 600 server security settings. In Windows
XP, these services must be installed on the computer first. SNMP version 3 or later
should be used.


This is configured automatically using script files.

5.12 Security policies


Security policies are based on predefined SSLF (Specialized Security-Limited
Functionality) security templates from Microsoft [MSSEC09]. These policies are modified
for SYS 600 purposes in servers and workplaces. The templates are categorized into the
following sections:
• Account policies
• Audit policy
• User rights
• Security options
• Event log
• System services
This is configured automatically using script files. See Section A.1 Securing SYS 600
Server. See also Appendix D Security Policies to see the changes to default values.

5.13 Firewall (ports and services)


Windows Firewall is a stateful firewall that can be configured to restrict all inbound
connections; older versions cannot filter or block outbound connections, but Windows
7 and Server 2008 support blocking outbound connections. Windows Firewall settings
configured in the security scripts are not applied to the public network profile. For more
information about profiles, see Understanding Firewall Profiles. The scope options of
the firewall settings are ALL or SUBNET. SUBNET is a general setting option allowing
only local network (subnet) traffic through the firewall (for more information, see
http://technet.microsoft.com/en-us/library/cc778362(WS.10).aspx).
Other general settings are:
• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767kB
• ICMP settings: disabled
• Notify when an application is blocked.
Ports and services used by SYS 600 as well as default firewall settings are listed in
Appendix B Ports and Services. We recommend using hardware firewalls. Software
firewalls may affect performance, in which case they should not be used.
This is configured automatically using script files, see Section A.1 Securing SYS 600
Server.

5.14 User account management


During the SYS 600 installation, a MicroSCADA user account is created in Windows
with administrator privileges. The administrator user should have a long password, at
least 15 characters long [MSPASS09]. The password of the MicroSCADA user account
should not be changed through Windows User Management. Instead, SYS 600 Control
Panel > Admin > Password should be used, where the DCOM settings are automatically
configured.
By default, SYS 600C contains the following Windows user accounts:
• MicroSCADA user (admin): This is used by the MicroSCADA service and should
not be used by interactive users.
• ScAdmin user (admin): This account should be used by the system administrator.
• ScEngineer, ScOperator, and ScViewer users (non-admin): These accounts are
disabled by default for security reasons.
• ScSysAdmins, ScEngineers, ScOperators, and ScViewers groups: Scripts configuring
other security areas such as Local security policy and application whitelisting are
based on these groups.

To configure these user accounts and groups automatically in SYS 600, the hardening
script has to be executed. To create new Windows user accounts, see Section 8.2 Adding
new Windows users. Do not give administrative rights (membership of Administrators)
to operators, viewers, and engineers. Only system administrators should have
administrative rights.

During the hardening the built-in Administrator user account name is renamed. The
Administrator user account name cannot be used to log in to the computer anymore;
ScAdmin must be used instead. In Windows 7, the built-in administrator user account
has to be activated manually and the password has to be set:
net user ScAdmin <password> /active:yes

After activating and successfully logging in with the ScAdmin user account, it is
recommended to delete the user account that was created during the Windows 7
installation to have a clean user account set. This means that before adding new
users to the server there are two administrative users only: MicroSCADA and ScAdmin.

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)
• An ideal password is long and has letters, punctuation,
symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password,
the better.
• Use the entire keyboard, not just the letters and characters
you use or see most often.


This is configured automatically using script files.

5.15 Application whitelisting


Windows AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that
allows you to specify which users or groups can run particular applications in your
organization based on unique identities of files. If you use AppLocker, you can create
rules to allow or deny applications from running. Today's organizations face a number
of challenges in controlling application execution, including the following:
• Which applications should a user have access to run?
• Which users should be allowed to install new software?
• Which versions of applications should be allowed? [APPLOC12]
This is configured automatically using script files. See Appendix E Application
Whitelisting - Applications and Permissions.

5.16 Protecting SYS 600 system configuration settings


The SYS 600 system is protected through file system permissions and restrictions on remote
connections. SYS 600 Workplaces connect to the server through Remote Desktop Services.
The remote connection should be configured so that the user of the SYS 600 Workplace
only has access to the SYS 600 Monitor Pro application, i.e., the user has no permission
to open other applications on the server machine. For more information, see [SYSINS,
SYSCON].
File system permissions are configured automatically using script files. The remote connection
has to be configured manually.

5.17 Backing up and restoring


The following instructions are taken from [SYSCUG].

5.17.1 Taking backup

We recommend that you back up the SYS 600 Server with disc imaging software (for
example Acronis True Image or Norton Ghost). The image should be saved to a network
drive or to a USB flash drive. Refer to the instructions from your disc imaging software
manufacturer on how to accomplish this.
Recommendations for image backup:
• SYS 600 Server – every 3 months,
• SYS 600 Workplace – every 6 months
This has to be done manually.


5.17.2 Restoring backup

The method for restoring the disc image depends on the disc imaging software. Refer to
the instructions from your disc imaging software manufacturer on how to accomplish
this.
This has to be done manually.


6 Configuring security settings for SYS 600 Workplaces

It is not required to install SYS 600 software to SYS 600 Workplace machines at all. It
is enough that SYS 600 Workplace machine has software installed enabling a remote
connection to the SYS 600 Server. There are separate script files for hardening the
workplace machine, see Section A.2 Securing SYS 600 Workplace.
To operate the SYS 600 Server, a monitor (Monitor Pro or classic monitor) needs to be
opened. A monitor can be opened either on the server machine or through a remote
connection. If the SYS 600 Workplace is a remote machine, connection to the server
computer is established over the network by using the remote client. By default, the SYS
600 service is started in the server directly after Windows has been started. This is an
automatic startup of the service, i.e., no user needs to log in.
The recommended technology between the SYS 600 server and the remote workplace computer
is Windows Remote Desktop Services. For more information about opening monitors, see
[SYSINS, Opening SYS 600 Monitor Pro].

The Windows automatic logon feature in the server machine has been used to
automatically open MicroSCADA monitors in remote SYS 600 workplaces. However,
it is not recommended to use this feature of the Windows operating system, since
Windows stores the user name and the password in cleartext in the Windows registry.
This is a security risk.

6.1 Enabling workstation calls from the server


Classic monitors – CAP 50x or SMS510 – can receive calls from the server, e.g. to open
some program in the workstation. For this purpose, there is an executable called
wserver.exe. By default, this program is disabled. To enable the service:
1. Paste a shortcut of <drive>\sc\prog\exec\wserver.exe to Start > Programs > Startup
folder.
2. Configure the firewall to unblock incoming port 12221, see Appendix B Ports and
Services for details.
3. Execute the shortcut to enable workstation calls from the server immediately.
This has to be configured manually.

6.2 X Windows technology


OpenText (formerly Hummingbird) Exceed is required as an X server on the workstation
computer whenever the system includes distributed HSI (Human System Interface) and
uses MicroSCADA X and VS Remote monitor types (Classic monitors). Note that
technically, X Windows can use a range of ports between 6000 and 6063. In particular,
if the display number is changed from the default of 0 using Xconfig/Communications,
this will change the port that Exceed uses. If you change the display number to 1, it will
use 6001; if you change it to 2, it will use 6002; see Appendix B Ports and Services for
details.
X Windows technology is not included in the preconfigured firewall settings. You
will have to change your firewall settings manually if X Windows is used.
This has to be configured manually.


7 Configuring security features in SYS 600

This chapter lists security features, user account management and authorization, available
in SYS 600 product.
All settings in this chapter have to be configured manually.

7.1 User account management


SYS 600 system allows the creation, modification, and removal of user accounts. SYS
600 supports several user accounts. By default, the first user logging onto SYS 600
Monitor Pro after the SYS 600 installation gets system administrator privileges and is
able to use user account management tools of SYS 600.
To configure user accounts:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…
For more information, see [SYSAPL, User Management].

7.2 Authorization / user account permissions


The system allows user roles with permissions individually configurable. User names
are associated with a certain user profile that restricts the user’s access rights.
To configure user authorization:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…
For more information, see [SYSAPL, Authorization].

7.3 Password policies


SYS 600 supports passwords with alphanumeric and special characters. Upper (A-Z)
and lowercase (a-z) characters and characters from other character sets (localization) are
also supported. Password handling is case-sensitive.
By default, password complexity is turned off. The system administrator may enable
password complexity. Other settings include a minimum password length, and a setting
for forcing characters to be used in the password (a combination of alphanumeric and
special characters). The maximum password length is 63 bytes (63 ASCII characters).
To configure password policies:
1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…


3. In the user management dialog, open Tools > Password Policy…

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)
• An ideal password is long and has letters, punctuation,
symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password,
the better.
• Use the entire keyboard, not just the letters and characters
you use or see most often.

For more information, see [SYSAPL, User Management].

7.4 User session time-out


SYS 600 workplaces operate in Windows. It is possible to configure the user inactivity
time and then lock the workstation; this is accomplished through screensaver settings.
SYS 600 system has a setting for logging the user out after certain period of time. The
time period is given in hours (from 1 to 255) and it is also possible to configure
notifications about session expiration.
To configure user session time-out:
1. Open SYS 600 Monitor Pro.
2. Open Settings > Application settings… and select Logout Duration tab.
For more information, see [SYSAPL, Application Settings].

7.5 Logging of user activities


The SYS 600 system can be configured to log events from the process, such as switching
device opened/closed. Furthermore, the following events are user activity events which
are logged from the monitors:
• Login successful
• Login failed
• Logout
• Monitor opened
For example, the following events are not logged:
• User created
• User removed
• Password changed
• Password policies changed – setting X changed from value Y to Z


Controlling events e.g. adding a comment is restricted based on user rights. Events are
stored in the file system in binary format.
For more information, see [SYSCON, Event and Alarm Handling].

7.6 Resetting administrator password


This feature is available if the user name or the password of system manager is lost. In
this case, it is possible to login to the system using a temporary administrator password.
Contact the support line.

7.7 Backdoors

The following feature has a backdoor to the system: Resetting administrator password

The administrator password reset feature is enabled by default. ABB recommends that
this feature is permanently disabled before delivering the system to the customer. Using
this function requires system manager authority. Note that after the feature has been
disabled, it is no longer possible to login to the system if the user name or the password
of system manager has been lost.
To disable this feature:
1. Open Monitor Pro and select Tools > Engineering Tools > User Management.
2. Press Ctrl + R in the main window and confirm the operation.
3. A notification is shown that the feature has been disabled. If the feature has been
disabled before, this is also notified.


8 Maintenance

8.1 Configuring network location


Windows Firewall settings configured in security scripts are not configured to the public
network profile. For more information about profiles, see Microsoft documentation
Understanding Firewall Profiles.
To change to Private or Domain network in Windows 7 and Server 2008:
1. Open Control Panel > Network and Sharing Center
2. Check if Public network is used. If yes, then click Public network and change it to
Private/Home or Domain/Work network.

8.2 Adding new Windows users


In the hardening script, preconfigured Windows user accounts and groups are created.
To add a new remote operator and system administrator:
1. Add new Windows user e.g. ScOperator2 and ScAdmin2
2. Add a membership of ScOperators, Remote Desktop Users for ScOperator2
(non-admin)
3. Add a membership of Administrators, ScSysAdmins for ScAdmin2 (admin)
This can be achieved with following commands to the command prompt:
net user ScOperator2 <password> /add
net localgroup ScOperators ScOperator2 /add
net localgroup "Remote Desktop Users" ScOperator2 /add
net user ScAdmin2 <password> /add
net localgroup ScSysAdmins ScAdmin2 /add
net localgroup Administrators ScAdmin2 /add

Always assign a membership of ScOperators, ScEngineers, ScViewers or ScSysAdmins
for the new Windows user since scripts configuring other security areas such as Local
security policy and application whitelisting are based on these groups.
Do not give administrative rights (membership of Administrators) to
operators/viewers/engineers. Only system administrators should have administrative
rights.
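A read-only check of the account rules from Sections 5.14 and 8.2, as an added example that is not part of this guide or its hardening scripts. It uses the WinNT ADSI provider so that it runs on Windows 7/Server 2008 with PowerShell 2.0; the function names are constructed for the example, and the expected administrator set (MicroSCADA, ScAdmin, members of ScSysAdmins) follows the text above.

```powershell
# Added example; not part of the ABB guide or its hardening scripts.
# Audits local accounts and groups against Sections 5.14 and 8.2: no member of
# ScOperators/ScEngineers/ScViewers may be in Administrators, every administrator
# must be MicroSCADA, ScAdmin or a member of ScSysAdmins, the shipped
# ScEngineer/ScOperator/ScViewer accounts stay disabled, and no account named
# "Administrator" remains after the rename. Read-only; run on the server itself.

$Computer = $env:COMPUTERNAME

function Get-LocalGroupMembers {
    # Member names of a local group; an empty list when the group does not exist
    param([string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    try {
        @($g.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch { }
}

function Get-LocalUsers {
    # Name and Disabled flag of every local user account
    $c = [ADSI]"WinNT://$Computer"
    $c.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'user' } | ForEach-Object {
        New-Object PSObject -Property @{
            Name     = $_.psbase.Name
            Disabled = [bool]$_.psbase.InvokeGet('AccountDisabled')
        }
    }
}

function Test-SysAccountSeparation {
    # Returns one string per finding; no output means the rules hold
    $findings  = @()
    $admins    = @(Get-LocalGroupMembers 'Administrators')
    $sysAdmins = @(Get-LocalGroupMembers 'ScSysAdmins')
    foreach ($grp in 'ScOperators', 'ScEngineers', 'ScViewers') {
        foreach ($m in @(Get-LocalGroupMembers $grp)) {
            if ($m -and ($admins -contains $m)) {
                $findings += "$m is a member of both $grp and Administrators"
            }
        }
    }
    foreach ($a in $admins) {
        if ((('MicroSCADA', 'ScAdmin') -notcontains $a) -and ($sysAdmins -notcontains $a)) {
            $findings += "Unexpected administrator: $a (not MicroSCADA, ScAdmin or in ScSysAdmins)"
        }
    }
    foreach ($u in @(Get-LocalUsers)) {
        if ((('ScEngineer', 'ScOperator', 'ScViewer') -contains $u.Name) -and (-not $u.Disabled)) {
            $findings += "$($u.Name) is enabled; the guide ships it disabled"
        }
        if ($u.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator account has not been renamed to ScAdmin'
        }
    }
    return $findings
}

$result = @(Test-SysAccountSeparation)
if ($result.Count -eq 0) { Write-Output 'Account separation OK' }
else { $result | ForEach-Object { Write-Output "FINDING: $_" } }
```

Running it after every user addition (Section 8.2) or hardening script re-run catches an operator who was accidentally added to Administrators before the workplace is handed over.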


8.3 Adding/installing new programs

Allowing programs through Windows Firewall


Windows Firewall blocks each program that has no rules defined and shows a notification
of the blocking.
The default firewall settings for SYS 600 block all communication protocols such as
DNP, ELCOM, and IEC 104. Therefore, ports for the communication protocols in use must
be manually opened. To customize firewall settings:
1. Windows XP/Server 2003: Open Windows Firewall from Start > Control Panel
> Windows Firewall and select the Exceptions tab. Find the communication
protocols from the list, e.g. “SYS 600: DNP 3.0 Slave”, and check/uncheck the
protocol according to customer specifications. A checked line means that the traffic
is allowed. Unchecked means that the traffic is blocked. Confirm the changes when
done.
2. Windows 7/Server 2008: Run wf.msc and browse to Inbound Rules. Find the
communication protocols from the list, e.g. “SYS 600: DNP 3.0 Slave”, and
enable/disable rule according to customer specifications. A green balloon means
that the traffic is allowed. A grey balloon means that the traffic is blocked. Confirm
the changes when done.

The “SYS 600:” and “DMS 600:” prefixes are used in the rule names to help find the
settings.

Allowing programs to run in Windows AppLocker


In Windows 7/Server 2008, AppLocker is used for application whitelisting.
To allow program to run:
1. Run secpol.msc (Local Security Policy)
2. Browse to Security Settings > Application Control Policies > AppLocker >
Executable Rules
3. Right-click Rules area and select Create new rule... and enter following information:
• Permission: Allow
• Group: ScSysAdmins / ScEngineers / ScOperators / ScViewers
• Condition: Publisher (signed) or Path (unsigned)
• Reference file or Path: Browse and select executable file
• Name: Use prefix to indicate user group, e.g. "eng: ", and "oper: ". See existing
rules.
4. Press Create


8.4 Adding new SYS 600 applications


Operators, viewers, and engineers can use non-admin Windows user accounts. However,
there are a few permissions that these user accounts require. File system permissions for
non-admin users are configured automatically for the default SYS 600 application called
main when the hardening script is executed. To configure permissions for other SYS
600 applications than main:
1. Right-click cmd.exe and select “Run as administrator” and then go to directory
<drive>:\sc\setup\security.
2. Execute the following command:
“GrantScUserAccessRights.cmd” <drive>:\sc <application_name> /quiet

8.5 Adding Windows features


The table below shows the services which have to be changed from the default if some
functionality is required.

Functionality         Display Name                              Service Name
Wireless Connection   Wireless Zero Configuration               WZCSVC
Sounds                Windows Audio                             AudioSrv
HASP License Key      Sentinel HASP License Manager             hasplms
Windows Updates       Background Intelligent Transfer Service   bits
                      Automatic Updates                         wuauserv

8.6 Modifying security settings


In some cases it might be necessary to lower security settings to make some program or
functionality work. Some organizations might have instructions to harden computers
further. All changes made after running the hardening script must be documented. If the
hardening script is re-run, it will override the current settings.

8.6.1 Latest hardening scripts

When SYS 600 is upgraded, it might include updated hardening scripts. Running an
updated script will override all current settings. It is recommended to read release notes
to see modified sections.


8.7 Troubleshooting
When troubleshooting network problems, it is recommended to check firewall logs
(Windows Firewall: %windir%\pfirewall.log). It is also possible to disable firewall
temporarily to solve network problems. Windows event logs, especially Security,
Application, and System logs may have events related to security/access problems.
Windows AppLocker has a log, which can be accessed from Event Viewer >
Applications and Services Logs > Microsoft > Windows > AppLocker and there it
is possible to find which applications are blocked. AppLocker can also be set to Audit
Only mode meaning that applications are allowed to run and the log contains events if
the application would have been blocked if the rules were enforced.
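Two helpers for the troubleshooting steps above, as an added example that is not part of this guide or its hardening scripts: one summarises the dropped inbound connections in a Windows Firewall log by protocol and destination port and labels the ports this guide mentions, the other lists AppLocker block (event 8004) and audit-only (event 8003) decisions from the "EXE and DLL" log. The firewall log lines are constructed sample data, and the function names and the `$KnownPorts` table are assumptions made for the example.

```powershell
# Added example; not part of the ABB guide or its hardening scripts.
# Get-DroppedInbound: per protocol/destination port summary of DROP ... RECEIVE entries
# in a Windows Firewall log (%windir%\pfirewall.log, W3C format with a #Fields header).
# Get-AppLockerDecisions: AppLocker events 8004 (blocked) and 8003 (audit-only, would
# have been blocked) from the "EXE and DLL" log, as named in Section 8.7.
# $SampleLog is constructed sample data, not a real capture.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-09-30 10:01:02 DROP TCP 192.168.10.20 192.168.10.10 49153 12221 52 S 2481193140 0 8192 - - - RECEIVE
2012-09-30 10:01:05 DROP TCP 192.168.10.20 192.168.10.10 49154 12221 52 S 2481193141 0 8192 - - - RECEIVE
2012-09-30 10:01:09 DROP UDP 192.168.10.33 192.168.10.10 137 137 78 - - - - - - - RECEIVE
2012-09-30 10:01:30 DROP ICMP 192.168.10.20 192.168.10.10 - - 60 - - - - 8 0 - RECEIVE
2012-09-30 10:02:11 ALLOW TCP 192.168.10.20 192.168.10.10 49160 3389 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

# Ports this guide refers to; anything else is reported as "unknown"
$KnownPorts = @{
    '135'   = 'RPC Endpoint Mapper (DCOM/OPC, Section 5.10)'
    '12221' = 'wserver.exe workstation calls (Section 6.1)'
    '3389'  = 'Remote Desktop Services (Section 6)'
}

function Get-PortDescription {
    param([string]$Protocol, [string]$Port)
    if ($Protocol -eq 'ICMP') { return 'ICMP (disabled by the firewall settings in Section 5.13)' }
    if ($KnownPorts.ContainsKey($Port)) { return $KnownPorts[$Port] }
    if ($Port -match '^\d+$' -and [int]$Port -ge 6000 -and [int]$Port -le 6063) {
        return "X Windows display $([int]$Port - 6000) (Section 6.2)"
    }
    return 'unknown'
}

function Get-DroppedInbound {
    param([string[]]$Lines)
    $fields = $null
    $hits = @{}
    foreach ($line in $Lines) {
        # The #Fields header defines the column order; read it instead of hard-coding
        if ($line -match '^#Fields:\s+(.*)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or $null -eq $fields) { continue }
        $v = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
        if ($rec['action'] -ne 'DROP' -or $rec['path'] -ne 'RECEIVE') { continue }
        $key = '{0}/{1}' -f $rec['protocol'], $rec['dst-port']
        if (-not $hits.ContainsKey($key)) { $hits[$key] = @{ Drops = 0; Sources = @{} } }
        $hits[$key]['Drops'] += 1
        $hits[$key]['Sources'][$rec['src-ip']] = $true
    }
    $hits.Keys | Sort-Object | ForEach-Object {
        $proto, $port = $_ -split '/'
        New-Object PSObject -Property @{
            ProtoPort = $_
            Drops     = $hits[$_]['Drops']
            Sources   = ($hits[$_]['Sources'].Keys | Sort-Object) -join ','
            Service   = Get-PortDescription -Protocol $proto -Port $port
        }
    }
}

function Get-AppLockerDecisions {
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 }
    foreach ($e in $events) {
        $mode = if ($e.Id -eq 8004) { 'BLOCKED' } else { 'AUDIT' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Mode    = $mode
            Message = ($e.Message -split "`n")[0]   # first line names the file and user
        }
    }
}

Get-DroppedInbound -Lines $SampleLog | Format-Table ProtoPort, Drops, Sources, Service -AutoSize
# On a real server: Get-DroppedInbound -Lines (Get-Content "$env:windir\pfirewall.log")
Get-AppLockerDecisions | Format-Table Time, Mode, Message -AutoSize
```

With the sample data the summary shows two drops on TCP/12221 from one source, which points straight at the wserver.exe rule of Section 6.1 not being enabled, rather than at a network fault.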


Appendix A Quick Configuration Guideline

This section describes how to configure computers (servers and workplaces) used in
SYS 600 control systems in simple steps. It is recommended to deploy security settings
right after installing SYS 600 software. This is to reduce the risk of having malware
planted to the system in the engineering phase.
ABB recommends that basic security steps are taken to secure all computers in the system.
SYS 600 installation includes script files for configuring following security areas in the
computer:
• Windows users and groups: ScAdmin, ScEngineer, ScOperator, and ScViewer
users and respective groups are created. Configurations of other security areas are
based on these. Non-admin user accounts are automatically created.
• Firewall: Firewall is enabled and SYS 600 and DMS 600 specific ports are
preconfigured
• Local security policy: Hardens the computer with Password policy, Account policy,
System services etc.
• File system permissions: Restricts user access to sc folder and assigns permissions
for non-admin user accounts automatically.
• Application whitelisting: AppLocker is enabled and configured

During the hardening, Windows user accounts and groups are created and the built-in
Administrator user account name is renamed. The Administrator user account name
cannot be used to log in to the computer anymore; ScAdmin must be used instead.
However, the home folder will still be named Administrator.
Users and groups which are created:
• Administrator --> ScAdmin (admin)
• ScEngineer, ScOperator, and ScViewer (non-admin)
• ScSysAdmins, ScEngineers, ScOperators, and ScViewers groups
In Windows 7, the built-in administrator user account has to be activated manually and
the password has to be set:
net user ScAdmin <password> /active:yes

After activating and successfully logging in with the ScAdmin user account, it is
recommended to delete the user account that was created during the Windows 7
installation to have a clean user account set. This means that before adding new users
to the server there are two administrative users only: MicroSCADA and ScAdmin.
ScEngineer, ScOperator, and ScViewer user accounts are disabled by default.


Scripts configuring other security areas such as Local security policy are based on
these users and groups.
It is recommended to deploy security settings locally to avoid remote access denied
problems.
Before configuring security settings the server needs to be updated with the latest
service packs and security updates.

Hardening scripts OVERRIDE the current security configuration in the computer, e.g.:
• RENAMES the built-in administrator user account to ScAdmin
• Enables Windows Firewall with new rules
• Configures local security policies
For more information, see section Rollback.

Create strong passwords
• An ideal password is long and has letters, punctuation, symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password, the better.
• Use the entire keyboard, not just the letters and characters you use or see most often.
For more information, see Create strong passwords.

A.1 Securing SYS 600 Server

BIOS SETTINGS
- Password(s) enabled
- Remote wake-up/Wake on LAN disabled
WINDOWS UPDATES
Before configuring security settings the computer needs to be updated with the latest security updates and service packs from Windows that are tested and certified by ABB. For more information, see MicroSCADA Pro SYS 600 Patch Compatibility Report.
REMOVE UNUSED PROGRAMS
The following software is not used by SYS 600 and can be manually removed from Windows Control Panel > Add/Remove Programs > Add/Remove Windows Components. These programs are normally found in desktop operating systems such as Windows XP and Windows 7.

Windows Component | Added / Removed
Outlook Express | Manually Removed
Messenger | Manually Removed
MSN Explorer | Manually Removed
Windows Media Player | Manually Removed
Games (Windows XP) | Manually Removed
RUNNING HARDENING SCRIPT
To run the hardening script in SYS 600 Server:
1. Right-click cmd.exe, select "Run as administrator" and then go to directory <drive>:\sc\setup\security.
2. To harden the computer, execute the command: "Harden.cmd" server /appl <applname> /quiet > harden.log 2>&1. <applname> is the SYS 600 application for which file system permissions for non-admin users are automatically configured. If this parameter is not given, the permissions are set for the default SYS 600 application called "main". To configure permissions for other SYS 600 applications, see Section 8.4 Adding new SYS 600 applications.
3. Wait for the security script to finish; setting file system permissions might take a long time depending on the file structure.
4. Review harden.log for failures. After the script has been executed some manual configuration is needed, see the following steps.
5. Change the default passwords of the following users: ScViewer, ScOperator, and ScEngineer. Run lusrmgr.msc and browse to Local Users and Groups > Users.
   a. Right-click the user account and select Change password...
   b. Write down these passwords and store them carefully.
6. Enable the user accounts listed in step 4.
   a. Right-click the user account and select Properties...
   b. Uncheck 'Account is disabled' and press OK.
7. Reboot the computer.

A.2 Securing SYS 600 Workplace

SYS 600 Workplace does not have the SYS 600 installation. Instead, the workplace has remote client software, e.g. Remote Desktop Connection, to connect to a SYS 600 Server where the workplace sessions are managed. Hardening scripts are copied from the server to the workplace.
BIOS SETTINGS, WINDOWS UPDATES, REMOVE UNUSED PROGRAMS
The same settings as in SYS 600 Server are applied, see Securing SYS 600 Server.
RUNNING HARDENING SCRIPT
To run the hardening script in SYS 600 Workplace:
1. Create the <drive>:\scws\security folder on the workplace computer and copy the <drive>:\sc\setup\security folder from the server computer to this location.
2. Open a Command window and go to directory <drive>:\scws\setup\security.
3. To deploy security settings, execute the command: "Harden.cmd" workplace /quiet > harden.log 2>&1
4. Wait for the security script to finish.

A.3 Rollback

Rollback is for situations where the problem cannot be solved in any other way. Instead of a rollback, the instructions given in section Troubleshooting should be tried first.

Hardening scripts take a backup of the firewall settings; these can be found in the sc\setup\security\backup folder after running the hardening script. There are also other backup files depending on the operating system. It is also possible to manually take a backup of the local security policies.
If the system does not work as expected, these are the instructions for the rollback. Run these commands with admin rights.
Windows XP/Server 2003
1. netsh firewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA and confirm the changes.
5. Close Local Security Policy.
Windows 7/Server 2008
1. netsh advfirewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA and confirm the changes.
5. Close Local Security Policy.
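The rollback above restores the operating-system defaults. To be able to return to the exact pre-hardening state instead, the firewall policy and the local security policy can be exported manually before Harden.cmd is run. The following script is an added example for Windows 7 / Server 2008, not part of the ABB hardening scripts; the backup folder name is an assumption.

```powershell
# Added example, not part of the ABB hardening scripts. Windows 7 / Server 2008.
# Backs up the Windows Firewall policy and the local security policy before
# hardening and prints the matching restore commands for a rollback to this
# exact state. Run from an elevated PowerShell prompt.
# Assumption: the "manual" folder under sc\setup\security\backup is our own choice.
$BackupDir = Join-Path $env:SystemDrive 'sc\setup\security\backup\manual'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$FwFile    = Join-Path $BackupDir "firewall-$Stamp.wfw"
$PolFile   = Join-Path $BackupDir "secpol-$Stamp.inf"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Windows Firewall with Advanced Security: profiles, logging settings and all rules
netsh advfirewall export "$FwFile" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Firewall export failed with exit code $LASTEXITCODE" }

# Local security policy: account policy, user rights assignment, security options
secedit /export /cfg "$PolFile" /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Security policy export failed with exit code $LASTEXITCODE" }

# Sanity check: both files must exist and must not be empty
foreach ($f in $FwFile, $PolFile) {
    if (-not (Test-Path $f) -or (Get-Item $f).Length -eq 0) { throw "Backup file $f is missing or empty" }
}

Write-Host "Backups written to $BackupDir"
Write-Host 'To roll back to this state (instead of the OS defaults), run with admin rights:'
Write-Host "  netsh advfirewall import `"$FwFile`""
Write-Host "  secedit /configure /db rollback.sdb /cfg `"$PolFile`" /verbose /log rollback.log"
```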

Appendix B Ports and Services

General firewall settings are as follows:
• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767 kB
• ICMP settings: disabled
• Notify when an application is blocked
Since all inbound traffic is blocked by default, exceptions (firewall rules) need to be configured for the services that must be reachable. Windows Firewall rules are configured automatically using script files. See Section A.1 Securing SYS 600 Server.
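The settings above applied with netsh on Windows 7 / Server 2008, together with a few of the inbound exceptions from the tables below, each scoped to the peers that need it. This is an added example, not ABB's Harden.cmd; the NCC address and the workplace subnet are placeholders.

```powershell
# Added example, not ABB's Harden.cmd. Applies the general firewall settings of
# Appendix B on Windows 7 / Server 2008 with netsh and adds a few inbound
# exceptions from Tables B.2 to B.4. Run from an elevated PowerShell prompt.
# Assumptions: the two addresses are placeholders from the documentation range.
$NccAddress      = '192.0.2.10'      # NCC that connects to the IEC 60870-5-104 slave
$WorkplaceSubnet = '192.0.2.0/24'    # LAN of the SYS 600 workplaces (RDP clients)
$LogFile         = Join-Path $env:windir 'pfirewall.log'

function Invoke-Netsh([string[]]$NetshArgs) {
    # Stop at the first failing command so a half-applied policy does not go unnoticed
    & netsh.exe @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

# Firewall: enabled, block inbound, allow outbound, on all profiles
Invoke-Netsh 'advfirewall','set','allprofiles','state','on'
Invoke-Netsh 'advfirewall','set','allprofiles','firewallpolicy','blockinbound,allowoutbound'

# Logging: dropped packets to %windir%\pfirewall.log, at most 32767 kB
Invoke-Netsh 'advfirewall','set','allprofiles','logging','filename',$LogFile
Invoke-Netsh 'advfirewall','set','allprofiles','logging','maxfilesize','32767'
Invoke-Netsh 'advfirewall','set','allprofiles','logging','droppedconnections','enable'

# Notify when an application is blocked
Invoke-Netsh 'advfirewall','set','allprofiles','settings','inboundusernotification','enable'

# ICMP: explicit inbound block rule for ICMPv4 (block rules take precedence over allow rules)
Invoke-Netsh 'advfirewall','firewall','add','rule','name=SYS600 block inbound ICMPv4',
             'dir=in','protocol=icmpv4','action=block'

# Inbound exceptions; everything not listed here stays blocked by the default policy
$Rules = @(
    @{ Name = 'SYS600 ACP inet.exe';     Proto = 'TCP'; Port = '21845-21846'; Remote = 'any' }   # narrow to partner base systems where known
    @{ Name = 'SYS600 Remote Desktop';   Proto = 'TCP'; Port = '3389';        Remote = $WorkplaceSubnet }
    @{ Name = 'SYS600 IEC 60870-5-104';  Proto = 'TCP'; Port = '2404';        Remote = $NccAddress }
)
foreach ($r in $Rules) {
    Invoke-Netsh 'advfirewall','firewall','add','rule',"name=$($r.Name)",'dir=in','action=allow',
                 "protocol=$($r.Proto)","localport=$($r.Port)","remoteip=$($r.Remote)"
}

# Check: what the host now accepts from the network
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'Rule Name|Enabled|LocalPort|RemoteIP|Action'
```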
Table B.1: Windows Operating System Services
Service | Service Description | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Outbound port number | Miscellaneous | Used by
msrpc / dcom-scm | Remote procedure call / DCOM Service Control Manager | | X | 135 | Fixed | Always | | Inbound range for DCOM servers is automatically restricted by scripts, see also [MSDCOM04] | [System, svchost.exe]
netbios-ssn | Netbios Session Service | | X | 139 | Fixed | Always | | | [System]
microsoft-ds | Microsoft Active Directory, shares | X | X | 445 | Fixed | Always | | | [System]
lsass.exe | Local Security Authentication Server | X | X | 1025 | Fixed | Always | | | [System]
ntp | SNTP - Simple network time protocol | X | | 123 | Fixed | Always | | | [System]
Netbios-ns | Netbios Name Service | X | | 137 | Fixed | Always | | | [IEC 61850 OPC Server]
Netbios-dgm | Netbios Datagram Service | X | | 138 | Fixed | Always | | | [System]
Isakmp | IPSec in Windows | X | | 500 | Fixed | Always | | | [System]
lsass.exe | sae-urn, IPsec NAT-Traversal | X | | 4500 | Fixed | Always | | | [System]
wininit.exe, svchost.exe | | | | 49152-49158 | Fixed | Always | | | [System]

Table B.2: SYS 600
Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
inet.exe | | X | 21845, 21846 | Fixed | Always | Base system program, process and APL-APL communication, ACP protocol used for communication. Used by other SYS 600 base
wserver.exe | | X | 12221 | Configurable | Configurable | Routing server peripherals to client machines [SYS 600 Remote VS Monitors]. This port must be open in the workstation machine only if old monitors are used (X windowing).
daopccl.exe | - | - | Dynamic, see [MSDCOM04] | Configurable | Configurable | MicroSCADA OPC Data Access Client requires DCOM port 135
opcs.exe | - | - | Dynamic, see [MSDCOM04] | Configurable | Always | MicroSCADA OPC Data Access Server requires DCOM port 135
Opcenum.exe | - | - | Dynamic, see [MSDCOM04] | Configurable | Always | OpenRemoteDesktop program uses this service
hasplsm.exe | | X | 1947 | Fixed | Always | Aladdin HASP License Manager Service for handling USB license keys. For internal use only.
(Web server for Java API) | - | - | - | - | - | Java API requires a web server. See web server manuals for port configuration.
bdu_ssiser.exe | | X | 1333 | Configurable | Configurable | DMS 600 Server Application for SCIL-API connection
SYS 600 Historian | - | - | - | - | - | See SYS 600 Historian manuals

All master protocols using TCP/IP (IEC60870-5-104 master, DNP3.0 TCP master, Modbus TCP, SPA-TCP) operate as TCP clients. Consequently, no protocol-specific port numbers are reserved for them.

Table B.3: SYS 600 - Communication protocols
Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
IEC60870-5-104 Slave | | X | 2404 | configurable | configurable | IEC 60870-5-104 for telecontrol equipment and systems with coded bit serial data transmission in TCP/IP based networks for monitoring and controlling geographically widespread processes. Network Control Center (NCC).
IEC60870-5-104 Slave - Communication lines | | X | 2501-2514 | configurable | configurable | Localhost only
IEC60870-5-104 Master - Communication lines | | X | 2501-2514 | configurable | configurable | Localhost only
DNP 3.0 LAN/WAN Slave | X | X | 20000 | configurable | configurable | The Distributed Network Protocol (DNP) 3.0 LAN/WAN is a standards-based communication protocol designed for electric utility, water, oil & gas and security systems.
DNP 3.0 LAN/WAN Slave - Communication lines | | X | 2501-2514 | configurable | configurable | Localhost only
DNP 3.0 LAN/WAN Master - Communication lines | X | X | 2501-2514 | configurable | configurable | Localhost only
Modbus TCP Master - Communication lines | | X | 2501-2514 | | | Localhost only
SPA-TCP - Communication lines | | X | 2501-2514 | configurable | configurable | Localhost only
ELCOM-90 Provider | | X | 6997 | configurable | configurable |
ELCOM-90 UserElem | | X | 6998 | configurable | configurable |
ELCOM-90 Admin | | X | 6999 | configurable | configurable |
Opcs_iec61850.exe | - | - | - | - | | IEC 61850 OPC Server, which contains SNTP Server as TCP/IP Server. See ntp service.
Opcs_iec61850.exe | - | | 102 | fixed | configurable | IEC 61850 OPC Client / IEC 61850 System Supervision Server, which contains MMS Server as TCP/IP server

Table B.4: SYS 600 – Remote Access
Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
Microsoft Windows Remote Desktop Services | | X | 3389 | Fixed | Configurable | Microsoft Windows Terminal Services [Terminal Server Client, RDP Client]
Citrix ICA | | X | 1494 | Fixed | Configurable | MetaFrame Application Server for Windows / Citrix ICA
OpenText/Hummingbird eXceed, X windows system | | X | 6000-6003 | Configurable | Configurable | Classic monitors/workplaces

Table B.5: DMS 600
Service | UDP | TCP | Inbound port number | Port number fixed/configurable | Port status open always/configurable | Used by
Ms-sql-s | X | X | 1433 | Fixed | Always | Microsoft SQL Server
Ms-sql-m | X | X | 1434 | Fixed | Always | Microsoft SQL Monitor
DMSSocketService.exe | | X | 51772 | Configurable | Always | DMS Socket Service, communication between applications [DMS 600 SA, WS, NE]
UnknownSocketService.exe | | X | 51773 | Fixed | Configurable | Socket service to be used by 3rd party programs for sending messages
CaCe Fault Sender, TE CaCe | | X | 8087 | Configurable | | (Only fileserver)
CaCe Fault Receiver, TE CaCe | | X | 8086 | Configurable | | (Only fileserver)
PowerGrid Server, PG Server TECS-service | | X | 3000 | Fixed | Configurable | Optional, depending on customer license / needs.
AMR (http) | | X | 80 | - | Configurable |
AMR (https) | | X | 443 | - | Configurable |

Appendix C Windows System Services

Windows system services are described in detail in Threats and Countermeasures Guides.
The guide also includes the Excel workbook “Windows Default Security and Services
Configuration”, which documents the default startup settings for services.
The settings below are a collection of services which are automatically disabled, using
the script, in Windows XP, Windows Server 2003, Windows 7, and Windows Server
2008.

Not all services are running in each operating system, and some may not even exist. The script is built so that it ignores the unavailable services, and therefore it is normal to have these kinds of messages in the log file:
• Error 1060: The specified service does not exist as an installed service. Error opening <service name>.
• Error 1060: The specified service does not exist as an installed service. Opening service <service name> for stop access failed.
• Legacy audit settings are disabled. Skipped configuration of legacy audit settings.

Some functionality needs certain services to be enabled. To enable such a feature, see Section 8.5 Adding Windows features.
Table C.1: Disabled Windows system services
Service | Display Name
Alerter | Alerter
aspnet_state | ASP .NET State Service
AudioSrv | Windows Audio
CiSvc | Indexing Service
ClipSrv | ClipBook
Fax | Fax
Helpsvc | Help and Support
IISAdmin | IIS Admin
ImapiService | IMAPI CD-Burning COM Service
Messenger | Messenger
Mnmsrvc | NetMeeting Remote Desktop Sharing
MSFtpsvc | FTP Publishing Service
RDSessMgr | Remote Desktop Help Session Manager Service
SCardSvr | Smart Card
Schedule | Task Scheduler
SMTPSVC | Simple Mail Transfer Protocol
Stisvc | Windows Image Acquisition
TapiSrv | Telephony
TlntSvr | Telnet
TrkSrv | Distributed Link Tracking Server
Upnphost | Universal Plug and Play Device Host
UPS | Uninterruptible Power System
W3SVC | World Wide Web Publishing
WebClient | Web Client
WmdmPmSN | Portable Media Serial Number Service
WZCSVC | Wireless Zero Configuration
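The same behaviour, disabling the Table C.1 services while skipping the ones that do not exist on the installed Windows version, as an added PowerShell example that is not ABB's hardening script.

```powershell
# Added example, not ABB's hardening script. Disables the Table C.1 services and,
# like the script, treats a service that does not exist on this Windows version
# as "nothing to do" instead of a failure (the "Error 1060" messages above).
# Run from an elevated PowerShell prompt.
$ServicesToDisable = @(
    'Alerter','aspnet_state','AudioSrv','CiSvc','ClipSrv','Fax','Helpsvc','IISAdmin',
    'ImapiService','Messenger','Mnmsrvc','MSFtpsvc','RDSessMgr','SCardSvr','Schedule',
    'SMTPSVC','Stisvc','TapiSrv','TlntSvr','TrkSrv','Upnphost','UPS','W3SVC',
    'WebClient','WmdmPmSN','WZCSVC'
)

$Report = foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Same case as error 1060 from the script: not installed on this OS, skip it
        New-Object PSObject -Property @{ Service = $name; Result = 'not installed, skipped' }
        continue
    }
    try {
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
        New-Object PSObject -Property @{ Service = $name; Result = 'disabled and stopped' }
    } catch {
        # Left for manual follow-up, e.g. a service the OS does not allow to be disabled
        New-Object PSObject -Property @{ Service = $name; Result = "FAILED: $($_.Exception.Message)" }
    }
}
$Report | Select-Object Service, Result | Format-Table -AutoSize

# Check afterwards: nothing from the list should still be able to start
Get-WmiObject -Class Win32_Service |
    Where-Object { $ServicesToDisable -contains $_.Name -and $_.StartMode -ne 'Disabled' } |
    Select-Object Name, StartMode, State
```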


Appendix D Security Policies

The table below shows what settings are changed in the SYS 600 servers and workplaces
compared to the default, domain, and member server settings.
Note! The default value is the operating system default value. There is a separate default
value for SSLF settings not shown here.
Table D.1: SYS 600 security policies
Setting: Name | Default Value | Win2k8-SYS600Server: Value | Win2k8-SYS600Workplace: Value | Remarks
Maximum password age | 42 days | 0 | Not defined | MicroSCADA user account never expires
Minimum password age | 0 days | 0 | Not defined | MicroSCADA user account never expires
Account lockout threshold | 0 invalid logon attempts | 0 | 0 | Denial-of-service attack is possible if this value is more than zero. Therefore, never lockout.
Debug programs | Administrators | Administrators | Not defined |
Deny access to this computer from the network | Guests | Guests, ANONYMOUS LOGON | Not defined |
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Not defined |
Deny log on locally | Guests | Guests, MicroSCADA | Not defined | MicroSCADA user account is only used to run the service
Deny log on through Terminal Services | Not defined | Guests, MicroSCADA | Not defined | MicroSCADA user account is only used to run the service
Log on as a service | Not defined | MicroSCADA | Not defined |
Accounts: Rename guest account | Guest | Guestrenamed | Guestrenamed | Guest account is disabled, however it is still renamed
Accounts: Rename built-in Administrator account | Administrator | ScAdmin | Not defined | Administrator user name cannot be used to log in to Windows anymore.
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Enabled | Enabled | Remote control is denied
Devices: Restrict floppy access to locally logged-on user only | Disabled | Enabled | Enabled | Remote control is denied
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | 5 seconds | 0 | 5 |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent for non-Windows binaries | Prompt for consent for non-Windows binaries |

Appendix E Application Whitelisting - Applications and Permissions

AppLocker rules are implemented for ScEngineers, ScOperators and ScViewers. Users who are members of the ScSysAdmins group are also members of the Administrators group, and this is why there are no rules for the ScSysAdmins group: the Administrators group has full access to all applications. Rules that are defined for the ScOperators group are also given to the ScViewers and ScEngineers groups. The ScEngineers group has some extra rules needed for engineering.
Note that Everyone is allowed to execute applications in the Windows and Program Files folders, but there are exceptions: cmd.exe, regedit.exe, regedt32.exe, and regsvr32.exe.
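A check of the effective AppLocker policy against the statements above, evaluated for the non-admin accounts without executing anything. This is an added example, not part of the ABB scripts; it assumes the AppLocker PowerShell module (Windows 7 / Server 2008 R2) and uses notepad.exe as the sample of an allowed Windows-folder program.

```powershell
# Added example, not part of the ABB hardening scripts. Windows 7 / Server 2008 R2
# with the AppLocker PowerShell module. Evaluates the effective AppLocker policy
# for the non-admin accounts created by the hardening, without running anything,
# and compares the decisions with Appendix E: cmd.exe, regedit.exe, regedt32.exe
# and regsvr32.exe denied, other programs in the Windows folder allowed.
# Assumption: notepad.exe stands in for "any other Windows-folder program".
Import-Module AppLocker

$Policy  = Get-AppLockerPolicy -Effective
$Denied  = 'cmd.exe','regedit.exe','regedt32.exe','regsvr32.exe' |
    ForEach-Object { (Get-Command $_ -ErrorAction Stop).Path }
$Allowed = @((Get-Command notepad.exe -ErrorAction Stop).Path)
$Users   = 'ScViewer','ScOperator','ScEngineer'

$Results = foreach ($user in $Users) {
    foreach ($exe in ($Denied + $Allowed)) {
        $expected = if ($Denied -contains $exe) { 'Denied' } else { 'Allowed' }
        $decision = Test-AppLockerPolicy -PolicyObject $Policy -Path $exe -User $user
        New-Object PSObject -Property @{
            User     = $user
            File     = $exe
            Expected = $expected
            Decision = $decision.PolicyDecision      # Allowed, Denied or DeniedByDefault
            Rule     = $decision.MatchingRule
            OK       = ([string]$decision.PolicyDecision -like "$expected*")
        }
    }
}
$Results | Select-Object User, File, Expected, Decision, Rule, OK | Format-Table -AutoSize

$Mismatch = @($Results | Where-Object { -not $_.OK })
if ($Mismatch.Count -gt 0) {
    Write-Warning "$($Mismatch.Count) decision(s) differ from the Appendix E rules; review the AppLocker policy."
}
```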

Figure E.1: Windows AppLocker rules

Appendix F Virtual Private Network

The configuration for Windows Server 2003 is shown below. Server 2008 is not much different.

Windows Vista and Windows 7 Home and Starter versions do not support the IPSec function.

Create IPSec Policy
An IPSec policy secures all IP traffic that is specified in the configured IPSec filters. The decision to allow unsecured IP traffic is up to the user. We explain how to configure SYS 600 for IPSec transport mode.
1. Click Start, click Run, and then type secpol.msc to start the IP Security Policy Management snap-in.
2. Right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.
3. Click Next, and then type a name for your policy (for example, IPSec Tunnel with Network Control Center).
4. Click to clear the Activate the default response rule check box, and then click Next.
5. Add additional information in the Description box if desired. Click Next.
6. Click Finish (leave the Edit check box selected).

Build a Filter List from SYS 600 to NCC
1.
2. In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.
3. Click the IP Filter List tab, and then click Add.
4. Type an appropriate name for the filter list (e.g., IP traffic to NCC), click to clear the Use Add Wizard check box, and then click Add.
5. In the Source address box, click A specific IP Address, and then type the IP address of SYS600 towards the NCC (the IP address that communicates with the NCC), as this filter should only apply to the network interface connected to the WAN.
6. In the Destination address box, click A specific IP Address, and then type the IP address of the NCC (the NCC's IP address that SYS600 connects to).
7. Leave the Mirrored check box selected.
8. Click the Protocol tab. Make sure that the protocol type is set to Any, because IPSec does not support protocol-specific or port-specific filters.
9. If you want to type a description for your filter, click the Description tab. Click OK.
10. Click OK to close the IP Filter List dialog.

Configure a Rule for the communication
1. Click the IP Filter List tab, and then click to select the filter list that you created.
2. Click the Tunnel Setting tab, click This rule does not specify an IPSec tunnel.
3. Click the Connection Type tab, click Local area network (LAN).
4. Click the Filter Action tab, click one of the following options, depending on the decision of how to handle non-IPSec traffic:
• Permit – Permits unsecured IP packets to pass through.
• Request Security (Optional) – Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely with untrusted clients if they do not respond to the request.
• Require Security – Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted devices.

None of the check boxes at the bottom of the Filter Action dialog box are selected as an initial configuration for a filter action that applies to tunnel rules.

As the currently configured IP Filter rule matches only a single IP, it does not discard non-IPSec traffic originating from a different wide area network IP address. In order to prohibit any non-IPSec connections from the wide area network, the IP filter list would have to match the subnet of the wide area network, and the Filter Action would have to be set to "Require Security".

5. Click the Authentication Methods tab to configure the authentication method. Mark the default Kerberos method and click Remove. Confirm the inquiry.
6. Click Add.
7. Select Use this string (preshared key) and enter a long key that also contains special characters. This string must be the same on the machine that matches the IP filter rule (in this case, the NCC). Click OK.

8. Click Close to close the New Rule Properties dialog.
9. Click OK.
10. In the Local Security Settings, right-click the created rule (e.g., IPSec Tunnel with Network Control Center) and select Assign. A green dot indicates that the rule is active. Close the Local Security Settings.

Repeat the steps for all machines that should use IPSec. It is possible to export the policies and import them on a different computer. Here are the instructions:
1. a. In the Local Security Settings, where the VPN configuration is set, select IP Security Policies on Local Computer.
   b. Select Action > All Tasks > Export Policies... and write a file name.
   c. On the other computer, where the VPN configuration is needed, open Local Security Settings and select IP Security Policies on Local Computer.
   d. Select Action > All Tasks > Import Policies…
   e. Select the file exported in item 2 and press Import/OK.
   f. The rules should be checked and adapted, e.g. swap Source address and Destination address in the IP Filter Properties dialog.
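The same policy built with the netsh ipsec static commands instead of the dialogs, which makes it easier to review and to repeat on every machine. This is an added example, not part of the ABB guideline; it assumes the netsh ipsec static context (Windows XP / Server 2003, kept on later versions for compatibility), and the addresses and the key are placeholders.

```powershell
# Added example, not part of the ABB guideline. Builds the Appendix F policy from
# the command line with the "netsh ipsec static" context instead of secpol.msc,
# so the same policy can be reviewed and repeated on every machine (swap the two
# addresses on the NCC side). Run from an elevated PowerShell prompt.
# Assumptions: netsh ipsec static is available (Windows XP / Server 2003, kept on
# later versions); addresses are documentation-range placeholders; the key is a placeholder.
$Sys600Ip   = '192.0.2.20'     # SYS 600 interface towards the NCC
$NccIp      = '192.0.2.10'     # NCC address that SYS 600 connects to
$Psk        = 'REPLACE-WITH-A-LONG-KEY-WITH-SPECIAL-CHARACTERS'   # identical on the NCC
$PolicyName = 'IPSec Tunnel with Network Control Center'
$ListName   = 'IP traffic to NCC'
$ActionName = 'Require Security'

function Invoke-Netsh([string[]]$NetshArgs) {
    & netsh.exe @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

# Create IPSec Policy, steps 1-6: new policy, default response rule off, not yet assigned
Invoke-Netsh 'ipsec','static','add','policy',"name=$PolicyName",'activatedefrule=no','assign=no'

# Build a Filter List, steps 4-8: SYS 600 <-> NCC, any protocol, mirrored
Invoke-Netsh 'ipsec','static','add','filterlist',"name=$ListName"
Invoke-Netsh 'ipsec','static','add','filter',"filterlist=$ListName",
             "srcaddr=$Sys600Ip","dstaddr=$NccIp",'protocol=ANY','mirrored=yes'
# To also discard non-IPSec traffic from the rest of the WAN (see the note above),
# add a filter for the WAN subnet with srcaddr/srcmask instead of a single host.

# Filter Action "Require Security": negotiate, no fallback to clear text, no unsecured inbound
Invoke-Netsh 'ipsec','static','add','filteraction',"name=$ActionName",
             'action=negotiate','inpass=no','soft=no'

# Configure a Rule: transport mode (no tunnel), LAN connection type, preshared key, no Kerberos
Invoke-Netsh 'ipsec','static','add','rule','name=SYS 600 to NCC',"policy=$PolicyName",
             "filterlist=$ListName","filteraction=$ActionName",'conntype=lan',
             'kerberos=no',"psk=$Psk"

# Step 10: assign the policy (the green dot in Local Security Settings)
Invoke-Netsh 'ipsec','static','set','policy',"name=$PolicyName",'assign=yes'

# Check: the policy with its rule, filter list and action, shown as assigned
netsh ipsec static show policy "name=$PolicyName" level=verbose
```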


Appendix G Introduction to SCADA Security

The following excerpt is taken from Supervisory Control and Data Acquisition (SCADA)
Systems, NATIONAL COMMUNICATIONS SYSTEM, October 2004, www.ncs.gov.
In today’s corporate environment, internal networks are used for all corporate
communications, including SCADA. SCADA systems are therefore vulnerable to many
of the same threats as any TCP/IP-based system.
Security in an industrial network can be compromised in many places along the system
and is most easily compromised at the SCADA host or control room level. SCADA
computers logging data out to some back-office database repositories must be on the
same physical network as the back-end database systems, or have a path to access these
database systems. This means that there is a path back to the SCADA systems and
eventually the end devices through their corporate network. Once the corporate network
is compromised, then any IP-based device or computer system can be accessed. These
connections are open 24x7 to allow full-time logging, which provides an opportunity to
attack the SCADA host system with any of the following attacks:
• Use a Denial of Service (DoS) attack to crash the SCADA server, leading to a
shutdown condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of Operations)
• Plant a Trojan and take complete control of system (Gain complete control of system
and be able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords (Preparation
for future take down)
• Log any company-sensitive operational data for personal or competition usage (Loss
of Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is out of
control and must be shut down (Downtime and Loss of Corporate Data)
• Modify any logged data in remote database system (Loss of Corporate Data)
• Use SCADA Server as a launching point to defame and compromise other system
components within corporate network.
For a company to protect its infrastructure, it should undertake the development of a
security strategy that includes specific steps to protect any SCADA system. Such a
strategy may include the following approach.
Developing an appropriate SCADA security strategy involves analysis of multiple layers
of both the corporate network and SCADA architectures including firewalls, proxy
servers, operating systems, application system layers, communications, and policy and
procedures. Strategies for SCADA Security should complement the security measures
implemented to keep the corporate network secure.
The figure below illustrates the typical corporate network “ring of defenses” and its
relationship with the SCADA network. Successful attacks can originate from either
Internet paths through the corporate network to the SCADA network, or from internal
attacks from within the corporate office. Alternatively, attacks can originate from within
the SCADA network from either upstream (applications) or downstream (RTUs) paths.


What is an appropriate configuration for one installation may not be cost-effective for
another. Flexibility and the employment of an integrated and coordinated set of layers
are critical in the design of a security approach.

Figure G.1: Relationship Between Corporate and SCADA Networks

Most corporate networks employ a number of security countermeasures to protect their networks. Some of these and a brief description of their functions are as follows:
• Border Router and Firewalls Firewalls, properly configured and coordinated,
can protect passwords, IP addresses, files and more. However, without a hardened
operating system, hackers can directly penetrate private internal networks or create
a Denial of Service condition.
• Proxy Servers A Proxy server is an internet server that acts as a firewall, mediating
traffic between a protected network and the internet. They are critical to re-creating
TCP/IP packets before passing them on to, or from, application layer resources such
as Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP).
However, the employment of proxy servers will not eliminate the threat of application
layer attacks.
• Operating Systems Operating systems can be compromised, even with proper
patching, to allow network entry as soon as the network is activated. This is due to
the fact that operating systems are the core of every computer system and their
design and operating characteristics are well-known worldwide. As a result, operating
systems are a prime target for hackers. Further, in-place operating system upgrades
are less efficient and secure than design-level migration to new and improved
operating systems.
• Applications Application layer attacks; i.e., buffer overruns, worms, Trojan horse
programs and malicious ActiveX code can incapacitate anti-virus software and
bypass the firewall as if it wasn’t even there.
• Policies and Procedures Policies and procedures constitute the foundation of security policy infrastructures. They include requiring users to select secure passwords that are not based on a dictionary word and contain at least one symbol, capital letter, and number, and should be over eight characters long. Users should not be allowed to use the name of their spouse, child or pet as their password.
The above list is common to all entities that have corporate networks. SCADA systems
for the most part coexist on the same corporate network, as seen in the figure above. The
following list suggests ways to help protect the SCADA network in conjunction with
the corporate network:
• SCADA Firewalls SCADA Systems and Industrial Automation Networks, like
corporate network operating systems, can be compromised using similar hacking
methods. SCADA systems frequently go down due to other internal software tools
or employees who gain access to the SCADA systems, often without any intention
to take down these systems. For these reasons, it is suggested that strong firewall
protection to wall off your SCADA networking systems from both the internal
corporate network and the Internet be implemented. This would provide at least two
layers of firewalls between the SCADA networking systems and the Internet.
• SCADA Internal Network Design SCADA networks should be segmented off
into their own IP segment using smart switches and proper sub-masking techniques
to protect the Industrial Automation environment from the other network traffic,
such as file and print commands. Facilities using Wireless Ethernet should use
sufficient encryption, e.g. WPA or WPA2.
• SCADA Server Operating Systems Merely installing a firewall or segmenting
SCADA IP addresses will not ensure their SCADA Infrastructure is secure. An
experienced hacker can often bypass firewalls with ease and can even use Address
Resolution Protocol (ARP) trap utilities to steal Media Access Control (MAC)
addresses. The hacker can also deploy IP spoofing techniques to maneuver through
switched networks. Operating systems running the SCADA applications must also
be maintained. SCADA applications on Windows NT, 2000, or XP are properly
patched against the latest vulnerabilities, and all of the default NULL NT accounts
and administrator accounts have been removed or renamed. SCADA applications
running on UNIX, Linux, Novell, or any other operating system (OS), must also be
maintained as above. All operating systems have back doors and default access
accounts that should be removed and cleaned off of these SCADA servers.
• SCADA Applications One must also address security within the SCADA
application itself. Trojan horses and worms can be inserted to attack application
systems, and they can be used to manipulate data or issue commands on the server.
There have even been cases of Trojan horses being deployed that completely emulate
the application. The operator or user thinks that he is clicking on a command to stop
a pump or generate a graph of the plant, but he is actually clicking on buttons
disguised to look like the SCADA screen, and these buttons start batch files that
delete the entire hard drive, or send out pre-derived packets on the SCADA system
that turn all outputs to the ON or “1” state. Trojan horses and viruses can also be
planted through an email opened by another computer in the network, and then it is
silently copied over to adjacent SCADA servers, where they wait until a specified
time to run. Plant control rooms will often have corporate computers with the Internet
and email active on them, within the same physical room and on the same network
switches as SCADA computers. Methodologies to mitigate against these types of
situations are: the use of anti-virus software running on the computer where the SCADA application resides; systems administrators disabling installation of any unauthorized software unless the user has administrator access; and policies and procedures applicable to SCADA systems.
• SCADA Policies and Procedures SCADA policies and procedures associated
with remote vendor and supervisory access, password management, etc. can
significantly impact the vulnerabilities of the SCADA facilities within the SCADA
network. Properly developed policies and procedures that are enforced will greatly
improve the security posture of the SCADA system.
In summary, these multiple “rings of defense” must be configured in a complementary
and organized manner, and the planning process should involve a cross-discipline team
with senior staff support from operations, facility engineering, and information technology
(IT). The SCADA security team should first analyze the current risks and threat at each
of the rings of defense, and then initiate a work plan and project to reduce the security
risk.
For more information, see [ABBSEC09].

Contact us

1MRS756796 C/30.9.2012 © Copyright 2012 ABB. All rights reserved.


ABB Oy
Substation Automation Products
P.O. Box 699
FI-65101 Vaasa
FINLAND
Tel. +358 10 22 11
Fax. +358 10 224 1094

www.abb.com/substationautomation
