MicroSCADA X

Cyber Security Deployment Guideline


Document ID: 1MRK 511 574-UEN
Issued: July 2022
Revision: A
Product version: 10.4

© 2022 Hitachi Energy. All rights reserved.


1MRK 511 574-UEN Rev. A Table of contents

Table of contents

Section 1 Copyrights......................................................................................................5

Section 2 Introduction....................................................................................................7
2.1 This manual...........................................................................................................................7
2.2 Use of symbols......................................................................................................................7
2.3 Intended audience.................................................................................................................7
2.4 Document conventions..........................................................................................................7
2.5 Document revisions...............................................................................................................8

Section 3 General........................................................................................................... 9
3.1 Definitions and Abbreviations..............................................................................................12
3.2 Reference Documents.........................................................................................................12

Section 4 Secure installation of MicroSCADA X SYS600 / DMS600 - Step-by-step Guide.................... 13
4.1 Preparations........................................................................................................................ 13
4.2 Installation phase................................................................................................................ 15
4.3 Post-installation Checks & Configuration............................................................................ 15
4.3.1 Centrally or Individually Managed Configurations............................................................. 16
4.3.2 Configurations Needed for All Machines........................................................................... 16

Section 5 Configuring network....................................................................................17


5.1 Active Directory................................................................................................................... 17
5.2 Virtual Private Network (VPN)............................................................................................. 18
5.2.1 Use cases..........................................................................................................................18
5.2.1.1 NCC Communication................................................................................................... 18
5.2.1.2 Maintenance Access via Remote Desktop Protocol (RDP)......................................... 19
5.2.1.3 HSB communication.....................................................................................................20
5.3 Network Devices................................................................................................................. 20

Section 6 Configuring security settings for Windows OS and MicroSCADA X servers.......................... 21
6.1 BIOS settings...................................................................................................................... 21
6.2 BitLocker Full Disk Encryption.............................................................................................21
6.3 Data Execution Prevention (DEP)....................................................................................... 22
6.4 Removing unused programs............................................................................................... 22
6.5 Disabled system services....................................................................................................22
6.6 Microsoft Update/Patch management................................................................................. 22
6.6.1 Windows Update vs. Microsoft Update............................................................................. 22
6.6.2 Configuration.....................................................................................................................23
6.7 Virus scanner...................................................................................................................... 24
6.7.1 CPU Utilization.................................................................................................................. 24
6.7.2 On-access scanning..........................................................................................................24
6.7.3 On-demand scanning........................................................................................................25

MicroSCADA X 1
Cyber Security Deployment Guideline
© 2022 Hitachi Energy. All rights reserved.
6.7.4 Handling of infected files................................................................................... 25
6.7.5 Scan engine and virus definition updates..........................................................................25
6.7.6 Patch management........................................................................................................... 26
6.8 Disabling devices................................................................................................................ 26
6.8.1 Disabling autorun functionality.......................................................................................... 29
6.9 Configurable logon/warning banner.................................................................................... 29
6.10 User Account Control (UAC)............................................................................................... 30
6.11 OPC and DCOM..................................................................................................................30
6.12 Simple Network Management Protocol (SNMP)................................................................. 31
6.13 Security policies.................................................................................................................. 31
6.14 Firewall (ports and services)............................................................................................... 32
6.15 User account management................................................................................................. 32
6.16 Application allowlisting........................................................................................................ 33
6.17 Backing up and restoring.....................................................................................................34
6.17.1 Taking backup................................................................................................................... 34
6.17.2 Restoring backup.............................................................................................................. 34
6.18 LLMNR/NetBIOS and resolving hostnames........................................................................ 34

Section 7 Configuring security settings for SYS600, SYS600 Historian and DMS600 workplaces.................................... 37
7.1 Securing Vtrin client and SYS600 Historian server communication....................................37

Section 8 Configuring security features in SYS600, SYS600 Historian and DMS600 products........................................ 39
8.1 User account management................................................................................................. 39
8.2 File system permissions...................................................................................................... 41
8.3 Password policies................................................................................................................42
8.4 Authentication and authorization......................................................................................... 43
8.5 User session and inactivity time-out....................................................................................43
8.6 User activity logging............................................................................................................ 48
8.7 SYS600 hardening options..................................................................................................49
8.7.1 PostgreSQL related firewall configuration......................................................................... 49
8.7.2 SYS600 Notify...................................................................................................................51
8.8 SYS600 Historian hardening options.................................................................................. 51
8.8.1 Securing Data source and Historian server communication............................................. 51
8.9 DMS600 hardening options.................................................................................................51
8.10 Certificate management...................................................................................................... 51
8.11 Resetting administrator password....................................................................................... 54
8.12 Backdoors........................................................................................................................... 54

Section 9 Standard compliance statement................................................................ 55

Appendix A Quick Configuration Guideline...................................................................57


1.1 Downloading and Installing SCM tool..................................................................................58
1.2 Securing MicroSCADA X server..........................................................................................59
1.3 Securing MicroSCADA X workplace................................................................................... 59
1.4 Maintenance........................................................................................................................60
1.4.1 Adding new Windows users.............................................................................................. 60

1.4.2 Adding/installing new programs........................................................................ 60
1.4.3 Adding new SYS600 applications..................................................................................... 61
1.4.4 Adding Windows features..................................................................................................61
1.4.5 Troubleshooting.................................................................................................................62
1.5 Rollback...............................................................................................................................62

Appendix B Ports and Services...................................................................................... 63

Appendix C Windows System Services......................................................................... 73

Appendix D Security Policies.......................................................................................... 75

Appendix E Application Allowlisting - AppLocker........................................................ 79


1.1 AppLocker - Customizing Rules.......................................................................................... 82

Appendix F Virtual Private Network............................................................................... 87


1.1 Create IPSec Policy............................................................................................................ 87
1.2 Build a Filter List from SYS600 to NCC...............................................................................89
1.3 Configure a Rule for the communication............................................................................. 93

Appendix G Introduction to SCADA Security................................................................ 99

Section 1 Copyrights

The information in this document is subject to change without notice and should not be construed as
a commitment by Hitachi Energy. Hitachi Energy assumes no responsibility for any errors that may
appear in this document.

In no event shall Hitachi Energy be liable for direct, indirect, special, incidental or consequential
damages of any nature or kind arising from the use of this document, nor shall Hitachi Energy be
liable for incidental or consequential damages arising from the use of any software or hardware
described in this document.

This document and parts thereof must not be reproduced or copied without written permission from
Hitachi Energy, and the contents thereof must not be imparted to a third party nor used for any
unauthorized purpose.

The software or hardware described in this document is furnished under a license and may be used,
copied, or disclosed only in accordance with the terms of such license.

© 2022 Hitachi Energy. All rights reserved.

Trademarks

ABB is a registered trademark of ABB Asea Brown Boveri Ltd. Manufactured by/for a Hitachi Energy
company. All other brand or product names mentioned in this document may be trademarks or
registered trademarks of their respective holders.

Guarantee

Please inquire about the terms of guarantee from your nearest Hitachi Energy representative.

Third Party Copyright Notices

The list of third-party copyright notices is documented in "3rd party licenses.txt" and in the other
locations mentioned in that file in the SYS600 and DMS600 installation packages.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(https://www.openssl.org/). This product includes cryptographic software written by Eric Young
([email protected]). This product includes software written by Tim Hudson ([email protected]).

This product includes software developed by Computing Services at Carnegie Mellon University
(http://www.cmu.edu/computing/).

This product includes software developed by vbAccelerator (/index.html).


Section 2 Introduction

2.1 This manual

This document is a cyber security guide for MicroSCADA X Control System SYS600 (hereafter
SYS600) and MicroSCADA X Distribution Management System DMS600 (hereafter DMS600). See
Section 2.5 for the product versions covered.

Quick configuration instructions for setting up a server and a workplace in a few steps are given at
the end of this document, see Appendix A. The major part of the configuration can be done
automatically with the security configuration tool Security Compliance Manager (SCM).

The installation package for the SCM tool can be downloaded from the MicroSCADA partner portal.

2.2 Use of symbols

This publication includes warning, caution and information symbols where appropriate to point out
safety-related or other important information. It also includes tips to point out useful hints to the
reader. The corresponding symbols should be interpreted as follows:

Warning icon indicates the presence of a hazard which could result in personal
injury.

Caution icon indicates important information or a warning related to the concept discussed in the
text. It might indicate the presence of a hazard, which could result in corruption of software or
damage to equipment/property.

Information icon alerts the reader to relevant factors and conditions.

Tip icon indicates advice on, for example, how to design a project or how to use a
certain function.

Although warning hazards are related to personal injury, and caution hazards are associated with
equipment or property damage, it should be understood that operation of damaged equipment could,
under certain operational conditions, result in degraded process performance leading to personal
injury or death. Therefore, comply fully with all warnings and caution notices.

2.3 Intended audience

This manual is intended for installation personnel, administrators and skilled operators to support
installation of the software.

2.4 Document conventions

The following conventions are used for the presentation of material:


• The words in names of screen elements (for example, the title in the title bar of a dialog, the
label for a field of a dialog box) are initially capitalized.
• Capital letters are used for file names.
• Capital letters are used for the name of a keyboard key if it is labeled on the keyboard. For
example, press the CTRL key. Although the Enter and Shift keys are not labeled they are written
in capital letters, for example, press ENTER.
• Lowercase letters are used for the name of a keyboard key that is not labeled on the keyboard.
For example, the space bar, comma key and so on.
• Press CTRL+C indicates that the user must hold down the CTRL key while pressing the C key
(in this case, to copy a selected object).
• Press ALT E C indicates that the user presses and releases each key in sequence (in this case,
to copy a selected object).
• The names of push and toggle buttons are boldfaced. For example, click OK.
• The names of menus and menu items are boldfaced. For example, the File menu.
• The following convention is used for menu operations: Menu Name/Menu Item/
Cascaded Menu Item. For example: select File/Open/New Project.
• The Start menu name always refers to the Start menu on the Windows Task Bar.
• System prompts/messages and user responses/input are shown in the Courier font. For
example, if the user enters a value that is out of range, the following message is displayed:
Entered value is not valid.
The user may be told to enter the string MIF349 in a field. The string is shown as follows in the
procedure: MIF349
• Variables are shown using lowercase letters: sequence name

2.5 Document revisions

| Revision | Version number | Date | History |
|---|---|---|---|
| A | MicroSCADA X SYS600 10.4, DMS600 4.6, SDM600 1.2 | 30.06.2022 | Document updated for SYS600 10.4, DMS600 4.6 and SDM600 1.2 releases. |


Section 3 General

This document is a security guide for MicroSCADA X Control System SYS600 and MicroSCADA X
Distribution Management System DMS600. The guide is intended for software and project engineers
and system verification testers, who are expected to have general familiarity with the following
areas:

• PCs, servers, and Windows operating systems
• Networking, including TCP/IP and the concept of ports and services
• Security policies
• Firewalls
• Anti-virus
• Application allowlisting
• Remote and secure communication

Operating systems (with the latest service packs) covered in this document are:

• Server operating systems: Windows Server 2012 R2, 2016, 2019, 2022
• Desktop operating systems: Windows 8.1, 10
• For Windows 10 installations, it is recommended to use LTSB/LTSC versions

The guide assumes that in servers:

• Windows Update is disabled, for example, WSUS is used instead
• The Uninterruptible Power Source (UPS) is not controlled by the server
• Wireless network configuration is not used
• Audio is not used
• There are printers connected to the server

This guide assumes that in workplaces:

• Windows Update is disabled, for example, WSUS is used instead
• Wireless network configuration is not used
• There are printers connected to the workplace

However, the guide does not specify the network configuration where the MicroSCADA X system is
installed. The network architecture may be built around Active Directory, or it may utilize workgroup
computers not joined to any domain.

This section provides general information as well as information on the assumptions, operating
systems and MicroSCADA X versions this guide covers. The system is secured by configuring the
network, uninstalling irrelevant software, disabling some Windows system services, configuring the
firewall settings, configuring application allowlisting, and applying security policies. Configuring the
network is discussed in Section 5. The security settings in this document are divided into the following
categories:

• Security settings in Windows operating systems and MicroSCADA X servers (Section 6)
• Security settings in MicroSCADA X workplace computers (Section 7)
• Security features available in SYS600 and DMS600 products (Section 8)

There are security settings that are automatically configured in the product and those that need to be
configured manually. For example, a Windows administrator user account is created during SYS600
installation and a password is prompted for the MicroSCADA user. Since this is an administrator user
account, it is the responsibility of the system administrator to choose a valid and secure password for
this account.


MicroSCADA X SYS600 uses symmetric and asymmetric cryptographic algorithms for data
encryption (information, messages, text, etc.). TLS 1.2/1.3 is used with high-strength cipher
suites whose key length is 128 bits or more. Hashing algorithms are used, for example, for
authentication and password protection.
By default, all MicroSCADA X SYS600 licenses include the above-mentioned cryptographic
functionality. Depending on market requirements or country restrictions, some licenses can be
sold without data encryption of information and messages; that is, the cryptographic functionality
is disabled by the manufacturer by means of licensing.

Other Windows server security settings, such as the firewall, security policies and disabling Windows
system services, are not automatically configured during the SYS600 or DMS600 installation. This is
because the installation may conflict with existing security settings on computers where modifying
them is not allowed. To apply security settings such as firewall rules, security policies and disabling
unused Windows system services after MicroSCADA X product installation, run the security
configuration tool Security Compliance Manager (SCM), see Appendix A 1.2.

There is a general security guide for control systems and operating systems on the Hitachi Energy
Cybersecurity website [SEC]. Microsoft also provides security guides for the different operating
systems [MSSEC09].

MicroSCADA X SYS600C includes both SYS600 and Windows server specific security settings by
default. However, it is the responsibility of the project engineer to:

• Activate the pre-configured Windows user accounts that are meant for operators and
engineers (ScOperator etc.)
• Open Windows Firewall ports for the used communication protocols (Appendix B)
• Allow any newly installed applications to run in Windows AppLocker (Appendix E)
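As an added example (not part of the Hitachi Energy guideline or of the product), the following PowerShell script verifies the three project-engineer items above on a SYS600C machine after deployment: that the operator/engineer accounts are enabled, that the Windows Firewall is on with the required inbound ports opened by enabled rules, and that AppLocker is enforcing and allows a newly installed executable. Only the account name ScOperator comes from the text; the second account name, the port number and the application path are placeholders to be replaced with the values from the project specification and Appendices B and E.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the guideline. Get-LocalUser needs Windows Server 2016 /
# Windows 10 or later; on older systems replace it with "net user <name>".

# ScOperator is taken from the text; the second name is a PLACEHOLDER.
$ExpectedUsers   = @('ScOperator', 'ScEngineer_PLACEHOLDER')
# PLACEHOLDER: the protocols/ports actually used in this project (see Appendix B).
$RequiredInbound = @(
    @{ Name = 'NCC protocol PLACEHOLDER'; Protocol = 'TCP'; Port = 12345 }
)
# PLACEHOLDER: executables installed after the product (see Appendix E).
$NewApplications = @('C:\PLACEHOLDER\NewApplication.exe')

function Test-ScadaUserAccounts {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $state = if (-not $user)            { 'MISSING' }
                 elseif (-not $user.Enabled) { 'DISABLED (Enable-LocalUser needed)' }
                 else                        { 'OK' }
        [pscustomobject]@{ Check = "Local user $name"; Result = $state }
    }
}

function Test-FirewallProfiles {
    # All three profiles should be on and block inbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
        $state = if ($ok) { 'OK' } else { "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)" }
        [pscustomobject]@{ Check = "Firewall profile $($p.Name)"; Result = $state }
    }
}

function Test-InboundPortAllowed {
    param([string]$Name, [string]$Protocol, [int]$Port)
    # Only enabled inbound allow rules count; a disabled rule opens nothing.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    $hits = foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        $ports  = @($filter.LocalPort)
        # Exact port match only; port ranges such as "2000-3000" are not parsed here.
        if ($filter.Protocol -eq $Protocol -and $ports -contains "$Port") { $rule.DisplayName }
        # A rule with LocalPort 'Any' also matches, but is reported so it can be tightened.
        elseif ($filter.Protocol -eq $Protocol -and $ports -contains 'Any') { "$($rule.DisplayName) (LocalPort=Any, overly broad)" }
    }
    $state = if ($hits) { 'OK: ' + ($hits -join '; ') } else { 'NOT OPENED' }
    [pscustomobject]@{ Check = "$Name $Protocol/$Port inbound"; Result = $state }
}

function Test-AppLockerAllowsExecutable {
    param([string[]]$Paths)
    # Rules only take effect when the Application Identity service is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        [pscustomobject]@{ Check = 'AppLocker service (AppIDSvc)'; Result = 'NOT RUNNING - rules not enforced' }
    }
    $policyXml = Get-AppLockerPolicy -Effective -Xml
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Check = "AppLocker $path"; Result = 'FILE NOT FOUND' }
            continue
        }
        # Evaluate for Everyone, i.e. the non-admin operator accounts, not the admin running this.
        $decision = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $path -User Everyone
        [pscustomobject]@{ Check = "AppLocker $path"; Result = "$($decision.PolicyDecision)" }
    }
}

$report = @(
    Test-ScadaUserAccounts -Names $ExpectedUsers
    Test-FirewallProfiles
    foreach ($r in $RequiredInbound) { Test-InboundPortAllowed -Name $r.Name -Protocol $r.Protocol -Port $r.Port }
    Test-AppLockerAllowsExecutable -Paths $NewApplications
)
$report | Format-Table -AutoSize
```

Any result other than OK/Allowed points at one of the three manual steps still being open; the script reports and never changes configuration.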

Table 1: Deployment of security features in MicroSCADA X products

A = automatically configured in the product, SCM = security configuration tool, M = manual configuration

| Security feature | SYS600 installation | SYS600C | SYS600 | DMS600 | Remarks |
|---|---|---|---|---|---|
| Windows users and groups | - 1) | A+M 2) | A+M 2) | SCM+M 2) | 1) MicroSCADA user account is automatically created during installation. Password should be longer than 15 characters. 2) Some user accounts have to be enabled manually |
| OPC/DCOM settings for server-workplace communication | - | A+M | M | M | See [SYSINS] |
| Firewall settings (ports and services) | - | A | SCM+M | SCM+M | Enable ports for used communication protocols according to customer specifications. |
| Virtual Private Network (VPN) | - | A | M | M | |
| BIOS settings | - | A | M | M | |
| Removing unused programs | - | A | M | M | |
| Disabling system services | - | A | SCM | SCM | |
| SNMP | - | A | M | M | |
| Security policies | - | A | SCM | SCM | |
| Microsoft Update | - | M | M | M | Not installed/services disabled. WSUS or manual installation to be used instead. The latest service packs and security updates are tested and verified. |
| User Access Control (UAC) | - | A | SCM | SCM | |
| Application allowlisting | - | A | SCM | SCM | |
| Virus scanner | - | M | M | M | Installation manuals exist for some virus scanner software and virus definitions of those software versions are verified and tested. |
| Disabling devices: DVD/CD-ROM drives | - | A | SCM | SCM | |
| Disabling devices: USB Mass Storage | - | A | SCM | SCM | |
| Disabling devices: Serial port | - | M | M | M | |
| Disabling devices: Floppy disk controller | - | M | M | M | |
| Disabling devices: Sound, video controller | - | M | M | M | |
| Disabling autorun functionality | - | A | SCM | SCM | |
| Backing up and restoring | - | M | M | M | |
| SYS600 user management and authorization | - | A | M | - | |
| DMS600 user management and authorization | - | - | - | M | |
| Encryption of SYS600 internal communication | - | A | A | - | |
| Encryption and authentication of process and control center communication according to IEC62351-3 and -5 | - | M | M | - | |


3.1 Definitions and Abbreviations

Table 2: Terminology

| Term | Description |
|---|---|
| DCOM | Distributed Component Object Model |
| NCC | Network Control Center |
| OPC | Open connectivity specification by OPC Foundation |
| SCADA | Supervisory Control and Data Acquisition |
| SCM | Security Compliance Manager, a security configuration tool |
| SCW | Security Configuration Wizard |
| SYS600 | MicroSCADA X Control System SYS600 |
| SYS600C | MicroSCADA X SYS600C |
| DMS600 | MicroSCADA X Distribution Management System DMS600 |
| TCP/IP | Transmission Control Protocol/Internet Protocol |
| WSUS | Windows Server Update Services |
| MicroSCADA X | Product family including SYS600 and DMS600 |

3.2 Reference Documents

Table 3: References

| Ref | Document title |
|---|---|
| [SEC] | Hitachi Energy Cybersecurity – Control Systems, Hitachi Energy |
| [APPLOC12] | Windows AppLocker, Microsoft |
| [DMSINS] | DMS600 Installation Manual, Hitachi Energy |
| [DMSSYS] | DMS600 System Administration Manual, Hitachi Energy |
| [HISADM] | SYS600 Historian Configuration and Administration Manual, Hitachi Energy |
| [LEMNOS11] | The Lemnos Interoperable Configuration Profile - IPSec |
| [MSBL] | BitLocker, Microsoft |
| [MSDCOM04] | The default dynamic port range for TCP/IP has changed; How to configure RPC dynamic port allocation to work with firewalls, Microsoft |
| [MSDEP] | Data Execution Prevention, Microsoft |
| [MSPASS09] | Strong passwords, Microsoft |
| [MSSEC09] | Windows OS Security Guides, Microsoft. Search for Security Guide and refine the search by giving a specific OS name, for example, Windows Server 2019 |
| [MSTHRE05] | Threats and Countermeasures Guide: Security Settings in Windows Server 2016, Microsoft |
| [MSWS03] | Microsoft Security Compliance Toolkit, Microsoft |
| [SYSAPL] | SYS600 Application Design manual, Hitachi Energy |
| [SYSCON] | SYS600 System Configuration manual, Hitachi Energy |
| [SYSINS] | SYS600 Installation and Administration manual, Hitachi Energy |
| [SYSOBJ] | SYS600 System Objects manual, Hitachi Energy |
| [WSUS] | Windows Server Update Services, Microsoft |
| [SYSCUG] | SYS600C Users Guide, Hitachi Energy |
| [UAC] | What are User Account Control settings?, Microsoft |


Section 4 Secure installation of MicroSCADA X SYS600 / DMS600 - Step-by-step Guide

This chapter describes, step by step, the process for installing MicroSCADA X SYS600 / DMS600
securely. The process starts from the architectural design and ends when the system can be handed
over to the engineering unit to create the actual SCADA configuration. This chapter also serves as a
checklist that can be referenced when making the architectural decisions or carrying out the actual
installation project for the MicroSCADA X system.

Instructions in this chapter are concise on purpose, but they reference other relevant manual
sections and manuals where necessary. Reading the whole manual is mandatory to get a good
understanding of the security landscape around MicroSCADA X systems; this chapter alone is not
enough for that.

4.1 Preparations

The following topics should be handled with due care before starting the actual installation process.
They may sound trivial, but they are the base for a secure MicroSCADA environment. Even when
the actual installation and configuration phase is handled correctly, if the network segmentation
does not follow the security requirements for the particular environment, the security level is not as
high as it could be.

Not all environments require all of these components, and many environments also require additional
components, but the list covers things that are often found in different types of MicroSCADA
environments.

1. Architectural design of the MicroSCADA environment
   1.1. Servers
        a. Physical / virtual
        b. Location of the servers
           • In the same server room
           • In different server rooms; in critical systems even separate buildings, if feasible
        c. Power supply for servers / network devices
           • House supply
           • UPS
        d. BIOS configuration
        e. IPMI (iDRAC/iLO/IMM/etc.)
           • Read the vendor manual
        f. Operating system versions
        g. Domain/Active Directory or workgroup
           • If workgroup, it is expected that Security Compliance Manager (SCM) is used for
             security hardening
           • In Windows Domain / Active Directory environments SCM is not recommended, as it is
             expected that all security configurations are managed via Group Policies
        h. Server roles (which roles are located in the same server and which require their own
           servers)
           • Active Directory related servers
           • SYS600 (HSB or not)
           • DMS600
           • SDM600
           • Historian
           • Remote desktop gateway
           • Engineering workstations
           • Software update system
           • Antivirus management
           • Backups
           • Log collectors
           • Monitoring
           • Databases
           • Etc.
   1.2. Network
        a. High availability
           • External
           • Internal
        b. Proper segmentation
        c. VLANs & subnets
        d. Firewalls between different network segments (IT, DMZ, AD, Backup, SCADA, field
           devices, etc.)
           • Port openings between different networks
           • IDS / IPS configuration
        e. NTP & DNS
        f. Active Directory & its requirements, if AD is used
   1.3. User account policies
        a. Local
        b. Centrally managed
           • Active Directory
           • SDM600
        c. Role definitions and plans
           • Admins for various systems (not all admins need full admin access rights for every
             system!)
           • Engineers
           • Operators
           • Viewers / Read only
   1.4. Application Allowlisting policies
        a. Executable signing certificates and their relevant info
           • For example: [Figure: executable signing certificate details; image not reproduced]
        b. The location/path of the environment specific tools / scripts
2. Gather at least the following information before proceeding to the next chapter
   2.1. Relevant network configuration
        a. IP addresses (including netmasks and gateways)
        b. Hostnames
        c. NTP server address
        d. External DNS server addresses
        e. Required network shares
        f. Printer addresses
        g. External servers & gateways
   2.2. User accounts + passwords

4.2 Installation phase

This chapter does not cover actual Windows installation or network configuration processes. Please
refer to Microsoft documentation regarding the former and your OT/SCADA network team regarding
the latter topic.

At this point it is assumed that the network is configured properly, all required operating systems are
installed, and operating systems are updated according to the latest MicroSCADA Patch
Compatibility report.

1. Install the MicroSCADA product to the server.
2. If the environment type is workgroup and not Windows Domain / Active Directory, it is expected
   that Security Compliance Manager (SCM) is used for security hardening.
   2.1. If a 3rd party host firewall is planned, install it before enforcing the settings via SCM;
        otherwise SCM does not know that a 3rd party firewall tool will be in use and configures
        the Windows Firewall as if it were the only host firewall.
   2.2. Install SCM.
   2.3. Start SCM and run an audit for the correct OS + software configuration.
   2.4. Enforce the security settings with SCM.
   2.5. Verify that the AppLocker policies meet the environment requirements and that all
        environment specific tools can be started.

4.3 Post-installation Checks & Configuration

The steps here are divided in two parts: one part must be done for every individual MicroSCADA
server, and the other is done either on every server, when the environment type is standalone, or
centrally in other cases.

The following security related configurations are managed with the SCM tool in workgroup
environments, and they must be handled via Group Policies in Domain environments:

• Application Allowlisting
  • AppLocker is recommended, but other tools can also be used
• Audit policies
• Windows Firewall, if no 3rd party host firewall is used
• Local security policies
• Disabling of unused services

4.3.1 Centrally or Individually Managed Configurations

1. Verify that all the required user accounts are created, and they belong to the correct user groups
1.1. Verify user accounts also for the SQL Server
2. Document users and groups carefully

4.3.2 Configurations Needed for All Machines

1. Verify that NTP is functioning properly, as correct time is crucial for MicroSCADA usage.
2. Verify the host firewall rules.
   2.1. If SCM is used for enforcing the security configuration, disable/remove all firewall
        rules which are not needed.
3. Go through the following sections and verify that the configuration matches the recommended
   settings:
   3.1. Section 6
   3.2. Section 7
   3.3. Section 8
4. When configuring SYS600, check chapter 6.2.7 "SYS objects for base system - Basic SYS
   attributes - Security attributes" in 1MRS257860 – SYS600 System Objects and verify that all
   SYS600 related security configurations are correct for the environment, as planned in the
   architectural phase of the project.
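Steps 1 and 2 above are the checks a practitioner repeats on every server, so they are worth scripting. The following PowerShell script is an added example and not part of the guideline or the SCM tool: it checks the Windows Time service and its source, the host firewall profiles and every enabled inbound allow rule, and the logon audit setting, and exits non-zero if anything deviates. The expected NTP source name and the list of agreed inbound ports are assumptions; replace them with the values decided in the architectural phase. The `auditpol` text match assumes an English operating system.

```powershell
# Post-installation checks for one MicroSCADA X server: time source, host firewall and logon
# auditing. Added example, not part of the guideline. The expected NTP source and the list
# of inbound TCP ports agreed in the architecture phase are assumptions; adapt them.
param(
    [string] $ExpectedNtpSource   = 'ntp.scada.example',  # hypothetical NTP server name
    [int[]]  $AllowedInboundPorts = @(3389)               # hypothetical: only RDP agreed
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Time: correct time is crucial for MicroSCADA, so the Windows Time service must run,
#    synchronise from the agreed source and have a small phase offset.
$w32 = Get-Service -Name W32Time
if ($w32.Status -ne 'Running') { $findings.Add("W32Time is $($w32.Status), expected Running") }

$status  = w32tm /query /status 2>&1
$srcLine = $status | Select-String -Pattern '^Source:' | Select-Object -First 1
$source  = if ($srcLine) { ($srcLine.Line -replace '^Source:\s*', '').Trim() } else { '<unknown>' }
if ($source -notlike "$ExpectedNtpSource*") {
    $findings.Add("Time source is '$source', expected '$ExpectedNtpSource'")
}
$offLine = $status | Select-String -Pattern 'Phase Offset:\s*([-\d\.]+)s' | Select-Object -First 1
if ($offLine) {
    $offset = [double]$offLine.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt 1.0) { $findings.Add("Clock phase offset is ${offset}s (> 1 s)") }
}

# 2. Host firewall: all profiles on, default inbound action Block, and no enabled inbound
#    Allow rule opening anything outside the agreed port list (ranges and "Any" are flagged too).
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -eq 'False') { $findings.Add("Firewall profile $($p.Name) is disabled") }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile $($p.Name): default inbound action is $($p.DefaultInboundAction)")
    }
}
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    foreach ($port in $ports) {
        $n = $port -as [int]
        if ($null -eq $n -or $AllowedInboundPorts -notcontains $n) {
            $findings.Add("Inbound rule '$($rule.DisplayName)' allows port '$port' (profile $($rule.Profile))")
        }
    }
}

# 3. Audit policy: logon events must be audited (the full recommended audit settings are in
#    the sections referenced above). Text match assumes an English OS.
$audit = (auditpol /get /subcategory:"Logon" 2>&1) -join "`n"
if ($audit -match 'No Auditing') { $findings.Add('Audit policy: Logon subcategory is not audited') }

# Report. The exit code lets the script run from a scheduled compliance job.
if ($findings.Count -eq 0) {
    Write-Output 'All post-installation checks passed.'
    exit 0
}
Write-Output "Found $($findings.Count) issue(s):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it from an elevated prompt on each server, and keep the output together with the documented users and groups from Section 4.3.1: a rule that opens "Any" port, or a time source that is not the agreed NTP server, is exactly the kind of drift that is easy to miss after SCM or a Group Policy has been applied.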

16 MicroSCADA X
Cyber Security Deployment Guideline
© 2022 Hitachi Energy. All rights reserved.
1MRK 511 574-UEN Rev. A Section 5
Configuring network

Section 5 Configuring network

Each host in a TCP/IP network has a unique identifier, called an IP address. An IPv4 address is
composed of four numbers in the range from 0 to 255, separated with dots, for example, 192.168.0.1.
Because every computer on an IP network must have a unique IP address, careful planning of IP
addresses throughout the whole system is important. Make sure to take care of future needs in
address areas when planning large networks. A host can have multiple IP addresses, as shown in
Figure 1. Static IP addressing should be used in a SYS600 system; see Configure a Static IP Address
and [SYSINS, Host names] for more information.

Wireless networks are not recommended in a SYS600 system due to the high reliability that is
required of the control system.

If SYS600 is installed in a Windows Active Directory domain environment, it is important to design
the domain architecture correctly to meet the high reliability needs of the particular SYS600 system.
For more information, see Section 5.1.


Figure 1: An example of SYS600 with NCC connection

MicroSCADA X products do not use IPv6. To disable IPv6 on a network adapter, open
Network and Sharing Center, select Change adapter settings, right-click the network
adapter and select Properties, clear the check box for Internet Protocol Version 6
(TCP/IPv6) and then click OK.
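The static addressing and the IPv6 note above are usually done once per adapter on every server, so a scripted, verifiable version is useful. The PowerShell below is an added example, not a procedure from this guideline or from [SYSINS]: it assigns a static IPv4 address, gateway and DNS server to one adapter and unbinds the IPv6 protocol from that adapter (the same thing as clearing the TCP/IPv6 check box). The adapter name and all addresses are constructed for illustration.

```powershell
# Static IPv4 addressing and IPv6 unbinding for one SYS600 network adapter. Added example,
# not from the guideline. Adapter name and addresses are constructed; check Get-NetAdapter
# for the real name and use the addresses from the network plan (Section 4.1, item 2.1).
$AdapterName  = 'SCADA-LAN'        # hypothetical adapter name
$IPv4Address  = '192.168.10.21'    # constructed SYS600 address
$PrefixLength = 24
$Gateway      = '192.168.10.1'     # constructed
$DnsServers   = @('192.168.10.5')  # constructed; the environment's own DNS server

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# Turn off DHCP and clear any existing IPv4 address and default route on this adapter first;
# New-NetIPAddress fails with "DefaultGateway already exists" otherwise.
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $IPv4Address `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers

# MicroSCADA X does not use IPv6: unbind the IPv6 protocol from this adapter. This is the
# per-adapter unbinding Microsoft supports, not the DisabledComponents registry setting.
Disable-NetAdapterBinding -Name $AdapterName -ComponentID 'ms_tcpip6'

# Verify: exactly one static IPv4 address, DHCP disabled, IPv6 not bound.
[pscustomobject]@{
    Adapter   = $AdapterName
    IPv4      = (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).IPAddress
    Dhcp      = (Get-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).Dhcp
    IPv6Bound = (Get-NetAdapterBinding -Name $AdapterName -ComponentID 'ms_tcpip6').Enabled
} | Format-List
```

Unbinding IPv6 per adapter is preferable to disabling IPv6 globally in the registry, because some Windows components still expect the IPv6 loopback interface to exist; the verification output should show `Dhcp : Disabled` and `IPv6Bound : False` for the SCADA adapter.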

See Appendix B to review the secure and insecure communication protocols used in
MicroSCADA X products and recommendations on how to secure the communication
protocols.

5.1 Active Directory

In corporate office networks Active Directory is often used for managing users and configuration
centrally. SCADA/ICS environments have been a bit different in the past, as Active Directory adds
more complexity to the architecture, more servers which need to be installed and administered, and
more points which can break down.

If the environment requires central user management and the other things provided by Active
Directory, the architecture of the system must be designed accordingly. High availability must be
taken into account, and that affects both the server and the network architecture. It is not
recommended to rely on only one domain controller, as it is then a single point of failure in the
authentication architecture.

It is not recommended at all to join MicroSCADA related computers to the office/enterprise Active
Directory, as configurations applied to the office Active Directory will cause unexpected issues on
the MicroSCADA computers.

A separate Active Directory for the MicroSCADA environment is the recommended solution. It is
better for security, as the accounts are used only for logging on to the servers in the MicroSCADA
environment and are not shared between the MicroSCADA environment and the corporate office
environment. It is also better because all configuration and security settings are specific to the
MicroSCADA environment, so there is a smaller risk that a problematic setting is accidentally applied
to all computers by a person who does not understand the specific requirements of the MicroSCADA
environment.

For more information, see Active Directory Domain Services, Microsoft.

5.2 Virtual Private Network (VPN)

This guideline considers the IP communication between the SYS600 server and the Network Control
Center (NCC) / Regional Control Center (RCC) via a dedicated wide area link that is not exposed to
public access. The use case is to protect the dedicated link against man-in-the-middle attacks by
guaranteeing confidentiality, integrity, and authentication via IPSec, using pre-shared key
authentication. These instructions are also applicable to DMS600 systems.

The IPSec configuration must be done on all machines that should communicate with each other over
IPSec. The configuration is shown in Appendix F.

IPSec encryption is a CPU consuming activity that can affect the maximum
throughput and the CPU utilization. In order to determine the effect of IPSec
encryption on data throughput and CPU consumption, it is important to verify this
with tests.

5.2.1 Use cases

5.2.1.1 NCC Communication

This use case features the IP communication between SYS600 and the NCC via a dedicated wide
area link, which can be a fiber optic communication link, a microwave radio link, or a leased line
that is not exposed to public access. The use of IPSec/VPN technology ensures that the transmitted
data is not readable by eavesdroppers and not vulnerable to man-in-the-middle attacks. In addition,
SYS600 and the NCC authenticate each other using pre-shared keys before establishing the
communication link.



Figure 2: NCC communication


Figure 2 visualizes a possible setup for the use case. The VPN connections are illustrated as blue
tubes, and multiple SYS600 devices are connected to the NCC system via the operator's internal IP
network.

If no network address translation (NAT) mechanism is used between SYS600 and the NCC, IPSec
can be run in transport mode, which protects the payload of each IP packet but leaves the IP header
intact, so it has less overhead than tunnel mode.

5.2.1.2 Maintenance Access via Remote Desktop Protocol (RDP)

An alternative way to access SYS600 is to use the Remote Desktop Protocol (RDP). RDP provides
the graphical interface of SYS600 on another computer. RDP access should be restricted to intranet
access only. Authentication is done by conventional Windows user login. RDP encrypts all
transmitted data, but it is still recommended to also use IPSec/VPN for maintenance access.


Figure 3: RDP Maintenance Access via VPN


Note that the firewall must accept incoming RDP connections, and the maintenance device
connected to the VPN must be able to reach SYS600's RDP port. As SYS600 has access to the
station bus, a service engineer connected to SYS600's desktop can also reach the station bus from
there.


5.2.1.3 HSB communication

Another use case concerns the communication between a master SYS600 device and its redundant
hot-standby system via a wide area network connection. This link should be protected against
man-in-the-middle attacks by guaranteeing confidentiality, integrity, and authentication. This use
case is comparable to the NCC communication.


Figure 4: SYS600 to SYS600 communication


See Appendix F to configure VPN.
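Appendix F holds the product's own VPN procedure. To make the mechanics of the NCC use case (Section 5.2.1.1) and the HSB use case (Section 5.2.1.3) concrete, the following PowerShell is an added example that is not taken from Appendix F: it builds a transport-mode IPsec policy with pre-shared key authentication between two peers using the Windows Filtering Platform cmdlets, restricts the application port to that authenticated peer, and shows how to verify that security associations were actually established. Peer addresses, the application port and the key are constructed for illustration; the same script runs on both peers with the local and remote addresses swapped.

```powershell
# Transport-mode IPsec with pre-shared key (PSK) authentication between a SYS600 server and
# an NCC front end (or a hot-standby SYS600 peer). Added example, not the procedure from
# Appendix F; addresses, the application port and the key are constructed.
$LocalAddress  = '10.10.1.10'     # hypothetical SYS600 address
$RemoteAddress = '10.20.1.10'     # hypothetical NCC / HSB peer address
$AppPort       = 2404             # example: IEC 60870-5-104 TCP port; adapt to the protocol used
# IKE with a PSK is only as strong as the key: use a long random secret, distribute it out
# of band and rotate it. A short or guessable PSK can be brute-forced from a captured exchange.
$PreSharedKey  = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'

# Phase 1 (main mode): AES-256 / SHA-256 / DH group 14 and machine-level PSK authentication.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmCrypto   = New-NetIPsecMainModeCryptoSet -DisplayName 'SYS600-NCC MainMode Crypto' -Proposal $mmProposal
$authProp   = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet    = New-NetIPsecPhase1AuthSet -DisplayName 'SYS600-NCC PSK Auth' -Proposal $authProp

New-NetIPsecMainModeRule -DisplayName 'SYS600-NCC MainMode' `
    -LocalAddress $LocalAddress -RemoteAddress $RemoteAddress `
    -MainModeCryptoSet $mmCrypto.Name -Phase1AuthSet $authSet.Name | Out-Null

# Phase 2 (quick mode): ESP with AES-256 confidentiality and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmCrypto   = New-NetIPsecQuickModeCryptoSet -DisplayName 'SYS600-NCC QuickMode Crypto' -Proposal $qmProposal

# Connection security rule: transport mode (IP header kept, payload protected). Security is
# *required* in both directions, so no cleartext fallback is possible for this peer pair.
New-NetIPsecRule -DisplayName 'SYS600-NCC Require IPsec' -Mode Transport `
    -LocalAddress $LocalAddress -RemoteAddress $RemoteAddress `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmCrypto.Name | Out-Null

# Host firewall: open the application port only for this peer and only over an
# authenticated (IPsec-protected) connection.
New-NetFirewallRule -DisplayName 'SYS600-NCC application port (IPsec only)' `
    -Direction Inbound -Protocol TCP -LocalPort $AppPort -RemoteAddress $RemoteAddress `
    -Authentication Required -Action Allow | Out-Null

# Verification: once the peer has sent the first packets, a main mode and a quick mode
# security association must exist for this peer. If these lists stay empty while traffic
# is attempted, the PSK or the crypto proposals do not match on the two sides.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $RemoteAddress }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteAddress }
```

Because both peers require IPsec, a mismatch in key or proposals silently blackholes the link; apply the policy while console or out-of-band (IPMI) access is available, and run the throughput and CPU tests recommended in Section 5.2 with the SAs established, since AES-256 ESP on every packet is where the CPU cost of IPsec comes from.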

5.3 Network Devices

Network devices, such as switches, routers, firewalls, intrusion detection systems, modems, and
wireless devices, are not part of this security guide. From a security point of view, the following
should be enabled and maintained on these devices:

• Logging
• Patches / Updates
• Backup / Recovery

For more information, see the device manuals.


Section 6 Configuring security settings for Windows OS and MicroSCADA X servers

Windows servers are protected with the latest service packs and security updates, firewalls, security
policies, application allowlisting, and virus scanners. To reduce the attack surface of the servers,
programs and services that are not used can also be uninstalled or disabled. See Table 1 to check the
security features that are automatically configured on the server. Some products need manual
configuration.

Each of the sections below ends with either "This has to be configured manually" or "This is
configured automatically". The first statement means that the security setting has to be configured
manually. The latter means that there is a security configuration tool to automate the configuration
process. This process is described in Appendix A 1.2.

6.1 BIOS settings

The following settings are highly recommended to be used in MicroSCADA systems.

• BIOS password(s) are enabled
• Secure Boot is enabled
• Remote wake-up / Wake on LAN is disabled
• Boot sequence/priority: disable boot devices which are not required, and leave only boot from
  the correct hard disk.

Manual configuration of the listed items is needed, and the exact way to do it depends on the used
computer hardware. Please consult your computer manual if unsure how BIOS settings can be
changed.

6.2 BitLocker Full Disk Encryption

BitLocker is a full disk encryption feature found on Windows systems. In addition to disk encryption,
BitLocker verifies the system integrity during startup of the computer. The computer must have a
TPM (Trusted Platform Module) chip to fully utilize the security functionality provided by BitLocker.

Disk encryption is not often needed in MicroSCADA systems, because the computer hardware is
usually located in physically secured places. Verification of the system integrity is a much more
important topic, but it is not possible to have only system integrity verification without disk
encryption.

BitLocker causes some degradation of disk I/O performance. Depending on the environment,
hardware and workload it can be anything from a couple of percent to, in the worst case, tens of
percent. Write operations are affected much more, so real life results depend heavily on the actual
environment and its requirements. Also, servers today often have enough spare CPU capacity, and
thus the degraded performance is an issue only in rare cases.

Usage of BitLocker is recommended, but the effects of its performance requirements must be
analyzed thoroughly.

When BitLocker is used, the secure storage of the BitLocker recovery keys must be planned in
advance.

More information about BitLocker can be found in [MSBL].
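The two practical points above, a TPM for the integrity check and planned storage of the recovery keys, are easy to get wrong in the order they are done. The following PowerShell is an added example, not from this guideline or [MSBL]: it refuses to proceed without a usable TPM, enables BitLocker on the OS volume with a recovery password before adding the TPM protector (so there is always a way in), and escrows the recovery password. The escrow share path is an assumption; in an Active Directory environment the recovery password should be backed up to AD DS with `Backup-BitLockerKeyProtector` instead of a file.

```powershell
# Turn on BitLocker for the OS volume with TPM protector plus recovery password, then escrow
# the recovery password. Added example, not from the guideline. The escrow share is an
# assumption; in a domain use Backup-BitLockerKeyProtector to AD DS instead.
$Volume     = 'C:'
$EscrowPath = '\\backup-srv\bitlocker-keys'   # hypothetical, access-controlled share

# BitLocker's boot-time integrity verification needs a TPM that is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable it in BIOS/UEFI first"
}

$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Recovery password first so there is always a way back in, then the TPM protector.
    # XTS-AES-256 is the strongest method (Windows 10 / Server 2016 and later; use Aes256 on
    # Server 2012). -UsedSpaceOnly shortens the initial encryption of a fresh install.
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Volume -TpmProtector | Out-Null
}

# Escrow: the recovery password is the only way in when the firmware, TPM or boot
# configuration changes and the integrity check fails. Export it where only the backup
# administrators can read it.
$rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Volume      = $Volume
    ProtectorId = $rp.KeyProtectorId
    Recovery    = $rp.RecoveryPassword
    Exported    = (Get-Date).ToString('s')
} | Export-Csv -Path (Join-Path $EscrowPath "$($env:COMPUTERNAME)-bitlocker.csv") -NoTypeInformation

# Show the result. Encryption continues in the background; protection is active once the
# TPM protector is in place and the volume reports ProtectionStatus On.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, EncryptionPercentage
```

Take the disk I/O baseline the section asks for before running this on a production server, and repeat the measurement once `EncryptionPercentage` reaches 100, because write-heavy SYS600 workloads are the ones the section warns about.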


6.3 Data Execution Prevention (DEP)

DEP is a security feature that can help prevent damage to the user's computer from viruses and
other security threats. DEP can help protect the user's computer by monitoring programs to make
sure they use system memory safely. If a program tries running (also known as executing) code from
memory in an incorrect way, DEP closes the program. DEP automatically monitors essential
Windows programs and services. [MSDEP]

The default configuration of the operating system is used.

6.4 Removing unused programs

The following software is not used by SYS600 and DMS600 and can be manually removed from
Windows through the Control Panel (current Windows versions). These programs are normally found
on desktop operating systems, such as Windows 10. On server operating systems, they are disabled
by default.

Windows component                        Action
---------------------------------------  ------------------------------------------------------------
Windows Media Player / Media Features    Remove manually.
Games                                    Remove manually.
Windows Defender (in Windows 10, only    Remove manually, and uncheck Windows Defender > Settings >
when a 3rd party security program is     Administrator > Turn on this app. More details in section
used)                                    Virus scanner.
Microsoft Office                         In some customer systems, Microsoft Office is installed.
                                         Remove features such as PowerPoint and Outlook from the
                                         installation. Only leave features that are actually used,
                                         for example, Excel and Word. See the Office documentation
                                         on how to uninstall individual components from a full
                                         installation.

This has to be configured manually.

6.5 Disabled system services

Enabled and disabled system services are listed in Appendix C.

This is configured automatically using security configuration tool.

6.6 Microsoft Update/Patch management

There are nine update classifications defined by Microsoft. These include, for example, critical
updates, drivers, security updates and service packs. The compatibility of MicroSCADA X products
with the latest Microsoft security updates and service packs is tested and verified monthly. The test
results can be found on the partner portal if you are a certified system integrator; if you are an end
user, these reports can be made available to you based on your service agreement. The reports do
not cover workplace computers, but it is recommended to install all updates on them as well.

6.6.1 Windows Update vs. Microsoft Update

Windows Update only gets updates for the Windows operating system. MicroSCADA X products use
other Microsoft products such as SQL Server, and therefore Microsoft Update should be used
instead. See Figure 5 and Figure 6 on how to start getting updates for other products as well.



Figure 5: Microsoft Update Windows Server 2012


Figure 6: Microsoft Update Windows Server 2019
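The figures show the opt-in done through the GUI. The same switch can be made, and verified, from PowerShell through the Windows Update Agent COM API, which is useful on servers that are built from a script. The block below is an added example, not from this guideline; the service GUID is Microsoft's fixed identifier for the Microsoft Update service.

```powershell
# Register the Microsoft Update service with Automatic Updates so that SQL Server and other
# Microsoft products get patched, not only Windows. Added example, not from the guideline.
# 7971f918-a847-4430-9279-4a52d1efe18d is Microsoft's fixed service ID for Microsoft Update.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$existing = $serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

if ($existing -and $existing.IsRegisteredWithAU) {
    Write-Output 'Microsoft Update is already registered with Automatic Updates.'
} else {
    # Flags 7 = AllowPendingRegistration (1) + AllowScheduledRetry (2) + RegisterServiceWithAU (4):
    # register now, retry if the service is not reachable yet, and make AU use it.
    $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
    Write-Output 'Microsoft Update registered with Automatic Updates.'
}

# Verify which services Automatic Updates talks to. On a server that is pointed at WSUS
# (Section 6.6.2) the WSUS policy takes precedence and shows up as the managed default.
$serviceManager.Services |
    Select-Object Name, ServiceID, IsRegisteredWithAU, IsManaged, IsDefaultAUService |
    Format-Table -AutoSize
```

The output should list "Microsoft Update" with `IsRegisteredWithAU` set to True; if `IsManaged` is True for a WSUS entry, the server is under WSUS control and the Microsoft Update registration only matters for what WSUS approves.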

6.6.2 Configuration

A dedicated server, Microsoft Windows Server Update Services (WSUS), can be used for updating
servers and workplaces. For more detailed information, see [WSUS].


To manually get Windows security updates for a standalone server, the Microsoft Update Catalog can
be used:

1. Check the tested and verified security updates from the MicroSCADA X Patch Compatibility
   Reports (linked above) for the different operating systems.
2. Go to http://catalog.update.microsoft.com
3. Enter the KB number mentioned in the patch compatibility report and the operating system of the
   server in the search field, for example, "4530715 Windows 2019", and press Search.
4. There might be several search results, for example, for different server architectures. Find the
   correct security update for the architecture and press Add to add it to the basket.
5. Repeat steps 3 and 4 for each security update.
6. Click Show basket; the content of the basket is shown.
7. Click Download to save all security updates in the basket to disk. Create a new folder for the
   security updates, for example, 2019-12, indicating the year and month of the security updates.

This has to be configured manually.

6.7 Virus scanner

Whenever it cannot be guaranteed that no unknown software is executed on a machine (for example,
because removable devices or USB ports are enabled), the use of anti-virus software is highly
recommended on servers, workstations, and maintenance laptops.

Virus scanners distinguish between on-access scanning (only files that are currently requested to
load are checked) and on-demand scanning (all files are checked during a scheduled scan). The
minimum requirements for the virus scanner are on-demand scanning and virus definition updating
features.

On-access virus scanners on servers are a trade-off between security and performance. We
recommend testing the performance of the system with normal virus scanner settings. If the
performance is not acceptable, it can be improved with various settings available in some virus
scanner programs, such as excluding certain directories or files (those that are frequently used) from
on-access scanning and on-demand scanning. For example, event logs, databases and some custom
file types which are accessed continuously should be put in the exception list, that is, those files are
not on-access scanned.

Various settings available in virus scanner programs for improving performance are listed below.

• Windows operating system directories should not be excluded
• Some virus scanner programs may not have the settings shown below

6.7.1 CPU Utilization

• Restrict CPU utilization to 20%
• After modifying this setting it is recommended to run the on-demand scan of the local disks once
  to ensure that it finishes within an acceptable amount of time.

6.7.2 On-access scanning

• Scan only local disks; network scan is disabled (when each machine has its own virus scanner).
• Disable email scans.
• In general, nothing should be excluded from scanning, but in case there are performance issues:
  • SYS600: <drive>\sc\apl\*.* (including subdirectories) is frequently used. If excluding it does
    not solve the issues, exclude the whole sc directory.
  • DMS600: <drive>\DMS600\*.*
• Excluded files:
  • Archive files such as .cab, .rar, and .zip
• Other settings:
  • Enable buffer overflow protection
  • Enable access protection
  • Enable script scan

6.7.3 On-demand scanning

• Initiated periodically or manually
• Initiated manually if the system owner has found virus infected files on other computers in the
  enterprise, for example, in the office network or on maintenance laptops
• Scan only local disks; network scan is disabled (when each machine has its own virus scanner)
• Scanning should be done when normal system activity is low
• All items excluded in on-access scanning should be included in the scan

6.7.4 Handling of infected files

• Automatic clean first, then quarantine. Deleting must be done manually by a security specialist.
• The antivirus should not be allowed to clean, quarantine or delete SYS600 processes.
• Reporting:
  • Maintenance personnel should check the virus scanner log files on each site visit. In case of a
    virus detection, the issue must be escalated to the responsible personnel.
  • There are several methods to report a virus detection, such as email, printout to a printer,
    sending to a computer's syslog, launching a program locally (for example, a SCIL program or
    VB script), or sending an SNMP trap to one or more computers. Sending an SNMP trap is the
    preferred method.

6.7.5 Scan engine and virus definition updates

• It is recommended that scan engines and virus definitions are updated automatically. However,
  enabling automatic updates directly on every machine connected to the automation system
  network is not a recommended practice. For a more secure and reliable deployment of virus
  definitions, a central management (for example, F-Secure Policy Manager, McAfee® ePolicy
  Orchestrator, or Symantec Endpoint Protection Manager) and update deployment host can be set
  up on the corporate intranet. This allows a system administrator to control when updates are
  made. Note that a direct Internet connection should be allowed only for the time everything is
  downloaded; the connection is closed after the download is finished. General guidelines are
  provided in [SEC].
• If redundant servers exist, it is recommended to update the scan engine and virus definitions on
  these servers first. Reboot the server, open a monitor, and perform some functional testing, for
  example, opening process, event and alarm displays and control dialogs.
• New virus definition files should be taken into use immediately. See the recommendation above
  for redundant servers.
• Some scan engine updates may override the current scan settings. In possible problem situations,
  this should be checked.

This has to be configured manually.


6.7.6 Patch management

It is recommended to update the scan engine and virus definition files regularly. Verify that the
settings introduced above are preserved and that the performance and functionality of the system are
acceptable after updates.

Theoretically, a new virus definition file could arrive that compromises the proper functionality of
the system. Testing the system against every new virus definition file is obviously not feasible.
Therefore, we recommend a full system backup before updating virus definition files.

For information on installing McAfee and Symantec virus scanners, see the partner portal if you are
a certified system integrator. If you are an end user, documentation is available based on the service
agreement. The compatibility of MicroSCADA X products with the latest upgrades and virus
definitions is tested and verified monthly for some virus scanner programs. We recommend that
servers are updated according to the MicroSCADA X SYS600 Patch Compatibility Report and the
MicroSCADA X DMS600 Patch Compatibility Report.

6.8 Disabling devices

In any type of server it is good practice to disable the devices that are not used. These may include
USB ports, CD/DVD drives, communication ports, and floppy disk controllers.

This has to be configured manually.

Run devmgmt.msc (Device Manager) and look for the devices to be disabled.

The following figures show the disabling of the DVD/CD-ROM drive, the floppy disk controller,
sound, video and game controllers, and finally the serial and Universal Serial Bus (USB) ports.

Do not disable a device if it will be used, for example, for USB license keys, alarm
sounds, or software installations.


Figure 7: Disabling DVD/CD-ROM



Figure 8: Disabling Floppy disk controller


Figure 9: Disabling Serial port


USB Mass Storage devices

In most environments it is not possible to disable the USB ports completely. It may nevertheless be
necessary to disable USB Mass Storage devices so that it is not possible to connect a USB stick or a
USB external hard drive to the system. This can be done either via Group Policy in domain
environments or via Local Policy in standalone systems.

The Local Policy can be edited, for example, by opening the Start menu and typing "group policy"
until the Edit group policy tool is found. The tool is gpedit.msc, which can also be typed directly.



Figure 10: Edit group policy

Expand Computer Configuration > Administrative Templates > System, and select Removable
Storage Access.

On the right-side pane, locate "Removable Disks: Deny execute access", "Removable Disks: Deny
read access", and "Removable Disks: Deny write access". Double-click each of them to configure it.
By setting these settings to Enabled, access to USB Mass Storage devices is disabled. If access
needs to be allowed again, set the settings back to Disabled/Not configured.



Figure 11: Removable Storage Access
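The three policy settings shown in Figure 11 are stored as registry values under the Removable Disks device class, so a standalone server can have them set and, more importantly, verified from a script. The PowerShell below is an added example, not part of the guideline: it writes the same values the Group Policy editor writes, applies the policy, and provides a check function that can be run on every server during the post-installation checks of Section 4.3.2. The registry path and class GUID are Microsoft's; everything else is constructed.

```powershell
# Deny read/write/execute access to removable disks through the same policy values the
# Group Policy editor writes, and verify it. Added example, not from the guideline.
# {53f56307-b6bf-11d0-94f2-00a0c91efb8b} is the "Removable Disks" device class behind the
# "Removable Disks: Deny ... access" settings in Figure 11.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$Settings  = @{ Deny_Read = 1; Deny_Write = 1; Deny_Execute = 1 }

function Set-RemovableDiskDeny {
    param([switch]$Allow)   # -Allow reverts to "Not configured" by removing the values
    if ($Allow) {
        if (Test-Path $PolicyKey) { Remove-Item -Path $PolicyKey -Recurse -Force }
        return
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value $Settings[$name] -Force | Out-Null
    }
}

function Test-RemovableDiskDeny {
    # $true only when all three deny values exist and are 1; anything else is a finding.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $values = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Settings.Keys) {
        if ($values.$name -ne 1) { return $false }
    }
    return $true
}

Set-RemovableDiskDeny
gpupdate /target:computer /force | Out-Null
Write-Output "Removable disks denied: $(Test-RemovableDiskDeny)"

# These policies only affect devices that report themselves as removable; the USB ports and
# devices such as USB license keys keep working. Where USB sticks that present themselves as
# fixed disks must be blocked as well, prevent the USB storage driver from loading (Start = 4):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
```

In a domain environment the values belong in the Group Policy object, not in a script, because the domain policy overwrites local registry settings at each refresh; `Test-RemovableDiskDeny` is still the right check in both cases. Note that a disk already mounted when the policy is applied stays accessible until it is removed.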

6.8.1 Disabling autorun functionality

Whenever the disabling of a device is not possible, it is good practice to disable the autorun
functionality of the device. In order to prevent the automatic start of malicious code contained in a
removable device, autorun functionality must be turned off. For more information, see How to disable
the Autorun functionality in Windows, http://support.microsoft.com/kb/967715/en-us.

This is configured automatically using security configuration tool.

6.9 Configurable logon/warning banner

The computer must present a warning banner for authorized and unauthorized users at all access
points. This is needed for successfully prosecuting unauthorized users who improperly use the
computer. Warning banners in SYS600 are configurable and are located in:

• Windows OS login
• SYS600 Monitor Pro login
• SYS600 Monitor login

Workplace X and WebUI have pre-configured warning banners, and currently they can't be modified.

To modify texts in warning banners:

1. Start Registry Editor to modify the Windows OS banner.
2. Go to the following values (MACHINE refers to HKEY_LOCAL_MACHINE):
   • MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
   • MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
3. Start Monitor Pro, select Tools/Engineering Tools/Display Builder and open
   sc\prog\graphicsEngine\lib\views\Startup.v to modify the SYS600 Monitor Pro banner.
4. Start Monitor Pro, select Tools/Engineering Tools/Tool Manager/Dialog Editor and open
   sc\sa_lib\base\bbone\use\BGU_LOGIN.VSO to modify the SYS600 Monitor banner.

A warning banner affects the Windows automatic logon (autologon) feature. The banner has to be
acknowledged by pressing the OK button. After pressing the button, automatic logon occurs and
programs placed in the Startup folder will start.
Note! It is not recommended to use the Windows automatic logon feature, since Windows stores the
user name and the password in cleartext in the Windows registry. This is a security risk. If the
end-user accepts this risk, the workaround is to clear the above Windows registry keys.

This is configured automatically using the security configuration tool, pre-configured dialogs and
process displays.

6.10 User Account Control (UAC)

UAC is a security feature available in current Windows versions. UAC should be enabled in all
servers and workplaces. If a program requires privilege elevation, the behaviour is as follows:

• For administrators: Prompt for consent. A dialog is shown where either Continue or Cancel can
be selected.
• For standard users: When a standard user attempts to perform a task that requires an
administrative access a credential prompt is presented.

A user with administrative privileges starts programs by default with non-admin privileges. If
administrative privileges are needed, for example, to write a file with Notepad to a location in
the file system where Windows standard users do not have permission to write, the write will fail.
Start programs with "Run as administrator" if you need administrative privileges. A consent dialog
is shown stating that the program is to be run with administrative privileges.

A shield is used in the program icon to indicate that it requires administrative privileges to run. This is
automatically detected by the operating system if, for example, Run as administrator flag is set in the
file properties or if the program has previously asked for administrative privileges. For more
information, see [UAC].

This is configured automatically using the security configuration tool.

6.11 OPC and DCOM

The usage of OPC communication between the OPC client and the server requires that Distributed
COM (DCOM) has been properly configured in the Windows operating system. This includes
configuring mutual user accounts between computers, system-wide DCOM settings, OPC server
specific DCOM settings, and firewall rules.

Distributed Component Object Model (DCOM) uses the Remote Procedure Call (RPC) dynamic port
allocation. By default, RPC dynamic port allocation randomly selects the port numbers. One can
control which ports RPC dynamically allocates for incoming communication and then configure the
firewall to confine incoming external communication to only those ports and port 135 (the RPC
Endpoint Mapper port) [MSDCOM04].


This has to be configured manually, see [SYSINS, Opening Monitor Pro using Remote Desktop
Services] and [DMSSYS, Connecting OPC].

From SYS600 9.4 version, OPC Data Access Server requires authentication. A
SYS600 login is required from OPC clients connected to the system via OPC Data
Access Server (OPCS). This setting can be found from sys_bascon.com
configuration file.
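As an added PowerShell example (not from the guideline, the product, or Microsoft), the script below confines RPC dynamic port allocation to a fixed range using the RPC\Internet registry values Microsoft documents for this purpose, and then opens only that range plus TCP/135 (the RPC Endpoint Mapper) in Windows Firewall. The range 5000-5100, the rule names and the LocalSubnet scope are constructed choices; it assumes an elevated session and a reboot afterwards.

```powershell
# Added example (not from the guideline): restrict RPC dynamic ports to a known
# range and allow only that range and TCP/135 inbound, as Section 6.11 describes.
# The port range and rule names are constructed; adjust to the site's firewall plan.
# The new RPC range takes effect only after a reboot.

$rpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$portRange = '5000-5100'   # constructed site-specific choice

function Set-RpcDynamicPortRange {
    param([Parameter(Mandatory)] [string] $Range)
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports (REG_MULTI_SZ) lists the allowed ranges; the two 'Y' flags make RPC use them.
    Set-ItemProperty -Path $rpcKey -Name Ports                  -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -Value 'Y'       -Type String
    Set-ItemProperty -Path $rpcKey -Name UseInternetPorts       -Value 'Y'       -Type String
}

function Add-DcomFirewallRules {
    param(
        [Parameter(Mandatory)] [string] $Range,
        [string] $RemoteAddress = 'LocalSubnet'   # narrow to the OPC client's address in production
    )
    $rules = @(
        @{ Name = 'SYS600 DCOM - RPC Endpoint Mapper'; Port = '135' },
        @{ Name = 'SYS600 DCOM - RPC dynamic range';   Port = $Range }
    )
    foreach ($r in $rules) {
        # Idempotent: drop any previous copy so repeated runs converge on one rule.
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $RemoteAddress `
            -Profile Domain,Private | Out-Null
    }
}

function Get-RpcPortConfiguration {
    # Returns the effective registry settings so the change can be verified.
    $p = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ports                  = (@($p.Ports) -join ',')
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
        Confined               = (($p.UseInternetPorts -eq 'Y') -and [bool]$p.Ports)
    }
}

Set-RpcDynamicPortRange -Range $portRange
Add-DcomFirewallRules   -Range $portRange
Get-RpcPortConfiguration | Format-List
```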

6.12 Simple Network Management Protocol (SNMP)

SNMP can be used to query configurations, measured values and status data from various devices.
It is normally used to monitor network devices, but can be used also to monitor servers.

Security Compliance Manager will add two SNMP ports in the firewall policy of SYS600 baselines.
These ports are UDP/161 and UDP/162. The ports are configured to be disabled by default, as these
are not necessary ports for normal MicroSCADA usage.

Port UDP/161 is used to query data from the server. It requires that the Windows SNMP feature is
manually installed via Settings -> Apps & Features (Windows 10) or via Server Manager
(Windows Server 2016/2019).

Port UDP/162 is used to receive SNMP Traps from the network devices. This functionality is present
in MicroSCADA environment, but requires manual configuration.

When SNMP is used to query the status of remote devices, the following firewall configuration needs
to be applied to the Windows server where SYS600 is running.

• SNMP traffic originates from the SYS600 machine using the UDP protocol and the
destination is port 161. Allowing outgoing UDP traffic to that remote port is thus required.
• UDP is a connectionless protocol and thus, in most firewalls, the reply packets need their own
rule.
• Remote/source port: UDP/161
• Path/executable: C:\sc\prog\SNMP_OPC_Server\bin\opcs_snmp.exe

For all SNMP communication it is recommended to use SNMP version 3 or later.
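The rule pair listed above, written as an added PowerShell example (not from the guideline or the product): an outbound query rule and a separate inbound reply rule, both bound to the opcs_snmp.exe path the guideline gives. The rule names and the LocalSubnet scope are constructed; it assumes an elevated session.

```powershell
# Added example (not from the guideline): creates the outbound UDP/161 query rule
# and the inbound reply rule Section 6.12 calls for, tied to the SNMP OPC server
# executable, then lists the resulting rules with their filters for review.

$snmpExe = 'C:\sc\prog\SNMP_OPC_Server\bin\opcs_snmp.exe'   # path from the guideline

function Add-Sys600SnmpRules {
    param(
        [string] $Program       = $snmpExe,
        [string] $RemoteAddress = 'LocalSubnet'   # narrow to the monitored devices' addresses
    )
    $defs = @(
        # Query: SYS600 -> device, destination (remote) port 161
        @{ Name = 'SYS600 SNMP query (out)'; Dir = 'Outbound' },
        # Reply: device -> SYS600, source (remote) port 161; UDP needs its own rule
        @{ Name = 'SYS600 SNMP reply (in)';  Dir = 'Inbound' }
    )
    foreach ($d in $defs) {
        Get-NetFirewallRule -DisplayName $d.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $d.Name -Direction $d.Dir -Action Allow `
            -Protocol UDP -RemotePort 161 -Program $Program `
            -RemoteAddress $RemoteAddress -Profile Domain,Private | Out-Null
    }
}

function Get-Sys600SnmpRules {
    # Joins each rule with its port and application filters for a one-line review.
    Get-NetFirewallRule -DisplayName 'SYS600 SNMP*' -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Enabled    = $_.Enabled
            Direction  = $_.Direction
            Protocol   = $port.Protocol
            RemotePort = (@($port.RemotePort) -join ',')
            Program    = $app.Program
        }
    }
}

Add-Sys600SnmpRules
Get-Sys600SnmpRules | Format-Table -AutoSize
```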

6.13 Security policies

Security policies are based on security templates from Microsoft [MSWS03]. These policies are
modified for MicroSCADA X product purposes in servers and workplaces. The templates are
categorized into the following sections:

• Account policies
• Audit policy
• User rights
• Security options
• Event log
• System services

This is configured automatically using the security configuration tool. See Appendix A 1.2. See also
Appendix D for the changes to default values.


6.14 Firewall (ports and services)

Windows Firewall is a stateful firewall, which can be configured to allow/block inbound and outbound
connections in current Windows versions. Windows Firewall settings configured using the security
configuration tool are not applied to the public network profile. If the computer detects that it is
connected to a public network, almost all traffic will be blocked by Windows Firewall. The scope
options for the firewall settings are ALL or SUBNET. SUBNET is a general setting option allowing
only local network (subnet) traffic through the firewall. For more information, see
Windows Defender Firewall with Advanced Security.

Other general settings are:

• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767kB
• Notify when an application is blocked.

Ports and services used by MicroSCADA X products as well as default firewall settings are listed in
Appendix B. We recommend using both hardware and software firewalls to have a well-protected
system.

This is configured automatically using the Security Compliance Manager (SCM) tool, see Appendix A
1.2.

Two things must be noted when using the SCM software.

1. After enforcing the settings, it must be verified that only those ports and
protocols which are needed in the particular environment are enabled in the
firewall settings. All other rules should be disabled, and better if removed totally.
2. In many rules created by SCM the Scope / Remote IP address is 'LOCAL
SUBNET'. If the actual remote machine is not located in the same subnet as the
particular server, the rule must be updated accordingly.
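Both checks can be done from a list instead of by opening each rule. The PowerShell below is an added example (not from the guideline or the SCM tool): it enumerates the enabled inbound allow rules with their ports and remote scope, flags every rule whose scope is LocalSubnet (check 2) and every open port not in a required-ports list (check 1). The default required-ports list is a constructed placeholder; the real list comes from Appendix B and the site's needs.

```powershell
# Added example (not from the guideline): review enabled inbound firewall rules
# after SCM enforcement against the two checks in Section 6.14.
# -RequiredPorts is a constructed sample; fill it from Appendix B for the real server.

function Get-EnabledInboundRules {
    # One row per enabled, allowing, inbound rule joined with its port/address/app filters.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = (@($port.LocalPort) -join ',')
            RemoteAddr = (@($addr.RemoteAddress) -join ',')
            Program    = $app.Program
        }
    }
}

function Test-ScmFirewallRules {
    param(
        # 'Protocol/Port' pairs the environment really needs (constructed sample values).
        [string[]] $RequiredPorts = @('TCP/3389', 'TCP/135')
    )
    foreach ($r in Get-EnabledInboundRules) {
        $findings = @()
        # Check 2: LocalSubnet scope only works when the peer is in the same subnet.
        if ($r.RemoteAddr -eq 'LocalSubnet') {
            $findings += 'scope is LocalSubnet; update if the peer is in another subnet'
        }
        # Check 1: every open port must be one the environment needs.
        if ($r.LocalPort -eq 'Any' -or -not $r.LocalPort) {
            $findings += 'rule allows any local port; review'
        } else {
            foreach ($p in ($r.LocalPort -split ',')) {
                if ("$($r.Protocol)/$p" -notin $RequiredPorts) {
                    $findings += "port $($r.Protocol)/$p is not in the required list; disable or remove"
                }
            }
        }
        if ($findings.Count -gt 0) {
            $r | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ') -PassThru
        }
    }
}

Test-ScmFirewallRules | Format-Table Name, Profile, Protocol, LocalPort, RemoteAddr, Findings -Wrap
```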

6.15 User account management

The table below lists the Windows users and groups which are preconfigured in the SYS600C device with
the security configuration tool. The MicroSCADA user account is created during SYS600 installation, as
well as the Windows OS groups. There is an option to install preconfigured Windows groups during
DMS600 installation.

To create new Windows user accounts, see Appendix A 1.4.1. Do not give administrative rights
(membership of Administrators) to operators, viewers, and engineers. Only system administrators
should have administrative rights. See also SYS600 and DMS600 Section 8.1 to see other user
accounts used in the product.


Table 4: SYS600 Windows users and groups

| User account type | Name | Password | Privileges | Remarks |
|---|---|---|---|---|
| Windows OS user | MicroSCADA | Configurable | Administrator | Created during the SYS600 installation. Use SYS600 Control Panel to change this password so that DCOM settings are automatically configured. Used by the MicroSCADA service; interactive logon is not allowed. |
| Windows OS user | ScAdmin | Configurable | Administrator | Created by the security configuration tool. The built-in Administrator user account is renamed to ScAdmin, see also the caution below. |
| Windows OS user | ScEngineer | Configurable | Standard user | Created by the security configuration tool. The user account is disabled by default. End-users may enable this user and create a password. |
| Windows OS user | ScOperator | Configurable | Standard user | See above |
| Windows OS user | ScViewer | Configurable | Standard user | See above |
| Windows OS groups | ScSecAdmins, ScSecAuditors, ScRBACManagers, ScSysAdmins, ScEngineers, ScOperators, ScViewers | N/A | N/A | Created during installation of SYS600. Other security areas such as Local security policy, Application allowlisting and Windows standard user (file system permissions) are based on these groups. See Section 8.2. |

The built-in Administrator user account name is renamed during the hardening.
Administrator user account name cannot be used to login to the computer anymore,
ScAdmin must be used instead. This means that before adding new users to the
server, there are two administrative users only: MicroSCADA and ScAdmin.

Keys to password strength: length and complexity

• An ideal password is long and has letters, punctuation, symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in the password, the better.
• Use the entire keyboard, not just the letters and characters used or seen most
often.

This is configured automatically using the security configuration tool.
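An added PowerShell check (not from the guideline or the security configuration tool) for the account state described in Table 4 and the caution above: the built-in Administrator (RID 500) renamed to ScAdmin, only MicroSCADA and ScAdmin in the Administrators group, and the Sc* standard users neither elevated nor unexpectedly enabled. The expected names come from the guideline; it assumes the local accounts cmdlets (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the guideline): audit local Windows accounts against
# the names and privileges listed in Table 4 of Section 6.15.

$expectedAdmins = @('MicroSCADA', 'ScAdmin')                 # the two administrative users after hardening
$standardUsers  = @('ScEngineer', 'ScOperator', 'ScViewer')   # standard users, disabled by default

function Get-BuiltInAdministratorName {
    # The built-in Administrator keeps RID 500 whatever name it is given.
    (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
}

function Test-Sys600AdminAccounts {
    $computer = [regex]::Escape($env:COMPUTERNAME)
    # Members come back as 'HOST\name' for local accounts; strip the host prefix.
    $members = @(Get-LocalGroupMember -Group 'Administrators' |
                 ForEach-Object { $_.Name -replace "^$computer\\", '' })

    $builtIn     = Get-BuiltInAdministratorName
    $unexpected  = @($members | Where-Object { $_ -notin $expectedAdmins })
    $elevatedStd = @($standardUsers | Where-Object { $_ -in $members })
    $enabledStd  = @(Get-LocalUser | Where-Object { $_.Name -in $standardUsers -and $_.Enabled }).Name

    $findings = @()
    if ($builtIn -ne 'ScAdmin') { $findings += "built-in Administrator is '$builtIn', expected ScAdmin" }
    if ($unexpected.Count)      { $findings += "unexpected Administrators members: $($unexpected -join ', ')" }
    if ($elevatedStd.Count)     { $findings += "standard users with admin rights: $($elevatedStd -join ', ')" }
    $summary = if ($findings.Count) { $findings -join '; ' } else { 'OK' }

    [pscustomobject]@{
        BuiltInAdministratorName = $builtIn
        AdministratorsMembers    = ($members -join ', ')
        EnabledStandardUsers     = ($enabledStd -join ', ')   # informational: enabled on purpose by end-users
        Findings                 = $summary
    }
}

Test-Sys600AdminAccounts | Format-List
```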

6.16 Application allowlisting

Windows AppLocker is a feature of the Windows OS that allows the user to specify which users or
groups can run particular applications in the organization based on unique identities of files. If
AppLocker is used, rules to allow or deny applications from running can be created. Today's
organizations face a number of challenges in controlling application execution, including the
following:

• Which applications should a user have access to run?
• Which users should be allowed to install new software?
• Which versions of applications should be allowed? [APPLOC12]

This is configured automatically using the security configuration tool. See Appendix E.


6.17 Backing up and restoring

The following instructions are taken from [SYSCUG].

6.17.1 Taking backup

Backing up the MicroSCADA X server with disc imaging software (for example Acronis True Image or
Norton Ghost) is highly recommended. The image should be saved on a network drive or on a USB
flash drive. Refer to the instructions from the disc imaging software manufacturer on how to
accomplish this.

Recommendations for image backup:

• Servers: every 3 months.
• Workplaces: every 6 months.

This has to be done manually.

6.17.2 Restoring backup

The method for restoring the disc image depends on the disc imaging software. Refer to the
instructions from the disc imaging software manufacturer on how to accomplish this.

This has to be done manually.

6.18 LLMNR/NetBIOS and resolving hostnames

Link-Local Multicast Name Resolution (LLMNR) is a protocol which is used for resolving IP
addresses from host names when no DNS server is available in the environment. It has been
reported recently that LLMNR has serious protocol-level security issues, which cannot be easily fixed.
Unfortunately the functionality it provides is necessary in non-domain environments where a DNS
server is not available. This basically means many environments where only one or two SYS600
installations are running in a standalone configuration.

NetBIOS over TCP/IP (NBT-NS) is a protocol which predates LLMNR and offers the same functionality.
It also has similar security issues, so it should be disabled if the environment does not require it.

This issue can be mitigated in two different ways.

1. Disable LLMNR and NetBIOS name resolving functionality. Use IP addresses instead of names
for communicating.
1.1. Unfortunately the hostnames are in most cases required when TLS certificates are
needed.
2. Disable LLMNR and NetBIOS name resolving functionality. Add the required IP addresses and
hostnames to the C:\Windows\System32\drivers\etc\hosts file on all computers.

LLMNR can be disabled by editing Local Group Policy. In domain environments it should also be
disabled by editing Domain Group Policy in the same way as shown in the next figure.


Figure 12: Local Group Policy Editor

Disabling NetBIOS over TCP/IP (NBT-NS) is not so straightforward, as it must be done individually
for all network interfaces found in the server. The following figure shows how it is done.

Disabling NBT-NS can also cause issues, especially in environments where legacy components or
software is used. So it is strongly advised to test the change thoroughly before applying it to all
production computers.


Figure 13: Disabling NetBIOS setting

The setting can be configured via PowerShell for all available interfaces (NetbiosOptions value 2
means "Disable NetBIOS over TCP/IP"):

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | foreach { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }
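The added PowerShell example below (not from the guideline) covers the rest of this section: it applies the LLMNR policy from Figure 12 through its registry-backed value, verifies the NetBIOS state on every interface after the one-liner above has run, and checks that the hostnames required under mitigation 2 are present in the hosts file. The hostnames in the usage call are constructed placeholders; it assumes an elevated session.

```powershell
# Added example (not from the guideline): disable LLMNR, verify NetBIOS is off on
# all interfaces, and confirm required names are pinned in the hosts file (Section 6.18).

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$nbtKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-Llmnr {
    # The 'Turn off multicast name resolution' policy is stored as EnableMulticast = 0.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
}

function Test-Llmnr {
    $v = (Get-ItemProperty -Path $llmnrKey -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{ Setting = 'LLMNR'; Disabled = ($v -eq 0) }
}

function Get-NetBiosState {
    # NetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
    Get-ChildItem $nbtKey | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            Disabled       = ($opt -eq 2)
        }
    }
}

function Get-HostsEntries {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Parses 'address name [alias ...]' lines, ignoring comments and blank lines.
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2) {
                foreach ($name in $parts[1..($parts.Count - 1)]) {
                    [pscustomobject]@{ Address = $parts[0]; HostName = $name }
                }
            }
        }
    }
}

function Test-HostsEntry {
    param([Parameter(Mandatory)] [string[]] $HostName)
    # Names that TLS certificates are issued for must resolve locally once LLMNR/NBT-NS are off.
    $entries = @(Get-HostsEntries)
    foreach ($h in $HostName) {
        $hit = @($entries | Where-Object { $_.HostName -ieq $h })
        [pscustomobject]@{
            HostName    = $h
            InHostsFile = ($hit.Count -gt 0)
            Address     = (($hit | ForEach-Object { $_.Address }) -join ',')
        }
    }
}

Disable-Llmnr
Test-Llmnr
Get-NetBiosState | Where-Object { -not $_.Disabled }        # interfaces still running NetBIOS
Test-HostsEntry -HostName 'sys600-server-1', 'sys600-server-2'   # constructed placeholder names
```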


Section 7 Configuring security settings for SYS600, SYS600 Historian and DMS600 workplaces

To harden the workplace computers, see Appendix A 1.2.

The preferred technology between the SYS600 server and the remote workplace computer is
Workplace X or WebUI (via browser). For more information about opening monitors, see [SYSINS,
Opening SYS600 Monitor Pro].

To support applications not built with the new graphics, a monitor (Monitor Pro or classic monitor)
needs to be opened. For this purpose an installation of the SYS600 software on SYS600 Workplace
computers is not required. It is enough that the SYS600 Workplace computer has software installed
enabling a remote connection to the SYS600 Server. A monitor can be opened either on the server
computer or through a remote connection. If the SYS600 Workplace is a remote computer, the
connection to the server computer is established over the network by using the remote client. By
default, the SYS600 service is started on the server directly after Windows has been started. This is
an automatic startup of the service, that is, no user needs to log in.

Windows automatic logon feature has been used on the server machine to
automatically open MicroSCADA monitors in remote SYS600 workplaces. However,
the use of this feature of the Windows operating system is not recommended since
Windows stores the user name and the password in cleartext in the Windows
registry, which is a security risk.

7.1 Securing Vtrin client and SYS600 Historian server communication

Historian server installation creates a self-signed certificate, which is used to encrypt communication
between the Vtrin client and the Historian server. The certificate is imported to the workstation
computer where the Vtrin client is to run. For more information, see [HISADM, Managing Client
Software Distribution].


Section 8 Configuring security features in SYS600, SYS600 Historian and DMS600 products

This section lists the security features such as user account management and authorization available
in the MicroSCADA X products.

All the settings presented in this section have to be configured manually.

8.1 User account management

MicroSCADA X products SYS600 and DMS600 have their own user account management and they
allow user account creation, modification, and removal. They support several user accounts. The
products allow user roles with individually configurable permissions. User names are associated with
a certain user profile that restricts the user's access rights to the system. For Windows operating
system related user accounts, see Section 6.15. SYS600 Historian authentication is based on
Windows user accounts. It does not have user management of its own.

SYS600 supports local and centralized user account management scenarios. For centralized
management, a separate feature, Authentication Service, has to be installed, which then communicates
with the SDM600 server. For more information, see [SYSINS, Authentication Service].

Windows single sign-on

From SYS600 9.4 FP2 HF2 version onwards there is Windows single-sign-on (SSO) functionality.
For more information, see [SYSOBJ, WS attribute] and [SYSAPL, Windows single sign-on].

Currently SSO is not supported with Workplace X.


Table 5: SYS600, SYS600 Historian and DMS600 users and groups

| User account type | Name | Password | Privileges | Remarks |
|---|---|---|---|---|
| SYS600 application | Configurable | Configurable | Administrator | There are no preconfigured user accounts in the SYS600 application. By default, the first user logging onto SYS600 Monitor Pro after the SYS600 installation automatically gets system administrator privileges and is able to use the user account management tools for SYS600. For more information, see [SYSAPL, User Management]. |
| SYS600 application (anonymous user) | Configurable | N/A | Configurable | There are no anonymous users by default in the SYS600 application. However, it is possible to create, for example, a user having no password and with viewer privileges. For more information, see [SYSAPL, User Management]. Caution: By enabling this feature the product behavior is against industry cyber security recommendations/standards. It enables operating the system from a remote computer anonymously with admin privileges (if configured). |
| SYS600 CET/MS SQL Server database | SystemUser | Configurable | Administrator | Created during SYS600/CET installation. Password can be changed from CET or by using SQL Server tools. SQL Server database users cannot be used for login to the Windows operating system. By default, Mixed mode authentication is configured by the SYS600/CET installation. |
| SYS600 CET/MS SQL Server database | sa | Configurable | Administrator | Created during SYS600/CET installation. Password can be changed from SQL Server tools, see link. |
| SYS600 IEC62351-5 based authentication for DNP3 and IEC60870-5-101/104 | Configurable | N/A | Configurable | Created during communication engineering (Authority Tool) if IEC62351-5 based authentication is enabled. |
| SYS600 communication protocols | Configurable | Configurable | Configurable | Created during communication engineering. For example, IEC 61850 MMS and FTP protocol users and passwords may be needed for communication to IEDs, for example, for disturbance recording. Other protocols such as LON, SPA, IEC60870-5-101, IEC60870-5-104 may require protocol specific user credentials. |
| SYS600 Historian | Configurable | Configurable | Configurable | SYS600 Historian uses Windows user accounts. It does not have separate user management of its own. These users have to be assigned a membership to rtdb-* Windows groups. |
| DMS600 WS/NE | ADMIN | Configurable | Administrator | Created during DMS600 installation. To prevent unauthorized access to the system, the password of this user has to be changed right after the DMS600 installation. |
| DMS600 MS SQL Server database | sa | Configurable | Administrator | Created during DMS600 installation when MS SQL Server Express is installed. This user is automatically created by the Express installation and it is by default disabled. Password can be changed from SQL Server tools, see link. By default, Windows authentication is used by DMS600. |
| DMS600 SCIL API (removed in DMS600 version 4.6) | Configurable | Configurable | Administrator | Created during DMS600-SYS600 interoperability configuration. This is a legacy protocol: the use of SCIL API has been replaced with OPC communication. Caution: User credentials are stored in plaintext in the filesystem. |

To configure user accounts in SYS600:

1. Open SYS600 Monitor Pro.
2. Open Tools/Engineering Tools/User Management...

To get information about user accounts in SYS600 Historian:

1. Open the Vtrin client.
2. Select Maintenance > System > Users to get information about users.
3. Select Maintenance > System > Vtrin > Roles to manage and get information about roles.

To configure user accounts in DMS600:

1. Open DMS600 Workstation.
2. Select Settings > User Manager...

In addition to user roles, DMS600 also has a region management for each user.

8.2 File system permissions

File system permissions restrict user access to the product installation directory and system files, and
they also allow granting more permissions to non-admin user accounts. MicroSCADA X supports
running operator applications such as SYS600 Monitor Pro, DMS600 Workstation and the Vtrin historian
client under non-admin user accounts. The following file system permissions are deployed by the
security configuration tool:


| Windows user groups | Permissions |
|---|---|
| ScViewers, ScOperators | Read and execute permissions to the product installation directory. In SYS600, modify permissions are given to the sc\apl\<aplname>\PAR and PICT directories to write user or tool specific information. These permissions are required by Monitor Pro, for example. In DMS600, modify permissions are given to the DMS600\doc and logs directories. These permissions are required by DMS600 Workstation and Network Editor, for example. |
| ScEngineers, ScSysAdmins | Full permissions to the product installation directory. The user running the security configuration tool is automatically assigned to the ScSysAdmins group. These permissions are required by engineering tools, for example, those available in the Tool Manager dialog and also Communication Engineering Tool (SYS600). |
| RTDB-admin, RTDB-operator, RTDB-readonly | In addition to file system permissions, in SYS600 Historian these groups are used to limit access to the Vtrin tree. RTDB-admin: Apply Vtrin administrator users (for example Administrator and MicroSCADA) as members of this group to have full access within the Vtrin user interface. RTDB-operator: Apply Vtrin users (for example Engineer) as members of this group to have limited access control to the tree view nodes/leafs and to have those hidden. RTDB-readonly: Apply Vtrin users (for example User) as members of this group to have mostly Read and Execute access rights. |
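An added PowerShell audit (not from the guideline or the security configuration tool) that reads the ACL entries granted to the Sc* groups on the SYS600 installation directory and on one application's PAR and PICT directories, and compares them with the table above. The installation root C:\sc is taken from the guideline; the application name APL_1 is a constructed placeholder for <aplname>.

```powershell
# Added example (not from the guideline): compare the NTFS rights of the Sc* groups
# with the permissions table in Section 8.2. Paths are C:\sc from the guideline and a
# constructed <aplname> placeholder 'APL_1'.

function Get-GroupAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group
    )
    # Allow ACEs for the group; local groups show up as 'HOST\Group' or 'BUILTIN\Group'.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match "\\$Group$" } |
        ForEach-Object { [string]$_.FileSystemRights }   # e.g. 'ReadAndExecute, Synchronize'
}

function Test-Sys600FilePermissions {
    param([string] $Root = 'C:\sc', [string] $AplName = 'APL_1')
    # Expected rights per the table; Forbid lists rights that would exceed the table.
    $checks = @(
        @{ Path = $Root; Groups = 'ScViewers','ScOperators';   Expect = 'ReadAndExecute'; Forbid = @('Modify','FullControl') }
        @{ Path = $Root; Groups = 'ScEngineers','ScSysAdmins'; Expect = 'FullControl';    Forbid = @() }
        @{ Path = "$Root\apl\$AplName\PAR";  Groups = 'ScViewers','ScOperators'; Expect = 'Modify'; Forbid = @('FullControl') }
        @{ Path = "$Root\apl\$AplName\PICT"; Groups = 'ScViewers','ScOperators'; Expect = 'Modify'; Forbid = @('FullControl') }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { Write-Warning "missing path: $($c.Path)"; continue }
        foreach ($g in $c.Groups) {
            $rights       = @(Get-GroupAccess -Path $c.Path -Group $g)
            $hasExpected  = [bool]($rights | Where-Object { $_ -match $c.Expect })
            $hasForbidden = [bool]($c.Forbid | Where-Object { $f = $_; $rights | Where-Object { $_ -match $f } })
            [pscustomobject]@{
                Path     = $c.Path
                Group    = $g
                Rights   = ($rights -join ' | ')
                Expected = $c.Expect
                OK       = ($hasExpected -and -not $hasForbidden)
            }
        }
    }
}

Test-Sys600FilePermissions | Format-Table -AutoSize -Wrap
```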

8.3 Password policies

MicroSCADA X products support passwords with alphanumeric and special characters. Uppercase
(A-Z) and lowercase (a-z) characters as well as characters from other character sets (localization)
are also supported. Password handling is case-sensitive.

By default, password complexity is disabled. The system administrator may enable password
complexity. Other settings include a minimum password length, as well as forcing different characters
to be used in the password (a combination of alphanumeric and special characters). The maximum
password length is 63 bytes (63 ASCII characters).

To configure password policies in SYS600:

1. Open SYS600 Monitor Pro.
2. Open Tools/Engineering Tools/User Management...
3. In the user management dialog, open Tools/Password Policy...

For more information, see [SYSAPL, User Management].

SYS600 Historian user accounts are managed by the Windows operating system, see secpol.msc >
Account Policies > Password Policy.

To configure password policies in DMS600:

1. Open DMS600 Workstation.
2. Open Settings > User Manager...
3. In the user management dialog, open Password Policy...

For more information, see [DMSSYS].


Keys to password strength: length and complexity

• An ideal password is long and has letters, punctuation, symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in the password, the better.
• Use the entire keyboard, not just the letters and characters used or seen most
often.

8.4 Authentication and authorization

There is individual user authentication to control access to MicroSCADA X products that allows
tracing operations back to individual user accounts for the purpose of accountability. Products
support role management that can be given individually configurable permissions, which are used in
authorization. For more information, see:

• [SYSAPL, sections User Management and Authorization]
• [DMSSYS, sections User and Region Management and User Level Rights]
• [HISADM, sections Access Control and Roles]

8.5 User session and inactivity time-out

MicroSCADA X SYS600, SYS600 Historian and DMS600 workstations operate in Windows operating
system and Windows offers multiple possibilities for controlling the user session after the specified
time of inactivity.

If it is required that the workstation is locked automatically after the specified time of inactivity, there
are two possible ways to configure this in Windows systems: By configuring screensaver with
password protection individually for all users, or by configuring machine inactivity timeout limit via
Local Policies (standalone computer) or Group Policies (domain joined computer).

Screen saver

The screensaver way means that when the screensaver is activated, the workstation is locked and
when the user wants to continue work, Windows prompts for password.

The following configuration change is per user, so it must be done for all users.

1. Open the Start menu and open the Settings dialog.
2. Start typing 'lock screen' in the text box and select 'Lock screen settings'.
3. Scroll down and select 'Screen saver settings'.
4. Enable the 'On resume display log-on screen' check box and click 'OK'.


In addition to Screen saver settings, display power off is controlled via system power settings. Open
the Settings dialog as described above in step #1 and start to write 'power' to the search box.


Local/Group Policies or Registry


It is also possible to configure the behavior for locking Windows via machine wide inactivity timeout
config. This can be configured via Local Policy for standalone workstations or Group Policy for
domain joined workstations.

The Local Policy can be edited, for example, by opening the Start menu and typing 'group policy'
until the Local Group Policy Editor is found.


In the Local Policy editor, navigate to the following path and configure the required timeout in
seconds.

Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Security Options -> Interactive logon: Machine inactivity limit


The same policy path is available in Group Policies in domain environments.

That policy actually configures the following registry value, so it can also be edited directly. If the
DWORD value is missing, it can be added manually.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\

DWORD: InactivityTimeoutSecs
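The PowerShell below is an added example (not from the guideline): it writes the InactivityTimeoutSecs value named above and reports the effective lock time from both methods this section describes, the machine-wide inactivity limit and the current user's screen saver lock. The 900-second limit is a constructed sample value; it assumes an elevated session for the HKLM write.

```powershell
# Added example (not from the guideline): configure and verify automatic session
# locking for Section 8.5. 900 s is a constructed sample; use the site's required limit.

$sysPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desktopKey   = 'HKCU:\Control Panel\Desktop'

function Set-MachineInactivityLimit {
    param([Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $Seconds)
    # Set-ItemProperty creates the DWORD when it is missing, as the manual step above notes.
    Set-ItemProperty -Path $sysPolicyKey -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

function Get-InactivityLockStatus {
    $sys = Get-ItemProperty -Path $sysPolicyKey -ErrorAction SilentlyContinue
    $dsk = Get-ItemProperty -Path $desktopKey   -ErrorAction SilentlyContinue

    # 0 or a missing value means the machine-wide limit is not configured.
    $machineLimit = if ($sys.InactivityTimeoutSecs) { [int]$sys.InactivityTimeoutSecs } else { 0 }

    # Per-user screen saver values (REG_SZ strings): ScreenSaveActive, ScreenSaverIsSecure
    # ('On resume, display logon screen') and ScreenSaveTimeOut in seconds.
    $ssLocks   = ($dsk.ScreenSaveActive -eq '1') -and ($dsk.ScreenSaverIsSecure -eq '1')
    $ssTimeout = if ($dsk.ScreenSaveTimeOut) { [int]$dsk.ScreenSaveTimeOut } else { 0 }

    # Whichever configured mechanism fires first determines the effective lock time.
    $candidates = @()
    if ($machineLimit -gt 0)            { $candidates += $machineLimit }
    if ($ssLocks -and $ssTimeout -gt 0) { $candidates += $ssTimeout }
    $effective = if ($candidates.Count) { ($candidates | Measure-Object -Minimum).Minimum } else { $null }
    $finding   = if ($effective) { "session locks after $effective s" } else { 'RISK: no automatic lock configured' }

    [pscustomobject]@{
        MachineInactivityLimitSecs = $machineLimit
        ScreenSaverLocksSession    = $ssLocks
        ScreenSaverTimeoutSecs     = $ssTimeout
        EffectiveLockAfterSecs     = $effective
        Finding                    = $finding
    }
}

Set-MachineInactivityLimit -Seconds 900
Get-InactivityLockStatus | Format-List
```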

MicroSCADA

The SYS600 product also has a user session inactivity time-out after a certain period of time. The
time period is given in hours (from 1 to 255). It is also possible to configure session expiration
notifications. When a user is logged out from SYS600 after the time period, the user is also logged
out from DMS600.

To configure user session and inactivity time-out in SYS600:

1. Open SYS600 Monitor Pro.
2. Open Tools/Engineering Tools/User Management... and select Timeouts.

This setting also affects Workplace X and WebUI sessions. For more information, see [SYSAPL,
User Management].

8.6 User activity logging

The MicroSCADA X system can be configured to log process events, such as a switching device being
opened or closed; these are shown in the event list. In addition, security-related user activity
events are logged. These include events such as:

• Login success/failure
• Logout
• User created/deleted
• Role created/deleted/assigned
• Password changed/expired


In addition, communication modules may log security- and diagnostics-related UAL events; see the
protocol-specific manuals for details.

These events can also be forwarded to external log servers such as Syslog or ArcSight. The
Windows operating system also records events of its own, which can be viewed with Windows Event
Viewer.

For more information, see [SYSCON, User Account Logging] and [DMSSYS, User Activity Logging]
and [HISADM, Diagnostics].

8.7 SYS600 hardening options

SYS600 system configuration settings are protected through file system permissions and restrictions
on remote connections. Workplace X and WebUI are the preferred ways to use the application. However,
for backward compatibility SYS600 Workplaces can still connect to the server through Remote
Desktop Services. The remote connection should be configured so that the SYS600 Workplace user has
access only to the SYS600 Monitor Pro application, that is, no permission to open other applications
on the server machine. For more information, see [SYSINS, SYSCON].

File system permissions are configured automatically during the installation of SYS600. The remote
connection has to be configured manually.

The SYS600 base system contains the system hardening attribute SYS:BHD, which is used to toggle
certain cyber security features on and off. The exact list of attributes and their values is
described in the SYS600 Base System Objects manual. The default values are recommended when the
system is set up. On production systems, REQUIRE_KNOWN_ACP_CERTIFICATE should be set to TRUE. In
certain legacy configurations it may be necessary to turn some security features off; this should be
done only when the system cannot be set up otherwise. For more information, see [SYSCON, Encrypted
communication].

8.7.1 PostgreSQL related firewall configuration

MicroSCADA X uses PostgreSQL to store user settings related to Workplace X. In single-node systems
the PostgreSQL connection is needed only from localhost, but in HSB configurations the remote HSB
pair needs the PostgreSQL port to be open. By default this is TCP port 5432, but custom
configurations may use a different port.

SCM creates the required firewall rules for PostgreSQL connections; these rules are disabled by
default and their Remote Address is set to 127.0.0.1.

Before SCM 1.6, which was released with SYS600 10.2, the rules were enabled and Remote Address was
set to Local Subnet.

If you are not using SCM in your systems, you can create the rule(s) manually.

Figure 14: Firewall rules for PostgreSQL created by SCM

When configuring the HSB system, enable the firewall rule and allow connections only from the
remote HSB server. This must be done on all HSB servers.


1. Go to Start/Windows Defender Firewall with Advanced Security.
2. Select Inbound Rules.
3. Find the sys600: pgsql rule, right-click the rule with the correct Profile (Domain or Private,
   depending on whether this server is domain joined or not) and select Properties.
4. Go to the Scope tab, add/edit the correct remote HSB server IP address and click OK.
   You can add multiple remote addresses, if necessary.
5. Go to the General tab, select Enabled and click OK.
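As an added example (not part of the guideline), the following PowerShell performs the same steps with the NetSecurity cmdlets and reads the result back; the peer address 192.0.2.20 is a placeholder and the rule name is the one shown in Figure 14.

```powershell
# Added example, not part of the guideline: scope the SCM-created "sys600: pgsql"
# inbound rule to the remote HSB server and enable it, then verify the result.
function Set-HsbPostgresRuleScope {
    param(
        # IP address(es) of the remote HSB pair; 192.0.2.20 below is a placeholder
        [Parameter(Mandatory)][string[]]$PeerAddress,
        # Domain for a domain-joined server, Private otherwise (as in step 3 above)
        [ValidateSet('Domain', 'Private')][string]$Profile = 'Private',
        [string]$RuleName = 'sys600: pgsql'
    )
    # SCM creates a rule instance per profile; pick the one that applies to this server
    $rule = Get-NetFirewallRule -DisplayName $RuleName -Direction Inbound |
            Where-Object { $_.Profile -match $Profile } |
            Select-Object -First 1
    if ($null -eq $rule) {
        throw "Inbound rule '$RuleName' for profile $Profile not found; enforce the SCM baseline first."
    }
    # Replace the default 127.0.0.1 scope with the peer address(es) and enable the rule.
    # Only the listed peers may reach PostgreSQL; every other source stays blocked.
    $rule | Set-NetFirewallRule -RemoteAddress $PeerAddress -Enabled True
    # Read back the effective scope so the change can be verified
    $scope = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        Enabled       = (Get-NetFirewallRule -Name $rule.Name).Enabled
        RemoteAddress = $scope.RemoteAddress
    }
}

# Run on every HSB server, each time giving the other server's address
Set-HsbPostgresRuleScope -PeerAddress '192.0.2.20' -Profile 'Private'
```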

Figure 15: Adding the IP address of the remote HSB pair to the firewall rule

Figure 16: Enabling the PostgreSQL firewall rule

Now the rule is enabled and the connection is allowed only from the remote HSB server IP, as
shown in Figure 17.

Figure 17: PostgreSQL firewall rule is enabled with the correct remote IP address


8.7.2 SYS600 Notify

SYS600 Notify is a service for viewing the status of the SYS600 server. In addition to normal notify
messages from MicroSCADA applications, it shows system messages and errors during start-up,
runtime and shutdown.

SYS600 Notify is a read-only monitoring service, available by default on TCP port 21850. In
single-node systems this port should not be opened in the firewall, as it is normally needed only on
localhost.

If the system architecture requires that this service is also accessed remotely, the firewall
configuration must allow connections only from the required, explicitly specified remote addresses.
Port information is also found in Appendix B.

8.8 SYS600 Historian hardening options

8.8.1 Securing Data source and Historian server communication

The SYS600 data source connection to the Historian server database is established using WebSocket
Secure communication (SYS600 Historian 1.2 or later). The connection string to be used in the
SYS600 database logging profile configuration is wss://<host>/history. For more information about
data source configuration, see [SYSCON, Historian] and [SYSAPL, SYS600 Historian].

8.9 DMS600 hardening options

DMS600 system configuration settings are mainly stored in the relational database. Authentication is
required to read from and write to the database. It is recommended to use Windows authentication
with the preconfigured Windows groups, such as ScViewers and ScOperators, to access the database.
For more information, see [DMSINS, Database Server Installation].

TLS version 1.0 is flagged as an old version (since July 2018) by several security auditing tools
based on PCI DSS (the payment card industry security standard). Because DMS600 uses WCF
communication, the TLS 1.0 setting is enabled in the DMS600 security baseline included in the
security configuration tool (SCM). This is to be changed in future versions. TLS 1.0 is controlled by
the registry setting MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server\Enabled.

DMS600 Workstation and Network Editor can be opened without admin rights (as a Windows standard
user). Some file system permissions are needed for this; they are configured automatically by the
security configuration tool.

8.10 Certificate management

Private keys used in encrypted communication should not be left unprotected in the file system and
must be protected with access control lists (ACLs). Verify that only users who need read/write
access have permissions on the private keys; normally this is the Administrators group in Windows.
The SYS600 10.x installation protects many of the certificates listed below automatically. However,
in customer deployments the access control lists of the certificates needed, for example, in DNP 3.0
and IEC 60870-5-104 secure communication must be configured manually.
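As an added example (not from the guideline), the PowerShell below lists every ACL entry on key files in a directory that grants access to an identity outside an allowed list, and tightens a file's ACL to that list. The directory sc\prog\pc_net\certs\ is the guideline's own example location; the C: drive and the allowed identities are assumptions, and any service account that must read a key (such as LocalService for the web server certificate) has to be added to that list.

```powershell
# Added example, not part of the guideline: audit and tighten ACLs on PEM private keys.
function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)][string]$KeyDirectory,
        # Identities that may hold access; extend with the service account that reads the key
        [string[]]$AllowedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
        [string[]]$KeyPatterns = @('*.key', '*.pem', '*.pfx')
    )
    Get-ChildItem -Path $KeyDirectory -Include $KeyPatterns -Recurse -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Report every Allow entry for an identity outside the allowed list; inherited
            # entries (for example BUILTIN\Users from the parent folder) are the usual finding
            if ($ace.AccessControlType -eq 'Allow' -and $AllowedIdentities -notcontains $id) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Protect-KeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and do not keep copies of the inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every remaining explicit entry, then grant only the allowed identities
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in $AllowedIdentities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit the guideline's example directory (drive letter assumed) and fix every finding
$certDir = 'C:\sc\prog\pc_net\certs'
Get-UnexpectedKeyAccess -KeyDirectory $certDir | Format-Table -AutoSize
Get-UnexpectedKeyAccess -KeyDirectory $certDir |
    Select-Object -ExpandProperty File -Unique |
    ForEach-Object { Protect-KeyFile -Path $_ }
```

Run the audit alone first and review the output before applying Protect-KeyFile, since a key read by a protocol service under its own account needs that account in the allowed list.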


Secure communication such as HTTPS uses private keys and public certificates to encrypt
communication channels. By default, self-signed certificates are generated when the product is
initialized. It is recommended to replace the self-signed certificates with certificates generated
by, for example, an internal certificate authority (CA). The following table lists the certificates
used in SYS600.

Table 6: Certificates used in SYS600

For each certificate, the entry gives its description and usage, location, protection, whether
externally generated certificates are supported, and remarks.

Web server secure communication (HTTPS): private key and public certificate (self-signed certificate)
• Location: Windows certificate store > Certificates (Local Computer) > Personal > Certificates: MicroSCADA
• Protection: Self-signed certificate is accessible for the Administrators group and the LocalService account in the Windows certificate store.
• Supports externally generated certificates: Yes
• Remarks: Self-signed certificate is created at MicroSCADA startup. Documentation: see System Configuration Manual > Configuring web server.

IEC 60870-5-104 secure communication between master and slaves: IEC 60870-5-104 secure authentication (IEC/TS 62351-5) with TLS (IEC 62351-3). TLS should only be used when secure authentication is configured. By default, there is no secure authentication.
• Location: The location of the private key and public certificates can be chosen freely, for example, by creating a new directory such as sc\prog\pc_net\certs\.
• Protection: ASCII PEM format, human readable. Passphrase protection can be configured.
• Supports externally generated certificates: Yes
• Remarks: Self-signed certificate is created according to the IEC 60870-5-104 protocol settings if configured. Documentation: SYS600 IEC 60870-5-104 Slave Protocol Manual > Instructions > Configuration > Communication system configuration > Security attributes; SYS600 System Configuration Manual > Configuration > Configuring process communication > Configuring process communication units > Secure communication using TLS (IEC 62351-3).

DNP 3.0 secure communication between master and slaves: DNP 3.0 v5 secure authentication (IEC/TS 62351-5) with TLS (IEC 62351-3). TLS should only be used when secure authentication is configured. By default, there is no secure authentication.
• Location: See IEC 104 above.
• Protection: See IEC 104 above.
• Supports externally generated certificates: Yes
• Remarks: Self-signed certificate is created according to the DNP 3.0 protocol settings if configured. Documentation: SYS600 DNP v3.00 Slave Protocol Manual > Instructions > Configuration > Communication system configuration > Security attributes; SYS600 System Configuration Manual > Configuration > Configuring process communication > Configuring process communication units > Secure communication using TLS (IEC 62351-3).

Hot-stand-by (HSB) replication secure communication: private key and public certificate (self-signed certificate)
• Location: sc\sys\active\sys_\keys file or directory
• Protection: ASCII PEM format, human readable.
• Supports externally generated certificates: No
• Remarks: Self-signed certificate is created at MicroSCADA startup. Documentation: SYS600 System Configuration Manual > Encrypted communication.

Postgre database replication secure communication
• Location: Programdata\abb\microscada pro\postgresql\postgredata\server.key and Programdata\abb\microscada pro\postgresql\postgredata\server.crt
• Protection: ASCII PEM format, human readable.
• Supports externally generated certificates: Yes
• Remarks: Self-signed certificate is created at MicroSCADA startup. Documentation: No

Remote desktop protocol (RDP)
• Location: Windows certificate store > Certificates (Local computer) > Remote desktop > Certificates
• Protection: Self-signed certificate is accessible for the Administrators group only in the Windows certificate store. The private key cannot be exported.
• Supports externally generated certificates: Yes
• Remarks: By default, a self-signed certificate is created for RDP by Windows. Users can replace this. However, from the security perspective it is more important to configure Network Level Authentication (NLA) for RDP. Documentation: Using custom certificate in RDP, see link. Configure NLA, see link.

Used for DuoDriver drivers
• Location: Sc\setup\duodriver\vendor.cer
• Protection: -
• Supports externally generated certificates: -
• Remarks: Included in the installation package. Do not modify. Documentation: Duodriver 5.0 Installation Guide.

Used for license protection
• Location: Sc\prog\61850_opc_server\cet\bin\iec61850 libraries\chpau.pfxserver.key
• Protection: -
• Supports externally generated certificates: -
• Remarks: Included in the installation package. Do not modify. Documentation: No

8.11 Resetting administrator password

This feature is used if the SYS600 system administrator's user name or password is lost. In this
case, it is possible to log in to the system using a temporary password. For more information, see
[SYSOBJ, EY attribute].

The same applies if the DMS600 administrator's user name or password is lost. To reset the password:

1. Open the relational database and find the user management table.
2. Remove the user account 'admin'.
3. Close the database and log in with the 'admin' user name, see [DMSSYS, User Management].
   Change the password immediately.

8.12 Backdoors

The following feature has a backdoor to the system: Resetting administrator password.

To reset the SYS600 administrator password, the Windows user has to have administrative privileges
on the Windows operating system. If an attacker has these privileges, the system has already been
compromised and it is, for example, possible to install a keylogger to capture the users and
passwords of the industrial control system.


Section 9 Standard compliance statement

Cyber security has been the subject of standardization initiatives by ISA, IEEE and IEC for some
time. Hitachi Energy plays an active role in all these organizations, helping to define and
implement cyber security standards for power and industrial control systems. Hitachi Energy
participates in the development by delegating subject matter experts to the committees working on
the respective standards.

Hitachi Energy strongly recommends also using the common security measures available on the
market, for example, a VPN for secure Ethernet communication.

Table 7: Overview of cyber security standards

Standard | Main focus
NERC CIP | NERC CIP cyber security regulation for North American power utilities
IEC 62443-4-1, IEC 62443-4-2 | Product and product development security
IEC 62351 | Data and communications security
IEEE 1686 | IEEE standard for substation intelligent electronic devices (IEDs) cyber security capabilities

Hitachi Energy has identified cyber security as a key requirement and has developed a large number
of product features to support the international cyber security standards such as NERC CIP, IEEE
1686 and IEC 62351/62443.


Appendix A Quick Configuration Guideline

This section describes, in simple steps, the configuration of the computers (both servers and
workplaces) used in MicroSCADA X systems.

To reduce the risk of malware being planted in the system during the engineering phase, it is
recommended to deploy the security settings right after installing the MicroSCADA X software and to
take basic security steps to secure all computers in the system. The MicroSCADA X product includes
a security configuration tool for configuring several security categories on the computer:

• Windows users and groups: Users and respective groups are created according to IEC 62351
roles. Non-admin user accounts are automatically created. Note that configurations of other
security categories, namely Application Allowlisting, Local security policy, and File system
permissions, are based on these groups.
• Firewall: Enables firewall and preconfigures product specific ports. Communication protocols
are by default blocked.
• Local security policy: Secures the computer with Password policy, Account policy etc.
• Services: Unnecessary services are disabled.
• Windows standard user/File system permissions: Restricts user access to MicroSCADA X
installation folder and assigns permissions for non-admin user accounts automatically.
• Audit policies: Configures what events are logged into Windows event logs.
• Application allowlisting: Windows AppLocker is used to restrict access to programs.


The security configuration tool overrides the current security configuration of the computer.

This may be a problem if some third-party software has made changes to the system, for example, to
firewall rules. If these changes are known, they can be defined in a custom baseline, which is then
enforced along with the MicroSCADA X baselines, thus reducing the problems. In addition to firewall
rules, local security policies and especially user rights assignments may cause problems. The
security configuration tool is designed to take into account user rights where a group other than a
built-in Windows group is used. For example, if some third-party backup software has created an
individual Windows user account and changed user rights, the security configuration tool does not
remove that setting.

Windows user accounts and groups/local security policies

During hardening, Windows user accounts and groups are created and the built-in Administrator user
account is renamed. The Administrator user account name can no longer be used to log in to the
computer; ScAdmin must be used instead. However, the home folder is still named Administrator. The
created users and groups are:

• Administrator renamed to ScAdmin (member of Administrators)
• ScEngineer, ScOperator, and ScViewer (members of Windows standard users; the accounts are
  disabled by default)
• ScSecAdmins, ScSecAuditors, ScRBACManagers, ScSysAdmins, ScEngineers, ScOperators, and
  ScViewers groups

The tool's configuration of other security areas, such as Local security policy and Application
allowlisting, is based on these users and groups.

It is recommended to deploy security settings locally to avoid remote access denied problems.

Before configuring security settings, the server should be updated with the latest service packs
and security updates.

User Account Control (UAC)

A user with administrative privileges starts programs with non-admin privileges by default. If
administrative privileges are needed, for example, to write a file to a location in the file system
where Windows standard users do not have write permission, the write fails. Start programs with
"Run as administrator" if you need administrative privileges. A consent dialog is shown indicating
that the program is about to run with administrative privileges.

For more information, see Appendix A 1.5.

Create strong passwords

• An ideal password is long and has letters, punctuation, symbols, and numbers.
• Whenever possible, use at least 14 characters.
• The greater the variety of characters in the password, the better.
• Use the entire keyboard, not just the letters and characters used or seen most often.

1.1 Downloading and Installing SCM tool

Security Compliance Manager (SCM) was previously delivered with SYS600 and DMS600
installation packages, but is now delivered separately. It can be downloaded from the MicroSCADA
Partner Portal.

Steps for installation:

1. Start the downloaded SCM.exe.
2. Click Install.
   2.1. The destination folder can be changed, but it is highly recommended to use the default
   path. Changing the installation path is not supported.

1.2 Securing MicroSCADA X server

BIOS SETTINGS

- Password(s) is enabled

- Remote wake-up/Wake on LAN is disabled

MICROSOFT UPDATES

Before configuring security settings, the computer needs to be updated with the latest tested and
certified Windows security updates and service packs. The test results are available on the partner
portal if you are a certified system integrator; if you are an end user, these reports can be made
available to you based on your service agreement.

REMOVE UNUSED PROGRAMS

See Section 6.4

RUNNING HARDENING

To run hardening on the MicroSCADA X server:

1. Browse to \Program Files (x86)\ABB\MicroSCADA Pro\ABB.SCM\ and run the ABB.SCM.exe security
   configuration tool with admin rights, or run "Security Compliance Manager" from the MicroSCADA X
   Start menu folder with admin rights.
2. Check that the selected baselines correspond to the server, for example, Windows Server 2019/
   microscada/SYS600 10 server.
   If several Hitachi Energy products are installed on the server, for example, SYS600 and
   DMS600, follow the instructions on the Help page of the tool.
3. Press Audit. It will take a while to finish. The Log page gives details of the audit process,
   and there is also a log file that can be accessed.
4. After auditing is finished, select all security categories in the tree and press Enforce to
   continue. It will take a while to finish. The Log page gives details of the process, and there
   is also a log file that can be accessed.
5. Reboot the computer.

You can visit the Help page in the security configuration tool at any time.

1.3 Securing MicroSCADA X workplace

BIOS SETTINGS, MICROSOFT UPDATES, REMOVE UNUSED PROGRAMS

Same settings as in MicroSCADA X server are applied, see Appendix A 1.2.

RUNNING HARDENING

To run hardening in the workplace computer:


1. Copy the \Program Files (x86)\ABB\MicroSCADA Pro\ABB.SCM\ folder to a USB stick. From the
   USB stick, run the ABB.SCM.exe security configuration tool.
2. Check that the selected baselines correspond to the computer, for example, Windows 10/
   Microscada/SYS600 10 workstation.
3. Press Audit. It will take a while to finish. The Log page gives details of the audit process.
4. After auditing is finished, select all security categories in the tree and press Enforce to
   continue.
5. Reboot the computer.

You can visit the Help page in the security configuration tool at any time.

1.4 Maintenance

1.4.1 Adding new Windows users

Always assign membership of ScOperators, ScEngineers, ScViewers or ScSysAdmins to a new Windows
user, since the scripts configuring other security areas, such as Local security policy and
application allowlisting, are based on these groups. Do not give administrative rights (membership
of Administrators) to operators, viewers or engineers. Only system administrators should have
administrative rights. Note that Windows standard users or users with fewer privileges need
additional file system permissions to the SYS600 and DMS600 system, see Appendix A 1.4.3.

Preconfigured Windows user accounts and groups are created by the hardening script.

To add a new remote operator and a new system administrator:

1. Add new Windows users, for example, ScOperator2 and ScAdmin2.
2. Add ScOperator2 (non-admin) to the ScOperators and Remote Desktop Users groups.
3. Add ScAdmin2 (admin) to the Administrators and ScSysAdmins groups.

This can be done with the lusrmgr.msc tool or with the following commands at the command prompt:

net user ScOperator2 <password> /add
net localgroup ScOperators ScOperator2 /add
net localgroup "Remote Desktop Users" ScOperator2 /add
net user ScAdmin2 <password> /add
net localgroup ScSysAdmins ScAdmin2 /add
net localgroup Administrators ScAdmin2 /add

1.4.2 Adding/installing new programs

Allowing programs through Windows Firewall

Hardening enables Windows Firewall, blocks each program that has no defined rules, and notifies
the user when a program is blocked.

The default firewall settings in the SYS600 product block all communication protocols, such as DNP,
ELCOM-90 and IEC 60870-5-104. Therefore, the ports for the communication protocols in use must be
opened manually. To customize firewall settings on a single computer:

1. Windows 10/Server 2012 R2/2016/2019: run wf.msc and browse to Inbound Rules. Find the
   communication protocol in the list, for example, "SYS600: DNP 3.0 Slave", and enable or disable
   the rule according to customer specifications. A green balloon means that the traffic is
   allowed; a grey balloon means that the traffic is blocked. Confirm the changes when done.
2. DMS600-specific firewall ports are indicated with the 'DMS600' prefix.


If a new program needs to be allowed to several computers or to each delivered computer, the best
way is to create a custom baseline, which is then enforced to all computers. For more information,
see Help page on the security configuration tool.

The "SYS600:" and "DMS600:" prefixes are used in the rule names to make the settings easier to find.

Allowing programs to run in Windows AppLocker

In current Windows versions, AppLocker is used for application allowlisting.

To allow a program to run on a single computer:

1. Run secpol.msc (Local Security Policy).
2. Browse to Security Settings/Application Control Policies/AppLocker/Executable Rules.
3. Right-click the Rules area, select Create new rule... and enter the following information:
   • Permission: Allow
   • Group: ScEngineers / ScOperators / ScViewers etc.
   • Condition: Publisher (signed) or Path (unsigned)
   • Reference file or Path: browse and select the executable file
   • Name: use a prefix to indicate the user group, for example, "eng: " and "oper: ". See the
     examples in the existing rules.
4. Press Create.

If a new program needs to be allowed to several computers or to each delivered computer, the best
way is to create a custom baseline, which is then enforced to all computers. For more information,
see Help page on the security configuration tool.
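As an added example (not from the guideline), this PowerShell creates such a rule with the AppLocker cmdlets and merges it into the local policy; the executable path and the group are placeholders, and the 'eng: ' prefix follows the naming convention in step 3 above.

```powershell
# Added example, not part of the guideline: allow one executable for one user group,
# with a Publisher rule when the file is signed and a Path rule when it is not.
function Add-GroupAllowRule {
    param(
        [Parameter(Mandatory)][string]$ExePath,    # placeholder path in the call below
        [Parameter(Mandatory)][string]$Group,      # e.g. ScEngineers
        [Parameter(Mandatory)][string]$Prefix      # e.g. 'eng: ', matching the existing rule names
    )
    $info = Get-AppLockerFileInformation -Path $ExePath
    # Publisher (signed) is preferred: the rule survives updates of the binary,
    # whereas a Path rule trusts whatever is placed at that path
    $ruleType = if ($null -ne $info.Publisher) { 'Publisher' } else { 'Path' }
    $policy = New-AppLockerPolicy -FileInformation $info -RuleType $ruleType `
                                  -User $Group -RuleNamePrefix $Prefix -Optimize
    # -Merge keeps the rules the SCM baseline already deployed instead of replacing them
    Set-AppLockerPolicy -PolicyObject $policy -Merge
    # Verify: the effective policy must now report the file as Allowed for the group
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $ExePath -User $Group
}

Add-GroupAllowRule -ExePath 'C:\Tools\ExampleTool.exe' -Group 'ScEngineers' -Prefix 'eng: '
```

Set-AppLockerPolicy needs an elevated prompt, and the Application Identity service must be running for AppLocker rules to be enforced.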

1.4.3 Adding new SYS600 applications

Operators, viewers and engineers can use non-admin Windows user accounts. However, these user
accounts require a few permissions. File system permissions for non-admin users are configured
automatically by the security configuration tool. To prepare the computer for non-admin users:

1. Open the security configuration tool.
2. Audit the computer, select the Windows standard users category for enforcement and press
   Enforce. This prepares all SYS600 applications found under sc\apl for non-admin users.

1.4.4 Adding Windows features

The table below lists the services that have to be changed from the default when the corresponding
functionality is required. For example, to take audio into use, run the following commands for
each service listed for that functionality:

sc config AudioSrv start= auto
sc start AudioSrv

Functionality | Display Name | Service Name
Wireless Connection | Wireless Zero Configuration | WZCSVC
Sounds | Windows Audio | AudioSrv, AudioEndpointBuilder, MMCSS
HASP License Key | Sentinel HASP License Manager | hasplms
Windows Updates | Background Intelligent Transfer Service, Automatic Updates | bits, wuauserv


1.4.5 Troubleshooting

Windows 7 and later versions support network location awareness: the operating system
automatically detects the network location type as Public, Private or Domain. If the computer
automatically changes the network location to Public, where the firewall rules are the most
restrictive, some SYS600 functionality is blocked. The network location of the SYS600 server and
workplace should be Private or Domain. To change the location manually, see Configuring network
location below.

When troubleshooting network problems, it is recommended to check the firewall log (Windows
Firewall: %windir%\pfirewall.log). The firewall can also be disabled temporarily to isolate a
network problem. The Windows event logs, especially the Security, Application and System logs, may
contain events related to security or access problems. Windows AppLocker has its own log, where
blocked applications can be found; it is accessed from Event Viewer/Applications and Services Logs/
Microsoft/Windows/AppLocker. AppLocker can also be set to Audit Only mode, in which applications
are allowed to run and the log records when an application would have been blocked if the rules
were enforced.
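As an added example (not from the guideline), the PowerShell below summarises the inbound DROP entries of that firewall log per protocol and destination port, so that a blocked HSB or Notify connection stands out; the log lines it runs on are constructed for illustration and follow the log's own #Fields header.

```powershell
# Added example, not part of the guideline: summarise inbound drops in pfirewall.log.
function Get-FirewallDropSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$LogLines)
    begin { $rows = @() }
    process {
        foreach ($line in $LogLines) {
            # Skip the W3C header lines (#Version, #Software, #Fields) and blanks
            if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
            $f = $line -split '\s+'
            # Field order from the "#Fields:" header: date time action protocol src-ip dst-ip
            # src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
            if ($f.Count -lt 17) { continue }
            # Keep inbound (RECEIVE) drops only; outbound SEND entries are not firewall blocks here
            if ($f[2] -ne 'DROP' -or $f[16] -ne 'RECEIVE') { continue }
            $rows += [pscustomobject]@{ Proto = $f[3]; Src = $f[4]; DstPort = [int]$f[7] }
        }
    }
    end {
        $rows | Group-Object Proto, DstPort | ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].Proto
                DstPort  = $_.Group[0].DstPort
                Drops    = $_.Count
                Sources  = ($_.Group.Src | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Drops -Descending
    }
}

# Constructed sample: an HSB peer (192.0.2.55) blocked on PostgreSQL 5432 because the
# "sys600: pgsql" rule is still scoped to 127.0.0.1, and a foreign host probing Notify 21850
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-07-12 10:15:03 DROP TCP 192.0.2.55 192.0.2.10 50123 5432 52 S 0 0 0 - - - RECEIVE
2022-07-12 10:15:04 DROP TCP 192.0.2.55 192.0.2.10 50124 5432 52 S 0 0 0 - - - RECEIVE
2022-07-12 10:15:09 ALLOW TCP 192.0.2.10 192.0.2.55 443 50200 0 - 0 0 0 - - - SEND
2022-07-12 10:16:11 DROP TCP 198.51.100.7 192.0.2.10 41000 21850 52 S 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$SampleLog | Get-FirewallDropSummary | Format-Table -AutoSize
# On a real server: Get-Content "$env:windir\pfirewall.log" | Get-FirewallDropSummary
```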

Configuring network location

The firewall profiles associated with the currently detected network location types are the ones
applied to the computer. The Windows Firewall rules in the security baselines are not configured for
the Public network profile, which is used for unidentified networks. The security configuration
tool detects public networks and warns about them.

To check the current network location manually:

1. Open Control Panel/Network and Sharing Center.
2. Check all items in the section View your active networks and their network location.
3. If the network location in use is Public, the network connection needs to be modified.

If a user manually changes the network profile of an unidentified network from the Network and
Sharing Center, the new setting will only apply until a change, such as a new gateway, disconnect/
reconnect, reboot, new IP settings, etc., on that connection occurs. If the network is not a Domain
network and there is no default gateway configured, or the gateway is not available, the network will
be categorized as unidentified and the Public profile and Public firewall policy will be applied to the
computer.

Normally, static IP addressing is used in a MicroSCADA X system. If the network adapter has a
static IP address and a subnet mask but no default gateway, the operating system does not
recognize the network as Private. To change the default gateway from Network and Sharing Center:

1. Click Change adapter settings.
2. Right-click the network adapter, for example, Local Area Connection, and select Properties.
3. Select Internet Protocol Version 4 and click Properties.
4. In the General tab, in addition to the IP address and Subnet mask, add the Default gateway
   address.
5. Click OK.
6. Go back to Network and Sharing Center; the operating system should now have recognized the
   Private network.

For more information, see the Microsoft documentation on Windows Defender Firewall with Advanced
Security.

1.5 Rollback

See Help in the security configuration tool.


Appendix B Ports and Services GUID-D4394772-24C2-4D39-AE93-629AE9095238 v5

General firewall settings are as follows:

• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767 kB
• Notify when an application is blocked

Since all inbound traffic is blocked by default, exceptions (firewall rules) need to be
configured. Windows Firewall rules are configured automatically using the security configuration
tool, see Appendix A 1.2.

The columns in the tables below mean the following:

• Port number configurable: the system is designed so that this port number can be easily
changed via the service-specific configuration method.
• Port status: whether the port is designed to be always open, or should be opened only when
the system configuration requires access to this specific service.
• Configured by SCM: whether the SCM tool creates a firewall rule for this port, and whether the
rule is enabled (open) or disabled (closed) by default.

Communication protocols and TCP port numbers such as DNP3, IEC60870-5-104 and Modbus are
well known to port scanners and receive more connection attempts than other port numbers. See
the tables below to check whether the inbound port number is configurable for the communication
protocol.

Table 8: Windows Operating System Services (inbound listening)

| Service | Service Description | Port number | Port number configurable | Port status | Configured by SCM | Miscellaneous | Used by |
|---|---|---|---|---|---|---|---|
| msrpc / dcom-scm | Remote procedure call / DCOM Service Control Manager | TCP 135 | | Always Open | Open | Inbound range for DCOM servers is automatically restricted by scripts, see also [MSDCOM04] | [System, svchost.exe] |
| netbios-ssn | Netbios Session Service | TCP 139 | | Always Open | Open | | [System] |
| microsoft-ds | Microsoft Active Directory, shares | TCP 445 | | Always Open | Open | | [System] |
| microsoft-ds | Microsoft Active Directory, shares | UDP 445 | | | | | [System] |
| ntp | SNTP - Simple network time protocol | UDP 123 | | Always Open | Open | | [System] |
| Netbios-ns | Netbios Name Service | UDP 137 | | Always Open | Open | | [IEC 61850 OPC Server] |
| Netbios-dgm | Netbios Datagram Service | UDP 138 | | Always Open | Open | | [System] |
| Isakmp | IPSec in Windows | UDP 500 | | Always Open | Open | | [System] |
| lsass.exe | sae-urn, IPsec NAT-Traversal | UDP 4500 | | Always Open | Open | | [System] |
| wininit.exe, svchost.exe etc. | * | TCP 49152-49158 | X | Always Open | | *) Dynamic port range can be configured | [System] |

Table 9: SYS600 (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| node.exe (http) | TCP 80 | | Configurable | | By default, the http port (TCP 80) and the https port (TCP 443) are both open. The http port redirects all traffic to the https port, thus all communication is secure. If https is configured not to be used (disabled in SYS600 Control Panel), then the http port is not secure, meaning that http traffic is plaintext. | Secure: Yes and no. Limit or block access to this port from remote computers depending on whether the web server is used for operator workplaces. |
| node.exe (https) | TCP 443 | X | Configurable | Open | Web server hosting web-based applications, for example, internal tools and operator workplaces (Workplace X). This port was only listening for connections from the localhost computer in SYS600 9.4 FP2, but in SYS600 10.0 it is listening for connections from remote computers. | Secure: Yes. Limit or block access to this port from remote computers depending on whether the web server is used for operator workplaces. |
| postgres.exe | TCP 5432 | X | Configurable (needed for HSB configurations) | Closed (needs to be open only in HSB scenarios, and access should be restricted only to the remote HSB pair with firewall configuration) | PostgreSQL database for storing setting values. This port is used for replicating the database between HSB computers. The port can be configured in SYS_BASCON.COM, default is 5432. | Secure: Yes |
| inet.exe | TCP 21844 | | Always Open | Open | Hot-stand-by communication (APL-APL). This traffic is encrypted. For more information, see [SYSCON, Encrypted communication]. | Secure: Yes |
| inet.exe | TCP 21845 | | Always Open | Open | External OPC DA Clients connect to this port and process data is received through this port. | Secure: No |
| inet.exe | TCP 21846 | | Always Open | Open | Used by SYS600 base system processes for internal communication. | Secure: No |
| java.exe (Apache QPID Broker) | TCP 5672 | | Localhost connections only | | Apache QPID Broker. Accepts localhost connections only. | Secure: No |
| LogService.exe | TCP 21850 | | Configurable | | MicroSCADA system log/events, MicroSCADA system version information, and application state information. This port is used by the Notify window. | Secure: No. Limit or block access to this port from remote computers. |
| aopcs.exe | Dynamic TCP, see [MSDCOM04] | X | Configurable | Open | MicroSCADA Application OPC Server requires DCOM port 135 to be open | N/A |
| opcs.exe | Dynamic TCP, see [MSDCOM04] | X | Always Open | Open | MicroSCADA OPC Data Access Server requires DCOM port 135 to be open | N/A |
| Opcenum.exe | Dynamic TCP, see [MSDCOM04] | X | Always Open | Open | OpenRemoteDesktop program uses this service | N/A |
| hasplsm.exe | UDP and TCP 1947 | | Configurable | Closed | Aladdin HASP License Manager Service for handling USB license keys | Secure: No |
| (Web server for Java API) | - | - | - | | Java API requires a web server. See the web server manuals for port configuration. | Secure: No |
| bdu_ssiser.exe (removed with SCIL_API interface removal in version 4.6) | TCP 1333 | X | Configurable | | DMS600 Server Application uses this for the SCIL-API connection | Secure: No |

All master protocols using TCP/IP (IEC60870-5-104 master, DNP3.0 TCP master,
Modbus TCP, SPA-TCP) operate as TCP clients. Consequently, no protocol specific
port numbers are reserved.

Unauthenticated and unencrypted plain-text network communication protocols are a
security risk. Review the Security column in each table to see whether a communication
protocol supports authentication and secure communication (encrypted traffic). Each
open TCP/UDP port provides a possible access path for an attacker, who can use it
to send exploits and receive data. To mitigate the risks:

• Know your network perimeter, zones and conduits. Use firewalls to limit access
to machines. Do not mix the Office/Corporate LAN with the Industrial Control System
LAN.
• Remove or stop all unneeded applications and services (TCP/UDP ports). Use
firewalls to limit access to ports.
• Encrypt communication by using IPSec/VPN tunnels between machines if there
is no built-in security mechanism.
• Use the latest product versions to get new security enhancements.
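A host-side check for the two points above (know what listens, remove what is not needed), as an added example that is not part of the guideline or the SCM tool: it compares the TCP listeners on a SYS600 host against the ports documented in Tables 8 to 10 and verifies the general firewall settings listed at the top of this appendix. The baseline hash table is constructed from those tables for this example and covers the TCP ports only.

```powershell
# Added example, not part of the guideline or the SCM tool. Port-to-service mapping
# is taken from Tables 8-10 above; the table is constructed for this example.
$DocumentedTcp = @{
    135   = 'msrpc / dcom-scm'
    139   = 'netbios-ssn'
    445   = 'microsoft-ds'
    80    = 'node.exe (http, redirects to https)'
    443   = 'node.exe (https)'
    5432  = 'postgres.exe (HSB replication only)'
    21844 = 'inet.exe HSB (encrypted)'
    21845 = 'inet.exe external OPC DA (not secure)'
    21846 = 'inet.exe internal'
    5672  = 'java.exe QPID broker (localhost only)'
    21850 = 'LogService.exe'
    2404  = 'IEC 60870-5-104 Slave (SCM: Closed)'
    19998 = 'IEC 60870-5-104 Secure Authentication Slave'
    19999 = 'DNP 3.0 Secure Authentication Slave'
    20000 = 'DNP 3.0 LAN/WAN Slave (SCM: Closed)'
    502   = 'Modbus TCP/IP Slave (SCM: Closed)'
    6997  = 'ELCOM-90 Provider (SCM: Closed)'
    102   = 'IEC 61850 MMS (not secure)'
    3782  = 'IEC 61850 secure MMS'
    3389  = 'Remote Desktop Services'
}
# Ports whose SCM firewall rule is Closed by default: open only when the protocol is in use.
$ExpectClosedByDefault = @(2404, 20000, 502, 6997, 5432)

function Get-ListenerAudit {
    $seen = @{}
    foreach ($c in Get-NetTCPConnection -State Listen) {
        $port = [int]$c.LocalPort                 # hashtable keys are Int32, LocalPort is UInt16
        # Skip the dynamic RPC/ephemeral range (49152 and up); Appendix D narrows it to 50000-50100.
        if ($port -ge 49152 -or $seen.ContainsKey($port)) { continue }
        $seen[$port] = $true
        $proc      = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $localOnly = $c.LocalAddress -in @('127.0.0.1', '::1')
        if (-not $DocumentedTcp.ContainsKey($port)) {
            $finding = 'UNDOCUMENTED listener: not in Tables 8-10, investigate'
        } elseif ($ExpectClosedByDefault -contains $port -and -not $localOnly) {
            $finding = 'Closed by SCM default: confirm the protocol is needed and access is restricted'
        } else {
            $finding = ''
        }
        [pscustomobject]@{
            Port       = $port
            Bind       = $c.LocalAddress          # 127.0.0.1 / ::1 means localhost only
            Process    = $proc.ProcessName
            Documented = $DocumentedTcp[$port]
            Finding    = $finding
        }
    }
}

# General firewall settings from this appendix: enabled, block inbound, allow outbound,
# logging to a 32767 kB file, notification when an application is blocked.
function Test-FirewallBaseline {
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile         = $p.Name
            Enabled         = ($p.Enabled -eq 'True')
            BlockInbound    = ($p.DefaultInboundAction -eq 'Block')
            AllowOutbound   = ($p.DefaultOutboundAction -eq 'Allow')
            LogFile         = $p.LogFileName
            LogSizeOk       = ($p.LogMaxSizeKilobytes -eq 32767)
            NotifyOnBlocked = ($p.NotifyOnListen -eq 'True')
        }
    }
}

Get-ListenerAudit | Sort-Object Port | Format-Table -AutoSize
Test-FirewallBaseline | Format-Table -AutoSize
```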

Table 10: SYS600 - Communication protocols (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| IEC60870-5-104 Slave | TCP 2404 | X | Configurable | Closed | IEC 60870-5-104 for telecontrol equipment and systems with coded bit serial data transmission in TCP/IP based networks for monitoring and controlling geographically widespread processes. Network Control Center (NCC). | Secure: No. Threat: Through the communication protocol it is possible to control the electric network. |
| IEC60870-5-104 Secure Authentication Slave | TCP 19998 | X | Configurable | | Secure communication for IEC60870-5-104 | IEC60870-5-104 secure communication is authenticated and encrypted. |
| IEC60870-5-104 Slave - Communication lines | TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| IEC60870-5-104 Master - Communication lines | TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| DNP 3.0 Secure Authentication Version 5 LAN/WAN Slave | TCP 19999 | X | Configurable | Closed | Secure communication for DNP 3.0 | DNP 3.0 secure communication is authenticated and encrypted. |
| DNP 3.0 LAN/WAN Slave | UDP and TCP 20000 | X | Configurable | Closed | The Distributed Network Protocol (DNP) 3.0 LAN/WAN is a standards-based communication protocol designed for electric utility, water, oil & gas and security systems. | Secure: No. Use DNP 3.0 Secure instead. Threat: Through the communication protocol it is possible to control the electric network. |
| DNP 3.0 LAN/WAN Slave - Communication lines | TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| DNP 3.0 LAN/WAN Master - Communication lines | UDP and TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| Modbus TCP/IP Slave | TCP 502 | X | Configurable | Closed | Modbus Protocol is a messaging structure used to establish master-slave/client-server communication between intelligent devices. It is used in gas and oil and substation applications but also in building, infrastructure, transportation and energy applications. There is no built-in security in the Modbus protocol. | Secure: No. Threat: Through the communication protocol it is possible to control the electric network. |
| Modbus TCP/IP Master - Communication lines | TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| SPA-TCP - Communication lines | TCP 2501-2514 | X | Configurable | | Accepts localhost connections only, open only for a short period of time at system startup. | N/A |
| ELCOM-90 Provider | TCP 6997 | X | Configurable | Closed | ELCOM-90 is used to transfer information between control centers; it is an inter-control center communication protocol (ICCP). | Secure: No. Threat: Through ELCOM-90 it is possible to control remote systems. |
| ELCOM-90 UserElem | TCP 6998 | X | Configurable | Closed | Inter-process communication | Secure: No. Threat: Through ELCOM-90 it is possible to control remote systems. |
| ELCOM-90 Admin | TCP 6999 | X | Configurable | Closed | Used to debug Provider | Secure: No |
| Opcs_iec61850.exe | Dynamic TCP, see [MSDCOM04] | X | Configurable | | IEC 61850 OPC DA Server. By default accepts local COM/DCOM connections only. | Secure: No. Threat: Through the communication protocol it is possible to control the electric network. |
| Opcs_iec61850.exe | TCP 123 | X | Configurable | | IEC 61850 OPC DA Server, which contains an SNTP Server as TCP/IP server (IEDs synchronize time with this) and also an SNTP Client. See the ntp service. | Secure: No |
| 61850_server.exe | TCP 102 | | Configurable | Open | IEC 61850 Server (10.1 and later). The IEC 61850 (MMS) server is a TCP/IP server. | Secure: No. Threat: Through the communication protocol it is possible to control the electric network. |
| 61850_server.exe | TCP 3782 | | Configurable | Open | IEC 61850 Server (10.1 and later). The IEC 61850 (MMS) server is a TCP/IP server. Used for secure MMS. | Secure: Yes |

Table 11: SYS600 – Remote Access (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| Microsoft Windows Remote Desktop Services | TCP 3389 | | Configurable | Open | Microsoft Windows Terminal Services [Terminal Server Client, RDP Client] | Remote desktop sessions operate over an encrypted channel. |
| Citrix ICA | TCP 1494 | | Configurable | | MetaFrame Application Server for Windows / Citrix ICA | Remote desktop sessions operate over an encrypted channel. |

Table 12: SYS600 Historian 1.3 (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| Vtrin-NetServer.exe | TCP 443 | X | Always Open | Open | This port is used by client and data collector nodes connecting to the Historian database. ClickOnce installation of the Historian client. | Secure: Yes |
| Vtrin-NetServer.exe | Dynamic TCP | X | Always Open | | This port is used for HTTP communication, but in SYS600 Historian 1.3 only TCP 443 (HTTPS) is used/enforced. | N/A |

Table 13: SYS600 Historian 1.1 and earlier (inbound listening)

| Service | Port number | Port number configurable | Port status | Description | Security |
|---|---|---|---|---|---|
| IIS | TCP 80 | X | Always Open | ClickOnce installation of the Historian client | Secure: No |
| SimbaServer.exe | TCP 1583 | X | Always Open | ODBC/SQL interface for system configuration | Secure: No |
| OPC UA Server | TCP and UDP 4840-4843 | X | Configurable | OPC UA is a machine-to-machine communication protocol for industrial automation | Secure: Yes |
| Vtrin-NetServer.exe | TCP 7605 | X | Configurable | Kerberos authentication (if used) | Secure: No |
| Vtrin-NetServer.exe | TCP 7606 | X | Always Open | Historian client access to the server | Secure: No |
| Vtrin-NetServer.exe | UDP 7609 | X | Configurable | Multicast events from server to client for the system internal communication | Secure: No |
| Vtrin-NetServer.exe | TCP 7614 | X | Always Open | System internal data & configuration transfer | Secure: No |
| Vtrin-NetServer.exe | TCP 7618 | X | Configurable | Events from server to client for the system internal communication | Secure: No |

Table 14: DMS600 4.5 (in addition to those listed in DMS600 4.4) (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| PostgreSQL | TCP 5433 | X | Only localhost | | PostgreSQL instances used by WebMap. | |
| DMSService.exe | TCP 9000 | X | Always Open | Closed | Modules in this service provide data: MBTileServer for background maps, NetworkTileServer for the network model and NGDMSFileServer for file transfer. | Secure: No. Communication is encrypted (HTTPS) but it is not authenticated. Threat: It might be possible to access electric network maps and network state data. |

Table 15: DMS600 4.4 (inbound listening)

| Service | Port number | Port number configurable | Port status | Configured by SCM | Description | Security |
|---|---|---|---|---|---|---|
| Ms-sql-s | TCP and UDP 1433 | | Always Open | Open | Microsoft SQL Server | Secure: Yes, see link |
| Ms-sql-m | TCP and UDP 1434 | | Always Open | Open | Microsoft SQL Monitor | Secure: Yes, see link |
| DMSSocketService.exe, DMSWebSocketService.exe (new in version 4.6; secured communication with certificate) | TCP 51772 | X (optionally defined using the OS system variable DMSComPort) | Always Open | Open | DMS WebSocket Service, communication between applications [DMS600 SA, WS, NE] and the DMS and SA Service. | Secure: Yes |
| UnknownSocketService.exe (removed in DMS600 4.6) | TCP 51773 | | Configurable | Open | Socket service to be used by 3rd party programs for sending messages | Secure: No. Threat: Through the communication protocol it might be possible to access manual process points and tamper with outage/interruption data. |
| DMS Service Framework | TCP 51777 | | Always Open | Open | DMS600 Service Monitor | Secure: Yes |
| DMS SA Service, DMS600SA.exe | TCP 51785 | | Always Open | Open | DMS600 Service Monitor uses this service to monitor the status. | Secure: No. Threat: It might be possible to control the DMS SA Service. |
| CaCe Fault Receiver | TCP 8086 | | Configurable | Open | Tieto Care Center (CaCe) WMS. Work management system and LV reporting and fault information. Optional software, depending on customer license/needs. | Secure: No. Threat: It might be possible to access work management system and fault information. |
| CaCe Fault Sender | TCP 8087 | | Configurable | Open | Tieto Care Center (CaCe) WMS. Work management system and LV reporting and fault information. Optional software, depending on customer license/needs. | Secure: No. Threat: It might be possible to access work management system and fault information. |
| PowerGrid NIS Server, PG Server TECS-service | TCP 3000 | | Configurable | Open | Tieto PowerGrid NIS (Network Information System). Network information, customer and energy data. Optional software, depending on customer license/needs. | Secure: No. Threat: It might be possible to access electric network, customer and energy data. |
| AMR (http) | TCP 80 | - | Configurable | Open | Automatic Meter Reading (AMR), energy data. Microsoft Internet Information Server (IIS) runs the AMR Service. Optional software, depending on customer license/needs. | Secure: No. Threat: It might be possible to access energy data. |
| AMR (https) | TCP 443 | - | Configurable | Open | | Secure: Yes |

Table 16: SDM600 1.2 (inbound listening)

| Service | Port number | Port status | Configured by SCM | Description |
|---|---|---|---|---|
| ICMP | | Open | Open | ICMP Ping |
| SFTP | TCP 22 | Configurable | Close | Port used only if the SFTP file transfer option is used for Disturbance Records retrieval. |
| LDAP | TCP 389 | Open | Open | SDM600 Centralized Account Management (LDAP Authentication) |
| HTTPS | TCP 443 | Open | Open | HTTPS web access |
| SYSLOG | UDP 514 | Open | Open | Centralized Activity Logging Service (Syslog over UDP) |
| LDAPS | TCP 636 | Open | Open | Centralized Account Management secure connection (LDAP Authentication) |
| FTPS | TCP 989-990 | Configurable | Close | Port used only if the FTPS file transfer option is used for Disturbance Records retrieval. |
| SQL Server | TCP 1433 | Open | Open | SQL Server |
| Syslog | TCP 1468 | Open | Open | Centralized Activity Logging Service (Syslog over TCP) |
| RADIUS (TCP) | TCP 1812 | Open | Open | Centralized Account Management Service (RADIUS communication) |
| RADIUS (UDP) | UDP 1812 | Open | Open | Centralized Account Management Service (RADIUS communication) |
| SQL Server | TCP 58900 | Open | Open | SQL Server |
| HRC Init | TCP 59100-59199 | Open | Open | SDM600 internal service (Parent-Child Initialization) |
| CAL Event Aggregator | TCP 59200 | Open | Open | SDM600 internal service (Centralized Activity Logging Service) |
| SDM Clustering | TCP 59960 | Configurable | Close | Parent/child, needed only on the child system |
| HSB Init/HRC Run | TCP 59990-59999 | Open | Open | SDM600 internal service (Parent-Child, HotStandby Initialization) |
| HSB Run | TCP 60000-600010 | Open | Open | SDM600 internal service (Hot-Standby) |
| HRC Migration | TCP 61743 | Configurable | Close | SDM600 internal service - open only during migration from previous versions of SDM600 |

Appendix C Windows System Services

Windows system services are described in detail in Threats and Countermeasures Guides.

The settings below are a collection of services which are automatically disabled by the security
configuration tool.

Not all services are running in each operating system, and some may not even exist. The
detailed list of recommended service settings can be found in the security
configuration tool. The security configuration is deployed so that it ignores the
unavailable services. Therefore, it is normal to have these kinds of messages in the
log file:

• Error 1060: The specified service does not exist as an installed service. Error
opening <service name>.
• Error 1060: The specified service does not exist as an installed service.
Opening service <service name> for stop access failed.
• Legacy audit settings are disabled. Skipped configuration of legacy audit
settings.

Some functionalities need certain services to be enabled. To enable such a feature, see Appendix A
1.4.4.
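A verification script for this appendix, added here as an example and not the security configuration tool's own logic: it checks that the listed services are disabled and not running, and treats a service that is not installed as compliant, which is the "Error 1060" case described above. The service list is a subset of Table 17 constructed for the example.

```powershell
# Added example, not from the guideline. Subset of the service names in Table 17.
$ServicesToDisable = @(
    'Alerter', 'ALG', 'aspnet_state', 'Browser', 'bthserv', 'Fax', 'ftpsvc', 'Messenger',
    'RemoteRegistry', 'SCardSvr', 'TlntSvr', 'Upnphost', 'W3SVC', 'WebClient', 'Wlansvc'
)

function Test-ServicesDisabled {
    param([string[]] $Names = $ServicesToDisable)
    foreach ($name in $Names) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # Same situation as "Error 1060: The specified service does not exist";
            # nothing to disable, so the host is compliant for this entry.
            [pscustomobject]@{ Service = $name; Status = 'not installed'; Compliant = $true }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            Status    = "$($svc.State) / $($svc.StartMode)"
            Compliant = ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        }
    }
}

# Report only the entries that still need attention.
Test-ServicesDisabled | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```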

Table 17: Disabled Windows system services

| Service | Display Name |
|---|---|
| Alerter | Alerter |
| ALG | Application Layer Gateway Service |
| aspnet_state | ASP .NET State Service |
| AudioEndpointBuilder | Windows Audio Endpoint Builder |
| AudioSrv | Windows Audio |
| Browser | Computer Browser |
| bthserv | Bluetooth Support Service |
| CiSvc | Indexing Service |
| ClipSrv | ClipBook |
| CscService | Offline Files |
| ehRecvr | Windows Media Center Receiver Service |
| ehSched | Windows Media Center Scheduler Service |
| Fax | Fax |
| ftpsvc | Microsoft FTP Service |
| Helpsvc | Help and Support |
| IISAdmin | IIS Admin |
| ImapiService | IMAPI CD-Burning COM Service |
| IPBusEnum | PnP-X IP Bus Enumerator |
| Mcx2Svc | Media Center Extender Service |
| Messenger | Messenger |
| MMCSS | Multimedia Class Scheduler |
| Mnmsrvc | NetMeeting Remote Desktop Sharing |
| MSFtpsvc | FTP Publishing Service |
| NetDDE | Network DDE |
| NetDDEdsdm | Network DDE DSDM |
| pla | Performance Logs & Alerts |
| QWAVE | Quality Windows Audio Video Experience |
| RDSessMgr | Remote Desktop Help Session Manager Service |
| RemoteRegistry | Remote Registry |
| SCardSvr | Smart Card |
| Schedule | Task Scheduler |
| SensrSvc | Adaptive Brightness |
| SMTPSVC | Simple Mail Transfer Protocol |
| SCPolicySvc | Smart Card Removal Policy |
| srservice | System Restore Service |
| Stisvc | Windows Image Acquisition |
| SysmonLog | Performance Logs & Alerts |
| TabletInputService | Tablet PC Input Service |
| TapiSrv | Telephony |
| TlntSvr | Telnet |
| TrkSrv | Distributed Link Tracking Server |
| TrkWks | Distributed Link Tracking Client |
| Upnphost | Universal Plug and Play Device Host |
| UPS | Uninterruptable Power System |
| W3SVC | World Wide Web Publishing |
| WbioSrvc | Windows Biometric Service |
| WebClient | Web Client |
| Wlansvc | WLAN AutoConfig |
| WmdmPmSN | Portable Media Serial Number Service |
| WMPNetworkSvc | Windows Media Player Network Sharing Service |
| WPCSvc | Parental Controls |
| WZCSVC | Wireless Zero Configuration |

Table 18: Enabled Windows system services

| Service | Display Name |
|---|---|
| appidsvc | Application Identity (AppLocker) |
| SNMP | |
| SNMPTRAP | |

Appendix D Security Policies

The table below gives an overview of the settings that are changed on MicroSCADA X servers and
workplaces compared to the hardened operating system settings (Microsoft Security Compliance
Manager baselines). The full listing of changed settings can be seen in the security configuration tool.

Table 19: MicroSCADA X security policies

| Setting Name | Default Value | MicroSCADA X Server | MicroSCADA X Workplace | Remarks |
|---|---|---|---|---|
| Maximum password age | 42 days | -1 or 0 | Not defined | MicroSCADA user account never expires |
| Minimum password age | 0 days | 0 | Not defined | MicroSCADA user account never expires |
| Account lockout threshold (LockoutBadCount) | 0 invalid login attempts | 10 | 10 | Note! A denial-of-service attack can occur if an attacker abuses the Account lockout threshold setting and repeatedly attempts to log on to an account. |
| Account lockout duration (LockoutDuration) | Not defined | 1 | 1 | The account will be locked for a duration of 1 minute |
| Reset account lockout counter after (ResetLockoutCount) | Not defined | 1 | 1 | |
| Deny access to this computer from the network | Guests | Guests, ANONYMOUS LOGON | Not defined | |
| Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Not defined | |
| Deny log on locally | Guests | Guests, MicroSCADA | Not defined | The MicroSCADA user account is only used to run the service. It is not meant for interactive purposes. |
| Deny log on through Terminal Services | Not defined | Guests, MicroSCADA | Not defined | The MicroSCADA user account is only used to run the service. It is not meant for interactive purposes. |
| Log on as a service | Not defined | MicroSCADA | Not defined | |
| Accounts: Rename guest account | Guest | Guestrenamed | Guestrenamed | Guest account is disabled, however still renamed |
| Accounts: Rename built-in Administrator account | Administrator | ScAdmin | ScAdmin | The Administrator user name cannot be used to log in to Windows anymore. ScAdmin should be used instead with the same password. |
| Accounts: Enable Administrator account | Disabled | Enabled | Enabled | The server should not have hidden user accounts |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Enabled | Enabled | Remote control is denied |
| Devices: Restrict floppy access to locally logged-on user only | Disabled | Enabled | Enabled | Remote control is denied |
| User Account Control: Disable UAC remote restrictions (localaccounttokenfilterpolicy) | 0 | 1 | 1 | 1 = remotely connect with full administrator rights |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (consentpromptbehavioradmin) | Prompt for consent for non-Windows binaries | Prompt for consent | Prompt for consent | If the user wants administrator privileges, "run as administrator" has to be used to open a program. |
| Interactive Logon: Message title for users attempting to logon | Not defined | NOTICE TO USERS | NOTICE TO USERS | Login warning banner |
| Interactive logon: Message text for users attempting to log on | Not defined | WARNING: This is a private system. Do not attempt to logon unless you are an authorized user. Any authorized or unauthorized access and use may be monitored and can result in criminal or civil prosecution under applicable law. | WARNING: This is a private system. Do not attempt to logon unless you are an authorized user. Any authorized or unauthorized access and use may be monitored and can result in criminal or civil prosecution under applicable law. | Login warning banner |
| Interactive logon: Do not display last user name | Disabled | Enabled | Enabled | |
| RPC: Remote Procedure Call dynamic port range | Not defined | 50000-50100 | 50000-50100 | |
| Terminal server: Enable Remote Desktop (fDenyTSConnections) | Remote desktop disabled | Remote desktop enabled | Remote desktop enabled | |
| Terminal server: Security level | 1 (Medium) | 2 (High) | 2 (High) | |
| Terminal server: Minimum encryption level | 2 (Client compatible) | 3 (High, 128-bit) | 3 (High, 128-bit) | |
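A compliance check for the account-policy and account-name rows of Table 19, added here as an example that is not part of the guideline or the SCM tool: it exports the effective local security policy with secedit and compares the standard INF keys against the MicroSCADA X Server column. Expected values come from the table; the script must run elevated because secedit requires it.

```powershell
# Added example, not from the guideline. Expected values are the "MicroSCADA X Server"
# column of Table 19; key names are the standard secedit INF keys for those settings.
$Expected = @{
    MaximumPasswordAge   = @('-1', '0')          # "-1 or 0": MicroSCADA account never expires
    MinimumPasswordAge   = @('0')
    LockoutBadCount      = @('10')
    LockoutDuration      = @('1')                # locked for 1 minute
    ResetLockoutCount    = @('1')
    NewAdministratorName = @('"ScAdmin"')        # secedit exports names with quotes
    NewGuestName         = @('"Guestrenamed"')
    EnableAdminAccount   = @('1')
    EnableGuestAccount   = @('0')                # "Guest account is disabled"
}

function Get-SeceditSettings {
    # Export only the [System Access] area; secedit writes the INF as UTF-16.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $settings = @{}
    foreach ($line in Get-Content $inf -Encoding Unicode) {
        # Matches "Key = Value" lines; registry-value lines contain backslashes and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $settings
}

function Test-MicroScadaAccountPolicy {
    $actual = Get-SeceditSettings
    foreach ($key in $Expected.Keys | Sort-Object) {
        [pscustomobject]@{
            Setting   = $key
            Expected  = ($Expected[$key] -join ' or ')
            Actual    = $actual[$key]
            Compliant = ($Expected[$key] -contains $actual[$key])
        }
    }
}

Test-MicroScadaAccountPolicy | Format-Table -AutoSize
```

The Terminal server and UAC rows of the table are registry-backed and are not covered by this export; they have to be checked separately.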

Appendix E Application Allowlisting - AppLocker

AppLocker is a Windows built-in technology to control who can open/run specified applications. The
AppLocker approach and rules were updated for SYS600 10.4 and DMS600 4.6. The updated rules
are included in System Compliance Manager (SCM) release 2.0.

With AppLocker, you can specify that certain users/groups may run applications from a given path or
signed with a given signature. Both approaches are used in the MicroSCADA related rules.

There are no restrictions set for accounts in the Administrators group, as those accounts can change
the rules manually anyway. Restricting them would thus only cause a short delay for an attacker, not
real protection. Windows security relies on the principle that an attacker does not have admin rights
to the computer.

The rules for SYS600 are shown in the figures below, and they can be found in the SCM installation
directory. In most cases, SYS600 related rules are found in
C:\Program Files (x86)\ABB\MicroSCADA Pro\SCM\baselines\product\SYS600\10 server\applocker.xml.
The rules for other programs may differ slightly, but the basic principle is the same.

If a non-admin user tries to start a program which does not match the rules, the following notification
window appears.

Figure 18: AppLocker - Notification when program is not allowed to be run

The rules set by the SCM tool allow everyone to run programs from the Windows folder and from the
Program Files/Program Files (x86) folders, with the exception of some specific temp/log folders.
Also, programs signed by ABB/Hitachi Energy signatures are allowed to be run by everyone. The
goal of the function is that an attacker with only operator level access to the machine cannot
download attack tools/scripts from the Internet and run them.

Figure 19: AppLocker Properties dialog set by SCM

Figure 20: AppLocker rules - Executables

Figure 21: AppLocker rules - Exceptions for Executables and Scripts

Figure 22: AppLocker rules - Windows installer

Figure 23: AppLocker rules - Scripts

Figure 24: AppLocker rules - AppX

1.1 AppLocker - Customizing Rules

If there is a need to customize the rules for a specific environment, it can be done easily. The
changes require admin-level access to the computer. One normal use case is that there are 3rd party
tools which require either a path or a signature to be added to the policy.

AppLocker rules are 'Deny by default' type, so everything not covered by the rules is denied.

AppLocker rules can be configured either manually (via Domain/Local Group Policy) or via
PowerShell. Instructions for PowerShell can be found at:
https://docs.microsoft.com/en-us/powershell/module/applocker/

The XML required for PowerShell can be found at
C:\Program Files (x86)\ABB\MicroSCADA Pro\SCM\baselines\product\SYS600\10 server\applocker.xml.
This can be edited and then imported with PowerShell.
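The PowerShell route for the common case named above (a 3rd party tool that needs a signature added to the policy), as an added example that is not part of the SCM tool or the guideline: it builds a publisher rule from the tool's signed binary, merges it into the local policy SCM deployed, and tests the result. The tool path is an assumed placeholder; the baseline path is the one given above.

```powershell
# Added example, not from the guideline or the SCM tool. Requires an elevated session,
# as the text notes: rule changes need admin-level access.
$ScmBaseline = 'C:\Program Files (x86)\ABB\MicroSCADA Pro\SCM\baselines\product\SYS600\10 server\applocker.xml'
$ToolBinary  = 'C:\Tools\ThirdPartyTool\tool.exe'     # placeholder: a properly signed 3rd party binary
$RuleFile    = Join-Path $env:TEMP 'applocker-thirdparty.xml'

# AppLocker enforcement depends on the Application Identity service (kept enabled in Table 18).
if ((Get-Service AppIDSvc).Status -ne 'Running') { Start-Service AppIDSvc }

# A publisher rule needs a properly signed binary; a self-signed certificate is not accepted,
# and an unsigned file yields no Publisher information. Stop rather than silently falling
# back to a hash rule, which is not what the default MicroSCADA rules use.
$info = Get-AppLockerFileInformation -Path $ToolBinary
if (-not $info.Publisher) { throw "$ToolBinary is not signed; a publisher rule cannot be built" }

# -Optimize widens the rule to the publisher/product level, i.e. the '*' fields in the GUI dialog.
$info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
    Set-Content -Path $RuleFile -Encoding UTF8

# -Merge adds the new rule to the existing local policy instead of replacing the SCM rules.
# To rebuild from the shipped baseline instead, import $ScmBaseline first (without -Merge).
Set-AppLockerPolicy -XmlPolicy $RuleFile -Merge

# Verify before relying on it: the tool should now be Allowed for Everyone; anything not
# covered by a rule is still denied, since the rules are 'Deny by default'.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $ToolBinary -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```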

1. Go to the Start menu, and in the search field, type group and select the Edit group policy tool.
See Figure 25 for more details.

Figure 25: Start menu - Edit group policy

2. Select Local Computer Policy/Computer Configuration/Windows Settings/Security
Settings/Application Control Policies/AppLocker and under AppLocker, edit the required
policy. See Figure 26 for more details.

Figure 26: AppLocker rules - Where to find the rules

Figure 27: AppLocker - Create a new rule

For every rule, it is necessary to configure the user or group that the particular rule affects.

MicroSCADA X 83
Cyber Security Deployment Guideline
© 2022 Hitachi Energy. All rights reserved.
Appendix E 1MRK 511 574-UEN Rev. A
Application Allowlisting - AppLocker


Figure 28: AppLocker rules - Configure permissions

Rules can be created by utilizing the properties of the code signing certificate (Publisher
information), the path where the file is located, or a file hash. In the MicroSCADA default rules, the
first two of these are utilized.


Figure 29: AppLocker rules - Conditions

With the publisher rule, you need to have a proper certificate used to sign the code. It is not possible
to use a self-signed certificate.

When configuring a publisher rule, a properly signed binary is required to give the baseline for the
rule.


After the correct binary has been selected, various fields can be set to '*', which means that the
particular field accepts every string. The settings can be changed by moving the slider or selecting
'Use custom values'.


Figure 30: AppLocker rules - Configure a Publisher rule

For every rule, it is possible to configure exceptions in the same way as the actual rules are
configured.


Figure 31: AppLocker rules - Configure an Exception

Rules covering executable paths can either use the whole directory or the exact path to the specific
file. For the path type of rules, an exception can also be configured.



Figure 32: AppLocker rules - Configure a Path
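The customization described in this appendix (editing the shipped applocker.xml baseline and importing it with the PowerShell module, using Publisher rules where a proper signing certificate exists and Path rules otherwise), scripted end to end. This is an added example and not code from the guideline or the product; the tool directory C:\Tools\VendorTool and the rule name prefix are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the guideline or the product: allow a hypothetical third-party
# tool installed in C:\Tools\VendorTool (placeholder) on top of the shipped SYS600 baseline.
Import-Module AppLocker

$Baseline = 'C:\Program Files (x86)\ABB\MicroSCADA Pro\SCM\baselines\product\SYS600\10 server\applocker.xml'
$ToolDir  = 'C:\Tools\VendorTool'                          # placeholder tool directory
$ToolXml  = Join-Path $env:TEMP 'vendortool-applocker.xml'

# Rules are enforced only while the Application Identity service is running.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# 1. Collect publisher, path and hash information for the tool's executables and DLLs.
$Files = Get-AppLockerFileInformation -Directory $ToolDir -Recurse -FileType Exe, Dll
$Exes  = (Get-ChildItem -Path $ToolDir -Recurse -Filter *.exe).FullName

# 2. Deny by default: evaluated against the untouched baseline, the tool is not allowed.
Test-AppLockerPolicy -XmlPolicy $Baseline -Path $Exes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Generate rules. Publisher rules are preferred (they survive updates but need a
#    CA-issued code-signing certificate, as noted above); unsigned files fall back to Path
#    rules. Hash rules are avoided because every patch of the tool would invalidate them.
#    Scope the rule to an operators' group instead of Everyone where the tool is operator-only.
$Files |
    New-AppLockerPolicy -RuleType Publisher, Path -User Everyone `
        -RuleNamePrefix 'VendorTool' -Optimize -Xml |
    Set-Content -LiteralPath $ToolXml -Encoding UTF8

# 4. Merge into the local policy (without -Merge the baseline rules would be replaced).
Set-AppLockerPolicy -XmlPolicy $ToolXml -Merge

# 5. Re-check against the effective policy (local plus any domain GPO): the tool is now
#    allowed, and a binary dropped into a user-writable folder is still denied.
$Effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $Effective -Path $Exes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
$Stray = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue
if ($Stray) {
    Test-AppLockerPolicy -PolicyObject $Effective -Path $Stray.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision -AutoSize      # expected: Denied
}
```

Where the rules are delivered through a domain Group Policy instead of the local policy, apply the same XML with the -Ldap parameter of Set-AppLockerPolicy and re-run step 5 after a policy refresh.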


Appendix F Virtual Private Network

The configuration for Windows Server 2019 is shown below. The same method applies to other Windows
Server versions.

1.1 Create IPSec Policy

An IPSec policy secures all IP traffic that is specified in the configured IPSec filters. The decision to
allow unsecured IP traffic is up to the user. To configure SYS600 for IPSec transport mode:

1. Open the Start menu, click Run, and type in secpol.msc to start the IP Security Policy
Management snap-in.


2. Right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.
3. Click Next, and type in a name for the policy (for example, IPSec Tunnel with Network Control
Center).


4. Click to clear the Activate the default response rule check box, and then click Next.

5. Add additional information in the Description box if desired. Click Next.


6. Click Finish (leave the Edit check box selected).


1.2 Build a Filter List from SYS600 to NCC

1. In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to
create a new rule.



2. Click the IP Filter List tab, and then click Add.


3. Type in an appropriate name for the filter list (for example, IP traffic to NCC), click to clear the
Use Add Wizard check box, and then click Add.


4. In the Source address, click A specific IP Address, and type the IP Address of SYS600
towards NCC (the IP address that communicates with the NCC), as this filter should only apply
to the network interface connected to the WAN.

5. In the Destination address box, click A specific IP Address, and then type the IP Address of
the NCC (the NCC’s IP address that SYS600 connects to).
6. Leave Mirrored selected.
7. Click the Protocol tab. Make sure that the protocol type is set to Any because IPSec does not
support protocol-specific or port-specific filters.


8. If a description for the filter is desired, click the Descriptions tab. Click OK.
9. Click OK to close IP Filter List dialog.

1.3 Configure a Rule for the Communication

1. Click the IP Filter List tab, and then click to select the created filter list.


2. Click the Tunnel Setting tab, and click This rule does not specify an IPSec tunnel.
3. Click the Connection Type tab, and click Local area network (LAN).
4. Click the Filter Action tab, clear the Use Add Wizard option, and click Add. In the New Filter
Action Properties window, choose the Security Methods tab and select one of the options:
• Permit - Permits unsecured IP packets to pass through.
• Block - Blocks unsecured IP packets from passing through.
• Negotiate Security - Traffic is handled according to the configuration made via the Add
button. The recommendation is to use Integrity and encryption; Integrity only can be used for
debugging purposes.
5. Click the General tab, and give the filter action a name.


None of the check boxes at the bottom of the Filter Action dialog box are selected as
an initial configuration for a filter action that applies to tunnel rules.


As the currently configured IP Filter rule matches only a single IP, it does not discard
non-IPSec traffic originating from a different wide area network IP address. In order
to prohibit any non-IPSec connections from the wide area network, the IP filter list
has to match the subnet of the wide area network, and the Filter Action has to be set
to “Negotiate Security”.
6. Click the Authentication Methods tab to configure the authentication method.
7. Click Add.
8. Select Use a certificate from this certification authority (CA) if there is a possibility to use such
certificate (preferred), or Use this string (preshared key) and enter a long key that also contains
special characters. This string must be the same on the machine that matches the IP filter rule
(in this case, the NCC). Click OK.

MicroSCADA X 95
Cyber Security Deployment Guideline
© 2022 Hitachi Energy. All rights reserved.
Appendix F 1MRK 511 574-UEN Rev. A
Virtual Private Network

9. Select the default Kerberos method, click Remove, and confirm the prompt. Click Close to close
the New Rule Properties dialog.
10. Click OK.
11. In the Local Security Settings, right-click the created policy (for example, IPSec Tunnel with
Network Control Center) and select Assign. A green dot indicates that the policy is active.
Close the Local Security Settings.

Repeat the steps for all machines that should use IPSec. It is also possible to export the policies
and import them on a different computer:


1. In the Local Security Settings, where the VPN configuration is set, select IP Security Policies
on Local Computer.
2. Select Action/All Tasks/Export Policies... and write a file name.
3. On the other computer, where the VPN configuration is needed, open Local Security Settings and
select IP Security Policies on Local Computer.
4. Select Action/All Tasks/Import Policies....
5. Select the file exported in step 2 and press Import/OK.
6. Check and adapt the rules, for example, swap Source address and Destination address in the
IP Filter Properties dialog.

For IPSec interoperability between different devices and vendors, see the configuration profile in
[LEMNOS11].
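The policy built in sections 1.1 to 1.3 and the export step above, written as a netsh ipsec static script so that it can be repeated on every SYS600 host; it also adds the subnet-wide filter from the note in section 1.3, so that clear-text traffic from other WAN addresses is no longer accepted. This is an added example, not part of the guideline, and it assumes that the netsh ipsec static context writes to the same local IPsec policy store that the secpol.msc snap-in edits. All addresses (RFC 5737 documentation ranges), the CA name and the file paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the guideline). Placeholders: addresses, CA subject, paths.
$Sys600Wan  = '192.0.2.10'        # SYS600 interface that faces the NCC (the WAN interface)
$NccAddr    = '198.51.100.20'     # NCC address that SYS600 connects to
$WanSubnet  = '198.51.100.0'      # whole WAN subnet, see the note on single-IP filters
$WanMask    = '255.255.255.0'
$RootCa     = 'CN=Example Utility Root CA, O=Example Utility'   # CA trusted by both ends
$PolicyName = 'IPSec Tunnel with Network Control Center'
$ExportDir  = 'C:\ipsec'
$ExportFile = Join-Path $ExportDir 'sys600-ncc.ipsec'

# netsh script mirroring the snap-in steps; lines starting with '#' are comments for netsh -f.
$NetshScript = @"
pushd ipsec static
# 1.1: policy with 'Activate the default response rule' cleared
add policy name="$PolicyName" description="Transport-mode IPsec between SYS600 and NCC" activatedefaultrule=no
# 1.2: filter list. The host-to-host filter is what the snap-in steps create ...
add filterlist name="IP traffic to NCC"
add filter filterlist="IP traffic to NCC" srcaddr=$Sys600Wan dstaddr=$NccAddr protocol=ANY mirrored=yes
# ... and the subnet-wide filter is what the note in 1.3 requires, so that clear-text
# traffic from any other WAN address is forced into negotiation instead of being accepted.
add filter filterlist="IP traffic to NCC" srcaddr=$Sys600Wan dstaddr=$WanSubnet dstmask=$WanMask protocol=ANY mirrored=yes
# 1.3 step 4: Negotiate Security with integrity and encryption, all three check boxes cleared
# (inpass = accept unsecured, soft = fall back to unsecured, qmpfs = session key PFS).
# ESP[None,SHA1] would be the integrity-only variant reserved for debugging. DES/3DES and
# MD5/SHA1 are all this legacy context accepts; check the negotiated suite against your policy.
add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]"
# 1.3 steps 6-9: certificate authentication only (Kerberos removed), LAN connection type
add rule name="SYS600 to NCC" policy="$PolicyName" filterlist="IP traffic to NCC" filteraction="Require ESP" conntype=lan kerberos=no rootca="$RootCa"
# 1.3 step 11: assign, then export for the other machines (there: importpolicy file=...)
set policy name="$PolicyName" assign=y
exportpolicy file="$ExportFile"
popd
"@

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$ScriptFile = Join-Path $env:TEMP 'sys600-ipsec.netsh'
Set-Content -LiteralPath $ScriptFile -Value $NetshScript -Encoding ASCII
netsh -f $ScriptFile

# Checks: the rule must appear under the assigned policy, and once traffic to the NCC has
# flowed, an ESP quick-mode SA with $NccAddr must be listed. If the application still
# communicates but no SA appears, the packets match no filter (for example a different
# WAN address) and are travelling in the clear.
netsh ipsec static show all
netsh ipsec dynamic show qmsas
```

On the importing machine, remember step 6 of the export procedure: the source and destination addresses must be swapped before the policy is assigned.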

Appendix G Introduction to SCADA Security

The following excerpt is taken from Supervisory Control and Data Acquisition (SCADA) Systems,
CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY, cisa.gov.

In today’s corporate environment, internal networks are used for all corporate communications,
including SCADA. SCADA systems are therefore vulnerable to many of the same threats as any
TCP/IP-based system.

Security in an industrial network can be compromised in many places along the system and is most
easily compromised at the SCADA host or control room level. SCADA computers logging data out to
some back-office database repositories must be on the same physical network as the back-end
database systems, or have a path to access these database systems. This means that there is a
path back to the SCADA systems and eventually the end devices through their corporate network.
Once the corporate network is compromised, then any IP-based device or computer system can be
accessed. These connections are open 24x7 to allow full-time logging, which provides an opportunity
to attack the SCADA host system with any of the following attacks:

• Use a Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown
condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of Operations)
• Plant a Trojan and take complete control of system (Gain complete control of system and be
able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords (Preparation for future
take down)
• Log any company-sensitive operational data for personal or competition usage (Loss of
Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is out of control and must
be shut down (Downtime and Loss of Corporate Data)
• Modify any logged data in remote database system (Loss of Corporate Data)
• Use SCADA Server as a launching point to defame and compromise other system components
within corporate network.

For a company to protect its infrastructure, it should undertake the development of a security strategy
that includes specific steps to protect any SCADA system. Such a strategy may include the following
approach.

Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the
corporate network and SCADA architectures including firewalls, proxy servers, operating systems,
application system layers, communications, and policy and procedures. Strategies for SCADA
Security should complement the security measures implemented to keep the corporate network
secure.

The figure below illustrates the typical corporate network “ring of defenses” and its relationship with
the SCADA network. Successful attacks can originate from either Internet paths through the
corporate network to the SCADA network, or from internal attacks from within the corporate office.
Alternatively, attacks can originate from within the SCADA network from either upstream
(applications) or downstream (RTUs) paths. What is an appropriate configuration for one installation
may not be cost-effective for another. Flexibility and the employment of an integrated and
coordinated set of layers are critical in the design of a security approach.



Figure 33: Relationship Between Corporate and SCADA Networks


Most corporate networks employ a number of security countermeasures to protect their networks.
Some of these and a brief description of their functions are as follows:

• Border Router and Firewalls: Firewalls, properly configured and coordinated, can protect
passwords, IP addresses, files and more. However, without a hardened operating system,
hackers can directly penetrate private internal networks or create a Denial of Service condition.
• Proxy Servers: A Proxy server is an internet server that acts as a firewall, mediating traffic
between a protected network and the internet. They are critical to re-creating TCP/IP packets
before passing them on to, or from, application layer resources such as Hyper Text Transfer
Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the employment of proxy
servers will not eliminate the threat of application layer attacks.
• Operating Systems: Operating systems can be compromised, even with proper patching, to
allow network entry as soon as the network is activated. This is due to the fact that operating
systems are the core of every computer system and their design and operating characteristics
are well-known worldwide. As a result, operating systems are a prime target for hackers.
Further, in-place operating system upgrades are less efficient and secure than design-level
migration to new and improved operating systems.
• Applications: Application layer attacks; that is, buffer overruns, worms, Trojan horse programs
and malicious ActiveX code can incapacitate anti-virus software and bypass the firewall as if it
wasn’t even there.
• Policies and Procedures: Policies and procedures constitute the foundation of security policy
infrastructures. They include requiring users to select secure passwords that are not based on a
dictionary word and contain at least one symbol, capital letter, and number, and should be over
eight characters long. Users should not be allowed to use the name of their spouse, child or pet
as their password.

The above list is common to all entities that have corporate networks. SCADA systems for the most
part coexist on the same corporate network, as seen in the figure above. The following list suggests
ways to help protect the SCADA network in conjunction with the corporate network:

• SCADA Firewalls: SCADA Systems and Industrial Automation Networks, like corporate
network operating systems, can be compromised using similar hacking methods. SCADA
systems frequently go down due to other internal software tools or employees who gain access
to the SCADA systems, often without any intention to take down these systems. For these
reasons, it is suggested that strong firewall protection to wall off the SCADA networking systems
from both the internal corporate network and the Internet be implemented. This would provide at
least two layers of firewalls between the SCADA networking systems and the Internet.
• SCADA Internal Network Design: SCADA networks should be segmented off into their own IP
segment using smart switches and proper sub-masking techniques to protect the Industrial
Automation environment from the other network traffic, such as file and print commands.
Facilities using Wireless Ethernet should use sufficient encryption, for example, WPA or WPA2.
• SCADA Server Operating Systems: Merely installing a firewall or segmenting SCADA IP
addresses will not ensure their SCADA Infrastructure is secure. An experienced hacker can
often bypass firewalls with ease and can even use Address Resolution Protocol (ARP) trap
utilities to steal Media Access Control (MAC) addresses. The hacker can also deploy IP
spoofing techniques to maneuver through switched networks. Operating systems running the
SCADA applications must also be maintained. SCADA applications on Windows NT, 2000, or
XP are properly patched against the latest vulnerabilities, and all of the default NULL NT
accounts and administrator accounts have been removed or renamed. SCADA applications
running on UNIX, Linux, Novell, or any other operating system (OS), must also be maintained as
above. All operating systems have back doors and default access accounts that should be
removed and cleaned off of these SCADA servers.
• SCADA Applications: One must also address security within the SCADA application itself.
Trojan horses and worms can be inserted to attack application systems, and they can be used to
manipulate data or issue commands on the server. There have even been cases of Trojan
horses being deployed that completely emulate the application. The operator or user thinks that
he is clicking on a command to stop a pump or generate a graph of the plant, but he is actually
clicking on buttons disguised to look like the SCADA screen, and these buttons start batch files
that delete the entire hard drive, or send out pre-derived packets on the SCADA system that turn
all outputs to the ON or “1” state. Trojan horses and viruses can also be planted through an
email opened by another computer in the network, and then it is silently copied over to adjacent
SCADA servers, where they wait until a specified time to run. Plant control rooms will often have
corporate computers with the Internet and email active on them, within the same physical room
and on the same network switches as SCADA computers. Methodologies to mitigate against
these types of situations are: the use of anti-virus software running on the computer where the
SCADA application resides; systems administrators disabling installation of any unauthorized
software unless the user has administrator access; and policies and procedures applicable to
SCADA systems.
• SCADA Policies and Procedures: SCADA policies and procedures associated with remote
vendor and supervisory access, password management, etc. can significantly impact the
vulnerabilities of the SCADA facilities within the SCADA network. Properly developed policies
and procedures that are enforced will greatly improve the security posture of the SCADA
system.

In summary, these multiple “rings of defense” must be configured in a complementary and organized
manner, and the planning process should involve a cross-discipline team with senior staff support
from operations, facility engineering, and information technology (IT). The SCADA security team
should first analyze the current risks and threat at each of the rings of defense, and then initiate a
work plan and project to reduce the security risk.

For more information, see [SEC].

Hitachi Energy Finland Oy
Grid Automation
PL 688
65101 Vaasa, Finland

https://hitachienergy.com/microscadax

