Multi-Level Security Concept - Siemens SIPROTEC 5 Manual

V8.30 and higher

11.2 Multi-Level Security Concept

DIGSI 5 offers many useful functions for the configuration and testing of your SIPROTEC 5 devices. Constant password prompts are not sensible during this phase. During operation, however, the focus is on the reading of data. Reconfiguration and switching are safety-critical operations. These operations lead to failures in operation if they are carried out inadvertently or without authorization. After completion of commissioning, you can activate a multi-level security concept in the device.

Before DIGSI 5 can communicate with the SIPROTEC 5 device via its Ethernet services, the device carries out secure authentication. Only DIGSI 5 has the authorization for communication with the device. In addition, a connection password that meets the strict rules of NERC-CIP can be configured. The password is securely stored in the device. The password must contain upper-case and lower-case letters, digits, and special characters and must be 8 to 24 characters long. It is queried before a connection is established. A connection to the SIPROTEC 5 device cannot be established until the correct password has been entered. You then have read access.

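The connection-password rule above, written as a check to run over candidate passwords before they are configured (an added example, not part of the Siemens manual or DIGSI 5). It assumes "special characters" means ASCII punctuation, which the page does not specify; the device labels and passwords are constructed sample data.

```python
import string

MIN_LEN, MAX_LEN = 8, 24  # length bounds stated in the manual text

# Assumption: "special characters" means ASCII punctuation; the page does not
# list the exact set the device accepts.
CLASSES = {
    "upper-case letter": set(string.ascii_uppercase),
    "lower-case letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation),
}


def check_connection_password(password):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    known = set().union(*CLASSES.values())
    if any(c not in known for c in password):
        # Spaces, non-ASCII letters, control characters: flag for manual review.
        problems.append("contains characters outside the assumed set")
    return problems


def audit(candidates):
    """Map each device label to its violations without echoing the password."""
    return {device: check_connection_password(pw) for device, pw in candidates.items()}


# Constructed sample data: hypothetical device labels and candidate passwords.
SAMPLE = {
    "bay-01": "Relay#2020ok",
    "bay-02": "short1!",
    "bay-03": "alllowercase-and-digits-12345",
    "bay-04": "Gültig#2020x",
}

if __name__ == "__main__":
    for device, problems in audit(SAMPLE).items():
        print(device, "OK" if not problems else "; ".join(problems))
```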
All write-access rights to the SIPROTEC 5 device, such as changing setting values or switching, are protected by further security prompts, the confirmation IDs. If changes are made via the integrated operation, these confirmation IDs are queried on the on-site operation panel. The confirmation ID contains only numbers that you must enter at the on-site operation panel or in DIGSI 5.

NOTE
The confirmation IDs are only needed if the role-based access control (RBAC) is not activated in the SIPROTEC 5 device.

The 3-level security concept consists of secure authentication, the connection password, and other confirmation IDs. This concept provides the highest possible degree of access protection during operation. Even remote access to devices is protected. You can also use an Ethernet module exclusively for the communication with DIGSI 5. Access by a substation control network with the unsecured IEC 61850 protocol and remote access with DIGSI 5 are then carried out via completely separate networks. Even though the SIPROTEC 5 device communicates with DIGSI 5 via an Ethernet module, communication between DIGSI 5 and the device is encrypted using tap-proof technology.

Wrong password entries are identified and logged. An alarm can be triggered via a telecontrol connection. Safety-critical operations are also logged and cannot be deleted in the device. If files on the PC were manipulated by malware (for example, viruses), they cannot be loaded into the device.

NOTE
You can find more information about the security settings of the device in the Security Manual (C53000-H5000-C081).

SIPROTEC 5, Operation, Manual
C53000-G5040-C003-C, Edition 08.2020
Security Settings in the Device