MicroSCADA Pro SYS 600 9.3
Cyber Security Deployment Guideline
1MRS756796

1 Introduction
1.1 This manual
1.2 Use of symbols
1.3 Document conventions
1.4 Document revisions
2 General
2.1 Definitions and Abbreviations
2.2 Reference Documents
3 Configuring network
3.1 Virtual Private Network (VPN)
Use cases
3.2 Network Devices
4 Configuring security settings for Windows operating system / SYS 600 Server
4.1 BIOS settings
4.2 Removing unused programs
4.3 Disabled system services
4.4 Windows Updates
Patch management
4.5 Virus scanner
Patch management
4.6 Disabling devices
4.7 User Account Control (UAC)
4.8 OPC
4.9 SNMP – Simple Network Management Protocol
4.10 Security policies
4.11 Firewall (ports and services)
4.12 Windows user account for SYS 600 system
4.13 Protecting SYS 600 system configuration settings
4.14 Backing up and restoring
Taking backup
Restoring backup
5 Configuring security settings for SYS 600 Workplaces
5.1 Configuring Windows user accounts between a server and a workplace
5.2 Enabling workstation calls from the server
5.3 Configuring workstation in a hot-standby (HSB) system
OpenRemoteDesktop program
5.4 Automatic logon feature
5.5 X Windows technology
6 Configuring security features in SYS 600
6.1 User account management
6.2 Authorization / user account permissions
6.3 Password policies
6.4 Resetting administrator password
6.5 User session time-out
6.6 Logging of user activities
6.7 Backdoors
7 APPENDIX: Ports and services
8 APPENDIX: Windows system services
9 APPENDIX: Security policies
9.1 Security policies
10 APPENDIX: Deploying security settings to SYS 600 Server/Workplace
10.1 Rollback
10.2 Virtual Private Network
Create IPSec Policy
Build a Filter List from SYS600 to NCC
Configure a Rule for the communication
10.3 SYS 600 Server
10.4 SYS 600 Workplace
11 APPENDIX: Introduction to SCADA Security


Copyright
The information in this document is subject to change without notice
and should not be construed as a commitment by ABB. ABB assumes
no responsibility for any errors that may appear in this document.
In no event shall ABB be liable for direct, indirect, special, incidental or
consequential damages of any nature or kind arising from the use of this
document, nor shall ABB be liable for incidental or consequential
damages arising from use of any software or hardware described in this
document.
This document and parts thereof must not be reproduced or copied
without written permission from ABB, and the contents thereof must
not be imparted to a third party, nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under
a license and may be used, copied, or disclosed only in accordance with
the terms of such license.
Copyright © 2010 by ABB
All rights reserved.
Trademarks
ABB is a registered trademark of ABB Group. All other brand or
product names mentioned in this document may be trademarks or
registered trademarks of their respective holders.
Guarantee
Please inquire about the terms of guarantee from your nearest ABB
representative.


1 Introduction
1.1 This manual
This document is a security guide for MicroSCADA Pro Control System
SYS 600 version 9.3 FP1 (hereafter SYS 600).

1.2 Use of symbols

This publication includes warning, caution, and information icons that
point out safety related conditions or other important information. It also
includes tip icons to point out useful information to the reader. The
corresponding icons should be interpreted as follows:

The caution icon indicates important information or a warning related
to the concept discussed in the text. It might indicate the presence of
a hazard which could result in corruption of software or damage to
equipment or property.

The information icon alerts the reader to relevant facts and
conditions.

Although warning hazards are related to personal injury, and caution
hazards are associated with equipment or property damage, it should be
understood that operation of damaged equipment could, under certain
operational conditions, result in degraded process performance leading to
personal injury or death. Therefore, comply fully with all warning and
caution notices.

1.3 Document conventions

The following conventions are used for the presentation of material:
• The words in names of screen elements (for example, the title in the
title bar of a dialog, the label for a field of a dialog box) are initially
capitalized.
• Capital letters are used for the name of a keyboard key if it is labeled
on the keyboard. For example, press the CTRL key. Enter key is an
exception, e.g. press Enter.
• Lowercase letters are used for the name of a keyboard key that is not
labeled on the keyboard. For example, the space bar, comma key and
so on.
• Press CTRL+C indicates that you must hold down the CTRL key
while pressing the C key (to copy a selected object in this case).
• Press ESC E C indicates that you press and release each key in
sequence (to copy a selected object in this case).
• The names of push and toggle buttons are boldfaced. For example,
click OK.


• The names of menus and menu commands are boldfaced. For example,
the File menu.
• The following convention is used for menu operations: Menu Name >
Menu Command > Cascaded Menu Command. For example, select
File > Open > New Project.
• The Start menu name always refers to the Start menu on the
Windows Task Bar.
• System prompts/messages and user responses/input are shown in the
Courier font. For example, if you enter a value out of range, the
following message is displayed:
Entered value is not valid. The value must be 0 to 30.
You may be told to enter the string MIF349 in a field. The string is shown
as follows in the procedure:
MIF349
• Variables are shown using lowercase letters: sequence name

1.4 Document revisions

Version | Revision number | Date       | History
A       | 9.3             | 31.3.2010  | New document
B       | 9.3 FP1         | 31.12.2010 | Document updated


2 General
This document is a security guide for MicroSCADA Pro Control System
SYS 600 version 9.3 FP1 (hereafter SYS 600). The guide is intended for
software and project engineers, and system verification testers and they are
expected to have general familiarity with topics in the following areas:
• PCs, servers, and Windows operating systems
• Networking including TCP/IP and concept of ports
• Firewalls
• Anti-virus
• Passwords
• Remote and secure communication

Operating systems (with the latest service packs) covered in this document
are:

• Windows 7
• Windows Server 2008
• Windows XP Professional or
• Windows Server 2003 Standard Edition

The guide assumes that in SYS 600 servers:
• Automatic Updates is disabled
• Uninterruptible power supplies (UPS) are not controlled by the server
• Wireless network configuration is not used
• There are printers connected to the server

The guide assumes that in SYS 600 workplaces:
• Automatic Updates is disabled
• Wireless network configuration is not used
• There are printers connected to the workplace

However, the guide does not specify the network configuration (forests,
domains, organizational units (OU)) where the SYS 600 system is
installed. There are several ways to deploy security settings to machines,
e.g. by using the secedit command-line tool, the Security Configuration
Wizard (SCW), or Group Policy Objects (GPO). This guide gives
instructions on how to deploy security settings to servers and workplaces
using the secedit tool.

Chapter 2 (this chapter) gives general information, assumptions, and the
operating system and SYS 600 versions this guide covers. The system is
hardened by configuring the network, uninstalling irrelevant software,
disabling Windows system services, configuring the firewall settings and
applying security policies. Configuring the network is discussed in Chapter 3.


Security settings in this document are divided into the following categories:
• General security settings in Windows servers (Chapter 4)
• Security settings in SYS 600 servers (Chapter 4)
• Security settings in SYS 600 workplaces (Chapter 5)
• Security features available in SYS 600 (Chapter 6)

There are security settings which are automatically configured in the
product and those which need to be configured manually. By default, the
SYS 600 installation configures only the Windows DCOM security settings.
An administrator user account is also created during installation and a
password is prompted for the MicroSCADA user. Since this is an
administrator account, it is the responsibility of the system administrator
to choose a valid and secure password for it; see Windows user account for
SYS 600 system.

Other Windows server security settings, such as the firewall, security
policies and the disabling of Windows system services, are not
automatically configured during the SYS 600 installation, because the
installation could conflict with existing security settings on computers
where these may not be modified. To apply security settings after the
SYS 600 installation, read and execute the settings starting from Chapter 3.
The script files are located in the SYS 600 installation folder
sc\setup\security. Detailed instructions for applying security settings to
SYS 600 servers are given in Chapter 10.
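The secedit deployment that Chapter 10 describes (apply a template, verify the result, keep a way back as in 10.1 Rollback) can be driven from a single batch file. The following is an added example written for this page, not one of the scripts shipped in sc\setup\security; the template name sys600_server.inf and the working folder under %SystemRoot%\security are assumptions.

```batch
@echo off
rem Added example, not an ABB script: deploy a security template with
rem secedit, keep a rollback template, and verify the result.
rem Assumptions: the template sys600_server.inf sits next to this script;
rem the script is run from an elevated command prompt on the SYS 600 server.
setlocal
set TEMPLATE=%~dp0sys600_server.inf
set WORKDIR=%SystemRoot%\security\sys600
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%TEMPLATE%" (
  echo Template %TEMPLATE% not found
  exit /b 1
)

rem 1. Export the current local settings first. This file is the rollback
rem    template: applying it with /configure restores today's state.
secedit /export /cfg "%WORKDIR%\rollback.inf" /log "%WORKDIR%\rollback.log"
if errorlevel 1 goto fail

rem 2. Apply the template. /overwrite starts from an empty database so
rem    that nothing from an earlier run lingers in the .sdb.
secedit /configure /db "%WORKDIR%\sys600.sdb" /cfg "%TEMPLATE%" /overwrite /log "%WORKDIR%\configure.log"
if errorlevel 1 goto fail

rem 3. Verify: compare the live system with the template. Settings that did
rem    not take are written to analyze.log; the same database can be opened
rem    in the Security Configuration and Analysis snap-in for a visual check.
secedit /analyze /db "%WORKDIR%\sys600.sdb" /cfg "%TEMPLATE%" /log "%WORKDIR%\analyze.log"
if errorlevel 1 goto fail
echo Template applied. Review %WORKDIR%\analyze.log for mismatches.
endlocal
exit /b 0

:fail
echo secedit failed, see the logs in %WORKDIR%
echo To roll back, run:
echo   secedit /configure /db "%WORKDIR%\rollback.sdb" /cfg "%WORKDIR%\rollback.inf" /overwrite /log "%WORKDIR%\rollback_apply.log"
endlocal
exit /b 1
```

Take the export before the first change and keep it off the server as well: once a template that disables a service or tightens a user right has been applied, the exported .inf is the only record of the previous values.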

There is a general security guide for control systems and operating systems
on the ABB website [ABBSEC09]. Microsoft also has security guides for
different operating systems [MSSEC09].

SYS 600 Compact (SYS 600C) includes both SYS 600 and
Windows server-specific security settings by default. However, it
is the responsibility of the project engineer to close the TCP/UDP
ports of communication protocols, such as DNP or ELCOM, which are
not used.


Table 1 – Deployment of security features in SYS 600 product

X = automatically configured in the product, S = semi-automatic
configuration using batch files, M/empty = to be configured e.g. manually

Security feature | SYS 600 installation package | SYS 600C | > SYS 600 9.3 | Remarks
MicroSCADA user account | X | X | X | Automatically created during the SYS 600 installation. Password should be longer than 15 characters.
OPC/DCOM settings | X | X | X | Automatically configured during the SYS 600 installation.
Firewall settings (ports and services) | | X | S/M | Enable ports for the communication protocols in use according to customer specifications.
Virtual Private Network (VPN) | | X | |
BIOS settings | | X | | Manual configuration
Removing unused programs | | X | S/M | Manual configuration
Disabled system services | | X | S |
SNMP | Not installed / services disabled | Not installed / services disabled | Not installed / services disabled |
Windows Server security policies | | X | S |
Windows Update | Not installed / services disabled | Not installed / services disabled | Not installed / services disabled |
User Account Control (UAC) | | X | S |
Virus scanner | Not installed / services disabled | Not installed / services disabled | Not installed / services disabled | Manual configuration
Disabling devices: | | | |
  DVD/CD-ROM drives | | X | S | Manual configuration
  USB Mass Storage | | X | S | Manual configuration
  Serial port | | X | | Manual configuration
  Floppy disk controller | | X | | Manual configuration
  Sound, video controller | | X | | Manual configuration
Disabling autorun functionality | | X | S |
Backing up and restoring | | | | Manual configuration
SYS 600 user management and authorization | | X | | Manual configuration


2.1 Definitions and Abbreviations

Table 2 – Terminology
Term    | Description
DCOM    | Distributed Component Object Model
NCC     | Network Control Center
OPC     | OLE for Process Control
SCADA   | Supervisory Control and Data Acquisition
SCW     | Security Configuration Wizard
SSLF    | Specialized Security-Limited Functionality
SYS 600 | MicroSCADA Pro Control System SYS 600
TCP/IP  | Transmission Control Protocol/Internet Protocol
WSUS    | Windows Server Update Services

2.2 Reference Documents

Table 3 – References
Ref | Document id | Version | Document title
[ABBSEC09] | | | ABB Security – Control Systems, http://www.abb.com/product/ap/seitp334/2a8e4e5e365d17ccc1256fd800521dab.aspx (20090408), ABB
[MSANA09] | | | Microsoft Baseline Security Analyzer, http://technet.microsoft.com/security/cc184924(en-us).aspx (20090408), Microsoft
[MSDCOM04] | | | How To Restrict TCP/IP Ports on Windows 2000 and Windows XP, http://support.microsoft.com/kb/300083
[MSPASS09] | | | Recommendation for password length, http://support.microsoft.com/default.aspx?scid=kb;en-us;299656, Microsoft
[MSSEC09] | | | Windows OS Security Guides, http://www.microsoft.com (20090408), Microsoft. Search for Security Guide and refine your search by giving a specific OS name, e.g. Windows Server 2008
[MSTHRE05] | | 2.0 | Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP, http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
[MSUPD] | | | Windows Update, http://www.microsoft.com/windows/downloads/windowsupdate/overview.mspx
[MSWS03] | | | Windows Server 2003 Security Compliance Management Toolkit, http://technet.microsoft.com/en-us/library/cc163140.aspx
[SYSAPL09] | 1MRS756637 | A | SYS 600 Application Design manual, ABB
[SYSCON09] | 1MRS756646 | A | SYS 600 System Configuration manual, ABB
[SYSINS09] | 1MRS756634 | A | SYS 600 Installation and Administration manual, ABB
[WSUS] | | | Windows Server Update Services, http://technet.microsoft.com/en-us/wsus/default.aspx
[SYSCUG] | | | SYS 600C Users Guide
[SYSPORTS] | | A | MicroSCADA Pro Security Guide – Ports and Services Rev A.xlsx
[UAC] | | | What are User Account Control settings?, http://windows.microsoft.com/en-us/windows7/What-are-User-Account-Control-settings


3 Configuring network
Each host in a TCP/IP network has a unique identifier, called an IP address.
An IPv4 address is composed of four numbers in the range from 0 to 255,
separated with dots, e.g. 192.168.0.1. Because every computer on an IP
network must have a unique IP address, careful planning of IP addresses
throughout the whole system is important. Remember to take future needs
in the address ranges into account when planning large networks. A host
can have multiple IP addresses, as shown in Figure 1.

ABB does not recommend the use of domains and wireless networks in a
SYS 600 system due to the high reliability and security that are required of
the control system. A domain controller being out of service might
jeopardize the stability of the control system. Therefore, static IP
addressing should be used in a SYS 600 system; see
http://technet.microsoft.com/en-us/library/cc754203(WS.10).aspx and also
[SYS 600 Installation and Administration, Host names] for more
information.

Figure 1 – An example of SYS 600 with NCC connection

3.1 Virtual Private Network (VPN)

This guideline considers the IP communication between SYS 600 and the
Network Control Center (NCC) / Regional Control Center (RCC) via a
dedicated wide area link that is not exposed to public access. The use case
is to protect the dedicated link against man-in-the-middle attacks by
guaranteeing confidentiality, integrity, and authentication via IPSec, using
pre-shared key authentication.

The IPSec configuration must be done on all machines that should
communicate with each other by IPSec. The configuration is shown in
section 10.2.

IPSec encryption is a CPU-consuming activity that can affect the
maximum throughput and the CPU utilization. To determine the effect of
IPSec encryption on data throughput and CPU consumption, it is important
to verify this with tests.

Use cases
NCC Communication
This use case covers the IP communication between SYS 600 and the
NCC via a dedicated wide area link, which can be a fiber optic link, a
microwave radio link, or a leased line that is not exposed to public access.
The aim is to protect the dedicated link against man-in-the-middle attacks
by guaranteeing confidentiality, integrity, and authentication. The use of
IPSec/VPN technology ensures that the transmitted data is not readable by
eavesdroppers and that tampering with data in transit is detected and
rejected. In addition, SYS 600 and NCC authenticate each other using
pre-shared keys before the communication link is established.

Figure 2 – NCC communication

Figure 2 visualizes a possible setup for the use case. The VPN connections
are illustrated as blue tubes, and multiple SYS 600 devices are connected to
the NCC system via the operator's internal IP network.


If no network address translation (NAT) is used between SYS 600 and
NCC, IPSec can be run in transport mode, which protects the payload of
each IP packet but leaves the IP header intact, so the packets are routed as
before and no tunnel overhead is added. A NAT device in the path rewrites
the header that IPSec protects, so transport mode then requires NAT
traversal (NAT-T) support on both ends, or tunnel mode must be used instead.

Maintenance Access via Remote Desktop Protocol (RDP)

An alternative way to access SYS 600 is the Remote Desktop Protocol
(RDP). RDP provides the graphical interface of SYS 600 on another
computer, i.e. the maintenance device. RDP access should be restricted to
the intranet only. RDP encrypts all transmitted data, starting with Windows
XP Service Pack 2. Authentication is by conventional Windows user logon.

Figure 3 – RDP Maintenance Access via VPN

Note that the firewall must accept incoming RDP connections, and the
maintenance device connected to the VPN must be able to reach the RDP
port of SYS 600. Because SYS 600 has access to the station bus, a service
engineer connected to the SYS 600 desktop can also reach the station bus
through that desktop, so the RDP port should be opened only for the
addresses of the maintenance devices.

HSB communication
Another use case covers the communication between a master SYS 600
and its redundant hot-standby system via a wide area network connection.
This link should be protected against man-in-the-middle attacks by
guaranteeing confidentiality, integrity, and authentication. This use case
is comparable to NCC communication.


Figure 4 – SYS600 to SYS600 communication

See section 10.2 Virtual Private Network to configure VPN.
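Section 10.2 builds the policy, the filter list and the rule through the IP Security Policy snap-in. The same transport-mode, pre-shared-key policy can be scripted with netsh ipsec static, which is useful when it has to be applied identically on every SYS 600 and NCC host and on both HSB servers. The batch file below is an added example for this page, not ABB's section 10.2 procedure; the addresses, the policy, filter list and rule names and the key placeholder are illustrative assumptions, and the firewall rule at the end implements the RDP restriction described under Maintenance Access.

```batch
@echo off
rem Added example, not from the ABB guide: transport-mode ESP between the
rem SYS 600 server and the NCC with pre-shared key authentication, scripted
rem with netsh ipsec static (Windows XP SP2 / Server 2003 / 2008 / 7).
rem Assumed (illustrative) values: SYS 600 server 192.168.10.5, NCC front
rem end 10.20.30.7, maintenance VPN subnet 172.16.50.0/24.
setlocal
set SYS600=192.168.10.5
set NCC=10.20.30.7
set MAINT=172.16.50.0/24
set POLICY=SYS600-NCC-IPsec

rem Policy container; it is assigned only after the rule is complete so that
rem traffic is never blocked by a half-built policy.
netsh ipsec static add policy name=%POLICY% description="ESP transport mode to NCC" assign=no

rem Filter list: all traffic between SYS 600 and the NCC. mirrored=yes adds
rem the reverse direction automatically.
netsh ipsec static add filterlist name=SYS600-to-NCC
netsh ipsec static add filter filterlist=SYS600-to-NCC srcaddr=%SYS600% dstaddr=%NCC% protocol=ANY mirrored=yes

rem Filter action: require ESP (confidentiality and integrity). soft=no
rem forbids falling back to clear text if negotiation fails; inpass=no
rem rejects unprotected inbound packets from the NCC address.
netsh ipsec static add filteraction name=Require-ESP action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Rule: no tunnel endpoint means transport mode. The PSK is stored in
rem clear text in the local policy store and is readable by any local
rem administrator, so treat it like a password and rotate it.
netsh ipsec static add rule name=NCC-Rule policy=%POLICY% filterlist=SYS600-to-NCC filteraction=Require-ESP conntype=all kerberos=no psk="replace-with-a-long-random-key"

rem Activate. The NCC host needs a mirror-image policy with the same PSK.
netsh ipsec static set policy name=%POLICY% assign=y

rem RDP (TCP 3389) accepted only from the maintenance VPN subnet
rem (netsh firewall syntax of XP SP2 / Server 2003).
netsh firewall set portopening protocol=TCP port=3389 name="RDP maintenance" mode=ENABLE scope=CUSTOM addresses=%MAINT%

rem Checks: the assigned policy, and the main-mode SAs once traffic flows.
netsh ipsec static show policy name=%POLICY% level=verbose
netsh ipsec dynamic show mmsas
endlocal
```

Two caveats for the practitioner: ESP[3DES,SHA1] is the strongest method the legacy IPsec policy store offers, so on Windows 7 and Server 2008 the connection security rules of Windows Firewall with Advanced Security (netsh advfirewall consec), which support AES, are the better choice; and because soft=no is set, a key mismatch or clock problem between the two ends silently drops the NCC link, so test the policy against the NCC before assigning it on a production server.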

3.2 Network Devices

Network devices such as switches, routers, firewalls, intrusion detection
systems, modems, and wireless devices are not part of this security guide.
From a security point of view, the following should be enabled on these
devices:
• Logging
• Patches / Updates
• Backup / Recovery

For more information, see the device manuals.


4 Configuring security settings for Windows operating system / SYS 600 Server
Windows servers are protected with firewalls, security policies, Windows
Updates, and virus scanners. To reduce the attack surface of servers,
programs and services that are not used can also be uninstalled or
disabled. See Table 1 to check which security features are automatically
configured in SYS 600. Some SYS 600 versions need manual configuration.

The sections below use the statements "This has to be configured
manually" and "This is configured automatically". The first means that the
security setting has to be configured by hand. The second means that there
is a script file to automate the configuration; the process is described in
APPENDIX: Deploying security settings to SYS 600.

4.1 BIOS settings

The following settings must be applied:
• Administrator password is enabled
• Remote wake-up is disabled

This has to be configured manually.

4.2 Removing unused programs

The following software is not used by SYS 600 and can be removed
manually from Windows Control Panel > Add/Remove Programs >
Add/Remove Windows Components.

Windows Component    | Added / Removed
Outlook Express      | Manually Removed
Messenger            | Manually Removed
MSN Explorer         | Manually Removed
Windows Media Player | Manually Removed
Games (Windows XP)   | Manually Removed

This has to be configured manually.

4.3 Disabled system services

Enabled and disabled system services are listed in APPENDIX: Windows
system services.

This is configured automatically using script files.


4.4 Windows Updates

Before installing SYS 600 and delivering the system to the customer, all
computers and operating systems should be patched with the latest
Windows updates. SYS 600 Workplaces should have Windows Updates
enabled.

This has to be configured manually.

Patch management
The compatibility of the latest Windows service packs with SYS 600 is
tested in the system verification center at the time of the product release.
After the system is running, only security-related patches should be
installed on servers. If a security patch affects software that is not used or
not installed on the server, the patch should not be installed.

A dedicated Microsoft Windows Server Update Services (WSUS) server
can be used for Windows Updates. Windows Update requires the following
system services to be enabled: Background Intelligent Transfer Service
(BITS) and Automatic Updates. For more detailed information, see [WSUS]
and [MSUPD].

4.5 Virus scanner

Whenever it cannot be guaranteed that no unknown software is executed
on a machine (e.g. because removable devices or USB ports are enabled),
the use of anti-virus software is highly recommended on servers and
workstations.

Virus scanners distinguish between on-access scanning (only files that are
currently being loaded are checked) and on-demand scanning (all files are
checked during a scheduled scan). Minimum requirements for the virus
scanner are on-demand scanning and virus definition updating.

On-access virus scanners on servers are a trade-off between security and
performance. We recommend testing the performance of the system with
normal virus scanner settings. If the performance is not acceptable, it can
be improved with settings available in some virus scanner programs, such
as excluding certain frequently used directories or files from on-access
scanning (these are then covered by the scheduled on-demand scan). For
example, event logs, databases and some custom file types which are
accessed continuously should be put in the exception list, i.e. those files
are not on-access scanned.

Settings available in virus scanner programs for improving performance
are shown below.

• Windows operating system directories should not be excluded
• Some virus scanner programs may not have all the settings shown below


CPU Utilization
• Restrict CPU utilization to 20%
• After modifying this setting it is recommended to run the on-demand
scan of the local disks once to ensure that it finishes within an acceptable
amount of time.
• Disable the virus scanner during SYS 600 product or service pack
installation

On-access scanning
• Scan only local disks; network scanning is disabled (when each machine
has its own virus scanner). Disable e-mail scans.
• Excluded directories:
o These directories are frequently used in the SYS 600 server
o SYS 600: <drive>\sc\apl\*.* (including subdirectories); if this
does not work, exclude the whole sc directory
o DMS 600: <drive>\DMS600\*.*
• Excluded files:
o Archive files such as .cab, .rar, and .zip
• Other settings
o Enable buffer overflow protection
o Enable access protection
o Enable script scan

On-demand scanning
• Initiated periodically or manually
• Initiated manually if the system owner has found virus-infected files on
other computers in the enterprise, e.g. in the office network or on
maintenance laptops
• Scan only local disks; network scanning is disabled (when each machine
has its own virus scanner)
• Scanning should be done when normal system activity is low
• All items excluded from on-access scanning should be included in the
scan

Handling of infected files

• Try automatic cleaning first
• If cleaning fails, manual action is required
• Reporting
o Maintenance personnel should check virus scanner log files on
each site visit. In case of virus detection, the issue must be
escalated to the responsible personnel.
o There are several methods to report virus detection, such as
e-mail, printout to a printer, sending to a computer's syslog,
launching a program locally (e.g. a SCIL program or VB script),
or sending an SNMP trap to one or more computers. Sending
an SNMP trap is the preferred method.


Scan engine and virus definition updates

• It is recommended that scan engines and virus definitions are updated
automatically. However, enabling this feature on all machines
connected to the automation system network is not a recommended
practice. For a more secure and reliable deployment of virus
definitions, a central management and update deployment host (e.g.
F-Secure Policy Manager or McAfee® ePolicy Orchestrator) can be
set up on the corporate intranet. This allows a system administrator to
control when updates are made. Note that a direct Internet
connection should only be allowed for the time everything is
downloaded; the connection is closed after downloading has finished.
General guidelines are provided in [ABBSEC09, IS Security
Considerations for Automation Systems].
• If redundant servers exist, it is recommended to update these servers a
few hours later than the primary server (e.g. four hours) to reduce the
risk if the update process does not succeed on the primary server.
• New virus definition files should be taken into use immediately.
• Note! Some scan engine updates may override current scan settings. In
possible problem situations, this should be checked.

This has to be configured manually.

Patch management
It is recommended to update scan engine and virus definition files
regularly, e.g. every three months. Verify that the settings introduced above
are preserved and that the performance and functionality of the system are
acceptable after updates.

Theoretically, a new virus definition file could arrive that compromises the
proper functionality of the system. Testing the system against every new
virus definition file is obviously not feasible. Therefore, we recommend a
full system backup before updating virus definition files.

4.6 Disabling devices

In any type of a server it is a good practice to disable the devices not used.
This may include USB ports, CD/DVD drives, communication ports, and
floppy disc controllers.

This has to be configured manually.

Click Start > Settings > Control Panel > Administrative Tools >
Computer Management > Device Manager and look for the devices to
be disabled.

The following figures show the disabling of the DVD/CD-ROM drive, the
floppy disk controller and the sound, video and game controllers; finally,
the Universal Serial Bus (USB) ports must be disabled.

Do not disable a device if it will be used, e.g. USB license keys,
alarm sounds, or software installations.

Figure 5 – Disabling DVD/CD-ROM

Figure 6 – Disabling Floppy disk controller

Figure 7 – Disabling Serial port

Figure 8 – Disabling USB Mass Storage Device, see also
http://support.microsoft.com/kb/823732.

Disabling autorun functionality

Whenever disabling of devices is not possible, it is good practice to disable
autorun functionality of the device. In order to prevent the automatic start
of malicious code contained in a removable device, autorun functionality
must be turned off. For more information, see How to disable the Autorun
functionality in Windows, http://support.microsoft.com/kb/967715/en-us.

This is configured automatically using script files.
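As an added example (not code from the ABB guideline or its script files), the following PowerShell applies the two registry settings behind the Microsoft articles referenced above: the UsbStor driver start value from KB823732, which disables USB mass storage devices without touching other USB devices such as license keys, and the NoDriveTypeAutoRun policy value from KB967715, which turns Autorun off for every drive type. The function names are this example's own; run it in an elevated session.

```powershell
# Added example (not part of the ABB guideline): disable the USB mass storage
# driver (KB823732) and Autorun for all drive types (KB967715) through the
# registry, then verify both settings. Requires an elevated PowerShell session.
$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-UsbMassStorage {
    # Start = 4 (SERVICE_DISABLED) keeps the UsbStor driver from loading, so
    # removable USB disks are no longer mounted. Other USB device classes
    # (e.g. a USB license key) are not affected by this value.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Disable-Autorun {
    # NoDriveTypeAutoRun = 0xFF disables Autorun on every drive type, which
    # prevents automatic execution of code placed on removable media.
    if (-not (Test-Path $ExplorerKey)) {
        New-Item -Path $ExplorerKey -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-RemovableMediaHardening {
    # Returns $true only when both values are in the expected state; use it as
    # the post-deployment check (or before a site visit, see the virus section).
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    $autorun = (Get-ItemProperty -Path $ExplorerKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($start -eq 4) -and ($autorun -eq 0xFF)
}

Disable-UsbMassStorage
Disable-Autorun
if (Test-RemovableMediaHardening) {
    'USB mass storage and Autorun are disabled.'
} else {
    Write-Warning 'Removable media hardening is not in the expected state.'
}
```

Both values take effect for newly attached devices and after a reboot; a USB disk that was already mounted when the script ran must be removed first. Because only the mass storage class driver is disabled, this is the finer-grained alternative to disabling the USB ports in Device Manager when a USB license key must keep working; still confirm the key is recognised after the reboot.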

4.7 User Account Control (UAC)

UAC is a security feature in Windows Vista, Windows 7, and Windows
2008 Server. For more information, see [UAC]. UAC should be enabled
using its default settings in SYS 600 Server/Workplace.

This is configured automatically using script files.

4.8 OPC
The usage of OPC communication between OPC client and server requires
that Distributed COM (DCOM) has been configured accordingly in the
Windows operating systems. This includes configuring system-wide
DCOM settings and OPC server specific DCOM settings.

Distributed Component Object Model (DCOM) uses Remote Procedure
Call (RPC) dynamic port allocation. By default, RPC dynamic port
allocation randomly selects port numbers above 1024. You can control
which ports RPC dynamically allocates for incoming communication and
then configure the firewall to confine incoming external communication
to only those ports and port 135 (the RPC Endpoint Mapper port).
[MSDCOM04]

DCOM settings include:

• Setting up a mutual user account
• Configuring system-wide DCOM settings
• Configuring server-specific DCOM settings
• Configuring firewall: DCOM uses TCP port 135, which must be open.
o Deny all incoming traffic from the Internet to your server.
o Permit incoming traffic from all clients to TCP port 135 (and
UDP port 135, if necessary) on your server.
o Permit incoming traffic from all clients to the TCP ports (and
UDP ports, if necessary) on your server in the port range.
1. On the DCOM server, run regedt32 and create the
following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
2. Add these values to the created key:

Name                    Type            Value
Ports                   REG_MULTI_SZ    5000-5020
PortsInternetAvailable  REG_SZ          Y
UseInternetPorts        REG_SZ          Y

If callbacks are used, permit incoming traffic on all ports where the TCP
connection was initiated by your server.
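The registry values and firewall exceptions described in this section, as an added PowerShell example that is not code from the ABB guideline or from [MSDCOM04]: it pins the RPC dynamic range to the 5000-5020 used above and opens only that range plus TCP 135 on Windows 7 / Server 2008 and later via netsh advfirewall. The rule names, the function names and the LocalSubnet scope (the SUBNET scope option of section 4.11) are this example's assumptions; run it elevated, and reboot for the RPC change to take effect.

```powershell
# Added example (not part of the ABB guideline): restrict the RPC dynamic
# port range used by DCOM and admit only that range and the endpoint mapper
# through Windows Firewall. Elevated PowerShell; reboot after running.
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange      = '5000-5020'   # same range as the table in this section
$ClientScope    = 'localsubnet' # assumption: OPC clients are on the local subnet

function Set-RpcDynamicPortRange {
    param([string]$Range)
    # Values exactly as in the table above: Ports (REG_MULTI_SZ),
    # PortsInternetAvailable and UseInternetPorts (REG_SZ, 'Y').
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    Set-ItemProperty -Path $RpcInternetKey -Name 'Ports' -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' -Value 'Y' -Type String
}

function Add-DcomFirewallRules {
    param([string]$Range, [string]$RemoteScope)
    # Endpoint mapper first, then the pinned dynamic range. Both rules are
    # limited to $RemoteScope, so the block-inbound default still covers
    # every other source, including the Internet.
    netsh advfirewall firewall add rule "name=SYS600 DCOM endpoint mapper" `
        dir=in action=allow protocol=TCP localport=135 remoteip=$RemoteScope | Out-Null
    netsh advfirewall firewall add rule "name=SYS600 DCOM dynamic ports" `
        dir=in action=allow protocol=TCP localport=$Range remoteip=$RemoteScope | Out-Null
}

function Test-RpcDynamicPortRange {
    param([string]$Range)
    # Post-deployment check: all three values present with the expected content.
    $p = Get-ItemProperty -Path $RpcInternetKey -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return ($p.Ports -contains $Range) -and
           ($p.PortsInternetAvailable -eq 'Y') -and
           ($p.UseInternetPorts -eq 'Y')
}

Set-RpcDynamicPortRange -Range $PortRange
Add-DcomFirewallRules -Range $PortRange -RemoteScope $ClientScope
if (Test-RpcDynamicPortRange -Range $PortRange) {
    "RPC dynamic ports restricted to $PortRange; reboot to apply."
}
```

If callbacks are used, the client side needs the same treatment, since the server then initiates TCP connections back to the client's own dynamic range. On Windows XP / Server 2003 the equivalent exceptions are created in the older "netsh firewall" context that the rollback appendix refers to.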

This has to be configured manually. For more information, see
[SYSCON09, Configuring OPC connectivity].

4.9 SNMP – Simple Network Management Protocol

By default, SNMP services are disabled in SYS 600 server security
settings. In Windows XP, these services must be installed on the computer
first. SNMP version 3 or later should be used. To begin using the services,
change the startup type of SNMP Service and SNMP Trap Service to
Automatic.

This has to be configured manually.

4.10 Security policies

Security policies are based on predefined SSLF (Specialized Security-
Limited Functionality) security templates from Microsoft [MSSEC09].
These policies are modified for SYS 600 purposes in servers and
workplaces. The templates are categorized into the following sections:
• Account policies
• Audit policy
• User rights
• Security options
• Event log
• System services

This is configured automatically using script files. See APPENDIX:
Deploying security settings to SYS 600 Server/Workplace. See also
APPENDIX: Security policies to see the changes to default values.

4.11 Firewall (ports and services)

Windows Firewall is a stateful firewall, which can be configured to restrict
all inbound connections, but cannot filter or block any outbound
connections. However, Windows Vista, 7, and 2008 Server support
blocking outbound connections. It is recommended that firewall settings
are applied at the latest possible engineering phase since the firewall may
increase the difficulty of troubleshooting problems with connecting to
network services.

The scope options of the firewall settings are ALL or SUBNET. SUBNET
is a general setting option allowing only local network (subnet) traffic
through the firewall (for more information, see
http://technet.microsoft.com/en-us/library/cc778362(WS.10).aspx).

Other general settings are:

• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767kB
• ICMP settings: disabled
• Notify when an application is blocked.

Ports and services used by SYS 600 as well as default firewall settings are
listed in APPENDIX: Ports and services. We recommend using hardware
firewalls. Software firewalls may affect performance, in which case they
should not be used.
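The general settings listed above, applied from PowerShell as an added example that is not code from the ABB guideline or its script files. It uses the netsh advfirewall context available on Windows 7 / Server 2008 (the rollback appendix resets the same context); on Windows XP / Server 2003 the older "netsh firewall" context would be used instead. The function names are this example's own; run it elevated.

```powershell
# Added example (not part of the ABB guideline): apply the general firewall
# settings from section 4.11 on all profiles and read them back for review.
function Set-Sys600FirewallBaseline {
    # Firewall enabled, inbound blocked, outbound allowed, on every profile.
    netsh advfirewall set allprofiles state on | Out-Null
    # The comma-separated policy must be quoted, or PowerShell splits it into
    # two arguments before netsh sees it.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound" | Out-Null
    # Logging: %windir%\pfirewall.log, 32767 kB, with dropped packets recorded
    # (the log is what you will read when a connection is unexpectedly blocked).
    netsh advfirewall set allprofiles logging filename "%windir%\pfirewall.log" | Out-Null
    netsh advfirewall set allprofiles logging maxfilesize 32767 | Out-Null
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
    # Notify when an application is blocked from accepting inbound connections.
    netsh advfirewall set allprofiles settings inboundusernotification enable | Out-Null
    # ICMP: no allow rule is created, so inbound echo requests are dropped by
    # the block-inbound default (the "ICMP settings: disabled" item above).
}

function Get-Sys600FirewallState {
    # Returns only the lines of "netsh advfirewall show allprofiles" that
    # correspond to the settings above, one group per profile.
    netsh advfirewall show allprofiles | Where-Object {
        $_ -match '^\s*(State|Firewall Policy|FileName|MaxFileSize|LogDroppedConnections|InboundUserNotification)\b'
    }
}

Set-Sys600FirewallBaseline
Get-Sys600FirewallState
```

Apply this at the latest possible engineering phase, as the section recommends, and keep the output of Get-Sys600FirewallState with the commissioning records so that later troubleshooting starts from the known baseline.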

This is configured automatically using script files. See APPENDIX:
Deploying security settings to SYS 600 Server/Workplace.

4.12 Windows user account for SYS 600 system

During the installation, a MicroSCADA user account is created in
Windows with administrator privileges. The administrator user should have
a long password, at least 15 characters long [MSPASS09]. The password of
the MicroSCADA user account should not be changed through Windows
User Management. Instead, SYS 600 Control Panel > Admin > Password
should be used where DCOM settings are automatically configured.

By default, SYS 600C contains two Windows user accounts:
MicroSCADA and SYS600C. The MicroSCADA account is used by the
SYS 600 service and should not be used by the users. The SYS600C
account is an administrator account that should be used by the system
administrator. More Windows accounts can be created by the
administrator. The passwords of the default users are noted in the delivery
documentation.

Change default passwords immediately after installation.

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)

• An ideal password is long and has letters, punctuation, symbols,
and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password, the better.
• Use the entire keyboard, not just the letters and characters you use
or see most often.

This has to be configured manually.

4.13 Protecting SYS 600 system configuration settings

SYS 600 Workplaces connect to the server through terminal services.
The terminal connection is configured so that the user of the SYS 600
Workplace only has access to the SYS 600 Monitor Pro application; i.e.,
the user has no permissions to open other applications on the server
machine. For more information, see Configuring Windows user accounts
between a server and a workplace.

4.14 Backing up and restoring

The following instructions are taken from [SYSCUG].

24
1MRS756796 MicroSCADA Pro SYS 600 9.3
Cyber Security Deployment Guideline

Taking backup
We recommend that you back up the SYS 600 Server with disc imaging
software (for example Acronis True Image or Norton Ghost). The image
should be saved to a network drive or to a USB flash drive. Refer to the
instructions from your disc imaging software manufacturer on how to
accomplish this.

Recommendations for image backup:

• SYS 600 Server – every 3 months
• SYS 600 Workplace – every 6 months

This has to be done manually.

Restoring backup
The method for restoring the disc image depends on the disc imaging
software. Refer to the instructions from your disc imaging software
manufacturer on how to accomplish this.

This has to be done manually.

5 Configuring security settings for SYS 600 Workplaces

It is not required to install SYS 600 software to SYS 600 Workplace
machines at all. It is enough that SYS 600 Workplace machine has
software installed enabling a remote connection to the SYS 600 Server.
There are separate script files for configuring Windows Firewall and
security policies in the workplace machine, see APPENDIX: Deploying
security settings to SYS 600 Server/Workplace. See also Chapters 3 and 4
for configuring the network and hardening the operating system.

To operate the SYS 600 Server, a monitor (Classic Monitor or Monitor
Pro) needs to be opened. A monitor can be opened either on the server
machine or through a remote connection. If the SYS 600 Workplace is a
remote machine, connection to the server computer is established over the
network by using the remote client. Remote client means that the programs
of the workplace run on the server machine, whereas graphical output and
mouse/keyboard input for the processes happen on the remote client
machine.

Normally, SYS 600 Workplace machines are configured so that Windows'
automatic logon feature is enabled to automatically log an operator onto the
Windows operating system. Thus, there is a shared mutual Windows user
account in the SYS 600 Workplace machine and this account is used for
automatic logon.

After the user has logged in automatically to Windows, the Start >
Programs > Startup folder is executed. This folder contains shortcut icons
to launch SYS 600 monitors, which are then opened automatically. The
target of the shortcut icon is, for example, the Remote Desktop Connection
program, which is automatically configured to logon to the SYS 600 Server
with a user name and password, and to launch a monitor program (Classic
Monitor or Monitor Pro) on the server. The monitor login dialog opens for
the user, where the operator enters his/her unique user name and password.

Promoted technologies between the MicroSCADA server and the remote
workplace computer are the Windows Remote Desktop Protocol (RDP)
and the Citrix Independent Computing Architecture (ICA). For more
information, see [SYSCON09, Configuring Workplaces].

5.1 Configuring Windows user accounts between a server and a workplace

The SYS 600 Server machine has to have a Windows user account(s) that
is used for SYS 600 Workplace remote connections. This user has
membership of the Users (restricted user) and Remote Desktop Users
groups. By default, Remote Desktop Users group is available in Windows.

Normally, operators are using the same Windows user account to connect
to the server machine; however, there may be separate Windows user
accounts for each operator. In the SYS 600 system, operators normally
have individual SYS 600 user accounts they are using to log in to the
system.

Furthermore, in the server machine, the Remote Desktop Users group
should have Modify permission to the SYS 600 installation folder, i.e.,
<drive>\sc. Here are the steps to grant permission:

1. Right-click <drive>\sc in Windows Explorer and select Properties.
2. Select Security tab.
3. Add Remote Desktop Users group to Group or user names list by
clicking Add button.
4. Select the group in the list and allow Modify permission for the group.
5. Click OK.

To create a user account for Remote Desktop access in SYS 600 Server:
1. Select Control Panel > Administrative Tools > Computer
Management > System Tools > Local Users and Groups and right-
click Users and then select New user…
a. User name: e.g. Operator
b. Full name: can be empty
c. Description: can be empty
d. Password: must meet complexity requirements (lowercase and
uppercase letters, special characters, numbers)
2. Uncheck all options in the dialog.
3. Press Create and then press Close.
4. Double-click the user created and select Member Of tab.
5. Press Add button and add membership of Remote Desktop Users and
click OK.

To enable Remote Desktop on the server:

1. Open Windows Explorer.
2. Right-click My Computer and select Properties.
3. Select Remote tab and check Enable Remote Desktop on this computer
option.
4. Click Select Remote Users… and verify that the list includes users,
which are allowed to access the computer. Click OK to close the
dialog.
5. Click OK.

This user account has restricted rights to the Windows operating system,
see http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx. The
user has Modify access to the <drive>\sc directory, but this user normally only
has access to certain applications, such as Monitor Pro.

This has to be configured manually.

5.2 Enabling workstation calls from the server

Classic monitors – CAP 50x or SMS510 – can receive calls from the
server, e.g. to open some program in the workstation. For this purpose,
there is an executable called wserver.exe. By default, this program is
disabled. To enable the service:

1. Paste a shortcut of <drive>\sc\prog\exec\wserver.exe to Start >
Programs > Startup folder.
2. Configure the firewall to unblock incoming port 12221.
3. Execute the shortcut to enable workstation calls from the server
immediately.

This has to be configured manually.

5.3 Configuring workstation in a hot-standby (HSB) system

OpenRemoteDesktop program
This program can be used for opening a connection from a workstation to
an active server in the HSB system. The program inspects both servers,
detects the active server of the HSB pair and establishes a terminal server
session to it. For more information, see [SYSCON09].

This has to be configured manually.

Using this program and configuring it changes the default security
settings used in the automatic script files. This program should be
configured after the deployment of security policies, see
APPENDIX: Deploying security settings to SYS 600
Server/Workplace.

5.4 Automatic logon feature

By default, the SYS 600 service is started directly after Windows has been
started. This is an automatic startup of the service, i.e., no user needs to log
in. The automatic logon feature in the server machine can be used to
automatically open MicroSCADA monitors in remote SYS 600
workplaces.

ABB does not recommend using the automatic logon feature of the
Windows operating system, since Windows stores the user name
and the password in plaintext in the Windows registry.

This feature is disabled by default and has to be enabled manually, see
[SYSINS09, Automatic Logon].

5.5 X Windows technology

Hummingbird eXceed version 7.0 or newer is required as an X-server on
the workstation computer whenever the system includes distributed HSI
(Human System Interface), and uses MicroSCADA X and VS Remote
monitor types (Classic monitors). Note that technically, X Windows can
use a range of ports between 6000 and 6063. In particular, if the display
number is changed from the default of 0 using Xconfig/Communications,
this will change the port that Exceed uses. If you change the display
number to 1, it will use 6001; if you change it to 2, it will use 6002.

X Windows technology is not configured in the preconfigured firewall
settings. You will have to change your firewall settings manually if X
Windows is used.

This has to be configured manually.

6 Configuring security features in SYS 600

This chapter lists the security features (user account management and
authorization) available in the SYS 600 product.

All settings in this chapter have to be configured manually.

6.1 User account management

SYS 600 system allows the creation, modification, and removal of user
accounts. SYS 600 supports several user accounts. By default, the first user
logging onto SYS 600 Monitor Pro after the SYS 600 installation gets
system administrator privileges and is able to use user account
management tools of SYS 600.

To configure user accounts:

1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…

For more information, see [SYSAPL09, User Management].

6.2 Authorization / user account permissions

The system allows user roles with permissions individually configurable.
User names are associated with a certain user profile that restricts the
user’s access rights.

To configure user authorization:

1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…

For more information, see [SYSAPL09, Authorization].

6.3 Password policies

SYS 600 supports passwords with alphanumeric and special characters
(!”#%&*+-./=?@_). Upper (A-Z) and lowercase (a-z) characters and
characters from other character sets (localization) are also supported.
Password handling is case-sensitive.

By default, password complexity is turned off. The system administrator
may enable password complexity. Other settings include a minimum
password length, and a setting for forcing characters to be used in the
password (a combination of alphanumeric and special characters). The
maximum password length is 63 bytes (63 ASCII characters).

To configure password policies:

1. Open SYS 600 Monitor Pro.
2. Open Tools > Engineering Tools > User Management…
3. In the user management dialog, open Tools > Password Policy…

Keys to password strength: length and complexity
(http://www.microsoft.com/protect/fraud/passwords/create.aspx)

• An ideal password is long and has letters, punctuation,
symbols, and numbers.
• Whenever possible, use at least 14 characters or more.
• The greater the variety of characters in your password, the
better.
• Use the entire keyboard, not just the letters and characters you
use or see most often.

For more information, see [SYSAPL09, User Management].

6.4 Resetting administrator password

This feature is available if the user name or the password of system
manager is lost. In this case, it is possible to login to the system using a
temporary administrator password. Contact the support line.

6.5 User session time-out

SYS 600 workplaces operate in Windows. It is possible to configure the
user inactivity time and then lock the workstation; this is accomplished
through screensaver settings. SYS 600 system has a setting for logging the
user out after certain period of time. The time period is given in hours
(from 1 to 255) and it is also possible to configure notifications about
session expiration.

To configure user session time-out:

1. Open SYS 600 Monitor Pro.
2. Open Settings > Application settings… and select Logout Duration
tab.

For more information, see [SYSAPL09, Application Settings].

6.6 Logging of user activities

The SYS 600 system can be configured to log events from the process,
such as switching device opened/closed. Furthermore, the following events
are user activity events which are logged from the monitors:
• Login successful
• Login failed
• Logout
• Monitor opened

For example, the following events are not logged:

• User created
• User removed
• Password changed
• Password policies changed – setting X changed from value Y to Z

Access to log viewer is restricted based on user rights. Events are stored in
the file system in binary format.

For more information, see [SYSCON09, Event and Alarm Handling].

6.7 Backdoors
The following feature has a backdoor to the system: Resetting
administrator password

The administrator password reset feature is enabled by default. ABB
recommends that this feature is permanently disabled before delivering the
system to the customer. Using this function requires system manager
authority. Note that after the feature has been disabled, it is no longer
possible to login to the system if the user name or the password of system
manager has been lost.

To disable this feature:

1. Open Monitor Pro and select Tools > Engineering Tools > User
Management.
2. Press Ctrl + R in the main window and confirm the operation.
3. A notification is shown that the feature has been disabled. If the
feature has been disabled before, this is also notified.

7 APPENDIX: Ports and services

General firewall settings are as follows:
• Firewall: enabled, block inbound, allow outbound
• Logging: enabled, %windir%\pfirewall.log, 32767kB
• ICMP settings: disabled
• Notify when an application is blocked

Since all inbound traffic is blocked by default, exceptions (firewall rules)
need to be configured. Windows Firewall rules are configured automatically
using script files. See APPENDIX: Deploying security settings to SYS 600
Server/Workplace.

The complete list of ports and services can be found in the following tables
and the file MicroSCADA Pro Security Guide – Ports and Services Rev
A.xlsx [SYSPORTS].
Windows Operating System Services

Inbound (listening)                                                                                             Outbound
Service             Description                      Proto     Port number   Fixed/configurable   Open always/configurable   Port number   Used by / Miscellaneous
msrpc / dcom-scm    Remote procedure call / DCOM     TCP       135           fixed                always                     1024-65535    [System, svchost.exe]. Outbound range can be restricted:
                    Service Control Manager                                                                                               http://msdn.microsoft.com/en-us/library/ms809327.aspx
netbios-ssn         Netbios Session Service          TCP       139           fixed                always                                   [System]
microsoft-ds        Microsoft Active Directory,      UDP/TCP   445           fixed                always                                   [System]
                    shares
lsass.exe           Local Security Authentication    UDP/TCP   1025          fixed                always                                   [System]
                    Server
ntp                 SNTP - Simple network time       UDP       123           fixed                always                                   [System]
                    protocol
Netbios-ns          Netbios Name Service             UDP       137           fixed                always                                   [IEC 61850 OPC Server]
Netbios-dgm         Netbios Datagram Service         UDP       138           fixed                always                                   [System]
Isakmp              IPSec in Windows                 UDP       500           fixed                always                                   [System]
lsass.exe           sae-urn, IPsec NAT-Traversal     UDP       4500          fixed                always                                   [System]
wininit.exe,                                                   49152-49158   fixed                always                                   [System]
svchost.exe

SYS 600

Inbound (listening)
Service         Proto   Port number     Fixed/configurable   Open always/configurable   Used by
inet.exe        TCP     21845, 21846    Fixed                Always                     Base system program, process and APL-APL communication, ACP
                                                                                        protocol used for communication. Used by other SYS 600 base
wserver.exe     TCP     12221           Configurable         Configurable               Routing server peripherals to client machines [SYS 600 Remote VS
                                                                                        Monitors]. This port must be open in workstation machine only if
                                                                                        old monitors are used (X windowing).
daopccl.exe     -       -               -                    -                          MicroSCADA OPC Data Access Client uses DCOM port 135
opcs.exe        -       -               -                    -                          MicroSCADA OPC Data Access Server uses DCOM port 135
Opcenum.exe     TCP     1049            Fixed                Always                     OpenRemoteDesktop program uses this service
hasplsm.exe     TCP     1947            Fixed                Always                     Aladdin HASP License Manager Service for handling USB license
                                                                                        keys. For internal use only.

SYS 600 - Communication protocols

Note! All master protocols using TCP/IP (IEC60870-5-104 master, DNP3.0 TCP master, Modbus TCP,
SPA-TCP) are operating as TCP clients. Consequently, no protocol specific port numbers are reserved.

Inbound (listening)
Service                                       Proto     Port number   Fixed/configurable   Open always/configurable   Used by
IEC60870-5-104 Slave                          TCP       2404          fixed                configurable               IEC 60870-5-104 for telecontrol equipment and systems with coded
                                                                                                                      bit serial data transmission in TCP/IP based networks for
                                                                                                                      monitoring and controlling geographically widespread processes.
                                                                                                                      Network Control Center (NCC).
IEC60870-5-104 Slave - Communication lines    TCP       2501-2414     configurable         configurable               Localhost only
IEC60870-5-104 Master - Communication lines   TCP       2501-2414     configurable         configurable               Localhost only
DNP 3.0 Slave                                 UDP/TCP                 fixed                configurable               The Distributed Network Protocol (DNP) 3.0 is a standards-based
                                                                                                                      communication protocol designed for electric utility, water,
                                                                                                                      oil & gas and security systems.
DNP 3.0 Slave - Communication lines           TCP       2501-2414     configurable         configurable               Localhost only
DNP 3.0 Master - Communication lines          UDP/TCP   2501-2414     configurable         configurable               Localhost only
Modbus TCP Master - Communication lines       TCP       2501-2414                                                     Localhost only
SPA-TCP - Communication lines                 TCP       2501-2414     configurable         configurable               Localhost only
ELCOM-90 Provider                             TCP       6997          configurable         configurable
ELCOM-90 UserElem                             TCP       6998          configurable         configurable
ELCOM-90 Admin                                TCP       6999          configurable         configurable
Opcs_iec61850.exe                             -         -             -                    -                          IEC 61850 OPC Server, which contains SNTP Server as TCP/IP
                                                                                                                      Server. See ntp service.
Opcs_iec61850.exe                             TCP       102           fixed                configurable               IEC 61850 OPC Client / IEC 61850 System Supervision Server,
                                                                                                                      which contains MMS Server as TCP/IP server

SYS 600 – Remote Access

Inbound (listening)
Service                       Description         Proto     Port number   Fixed/configurable   Open always/configurable   Used by
Microsoft Windows Terminal                        TCP       3389          Fixed                Configurable               Microsoft Windows Terminal Services [Terminal Server Client,
Services                                                                                                                  RDP Client]
Citrix ICA                                        TCP       1494          Fixed                Configurable               MetaFrame Application Server for Windows / Citrix ICA
Hummingbird eXceed            X windows system    TCP       6000-6003     Configurable         Configurable               Classic monitors/workplaces

MS Pro DMS 600 4.3
Service                       Description         Proto     Port number   Fixed/configurable   Open always/configurable   Used by
Ms-sql-s                                          UDP/TCP   1433          Fixed                Always                     Microsoft SQL Server
Ms-sql-m                                          UDP/TCP   1434          Fixed                Always                     Microsoft SQL Monitor
DMSSocketService.exe                              TCP       51772         Configurable         Always                     DMS Socket Service, communication between applications
                                                                                                                          [DMS 600 SA, WS, NE]
UnknownSocketService.exe                          TCP       51773         Fixed                Configurable               Socket service to be used by 3rd party programs for sending
                                                                                                                          messages
CaCe TE                       CaCe FaultSender    TCP       8087          Configurable                                    (Only fileserver)
CaCe TE                       CaCe FaultReceiver  TCP       8086          Configurable                                    (Only fileserver)
Webgrid                                           TCP       8087          Configurable                                    Customer specific fault service (Only fileserver)
PG_Port TECS-service          PG Server           TCP       3000          Fixed                Configurable               Optional, depending on customer license / needs.
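A commissioning check that uses the tables above, as an added PowerShell example that is not code from the ABB guideline: it parses netstat -ano output and reports every listening port that is neither in the documented list nor in the documented dynamic range, so that an undocumented service is noticed before go-live. The expected list is this example's assumption for a SYS 600 server without DMS 600, ELCOM-90 or X Windows; the sample netstat lines are constructed, not captured from a real system.

```powershell
# Added example (not part of the ABB guideline): compare actual listeners with
# the ports documented in the appendix tables. Adjust $ExpectedListeners to
# the options installed on the machine being checked.
$ExpectedListeners = @(
    'TCP:135', 'TCP:139', 'TCP:445', 'UDP:445', 'TCP:1025', 'UDP:1025',
    'UDP:123', 'UDP:137', 'UDP:138', 'UDP:500', 'UDP:4500',
    'TCP:21845', 'TCP:21846', 'TCP:1049', 'TCP:1947', 'TCP:3389', 'TCP:2404'
)
# Dynamic range from the Windows services table (wininit.exe / svchost.exe).
$ExpectedRanges = @(@{ Proto = 'TCP'; From = 49152; To = 49158 })

function ConvertFrom-NetstatLine {
    # Parses one "netstat -ano" line into proto/port/pid. Returns $null for
    # the header and for TCP entries that are not LISTENING; UDP entries have
    # no state column, so every UDP line counts as a listener.
    param([string]$Line)
    if ($Line -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
        if ($matches[1] -eq 'TCP' -and $Line -notmatch 'LISTENING') { return $null }
        return [pscustomobject]@{
            Proto = $matches[1]; Port = [int]$matches[2]; ProcessId = [int]$matches[3]
        }
    }
    return $null
}

function Get-UnexpectedListeners {
    # Every listener that is neither an expected port nor inside an expected range.
    param([string[]]$NetstatLines, [string[]]$Expected, [hashtable[]]$Ranges)
    $unexpected = @()
    foreach ($line in $NetstatLines) {
        $entry = ConvertFrom-NetstatLine -Line $line
        if ($null -eq $entry) { continue }
        if ($Expected -contains ('{0}:{1}' -f $entry.Proto, $entry.Port)) { continue }
        $inRange = $false
        foreach ($r in $Ranges) {
            if ($entry.Proto -eq $r.Proto -and $entry.Port -ge $r.From -and $entry.Port -le $r.To) {
                $inRange = $true
            }
        }
        if (-not $inRange) { $unexpected += $entry }
    }
    return $unexpected
}

# Constructed sample (not from a real system): TCP 23 (Telnet) appears in no
# SYS 600 table and is the one line that should be reported.
$SampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772',
    '  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1504',
    '  TCP    0.0.0.0:21845          0.0.0.0:0              LISTENING       2100',
    '  TCP    10.0.0.5:49160         10.0.0.9:2404          ESTABLISHED     2100',
    '  UDP    0.0.0.0:123            *:*                                    1012'
)
Get-UnexpectedListeners -NetstatLines $SampleNetstat -Expected $ExpectedListeners -Ranges $ExpectedRanges |
    Format-Table Proto, Port, ProcessId

# Live check on the server itself (elevated, so that PIDs are shown):
# Get-UnexpectedListeners -NetstatLines (netstat -ano) -Expected $ExpectedListeners -Ranges $ExpectedRanges
```

Each reported entry carries the owning process id, so it can be matched to a service (tasklist /svc) and either added to the documented list, because it belongs to an installed option, or disabled as in APPENDIX: Windows system services.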

8 APPENDIX: Windows system services

Windows system services are described in detail in Threats and
Countermeasures Guides. The guide also includes the Excel workbook
“Windows Default Security and Services Configuration”, which
documents the default startup settings for services.

The settings below are a collection of services which are automatically
disabled, using the script, in Windows XP, Windows Server 2003,
Windows 7, and Windows Server 2008.

Not all services are running in each operating system, and may
not even exist. The script is built so that it ignores the
unavailable services and therefore it is normal to have these
kinds of messages in the log file:
• Error 1060: The specified service does not exist as an
installed service. Error opening <service name>.
• Error 1060: The specified service does not exist as an
installed service. Opening service <service name> for
stop access failed.
• Legacy audit settings are disabled. Skipped configuration
of legacy audit settings.

See exceptions to these services after the table, since some
functionality needs certain services to be enabled.

Table 4 – Disabled Windows system services

Service         Display Name
Alerter         Alerter
aspnet_state    ASP .NET State Service
AudioSrv        Windows Audio
CiSvc           Indexing Service
ClipSrv         ClipBook
Fax             Fax
Helpsvc         Help and Support
IISAdmin        IIS Admin
ImapiService    IMAPI CD-Burning COM Service
Messenger       Messenger
Mnmsrvc         NetMeeting Remote Desktop Sharing
MSFtpsvc        FTP Publishing Service
RDSessMgr       Remote Desktop Help Session Manager Service
SCardSvr        Smart Card
Schedule        Task Scheduler
SMTPSVC         Simple Mail Transfer Protocol
SNMP            Simple Network Management Protocol
SNMPTRAP        SNMP Trap Service
Stisvc          Windows Image Acquisition
TapiSrv         Telephony
Themes          Themes
TlntSvr         Telnet
TrkSrv          Distributed Link Tracking Server
Upnphost        Universal Plug and Play Device Host
UPS             Uninterruptable Power System
W3SVC           World Wide Web Publishing
WebClient       Web Client
WmdmPmSN        Portable Media Serial Number Service
WZCSVC          Wireless Zero Configuration

Exceptions
The table below shows the services which have to be changed from the
default if some functionality is required.

Functionality           Service to be enabled
Wireless connection     Enable ‘Wireless Zero Configuration’
Sounds                  Enable ‘Windows Audio’
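The behaviour described in this appendix, as an added PowerShell example that is not the ABB deployment script: it disables the services of Table 4, skips the ones that do not exist on the installed Windows version (the condition behind the "Error 1060" log lines above) instead of aborting, and leaves alone the services that the Exceptions table says are needed. Which services to keep is this example's assumption (Windows Audio, for alarm sounds); the function name is its own. Run it elevated.

```powershell
# Added example (not the ABB deployment script): disable the Table 4 services,
# tolerating services that are not installed and honouring the Exceptions table.
$ServicesToDisable = @(
    'Alerter', 'aspnet_state', 'AudioSrv', 'CiSvc', 'ClipSrv', 'Fax', 'Helpsvc',
    'IISAdmin', 'ImapiService', 'Messenger', 'Mnmsrvc', 'MSFtpsvc', 'RDSessMgr',
    'SCardSvr', 'Schedule', 'SMTPSVC', 'SNMP', 'SNMPTRAP', 'Stisvc', 'TapiSrv',
    'Themes', 'TlntSvr', 'TrkSrv', 'Upnphost', 'UPS', 'W3SVC', 'WebClient',
    'WmdmPmSN', 'WZCSVC'
)
# Assumption for this example: alarm sounds are required, so Windows Audio
# stays enabled (Exceptions table). Add 'SNMP', 'SNMPTRAP' when virus
# detections are reported by SNMP trap (section 4.9).
$KeepEnabled = @('AudioSrv')

function Disable-Sys600Services {
    param([string[]]$Names, [string[]]$Exceptions)
    $result = @{ Disabled = @(); Kept = @(); Missing = @(); Failed = @() }
    foreach ($name in $Names) {
        if ($Exceptions -contains $name) { $result.Kept += $name; continue }
        # Get-Service returns nothing for a service that is not installed here;
        # the original script logs this case as Error 1060 and moves on.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { $result.Missing += $name; continue }
        try {
            if ($svc.Status -ne 'Stopped') {
                Stop-Service -Name $name -Force -ErrorAction Stop
            }
            Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
            $result.Disabled += $name
        } catch {
            # e.g. access denied on a protected service: report, do not abort,
            # so the remaining services are still processed.
            $result.Failed += ('{0}: {1}' -f $name, $_.Exception.Message)
        }
    }
    return $result
}

$r = Disable-Sys600Services -Names $ServicesToDisable -Exceptions $KeepEnabled
'Disabled: {0}  Kept: {1}  Missing: {2}  Failed: {3}' -f `
    $r.Disabled.Count, $r.Kept.Count, $r.Missing.Count, $r.Failed.Count
$r.Failed
```

The Missing list is expected to be non-empty on Windows 7 / Server 2008, where several of the XP-era services in Table 4 do not exist; only the Failed list needs attention.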

9 APPENDIX: Security policies

9.1 Security policies

The table below shows what settings are changed in the SYS 600
servers and workplaces compared to the default, domain, and member
server settings.

Note! The default value is the operating system default value. There is
a separate default value for SSLF settings not shown here.

Table 5 – SYS 600 security policies

Setting: Name                                Default Value                Win2k8-SYS600Server: Value      Win2k8-SYS600Workplace: Value   Remarks
Maximum password age                         42 days                      0                                                               MicroSCADA user account never expires
Minimum password age                         0 days                       0                                                               MicroSCADA user account never expires
Account lockout threshold                    0 invalid logon attempts     0                               0                               Denial-of-service attack is possible if this value is
                                                                                                                                          more than zero. Therefore, never lockout.
Debug programs                               Administrators               Administrators
Deny access to this computer from the        Guests                       Guests, ANONYMOUS LOGON
network
Allow log on through Terminal Services       Administrators, Remote       Administrators, Remote
                                             Desktop Users                Desktop Users
Deny log on locally                          Guests                       Guests, MicroSCADA                                              MicroSCADA user account is only used to run the
                                                                                                                                          service
Deny log on through Terminal Services        No One                       Guests, MicroSCADA                                              MicroSCADA user account is only used to run the
                                                                                                                                          service
Log on as a service                          No one                       MicroSCADA
Accounts: Rename guest account               Guest                        Guestrenamed                    Guestrenamed                    Guest account is disabled, but still renaming
Devices: Restrict CD-ROM access to           Disabled                     Enabled                         Enabled                         Remote control is denied
locally logged-on user only
Devices: Restrict floppy access to           Disabled                     Enabled                         Enabled                         Remote control is denied
locally logged-on user only
MSS: (ScreenSaverGracePeriod) The time       5 seconds                    0                               5
in seconds before the screen saver grace
period expires (0 recommended)

10 APPENDIX: Deploying security settings to SYS 600 Server/Workplace

It is recommended that security settings are applied at the system setup
time to prevent undesired effects of settings from the very start.
The main steps in security settings deployment:
• Deploy virtual private network
• Deploy security policy to server/workplace
• Deploy firewall settings to server/workplace
• Deploy other security settings, such as BIOS settings, USB drive
disabling, virus scanners etc.

Security settings for servers and workplaces are located in SYS 600
installation folder <drive>\sc\setup\security.

10.1 Rollback
In case the system does not work as expected, these are the instructions for
the rollback. Run these commands with administrator rights.

Windows XP/Server 2003

1. netsh firewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall
      is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy >
   Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA
   and confirm the changes.
5. Close Local Security Policy.

Windows 7/Server 2008

1. netsh advfirewall reset
   a. Open Control Panel > Windows Firewall and verify that Windows Firewall
      is on and that File and Print Sharing is allowed.
2. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose /log rollback.log
3. Open Control Panel > Administrative Tools > Local Security Policy >
   Security Settings > Local Policies > User Rights Assignment.
4. Set Log on as a service and Log on as a batch job to the value MicroSCADA
   and confirm the changes.
5. Close Local Security Policy.

10.2 Virtual Private Network

The configuration for Windows Server 2003 is shown below. Server 2008 is not
much different.

Windows Vista and Windows 7 Home and Starter versions do not support the
IPSec function.

Create IPSec Policy

An IPSec policy secures all IP traffic that is specified in the configured
IPSec filters. The decision to allow unsecured IP traffic is up to the user.
We explain how to configure SYS 600 for IPSec transport mode.
1. Click Start, click Run, and then type secpol.msc to start the IP Security
   Policy Management snap-in.
2. Right-click IP Security Policies on Local Computer, and then click Create
   IP Security Policy.
3. Click Next, and then type a name for your policy (for example, IPSec
   Tunnel with Network Control Center).
4. Add additional information in the Description box if desired. Click Next.
5. Click to clear the Activate the default response rule check box, and then
   click Next.
6. Click Finish (leave the Edit check box selected).

Build a Filter List from SYS600 to NCC

1. In the new policy properties, click to clear the Use Add Wizard check box,
   and then click Add to create a new rule.
2. Click the IP Filter List tab, and then click Add.
3. Type an appropriate name for the filter list (e.g., IP traffic to NCC),
   click to clear the Use Add Wizard check box, and then click Add.
4. In the Source address box, click A specific IP Address, and then type the
   IP Address of SYS600 towards NCC (the IP address that communicates with the
   NCC), as this filter should only apply to the network interface connected
   to the WAN.
5. In the Destination address box, click A specific IP Address, and then type
   the IP Address of the NCC (the NCC’s IP address that SYS600 connects to).
6. Leave the Mirrored check box selected.
7. Click the Protocol tab. Make sure that the protocol type is set to Any,
   because IPSec does not support protocol-specific or port-specific filters.
8. If you want to type a description for your filter, click the Description
   tab. Click OK.
9. Click OK to close the IP Filter List dialog.

Configure a Rule for the communication

1. Click the IP Filter List tab, and then click to select the filter list
   that you created.
2. Click the Tunnel Setting tab, click This rule does not specify an IPSec
   tunnel.
3. Click the Connection Type tab, click Local area network (LAN).
4. Click the Filter Action tab, click one of the following options, depending
   on the decision of how to handle non-IPSec traffic:
   • Permit – Permits unsecured IP packets to pass through. This means the
     device does not try to establish IPSec encryption, but reacts if a
     request for security is made. If both devices are configured as
     “Permit”, no encryption is established at all.
   • Request Security (Optional) – Accepts unsecured communication, but
     requests clients to establish trust and security methods. Will
     communicate insecurely with untrusted clients if they do not respond to
     the request. This means the device tries to establish a secure IPSec
     connection, but if this fails (e.g., if the client does not provide the
     correct Pre-Shared Key or is not capable of IPSec encryption), it falls
     back to normal operation.
   • Require Security – Accepts unsecured communication, but always requires
     clients to establish trust and security method. Will NOT communicate
     with untrusted devices. This means that devices for which this policy
     applies cannot communicate with the server without the correct
     pre-shared key and encryption method.

Note: None of the check boxes at the bottom of the Filter Action dialog box
are selected as an initial configuration for a filter action that applies to
tunnel rules.

Note: As the currently configured IP Filter rule matches only a single IP, it
does not discard non-IPSec traffic originating from a different wide area
network IP address. In order to prohibit any non-IPSec connections from the
wide area network, the IP filter list would have to match the subnet of the
wide area network, and the Filter Action would have to be set to “Require
Security”.
5. Click the Authentication Methods tab to configure the authentication
   method. Mark the default Kerberos method and click Remove. Confirm the
   inquiry.
6. Click Add.
7. Select Use this string (preshared key) and enter a long key that also
   contains special characters. This string must be the same on the machine
   that matches the IP filter rule (in this case, the NCC). Click OK.

8. Click Close to close the New Rule Properties dialog.
9. Click OK.
10. In the Local Security Settings, right-click the created rule (e.g., IPSec
    Tunnel with Network Control Center) and select Assign. A green dot
    indicates that the rule is active. Close the Local Security Settings.

Repeat the steps for all machines that should use IPSec. It is possible to
export the policies and import them on a different computer. Here are the
instructions:
1. In the Local Security Settings, where the VPN configuration is set, select
   IP Security Policies on Local Computer.
2. Select Action > All Tasks > Export Policies... and write a file name.
3. On the other computer, where the VPN configuration is needed, open Local
   Security Settings and select IP Security Policies on Local Computer.
4. Select Action > All Tasks > Import Policies…
5. Select the file exported in item 2 and press Import/OK.

6. The rules should be checked and adapted, e.g. swap Source address and
   Destination address in the IP Filter Properties dialog.
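The script below is an added example, not part of the ABB guideline: it builds the same transport-mode IPSec policy that the snap-in steps above create, using the "netsh ipsec static" context that Windows XP/Server 2003/Server 2008 provide, so the configuration can be reproduced on every machine instead of clicked through. The IP addresses are documentation placeholders, the policy, filter list and rule names are this example's own, and the key is prompted for; the filter action mapping (Permit, Request Security, Require Security) follows the descriptions in step 4.

```powershell
# Added example (not ABB code): section 10.2 IPSec policy via netsh ipsec static.
param(
    [string]$Sys600Addr = '192.0.2.10',       # placeholder: SYS 600 address towards the NCC (WAN interface)
    [string]$NccAddr    = '192.0.2.20',       # placeholder: NCC address that SYS 600 connects to
    [string]$NccMask    = '255.255.255.255',  # single host as in the guideline; use the WAN subnet mask
                                              # instead to reject all non-IPSec traffic from the WAN
    [ValidateSet('Permit', 'Request', 'Require')]
    [string]$FilterAction = 'Require',
    [string]$PreSharedKey = (Read-Host -Prompt 'Pre-shared key (must be identical on the NCC)')
)
$PolicyName = 'IPSec Tunnel with Network Control Center'
$ListName   = 'IP traffic to NCC'
$RuleName   = 'SYS600 to NCC'

# Filter Action tab choices mapped to netsh flags:
# soft = fall back to clear text when negotiation fails; inpass = accept unsecured inbound packets.
$actionArgs = switch ($FilterAction) {
    'Permit'  { @('action=permit') }
    'Request' { @('action=negotiate', 'inpass=yes', 'soft=yes') }   # Request Security (Optional)
    'Require' { @('action=negotiate', 'inpass=no',  'soft=no')  }   # Require Security
}

$steps = @(
    # Create IPSec Policy, steps 3-5: named policy, default response rule not activated
    ,@('ipsec', 'static', 'add', 'policy', "name=$PolicyName", 'activatedefaultrule=no', 'assign=no')
    # Build a Filter List: source host, destination host/subnet, protocol Any, mirrored
    ,@('ipsec', 'static', 'add', 'filterlist', "name=$ListName")
    ,@('ipsec', 'static', 'add', 'filter', "filterlist=$ListName", "srcaddr=$Sys600Addr",
       "dstaddr=$NccAddr", "dstmask=$NccMask", 'protocol=ANY', 'mirrored=yes')
    # Filter Action tab
    ,(@('ipsec', 'static', 'add', 'filteraction', "name=$FilterAction Security") + $actionArgs)
    # Configure a Rule: no tunnel (transport mode), LAN connection type, pre-shared key instead of Kerberos
    ,@('ipsec', 'static', 'add', 'rule', "name=$RuleName", "policy=$PolicyName", "filterlist=$ListName",
       "filteraction=$FilterAction Security", 'conntype=lan', 'kerberos=no', "psk=$PreSharedKey")
    # Step 10: assign the policy (the green dot in the snap-in)
    ,@('ipsec', 'static', 'set', 'policy', "name=$PolicyName", 'assign=y')
)
foreach ($a in $steps) {
    # Echo each command with the key masked, then run it and stop on the first failure.
    Write-Host ('netsh ' + (($a -join ' ') -replace [regex]::Escape("psk=$PreSharedKey"), 'psk=********'))
    & netsh @a
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}
# Show the result and export it for the NCC side (swap Source and Destination there, as in item 6 above).
netsh ipsec static show policy name="$PolicyName" level=verbose
netsh ipsec static exportpolicy file="$env:TEMP\sys600-ipsec.ipsec"
```

Running it with the default -FilterAction Require gives the "Require Security" behaviour described above; passing -NccMask with the WAN subnet mask implements the second note, rejecting non-IPSec traffic from the whole wide area network rather than from the single NCC address.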

10.3 SYS 600 Server

Use the following steps to configure security settings on the SYS 600 server:

1. Open a Command window and browse to the <drive>\sc\setup\security folder.
2. Execute the command “Deploy Security Settings.cmd” server /quiet to apply
   security policies and wait for the operation to finish.
3. Execute the command “Windows Firewall.cmd” server <drive>:\sc /quiet to
   apply firewall settings to Windows XP and Server 2003. Use
   “Advanced Windows Firewall.cmd” server <drive>:\sc /quiet to apply firewall
   settings to Windows Vista/7/Server 2008. The target and the SYS 600
   installation path must be given as arguments.
4. Wait for the operation to finish.
5. The default firewall settings for SYS 600 allow (ports are open) all
   communication protocols such as DNP and ELCOM. Therefore, ports for
   communication protocols must be manually closed/blocked. Follow these steps
   to block/unblock communication protocols:
   a. Open Windows Firewall from Start > Control Panel > Windows Firewall
   b. Select the Exceptions tab
   c. Find the communication protocols in the list and check/uncheck the
      protocol according to customer specifications. A checked line means
      that the protocol is unblocked (port is open). Unchecked means that the
      protocol is blocked (port is closed).
   d. Confirm the changes
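The script below is an added example, not part of the ABB guideline or its deployment scripts: it does step 5 on Windows Vista/7/Server 2008 from the command line, listing the enabled inbound firewall rules and disabling the protocol exceptions the customer specification does not need. The rule names come from the live firewall; the protocol name fragments are assumptions, since the guideline does not list the exact rule names the deployment script creates, and English-locale netsh output is assumed for the parser. On Windows XP/Server 2003 the equivalent information comes from "netsh firewall show config".

```powershell
# Added example (not ABB code): report and close protocol exceptions opened by the deployment script.
param(
    [string[]]$ProtocolPatterns = @('DNP', 'ELCOM'),  # assumed rule-name fragments that identify protocol exceptions
    [string[]]$Keep = @(),                             # protocols the customer specification needs open
    [switch]$Apply                                     # without -Apply only report what would be disabled
)

# Parse "netsh advfirewall firewall show rule" output into name/enabled pairs.
function Get-InboundRules {
    $rules = @(); $name = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.+)$') { $name = $Matches[1].Trim() }
        elseif ($line -match '^Enabled:\s+(\S+)') {
            if ($name) { $rules += [pscustomobject]@{ Name = $name; Enabled = ($Matches[1] -eq 'Yes') } }
            $name = $null
        }
    }
    return $rules
}

$open = @(Get-InboundRules | Where-Object { $_.Enabled })
"Enabled inbound rules: $($open.Count)"
foreach ($rule in $open) {
    # First protocol pattern that occurs in the rule name decides which protocol the rule belongs to.
    $proto = $ProtocolPatterns | Where-Object { $rule.Name -match [regex]::Escape($_) } | Select-Object -First 1
    if (-not $proto) { continue }                                      # not a protocol exception, leave it alone
    if ($Keep -contains $proto) { "KEEP        $($rule.Name)"; continue }   # required by the customer specification
    if ($Apply) {
        # Same effect as unchecking the line on the Exceptions tab: the rule stays defined but disabled.
        netsh advfirewall firewall set rule name="$($rule.Name)" new enable=no | Out-Null
        "BLOCKED     $($rule.Name)"
    } else {
        "WOULD BLOCK $($rule.Name) (re-run with -Apply)"
    }
}
```

A dry run (no -Apply) is the audit a commissioning engineer can attach to the customer specification; `-Keep DNP -Apply` then closes every other protocol exception while leaving the DNP rules open.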

10.4 SYS 600 Workplace

The SYS 600 Workplace does not have the SYS 600 installation. Instead, the
workplace has a remote client, e.g. Remote Desktop Connection, to connect to
a SYS 600 Server where workplace sessions are managed. Firewall settings and
security policies differ from those of the SYS 600 Server.

Use the following steps to configure security settings on the SYS 600
workplace:

1. Open a Command window and browse to the <drive>\sc\setup\security folder.
2. Execute the command “Deploy Security Settings.cmd” workplace /quiet to
   apply security policies and wait for the operation to finish.
3. Execute the command “Windows Firewall.cmd” workplace /quiet to apply
   firewall settings to Windows XP and Server 2003. Use
   “Advanced Windows Firewall.cmd” workplace /quiet to apply firewall settings
   to Windows Vista/7/Server 2008.
4. Wait for the operation to finish.


11 APPENDIX: Introduction to SCADA Security

The following excerpt is taken from Supervisory Control and Data Acquisition
(SCADA) Systems, NATIONAL COMMUNICATIONS SYSTEM, October 2004, www.ncs.gov.

In today’s corporate environment, internal networks are used for all
corporate communications, including SCADA. SCADA systems are therefore
vulnerable to many of the same threats as any TCP/IP-based system.

Security in an industrial network can be compromised in many places along the
system and is most easily compromised at the SCADA host or control room
level. SCADA computers logging data out to some back-office database
repositories must be on the same physical network as the back-end database
systems, or have a path to access these database systems. This means that
there is a path back to the SCADA systems and eventually the end devices
through their corporate network. Once the corporate network is compromised,
then any IP-based device or computer system can be accessed. These
connections are open 24x7 to allow full-time logging, which provides an
opportunity to attack the SCADA host system with any of the following
attacks:

• Use a Denial of Service (DoS) attack to crash the SCADA server, leading to
  a shutdown condition (System Downtime and Loss of Operations)
• Delete system files on the SCADA server (System Downtime and Loss of
  Operations)
• Plant a Trojan and take complete control of system (Gain complete control
  of system and be able to issue any commands available to Operators)
• Log keystrokes from Operators and obtain usernames and passwords
  (Preparation for future take down)
• Log any company-sensitive operational data for personal or competition
  usage (Loss of Corporate Competitive Advantage)
• Change data points or deceive Operators into thinking control process is
  out of control and must be shut down (Downtime and Loss of Corporate Data)
• Modify any logged data in remote database system (Loss of Corporate Data)
• Use SCADA Server as a launching point to defame and compromise other
  system components within corporate network.

For a company to protect its infrastructure, it should undertake the
development of a security strategy that includes specific steps to protect
any SCADA system. Such a strategy may include the following approach.

Developing an appropriate SCADA security strategy involves analysis of
multiple layers of both the corporate network and SCADA architectures
including firewalls, proxy servers, operating systems, application system
layers, communications, and policy and procedures. Strategies for SCADA
Security should complement the security measures implemented to keep the
corporate network secure.

The figure below illustrates the typical corporate network “ring of defenses”
and its relationship with the SCADA network. Successful attacks can originate
from either Internet paths through the corporate network to the SCADA
network, or from internal attacks from within the corporate office.
Alternatively, attacks can originate from within the SCADA network from
either upstream (applications) or downstream (RTUs) paths. What is an
appropriate configuration for one installation may not be cost-effective for
another. Flexibility and the employment of an integrated and coordinated set
of layers are critical in the design of a security approach.

Figure 9 – Relationship Between Corporate and SCADA Networks

Most corporate networks employ a number of security countermeasures to
protect their networks. Some of these and a brief description of their
functions are as follows:

• Border Router and Firewalls – Firewalls, properly configured and
  coordinated, can protect passwords, IP addresses, files and more. However,
  without a hardened operating system, hackers can directly penetrate private
  internal networks or create a Denial of Service condition.
• Proxy Servers – A Proxy server is an internet server that acts as a
  firewall, mediating traffic between a protected network and the internet.
  They are critical to re-creating TCP/IP packets before passing them on to,
  or from, application layer resources such as Hyper Text Transfer Protocol
  (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the employment of
  proxy servers will not eliminate the threat of application layer attacks.
• Operating Systems – Operating systems can be compromised, even with proper
  patching, to allow network entry as soon as the network is activated. This
  is due to the fact that operating systems are the core of every computer
  system and their design and operating characteristics are well-known
  worldwide. As a result, operating systems are a prime target for hackers.
  Further, in-place operating system upgrades are less efficient and secure
  than design-level migration to new and improved operating systems.
• Applications – Application layer attacks; i.e., buffer overruns, worms,
  Trojan horse programs and malicious ActiveX code can incapacitate
  anti-virus software and bypass the firewall as if it wasn’t even there.
• Policies and Procedures – Policies and procedures constitute the foundation
  of security policy infrastructures. They include requiring users to select
  secure passwords that are not based on a dictionary word and contain at
  least one symbol, capital letter, and number, and should be over eight
  characters long. Users should not be allowed to use the name of their
  spouse, child or pet as their password.

The above list is common to all entities that have corporate networks. SCADA
systems for the most part coexist on the same corporate network, as seen in
the figure above. The following list suggests ways to help protect the SCADA
network in conjunction with the corporate network:

• SCADA Firewalls – SCADA Systems and Industrial Automation Networks, like
  corporate network operating systems, can be compromised using similar
  hacking methods. SCADA systems frequently go down due to other internal
  software tools or employees who gain access to the SCADA systems, often
  without any intention to take down these systems. For these reasons, it is
  suggested that strong firewall protection to wall off your SCADA networking
  systems from both the internal corporate network and the Internet be
  implemented. This would provide at least two layers of firewalls between
  the SCADA networking systems and the Internet.

• SCADA Internal Network Design – SCADA networks should be segmented off into
  their own IP segment using smart switches and proper sub-masking techniques
  to protect the Industrial Automation environment from the other network
  traffic, such as file and print commands. Facilities using Wireless
  Ethernet should use sufficient encryption, e.g. WPA or WPA2.
• SCADA Server Operating Systems – Merely installing a firewall or segmenting
  SCADA IP addresses will not ensure their SCADA Infrastructure is secure. An
  experienced hacker can often bypass firewalls with ease and can even use
  Address Resolution Protocol (ARP) trap utilities to steal Media Access
  Control (MAC) addresses. The hacker can also deploy IP spoofing techniques
  to maneuver through switched networks. Operating systems running the SCADA
  applications must also be maintained. SCADA applications on Windows NT,
  2000, or XP are properly patched against the latest vulnerabilities, and
  all of the default NULL NT accounts and administrator accounts have been
  removed or renamed. SCADA applications running on UNIX, Linux, Novell, or
  any other operating system (OS), must also be maintained as above. All
  operating systems have back doors and default access accounts that should
  be removed and cleaned off of these SCADA servers.
• SCADA Applications – One must also address security within the SCADA
  application itself. Trojan horses and worms can be inserted to attack
  application systems, and they can be used to manipulate data or issue
  commands on the server. There have even been cases of Trojan horses being
  deployed that completely emulate the application. The operator or user
  thinks that he is clicking on a command to stop a pump or generate a graph
  of the plant, but he is actually clicking on buttons disguised to look like
  the SCADA screen, and these buttons start batch files that delete the
  entire hard drive, or send out pre-derived packets on the SCADA system that
  turn all outputs to the ON or “1” state. Trojan horses and viruses can also
  be planted through an email opened by another computer in the network, and
  then it is silently copied over to adjacent SCADA servers, where they wait
  until a specified time to run. Plant control rooms will often have
  corporate computers with the Internet and email active on them, within the
  same physical room and on the same network switches as SCADA computers.
  Methodologies to mitigate against these types of situations are: the use of
  anti-virus software running on the computer where the SCADA application
  resides; systems administrators disabling installation of any unauthorized
  software unless the user has administrator access; and policies and
  procedures applicable to SCADA systems,

• SCADA Policies and Procedures – SCADA policies and procedures associated
  with remote vendor and supervisory access, password management, etc. can
  significantly impact the vulnerabilities of the SCADA facilities within the
  SCADA network. Properly developed policies and procedures that are enforced
  will greatly improve the security posture of the SCADA system.

In summary, these multiple “rings of defense” must be configured in a
complementary and organized manner, and the planning process should involve a
cross-discipline team with senior staff support from operations, facility
engineering, and information technology (IT). The SCADA security team should
first analyze the current risks and threat at each of the rings of defense,
and then initiate a work plan and project to reduce the security risk.

For more information, see [ABBSEC09].

Contact us

© Copyright 2010 ABB. All rights reserved.


ABB Oy
Substation Automation Products
P.O. Box 699
FI-65101 Vaasa
FINLAND
Tel. +358 10 22 11
Fax. +358 10 224 1094

www.abb.com/substationautomation

1MRS756796 B/31.12.2010
