Content

1 ABB BDEW Whitepaper ............................................................................................................. 2

2 Requirements ............................................................................................................................. 2
2.1 General Requirements and Housekeeping ......................................................................... 2
2.1.1 General ................................................................................................................. 2
2.1.2 Documentation ...................................................................................................... 6
2.2 Base System....................................................................................................................... 8
2.2.1 System Hardening ................................................................................................. 8
2.2.2 Anti Virus Software ................................................................................................ 8
2.2.3 Autonomous User Authentication .......................................................................... 9
2.3 Networks / Communication ................................................................................................. 9
2.3.1 Secure Network Design and Communication Standards ....................................... 9
2.3.2 Secure Maintenance Processes and Remote Access ......................................... 12
2.3.3 Wireless Technologies: Assessment and Security Requirements........................ 13
2.4 Application ........................................................................................................................ 13
2.4.1 User Account Management ................................................................................. 13
2.4.2 Authorization of Activities on User and System Level .......................................... 15
2.4.3 Application Protocols ........................................................................................... 15
2.4.4 Web Applications ................................................................................................ 16
2.4.5 Integrity Checks of Relevant Data ....................................................................... 17
2.4.6 Logging, Audit Trails, Timestamps, Alarm Concepts ........................................... 17
2.4.7 Self-Test and System Behaviour ......................................................................... 18
2.5 Development, Test and Rollout ......................................................................................... 18
2.5.1 Secure Development Standards, Quality Management and Release Processes . 18
2.5.2 Secure Data Storage and Transmission .............................................................. 19
2.5.3 Secure Development, Test– and Staging Systems, Integrity Checks .................. 20
2.5.4 Secure Update and Maintenance Processes. ...................................................... 20
2.5.5 Configuration and Change Management, Rollback.............................................. 21
2.5.6 Fixing Security Vulnerabilities .............................................................................. 21
2.5.7 Source Code Escrow........................................................................................... 22
2.6 Backup, Recovery and Disaster Recovery ........................................................................ 22
2.6.1 Backup: Concept, Method, Documentation, Test ................................................. 22
2.6.2 Disaster Recovery ............................................................................................... 22
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
1 ABB BDEW Whitepaper

2 Requirements

2.1 General Requirements and Housekeeping

2.1.1 General

2.1.1.1 Secure System Architecture

ISO/IEC 27002:2013: 9.4.1, 13.1.3, 14.2.5, 14.2.7, 17.2.1

The system shall be designed and built for secure operations. Description of System architecture:
Examples of secure design principles are: see Function Description Part 1
Chapter 2 (1KGT 150 793).
Minimal-privileges/Need-to-know principle: RTU500 supports user account
User and system components only possess the minimal management (UAM) with role based
privileges and access rights they need to fulfil a certain access control (RBAC):
function. Applications and network services, for example, see Cyber Security Deployment
should not be run with administrator privileges. Guideline Release 11
Chapter 2 (1KGT 150 906).

Encrypted password files can be

Defence-in-depth principle:
Security threats are not mitigated by a single countermeasure
only, but by implementing several complementary security
techniques at multiple system levels.
Redundancy principle: Due to a redundant system design, the
failure of a single component will not interfere with the
system security functions. The system design shall reduce the
likelihood and impact of problems, which occur due to
excessive consumption of system resources (e.g. RAM,
network bandwidth) or denial-of-service attacks.
promoted.
Rel. 12.x: RBAC according IEC62351
RTU500 can be integrated into this
concept.
RTU500 supports redundant security
relevant components (CMU and PSU):
see Function Description Part 2
Chapter 8.1 and 8.2 (1KGT 150 794).
- redundant Ethernet communication
supported by RTU560 and RTU540
- redundant serial communication
supported by RTU560, RTU540 and
RTU520

Rate limiter to reject Denial-of-service

attacks (DoS):
see Function description part 9
Chapter 3.2.1. (1KGT 150 896).

2.1.1.2 Contact Person

ISO/IEC 27002:2013: 12.6.1

2
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
The contractor provides a contact person, who will be the No product requirement, but system
single point of contact for IT security related topics during the relevant, part of project organization.
bidding process, the system design phase and throughout the
projected period of system operations.

2.1.1.3 Patching and Patch Management

ISO/IEC 27002:2013: 12.6.1

The system shall allow the patching of all system components Patchmanagement available: In case
during normal system operation. Installation of a patch of security findings, security patches
should be possible without interruption of normal system are published.
operations and with little impact on the system’s availability. See patch-management
For example, a complete shutdown of the primary
generation, transmission or distribution systems should not Release Notes for security patches are
be necessary to install updates on secondary systems. available:
Preferentially, the patches are to be installed on passive Release Notes (internal accessible)
redundant components first. After a switchover process
(change of the active component in the redundant system) Release Notes for security patches:
and a subsequent test, the patch will be installed on the Grid Automation Cyber security
remaining components. The contractor shall support a patch (internal accessible)
management process for the entire system, this process shall Cyber security alerts and notifications
manage the testing, installation and documentation of (accessible for end customers)
security patches and system updates. In general, it should be
possible that the operating staff who administrates the Firmware update is possible from local
systems installs the patches and updates. Installation and de- and remote:
installation of patches and updates are to be authorized by see Web-Server Users Guide Release
the system owner and must not be performed automatically. 11
Chapter 8.1 (1KGT 150 802).

No reset of RTU required, if redundant

CMUs exist. Primary process not
affected.

2.1.1.4 Provision of Security Patches for all System

Components

ISO/IEC 27002:2013: 12.6.1

The contractor shall provide security updates for all system Firmware is one unit, which includes
components throughout the entire, contractually agreed operating system and libraries as well
lifecycle of the system. The contractor shall obtain updates as security patches.
for basic system components, which are not developed by the See patch-management
contractor but by third parties (e. g. operating system, library,
database management system) from the component vendor, Security development lifecycle:
test them and provide them, if applicable, directly to the see ABB_SDL_Whitepaper
customer. The contractor shall provide security updates in an Chapter 3
appropriate period, which will be defined in the contract
specifications.

3
 ISO/IEC Reference RTU-Relevant
Requirement Implementation

2.1.1.5 Third Party Support

ISO/IEC 27002:2013: 12.6.1, 14.2.7

1. See patch-management
The contractor shall ensure that during the scheduled life
cycle of the system security support for third-party system Security patches available only for the
components (e.g. operating systems, libraries, and database active (last) release and the next-to-
management systems) is available. The end-of-life terms (e. g. last release.
Last Customer Ship Date, End of Support date) are to be
defined in the contract specifications. Security patches for older
(discontinued) releases can be
ordered up to one year after
discontinuation.

2. Description of “Life cycle policy”:

see patch-management
Contents see internal link

2.1.1.6 Encryption of Sensitive Data during Storage and

Transmission

ISO/IEC 27002:2013: 12.4.2, 13.1.2, 18.1.3, 18.1.4

Data transmission can be encrypted
Sensitive data shall be stored or transmitted in encrypted by HTTPS or VPN.
form only. Sensitive data may include, but is not limited to: Password file and security log file are
log files, passwords, or sensitive data as defined by regulatory always encrypted.
or legal requirements (e.g. data protection laws). If Rel. 12.x: Integrity check of RTU
applicable, the system shall allow for the secure deletion of configuration file (rcd) after download
selected data, for example by overwriting with random data.
Encryption technologies and usage:
See Cyber Security Deployment
Guideline Release 11
Chapter 1.3 (1KGT 150 906).

2.1.1.7 Cryptographic standards

ISO/IEC 27002:2013: 10.1.1, 10.1.2, 18.1.5

ISO/IEC TR 27019:2013: 10.6.3

4
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
When selecting cryptographic standards, regulations and Web server access with HTTPS:
national restrictions are to be considered. Only state-of-the- See Cyber Security Deployment
art cryptographic standards and key lengths are to be used. Guideline Release 11
From the current state of scientific and technical knowledge, Chapter 1.3 and Chapter 4 (1KGT 150
these standards and key lengths shall also be considered 906).
secure for the foreseeable future. Cryptographic algorithms
developed in-house shall not be used. Whenever possible, VPN based on IPSEC:
well-known cryptographic libraries should be used when see RTU500 series Function
implementing cryptographic functions to avoid Description Release 11 Part 9
implementation bugs. Chapter 3 (1KGT 150 896)

Rel. 12.x: IEC104 secure, IEEE802.1X

authentication

2.1.1.8 Internal and External Software and Security Tests

and Related Documentation

ISO/IEC 27002:2013: 14.2.7, 14.2.8, 14.2.9, 15.2.1

The contractor shall perform a detailed security and stress Security Tests for each Release are
test on the individual system components as well as on the done regularly in our Cyber Security
entire system and its essential functions using a Test Lab:
representative system configuration. The team undertaking see RTU500 series - Cyber Security
these tests shall be independent from the development team. Robustness Testing (1KGT 150 919)
The test procedure shall be coordinated with the customer.
The results of these tests and the according documentation
(software versions, test configuration, etc.) shall be provided
to the customer. Additionally, the customer is allowed to
carry out the tests or let them be conducted by an external
third party.

2.1.1.9 Secure Standard Configuration, Installation and Start-

Up

ISO/IEC 27002:2013: 9.4.4, 12.5.1, 14.3.1

After initial installation and start-up, the system shall be Secure access after startup of the
configured in a fail-safe manner. This defined base system:
configuration shall be documented. see Cyber Security Deployment
Guideline Release 11
Chapter 1 (1KGT 150 906).

All Files of the RTU are stored on the

memory card, secured against power
failure.

Rel. 12.x: Backup version of

configuration file available on SD card

5
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
System services and daemons, data and functions, which are 1. Firmware:
used during development or for system testing only shall be All unused ports are deactivated. No
verifiably removed or deactivated before the systems goes backdoors or debug entries are active.
productive.
2. PLC-Online-Debugger:
see Cyber Security Deployment
Guideline Release 11
Chapter 1.2.4 (1KGT 150 906).

2.1.1.10 Integrity Checks

ISO/IEC 27002:2013: 12.5.1, 14.2.1, 14.2.4

It shall be possible to verify the integrity of system and Description of hashcode of all
application files and executables, configuration and firmware files:
application parameter files, for example by check sums. see Release Notes (internal)
For end customers: responsibility of
integrator

Grid Automation Cyber security

(internal link)

Cyber security alerts and notifications

(external link)

RTUtil500 Installation file and PDF-

documents have a signature.

Rel. 12.x: Integrity check of RTU

configuration file (rcd) after download

2.1.2 Documentation

2.1.2.1 Design Documentation, Specification of Security

Relevant System Components and Implementation
Characteristics

ISO/IEC 27002:2013: 12.1.1, 14.1.1, 14.2.7

ISO/IEC TR 27019:2013: 10.1.1

6
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
The contractor shall provide the customer with Integrator requirement
documentation covering the high-level design of the entire
system. The documentation shall be available not later than
the time of the acceptance test and shall include the
description of the system concept and of the interaction of all
system components. The documentation shall characterise
especially the details, interactions and dependencies of the
system components which are security relevant or which
deserve special protection. Furthermore, the documentation
shall list and describe in brief implementation details of
security related functions (e.g. used cryptographic standards).

2.1.2.2 Administrator and User Documentation

ISO/IEC 27002:2013: 7.2.2, 12.1.1

ISO/IEC TR 27019:2013: 10.1.1
The contractor shall provide separate user and administrator Integrator requirement
documentation. Both documentations should include a list of
security functions and parameters as well as instructions and
responsibilities for secure operation of the system.

2.1.2.3 Documentation of Security Parameters and Security

Log Events or Warnings

ISO/IEC 27002:2013: 12.1.1

ISO/IEC TR 27019:2013: 10.1.1
The administrator documentation shall include a description Integrator requirement
of all security parameters and their default values. The
documentation shall alert of the consequences of grossly
insecure parameter settings.
Furthermore, documentation shall be provided that includes See Cyber Security Deployment
all security events, warnings and log messages the system Guideline Release 11
generates, possible causes and the related administrative Chapter 3 (1KGT 150 906)
action that should be taken.

2.1.2.4 Documentation of Requirements and Assumptions

needed for Secure System Operation

ISO/IEC 27002:2013: 12.1.11

ISO/IEC TR 27019:2013: 10.1.1
The administrator documentation shall provide a description Integrator requirement
of requirements relevant for secure systems operation. The
description may contain, for example, assumptions about
user behavior and network environment or requirements for
interaction and communication with other systems or
networks.

7
 ISO/IEC Reference RTU-Relevant
Requirement Implementation

2.2 Base System

2.2.1 System Hardening

ISO/IEC 27002:2013: 9.4.4, 12.6.2, 13.1.2, 14.2.4

All components of the base system shall be permanently RTU fulfills the requirements (see
hardened according to well-known best-practice guides. Chapter 2.1.1.3)
Furthermore, the latest security patches and service packs
shall be installed. If this is technically not feasible, a Flyer available for RTU500:
documented equivalent security measure shall be see Cyber Security Robustness Testing
implemented for a transitional period (until the requirements (1KGT 150 919)
of 2.1.1.3 are completely fulfilled).
Unnecessary user accounts, default users, system daemons, User administration and port
programs, network protocols and services shall be removed, handling:
or - if removal is technically not possible – shall be see Cyber Security Deployment
permanently disabled and secured against accidental re- Guideline Release 11
activation. Chapter 2 (1KGT 150 906)
The secure base system configuration shall be reviewed and
documented. Especially, the security measures required in Rel. 12.x: fulfills IEC62351 for default
this document, which contribute to system hardening, shall user
be carried out.
Description of system requirements:
see Cyber security for substation
automation products and systems

2.2.2 Anti Virus Software

ISO/IEC 27002:2013: 12.2.11

ISO/IEC TR 27019:2013: 10.4.1

8
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
The base systems of all IP-based networked system not applicable for RTU,
components shall be secured with virus and malware No third party software can be
protection software. As an alternative to installing antivirus downloaded and activated in the RTU.
software on each system component, the contractor may Command line interface is not
implement a comprehensive antivirus and malware available in the RTU
protection concept, which provides an equivalent protection.
The patterns of the antivirus and malware protection
software shall be automatically and timely updated without
using a direct connection to update-servers located in
external networks like the internet. A possible
implementation would be to use an internal update server.
The time when the patterns are updated shall be
configurable. An alternative to automatic updates is a well-
defined and documented secure manual process, through
which the pattern updates are installed in the system, for
example on an isolated central update server.

2.2.3 Autonomous User Authentication

ISO/IEC 27002:2013: 9.2.1, 9.2.2, 9.4.2

Data used for user identification and authentication shall not Independent user management of the
solely be obtained from sources located outside of the secure RTU.
process network. Integration of user identification and
authentication into a central isolated directory service within RTU500 supports user account
the process network should be considered. management (UAM) with role based
access control (RBAC):
see Cyber Security Deployment
Guideline Release 11
Chapter 2 (1KGT 150 906).

2.3 Networks / Communication

2.3.1 Secure Network Design and Communication

Standards

2.3.1.1 Deployed Communication Technologies and Network

Protocols

ISO/IEC 27002:2013: 9.4.1, 9.4.3, 10.1.1, 13.1.1, 13.1.3

ISO/IEC TR 27019:2013: 10.6.3, 10.12.1, 11.4.5

9
ISO/IEC Reference RTU-Relevant
Requirement Implementation
a) If technically feasible, the systems Firewall should use only Webserver access with HTTPS:
secure communication standards and protocols which see Cyber Security Deployment
provide integrity checks, authentication and, if applicable, Guideline Release 11
encryption. In particular, secure communication shall be used Chapter 4 (1KGT 150 906)
for remote administration or transmission of user log on
information. The transmission of password information in Webserver access with HTTPS:
clear text is not allowed (e.g. no telnet protocol, no Unix rsh VPN based on IPSEC
services). An up-to-date list of secure protocols can be see Function Description Release 11
provided by the client according to its internal formalities. Part 9
Chapter 3 and 4 (1KGT 150 896)

Rel. 12.x: IEC104 secure, IEEE802.1X

authentication
b) The system and its network components shall be easily Webserver access with HTTPS:
integrable into the network conception of the whole see Cyber Security Deployment
company. Relevant network configuration parameters like IP Guideline Release 11
addresses can be managed centrally. For administration and Chapter 4 (1KGT 150 906)
monitoring secure protocols shall be used (SSHv2, SNMPv3).
The network components shall be hardened, unnecessary RTU500 supports user account
Services and protocols shall be deactivated; management management (UAM) with role based
interfaces shall be protected with ACLs. access control (RBAC):
see Cyber Security Deployment
Guideline Release 11
Chapter 2 (1KGT 150 906).

All unused ports are deactivated. No

backdoor ordebug access active.

Rel. 12.x:
- SNMP V3 (on roadmap)
- online configuration of IP-address
possible
c) It shall be possible to integrate network components, Versio nadministartion, remote patch
which are provided by the contractor within a central asset management available (see above)
and patch management process.
d) If technically feasible, the IP protocol is used on WAN lines. Webserver access with HTTPS:
Unencrypted application layer protocols should be secured by VPN based on IPSEC
encryption on lower network layers (e. g.. with SSL/TLS see Function Description Part 9
encryption or by using VPN technologies). Chapter 3 (1KGT 150 896)

Rel. 12.x: IEC104 secure, IEEE802.1X

authentication
e) If applicable, firewall friendly protocols should be used: e.g. All Ethernt protocols of RTU are based
TCP instead of UDP, OPC over network boundaries should be on TCP/IP
avoided.
Responsibility of customer

10
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
f) If shared network infrastructure components (e. g. VLAN or Responsibility of customer
MPLS technology) will be used the network with the highest
protection level requirement determines the security
requirements of the used hardware components and their
configuration. Concurrent use of the network hardware for
networks with different protection levels is permitted only if
this concurrent use does not decrease the security level or
the availability.

2.3.1.2 Secure Network Design

ISO/IEC 27002:2013: 9.4.1, 13.1.3, 13.1.2

ISO/IEC TR 27019:2013: 10.6.3, 10.12.1, 11.4.5, 11.4.8
a) Vertical network segmentation: if applicable and Responsibility of customer
technically feasible, the network infrastructure of the system
shall be divided into multiple vertical zones with different
functions and protection requirements. Where technically
feasible the network zones shall be separated by firewalls,
filtering routers or gateways. Network connections to
external networks shall be deployed only using
communication protocols approved by the customer and in
compliance with the security policies in effect.
b) Horizontal network segmentation: If applicable and Responsibility of customer
technically feasible the network infrastructure of the system
shall be divided into independent horizontal segments (e. g..
according to different locations), the segments shall be
separated by firewalls, filtering routers or gateways.
c) Firewalls and VPN components shall be provided and Responsibility of customer
managed centrally through a defined process by the
customer.

2.3.1.3 Documentation of Network Design and Configuration

ISO/IEC 27002:2013: 8.1.1

ISO/IEC TR 27019:2013: 7.1.1
The contractor shall provide documentation, which shall Responsibility of customer
describe the network design and configuration, all physical,
virtual and logical network connections, the network
protocols used, and all network perimeter components which
are part of or which interact with the system. All changes (e.g.
by updates) shall be included in the documentation using a
document management process. To support the
implementation of rate limiting functions for QoS and to
mitigate DoS problems, the documentation provides values of
normal and maximal expected data rate for all network
connections.

11
 ISO/IEC Reference RTU-Relevant
Requirement Implementation

2.3.2 Secure Maintenance Processes and Remote

Access

Please note: the term “maintenance” used in this document Responsibility of customer
denotes all service processes commissioned by the client or
system operator, e. g.repairs, fault analyses, failure and fault
corrections, system enhancements and adjustments etc.

2.3.2.1 Secure Remote Access

ISO/IEC 27002:2013: 9.1.2, 9.4.1, 9.4.2

a) It shall be possible to perform administration, maintenance Local Access to RTU via Web server is
and configuration of all network components via out-of-band possible, same behaviour as on
channels, like local access, serial interfaces, network or direct remote access
control of input devices (KVM).
b) Remote access shall be performed through dedicated Responsibility of customer
central administered terminal servers which ensure isolation
of the process network and which are located in a DMZ.
Strong 2- factor authentication shall be used.
c) Direct dial-in access to devices is not allowed. Responsibility of customer
d) Remote access shall be (centrally) logged; multiple failed Responsibility of customer
login-in attempts shall result in a security event audit
message.
e) All remote access possibilities and ports shall be Responsibility of customer
documented.

2.3.2.2 Maintenance Processes

ISO/IEC 27002:2013: 9.1.2, 9.2.1, 9.2.2, 15.1.1, 15.1.2

ISO/IEC TR 27019:2013: 11.5.2
a) Interactive remote access users shall use personal RTU500 supports user account
accounts. management (UAM) with role based
access control (RBAC):
see Cyber Security Deployment
Guideline Release 11
Chapter 2 (1KGT 150 906).
For non-interactive, automated processes restricted accounts Archive sync service doesn’t fulfill this
shall be used, for which interactive access is disabled. condition, user rights for “downlaod
only” required
Rel. 11.x: not available
b) Technical measures shall ensure that remote access Responsibility of customer
sessions are explicitly activated by the administrative
personnel. For external service personnel the activation must
be performed for each individual session.
Each session shall be disconnected after a reasonable time RTU has automatic logout
period.

12
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
c) Maintenance shall be performed by defined and trained Responsibility of customer
contractor personnel only, using secure systems only. The
systems used for remote access are physically or logically
disconnected from other systems and networks during a
remote access session. A physical separation should be
preferred.
d) A defined maintenance process (compare above) shall Responsibility of customer
ensure that maintenance personnel can only access systems,
services and data they need for maintenance tasks.
e) The maintenance personnel shall comply with the security Responsibility of customer
requirements of DEWA and shall be approved prior to
deployment.
f) Local maintenance by service personnel poses a significant Responsibility of customer
security threat. Attachment of contractor’s hardware (e.g.
laptops, USB devices) to the process network should be
avoided. If this is not feasible, the hardware must be
approved by the client, specifically secured and shall be
scanned for malware before attaching it. The contractor shall
provide evidence that an adequate internal security policy is
implemented.

2.3.3 Wireless Technologies: Assessment and Security

Requirements

ISO/IEC 27002:2013: 10.1.1, 13.1.1, 13.1.2, 14.1.1

ISO/IEC TR 27019:2013: 12.1.1
Wireless technology like WLAN and Bluetooth shall not be not applicable for RTU product
used for systems with high or very high protection level
requirements. In consultation with the customer WLAN WLAN and bluetooth are potential
technology may be deployed after a risk analysis has been security risks, but not used in the RTU
performed and if the following essential security product
requirements are complied with:
 Wireless LANs shall only be deployed in separate
networks zones, which are segregated from other
networks by firewalls and application level proxies.
 Wireless technology shall be secured according to
state-of-the-art practice.
 Novel WLANs shall not interfere with existing wireless
networks.

2.4 Application

2.4.1 User Account Management

2.4.1.1 Role-Based Access Model

ISO/IEC 27002:2013: 6.1.2, 9.2.1, 9.2.3, 9.2.6, 9.4.1

13
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
The system shall utilize a role-based user model, in which at RTU500 supports user account
least the following user roles are defined: management (UAM) with role based
 Administrator: A user, who installs, maintains and access control (RBAC):
administrates the system. Therefore, the administrator see Cyber Security Deployment
role has the authorization and the according privileges to Guideline Release 11
change the system and security configuration and Chapter 2 (1KGT 150 906).
settings.
 Auditor: User role, which solely has the permission to Rel. 12.x: according to IEC62351
inspect and archive the audit, logs.
 Operator: User who performs regular system operations.
This might include the privilege to change operational
system settings.
 Data-Display: User, who is allowed to view the status of
the system and to read defined datasets but is not
allowed to make any changes to the system.
If applicable, a “Backup Operator” role is defined, which is
allowed to backup relevant system and application data. The
system shall allow for a granular access control on data and
resources. The default access permissions shall conform to a
secure system configuration. Security relevant system
configuration data can only be read or changed by the
administrator role. For normal system use, the operator or
data display role permissions shall be sufficient. Individual
user accounts can be disabled without removing them from
the system.

2.4.1.2 User Authentication and Log-On Process

ISO/IEC 27002:2013: 9.3.1, 9.4.2, 9.2.1, 9.2.2, 9.4.3

ISO/IEC TR 27019:2013: 11.3.1, 11.5.2
a) Users shall be identified and authenticated with personal RTU500 supports user account
accounts, group accounts shall only be used in precise management (UAM) with role based
defined exceptional cases. access control (RBAC):
see Cyber Security Deployment
Guideline Release 11
Chapter 2 (1KGT 150 906).

Rel. 12.x: according to IEC62351

b) Before allowing any actions, the system shall require each Available
user to be successfully authenticated.
c) The system shall force passwords with configurable password rules available:
strength and expiration periods. The password strength and see Cyber Security Deployment
expiration period shall be configurable by the customer. Guideline Release 11
Chapter 2.2.3 (1KGT 150 906)

d) If technically feasible, 2-factor authentication shall be used, Can be implemented within the
for example SmartCards or security tokens. system

14
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
e) Data used for user identification and authentication shall Available
not solely be provided from sources external to the process
network.
Integration with a central, process net internal directory On the roadmap
service should be considered
f) Successful and failed log on attempts shall be logged SYSLOG events, security archive:
centrally. see Cyber Security Deployment
Guideline Release 11
Chapter 3 (1KGT 150 906)
If applicable, the following items shall be implemented after
paramount consideration of safe system operation and
availability issues:
1. The system should implement mechanisms which allow 1. Login / Logout
for a secure and reproducible switching of user session
during system operations.
2. If applicable and technically feasible user sessions should 2. Automatic logout, timeout time
be locked after a configurable time of inactivity. configurable by administrator
3. After a configurable number of failed log-on attempts, a
security event message should be logged and, if 3 Alarms are configurable, account
applicable, the account should be locked. blocking not supported

2.4.2 Authorization of Activities on User and System

Level

ISO/IEC 27002:2013: 9.4.1, 9.4.4

Before certain security relevant or security critical activities RTU500 supports user account
are performed, the system shall check the authorisation of management (UAM) with role based
the requesting user or system. Relevant activities may already access control (RBAC):
be read access to process data or configuration parameters. see Cyber Security Deployment
Guideline Release 11
Chapter 2 (1KGT 150 906).

Rel. 12.x: IEEE802.1X support

2.4.3 Application Protocols

ISO/IEC 27002:2013: 13.1.2, 10.1.1

ISO/IEC TR 27019:2013: 10.6.3, 11.4.8

15
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
Only standard application level protocols approved by the Webserver access with HTTPS:
client shall be used. Exceptions shall be approved by the see Cyber Security Deployment
customer and documented. Protocols that protect the Guideline Release 11
integrity of the transferred data and ensure correct Chapter 4 (1KGT 150 906)
authentication and authorisation of the communication
partners should be preferred. Furthermore the used Webserver access with HTTPS:
protocols should provide timestamps or secure sequence VPN based on IPSEC
numbers to prevent re-injection of prior sent messages. If see Function Description Release 11
applicable, encryption of the protocol data should be Part 9
implemented. The previous requirements also apply to non- Chapter 3 and 4 (1KGT 150 896)
standard, proprietary or in-house developed protocols.
Rel. 12.x: IEC104 secure, IEEE802.1X
authentication

2.4.4 Web Applications

ISO/IEC 27002:2013: 14.2.5, 14.2.7

Additional to common secure application programming
practice, the following topics shall be regarded when web a) not relevant for RTU
applications are being developed:
a) The application shall be separated into different modules
(e. g.. presentation, application and data layers). If applicable, b) RBAC available
the modules shall be deployed on different servers.
b) The web application components shall be configured with
the minimal possible privileges, both on the application and c) Provided by Web-interface
the system level.
c) All parameters, which are passed to the web application
from the user or his web browser, shall extensively be tested d) Web server access with HTTPS:
for validity, maximum length, correct type and range. This See Cyber Security Deployment
applies also to data, which has been sent from the application Guideline Release 11
to the user beforehand. Special attention shall be paid to Chapter 1.3 and Chapter 4 (1KGT 150
socalled XSS and data injection vulnerabilities, through which 906).
an attacker can execute commands.
d) Especially, secure session management has to be taken e) Security event log
into account, for example by using signed or encrypted see Cyber Security Deployment
session IDs and session timeouts. The transmission of session Guideline Release 11Kapitel 3.3 (1KGT
IDs shall be secured by encryption. 150 906)
e) In the case of application errors, the user should be
informed by error messages. These error messages shall not Security log Server:
provide detailed information, which can be used by an see Cyber Security Deployment
attacker to plan further attacks. Such detailed error Guideline Release 11
information shall only be logged to a log file, which is Chapter 1.2.7 (1KGT 150 906)
accessible by internal users only.
f) Web applications with a high protection requirement shall f) see ABB_SDL_Whitepaper
be tested by a security audit before going productive. Chapter 3.7

16
 ISO/IEC Reference RTU-Relevant
Requirement Implementation

2.4.5 Integrity Checks of Relevant Data

ISO/IEC 27002:2013: 14.2.5

The system shall check the integrity of data before this data is RTU uses secured communication
processed in security relevant activities, (e.g. check for protocols
plausibility, correct syntax and value ranges).
Rel. 12.x: Integrity check of RTU
configuration file (rcd) after download

2.4.6 Logging, Audit Trails, Timestamps, Alarm

Concepts

ISO/IEC 27002:2013: 12.4.1, 12.4.2, 12.4.3, 12.4.4,

18.1.3
ISO/IEC TR 27019:2013: 10.10.1, 10.10.6
a) All systems shall use a uniform system time, which can be Time administration:
synchronized with an external time source. see Function Description Part 6, RTU
Functions
Chapter 7 (1KGT 150 798)
b) The system shall log user actions and security relevant Protocol function as security log:
actions, events and errors to an audit trail using a format, see Cyber Security Deployment
which is appropriate for later, and central analysis. The Guideline Release 11
system shall record date, time, involved users and systems, as Chapter 3 (1KGT 150 906)
well as the event and its result for a configurable time period.
c) The logging function shall be easy to configure and see Function Description Part 5,
customize. SCADA Functions
Chapter 2.8.5 to 2.8.7 (1KGT 150 797)
d) Security events shall be highlighted in the system logs to Security events have an own archive
allow for an easy automatic analysis. file
e) The central storage location of the log files shall be External security log server
configurable. configurable:
see Cyber Security Deployment
Guideline Release 11
Chapter 3.5 (1KGT 150 906)
f) A mechanism for automatic transfer of the log files to Security events can be transmitted
central component shall be available. automatically to an external security
server:
see Cyber Security Deployment
Guideline Release 11
Chapter 3.5 (1KGT 150 906)
g) The log files shall be protected against later modification. Logfile is encrypted, integrity check by
hash value:
see Cyber Security Deployment
Guideline Release 11
Chapter 3 (1KGT 150 906)
h) The audit log shall only be archivable by the auditor role. Rel. 11.x.: not available

17
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
i) The system shall overwrite the oldest stored audit records if FIFO principle, max. 10.000 entries:
the audit trail is full. The system shall issue a warning if the see Cyber Security Deployment
storage capacity decreases below a reasonable threshold. Guideline Release 11
Chapter 2.2.1 (1KGT 150 906)
j) Security relevant events shall be integrable into an existing Security relevant events can be
alarm management. processed (i.e. can be sent to network
control center):
see Cyber Security Deployment
Guideline Release 11
Chapter 3.4 (1KGT 150 906)

Security relevant events can be

transmitted via SYSLOG to an alarm
management system.

2.4.7 Self-Test and System Behaviour

ISO/IEC 27002:2013: 14.2.5

The system or the security modules, respectively, should RTU500 supports continously self
perform integrity checks of security relevant settings and data monitoring and alarming
at start-up and in regular intervals. If the security modules or
the integrity checks fails, the system shall fall back into a Watchdog function:
system state, which maintains the primary system functions see Function Description Part 6, RTU
as long as the prevention of personal injury or equipment Functions
damage can be ensured. Chapter 7 and 9 (1KGT 150 798)

2.5 Development, Test and Rollout

2.5.1 Secure Development Standards, Quality

Management and Release Processes

ISO/IEC 27002:2013: 9.4.5, 14.2.2, 14.2.3, 14.2.4, 14.2.5,

14.2.6, 14.2.7, 14.2.8, 14.2.9, 14.3.1
ISO/IEC TR 27019:2013: 10.1.4
a) On the contractor side, the system shall be developed by see ABB_SDL_Whitepaper
trained and trustworthy personnel. Chapter 2.1 section 1
Outsourcing of the system development as a whole or in Integrator requirement
parts to third parties shall require the written approval of the
customer. The third party shall at least comply with the same
security requirements as the original contractor.

18
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
b) The system shall be developed according to well-known documented process of secure
development standards and quality management/assurance development , guidelines, audit:
processes. Development and testing of the system shall be see ABB_SDL_Whitepaper
done by independent teams. Test plans, test concepts, SDIP (software depelopment
expected and actual test results shall be documented in a improvement program):
comprehensible way; they shall be available for inspection by Chapter 2.1
the customer. Gatemodel: Chapter 2.2
Testprocedure: Chapter 3.7

c) The contractor shall have a documented development used methods:

security program that covers the physical, procedural and TFS - Team Foundation server
personnel security measures to protect the integrity and DSAC - Security Test center
confidentiality of the system’s design and implementation. SVC Systemtest - system verification
center
The contractor shall be available for an external audit of the see ABB_SDL_Whitepaper
effectiveness of the security program. Chapter 3.7

d) The contractor shall have a programming guideline, which see ABB_SDL_Whitepaper

covers security requirements, and secure programming Chapter 3.5
practice. The guideline should deprecate insecure
programming style and the use of insecure functions. Data Codereview, 4-eyes-principle
input shall be verified to avoid buffer overflows. If applicable, Automatic check of memory
security enhancing compiler options and libraries shall be administration in code
used.
e) System release and the release of updates and security DSAC - Security Test center
patches shall be managed and controlled through a well- SVC Systemtest - system verification
defined and documented release process. center
per Release

2.5.2 Secure Data Storage and Transmission

ISO/IEC 27002:2013: 13.2.4, 13.2.2, 8.3.3,

13.2.3, 6.2.1, 10.1.1, 14.3.1
Sensitive customer data, which is used or produced during Integrator requirement
development and maintenance, shall be transmitted
encrypted if it is sent over public networks. If the data is
stored on mobile devices, it shall be stored in encrypted form.
Sensitive data may include, but is not limited to, internal
customer information and documents, log files, error logs,
and relevant system documentation. The amount of stored
data and the storage time shall be limited to the necessary
minimum.

19
 ISO/IEC Reference RTU-Relevant
Requirement Implementation

2.5.3 Secure Development, Test– and Staging Systems,

Integrity Checks

ISO/IEC 27002:2013: 12.1.4, 14.3.1, 9.4.5, 14.2.7

ISO/IEC TR 27019:2013: 10.1.4
a) Development shall be conducted on secure computer provided in R&D process
systems, the development environment, the source code and
binaries shall be protected against unauthorized access.
b) Development and testing of the system and of updates, provided in R&D process
enhancements and security patches shall be conducted on
staging environments, which shall be separated from the live
system.
c) No source code shall be installed on live systems. Only selected files (no source code)
can be loaded into the RTU, web
server checks file type:
see Web-Server Users Guide Release
11
Chapter 7 and 8 (1KGT 150 802)
d) It shall be possible to verify the integrity of the system Firmware is codesigned by ABB
source code and binaries to detect unauthorized changes. For certificate, Check sum (HASH)
example, the integrity might be checked by secure check documented:
sums. see Release Notes (internal)
e) A version history of all deployed software packages shall be see Release Notes (internal)
maintained, which allows tracing all software changes.
Code management System (CMS) is
used

2.5.4 Secure Update and Maintenance Processes.

ISO/IEC 27002:2013: 12.5.1, 14.2.2, 14.2.3, 14.2.7,

14.2.9
ISO/IEC TR 27019:2013: 12.4.1

20
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
Provision and Installation of updates, enhancements and Integrator requirement
patches shall be carried out in consultation with the customer
according to a well-defined process. RTU supports as follows:
On the contractor side, dedicated and trained personnel, Decription of changes:
using particularly secured systems, shall carry out see Release Notes (internal)
maintenance.
Release Notes for security patches:
Grid Automation Cyber security
(internal)
Cyber security alerts and notifications
(external)

Upgrade of the system (Major release

change):
see Migration Guides (Download
Center)

Current Firmware:
see RTU500 Series Functions and
Software (Download center)

2.5.5 Configuration and Change Management, Rollback

ISO/IEC 27002:2013: 12.1.2, 14.2.9, 12.5.1, 12.6.2,

14.2.2
ISO/IEC TR 27019:2013: 10.12.1, 12.4.1
a) The system shall be developed and maintained using a Configuration and Firmware can be
configuration and change management. maintained via web interface:
see Web-Server Users Guide Release
11
Chapter 7 and 8 (1KGT 150 802)
b) The system shall support rollback of a specified number of Rel. 12.x: one-step-rollback online
configuration changes. available.
Further backup functions offline, in
responsibility of the customer

2.5.6 Fixing Security Vulnerabilities

ISO/IEC 27002:2013: 12.6.1, 16.1.2, 16.1.3

21
 ISO/IEC Reference RTU-Relevant
Requirement Implementation
The contractor shall have a well-defined vulnerability A vulnerability handling process in 5
management process to address security vulnerabilities. The steps is established:
process allows all involved and external parties to report see ABB_SDL_Whitepaper
actual or potential vulnerabilities. Furthermore, the Chapter 3.8 and 3.8.1
contractor shall obtain up-to-date information about security
problems and vulnerabilities, which might affect the system Reports about security issues
or its components. The vulnerability management process
shall define how a potential vulnerability is verified, classified, Findings and their treatment, affected
fixed and how recommend measurements are reported to all ABB products, particularly RTU, are
system owners. Furthermore, the process shall define published by ABB:
timelines for each step in the vulnerability management
process. The contractor shall early inform the customer about see ABB Cyber Security Homepage
known security vulnerabilities, even if there is no patch
available. The customer shall treat this information
confidentially.

2.5.7 Source Code Escrow

ISO/IEC 27002:2013: 14.2.7

If applicable, a source code escrow agreement should be contract issue
considered, to ensure security updates in case of failure of
the contractor. The agreement should cover the system
source code and the according source code documentation.

2.6 Backup, Recovery and Disaster Recovery

2.6.1 Backup: Concept, Method, Documentation, Test

ISO/IEC 27002:2013: 12.1.1, 12.3.1

ISO/IEC TR 27019:2013: 10.1.1
There are documented backup and recovery procedures, not applicable for RTU, system
which cover single applications and the entire system, approach
respectively, together with the according configuration data.
Configuration data of distributed systems can be saved in a
central repository. The backup and recovery processes shall
be tested by the client regularly. Documentation and tests
shall be adjusted after relevant system updates and the
procedures shall be re-tested. The backup process should
provide a verify operation and shall take into account the
protection requirements of the backup data (e.g. by
encrypting sensitive data).

2.6.2 Disaster Recovery

ISO/IEC TR 27019:2013: 14.1.1, 14.2.1

22
ISO/IEC Reference RTU-Relevant
Requirement Implementation
The contractor shall provide documented operational not applicable for RTU, system
concepts and tested disaster recovery concepts and approach
procedures for defined emergency and crisis scenarios. The
recovery concepts shall include a specification of the recovery
time objectives. The documentation and procedures are
adjusted after relevant system updates and the procedures
are re-tested during system release acceptance procedures.

23