INGESAS™ IC3

Security Module of INGESAS™ IC3

User Manual
ZY8567IKL01 Rev._
 Table of contents

Table of contents

1 Scope of the document ............................................................................................ 5

2 Module description ................................................................................................... 6

2.1 Basic concepts.............................................................................................................................................. 6

2.2 Starting a session in the Security Server................................................................................................ 7
2.2.1 Starting a session from the Security Configuration Tool. .......................................................... 7
2.2.2 Starting a session from the web viewer.......................................................................................... 8
2.2.3 Starting a session from eFS tools. ................................................................................................... 9
2.3 Security audit................................................................................................................................................. 9

3 Configuration of the Security Module .................................................................12

3.1 Regions ......................................................................................................................................................... 12

3.2 User profiles and privileges ..................................................................................................................... 13
3.3 User groups and permissions for tools ................................................................................................ 15
3.4 Users ............................................................................................................................................................. 16
3.5 Security directives...................................................................................................................................... 21
3.6 Changing the password from the Web Viewer .................................................................................... 22
3.7 Password retrieval...................................................................................................................................... 23
3.8 Backup copy of the configuration .......................................................................................................... 23
3.8.1 Creating a backup copy of the configuration .............................................................................. 23
3.8.2 Retrieving the configuration ............................................................................................................ 24

4 Firewall configuration ............................................................................................. 25

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Table of contents

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Scope of the document

1 Scope of the document

This document explains the operation of the Security Module of INGESAS™ IC3 and its various
components, that is, the Security Server and its configuration tool.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

2 Module description

The Configuration Tool is used to define the security policies, user accounts and permissions to
access the various functions. However, the primary component of the Security Module is the
Server, which controls and restricts user access to the system and its functions.

The Security Server has the following characteristics:

 In INGESAS™ IC3, the service is launched and controlled by UcsWatcher from the
moment the equipment is started up. The service does not depend on the operating
system and cannot be consulted.
 It is a global service and therefore does not depend on a specific project.
 It operates in the Master node; if there is a Backup node, the latter will have another
Security Server that will perform redundancy with regard to the Master node. Both
servers will share the information and cooperate during operation.
 If Standalone nodes are used, the Security Server will be launched in that node.

2.1 Basic concepts

 User: the individual who accesses INGESYS™ IC3 with certain permissions.
 User session: the period of time during which the user is accessing the system. A
user can start several sessions from different devices and a single device can open
several sessions for the same user or different users.
 Security directive: a rule that is applied to all the user accounts in the system.
 Profile: a logical group of users that have permission to perform the same operations.
A user can belong to one or more profiles or not belong to any of them.
 Privileges: a permission to perform a specific operation in the system. Privileges can
be assigned to one or more user profiles; therefore all the users belonging to at least
one of these profiles can perform the operation in question.
 Access level: a number between 0 and 100. To perform a given action in an IT tool,
the user must have an access level that is equal to or higher than the access level
setting of the action.
 User groups: a group of users that have the same access level. A user can belong to
one group only and will inherit the level of that group.
 Region: a logical group of items based on a regular expression to which specific
privileges can be assigned.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

2.2 Starting a session in the Security Server.

A user session must be started to access the Security Configuration Tool.

NOTE:
The first time the program installed in INGESAS™ IC3 is started up, the security server is
launched with the following default user configuration: manager and password ITSA.

2.2.1 Starting a session from the Security Configuration Tool.

To access the INGESAS™ IC3 Security Configuration Tool, use the Security button on the
control panel to establish communication with INGESAS™ IC3.

Dialogue to access the IC3 Security Configuration Tool.

An error message will appear if communication is not established with INGESAS™ IC3.

Error connection to INGESAS™ IC3.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

If communication is established with INGESAS™ IC3, a dialogue will appear to start the user
session.

Session start dialogue in the IC3 Security Configuration Tool.

Once the session is started the Configuration Tool will verify whether the user belongs to any of
the profiles with permission to change the security settings.

If this is not the case, the configuration tool will display an error message and will not open.

Unauthorised user message.

The user session will close when the user exits the Configuration Tool.

2.2.2 Starting a session from the web viewer.

To view the panels via the web, access the web server from a browser by entering the following
URL:

http://ServerIP:8000/PanelServer/itIndex?InitialPanel=panelName

A dialogue will appear for the user to start the session.

User authentication via the IC3 web.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

2.2.3 Starting a session from eFS tools.

The INGESYS™ eFS tools of a node share the same user session.

If the session has not been created, the first tool that is run will display the session start dialogue.

Session start dialogue from eFS tools.

2.3 Security audit.

While the Security Server is running, it generates the following events:

 Server start-up and shutdown.

 Correct session start.
 Incorrect session start attempt.
 Manual and automatic session close.
 Password change.

The events registered be the selected IC3 Security Server, whether Master or Backup, can be
seen in the INGESAS™ IC3 control panel by downloading the events log using the Obtain Events
option.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

Obtain events of the INGESAS™ IC3.

Once the events logs have been downloaded, use the See events option on the control panel to
monitor them.

See events of the INGESAS™ IC3.

The Ingeteam Security filter in the Origin combo of the events viewer selects the events
registered by the IC3 Security Server.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Module description

Events filter of the INGESAS™ IC3 Security Server.

Once the filter has been set, the events registered by the INGESAS™ IC3 Security Server can be
consulted.

Events of the INGESAS™ IC3 Security Server.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

3 Configuration of the Security Module

The parameters used by the Security Module can be set up using the Security Configuration Tool
provided with the INGESAS™ eFS tools, see Section 2.2.1. Starting a session from the Security
Configuration Tool.

This is where the user accounts, security directives shared by all the accounts, profiles, groups
and permissions and privileges needed for specific operations in the various tools are defined.

General appearance of the Security Configuration Tool

The tool contains the following elements:

1 Toolbar
2 Tree containing the security model applied to all IT projects.
3 Area to edit the element selected in the tree.
4 Name of the INGESYS™ IT node or IP of INGESAS™ IC3, which contains the active
Security Server.
5 Identified user name
6 User language

NOTE
To guarantee security in configuration tasks, the session started in the Configuration Tool will shut
down automatically after 6 minutes of user inactivity. The user will be presented with an
information message and the session start dialogue will appear.

3.1 Regions

A region is a logical group of items based on a regular expression to which specific privileges can
be assigned.
© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01
Rev._
Configuration of the Security Module

New regions can be defined from the Security Configuration Tool by selecting the New region
option in the tool bar and entering the information in the dialogue that appears.

New region.

Once the region is created, its description can be deleted or edited, but not its name.

The items that belong to each region are defined by editing the Panels Server configuration file,
following the syntax explained in the User Manual for the Multi-Platform Web Solution.

3.2 User profiles and privileges

As seen by selecting the Profiles branch, the security module contains 24 different user profiles
identified by a letter (A, B, C and so on to Z, except O and I) .

A description can be assigned to each profile (for example Security administrators).

Editing user profiles.

Users must have a specific privilege to perform some of the operations in the system. A list of
authorised profiles must be indicated for each privilege, so all the users belonging to at least one
of these profiles will be able to perform the operation.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

The list of privileges and authorised profiles can be seen and edited in the Security Configuration
Tool by selecting the Privileges branch.

Selecting the authorised profiles for a specific task.

Some of the privileges can be specified by region, so certain profiles can be assigned globally and
other more specific ones can be assigned to a concrete region.

If a user has a privilege assigned globally, they are also assigned that privilege for all the regions,
according to the following configuration:

 Privilege to force values: A

 Privilege to force values in the Input: B

Therefore, A profiles can force values in all areas, including the Input region, and B profiles can
only force profiles in Input.

If a privilege is assigned to the Everyone profile, any registered user can perform this operation,
regardless of the profile they belong to or even if they are not assigned a profile, such as the profile
None.

If a region does not have a specific profile for that privilege, the value None will appear.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

3.3 User groups and permissions for tools

Apart from the profiles, the necessary user groups and levels have been maintained to run tool
actions in versions prior to 6.0 of INGESYS™ IT.

The user groups are set up in the User group branch. Numbers from 0 to 100 can be used to
define each user group. Each user must belong to a group and will inherit the level of that group.

User groups.

New user groups can be created by selecting the New group option in the tool bar and entering
the information of the new group in the dialogue that appears.

Group creation dialogue

Once created, groups cannot be edited and only those with no associated users can be deleted.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

The levels required to run operations in INGESYS™ IT tools are defined in the Permissions in
tools option of the Security Configuration Tool.

Permissions for tools.

The permission for tools are grouped hierarchically by application and by groups of actions within
the applications. When the level of one of these groups is changed, the level of actions contained
in it are updated.

3.4 Users

The system can have one or more users; these are set up in the User accounts branch. There is
one default user account called Manager with the maximum level and which cannot be blocked.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

Manager user account

Subsequently, the administrator will create as many users as needed by selecting the New user
option in the tool bar and entering the new user information in the dialogue that appears.

Creating a user.

When creating a new user from the Security Configuration Tool, the following properties must be
completed:

 User name. Name of the new user.

 Group of the user: all users must belong to a group. Bear in mind that once this is
entered, the user cannot be changed to a different group.
 Profiles: a user can belong to one or more profiles or not belong to any.
 Associated language: this is used to show the web viewer panels in the language
that is chosen. In addition, when a user starts a session in the node, it changes the
node language to the language chosen by the user, although this change does not
affect the tools that are opened in the node.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

 Regional language: a specific property of the tab above to customise date and
number formats, etc.
 Password. User access password.
 The password should be changed at the start: initially, a user can be created with
an empty password or a default value to force the user to change it the first time they
access with that account.
 The password is never blocked.
 Account deactivated: a user account can be created and deactivated so the
administrator can activate it when required.

NOTE:
The system will not be secure if there are "common" or "generic" users. In other words, if a given
installation has 20 people operating it and 10 people in charge of maintenance, and the only users
are "operator" and "maintenance", the "operator" password must be known by at least 20 people
and the "maintenance" password by 10. Keeping the password secret among that number of
people is obviously not possible. Therefore, it is advisable to define as many users as there are
persons operating the various installations and for each person to know their own password, for
which they will be responsible.

After the user has been created, the user settings and profiles it belongs to can be edited.

User configuration.

The parameters shown below define both the user settings and the status of the account at any
given time:

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

 Account deactivated: the system administrator can deactivate a user account if

necessary and activate it again at a later moment.
 Account blocked: an account is blocked when the number of unsuccessful attempts
to access is the number configured in the directive: The accounts will be blocked
after X invalid session start attempts.
There are two options to unblock an account:

 to change the value of this property from this dialogue.

 to wait for the time configured in the following directive to expire: Blocked
accounts will be blocked for X seconds.

 Account never blocked: when this option is enabled, the account will not be blocked
even if more invalid attempts are made than those indicated in the directive. Certain
accounts, such as the administrator's account, should never be blocked.
 Inactive session timeout: In certain applications, once this time has elapsed without
any user interaction with the application, the user session will no longer be valid and it
will close.

In the case of the Web Viewer, inactivity is considered any time the mouse is not
moved or the keypad is not pressed. In the case of the Security Configuration Tool,
pressing the options in the tree or changing the parameters is considered an activity.
A value of 00:00:00 means that there is no limit to time of inactivity established for this
user.

NOTE:
Regardless of this expiration value, after 6 minutes of inactivity by the user, the Security Server
session will shut down automatically.

 Do not allow simultaneous connections: when this option is enabled, if a user

wants to access the system and a session is already open for the same user, two
things can happen:

 Access from the Web Viewer or from the Security Configuration Tool: a
message will appear indicating that a session is already open for that user. The
message will provide the option to continue with the new access and leave the
previous session open or close the previous session and access with new
session.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

Dialogue for closing simultaneous connections.

 Access from another INGESYS™ IT tool: access to the system will not be
allowed.

 Change the password at the start: this is generally used when a new user is
created to ensure that the password is changed during the first access. The message
indicating the need to change the password is shown when this user accesses.

Password change message

A new password has to be entered using the following dialogue:

Password change.

NOTE:
Stored passwords cannot be viewed by anyone, including the security administrator.

 Session timeout: the maximum time a session can remain active, regardless of
whether there is user activity or not. After this time elapses, the session will close
automatically. A value of 00:00:00 means that there is no limit.
 Profiles: a user can belong to one or more profiles or not belong to any.
 Goup of the user: once the user is created, it cannot be changed to another group.
 Language: associated language.
 Regional language: the associated language applied to certain formats.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

3.5 Security directives

Minimum security directives can be established to ensure greater system security; these will be
applied to all user accounts. These can be edited in the Security Configuration Tool, by selecting
the Account directives branch.

Security directives for user accounts.

The directives that can be set up are as follows:

 The password will expire in X days: indicates the number of days until a password
expires. A value of 0 means that the password will never expire.
 Passwords can be changed after X days: indicates the minimum number of days
until a password can be changed. A value of 0 means that there is no limit.
 The accounts will be blocked after X invalid session start attempts: when X
incorrect identification attempts are made to open an account, the account will be
blocked. There are two ways to unblock an account:

 From the Security Configuration Tool, by editing the properties of the blocked
user.
 Waiting for the seconds configured in the following directive to elapse: Blocked
accounts will be blocked for X seconds.

A value of 0 means that the accounts do not have a limit of invalid attempts; that is,
they are never blocked.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

It is important to mention that regardless of this value, each user can define the The
account is never blocked property which, if activated, has priority over this
general directive.
By default, the Manager user is never blocked.

Some directives define the rules that all user passwords have to comply with to ensure their
security:

 Passwords cannot contain the name of the user.

 Passwords must contain characters from at least X groups: the various groups of
characters are high case, low case, numbers and non-alphanumeric characters.
 Passwords must be at least X characters long.
 File containing blacklisted passwords: a file of invalid passwords can be created
with a file name for the directive with a .txt extension that should be placed in
directory: ¿[OCSPath]\SecurityServer ? of the Server node. If no value is entered,
no list of forbidden passwords will be available.
 Passwords cannot be the same as the last X passwords.

If a password does not comply with the security directives, the user will be shown the following
message:

Password unsafe message

3.6 Changing the password from the Web Viewer

Users connected to the Web Viewer can change their own password because it has expired or at
their choosing.

This is done in the status bar menu of the Web Viewer by selecting Password change

Status bar menu.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

and then entering the current password and the new password in the following dialogue:

Changing the password from the Panels Viewer.

3.7 Password retrieval

System administrators can set up a new password for any user without having to know the previous
password.

This is done by selecting the MANAGER user account and selecting the Set password option in the
tool bar of the Security Configuration Tool.

Dialogue to reset a password.

3.8 Backup copy of the configuration

The Security Configuration Tool saves a backup copy of the Security Server configuration so it
can be restored subsequently in the same equipment or other equipment. This can only be done
with privileges to change the configuration.

3.8.1 Creating a backup copy of the configuration

To create a backup copy, select the tree root Security configuration and select Backup copy
from the tool bar of the Configuration Tool. The user will have to choose the name and location of

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Configuration of the Security Module

the backup file with the extension .ssb where the configuration created by the Administrator will
be stored.

3.8.2 Retrieving the configuration

To retrieve the configuration of the Security Server saved previously in a backup file, select the
tree root Security configuration and select Restore from the tool bar of the Configuration
Tool. The user will have to choose a backup file with extension .ssb that contains the information
to be restored.

If the installation where the information is retrieved has a previous configuration, this will be lost
and replaced with the configuration contained in the backup file.

 If the backup file contains new users, these will be created in the new accounts, but not
activated.
 If any of the accounts to be restored already exist in the system, the password will remain
the same and only the properties of the account will be restored, including whether or not
it is activated.
 If there are accounts in the system that are not contained in the backup file, these will be
deleted.

The Configuration Tool will shut down to enable all the changes.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Firewall configuration

4 Firewall configuration

Configuration of the INGESAS™ IC3 firewall is carried out from the IC3 control panel by entering
the information requested in the dialogue that appears when the Firewall tab is selected.

Dialogue for configuration of the INGESAS™ IC3 firewall.

This dialogue appears as a table with five columns, where the first contains the functions to filter
and the remaining four contain the filters set up for each of the four network interfaces of
INGESAS™ IC3.

The first row contains the cells to enable or disable the firewall of the corresponding network
interface.

 Firewall enabled: Network interface firewall allowed (Yes) or blocked (No).

To enable or disable the firewall, click on the corresponding cell and then click on Yes in the
dialogue window that appears.

Dialogue to enable the firewall.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Firewall configuration

Dialogue to disable the firewall.

Each of the following rows contains filters for a different function.

 PING: Ping command for network diagnosis.

 FTP: File transfer protocol without security measures.
 SSH – SFTP: Security protocol that allows client/server connections and secure file
transfers.
 IEC61850: Communications standard to automate electricity substations.
 IEC60870-5-104: Network communications protocol for remote control according to
the IEC standard.
 DNP3.0: Remote control communications protocol according to the DNP3.0 standard.
 MODBUS: Communications protocol for industrial electronic devices designed by
Modicon.
 NTP: Communications protocol for time synchronisation via a network.
 PROCOME: Communications protocol for the protection, control and measurement of
electronic devices based on IEC60870.
 IEC61131 MONITOR: Standard programming language for PLCs, automation,
protection and control systems and monitoring applications.
 MASTER_BACKUP_COMMS: Communications protocol between Master and
Backup.
 WINDOWS_FILESYSTEM: Windows file management system that uses Windows
Explorer.
 DATA MONITORING: Variables monitoring service.
 SECURITY SERVER ACCESS: Access to the security server.
 SECURE WEB SERVICE: Service to access the web server with security.

By default, the table shows the filter settings used normally when the ETH2 interface is dedicated
to upstream communications with the remote control desks through the control network, the ETH3
interface is dedicated to downstream communication through the station network with the IEDs,
the ETH1 interface allows all functions and the ETH0 interface is not enabled at the moment
because INGESAS™ IC3 does not use this interface with the CPU IC3192.

To edit any of the filters set up in the firewall, click on the cell and use the following dialogue.

Select Closed and click on Accept for the firewall to block the function; the cell will be left blank.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
Firewall configuration

Closed filter settings dialogue in firewall.

Select Open without entering any IP address and click on Accept for the firewall to allow use of the
function with any IP address; the text in the cell will be ALL.

Open filter settings dialogue without IPs in the firewall.

Select Open but enter one or more IP addresses and click on Accept for the firewall to allow use
of the function only with the IP addresses that are entered; the text in the cell will be SOME.

Open filter settings dialogue with one or more IPs in the firewall.

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
 Firewall configuration

Total or partial reproduction of this publication by any means or

procedure is prohibited without previous express written
authorisation by Ingeteam Power Technology.

One of the primary goals of Ingeteam Power Technology is the Parque Tecnológico de Bizkaia-
continuous improvement of its equipment; consequently, the Edificio 110
48170 Zamudio (Bizkaia)
information contained in this catalogue may be modified without
Tel +34-944 039 600
previous notice. Fax +34-944 039 679

For further information, please refer to the manual or contact us. http://www.ingeteam.com

© Ingeteam Power Technology, S.A. 2018 All rights reserved. ZY8567IKL01

Rev._
www.ingeteam.com