GE 845 Instruction Manual page 15

Transformer protection relay

CHAPTER 1: INTRODUCTION
FASTPATH:
845 TRANSFORMER PROTECTION SYSTEM – INSTRUCTION MANUAL
The 845 can still use the Setpoint access switch feature, but enabling the feature can be
done only by an Administrator. Setpoint access is controlled by a keyed switch to offer
some minimal notion of security.
CYBERSENTRY
The CyberSentry Embedded Security feature is a software option that provides advanced
security services. When the software option is purchased, the Basic Security is
automatically disabled.
CyberSentry provides security through the following features:
• An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In
  User Service (RADIUS) client that is centrally managed, enables user attribution, and
  uses secure, standards-based strong cryptography for authentication and credential
  protection.
• A Role-Based Access Control (RBAC) system that provides a permission model that
  allows access to 845 device operations and configurations based on specific roles
  and individual user accounts configured on the AAA server. At present the defined
  roles are: Administrator, Operator and Observer.
• Strong encryption of all access and configuration network messages between the
  EnerVista software and 845 devices using the Secure Shell (SSH) protocol, the
  Advanced Encryption Standard (AES), and 128-bit keys in Galois Counter Mode (GCM)
  as specified in the U.S. National Security Agency Suite B extension for SSH and
  approved by the National Institute of Standards and Technology (NIST) FIPS-140-2
  standards for cryptographic systems.
• Security event reporting through the Syslog protocol for supporting Security
  Information Event Management (SIEM) systems for centralized cyber security
  monitoring.
There are two types of authentication supported by CyberSentry that can be used to
access the 845 device:
• Device Authentication – in which case the authentication is performed on the
  845 device itself, using the predefined roles as users (no RADIUS involvement).
  845 authentication using local roles may be done either from the front panel or
  through EnerVista.
• Server Authentication – in which case the authentication is done on a RADIUS server,
  using individual user accounts defined on the server. When the user accounts are
  created, they are assigned to one of the predefined roles recognized by the 845.
  845 authentication using RADIUS server may be done only through EnerVista.
WiFi and USB do not currently support CyberSentry security. For this reason WiFi is
disabled by default if the CyberSentry option is purchased. The user can enable WiFi, but
be aware that doing so violates the security and compliance model that CyberSentry is
supposed to provide.
When both 845 device and server authentication are enabled, the 845 automatically
directs authentication requests to the 845 device or the respective RADIUS server, based
on user names. If the user ID credential does not match one of the device local accounts,
the 845 automatically forwards the request to a RADIUS server when one is provided. If a
RADIUS server is provided, but is unreachable over the network, server authentication
requests are denied. In this situation, use local 845 device accounts to gain access to the
845 system.
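The routing rules above, combined with the EnerVista-only restriction on server authentication, written out as a decision function. This is an added illustration, not GE code or the relay's firmware logic. The `RelayAuthConfig` fields, the channel names, exact-match comparison of user names, and the denial of non-local logins from the front panel or when no server is provided are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Role names are from the manual; under device authentication they act as the user names.
LOCAL_ROLES = {"Administrator", "Operator", "Observer"}
CHANNELS = ("front_panel", "enervista")  # assumed labels for the two listed access paths


class Route(Enum):
    DEVICE = "authenticate on the 845 itself"
    RADIUS = "forward to the RADIUS server"
    DENIED = "deny"


@dataclass(frozen=True)
class RelayAuthConfig:       # hypothetical container, not an 845 setpoint name
    device_auth: bool        # device (local role) authentication enabled
    radius_configured: bool  # a RADIUS server is provided
    radius_reachable: bool   # the server answers over the network


def route_login(user: str, channel: str, cfg: RelayAuthConfig) -> tuple:
    """Return (Route, reason) for a login request; credentials are checked afterwards."""
    if channel not in CHANNELS:
        raise ValueError("only front panel and EnerVista logins are modelled")
    # Assumption: user names are compared exactly (case-sensitive).
    if cfg.device_auth and user in LOCAL_ROLES:
        return Route.DEVICE, "user name matches a local role account"
    if not cfg.radius_configured:
        return Route.DENIED, "no local match and no RADIUS server provided"
    if channel != "enervista":
        return Route.DENIED, "server authentication is available only through EnerVista"
    if not cfg.radius_reachable:
        # Fail closed: an unreachable server never falls back to an open login.
        return Route.DENIED, "RADIUS server unreachable; use a local device account"
    return Route.RADIUS, "individual account, attributable to a named user"


def usable_during_outage(users, cfg: RelayAuthConfig, channel: str = "enervista"):
    """Accounts that keep a login path if the RADIUS server drops off the network."""
    down = RelayAuthConfig(cfg.device_auth, cfg.radius_configured, False)
    return [u for u in users if route_login(u, channel, down)[0] is not Route.DENIED]


if __name__ == "__main__":
    cfg = RelayAuthConfig(device_auth=True, radius_configured=True, radius_reachable=True)
    for name in ("Operator", "jsmith"):  # "jsmith" is a constructed RADIUS user name
        for ch in CHANNELS:
            print(name, ch, *route_login(name, ch, cfg))
    print("usable during outage:", usable_during_outage(["jsmith", "Observer"], cfg))
```

During a RADIUS outage only the shared role accounts remain usable, so logins in that window lose the per-user attribution that server authentication provides.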
USER ROLES
User Access Levels are used to grant varying permissions to specific user roles. User roles
are used by both Basic Security and CyberSentry.
The following user roles are supported:
SECURITY OVERVIEW