Blank Passwords; Password Management - GE MiCOM P40 Agile Technical Manual

P44X/EN CS/Hb6
(CS) 15-14
then uses appropriate response codes to inform the client that the password was NERC-
compliant or not. The client then can choose if he/she wishes to enter a new password that
is NERC-compliant or leave the entered one in place.
4.3.1

Blank passwords

A blank password is effectively a zero-length password. Through the front panel it is entered
by confirming the password entry without actually entering any password characters.
Through a communications port the Courier and Modbus protocols each have a means of
writing a blank password to the IED. A blank password disables the need for a password at
the level that this password applied.
Blank passwords have a slightly different validation procedure. If a blank password is
entered through the front panel, the following text is displayed, after which the procedure is
the same as already described:
Blank Passwords cannot be configured if the lower level password is not blank.
Blank Passwords affect fall back level after inactivity timeout or logout.
The 'fallback level' is the password level adopted by the IED after an inactivity timeout, or
after the user logs out. This will be either the level of the highest level password that is blank,
or level 0 if no passwords are blank.
4.4

Password Management

The user is locked out temporarily, after a defined number of failed password entry attempts.
The number of password entry attempts, and the blocking periods are configurable. These
settings are shown in Table 4.
The first invalid password entry sets the attempts count (actual text here) to 1 and initiates
an 'attempts timer'. Further invalid passwords during the timed period increments the
attempts count. When the maximum number of attempts has been reached, access is
blocked. If the attempts timer expires, or the correct password is entered before the 'attempt
count' reaches the maximum number, then the 'attempts count' is reset to 0.
Once the password entry is blocked, a 'blocking timer' is initiated. Attempts to access the
interface whilst the 'blocking timer' is running results in an error message, irrespective of
whether the correct password is entered or not. Only after the 'blocking timer' has expired
will access to the interface be unblocked, whereupon the attempts counter is reset to zero.
Attempts to write to the password entry whilst it is blocked results in the following message,
which is displayed for 2 seconds.
Appropriate responses achieve the same result if the password is written through a
communications port.
The attempts count, attempts timer and blocking timer can be configured, as shown in Table
4.
Setting
Attempts Limit
Attempts Timer
Blocking Timer
Table 4: Password blocking configuration
BLANK PASSWORD
ENTERED CONFIRM
NOT ACCEPTED
ENTRY IS BLOCKED
Cell
Units
col row
25 02
25 03 Minutes
25 04 Minutes
MiCOM P40 Agile P441, P442, P444
Default Setting Available Setting
3 0 to 3 step 1
2 1 to 3 step 1
5 1 to 30 step 1
Cyber Security