1MRS758267
3.3.2.
COM600 series 5.0
Cyber Security Deployment Guideline
• Policy Change – Use policies under this category to monitor changes to local
  security policies, user rights assignments, auditing policies and/or trust policies.
• System – Use policies under this category to monitor startup/shutdown of COM600
  and changes to the system time.
There are multiple options for configuring audit policies. They can be configured
locally in COM600, either with the Local Security Policy editor or with the auditpol
command line tool. They can also be managed by a domain controller when COM600 is
part of a domain. A policy configuration made with one of these options is not
necessarily reflected in the configuration shown by another. Therefore, ABB
recommends always using the "auditpol" command line tool in COM600 to view or edit
any audit policy.
The audit policies that are preconfigured in COM600 at the factory are listed below.
These policies are configured to generate both success and failure events when
applicable.
• Account Management
  • Computer Account Management
  • Security Group Management
  • User Account Management
• Logon/Logoff
  • Account Lockout
  • Logoff
  • Logon
• Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
• System
  • Security State Change
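One way to check a unit against the factory list above with auditpol, the tool the guideline recommends for viewing audit policy. This is an added example, not an ABB script; it assumes an elevated PowerShell prompt and an English-language Windows image, where auditpol prints these subcategory names and setting strings.

```powershell
# Added example: compare the effective audit policy with the factory list above.
# Assumptions: elevated prompt, English-language auditpol output.
$baseline = @(
    'Computer Account Management', 'Security Group Management',
    'User Account Management',
    'Account Lockout', 'Logoff', 'Logon',
    'Authentication Policy Change', 'Authorization Policy Change',
    'Security State Change'
)

# /r makes auditpol print CSV; drop blank lines before parsing.
$rows = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
if (-not $rows) { throw 'auditpol returned no data (is the prompt elevated?)' }

$report = foreach ($name in $baseline) {
    $row = $rows | Where-Object { $_.Subcategory.Trim() -eq $name } |
        Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    # The guideline enables success and failure "when applicable", so a
    # success-only or failure-only setting is flagged for review, not as drift.
    $status = switch ($setting) {
        'Success and Failure' { 'OK' }
        'No Auditing'         { 'DRIFT' }
        'NOT FOUND'           { 'DRIFT' }
        default               { 'REVIEW' }
    }
    New-Object psobject -Property @{
        Subcategory = $name; Setting = $setting; Status = $status
    }
}
$report | Select-Object Subcategory, Setting, Status | Format-Table -AutoSize

# Print (do not run) the auditpol command that would restore each drifted entry.
foreach ($item in ($report | Where-Object { $_.Status -eq 'DRIFT' })) {
    'auditpol /set /subcategory:"{0}" /success:enable /failure:enable' -f $item.Subcategory
}
```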
COM600 Security Events
Security Events (SEV) OPC server
COM600 application-related security events can be generated using the SEV OPC Server.
These events include, for example, COM600 WebHMI user logon/logoff actions, operator
control operations, and configuration upload and download actions. See the CAL and SEV
OPC Server User's Manual for additional details on how to configure and use it in
COM600.
The security events generated for the various COM600 software components can be
forwarded to external entities using syslog messages. One such entity is the COM600
CAL server.