Importing And Writing Certificates To An Ied - ABB RELION 670 SERIES Manual

Section 5
Central Account Management
5.2.2
44
SDM600 allows user to set key length of the certificates that needs to be deployed
in IED. While it may be prudent to use a larger key size, it would also mean it
requires a considerable longer time for the TLS handshake (between IED and tools/
Central Account Management servers) before any secure communication starts. We
recommend to deploy certificates with key length of 2048 in the IED. NSA
(National Security Agency) recommendation is that RSA keys of 2048 bit key size
is acceptable.
IED will use the certificate imported via PCM600 to automatically
access to the SDM600 server. This certificate is also used as a
server certificate to secure communication of FTP and ODBC
protocols. However, it is possible to deploy server certificates
(External) for FTP and ODBC protocol. PCM600 does not support
this feature.
The security administrator uses a 3rd party FTP client to transfer
the pkcs#12 package to certificates/import/external and use the
SITE cmd "PKCS12Install <path to file> <KEK>" to activate the
external certificate

Importing and writing certificates to an IED

The following are the steps to import and write certificates to the IED.
1. Connect PC to the IED.
2. Start PCM600, open project.
3. Select VoltageLevel, Bay or IED in the plant structure.
4. Select Tools/Account Management or right click on VoltageLevel, Bay or
IED in the plant structure and select Account Management
The Account Management dialog will appear as shown below
IEC15000281 V1 EN-US
Figure 23: Account Management Tool in PCM
5. Select the Import and Write Certificates option.
6. Select those IEDs to which certificates needs to be written.
1MRK 511 399-UEN B
GUID-36E12AF0-A5D9-446D-B679-ABD55BB12CD6 v1
670 series 2.2 IEC
Cyber security deployment guideline