GE C70 Instruction Manual page 36

2.1 INTRODUCTION
The command and setting passwords are defaulted to "0" when the relay is shipped from the factory. When a password is
set to "0", the password security feature is disabled. As shown in the figures, the window indicates when the password is at
the default and when the password has been set.
Figure 2–2: WINDOW INDICATES DEFAULT PASSWORD (LEFT) AND PASSWORD SET (RIGHT)
2
The C70 supports password entry from a local or remote connection. Local access is defined as any access to settings or
commands via the faceplate interface. This includes both keypad entry and the through the faceplate RS232 port. Remote
access is defined as any access to settings or commands via any rear communications port. This includes both Ethernet
and RS485 connections. Any changes to the local or remote passwords enables this functionality.
When entering a settings or command password via EnerVista or any serial interface, the user must enter the correspond-
ing connection password. If the connection is to the back of the C70, the remote password must be used. If the connection
is to the RS232 port of the faceplate, the local password applies.
Events are logged in the Event Recorder. The FlexLogic operands and events are updated every five seconds.
c) CYBERSENTRY SECURITY
CyberSentry Embedded Security is a software option that provides advanced security services. When this option is pur-
chased, the basic password security is disabled automatically.
CyberSentry provides security through the following features:
• An Authentication, Authorization, Accounting (AAA) Remote Authentication Dial-In User Service (RADIUS) client that
is centrally managed, enables user attribution, provides accounting of all user activities, and uses secure standards-
based strong cryptography for authentication and credential protection.
• A Role-Based Access Control (RBAC) system that provides a permission model that allows access to UR device oper-
ations and configurations based on specific roles and individual user accounts configured on the AAA server (that is,
Administrator, Supervisor, Engineer, Operator, Observer).
• Security event reporting through the Syslog protocol for supporting Security Information Event Management (SIEM)
systems for centralized cybersecurity monitoring.
• Strong encryption of all access and configuration network messages between the EnerVista software and UR devices
using the Secure Shell (SSH) protocol, the Advanced Encryption Standard (AES), and 128-bit keys in Galois Counter
Mode (GCM) as specified in the U.S. National Security Agency Suite B extension for SSH and approved by the
National Institute of Standards and Technology (NIST) FIPS-140-2 standards for cryptographic systems.
Example: Administrative functions can be segmented away from common operator functions, or engineering type access,
all of which are defined by separate roles, as shown in the following figure, so that access of UR devices by multiple per-
sonnel within a substation is allowed. Permission for each role are outlined in the next section.
2-4
Figure 2–3: CYBERSENTRY USER ROLES
C70 Capacitor Bank Protection and Control System
2 PRODUCT DESCRIPTION
GE Multilin