Multi-Level Safety Concept - Siemens SIPROTEC 5 V7.80 Operation


11.2 Multi-Level Safety Concept

DIGSI 5 offers many useful functions for the configuration and testing of your SIPROTEC 5 devices. Constant password prompts are not sensible during this phase. During operation, however, the focus is on the reading of data. Reconfiguration and switching are safety-critical operations; they lead to failures in operation if they are carried out inadvertently or without authorization. After completion of commissioning, you can activate a multi-level security concept in the device.

Before DIGSI 5 can communicate with the SIPROTEC 5 device via its Ethernet services, the device carries out secure authentication. Only DIGSI 5 is authorized to communicate with the device. In addition, a connection password that meets the strict rules of NERC-CIP can be configured. The password is securely stored in the device. It must contain upper case and lower case letters, digits, and special characters, and must be between 8 and 24 characters long. It is queried before the connection is established; a connection to the SIPROTEC 5 device cannot be established until the correct password has been entered. You then have read access.

All write-access rights to the SIPROTEC 5 device, such as changing setting values or switching, are protected by further security prompts and confirmation IDs. If changes are made via the integrated operation, these confirmation IDs are queried on the on-site operation panel. A confirmation ID consists only of digits, which must be entered at the on-site operation panel or in DIGSI 5.
NOTE

The confirmation IDs are only needed if role-based access control (RBAC) is not activated in the SIPROTEC 5 device.
The 3-level security concept consists of secure authentication, the connection password, and the confirmation IDs. This concept provides the highest possible degree of access protection during operation. Even remote access to devices is protected. You can also dedicate an Ethernet module exclusively to communication with DIGSI 5. Access by a substation control network using the unsecured IEC 61850 protocol and remote access with DIGSI 5 are then carried out via completely separate networks. Even though the SIPROTEC 5 device communicates with DIGSI 5 via an Ethernet module, communication between DIGSI 5 and the device is encrypted using tap-proof technology.

Wrong password entries are identified and logged. An alarm can be triggered via remote link. Safety-critical operations are also logged and cannot be deleted in the device. If files on the PC have been manipulated by malware (for example, viruses), they cannot be loaded into the device.
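The checks this section describes (the connection-password rules, the numeric-only confirmation ID, and alarming on repeated wrong password entries) are shown below as an added Python example. It is not Siemens code and does not reflect how the device or DIGSI 5 implements them; the set of characters counted as "special", the ASCII-only restriction, the alarm threshold, and the sample event list are assumptions or constructed inputs, since the manual does not specify them.

```python
import string

# Connection-password rules as stated in the manual: 8 to 24 characters,
# with upper case letters, lower case letters, digits and special characters
# all required. Which characters the device counts as "special" is not given
# on the page; treating ASCII punctuation as special is an assumption here.
MIN_LEN = 8
MAX_LEN = 24
SPECIALS = frozenset(string.punctuation)


def check_connection_password(pw: str) -> list:
    """Return the list of rule violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no upper case letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lower case letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # Assumption: only printable, non-blank ASCII is accepted; anything else is
    # flagged rather than silently counted towards one of the classes above.
    if any(c not in string.printable or c.isspace() for c in pw):
        problems.append("contains whitespace or non-ASCII characters")
    return problems


def is_valid_confirmation_id(cid: str) -> bool:
    """The manual states a confirmation ID contains only numbers (no length given)."""
    return cid != "" and all(c in string.digits for c in cid)


def wrong_password_alarm(events, threshold: int = 3) -> list:
    """Return the sources that reached `threshold` failed connection attempts.

    Wrong password entries are logged by the device and can raise an alarm;
    this threshold rule is an added illustration, not the device's own logic.
    Each event is a (source_address, succeeded) pair.
    """
    failures = {}
    for source, succeeded in events:
        if succeeded:
            continue
        failures[source] = failures.get(source, 0) + 1
    return sorted(src for src, n in failures.items() if n >= threshold)


# Constructed sample events for the demonstration (not real device logs).
SAMPLE_EVENTS = [
    ("192.0.2.10", False),
    ("192.0.2.10", False),
    ("192.0.2.10", False),
    ("192.0.2.20", False),
    ("192.0.2.20", True),
]

if __name__ == "__main__":
    for candidate in ("Sub-Station#42", "NoDigits!Here", "Ab1!"):
        print(candidate, "->", check_connection_password(candidate) or "ok")
    print("confirmation ID 123456 valid:", is_valid_confirmation_id("123456"))
    print("alarm raised for:", wrong_password_alarm(SAMPLE_EVENTS))
```

The validator returns every violated rule rather than stopping at the first one, so an operator choosing a connection password sees all the reasons a candidate would be rejected. The alarm helper groups failures by source so that a single mistyped password does not trip it while repeated failures from one source do.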
SIPROTEC 5, Operation, Manual
C53000-G5040-C003-9, Edition 06.2018
Security Settings in the Device
11.2 Multi-Level Safety Concept
241
