Page 1 PDU Network Module eNMC2 User's Guide English 10/09/2023...
Page 3 Google™ is a trademark of Google Inc. All other trademarks are properties of their respective companies. ©Copyright 2019 Eaton Corporation. All rights reserved. No part of this document may be reproduced in any way without the express written approval of Eaton Corporation.
Page 4: Table Of Contents
1 Table of Contents TABLE OF CONTENTS ............................4 INSTALLING THE NETWORK MANAGEMENT MODULE ...................9 Unpacking the Network module.............................. 9 Mounting the Network Module ............................... 9 Accessing the Network Module ............................10 2.3.1 Accessing the web interface through Network....................... 10 2.3.2 Finding and setting the IP address ..........................
Page 5 3.7.6 Certificate ..................................98 Maintenance..................................107 3.8.1 Firmware ..................................107 3.8.2 Services ..................................110 3.8.3 Resources..................................116 3.8.4 System logs................................... 118 3.8.5 System information ............................... 119 Legal information................................. 120 3.9.1 Component..................................120 3.9.2 Availability of source code ............................. 120 3.9.3 Notice for proprietary elements.............................
Page 6 4.9.1 Automatic time synchronization ............................ 143 4.9.2 Manual time synchronization............................143 4.10 Changing the language of the web pages ........................... 143 4.11 Resetting username and password............................. 144 4.11.1 As an admin for other users ............................144 4.11.2 Resetting its own password............................144 4.12 Recovering main administrator password ...........................
Page 7 Access rights per profiles ..............................182 7.4.1 Home..................................... 182 7.4.2 Meters ................................... 182 7.4.3 Controls ..................................182 7.4.4 Protection ..................................182 7.4.5 Environment .................................. 183 7.4.6 Settings ..................................183 7.4.7 Maintenance.................................. 184 7.4.8 Legal information................................184 7.4.9 Alarms ................................... 184 7.4.10 User profile ..................................
Page 8 Card wrong timestamp leads to "Full acquisition has failed" error message on Software........... 225 8.2.1 Symptoms: ..................................225 8.2.2 Possible cause:................................225 8.2.3 Action: ................................... 225 Client server is not restarting .............................. 225 8.3.1 Symptom ..................................225 8.3.2 Possible Cause ................................225 8.3.3 Action ....................................
Page 9: Installing The Network Management Module
Unpacking the Network module 2 Installing the Network Management Module 2.1 Unpacking the Network module Unable to render include or excerpt-include. Could not retrieve page. will include the following accessories: • QuickStart • USB AM to Micro USB/M/5P 5ft Cable Packing materials must be disposed of in compliance with all local regulations concerning waste.
Page 10: Accessing The Network Module
Accessing the Network Module 2.3 Accessing the Network Module 2.3.1 Accessing the web interface through Network 2.3.1.1 Connecting the network cable Security settings in the Network Module may be in their default states. For maximum security, configure through a USB connection before connecting the network cable. Connect a standard ...
Page 11: Accessing The Web Interface Through Rndis
Accessing the Network Module 2.3.2.1.2 With web browser through the configuration port For example, if your device does not have an LCD, the IP address can be discovered by accessing the web interface through RNDIS and browsing to Settings>Network. To access the web interface through RNDIS, see the Accessing the web interface through RNDIS section.
Page 12 Accessing the Network Module b Manual configuration STEP 1 – In case Windows® OS fails to find driver automatically, go to the Windows control panel>Network and sharing center>Local area connection STEP 2 – Right click on the RNDIS local area connection and select Properties. STEP 3 – Select Internet Protocol Version 4 (TCP/IPv4)”...
Page 13 Accessing the Network Module STEP 4 – Then enter the configuration as below and validate (IP = 169.254.0.150 and mask = 255.255.0.0), click OK, then click on Close. Installing the Network Management Module – 13...
Page 14: Accessing The Card Through Serial Terminal Emulation
2.3.3.2.2 Accessing the web interface STEP 1 – Be sure that the Device is powered on. STEP 2 – On the host computer, download the rndis.7z file from the website www.eaton.com/downloads and extract it. For more information, navigate to Servicing the Network Management Module>>>Accessing to the latest Network Module firmware/ driver section.
Page 15 After the card is connected to the PC, manual configuration of the driver is needed for Windows® OS to discover the serial connection. STEP 1 – On the host computer, download the rndis.7z file from the website www.eaton.com/downloads and extract it. STEP 2 – Plug the USB cable and go to Windows® Device Manager.
Page 16: Modifying The Proxy Exception List
Accessing the Network Module STEP 6 – A warning window will come up because the driver is not signed. Select Install this driver software anyway STEP 7 – The installation is successful when the COM port number is displayed for the Gadget Serial device in the Windows® Device Manager.
Page 17 Accessing the Network Module • Select the Connections tab • Press LAN Settings • Press ADVANCED • Add the address 169.254. * Installing the Network Management Module – 17...
Page 18: Configuring The Network Module Settings
Configuring the Network Module settings • Press OK. • Close Internet Explorer and re-open it. • Now you can access the address 169.254.0.1 with Internet Explorer and any other browser. 2.4 Configuring the Network Module settings Use the web interface to configure the Network Module. The main web interface menus are described below: 2.4.1 Menu structure Home: Overview and status of the Device (Active alarms, Outlet status, ...).
Page 19 Configuring the Network Module settings Environment: Commissioning/Status, Alarm configuration, Information. Unable to render include or excerpt- include. Could not retrieve page. Settings: Network Module settings. Maintenance: Firmware, Services, Resources, System logs. Legal: Legal information, Availability of source code, Notice for proprietary elements. Profile: Displays user profile, password change, account information and logout. Help: Opens full documentation in a separate browser page.
Page 20: Contextual Help Of The Web Interface
Login page 3 Contextual help of the web interface 3.1 Login page The page language is set to English by default but can be switched to browser language when it is managed. After navigating to the assigned IP address, accept the untrusted certificate on the browser. 3.1.1 Logging in for the first time 3.1.1.1 1. Enter default password As you are logging into the Network Module for the first time you must enter the factory set default username and password.
Page 21: Home
Home Action • Ask your administrator for password initialization. • If you are the main administrator, your password can be reset manually by following steps described in the Servicing the Network Management Module>>>Recovering main administrator password Web user interface is not up to date after a FW upgrade Symptom After an upgrade: •...
Page 22: Menu Structure
Home Unable to render {include} The included page could not be found. 3.2.1 Menu structure Home: Overview and status of the Device (Active alarms, Outlet status, ...). Meters: Power quality meters and logs. Controls: Device and outlets control. Protection: Agents list, Agents shutdown sequencing, Shutdown on power outage. Contextual help of the web interface – ...
Page 23 Home Environment: Commissioning/Status, Alarm configuration, Information. Unable to render include or excerpt- include. Could not retrieve page. Settings: Network Module settings. Maintenance: Firmware, Services, Resources, System logs. Legal: Legal information, Availability of source code, Notice for proprietary elements. Profile: Displays user profile, password change, account information and logout. Help: Opens full documentation in a separate browser page.
Page 24: Energy Flow Diagram Examples
Home 3.2.2 Energy flow diagram examples 3.2.2.1 Line interactive UPS 3.2.2.1.1 Normal mode 3.2.2.1.2 Buck/Boost mode Contextual help of the web interface – 24...
Page 25 Home 3.2.2.1.3 Battery mode 3.2.2.1.4 Off mode Contextual help of the web interface – 25...
Page 26 Home 3.2.2.2 Online UPS with single input source 3.2.2.2.1 Online mode 3.2.2.2.2 Bypass mode Contextual help of the web interface – 26...
Page 27 Home 3.2.2.2.3 Battery mode 3.2.2.2.4 Off mode Contextual help of the web interface – 27...
Page 28 Home 3.2.2.2.5 HE mode / ESS mode 3.2.2.3 Online UPS with dual inputs sources and Maintenance bypass 3.2.2.3.1 Online mode Contextual help of the web interface – 28...
Page 29 Home 3.2.2.3.2 Bypass mode 3.2.2.3.3 Battery mode Contextual help of the web interface – 29...
Page 30 Home 3.2.2.3.4 HE mode / ESS mode 3.2.2.3.5 Maintenance bypass mode Contextual help of the web interface – 30...
Page 31: Access Rights Per Profiles
Meters 3.2.2.4 ATS 3.2.2.4.1 Normal mode 3.2.2.4.2 Prefered source missing 3.2.3 Access rights per profiles Administrator Operator Viewer Home 3.2.3.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.3 Meters Gauge color code: Contextual help of the web interface – ...
Page 32: Main Utility Input
Meters • Green: Value inside thresholds. • Orange/Red: Value outside thresholds. • Grey: No thresholds provided by the device. 3.3.1 Main utility input Displays the product main utility measures. • Current (A) • Voltage (V) 3.3.2 Second utility input (if available) If presents, displays the product second utility measures.
Page 33: Output
Meters 3.3.3 Output • Voltage (V) • Power (W) • Current (A) 3.3.4 Battery status Battery status section is an overview of the battery information. The information displayed depends on the device. 3.3.4.1 Overview/Environment • Type • Nominal capacity • Nominal voltage •...
Page 34: Battery Health
Meters • Runtime • State • Recommended replacement date • State of health • Voltage • Current • Temperature • Min cell voltage • Max cell voltage • Number of cycles • Min temperature • Max temperature • BMS state 3.3.5 Battery health Battery health section provides status of the battery and allow to launch a battery test.
Page 35: Logs
Meters 3.3.6 Logs This log configuration allows to define the log acquisition frequency of the Device measures only. The sensors measures logs acquisition is not settable and done every minutes. Sensors measures logs are accessible in Environment menu. 3.3.6.1 Download Press the ...
Page 36: Access Rights Per Profiles
Controls 3.3.8 Access rights per profiles Administrator Operator Viewer Meters Battery health: Launch test/Abort Logs configuration 3.3.8.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.4 Controls 3.4.1 Entire UPS Controls are displayed for the entire UPS, and not for specific outlet options. The table in this section displays UPS status, the associated commands (on/off), and the pending action.
Page 37: Outlets - Group 1/ Group 2
Controls • Safe reboot This will shut off and then switch ON the load. Protected applications will be safely powered down. This control is available only if the status is not OFF and if there are no active commands running. •...
Page 38: Scheduled Shutdown
Controls 3.4.2.3 Pending action Displays the delay before shutdown and delay before startup. 3.4.3 Scheduled shutdown Use Scheduled shutdowns to turn off either the UPS or individual load segments at a specific day and time. This feature is used for saving energy by turning off equipment outside of office hours or to enhance cybersecurity by powering down network equipment.
Page 39: Protection
Protection 3.4.3.3.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.4.3.4 Troubleshooting Action not allowed in Control/Schedule/Power outage policy Symptom Below message is displayed when you access the Control, Schedule or Power outage policy page. This action is not allowed by the UPS.
Page 40 After automatic acceptance, make sure that all listed agents belong to your infrastructure. If not, access may be revoked using the Delete button. For maximum security, Eaton recommend following one of the two methods on the certificate settings page: • Import client certificates manually.
Page 41 Protection • Power source (Policy) • Delay (in seconds) • OS shutdown duration (in seconds) • Status • In service | Protected • In service | Not protected • Stopping | Protected • Stopped | Protected • Communication • Connected | yyyy/mm/dd hh:mm:ss •...
Page 42 Protection Software is not able to communicate with the Network module Symptoms • In the Network Module, in Contextual help>>>Protection>>>Agent list>>>Agent list table , agent is showing "Lost" as a status. • In the Network Module, in Contextual help>>>Settings>>>Certificate>>>Trusted remote certificates , the status of the Protected applications (MQTT) is showing "Not valid yet".
Page 43 *.0 that (are) located folder Eaton\IntelligentPowerProtector\configs\tls. Client server is not restarting Symptom Utility power has been restored, the UPS and its load segments are powered on, but the Client server does not restart. Possible Cause The “Automatic Power ON” server setup setting might be disabled.
Page 44: Agent Shutdown Sequencing
Protection 3.5.2 Agent shutdown sequencing 3.5.2.1 Agent shutdown sequence timing All agents that are connected to the Network Module are displayed in tables by power sources. • Primary • Group 1 • Group 2 The 'local agent' setting is used for setting for example a minimum shutdown duration, or a power down delay for a load segment that has no registered shutdown agents.
Page 45 Protection • Name • Delay (in seconds) • OS shutdown duration (in seconds) 3.5.2.2 Actions 3.5.2.2.1 Set Delay Select and directly change the setting in the table and then Save. 3.5.2.2.2 Set OS shutdown duration Select and directly change the setting in the table and then Save. 3.5.2.3 Examples Examples below show the impact of agent settings on the shutdown sequence for a shutdown or an immediate shutdown.
Page 46 Protection 3.5.2.3.2 Example #2 → Shutdown time: 180s → Immediate shutdown time: 180s Contextual help of the web interface – 46...
Page 47: Shutdown On Power Outage
Protection The trigger in the diagram is the moment when the shutdown sequence starts, and it is defined in the Contextual help>>>Protection>>>Scheduled shutdown or the Contextual help>>>Protection>>>Shutdown on power outage sections for each power source. 3.5.2.4 Access rights per profiles Administrator Operator Viewer Protection/Agent settings 3.5.2.4.1 For other access rights For other access rights, see the Information>>>Access rights per profiles ...
Page 48 Protection 3.5.3.1 Shutdown on power outage criteria Shutdown criteria are set per power source (outlet groups) if they are present in the UPS. By default, shutdown criterias are set to Maximize availability. 3.5.3.1.1 Shutdown criteria selection The available criteria for shutdown are listed below: a Maximize availability (default) To end the shutdown sequence 30s before the end of backup time.
Page 49 Protection When primary shuts OFF, both group1 and group 2 shut OFF immediately. So if Primary is set to Immediate OFF, groups policies should be restricted to Immediate OFF. d Settings examples All the following examples are using below agent's settings. →...
Page 50 Protection Example 2: Immediate OFF Example 4: Custom Contextual help of the web interface – 50...
Page 51 Protection Settings #1 Settings #2 Contextual help of the web interface – 51...
Page 52 Protection 3.5.3.1.2 On low battery warning In some cases, like a renewed power failure or failed battery, the capacity is much lower than anticipated. The UPS gives a Low battery warning when there is 2 - 3 minutes of estimated runtime left, depending on the UPS and its settings. This time is typically enough for shutting down a server but does not allow sophisticated sequential shutdown schemes.
Page 53 Protection Protection/Sequence 3.5.3.2.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.5.3.3 Troubleshooting Action not allowed in Control/Schedule/Power outage policy Symptom Below message is displayed when you access the Control, Schedule or Power outage policy page. This action is not allowed by the UPS.
Page 54: Environment
Environment 3.5.3.3.1 For other issues For details on other issues, see the Troubleshooting section. 3.6 Environment 3.6.1 Commissioning/Status 3.6.1.1 Sensors commissioning/Status table The table displays the sensors commissioning information and includes the following details. • Name • Location – location-position-elevation • Temperature •...
Page 55 Environment 3.6.1.2.4 Define offsets 1. Select the sensors. 2. Press the Define offset button to adjust the temperature and humidity offsets of the selected sensors. 3. Extend the temperature or humidity section. 4. Set the offsets in the cell, temperatures and humidity will be updated accordingly. 5.
Page 56 Environment 3.6.1.2.5 Edit Press the pen logo to edit sensor communication information: You will get access to the following information and settings: • Product reference • Part number • Serial number • Name • Location • Temperature and humidity – Active (Yes, No) •...
Page 57 Environment Press Save after modifications. Deactivated dry contacts are not displayed and replaced by this icon: 3.6.1.3 Note: If the UPS provides temperature compensated battery charging option, see the Servicing the EMP>>>Using the section. EMP for temperature compensated battery charging 3.6.1.4 Access rights per profiles Administrator Operator Viewer...
Page 58: Alarm Configuration
Environment Action #1-3 1- Reboot the Network module. 2- Launch the discovery. Symptom #2 The EMPs orange RJ45 LEDs are not blinking. Possible causes C#1: the EMP address switches are all set to 0. C#2: the EMPs are daisy chained, the Modbus address is the same on the missing EMPs. Action #2-1 1- Change the address of the EMPs to have different address and avoid all switches to 0.
Page 59 Environment 3.6.2.1 Temperature The table shows the following information and settings for each sensor: • Name • Location • Enabled – yes/no • Low critical threshold – xx°C or xx°F • Low warning threshold – xx°C or xx°F • High warning threshold – xx°C or xx°F •...
Page 60 Environment The table shows the following information and settings for each sensor: • Name • Location • Enabled – yes/no • Low critical threshold – xx% • Low warning threshold – xx% • High warning threshold – xx% • High critical threshold – xx% • Hysteresis – x% •...
Page 61 Environment 3.6.2.3.1 Actions a Set Enabled Enable the alarm first and then change the setting in the table and then Save. When disabled, no alarm will be sent. b Set alarm severity Enable the alarm first and then change the setting in the table and then Save. When the dry contacts is not in a normal position, an alarm will be sent at the selected level. The dry contact is open and this is not normal because it is configured as normally close.
Page 62: Information
Environment 3.6.2.5.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.6.3 Information Sensor information is an overview of all the sensors information connected to the Network Module. • Physical name • Vendor • Part number •...
Page 63: Settings
Settings 3.7 Settings 3.7.1 General 3.7.1.1 System details 3.7.1.1.1 Location Text field that is used to provide the card location information. Card system information is updated to show the defined location. 3.7.1.1.2 Contact Text field that is used to provide the contact name information. Card system information is updated to show the contact name.
Page 64 Settings 2. Select the time zone for your geographic area from the time zone pull-down menu or with the map. 3. Save the changes. DST is managed based on the time zone. 3.7.1.2 Email notification settings For examples on email sending configuration see the Servicing the Network Management Module>>>Subscribing to a set of alarms for email notification section.
Page 65 Settings c Edit Press the pen icon to edit email sending configuration: You will get access to the following settings: • Custom name • Email address • Status – Active/Inactive • Hide the IP address from the email body – Disabled/Enabled This setting will be forced to Enabled if Enabled in the SMTP settings. •...
Page 66 Settings 3.7.1.3 SMTP settings SMTP is an internet standard for electronic email transmission. The following SMTP settings are configurable: Contextual help of the web interface – 66...
Page 67 Settings • Server IP/Hostname – Enter the host name or IP address of the SMTP server used to transfer email messages in the SMTP Server field. • Port • Default sender address • Hide the IP address from the email body – Disabled/Enabled If Enabled, it will force this setting to Enabled in the Email notification settings.
Page 68 Settings SMTP settings Server IP/Hostname — blank Server IP/Hostname — 128 characters maximum SMTP server authentication — disabled SMTP server authentication — disable/enable (Username/Password — 128 characters maximum) Port — 25 Port — x-xxx Default sender address — device @networkcard.com Sender address —...
Page 69 Settings time Description Command used to display or change time and date. Help For Viewer and Operator profiles: time -h Usage: time [OPTION]... Display time and date. -h, --help display help page -p, --print display date and time in YYYYMMDDhhmmss format For Administrator profile: time -h Usage: time [OPTION]...
Page 70: Local Users
Settings 3.7.1.6.1 For other CLI commands See the CLI commands in the Information>>>CLI section. 3.7.2 Local users 3.7.2.1 Local users table The table shows all the supported local user accounts and includes the following details: • Username • Email • Profile •...
Page 71 Settings • Enter manually • Force password to be changed on next login d Global settings Press Save after modifications. Password settings To set the password strength rules, apply the following restrictions: • Minimum length • Minimum upper case • Minimum lower case •...
Page 72 Settings To set the password expiration rules, apply the following restrictions: • Number of days until password expires • Main administrator password never expire Main administrator password never expires If this feature is disabled, the administrator account can be locked after the password expiration. If Enabled, the administrator password never expires, make sure it is changed regularly.
Page 73 Settings Local users 1 user only: 10 users maximum: • Active — Yes • Active — Yes/No • Profile — Administrator • Profile — Administrator/Operator/Viewer • Username — admin • Username — 255 characters maximum • Full Name — blank • Full Name — 128 characters maximum • Email — blank • Email — 128 characters maximum • Phone — blank • Phone — 64 characters maximum •...
Page 74: Remote Users
Settings Help logout <cr> logout the user 3.7.2.4.1 For other CLI commands See the CLI commands in the Information>>>CLI section. 3.7.2.5 Troubleshooting How do I log in if I forgot my password? Action • Ask your administrator for password initialization. • If you are the main administrator, your password can be reset manually by following steps described in the ...
Page 75 Settings • Certificate • Status – Status could take following values – Unreachable/Active 3.7.3.1.1 Actions a Configure 1.Enable LDAP to be able to configure settings 2. Press Configure to access the following LDAP settings: Contextual help of the web interface – 75...
Page 76 Settings • Connectivity • Security SSL – None/Start TLS/SSL Verify server certificate • Primary server – Name/Hostname/Port • Secondary server – Name/Hostname/Port • Credentials – Anonymous search bind/Search user DN/Password • User base DN • User name attribute • Group base DN • Group name attribute 2.
Page 77 Settings 1. Press Users preferences to define preferences that will apply to all newly logged in LDAP users • Language • Temperature • Date format • Time format 2. Click Save. 3.7.3.2 RADIUS Radius is not a secured protocol, for a maximum security, it is recomended to use LDAP over TLS. The table shows all the supported severs and includes the following details: •...
Page 78 Settings 3.7.3.2.1 Actions a Configure Enable Radius to be able to configure settings Press Configure to access the following RADIUS settings: • Primary server • Name - descriptive name for the RADIUS server • Secret - a shared secret between the client and the RADIUS server •...
Page 79 • Profile - the local profile you want users to be mapped Note: The default mapping is used for eaton-specific value : Attribute 28, Vendor 534, Value 1 and Profile administrator. See your RADIUS protocol provider documentation for further information.
Page 80 Settings 1. Press Users preferences to define preferences that will apply to all RADIUS users • Language • Temperature • Date format • Time format 2. Click Save. 3.7.3.3 Default settings and possible parameters - Remote users Default setting Possible parameters LDAP Configure Configure •...
Page 81 Settings RADIUS Configure Configure • Active – No • Active – Yes/No • Retry number – 0 • Retry number – 0 to 128 • Primary server • Primary server Name – blank Name – 128 characters maximum Secret – blank Address –...
Page 82 Settings Help Usage: ldap-test <command> [OPTION]... Test LDAP configuration. Commands: ldap-test -h, --help, Display help page ldap-test --checkusername <username> [--primary|--secondary] [-v] Check if the user can be retrieve from the LDAP server <username> Remote username to test --primary Force the test to use primary server (optional) --secondary Force the test to use secondary server (optional) -v,--verbose...
Page 83 Settings Help logout <cr> logout the user whoami Description whoami displays current user information: • Username • Profile • Realm 3.7.3.5.1 For other CLI commands See the CLI commands in the Information>>>CLI section. 3.7.3.6 Troubleshooting How do I log in if I forgot my password? Action •...
Page 84: Network & Protocol
Settings 3.7.4 Network & Protocol 3.7.4.1 Network 3.7.4.1.1 IPv4 Any modifications are applied after the Network Module reboots. Press the Edit button to configure the network settings, select either the Manual or DHCP settings option: Contextual help of the web interface – 84...
Page 85 Settings a Manual Select Manual, and then enter the network settings if the network is not configured with a BootP or DHCP server. • Enter the IP Address. The Network Module must have a unique IP address for use on a TCP/IP network. •...
Page 86 Settings a Current configuration • Address • Gateway b Address settings • Enabled • Mode (Manual/DHCP) • Address • Prefix • Gateway Contextual help of the web interface – 86...
Page 87 Settings 3.7.4.1.3 DNS/DHCP The DNS is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. Press the Edit button to configure the network settings, select either the Static or Dynamic settings. a Manual •...
Page 88 Settings • Secondary DNS server. Enter the IP address of the secondary DNS server that provides the translation of the domain name to the IP address when the primary DNS server is not available. b DHCP • Enter the Network Module Hostname. 3.7.4.1.4 Ethernet A LAN is a computer network that interconnects computers within a limited area. ...
Page 89 Settings 3.7.4.2.1 HTTPS Only https is available. The default network port for https is 443. For additional security, the ports can be changed on this page. Press Save after modifications. Since only https is available, port 80 is not supported. 3.7.4.2.2 Syslog a Settings This screen allows an administrator to configure up to two syslog servers.
Page 90 Settings Press Save after modifications. 2- Configure the syslog server: • Click the edit icon to access settings. • Enter or change the server name. • Select Yes in the Active drop-down list to activate the server. • Enter the Hostname and Port. • Select the Protocol – UDP/TCP. •...
Page 91: Snmp
Settings Syslog Inactive Inactive/Active • Server#1 • Server#1 Name – Primary Name – 128 characters maximum Status – Disabled Status – Disabled/Enabled Hostname – empty Hostname – 128 characters maximum Port – 514 Port – x-xxx Protocol – UDP Protocol – UDP/TCP Message transfer method –...
Page 92 Settings SNMP monitoring Battery status, power status, events, and traps are monitored using third-party SNMP managers. To query SNMP data, you do not need to add SNMP Managers to the Notified Application page. To set-up SNMP managers: • Configure the IP address. •...
Page 93 Settings b Configure the SNMP V1 settings: 1. Click the edit icon on either Read Only or Read/Write account to access settings: 2. Enter the SNMP Community Read-Only string. The Network Module and the clients must share the same community name to communicate.
Page 94 Settings c Configure the SNMP V3 settings: 1. Click the edit icon on either Read Only or Read/Write account to access settings: 2. Edit the user name. 3. Select Active in the Enabled drop-down list to activate the account. 4. Select access level. •...
Page 95 Settings 6. If Auth is selected on the communication security mechanism, select the Authentication algorithms. It is recommended to set SHA256/SHA384/SHA512 with the AES192/AES256 Privacy algorithms. • SHA— SHA1 is not recommended as it is not secured. • SHA256—fill in password and privacy keys. The password can be between 8 and 24 characters and use a combination of alphanumeric and the following special characters <>&@#%_=:;,./?|$*.
Page 96 Settings 3.7.5.2.1 Actions a Add 1. Press the New button to create new trap receivers. 2. Set following settings: • Enabled – Yes/No • Application name • Hostname or IP address • Port • Protocol – V1/V3 • Trap community (V1) / User (V3) 3.
Page 97 Settings 3.7.5.3 Link to SNMP traps • UPS Mib • ATS Mib • Sensor Mib 3.7.5.4 Default settings and possible parameters - SNMP Default setting Possible parameters SNMP Activate SNMP — disabled Activate SNMP — disable/enable Port — 161 Port — x-xxx SNMP V1 —...
Page 98: Certificate
Settings 3.7.5.5 Access rights per profiles Administrator Operator Viewer SNMP 3.7.5.5.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.7.5.6 Troubleshooting SNMPv3 password management issue with Save and Restore Affected FW versions This issue affects SNMP configuration done on versions prior to 1.7.0 when applied to versions 1.7.0 or above. Symptom SNMPv3 connectivity is not properly working after a restore settings on a 1.7.0 version or above.
Page 99 Settings During the selected timeframe, new connections to the Network Module are automatically trusted and accepted. After automatic acceptance, make sure that all listed clients belong to your infrastructure. If not, access may be revoked using the Delete button. The use of this automatic acceptance should be restricted to a secured and trusted network. For maximum security, we recommend following one of the two methods on the certificate settings page: •...
Page 100 Settings 3.7.6.2.1 Local certificates table The table shows the following information for each local certificate. • Used for • Issued by • Valid from • Expiration • Status — valid, expires soon, or expired 3.7.6.2.2 Actions a Revoke This action will take the selected certificate out of use. Select the certificate to revoke, and then press the Revoke button.
Page 101 Settings • Common name (CN) • Country (C) • State or Province (ST) • City or Locality (L) • Organization name (O) • Organization unit (OU) • Contact email address Press Save button. Issuer configuration will be applied only after the revoke of the certificate. d Edit Press the pen logo: ...
Page 102 Settings This operation cannot be recovered. f Create new certificates: g CSR Press Generate Signing Request button in the in the certificate edition. The CSR is automatically downloaded. CSR must be signed with the CA, which is managed outside the card. h Import certificate When the CSR is signed by the CA, it can be imported into the Network Module.
Page 103 Settings b Revoke Select the certificate to revoke, and then press the Revoke button. A confirmation window appears, press Continue to proceed, this operation cannot be recovered. Export Exports the selected certificate on your OS browser window. c Edit Press the pen logo to access to the certificate summary: 3.7.6.4 Trusted remote certificates The table shows the following information for each trusted remote certificate.
Page 104 State or Province — 38 State or Province — 64 characters maximum City or Locality — Grenoble City or Locality — 64 characters maximum Organization name — Eaton Organization name — 64 characters maximum Organization unit — Power quality Organization unit — 64 characters maximum Contact email address —...
Page 105 Settings existing. <service_name>: mqtt/syslog/webserver Examples of usage From a linux host: print over SSH: sshpass -p $PASSWORD ssh $USER@$CARD_ADDRESS certificates local print $SERVICE_NAME revoke over SSH: sshpass -p $PASSWORD ssh $USER@$CARD_ADDRESS certificates local revoke $SERVICE_NAME export over SSH: sshpass -p $PASSWORD ssh $USER@$CARD_ADDRESS certificates local export $SERVICE_NAME import over SSH: cat $FILE sshpass...
Page 106 During the selected timeframe, new agent connections to the Network Module are automatically trusted and accepted. STEP 4: Action on the agent ( IPP/IPM ) while the time to accepts new agents is running on the Network Module Remove the Network module certificate file(s) *.0 that (are) located folder Eaton\IntelligentPowerProtector\configs\tls. Contextual help of the web interface – 106...
Page 107: Maintenance
Maintenance Card wrong timestamp leads to "Full acquisition has failed" error message on Software Symptoms: IPP/IPM shows the error message "The full data acquisition has failed" even if the credentials are correct. Possible cause: The Network module timestamp is not correct. Probably the MQTT certificate is not valid at Network module date.
Page 108 Displays the associated firmware version and associated Sha. c Generated on Displays the release date of the firmware. For better performance, security, and optimized features, Eaton recommends to upgrade the Network Module regularly. d Installation on Displays when the firmware was installed in the Network Module.
Page 109 Maintenance 3.8.1.3 Access rights per profiles Administrator Operator Viewer Firmware 3.8.1.3.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.8.1.4 CLI commands get release info Description Displays certain basic information related to the firmware release. Help get_release_info Get current release date...
Page 110: Services
Maintenance Refer to Installing the Network Management Module>>>Accessing the Network Module>>>Finding and setting the IP address section. Web user interface is not up to date after a FW upgrade Symptom After an upgrade: • The Web interface is not up to date •...
Page 111 Maintenance Depending on your network configuration, the Network Module may restart with a different IP address. Only main administrator user will remain with default login and password. Refresh the browser after the Network module reboot time to get access to the login page. 3.8.2.1.2 Reboot Reboot means restarting the network module operating system.
Page 112 Maintenance Depending on your network configuration, the Network Module may restart with a different IP address. Refresh the browser after the Network module reboot time to get access to the login page. Communication Lost and Communication recovered may appear in the Alarm section. 3.8.2.1.3 Settings Allow to save and restore the Network module settings.
Page 113 Maintenance 3.8.2.1.5 Restore Restoring settings may result in the Network module reboot. To restore the Network module settings: 1. Click on Restore 2. Select to include the Network settings if needed. 3. Enter the passphrase used when the file was saved. 4.
Page 114 Maintenance 3.8.2.2 Access rights per profiles Administrator Operator Viewer Services 3.8.2.2.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.8.2.3 CLI commands maintenance Description Creates a maintenance report file which may be handed to the technical support. Help maintenance <cr>...
Page 115 Maintenance Description Save_configuration and restore_configuration are using JSON format to save and restore certain part of the configuration of the card. Help save_configuration -h save_configuration: print the card configuration in JSON format to standard output. restore_configuration -h restore_configuration: restore the card configuration from a JSON-formatted standard input.
Page 116: Resources
Maintenance Help sanitize -h, --help Display help page --withoutconfirmation Do factory reset of the card without confirmation <cr> Do factory reset of the card 3.8.2.3.1 For other CLI commands See the CLI commands in the Information>>>CLI section. 3.8.3 Resources Card resources is an overview of the Network Module processor, memory and storage information. The COPY TO CLIPBOARD button will copy the information to your clipboard so that it can be past.
Page 117 Maintenance 3.8.3.2 Memory • Total size in MB • Available size in MB • Application size in MB • Temporary files size in MB 3.8.3.3 Storage • Total size in MB • Available size in MB • Used size in MB 3.8.3.4 Access rights per profiles Administrator Operator...
Page 118: System Logs
Maintenance 3.8.3.4.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.8.3.5 CLI commands systeminfo_statistics Description Displays the following system information usage: usage : % upSince : date since the system started total: MB free: MB used: MB tmpfs: temporary files usage (MB) Flash...
Page 119: System Information
Maintenance For the list of system logs, see the Information>>>System Logs codes section. 3.8.4.2 Access rights per profiles Administrator Operator Viewer System logs 3.8.4.2.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.8.5 System information System information is an overview of the main Network Module information.
Page 120: Legal Information
Legal information • Installation date • Activation date • Bootloader version 3.8.5.3 Access rights per profiles Administrator Operator Viewer System information 3.8.5.3.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.9 Legal information This Network Module includes software components that are either licensed under various open source license, or under a proprietary license.
Page 121: Access Rights Per Profiles
Alarms 3.9.4 Access rights per profiles Administrator Operator Viewer Legal information 3.9.4.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.10 Alarms 3.10.1 Alarm sorting Alarms can be sorted by selecting: • • Active only Contextual help of the web interface – ...
Page 122: Active Alarm Counter
Alarms 3.10.2 Active alarm counter Alarms with a severity set as Good are not taken into account into the counter of active alarms. 3.10.3 Alarm details All alarms are displayed and sorted by date, with alert level, time, description, and status. Info/Warning/Critical logo Alarm description text Active In color...
Page 123: Access Rights Per Profiles
User profile • EMP alarm log codes • Network module alarm log codes 3.10.8 Access rights per profiles Administrator Operator Viewer Alarm list Export Clear 3.10.8.1 For other access rights For other access rights, see the Information>>>Access rights per profiles section. 3.11 User profile 3.11.1 Access to the user profile Press the icon on the top right side of the page to access the user profile window: ...
Page 124 User profile 3.11.2.1 Change password Click on Change password to change the password. In some cases, it is not possible to change the password if it has already been changed within a day period. Refer to the troubleshooting section. Contextual help of the web interface – 124...
Page 125: Default Settings And Possible Parameters - User Profile
User profile 3.11.2.2 Edit account If you have the administrator's rights, you can click on Edit account to edit user profile and update the following information: Account details • Full name • Email • Phone • Organization Preferences • Language • Date format •...
Page 126: Access Rights Per Profiles
User profile Profile Account details: Account details: • Full name — Administrator • Full name — 128 characters maximum • Email — blank • Email — 128 characters maximum • Phone — blank • Phone — 64 characters maximum •...
Page 127: Troubleshooting
User profile whoami Description whoami displays current user information: • Username • Profile • Realm 3.11.5.1 For other CLI commands See the CLI commands in the Information>>>CLI section. 3.11.6 Troubleshooting Password change in My profile is not working Symptoms The password change shows " Invalid credentials " when I try to change my password in My profile menu: Possible cause The password has already been changed once within a day period.
Page 128: Documentation
Documentation 3.12 Documentation 3.12.1 Access to the embedded documentation Press the ? icon on the top right side of the page to access the documentation in a new window: The focus will be made on the contextual page. You can then navigate into below sections: Contextual help Help for each webpage.
Page 129: Servicing The Network Management Module
Configuring/Commissioning/Testing LDAP 4 Servicing the Network Management Module 4.1 Configuring/Commissioning/Testing LDAP 4.1.1 Commissioning Refer to the section Contextual help>>>Settings>>>Local users to get help on the configuration. 4.1.1.1 Configuring connection to LDAP database This step configures the LDAP client of the network module to request data from an LDAP base. Activate LDAP.
Page 130: Testing Ldap Authentication
Pairing agent to the Network Module 4.1.1.3 Map remote users to profile This step is mandatory and configures the Network module to give permissions to the LDAP users. Users not belonging to a group mapped on a profile will be rejected. Configure the rules to mapped LDAP users to profile: Enter LDAP group name.
Page 131: Pairing With Credentials On The Agent
Note: After that stage, the agent creates a client certificate. The power source could show a communication loss since the current client certificate is not trusted by the Network Module. 4. Copy the agent certificate file client.pem that is located in the folder Eaton\IntelligentPowerProtector\configs\tls.. Servicing the Network Management Module – 131...
Page 132: Powering Down/Up Applications (Examples)
Powering down/up applications (examples) STEP 2: Action on the Network Module 1. Connect to the Network Module • On a network computer, launch a supported web browser. The browser window appears. • In the Address/Location field, enter: https://xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the static IP address of the Network Module.
Page 133 Powering down/up applications (examples) Connections to UPS are done as described below: • Group 1: Applications • Group 2: Database servers • Primary: Storage 4.3.1.3 Step 2: Agent settings 4.3.1.3.1 Objective Ensure IT solution is shutdown gracefully. 4.3.1.3.2 Resulting setup 1.
Page 134 Powering down/up applications (examples) Storage is the last one to power down, its availability is maximized, and its shutdown will end 30s before the end of backup time. 3. Set Group 1 and Group 2 to: Custom. Applications must shutdown first so Group 1 has been set to start shutdown when on battery for 30s. Servers must shutdown second, so Group 2 has been set to start shutdown when on battery for 210s, so 3min after the applications.
Page 135: Powering Down Non-Priority Equipment First
Powering down/up applications (examples) 4.3.2 Powering down non-priority equipment first 4.3.2.1 Target Powering down non-priority equipment first (immediately) and keep battery power for critical equipment. Powering down critical equipment 3min before the end of backup time. 4.3.2.2 Step 1: Installation setup 4.3.2.2.1 Objective Use load segmentation provided by the UPS to independently control the power supply of each IT equipment categories (Applications, Database servers, Storage).
Page 136 Powering down/up applications (examples) 4.3.2.2.2 Resulting setup UPS provides outlets (Group 1 and Group 2) and a primary output. When primary shuts OFF, both group 1 and group 2 shut OFF immediately. Connections can be done as described below: • Group 2: non-priority equipment •...
Page 137 Powering down/up applications (examples) Critical equipment is the last one to power down, their availability will be maximized and their shutdown will end 180s before the end of backup time. 3. Set Group 2 to: Immediate off. Servicing the Network Management Module – 137...
Page 138: Restart Sequentially The It Equipment On Utility Recovery
Powering down/up applications (examples) Non-priority equipment immediately shuts down when on battery for 10s to keep battery power for critical equipment. 4.3.3 Restart sequentially the IT equipment on utility recovery 4.3.3.1 Target Restart the storage first (right after utility recovery), database servers next (2min after utility recovery) and applications last (3min after utility recovery).
Page 139: Checking The Current Firmware Version Of The Network Module
Firmware version x.xx.x • The Card menu : Contextual help>>>Maintenance>>>Firmware: Active FW version x.xx.x 4.5 Accessing to the latest Network Module firmware/driver/script Download the latest Eaton Network Module firmware, driver or script from the Eaton website www.eaton.com/downloads Servicing the Network Management Module – 139...
Page 140: Upgrading The Card Firmware (Web Interface / Shell Script)
Upgrading the card firmware (Web interface / shell script) 4.6 Upgrading the card firmware (Web interface / shell script) For instructions on accessing to the latest firmware and script, refer to: Accessing to the latest firmware and script 4.6.1 Web interface To upgrade the Network module through the Web interface, refer to the section: Firmware upgrade through the Web interface.
Page 141: Changing The Rtc Battery Cell
Changing the RTC battery cell STARTING UPDATE FROM: [FW_Update.tar] to [X.X.X.X] Transfer by scp (FW_Update.tar) to [X.X.X.X] Warning: Permanently added 'X.X.X.X' (ECDSA) to the list of known hosts. Transfer done. Check running upgrade status ... Check firmware binary signature Uncompress and flash upgrade inProgress(%):11 Uncompress and flash upgrade inProgress(%):28...
Page 142 Changing the RTC battery cell 6. Replace the Network Module and secure the screw, reconnect the Network cable if it was unplugged during the operation. 7. Connect the Network Module and set the date and time. For more information, see the Date & Time section. Servicing the Network Management Module – ...
Page 143: Updating The Time Of The Network Module Precisely And Permanently (Ntp Server)
Updating the time of the Network Module precisely and permanently (ntp server) 4.8 Updating the time of the Network Module precisely and permanently (ntp server) For an accurate and quick update of the RTC for the Network Module, we recommend implementing a NTP server as time source for the Network Module.
Page 144: Resetting Username And Password
Resetting username and password 4.11 Resetting username and password 4.11.1 As an admin for other users 1. Navigate to Contextual help>>>Settings>>>Local users. 2. Press the pen icon to edit user information: 3. Change username and save the changes. 4. Select Reset password and choose from the following options : •...
Page 145: Switching To Static Ip (Manual) / Changing Ip Address Of The Network Module
Switching to static IP (Manual) / Changing IP address of the Network Module Peel off the protection : Change the position of switch number 3, this change is detected during next power ON and the sanitization will be applied : Case 1 : Case 2 : Changes of the switches 1, 2 or 4 has no effect.
Page 146: Subscribing To A Set Of Alarms For Email Notification
Subscribing to a set of alarms for email notification 4.15 Subscribing to a set of alarms for email notification 4.15.1 Example #1: subscribing only to one alarm (load unprotected) Follow the steps below: 1. Navigate to Contextual help>>>Settings>>>General>>>Email notification settings. 2.
Page 147: Example #2: Subscribing To All Critical Alarms And Some Specific Warnings
Subscribing to a set of alarms for email notification 4.15.2 Example #2: subscribing to all Critical alarms and some specific Warnings Follow the steps below: 1. Navigate to Contextual help>>>Settings>>>General>>>Email notification settings. 2. Press the button New to create a new configuration. 3.
Page 148: Saving/Restoring/Duplicating Network Module Configuration Settings
Saving/Restoring/Duplicating Network module configuration settings 4. Press Save, the table will show the new configuration. 4.16 Saving/Restoring/Duplicating Network module configuration settings 4.16.1 Modifying the JSON configuration settings file 4.16.1.1 JSON file structure The JSON file is structured into 3 blocks: Servicing the Network Management Module – 148...
Page 149 Saving/Restoring/Duplicating Network module configuration settings 4.16.1.1.1 File block File block cannot be modified, this is the mandatory structure of the JSON file. 4.16.1.1.2 Feature block Feature block contains the full definition of a feature. If it is removed from the JSON file, this feature settings will not be updated/restored in the card. 4.16.1.1.3 Data block Data block contains all the feature settings values.
Page 150 Saving/Restoring/Duplicating Network module configuration settings When restoring the file, the corresponding setting will be updated based on the cyphered value. without 4.16.1.2.2 The JSON file is saved passphrase All sensitive data will have below structure: When restoring the file, the corresponding setting will not be set. This may lead to restoration failure if corresponding setting was not previously set with a valid value.
Page 151 Saving/Restoring/Duplicating Network module configuration settings Original file: Modified file: 4.16.1.3.4 Making a partial update/restoration a Example: Updating/Restoring only LDAP settings If you restore below JSON content, only LDAP settings will be updated/restored, everything else will remain unchanged. "version": "x.x", "features": { Servicing the Network Management Module – ...
Page 152 Saving/Restoring/Duplicating Network module configuration settings "ldap": { "data": { "version": "x.x", "certificateData": [], "dmeData": { "enabled": true, "baseAccess": { "security": {"ssl": 1,"verifyTlsCert": false}, "primary": {"name": "Primary","hostname": "xxxxxxxxx","port": xxxx}, "secondary": {"name": "xxxxxx","hostname": "xxxxxx","port": xxxx}, "credentials": { "anonymousSearchBind": false, "searchUserDN": "CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xxxx", "password": {"plaintext": null}}, "searchBase": {"searchBaseDN": "DC=xxx,DC=xxx,DC=xxx"} "requestParameters": { "userBaseDN": "OU=xxxx,DC=xxxx",...
Page 153 Saving/Restoring/Duplicating Network module configuration settings preferences>>>dateFormat Y-m-d: YYYY-MM-DD d-m-Y: DD-MM-YYYY d.m.Y: DD.MM.YYYY d/m/Y: DD/MM/YYYY m/d/Y: MM/DD/YYYY d m Y: DD MM YYYY preferences>>>timeFormat 1: 24h 0: 12h preferences>>>temperatureUnit 1: °C 2: °F Data Values example Card Data Values example Date timeZone "Europe/Paris","Africa/Johannesburg","America/ New_York","Asia/Shanghai"...
Page 154 Saving/Restoring/Duplicating Network module configuration settings Power outage policy 1: Primary 2: Group 1 3: Group 2 Data Values example Remote user preferences>>>language de: Deutsch en: English es: Español fr: Français it: Italiano ja: 日本語 ru: русский zh_Hans: 简体中文 zh_Hant:繁體中文 preferences>>>dateFormat Y-m-d: YYYY-MM-DD d-m-Y: DD-MM-YYYY d.m.Y: DD.MM.YYYY...
Page 155: Saving/Restoring/Duplicating Settings Through The Cli
Saving/Restoring/Duplicating Network module configuration settings Data Values example SNMP traps>>>receivers>>>protocol 1: SNMP v1 3: SNMP v2 traps>>>receivers>>>user User configuration cannot be duplicated without manual configuration through the Web interface. Data Values example Syslog servers>>>protocol 1: UDP 2: TCP servers>>>tcpframing 1: TRADITIONAL 2: OCTET_COUNTING Data Values example...
Page 156: Securing The Network Management Module
5.1 Cybersecurity considerations for electrical distribution systems 5.1.1 Purpose The purpose of this section is to provide high-level guidance to help customers across industries and applications apply Eaton solutions for power management of electrical systems in accordance with current cybersecurity standards.
Page 157: Defense In Depth
Cybersecurity considerations for electrical distribution systems 5.1.4.1 Paths to the control network The paths in above figure include: • External users accessing the network through the Internet • Misconfigured firewalls • Unsecure wireless routers and wired modems • Infected laptops located elsewhere that can access the network behind the firewall •...
Page 158: Designing For The Threat Vectors
Cybersecurity considerations for electrical distribution systems 5.1.6 Designing for the threat vectors 5.1.6.1 Firewalls Firewalls provide the capability to add stringent and multifaceted rules for communication between various network segments and zones in an ICS network. They can be configured to block data from certain segments, while allowing the relevant and necessary data through.
Page 159 Cybersecurity considerations for electrical distribution systems 5.1.6.2.1 Three-tier architecture for a secure control network Above figure shows that the control networks are divided into layers or zones based on control functions, which are then connected by conduits (connections between the zones) that provide security controls to: •...
Page 160: Policies, Procedures, Standards, And Guidelines
Cybersecurity considerations for electrical distribution systems 5.1.6.3 Intrusion detection and prevention systems (IDPS) These are systems that are primarily focused on identifying possible incidents in an ICS network, logging the information about them, attempting to stop them, and reporting them to ICS security administrators. Because these systems are critical in an ICS network, they are regular targets for attacks and securing them is extremely important.
Page 161 Cybersecurity considerations for electrical distribution systems Existing (traditional) IT standards and policies may not apply (or have not been considered) for control systems. A gap analysis should be performed to determine which components are not covered (or not adequately covered) by existing policies. Relationships with existing policies and standards should be explicitly identified and new or supporting policies should be developed.
Page 162: Conclusion
Cybersecurity considerations for electrical distribution systems general IT components, while the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) publishes advisories specific to control systems. A regular patch deployment schedule should be established for each component in the environment. Depending on the component, this could range from a monthly schedule to an as-needed deployment, depending on the historical frequency of patch or vulnerability related issues for the component or the vendor.
Page 163: References
Cybersecurity considerations for electrical distribution systems Intrusion Prevention Systems Information Technology National Vulnerability Database Open System Interconnection Programmable Logic Controller SCADA Supervisory Control and Data Acquisition SNMP Simple Network Management Protocol Secure Shell SIEM Security Information and Event Management Universal Serial Bus 5.1.11 References [1] Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, October 2009 https://ics-cert.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf...
Page 164: Cybersecurity Recommended Secure Hardening Guidelines
Eaton is committed to minimizing the Cybersecurity risk in its products and deploys cybersecurity best practices and latest cybersecurity technologies in its products and solutions; making them more secure, reliable and competitive for our customers. ...
Page 165 It is extremely important to securely configure the logical access mechanisms provided in Network module to safeguard the device from unauthorized access. Eaton recommends that the available access control mechanisms be used properly to ensure that access to the system is restricted to legitimate users only. And, such users are restricted to only the privilege levels necessary to complete their job roles/functions.
Page 166 Eaton recommends segmentation of networks into logical enclaves and restrict the communication to host-to-host paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches. At a minimum, a utility Industrial Control Systems network should be segmented into a three-tiered architecture (as recommended by NIST SP800-82[R3]) for better security control.
Page 167: References
Conduct regular Cybersecurity risk analyses of the organization /system. Eaton has worked with third-party security firms to perform system audits, both as part of a specific customer’s deployment and within Eaton’s own development cycle process. Eaton can provide guidance and support to your organization’s effort to perform regular cybersecurity audits or assessments.
Page 168: Configuring User Permissions Through Profiles
Configuring user permissions through profiles [R4] National Institute of Technology (NIST) Interagency “Guidelines on Firewalls and Firewall Policy, NIST Special Publication 800-41”, October 2009: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf 5.3 Configuring user permissions through profiles The user profile can be defined when creating a new users or changed when modifying an existing one. Refer to the section Contextual help>>>Settings>>>Local users in the settings.
Page 169: Servicing The Emp
Installing the EMP 6 Servicing the EMP 6.1 Installing the EMP 6.1.1 Mounting the EMP The EMP includes magnets, cable ties slots and keyholes to enable multiple ways of mounting it on your installation. Bottom mounting capabilities: Side mounting: • magnets •...
Page 170 Installing the EMP Bottom mounting Side mounting 6.1.1.3 Wall mounting with screws example To mount the EMP on the wall close to the rack, use the supplied screw and screw anchor. Then, mount the EMP on the screw and tighten it. 6.1.1.4 Wall mounting with nylon fastener example To mount the EMP within the enclosure environment, attach one nylon fastener to the EMP and the other nylon fastener to an enclosure rail post.
Page 171: Using The Emp For Temperature Compensated Battery Charging
Using the EMP for temperature compensated battery charging 6.2 Using the EMP for temperature compensated battery charging This section applies only to UPS that provides temperature compensated battery charging option. Address must be defined before EMP power-up; otherwise, the changes will not be applied. Do not set Modbus address to 0; otherwise, the EMP will not be detected.
Page 172: Information
Front panel connectors and LED indicators 7 Information 7.1 Front panel connectors and LED indicators Name Description Network connector Ethernet port Network speed LED Flashing green sequences: • 1 flash — Port operating at 10Mbps • 2 flashes — Port operating at 100Mbps •...
Page 173: Specifications/Technical Characteristics
Specifications/Technical characteristics Settings/UPS data Configuration port. connector Access to Network Module’s web interface through RNDIS (Emulated Network port). Access to the Network Module console through Serial (Emulated Serial port). 7.2 Specifications/Technical characteristics Physical characteristics Dimensions (wxdxh) 132 x 66 x 42 mm | 5.2 x 2.6 x 1.65 in Weight 70 g | 0.15 lb RoHS...
Page 174: Default Settings And Possible Parameters
Default settings and possible parameters Settings/Device data USB RNDIS Apipa compatible | IP address: 169.254.0.1 | Subnet mask: connector 255.255.0.0 7.3 Default settings and possible parameters 7.3.1 Settings Default settings and possible parameters - General Default setting Possible parameters System details Location — empty Location —...
Page 175 Default settings and possible parameters SMTP settings Server IP/Hostname — blank Server IP/Hostname — 128 characters maximum SMTP server authentication — disabled SMTP server authentication — disable/enable (Username/Password — 128 characters maximum) Port — 25 Port — x-xxx Default sender address — device @networkcard.com Sender address —...
Page 176 Default settings and possible parameters LDAP Configure Configure • Active – No • Active – No/yes • Security • Security SSL – SSL SSL – None/Start TLS/SSL Verify server certificate – enabled Verify server certificate – disabled/enabled • Primary server •...
Page 177 Default settings and possible parameters RADIUS Configure Configure • Active – No • Active – Yes/No • Retry number – 0 • Retry number – 0 to 128 • Primary server • Primary server Name – blank Name – 128 characters maximum Secret –...
Page 178 Default settings and possible parameters Syslog Inactive Inactive/Active • Server#1 • Server#1 Name – Primary Name – 128 characters maximum Status – Disabled Status – Disabled/Enabled Hostname – empty Hostname – 128 characters maximum Port – 514 Port – x-xxx Protocol –...
Page 179 Default settings and possible parameters SNMP Activate SNMP — disabled Activate SNMP — disable/enable Port — 161 Port — x-xxx SNMP V1 — disabled SNMP V1 — disable/enable • Community #1 — public • Community #1 — 128 characters Enabled — Inactive maximum Access —...
Page 180: Meters
State or Province — 38 City or Locality — 64 characters maximum City or Locality — Grenoble Organization name — 64 characters maximum Organization name — Eaton Organization unit — 64 characters maximum Organization unit — Power quality Contact email address — 64 characters maximum Contact email address —...
Page 181: User Profile
Default settings and possible parameters 7.3.4 User profile Default settings and possible parameters - User profile Default setting Possible parameters Profile Account details: Account details: • Full name — Administrator • Full name — 128 characters maximum • Email — blank •...
Page 182: Access Rights Per Profiles
Access rights per profiles 7.4 Access rights per profiles 7.4.1 Home Administrator Operator Viewer Home 7.4.2 Meters Administrator Operator Viewer Meters Battery health: Launch test/Abort Logs configuration 7.4.3 Controls Administrator Operator Viewer Control 7.4.4 Protection Administrator Operator Viewer Protection/Scheduled shutdowns Administrator Operator Viewer...
Page 183: Environment
Access rights per profiles 7.4.5 Environment Administrator Operator Viewer Environment/Commissioning Environment/Status Administrator Operator Viewer Environment/Alarm configuration Administrator Operator Viewer Environment/Information 7.4.6 Settings Administrator Operator Viewer General Administrator Operator Viewer Local users Administrator Operator Viewer Remote users Administrator Operator Viewer Network & Protocols Administrator Operator Viewer...
Page 184: Maintenance
Access rights per profiles Certificate Administrator Operator Viewer 7.4.7 Maintenance Administrator Operator Viewer System information Administrator Operator Viewer Firmware Administrator Operator Viewer Services Administrator Operator Viewer Resources Administrator Operator Viewer System logs 7.4.8 Legal information Administrator Operator Viewer Legal information 7.4.9 Alarms Administrator Operator...
Page 185: User Profile
Access rights per profiles Export Clear 7.4.10 User profile Administrator Operator Viewer User profile 7.4.11 Contextual help Administrator Operator Viewer Contextual help Full documentation 7.4.12 CLI commands Administrator Operator Viewer get release info Administrator Operator Viewer history Administrator Operator Viewer ldap-test Administrator Operator...
Page 186 Access rights per profiles netconf (read-only) (read-only) Administrator Operator Viewer ping ping6 Administrator Operator Viewer reboot Administrator Operator Viewer save_configuration restore_configuration Administrator Operator Viewer sanitize Administrator Operator Viewer ssh-keygen Administrator Operator Viewer time (read-only) (read-only) Administrator Operator Viewer traceroute traceroute6 Administrator Operator Viewer...
Page 187: List Of Event Codes
List of event codes email-test Administrator Operator Viewer systeminfo_statistics Administrator Operator Viewer certificates 7.5 List of event codes To get access to the Alarm log codes or the System log codes for email subscription, see sections below: 7.5.1 System log codes To retrieve System logs, navigate to Contextual help>>>Maintenance>>>System logs section and press...
Page 188 List of event codes 7.5.1.2 Warning Code Severity Log message File 0A00200 Warning Network module upgrade failed <f/w: xx.yy.zzzz> logUpdate.csv 0A00A00 Warning Network module bootloader upgrade failed <f/w: xx.yy.zzzz> logUpdate.csv 0B00500 Warning RTC battery cell low logSystem.csv 0E00200 Warning New [self/PKI] signed certificate [generated/imported] for <service> server logSystem.csv 0E00300 Warning...
Page 189 List of event codes 0B00100 Notice Time manually changed logSystem.csv 0B00700 Notice NTP sever not available <NTP server address> logSystem.csv 0900100 Notice Session - opened logSession.csv 0900200 Notice Session - closed logSession.csv 0900300 Notice Session - invalid token logSession.csv 0900400 Notice Session - authentication failed ...
Page 190 List of event codes 0100B00 Notice Syslog is stopping logSystem.csv 0100D00 Notice Network module is booting logSystem.csv 0100E00 Notice Network module is operating logSystem.csv 0100F00 Notice Network module is starting shutdown sequence logSystem.csv 0101000 Notice Network module is ending shutdown sequence logSystem.csv 0101400 Notice...
Page 191: Ups(Hid) Alarm Log Codes
List of event codes 7.5.2 UPS(HID) alarm log codes This table applies to all UPS except to the 9130 UPS. To retrieve Alarm logs, navigate to Contextual help>>>Alarms section and press the Download alarms button. Below codes are the one to be used to add "Exceptions on events notification" on email sending configurations. Some zeros maybe added in front of the code when displayed in emails or logs.
Page 192 List of event codes Critical Battery temperature low critical Battery temperature OK Check battery Critical Battery temperature high critical Battery temperature OK Check battery Critical Battery fault Battery OK Check battery Critical Inverter internal failure UPS OK Service required Critical Inverter overload No power overload Reduce output load Critical...
Page 193 List of event codes Warning Input AC unbalanced End of input AC unbalanced Warning Bypass phase out range Bypass phase in range Warning Bypass not available Bypass available Service required Warning Bypass thermal overload Bypass thermal OK Reduce output load Warning Bypass temperature alarm Bypass temperature OK...
Page 194 List of event codes Warning Battery State Of Charge below Battery State Of Charge OK limit Warning Battery State Of Health below limit Battery State Of Health OK Check battery Warning Battery voltage low warning Battery voltage OK Check battery Warning Battery voltage high warning Battery voltage OK...
Page 195 List of event codes Warning Output voltage too high Output voltage OK Service required Warning Output voltage too low Output voltage OK Service required Warning UPS Shutoff requested End of UPS shutoff requested Service required Warning Load not powered Load protected Warning Maintenance bypass Not on maintenance bypass...
Page 196: 9130 Ups(Xcp) Alarm Log Codes
List of event codes 7.5.3 9130 UPS(XCP) alarm log codes Use this table for 9130 UPS. To retrieve Alarm logs, navigate to Contextual help>>>Alarms section and press the Download alarms button. Below codes are the one to be used to add "Exceptions on events notification" on email sending configurations. Some zeros maybe added in front of the code when displayed in emails or logs.
Page 197 List of event codes 2193 Critical Fan fault Fan OK 2199 Critical No battery Battery present Check battery 2200 Critical Temperature out of range Temperature in range 2259 Critical Rectifier short circuit Rectifier OK 2260 Critical Rectifier short circuit Rectifier OK 2261 Critical Rectifier short circuit...
Page 198 List of event codes 2028 Warning DC bus + too high DC bus + voltage OK 2029 Warning DC bus + too low DC bus + voltage OK 2032 Warning Battery breaker closed Battery breaker open 2057 Warning On battery No more on battery 2063 Warning...
Page 199 List of event codes 2227 Info On high efficiency High efficiency disabled 2A0F Info Group is OFF Group is ON Information – 199...
Page 200: Ats Alarm Log Codes
List of event codes 7.5.4 ATS alarm log codes To retrieve Alarm logs, navigate to Contextual help>>>Alarms section and press the Download alarms button. Below codes are the one to be used to add "Exceptions on events notification" on email sending configurations. Some zeros maybe added in front of the code when displayed in emails or logs.
Page 201 List of event codes Warning Voltage out of range Voltage in range Warning Input waveform is not OK Input waveform is OK Warning Voltage out of range Voltage in range Warning On alternate source 7.5.4.3 Good Alarms with a severity set as Good are not taken into account into the counter of active alarms. Code Severity Active message...
Page 202: Emp Alarm Log Codes
List of event codes 7.5.5 EMP alarm log codes To retrieve Alarm logs, navigate to Contextual help>>>Alarms section and press the Download alarms button. Below codes are the one to be used to add "Exceptions on events notification" on email sending configurations. Some zeros maybe added in front of the code when displayed in emails or logs.
Page 203: Network Module Alarm Log Codes
List of event codes 7.5.6 Network module alarm log codes To retrieve Alarm logs, navigate to Contextual help>>>Alarms section and press the Download alarms button. Below codes are the one to be used to add "Exceptions on events notification" on email sending configurations. Some zeros maybe added in front of the code when displayed in emails or logs.
Page 204: Snmp Traps
SNMP traps 7.5.6.2.2 Communication Code Severity Active message Non-active message Advice 1300 Info Communication: No device connected Communication: Communication with the device is back - 1301 Info Communication: Device not supported Communication: Communication with the device is back - 7.5.6.2.3 Alarms Code Severity Active message...
Page 205 SNMP traps Alarm oid at : Description when trap 3 Description when trap 4 .1.3.6.1.2.1.33.1.6.3.x .1.3.6.1.2.1.33.1.6.3.8 Power overload No power overload .1.3.6.1.2.1.33.1.6.3.9 Bypass mode No more on bypass .1.3.6.1.2.1.33.1.6.3.10 Bypass not available Bypass available .1.3.6.1.2.1.33.1.6.3.13 Battery charger fault Battery charger OK .1.3.6.1.2.1.33.1.6.3.14 Not powered Powered (Protected or Not protected)
Page 206: Ats Mib
SNMP traps Trap oid : Trap message at oid : .1.3.6.1.4.1.534.1.11.4.1.0.x .1.3.6.1.4.1.534.1.11.3.0 .1.3.6.1.4.1.534.1.11.4.1.0.23 Battery test failed .1.3.6.1.4.1.534.1.11.4.1.0.26 Communication lost .1.3.6.1.4.1.534.1.11.4.1.0.30 Sensor contact is active .1.3.6.1.4.1.534.1.11.4.1.0.31 Sensor contact back to normal .1.3.6.1.4.1.534.1.11.4.1.0.32 Parallel UPS redundancy lost .1.3.6.1.4.1.534.1.11.4.1.0.33 Temperature alarm .1.3.6.1.4.1.534.1.11.4.1.0.34 Battery charger fault .1.3.6.1.4.1.534.1.11.4.1.0.35 Fan fault .1.3.6.1.4.1.534.1.11.4.1.0.36...
Page 207: Sensor Mib
Trap oid : Trap description .1.3.6.1.4.1.534.10.2.10.x .1.3.6.1.4.1.534.10.2.10.14 Sources synchronized .1.3.6.1.4.1.534.10.2.10.15 Output powered by source 1 .1.3.6.1.4.1.534.10.2.10.16 Output powered by source 2 .1.3.6.1.4.1.534.10.2.10.20 Remote temperature low .1.3.6.1.4.1.534.10.2.10.21 Remote temperature high .1.3.6.1.4.1.534.10.2.10.22 Remote temperature normal .1.3.6.1.4.1.534.10.2.10.23 Remote humidity low .1.3.6.1.4.1.534.10.2.10.24 Remote humidity high .1.3.6.1.4.1.534.10.2.10.25 Remote humidity normal .1.3.6.1.4.1.534.10.2.10.26...
Page 208: Commands Available
Warning: Changing network parameters may cause the card to become unavailable remotely. If this happens it can only be reconfigured locally through USB. 7.7.1 Commands available You can see this list anytime by typing in the CLI: 7.7.2 Contextual help You can see this help anytime by typing in the CLI: help CONTEXT SENSITIVE HELP...
Page 209: Get Release Info
7.7.3 get release info 7.7.3.1 Description Displays certain basic information related to the firmware release. 7.7.3.2 Help get_release_info Get current release date Get current release sha1 Get current release time Get current release version number 7.7.3.3 Specifics 7.7.3.4 Access rights per profiles Administrator Operator Viewer...
Page 210: Logout
7.7.5 logout 7.7.5.1 Description Logout the current user. 7.7.5.2 Help logout <cr> logout the user 7.7.5.3 Specifics 7.7.5.4 Access rights per profiles Administrator Operator Viewer logout 7.7.6 maintenance 7.7.6.1 Description Creates a maintenance report file which may be handed to the technical support. 7.7.6.2 Help maintenance <cr>...
Page 211 7.7.7.2 Help For Viewer and Operator profiles: netconf -h Usage: netconf [OPTION]... Display network information and change configuration. -h, --help display help page -l, --lan display Link status and MAC address -4, --ipv4 display IPv4 Mode, Address, Netmask and Gateway -6, --ipv6 display IPv6 Mode, Addresses and Gateway -d, --domain...
Page 212: Ping And Ping6
- set custom Network address, Prefix and Gateway manual <network> <prefix> <gateway> - automatically set Network address, Prefix and Gateway router Examples of usage: -> Display Link status and MAC address netconf -l -> Set Auto negotiation to Link ...
Page 213: Reboot
Specify the number of echo requests to be sent Specify maximum number of hops <Hostname or IP> Host name or IP address ping6 The ping6 utility uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a ``struct timeval''...
Page 214: Save_Configuration | Restore_Configuration
7.7.10 save_configuration | restore_configuration 7.7.10.1 Description Save_configuration and restore_configuration are using JSON format to save and restore certain part of the configuration of the card. 7.7.10.2 Help save_configuration -h save_configuration: print the card configuration in JSON format to standard output. restore_configuration -h restore_configuration: restore the card configuration from a JSON-formatted standard input.
Page 215: Ssh-Keygen
7.7.11.2 Access • Administrator 7.7.11.3 Help sanitize -h, --help Display help page --withoutconfirmation Do factory reset of the card without confirmation <cr> Do factory reset of the card 7.7.11.4 Access rights per profiles Administrator Operator Viewer sanitize 7.7.12 ssh-keygen 7.7.12.1 Description Command used for generating the ssh keys.
Page 216: Traceroute And Traceroute6
time -h Usage: time [OPTION]... Display time and date. -h, --help display help page -p, --print display date and time in YYYYMMDDhhmmss format For Administrator profile: time -h Usage: time [OPTION]... Display time and date, change time and date. -h, --help display help page ...
Page 217: Whoami
7.7.14.2 Help traceroute Specify maximum number of hops <Hostname or IP> Remote system to trace traceroute6 Specify maximum number of hops <IPv6 address> IPv6 address 7.7.14.3 Specifics 7.7.14.4 Access rights per profiles Administrator Operator Viewer traceroute traceroute6 7.7.15 whoami 7.7.15.1 Description whoami displays current user information: •...
Page 218: Systeminfo_Statistics
7.7.16.2 Help Usage: email-test <command> ... Test SMTP configuration. Commands: email-test -h, --help, Display help page email-test -r, --recipient <recipient_address> Send test email to the <recipient_address> Email address of the recipient 7.7.16.3 Specifics 7.7.16.4 Access rights per profiles Administrator Operator Viewer email-test 7.7.17 systeminfo_statistics...
Page 219: Certificates
7.7.17.3 Specifics 7.7.17.4 Access rights per profiles Administrator Operator Viewer systeminfo_statistics 7.7.18 certificates 7.7.18.1 Description Allows to manage certificates through the CLI. 7.7.18.2 Help certificates <target> <action> <service_name> <target> : - local <action> : - print: provides a given certificate detailed information. - revoke: revokes a given certificate.
Page 220: Legal Information
The source code of open source components that are made available by their licensors may be obtained upon written express request by contacting network-m2-opensource@Eaton.com. Eaton reserves the right to charge minimal administrative costs, in compliance with the terms of the underlying open source licenses, when the situation requires.
Page 221: Notice For Our Proprietary (I.e. Non-Open Source) Elements
Copyright © 2020 Eaton. This firmware is confidential and licensed under Eaton Proprietary License (EPL or EULA). This firmware is not authorized to be used, duplicated, or disclosed to anyone without the prior written permission of Eaton. Limitations, restrictions and exclusions of the Eaton applicable standard terms and conditions, such as its EPL and EULA, apply.
Page 222: Acronyms And Abbreviations
Acronyms and abbreviations 7.9 Acronyms and abbreviations AC: Alternating current. ATS: Automatic transfer switch is an electrical switch that switches a load between two sources. AVR: Automatic Voltage Regulation provides stable voltage to keep equipment running in the optimal range. BMS: A Battery Management System is any electronic system that manages li-ion battery. bps: bit per second BOM: In Syslog, placing an encoded Byte Order Mark at the start of a text stream can indicates that the text is Unicode and identify the encoding scheme used.
Page 223 Acronyms and abbreviations MAC: A media access control address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment. MIB: A management information base is a database used for managing the entities in a communication network. Most often associated with the Simple Network Management Protocol (SNMP).
Page 224 Acronyms and abbreviations Information – 224...
Page 225: Troubleshooting
Action not allowed in Control/Schedule/Power outage policy 8 Troubleshooting 8.1 Action not allowed in Control/Schedule/Power outage policy 8.1.1 Symptom Below message is displayed when you access the Control, Schedule or Power outage policy page. This action is not allowed by the UPS. To enable it, please refer to the user manual of the UPS and its instructions on how to configure the UPS settings and allow remote commands.
Page 226: Action
EMP detection fails at discovery stage 8.3.3 Action In the server system BIOS, change the setting for Automatic Power ON to "Enabled". 8.4 EMP detection fails at discovery stage In the Network Module, in Contextual help>>>Environment>>>Commissioning/Status, EMPs are missing in the Sensor commissioning table.
Page 227: How Do I Log In If I Forgot My Password
How do I log in if I forgot my password? Refer to the section Contextual help>>>Maintenance>>>Services>>>Reboot. 2- Launch the discovery. 8.5 How do I log in if I forgot my password? 8.5.1 Action • Ask your administrator for password initialization. • If you are the main administrator, your password can be reset manually by following steps described in the Servicing the Network Management Module>>>Recovering main administrator password.
Page 228: Action #2
During the selected timeframe, new agent connections to the Network Module are automatically trusted and accepted. STEP 4: Action on the agent (IPP/IPM) while the time to accepts new agents is running on the Network Module Remove the Network module certificate file(s) *.0 that is (are) located in the folder Eaton\IntelligentPowerProtector\configs\tls. 8.7 LDAP configuration/commissioning is not working Refer to the section Servicing the Network Management Module>>>Commissioning/Testing...
Page 229: Symptom
The alarm list has been cleared after an upgrade 8.9.2 Symptom SNMPv3 connectivity is not properly working after a restore settings on a 1.7.0 version or above. 8.9.3 Cause The SNMPv3 was configured prior to 1.7.0. In that case, SNMPv3 configuration is not well managed by the Save and by the Restore settings. 8.9.4 Action Reconfigure your SNMPv3 users and passwords on versions 1.7.0 or above and Save the settings.
Page 230: Action
Web user interface is not up to date after a FW upgrade 8.11.2 Action Recover the IP address and connect to the card. Refer to Installing the Network Management Module>>>Accessing the Network Module>>>Finding and setting the IP address section. 8.12 Web user interface is not up to date after a FW upgrade 8.12.1 Symptom After an upgrade: •...

Eaton eNMC2 User Manual

Quick Links

Troubleshooting

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Eaton eNMC2

Summary of Contents for Eaton eNMC2

Table of Contents