IEEE 1686:2013 pdf free download – IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities
4.3 lmplementing lED security
The implementation of a security posture for IEDs and their configuration software is a combination oftechnology and procedures. Technology alone will not produce the desired results without theimplementation and enforcement of a set of complementary security procedures.Additionally,securityprocedures and technology are often developed in conjunction with one another with considerations givento such things as operational costs, user practices, manpower constraints, and communications capabilities.This standard defines the functions and features to be provided in IEDs to accommodate CIP programs. It isrecognized,however,that in some cases,the functions and features may require some adaptation orrelaxation to meet a user’s specific situation.As an example, this standard calls for at least ten uniqueuserID/passwords for the IED. In a very small utility such as a municipality, there may not be ten users whorequire access,and therefore the requirement is not substantiated. For a very large utility with an IEDmaintenance force that covers a wide geographical area, ten individual passwords may not be enough. Insuch cases, the user must identify to the IED provider where the user’s requirements differ or exceed thestandard.
Further, the failure of an IED to meet every clause of this standard does not necessarily preclude its use in asecure environment. It is possible the deficiency may be overcome by procedural or administrativetechnology, architecture, or other measures.
5.5.1 Authentication
The IED shall have a means to authenticate that the configuration software being used to access or changethe configuration is a copy that has been authorized by the user.Unauthorized copies of the configurationsoftware shall be prevented from accessing any features of the lED.
5.5.2 Digital signature
The configuration software shall have the capability to generate a digital signature in the configuration andfirmware download files indicating the file has been produced by an authorized configuration softwareprogram and by an authorized user.The IED shall have the capability to read the digital signature appliedto a configuration file or firmware file to verify that the file has been created by an authorized entity andhas not been altered or corrupted.The IED shall only accept properly signed files.
5.5.3 ID/password control
The configuration software shall be ID/password controlled so that the software cannot be accessed withoutthe proper ID/password combination. At least ten individual ID/password combinations shall be providedfor each copy of the configuration software program.Under no circumstances shall the configurationsoftware cause the passwords of the software itself or the IED to be displayed in readable text.
5.5.4 ID/password controlled features
IED configuration software shall have the ability to assign features to specific users andor roles.At theleast, the functions and features outlined in 5.5.4.1 and 5.5.4.2 shall be assignable on an individual user orrole basis.
5.5.4.1 View configuration data
In view configuration data mode, a user can only view configuration data. No changes to the configurationcan be made.