DOCA0299EN-01

Security Log

ToDo: new topic to be reviewed completely by project experts (Ray and Spring)

Description

The security log feature of the TS trip system records security-related events such as:

  • Successful or unsuccessful login attempts

  • User account or password change

  • Configuration change

The security events are recorded in a security log and provide information for monitoring the activities carried out on the system. The security log can hold up to 252 security events. When the security log is full, each new security event overwrites the oldest event.

NOTE: To avoid losing overwritten events, export the security log every six months.

The security log can be exported by a Schneider Electric Services representative. The exported security log can be used to detect and respond to a security compromise.

Security Log Export

The security log is a file in CSV format, with one security event per line.

Below is an example of a security log file:

Each security event has the following data:

  • Column A: Event Severity

    • 81 (Alert): urgent corrective action is required.

    • 85 (Notice): corrective action needs to be scheduled.

    • 86 (Information): for information only.

  • Column B: Date and time of event occurrence (TS trip system only)

  • Column C: Host name, commercial reference of the TS trip system

  • Column D: Event Category

    • CoAP: USB communication interface with CoAP protocol

    • Config: Device configuration

    • System: System mode

    • Security Log: Security log related behavior

    • User: User account who does the operation

  • Column E: Message ID

  • Column F: Security log sequence number; it shows the order in which events occurred when the device time is not synchronized.

  • Column G: Pre-defined event information structure, including user name, type, etc.

  • Column H: Event message

Security Event List

| Category | Severity | Event message | Description | Recommended actions |
|---|---|---|---|---|
| CoAP | Information | EPC connection | Successful connection | - |
| CoAP | Information | User logout | Disconnection | - |
| CoAP | Alert | Password expired | Successful connection with invalid credentials. | Change the expired password and log in again. |
| CoAP | Notice | Invalid password | Unsuccessful connection | Check whether the unsuccessful connection is normal. |
| CoAP | Notice | Unknown user | Unsuccessful connection | Check the unknown user. |
| CoAP | Alert | Account locking | User account locked after 3 unsuccessful authentication attempts. | Abnormal scenario. Check whether an unauthorized user is trying to log in to the device. |
| CoAP | Alert | Login denied | Login denied (account is blocked). | Abnormal scenario. Check whether an unauthorized user is trying to log in to the device. |
| CoAP | Notice | Unauthorized operation | Unauthorized operation | Check for abnormal account operation. |
| Update | Information | Protection firmware update | Firmware update | Check whether the firmware upgrade operation is normal. |
| Update | Alert | Invalid format | The updated firmware format is invalid. | Abnormal firmware release. Check the firmware release file and its origin. |
| Update | Alert | Incompatible version | The version is not compatible. | Abnormal firmware release. Check the firmware release file and its origin. |
| Update | Alert | Unauthenticated origin | The firmware origin cannot be authenticated. | Abnormal firmware release. Check the firmware release file and its origin. |
| Update | Alert | Invalid signature | The firmware signature is invalid. | Abnormal firmware release. Check the firmware release file and its origin. |
| Update | Alert | Rollback operation detected | Firmware version rollback. | Abnormal firmware release. Check the firmware release file and its origin. |
| Config | Information | Overload pre-alarm threshold | Configuration change | Check whether the mode switch operation is normal. |
| Config | Information | Ground fault pre-alarm threshold | Configuration change | Check whether the mode switch operation is normal. |
| System | Notice | Enter test mode | Operating mode change | Check whether the mode switch is normal. |
| System | Notice | Exit test mode | Operating mode change | Check whether the mode switch is normal. |
| Security Log | Information | Security log export | Retrieval/export of the security logs of the device. | - |
| Security Log | Notice | Security log cleared | Security logs are cleared. | Check whether the security log clear operation is normal. |
| User | Information | User account creation | User account creation | Check whether the user account and password change is normal. |
| User | Information | User account modification | User account modification | Check whether the user account and password change is normal. |
| User | Information | User account deletion | User account deletion | Check whether the user account and password change is normal. |
| User | Information | Password update | Password update | Check whether the user account and password change is normal. |
| User | Information | Password reset | Password reset | Check whether the user account and password change is normal. |
| User | Information | Reset to factory default | Reset to factory default operation. | Check whether the reset to factory default operation is normal. |

Security Recommended Actions

Contact your Schneider Electric Services representative to obtain the security log if you detect an abnormal situation such as:

  • Account or password abnormal behavior

  • Unwanted change in data or settings

  • Device abnormal behavior

Your Schneider Electric Services representative can provide support in analyzing the events recorded in the security log.

  • Check the security log regularly to find out whether the device is potentially at risk of attack and whether attacks by unauthorized persons have already taken place.

  • Check the user authentication and authorization security events of the device for:

    • Multiple login failure events

    • Account lock events

    • Login events using expired passwords

    • Unauthorized user creation and password modification events

    • Unauthorized resets

  • Check the USB configuration connection events of the device for:

    • Unauthorized connection events

    • Unauthorized data and configuration operations over the USB connection

  • Check the device configuration data change and operating mode change events for abnormal configuration and mode change operations.

  • Check the security log cleared events to detect whether a potential attacker has cleared the security log records.

  • Check the firmware update events to detect unauthorized or failed upgrades.

  • Check the factory reset events to detect any unauthorized factory reset operation.

TBC: If any of the above security events are found during operation, analyze the specific circumstances and conditions of their occurrence, taking on-site monitoring and other equipment into account, and find the root cause in order to eliminate the security risk.
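The following Python script is an added example, not Schneider Electric's code or tooling. It parses a security log export laid out with columns A to H as described under Security Log Export (ordering the events by the column F sequence number rather than the device time) and then applies the checks listed under Security Recommended Actions: repeated login failures per user, account locks, logins with an expired password, firmware update alerts, security log clearing and factory resets. The host name, the message IDs and the `key=value;key=value` layout of column G are constructed placeholders; the exact column G structure of a real export should be confirmed against a file from the device.

```python
"""Parse an exported TS trip system security log and apply the recommended checks.

Added example; not Schneider Electric code. Column layout follows the document
(A severity, B time, C host, D category, E message ID, F sequence, G info, H message).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Column A severity codes as documented.
SEVERITY = {"81": "Alert", "85": "Notice", "86": "Information"}

# Event messages from the Security Event List that the recommended actions
# single out, mapped to the check they belong to.
SINGLE_EVENT_CHECKS = {
    "Password expired": "login_with_expired_password",
    "Account locking": "account_lock",
    "Login denied": "account_lock",
    "Unauthorized operation": "unauthorized_operation",
    "Security log cleared": "security_log_cleared",
    "Reset to factory default": "factory_reset",
}
LOGIN_FAILURES = {"Invalid password", "Unknown user"}
ACCOUNT_CHANGES = {"User account creation", "User account modification",
                   "User account deletion", "Password update", "Password reset"}


@dataclass
class SecurityEvent:
    severity: str     # A: Alert / Notice / Information
    timestamp: str    # B: date and time from the device clock
    host: str         # C: host name / commercial reference
    category: str     # D: CoAP, Config, System, Security Log, User, Update
    message_id: str   # E
    sequence: int     # F: ordering that survives an unsynchronized clock
    info: dict        # G: parsed event information structure
    message: str      # H: event message


def parse_info(field):
    """Column G is 'pre-defined'; a 'user=admin;type=local' layout is assumed here."""
    out = {}
    for item in field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_security_log(text):
    """Parse CSV text (one event per line) into SecurityEvent records sorted by column F."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != 8:
            raise ValueError(f"expected 8 columns, got {len(row)}: {row}")
        sev, ts, host, cat, mid, seq, info, msg = row
        events.append(SecurityEvent(SEVERITY.get(sev, f"Unknown({sev})"), ts, host,
                                    cat, mid, int(seq), parse_info(info), msg))
    # The sequence number, not the timestamp, is the authoritative order.
    return sorted(events, key=lambda e: e.sequence)


def triage(events, failure_threshold=3):
    """Return (check, detail) findings following the Security Recommended Actions."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        user = e.info.get("user", "unknown")
        where = f"seq {e.sequence} ({e.timestamp}) user={user}"
        if e.message in SINGLE_EVENT_CHECKS:
            findings.append((SINGLE_EVENT_CHECKS[e.message], f"{e.message}: {where}"))
        elif e.message in LOGIN_FAILURES:
            failures[user].append(e.sequence)
        elif e.message in ACCOUNT_CHANGES:
            findings.append(("account_change_review", f"{e.message}: {where}"))
        elif e.category == "Update" and e.severity == "Alert":
            findings.append(("firmware_update_failure", f"{e.message}: {where}"))
        elif e.category in ("Config", "System"):
            findings.append(("config_or_mode_change_review", f"{e.message}: {where}"))
    # Repeated failures are counted per user; the device locks an account after 3.
    for user, seqs in failures.items():
        if len(seqs) >= failure_threshold:
            findings.append(("multiple_login_failures",
                             f"{len(seqs)} failed logins for user={user} (seq {seqs[0]}..{seqs[-1]})"))
    return findings


# Constructed sample export (placeholder host and message IDs). Lines are
# deliberately out of order so that column F is what restores the true sequence.
SAMPLE_LOG = """\
85,2024-01-15T08:03:40,TS-HOST-PLACEHOLDER,CoAP,MSG-PLACEHOLDER,103,user=guest;type=local,Invalid password
86,2024-01-15T08:01:02,TS-HOST-PLACEHOLDER,CoAP,MSG-PLACEHOLDER,101,user=admin;type=local,EPC connection
85,2024-01-15T08:03:12,TS-HOST-PLACEHOLDER,CoAP,MSG-PLACEHOLDER,102,user=guest;type=local,Invalid password
85,2024-01-15T08:04:05,TS-HOST-PLACEHOLDER,CoAP,MSG-PLACEHOLDER,104,user=guest;type=local,Invalid password
81,2024-01-15T08:04:06,TS-HOST-PLACEHOLDER,CoAP,MSG-PLACEHOLDER,105,user=guest;type=local,Account locking
81,2024-01-15T09:10:00,TS-HOST-PLACEHOLDER,Update,MSG-PLACEHOLDER,106,user=admin;type=firmware,Invalid signature
85,2024-01-15T09:12:30,TS-HOST-PLACEHOLDER,Security Log,MSG-PLACEHOLDER,107,user=admin;type=local,Security log cleared
86,2024-01-15T09:15:00,TS-HOST-PLACEHOLDER,User,MSG-PLACEHOLDER,108,user=admin;type=local,Reset to factory default
"""

if __name__ == "__main__":
    for check, detail in triage(parse_security_log(SAMPLE_LOG)):
        print(f"[{check}] {detail}")
```

Run against a real export, the account-change and configuration-change findings are review items rather than alerts: the log records that the change happened, and only the site knows whether it was authorized, which is why the document recommends comparing these events against on-site monitoring and other equipment.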