Recommendations for Protecting Remote Access to the MicroLogic Trip Unit or Control Unit Through Ethernet
Functions Accessible Through Ethernet
When a PC running monitoring and control software (SCADA, EcoStruxure Power Commission software) is connected to the Ethernet (Modbus/TCP) network, the functions of the MicroLogic trip unit or control unit are accessible in the following cases:
- The MasterPacT, ComPacT, and PowerPacT circuit breaker is connected through an IFE interface or an IFE server.
- The MasterPacT MTZ circuit breaker is connected through the EIFE interface.
- The MasterPacT, ComPacT, and PowerPacT circuit breaker is connected through an IFM interface stacked to an IFE server.
- The ComPacT NSX, and PowerPacT H-, J- and L-Frame circuit breaker is connected through BSCM Modbus SL/ULP module in Modbus mode via Modbus SL hub to IFE server.
Prerequisites for Establishing an Ethernet Connection
To establish an Ethernet connection with the MicroLogic trip unit or control unit, the prerequisites are:
- The MicroLogic trip unit or control unit must be powered on.
- The MicroLogic trip unit or control unit must be connected to an Ethernet network through one of the following:
  - An IFE server
  - An IFM interface stacked to an IFE server
  - A BSCM Modbus SL/ULP module in Modbus mode connected via Modbus SL hub to IFE server
- You must have a PC or other device (for example, FDM128 display, or PLC) running monitoring and control software (SCADA, EcoStruxure Power Commission) connected to the Ethernet network, giving remote access
- You must have a PC running a web browser connected to the Ethernet network, giving access to the IFE or EIFE webpages
- You must have a user ID and password with the appropriate access permissions to log in to:
  - IFE server webpages
  - FTPS server for IFE and EIFE interfaces, and IFE server
  - EcoStruxure Power Commission software connected through IFE and EIFE interface, and IFE server
- You must have a user ID and password with the appropriate access permissions to log in to EcoStruxure Power Commission software
Recommendations for PCs Connected to Ethernet
To protect access to the MicroLogic trip unit or control unit from a networked PC, it is recommended to:
- Keep PCs safely locked away when not in use.
- Make sure that the PC that provides access to the MicroLogic trip unit or control unit using Ethernet (for example, through IFE or EIFE interface webpages, IFE server webpages, or SCADA) requires a user login and password.
- Enforce the use of strong passwords.
- Use IP filtering capability of IFE and EIFE interfaces and IFE server to allow communication only with selected remote IP addresses.
- Make sure that user passwords are changed regularly.
- Forbid reuse of old passwords.
- Set a timer to lock the PC screen after a period of idle time.
- Harden the PC by following the most recent vendor guidelines for the operating system running on your PC.
- Limit the number of users allowed to access the MicroLogic trip unit or control unit from a networked PC.
- Keep antivirus applications for PCs up to date.
In addition to the above precautions, you must also follow the general guidelines and recommendations for protecting your installation given in "How Can I Reduce Vulnerability to Cyber Attacks?"
Recommendations for Machine-to-Machine Communication
For systems supporting Modbus TCP over TLS, activate the TLS connection security mode on the IFE or EIFE interface, or IFE server webpages.
Machine-to-machine secure communication requires components that connect to the IFE or EIFE interface, or IFE server to support the Secure Modbus communication.
Recommendations for Security Logs
To ensure that security logs are downloaded on a regular basis, use:
- The automatic log export feature via Syslog Service from the IFE or EIFE interface, or IFE server.
- Manual log export in CSV format from the IFE or EIFE interface, or IFE server.
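
One way to confirm that the automatic Syslog export keeps arriving on a regular basis, as an added example that is not Schneider Electric code. It assumes the collector stores messages with an RFC 5424 header; the hostnames, message text and two-hour threshold are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: exported messages carry an RFC 5424 header,
# "<PRI>1 TIMESTAMP HOSTNAME ...". Adjust if the collector stores another format.
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")

def parse_line(line):
    """Return (hostname, UTC timestamp), or None if the line is not RFC 5424."""
    m = HEADER.match(line)
    if not m or m.group(2) == "-":
        return None
    try:
        ts = datetime.fromisoformat(m.group(2).replace("Z", "+00:00"))
    except ValueError:
        return None
    # RFC 5424 timestamps always carry an offset; reject naive values.
    return (m.group(3), ts.astimezone(timezone.utc)) if ts.tzinfo else None

def find_export_gaps(lines, expected_hosts, now, max_gap):
    """Report silences longer than max_gap per device, and devices never seen."""
    seen = {host: [] for host in expected_hosts}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in seen:
            seen[parsed[0]].append(parsed[1])
    findings = []
    for host, stamps in sorted(seen.items()):
        if not stamps:
            findings.append((host, "never-seen", None))
            continue
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:          # hole inside the received log
                findings.append((host, "gap", prev))
        if now - stamps[-1] > max_gap:        # export has stopped
            findings.append((host, "stale", stamps[-1]))
    return findings

# Constructed sample lines; hostnames and message text are placeholders.
SAMPLE = [
    "<86>1 2024-05-01T08:00:00Z ife-01 websrv - - - user login ok",
    "<86>1 2024-05-01T09:00:00Z ife-01 websrv - - - user logout",
    "<84>1 2024-05-01T15:30:00+02:00 ife-01 websrv - - - login failed",
    "<86>1 2024-05-01T08:10:00Z eife-02 websrv - - - user login ok",
    "May  1 08:11:00 legacy-host not RFC 5424, ignored",
]

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
    print(find_export_gaps(SAMPLE, ["ife-01", "eife-02", "ife-03"], now, timedelta(hours=2)))
```

A "never-seen" or "stale" result for a device that is powered on means its export is not reaching the collector, so fall back to the manual CSV export for the missing period.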