Designing a Password Policy
Overview
A carefully designed password policy is the first line of defense against cyber attacks.
In the context of installations that include the MasterPacT, ComPacT, and PowerPacT circuit breaker with a MicroLogic trip unit or control unit, passwords are required for:
- Performing intrusive commands on the MicroLogic control unit, whatever the access mode (through Modbus-TCP / Modbus-SL, USB connection, or Bluetooth wireless technology)
- Performing intrusive commands on the MicroLogic trip unit, whatever the access mode (through Modbus-TCP / Modbus-SL, FDM121 display, or test port)
- Logging in to the PC that runs EcoStruxure Power Commission software
- Logging in to IFE server webpages
- Logging in to IFE and EIFE interface, and IFE server webpages via EcoStruxure Power Commission software from a MasterPacT MTZ IMU
- Logging in to the FTPS server for IEC 61850 configuration of the IFE and EIFE interfaces, and IFE server from a MasterPacT MTZ
Cybersecurity Recommendations Concerning Password Policy
POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY
Change default passwords at first use to help prevent unauthorized access to device settings, controls, and information.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The password policy is one of the main elements of the cybersecurity policy. A good password policy consists of:
- Using strong passwords
- Changing passwords regularly
- Using a password vault to manage access passwords
- Forbidding reuse of old passwords
- Regularly reminding users about best practices concerning passwords
To help protect your system, at a minimum you should:
- Enforce the use of strong passwords
- Set the minimum password length to 10 characters
- Change the password periodically
All users must be aware of best practices concerning passwords. These include:
- Not sharing personal passwords
- Not displaying passwords during password entry
- Not transmitting passwords in email or by any other means
- Not saving the passwords on PCs or other devices
Password for MicroLogic Active Critical Settings and Controls
When accessing the MicroLogic Active control unit via a communication interface, any intrusive commands that modify the behavior of the MasterPacT MTZ circuit breaker with MicroLogic Active control unit require a password. For example, making changes to the protection settings, or operating the circuit breaker requires the MicroLogic Active password.
A single user account and password are defined for the MicroLogic Active control unit.
When connecting through EcoStruxure Power Device app or EcoStruxure Power Commission software, the user is prompted to provide this password.
When connecting from a remote monitoring and control interface, the password must be part of the communication request.
The password is composed of 8 to 32 ASCII characters, with the following constraints:
- Only ASCII [32–126] characters are allowed
- At least one uppercase character
- At least one lowercase character
- Must not contain the username
- Must be different to the previous password
Default passwords must be changed at first installation of the MasterPacT MTZ circuit breaker with MicroLogic Active control unit, and periodically after the first installation, using EcoStruxure Power Commission software. Store passwords using a password vault. Only share passwords with a limited number of trusted users. Follow the password policy recommendations where applicable.
Password for Other MicroLogic Critical Settings and Controls
When accessing the MicroLogic trip unit or control unit via a communication interface, any intrusive commands that modify the behavior of the MasterPacT, ComPacT, and PowerPacT circuit breaker require a password. For example, making changes to the protection settings, or operating the circuit breaker requires the MicroLogic password.
Four passwords are defined for a MicroLogic trip unit or control unit, one for each of the following four user profiles:
- Administrator
- Services
- Engineer
- Operator
For more information on user profiles, refer to the MicroLogic User Guides.
When connecting through the EcoStruxure Power Device app or EcoStruxure Power Commission software, the user is prompted to provide one of these passwords.
When connecting from a remote monitoring and control interface, the password must be part of the communication request.
The password is composed of four ASCII characters. The password is case-sensitive and the allowed characters are:
- Digits from 0 to 9
- Lower case letters from a to z
- Upper case letters from A to Z
Default passwords must be changed at first installation of the MasterPacT, ComPacT, and PowerPacT circuit breaker and periodically after the first installation, using EcoStruxure Power Commission software. Store passwords using a password vault. Only share passwords with a limited number of trusted users. Follow the password policy recommendations where applicable.
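Both password formats described above (the MicroLogic Active password and the four-character profile passwords of other MicroLogic units) can be checked against their rules before commissioning. The script below is an added example, not Schneider Electric code; the function names, the sample username siteadmin, the sample passwords, and the case-insensitive username comparison are assumptions.

```python
import math
import string

# Rules transcribed from this page; all names below are this example's own.
ALNUM = set(string.ascii_letters + string.digits)  # 0-9, a-z, A-Z (62 symbols)


def check_micrologic_active(password, username, previous=None):
    """Return the rule violations for a MicroLogic Active password."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    if any(not 32 <= ord(c) <= 126 for c in password):
        problems.append("only ASCII 32-126 characters are allowed")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("needs at least one uppercase character")
    if not any("a" <= c <= "z" for c in password):
        problems.append("needs at least one lowercase character")
    # Assumption: compared case-insensitively, the stricter reading of the rule.
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    if previous is not None and password == previous:
        problems.append("must differ from the previous password")
    return problems


def check_micrologic_profile(password):
    """Return the rule violations for a four-character profile password."""
    problems = []
    if len(password) != 4:
        problems.append("length must be exactly 4 characters")
    if any(c not in ALNUM for c in password):
        problems.append("only 0-9, a-z and A-Z are allowed")
    return problems


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password: length * log2(size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, not defaults of any device.
    for candidate in ("Breaker-Room_7", "siteadmin2024", "short"):
        print(candidate, check_micrologic_active(candidate, "siteadmin"))
    print("aB3x", check_micrologic_profile("aB3x"))
    print("4 characters from 62: %.1f bits" % keyspace_bits(62, 4))
    print("8 characters from 95: %.1f bits" % keyspace_bits(95, 8))
```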
Password for Remote Access to MicroLogic X Control Unit via IFE or EIFE Interface, or IFE Server
Within a MasterPacT MTZ IMU, access to the MicroLogic X control unit is checked by a Role-Based Access Control (RBAC) mechanism when the connection is made through:
- EcoStruxure Power Commission software via Ethernet
- IFE interface or IFE server webpages
- EIFE interface webpages
- FTPS server for IFE and EIFE interfaces, and IFE server.
For more information about the RBAC mechanism, refer to Passwords for IFE or EIFE Interface Webpages, and IFE or EIFE FTPS Server.
Password for Remote Access to ComPacT NSX Trip Units via IFE Interface or IFE Server
Within a ComPacT NSX IMU equipped with a MicroLogic 5, 6 or 7 trip unit, access to the MicroLogic trip unit is checked by a Role-Based Access Control (RBAC) mechanism when the connection is made through:
- EcoStruxure Power Commission software via Ethernet
- IFE interface or IFE server webpages
- FTPS server for IFE interface or IFE server.
For more information about the RBAC mechanism, refer to Passwords for IFE or EIFE Interface Webpages, and IFE or EIFE FTPS Server.
Passwords and User IDs for Networked PCs
PCs that run EcoStruxure Power Commission software, or that access the MicroLogic trip unit or control unit using any other means (for example, IFE webpages, or SCADA), must prompt users for a login and password. You must ensure that users define strong passwords and change them periodically. In addition, you must set a timer to lock the PC screen automatically after a period of idle time.
A strong password includes uppercase and lowercase letters, numbers, and special characters, where these are available. It should have a minimum length of 10 characters.
Follow the password policy recommendations where applicable.
Passwords for IFE/EIFE Interface or IFE Server (with Firmware Version 005.•••.•••) Webpages and FTPS Server
Access to the IFE interface webpages, EIFE interface webpages, IFE server webpages, and the FTPS server for IFE and EIFE interfaces and IFE server is checked by a Role-Based Access Control (RBAC) mechanism.
With RBAC, users are assigned a role that defines the features they can access.
The security administrator of your system lists the system users and assigns a role to each of them.
The security administrator can manage the users of the IFE or EIFE interface, or IFE server:
- On the IFE or EIFE interface, or IFE server webpages
- With the EcoStruxure Cybersecurity Admin Expert (CAE) software
The security administrator can use CAE software to define the security policy of the system.
The security policy applies to all elements of the system that are compatible with CAE software. For low voltage systems, it applies to the IFE and EIFE interfaces, and IFE server in the system.
The security administrator can set the following parameters of the security policy with CAE software:
- Minimum inactivity period: after this period without any action from the user, the IFE or EIFE interface webpages are locked, and the user must re-enter their password to unlock them.
- Maximum number of login attempts
- Locking period duration
For more information, refer to CAE_EN_UM_B4.1 EcoStruxure Cybersecurity Admin Expert User Guide.
Passwords for IFE Server (with Firmware Version 003.•••.•••) Webpages
For IFE server with firmware version 003.•••.•••, each user of the IFE server webpages has a personal user ID and password to log in to the webpages. Users must change their password after logging in to the webpages for the first time.
You must define which users in your organization require a login on the IFE server webpages, and follow the password policy recommendations where applicable.