Why Cybersecurity Is Relevant for MasterPacT, ComPacT, and PowerPacT Circuit Breakers
Overview
The MasterPacT, ComPacT, and PowerPacT circuit breaker is a key component of any plant or equipment because it controls the power supply to the process, provides electrical protection, and delivers critical information.
MasterPacT, ComPacT, and PowerPacT circuit breakers with communication features also provide 24/7 access to real-time control functions and to monitoring data. These features bring greater efficiency and flexibility in managing your electrical distribution system. However, they may be subject to cyber attacks.
MasterPacT MTZ Circuit Breaker with MicroLogic X Control Unit Operating Environment
The following figure shows the various ways of communicating with the MicroLogic X control unit of the MasterPacT MTZ circuit breaker.
The MasterPacT MTZ intelligent modular unit (IMU) represents the circuit breaker, the MicroLogic X control unit, and the associated ULP modules, communication interface, and IO modules.
To communicate with the MasterPacT MTZ circuit breaker through its MicroLogic X control unit, the following communication paths are available:
-
MicroLogic X human-machine interface (HMI)
-
FDM121 front display module for one circuit breaker
-
Wireless NFC connection from a smartphone
-
Wireless Bluetooth Low Energy connection from a smartphone
-
Connection to the mini type B USB port of the MicroLogic X control unit from:
-
A PC running EcoStruxure™ Power Commission software
-
A smartphone running the EcoStruxure Power Device app
-
-
Ethernet (Modbus TCP/IP or IEC 61850 protocols) connection through the operational technology (OT) network when the IFE or EIFE interface, or IFE server is present
-
Modbus-SL connection through the operational technology (OT) network when the IFM interface is present
MasterPacT MTZ Circuit Breaker with MicroLogic Active Control Unit Operating Environment
The following figure shows the various ways of communicating with the MicroLogic Active control unit of the MasterPacT MTZ circuit breaker.
A Panel Server webpages B EcoStruxure Power Monitoring Expert (PME) software C EcoStruxure Power Operation (PO) software D POI Plus, industrial workstation with energy management software |
The MasterPacT MTZ intelligent modular unit (IMU) represents the circuit breaker, the MicroLogic Active control unit, and the communication interface.
To communicate with the MasterPacT MTZ circuit breaker through its MicroLogic Active control unit, the following communication paths are available:
-
MicroLogic Active human-machine interface (HMI)
-
Wireless NFC connection from a smartphone
-
Connection to the USB-C port of the MicroLogic Active control unit from:
-
A PC running EcoStruxure™ Power Commission software
-
A smartphone running the EcoStruxure Power Device app
-
-
Wireless IEEE 802.15.4 connection to a Panel Server for MicroLogic Active AP/EP control units.
MasterPacT NT/NW, ComPacT NS, and PowerPacT P- and R-Frame Circuit Breaker Operating Environment
The following figure shows the various ways of communicating with the MicroLogic trip unit of the circuit breaker.
The intelligent modular unit (IMU) represents the MasterPacT NT/NW, ComPacT NS, or PowerPacT P- or R-frame circuit breaker, the MicroLogic trip unit, and the associated ULP modules, communication interface, and IO modules.
To communicate with the circuit breaker through its MicroLogic trip unit, the following communication paths are available:
-
MicroLogic human-machine interface (HMI)
-
FDM121 front display module for one circuit breaker
-
Connection to the MicroLogic trip unit from a PC running EcoStruxure Power Commission software through the Service interface
-
Ethernet (Modbus TCP/IP protocol) connection through the operational technology (OT) network when the IFE interface or IFE server is present
-
Modbus-SL connection through the operational technology (OT) network when the IFM interface is present
ComPacT NSX, and PowerPacT H-, J- and L-Frame Circuit Breaker Operating Environment
The following figure shows the various ways of communicating with the MicroLogic trip unit of the circuit breaker.
The intelligent modular unit (IMU) represents the ComPacT NSX or PowerPacT H-, J- or L-Frame circuit breaker, the MicroLogic trip unit, and the associated ULP modules, communication interface, and IO modules.
To communicate with the circuit breaker through its MicroLogic trip unit, the following communication paths are available:
-
MicroLogic human-machine interface (HMI)
-
FDM121 front display module for one circuit breaker
-
Connection to the MicroLogic trip unit from a PC running EcoStruxure Power Commission software through the Service Interface or USB maintenance interface
-
Ethernet (Modbus TCP/IP protocol) connection through the operational technology (OT) network when the IFE interface or IFE server is present
-
Modbus-SL connection through the operational technology (OT) network when the IFM interface or BSCM Modbus SL/ULP module is present
System Vulnerability to Cyber Attacks
Each of the communication paths listed above represents a potential vulnerable point in your system if security measures are not put in place. This guide provides guidelines to help secure these communication paths to avoid intentional attacks or accidental misuse.
The following security features are intended to mitigate the inherent threats which are linked to the usage of IFE and EIFE interfaces, IFE server, and MasterPacT, ComPacT, and PowerPacT devices in an Operational Technology (OT) environment.
Security Features Provided
The following cybersecurity functions are supported by MasterPacT, ComPacT, and PowerPacT IMUs:
-
User account management:
-
On IFE server
-
On MicroLogic Active control unit
-
Access code protection
-
Configurable security services and settings
-
Firmware update mechanism
-
Secure machine-to-machine communication via Modbus TCP/TLS (on IFE and EIFE interfaces, and IFE server)
-
Security logs in Syslog format or CSV format (on IFE and EIFE interfaces, and IFE server)
These features provide security capabilities which contribute towards protecting the product from potential security threats that could:
-
Disrupt the product operation (availability)
-
Modify information (integrity)
-
Disclose confidential information (confidentiality)
Security Features Comparison Between IFE/EIFE Interface and IFE Server
The following table provides a comparison between the security features of:
-
IFE/EIFE interface with firmware versions 004.•••.••• and 005.•••.•••
-
IFE server with firmware version 003.•••.•••
-
IFE server with firmware version 005.•••.•••
Schneider Electric recommends that you update the firmware version of the IFE/EIFE interface and IFE server to benefit from the latest features.
Features |
EIFE Interface (LV851001) IFE Interface (LV434001) |
IFE Server (LV434002) (firmware version 003.•••.•••) |
IFE Server (LV434002) (firmware version 005.•••.•••) |
---|---|---|---|
HTTP |
Yes |
Yes |
Yes |
HTTPS |
Yes |
No |
Yes |
FTP-Server |
Yes |
Yes |
Yes |
FTP-Client |
Yes |
Yes |
Yes |
FTPS |
Yes |
No |
Yes |
NTP |
Yes |
No |
Yes |
SNTP |
No |
Yes |
No |
RSTP |
Yes |
No |
Yes |
Modbus TCP |
Yes |
Yes |
Yes |
Modbus Secure |
Yes |
No |
Yes |
RBAC |
Yes |
No |
Yes |
IEC 61850 |
Yes |
No |
Yes |
Syslog |
Yes |
No |
Yes |
SMTP |
Yes |
Yes |
Yes |
IPv6 support and DPWS discovery |
Yes |
No |
Yes |
SNMP |
Yes |
Yes |
Yes |
Time to upgrade the firmware |
4 minutes approximately |
16 minutes approximately |
4 minutes approximately |