Restricting Remote Access to the MasterPacT, ComPacT, and PowerPacT Circuit Breaker

Overview

The MasterPacT, ComPacT, and PowerPacT intelligent modular unit (IMU) offers both local and remote access possibilities. You must ensure that only authorized users are granted access.

Remote Access to MasterPacT, ComPacT, and PowerPacT Circuit Breaker

Depending on your system architecture, there are probably several ways of gaining remote access to the MasterPacT, ComPacT, and PowerPacT circuit breaker.

It is extremely important to control remote access to your system, as remote access through the following communication pathways can give full control over your installation:

EcoStruxure Power Commission software through an Ethernet connection via an IFE, EIFE, or IFM interface or IFE server, or BSCM Modbus SL/ULP module
EcoStruxure Power Commission software through Modbus-SL via an IFM interface or BSCM Modbus SL/ULP module
IFE or EIFE webpages through an Ethernet connection via an IFE or EIFE interface, or IFE server

In particular, you must consider:

How the system can be accessed using the various communication paths available
The information and controls available through each access path

Supported Protocols

The IFE and EIFE interfaces, and IFE server support the following communication protocols:

HTTPS for configuration through embedded webpages
Modbus TCP/IP for communication with other OT devices
Modbus TCP over TLS
DHCP for network IP addressing
DNS for network name resolution
SNTP for time synchronization
DPWS for network delivery
SMTPS for sending emails
FTPS for IEC 61850 configuration and event notification
IEC 61850 for communication with devices and systems in substations

The IFM interface supports Modbus-SL communication protocol.

The BSCM Modbus SL/ULP module supports Modbus-SL communication protocol.

MasterPacT MTZ applications support the following communication protocols:

Bluetooth wireless technology for communication with EcoStruxure Power Device app
NFC to download diagnostic data

Enabling and Disabling Remote Control of the MasterPacT, ComPacT, and PowerPacT Circuit Breaker

Remote control of the MasterPacT, ComPacT, and PowerPacT circuit breaker refers to the following operations:

Opening, closing and resetting the circuit breaker
Modifying the circuit breaker settings

If remote control of the MasterPacT, ComPacT, and PowerPacT circuit breaker is not a requirement, it is highly recommended to disable remote control using the IFE or EIFE interface, IFE server, or IFM interface. By default, remote control is enabled.

If remote control of the MasterPacT MTZ circuit breaker with MicroLogic Active control unit is not a requirement, it is highly recommended to set the control mode to Manual. By default, the MicroLogic Active control mode is Manual.

On the IFE interface or IFE server, use the locking pad on the front panel to enable or disable remote control commands sent over the Ethernet network.

On the EIFE interface, connect a PC running EcoStruxure Power Commission software to the mini USB port on the front of the MicroLogic X control unit to enable or disable remote control of the MasterPacT MTZ circuit breaker through the Ethernet network.

On the IFM interface, use the locking pad on the front panel to enable or disable remote controls sent over the Modbus-SL network.

For the BSCM Modbus SL/ULP module, connect a PC running EcoStruxure Power Commission software to the Modbus SL hub and use the remote padlock parameter to enable or disable remote control sent over the Modbus-SL network.

Locking Protection Settings (MasterPacT MTZ)

You can lock the protection settings of the MasterPacT MTZ circuit breaker with MicroLogic X control unit, to prevent them from being changed remotely. By default, changing the protection settings remotely is allowed.

It is recommended to disable remote modification of protection settings if you do not use this function. For more information, refer to MasterPacT MTZ - MicroLogic X Control Unit - User Guide .

NOTE: Remote modification of protection settings is not available with MasterPacT MTZ circuit breakers with MicroLogic Active control units.

Disabling the Unused IP Network Services

The communication ports on the IFE or EIFE interface, or IFE server can be disabled from the IFE or EIFE interface, or IFE server webpages.

It is recommended to:

Disable the unused communication ports of the IFE or EIFE interface.
Access the IFE or EIFE interface webpages using HTTPS service instead of HTTP.
Access EPC software using secure commissioning (available in IFE or EIFE interface webpages) for MasterPacT MTZ MicroLogic control units and ComPacT NSX MicroLogic 5, 6 or 7 trip units.

Using the Access Control List (ACL)

When remote control is necessary, it is recommended to use the IP filtering capability of the IFE and EIFE interfaces, or IFE server to list the IP addresses of the applications (for example, SCADA) that are authorized to communicate with the IMU. The list of authorized applications is the access control list (ACL).