NERC compliancy on ION meters

MatthewP · ‎2015-12-03

Referring the V4.20 firmware release notes for the ION8650

http://www.schneider-electric.us/documents/news/offer-news/schneider_electric_announces_powerlogic_i...

It mentions compliancy with NERC 5... "The ION 8650 meter V4.20 enables Utilities to comply with the latest NERC CIP standard Version 5, which is designed to protect the bulk power system against cybersecurity compromises that could lead to misoperation or instability. Utility Compliance represents significant progress in mitigating cyber risks to the grid."

I am currently working on project with a utility and numerous concerns around NERC compliancy have come up. From my understanding, NERC compliant devices must have the ability to be COMPLETELY locked down meaning that ZERO changes can be made to the device.

Can someone please provide technical details on how this has been implemented on the meter?

Will this be NERC compliance be available on the 7650/7550 platform as well?

Thank you!

Matthew

Anonymous user · ‎2015-12-04

If I understand correctly you can disable front panel access, and turn off all ports and protocols for ethernet, as well as set all serial comms to protocol none.

Take a look at the comms modules in V4.20.1 you should see some new setup registers. be careful though I think you can lock yourself out permanently.

Brian

sesa56307_bridg · ‎2015-12-04

In addition to the comments from Brian, I'd encourage you to review the "What’s new in PowerLogic ION8650 version 4.20 (v4.20)" document, which provides a short summary of the new security-related features and changes. Here is a link:

http://download.schneider-electric.com/files?p_Reference=7EN12-0287-00&p_EnDocType=User%20guide&p_Fi...

Regarding NERC CIP in general, please note that this is a (large) set of standardized requirements that apply to an entire system, and the related features on the meter are intended to help our customers comply with these requirements. Some of the requirements are related to workflow/process (for example, how often passwords need to be changed across the system), while others imply direct needs for features at the device level. Some of the requirements were already met in previous firmware releases; the changes in V4.20 simply closed some notable gaps, making it easier for our customers to achieve NERC CIP compliance.

Matthew, if the customer you are working with still has some remaining concerns around NERC compliancy, please contact me separately as I would be interested to discuss the specific requirements of concern. I'm not sure exactly which requirement relates to your example of completely locking down the device, although I think that the combination of HW locking, advanced security usernames/passwords, security settings like enabling/disabling ports and protocols, and auditability of any changes should be enough to satisfy them.

Thanks,

Dave Tuckey