NovaTech Automation Products for NERC CIP Compliance
PUBLISHED ON Apr 27, 2015
NovaTech Automation offers both enterprise products for NERC CIP compliance and OrionLX products for NERC CIP compliance. The two enterprise products are the NovaTech Automation Identity Manager (“NIM”) and the NovaTech Automation Connection Manager (“NCM”). The OrionLX products are the Connection Manager Agent, Configuration Manager Agent, Syslog, and Security Monitoring Points.
Summary of Product Capabilities
A. NovaTech Automation Connection Manager (“NCM” at Enterprise) and Connection Manager Agent (in the OrionLX)
i. Establishes encrypted connections to the Orion Cyber Security Gateway in the substations
ii. Establishes encrypted connections – through Orion – to serially-connected or LAN-connected SEL® relays at the appropriate user access level (e.g. access level 1, access level 2, etc.)
iii. Monitors unpermitted keystroke combinations when accessing SEL® relays (e.g. “PAS”, “SET”)
B. NovaTech Automation Identity Manager (“NIM” at the Enterprise)
i. User Password Management features:
1. Provides centralized authentication of users
2. Can be configured to set up a Trust with an Active Directory authentication system
3. Supports Role-based Authentication; each user (or group of users) can have their own privileges
4. Supports creation of strong password rules that meet IT industry standards
5. Complete logging of all changes
ii. IED Password Management features
1. Provides centralized administration of IED passwords.
2. Currently designed for management of SEL relay passwords.
3. SEL relays can be placed into groups for simplified administration.
4. Rules can be created for specific IED password construction.
5. Complete activity logging provided
6. SEL relay Password Change Modes:
a. Normal Password Change Mode
b. Maintenance Mode
c. Emergency Mode (or “Password Checkout” Mode)
d. Local Password Caching in the security gateway
C. The NovaTech Automation Configuration Manager Agent
i. The Orion Configuration Manager Agent retrieves configuration files from substation cyber assets (currently SEL relay settings and Orion configuration files), names and zips the files, and stores them in non-volatile OrionLX memory.
ii. Using the OrionLX “FileMover” feature, stored files are scheduled for automatic SFTP transfer to a Configuration Management server that performs NERC CIP-010 configuration management. If auto-transfer is not desired, stored files can alternatively be accessed and retrieved using a file transfer utility, or transferred to a thumb drive attached to the OrionLX.
iii. For users who prefer not to transfer configuration files to upstream servers at all, the Configuration Manager Agent also calculates a checksum on the zipped SEL setting files and Orion configuration files. This checksum can be accessed as a SCADA point.
D. OrionLX Syslog
i. The OrionLX creates a “syslog” of all system alarms and events. These time-stamped logs, which can be sorted and filtered, contain the raw data required for NERC reporting, including access attempts, connection information and packages running on the OrionLX.
ii. The OrionLX “System Logger” function can be configured to make user-selected points available in syslog, including circuit breaker position and other events and alarms in the Orion database that are not automatically logged to syslog.
E. OrionLX Security Monitoring Points
i. Security Monitoring Points indicating who is connected and how they are connected can be brought out of the OrionLX. These points can be mapped to SCADA or to an alarm log.
Summary of Commercial Offering
The NovaTech Automation Identity Manager (NIM) and NovaTech Automation Connection Manager (NCM) are sold as a bundled offering. These products can be sold on a hardware server provided by NovaTech Automation, or can be loaded as a Virtual Machine (VM) onto a user-provided server using our install instructions.
NovaTech Automation offers an Annual Support and Upgrade Package with the following services:
• Upgrades to maintain compliance with the latest NERC CIP Access Control and Configuration Management requirements
• Phone support
• Feature Upgrade (adding new IED support, etc.)
The Orion Connection Manager Agent is sold as a software option on the OrionLX CPX or the OrionLXm. This agent can be installed on an existing OrionLX CPX / OrionLXm in the same manner as any other software option. There is no support or upgrade fee for this agent.
The two OrionLX security products for monitoring – Syslog and Security Monitoring Points – are included with the OrionLX CPX and the OrionLXm for no extra charge.