Audit trail - Arc protection - Bay control and measurement - Motor protection - Transformer protection - 2 winding - Busbar differential protection (low impedance) - Feeder protection - Voltage regulation - Busbar protection (voltage and frequency) - Capacitor bank protection - Interconnection protection - Power management/Load shedding - Back-up protection - Cyber Security Deployment Guideline - SSC600 Smart substation control and protection - 1.0 FP4 - IEC - ANSI - 18.04.2023

SSC600 Cyber Security Deployment Guideline

The protection device offers a large set of event-logging functions. Critical system and protection device security-related events are logged to a separate nonvolatile audit trail for the administrator.

Audit trail is a chronological record of system activities that allows the reconstruction and examination of the sequence of system and security-related events and changes in the protection device. Both audit trail events and process related events can be examined and analyzed in a consistent method with the help of Event List in WHMI and Event Viewer in PCM600.

The protection device stores 2048 audit trail events to the nonvolatile audit trail. Additionally, 8192 process events are stored in a nonvolatile event list. Both the audit trail and event list work according to the FIFO principle. Nonvolatile memory is based on a memory type which does not need battery backup nor regular component change to maintain the memory storage.

Audit trail events related to user authorization (login, logout, violation remote and violation local) are defined according to the selected set of requirements from IEEE 1686. The logging is based on predefined user names or user categories. The user audit trail events are accessible with IEC 61850-8-1, PCM600 and WHMI.

Note: Events which happen without authenticated user will be recorded with a generic username.
Table 1. Audit trail events
Event Id Description Severity
1110 Log-in successful Event
1130 Log-in failed - Wrong credentials Event
1210 Log-out (user logged out) Event
1320 Downloaded / wrote configuration successfully Event
1370 Viewed Security Event logs successfully Alarm
1380 Parameter changed successfully Event
1420 Download / writing configuration failed Event
1520 Software updated successfully Event
1610 Firmware change fail Event
1710 Device reset to factory default Event
2110 User account created successfully Alarm
2120 User account deleted successfully Alarm
2180 New role created successfully Alarm
2190 Role deleted successfully Alarm
2210 User password changed successfully Event
2220 Change of user password failed Event
5110 Firmware Reset Alarm
5140 Software reset Alarm
5270 System startup Alarm
6110 Test Mode started successfully Alarm
6120 Test Mode ended successfully Alarm
6130 Control operation performed successfully Alarm
6220 Time Synchronized successfully Event
6320 Time Synchronization failed Event
8020 Date and time set successfully Event
9020 Flooding attack detected Alarm
13520 Certificates transferred to the device successfully Event
14520 Failed to transfer certificates to the device Event

PCM600 Event Viewer tool can be used to view the audit trail events and process related events. Audit trail events are visible through dedicated Security events view. Since, user with Security Management Right can read audit trail. The audit trail cannot be reset, but PCM600 Event Viewer can filter data. Audit trail events can be configured to be visible also in WHMI Event list together with process related events.

In WHMI, Audit trail events are displayed based on user rights. A user having Security Management right can view audit trail logs.