IP port security depends on the specific installation, its requirements and the existing infrastructure. The required external equipment can be separate devices or devices that combine firewall, router and secure VPN functionality. When the network is divided into security zones, this is done either with substation devices that have firewall functionality or with dedicated firewall products. Security zone boundaries lie inside the substation or between the substation and the outside world.
The device supports an option with multiple station communication Ethernet ports. In this case, all ports use the same IP address regardless of what redundancy option is activated in the device configuration.
The following table summarizes the IP ports used by the device, which is the information needed to set up an IP firewall. Ports that are open by default are used for configuring the protection device.
Port number | Type | Default state | Description |
---|---|---|---|
20, 21 | TCP | Open | File Transfer Protocol (FTPS) |
102 | TCP | Open | IEC 61850 |
80, 443 | TCP | Open | Web Server HTTPS |
5001 | TCP | Open | Firmware upgrade using HTTPS, user account management and certificate updates. |
2404 | TCP | Closed | IEC 60870-5-104 TCP |
67 | UDP | Open | DHCP server at LAN1 and LAN2 |
FTPS and IEC 61850 are the primary services needed for device configuration and cannot be disabled. Additionally, the protection device uses R-GOOSE (IP/UDP multicast) and layer 2 communication for GOOSE, SMV, IEEE 1588 (PTP) and PRP supervision services, which need to be considered when designing the network.
In addition to the HTTPS and FTPS protocols, the device supports the IEC 61850 Ethernet-based substation automation communication protocol. IEC 61850 is always enabled.
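As an added example (not the vendor's tool), the following Python script compares the ports observed open on a device with the port table above and flags undocumented ports, closed-by-default services found open, and mandatory services that were not seen. The severity labels, the `Finding` structure and the sample scan result are assumptions made for the example.

```python
"""Audit observed device ports against the documented port table (added example)."""
from dataclasses import dataclass

# Port table from the manual section: (port, proto) -> (open by default?, service)
DOCUMENTED_PORTS = {
    (20, "tcp"): (True, "FTPS"),
    (21, "tcp"): (True, "FTPS"),
    (102, "tcp"): (True, "IEC 61850"),
    (80, "tcp"): (True, "Web server (HTTPS)"),
    (443, "tcp"): (True, "Web server (HTTPS)"),
    (5001, "tcp"): (True, "Firmware upgrade, user accounts, certificate updates (HTTPS)"),
    (2404, "tcp"): (False, "IEC 60870-5-104"),
    (67, "udp"): (True, "DHCP server at LAN1 and LAN2"),
}

# Services the manual states cannot be disabled. If they are missing from a scan,
# the scan most likely did not reach the device rather than the device being hardened.
MANDATORY = {(20, "tcp"), (21, "tcp"), (102, "tcp")}


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    severity: str  # assumed labels: "high", "medium", "info"
    reason: str


def audit_open_ports(observed_open):
    """Compare (port, proto) pairs seen open with the documented table; return findings sorted by port."""
    observed = {(int(p), proto.lower()) for p, proto in observed_open}
    findings = []
    for port, proto in observed:
        entry = DOCUMENTED_PORTS.get((port, proto))
        if entry is None:
            findings.append(Finding(port, proto, "high", "undocumented port open; not in the device port table"))
        elif not entry[0]:
            findings.append(Finding(port, proto, "medium",
                                    f"{entry[1]} is closed by default but found open; confirm it is intentionally enabled"))
    for port, proto in MANDATORY - observed:
        findings.append(Finding(port, proto, "info",
                                f"{DOCUMENTED_PORTS[(port, proto)][1]} cannot be disabled yet was not seen; check scan reachability"))
    return sorted(findings, key=lambda f: (f.port, f.proto))


# Constructed sample scan result for demonstration; not taken from a real device.
SAMPLE_SCAN = [(21, "tcp"), (102, "tcp"), (443, "tcp"), (2404, "tcp"), (23, "tcp"), (67, "udp")]

if __name__ == "__main__":
    for f in audit_open_ports(SAMPLE_SCAN):
        print(f"{f.proto}/{f.port} [{f.severity}] {f.reason}")
```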