
Web Server User Manual Rel13_en

The document is a user manual for the RTU500 series Remote Terminal Units, detailing the functionalities, management, diagnostics, and installation processes. It includes revisions and updates made from October 2020 to May 2024, covering aspects such as configuration management, user management, and secure web server access. The manual serves as a comprehensive guide for setting up and operating the RTU500 series engineering environment.


Power Grids

RTU500 series - Remote Terminal Units


Web server Release 13
User manual
Revision

Document identity: 1KGT151108 V008 1


Revision  Date     Changes
1         10/2020  New document for Release 13.0.
2         01/2021  Added chapter 'Translate Language Files' (PI#163198).
          02/2021  Updated chapter 'External Certificate' (PI#170985).
                   Updated chapter 'Access to the Web Server' (PI#177587).
3         06/2021  Backup Management for RTU540 (PI#181075).
          07/2021  Backup file signed (PI#181881).
                   Updated chapter 'Password Policies' (PI#180151).
          08/2021  Added chapter 'Certificate Revocation List (CRL) Upload' (PI#183367, PI#183364).
                   Updated chapters 'User Accounts/Passwords' and 'Certificate Upload' (PI#183362).
                   Updated chapter 'Secure Web Server Access' (PI#183359).
4         05/2022  Updated chapter 'Password Policies' (PI#187824).
                   Removed recommendations for Internet Explorer settings (PI#185100).
          06/2022  Added chapter 'Recommendations' to the chapter 'User Management' (PI#189712).
          07/2022  Updated chapter 'Firmware Management' (PI#189730).
          09/2022  Updated chapter 'Script Interface' (PI#186752).
          12/2022  Updated chapters 'Configuration Management' and 'Firmware Management' (PI#192320).
5         03/2023  Updated chapter 'Password Policies' (PI#196050, PI#199491).
                   Updated chapter 'Script Interface' (PI#195525).
          05/2023  Removed ABB logo (PI#197954).
          07/2023  Updated chapter 'CAM Management / Change User Password' (PI#179687).
          09/2023  Replaced ABB Library links (PI#200420).
                   Updated chapter 'RTUtil500 Configuration' (PI#132386).
                   Added chapter 'PKI Management' (PI#131079).
6         11/2023  Updated chapter 'Script Interface' (PI#195525).
                   Corrected permission usrAccount@RTU500 (PI#203686).
7         12/2023  Added chapter 'Restrictions' to 'PKI Management' (PI#205263).
          01/2024  Updated chapter 'User Roles' (PI#203791).
          02/2024  Updated chapter 'Enable Logging and Debugging' (PI#208887).
                   Updated chapter 'Setting Certificate Attributes' (PI#209118).
                   Updated chapter 'Password Policies' (PI#209191).
8         05/2024  Updated chapter 'Secure Web Server Access' (PI#208844, #208282).
          09/2024  Updated chapter 'Backup Management' (PI#214253).
                   Updated chapter 'Test & Simulation' (PI#131436).

Contents

1 Introduction
  1.1 Preface
  1.2 Structure of this Document
  1.3 References
  1.4 Access to the Web Server
  1.5 Presentation of the RTU500 series Web Pages

2 Management
  2.1 Configuration Management
  2.2 Firmware Management
  2.3 License Management
  2.4 Backup Management
    2.4.1 Start Backup Management
    2.4.2 Create a Backup
    2.4.3 Restore a Backup
    2.4.4 Confirm a Backup
    2.4.5 Undo a Backup
  2.5 Language Management
    2.5.1 Change Language of the Web server
    2.5.2 Translate Language Files
  2.6 User Management
    2.6.1 Security Policies
    2.6.2 User Accounts / Passwords
    2.6.3 User Roles
    2.6.4 Change User Password
    2.6.5 Password File Management
    2.6.6 Password File Harmonization
    2.6.7 Recommendations
  2.7 Certificate Management
    2.7.1 Certificate Upload
    2.7.2 Certificate Revocation List (CRL) Upload
  2.8 CAM Management
    2.8.1 Setting Communication Parameter
    2.8.2 Upload Communication Parameter
    2.8.3 Activate CAM Client
    2.8.4 Test Connection
    2.8.5 Change User Password
  2.9 PKI Management
    2.9.1 RTUtil500 Configuration
    2.9.2 Setting Communication Parameters
    2.9.3 Setting Certificate Attributes
    2.9.4 Upload Configuration Parameters
    2.9.5 PKI Client Activation
    2.9.6 Test Connection
    2.9.7 Enrollment
    2.9.8 CRL Update
    2.9.9 Restrictions
  2.10 PLC Parameter Settings
    2.10.1 Prerequisite for Usage of PLC Parameter Settings
    2.10.2 Changing Setting Parameters
    2.10.3 Import/Export of Setting Parameters
  2.11 System Help Page with Pre-requisitions

3 Diagnostics
  3.1 System Log
  3.2 System Event Status
  3.3 Hardware Tree
    3.3.1 General Overview
    3.3.2 Board Diagnosis

4 Test & Simulation
  4.1 Enable Logging and Debugging
  4.2 Time Administration
  4.3 General Overview: Test Mode
    4.3.1 Opening the User Interface
  4.4 Inputs and Outputs View - Elements of the User Interface
    4.4.1 Signal Grid
    4.4.2 Multiple Simulation Interval
    4.4.3 STOP Button
    4.4.4 Control Panel for Process Connection
    4.4.5 Disconnected Indicator
    4.4.6 Download Log File
  4.5 SEV and SSC View - Elements of the User Interface
    4.5.1 Signals Grid
    4.5.2 Input for Multiple Simulation Interval
    4.5.3 STOP Button
    4.5.4 Control Panel for Process Connection
    4.5.5 Status Indicator
    4.5.6 Log File Download Link
  4.6 Security Events View - Elements of the User Interface
    4.6.1 Signals Grid
    4.6.2 Input for Multiple Simulation Interval
    4.6.3 STOP Button
    4.6.4 Log file Download Link

5 Operation
  5.1 Starting the Integrated HMI
  5.2 General Overview: Archives
  5.3 Process Archives
  5.4 File Archive
  5.5 Security Event Archive

6 Secure Web Server Access
  6.1 RTUtil500 Configuration
  6.2 HTTPS Web server access
  6.3 Certificate Handling
    6.3.1 Self-signed Certificate
    6.3.2 External Certificate
  6.4 TLS Version
  6.5 Supported Cipher Suites

7 Modem Installation
  7.1 Windows 10, 11

8 PPP Installation
  8.1 Windows 10, 11

9 USB RNDIS Driver Installation
  9.1 Windows 10, 11

10 Update of I/O Modules Software

11 Script Interface
  11.1 Overview
  11.2 Installation
  11.3 Commands
    11.3.1 Import Module
    11.3.2 Connect to the RTU
    11.3.3 Disconnect from the RTU
    11.3.4 User Management
    11.3.5 Central Account Management (CAM) Client
    11.3.6 Download Files from the RTU
    11.3.7 Upload Files to the RTU
    11.3.8 Get Configuration Files
    11.3.9 Get RTU Status
    11.3.10 Get RTU System Log
    11.3.11 Get Runtime Files
    11.3.12 Get CMU Modules
    11.3.13 Activate a Configuration
    11.3.14 Reset the RTU
    11.3.15 Backup Management
    11.3.16 Language Management
    11.3.17 RTU Certificates
    11.3.18 PKI EST Client
    11.3.19 Time Administration
  11.4 PowerShell Script Example

12 Recovery Mode
  12.1 Start Recovery Mode
  12.2 User Interface
  12.3 Actions
    12.3.1 Automatic Triggered Actions
    12.3.2 User Actions
  12.4 Logging
  12.5 Leaving the Recovery Mode
  12.6 Scope and Restrictions of the Recovery Mode

13 Glossary

1 Introduction

1.1 Preface
The document describes the requirements and installation steps needed to build up a full RTU500
series engineering environment. The base configuration of the Microsoft Windows Operating
System and the tools required for the engineering process are described. System requirements are
defined in chapter 2.11, in figure "Fig. 76: Page for general information and pre-requisitions".

1.2 Structure of this Document


This document is divided into two main parts.

The first part describes the RTU500 series Web server functionality:
• Management functions:
– Configuration management
– Firmware management
– User management
– Loading of password files
– Help page

• Diagnosis functions
– System logs
– Process diagnosis functionality (Hardware Tree)
– The Network Tree

• Test & Simulation functions
– Enable Logging and Debugging functions
– Test mode functions

• Operation functions
– Starting the Integrated HMI
– File archive functions

• Engineering
– Changing individual parameters online
– Online generation of a new RTU configuration

The second part includes the installation and configuration of the environment.

• PPP Installation
• USB Installation
• Establishing the connection
• Network configuration
• The hardware required for the connection


1.3 References
Additional information is available in the following documents:

[1] 1KGT151106 Security Deployment Guide Line
[2] 1KGT151107 RTUtil500 User's Guide
[3] 1KGT151100 Function Description Part 6: RTU500 functions

1.4 Access to the Web Server


The integrated Web server of the RTU500 series is accessed by a web browser, using the IP
address of one of the Ethernet interfaces of the RTU communication unit.

The default IP addresses are:


• Ethernet interface E1: 192.168.0.1
• USB interface: 169.254.0.10

The figure below shows an example of a connection.

Figure 1: HTTPS access to an RTU Web server

ADVICE
A network speed of at least 1 Mbit/s is recommended.

The minimum network speed is 256 kbit/s to get a startup time of less than a minute.

Access to the RTU500 series Web server is enabled by default, but it can be disabled for each
Ethernet interface in the configuration tool RTUtil500 [2]. See chapter "RTUtil500
Configuration" for information on how to disable the RTU500 series Web server.

Besides the secure standard HTTPS access, the RTU500 series Web server also supports HTTP.
For more information about secure access, see chapter "Secure Web Server Access". That
chapter describes the configuration and the certificate handling required for secure HTTPS
access.

After a successful connection with a web browser to the RTU500 series web server, the server
requests a user name and password for log-in.


The log-in dialog presented by the web browser depends on the configuration of the RTU. With
local user account management (LAM), a standard log-in dialog generated by the Web browser
itself appears. Examples of this kind of log-in dialog are shown in the next figure.

Figure 2: LAM log-in dialog examples

With central user account management (CAM), a common log-in dialog generated by the Web
server is shown (see figure below). In addition to the input fields for user name and password, the
dialog indicates whether the CAM server is available. This information, named
protection space, can have the following values:

• CAM Server
CAM server connection is online. Login via CAM server is required.
• LAM Backup
CAM server connection is offline and LAM is configured as backup. Login is possible via LAM.
• Not available
CAM server connection is offline and LAM is not configured as backup. No login is possible.


Figure 3: CAM log-in dialog

To avoid an insecure configuration in connection with central user account management (CAM), the
following advice shall be considered.

ADVICE
In a CAM configuration the user credentials are transmitted as plain text from the Web browser
to the RTU500 series. Therefore the secure Web server access via HTTPS shall be enabled
for the RTU500 series if a CAM client is used. This applies to all CMU modules in a multi CMU
setup.

After completing the working session it is recommended to log-off from the RTU500 series Web
server and to close the used Web browser. This prevents the usage of supplied user names and
passwords by unauthorized persons. The log-off is done by selecting the link 'Logout' as shown in
the figure below. The appearing dialog must be confirmed with Ok to execute the log-off.


Figure 4: Log-off from Web server

In addition to the manual log-off, the user is logged off by the RTU500 series after a
configurable time of inactivity. The timeout for automatic logout after user inactivity can be
disabled and is configurable between 1 minute and 24 hours. In RTUtil500 the inactivity timeout
parameter is located on the 'Parameter' tab of an RTU (Network or Hardware tree).

Figure 5: User inactivity timeout parameter
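
The access rules from this chapter (HTTPS on every CMU whenever a CAM client is used, the protection space values, the inactivity timeout range) can be checked against a site inventory. The following is an added example, not part of the manual or of RTUtil500; the inventory layout, its key names and the severity labels are assumptions made for the illustration.

```python
"""Audit an RTU inventory against the web server access rules described above.

The inventory layout (keys such as "cam_client" or "https") is hypothetical and
constructed for this example; it is not an RTUtil500 export format.
"""

MIN_TIMEOUT_MIN = 1        # inactivity timeout is configurable from 1 minute ...
MAX_TIMEOUT_MIN = 24 * 60  # ... up to 24 hours
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def audit_rtu(rtu):
    """Return a list of (severity, location, message) findings for one RTU."""
    findings = []
    name = rtu["name"]
    cam = rtu.get("cam_client", False)

    for cmu in rtu.get("cmus", []):
        for iface in cmu.get("interfaces", []):
            # Web server access is enabled by default on every interface.
            if not iface.get("web_server", True):
                continue
            # Fail closed: a missing "https" key is treated as plain HTTP.
            if iface.get("https", False):
                continue
            where = f"{name}/{cmu['id']}/{iface['name']}"
            if cam:
                # With CAM the credentials travel as plain text, so HTTPS
                # is required on every CMU of a multi CMU setup.
                findings.append(("high", where,
                                 "CAM client in use but web access is not HTTPS"))
            else:
                findings.append(("medium", where,
                                 "web server reachable over plain HTTP"))

    if cam and not rtu.get("lam_backup", False):
        # Protection space 'Not available': CAM offline and no LAM backup.
        findings.append(("info", name,
                         "no LAM backup: no login possible while CAM is offline"))

    timeout = rtu.get("inactivity_timeout_min")  # None means disabled
    if timeout is None:
        findings.append(("medium", name,
                         "automatic logout after inactivity is disabled"))
    elif not MIN_TIMEOUT_MIN <= timeout <= MAX_TIMEOUT_MIN:
        findings.append(("low", name,
                         f"inactivity timeout {timeout} min is outside 1 min .. 24 h"))
    return findings


def audit_inventory(inventory):
    """Audit every RTU and return all findings, most severe first."""
    findings = [f for rtu in inventory for f in audit_rtu(rtu)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Constructed sample data: one multi CMU RTU with CAM and one LAM-only RTU.
SAMPLE_INVENTORY = [
    {
        "name": "rtu-a",
        "cam_client": True,
        "lam_backup": False,
        "inactivity_timeout_min": None,
        "cmus": [
            {"id": "CMU1", "interfaces": [
                {"name": "E1", "web_server": True, "https": True},
            ]},
            {"id": "CMU2", "interfaces": [
                {"name": "E1", "web_server": True, "https": False},
                {"name": "E2", "web_server": False, "https": False},
            ]},
        ],
    },
    {
        "name": "rtu-b",
        "cam_client": False,
        "inactivity_timeout_min": 15,
        "cmus": [
            {"id": "CMU1", "interfaces": [
                {"name": "E1", "web_server": True, "https": True},
            ]},
        ],
    },
]

if __name__ == "__main__":
    for severity, where, message in audit_inventory(SAMPLE_INVENTORY):
        print(f"{severity.upper():6} {where}: {message}")
```
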

1.5 Presentation of the RTU500 series Web Pages


All pages of the RTU Web server are structured with frames:
• Status frame (1)
• Navigation tiles (2)
• Presentation and selection frame (3)


Figure 6: Structure of the Web server pages

The 'status frame' (1) is fixed during runtime, but depends on the configuration of the RTU.

The navigation tiles (2) are fixed during runtime and are used to navigate through the different Web
server functions.

The 'presentation frame' (3 left side) also depends on the configuration of the RTU, but is not
updated as long as the frame is shown.

The 'selection frame' (3 right side)
• will be updated cyclically (approximately every 2 seconds) or
• must be updated on demand by the user.


2 Management
2.1 Configuration Management
To navigate to the Configuration-File Manager page, click on 'Management' and on 'Configurations
Management' in the navigation frame.

Figure 7: Configuration files: navigation tiles

The files on the RTU will be displayed on top of this page. Below is the drop in area. Here you
can drop new configuration files to be downloaded to the RTU. Only one file is needed for the
configuration of an RTU: <name>.rcd (RTU configuration data)

4 different RTUtil500 configuration files can be stored on the RTU:

• Active: The active configuration file is the one currently executed by the RTU.
• Backup: It is possible to store one backup copy of a configuration file. This file can be activated
again.
• Base: A configuration file downloaded from the PC is shown as the base configuration file.

Besides these RTUtil500 configuration files, also Integrated HMI files and PLC program package
files can be up- and downloaded. The PLC program package has to be activated after upload to the
RTU. Creation of a backup is supported as well. While activating the PLC program package, the
PLC program contained in the PLC program package gets started. Deleting an active PLC program
package stops the running PLC program.

The different table columns show the properties of the different configuration files.


Figure 8: Configuration File Manager

Send file to device
  With this button the configuration file can be downloaded to the RTU. First the configuration
  file must be dropped into the drop file area. Then the file can be downloaded to the RTU. The
  downloaded file will become the new base configuration file. It must be activated in a next step.

Receive file from device
  With this button the configuration file on the RTU can be uploaded to the PC.

Delete file
  With this button the configuration can be deleted.

Activate configuration
  By selecting this button the base or backup configuration will become the new active
  configuration.

Backup configuration
  Press this button in the active configuration row to generate a new backup of the active
  configuration. The new backup configuration will override an existing backup configuration.

Table 1: Configuration Management: Operation buttons on the left side of the tables

In the case of a multi CMU configuration, the actions 'Send file to device', 'Activate configuration',
'Backup configuration' or 'Delete file' can be performed for specific CMUs.

Available for selection:


• Local CMU
• All CMUs
• Specific CMU

The selection is made via a dialog that is displayed when the action is started.


Figure 9: Example CMU selection send file to device

2.2 Firmware Management


To navigate to the Firmware-File Manager page, click on 'Management' and on 'Firmware
Management' in the navigation frame. The different table columns show the properties of the
different files.

Figure 10: Firmware files: navigation tiles

The files on the RTU will be displayed on top of this page. Below is the drop in area. Here you can
drop new firmware files to be downloaded to the RTU.

The loading of the different software files is independent. The software is not distributed to other
boards while loading.


Figure 11: Firmware File Manager

Send file to device
  With this button the firmware file can be downloaded to the RTU. First the firmware file must
  be dropped into the drop file area. Then the file can be downloaded to the RTU. The downloaded
  file will replace the existing firmware file on the flash. It must be activated in a next step.
  After a successful download a red exclamation mark will appear and the activate button will
  become visible.

Receive file from device
  With this button the firmware file on the RTU can be uploaded to the PC.

Delete file
  With this button a firmware file can be deleted.

Activate
  By selecting this button the firmware file will be activated and the RTU will be restarted.

The red exclamation mark
  This sign indicates a difference between the firmware file on the flash and the firmware under
  operation for the RTU. The activation of the firmware is required.

Table 2: Firmware Management: Operation buttons on the left side of the tables

In the case of a multi CMU configuration, the action 'Send file to device' can be performed for
specific CMUs.

Available for selection:


• Local CMU
• All CMUs
• Specific CMU

The selection is made via a dialog that is displayed when the action is started.


Figure 12: Example CMU selection send file to device

ADVICE
On the RTU there is no backup of the firmware files available. Deleted files must be replaced by
files from the PC.

ADVICE
The RTU will not start up after a reset command or power outage if a firmware file has been
deleted without replacement, or if a wrong or corrupted firmware file has been loaded.

2.3 License Management


Each communication unit has a separate license on the memory card, containing:

• a license for the basic functions
• the maximum number of process data points
• a license for 'local archives' and 'PLC' (option)
• a license for the 'integrated HMI' (option)

It is possible to upgrade the RTU license with a license extension file (ABBRTU500Ext.lic),
generated by Hitachi Energy, by uploading the file via the Web server.

The function is available with the license file manager.

Figure 13: License file: navigation tiles


The data of the license file is checked while the file is being loaded. The new licenses are activated
after a reset.

Figure 14: License Upgrade.

2.4 Backup Management


The product lines RTU530 and RTU540 support a feature called backup management which offers
backup and restore functionality.

It is possible at any time on a running system to create a full backup of the system.

The backup contains everything required to restore it later:


• Firmware file,
• Configuration file,
• Archives,
• PLC files (BootFile.pro or PLC package, *.zwt file, PLC retain values, PLC settings),
• CAM file,
• PKI file,
• Language files,
• HMI files (project and libraries),
• User settings,
• User accounts,
• Certificates,
• and license files.

The backup is stored on the CMU but can also be transferred to the local PC and archived. It is
possible at any time on a running system to restore a backup in order to return the system to an
earlier point in time.

The backup file is signed during creation with a CMU-specific key. The signature is verified before
restore to increase security.

ADVICE
In case of a hardware fault, it is possible to restore the backup on a spare part CMU as well.


ADVICE
Backup management is a feature of the RTU530 and RTU540 product lines.

2.4.1 Start Backup Management

To navigate to the 'Backup Management' page, click on 'Management' and on 'Backup
Management' in the menu bar.

Figure 15: Backup Management

The Backup Management user interface consists of 3 parts:


• The header area with the action buttons.
• The top grid area where the backups located on the RTU are visible.
• The bottom grid with the drop area, where external saved backups can be dropped and
transferred to the RTU. It is possible to store up to 5 backups on the RTU itself.


Figure 16: Backup Management Areas

The action buttons are always visible. However, only the buttons for actions that can currently be
executed are activated.


With this button a new backup can be created.

With this button a backup which was restored, and which is awaiting
a confirmation, can be confirmed.

With this button a backup which was restored, and which is awaiting
a confirmation, can be undone.

With this button the countdown confirmation timer, which shows the remaining time for
confirmation, can be set back to 10 minutes; this can be done as often as required.
Table 3: Action buttons

• Send file to device: With this button the backup file can be transferred to the RTU. First the backup file must be dropped into the drop file area. Then the file can be sent.
• Receive file from device: With this button the backup file on the RTU can be received from the RTU and saved locally on the PC.
• Restore backup: With this button the backup can be restored.
• Delete file: With this button the backup can be deleted.
• Red exclamation mark: This sign indicates the backup which was restored and which is waiting for confirmation.
Table 4: Action buttons on the left side of the tables

2.4.2 Create a Backup

When creating a backup, the user has to provide a name. In addition, a comment can be entered as a
later reminder of the scenario of the backup. Date and user information is added automatically.

ADVICE
A backup file is automatically signed with a specific key when it is created.


Figure 17: Create a backup

ADVICE
The creation of a backup may take a few minutes!

A backup contains the firmware, the configurations, the archives, the PLC files (BootFile.pro or PLC
package, *.zwt file, PLC retain values, PLC settings), the language files, the HMI files (project and
libraries), user settings, user accounts, certificates and license files.

ADVICE
If the restore is done on a different device (spare part), hardware-dependent license files cannot
be restored completely.

2.4.3 Restore a Backup

Clicking the Start button will restore the backup.

ADVICE
The first step in the recovery process is to verify the signature of the backup file. Files with an
invalid or without a signature will be rejected.

The restore procedure will take some time. The RTU will reboot twice.

ADVICE
Please do not switch off or manually reset the RTU during this operation!

When restoring a backup, the user has the possibility to select the option that the restored backup
should be confirmed later.


Figure 18: Restore a backup

After the restoration of the backup, the user can check if everything works as expected and can
then either confirm or easily undo this restored backup.

If this confirmation is not done within a given time frame (about 10 minutes), an automatic
undo operation will revert the restored backup. This can happen, for example, when the IP
addresses stored in the backup are no longer remembered correctly and a connection from a web
client to the RTU cannot be established.

2.4.4 Confirm a Backup

If the option 'Backup should be confirmed after restore' was selected when the restore was
started, an orange sign and a countdown timer are visible after the reboot of the RTU. The timer
shows how many seconds are left until an automatic undo will take place.

ADVICE
It is possible to reset the timer back to 10 minutes as often as required by clicking the ‘Defer’
button.

Clicking on the orange sign will directly navigate to the backup management page. The red
exclamation mark in the grid shows which backup was restored and is awaiting a confirmation.


Figure 19: Confirm a backup

2.4.5 Undo a Backup

An undo of a backup reverts everything, so that the RTU is afterwards in the state it was in before
the backup was restored. The RTU will again reboot twice during the undo process.

Figure 20: Undo a backup

ADVICE
Please do not switch off or manually reset the RTU during this operation!

2.5 Language Management


To navigate to the Language Manager page, click on 'Management' and on 'Language
Management' in the navigation frame. The different table columns show the properties of the
different files.

For each language 2 language files are required. For example for English language:
• webserver_en-US.stb (CSV format)
• RTUi_en-US.rdt (XML format)


Figure 21: Copy language file

• Send file to device: With this button the language file can be downloaded to the RTU. First the language file must be dropped into the drop file area. Then the file can be downloaded to the RTU.
• Receive file from device: With this button the language file on the RTU can be uploaded to the PC.
• Delete file: With this button the language can be deleted.
• Activate: By selecting this button the language will become the new active language. A reboot of the RTU is required.
Table 5: Language Management: Operation buttons on the left side of the tables

2.5.1 Change Language of the Web server

The language of the Web server can be selected in the status frame. For changing the language a
reboot of the RTU is required.

Figure 22: Change language of the Web server


2.5.2 Translate Language Files

It is possible to customize the language of the web server.

Two language files are required for each language. For example for English:
• RTUi_en-US.rdt (XML-Format)
• webserver_en-US.stb (CSV-Format)

Navigate to the 'Language Management' page and load the two files from the RTU to your PC. Use
these files as a template for the new language.

Figure 23: Language Management

Open the RTUi_en-US.rdt file in an XML file editor. The table below explains the different domains
of the file. Translate the domains as needed.

| Domain | Comment | Hint |
|---|---|---|
| UserInterface | User interface of client. | Most important domain, must be translated. |
| rtu500.core, rtu500.core.unit.long, rtu500.core.unit.short, rtu500.category, rtu500.runtime, rtu500.Qualifiers | Interaction with RTU: mainly results from RTU (error messages, information, warnings, etc.); archives; user management. | Also very important, must be translated. |
| rtu500.description.AODM.nodes | Used for engineering, preconfiguration and PLC parameter. | Can be skipped for translation if no corresponding engineering is done. |
| TagNames | Used for preconfiguration. | Can be skipped for translation if no preconfiguration is done. |
| rtu.function.xxx (1) | Used for engineering, preconfiguration, one domain per protocol type. | Can be skipped for translation if no corresponding engineering is done. |
Table 6: RTUi_en-US.rdt Domains

(1) xxx = Protocol type, e.g. DNP3


The webserver_en-US.stb file contains texts for the user interface. Open the file with a text editor
and translate the text after the equals sign into the desired language. Do not remove semicolons.

Rename the files according to the language and country code.

Identification of language and country/region:

Option 1:
• Language code: an ISO 639 two-letter lowercase culture code associated with a language, e.g.
en, de, fr.
• Country/region code: an ISO 3166 two-letter uppercase subculture code associated with a
country or region, e.g. EN, DE, FR.

Option 2:
• Culture name: language code + “-” + country code

For French the file names would be as follows:


• RTUi_fr-FR.rdt
• webserver_fr-FR.stb

Set the 'locale' information in RTUi_fr-FR.rdt accordingly:


locale = “fr-FR”.

Set the 'locale' information in webserver_fr-FR.stb accordingly:


0.1 = French
0.3 = fr
0.5 = FR.

Drop the new files into the 'Drop files here' area of the 'Language Management' page or select them
to download them to the RTU.

Figure 24: Language Management French

Activate the new language by clicking the 'Activate' button. To change the language, the RTU must be
restarted.


Figure 25: Language Management French Not active

The language is active after the restart.
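A pre-upload check for the renaming and 'locale' steps above, as an added example that is not part of the manual or of the RTU500 tooling. It assumes that each entry of the .stb file sits on one line in the form 'key = text'; the function names are illustrative and all sample entries other than the keys 0.1, 0.3 and 0.5 are constructed.

```python
"""Pre-upload check for a translated webserver_<culture>.stb file (added example)."""
import re

# Culture name = ISO 639 language code + "-" + ISO 3166 country/region code.
CULTURE_RE = re.compile(r"([a-z]{2})-([A-Z]{2})")


def language_file_names(culture):
    """Return the two file names required for one language, e.g. 'fr-FR'."""
    if not CULTURE_RE.fullmatch(culture):
        raise ValueError(f"not a culture name like 'fr-FR': {culture!r}")
    return f"RTUi_{culture}.rdt", f"webserver_{culture}.stb"


def _entries(text):
    """Assumed layout: one 'key = text' entry per line.
    Returns {key: (text, number of semicolons on the line)}."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = (value.strip(), line.count(";"))
    return entries


def check_stb_translation(template, translated, culture, language_name):
    """Compare a translated .stb text with its template; return a list of problems."""
    match = CULTURE_RE.fullmatch(culture)
    if not match:
        return [f"invalid culture name: {culture}"]
    language, country = match.groups()
    src, dst = _entries(template), _entries(translated)
    problems = []
    # Only the text after the equals sign may change; semicolons must survive.
    for key, (_, semicolons) in src.items():
        if key not in dst:
            problems.append(f"{key}: entry missing in translation")
        elif dst[key][1] != semicolons:
            problems.append(f"{key}: number of semicolons changed")
    for key in sorted(dst.keys() - src.keys()):
        problems.append(f"{key}: entry not present in template")
    # 'locale' information as described for webserver_fr-FR.stb.
    expected = {"0.1": language_name, "0.3": language, "0.5": country}
    for key, want in expected.items():
        if key in dst and dst[key][0] != want:
            problems.append(f"{key}: expected '{want}', found '{dst[key][0]}'")
    return problems


# Constructed sample content; only the keys 0.1, 0.3 and 0.5 come from the manual.
TEMPLATE_EN = """\
0.1 = English
0.3 = en
0.5 = US
10.1 = Send file to device;Receive file from device
10.2 = Delete file
"""
GOOD_FR = """\
0.1 = French
0.3 = fr
0.5 = FR
10.1 = Envoyer le fichier;Recevoir le fichier
10.2 = Supprimer le fichier
"""
# Same translation with the language code left at 'en' and a semicolon lost.
BAD_FR = GOOD_FR.replace("0.3 = fr", "0.3 = en").replace(";", ",")

if __name__ == "__main__":
    print(language_file_names("fr-FR"))
    for problem in check_stb_translation(TEMPLATE_EN, BAD_FR, "fr-FR", "French"):
        print("problem:", problem)
```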

2.6 User Management


All modifications of local user accounts are done via the RTU500 series Web server. In the Web
server menu the link “User Management” is the entry point for the local user account management.
This link can be found under the menu item “Management” as shown in the figure below. Due to the
sensitive information in the user account management the following notice has to be considered.

ADVICE
The web pages of this functionality require secure HTTPS access. It is not possible to open the
web pages with standard HTTP access.

Figure 26: Web server menu user account management

The link starts a user interface to modify the following properties:

• Enable or disable functional policies
• Enable or disable password policies
• Add new or delete existing local user accounts
• Change user account passwords
• Add new or delete existing user roles
• Change assignments of user and permissions to/from user roles

The user interface for the account management consists of several menu tabs. The first 3 menu
tabs cover the password policies, the local user accounts and the user roles. On each tab the
corresponding information is shown for display and modification.

Common to all menu tabs are 2 buttons at the top of each tab. These buttons control the changes
made by the administrator. At startup all control elements are disabled, showing the current
configuration. To make changes, the administrator simply starts using the user interface; both
control buttons then become active. When finished, the administrator can accept and store the
changes by pressing the button “Save”, or return to the former configuration by declining the
changes with the button “Cancel”. It is irrelevant on which tab the control buttons are used. The
change process can be started or finished on any tab.

ADVICE
Be sure to save any wanted modification in the user account management by pressing the
“Save” button.

When the changes are accepted, an additional dialog appears to confirm the decision. The changed
account configuration is active right after accepting the changes. There is no need to reset the RTU,
but all users are logged out and a re-login is required. While the changes are being accepted, they
are distributed to the CMUs of the RTU, which can take a few seconds.

To avoid conflicts, no access is possible via the Web server once an administrator has started
the account change process. This includes access from other CMUs as well. The next
chapters describe each menu tab in detail.

2.6.1 Security Policies

In the first tab of the user management the security policies of the RTU500 series are defined.
Security policies are general rules, which are valid for all users and for the whole RTU500 system.
As shown in the figure below the security policies are divided into the following two sections:

• Functional policies that define restrictions in the access to the RTU500 series and
• Password policies that define rules that a password must fulfill to get accepted.


Figure 27: Menu tab security policies

The following sections describe the functional and password policies in detail.

2.6.1.1 Functional Policies

The functional policies define restrictions in the access to the RTU500 series. When activated,
certain functionalities are disabled and cannot be used anymore. The following functional policies
can be activated for the whole system:

• PLC online debugging
Disable the access to the PLC online debugging. This includes start/stop of PLC programs,
display and setting of PLC variables.
• COMPROTware RIO Server
Disable the access to the COMPROTware RIO Server. That means disabling the possibility to
listen to telegram traffic on serial and Ethernet interfaces.
• Web server Test Mode
Disable the Web server testing and simulation mode. This includes time administration,
simulation of process inputs and commands in the test manager.
• Online parameter change
Disable the possibility to change single parameters online with the Web server.
• Online configuration change
Disable the possibility to change the RTU configuration online with the web server.

See part (1) of the Web server screenshot "Fig. 27: Menu tab security policies" for the password
policies user interface.

2.6.1.2 Password Policies

The password policies define rules that a password must fulfill to be accepted by the RTU500
series. To enable the password policies the check box “Enforce password policies” must be
checked (see figure in last chapter). Changes in the password policies are considered only when
a password is changed. Exception: Password lifetime is considered immediately, i.e. at the next
login. That means existing passwords are not checked against the policies and the passwords are
still valid and usable. To be sure that all passwords are compliant, the passwords must be changed
after defining a password policy.

After enabling the password policies the control elements are enabled and changes can be made.

The following parameters are editable:

• Password minimum length.
The required length of a password can be set to a value from 3 to 31.
• Password lifetime.
This parameter defines the time after which a password becomes invalid and can no longer be
used. The time is configured in days with a range from 0 to 1000. The value 0 means that
the password never becomes invalid.
For each user the password expiration date is calculated and stored individually. This expiration
date is set to the current date if the password of the user is changed or the user is created.
Users with roles with the permission 'manage user accounts' (usrAccount@RTU500) are
allowed to log in even if the password has expired. By default, these are the roles 'Administrator'
and 'SECADM'; the users 'Default' and 'Admin' usually have at least one of these roles.
• Lower case characters.
If this check box is set the passwords must contain at least one lower case character.
• Upper case characters.
If this check box is set the passwords must contain at least one upper case character.
• Numeric characters.
If this check box is set the passwords must contain at least one numeric character '0' to '9'.
• Special characters.
If this check box is set the passwords must contain at least one of the listed special characters:
“[!£$%^&*@?<>+_]\”

Even when the password policies are not enabled there are certain rules for passwords. These are
minimal rules to ensure proper system functionality.

These implicit rules are:

• A password must be at least 3 characters long.
• A password must not be more than 31 characters long.
• A whitespace character is not allowed as part of the password.
• For passwords the following characters are allowed:
“abcdefghijklmnopqrstuvwxyz”
“ABCDEFGHIJKLMNOPQRSTUVWXYZ”
“0123456789”
“[!£$%^&*@?<>+_]\”

Independent of the password policies there are also implicit rules for user names. These rules
are:

• A user name must be at least 3 characters long.
• A user name must not be more than 31 characters long.
• A whitespace character is not allowed as part of the user name.
• For user names the following characters are allowed:
“abcdefghijklmnopqrstuvwxyz”
“ABCDEFGHIJKLMNOPQRSTUVWXYZ”
“0123456789”
“-.@_”
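An offline pre-check of candidate user names and passwords against the implicit rules and the password policy check boxes above, as an added example (not code from the RTU500 firmware or from Hitachi Energy). It assumes that the brackets and the backslash in the special character list are delimiters rather than allowed characters, leaves out the password lifetime, and applies the check to the factory default accounts listed in section 2.6.2 to show which of them a given policy would force to be changed; all function names are illustrative.

```python
"""Offline pre-check of RTU500 user names and passwords (added example)."""
import string
from dataclasses import dataclass

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
# Assumption: the brackets and the trailing backslash in the manual's special
# character list are delimiters, not members. This is the conservative reading:
# a password accepted here is accepted under either reading.
SPECIAL = set("!£$%^&*@?<>+_")
PASSWORD_CHARS = LOWER | UPPER | DIGITS | SPECIAL
USERNAME_CHARS = LOWER | UPPER | DIGITS | set("-.@_")
MIN_LEN, MAX_LEN = 3, 31  # implicit limits for user names and passwords

# Factory accounts from Tables 7 and 8 of this manual (password equals user name).
DEFAULT_ACCOUNTS = ("Show", "Load", "Control", "Admin", "Operator", "Default", "Recover")


@dataclass(frozen=True)
class PasswordPolicy:
    """Editable parameters of the password policies (lifetime not modelled)."""
    enforce: bool = False          # check box 'Enforce password policies'
    min_length: int = 3            # allowed range 3..31
    require_lower: bool = False
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False

    def __post_init__(self):
        if not MIN_LEN <= self.min_length <= MAX_LEN:
            raise ValueError("minimum length must be between 3 and 31")


def _implicit_violations(value, allowed, what):
    """Rules that apply even when the password policies are not enabled."""
    problems = []
    if len(value) < MIN_LEN:
        problems.append(f"{what} is shorter than {MIN_LEN} characters")
    if len(value) > MAX_LEN:
        problems.append(f"{what} is longer than {MAX_LEN} characters")
    if any(ch.isspace() for ch in value):
        problems.append(f"{what} contains whitespace")
    bad = sorted({ch for ch in value if not ch.isspace() and ch not in allowed})
    if bad:
        problems.append(f"{what} contains characters that are not allowed: {''.join(bad)}")
    return problems


def check_username(name):
    """Return the list of rule violations for a user name (empty if valid)."""
    return _implicit_violations(name, USERNAME_CHARS, "user name")


def check_password(password, policy):
    """Return the list of rule violations for a password under `policy`."""
    problems = _implicit_violations(password, PASSWORD_CHARS, "password")
    if not policy.enforce:
        return problems
    if len(password) < policy.min_length:
        problems.append(f"password is shorter than the policy minimum of {policy.min_length}")
    classes = (
        (policy.require_lower, LOWER, "lower case"),
        (policy.require_upper, UPPER, "upper case"),
        (policy.require_digit, DIGITS, "numeric"),
        (policy.require_special, SPECIAL, "special"),
    )
    present = set(password)
    for required, charset, label in classes:
        if required and not present & charset:
            problems.append(f"password has no {label} character")
    return problems


def accounts_needing_change(policy, accounts=DEFAULT_ACCOUNTS):
    """Factory accounts whose default password would be declined under `policy`.

    Existing passwords are not re-checked when a policy is enabled, so these
    accounts keep working with their default password until it is changed.
    """
    return [name for name in accounts if check_password(name, policy)]


if __name__ == "__main__":
    hardened = PasswordPolicy(enforce=True, min_length=12, require_lower=True,
                              require_upper=True, require_digit=True, require_special=True)
    print("defaults to change:", accounts_needing_change(hardened))
    print(check_password("abc#def", hardened))
```

A policy that only requires upper and lower case characters declines none of the factory default passwords, so a minimum length or a numeric or special character requirement is what makes the policy reject them at the next password change.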

The number of failed login attempts is tracked per user and can be defined with parameter 'Login
attempts'.

| Parameter name | Default | Parameter location |
|---|---|---|
| Login attempts | 3 | Security Policies |

The number of failed login attempts.

If the number of failed login attempts exceeds the defined limit, login of this user is locked for a
fixed time-out of 10 minutes and security event 1170 'Log-in failed 3 times' is generated. The function
is activated by default and set to 3. The maximum allowed is 99. The function can be deactivated via
the parameter 'Disable login lock'.

| Parameter name | Default | Parameter location |
|---|---|---|
| Disable login lock | Disabled | Security Policies |

Count number of failed login attempts and lock the user for 10 minutes if the limit is exceeded.

See part (2) of the Web server screenshot "Fig. 27: Menu tab security policies" for the password
policies user interface.

2.6.2 User Accounts / Passwords

In the second menu tab the local user accounts are defined. The tab shows in a table the names
of the existing local user accounts (see figure below). The password of a user account can be
changed by selecting the lock symbol at the left side of the table, and the local user account can be
deleted by selecting the trash can symbol. Be careful: there is no confirmation prompt when deleting
a local user account, and a deleted user account cannot be restored.

On the right side of the table are the assignments of the user roles. One or several roles can be
assigned to a local user account. The user role can be assigned or withdrawn by selecting the
corresponding checkbox at the user account. The specific permissions assigned to a user role are
defined in the menu tab “User Roles” described in the next chapter.

Figure 28: Menu tab user accounts

At the end of the table of existing local user accounts there is an empty field for adding a new local
user. A new local user account is created by typing a user name and pressing <ENTER>. Then a
dialog appears to set the initial password of the new user account (as shown in the next figure). By
confirming the dialog with “Ok” the user account is created. For information about rules that must be
considered when choosing a user name or password see the chapter about the password policies.

When changing a local user password the same dialog appears as when setting the initial
password. The dialog displays the affected user name and 2 text fields for typing the new
password. The password must be typed two times to eliminate unintentional typing errors. The new
password is accepted only if both text fields contain the same password.

The new password is checked against the policy rules when the button “OK” is selected. In case
of violations the password is declined, an error message is shown and a valid password must be
defined. The dialog can be finished by pressing the button “Cancel”. In this case the password is not
changed and the old password is still valid.

Figure 29: Dialog to change the password of a user

It is also possible to add new users or change existing ones using certificates in X509v3 format
saved as PEM files. When using this option, the ‘User Authority’ certificate shall be loaded first.
The workflow is similar to the method without a certificate. The only difference is that the user is
added by loading a certificate. It is not possible to change roles assigned by certificate. For more
detailed information about adding users with a certificate see User Manual Security Deployment
Guide Release 13 (1KGT151106).


Figure 30: User certificate upload area

In delivery status the RTU500 series contains the following predefined local user accounts, with
their assigned user roles and their defined default user role:

| Default user name | Default password | Assigned user roles | Default user role |
|---|---|---|---|
| Show | Show | Viewer | Viewer |
| Load | Load | Installer | Installer |
| Control | Control | Installer, Engineer | Installer |
| Admin | Admin | Engineer, Administrator | Engineer |
| Operator | Operator | Operator | Operator |
| Default | Default | Viewer, Operator, Installer, Engineer, SECAUD, RBACMNT, SECADM, Administrator | Viewer |
Table 7: Default user accounts in the RTU


During migration from the previous RTU560 user account management (before release 12) the
existing local user accounts are taken as they are. That means user names, passwords and role
assignments remain unchanged after the migration.

ADVICE
The predefined superuser Default is added to the local user accounts during migration from
the previous RTU560 user account management. So, if the local user accounts are defined
individually, be sure to remove the superuser after the migration.

In delivery status the RTU530 contains the following predefined local recovery user account:

| Default user name | Default password |
|---|---|
| Recover | Recover |
Table 8: Recovery user account in the RTU

Figure 31: Recovery User Account Management

2.6.3 User Roles

In the third menu tab the user roles and their permission assignments are defined. The tab shows
in a table the names of the existing user roles (see figure below). A user role can be deleted by
selecting the trash can symbol on the left side of the table. Be careful: there is no confirmation
prompt when deleting a user role, and a deleted role cannot be restored.

On the right side of the table are the specific permissions assigned to a user role. A permission can
be assigned or withdrawn by selecting the corresponding checkbox at the user role.


Figure 32: Menu tab user roles

There is an empty field at the end of the table of existing roles for adding a new user role. A new
user role is created by typing a role name and pressing <ENTER>. The following rules are
defined for role names:

• A role name must be at least 3 characters long.
• A role name must not be more than 19 characters long.
• Whitespace characters are allowed as part of the role name.
• For role names the following characters are allowed:
“abcdefghijklmnopqrstuvwxyz”
“ABCDEFGHIJKLMNOPQRSTUVWXYZ”
“0123456789 ”

The account permissions available in the RTU500 series are fixed and cannot be changed.
Each defined account permission allows several actions within the RTU500 series Web server or
Integrated HMI. The table below shows all available permissions and describes the allowed actions
for every permission in detail.

Permission Definition Description

viewData@RTU500 Read and view RTU data:
• View system diagnostics log in Web server.
• View and download system diagnostics file in Web server.
• View RTU500 series process data in hardware tree of Web server.
• Enable and disable RIO protocol logging mode in the Web server. Once enabled there is no
restriction on the access to the RIO server. That means the real access is not protected by user
name and password. The RIO protocol logging mode is disabled after a fixed timeout of 30 minutes
if no online connection exists.
• View and download process archive information via the Web server (events and indications,
measured values and integrated total).
• Download archived disturbance record files via the Web server.
• View online parameter changes in the engineering part of the Web server.
• View online configuration in the engineering part of the Web server.
config@RTU500 Change configuration files:
• Upload and download all RTU500 series configuration files via the Web server. This comprises
the RTU configuration and the Integrated HMI configuration. The certificate handling is not
included in this permission.
• Restart of RTU500 series via RTU500 series Web server.
firmware@RTU500 Change firmware files:
• Upload and download all RTU500 series firmware files via
the Web server. This comprises the RTU basic firmware, the
communication controller firmware and the Integrated HMI
firmware.
• Restart of RTU500 series via RTU500 series Web server.
• View, upgrade and extend RTU500 series protocol/function
licenses (via Web server).
usrAccount@RTU500 User account management:
• Add, modify and delete user accounts (via Web server).
• Add, modify and delete user roles (via Web server).
• Upload and download password files (via Web server).
• Prohibit enabling RIO protocol logging mode (via Web
server).
• Prohibit enabling PLC online debug mode (via Web server).
• Prohibit enabling RTU500 series test mode (via Web server).
• Prohibit online configuration changes (via Web server).
• Prohibit online parameter changes (via Web server).
userRole@RTU500 User role management:
• Assign and withdraw user roles to user accounts (via Web
server).
• Assign and withdraw account permissions to user roles (via
Web server).
• Change user passwords (via Web server).
viewEvent@RTU500 View security event logging / audit trails:
• View logged security events in Web server.
• Download logged security events in predefined CSV format
(via Web server).
enableTest@RTU500 Enabling and use simulation and test mode:
• Enable/Disable RTU500 series test mode via the Web server. The test mode allows the simulation
of inputs/outputs in the test manager of the Web server.
• Enable/Disable 'Time administration test mode' to allow setting of the RTU system time via the
Web server.
• Enable/Disable 'IEC 61850 startup log' (via Web server).
• Enable/Disable Ethernet and PPP interface logging (via Web server).
• Enable/Disable 'IEC 61850 debug trace log' interface (via Web server).
• Enable/Disable 'OS debugging agent' interface (via Web server).
• Simulate inputs, outputs, system events and security events in the RTU500 series test mode via
the Web server (If test mode is enabled).
• Set system time of RTU via Web server, if 'Time administration test mode' is enabled.
enablePlc@RTU500 Enable and use PLC online debug mode:
• Enable/Disable PLC online debug mode via the Web server. Once enabled there is no restriction
on the access to the PLC. That means the real access is not protected by user name and password.
The PLC debug mode is disabled after a fixed timeout of 30 minutes if no online connection exists.
onlineConf@RTU500 Online configuration changes:
• Online configuration changes (Engineering via the RTU500
web server)
onlinePara@RTU500 Online parameter changes:
• Online parameter changes (Engineering via the RTU500
web server)
viewDataHmi@RTU500 Read and view data on the Integrated HMI:
• View all configured Integrated HMI pages.
• View and download process archive information in the HMI event list (events and indications,
measured values and integrated total).
• Acknowledge alarms in the HMI alarm list.
ctrlOpHmi@RTU500 Control operations on the Integrated HMI:
• View all configured Integrated HMI pages.
• View and download process archive information in the HMI event list (events and indications,
measured values and integrated total).
• Acknowledge alarms in the HMI alarm list.
• Do control operations in the Integrated HMI.
certificate@RTU500 Handle certificates for security related functions:
• Access the certificate management in the RTU500 series Web server and upload certificates for
all functionalities that require or support them.
• Delete certificates via the certificate management in the RTU500 series Web server.
• Restart of RTU500 series via RTU500 series Web server.
Table 9: Account permissions available in the RTU

2.6.4 Change User Password

The Administrator can change the passwords of all local user accounts. A normal user can change
only their own password. To change their own password, the user must select the tab “User Accounts”
in the user account management. In this case the user account table shows the logged-in user, and
the password can be changed by selecting the lock symbol. In the change password dialog the
current and the new password must be typed. By pressing “Ok” the minimum password policies are
checked and, if the password is valid, the dialog closes. However, closing the dialog does not store
the new password on the RTU500 series.

To store the new password the button “Save” must be selected. With this step the new password
is checked against the locally defined policy rules and stored when valid. By pressing the button
“Cancel” the password is not changed and the old password is still valid. The following figure shows
the user interface for changing the own password of a CAM user.

Figure 33: Dialog to change the own password of a LAM user

2.6.5 Password File Management

The password file of the RTU500 series can be reset to factory default and be exchanged between
different RTUs. For this functionality the password file can be reset, uploaded and downloaded via
the RTU500 series Web server. The corresponding user interface can be found under the link “User
Management” in the menu item “Management”. The figure below shows the user interface for the
password file management in the tab “Password File”.

Figure 34: Menu tab password file management

To reset the password file to factory default the button “Reset” has to be used. When pressed, a
dialog appears to confirm the reset. After confirmation with “Ok” the default password file is active
directly. A reset of the RTU500 series is not necessary, but all users are logged out and a re-login
is required. After the reset all user accounts and passwords are reset to the default values. That
means the re-login must happen with a default user and password.

For the exchange of a password file the file must be downloaded from an RTU first. This is done by
selecting the button “Download” in the tab “Password File”. When pressed, an information status bar
appears as shown in the figure below. To save the downloaded password file on the host PC select
the button “Save”.

Figure 35: Download password file

To upload a previously downloaded password file to another RTU, the file can be dropped onto the
dotted area shown in the figures above, or the area can be clicked with the mouse. In the second case
a file select dialog appears to choose the password file to upload. In both cases a confirmation dialog
appears to confirm the upload. After confirmation with “Ok” the existing password file is replaced
by the uploaded file. If successful, the new password file is active directly. A reset of the RTU500
series is not necessary, but all users are logged out and a re-login is required.

2.6.6 Password File Harmonization

In normal operation mode all changes described in chapter "User Management" are automatically
distributed to all communication units and stored in the password file of each unit (no restart of the
RTU required).

In the following system states, inconsistent password files can occur between the communication
units:

– Adding a new communication unit into the system
– Missing/faulty communication unit during the changes

If the password file is inconsistent between different CMUs, the RTU500 series goes into a
restricted mode. In this mode a login is possible but the only function available is the harmonization
of the password file. The harmonization of the password file requires administrator permissions.
After a login without administrator permissions in restricted mode, the Web server shows the error
message displayed below.

Figure 36: Error message administrator permissions required

After login with administrator permissions the RTU500 series Web server shows the normal
user interface. Because of the restricted mode, however, every function besides the harmonization
of the password file is locked. If a locked function is selected the Web server shows a corresponding
error message, as shown in the next figure.

Figure 37: Error message password file inconsistency

To start the password file harmonization, select the link 'User Management', found under the menu
item 'Management' (see figure below). When selected, the user interface for the account management
appears. The last tab (called 'Harmonization') in the user interface is used for the password file
harmonization by authenticating all available CMUs. Because the authentication involves sensitive
information, the following notice has to be considered.

ADVICE
The web pages of this functionality require secure HTTPS access. It is not possible to open the
web pages with standard HTTP access.

Figure 38: Web server menu user account management

Before a harmonization of the password file is possible, the user must provide the authentication
of the administration user for all detected CMUs. The provided authentications are compared
with authentications requested from the other CMU modules. Only if all authentications are correct
can the password file be harmonized and distributed to the other CMU modules.

The next figure shows an example for an RTU with 2 CMUs. For each detected CMU the rack and
slot address is shown. Furthermore there are input fields for user name and password and a button
to authenticate each CMU. A CMU is authenticated by entering a user account with administrator
permissions and selecting the button 'Authenticate'. A correctly authenticated CMU is identified by
the check box on the right side.

Figure 39: Password file harmonization

When all CMUs are authenticated the distribution of the password file is started by selecting the
button 'Harmonize' at the top of the page. The harmonization distributes the password file of the
connected CMU to all other CMUs. The distribution within the RTU can take a few seconds. If the
distribution was successful, the harmonized password file is active directly. A reset of the RTU500
series is not necessary, but all users are logged out and a re-login is required.

2.6.7 Recommendations

| Recommendation | Implementation in the RTU500 series | Reference to standards |
|---|---|---|
| All default users and user passwords shall be deleted | The RTU system provides means to configure individual secure user accounts. | |
| There shall be individual user accounts. No shared user accounts shall be used. | The RTU system provides means to configure individual secure user accounts. Only with individual accounts the traceability in the security logs is possible. | |
| Users shall only have the minimum rights required. | The RTU provides a role based user account management. New roles can be defined. All predefined roles can be deleted. | |
| A strong password policy shall be defined. | Use the RTU password policy setting option to enable strong passwords. | NERC CIP-007-3a “Cyber Security - Systems Security Management”; IEC 62443 |
| A maximum lifetime for a user password shall be defined | Use the RTU password policy setting option to enable a password lifetime. | NERC CIP-007-3a “Cyber Security - Systems Security Management”; IEC 62443 |
| Login lock shall remain enabled. | Use the RTU password policy setting option to set login attempts. | |
Table 10: Recommendations for local user account management

ADVICE
When removing user accounts or roles the RTU500 series firmware ensures that at least one
administrator account remains (user account with permission 'usrAccount@RTU500'). Be sure
to keep the password of this administrator account because there is no possibility to reset an
administrator password. If the administrator password is lost, a new flash card (with factory
settings) has to be used.

2.7 Certificate Management


Several security functionalities in the RTU500 series require externally generated certificates.
Examples of these functionalities are the central user account management (see chapter )
and the secure Web server (see chapter ). In either case the external certificates must be uploaded
via the web interface of the RTU500 series. The following chapter describes the process to upload
these certificates.

2.7.1 Certificate Upload

In the Web server menu, the link “Certificate Management” is the entry point for the certificate
upload. This link can be found under the menu item “Management” as shown in the figure below.
Because the certificate upload involves sensitive information, the following notice has to be
considered.

ADVICE
The web pages of this functionality require secure HTTPS access. It is not possible to open the
web pages with standard HTTP access.

Figure 40: Web server menu certificate management

In the certificate management, the certificates for different functionalities can be uploaded to the
RTU500 series. Generally there are two types of certificates with the following characteristics:

• Public Key certificates
These certificates contain the public key of a server certificate. This certificate type is used for
client activities in the RTU500 series like the central user account management (CAM). As the
certificates contain public information only, no password is required for the upload. The public
key certificates must be in PKCS#7 format and the file extension must be “*.p7b”.
• Private Key certificates
These certificates contain an end-entity certificate with a public/private key pair and possibly the
whole certificate chain. The certificates are used for server activities in the RTU500 series like
the Web server. For the upload the passphrase of the private key is required. The private key
certificates must be in PKCS#12 format and the file extension must be “*.p12”.

The user interface for the certificate upload is divided into two areas. The upper area contains the
certificates currently uploaded to the RTU500 series and the lower area controls the upload. The
following figure shows an example with two certificates to upload: one public key certificate for
CAM and one private key certificate for the Web server. As there is no trusted certificate for the
Web server uploaded in the example, a certificate error is shown. This error is resolved after the
upload of the Web server certificate (see last figure in this chapter).

Figure 41: Certificate management user interface

To upload a certificate the following steps have to be executed in the lower area of the user interface:

1 Select the description of the certificate to upload in the column “Certificate description”. The
selection lists all entries of the certificate store configured in RTUtil500. The selection
text is the descriptive name set in RTUtil500 as explained in the chapter about the RTUtil500
configuration. The type of certificate to upload is written in the column “Certificate Type” of the
upper area.
2 Select a certificate file by dropping the file on the lower area or by using the file open dialog
that appears when the area is clicked with the mouse. Depending on the certificate type, the file
must be in PKCS#7 or PKCS#12 format.
3 If a private key certificate is uploaded, the password or passphrase of the private key
is required. To enter the passphrase select the lock symbol on the left side. When pressed, a
dialog appears to enter the passphrase. The passphrase is used to decrypt the private key of
the certificate after the upload. For storage on the memory card the private key is re-encrypted
with a memory card specific key. The entered passphrase is not stored on the RTU500 series.
For public key certificates no passphrase is required.

When all steps are finished the certificate can be uploaded by pressing the upload button (see
figure below). The upload button does not appear until all required information is set.

Figure 42: Start certificate upload

If the certificate upload fails, check the system log for additional information.

Depending on the activity that uses the uploaded certificate, it may be necessary to restart the
RTU500 series to activate the certificate. Please refer to the documentation of the specific activity
to find out whether a restart is required or not. In the example shown here the Web server
certificate requires a restart but the CAM certificate does not.

After a successful upload and activation the certificate management looks as shown in the next
figure. The upper area now contains the information about the uploaded certificates. The certificate
error due to the missing trusted Web server certificate is not shown anymore.

Figure 43: Certificate upload successfully finished

The system log contains diagnostic information about changes in the current certificate state:
• Deleted,
• Added,
• Updated,
• Not available,
• Revoked.

For more information about the Web server certificate see chapter "External Certificate".

2.7.2 Certificate Revocation List (CRL) Upload

In the Web server menu, the link 'Certificate Management' is the entry point for the CRL file upload.
This link can be found under the menu item 'Management' as shown in the figure below. Because the
CRL upload involves sensitive information, the following notice has to be considered.

ADVICE
The web pages of this functionality require secure HTTPS access. It is not possible to open the
web pages with standard HTTP access.

Figure 44: Web server menu certificate management

In the certificate management, the CRL can be uploaded to the RTU. In general, Certificate
Revocation Lists are expected in PEM format.

Figure 45: Certificate management user interface

The user interface for the certificate or CRL upload is separated in two areas. The upper area
contains the certificates and CRLs already uploaded to the RTU. The lower area controls the
upload. The following figure shows an example with one CRL to upload.

Figure 46: Select a place for CRL before upload

To upload a CRL the following steps have to be executed in the lower area of the user interface:
1 Select the description of the CRL to upload in the column 'Certificate description'. The
selection lists all entries of the CRL store configured in RTUtil500 ('CRL_File'). The type of
CRL to upload is written in the column 'Certificate Type' of the upper area.
2 Select a CRL file by dropping the file on the lower area or by using the file open dialog that
appears when the area is clicked with the mouse. The file must be in PEM format.
3 A password or passphrase is not required.

When all steps are finished the CRL can be uploaded by pressing the upload button (see figure
below). The upload button does not appear until all required information is set ('Certificate
description').

Figure 47: CRL upload button

The RTU validates the uploaded certificate revocation list. If the system time is set on the device
and the CRL is outdated, a red exclamation mark is displayed.

Figure 48: Outdated CRL

The next validation step is an issuer certificate check. The following states are applicable for CRL
validation:
• 'valid': any loaded certificate bundle contains the issuer certificate and the CRL is signed by the issuer,
• 'invalid': no certificate to validate the CRL, but at least one certificate subject is equal to the CRL issuer,
• 'uploaded': no certificate to validate the CRL.

After a successful CRL upload the certificate management looks as shown in the next figure. The
upper area now contains the information about the uploaded certificates and which ones are revoked
by the uploaded CRL. If an intermediate CA is revoked, all subordinate certificates are revoked as well.

Figure 49: CRL file upload successfully finished. One certificate ('CERT') is revoked

Information about revoked certificates is included in the system log and the Security Archive. For
an RTU560 with multiple CMUs or configured in redundant mode, the CRL is automatically distributed
between the boards.

ADVICE
If the Certificate Revocation List file was generated by a different certificate authority than the
currently loaded CRL, the previous CRL must be removed before the new one is uploaded (otherwise a
transfer error appears).
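
The CRL checks described in this chapter (outdated list, the issuer check with its three states, and revocation of everything below a revoked intermediate CA), modelled as an added Python example; it is not code from the manual or from the RTU500 firmware. It assumes the third-party `cryptography` package; the demo certificates, all function names, and the reading of 'invalid' as "subject matches the CRL issuer but the signature does not verify" are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, issuer_cn, issuer_key, now, is_ca):
    """Constructed demo certificate; issuer_key=None makes it self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(name(cn))
        .issuer_name(name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return key, cert


def make_crl(issuer_cn, issuer_key, revoked_serials, last_update, next_update):
    """Constructed demo CRL in PEM, the format the manual says the RTU expects."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(name(issuer_cn))
        .last_update(last_update)
        .next_update(next_update)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(last_update)
            .build()
        )
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def crl_next_update(crl):
    """nextUpdate as an aware UTC datetime, across cryptography versions."""
    value = getattr(crl, "next_update_utc", None)      # cryptography >= 42
    if value is None and crl.next_update is not None:  # older releases: naive UTC
        value = crl.next_update.replace(tzinfo=timezone.utc)
    return value


def check_crl(crl_pem, loaded_certs, now):
    """Return (state, outdated, revoked_serials) for an uploaded CRL."""
    crl = x509.load_pem_x509_crl(crl_pem)
    next_update = crl_next_update(crl)
    outdated = next_update is not None and next_update < now
    state = "uploaded"                       # no certificate matches the CRL issuer
    for cert in loaded_certs:
        if cert.subject != crl.issuer:
            continue
        if crl.is_signature_valid(cert.public_key()):
            state = "valid"                  # issuer present and signature verifies
            break
        state = "invalid"                    # subject matches, signature does not
    revoked = set()
    if state == "valid":                     # assumption: only a verified CRL revokes
        revoked = {
            c.serial_number for c in loaded_certs
            if c.issuer == crl.issuer
            and crl.get_revoked_certificate_by_serial_number(c.serial_number) is not None
        }
        grew = True
        while grew:                          # revoked CA => its subordinates as well
            below = {
                c.serial_number for c in loaded_certs
                if c.serial_number not in revoked
                and any(p.subject == c.issuer and p.serial_number in revoked
                        for p in loaded_certs)
            }
            grew = bool(below)
            revoked |= below
    return state, outdated, revoked


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    root_key, root = make_cert("Demo Root CA", "Demo Root CA", None, now, True)
    sub_key, sub = make_cert("Demo Sub CA", "Demo Root CA", root_key, now, True)
    _, leaf = make_cert("CERT", "Demo Sub CA", sub_key, now, False)
    crl = make_crl("Demo Root CA", root_key, [sub.serial_number],
                   now - timedelta(hours=1), now + timedelta(days=30))
    print(check_crl(crl, [root, sub, leaf], now))
```

Running the same check on the engineering PC before an upload shows whether the issuer bundle already on the RTU matches the CRL and whether the list has passed its nextUpdate time.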

2.8 CAM Management


The central user account management (CAM) in the RTU500 series is an extension of the standard
local account management (LAM). In a CAM setup the user authentication (with user name and
password) is done on an external CAM server that manages all user accounts of a system. For
detailed information about the central user account management see User Manual Security
Deployment Guide Release 13 (1KGT151106).

The central user account management (CAM) in the RTU500 series is enabled by a
corresponding configuration in RTUtil500. This configuration contains the type of CAM server but no
communication related information. This information is set via the RTU500 series Web server to
protect the access and to allow changes without updating the RTUtil500 configuration.

In the Web server menu the link “CAM Management” is the entry point for the communication
configuration of the CAM client. This link can be found under the menu item “Management” as
shown in the next figure. The link is also shown if no CAM client is configured. In this case an
error message appears if the menu item is selected.

Figure 50: Web server menu CAM management

Selecting the menu item starts a user interface to perform the following tasks:

• Set the communication parameters of the CAM client
• Send the communication parameters of the CAM client in a file to the RTU
• Receive the communication parameters of the CAM client in a file from the RTU
• Activate or deactivate the CAM client
• Test the connection and authentication of the CAM server

The user interface for the central account management consists of several menu tabs. Each menu
tab handles one (or more) of the tasks stated above. The next chapters describe each menu tab in
detail.

The user interface is available only on the CMU (non-redundant CMU or active CMU of a redundant
pair) that contains the CAM client, and the configuration is specific to this CAM client.
On other CMUs without a CAM client (in a multi-CMU setup), no information is shown in
the CAM management user interface. That means the CAM client must be configured on the CMU that
contains the client.

2.8.1 Setting Communication Parameter

In the first tab of the central user account management the communication parameters of the
CAM client can be set. A grid view shows information about the CAM client and allows specific
communication parameters to be set. An example of the user interface is shown in the figure below.

Figure 51: Menu tab for communication parameter setting

As information, the grid view shows the CAM client number, the actual CAM activation state and
the CAM server type. The client number and the server type are from the RTUtil500 configuration
used. The activation state indicates whether the specific CAM client is active or not. For detailed
information about the possible activation states see chapter . The information part in the grid view is
static and cannot be changed by the user.

The subsequent connection parameters can be set by the user or changed from the default values.
The parameters are up to two IP addresses of the CAM server, the used TCP/IP port and the
communication timeout in seconds. The timeout is required to consider low bandwidth connections.

Besides the connection parameters up to 8 base distinguished names (Base DNs) can be defined.
The base distinguished names define in which area/domain the CAM server shall search for the
requested user authentications. The area/domain is a classification criterion not related to user
groups or roles. Please refer to the documentation of the CAM server in use to determine how the
base distinguished names must be set.

Editing the communication parameters is possible only if the CAM client is not active. If the client
is active the parameters are shown but cannot be changed. To enable editing again the CAM client
must be deactivated. When editing is finished the changes must be confirmed by pressing the
“Save” button above the grid view. When saved the parameters are checked for validity and stored
on the RTU. In case of invalid parameters a corresponding error message appears and the parameters
are set back to the last values. If the web page is switched without saving the communication
parameters, any changes are lost.

If the parameter changes shall be dismissed and not stored on the RTU, the button “Cancel” can be
pressed. In this case a confirmation dialog appears and, if approved, the last stored parameters are
reloaded, overwriting any changes.

To be able to activate the CAM client in the RTU500 series the following communication parameters
must be set at least:

• One CAM server IP address. The second IP address can be set for redundant server setups.
• The TCP/IP port. It is recommended to use the standard LDAP port 389 (default value) but this
can be changed if required.
• The communication timeout between 1 and 300 seconds.
• At least one base distinguished name. The other distinguished names can be set if the CAM server
shall search for users in several domains.

2.8.2 Upload Communication Parameter

In the second menu tab the communication parameters of the CAM client can be uploaded to
or downloaded from the RTU. For upload and download, the CAM client communication parameters are
contained in a structured XML text file. For uploading, the RTU500 series supports two
XML file formats: first, the file format specified for the IEC 62351 Authentication Server included in
SDM600 (SDM600 format); second, an extended format including all CAM client communication
parameters supported by the RTU500 series (RTU500 format). For detailed information about the file
formats see the paragraphs below.

The user interface for uploading and downloading the communication parameters (see figure below)
is divided into two areas. The upper area contains the communication parameters currently stored
on the RTU500 series and the lower area controls the uploading to the RTU.

Figure 52: Menu tab for upload/download CAM client communication parameter

To download the currently stored communication parameters, press the receive button in the
grid row for the communication parameters (in the upper area). When pressed, the current parameters
are downloaded from the RTU and stored in XML format in the download folder of the host PC. The
XML format used is the extended format including all CAM client communication parameters supported
by the RTU500 series. The received file is a standard text file that can be edited and sent back to the
same or any other RTU with a CAM client. The name of the downloaded file is “camComConf.xml”.

To upload the CAM client communication parameters to the RTU, the following steps have to be
executed in the lower area of the user interface:

1 Select 'CAM client communication parameter' in the column for the file description. The two
file formats supported by the RTU500 series are detected automatically.
2 Select a file with communication parameters by dropping the file on the lower area or by using the
file open dialog that appears when the area is clicked with the mouse. The XML parameter file must
be in one of the two supported formats. The file to upload can have any name but the extension must
be '*.xml'.

When both steps are finished the communication parameters can be uploaded to the RTU by
pressing the send button (see figure below). The send button doesn't appear before all required
information is set. The uploaded file with the communication parameters is checked for
completeness, validity and plausibility by the RTU500 series firmware. If the uploaded file is
not correct the CAM client communication parameters are not set and a corresponding message is
presented to the user.

Figure 53: Example CAM client communication parameter upload

The version number shown in the upper area can be used to check whether different RTUs use the
same CAM client communication parameters. The version number is built according to the following
rules:

• When a parameter file in SDM600 format is uploaded to the RTU the version number is reset to
0, because the SDM600 format doesn't contain version information.
• When a parameter file in RTU500 format is uploaded to the RTU the version number is
overwritten by the number stored in the file (see format below).
• Each time the communication parameters are changed and saved in the 'Parameter' tab, the
version number is increased by 1.

The two file formats supported for the communication parameters are the SDM600 and the
RTU500 format. In both formats the parameters are described in an XML structure. The formats
differ in the available parameters and the XML tags used. The RTU500 format
contains all CAM client communication parameters supported by the RTU500 series including a
version number. The SDM600 format contains, besides other definitions, only a subset of the
supported parameters. The following section shows an example of the SDM600 format:

    <?xml version="1.0"?>
    <SDM600_CAM_IED_Configuration
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns="http://abb.com/ConfigurationSchema.xsd">
      <IED_information>
        <name>Aeroglen</name>
        <description>Aeroglen</description>
        <address>192.168.0.110</address>
      </IED_information>
      <BaseDN> ou=CamUsers,dc=vmbox,dc=int</BaseDN>
      <Replication_Group>memberOf=cn=RTU_Engineer,ou=Groups,dc=vmbox,dc=int</Replication_Group>
      <Replication_Interval>1440</Replication_Interval>
      <CAM_Servers>
        <CAM_Server>
          <ldapaddress>ldap://192.168.0.201:389</ldapaddress>
        </CAM_Server>
      </CAM_Servers>
    </SDM600_CAM_IED_Configuration>

The parameters relevant for the RTU500 series in the SDM600 format are the base distinguished
name 'BaseDN' and the LDAP address 'ldapaddress'. The distinguished name is taken as it is and the
LDAP address is parsed for the IP address and port number of the CAM server. The parameter file
in SDM600 format is part of the configuration package generated by SDM600 (see System Data
Manager SDM600 - User Manual). Before uploading the parameter file to the RTU extract the file
from the configuration package (ZIP format) provided by SDM600. The file can be identified by the
extension '*.xml'.

The RTU500 format contains all communication parameters shown in the 'Parameter' tab and
described in chapter "Setting Communication Parameter". An example of the RTU500 format is
shown in the next section.

    <?xml version="1.0" encoding="UTF-8"?>
    <rtu500CAMConfiguration version="12">
      <camServers>
        <camServer>
          <ipAddresses>
            <ipAddress>192.168.1.1</ipAddress>
            <ipAddress>192.168.2.1</ipAddress>
          </ipAddresses>
          <ipPort>389</ipPort>
          <comTimeout>2</comTimeout>
          <baseDNs>
            <baseDN> ou=CamUsers,dc=vmbox,dc=int</baseDN>
            <baseDN> ou=rtuUsers,dc=vmbox,dc=int</baseDN>
          </baseDNs>
        </camServer>
      </camServers>
    </rtu500CAMConfiguration>

The parameter file in RTU500 format can be edited by the user or built from scratch with the needed
values. Use the example above as a guideline but do not exceed the maximum number of supported
parameters. Two CAM server IP addresses and up to 8 base distinguished names are permitted.
For uploading the parameter file to the RTU make sure the file name extension is '*.xml'.
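
A pre-upload check for both parameter file formats described above, as an added Python example using only the standard library; it is not the RTU500 firmware's own validation and is not part of the manual. It detects the format from the root element, extracts the parameters the manual names, and applies the limits the manual states (at most two server IP addresses, timeout between 1 and 300 seconds, one to 8 base DNs). The function names, the stripping of whitespace around values, the rejection of DTD declarations and the treatment of a missing version attribute as 0 are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_SERVER_IPS, MAX_BASE_DNS = 2, 8   # limits stated in the manual
TIMEOUT_MIN, TIMEOUT_MAX = 1, 300     # seconds, as stated in the manual
DEFAULT_LDAP_PORT = 389

# Abbreviated from the manual's SDM600 example.
SDM600_SAMPLE = """<?xml version="1.0"?>
<SDM600_CAM_IED_Configuration xmlns="http://abb.com/ConfigurationSchema.xsd">
  <BaseDN> ou=CamUsers,dc=vmbox,dc=int</BaseDN>
  <CAM_Servers><CAM_Server>
    <ldapaddress>ldap://192.168.0.201:389</ldapaddress>
  </CAM_Server></CAM_Servers>
</SDM600_CAM_IED_Configuration>"""

# The manual's RTU500 example, with whitespace condensed.
RTU500_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<rtu500CAMConfiguration version="12"><camServers><camServer>
  <ipAddresses><ipAddress>192.168.1.1</ipAddress><ipAddress>192.168.2.1</ipAddress></ipAddresses>
  <ipPort>389</ipPort><comTimeout>2</comTimeout>
  <baseDNs>
    <baseDN> ou=CamUsers,dc=vmbox,dc=int</baseDN>
    <baseDN> ou=rtuUsers,dc=vmbox,dc=int</baseDN>
  </baseDNs>
</camServer></camServers></rtu500CAMConfiguration>"""


@dataclass
class CamConfig:
    fmt: str                      # "SDM600" or "RTU500"
    version: int                  # 0 for SDM600, which carries no version
    ips: list = field(default_factory=list)
    port: int = DEFAULT_LDAP_PORT
    timeout: object = None        # None: the file does not carry a timeout
    base_dns: list = field(default_factory=list)


def texts(root, name):
    """Stripped text of all elements with this local name (namespace ignored)."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def parse_cam_config(data):
    """Detect the file format from the root element and extract the parameters."""
    raw = (data.encode("utf-8") if isinstance(data, str) else data).lstrip()
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations do not belong in a parameter file")
    root = ET.fromstring(raw)
    kind = root.tag.rsplit("}", 1)[-1]
    if kind == "SDM600_CAM_IED_Configuration":
        cfg = CamConfig("SDM600", 0, base_dns=texts(root, "BaseDN"))
        ports = set()
        for url in texts(root, "ldapaddress"):      # e.g. ldap://192.168.0.201:389
            parts = urlsplit(url)
            cfg.ips.append(parts.hostname or "")
            ports.add(DEFAULT_LDAP_PORT if parts.port is None else parts.port)
        if len(ports) > 1:
            raise ValueError("servers use different ports; the RTU has one port setting")
        cfg.port = ports.pop() if ports else DEFAULT_LDAP_PORT
        return cfg
    if kind == "rtu500CAMConfiguration":
        # Assumption of this example: a missing version attribute counts as 0.
        cfg = CamConfig("RTU500", int(root.get("version", "0")),
                        ips=texts(root, "ipAddress"), base_dns=texts(root, "baseDN"))
        port, timeout = texts(root, "ipPort"), texts(root, "comTimeout")
        cfg.port = int(port[0]) if port else DEFAULT_LDAP_PORT
        cfg.timeout = int(timeout[0]) if timeout else None
        return cfg
    raise ValueError(f"unknown root element: {kind}")


def validate(cfg):
    """Return a list of problems; an empty list means the limits are met."""
    problems = []
    if not 1 <= len(cfg.ips) <= MAX_SERVER_IPS:
        problems.append(f"need 1..{MAX_SERVER_IPS} server IP addresses, found {len(cfg.ips)}")
    for ip in cfg.ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"not an IP address: {ip!r}")
    if not 1 <= cfg.port <= 65535:
        problems.append(f"TCP port out of range: {cfg.port}")
    if cfg.timeout is not None and not TIMEOUT_MIN <= cfg.timeout <= TIMEOUT_MAX:
        problems.append(f"timeout must be {TIMEOUT_MIN}..{TIMEOUT_MAX} s, found {cfg.timeout}")
    if not 1 <= len(cfg.base_dns) <= MAX_BASE_DNS or "" in cfg.base_dns:
        problems.append(f"need 1..{MAX_BASE_DNS} non-empty base DNs")
    return problems


if __name__ == "__main__":
    for sample in (SDM600_SAMPLE, RTU500_SAMPLE):
        cfg = parse_cam_config(sample)
        print(cfg.fmt, cfg.version, cfg.ips, cfg.port, cfg.timeout, validate(cfg) or "OK")
```

The version value returned for each format follows the manual's rules: 0 for an SDM600 file and the file's own number for an RTU500 file, which makes it easy to compare against the version shown in the upper area after the upload.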

2.8.3 Activate CAM Client

In the third menu tab the CAM client on the RTU can be activated or deactivated. When the CAM
client is not active, which is the default state after the configuration, the user authentication is done
with the local user account management (LAM). After the activation the user authentication is done
on the CAM server. If the CAM server is not available LAM can be used as fallback, if configured
accordingly. For detailed information about the CAM configuration see User Manual Security
Deployment Guide Release 13 (1KGT151106). The next figure shows the structure of the menu tab
for activation/deactivation.

Figure 54: Menu tab for CAM client activation and deactivation

The user interface shows the buttons for activation and deactivation and the current activation
state of the CAM client. The possible activation states are listed below:

• In Configuration
This is the default state indicating that the communication parameters of the CAM client
must be set or sent to the device. The CAM client remains in this state as long as the required
communication parameters are not set and the CAM server public key certificate is not uploaded
to the RTU. In this state the user interface shows (in this tab) a list of missing information and
configuration mistakes that must be added or solved. Activation of the CAM client is not possible
in this state.
• Ready for Activation
When all required communication parameters for the CAM client are set and the CAM server
public key certificate is uploaded the state changes to “Ready for Activation”. In this state the
CAM client can be activated by pressing the button “Activate”.
• Activated
The state “Activated” indicates that the CAM client is active and the user authentication is done
on the CAM server. Activating the CAM client doesn't lead to a log-out. That means the currently
existing user session, whether the user is authenticated by LAM or CAM, remains and the user
stays logged in. When activated the CAM client can be deactivated by pressing the button
“Deactivate”.

The buttons for activation and deactivation of the CAM client are enabled according to the current
state. In the state “In Configuration” both buttons are disabled and cannot be selected. When the
CAM client is activated the “Deactivate” button is enabled and if the state is “Ready for Activation”
the button “Activate” can be selected.

2.8.4 Test Connection

The last menu tab contains the user interface for testing the CAM server connection. The test
makes it possible to check the communication setup without having to log off from the web interface.
Both the LDAP connection to the CAM server and the user authentication on the CAM server can be
checked. The figure below shows the user interface for testing the CAM client.

Figure 55: Menu tab for testing CAM server connection

Testing the server connection is only possible if the CAM client communication setup is complete
and the CAM client is active. If the client is not active an error message appears when the tests are
executed. To start the tests follow the instructions below:

• Testing the LDAP connection:
For testing the LDAP connection to the CAM server, only the button “Test connection” must be
pressed. The result of the test is shown with a corresponding message at the bottom of the
browser window. This test doesn't check the uploaded CAM server public key certificate.
• Testing user authentication:
To test the user authentication provide a user name and password in the corresponding input
fields and press the button “Test connection”. A corresponding message at the bottom of the
browser window shows the result of the test. This test covers the uploaded CAM server public
key certificate. If the user name or the password is missing, no authentication is tested, only the
LDAP connection.

As the CAM client must be active when performing the tests, be sure to consider the following
advice.

ADVICE
If the user authentication test fails with a correct user name and password, deactivate the
CAM client before checking for the reason, because with an activated CAM client and failed user
authentication you may be locked out of the RTU500 series Web server.

2.8.5 Change User Password

In the central account management all user accounts and their passwords are stored on the CAM
server. The administrator of the CAM server can enforce the change of a user password by setting
an expiration time for the password. In this case the user must change his own password after the
set time interval. This change can be done in the RTU500 series Web interface.

To change their own password, the logged-in CAM user must select the menu tab 'User Accounts' in
the user account management. As for the local user accounts, the table that appears shows the
logged-in user, and the password can be changed by selecting the lock symbol. In the change password
dialog the current and the new password must be typed. By pressing 'Ok' the minimum password
policies are checked and if the password is valid the dialog closes. But closing the dialog does not
store the new password on the CAM server.

To store the new password on the CAM server, click on the 'Save' button.

ADVICE
The new password is checked against the policy rules defined on the CAM server and stored if
valid. In case of an error please check your policy settings.

If the new password is invalid or the current password is incorrect an error message is shown. By
pressing the button 'Cancel' the password is not changed and the old password is still valid.

If changing the password succeeds the user is logged-out.

The following figure shows the user interface for changing the own password of a CAM user.

Figure 56: Dialog to change own password of a CAM user

2.9 PKI Management


To support connection to a PKI (Public Key Infrastructure) and to automate certificate and CRL
(Certificate Revocation List) maintenance, the RTU500 series offers functionality to connect as a
client to RA (Registration Authority) servers.

The RTU500 series manages the life cycle of certificates as specified in RFC 7030 and IEC
62351-9. Generation and renewal of certificates is implemented using the EST protocol (Enrollment
over Secure Transport).

The configuration of PKI clients is split in two parts. Static parts and enabling of the configuration
are done with RTUtil500 and deployed to the RTU500 within the RCD (RTU Configuration Data) file.
The part to be modified at runtime of an RTU is configured and persisted with the web based user
interface. Communication parameters and CSR (Certificate Signing Request) attributes included in
a structured XML file can be uploaded to or downloaded from the RTU per PKI client.

PKI client functions are identified by their name and number configured in RTUtil500.

2.9.1 RTUtil500 Configuration

To enable a PKI client, it needs to be added to an Ethernet interface of a CMU module in the RTUtil500
hardware tree. Adding multiple PKI client functions to the same Ethernet interface is supported. The
figures below show an example hardware tree with a PKI client added to the Ethernet interface of a
CMU module.

Figure 57: PKI client in hardware tree (General tab)

Figure 58: PKI client in hardware tree (PKI Client tab)

The following parameters are required in RTUtil500 for configuration per PKI client function:

Parameter name | Default | Parameter location

Name | Empty | General parameter
    Name: maximum 32 characters.
PKI client number | 1 | General parameter
    The PKI client number has to be unique within one RTU configuration.
Pre-configured certificate | Empty | PKI Client
    This certificate is preloaded during installation and used for initial enrollment of certificates.
    It contains the PKI client certificate accepted by the EST server during TLS authentication,
    including its issuer chain. The issuing CA of the certificate chain must be the same as the one
    issuing the EST server's certificate, so that the PKI client can also authenticate the EST server
    (mutual authentication).
Manage RTU500 user authority certificate | Disabled | PKI Client
    If this feature is enabled, the user authority certificate will be managed by a PKI client.
    Only one PKI client of an RTU500 can have this option enabled.

To have a certificate maintained by a configured PKI client, the certificate slot configured in the CMU
certificate store needs to be linked to that PKI client.

The PKI client linked to a certificate slot can also be configured on a different CMU than the certificate
slot itself.

Figure 59: Certificate Store

A dropdown list to select a managing PKI client is displayed for each certificate. That list contains
one entry for each configured PKI client and an entry for a 'None' PKI mode. In the 'None' mode the
user must take care of regular certificate updates manually. The default value after creation of
a project, or if the PKI client has been deleted, is 'None'.

2.9.2 Setting Communication Parameters

Configuration options set at RTU500 runtime are visualized in the Web server and persisted in an
XML configuration file per PKI client function. The configuration user interface is launched from
the menu entry 'PKI Management'.

Figure 60: Management menu

To modify the online configuration of PKI clients, the logged-in user must have the permission
'Certificate handling'. Modifications must be applied and saved individually per PKI client. Any
modifications to PKI client parameters are applied immediately after activation and do not require
a reboot of the CMU to be activated.

In the menu tab 'Parameter' the communication parameters of the PKI client can be set (see
figure below). A grid view shows information about the selected PKI client and allows specific
communication parameters to be set.

Figure 61: Menu tab for communication parameters

The selectable PKI client number/name comes from the RTUtil500 configuration used. The current
PKI activation state is displayed. The activation state indicates whether the specific PKI client is
active or not.

Communication parameters can be set by the user or changed from the default values. The
parameters are up to two IP addresses of the RA/CRL servers, the used TCP/IP port and the
communication timeout in seconds. The timeout is required to consider low bandwidth connections.

Changing the attributes is possible only if the PKI client is not active. If the client is active, the
attributes are shown but cannot be saved. When editing is finished, the changes must be confirmed
by pressing the 'Save' button. If the user leaves the web page without saving the attributes, any
changes are lost.

If the attribute changes shall be discarded and not stored on the RTU, the button 'Cancel' can be
pressed. In this case a confirmation dialog appears and if approved the last stored attributes are
reloaded, overwriting any changes.

To be able to activate the PKI client the following communication parameters must be set at least:

• RA Server IP Address 1 (The second IP address can be set for redundant server setups.)
• RA Server Port 1 (The second port can be set for redundant server setups.)
• RA Communication timeout (between 1 and 300 seconds, Default: 20 seconds)
• RA Communication retries (between 0 and 10, Default: 2)
• RA Time between enrollment attempts (between 1 and 1000 hours, Default: 24 hours)
• Renewal window (between 1 and 365 days, Default: 31 days)

The following CRL configuration parameters are optional:

• CRL server IP addresses, domain names and ports
• CRL Communication retries (between 0 and 10, Default: 2)
• CRL Update interval (between 1 and 1000 hours, Default: 24 hours)

2.9.3 Setting Certificate Attributes

In the menu tab 'Certificates' the CSR (Certificate Signing Request) attributes can be set (see figure
below).

Figure 62: Menu tab for certificate attributes

The following subject attributes required for issuing a CSR can be configured individually for each
certificate:
• Common name (CN) [Mandatory]
• Organization (O) [Mandatory]
• Domain component (DC)
• Country (C)
• Organizational unit (OU)

The key algorithm of the CSR can be:
• RSA_2048bit
• RSA_3072bit
• RSA_4096bit
• ECDSA_secp256r1 [Default value]

Changing the attributes is possible only if the PKI client is not active. If the client is active, the
attributes are shown but cannot be saved. When editing is finished, the changes must be confirmed
by pressing the 'Save' button. If the user leaves the web page without saving the attributes, any
changes are lost.

If the attribute changes shall be discarded and not stored on the RTU, the button 'Cancel' can be
pressed. In this case a confirmation dialog appears and if approved the last stored attributes are
reloaded, overwriting any changes.

2.9.4 Upload Configuration Parameters

In the menu tab 'Upload' the communication parameters and CSR attributes of the PKI client can be
uploaded to or downloaded from the RTU per PKI client. The PKI client communication parameters
are included in a structured XML text file for upload and download.

The user interface for uploading and downloading the parameters (see figure below) is separated into
two areas. The upper area contains the communication parameters currently stored on the RTU and
the lower area controls the uploading to the RTU.

Figure 63: Menu tab for upload/download PKI client parameter

To download the currently stored parameters, press the receive button in the grid row (in the
upper area). When pressed, the current parameters are downloaded from the RTU and stored in
XML format in the download folder of the host PC. The XML includes all PKI client parameters
supported by the RTU500. The received file is a standard text file that can be edited and sent
back to the same or any other RTU with a PKI client. The name of the downloaded file is
'pkiConfiguration_Client<no>.xml'.

To upload the PKI client parameters to the RTU, select the XML file by dropping the file on the lower
area or by using the file open dialog that appears when the area is clicked with the mouse. The XML
parameter file must be in the supported format.

The parameters can be uploaded to the RTU by pressing the send button (see figure below). The
send button does not appear until all required information is set. The uploaded file is checked for
completeness, validity and plausibility. If the uploaded file is not correct, the parameters are not set and
a corresponding message is displayed.

Figure 64: PKI client parameters upload

The following section shows an example of the XML file format:

<rtu500PkiClientConfiguration version="51" id32="24">
  <registrationAuthority>
    <server ipaddr="192.168.52.95" dnsName="pki.example.com" port="8443"/>
    <server ipaddr="63.33.226.161" dnsName="pki2.example.com" port="8444"/>
    <comTimeout>20</comTimeout>
    <timeBetweenAttempts>24</timeBetweenAttempts>
    <renewalWindow>31</renewalWindow>
  </registrationAuthority>
  <crl>
    <server ipaddr="192.168.52.95" dnsName="pki.example.com" port="8080"/>
    <comRetries>2</comRetries>
    <updateInterval>24</updateInterval>
  </crl>
  <certificates>
    <certificate cmuNo="1" entryNo="2" name="Enrolled Cert1">
      <commonName>RTU530 STATION</commonName>
      <organizationName>Company</organizationName>
      <domainComponent>com</domainComponent>
      <countryName>IT</countryName>
      <keyAlgorithm>ECDSA_secp256r1</keyAlgorithm>
    </certificate>
    <certificate cmuNo="1" entryNo="3" name="Enrolled Cert2">
      <commonName>RTU530 STATION</commonName>
      <organizationName>Company</organizationName>
      <domainComponent>com</domainComponent>
      <countryName>IT</countryName>
      <organizationalUnitName>Company-ABC</organizationalUnitName>
      <keyAlgorithm>ECDSA_secp256r1</keyAlgorithm>
    </certificate>
  </certificates>
</rtu500PkiClientConfiguration>
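
A pre-upload check for an edited PKI client parameter file, added here as an example (it is not part of the RTU500 firmware or tooling and does not reproduce the RTU's own checks). It applies the value ranges, mandatory subject attributes and key algorithms listed in chapters 2.9.2 and 2.9.3. Assumptions: the mapping of those parameters to element names is inferred from the example file above, the function names are hypothetical, and absent optional elements are not flagged.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the manual's example file (not a device export).
SAMPLE = """<rtu500PkiClientConfiguration version="51" id32="24">
  <registrationAuthority>
    <server ipaddr="192.168.52.95" dnsName="pki.example.com" port="8443"/>
    <comTimeout>20</comTimeout>
    <timeBetweenAttempts>24</timeBetweenAttempts>
    <renewalWindow>31</renewalWindow>
  </registrationAuthority>
  <crl>
    <server ipaddr="192.168.52.95" dnsName="pki.example.com" port="8080"/>
    <comRetries>2</comRetries>
    <updateInterval>24</updateInterval>
  </crl>
  <certificates>
    <certificate cmuNo="1" entryNo="2" name="Enrolled Cert1">
      <commonName>RTU530 STATION</commonName>
      <organizationName>Company</organizationName>
      <keyAlgorithm>ECDSA_secp256r1</keyAlgorithm>
    </certificate>
  </certificates>
</rtu500PkiClientConfiguration>"""

# Ranges as stated in the manual; the element names they map to are an assumption.
RA_RANGES = {"comTimeout": (1, 300), "comRetries": (0, 10),
             "timeBetweenAttempts": (1, 1000), "renewalWindow": (1, 365)}
CRL_RANGES = {"comRetries": (0, 10), "updateInterval": (1, 1000)}
KEY_ALGORITHMS = {"RSA_2048bit", "RSA_3072bit", "RSA_4096bit", "ECDSA_secp256r1"}
MANDATORY_SUBJECT = ("commonName", "organizationName")


def _in_range(text, low, high):
    return text.isascii() and text.isdigit() and low <= int(text) <= high


def _check_ranges(section, ranges, label, problems):
    for tag, (low, high) in ranges.items():
        node = section.find(tag)
        if node is None:
            continue  # absent elements are not flagged (the manual's example omits some)
        text = (node.text or "").strip()
        if not _in_range(text, low, high):
            problems.append(f"{label}/{tag}: {text!r} not in {low}..{high}")


def _check_servers(section, label, problems):
    servers = section.findall("server")
    for i, srv in enumerate(servers, 1):
        try:
            ipaddress.ip_address(srv.get("ipaddr", ""))
        except ValueError:
            problems.append(f"{label}/server[{i}]: invalid ipaddr {srv.get('ipaddr')!r}")
        if not _in_range(srv.get("port", ""), 1, 65535):
            problems.append(f"{label}/server[{i}]: invalid port {srv.get('port')!r}")
    return len(servers)


def validate_pki_config(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE declaration not expected in a parameter file"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "rtu500PkiClientConfiguration":
        return [f"unexpected root element {root.tag!r}"]
    problems = []
    ra = root.find("registrationAuthority")
    if ra is None:
        problems.append("registrationAuthority: section missing")
    else:
        count = _check_servers(ra, "registrationAuthority", problems)
        if not 1 <= count <= 2:  # the manual allows up to two RA servers
            problems.append(f"registrationAuthority: {count} servers, expected 1 or 2")
        _check_ranges(ra, RA_RANGES, "registrationAuthority", problems)
    crl = root.find("crl")
    if crl is not None:  # CRL parameters are optional
        _check_servers(crl, "crl", problems)
        _check_ranges(crl, CRL_RANGES, "crl", problems)
    for cert in root.iterfind("certificates/certificate"):
        label = f"certificate {cert.get('name')!r}"
        for tag in MANDATORY_SUBJECT:
            if not (cert.findtext(tag) or "").strip():
                problems.append(f"{label}: mandatory {tag} missing")
        algo = cert.findtext("keyAlgorithm")
        if algo is not None and algo.strip() not in KEY_ALGORITHMS:
            problems.append(f"{label}: unsupported keyAlgorithm {algo.strip()!r}")
    return problems


if __name__ == "__main__":
    for line in validate_pki_config(SAMPLE) or ["all checks passed"]:
        print(line)
```

A file that passes these checks can still be rejected by the RTU, whose completeness and plausibility rules are not specified in this manual.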

2.9.5 PKI Client Activation

In the menu tab 'Actions' the PKI client can be activated or deactivated. The buttons for activation
and deactivation of the PKI client are enabled according to the current state. The figure below shows
the current state and the button for activation/deactivation in the first line.

Figure 65: Menu tab for PKI client activation and deactivation

When the PKI client is not active, which is the default state after the configuration, all certificate
enrollments and CRL downloads are disabled. Certificate enrollments and CRL downloads are
possible only after the client has been activated.

When deactivating the PKI client, a duration can be configured. The default value is 24 hours.
Nevertheless, manual activation is possible at any time.

2.9.6 Test Connection

The menu tab 'Actions' contains the user interface for testing the RA server connection. The test
checks the communication setup: it verifies the network connection
to the RA server and also the enrollment preparation by querying and authenticating the CA server
certificates. The figure below shows the user interface for testing the PKI client.

Figure 66: Menu tab for testing the RA server connection

For each RA server identified by IP address and domain name (optional) a button 'Test Connection'
is available to initiate the connection test. Testing the server connection is only possible, if the PKI
client communication setup is complete and the PKI client is active. If the client is not active an error
message appears when the tests are executed.

The following diagnostic messages are possible after the test:

• PKI client not activated.
• Send or receive operation of PKI client failed (network connection issue to the RA server).
• Connected to server, but authentication of CA root certificate failed.
• PKI Connection successful: Server connection of PKI client tested successfully.

ADVICE
If the client connected to the RA server but authentication of the CA root certificate failed, check
the fingerprint of the pre-configured (activation) certificate.

2.9.7 Enrollment

To enroll or update certificates of an RTU, the PKI client initiates a CSR to the CA via the configured
RA server of a PKI. The signing request uses PKCS#10 format. Enrolled or updated certificates are
stored in the RTU500 series certificate store.

The menu tab 'Actions' contains the user interface for initial enrollment (see figure below).

Figure 67: Dialog for launching initial enrollment

For all certificates configured to be managed by a specific PKI client, enrollment can be divided into
two phases:
• Initial enrollment
Initial exchange of data required for mutual authentication of EST server and PKI client.
• Certificate Reissuance
Rekey existing client certificates by requesting reenrollment from an EST server.

2.9.7.1 Initial Enrollment - HTTP-based Client Authentication

Precondition for authentication using 'HTTP-based client authentication' is the existence of a 'Pre-
configured certificate' containing the certificate of the CA that issued the PKI server certificate
required for verification during the authentication phase of the RA server.

If a managed client certificate is not present in the RTU500 series certificate store, the initial
enrollment must be performed manually by user interaction. During this process, a user name and
password can be entered (optional).

Optionally, an activation code / OTP (One Time Password) can also be provided. The entered activation
code/OTP is not stored by the RTU500 series; it is used only for the initial enrollment.

Figure 68: Dialog for HTTP-based client authentication

2.9.7.2 Initial Enrollment - Certificate TLS Authentication

Precondition for authentication using 'Certificate TLS authentication' is the existence of a pre-
configured certificate containing the certificate of the PKI client including the chain to the issuing
CA.

If a managed client certificate is not present in the RTU500 certificate store, an initial enrollment
is performed using the pre-configured certificate. The PKI client authenticates the EST server based on
the contained CA, and presents the client's certificate for authentication by the EST
server during the TLS handshake. The certificate received during the enrollment procedure is
stored together with the chain in the slot of the managed certificate in the certificate store.

The initial enrollment is started using the dialog shown in figure below.

Figure 69: Initial enrollment

Optionally, an activation code / OTP (One Time Password) can also be provided. The entered activation
code/OTP is not stored by the RTU500 series; it is used only for the initial enrollment.

2.9.7.3 Reenrollment

Once the managed certificate is present in the RTU500 series certificate store, this certificate is used
for authentication with the EST server during reenrollment.

Reissuance of initially enrolled certificates is triggered by the PKI client managing the certificate. For
this purpose, the PKI client checks cyclically for a possible trigger condition. The cyclic check only
takes place if the RTU has been time synchronized at least once, that is, if the time qualifier NSY (Never
Synchronized) is not set.

The trigger condition for reissuance of a certificate is the upcoming expiration date. The parameter
'Renewal window [days]' defines the point in time when the PKI client starts to reenroll a certificate
in advance of its expiration.

2.9.8 CRL Update

The CRL is updated continuously by the CA, and the PKI client retrieves the CRL before the next
update time stated inside the CRL is reached. The CRL is signed by the CA which has
issued the revoked certificate.

Once active, a PKI client starts to connect cyclically to CRL servers based on the parameters in the
online configuration file and replicates new CRLs on the RTU500. Received CRLs are distributed to
all CMUs within an RTU. On reception of a new CRL, the certificates it applies to are checked for revocation.

ADVICE
The CDP (CRL Distribution Point) URL is stored inside the certificates and is generally a
Web server (HTTP). Precondition for CRL update is the existence of the managed certificate,
because the necessary URL of the CDP can be found in the managed certificate extensions. The
extension 'X509v3 CRL Distribution Points' contains the URL with DNS name or IP address.

2.9.9 Restrictions

Each EST operation is identified by a path suffix that indicates the intended operation. The RTU500
series uses the operation path '/cacerts' to request distribution of CA certificates.

EST servers can expose two types of endpoints:

• Without label: https://[url]/.well-known/est/cacerts
• With label: https://[url]/.well-known/est/[label]/cacerts

The RTU500 series supports only the endpoint without label. The labelled endpoint is not
supported.

2.10 PLC Parameter Settings


PLC parameter settings management offers the possibility to change the values of defined PLC
setting parameters over the web interface without using MULTIPROG.

In the Web server menu, the link 'PLC Parameter Settings' is the entry point for managing PLC
parameter settings. This link can be found under the menu item 'Management' as shown in the next
figure. The link is also shown if no PLC setting parameters are configured. In this case an error
message appears if the menu item is selected.

Figure 70: Menu item PLC Parameter Settings

2.10.1 Prerequisite for Usage of PLC Parameter Settings

First, PLC Setting Parameters have to be defined in MULTIPROG as described in RTU500 Series
Function Description - Part 6: RTU500 functions (1KGT151100). Then the generated project
package, which contains these setting parameters and the PLC boot project, has to be transferred to
the RTU and activated as described in Chapter 2.1, "Configuration Management".

Only when these preconditions are fulfilled, the user interface for changing the setting parameters
can be opened over the web server menu “PLC Parameter Settings”.

ADVICE
To use this function, RTU500PLCEngineering 1.3.1.0 or later is required.

2.10.2 Changing Setting Parameters

There is a tab named after the PLC function defined in the hardware structure of RTUtil500 (in the
following example named 'PLCFunc'). When this tab is opened, all defined PLC Setting Parameters
are shown and the values can be changed:

Figure 71: PLC Parameter Settings

The value of the changed parameter is validated and marked red if it is outside the allowed
range. The 'Apply' button is enabled as soon as any value has been changed. All changes are
written into the PLC when the 'Apply' button is clicked. Clicking the 'Cancel' button reverts all
changes made in this user interface; nothing is sent to the PLC.

2.10.3 Import/Export of Setting Parameters

The tab 'Import/Export' provides an additional way of changing the setting parameters:

Figure 72: PLC Parameter Settings Import/Export

The export button exports all setting parameters to an XML file. Initial values are also included
for documentation purposes. In this way the adapted Setting Parameters can be transferred
to other RTUs conveniently. When this XML file is dropped onto the dropping area of this user
interface of an RTU, these settings are uploaded and applied immediately, if the user agrees:

Figure 73: Upload and apply PLC settings

If the PLC, for whatever reason, does not contain the same Setting Parameters, the writing of
new values for these parameters is rejected and an error message is shown:

Figure 74: Applying PLC setting parameters failed

2.11 System Help Page with Pre-requisitions


A System Help Page is available, showing the pre-requisitions for the Web server of the RTU500
series.

Figure 75: System help page: navigation tiles

Figure 76: Page for general information and pre-requisitions

3 Diagnostics
3.1 System Log
The system log pages give information about the actual state of the RTU.

The logged information can be filtered in different areas (see "Fig. 78: System Log: General View"):

• All
• System
• Activities
• I/O boards
• Connected I/O devices

Figure 77: System Log: navigation tiles

Figure 78: System Log: General View

3.2 System Event Status


The state of the system is represented by 'System Events'.

To view the status of the system events in the RTU500 series Web server the link “System Event
Status” must be selected. This item can be found under the navigation tile “Diagnostics” as shown
in the figure below.

Figure 79: Web server menu system events

Figure 80: Displaying system events

3.3 Hardware Tree

3.3.1 General Overview

Figure 81: Hardware tree: navigation tiles

The Hardware tree page gives information about the configuration of the RTU and about the current
values of the process objects according to the configuration in RTUtil500 (see "Fig. 82: Hardware tree
pages").

The channel number, process object ID and the current value of the data point are shown in the right
window. The value and the status information are updated cyclically.

Figure 82: Hardware tree pages

The former functionality to issue commands from this display directly to the connected
primary process is obsolete and has been replaced by the TestMode functionality. Please see the "Test &
Simulation" chapter.

3.3.2 Board Diagnosis

Select a communication unit in the hardware tree to get information about its state.

Figure 83: State of a communication unit

Select a serial communication line, connected to a communication unit, to get static and dynamic
information about this line.

Figure 84: State of a serial communication line

4 Test & Simulation


4.1 Enable Logging and Debugging
If one or more logging/debug interfaces are granted (see Chapter 2.6.1), the user with the
necessary privileges has to enable the logging/debug interface, before the function can be used.

Figure 85: Activation of Debugging Options

• Time administration test mode:
If this feature is enabled, the 'Time Administration' dialog is enabled and it is possible to set the
RTU time manually.
• Signal test mode:
If this feature is activated, the signal inputs, outputs, system events, system commands and
security events can be simulated.
• PLC online debugging:
If the PLC debugging feature is activated by one user, all other users having this privilege can
use this PLC debugging option of Multiprog. This feature must be enabled to get online access
between Multiprog and the RTU. The debugging option is 'disabled' again after a restart of the
RTU and must be 'enabled' again.
• Bind configuration to CMU hardware:
If this feature is enabled, the hash of the RCD configuration file stored on the memory card is compared
with the hash stored in the CMU board memory. If the hashes are not equal, the CMU starts up
with limited access in protected mode. In this mode no configuration is loaded and the CMU is
only accessible via the local USB interface or the default IP address. Please disable this feature
before you replace a memory card.
• RIO protocol logging:
If this feature is enabled, the RIO protocol logging function can be used together with the
Comprotware CPTT tool.
• IEC 61850 startup log:
If this feature is enabled, a detailed log of the IEC 61850 connections will be dumped to the internal
file system of the RTU.
• PPP logging:
This logging functionality is helpful for startup and failure diagnostics when resolving Point to
Point Protocol issues. Two ring buffered logfiles are created: syslog and syslog.0 (each limited
to 256 KB). The PPP events logged to these files may be analyzed for failed negotiations
between the RTU and the other peers, e.g. because of a wrong password or other parameters.
• VPN logging:
This option is only visible when VPN is configured. This logging functionality should be
deactivated in normal operation to avoid unnecessary write accesses to the memory card. For
VPN this functionality is helpful to analyze failed IKE negotiations. Two ring buffered logfiles are
created: syslog and syslog.0 (each limited to 256 KB).
• Secure access logging:
This logging option generates function-specific debug output for:
– Certificate management,
– PKI client,
– CAM client,
– HCI IEC 60870-5-104 (with secured data traffic),
– BCI IEC 60870-5-104 (with secured data traffic).

Two ring buffered logfiles are created: syslog and syslog.0 (each limited to 256 KB).
• IP network logging:
This logging option generates function-specific debug output for TCP/IP based activities in the
RTU500 series. Two ring buffered logfiles are created: syslog and syslog.0 (each limited to 256
KB).
• IEEE 802.1X logging:
This logging option generates output for IEEE 802.1X authentication. Two ring buffered logfiles
are created: syslog and syslog.0 (each limited to 256 KB).
• E1/E2 logging:
These options offer the functionality to capture packets on network interfaces between RTU and
remote destinations. All packets sent or received on the interfaces E1 or E2 are written to a pcap
compatible file. That created file can be loaded into Wireshark, which in turn allows analysis of
the stream(s) sent and received on the monitored network interface.

The developer debug interfaces shall only be activated on special request.

For support cases a system information file can be downloaded to a PC. This file is used by the
RTU support line to analyze the status of this RTU. The file includes all information visible in the
Web server in a condensed form and the generated PPP/VPN/E1/E2 debug output, so that the
user can investigate anomalous behavior during initialization and running of PPP/VPN connections
between RTU and remote peer.

4.2 Time Administration


To navigate to the Time Administration page, click on 'Test & Simulation' and on 'Time
Administration' in the navigation frame. The Time Administration page is shown below.

Figure 86: Time Administration page

This feature is available if:

• the user is connected to a CMU in the state 'Time Administration Master'
• the debugging option is generally enabled (see Chapter 2.6.1)
• the time administration test mode is temporarily enabled (see Chapter 4.1)
• the user has the privileges to perform commands (see Chapter 2.6.3)

The time can be set:

• manually or
• according to the client time of the connected PC

4.3 General Overview: Test Mode


4.3.1 Opening the User Interface

If the Web server can be accessed, a button named “Simulation & Test” is visible. Clicking
the button opens an additional menu.

This feature is available:

• if the test mode is generally enabled (see Chapter 2.6.1, "Security Policies")
• if the Signal test mode is temporarily enabled (see Chapter 4.1, "Enable Logging and
Debugging")
• if the user has the privileges to perform commands (see Chapter 2.6.3, "User Roles"). See step
1 in the figure below.
• if the test mode is not already open in a second browser window on the same PC or in a browser
window in another session (by another user)

Following menu items refer to the different test mode views (see step 2 in figure below):
• Inputs and outputs (process data objects)
• System events and system commands
• Security Events

Figure 87: Test Mode user interface - inputs and outputs

4.4 Inputs and Outputs View - Elements of the User Interface

4.4.1 Signal Grid

The central element of the user interface is a grid that displays the signals configured in the RTU.

Figure 88: Signal grid

The grid has nine columns and as many rows (each row representing a signal) as selected by the
user.

Figure 89: Grid navigation panel

Grid columns:
• Data point type:
The first column shows the data point type. Filter signals by selecting a data point type from the
selection list at the bottom of the column or entering a search term in the search field at the top
of the column. For example, entering 'i' will show all signals whose type contains 'i' (SPI, DPI,
STI, etc.). Entering 'pi' will show SPI and DPI signals.
• Data point identifier:
This column contains the full name of each signal, including the names of the different signal
tree levels. Filter signals by entering a partial name of the signals (e.g. the name of a group in
the signal tree) in the search field at the top of the column. Fig. 90 shows a filter example.
• Data point source:
The third column contains the name of the data point source (local IO or sub device) to which
the signal belongs. Filter signals by selecting a data point source from the selection list at the
bottom of the column or entering a search term in the search field at the top of the column.

Figure 90: Example data point identifier filter

In the upper left corner, there is a button called 'Clear filter'. Click on it, to clear all filters.

The next columns provide the dynamic information about the signal, i.e. its value and cause of
transmission. At the same time, these fields are also used to simulate the value and the cause of
transmission.
• Cause of transmission:
This column contains the cause of transmission with which the signal is sent. The possible
values for each specific signal are listed in a drop list: SPONT (spontaneous), PERIOD
(periodic), BACKG (background), REQ (required), INTERROG (interrogated), RET_REM
(returned by remote command), RET_LOC (returned by local command), ACT (activation),
ACT_CON (activation confirmation), DEACT (deactivation), DEACT_CON (deactivation
confirmation) and ACT_TERM (activation termination).
The column includes a drop list with gray background at the bottom. If one of the options of this
gray drop list is selected, all drop lists in the column containing the same option will change their
selected option to the one specified at the bottom.

Figure 91: Example of using the bottom drop list selector


• Confirm:
For process commands (SCO, DCO, RCO, ASO, DSO, FSO and BSO), this column includes the
confirmation field of the cause of transmission. The two possible values are included in a drop
list: POS (positive confirmation) and NEG (negative confirmation). The column has another gray
drop list at the bottom, whose function is the same described for the previous column.

• Value:
This column displays the value with which the signal is transmitted. For signals whose values
are predefined (SPI, DPI, SCO, DCO and RCO), the value is represented as the selected option
of a drop list. In contrast, for signals whose values are integers (ITI and STI), natural numbers
(BSI and BSO), normalized percentages (AMI, DMI, ASO and DSO) or floating-point numbers
(MFI and FSO), the value is contained in an input box.

• Qualifiers:
The qualifiers that accompany the value of a signal can be specified. Click the cell to select the
qualifiers. A dialog opens showing the current qualifiers, and the user can change
them.

Figure 92: Specify Qualifiers

The gray drop list at the bottom of the column is similar to the ones in the two previous columns. It
has no effect on the input boxes contained in the column; it only affects the drop lists.

The two final columns contain the elements that trigger the simulation of signals: the next to last
column includes buttons to force the simulation, while the last column contains a checkbox for each
row to enable multiple sequential forcing.

Note that the simulate button and checkbox for input signals (SPI, DPI, STI, AMI, DMI, MFI, BSI
and ITI) are not visible until these signals are disconnected from process (see Chapter 4.4.4.1,
"Disconnecting Signals in Monitoring Direction").

On the other hand, the simulation buttons and checkbox for output commands (SCO, DCO, RCO,
ASO, DSO, FSO and BSO) are always visible. These output signals have two simulation
buttons: 'Se' (to perform a command selection) and 'Ex' (to perform a command execution). The
buttons also indicate the status of the command (selection or execution) by means of bold letters.
For example, in Fig. 93, the first command is an execution, while the second is a selection.

Figure 93: Selection - Execution

To simulate an input signal or to send an output command, the user only has to click the
'Simulate' or 'Se'/'Ex' button in the row of the appropriate signal. A green flash in the row confirms
that the signal has been forced into the RTU and transmitted to the host systems (Fig. 94). In fact,
each time a spontaneous change happens in a signal, the green flash appears in the row and
the value and cause of transmission fields are updated.

Figure 94: Single forcing example

It is also possible to simulate a sequence of signals. The checkboxes in the last column are used
with this purpose. If the user selects multiple checkboxes in different rows (even in different pages
of the grid) and then clicks on any 'Simulate', 'Se' or 'Ex' button, all the selected signals will be
simulated sequentially, from top to bottom. The 'All' button at the top of the column selects (or
deselects) all checkboxes in the current page of the grid.

Figure 95: Multiple forcing example

A confirmation dialog is shown before a multiple forcing starts. This helps to avoid an undesired
sequence simulation.

Figure 96: Multiple forcing dialog

4.4.2 Multiple Simulation Interval

It is possible to specify the time interval between each signal in a multiple simulation sequence.

This time span is defined by the user in seconds. An interval of less than a second can also be
defined (for instance '0.1' seconds).

4.4.3 STOP Button

A running simulation sequence can be stopped by clicking the STOP button.

This action also deactivates the test and simulation mode and sets the RTU back to normal
operation mode.

Figure 97: Simulation interval and STOP button

4.4.4 Control Panel for Process Connection

In the upper right corner of the user interface, the control panel for process connection can be
found. Note that this element does not indicate any status; it only provides the option to
disconnect or reconnect signals and to set the automatic simulation of command
responses and reactions.

The actions carried out in this control panel only affect the signals that are displayed at
that moment in the grid, not the hidden signals.

The control panel allows the user to disconnect or reconnect signals and to specify the direction
(Monitoring, Controlling or Both). See Fig. 98 and Fig. 99:

Figure 98: Process connection - direction

Figure 99: Process connection - value

When the appropriate direction and value are selected, the user must click on the 'Proceed' button
to apply the changes.

4.4.4.1 Disconnecting Signals in Monitoring Direction

When a signal is disconnected from process in monitoring direction, the RTU500 series blocks that
object's inputs, not sending them to the host system and not updating the RTU500 series database
with the real value of the signal.

In the following example (Fig. 100), an SPI signal which belongs to a sub-device has been
disconnected from process in monitoring direction. Updates in the SPI's real value are blocked and
not sent to the host systems. Instead, the user can simulate the signal by means of the Test Mode
user interface.

Figure 100: Disconnecting signals in monitoring direction

Process information inputs (SPI, DPI, STI, AMI, DMI, MFI, BSI and ITI) are shown in the signal grid
without 'Simulate' button and with disabled checkbox.

Figure 101: Inputs connected to the process

Only when the connection to the process is disconnected does the 'Simulate' button appear, the
checkbox is activated and the text in the line turns bold green.

Figure 102: Inputs disconnected from the process

Therefore, process information inputs whose text is bold green are signals that are disconnected
from process in monitoring direction and whose values are simulated.

4.4.4.2 Disconnecting Signals in Controlling Direction

When a signal is disconnected from process in controlling direction, the RTU500 series blocks that
object's output commands, not sending them to the target local output board or sub-device. In other
words, the RTU500 series blocks the physical execution of the output.

In the following example (Fig. 103), an SCO signal which belongs to a sub-device has been
disconnected from process in controlling direction. Output commands sent by a host system to the
SCO are blocked by the RTU500 series and not sent to the target sub-device. Test Mode
automatically generates a response (positive or negative confirmation) to the command and sends it to the
host system. This response is the same one that would be expected if the SCO had not
been disconnected from process.

Figure 103: Disconnecting signals in controlling direction

From the host system's point of view, there is no difference in the process, since the command
output workflow remains the same as usual (a command response is generated by the RTU and
sent back to the host system). However, the physical output is not executed in the sub-device (or
local output board).

Regarding the user interface, process command outputs (SCO, DCO, RCO, ASO, DSO, FSO
and BSO) are always shown in the signals grid with checkbox and 'Se'/'Ex' buttons, since it is
always possible to send output commands locally from the user interface. If the signals are not
disconnected from process in controlling direction, these output commands will be physically
executed.

Figure 104: Commands connected

When the process command outputs are disconnected from process, the text in the row (signal type,
identifier and source) turns bold. From this moment on, the outputs are blocked and the command
responses are simulated.

Figure 105: Commands disconnected

When at least one of the process command signals shown in the signals grid is disconnected from
process in controlling direction, an additional element appears in the control panel for process
connection (upper right corner of the user interface):

Figure 106: Control panel for process connection

In this second row of the panel, it is possible to set the automatic simulation of command responses
and command reactions (drop list 'Type'):

Figure 107: Automatic simulation - type

The 'Command response' option lets the user pre-define the command response
(positive or negative confirmation) that the RTU sends back to host systems when it receives a
command output for a signal that is disconnected from process in controlling direction. The user shall
select an option from the 'Value' drop list and click on the 'Apply' button.

Figure 108: Automatic simulation - command response

In the user interface, the text of the signals for which the automatic simulation of pre-defined
command responses is set turns green. If the mouse pointer is placed over these rows, a tooltip
shows the value of the pre-defined command response (Fig. 109).

Figure 109: Setting automatic simulation of command responses

The second type of automatic simulation that the user can set in the control panel is 'Command
reaction'. This is the simulation of the process information signal defined by the user in RTUtil500
as response indication for SCO and DCO objects (Process information parameter, SCO/DCO -
General parameters). That process information signal must also have been disconnected from
process by the user.

The user shall select the value with which the command reaction is simulated (same or opposite
value to the output command's value) and, optionally, the delay in milliseconds between the
command response and the command reaction (Fig. 110). Finally, the button 'Apply' must be
clicked.

Figure 110: Automatic simulation - command reaction

Figure 111: Simulation of command reaction - delay parameter

In the user interface, the text of the output command signals whose command reactions are being
automatically simulated becomes italic.

Figure 112: Setting automatic simulation of command reactions

4.4.4.3 Disconnecting Signals in Both Directions

The user can disconnect signals from the process in both directions at once. To do this, the
direction 'Both' must be selected.

Figure 113: Process connection - 'Both' direction

When this option is chosen (with value set to 'Disconnect' and after clicking on 'Proceed'), the
process information inputs shown in the signals grid are disconnected from process in monitoring
direction, while the process command outputs are disconnected in controlling direction. The
behavior is the same as described in Chapter 4.4.4.1, "Disconnecting Signals in Monitoring Direction"
and Chapter 4.4.4.2, "Disconnecting Signals in Controlling Direction".

Figure 114: Disconnection in both directions

Regarding the user interface, the visualization of the rows containing the disconnected signals
changes in the same way as described previously: the text corresponding to process information inputs
turns bold and green (and the 'Simulate' buttons appear), while the text corresponding to process
command outputs becomes bold.

Figure 115: Both directions connected

Figure 116: Both directions disconnected

If at least one of the signals shown in the signals grid is a process command output, after
disconnecting signals in 'Both' directions, the control panel will show the option to set automatic
simulation, as explained in Chapter 4.4.4.2, "Disconnecting Signals in Controlling Direction".

4.4.4.4 Reconnecting Signals

To reconnect signals means to stop blocking inputs or outputs which had been previously
disconnected from process.

Figure 117: Process reconnection

When a process information input (SPI, DPI, STI, AMI, DMI, MFI, BSI and ITI) is reconnected to
the process, the RTU500 series database is updated with the current value of the signal. The host
systems receive this data update as well, and the Test Mode user interface also displays the signal's
real value.

Figure 118: Reconnection in both directions

Regarding the visualization of the signals in the Test Mode user interface, the reconnected signals
are displayed with normal text again (no longer bold and/or green). The 'Simulate' button and
checkboxes disappear for process information inputs, since it is not possible to simulate an input if
the signal is not disconnected from process.

Figure 119: Both directions disconnected

Figure 120: Both directions reconnected

4.4.5 Disconnected Indicator

The indicator in the upper left corner of the user interface displays the number of signals that are
currently disconnected from process. The indicator is independent of the signals that are currently
displayed in the signals grid; it counts the total number of signals disconnected from process.

If the number of simulated signals is zero, the indicator is black:

Figure 121: No signals disconnected

If one or more signals are disconnected from process, their number is displayed in the
indicator, whose color turns green:

Figure 122: Several signals disconnected

4.4.6 Download Log File

The 'Download log file' link at the bottom of the user interface triggers the download of a text file.

This file includes all input simulations and output commands generated by the user in the current
session. When the user interface is closed, the log file is emptied.

Figure 123: Download log file

Each time the link is clicked a new text file will be generated, containing all logs since the beginning
of the session.

4.5 SEV and SSC View - Elements of the User Interface

4.5.1 Signals Grid

The signal grid, as in the Inputs and Outputs view, is the central element of the user interface in the
SEV and SSC view. For this reason, please read Chapter 4.4.1 carefully.

In this view's grid, there are two new columns: 'ID' and 'Description'. They replace the 'Signal
Identifier' column from the Inputs and Outputs view. Their purpose is to help the user to filter the
signals properly. The rest of the columns and their functionality remain the same as explained in
Chapter 4.4.1.

4.5.2 Input for Multiple Simulation Interval

See Chapter 4.4.2.

4.5.3 STOP Button

See Chapter 4.4.3.

4.5.4 Control Panel for Process Connection

This control panel is the same explained in Chapter 4.4.4.

From the point of view of process disconnection, SEVs are treated in the same way as process
information inputs (SPI, DPI, STI, AMI, DMI, MFI, BSI and ITI). That is, they are disconnected in
monitoring direction.

On the other hand, SSCs are treated in the same manner as process command outputs (SCO,
DCO, RCO, ASO, DSO, FSO and BSO). They are disconnected in controlling direction.

ADVICE
Automatic simulation of pre-defined command responses and command reactions is not
allowed for SSCs.

ADVICE
Because of the way the feature Simulation & Test is implemented, redundancy switch over
cannot be tested with SSC (#16 ... #31).

4.5.5 Status Indicator

See Chapter 4.4.5.

4.5.6 Log File Download Link

See Chapter 4.4.6.

4.6 Security Events View - Elements of the User Interface

4.6.1 Signals Grid

The signal grid, as in the other two views, is the central element of the user interface in the Security
events view. For this reason, please read Chapter 4.4.1 carefully.

In this view's grid, the first three columns help the user to filter the appropriate signals, while the last
two trigger the simulation. As the security events have no value or cause of transmission, this
grid has no such columns.

4.6.2 Input for Multiple Simulation Interval

See Chapter 4.4.2.

4.6.3 STOP Button

See Chapter 4.4.3.

4.6.4 Log File Download Link

See Chapter 4.4.6.

5 Operation

5.1 Starting the Integrated HMI

The Integrated HMI can be started directly from the navigation tile (see below) or from the
'Hardware Tree'. This feature is only available if an 'Integrated HMI' is configured.

Figure 124: Starting the Integrated HMI

Before an HMI application can be started, the following files must be uploaded to the RTU:
• HMILib.jar (using the Firmware File Manager, see Chapter 2.2)
• HMILibInterface.jar (using the Firmware File Manager, see Chapter 2.2)
• HMI Application (using the Configuration File Manager, see Chapter 2.1)

This feature is available if:

• an 'Integrated HMI' is configured.
• the user has the privileges to use the integrated HMI (see Chapter 2.6.3).

5.2 General Overview: Archives


Archives are stored on the memory card of a communication unit. The RTU500 series supports the
following archives:
• Process Archives (see Chapter 5.3, "Process Archives")
• File Archives (see Chapter 5.4, "File Archive")
• Security Event Archive (see Chapter 5.5, "Security Event Archive")

The archive size can be configured with RTUtil500 [2].

Figure 125: Archive Configuration in RTUtil500

One page of a list shows a maximum of 50 events. To navigate inside the archive lists there are
several buttons above the list. The buttons have the following meanings (from left to right):

• Go to the end of the list to show the newest entries.
• Scroll one page forward in the list (towards newer entries).
• Scroll one page backward in the list (towards older entries).
• Go to the beginning of the list to show the oldest entries.
• Download the complete list in predefined CSV format to the PC.

5.3 Process Archives


Process archives are available for:
• Events and Indications
• Measurements
• Pulse Counter Values

Figure 126: Events and Indications

5.4 File Archive


The RTU500 series Web server has a dedicated page for the file archive. This page shows the
files in a variable structure, configurable by the user. This page is also used to transfer
the files to the workplace PC.

Figure 127: File Archive: navigation tiles

Figure 128: File archive: root directory

Figure 129: File archive: load file

Navigation and file download:

• Click on a folder to navigate between the different folders.
• Click on a file to load the file to the PC.

The RTU does not convert the format of the files in the archives. The file format depends on
the format provided by the IED. Different conversion routines are provided on request. For more
details see RTU500 Series Function Description - Part 7: Archive functions (1KGT151101).

5.5 Security Event Archive


The archive for security events stores all user actions that are relevant for the security of the
RTU500 series. For more information about security features see [1].

To view the security event archive in the RTU500 series Web server the link “Security Archive” must
be selected. This link can be found under the menu item “Operation” as shown in the figure below.

Figure 130: Web server menu security archive

One page of the security event list shows a maximum of 50 events. An example of the event archive
is shown in the next figure.

Figure 131: Displaying security event archive

To navigate inside the list there are several buttons above the list. The buttons have the following
meanings (from left to right):

• Go to the end of the security event list to show the newest entries.
• Scroll one page forward in the event list (towards newer entries).
• Scroll one page backward in the event list (towards older entries).
• Go to the beginning of the security event list to show the oldest entries.
• Download the complete security event list in predefined CSV format.

The following definitions apply to displaying and downloading the security event list:

• For each security event an event text is shown. The text depends on the specific event ID and
is in the language selected for the whole RTU500 series Web server. To change the event text,
the text must be modified in the language file of the Web server (like the other texts in the Web
server).
• All time stamps of the security events are shown in local time (local time zone) as defined for the
whole RTU.
• When the security event list is downloaded, the resulting CSV file contains the events in the same
format and language as shown in the Web server display. This also applies to the time
stamps, which are in local time.
• The size of the security event archive is configurable in RTUtil500. If the configured limit is
reached, the oldest security events in the archive are overwritten when new events occur.

For more information about the localization support see chapter "Language Management". For
detailed information about the available security event archive limits please refer to the RTU500
series Security Deployment Guideline [1].

6 Secure Web Server Access


For secure access, the RTU500 series web server supports Hypertext Transfer Protocol Secure
(HTTPS). HTTPS is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to
provide encryption and secure identification of the server. Detailed information about HTTPS can
be found in RFC 2818 “HTTP Over TLS”.

For identification, the RTU500 series web server by default uses self-signed public key
certificates not issued by a certification authority (CA). The default self-signed certificates are
created at startup depending on the configuration. In addition, the RTU500 series web server
supports the upload of externally generated HTTPS certificates. This allows the use of trusted
certificates issued by a certification authority (CA). Externally generated certificates can be revoked
by loading a certificate revocation list generated by the issuer of the certificate. If the certificate in
use is revoked, the RTU switches to the self-signed certificate.

Client authentication with user certificates is not supported by the RTU500 series. The
authentication of the user is ensured by a user name and a password.

ADVICE
For security reasons, the web client has to be closed after each working session. This prevents
the usage of supplied user names and passwords by unauthorized persons.

The following chapters describe configuration, access and certificate handling for the secured
RTU500 series web server.

6.1 RTUtil500 Configuration


The configuration parameters for the Web server access are defined for each CMU or
Ethernet interface within an RTU. The following parameters are configurable within RTUtil500:

• Option to disable the Web server on selected Ethernet interfaces. This is possible in single and
multiple CMU systems. The Web server must be enabled on at least one Ethernet interface
to be able to access the RTU at all. The Web server is enabled on all Ethernet interfaces by
default.
• Option to secure the Web server access with HTTPS. This option can be selected on each
CMU. The HTTPS option is enabled by default.
• Define the authentication type for the secure Web server. The options are the default self-signed
certificate or an uploaded external certificate stored in the certificate store of the CMU.
• Set an entry in the certificate store of the CMU to upload external HTTPS certificates for the
Web server authentication.

In RTUtil500 the option to disable the Web server is placed at the CMU on the configuration tab
of the Ethernet interface, e.g. 'E1' (Hardware tree only). The figure below shows the option in the
RTUtil500 user interface. The Web server is disabled by deselecting the checkbox 'Enable Web
server'.

Figure 132: RTUtil500 Ethernet interface Web server parameter

As shown in the next figure, the configuration parameters related to the secure Web server are
located on the 'General' tab at a CMU module (Hardware tree only). To secure the RTU500 series
Web server with a self-signed certificate, follow these steps:

1 Select the checkbox 'Secure HTTPS Web server'.
2 Select the option 'Self-created and self-signed certificate' in the drop-down menu 'Web-server
authentication' (shall be pre-selected).

Figure 133: RTUtil500 secure Web server parameter

To use an external HTTPS certificate, the certificate store must be configured first.
That means an entry has to be added to the certificate store representing the certificate used for the
Web server authentication.

The certificate store configuration opens by pressing the button “Configuration” shown in the figure
above (near the text “Certificate Storage”). A dialog then appears with several entries
for certificates. Each entry represents a certificate that shall be transferred to the CMU. To add
a certificate, select the check box at the entry number and give the entry a descriptive name. An
example of the certificate store configuration is shown in the figure below.

Figure 134: RTUtil500 certificate store

Together with the certificate store the steps to secure the RTU500 series Web server with an
external certificate are:

1 Configure an entry in the certificate store representing the external certificate to upload. Give the
entry a descriptive name like “WebServerCert”.
2 Select the checkbox 'Secure HTTPS Web server'.
3 Select in the drop-down menu 'Web server authentication' the certificate from the store. Here the
name given in the first step is selected.
4 Upload the external HTTPS certificate via the RTU500 series Web server.

Further information about the upload of external HTTPS certificates can be found in chapter
"Certificate Upload".

6.2 HTTPS Web server access


To access the RTU500 series web server via HTTPS, the URL given in the Web client must begin
with “https://” followed by the IP address of the RTU500 device. The following figure shows an
example.

Figure 135: HTTPS access to an RTU Web server

The default Web server certificates used by the RTU500 series are self-signed and not issued by
a certification authority (CA). As a result, a current web client shows a warning message concerning
the missing CA if the Web server is accessed with HTTPS. To avoid this warning message, a
trusted external certificate must be configured and uploaded to the RTU500 series.

If the Web server is configured for HTTPS, standard access is no longer possible. In case of
a standard access, the Web server redirects the access to the secure pages of the RTU500 series
web server.

If the web server is not configured for HTTPS, secure access is possible as well. There are no
restrictions in this case besides the possible warning message from the self-signed certificate.

See chapter "RTUtil500 Configuration" for configuration and chapter "Certificate Upload" for upload
of external certificates.

6.3 Certificate Handling


For encryption and secure identification, HTTPS uses public key certificates that bind together a
public key with an identity (information such as the name of an organization, their address and so
on). The certificate is used to verify that a public key belongs to an identity. In case of HTTPS the
Web server presents the certificate to the web client, giving the client the public key and the identity
of the server.

This requires a public/private key pair and a corresponding public key certificate for the RTU. There
are two possibilities for this purpose: either the self-signed certificates generated by the RTU500
series firmware are used, or a trusted, externally generated certificate is uploaded to the RTU.
When uploading, a certificate must be available for each CMU because the Web server can be
accessed on any CMU. Further information about the self-signed and externally generated certificates
can be found in the following two chapters.

6.3.1 Self-signed Certificate

In the default setup the RTU500 series Web server uses self-generated and self-signed public key
certificates for encryption and secure identification. As explained above the certificate consists of a
public/private key pair and an identity information. The key pair and the certificate are generated by
the RTU firmware and stored in the internal flash of the CMU (not on the memory card).

The certificate contains HTTPS protocol specific information like the public key and identity
information. The identity information is set as follows:

• The identity information like country, locality and organization name is predefined to the Hitachi
Energy Germany AG. This cannot be changed.
• The common name of the identity is set to the configured IP address of the CMU Ethernet
interface E1. The common name represents the host name (server name) the web client uses to
access the Web server. If the configuration of the IP address changes, a new certificate is
generated and stored in the internal flash (overwriting the existing one).
• In the subject alternative name, the IP addresses of the Ethernet interface E1 and the USB interface
are defined. This allows secure HTTPS access via USB as well.
• The serial number of the certificate is set to 1 for the first created certificate and increased every
time a new certificate is generated due to a configuration change.
• The expiration date of the certificate is set to 1 January 2070.

6.3.2 External Certificate

The RTU500 series supports the usage of externally generated and signed public-key certificates
for the encryption and secure identification of the Web server. These certificates can be uploaded
to the RTU500 series via the Web server. When creating an end-entity certificate for the RTU500
series Web server, the following points shall be considered:

• The generated end-entity server certificate shall be signed and issued by a trusted root or
intermediate certificate. This avoids any warning messages in the Web client when accessing
the RTU500 series Web server via HTTPS.
• For a correct end-entity Web server certificate the attribute “keyUsage” must contain at least the
encryption value “keyEncipherment”, and the attribute “extendedKeyUsage” must
contain the server authentication value “serverAuth”.
• The common name of the certificate identity must not be set to an IP address used in the RTU. It
is sufficient to set the attribute “IP Address” in the subject alternative name to a used IP address.
Depending on the policies in your organization, setting the attribute “DNS Name” might be
necessary as well.
• To use the same certificate for several CMUs or RTUs, a list of IP addresses and DNS names
can be defined in the subject alternative name.
• The generated certificate must contain the public/private key pair of the end-entity certificate.
The whole certificate chain, including root and intermediate certificates, can be included but this
is not required.
• For uploading, the generated certificate must be stored in PKCS#12 format with the file ending
“.p12”.

The upload of an externally generated certificate is done via the RTU500 series Web server. For
detailed information about the upload process see chapter "Certificate Upload". When the upload is
finished, the RTU500 series has to be restarted to activate the Web server certificate. It may also be
necessary to restart the Web client so that the client recognizes the new certificate.

For certificate generation SDM600 is recommended (System Data Manager SDM600 - User
Manual).
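
The requirements listed in this chapter can be checked on the engineering PC before a file is uploaded. The script below is an added example, not part of this manual or of any RTU500 tooling; it assumes the OpenSSL command line tool is installed and that the PKCS#12 password is passed in an environment variable named P12_PASS. The function names, the host name rtu1.example.test, the address 192.0.2.10 and the throwaway test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): check a PKCS#12 file against the
# requirements listed above before uploading it to the RTU500 web server.
# The password is read from the environment variable P12_PASS (an assumption
# of this example) so that it does not appear on the command line.

# ext_has TEXT EXTENSION VALUE: VALUE appears on the line after EXTENSION
ext_has() {
    printf '%s\n' "$1" | grep -A1 "$2:" | grep -q "$3"
}

# san_has_ip TEXT IP: exact match on one "IP Address:" entry of the SAN
san_has_ip() {
    printf '%s\n' "$1" | grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "IP Address:$2"
}

# check_rtu_p12 FILE EXPECTED_IP
# Prints one line per unmet requirement; returns 0 only if all are met.
check_rtu_p12() {
    p12=$1; ip=$2; rc=0
    case "$p12" in
        *.p12) ;;
        *) echo "FAIL: file ending is not .p12"; rc=1 ;;
    esac
    # Decode the end-entity certificate (-clcerts skips an included CA chain)
    text=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
           openssl x509 -noout -text 2>/dev/null) ||
        { echo "FAIL: no readable certificate in file"; return 1; }
    # The private key has to be in the same file as the certificate
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY' || { echo "FAIL: no private key in file"; rc=1; }
    ext_has "$text" 'X509v3 Key Usage' 'Key Encipherment' ||
        { echo "FAIL: keyUsage lacks keyEncipherment"; rc=1; }
    ext_has "$text" 'X509v3 Extended Key Usage' 'TLS Web Server Authentication' ||
        { echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1; }
    san_has_ip "$text" "$ip" ||
        { echo "FAIL: subjectAltName has no IP Address:$ip"; rc=1; }
    return $rc
}

# make_sample DIR EKU: constructed sample only. A throwaway test CA issues
# DIR/web.p12 (password "constructed") with the given extendedKeyUsage.
make_sample() {
    sd=$1
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        "extendedKeyUsage = $2" \
        'subjectAltName = IP:192.0.2.10, DNS:rtu1.example.test' > "$sd/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test CA' \
        -keyout "$sd/ca.key" -out "$sd/ca.pem" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=rtu1.example.test' \
        -keyout "$sd/web.key" -out "$sd/web.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$sd/web.csr" -CA "$sd/ca.pem" -CAkey "$sd/ca.key" \
        -CAcreateserial -extfile "$sd/ext.cnf" -days 2 -out "$sd/web.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$sd/web.key" -in "$sd/web.pem" -certfile "$sd/ca.pem" \
        -passout pass:constructed -out "$sd/web.p12" >/dev/null 2>&1
}

# Command line use: P12_PASS=... sh check_rtu_p12.sh FILE.p12 EXPECTED_IP
if [ "$#" -eq 2 ]; then
    check_rtu_p12 "$1" "$2"
fi
```

The check covers only the certificate attributes named in this chapter; whether the issuing CA is trusted by the Web clients has to be verified separately.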

6.4 TLS Version


Since RTU500 Release 12.4.1.0, TLS versions lower than TLS 1.2 are no longer supported. TLS
version 1.2 is specified in RFC 5246:2008.

Earlier releases of the RTU500 supported the following TLS versions:

Release     SSLv3       TLSv1.0     TLSv1.1     TLSv1.2
12.0.1.0    Disabled    Enabled     Enabled     Enabled
12.1.1.0    Disabled    Disabled    Enabled     Enabled
12.4.1.0    Disabled    Disabled    Disabled    Enabled

6.5 Supported Cipher Suites


The following cipher suites are supported by RTU500 series:

RFC Identifier                           OpenSSL Name
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      ECDH-ECDSA-AES128-CBC-SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   ECDH-ECDSA-AES128-CBC-SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      ECDH-ECDSA-AES256-CBC-SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   ECDH-ECDSA-AES256-CBC-SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   ECDH-ECDSA-AES256-GCM-SHA384
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        ECDH-RSA-AES128-CBC-SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     ECDH-RSA-AES128-CBC-SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     ECDH-RSA-AES128-GCM-SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        ECDH-RSA-AES256-CBC-SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     ECDH-RSA-AES256-CBC-SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     ECDH-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     ECDHE-ECDSA-AES128-CBC-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  ECDHE-ECDSA-AES128-CBC-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     ECDHE-ECDSA-AES256-CBC-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  ECDHE-ECDSA-AES256-CBC-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  ECDHE-ECDSA-WITH-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       ECDHE-RSA-AES128-CBC-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    ECDHE-RSA-AES128-CBC-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       ECDHE-RSA-AES256-CBC-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    ECDHE-RSA-AES256-CBC-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDHE-RSA-AES256-GCM-SHA384
TLS_RSA_WITH_AES_128_CBC_SHA             AES128-CBC-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256          AES128-CBC-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256          AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA             AES256-CBC-SHA
TLS_RSA_WITH_AES_256_CBC_SHA256          AES256-CBC-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384          AES256-GCM-SHA384


ADVICE
By default, all cipher suites are enabled, represented by an empty cipher list. It is possible to
configure a restricted set of cipher suites to be used in TLS connections.

Parameter name              Default                                     Parameter location
Web-Server Authentication   Self created and self signed certificate    CMU - General
    Certificate for web-server authentication
Cipher Suite                Empty                                       CMU - General
    Click New button to select allowed cipher suites. Cipher suites can be ordered by Up or Down
    button for better readability. Click Delete button to remove a cipher suite from list.

ADVICE
If parameter 'Web-Server Authentication' is set to 'Self created and self signed certificate', at
least one of the following cipher suites must be selected, otherwise access to the web server is
lost.

If parameter 'Web-Server Authentication' is set to a certificate and none of the following cipher
suites is selected, a certificate that supports the selected cipher suites must be uploaded before
uploading the configuration to the RTU, otherwise access to the web server is lost.

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
• TLS_RSA_WITH_AES_128_CBC_SHA,
• TLS_RSA_WITH_AES_128_CBC_SHA256,
• TLS_RSA_WITH_AES_128_GCM_SHA256,
• TLS_RSA_WITH_AES_256_CBC_SHA,
• TLS_RSA_WITH_AES_256_CBC_SHA256,
• TLS_RSA_WITH_AES_256_GCM_SHA384.
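
The lockout condition from the ADVICE above can be checked offline before a configuration is uploaded. The following is an added example, not part of the RTU500 tooling or of this manual; the function name Test-RtuCipherSelection and its parameters are hypothetical, and the planned list is entered by hand as RFC identifiers.

```powershell
# Added example (not RTU500 tooling): offline check of a planned 'Cipher Suite' list.
# Function and variable names are hypothetical; suite names are the RFC identifiers
# from the table in chapter 6.5.

# Build the 30 supported suites from the key-exchange/cipher combinations in the table.
$ciphers = 'AES_128_CBC_SHA', 'AES_128_CBC_SHA256', 'AES_128_GCM_SHA256',
           'AES_256_CBC_SHA', 'AES_256_CBC_SHA384', 'AES_256_GCM_SHA384'
$SupportedSuites = foreach ($kx in 'ECDH_ECDSA', 'ECDH_RSA', 'ECDHE_ECDSA', 'ECDHE_RSA', 'RSA') {
    foreach ($c in $ciphers) {
        # The plain RSA family lists AES_256_CBC_SHA256 instead of AES_256_CBC_SHA384.
        if ($kx -eq 'RSA' -and $c -eq 'AES_256_CBC_SHA384') { $c = 'AES_256_CBC_SHA256' }
        "TLS_${kx}_WITH_$c"
    }
}

# The twelve suites named in the ADVICE: the TLS_ECDHE_RSA_* and TLS_RSA_* families.
$RsaCertSuites = $SupportedSuites | Where-Object { $_ -match '^TLS_(ECDHE_)?RSA_WITH_' }

function Test-RtuCipherSelection {
    param(
        [string[]]$SelectedSuites = @(),   # empty list = default, all suites enabled
        [switch]$SelfSignedCertificate     # 'Self created and self signed certificate'
    )
    $selected = @($SelectedSuites | ForEach-Object { $_.Trim().ToUpperInvariant() } |
                  Where-Object { $_ })
    # Names that are not in the supported table (typos, suites the RTU does not offer).
    $unknown = @($selected | Where-Object { $SupportedSuites -notcontains $_ })
    # An empty selection means every supported suite stays enabled.
    $effective = @(if ($selected.Count -eq 0) { $SupportedSuites }
                   else { $selected | Where-Object { $SupportedSuites -contains $_ } })
    $rsaUsable = @($effective | Where-Object { $RsaCertSuites -contains $_ })

    $finding = 'OK'
    if ($rsaUsable.Count -eq 0) {
        $finding = if ($SelfSignedCertificate) {
            'LOCKOUT: self-signed certificate, but none of the twelve suites from the ADVICE is selected'
        } else {
            'PRECONDITION: upload a certificate that supports the selected suites before the configuration'
        }
    }

    # Advisory properties derived from the suite name only.
    $report = foreach ($s in $effective) {
        [pscustomobject]@{
            Suite          = $s
            ForwardSecrecy = $s -like 'TLS_ECDHE_*'   # ephemeral key exchange
            Aead           = $s -like '*_GCM_*'       # AES-GCM
            Sha1Mac        = $s -like '*_CBC_SHA'     # CBC with HMAC-SHA1
        }
    }
    [pscustomobject]@{
        Finding      = $finding
        UnknownNames = $unknown
        Suites       = @($report)
    }
}

# Constructed input: an ECDSA-only selection combined with the self-signed certificate.
$result = Test-RtuCipherSelection -SelfSignedCertificate -SelectedSuites @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256')
$result.Finding
$result.Suites | Format-Table -AutoSize
```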


7 Modem Installation

7.1 Windows 10, 11


Before starting the installation, be sure that the current user has administrator rights in the Windows
operating system.

To create a modem, select Start > Control Panel > Phone and Modem.

If this is the first modem, a location has to be configured first.


Select New... and enter arbitrary values.

Figure 136: Modem set up

Under the Modems tab, click Add... to add a new modem and choose Don't detect my modem; I will
select it from a list. Choose (Standard Modem Types) and Communications cable between two
computers.


Figure 137: Add modem

Figure 138: Select modem

Choose the COM port which will be used for the communication.


Figure 139: Selecting the COM port

Click Properties of the newly added modem.

Figure 140: Edit modem settings

Click Change settings and go to the Modem tab.


Figure 141: Modem speed

Choose the correct Maximum Port Speed.


8 PPP Installation

8.1 Windows 10, 11


Before starting the installation, be sure that the current user has administrator rights in the Windows
operating system. These rights are needed to install new software on the computer.

To create and establish a PPP connection to an RTU, select Start > Control Panel > Network and
Sharing Center.

Figure 142: Network and Sharing Center

Select Set up a new connection or network.


Figure 143: Connection options

Choose the connection option Connect to a workplace.

Figure 144: Direct connection

Choose the option Dial directly.


Figure 145: Modem selection

Select the correctly configured modem.

Figure 146: Create a Dial-up Connection(1)

Fill in an arbitrary Dial-up phone number to enable Connect.


Figure 147: Create a Dial-up Connection(2)

Either fill in an arbitrary User name and Password or the configured User name and Password from
the RTUtil500 configuration to enable Connect. The User name and Password need to be re-entered
during the connection establishment.

Figure 148: Create a Dial-up Connection (3)

Either wait for the dialing attempt to finish or skip the step.


Figure 149: Create a Dial-up Connection (4)

The connection attempt will fail; select Set up the connection anyway.

To configure the PPP connection, select Start > Control Panel > Network and Internet > Network
Connections > Change adapter settings.

Figure 150: Dial-up Connection Properties (1)

Right-click on the connection created from the previous steps and click Properties.


Figure 151: Dial-up Connection Properties (2)

Remove the Phone number and verify that, below Connect using, the entry Communication cable
between two computers with the correct COM port is activated. Click Configure….

Figure 152: Modem Configuration

For the Maximum speed (bps), select 38400 from the drop-down list.

Select the Options tab.


Figure 153: Options

Deactivate Prompt for phone number and click PPP Settings….

Figure 154: PPP Settings

Uncheck all three settings.

Select the Security tab.


Figure 155: Security

Enable the settings from the figure above.

Select the Networking tab.

Figure 156: Networking

Enable the settings from the figure above and click Advanced….

Select the IP Settings tab.


Figure 157: Advanced TCP/IP Settings

Use the settings from the figure above.

From Start > Control Panel > Network and Internet > Network Connections > Change adapter
settings, select Connect from the context menu of the new connection. Then select Dial-Up and
Connect on the right connection.


Figure 158: Connect dialog (1)

Figure 159: Connect dialog (2)


Figure 160: Connect dialog (3)

If authentication is configured in the RTU enter User name and Password and click Dial.

If the connection to the RTU is established, start the web browser without using a proxy server
or bypass the proxy server for the configured RTU IP address from Tools > Internet Options >
Connections > LAN settings.


9 USB RNDIS Driver Installation


The Remote Network Driver Interface Specification (RNDIS) is a Microsoft proprietary protocol used
on top of USB. It provides a virtual Ethernet link to most versions of the Windows operating system.

The USB interface on the CMU modules works as a USB RNDIS target device. The RNDIS host is a
Windows computer. The IP address of the RNDIS interface on the RTU is 169.254.0.10. The USB RNDIS
device on the Windows host can get its IP settings assigned automatically from the “link local”
block 169.254.0.0/16 (APIPA - Automatic Private IP Addressing). As described in RFC 3927, this
block is allocated for communication between hosts on a single link. The Windows host can obtain
an address from it by auto-configuration. Alternatively, the static IP address 169.254.0.1 can be
configured manually for the Windows RNDIS interface.

If a firewall is used on the Windows computer, adjust the firewall settings to allow communication
via the RNDIS interface. The subnet mask is 255.255.0.0.

9.1 Windows 10, 11


USB RNDIS works out of the box with Windows 10 and 11.


10 Update of I/O Modules Software


This chapter describes how to update I/O modules software.

You can start the update process, if the message 'Current I/O board software x is not consistent
with CMU firmware. Update recommended' appears in the Web server system log:

Figure 161: System log: I/O board software update recommended

Switch to Hardware Tree view and click 'Start update of I/O modules software'.

Figure 162: Start update of I/O modules software

The update process of I/O modules software starts. It can take several minutes. Do not
restart or shut down the RTU while the update process is running.


Figure 163: Update of I/O modules software started

After the update process has been successfully completed the message 'Software update
successfully completed' appears.

Figure 164: I/O software update successfully completed

Switch back to system log. Here you can find the messages 'Current I/O board software x is
consistent with CMU firmware.' and 'Update of software of I/O boards successfully completed'.


Figure 165: System log: Update of software of I/O boards successfully completed


11 Script Interface

11.1 Overview
Starting with RTU500 series firmware version 12.6.1, the RTU500 Web Access PowerShell script
interface enables the user to access the RTU via PowerShell Cmdlets.

The following Cmdlets are available:

• Confirm-Restore
• Connect-RTU
• Disconnect-RTU
• Edit-CertificateUserAccount
• Enable-Configuration
• Enable-Language
• Get-BackupInfo
• Get-RTUCentralAccountManagementActivationInfo
• Get-RTUCentralAccountManagementFiles
• Get-RTUCentralAccountManagementParameters
• Get-RTUCertificateRevocationLists
• Get-RTUCertificates
• Get-RTUPkiEstClientConfiguration
• Get-RTUPkiEstClients
• Get-RTUSystemLog
• Get-CmuModules
• Get-ConfigurationFiles
• Get-LanguageFileInfo
• Get-RtuStatus
• Get-RTUSystemTime
• Get-RuntimeFiles
• Get-RtuSecureUpdateCertificate
• GetSecurityPolicy
• Get-UserAccounts
• Get-UserRoles
• Get-SecurityPolicy
• Grant-UserRoles
• Invoke-InitialRTUPkiEstClientEnrollment
• New-Backup
• New-CertificateUserAccount
• New-UserAccount
• New-UserRole
• Receive-Backup
• Receive-File
• Receive-LanguageFile
• Receive-RTUPkiEstClientConfigurationFile
• Remove-Backup
• Remove-Configuration
• Remove-RTUCertificate


• Remove-RTUCertificates
• Remove-RTUCertificateRevocationList
• Remove-LanguageFile
• Remove-UserAccount
• Remove-UserRole
• Reset-RTU
• Reset-RestoreConfirmationTimeout
• Reset-UserAccounts
• Restore-Backup
• Revoke-UserRoles
• Send-Backup
• Send-RTUCertificate
• Send-RTUCertificateRevocationList
• Send-File
• Send-LanguageFile
• Send-RTUCentralAccountManagementParameters
• Send-RTUPkiEstClientConfigurationFile
• Set-ActiveUserAccountPassword
• Set-RTUSystemTime
• Set-SecurityPolicy
• Set-UserAccountPassword
• Set-UserRole
• Set-UserRoles
• Start-RTUCentralAccountManagementServerConnection
• Start-RTUPkiEstClient
• Stop-RTUCentralAccountManagementServerConnection
• Stop-RTUPkiEstClient
• Test-RTUCentralAccountManagementServerConnection
• Test-RTUPkiEstClientConnection
• Undo-Restore

ADVICE
RTU500 Web Access PowerShell script interface requires Windows PowerShell environment
version 5.1.

You can check the PowerShell version number with the command $PSVersionTable within the
Windows PowerShell environment.

11.2 Installation
Run the RTU500 Scripting Interface installation file.
The RTU500 Web Access Power Shell module is installed to the given destination folder.


Figure 166: RTU500 Scripting Interface Welcome page

Figure 167: RTU500 Scripting Interface Setup Options page

Figure 168: RTU500 Scripting Interface Installation Successfully Completed page


11.3 Commands
This chapter describes the commands provided by the RTU500 Web Access Power Shell module
that can be used in the Windows PowerShell environment.

11.3.1 Import Module

Open a PowerShell console or Windows PowerShell ISE and import the module containing the
RTU500 Web Access Power Shell commands:

Import-Module "C:\Program Files\Hitachi\RTU500 Scripting Interface\VersionNb\Hitachi.RTU500.WebAccess.PowerShell.dll"

ADVICE
You have to import the module for every new PowerShell session.

11.3.2 Connect to the RTU

Connect to an RTU with the following command (replace the server address with an IP address of
your RTU):

$connection = Connect-RTU -ServerAddress 192.0.2.79 -Secure -UserName Default -Password Default -UserRole Engineer

ADVICE
SSL certificate validation is turned on by default. The OS-defined certificate store is used
automatically. Certificate validation can be turned off for testing reasons with the argument
-DangerousAllowUntrustedSSLCertificates. However, this can lead to an
insecure connection and should be used for initial RTU configuration or troubleshooting only.

Optional arguments: Checking for CRL expiration with -CheckCRL and adding certificates
manually with -ManuallyAddedCertificates.

The -UserRole parameter is optional. If omitted, the connection will use the default user role.

Further debugging (support-level debugging) is possible using the -LogRsiRequests
switch parameter.

ADVICE
Once a connection to the RTU is established, reuse the same connection to execute multiple
commands.

11.3.3 Disconnect from the RTU

Disconnect from the RTU with the command:

Disconnect-RTU -Connection $connection


or with:

Disconnect-RTU $connection


ADVICE
After disconnection the connection object stored in the $connection variable is no longer usable.

11.3.4 User Management

To use these features, the PowerShell wrapper starts a user management session. The session is
started, changes are applied and committed. If changes are not applicable, an Exception is
thrown.

After using one of the following commands:

• New-UserAccount,
• New-UserRole,
• Remove-UserAccount,
• Remove-UserRole,

the connection is closed and needs to be re-opened after a short time (approximately 1
second).

11.3.4.1 Create User Account

Command to create a new RTU500 series user account:

New-UserAccount -Connection $connection -Name "testuser" -Password "secret"

11.3.4.2 Get User Accounts

Command to get information about RTU500 series user accounts:

Get-UserAccounts -Connection $connection

11.3.4.3 Reset User Accounts

Command to reset RTU500 series user accounts:

Reset-UserAccounts -Connection $connection

11.3.4.4 Remove User Account

Command to remove a RTU500 series user account:

Remove-UserAccount -Connection $connection -UserId "10"

11.3.4.5 Set Active User Account Password (Non-Admin Mode)

Set user account password with command:

Set-ActiveUserAccountPassword -Connection $connection -OldPassword "test" -NewPassword "rtu"

With Hex-format password:

Set-ActiveUserAccountPassword -Connection $connection -OldPassword "rtu" -NewPassword "921beba5cc11f4863862b1ed0bfb1bad619e0fb16d00e99a771fb32b6d6637e4" -UseHexPassword

11.3.4.6 Set User Account Password (Admin Mode)

Set user account password with command:

Set-UserAccountPassword -Connection $connection -UserId "14" -NewPassword "rtu"

or with:

Set-UserAccountPassword -Connection $connection -UserName "testuser12345" -NewPassword "rtu"

Moreover, a Hex-format password can be used:

Set-UserAccountPassword -Connection $connection -UserName "testuser" -Password "921beba5cc11f4863862b1ed0bfb1bad619e0fb16d00e99a771fb32b6d6637e4" -UseHexPassword

11.3.4.7 Create User Account with Certificate

Command to create new user account with certificate:

New-CertificateUserAccount -Connection $connection -Password "rtu" -CertificateFileName '.\Add_Christian.pem'

11.3.4.8 Edit User Account with Certificate

Edit user account with certificate with command:

Edit-CertificateUserAccount -Connection $connection -UserId "18" -CertificateFileName '.\Change_Christian_viewer_only.pem'

or with:

Edit-CertificateUserAccount -Connection $connection -UserName "Christian" -CertificateFileName '.\Change_Christian_viewer_only.pem'

11.3.4.9 Create User Role

Command to create a new RTU500 series user role:

New-UserRole -Connection $connection -Name "role1"

11.3.4.10 Get User Roles

Command to get information about RTU500 series user roles:

Get-UserRoles -Connection $connection


11.3.4.11 Change User Role

Commands to change RTU500 series user role:

Set-UserRole -Connection $connection -NewUserRole <Role name>


or:

Set-UserRole $connection <Role name>

11.3.4.12 Remove User Role

Command to remove a RTU500 series user role:

Remove-UserRole -Connection $connection -RoleId "10"

11.3.4.13 Set User Role

Set a RTU500 series user role with command:

Set-UserRole -Connection $connection -NewUserRole <Role name>


or with:

Set-UserRole $connection <Role name>

11.3.4.14 Grant User Role to User Account

Commands to grant user role to user account:

Grant-UserRoles -UserId 17 -RoleIds 5,6 -Connection $connection

or with:

Grant-UserRoles -UserName "testuser12345" -RoleIds 5,6 -Connection $connection

or with:

Grant-UserRoles -UserId 17 -RoleNames "Engineer" -Connection $connection

or with:

Grant-UserRoles -UserName "testuser12345" -RoleNames "Engineer" -Connection $connection

11.3.4.15 Revoke User Role for User Account

Commands to revoke user role for user account:

Revoke-UserRoles -UserId 17 -RoleIds 5,6 -Connection $connection

or with:

Revoke-UserRoles -UserName "testuser12345" -RoleIds 5,6 -Connection $connection

or with:

Revoke-UserRoles -UserId 17 -RoleNames "Engineer" -Connection $connection

or with:

Revoke-UserRoles -UserName "testuser12345" -RoleNames "Engineer" -Connection $connection

11.3.4.16 Edit User Roles and Permissions

This section describes the usage of the command Set-UserRoles. In general, the object
$roles can be used for adding, removing and editing user roles.

There are a few points to keep in mind here:

• Multiple changes in the roles object are possible, e.g. add a user, then add permissions etc.
• Role IDs and names should not be duplicated (e.g. two roles with the same ID).
• Special characters are not allowed in the role name.
• The Clone() method of IList<IUserRole> must be used to copy a role. Otherwise the interface
will point back to another existing role with the same data inside.

11.3.4.16.1 Copy an Existing User Role and Add it

Command to copy an existing user role and add it:

$roles = Get-UserRoles -Connection $connection
$roleToAdd = $roles[$roles.Count - 1].Clone()
# Setting the individual ID and name:
$roleToAdd.Id = $roles[$roles.Count - 1].Id + 1
$roleToAdd.Name = "test123"
$roles.Add($roleToAdd)
Set-UserRoles -Connection $connection -UserRoles $roles

11.3.4.16.2 Remove an Existing User Role

Command to remove an existing user role:

$roles = Get-UserRoles -Connection $connection
# Example: This command removes the last user role:
$roles.RemoveAt($roles.Count - 1)
Set-UserRoles -Connection $connection -UserRoles $roles

11.3.4.16.3 Add Permission to User Role

Command to add permission to user role:

$roles = Get-UserRoles -Connection $connection
$roles[8].AddPermission(1024)
Set-UserRoles -Connection $connection -UserRoles $roles


11.3.4.16.4 Remove Permission from User Role

Command to remove permission from user role:

$roles = Get-UserRoles -Connection $connection
$roles[8].RemovePermission(1024)
Set-UserRoles -Connection $connection -UserRoles $roles

11.3.4.16.5 Add User ID to User Role

Command to add user ID to user role:

$roles = Get-UserRoles -Connection $connection
$roles[8].UserIds.Add(1)
Set-UserRoles -Connection $connection -UserRoles $roles

11.3.4.16.6 Remove User ID from User Role

Command to remove user ID from user role:

$roles = Get-UserRoles -Connection $connection
$roles[8].UserIds.Remove(1)
Set-UserRoles -Connection $connection -UserRoles $roles

11.3.4.16.7 Add a New User Role

Command New-UserRole (see "Create User Role") is needed for this task.

11.3.4.16.8 Remove a User Role

Command Remove-UserRole (see "Remove User Role") is needed for this task.

11.3.4.17 Get Security Policy

Command to get information about RTU500 series security policy:

Get-SecurityPolicy -Connection $connection

11.3.4.18 Edit a Security Policy

Command to edit a security policy:

$policy = Get-SecurityPolicy -Connection $connection
$policy.PasswordRequiresUpperCaseCharacters = $true
$policy | Set-SecurityPolicy -Connection $connection -Verbose
# Alternative without Pipelining:
# Set-SecurityPolicy -SecurityPolicy $policy -Connection $connection -Verbose
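
The account workflow from this chapter (create an account, reopen the connection that New-UserAccount closes, grant a role, read the result back), as an added example that is not part of the RTU500 Scripting Interface or of this manual. The helper names, the address 192.0.2.79 (taken from the Connect-RTU example), the account and role names and the 2-second wait are assumptions; passwords are prompted for instead of being written into the script.

```powershell
# Added example, not vendor code. Requires the module imported as described in 11.3.1.
$rtuAddress = '192.0.2.79'     # address from the Connect-RTU example; replace with your RTU
$newUser    = 'testuser'       # account name from the New-UserAccount example
$roleName   = 'Engineer'       # role name from the Grant-UserRoles example

# Prompt for credentials so that no password is stored in the script or its history.
$admin   = Get-Credential -Message 'RTU account that is allowed to manage users'
$newPass = Read-Host -AsSecureString -Prompt "Initial password for $newUser"

function ConvertTo-PlainText([securestring]$Secure) {
    # Hypothetical helper: the cmdlets in this chapter take passwords as plain strings.
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

function Open-RtuSession {
    # Hypothetical helper. Certificate validation stays on:
    # -DangerousAllowUntrustedSSLCertificates is deliberately not used.
    Connect-RTU -ServerAddress $rtuAddress -Secure `
        -UserName $admin.UserName `
        -Password $admin.GetNetworkCredential().Password `
        -ErrorAction Stop
}

# Step 1: create the account. An exception is thrown if the change is not applicable.
$connection = Open-RtuSession
New-UserAccount -Connection $connection -Name $newUser `
    -Password (ConvertTo-PlainText $newPass) -ErrorAction Stop

# Step 2: New-UserAccount closes the connection. The old object is not reused;
# wait a little longer than the stated 1 second and open a new one.
Start-Sleep -Seconds 2
$connection = Open-RtuSession

try {
    # Step 3: grant exactly one named role to the new account.
    Grant-UserRoles -UserName $newUser -RoleNames $roleName -Connection $connection

    # Step 4: read accounts and roles back so the change can be reviewed and kept as a record.
    Get-UserAccounts -Connection $connection | Out-Host
    Get-UserRoles    -Connection $connection | Out-Host
}
finally {
    # Always release the session, also when granting the role failed.
    Disconnect-RTU -Connection $connection
}
```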


11.3.5 Central Account Management (CAM) Client


11.3.5.1 Get CAM Parameters

Command to get CAM parameters:

Get-RTUCentralAccountManagementParameters -Connection $connection

11.3.5.2 Upload CAM Parameter File

Command to upload CAM parameter file:

Parameter Set: "File":

Send-RTUCentralAccountManagementParameters -LocalFileName ".\test.xml"

Parameter Set: "XML":

Send-RTUCentralAccountManagementParameters -XmlDocument $xml

11.3.5.3 Get CAM File Info

Command to get CAM file info:

Get-RTUCentralAccountManagementFiles -Connection $connection

11.3.5.4 Get CAM Activation Info

Command to get CAM activation info:

Get-RTUCentralAccountManagementActivationInfo -Connection $connection

11.3.5.5 Test CAM Server Connection

Command to test CAM server connection:

Test-RTUCentralAccountManagementServerConnection -Connection $connection -UserName "test" -Password "rtu"

ADVICE
Arguments “UserName” and “Password” are optional.

11.3.5.6 Start CAM Server

Command to start CAM server:

Start-RTUCentralAccountManagementServerConnection -Connection $connection

11.3.5.7 Stop CAM Server

Command to stop CAM server:

Stop-RTUCentralAccountManagementServerConnection -Connection $connection

11.3.6 Download Files from the RTU


11.3.6.1 Download Active Configuration File

You can download the active configuration file from the RTU with command:

Receive-File -Connection $connection -FileType RcdConfigurationActive -LocalFileName C:\PowerShell\config.rcd

or with command:

Receive-File $connection RcdConfigurationActive C:\PowerShell\config.rcd

To overwrite an existing file, add the 'Overwrite' switch to the command:

Receive-File -Connection $connection -FileType RcdConfigurationActive -LocalFileName C:\PowerShell\config.rcd -Overwrite

or:

Receive-File $connection RcdConfigurationActive C:\PowerShell\config.rcd -Overwrite

11.3.6.2 Download Firmware File

Download firmware file from the RTU with command:

Receive-File -Connection $connection -FileType CmuFirmware -LocalFileName C:\PowerShell\wblrxx.bin -Overwrite

or with:

Receive-File $connection CmuFirmware C:\PowerShell\wblrxx.bin -Overwrite

11.3.6.3 Download HMI Project File

Download HMI project file from the RTU with command:

Receive-File -Connection $connection -FileType IntegratedHmiProject -LocalFileName C:\PowerShell\project.jar -Overwrite

or with:

Receive-File $connection IntegratedHmiProject C:\PowerShell\project.jar -Overwrite

11.3.6.4 Download License File

To download the license file from the RTU enter the following command:

Receive-File -Connection $connection -FileType License -LocalFileName C:\PowerShell\ABBRTU500.lic -Overwrite

or enter:

Receive-File $connection License C:\PowerShell\ABBRTU500.lic -Overwrite

11.3.6.5 Download Password File

To download the password file from the RTU enter the following command:

Receive-File -Connection $connection -FileType PasswordFile -LocalFileName C:\PowerShell\passwordFile.key -Overwrite

or enter:

Receive-File $connection PasswordFile C:\PowerShell\passwordFile.key -Overwrite

11.3.6.6 Download PLC Package

To download a PLC package from the RTU enter the following command:

Receive-File -Connection $connection -FileType PlcPackageBase -LocalFileName C:\PowerShell\PLC.pkg -Overwrite

or enter:

Receive-File $connection PlcPackageBase C:\PowerShell\PLC.pkg -Overwrite

11.3.7 Upload Files to the RTU


11.3.7.1 Upload Configuration File

Upload a configuration file to the RTU with command:

Send-File -Connection $connection -FileType RcdConfigurationBase -LocalFileName C:\PowerShell\config.rcd

or with:

Send-File $connection RcdConfigurationBase C:\PowerShell\config.rcd

11.3.7.2 Upload CMU Firmware File

These commands upload the CMU firmware to the local CMU board (the CMU board accessible via
the IP address specified in the connect command):

Send-File -Connection $connection -FileType CmuFirmware -LocalFileName C:\PowerShell\wblrxx.bin

or:

Send-File $connection CmuFirmware C:\PowerShell\wblrxx.bin

You can specify the distribution mode with the 'DistributionMode' parameter:


Distribution option                  Parameter value   Comment
To local CMU module                  ToLocalCmu        Default, if 'DistributionMode' parameter is omitted
To all CMU modules                   ToAllCmus         -
To CMU module by rack/slot address   ToCmuByAddress    Mandatory to specify rack/slot address with the
                                                       'RackAddress' and 'SlotAddress' parameters

To upload the CMU firmware to a CMU module with rack address 1 and slot address 3, use this
command:

Send-File -Connection $connection -FileType CmuFirmware -LocalFileName wblrxx.bin -DistributionMode ToCmuByAddress -RackAddress 1 -SlotAddress 3

11.3.7.3 Upload HMI Project File

Upload HMI project file for the Integrated HMI to the RTU with this command:

Send-File -Connection $connection -FileType IntegratedHmiProject -LocalFileName C:\PowerShell\project.jar

or with command:

Send-File $connection IntegratedHmiProject C:\PowerShell\project.jar

You can specify the distribution mode with the 'DistributionMode' parameter:

Distribution option                  Parameter value   Comment
To local CMU module                  ToLocalCmu        Default, if 'DistributionMode' parameter is omitted
To all CMU modules                   ToAllCmus         -
To CMU module by rack/slot address   ToCmuByAddress    Mandatory to specify rack/slot address with the
                                                       'RackAddress' and 'SlotAddress' parameters

11.3.7.4 Upload License File

Upload license file to the RTU with command:

Send-File -Connection $connection -FileType License -LocalFileName C:\PowerShell\ABBRTU500.lic

or with:

Send-File $connection License C:\PowerShell\ABBRTU500.lic

11.3.7.5 Upload Password File

Upload password file to the RTU with command:

Send-File -Connection $connection -FileType PasswordFile -LocalFileName C:\PowerShell\passwordFile.key

or with:

Send-File $connection PasswordFile C:\PowerShell\passwordFile.key

You can specify the distribution mode with the 'DistributionMode' parameter:

Distribution option                  Parameter value   Comment
To local CMU module                  ToLocalCmu        Default, if 'DistributionMode' parameter is omitted
To all CMU modules                   ToAllCmus         -
To CMU module by rack/slot address   ToCmuByAddress    Mandatory to specify rack/slot address with the
                                                       'RackAddress' and 'SlotAddress' parameters

11.3.7.6 Upload PLC Package

Upload PLC package to the RTU with command:

Send-File -Connection $connection -FileType PlcPackageBase -LocalFileName C:\PowerShell\PLC.pkg

or with:

Send-File $connection PlcPackageBase C:\PowerShell\PLC.pkg

You can specify the distribution mode with the 'DistributionMode' parameter:

Distribution option                  Parameter value   Comment
To local CMU module                  ToLocalCmu        Default, if 'DistributionMode' parameter is omitted
To all CMU modules                   ToAllCmus         -
To CMU module by rack/slot address   ToCmuByAddress    Mandatory to specify rack/slot address with the
                                                       'RackAddress' and 'SlotAddress' parameters

11.3.8 Get Configuration Files

Command to get information about RTU500 series configuration files:

Get-ConfigurationFiles -Connection $connection

11.3.9 Get RTU Status

Command to get RTU status:

Get-RtuStatus -Connection $connection

11.3.10 Get RTU System Log

Command to get RTU system log:

Get-RtuSystemLog -Connection $connection


11.3.11 Get Runtime Files

Command to get information about RTU500 series runtime files:

Get-RuntimeFiles -Connection $connection

11.3.12 Get CMU Modules

Command to get information about RTU500 series CMU modules:

Get-CmuModules -Connection $connection

11.3.13 Activate a Configuration

Activate a configuration with command:

Enable-Configuration -Connection $connection -FileType RcdConfigurationBase

or with:

Enable-Configuration $connection RcdConfigurationBase

11.3.14 Reset the RTU

Reset the RTU with command:

Reset-RTU -Connection $connection


or with:

Reset-RTU $connection

11.3.15 Backup Management

ADVICE
Backup management is a feature of the RTU530 and RTU540 product lines.

11.3.15.1 Create a New Backup

Create a new backup with command:

New-Backup -Connection $connection -Name "Test-Backup" -Comment "Test-Comment"

or with:

New-Backup -Connection $connection -Name "Test-Backup"

11.3.15.2 Download Backup Package

To download a backup package from the RTU enter the following command:

Receive-Backup -Connection $connection -Name "Test-Backup" -LocalFileName C:\PowerShell\TestBackup.pkg

11.3.15.3 Upload Backup Package

Upload backup package to the RTU with command:

Send-Backup -Connection $connection -LocalFileName C:\PowerShell\TestBackup.pkg

11.3.15.4 Delete Backup

To delete the backup from the RTU enter the following command:

Remove-Backup -Connection $connection -Name "Test-Backup"

11.3.15.5 Restore a Backup

Restore a backup without confirmation with command:

Restore-Backup -Connection $connection -Name "Test-Backup"

After restore of the backup, the RTU reboots.

Restore a backup with confirmation with command:

Restore-Backup -Connection $connection -Name "Test-Backup" -WithConfirmation

After restore of the backup, the RTU reboots. You'll need to confirm or undo the restore with
commands:

Confirm-Restore -Connection $connection

or:

Undo-Restore -Connection $connection
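
The restore with confirmation described above, written out as one sequence: restore, wait for the reboot, reconnect, review status and system log, then confirm or undo. This is an added example, not part of the RTU500 Scripting Interface or of this manual; the helper Connect-RtuWithRetry, the retry count, the delays and the YES prompt are assumptions, and the address and backup name are the ones used in the examples of this chapter.

```powershell
# Added example, not vendor code. Requires the module imported as described in 11.3.1.
$rtuAddress = '192.0.2.79'     # address from the Connect-RTU example; replace with your RTU
$backupName = 'Test-Backup'    # name from the New-Backup example
$cred = Get-Credential -Message 'RTU account that is allowed to restore backups'

function Connect-RtuWithRetry {
    # Hypothetical helper: retries while the RTU is rebooting.
    # Attempt count and delay are assumptions, not values from the manual.
    param([int]$Attempts = 30, [int]$DelaySeconds = 10)
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            # Certificate validation stays on for every attempt.
            return Connect-RTU -ServerAddress $rtuAddress -Secure `
                -UserName $cred.UserName `
                -Password $cred.GetNetworkCredential().Password `
                -ErrorAction Stop
        }
        catch {
            Write-Verbose "Attempt $i failed: $($_.Exception.Message)"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    throw "RTU $rtuAddress not reachable after $Attempts attempts."
}

# Step 1: record the stored backups, then start the restore in confirmation mode.
$connection = Connect-RtuWithRetry -Attempts 1
Get-BackupInfo -Connection $connection | Out-Host
Restore-Backup -Connection $connection -Name $backupName -WithConfirmation

# Step 2: the RTU reboots after the restore, so the old connection object is not reused.
Start-Sleep -Seconds 30        # assumed minimum reboot time
$connection = Connect-RtuWithRetry

try {
    # Step 3: show the state of the restored system before the decision is made.
    # Out-Host makes sure the output is displayed before the prompt appears.
    Get-RtuStatus    -Connection $connection | Out-Host
    Get-RtuSystemLog -Connection $connection | Out-Host

    # Step 4: explicit operator decision; anything other than YES undoes the restore.
    $answer = Read-Host "Keep restored backup '$backupName'? Type YES to confirm"
    if ($answer -ceq 'YES') {
        Confirm-Restore -Connection $connection
    }
    else {
        Undo-Restore -Connection $connection
    }
}
finally {
    # The manual does not state whether confirm/undo ends the session,
    # so a failed disconnect is logged and not treated as fatal.
    try { Disconnect-RTU -Connection $connection }
    catch { Write-Verbose $_.Exception.Message }
}
```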

11.3.15.6 Reset Restore Confirmation Timeout

Reset restore confirmation timeout with command:

Reset-RestoreConfirmationTimeout -Connection $connection

11.3.15.7 Get Backup Information

Get backup information with command:

Get-BackupInfo -Connection $connection

11.3.16 Language Management

Following language file types are supported:


• RTUi
• WebServer

Identification of language and country/region:


Option 1:
• Language code: an ISO 639 two-letter lowercase culture code associated with a language, e.g.
en, de, fr.
• Country/region code: an ISO 3166 two-letter uppercase subculture code associated with a
country or region, e.g. EN, DE, FR.

Option 2:
• Culture name: language code + “-” + country code

11.3.16.1 Download Language File

To download the language file from the RTU enter the following command:

Receive-LanguageFile -Connection $connection -FileType RTUi -Culture "en-US" -LocalFileName "C:\PowerShell\RTUi_en-US.rdt"

or enter:

Receive-LanguageFile -Connection $connection -FileType RTUi -LanguageCode "en" -CountryCode "US" -LocalFileName "C:\PowerShell\RTUi_en-US.rdt" -Overwrite

11.3.16.2 Upload Language File

Upload language file to the RTU with command:

Send-LanguageFile -Connection $connection -FileType RTUi -Culture "en-US" -LocalFileName "C:\PowerShell\RTUi_en-US.rdt"

or with:

Send-LanguageFile -Connection $connection -FileType RTUi -LanguageCode "en" -CountryCode "US" -LocalFileName "C:\PowerShell\RTUi_en-US.rdt"

11.3.16.3 Delete Language File

To delete the language file from the RTU enter the following command:

Remove-LanguageFile -Connection $connection -FileType RTUi -Culture "fr-FR"

or enter:

Remove-LanguageFile -Connection $connection -FileType RTUi -LanguageCode "fr" -CountryCode "FR"

11.3.16.4 Activate a Language

Activate a language with command:

Enable-Language -Connection $connection -Culture "en-US"

or with:

Enable-Language -Connection $connection -LanguageCode "en" -CountryCode "US"


11.3.16.5 Get Information About Language Files

Get information about available language files with command:

[xml]$document = Get-LanguageFileInfo -Connection $connection

11.3.17 RTU Certificates


11.3.17.1 Download RTU Certificates

Download certificates from the RTU with command:

Get-RTUCertificates -Connection $connection


or with:

Get-RTUCertificates $connection

11.3.17.2 Upload RTU Certificate

Upload a certificate to the RTU with command:

Send-RTUCertificate -Connection $connection -RtuCertStoreEntryNumber "1" -LocalFileName "C:\PowerShell\CertFile.p12" -LocalCertFilePassword "CertFile123"

11.3.17.3 Remove RTU Certificate

Command to remove an RTU certificate:

Remove-RTUCertificates -Connection $connection -RtuCertStoreEntryNumber "1"

11.3.17.4 Download RTU Certificate Revocation Lists

Download certificate revocation lists from the RTU with command:

Get-RTUCertificateRevocationLists -Connection $connection


or with:

Get-RTUCertificateRevocationLists $connection

11.3.17.5 Upload RTU Certificate Revocation List

Upload a certificate revocation list to the RTU with command:

Send-RTUCertificateRevocationList -Connection $connection -LocalFileName "C:\PowerShell\Certificate-no_revoked_cert.pem"

11.3.17.6 Remove RTU Certificate Revocation List

Command to remove an RTU certificate revocation list:

Remove-RTUCertificateRevocationList -Connection $connection -RtuCRLEntryNumber "1"


11.3.17.7 Get RTU Secure Update Certificate Information

Get RTU secure update certificate information with command:

Get-RtuSecureUpdateCertificate -Connection $connection

11.3.18 PKI EST Client


11.3.18.1 Get all PKI Clients

Command to get all PKI clients:

Get-RTUPkiEstClients -Connection $connection

11.3.18.2 Get a PKI Client Configuration

Command to get a PKI client configuration:

Get-RTUPkiEstClientConfiguration -Connection $connection -ClientID 1 -Verbose

11.3.18.3 Receive a PKI Client Configuration File

Command to receive a PKI client configuration file:

Receive-RTUPkiEstClientConfigurationFile -Connection $connection -ClientID 1 -LocalFileName "C:\temp\pki_config.xml" -Overwrite -Verbose

11.3.18.4 Send a PKI Client Configuration File

Command to send a PKI client configuration file:

Send-RTUPkiEstClientConfigurationFile -Connection $connection -ClientID 1 -LocalFileName "C:\temp\pki_config.xml" -Verbose

11.3.18.5 Enroll Initially with Certificate

Command to enroll initially with certificate:

Invoke-InitialRTUPkiEstClientEnrollment -Connection $connection -ClientID 1 -CmuNo 1 -EntryNo 1 -OneTimePassword "test" -Verbose

11.3.18.6 Enroll Initially with HTTP Authentication

Command to enroll initially with HTTP Authentication:

Invoke-InitialRTUPkiEstClientEnrollment -Connection $connection -ClientID 1 -CmuNo 1 -EntryNo 1 -OneTimePassword "test" -AuthenticationUserName "test123" -AuthenticationPassword "passwort123" -Verbose


11.3.18.7 Start a PKI Client

Command to start a PKI client:

Start-RTUPkiEstClient -Connection $connection -ClientID 1 -Verbose

11.3.18.8 Stop a PKI Client

Command to stop a PKI client:

Stop-RTUPkiEstClient -Connection $connection -ClientID 1 -Timespan 24 -Verbose

11.3.18.9 Test PKI Client Connection

Command to test a PKI client connection:

Test-RTUPkiEstClientConnection -Connection $connection -ClientID 1 -IPAddress "192.168.178.10" -Port 80 -Verbose

11.3.19 Time Administration


11.3.19.1 Get RTU System Time

Get RTU system time with command:

Get-RTUSystemTime -Connection $connection


or with:

Get-RTUSystemTime $connection

11.3.19.2 Set RTU System Time

Commands to set RTU system time:

$timestamp = [System.DateTime]::new(2011,11,11,11,11,11)
Set-RTUSystemTime -Connection $connection -CustomTimestamp $timestamp

or:

Set-RTUSystemTime -Connection $connection -UseSystemTime

11.4 PowerShell Script Example


This example shows how to define variables, establish a connection, upload files, enable a
configuration and reset an RTU:

Import-Module "C:\Program Files (x86)\Hitachi\RTU500 Scripting Interface\1.0.1.38\Hitachi.RTU500.WebAccess.PowerShell.dll"

# Files to upload
$FW1 = "C:\powershell\WBLRX0000R12_06_01_176.bin"
$conf1 = "C:\powershell\ConfigPLC.rcd"
$confPLC = "C:\powershell\testPLC\testpower.pkg"
$confHMI1 = "C:\powershell\testhmi.jar"

Write-Host "RTU Connection establishment" -ForegroundColor Blue

# Start from a clean state so a failed login cannot reuse an older connection
$connection = $null
try
{
    $connection = Connect-RTU -ServerAddress 192.168.0.1 -Secure -UserName Default -Password Default -UserRole Engineer -Verbose
}
catch
{
    Write-Host "RTU Connection Error: $($_.Exception.Message)" -ForegroundColor Red
}

# Continue only if the connection was established
if ($null -ne $connection.ServerAddress)
{
    # Upload and activate the RTU configuration
    Write-Host "Send Configuration $($conf1)" -ForegroundColor Blue
    try
    {
        Send-File -Connection $connection -FileType RcdConfigurationBase -LocalFileName $conf1
        Write-Host "Enable Configuration $($conf1)" -ForegroundColor Blue
        Enable-Configuration -Connection $connection -FileType RcdConfigurationBase
    }
    catch
    {
        Write-Host "Configuration Error: $($_.Exception.Message)" -ForegroundColor Red
    }

    # Upload the integrated HMI project to all CMUs
    Write-Host "Send HMI $($confHMI1)" -ForegroundColor Blue
    try
    {
        Send-File $connection -FileType IntegratedHmiProject -DistributionMode ToAllCmus -LocalFileName $confHMI1
    }
    catch
    {
        Write-Host "Send HMI Error: $($_.Exception.Message)" -ForegroundColor Red
    }

    # Upload and activate the PLC package
    Write-Host "Send PLC $($confPLC)" -ForegroundColor Blue
    try
    {
        Send-File -Connection $connection -FileType PlcPackageBase -LocalFileName $confPLC
        Enable-Configuration -Connection $connection -FileType PlcPackageBase
        Write-Host "Enable PLC" -ForegroundColor Blue
    }
    catch
    {
        Write-Host "PLC Error: $($_.Exception.Message)" -ForegroundColor Red
    }

    # Upload the firmware to all CMUs, then reset the RTU
    Write-Host "Send Firmware $($FW1)" -ForegroundColor Blue
    try
    {
        Send-File -Connection $connection -FileType CmuFirmware -DistributionMode ToAllCmus -LocalFileName $FW1
        Write-Host "Reset RTU" -ForegroundColor Magenta
        Reset-RTU $connection -Verbose
    }
    catch
    {
        Write-Host "Firmware Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}

PowerShell command window output examples:

Figure 169: PowerShell command window example output 1

Figure 170: PowerShell command window example output 2


Figure 171: PowerShell command window example output 3
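
The script example above and the certificate upload in 11.3.17.2 both carry passwords as literals. The following added example (not part of the manual) shows the same two calls with the secrets requested at run time instead. The helper function, the prompts and the assumption that the password parameters accept plain strings (as the page's own calls suggest) are this example's, not the product's.

```powershell
# Added example, not from the RTU500 manual. Cmdlets and parameters are the ones
# shown in this chapter; the helper function and prompts are assumptions.
Import-Module 'C:\Program Files (x86)\Hitachi\RTU500 Scripting Interface\1.0.1.38\Hitachi.RTU500.WebAccess.PowerShell.dll'

function ConvertTo-PlainText {
    # The cmdlets on this page are shown taking passwords as plain strings, so the
    # SecureString is unwrapped at the call site and not kept in a script variable.
    param([Parameter(Mandatory)] [securestring] $Secure)
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

# Weak form, as in the examples above: the secrets are literals in the script file
# and travel wherever the script is copied (version control, backups, file shares).
#   Connect-RTU ... -UserName Default -Password Default ...
#   Send-RTUCertificate ... -LocalCertFilePassword "CertFile123"

# Hardened form: ask for the secrets at run time.
$rtuCredential = Get-Credential -Message 'RTU account with the Engineer role'
$p12Password   = Read-Host -Prompt 'Password protecting CertFile.p12' -AsSecureString
$p12File       = 'C:\PowerShell\CertFile.p12'

if (-not (Test-Path -LiteralPath $p12File -PathType Leaf)) {
    throw "Certificate file not found: $p12File"
}

try {
    $connection = Connect-RTU -ServerAddress 192.168.0.1 -Secure `
        -UserName $rtuCredential.UserName `
        -Password (ConvertTo-PlainText $rtuCredential.Password) `
        -UserRole Engineer -ErrorAction Stop

    Send-RTUCertificate -Connection $connection -RtuCertStoreEntryNumber "1" `
        -LocalFileName $p12File `
        -LocalCertFilePassword (ConvertTo-PlainText $p12Password) -ErrorAction Stop
}
catch {
    # Report the failure without echoing any of the secrets.
    Write-Host "RTU certificate upload failed: $($_.Exception.Message)" -ForegroundColor Red
}
finally {
    # Drop the references so the secrets do not linger in the session.
    Remove-Variable rtuCredential, p12Password -ErrorAction SilentlyContinue
}
```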


12 Recovery Mode
The RTU530 supports a feature called recovery mode.

In case of a fatal device failure, it is possible to boot the RTU in a limited recovery mode. This mode
is able to detect and repair several failure scenarios of the CMU hardware and guides the user through
recovering the device.

A reduced web-based user interface allows the user to check logs and offers actions to recover
the device.

ADVICE
Recovery mode is a feature of the RTU530 product line.

12.1 Start Recovery Mode


The RTU530 recovery mode can be started via the S1 button. The button is located inside the housing,
behind a tiny hole below the lower left corner of the power plug:

Figure 172: S1 Button

If the S1 button is pressed for 3 seconds during power-up of an RTU530 CMU until the green LED is
blinking, or if no CMU application firmware is found, the CMU recovery mode is started.

ADVICE
The recovery mode is indicated by a green flashing RUN LED and a constant red ERR LED.

12.2 User Interface


Within the recovery mode, a browser can only be connected to the RTU via the USB device
interface using the HTTP protocol. The URL for the homepage of the USB connection is:
http://169.254.0.10. No user credentials are required to connect to the homepage and view
the status of the RTU. Only running an action command requires authentication with valid
credentials. Default user credentials of the recovery user are created at manufacturing time
and documented in User Manual Security Deployment Guide Release 13 (1KGT151106). The
username and password of the recovery user can be changed in the user management of the
standard web server GUI when not running in recovery mode.

The user interface consists of three sections:


• The header section shows the current colored status of the RTU: OK, Warning, Error.
• The section in the middle provides the device information like CMU type, MAC address, etc. on
the left side and possible actions on the right side.
• The lower section contains the recovery log.


Figure 173: Possible actions

It is possible to download the current recovery log and a (reduced) system information file (blue
hyperlinks on the right), which can be sent to the RTU support line if required.

12.3 Actions
12.3.1 Automatic Triggered Actions

When the recovery mode is started, the existing partitions (data partition and program
partition) of the memory device are checked and partition errors are corrected where possible.

It is not possible to run any manual actions during the partition check. The result of the partition
check is visible in the recovery log.

12.3.2 User Actions

After the recovery mode has started and all checks have been performed, the user can select between
different possible actions. Usually one action is marked as recommended, depending on the
status of the CMU.

All actions besides the 'Reset CMU without changes' action require authentication:


Figure 174: Authentication required

Successful authentication is valid until the next reboot of the CMU.

12.3.2.1 Reset CMU Without Changes

If no further actions are required to recover the device, a plain reset can be done. The RTU will
reboot and run the application firmware again.

12.3.2.2 Reset to Factory Defaults

During manufacturing there is a default firmware and an example configuration stored as backup
on the RTU memory device. During reset to factory defaults, the data partition and the program
partition will be formatted and this firmware and example configuration will be activated.

All data is erased and the CMU is reset to its delivery state. The license is the same as it was
on delivery of the RTU. After a reboot, the CMU firmware behaves like a new RTU. Afterwards it
is possible to upload configuration, HMI, PLC, change user accounts etc.


Figure 175: Reset to factory settings

12.3.2.3 Reset to Factory Defaults and Keep License

The difference from the previous action is that the upgraded license is kept. Prerequisite: You have
updated your license at runtime of the CMU (e.g. because you bought additional functions).

12.3.2.4 Load CMU Firmware to RTU

Sometimes it is sufficient to load new firmware to the RTU (e.g. the uploaded application
firmware has a defect and is not able to run anymore). This action can be performed here. After
a reboot, the uploaded firmware runs with the configuration that is still available.


Figure 176: Choose Firmware File

12.4 Logging
For diagnostics and audit trail purposes, information gathered by the CMU recovery firmware or
entered by users is logged in recovery log files.

Recovery log files are also read outside the recovery mode by the CMU application firmware,
e.g. to derive security events or diagnostic log entries from their content.

This logging information also survives a factory reset.

The system information file will be nearly empty after a factory reset, containing only information
since the reboot.

12.5 Leaving the Recovery Mode


To leave the recovery mode, the CMU must be reset. This reset can be initiated manually by a user
via the user interface or by a timeout supervising user inactivity in the recovery mode.

Manual reset can be performed in several phases of the recovery mode.

The recovery mode is supervised by an inactivity timeout to prevent remaining in the recovery mode
without any user activity once the recovery mode was entered.

The started recovery mode expects a user interaction within a time of 5 minutes. If no user connects
to the recovery firmware via the web interface, the recovery firmware performs a CMU reset.

Starting with the first user interaction, the user inactivity timeout is reset to 15
minutes with each user interaction via the user interface of the recovery mode.

If the inactivity timeout expires, a CMU reset is performed.


12.6 Scope and Restrictions of the Recovery Mode


The recovery mode affects only the local CMU and is not intended to communicate with other
CMUs in a multi-CMU configuration. It contains only the mandatory features and therefore has
limited functionality.

Only the CMU's USB device interface is used, to enable a local RNDIS connection initiated by a
directly connected PC. All other external interfaces, such as Ethernet or serial interfaces, are
deactivated while the CMU recovery mode is running.


13 Glossary
AMI Analog Measured value Input

ASO Analog Setpoint command Output

BCI Bidirectional Communication Interface

BSI Bit String Input

CA Certificate Authority

CAM Central User Account Management

CDP CRL Distribution Point

CMU Communication and Data Processing Unit

CRL Certificate Revocation List

CSR Certificate Signing Request

DCO Double Command Output

DMI Digital Measured value Input (8, 16 bit)

DNS Domain Name System

DPI Double Point Input

DSO Digital Setpoint command Output (8, 16 bit)

ECDSA Elliptic Curve Digital Signature Algorithm

EST Enrollment over Secure Transport

FSO Floating Setpoint Command Output

HCI Host Communication Interface

HMI Human Machine Interface (here Integrated HMI function of the RTU500 series)

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

IEC International Electrotechnical Commission

IED Intelligent Electronic Device

IEEE Institute of Electrical and Electronics Engineers

IKE Internet Key Exchange

LAM Local User Account Management

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

LED Light Emitting Diode

MFI Analog Measured value Floating Input


OTP One Time Password

OU Organizational Unit

PC Personal Computer

PEM Privacy Enhanced Mail

PKI Public Key Infrastructure

PLC Programmable Logic Control

PPP Point to Point Protocol

RA Registration Authority

RCD RTU Configuration Data

RCO Regulation step Command Output

RFC Request for Comments

RTU Remote Terminal Unit

SCO Single Command Output

SEV System Event

SPI Single Point Input or Single point information

SSC System Single Command

STI Step position Input

TCP/IP Transmission Control Protocol / Internet Protocol

URL Uniform Resource Locator

USB Universal Serial Bus

VPN Virtual Private Network

Note:

The specifications, data, design or other information contained in this document (the “Brochure”)
- together: the “Information” - shall only be for information purposes and shall in no respect be
binding. The Brochure does not claim to be exhaustive. Technical data in the Information are only
approximate figures. We reserve the right at any time to make technical changes or modify the
contents of this document without prior notice. The user shall be solely responsible for the use of
any application example or information described within this document. The described examples
and solutions are examples only and do not represent any comprehensive or complete solution.
The user shall determine at its sole discretion, or as the case may be, customize, program or add
value to the Hitachi Energy products including software by creating solutions for the end customer
and to assess whether and to what extent the products are suitable and need to be adjusted or
customized.

This product is designed to be connected to and to communicate information and data via a network
interface. It is the user's sole responsibility to provide and continuously ensure a secure connection
between the product and the user's or end customer's network or any other network (as the case may
be). The user shall establish and maintain any appropriate measures (such as but not limited to the
installation of firewalls, application of authentication measures, encryption of data, installation of
anti-virus programs, etc) to protect the product, the network, its system and the interface against
any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft
of data or information. Hitachi Energy is not liable for any damages and/or losses related to such
security breaches, any unauthorized access, interference, intrusion, leakage and/or theft of data or
information.

Hitachi Energy shall be under no warranty whatsoever whether express or implied and assumes
no responsibility for the information contained in this document or for any errors that may appear
in this document. Hitachi Energy's liability under or in connection with this Brochure or the files
included within the Brochure, irrespective of the legal ground towards any person or entity, to which
the Brochure has been made available, in view of any damages including costs or losses shall be
excluded. In particular Hitachi Energy shall in no event be liable for any indirect, consequential or
special damages, such as – but not limited to – loss of profit, loss of production, loss of revenue,
loss of data, loss of use, loss of earnings, cost of capital or cost connected with an interruption
of business or operation, third party claims. The exclusion of liability shall not apply in the case
of intention or gross negligence. The present declaration shall be governed by and construed in
accordance with the laws of Switzerland under exclusion of its conflict of laws rules and of the
Vienna Convention on the International Sale of Goods (CISG).

Hitachi Energy reserves all rights in particular copyrights and other intellectual property rights.
Any reproduction, disclosure to third parties or utilization of its contents - in whole or in part - is not
permitted without the prior written consent of Hitachi Energy.

ABB is a registered trademark of ABB Asea Brown Boveri Ltd.


Manufactured by/for a Hitachi Energy company.

© 2024 Hitachi Energy.

All rights reserved.



Cybersecurity Product Manual Documentation Disclaimer

This document contains information about one or more Hitachi Energy products and may include
a description of or a reference to one or more standards that may be generally relevant to the
Hitachi Energy products. The presence of any such description of a standard or reference to a
standard is not a representation that all the Hitachi Energy products referenced in this document
support all the features of the described or referenced standard. In order to determine the specific
features supported by a particular Hitachi Energy product, the reader should consult the product
specifications for that Hitachi Energy product. In no event shall Hitachi Energy be liable for direct,
indirect, special, incidental, or consequential damages of any nature or kind arising from the use of
this document, nor shall Hitachi Energy be liable for incidental or consequential damages arising
from the use of any software or hardware described in this document.

Hitachi Energy may have one or more patents or pending patent applications protecting the
intellectual property in the Hitachi Energy products described in this document. The information in
this document is subject to change without notice and should not be construed as a commitment
by Hitachi Energy. Hitachi Energy assumes no responsibility for any errors that may appear in this
document.

All people responsible for applying the equipment addressed in this manual must satisfy themselves
that each intended application is suitable and acceptable, including compliance with any applicable
safety or other operational requirements. Any risks in applications where a system failure and/
or product failure would create a risk for harm to property or persons (including but not limited
to personal injuries or death) shall be the sole responsibility of the person or entity applying the
equipment, and those so responsible are hereby requested to ensure that all measures are taken to
exclude or mitigate such risks.

Products described or referenced in this document are designed to be connected and to
communicate information and data through network interfaces, which should be connected to a
secure network. It is the sole responsibility of the system/product owner to provide and continuously
ensure a secure connection between the product and the system network and/or any other
networks that may be connected.

The system/product owners must establish and maintain appropriate measures, including, but not
limited to, the installation of firewalls, application of authentication measures, encryption of data,
installation of antivirus programs, and so on, to protect these products, the network, its system, and
interfaces against security breaches, unauthorized access, interference, intrusion, leakage, and/or
theft of data or information.

Hitachi Energy performs functionality testing on released products and updates. However, system/
product owners are ultimately responsible for ensuring that any product updates or other major
system updates (to include but not limited to code changes, configuration file changes, third-party
software updates or patches, hardware change out, and so on) are compatible with the security
measures implemented. The system/product owners must verify that the system and associated
products function as expected in the environment in which they are deployed. Hitachi Energy and
its affiliates are not liable for damages and/or losses related to security breaches, any unauthorized
access, interference, intrusion, leakage, and/or theft of data or information.

This document and parts thereof must not be reproduced or copied without written permission from
Hitachi Energy, and the contents thereof must not be imparted to a third party nor used for any
unauthorized purpose.



Visit us

Hitachi Energy Germany AG


P.O. Box 42 01 30
68280 Mannheim, Germany

hitachienergy.com/rtu
