NovaTech Connection Manager (NCM) provides an encrypted connection between the enterprise and an OrionLX/LXm running a Connection Manager Agent. NovaTech Identity Manager™ (NIM) software provides centralized management of both system Users and system IEDs (called Hosts) using role-based access privileges. Passwords for Users and Hosts/IEDs (currently OrionLX/LXm and SEL® relays) are also centrally managed, including special modes for managing password changes.
NovaTech Connection Manager (NCM) and Agent
NCM software runs at the enterprise level and establishes encrypted connections to the OrionLX Cyber Secure Gateway in a substation. Within the OrionLX, the Connection Manager Agent allows transparent pass-through connection (using appropriate keys and certificates) to serially-connected or LAN-connected SEL® relays at the appropriate user access level (e.g. access level 1, access level 2, etc.). The software monitors un-permitted keystroke combinations when accessing SEL® relays (e.g. “PAS”, “SET”).
NovaTech Identity Manager (NIM)
User Identity and User Password Management
NIM software provides centralized LDAP-based user authentication, and can be configured to set up a Trust with an Active Directory authentication system. Strong password generation rules meet IT industry standards, and complete logging of all changes is provided for audits. Role-based Authentication assigns specific user privileges to each user or group of users, and rules can vary for different User Groups. “Manager Group” may require stronger password construction, or more frequent password changing than “General Group”. Other examples include:
Technician Group: Permitted to view relay settings but not change settings, view HMI but not control critical devices, only acknowledge non-critical alarms, attach using SSH but not HTTPS, etc.
Manager Group: Same privileges as Technician group but additional privileges to change settings, control critical devices, acknowledge critical alarms.
IT Group: Permitted to change IP addresses, firewall settings, etc. but not permitted to have access to “non-IT” settings or controls.
IED Password Management
Centralized administration of IED passwords is currently designed for management of SEL relay passwords, with other IEDs to be added in future development phases. SEL relays can be placed into groups for simplified administration such as “Transmission Relays”, “Distribution Relays”, “Critical Relay Assets”, “Non-critical relay Assets”, etc. IED-specific password rules are created for specific IED password construction. For example, the password construction rules for an SEL-421 can be different than the rules for an SEL-501. This enables SEL relays to be secured with the strongest passwords possible without running into password requirement conflicts. All activity is logged for auditing purposes.
There are four SEL relay Password Change Modes:
Normal Password Change Mode: Users can select specific SEL relays or groups to be changed, view the password policies for the SEL relays in the selected group (different relays in the group may have different password policies), enter or generate new random passwords according to those rules, and then send the passwords to all the relays in the group, with all actions logged.
Maintenance Mode: This mode is for when crews are in the substation performing upgrades and reconfigurations. Passwords for substation IEDs are temporarily changed to a well-known “maintenance” password.
Emergency Mode (or “Password Checkout” Mode): Generally only used if the broadband connection to the substation has been lost. An administrator can view passwords and divulge them to utility people in the substation, with all administrator actions logged.
Local Password Caching in the Security Gateway: Caching includes settings to enable or disable caching, and to set time limits for how long caching is enabled after connection to the remote server is lost.
NovaTech Orion I/O™ is an extension of the family of OrionLX™ Automation Platforms for substation automation and incorporates the same security features, software tools and “NCD” configuration as the OrionLX. It is a rack-mountable I/O assembly with four slots—A, B, C, and D—that can be filled with any combination of I/O cards: currently 16-Point Discrete Input Card,
A presentation by Jeremy Anderson covering the Cyber Security topics including a) The “Intermediate System” – Why Needed, and Design Suggestions b) Reliable Broadband-based Networking System – Not an Option c) The Importance of a Standards-based approach and d) Manual, Semi-Automatic or Fully Automatic Design?
At DistribuTECH 2017, NovaTech is exhibiting the new Orion I/O™ for substations. It delivers NERC CIP-compliant security, the highest I/O density (up to 64 in 2 RU) and the lowest cost per point (under $20). Orion I/O is a member of the OrionLX™ family, which means the right combination of flexibility and ease-of-use.
Rep. Kevin Yoder (3rd Congressional District of Kansas) presented NovaTech a letter of recognition from and an American flag that flew over the Capitol. This award was in recognition of shipping over 20,000 American manufactured products worldwide.
With the rapid adoption of the IEC 61850 standard by many US-based utilities, Distributed Event Recorders are becoming easier to create. Bruce’s presentation explains why the application of fault recorders could…
Almost half of NovaTech’s business is in Systems and Services including web page design, panel design, math and logic development, Orion configuration, and onsite installation and commissioning. Mark Matassa explains how our engineers can work with you to reduce project execution time at the 2016 DistribuTECH Conference and Exhibition in Orlando, Florida.
This video describes the key features of the NovaTech Identity Manager (NIM) and NovaTech Connection Manager (NCM) products. NovaTech Identity Manager is a Linux LDAP/IPA application for managing users and passwords for OrionLXs and Schweitzer relays to the latest NERC CIP Version 5 requirements. NovaTech Connection Manager establishes a secure connection to OrionLXs and Schweitzer relays in the substation.
Within the next two to three years, it is likely that two new NERC CIP requirements will go into effect:
1. CIP-010-1: Cyber Security – Configuration Change Management and Vulnerability Assessments
2. CIP-011-1: Cyber Security – Information Protection
This webinar was held on August 22, 2013. The presentation focuses on learning more about why these were created, where they will be required in the BES, and the latest solutions to address them. The webinar is hosted by Jeremy Anderson, Senior System Engineer. Prior to joining NovaTech, Jeremy designed and implemented a complete NERC CIP compliance system at a southwest US IOU.