Access Management Software

Access, Identity and Password Mangement for Utility Users Groups and Substation IEDs

NovaTech Connection Manager (NCM) provides an encrypted connection between the enterprise and an OrionLX/LXm running a Connection Manager Agent. NovaTech Identity Manager™ (NIM) software provides centralized management of both system Users and system IEDs (called Hosts) using role-based access privileges. Passwords for Users and Hosts/IEDs (currently OrionLX/LXm and SEL® relays) are also centrally managed, including special modes for managing password changes.

NovaTech Connection Manager (NCM) and Agent

NCM software runs at the enterprise level and establishes encrypted connections to the OrionLX Cyber Secure Gateway in a substation.  Within the OrionLX, the Connection Manager Agent allows transparent pass-through connection (using apprpriate keys and certificates) to serially-connected or LAN-connected SEL® relays at the appropriate user access level (e.g. access level 1, access level 2, etc.).  The software monitors un-permitted keystroke combinations when accessing SEL® relays (e.g. “PAS”, “SET”)

NovaTech Identity Manager (NIM)

User Identity and User Password Management

NIM software provides centralized LDAP-based user authentication, and can be configured to set up a Trust with an Active Directory authentication system. Strong password generation rules meet IT industry standards, and complete logging of all changes is provided for audits. Role-based Authentication assigns specific user privileges to each user or group of users, and rules can vary for different User Groups. “Manager Group” may require stronger password construction, or more frequent password changing than “General Group”.  Other examples include:

  • Technician Group Permitted to view relay settings but not change settings, view HMI but not control critical devices, only acknowledge non-critical alarms, attach using SSH but not HTTPS, etc.
  • Manager Group Same privileges as Technician group but additional privileges to change settings, control critical devices, acknowledge critical alarms
  • IT Group Permitted to change IP addresses, firewall settings, etc. but not permitted to have access to “non-IT” settings or controls

IED Password Management

Centralized administration of IED passwords is currently designed for management of SEL relay passwords, with other IEDs to be added in future development phases.  SEL relays can be placed into groups for simplified administration such as “Transmission Relays”, “Distribution Relays”, “Critical Relay Assets”, “Non-critical relay Assets”, etc.  IED-specific password rules are created for specific IED password construction.  For example, the password construction rules for an SEL-421 can be different than the rules for an SEL-501. This enables SEL relays to be secured with the strongest passwords possible without running into password requirement conflicts.  All activity is logged for auditing purposes.

There are four SEL relay Password Change Modes:

  • Normal Password Change Mode Users can select specific SEL relays or groups to be changed, view the password policies for the SEL relays in the selected group (different relays in the group may have different password policies), enter or generate new random passwords according to those rules, and then send the passwords to all the relays in the group, with all actions logged.
  • Maintenance Mode This mode is for when crews are in the substation performing upgrades and reconfigurations. Passwords for substation IEDs are temporarily changed to a well-known “maintenance” password.
  • Emergency Mode (or “Password Checkout” Mode) Generally only used if the broadband connection to the substation has been lost. An administrator can view passwords and divulge them to utility people in substation, with all administrator actions logged.
  • Local Password Caching in the Security Gateway Caching includes settings to enable or disable caching, and set time limits for how long caching is enabled after connection to the remote server is lost.


  • NERC CIP Cyber Security Solutions

    Tripwire and NovaTech jointly present on security solution to meet the latest NERC CIP requirements including Access Management, Security Monitoring, Configuration Management, and Event Analysis.

    March 18, 2016

  • NovaTech Utility Systems and Services

    Almost half of NovaTech’s business is in Systems and Services including web page design, panel design, math and logic development, Orion configuration, and onsite installation and commissioning. Mark Matassa explains how our engineers can work with you to reduce project execution time at the 2016 DistribuTECH Conference and Exhibition in Orlando, Florida.

    March 18, 2016

  • NERC CIP Identity and Password Management Software

    This video describes the key features of the NovaTech Identity Manager (NIM) and NovaTech Connection Manager (NCM) products. NovaTech Identity Manager is a Linux LDAP/IPA application for managing users and passwords for OrionLXs and Schweitzer relays to the latest NERC CIP Version 5 requirements. NovaTech Connection Manager establishes a secure connection to OrionLXs and Schweitzer relays in the substation.

    April 29, 2015

  • Review of the New NERC CIP-10 and CIP-11 Webinar

    Within the next two to three years, it is likely that two new NERC CIP requirements will go into effect:
    1. CIP-010-1: Cyber Security – Configuration Change Management and Vulnerability Assessments
    2. CIP-011-1: Cyber Security – Information Protection
    This webinar was held on August 22, 2013. The presentation focuses on learning more about why these were created, where they will be required in the BES, and the latest solutions to address them.The webinar is hosted by Jeremy Anderson, Senior System Engineer. Prior to joining NovaTech, Jeremy designed and implemented a complete NERC CIP compliance system at a southwest US IOU.

    April 6, 2015

Your browser is out-of-date!

Update your browser to view this website correctly.Update my browser now