Security Options Module
The Security Options Module is used to configure the behavior of the basic and advanced security system.
Overview
The configuration of this module and the configuration of the Security User Modules define the overall basic and advanced security system setup.
NOTE: Use ION Setup or Power Monitoring Expert to configure advanced security. If advanced security is enabled, only users with security configuration rights are able to configure this module.
NOTE: The registers and settings available in this module depend on the device or node you are configuring, as well as its firmware and template versions. Not all registers or settings are available on all devices or the Virtual Processor, and labels may vary.
NOTICE
ACCESS LOSS
Record your device's user and password information in a secure location.
Failure to follow these instructions can result in equipment damage.
Inputs
The Security Options Module has no inputs.
Setup registers
Legacy Security Support
This register allows older software to continue to communicate with meters that have the Advanced Security option enabled.
Enable Advanced Security
This register enables the advanced security for the device. Once this register is set to ENABLED, advanced security is active; all applications that interact with the device must specify a username and password. The access capabilities of the different users are defined by the configuration of Security User modules (see the Security User module description).
Allow Broadcast Timesyncs
This register defines whether or not a username and password must be supplied to synchronize the time of the device (when advanced security is enabled). If set to NO, it indicates that a username and password must always be supplied by any software used to synchronize the device time. If it is set to YES, then time synchronization can be performed without a username and password. If you need to synchronize the device time with a third-party protocol (for example, Modbus), set this register to YES.
Modbus Map Access
This register limits access to the device via the Modbus protocol.
Web Access Read Security
This register defines whether or not to enforce read security on read access to HTML/XML pages when advanced security is enabled. When set to YES, it enforces the read security.
NOTE: The Factory user is a user and password combination only intended for use by Technical Support or other qualified personnel.
NOTE: If you set the Factory registers to NO, Technical Support may not be able to configure the device to correct any problems that may occur in the field.
Factory Read Access
This register specifies if the Factory user has read access permissions for the device. If it is set to YES, the Factory user can read any parameter on the device except the security configuration. If it is set to NO, the Factory user cannot read any device parameters.
Factory Peak Demand Reset
This register specifies if the Factory user has peak demand reset access permissions for the device. If it is set to YES, the Factory user can reset the peak demand of any demand parameter. If it is set to NO, the Factory user cannot reset the peak demand of any demand parameter.
Factory Time Sync Access
This register specifies if the Factory user has time synchronization access permissions for the device. If it is set to YES, the Factory user can set the time of the device.
Factory Full Meter Config
This register specifies if the Factory user has full device configuration access permissions for the device. If it is set to YES, the Factory user can configure any programmable register on the device except for registers related to the security setup, registers that result in a Demand Reset or registers that place the device in Test mode (those registers require additional security access levels). If it is set to NO, the Factory user cannot modify any registers on the device.
Factory Test Mode Access
This register specifies if the Factory user has test mode access permissions for the device. If it is set to YES, the Factory user can put the device into test mode. If it is set to NO, the Factory user cannot put the device into test mode.
Factory Security Config
This register specifies if the Factory user has security configuration access permissions for the device. If it is set to YES, the Factory user can configure advanced security for the device. If it is set to NO, the Factory user cannot configure security settings.
Factory Comms Config
This register specifies if the Factory user has communication access permissions for the device. If it is set to YES, the Factory user can configure the communication registers for the device.
Telnet Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using Telnet is denied to that user.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using Telnet are allowed.
See the Communications protocol lockout examples for more information.
FTP Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using File Transfer Protocol (FTP) is denied to that user.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using FTP are allowed.
NOTE: Older devices support Telnet, FTP, and HTTP. Newer devices support SSH, SFTP, and HTTPS. Devices support one set or the other; not both.
SFTP/SSH Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using Secure File Transfer Protocol (SFTP) or Secure Shell (SSH) is denied to that user.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using SFTP/SSH are allowed.
For more information, see the Communication protocol lockout examples.
Factory Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using the Factory protocol is denied to that user. This setting is specific to a communications method: if the user is locked out of using the Factory protocol on the modem, the user can still access the device using the Factory protocol on a serial port, provided the user has the correct password.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using the Factory protocol are allowed.
Frontpanel Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using the front panel is denied to that user.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using the front panel are allowed.
ION Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using the ION protocol is denied to that user. This setting is specific to a communications method: if the user is locked out of using the ION protocol over Ethernet, the user can still access the device using the ION protocol on a serial port, provided the user enters the correct password.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using the ION protocol are allowed.
Http Lock Attempts
This register specifies the number of invalid login attempts allowed per user/password combination before access to the device using HTTP is denied to that user.
If this register is set to 0 (zero), the lockout feature is disabled and unlimited attempts using HTTP are allowed.
ION Silence Minutes
This register specifies an active session duration (in minutes) for ION protocol communications, and can be set to a value from 1–43200 (30 days).
During this time:
- Only the first invalid login attempt using the same user/password combination is counted towards the invalid login count.
- Each invalid attempt using a different user/password combination is counted.
- Each valid attempt resets the session time (silence minutes).
This setting is specific to a communications method; the counter is only updated for a user/password combination using a particular communications method (for example, COM1).
NOTE: ION Silence Minutes applies to ION or Secure ION protocol, and only when not using token-based ION sessions.
Http Silence Minutes
This register specifies an active session duration (in minutes) for HTTP protocol communications, and can be set to a value from 1–43200 (30 days).
During this time:
- Only the first invalid login attempt using the same user/password combination is counted towards the invalid login count.
- Each invalid attempt using a different user/password combination is counted.
- Each valid attempt resets the session time (silence minutes).
This setting is specific to a communications method; the counter is only updated for a user/password combination using a particular communications method (for example, COM1).
Lockout Duration Minutes
This register specifies the length of time (in minutes) that a user/password combination remains locked out on a particular protocol and communications method after the maximum number of invalid attempts, as set by the corresponding Lock Attempts register, is reached. This setting applies to all configured lockouts. Enter a value from 1–43200 (30 days).
Valid Auth Priority
This register allows you to set an event priority level for valid login attempts. Set this register to 0 (zero) to disable logging of valid login attempts in the Event Log. This setting applies to all configured lockouts.
Invalid Auth Priority
This register allows you to set an event priority level for invalid login attempts. Set this register to 0 (zero) to disable logging of invalid login attempts in the Event Log. This setting applies to all configured lockouts.
Lockout Auth Priority
This register allows you to set an event priority level for lockouts. Set this register to 0 (zero) to disable logging of lockouts in the Event Log. This setting applies to all configured lockouts.
Factory Access Minutes
This register defines how long, in minutes, the device permits factory-level access, with the correct login credentials, after one of the following actions:
- Display button press
- Modification of the Factory Access Minutes setup register
- Power cycle
If advanced security is enabled, the Factory user must also be enabled and configured with appropriate access rights for the device.
Setting this value to 0 (zero) disables factory access for both standard and advanced security.
Maximum Password Length
This read-only register specifies the maximum number of characters (16) allowed for passwords.
Output registers
Event
All events produced by the Security Options Module are written into this register.
Possible events and their associated priority numbers are shown below.
For this module, events generated by setup changes do not indicate the new setup register values. This prevents security configuration information from being available to users who do not have security configuration rights.
Event priority group | Priority | Description |
---|---|---|
Setup Change | 10 | Input links, setup registers or labels have changed |
Auth OK | See notes 1 and 2 | Valid login attempt |
Auth FAIL | See note 1 | Invalid login attempt |
Auth FAIL, locked out | See note 1 | Invalid login attempt, lockout in effect |

Note 1: The priority of these events is determined by the Auth Priority setup registers.
Note 2: Only the first valid login attempt per active session for a user/password combination is written to the Event register: if the user logs in, logs out, and then logs back in during a single active session, only the first valid login attempt is written to the Event register.
The Event output register stores the following information for each ION event: time stamp, priority, cause, effect, and any values or conditions associated with the cause and effect.
Detailed module operation
The Security Options module is a core module that lets you customize the standard and advanced security for the device. When advanced security is enabled, all applications that interact with the device must specify a username and password. The username, password, and security access permissions are allocated with the Security User Modules; therefore, before you enable advanced security, configure the Security User Modules (refer to the Security User Module description).
With ION Setup or the Designer component of Power Monitoring Expert, access the Security Options module Enable Advanced Security setup register to enable the security system.
The security system handles Secure ION, ION, Telnet, SSH, HTTPS, HTTP, SFTP, FTP, and display access attempts. Advanced security is effective with the MV-90 protocol, provided that you have installed the appropriate Translation Interface Module (TIM). Contact UTS-Itron for a TIM that supports advanced security.
With third-party protocols that cannot supply a username and password (for example, DNP or Modbus), standard and advanced security functions in a limited capacity. Communication ports that use Modbus can access parameters related to the Modbus Slave module only (unless the Security Options Module Modbus Map Access setup register is set to YES; in this case, the Modbus map is accessible based on other configuration settings on your device). Communications ports that are configured to use DNP are not protected by advanced security.
Communications protocol lockout examples
The following section provides examples of how the communication protocol lockout feature functions in different scenarios.
In the following examples:
Setting | Value |
---|---|
Configured users and passwords | User1 / Password 11; User2 / Password 22 |
ION Lock Attempts | Set to 3, allowing 3 invalid login attempts by a particular user/password combination before locking that combination out. |
ION Silence Minutes | Set to 30, meaning that each attempt with a particular user/password combination is only counted once in 30 minutes. |
All protocols that can be locked out | The device is configured to log invalid event entries. |
Scenario 1: This example illustrates what happens when a user repeatedly enters the same incorrect password when attempting to access the device.
- An access attempt is made using ION protocol over Ethernet by User1 but with a password of 0. The user is informed of the invalid attempt and cannot access the device. The invalid attempt is logged in the event log and the counter of invalid attempts is incremented to 1.
- The user attempts to access the device again 10 minutes later with the same invalid User1/password 0 combination. The user cannot access the device, but the event is not logged and the counter of invalid attempts is not incremented, because the ION Silence Minutes interval has not elapsed.
- The user attempts to access the device again with the invalid User1/password 0 combination 30 minutes after the initial attempt. Because the session timeout has elapsed, the event is logged and the counter of invalid login attempts is incremented to 2.
- If the user attempts to log in again after another 30 minutes have elapsed with the same invalid User1/password 0 combination, the event is logged and the counter of invalid attempts is incremented to 3. User1 is locked out for the duration specified by the Lockout Duration Minutes setup register, and cannot connect to the device using ION protocol over Ethernet for that duration, regardless of whether or not they subsequently try to log in with the correct user/password combination. User1 can access the device through another communications method (for example, ION protocol over serial) if they enter the correct user/password combination.
- If the user attempts to log in with User1/password 11, the access is allowed and the invalid login counter is reset to 0.
Regardless of the invalid attempts of User1, User2 can access the device using ION protocol over Ethernet if they enter the correct password; they are not affected by the lockout.
Scenario 2: This example illustrates what happens when different invalid combinations of user and password are entered.
- An access attempt is made using ION protocol over Ethernet by User1 but with a password of 0. The user is informed of the invalid attempt and cannot access the device. The invalid attempt is logged in the event log and the counter of invalid attempts is incremented to 1.
- The user attempts to access the device again with User1/password 3. The user is informed of the invalid attempt and cannot access the device. This is considered a new invalid attempt because it is a different combination of user and password; it is logged in the event log and the counter of invalid attempts is incremented to 2.
- The user attempts to access the device again with User1/password 4. The user is informed of the invalid attempt and cannot access the device. Once again, this is considered a new invalid attempt; it is logged in the event log and the counter of invalid attempts is incremented to 3.
User1 is locked out for the duration specified in the Lockout Duration Minutes setup register, and cannot connect to the device using ION protocol over Ethernet for that duration, regardless of whether or not they subsequently try to log in with the correct user/password combination.
User1 can access the device through another communications method (for example, ION protocol over serial) if they enter the correct user/password combination.
Regardless of the invalid attempts of User1, User2 can access the device using ION protocol over Ethernet if they enter the correct password; they are not affected by the lockout.
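As an added illustration (not the meter firmware or part of this documentation), the following Python model applies the Lock Attempts, Silence Minutes and Lockout Duration Minutes rules described above to both scenarios, keeping the counter per user and communications method and deduplicating repeated wrong passwords inside the silence window. The communications method names, the 120-minute lockout duration, the result strings and the credentials are assumptions.

```python
from dataclasses import dataclass, field

# Added illustration of this page's lockout rules, not the meter firmware.
LOCK_ATTEMPTS = 3        # ION Lock Attempts, as in the page's examples
SILENCE_MINUTES = 30     # ION Silence Minutes, as in the page's examples
LOCKOUT_MINUTES = 120    # Lockout Duration Minutes (assumed value)
CREDENTIALS = {"User1": "Password 11", "User2": "Password 22"}  # constructed

@dataclass
class UserState:
    invalid_count: int = 0
    locked_until: float = -1.0  # minute at which the lockout ends; -1 = not locked
    last_counted: dict = field(default_factory=dict)  # wrong password -> minute counted

@dataclass
class LockoutTracker:
    # Keyed by (comms method, user): an Ethernet lockout leaves serial and other users unaffected.
    state: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # what would reach the Event register

    def attempt(self, minute, method, user, password):
        st = self.state.setdefault((method, user), UserState())
        if minute < st.locked_until:  # even the correct password is refused
            self.events.append((minute, method, user, "Auth FAIL, locked out"))
            return "LOCKED"
        if CREDENTIALS.get(user) == password:
            self.state[(method, user)] = UserState()  # valid login resets the counter
            self.events.append((minute, method, user, "Auth OK"))
            return "OK"
        last = st.last_counted.get(password)
        if last is not None and minute - last < SILENCE_MINUTES:
            return "FAIL (not counted)"  # same wrong combination inside the silence window
        st.last_counted[password] = minute
        st.invalid_count += 1
        self.events.append((minute, method, user, "Auth FAIL"))
        if st.invalid_count >= LOCK_ATTEMPTS:  # counter restarts once the lockout ends
            self.state[(method, user)] = UserState(locked_until=minute + LOCKOUT_MINUTES)
            return "FAIL (locked out)"
        return "FAIL"

def run(attempts):
    # Feed (minute, method, user, password) tuples to one tracker; return results and tracker.
    t = LockoutTracker()
    return [t.attempt(*a) for a in attempts], t

SCENARIO_1 = [  # same wrong password repeated, then the correct one (page's Scenario 1)
    (0, "eth", "User1", "0"),                # counted -> 1
    (10, "eth", "User1", "0"),               # inside the silence window, not counted
    (30, "eth", "User1", "0"),               # counted -> 2
    (60, "eth", "User1", "0"),               # counted -> 3, locked out
    (61, "eth", "User1", "Password 11"),     # correct password, still locked
    (61, "serial", "User1", "Password 11"),  # another communications method works
    (61, "eth", "User2", "Password 22"),     # another user is unaffected
    (60 + LOCKOUT_MINUTES, "eth", "User1", "Password 11"),  # lockout has expired
]
SCENARIO_2 = [(0, "eth", "User1", "0"), (1, "eth", "User1", "3"), (2, "eth", "User1", "4")]
```

Calling `run(SCENARIO_1)` yields three logged Auth FAIL events for User1 on Ethernet, not four, because the attempt at minute 10 falls inside the silence window; `run(SCENARIO_2)` locks User1 out after three attempts because each different wrong password is counted.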