Introduction
In some cases, an attacker who learns the protocol used by an RTU can gain dial-up access to it. When an RTU does not employ strong authentication or other security mechanisms, it accepts and responds to any caller, so the caller's identity is never verified.
To address such concerns, the BMENOR2200H module uses the secure authentication services defined within DNP3 to protect communications with remote RTU units.
The implementation of DNP3 secure authentication (SA) facilitates mutual authentication for communications between a DNP3 client and a DNP3 server:
A DNP3 server uses DNP3 SA to unambiguously determine that it is communicating with a user who is authorized to access the services of the server.
NOTE: The secure authentication option is enabled by default. The server works properly only when a valid server channel is configured in the cyber security settings. Disable this function when your application does not require secure authentication. This global setting applies to all server channels. You cannot enable or disable a single specific channel independently of the other channels. If the DNP3 service is disabled, no channels work, regardless of the configured security level.
A DNP3 client uses DNP3 SA to unambiguously determine that it is communicating with the appropriate server.
NOTE: On the client side, you can configure individual client channels for secure authentication. For such cases, confirm that those channels are included in the table with an assigned security level (None, SAv2, SAv5).
Versions
The RTU supports these DNP3 secure authentication versions:
SAv2: Secure Authentication version 2 is a protocol family within DNP3 that authenticates critical controls and commands and protects the authenticity and integrity of those messages (it does not encrypt them) when the BMENOR2200H module is used in conjunction with a suitable SCADA host or other devices that support SAv2.
SAv2 requires pre-shared keys to be pre-installed on all devices.
SAv2 is defined by the IEEE 1815-2010 DNP3 standard.
SAv5: Secure Authentication version 5 is a newer protocol family within DNP3 that addresses evolving threats.
SAv5 is defined by the IEEE 1815-2012 DNP3 standard.
Schneider Electric recommends that you use the same secure authentication version (SAv2 or SAv5) on both the client and server sides.
Manufacturers generally design a single device to be compatible with only one of these secure authentication versions, so confirm which version the peer device supports before you configure a channel.
The implementation of SAv2 or SAv5 authentication requires the use of a security administrator application.
The BMENOR2200H module provides the DNP3 security settings on its built-in web page.
Pre-Shared Keys
The BMENOR2200H module implements secure DNP3 communications through pre-shared keys.
Many utilities that choose not to manage security credentials in a more sophisticated manner still require the level of protection that pre-shared keys afford.
By definition, the SCADA side and the module side hold the same pre-shared key, and that shared secret is the basis of mutual authentication. Individual messages are then authenticated with session keys: the client generates them and delivers them to the server wrapped (encrypted) under the pre-shared key, so the pre-shared key itself is used only to protect session key changes, not to authenticate every message.
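The challenge-response behaviour behind the mutual authentication described in the Introduction, and the role of the session key described above, as an added example (not Schneider Electric code and not the module's implementation): a simplified DNP3 SA outstation challenges each critical request with a fresh sequence number and nonce, and the client must answer with a MAC computed under the session key over both the challenge and the command. The function codes, the object bytes, the truncation length and the use of HMAC-SHA-256 are assumptions chosen for the model; the session-key change exchange (the session key wrapped under the pre-shared key) is assumed to have already taken place and is not modelled. Security level "None" is shown for contrast: with it, the outstation executes a control from any caller.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values for this illustration; they are not taken from the module's
# documentation. 0x05 and 0x01 are the DNP3 application function codes for
# DIRECT_OPERATE and READ, which is why only the first is treated as critical here.
FC_DIRECT_OPERATE = 0x05
FC_READ = 0x01
CRITICAL_FUNCTIONS = {FC_DIRECT_OPERATE}
MAC_LEN = 16  # truncation used here, comparable to SAv5's HMAC-SHA-256 (16 octets)


def reply_mac(session_key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """MAC returned by the challenged side: it covers the challenge data and the
    critical ASDU, so both a replayed reply and a modified command fail."""
    return hmac.new(session_key, challenge + asdu, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class Server:
    """Simplified DNP3 outstation (the module side)."""
    session_key: bytes
    secure_auth: bool = True   # False models security level "None" on the channel
    csq: int = 0               # challenge sequence number
    pending: Optional[Tuple[bytes, bytes]] = None  # (challenge, ASDU awaiting reply)

    def receive(self, asdu: bytes) -> Tuple[str, bytes]:
        fc = asdu[0]
        if not self.secure_auth or fc not in CRITICAL_FUNCTIONS:
            return ("executed", asdu)
        self.csq += 1
        challenge = self.csq.to_bytes(4, "little") + os.urandom(4)  # fresh per request
        self.pending = (challenge, asdu)
        return ("challenge", challenge)

    def authenticate(self, mac: bytes) -> Tuple[str, bytes]:
        if self.pending is None:
            return ("rejected", b"")
        challenge, asdu = self.pending
        self.pending = None  # every challenge is single-use
        expected = reply_mac(self.session_key, challenge, asdu)
        if hmac.compare_digest(mac, expected):  # constant-time comparison
            return ("executed", asdu)
        return ("rejected", asdu)


@dataclass
class Client:
    """Simplified DNP3 master (the SCADA side)."""
    session_key: bytes

    def respond(self, challenge: bytes, asdu: bytes) -> bytes:
        return reply_mac(self.session_key, challenge, asdu)


def run_scenarios() -> dict:
    # In DNP3 SA the client generates the session key and delivers it wrapped under
    # the pre-shared key; that key-change exchange is assumed done and not modelled.
    session_key = os.urandom(16)
    server = Server(session_key)
    master = Client(session_key)
    rogue = Client(os.urandom(16))  # the uninvited caller: holds no pre-shared key

    # Constructed DIRECT_OPERATE request (function code followed by arbitrary object data).
    operate = bytes([FC_DIRECT_OPERATE]) + bytes.fromhex("0c01280100000100")
    results = {}

    # 1. Authorised master answers the challenge with the right session key.
    _, challenge = server.receive(operate)
    results["authorised"] = server.authenticate(master.respond(challenge, operate))[0]

    # 2. Caller without the pre-shared key cannot produce a valid reply.
    _, challenge = server.receive(operate)
    results["rogue"] = server.authenticate(rogue.respond(challenge, operate))[0]

    # 3. Replaying an earlier valid reply fails: the new challenge has a new CSQ and nonce.
    _, challenge = server.receive(operate)
    old_reply = master.respond(challenge, operate)
    server.authenticate(old_reply)
    server.receive(operate)
    results["replay"] = server.authenticate(old_reply)[0]

    # 4. A reply computed over a different command than the one the server holds is rejected.
    _, challenge = server.receive(operate)
    tampered = bytes([FC_DIRECT_OPERATE]) + bytes.fromhex("0c01280100000200")
    results["tampered"] = server.authenticate(master.respond(challenge, tampered))[0]

    # 5. A non-critical READ is served without a challenge.
    results["read"] = server.receive(bytes([FC_READ]) + bytes.fromhex("3c0206"))[0]

    # 6. Security level "None": the outstation executes the control for any caller.
    results["no_sa"] = Server(session_key, secure_auth=False).receive(operate)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>10}: {outcome}")
```

Scenario 6 is the situation the Introduction warns about: with secure authentication off on the channel, the outstation has no way to tell the authorised master from the rogue caller. Scenario 2 shows why a pre-shared key that the peer does not hold is sufficient to reject that caller, and scenarios 3 and 4 show why the MAC must cover a fresh challenge and the command itself rather than the key alone.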
Refer to the instructions for the management of pre-shared keys.
For general information about pre-shared keys, refer to the Modicon Controllers Platform Cyber Security, Reference Manual.