In some cases, an attacker can learn the protocol used by an RTU unit to gain dial-up access. When an RTU does not employ strong authentication or other security mechanisms, it accepts and responds to any caller.
To address such concerns, the BMENOR2200H module uses these security authorization services within DNP3 to facilitate communications between remote RTU units.
Secure Authentication Versions
The RTU supports these DNP3 secure authentication versions:
- SAv2: Secure Authentication version 2 is a protocol family within DNP3 that facilitates the authentication of critical controls and commands and helps increase message confidentiality when the BMENOR2200H module is used in conjunction with a suitable SCADA host or other devices that support SAv2. SAv2 requires pre-shared keys to be pre-installed on all devices. SAv2 is defined by the IEEE 1815-2010 DNP3 standard.
- SAv5: Secure Authentication version 5 is a newer protocol family within DNP3 that addresses evolving threats. SAv5 is defined by the IEEE 1815-2012 DNP3 standard.
NOTE:
- Schneider Electric recommends that you use the same secure authentication version (SAv2 or SAv5) on both the client and server sides.
- Manufacturers design a single device to be compatible with only one of these security authorization service versions.
- The implementation of SAv2 or SAv5 authentication requires the use of a security administrator application.
The BMENOR2200H module implements secure DNP3 communications through pre-shared keys.
Many utilities that choose not to manage security credentials in a more sophisticated manner may still require the level of protection afforded by pre-shared keys.
By definition, users on the SCADA side and module side use the same pre-shared key to effect mutual authentication. Communications are facilitated by a session key that is derived from the pre-shared key.
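The following is an added, simplified illustration of the challenge/response pattern that DNP3 secure authentication uses for critical commands, showing why an outstation holding a pre-shared key no longer "accepts and responds to any caller". It is example code written for this page, not the BMENOR2200H firmware, a security administrator application, or the IEEE 1815 wire encoding. The session-key derivation (an HMAC over the pre-shared key), the 16-byte MAC truncation, the sample key and the stand-in control request bytes are all assumptions constructed for the example; the real standard delivers session keys in dedicated key-change messages.

```python
"""Simplified DNP3-style secure-authentication challenge/response (added example)."""
import hmac
import secrets

MAC_ALG = "sha256"  # HMAC-SHA-256 is one of the MAC algorithms IEEE 1815 defines for SA
MAC_LEN = 16        # truncation length chosen for this example (assumption)


def derive_session_key(pre_shared_key: bytes, session_salt: bytes) -> bytes:
    # Simplified HMAC-based derivation of a session key from the pre-shared key.
    # The standard delivers session keys in key-change messages; this shortcut
    # follows the page's wording ("derived from the pre-shared key") and is an assumption.
    return hmac.new(pre_shared_key, b"DNP3-SA-session|" + session_salt, MAC_ALG).digest()


def compute_mac(session_key: bytes, csq: int, nonce: bytes, critical_asdu: bytes) -> bytes:
    # The MAC covers the challenge sequence number, the challenge nonce and the
    # critical request itself, so a reply cannot be replayed or reused for a
    # different command.
    data = csq.to_bytes(4, "big") + nonce + critical_asdu
    return hmac.new(session_key, data, MAC_ALG).digest()[:MAC_LEN]


class Outstation:
    """Challenger role: the RTU side that must not act on unauthenticated commands."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.csq = 0          # challenge sequence number
        self.pending = None   # (csq, nonce, critical_asdu) awaiting a reply
        self.executed = []    # critical ASDUs that passed authentication

    def challenge(self, critical_asdu: bytes) -> dict:
        # Issued when a critical ASDU (e.g. a control) arrives: the request is
        # held and the sender is challenged before anything is executed.
        self.csq += 1
        nonce = secrets.token_bytes(4)
        self.pending = (self.csq, nonce, critical_asdu)
        return {"csq": self.csq, "nonce": nonce}

    def verify(self, csq: int, mac: bytes) -> bool:
        if self.pending is None or csq != self.pending[0]:
            return False
        expected = compute_mac(self.session_key, *self.pending)
        ok = hmac.compare_digest(expected, mac)   # constant-time comparison
        if ok:
            self.executed.append(self.pending[2])
        self.pending = None   # one-shot: a second reply to the same challenge fails
        return ok


class Master:
    """Responder role: the SCADA host that must prove it holds the shared secret."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key

    def respond(self, challenge: dict, critical_asdu: bytes) -> dict:
        mac = compute_mac(self.session_key, challenge["csq"], challenge["nonce"], critical_asdu)
        return {"csq": challenge["csq"], "mac": mac}


# Constructed sample values: a 16-byte pre-shared key and a stand-in "critical" request.
PSK = bytes.fromhex("00112233445566778899aabbccddeeff")
CONTROL_REQUEST = b"\x0c\x01\x28\x01\x00\x03\x00\x81"  # placeholder bytes, not a real DNP3 frame
SESSION_SALT = b"\x00\x00\x00\x01"


def run_exchange(master_psk: bytes, outstation_psk: bytes = PSK) -> bool:
    """Return True if the master's control request is accepted by the outstation."""
    master = Master(derive_session_key(master_psk, SESSION_SALT))
    outstation = Outstation(derive_session_key(outstation_psk, SESSION_SALT))
    challenge = outstation.challenge(CONTROL_REQUEST)
    reply = master.respond(challenge, CONTROL_REQUEST)
    return outstation.verify(reply["csq"], reply["mac"])


def replay_is_rejected() -> bool:
    """A valid reply captured once must not authenticate a later command."""
    key = derive_session_key(PSK, SESSION_SALT)
    master, outstation = Master(key), Outstation(key)
    reply = master.respond(outstation.challenge(CONTROL_REQUEST), CONTROL_REQUEST)
    first_ok = outstation.verify(reply["csq"], reply["mac"])
    outstation.challenge(CONTROL_REQUEST)     # fresh challenge: new csq and nonce
    return first_ok and not outstation.verify(reply["csq"], reply["mac"])


if __name__ == "__main__":
    print("master with the pre-shared key accepted:", run_exchange(PSK))
    print("caller without the key accepted:", run_exchange(b"wrong key"))
    print("replayed reply rejected:", replay_is_rejected())
```

The two checks worth noting for a defender are the constant-time `compare_digest` (so timing does not leak MAC bytes) and the one-shot challenge state, which is what ties each reply to a single command and sequence number; on a device that only monitors for failed authentications, a stream of `verify` failures is the event to alarm on.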