DNP3 Secure Authentication
Original instructions
About DNP3 Secure Authentication
The implementation of DNP3 secure authentication (SA) facilitates mutual authentication for communications between a DNP3 master and a DNP3 outstation:
Access the Settings
Access the DNP3 SECURE AUTHENTICATION page from the SETUP web page:
Step  Action
1
2     Select the SETUP tab in the page banner.
3     Expand the MENU navigation tree.
4     Expand DNP3 SECURE AUTHENTICATION in the navigation tree banner to see these settings:
        • Master Configuration
        • Outstation Configuration
        • Key Management
NOTE: These security settings are described individually below.
Master Configuration
Define master (local PLC) access:
Step  Action
1     Select the Secure Authentication Enabled check box to enable the mechanism.
2     Select the Add Channel button.
3     Populate the fields in the Add Channel dialog box.
        • Channel Name: Use a name that matches the configured DNP3 channel name.
        • Secure Authentication: Select a DNP3 authentication version (SAV5, SAV2, Disabled).
        • Enable Aggressive Mode:
          • check box selected: Enable aggressive mode.
          • check box deselected: Disable aggressive mode.
        • Key/Account Table:
        • Advanced Settings:
      NOTE: When the Control Expert window is active you can hover over the blue circle (i) next to the feature to see an explanation for each field.
4     Select Apply.
5     Repeat these steps to add additional channels.
Outstation Configuration
Define outstation access:
Step  Action
1     Select the Secure Authentication Enabled check box to enable the mechanism.
2     Select the Add Channel button.
3     Populate the fields in the Add Channel dialog box.
        • Channel Name: Use a name that matches the configured DNP3 channel name.
        • Secure Authentication: Select a DNP3 authentication version (SAV5, SAV2, Disabled).
        • MAC Algorithm (HMAC): Select the appropriate algorithm.
        • Enable Aggressive Mode:
          • check box selected: Enable aggressive mode.
          • check box deselected: Disable aggressive mode.
        • Key/Account Table:
        • Advanced Settings:
      NOTE: When the Control Expert window is active you can hover over the blue circle (i) next to the feature to see an explanation for each field.
4     Select Apply.
5     Repeat these steps to add additional channels.
Key Management
Create a list of users that can access your module:
Step  Description
1     In the Key Management web page, press the Create Table button and follow the directions to assign a name to the table.
      NOTE: The tables you create appear in a pull-down menu next to the Create Table button.
2     Press the Add User button to add a list of authorized users in the supervision (SCADA) environment.
      NOTE: You can configure a maximum of 64 users for DNP3 Secure Authentication.
3     Populate the fields in the Add User dialog box.
      NOTE: When the Control Expert window is active you can hover over the blue circle (i) next to the feature to see an explanation for each field.
4     Optional step: For the pre-shared key field (Update Key), you can click the Generate button to use a randomly generated key.
5     Optional step: You can copy the Update Key information by clicking the copy icon next to the Generate button.
      NOTE: You can copy the key to share the key more easily with the SCADA system.
6     Press the Apply button to add the user to the table of authorized users.
7     Repeat these steps to add additional users.
      NOTE: The DNP3 standard limits the number of users to 64.
The user(s) in your table will be able to access your module from the SCADA environment.
This table describes the Key Management parameters:
Parameter         Description
MASTER (tab)      User Number: This number corresponds to the current DNP3 user.
                  NOTE: Use the value 1 when this user is assigned SAv5.
                  User Name: This field shows the current user.
                  NOTE: Because the BMENOR2200H RTU module acts as a data concentrator, the current user role on the MASTER side is SINGLE USER.
                  Key Wrap: Select the appropriate wrap algorithm (AES-128, AES-256). AES is the Advanced Encryption Standard.
                  NOTE: AES-256 does not work with SAv2. In this case, the Update Key value is 32 Hex.
                  Key: This column shows the content of the Update Key value.
OUTSTATION (tab)  User Number: This number corresponds to the current DNP3 user.
                  User Name: This field shows the current user.
                  User Role: This field shows the role performed by the user (OPERATOR, ENGINEER, INSTALLER, SECURITY ADMINISTRATOR, VIEWER, SINGLE USER).
                  Key Wrap: Select the appropriate wrap algorithm (AES-128, AES-256). AES is the Advanced Encryption Standard.
                  NOTE: AES-256 does not work with SAv2. In this case, the Update Key value is 32 Hex.
                  Key: This column shows the content of the Update Key value.
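The Key Management rules above can be checked against a planned user table before the values are typed into the web page. The following is an added example, not code from the module or its vendor: the dictionary layout, function names and sample users are hypothetical, and it assumes that "32 Hex" means 32 hexadecimal characters (128 bits) and that an AES-256 Update Key is 64 hexadecimal characters.

```python
import secrets
import string

MAX_USERS = 64  # limit stated on this page
# Update Key length in hex characters. Reading "32 Hex" as 32 characters and
# using 64 for AES-256 are assumptions of this example.
KEY_HEX_LEN = {"AES-128": 32, "AES-256": 64}
OUTSTATION_ROLES = {"OPERATOR", "ENGINEER", "INSTALLER",
                    "SECURITY ADMINISTRATOR", "VIEWER", "SINGLE USER"}

def generate_update_key(key_wrap):
    """Random Update Key as hex text, drawn from the OS CSPRNG."""
    return secrets.token_hex(KEY_HEX_LEN[key_wrap] // 2).upper()

def check_table(side, sa_version, users):
    """Return findings for one key table; an empty list means none.
    side is "MASTER" or "OUTSTATION", sa_version is "SAV5" or "SAV2",
    users is a list of dicts: number, name, role, key_wrap, key."""
    findings = []
    if len(users) > MAX_USERS:
        findings.append(f"{len(users)} users exceeds the limit of {MAX_USERS}")
    for u in users:
        tag = f"user {u['number']} ({u['name']})"
        wrap, key = u["key_wrap"], u["key"]
        if wrap not in KEY_HEX_LEN:
            findings.append(f"{tag}: unknown Key Wrap {wrap!r}")
            continue
        if sa_version == "SAV2" and wrap == "AES-256":
            findings.append(f"{tag}: AES-256 does not work with SAv2")
        want = KEY_HEX_LEN[wrap]
        if len(key) != want or not all(c in string.hexdigits for c in key):
            findings.append(f"{tag}: Update Key must be {want} hex characters")
        elif len(set(key.upper())) < 4:  # heuristic added here, not a page rule
            findings.append(f"{tag}: Update Key looks like a placeholder")
        if side == "MASTER":
            if sa_version == "SAV5" and u["number"] != 1:
                findings.append(f"{tag}: User Number must be 1 with SAv5")
            if u["role"] != "SINGLE USER":
                findings.append(f"{tag}: MASTER side role is SINGLE USER")
        elif u["role"] not in OUTSTATION_ROLES:
            findings.append(f"{tag}: unknown User Role {u['role']!r}")
    return findings

# Constructed sample table; names and keys are made up, not real credentials.
SAMPLE_OUTSTATION_SAV2 = [
    {"number": 1, "name": "scada1", "role": "OPERATOR",
     "key_wrap": "AES-128", "key": generate_update_key("AES-128")},
    {"number": 2, "name": "scada2", "role": "ENGINEER",
     "key_wrap": "AES-256", "key": "00" * 32},
]
```

Calling check_table("OUTSTATION", "SAV2", SAMPLE_OUTSTATION_SAV2) reports the second user twice: once for selecting AES-256 on an SAv2 channel and once for the all-zero key.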