
CASE STUDY

Implementation of DNP3 Secure Authentication

SEMAPHORE PRODUCTS

Kingfisher Plus+ RTU

INTRODUCTION

CSE-Semaphore recently completed a project for a major water authority in Australia with the scope comprising DNP3 Secure Authentication in an initial installation of 50 RTUs. DNP3 Secure Authentication is an extension to the existing DNP3 standard incorporating IEC 62351 Version 2.0 authentication on top of the DNP3 communication protocol. Because multiple parties were required for the ultimate success of the project, implementation required a partnered approach. CSE-Semaphore implemented the RTU firmware updates in the Kingfisher Plus+ RTU with CP-30 CPU. While this particular project required authentication and key management for DNP3 Slave, the Kingfisher RTU products also provide DNP3 Secure Authentication at the master level. Logica was the partner for the server-side updates on the Logica Mosaic SCADA host, which included authentication and key management for DNP3 Master. CSE-Semaphore and Logica further partnered with Triangle MicroWorks for the DNP3 Driver, which is primarily responsible for message handling.
DNP3 PROTOCOL BACKGROUND [1]

DNP3 Secure Authentication is available in the Kingfisher G30 (shown here) and the Kingfisher Plus+ RTU products.

DNP was originally created by Westronic, Inc. (now GE Harris) in 1990. In 1993, the DNP 3.0 Basic 4 protocol specification document set was released into the public domain. Ownership of the protocol was given over to the newly formed DNP Users Group in October of that year. Since that time, the protocol has gained worldwide acceptance, including the formation of Users Group Chapters in China, Latin America, and Australia. In January 1995, the DNP Users Group Technical Committee was formed to review enhancements and to recommend them for approval to the general Users Group. One of the most important tasks of this body was to publish the DNP Subset Definitions document, which establishes standards for scaled-up or scaled-down implementations of DNP3.

DNP3 is an open, intelligent, robust, and efficient modern SCADA protocol. It can:
- Request and respond with multiple data types in single messages
- Segment messages into multiple frames to ensure excellent error detection and recovery
- Include only changed data in response messages
- Assign priorities to data items and request data items periodically based on their priority
- Respond without request (unsolicited)
- Support time synchronization and a standard time format
- Allow multiple masters and peer-to-peer operations
- Allow user definable objects including file transfer

SECURE DNP3 AUTHENTICATION BACKGROUND [2]

DNP3 Secure Authentication is an extension to the existing DNP3 standard incorporating IEC 62351 Version 2.0 authentication on top of the DNP3 communication protocol. According to the DNP3 User Group, the purpose of this specification is to define a protocol mechanism that:
- A DNP3 outstation can use to unambiguously determine it is communicating with a user who is authorized to access the services of the outstation.
- A DNP3 master can use to unambiguously determine that it is communicating with the correct outstation.

The specification addresses authentication only, not encryption or other security measures. It does not rule out the possibility of such measures being added to DNP3 later or through the use of external measures such as bump-in-the-wire link encryptors.

THE CHALLENGE PROCESS

When a command, e.g. to open a valve or start a pump, is received from the server, the RTU challenges the server to be sure it is a legitimate node on the network (blue arrow in the accompanying diagram). The server responds with an authentication message (yellow arrow in the accompanying diagram). Only if the server authenticates correctly will the RTU perform the action (green arrows).

Only when the server authenticates correctly does the RTU perform the requested action.

The authentication key is updated at regular intervals in order to prevent old keys from being stolen and re-used. If an RTU does not receive a new key within a specified time limit, it will mark the key as stale and ignore commands until a new key is provided.
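
An added example, not taken from the case study or the Kingfisher firmware: a simplified Python model of the challenge process and the stale-key rule described above. The HMAC-SHA-256 tag, the message layout, the class and function names, and the 900-second key lifetime are assumptions for illustration and do not reproduce the DNP3 wire format.

```python
import hashlib
import hmac
import os


def make_tag(key, seq, nonce, request):
    # The MAC binds the reply to this challenge and to the exact request bytes.
    msg = seq.to_bytes(4, "big") + nonce + request
    return hmac.new(key, msg, hashlib.sha256).digest()


class Outstation:
    """Simplified RTU model (assumed design, not the DNP3 wire format)."""
    def __init__(self, key, key_lifetime_s, now):
        self.key_lifetime_s = key_lifetime_s
        self.seq = 0
        self.pending = None  # (seq, nonce, request) awaiting a reply
        self.update_key(key, now)

    def update_key(self, key, now):
        self.key = key
        self.key_expires = now + self.key_lifetime_s  # fresh key restarts the timer

    def receive_request(self, request, now):
        if now >= self.key_expires:
            return None  # stale key: ignore commands until a new key arrives
        self.seq += 1
        self.pending = (self.seq, os.urandom(16), request)
        return self.pending[:2]  # challenge sent to the server: (seq, nonce)

    def receive_reply(self, seq, tag, now):
        pending, self.pending = self.pending, None  # single use: no replay
        if pending is None or pending[0] != seq or now >= self.key_expires:
            return False
        return hmac.compare_digest(make_tag(self.key, *pending), tag)


def run_demo():
    key, cmd = b"constructed-demo-key", b"OPEN VALVE 7"  # constructed samples
    rtu = Outstation(key, key_lifetime_s=900, now=0)
    seq, nonce = rtu.receive_request(cmd, now=10)
    tag = make_tag(key, seq, nonce, cmd)
    out = {"legitimate": rtu.receive_reply(seq, tag, now=11)}
    out["replayed"] = rtu.receive_reply(seq, tag, now=12)
    out["stale_key"] = rtu.receive_request(cmd, now=900)
    return out


if __name__ == "__main__":
    print(run_demo())
```
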

Shown here is the menu for configuration of Secure Authentication for the CP30/G30 processor acting as a DNP3 slave.

INTERPRETATION OF THE STANDARD

While the DNP3 User Group stated their intentions very clearly in the DNP3 Secure Authentication specification, there were still areas open for interpretation among the SCADA host developers, RTU driver developers, and RTU firmware developers. Security key management was a major issue. Questions included:
- Who is responsible for the keys?
- How are keys updated?
- How often are keys updated?

Communication among the parties was essential to resolving all the issues. Compatibility with the DNP3 Time Synch exemplified these issues. Secure DNP3 is compatible with Standard DNP3 to enable progressive security enhancements to existing networks. In an existing DNP3 network, all RTUs would normally accept the time synchronization, which is broadcast from a server. Since this network uses DNP3 Secure Authentication and Time Synch messages must be challenged, the team determined that, instead of broadcasting to all nodes, updates should occur individually to prevent a flood of authentication requests.

The project team determined that DNP3 Time Synch updates should occur individually rather than being broadcast in order to prevent a flood of authentication requests.

CONCLUSION

The system is now operational at 50 sites with more sites being added (planned to 150 sites). New functionality being added includes RTUs performing Host Key Management services, i.e., Secure DNP3 Master for brownfield projects. Cooperation between several parties was required to iron out details on how Secure DNP3 should work in this particular installation. Trials were held to determine limitations and the impact on an existing system, and the project team was able to provide valuable feedback to the DNP3 User Group. This work required a strong relationship with the client.

New functionality being added to the project includes configuration of Secure Authentication for the CP-30/G30 processor acting as a DNP3 master. Note that this is unique with respect to DNP3 Secure Authentication implementations in other RTU products.

© 2010 CSE-Semaphore. All rights reserved. T-BOX and T-VIEW are trademarks of CSE-Semaphore. All other marks may be trademarks of their respective owners. 1061038 09/10

REFERENCES

1. DNP3 Overview, Triangle MicroWorks, Inc., Raleigh, North Carolina, USA
2. DNP3 SPECIFICATION, Supplement to Volume 2, SECURE AUTHENTICATION, Version 2.00, 31 July, 2008, DNP Users Group

www.cse-semaphore.com
