
DNP3 Secure Authentication

ClearSCADA supports DNP3 Secure Authentication version 2.00 for a single user—the ‘Default User’ (DNP3 User 1).

You can optionally enable DNP3 Secure Authentication on a per outstation basis in ClearSCADA. When enabled:

Due to factors such as the necessary increase in bandwidth and the extra processing involved, ‘challenges’ are only sent in relation to requests or responses that are deemed to be ‘critical’. The DNP3 standard dictates those function codes that are deemed critical; other function codes can be set to critical if required. In ClearSCADA, you define the criticality of function codes on a per server basis (see Define Which Function Codes are Critical).

Functions that are deemed to be non-critical are processed in the normal way. (The DNP3 master sends a non-critical request to an outstation; the outstation processes that request and sends the appropriate reply and/or data to the DNP3 master.)

When a DNP3 device receives a request or response that is deemed to be critical, that device replies with a ‘challenge’ (this differs slightly if Aggressive Mode is used). The challenge requires the sending device (the ‘Responder’) to send a reply within a defined time period.

If an authentic reply is received within the required time period, the device that issued the challenge (the ‘Challenger’) executes the critical function. If the challenger is an outstation, it performs the requested critical function and sends the appropriate response to the DNP3 master. If the challenger is a DNP3 master, it processes the stored response that triggered the challenge.

If a challenge is unsuccessful, the challenger rejects the critical request or response. If the challenger is an outstation, it does not perform the rejected critical request. If the challenger is a DNP3 master, it throws out the data that it received in relation to the rejected critical response. The challenger might also send a diagnostics message to the responder, but the number of diagnostics messages is actively limited.

To communicate using DNP3 Secure Authentication, the DNP3 master and the DNP3 outstation need to support DNP3 Secure Authentication version 2.00 and have that feature enabled. Both devices also need to be provided with a pre-shared private Update Key.
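The challenge-response flow described above, as an added Python sketch; it is not ClearSCADA code and does not reproduce the DNP3 wire format. Assumptions: a request is simplified to one function-code octet followed by payload, the critical set and reply window are constructed sample values, HMAC-SHA-256 is used as the MAC, and a single constructed shared key stands in for the key material both devices hold.

```python
import hashlib, hmac, os, time

CRITICAL_FCS = {2, 3, 4, 5, 13}  # constructed sample; defined per server in practice
REPLY_TIMEOUT_S = 2.0            # assumed reply window

def make_tag(key, seq, nonce, request):
    """MAC binds the challenge (seq + nonce) to the exact request being authorised."""
    return hmac.new(key, seq.to_bytes(4, "big") + nonce + request, hashlib.sha256).digest()

class Challenger:
    def __init__(self, key, clock=time.monotonic):
        self.key, self.clock, self.seq, self.pending = key, clock, 0, None

    def receive(self, request):
        """Non-critical requests run normally; critical ones are held and challenged."""
        if request[0] not in CRITICAL_FCS:      # sketch: octet 0 holds the function code
            return "execute", None
        self.seq += 1
        nonce = os.urandom(16)                  # fresh random data per challenge
        self.pending = (self.seq, nonce, request, self.clock() + REPLY_TIMEOUT_S)
        return "challenge", (self.seq, nonce)

    def verify(self, seq, tag):
        """Execute the held request only for an authentic, timely, first-use reply."""
        if self.pending is None:
            return "reject"
        p_seq, nonce, request, deadline = self.pending
        self.pending = None                     # a challenge can be answered once
        if seq != p_seq or self.clock() > deadline:
            return "reject"
        ok = hmac.compare_digest(make_tag(self.key, p_seq, nonce, request), tag)
        return "execute" if ok else "reject"

class Responder:
    def __init__(self, key):
        self.key = key

    def answer(self, seq, nonce, request):
        return seq, make_tag(self.key, seq, nonce, request)

if __name__ == "__main__":
    key = os.urandom(16)                        # constructed stand-in for the shared key
    outstation, master = Challenger(key), Responder(key)
    print(outstation.receive(bytes([1, 30]))[0])          # read: not challenged
    req = bytes([5, 12, 1])                               # constructed critical request
    _, (seq, nonce) = outstation.receive(req)
    print(outstation.verify(*master.answer(seq, nonce, req)))
```

Because the tag covers the held request as well as the challenge data, a reply computed over a different request, with a different key, after the deadline, or for an already-answered challenge is rejected.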

If security is required, but bandwidth is limited or high-latency links are used, consider transmitting critical requests and/or responses using Aggressive Mode. Aggressive Mode is generally a sufficiently secure form of DNP3 Secure Authentication; it differs slightly from the full ‘Challenge-Response’ mechanism described above in that fewer messages are transmitted between the two devices (see Aggressive Mode).

Further Information

Configure the system-wide DNP3 Secure Authentication properties: see Configuring DNP3 Server Settings.

Configure a DNP3 master outstation’s DNP3 Secure Authentication properties: see Configure the Security Properties.

Configure a DNP3 slave outstation’s DNP3 Secure Authentication properties: see Configure the Slave’s Security Properties.


ClearSCADA 2015 R2