Specify the Maximum Error Count
ClearSCADA can detect errors during any part of the authentication process, including challenge-responses, Aggressive Mode requests, Aggressive Mode confirmations, and Session Key Changes. If ClearSCADA detects an error during the authentication process, it will determine whether it needs to report that error to the outstation. For example, if ClearSCADA receives a critical response from an outstation, it issues a challenge to that outstation and waits for a response. If the outstation does not respond, or responds with an incorrect reply, ClearSCADA may generate an error message.
A malicious user may use a device to mount a denial-of-service attack against ClearSCADA by repeatedly sending ‘bad’ authentication messages. They may also send repeated challenges in an attempt to learn about ClearSCADA’s authentication. The Maximum Error Count setting helps to protect against such attacks by stopping ClearSCADA from transmitting error messages once a defined limit has been exceeded. This is in accordance with the DNP3 standard.
Use the Maximum Error Count spin box on the Security tab to specify the maximum number of authentication error messages that ClearSCADA is to send to this outstation.
You can specify a maximum error count of between 0 and 10 inclusive (with 2 being the default). Once this count has been exceeded, ClearSCADA will no longer send authentication error messages to this outstation.
The error count resets when either of the following occurs:
- ClearSCADA receives an authentic reply to its latest challenge
- The Session Keys are changed (see Define When the Session Keys Need to Change).
If the error count is exceeded in ClearSCADA for any reason, ClearSCADA will initiate a Session Key Change.
If the error count is exceeded during a Session Key Change, ClearSCADA will assume that the outstation does not support DNP3 Secure Authentication, or does not have DNP3 Secure Authentication enabled. Further communications will proceed without any authentication while the outstation remains online. (Should this occur, correct the configuration in the relevant device so that there is no longer a security mismatch.)
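The counter behaviour described above, modelled as a small Python state machine to show where the link stops sending error messages, starts a Session Key Change, and drops to unauthenticated communications. This is an added example, not ClearSCADA code: the class, method and event names are hypothetical, and it assumes that "exceeded" means the count has gone above the configured maximum and that an error arriving while a key change is pending counts as exceeding the limit during that key change.

```python
from dataclasses import dataclass, field

@dataclass
class AuthErrorTracker:
    """Simplified per-outstation model of the error counter (hypothetical names)."""
    max_error_count: int = 2              # default from the page; valid range 0..10
    error_count: int = 0
    key_change_pending: bool = False
    authenticated: bool = True
    events: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.max_error_count <= 10:
            raise ValueError("Maximum Error Count must be between 0 and 10")

    def on_auth_error(self) -> bool:
        """Count one authentication error; return True if an error message is sent."""
        if not self.authenticated:
            return False                  # authentication already abandoned
        self.error_count += 1
        if self.error_count <= self.max_error_count:
            self.events.append("error_message_sent")
            return True
        # Assumption: "exceeded" means the count is now above the maximum.
        if self.key_change_pending:
            # Exceeded during a Session Key Change: link continues unauthenticated.
            self.authenticated = False
            self.key_change_pending = False
            self.events.append("ALERT_unauthenticated_fallback")
        else:
            self.key_change_pending = True
            self.events.append("session_key_change_initiated")
        return False                      # no error message once the limit is passed

    def on_authentic_reply(self):
        self.error_count = 0              # reset condition 1

    def on_session_keys_changed(self):
        self.error_count = 0              # reset condition 2
        self.key_change_pending = False
        self.events.append("session_keys_changed")

def replay(messages, max_error_count=2):
    """Feed a constructed message sequence through a fresh tracker."""
    tracker = AuthErrorTracker(max_error_count=max_error_count)
    handlers = {"error": tracker.on_auth_error,
                "authentic_reply": tracker.on_authentic_reply,
                "keys_changed": tracker.on_session_keys_changed}
    for message in messages:
        handlers[message]()
    return tracker
```

The transition marked ALERT_unauthenticated_fallback is the one to alarm on, because from that point communications proceed without authentication while the outstation remains online.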
Further Information
Define Whether ClearSCADA Logs Authentication and Key Change Information.
Aggressive Mode: see Specify Whether Aggressive Mode is Used.