PKR39809-02

DNP3 Security

The PowerLogic ADVC Controller implements version 5 of the secure authentication feature as specified in the IEEE standard document 1815-2012.

DNP3 Secure Authentication functionality for the PowerLogic ADVC Controller can only be enabled and configured through WSOS.

DNP3 and DNP3 Security must firstly be made available through Feature Selection in WSOS.

Display > Configuration > Feature Selection > Communications

Secure Authentication

Once DNP3 Security has been made available, Secure Authentication can be configured through WSOS by going to:

Display > Switchgear Communications > Protocols > DNP3 > DNP3 Secure Authentication.

Figure 66 DNP3 Secure Authentication Configuration settings

This page allows the configuration of operational parameters for DNP3 Secure Authentication, along with Update Keys (secret keys shared between the master station and outstation) for up to 10 users.

When a user issues a critical DNP3 request (that is, one which requires authentication) and it is successfully authenticated, the PowerLogic ADVC Controller writes two events to the Event Log. One event shows the type of request and the other shows the ID of the requesting user.

The configurable settings for DNP3 Secure Authentication are described in the table below.

Table 19 DNP3 Secure Authentication Configuration settings

Setting

Description

Secure Authentication On/Off

This turns the Secure Authentication feature On and Off.

While Off, the controller will not respond to any secure authentication message from the master station, nor will it require authentication for accessing ASDUs.

Aggressive Mode On/Off

This enables (or disables) Aggressive Mode operation in DNP3 Secure Authentication.

For more information on aggressive mode please consult the standard.

Message Authentication Code (MAC) Algorithm

This determines which algorithm the controller uses to compute the MAC in DNP3 Secure Authentication messages.

The options are:

  • HMAC-SHA-256 (truncated to 16 octets)

  • HMAC-SHA-1 (truncated to 10 octets)

Reply Timeout

The interval after which the controller increments the Reply Timeout DNP3 Security Statistic (see the section on Security Statistics).

Key Change Interval

The interval after which the controller expects a session key to have been changed by the master. If the key has not been changed by this time, the controller will invalidate the current session.

Key Change Count

The number of transmitted messages after which the controller expects a session key to have been changed by the master.

If the key has not been changed after this many messages, the controller will invalidate the current session.

Max Session Key Status Count

The maximum number of session key status requests that the controller will respond to during a given session.

Update Keys

DNP3 Secure Authentication is performed on a per-user basis.

Each user has an associated Update Key.

The Update Key is a 32 character ASCII string of hexadecimal digits i.e. 0-9 and A-F.

WSOS allows configuration of up to 10 users.

Update Keys must be common between the master and outstation.

NOTE: Update Keys must be kept secret within the customer's organization. This security requirement extends to the WSOS switchgear configuration files, where the keys are stored.
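The following is an added example, not code from the controller or from WSOS. It models three things the configuration table and the Update Keys section describe: the two MAC options with their truncation lengths (HMAC-SHA-256 to 16 octets, HMAC-SHA-1 to 10 octets), the Key Change Interval / Key Change Count limits after which a session is invalidated, and the Update Key format (32 ASCII hexadecimal digits). The class and function names, the sample key, and the exact moment at which the count limit is considered exceeded are assumptions made for illustration.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass

# The two MAC options from the configuration table, with the truncation
# lengths the table states. Hypothetical helper table, not controller code.
MAC_ALGORITHMS = {
    "HMAC-SHA-256": (hashlib.sha256, 16),  # truncated to 16 octets
    "HMAC-SHA-1": (hashlib.sha1, 10),      # truncated to 10 octets
}

# Update Key: exactly 32 hexadecimal characters (0-9, A-F); lower case tolerated here.
UPDATE_KEY_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def is_valid_update_key(key_text: str) -> bool:
    """Return True if the text is a well-formed 32-hex-digit Update Key."""
    return bool(UPDATE_KEY_RE.match(key_text))


def update_key_bytes(key_text: str) -> bytes:
    """Validate an Update Key string and return its 16 raw octets."""
    if not is_valid_update_key(key_text):
        raise ValueError("Update Key must be exactly 32 hexadecimal characters (0-9, A-F)")
    return bytes.fromhex(key_text)


def truncated_mac(algorithm: str, key: bytes, message: bytes) -> bytes:
    """Compute the HMAC over message and truncate it to the configured length."""
    digest, length = MAC_ALGORITHMS[algorithm]
    return hmac.new(key, message, digest).digest()[:length]


@dataclass
class SessionKeyPolicy:
    """Hypothetical model of Key Change Interval / Key Change Count enforcement.

    A session stays valid until either the configured time since the last key
    change is exceeded or more than key_change_count messages have been sent
    without a key change (assumed interpretation of "after this many messages").
    """
    key_change_interval_s: float
    key_change_count: int
    last_change_time: float = 0.0
    messages_since_change: int = 0
    valid: bool = True

    def key_changed(self, now: float) -> None:
        """Master changed the session key: reset both limits and revalidate."""
        self.last_change_time = now
        self.messages_since_change = 0
        self.valid = True

    def on_message(self, now: float) -> bool:
        """Record one transmitted message; return whether the session is still valid."""
        if not self.valid:
            return False
        self.messages_since_change += 1
        if self.messages_since_change > self.key_change_count:
            self.valid = False          # Key Change Count exceeded
        elif now - self.last_change_time > self.key_change_interval_s:
            self.valid = False          # Key Change Interval exceeded
        return self.valid


if __name__ == "__main__":
    # Constructed sample Update Key, used only for this demonstration.
    sample_key = update_key_bytes("00112233445566778899AABBCCDDEEFF")
    for name in MAC_ALGORITHMS:
        tag = truncated_mac(name, sample_key, b"constructed critical request")
        print(f"{name}: {len(tag)} octets -> {tag.hex()}")
    policy = SessionKeyPolicy(key_change_interval_s=60.0, key_change_count=3)
    policy.key_changed(0.0)
    print([policy.on_message(t) for t in (1.0, 2.0, 3.0, 4.0)])
```

The point of the session model is to make the two invalidation conditions explicit: whichever limit is crossed first ends the session, and only a key change by the master restores it.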

Critical ASDUs

Secure Authentication is required for accessing critical ASDUs only.

As per the DNP3 Standard (IEEE 1815-2012), some ASDUs are always critical (Write, Select, Operate etc.).

Others are optionally critical, and can be configured on the DNP3 Secure Authentication page in WSOS.

DNP3 Security Statistics

As per the DNP3 Standard (IEEE 1815-2012), the PowerLogic ADVC Controller maintains a number of statistics associated with DNP3 Secure Authentication. These statistics are displayed by WSOS on the DNP3 Security Statistics page.

Display > Switchgear Communications > Protocols > DNP3 > DNP3 Security Statistics

Figure 67 DNP Security Statistics values and settings

NOTE: Statistics can also be read using DNP3 Read requests, for objects in group 121. The map for statistics points is fixed, as per table 7-6 of IEEE 1815-2012.

Each statistic recorded has an associated event threshold, configurable on the DNP3 Security Statistics page.

Each time a threshold is reached, the PowerLogic ADVC Controller will generate a DNP3 event. Note that for events to be generated, the corresponding statistic point must be assigned a non-zero DNP3 class.

When a DNP3 map is written to the PowerLogic ADVC Controller, the class of all security statistics points is automatically reset to zero.

To assign a non-zero class to any point, a DNP3 Assign Class request must be issued for that point.

Classes assigned in this way will persist until the next time a DNP3 map is written to the PowerLogic ADVC Controller.

Some statistics have associated, configurable maximum values. The meaning of and behavior corresponding to these maximum values is defined in the DNP3 Standard IEEE 1815-2012.
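The following is an added example, not the controller's own code, showing the event-generation rules described above for security statistics points: a threshold reached on a point generates an event only when that point has a non-zero DNP3 class, a DNP3 map write resets every point's class to zero, and an Assign Class request restores it. The statistic names, thresholds, the class model, and the choice to treat every multiple of the threshold as "reached" are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StatisticPoint:
    """One security statistics point (hypothetical model of a group 121 point)."""
    name: str
    threshold: int        # event threshold configured on the statistics page
    count: int = 0
    dnp3_class: int = 0   # 0 = no events generated; 1..3 = event class


@dataclass
class SecurityStatistics:
    points: Dict[str, StatisticPoint]
    events: List[str] = field(default_factory=list)

    def assign_class(self, name: str, dnp3_class: int) -> None:
        """Model of a DNP3 Assign Class request for a single statistics point."""
        if dnp3_class not in (0, 1, 2, 3):
            raise ValueError("DNP3 class must be 0, 1, 2 or 3")
        self.points[name].dnp3_class = dnp3_class

    def map_written(self) -> None:
        """Writing a DNP3 map resets the class of all statistics points to zero."""
        for point in self.points.values():
            point.dnp3_class = 0

    def increment(self, name: str) -> Optional[str]:
        """Count one occurrence; return the event text if one was generated, else None.

        Assumption: the threshold is "reached" at every multiple of its value.
        """
        point = self.points[name]
        point.count += 1
        reached = point.threshold > 0 and point.count % point.threshold == 0
        if reached and point.dnp3_class != 0:
            event = (f"{point.name}: count {point.count} reached threshold "
                     f"{point.threshold} (class {point.dnp3_class})")
            self.events.append(event)
            return event
        return None


def build_sample_statistics() -> SecurityStatistics:
    """Constructed sample: two points with small thresholds for demonstration."""
    return SecurityStatistics(points={
        "Reply Timeout": StatisticPoint("Reply Timeout", threshold=3),
        "Authentication Failures": StatisticPoint("Authentication Failures", threshold=2),
    })


if __name__ == "__main__":
    stats = build_sample_statistics()
    # Freshly written map: classes are zero, so thresholds produce no events.
    for _ in range(3):
        stats.increment("Reply Timeout")
    print("events after map write only:", stats.events)
    # Assign a class, then reaching the threshold again produces an event.
    stats.assign_class("Reply Timeout", 1)
    for _ in range(3):
        stats.increment("Reply Timeout")
    print("events after Assign Class:", stats.events)
    # A new map write silently disables events again until the next Assign Class.
    stats.map_written()
    for _ in range(3):
        stats.increment("Reply Timeout")
    print("events after second map write:", len(stats.events))
```

The operational consequence the model makes visible is that a map write alone leaves every statistics point at class 0, so a monitoring setup that relies on these events must re-issue the Assign Class request after each map write.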
