DNP3 Secure Authentication - Between ClearSCADA and Kingfisher RTU, and between two Kingfisher CP-30s
Posted by Bita Javershian

1. Introduction

This article explains how to set up DNP3 Secure Authentication between ClearSCADA and a Kingfisher RTU, and between two Kingfisher RTUs, and provides sample projects for CP-30 and ClearSCADA configurations. ClearSCADA and the CP-30 both support DNP3 Secure Authentication version 2.00. In ClearSCADA, you can optionally enable DNP3 Secure Authentication on a per-outstation basis. When enabled:

  •   A DNP3 outstation can issue a ‘challenge’ to determine whether it is genuinely communicating with a particular DNP3 master.
  •   A DNP3 master can issue a ‘challenge’ to determine whether it is genuinely communicating with a particular outstation.

Due to factors such as the necessary increase in bandwidth and extra processing involved, ‘challenges’ are only sent in relation to requests or responses that are deemed to be ‘critical’. The DNP3 standard dictates those function codes that are always deemed critical; other function codes can be set to critical if required. In ClearSCADA, you define the criticality of function codes on a per-server basis. The CP-30 has a default set of critical functions.

When a DNP3 device receives a request or response that is deemed to be critical, that device replies with a ‘challenge’. The challenge requires the sending device (the ‘Responder’) to send a reply within a defined time period.

If an authentic reply is received within the required time period, the device that issued the challenge (the ‘Challenger’) executes the critical function. If the challenger is an outstation, it performs the requested critical function and sends the appropriate response to the DNP3 master. If the challenger is a DNP3 master, it processes the stored response that triggered the challenge.

If a challenge is unsuccessful, the challenger rejects the critical request or response. If the challenger is an outstation, it does not perform the rejected critical request. If the challenger is a DNP3 master, it throws out the data that it received in relation to the rejected critical response. The challenger might also send an error message to the responder, but the number of error messages is actively limited.

In order to communicate using DNP3 Secure Authentication, both the DNP3 master and the DNP3 outstation must support DNP3 Secure Authentication version 2.00 and have that feature enabled. Both devices must also be provided with a pre-shared private Update Key.


Update Key


A pre-shared private Update Key is used, along with a Key Wrap algorithm, to encrypt the Session Keys during the Session Key Change process. ClearSCADA supports one Update Key per outstation (for the ‘Default User’). You set the Update Key using the Set Update Key pick action or method.

With DNP3 Secure Authentication, each DNP3 user requires their own Update Key. The outstation uses the Update Key to authenticate Session Key Change requests from its DNP3 master.

You might need to use a third-party random number generator application to generate a suitable Update Key. The key must comprise a sequence of hexadecimal digits. The key is case insensitive. The size of the Update Key is determined by the Key Wrap algorithm. The algorithm AES-128 requires a 128-bit key comprising 32 hexadecimal digits (for example, 0123456789ABCDEF0123456789ABCDEF).
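
One way to generate and check an Update Key in the format described above. This is an added example, not a ClearSCADA or Kingfisher tool. The function names are assumptions, and rejecting the article's sample key and repeated-digit keys is an extra precaution that goes beyond the format rules stated here.

```python
import hmac
import secrets
import string

KEY_HEX_DIGITS = 32  # AES-128 Key Wrap: 128-bit key = 32 hexadecimal digits
ARTICLE_SAMPLE = "0123456789ABCDEF0123456789ABCDEF"  # published above, so never deploy it

def generate_update_key() -> str:
    """Fresh 128-bit key from the operating system's CSPRNG, as 32 uppercase hex digits."""
    return secrets.token_hex(KEY_HEX_DIGITS // 2).upper()

def check_update_key(pasted: str) -> str:
    """Validate text exactly as pasted; return the normalised key or raise ValueError."""
    if any(ch.isspace() for ch in pasted):
        raise ValueError("key contains a gap (space, tab or line break)")
    if len(pasted) != KEY_HEX_DIGITS:
        raise ValueError(f"expected {KEY_HEX_DIGITS} hex digits, got {len(pasted)} characters")
    if any(ch not in string.hexdigits for ch in pasted):
        raise ValueError("key contains a non-hexadecimal character")
    key = pasted.upper()  # the key is case insensitive
    if key == ARTICLE_SAMPLE or len(set(key)) == 1:
        raise ValueError("key is a documentation sample or a repeated digit")
    return key

def same_key(master_side: str, outstation_side: str) -> bool:
    """Compare the two configured copies without regard to case, in constant time."""
    a, b = check_update_key(master_side), check_update_key(outstation_side)
    return hmac.compare_digest(a, b)

if __name__ == "__main__":
    print(check_update_key(generate_update_key()))
```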


Session Key

Session Keys are used to authenticate any messages that are challenged. Two Session Keys are in use per outstation at any particular time—one Session Key per communications direction. This means that if a Session Key is compromised in one direction, it does not compromise communications in the other direction.

The DNP3 master initializes the Session Keys on communications start-up (for instance, when the DNP3 driver starts up, or when communications are first established with the outstation). The Session Keys are changed periodically thereafter, to maintain security. On systems on which ClearSCADA is the DNP3 master, the size of the Session Keys is set using the ClearSCADA Server Configuration Tool.
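
A simplified model of the challenge and reply described in the introduction, using one Session Key per direction and the HMAC setting from section 2.2 (SHA-1 truncated to 10 octets). This is an added example, not ClearSCADA or Kingfisher code and not the DNP3 wire format. The class and function names, the 2-second reply window and the stand-in request bytes are assumptions.

```python
import hashlib
import hmac
import secrets

MAC_OCTETS = 10  # "SHA-1 truncated to 10 octets", the HMAC setting used in this article

def reply_mac(session_key: bytes, challenge_data: bytes, critical_msg: bytes) -> bytes:
    """Responder: truncated HMAC-SHA-1 over the challenge data and the challenged message."""
    full = hmac.new(session_key, challenge_data + critical_msg, hashlib.sha1).digest()
    return full[:MAC_OCTETS]

class Challenger:
    """Holds a critical message until the sender proves knowledge of the Session Key."""
    def __init__(self, session_key: bytes, reply_timeout: float = 2.0):  # timeout is assumed
        self.session_key = session_key
        self.reply_timeout = reply_timeout
        self.pending = None  # (challenge_data, critical_msg, deadline)

    def challenge(self, critical_msg: bytes, now: float) -> bytes:
        data = secrets.token_bytes(16)  # fresh random data, so an old reply cannot be reused
        self.pending = (data, critical_msg, now + self.reply_timeout)
        return data

    def accept(self, mac: bytes, now: float) -> bool:
        """True only for an authentic reply inside the time window; one try per challenge."""
        if self.pending is None:
            return False
        data, msg, deadline = self.pending
        self.pending = None
        expected = reply_mac(self.session_key, data, msg)
        return now <= deadline and hmac.compare_digest(mac, expected)

def demo() -> dict:
    control_key, monitor_key = secrets.token_bytes(16), secrets.token_bytes(16)  # 128-bit keys
    outstation = Challenger(control_key)  # challenges requests in the controlling direction
    msg = b"constructed stand-in for a Direct Operate request"  # not a real DNP3 frame
    c1 = outstation.challenge(msg, now=0.0)
    good = reply_mac(control_key, c1, msg)
    results = {"right key": outstation.accept(good, now=0.5)}
    outstation.challenge(msg, now=10.0)
    results["reply to an earlier challenge"] = outstation.accept(good, now=10.5)
    c3 = outstation.challenge(msg, now=20.0)
    results["monitoring-direction key"] = outstation.accept(reply_mac(monitor_key, c3, msg), now=20.5)
    c4 = outstation.challenge(msg, now=30.0)
    results["late reply"] = outstation.accept(reply_mac(control_key, c4, msg), now=33.0)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the first case leads to the critical function being executed; the other three are rejected by the challenger.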

 

Session Key Change

During the Session Key Change process, the DNP3 master generates a new pair of Session Keys and sends an encrypted copy of those Session Keys to the outstation. The DNP3 master encrypts the Session Keys using another key, the Update Key, and a Key Wrap algorithm. The Update Key permits the DNP3 master to change the Session Keys even after a Session Key is compromised. Session Keys are changed on a regular basis to maintain security. The DNP3 master also initiates a Session Key Change whenever it re-establishes communications with an outstation.


Define the Session Key Length

With DNP3 Secure Authentication, two Session Keys are required. One Session Key authenticates data transmitted in the monitoring direction (from a DNP3 outstation to its DNP3 master); the other Session Key authenticates data transmitted in the controlling direction (from the DNP3 master to a DNP3 outstation). Use the Session Key Length field in the DNP3 Master’s Security section of the ClearSCADA Server Configuration Tool to specify the length of both Session Keys. Specify a Session Key length that is supported by all of the DNP3 outstations on your system. The minimum length that you can specify is 128 bits. For systems on which ClearSCADA is the DNP3 master, ClearSCADA generates Session Keys of the specified length using FIPS 186-2 including Change Notice 1.


Key Wrap

The Key Wrap algorithm is the algorithm that is used to encrypt the Session Keys and Challenge Data during a Session Key Change. All devices that use DNP3 Secure Authentication must support the Advanced Encryption Standard (AES) AES-128 algorithm.
AES-128 is the algorithm that ClearSCADA uses during each Session Key Change. A pre-shared private Update Key is used in the encryption process.

 

2. Test

2.1 Scope of work

Secured DNP3 Authentication on the Direct Operate function from ClearSCADA to the slave RTU, and from the master RTU to the slave RTU. Check the results in Wireshark with both the right and the wrong update key entered in ClearSCADA, and compare them.


2.2 Required settings in ClearSCADA

2.2.1 Defined objects in Database tree

  

Figure 1.

 

a. Channel: configured on network TCP
b. Outstation set: connected to defined channel
c. Outstation: configured with single network, related IP address, and port no. 20000

 

 

 

Figure 2.

  

Security enabled; HMAC: SHA-1 truncated to 10 octets (network).
Key Wrap: AES-128.
Disable aggressive mode.

  

Figure 3.

 

 

Set update key: right-click the outstation and, on the pop-up menu, select Set Update Key, then paste the update key copied from the RTU.

  

Figure 4.

Note: When pasting the update key, make sure that there are no gaps between the characters.

d. Digital Output: DO, a normal digital output with the "update point on successful action" option.

 

2.2.2 Define Which Function Codes are Critical


With devices that use DNP3 Secure Authentication, any request to perform a function that is deemed to be critical is ‘challenged’. Such a request is only processed once the correct reply has been received to that challenge. Use the check boxes in the relevant DNP3 Security section of the ClearSCADA Server Configuration Tool to specify which function codes are deemed to be critical. To set this, go to Server Configuration, Global Parameters, DNP3 Master.

 

Figure 5.

Use the check boxes on the DNP3 Master section of the ClearSCADA Server Configuration Tool to determine the criticality of function codes for systems on which ClearSCADA is the DNP3 master. Set the function codes’ criticality so that it matches that of your outstations. For this test “Direct Operate” should be ticked.

 

2.3 Required settings in RTU


2.3.1 Between SCADA and RTU

Require authentication for critical functions:
1- Create a new project
2- Create a new RTU
3- Define DNP3 protocol
4- Edit DNP3 protocol: enable Authentication setting

 

Figure 6.

5- When enabled, an Update key can be entered (consisting of 16 hexadecimal bytes). This Update key must then be provided by a DNP3 master device before it can request a critical function. (Copy it to a file so that it can be pasted into ClearSCADA.)

 

2.3.2 Between 2 RTUs

1- Create new project
2- Create two new RTUs as master and slave
3- Define DNP3 protocol for both
4- Edit DNP3 protocol: enable Authentication setting
5- When enabled, an Update key can be entered (consisting of 16 hexadecimal bytes). This Update key must then be provided by a DNP3 master device before it can request a critical function. For a DNP Master RTU, authentication is configured for each route that is used to communicate with a Secure .


2.3.4 Critical functions requiring authentication

The critical functions under the DNP3 Secure Authentication standard for Kingfisher RTUs are:

Write; Select; Operate; Direct Operate; Direct Operate No Acknowledgement; Cold restart; Warm Restart; Initialise Application; Start Application; Stop Application; Enable Unsolicited Messages; Disable Unsolicited Messages; Record Current Time; Authenticate; and Activate Configuration.


2.4 Test Result


Switch DO1 ON and OFF from ClearSCADA to the CP-30:


2.4.1 Wireshark capture with right update key

Request, Wireshark capture detail:

 

Figure 7.

  

Response, Wireshark capture detail:

Figure 8.

 

 

2.4.2 Wireshark capture with wrong update key
ClearSCADA can’t initiate communication with the RTU:

 

Figure 9.

 



Attachments 
 
 scada_to_cp30_dnp3_secure.sde (512.53 KB)
 cp-30_dnp3_secure.zip (1.63 MB)
 dnp3 secure.pdf (1.01 MB)