Recommended architecture
A cryptographic module, called a CM, may be
configured to protect SCADA communications
(SCM) or configured to protect communications
to the maintenance ports of field devices
(MCM). If the term CM is used, it applies to
either configuration. Figure 1 shows the
recommended architecture to implement this
SCM configurations
If a modem rack is used to support multiple
SCADA communication channels, it is common
to install SCMs in a rack configuration rather
than stacking individual SCMs. This
configuration is shown in Figure 1.
MCM configurations
Protecting access to the maintenance ports
and the data communicated over these
channels may use an MCM at both ends of the
communication channel, or one MCM at the
field end of the communication channel and
cryptographic software loaded on the field
technician's laptop computer. Figure 1 shows
the configuration with software and one MCM
on each communication channel, because it is
less costly and simpler to manage. This
configuration is preferred.
The field technician's laptop computer must
include an available USB port that will accept an
Authentication Key to satisfy the requirement
for two-factor authentication. Although a
SmartCard device may be used to provide
two-factor authentication, it is not preferred
because it is costly, requires extra equipment
(a SmartCard reader), and is not easy for field
technicians to use.
Dedicated communication channel
between each SCM management port and
the Key Management Appliance,