for
DNP3 Security
SCOPE
This document covers the changes made to
support DNP3 Secure Authentication
features, multiple simultaneous master
stations, and level 3 compliance in WSOS5
and the ADVC2 firmware.
R01
Schneider Electric
80 Schneider Road, Eagle Farm, Qld 4009
Locked Bag 10, Eagle Farm Business Centre
Qld 4009, Australia
Tel: +61 7 3635 7500
Fax: +61 7 3636 7560
http://www.nulec.com.au
Page 1 of 9
dnp3_security_application_note_R01
LIMITATIONS
This document is copyright and is provided solely for
the use of the recipient. It is not to be copied in any
way, nor its contents divulged to any third party, nor
to be used as the basis of a tender or specification
without the express written permission of Schneider
Electric Recloser Solutions Pty Ltd.
This document discloses confidential intellectual
property that belongs to Schneider Electric Pty Ltd.
This document does not invest any rights to
Schneider Electric intellectual property in the
recipient. Moreover, the recipient is required not to
disclose any of the intellectual property contained in
this document to any other party unless authorised in
writing by Schneider Electric Pty Ltd.
REVISION RECORD
Level   Date       Author      Comment
R00     23/10/14   Stuart C    Initial
R01     22/11/14   Sandeep S   Minor updates for release
Contents
Introduction
Software Versions
Feature Selection
DNP3 Secure Authentication
    Secure Authentication
    Security Statistics
Multiple DNP3 Master Stations
    ADVC2 Panels
DNP3 Level 3 Compliance
References
Introduction
This document describes the following features now available in the ADVC2 controller:
Software Versions
The new features are supported in ADVC2 firmware and WSOS5, as per the table below.
ADVC     A45-37.00+
WSOS5    5.15.07+
Feature Selection
The Secure DNP3 feature must first be selected via the Feature Selection Dialog in WSOS5.
This dialog can be found from Display > Configuration > Feature Selection.
Before the Secure DNP3 feature can be turned on, DNP3 communication must be made
available (this can be done via the same dialog).
Secure Authentication
The DNP3 Secure Authentication window is shown in Figure 2. It allows for configuration of
operational parameters for DNP3 Secure Authentication, along with Update Keys (secret
keys, shared between the master and outstation) for up to 10 users.
When a user issues a critical DNP3 request (i.e. one which requires authentication) and is
successfully authenticated, the ADVC2 will write two events to the Event Log: one showing
the type of request, and the other showing the ID of the requesting user.
The configurable parameters in this window are detailed in Table 1.
Parameter
Description
MAC Algorithm
Reply Timeout
Update Keys
Security Statistics
As per the DNP3 Standard (IEEE 1815-2012), the ADVC2 controller maintains a number of
statistics associated with DNP3 Secure Authentication. These statistics can be viewed (and
their behaviour configured) in the Security Statistics window. See Figure 3.
Statistics can also be read using DNP3 Read requests for objects in group 121. The map
for statistics points is fixed, as per Table 7-6 of IEEE 1815-2012.
Each statistic has an associated event threshold, configurable in WSOS. Each time this
threshold is reached, the ADVC2 controller will generate a DNP3 event. Note that in order
for events to be generated, the corresponding statistic point must be assigned a non-zero
DNP3 class. When a DNP3 map is written to the ADVC2 controller, the class for all security
statistics points is reset to zero. To assign a non-zero class, one must issue a DNP3 Assign
Class request for the point in question. Assigned classes persist until the next time a DNP3
map is written to the ADVC2.
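The Assign Class request described above, built and checked at the application layer (an added example, not code from Schneider Electric or from the original note). It assumes the request carries a group 60 class header followed by a group 121 variation 0 header with an 8-bit index range, and that there are 18 statistics points; all function names are hypothetical.

```python
# Added example: DNP3 application-layer bytes only (no link/transport framing or CRCs).
FC_ASSIGN_CLASS = 0x16                  # function code 22, Assign Class
G60_VAR = {0: 1, 1: 2, 2: 3, 3: 4}      # class number -> group 60 variation
G121 = 121                              # security statistics group named on the page
QUAL_ALL, QUAL_RANGE8 = 0x06, 0x00      # "all points" / 8-bit start-stop range
N_STATS = 18                            # assumed point count; confirm against Table 7-6

def build_assign_class(seq, dnp_class, start, stop):
    """Request assigning dnp_class to group 121 points start..stop."""
    if dnp_class not in G60_VAR:
        raise ValueError("class must be 0-3")
    if not 0 <= start <= stop <= 0xFF:
        raise ValueError("range must fit 8-bit start/stop")
    app_ctrl = 0xC0 | (seq & 0x0F)      # FIR and FIN set, sequence in low nibble
    class_hdr = bytes([60, G60_VAR[dnp_class], QUAL_ALL])
    points_hdr = bytes([G121, 0, QUAL_RANGE8, start, stop])  # variation 0 = any
    return bytes([app_ctrl, FC_ASSIGN_CLASS]) + class_hdr + points_hdr

def parse_assign_class(frag):
    """Return [(class, group, start, stop)] from a request shaped as above."""
    if len(frag) < 2 or frag[1] != FC_ASSIGN_CLASS:
        raise ValueError("not an Assign Class request")
    out, pos, current = [], 2, None
    while pos < len(frag):
        if len(frag) - pos < 3:
            raise ValueError("truncated object header")
        group, var, qual = frag[pos], frag[pos + 1], frag[pos + 2]
        pos += 3
        if group == 60 and qual == QUAL_ALL and 1 <= var <= 4:
            current = var - 1           # g60v1..v4 -> class 0..3
        elif qual == QUAL_RANGE8 and current is not None and len(frag) - pos >= 2:
            out.append((current, group, frag[pos], frag[pos + 1]))
            pos += 2
        else:
            raise ValueError("unsupported or misplaced object header")
    return out

def silent_points(requests_since_map_write, n_points=N_STATS):
    """Statistic indexes still at class 0, i.e. generating no events."""
    classes = [0] * n_points            # a map write resets every class to zero
    for frag in requests_since_map_write:
        for cls, group, start, stop in parse_assign_class(frag):
            if group == G121:
                for i in range(start, min(stop, n_points - 1) + 1):
                    classes[i] = cls
    return [i for i, c in enumerate(classes) if c == 0]

if __name__ == "__main__":
    req = build_assign_class(seq=3, dnp_class=1, start=0, stop=4)
    print(req.hex(), silent_points([req]))
```

Running `silent_points` against the requests a master has sent since the last map write lists the statistics that will not raise events until they are assigned a class again.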
Some statistics have associated, configurable maximum values. The meaning of (and
behaviour corresponding to) these maximums is defined in the DNP3 Standard (IEEE 1815-2012).
The master for which statistics are displayed in WSOS is also configurable.
Throughout the DNP3 pages in WSOS, there are read-only values presented in the UI (e.g.
number of unsolicited Class 1 events waiting to be sent). These read-only fields are shaded
yellow, and are almost always specific to a particular master association. The Show
Statistics radio buttons in Figure 4 allow the user to choose one master or the other, for
which to display these read-only fields.
When the user is on-line to an ADVC2 controller, and it is configured for DNP3
communications over the 10 Base-T port, each DNP3 window in WSOS will have its title
modified to show the master association for which statistics are being displayed. See Figure 5.
Note, however, that the following read-only fields are common, and not specific to any one
master association:
Last Invalid IP
Invalid IP Packet Count
Communication Status
Transmit Count
Receive Length Error
Receive Count
Receive CRC Error
ADVC2 Panels
The multiple master IPs and the Show Statistics field are also configurable on the ADVC2
panels (both FlexVUE and SetVUE).
When configured for DNP3 communications on the 10 Base-T port, each DNP3 page on the
panels will show the master for which statistics are currently being displayed. This is done
with the suffix M1 or M2 at the end of the page titles.
References
Contact your local distributor if you need more information
on this application.
www.schneider-electric.com.au