
APPLICATION NOTE for DNP3 Security

SCOPE
This document covers the changes made to support DNP3 Secure Authentication features,
multiple simultaneous master stations, and level 3 compliance in WSOS5 and the ADVC2
firmware.

Document Revision Level: R01

Copyright Schneider-Electric Global Recloser Solution 2014

Schneider Electric
80 Schneider Road, Eagle Farm, Qld 4009
Locked Bag 10, Eagle Farm Business Centre
Qld 4009, Australia
Tel: +61 7 3635 7500
Fax: +61 7 3636 7560
http://www.nulec.com.au

Page 1 of 9
dnp3_security_application_note_R01

LIMITATIONS
This document is copyright and is provided solely for
the use of the recipient. It is not to be copied in any
way, nor its contents divulged to any third party, nor
to be used as the basis of a tender or specification
without the express written permission of Schneider
Electric Recloser Solutions Pty Ltd.
This document discloses confidential intellectual
property that belongs to Schneider Electric Pty Ltd.
This document does not invest any rights to
Schneider Electric intellectual property in the
recipient. Moreover, the recipient is required not to
disclose any of the intellectual property contained in
this document to any other party unless authorised in
writing by Schneider Electric Pty Ltd.

REVISION RECORD
Level  Date      Author     Comment
R00    23/10/14  Stuart C   Initial
R01    22/11/14  Sandeep S  Minor updates for release


Contents
Introduction ............................................................................................................................4
Software Versions ..................................................................................................................4
Feature Selection ...................................................................................................................4
DNP3 Secure Authentication..................................................................................................5
Secure Authentication ........................................................................................................5
Security Statistics ...............................................................................................................7
Multiple DNP3 Master Stations ..............................................................................................8
ADVC2 Panels ...................................................................................................................9
DNP3 Level 3 Compliance .....................................................................................................9
References ............................................................................................................................9


Introduction
This document describes the following features now available in the ADVC2 controller:

- DNP3 Secure Authentication
- Multiple DNP3 master stations
- DNP3 Level 3 compliance

These features are described in detail in the sections below.

Software Versions
The new features are supported in ADVC2 firmware and WSOS5, as per the table below.

ADVC    A45-37.00+
WSOS5   5.15.07+

Feature Selection
The Secure DNP3 feature must first be selected via the Feature Selection dialog in WSOS5.
This dialog is found under Display > Configuration > Feature Selection.

The prerequisite for turning on the Secure DNP3 feature is that DNP3 communication is
made available (this can also be done via the same dialog).

Figure 1: Feature Selection


DNP3 Secure Authentication

DNP3 provides a means of securely identifying and recording the actions of individual users.
This facility is called Secure Authentication.
The ADVC2 implements version 5 of the Secure Authentication feature, as specified in the
IEEE standard document 1815-2012.
ADVC2 DNP3 Secure Authentication functionality is configured via WSOS. It is enabled via
the Feature Selection page, and is configured over two separate windows (accessible under
DNP3): Secure Authentication and Security Statistics.

Secure Authentication
The DNP3 Secure Authentication window is shown in Figure 2. It allows configuration of the
operational parameters for DNP3 Secure Authentication, along with Update Keys (secret
keys shared between the master and outstation) for up to 10 users.
When a user issues a critical DNP3 request (i.e. one which requires authentication) and is
successfully authenticated, the ADVC2 will write two events to the Event Log: one showing
the type of request, and the other showing the ID of the requesting user.
The configurable parameters in this window are detailed in Table 1.

Figure 2 - WSOS5 DNP3 Secure Authentication Window


Table 1 - DNP3 Secure Authentication Window Parameters

Secure Authentication On/Off
    Turns the Secure Authentication facility on or off. While off, the controller will not
    respond to any secure authentication messages from the master, nor will it require
    authentication for accessing ASDUs.

Aggressive Mode On/Off
    Allows (or prevents) Aggressive Mode operation in DNP3 Secure Authentication. For
    more information on aggressive mode, please consult the standard.

MAC Algorithm
    Determines which algorithm the controller uses to compute the MAC (Message
    Authentication Code) in DNP3 Secure Authentication messages. The options are
    HMAC-SHA-256 (truncated to 16 octets) or HMAC-SHA-1 (truncated to 10 octets).

Reply Timeout
    The interval after which the controller will increment the Reply Timeout DNP3
    Security Statistic (see the section on Security Statistics).

Key Change Interval
    Interval after which the controller expects a session key to have been changed by the
    master. If the key has not been changed by this time, the controller will invalidate
    the current session.

Key Change Count
    Number of transmitted messages after which the controller expects a session key to
    have been changed by the master. If the key has not been changed after this many
    messages, the controller will invalidate the current session.

Max Session Key Status Count
    The maximum number of session key status requests that the controller will respond to
    during a given session.

Update Keys
    DNP3 Secure Authentication is performed on a per-user basis. Each user has an
    associated Update Key. The Update Key is a 32-character ASCII string of hexadecimal
    digits (i.e. 0-9 and A-F). WSOS5 allows configuration of up to 10 users. Update Keys
    must be common between the master and outstation. NOTE: Update Keys should be kept
    secret within a customer's organisation. This secrecy requirement extends to the WSOS
    switchgear configuration files, where the keys are stored.

Critical ASDUs
    Secure Authentication is required for accessing critical ASDUs only. As per the DNP3
    Standard (IEEE 1815-2012), some ASDUs are always critical (Write, Select, Operate,
    etc.). Others are optionally critical, and are configured in this section of the user
    interface.
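Added example in Python (not code from the application note or from the ADVC2/WSOS5 products) exercising the Table 1 rules a master or test harness must honour: the 32-hex-digit Update Key format, the two MAC options with their truncation lengths, and session invalidation by Key Change Interval or Key Change Count. The key fed to the MAC, the message layout and the injectable clock are assumptions made for the example; IEEE 1815-2012 defines the actual MAC input fields and key hierarchy.

```python
import hashlib
import hmac
import re
import time

# MAC options and truncation lengths exactly as Table 1 states them.
MAC_ALGORITHMS = {
    "HMAC-SHA-256": (hashlib.sha256, 16),  # truncated to 16 octets
    "HMAC-SHA-1": (hashlib.sha1, 10),      # truncated to 10 octets
}
UPDATE_KEY_RE = re.compile(r"[0-9A-Fa-f]{32}")  # both cases accepted here

def parse_update_key(text):
    """Accept only the WSOS5 Update Key form: 32 hex digits, i.e. 16 octets."""
    if not UPDATE_KEY_RE.fullmatch(text):
        raise ValueError("Update Key must be 32 hexadecimal digits (0-9, A-F)")
    return bytes.fromhex(text)

def truncated_mac(algorithm, key, data):
    """HMAC over `data`, keeping only the leading octets Table 1 specifies."""
    digestmod, length = MAC_ALGORITHMS[algorithm]
    return hmac.new(key, data, digestmod).digest()[:length]

def mac_matches(algorithm, key, data, received):
    """Constant-time check so timing does not leak how many octets matched."""
    return hmac.compare_digest(truncated_mac(algorithm, key, data), received)

class SessionKeyPolicy:
    """Key Change Interval / Key Change Count rules from Table 1: a session stays
    valid only until either limit passes without the master changing the key.
    The clock is injectable (a testing convenience, not part of the product)."""

    def __init__(self, interval_s, count, now=time.monotonic):
        self.interval_s, self.count, self.now = interval_s, count, now
        self.key_changed()

    def key_changed(self):
        # Master delivered a new session key: restart both the timer and the count.
        self.changed_at, self.sent, self.valid = self.now(), 0, True

    def message_sent(self):
        self.sent += 1
        return self.check()

    def check(self):
        # Either limit reached without a key change invalidates the current session.
        expired = self.now() - self.changed_at >= self.interval_s
        if self.sent >= self.count or expired:
            self.valid = False
        return self.valid
```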

Security Statistics

Figure 3 - DNP3 Security Statistics Window

As per the DNP3 Standard (IEEE 1815-2012), the ADVC2 controller maintains a number of
statistics associated with DNP3 Secure Authentication. These statistics can be viewed (and
their behaviour configured) in the Security Statistics window. See Figure 3.
Statistics can also be read using DNP3 Read requests, for objects in group 121. The map
for statistics points is fixed, as per table 7-6 of IEEE 1815-2012.
Each statistic has an associated event threshold, configurable in WSOS. Each time this
threshold is reached, the ADVC2 controller will generate a DNP3 event. Note that in order
for events to be generated, the corresponding statistic point must be assigned a non-zero
DNP3 class. When a DNP3 map is written to the ADVC2 controller, the class for all security
statistics points is reset to zero. To assign a non-zero class, one must issue a DNP3 Assign
Class request for the point in question. Assigned classes persist until the next time a DNP3
map is written to the ADVC2.

Some statistics have associated, configurable maximum values. The meaning of (and
behaviour corresponding to) these maximums is defined in the DNP3 Standard (IEEE 1815-2012).

Multiple DNP3 Master Stations

The ADVC2 now supports up to two simultaneous master station connections. Multi-master
support is available only when using DNP3 on the 10 Base-T Ethernet port of the ADVC2.
Multiple master stations should be configured with the same DNP3 address, and they must
connect to the controller from different IP addresses. The IP address of each master (for
the purpose of unsolicited communications) can be configured in the controller via the DNP3
IP Networking window in WSOS. See Figure 4.

Figure 4 - DNP3 IP Networking Window

The master for which statistics are displayed in WSOS is also configurable.
Throughout the DNP3 pages in WSOS, there are read-only values presented in the UI (e.g.
the number of unsolicited Class 1 events waiting to be sent). These read-only fields are
shaded yellow, and are almost always specific to a particular master association. The Show
Statistics radio buttons in Figure 4 allow the user to choose the master for which these
read-only fields are displayed.
When the user is on-line to an ADVC2 controller, and it is configured for DNP3
communications on the 10 Base-T port, each DNP3 window in WSOS will have its title
modified to show the master association for which statistics are being displayed. See Figure 5.


Figure 5 - DNP3 Master 1 Stats

Note, however, that the following read-only fields are common, and not specific to any one
master association:

- Last Invalid IP
- Invalid IP Packet Count
- Communication Status
- Transmit Count
- Receive Length Error
- Receive Count
- Receive CRC Error

ADVC2 Panels
The multiple master IP addresses and the Show Statistics field are also configurable on the
ADVC2 panels (both FlexVUE and SetVUE).
When configured for DNP3 communications on the 10 Base-T port, each DNP3 page on the
panels will show the master for which statistics are currently being displayed. This is done
with the suffix M1 or M2 at the end of the page titles.

DNP3 Level 3 Compliance

The ADVC2 now supports counter and frozen counter events, and the assignment of class
for counter and frozen counter points.
When a DNP3 map is written to the ADVC2, the class of all counter and frozen counter
points resets to zero. Non-zero classes can then be assigned to these points, using DNP3
Assign Class requests. Once assigned, classes for these points persist until the next time a
DNP3 map is written to the controller.
When a counter (or frozen counter) point has a non-zero class, an event will be generated
for every change in that point's value.
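Added example in Python (not the controller's code) modelling the class-reset rule that both this section and the Security Statistics section describe: every map write clears point classes to zero, and a statistic or counter point generates events only while its class is non-zero, so event generation stops silently until classes are reassigned. The point names, the Outstation helper and the reading of "each time the threshold is reached" as every multiple of the threshold are assumptions made for the example.

```python
class ClassAssignedPoint:
    """A DNP3 point whose event class is cleared to 0 by every map write and only
    produces events while the class is non-zero. The note applies this rule to
    group 121 security statistics (events each time the threshold is reached) and
    to counter / frozen counter points (an event for every value change)."""

    def __init__(self, name, event_threshold=1):
        if event_threshold < 1:
            raise ValueError("event threshold must be at least 1")
        self.name = name
        self.event_threshold = event_threshold  # 1 = event on every change
        self.value = 0
        self.dnp3_class = 0          # a freshly written map leaves class 0
        self.events = []

    def assign_class(self, dnp3_class):
        """DNP3 Assign Class request; persists until the next map write."""
        self.dnp3_class = dnp3_class

    def set_value(self, new_value):
        """Update the point; return True if a DNP3 event was generated."""
        if new_value == self.value:
            return False
        self.value = new_value
        # Assumption: "each time the threshold is reached" is modelled as every
        # multiple of the threshold (threshold 1 therefore means every change).
        due = self.value % self.event_threshold == 0
        if due and self.dnp3_class != 0:
            self.events.append((self.name, self.value, self.dnp3_class))
            return True
        return False

    def increment(self):
        return self.set_value(self.value + 1)

class Outstation:
    """Holds the points and applies the map-write side effect to all of them."""

    def __init__(self, points):
        self.points = {p.name: p for p in points}

    def write_map(self):
        # Writing a DNP3 map resets every statistic and counter class to zero,
        # so event generation silently stops until classes are reassigned.
        for point in self.points.values():
            point.dnp3_class = 0

    def unassigned_points(self):
        """Points in class 0: a check worth running after any map write."""
        return sorted(n for n, p in self.points.items() if p.dnp3_class == 0)
```

Running `unassigned_points()` after each map write is the practical check: any statistic or counter listed there will reach its threshold without producing an event.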

References
Contact your local distributor if you need more information
on this application.
www.schneider-electric.com.au
