Deploying Secure DNP3 (IEEE 1815): What You Need to Know
Transcript of the presentation slides
[Slide 1]
Joe Stevens
Marketing Manager
Deploying Secure DNP3 (IEEE 1815): What You Need to Know
Technology Updates for Key Management
[Slide 2] Agenda
• Why Secure Authentication?
  – Benefits and Justification
• Equipment Considerations
  – Gateways/RTUs/Terminal Servers
• Cyber Security Architecture
  – Where Does SA Fit?
  – Multi-User Systems
  – Key Management
• Technology Updates
  – DNP Authority
  – DNP3 Key Management Protocol (DKMP)
[Slide 3] Why Secure Authentication?
• User Authentication
  – Each critical operation is authenticated
  – Addresses threat of spoofing, modification, and replay
  – Not just about cyber-security but also operational reliability
• Legacy Support Requirements
  – Must have low overhead on devices
  – Support low bandwidth, serial, and IP networks
• TLS Encryption Can Be Added for DNP3 IP Networks
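As an added illustration (not part of the slides, and not the IEEE 1815 g120 object encoding), a simplified Python model of the SAv5 challenge/reply behind "each critical operation is authenticated": the outstation challenges with a fresh nonce and sequence number, the master answers with a truncated HMAC-SHA256 over the challenge data plus the ASDU, and the outstation consumes the challenge on use, which is what defeats the spoofing, modification and replay cases the slide lists. The session key, ASDU bytes and dictionary message shapes are constructed for the example.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, csq: int, nonce: bytes, asdu: bytes) -> bytes:
    """HMAC-SHA256 over the challenge data and the ASDU, truncated to 16 octets."""
    data = csq.to_bytes(4, "big") + nonce + asdu
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

class Outstation:
    """Outstation side: challenges each critical ASDU and checks the reply."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.csq = 0          # challenge sequence number
        self.pending = None   # (csq, nonce) of the challenge awaiting a reply

    def challenge(self) -> dict:
        """Issue a single-use challenge with a fresh nonce."""
        self.csq += 1
        self.pending = (self.csq, secrets.token_bytes(4))
        return {"csq": self.csq, "nonce": self.pending[1]}

    def verify(self, reply: dict, asdu: bytes) -> bool:
        """Accept the ASDU only if the reply MACs this exact challenge and ASDU."""
        if self.pending is None or reply["csq"] != self.pending[0]:
            return False                      # nothing outstanding: stale or replayed
        expected = mac(self.key, self.pending[0], self.pending[1], asdu)
        self.pending = None                   # consume the challenge
        return hmac.compare_digest(expected, reply["mac"])

def master_reply(key: bytes, chal: dict, asdu: bytes) -> dict:
    """Master side: answer the challenge for the ASDU it wants executed."""
    return {"csq": chal["csq"], "mac": mac(key, chal["csq"], chal["nonce"], asdu)}

def run_scenarios() -> dict:
    """Constructed exchanges covering the genuine, replayed, modified and spoofed cases."""
    key = secrets.token_bytes(32)           # constructed session key shared by the pair
    asdu = b"\x05\x0c\x01\x41\x01\x00"      # constructed stand-in for a control request
    ost = Outstation(key)
    out = {}
    reply = master_reply(key, ost.challenge(), asdu)
    out["genuine"] = ost.verify(reply, asdu)
    out["replay"] = ost.verify(reply, asdu)               # same reply presented again
    reply = master_reply(key, ost.challenge(), asdu)
    out["modified"] = ost.verify(reply, asdu + b"\x01")   # ASDU altered in transit
    reply = master_reply(secrets.token_bytes(32), ost.challenge(), asdu)
    out["spoofed"] = ost.verify(reply, asdu)              # sender without the session key
    return out
```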
[Slide 4] Benefits of DNP3 Secure Authentication
• Increased security and reliability
  – End-to-end cyber-security at the application layer goes beyond TLS or VPN
  – Can help meet authentication requirements of NERC CIP
  – Role Based Access Control addresses operational requirements of utilities
• Can be implemented within existing infrastructure
  – Security upgrade path without upgrading existing infrastructure or legacy devices
[Slide 5] Equipment Considerations
• Are there devices that support Secure Authentication?
  – Short answer: Yes, a wide variety
  – Long answer: Stop by the DNP booth downstairs!
• What challenges are there for utilities and vendors?
  – Determining a migration path to DNP3 SA
  – Operational adjustments (especially for role based access)
  – Planning for key management in the future
  – Vendors: not many challenges now after 10 years
[Slide 6] Equipment Considerations (diagram)
Diagram of a SCADA Master reaching DNP3 Outstations through two kinds of intermediate device; link labels: DNP3, DNP3 SA, DNP3 SA Serial.
• Gateway or RTU: DNP3 SA to DNP3 without SA, or mapping of DNP3 SA users
• Terminal Server: supports IP to Serial and vice versa
[Slide 7] Multi-User Systems
• Role-Based Access Control (IEC 62351-8)
  – Each user has a role (Engineer, Operator, Security Admin)
  – Privileges are based on the role
  – Standard roles have predefined privileges
  – Custom roles can be defined for each organization
Table: User Roles versus Privileges
  Privileges (columns): View, Read, Reporting, File Read, File Write, Control, Security
  User Roles (rows): Viewer, Operator, Engineer, Security Admin, Security Auditor
[Slide 8] Multi-User Systems
• Users can be added to the system with specific roles
• Roles determine which privileges they have
Diagram: DNP3 Masters and DNP3 Outstations on DNP3 Networks; Users, each with Keys and a Role (Engineer, Operator, Viewer, Operator, Sec Admin).
[Slide 9] Benefits of Role Based Access
• Operational Side
  – User access based on roles within organization
  – Greater reliability and safety by reducing risk of unintentional operations
  – Support for multiple organizations that share assets
• Security Aspects
  – Capability to log operations by DNP3 Master
  – Reduces risk of malicious attacks from within organization
  – Key disclosure has lower risk than a “single user” system
[Slide 10] Key Management Dilemma
So many devices, users, keys…
• How can users be added, removed, or modified?
• Who manages the updates?
• How do you update keys securely?
• How frequently do you need to update keys?
• What is the cost?
• Can this be automated?
[Slide 11] Technology Updates: Updates to Secure Authentication
• IEEE Std 1815.1 Standard
• Security must evolve
• Backward compatibility is major goal
• Current objective: how will remote key management be standardized?
  – Much of the functionality exists in DNP3 now
  – DNP3 Authority evolving
  – Proposed key management interface for Masters
[Slide 12] Cyber Security Architecture
[Slide 13] DNP3 Authority
Central application across multiple DNP3 networks
• Interfaces to DNP3 Masters
• Adds, removes, and updates users
• Sends user keys/certificates to remote devices via Master
Diagram: the DNP3 Authority sends Keys/Certificates to the DNP3 Masters, which pass Keys/Certificates on to the DNP3 Outstations over DNP3 Secure Authentication; the Outstation authenticates the Authority, which enables remote key management.
[Slide 14] DNP3 Key Management Protocol (DKMP)
DKMP is a proposed specification*
• Uses TLS over TCP Sockets
• Symmetric or asymmetric cryptography
• Synchronizes Users
• Updates Users
• Changes Keys
*Started as part of EPRI DNP3 demonstration in 2014
Diagram: the DNP3 Authority talks to the DNP3 Masters over DKMP; the DNP3 Masters talk to the DNP3 Outstations over DNP3 Secure Authentication.
[Slide 15] Certificate Authority
• Asymmetric cryptography
• Provides digitally signed certificates
• Interfaces to DNP3 Authority
• Supports X.509 certificates with IEC 62351-8 defined extensions:
  – User Role
  – Lifetime of User Rights
  – Operation (add, delete, change)
Diagram: the Certificate Authority issues X.509 certificates to the DNP3 Authority, which passes them to the DNP3 Masters over DKMP.
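To make the Multi-User Systems slides and the three IEC 62351-8 certificate extensions above concrete, an added Python sketch (not Triangle MicroWorks code and not an IEC 62351-8 implementation) of an outstation-side user table: it applies add/delete/change rights assertions that carry a role and a lifetime, then authorizes DNP3 requests against the role and logs every decision, as the "log operations" and "remove users as they leave" bullets call for. The role-to-privilege and request-to-privilege mappings are assumptions using the names from the slide table, and the users and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed role-to-privilege table for this example; the names come from the slide,
# the actual assignments come from IEC 62351-8 and each organization's configuration.
ROLES = {"Viewer": {"View"}, "Operator": {"View", "Read", "Reporting", "Control"},
         "Engineer": {"View", "Read", "Reporting", "File Read", "File Write"},
         "Security Admin": {"View", "Security"}, "Security Auditor": {"View", "Read", "Reporting"}}
# Privilege each kind of DNP3 request needs (also assumed for the example).
REQUIRED = {"read": "Read", "control": "Control", "file_write": "File Write"}

class UserTable:
    """Outstation-side user table fed by authority-issued rights assertions."""
    def __init__(self):
        self.users = {}   # user -> (role, valid_from, valid_to)
        self.audit = []   # (user, request, permitted, reason)

    def apply_rights(self, user, operation, role=None, start=None, end=None):
        """Apply the Operation extension (add, delete, change) of one rights assertion."""
        if operation == "delete":
            self.users.pop(user, None)
        elif operation in ("add", "change"):
            if role not in ROLES:
                raise ValueError(f"unknown role {role!r}")
            self.users[user] = (role, start, end)
        else:
            raise ValueError(f"unknown operation {operation!r}")

    def authorize(self, user, request, now):
        """Decide one request against role and lifetime; every decision is logged."""
        entry = self.users.get(user)
        if entry is None:
            ok, reason = False, "no such user"
        elif not entry[1] <= now <= entry[2]:
            ok, reason = False, "rights outside lifetime"
        elif REQUIRED[request] not in ROLES[entry[0]]:
            ok, reason = False, f"{entry[0]} lacks {REQUIRED[request]}"
        else:
            ok, reason = True, "permitted"
        self.audit.append((user, request, ok, reason))
        return ok

def demo():
    t0 = datetime(2022, 4, 5, tzinfo=timezone.utc)   # constructed dates and users
    tbl = UserTable()
    tbl.apply_rights("alice", "add", "Operator", t0, t0 + timedelta(days=30))
    tbl.apply_rights("bob", "add", "Engineer", t0, t0 + timedelta(days=30))
    out = {"operator_control": tbl.authorize("alice", "control", t0 + timedelta(days=1)),
           "operator_file_write": tbl.authorize("alice", "file_write", t0 + timedelta(days=1)),
           "engineer_expired": tbl.authorize("bob", "file_write", t0 + timedelta(days=31))}
    tbl.apply_rights("bob", "delete")                 # user left the organization
    out["after_delete"] = tbl.authorize("bob", "read", t0 + timedelta(days=1))
    return out
```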
[Slide 16] Why Key Management?
• Operational Benefits
  – Lower cost to update keys in remote devices
  – User access is based on operational requirements
  – Add and remove users as organization changes
  – Users are synched with central User Management System
• Security Benefits
  – Change keys quickly after an unintended key disclosure
  – Reduced risk of key disclosure versus manual distribution
  – Users can be removed as they leave the organization
[Slide 17]
Joe Stevens
Marketing Manager
Triangle MicroWorks
Deploying Secure DNP3 (IEEE 1815): What You Need to Know