Secure Authentication

The WinCC OA DNP3 driver supports Secure Authentication (SA) version 5 as defined in IEEE Std. 1815-2012, section 7. This allows a device to request authentication for critical operations. Which operations are critical is determined by the device configuration and cannot be defined by the DNP3 driver. If the driver executes a critical operation (e.g. sends a binary command), the device requests authentication. If the driver authenticates successfully, the operation is executed. Otherwise it is rejected.

Secure Authentication - DNP3 Device Configuration

Some Siemens CPs (CP 1243-1 DNP3, CP 1542SP-1 IRC, …) and other devices support DNP3 Secure Authentication. The DNP3 driver supports communication with such devices when Secure Authentication is activated. The figure below shows an example configuration of an S7 CP1243-1 DNP3 module:
Figure 1. S7 CP1243-1 DNP3 Module

Configure the device according to the WinCC OA Secure Authentication - DNP3 Driver Configuration. Note the following:

CAUTION:
The preshared key in the WinCC OA DNP3 driver configuration and the preshared key here in the device panel MUST be identical! Other settings in the WinCC OA DNP3 driver configuration and in the device panel do not have to be identical. If the keys are not identical, operations that require authentication are rejected by the device.
Note:
You can select either the algorithm Aggressive Mode or other algorithms such as SHA1. The config entry authMACAlgorithm in the [dnp3] section can be used to specify other algorithms. MAC stands for Message Authentication Code. Note also that the selected algorithm must be supported by both sides: the algorithm selected in the driver must be supported by the device, and the algorithm selected in the device panel must be supported by the WinCC OA DNP3 driver.

WinCC OA Secure Authentication - DNP3 Driver Configuration

Figure 2. DNP3 Device-Panel

On the Security tab configure the Secure Authentication parameters:

Secure Authentication: Use this check box to enable the authentication. If the Secure Authentication is disabled, the connection does not use Secure Authentication.

Aggressive Mode: This option activates the aggressive mode. In this mode no separate authentication challenge and reply are required. The processing of critical operations is therefore sped up, since the authentication is part of a telegram and not a separate step. Aggressive mode must only be activated if it is supported by the device. If the device does not support this mode, Allow SHA1.

Since SHA1 is considered unsafe, it is not enabled by default. However, devices that do not support more recent MAC algorithms might still be in use. Therefore, this option is available.
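
The difference between the challenge-reply sequence and Aggressive Mode, as a simplified model added here for illustration (not WinCC OA code and not the IEEE Std. 1815-2012 wire format). The `Device` class, the message layout, the sequence-number handling and the direct use of one shared key with HMAC-SHA-256 are assumptions of this model.

```python
import hashlib
import hmac
import os

def mac(key, challenge, csq, request):
    # Constructed layout: challenge data || sequence number || request bytes
    msg = challenge + csq.to_bytes(4, "big") + request
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class Device:
    """Toy device side that authenticates critical requests."""
    def __init__(self, key):
        self.key, self.csq, self.data, self.pending = key, 0, None, None

    def challenge(self, request):
        # Challenge-reply: hold the request and send fresh challenge data
        self.csq, self.data, self.pending = self.csq + 1, os.urandom(4), request
        return self.csq, self.data

    def reply(self, csq, tag):
        ok = (self.pending is not None and csq == self.csq and
              hmac.compare_digest(tag, mac(self.key, self.data, csq, self.pending)))
        self.pending = None
        return ok

    def aggressive(self, csq, request, tag):
        # One telegram: request and MAC together, bound to the last challenge
        if self.data is None or csq != self.csq + 1:
            return False  # never challenged, or stale/replayed sequence number
        if not hmac.compare_digest(tag, mac(self.key, self.data, csq, request)):
            return False
        self.csq = csq
        return True

def demo():
    key = os.urandom(32)                                 # constructed shared key
    dev, op = Device(key), b"OPERATE binary output 3"    # constructed request
    csq, data = dev.challenge(op)        # telegrams 1 (request) and 2 (challenge)
    normal = dev.reply(csq, mac(key, data, csq, op))     # telegram 3 (reply)
    tag = mac(key, data, csq + 1, op)
    fast = dev.aggressive(csq + 1, op, tag)              # single telegram
    replay = dev.aggressive(csq + 1, op, tag)            # same telegram again
    forged = dev.aggressive(csq + 2, op, mac(os.urandom(32), data, csq + 2, op))
    return normal, fast, replay, forged
```

In this model the challenge-reply path needs three telegrams per critical operation, while the aggressive path needs one and still rejects a replayed or wrongly keyed telegram.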

You can specify a list of users with different roles and keys for each device. A device may or may not support multiple users.

The Actual user defines the current setting for the authentication. In DNP3 a user has a unique name and a unique number.
Note:
Therefore, do not set different user names with the same number or vice versa.
Role: You can select different roles for a user, for example, Viewer, Operator, SingleUser etc.

Depending on the role, the user has specific rights. The user can, for example, only view configurations or also edit them.

By default the SingleUser has all rights: to monitor data, operate controls, transfer data files, change configs, change security configs, change code and log in locally. If a user may only view data, select the role Viewer. The Viewer may only monitor data.
Note:
The roles are meaningful because the address panel offers function codes such as Direct Read, Write, Select Operate etc. You can specify in your device whether a function is critical or not. You can, for example, specify in the device that a client must authenticate in order to read.
The standard specifies the available roles. The table below contains the different roles:
Figure 3. Different User Roles according to the Norm IEEE Std. 1815-2012 section 7
Preshared key: The preshared key must be either 16 or 32 bytes long. This corresponds to either 32 or 64 hexadecimal characters.
CAUTION:
The preshared key specified here and the preshared key in the device panel MUST be identical! Other settings here and in the device panel do not have to be identical. If the keys are not identical, you cannot write data (that is, enter values) because the authentication is not enabled. You can, however, read values without authentication. Note also that if you change the configuration on the Security tab, you must deactivate and reactivate the connection on the Connection tab (via the Active check box) or restart the DNP3 driver.
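
A pre-deployment check for the rules above (key length, one name per user number, identical keys on both sides), added here as an example and not part of WinCC OA. The functions `check_users` and `new_key` and the input layout are hypothetical, and the key values are constructed.

```python
import hmac
import re
import secrets

HEX_KEY = re.compile(r"[0-9A-Fa-f]{32}|[0-9A-Fa-f]{64}")  # 16 or 32 bytes

def new_key(nbytes=32):
    """Generate a random preshared key as hex (32 bytes -> 64 characters)."""
    return secrets.token_hex(nbytes)

def check_users(driver_users, device_keys):
    """driver_users: (name, number, key_hex) rows from the driver's Security tab.
    device_keys: {user number: key_hex} as entered in the device panel.
    Returns a list of findings; an empty list means the two sides agree."""
    findings, by_name, by_number = [], {}, {}
    for name, number, key in driver_users:
        # A DNP3 user has a unique name and a unique number
        if by_name.setdefault(name, number) != number:
            findings.append(f"name {name!r} is used with more than one number")
        if by_number.setdefault(number, name) != name:
            findings.append(f"number {number} is used with more than one name")
        if not HEX_KEY.fullmatch(key):
            findings.append(f"{name}: key is not 32 or 64 hex characters")
            continue
        if len(set(bytes.fromhex(key))) == 1:
            # Extra hygiene check added here, not a rule stated on the page
            findings.append(f"{name}: key is one repeated byte")
        device_key = device_keys.get(number, "")
        # Constant-time comparison; hex case does not matter
        if not hmac.compare_digest(key.lower().encode(), device_key.lower().encode()):
            findings.append(f"{name}: driver and device keys differ")
    return findings

# Constructed sample values for illustration only
K1 = "00112233445566778899aabbccddeeff"
K2 = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2
GOOD = [("Operator1", 1, K1), ("Viewer1", 2, K2)]
BAD = [("Operator1", 1, K1), ("Operator1", 2, "abcd"), ("Viewer1", 1, K2)]

if __name__ == "__main__":
    print(check_users(GOOD, {1: K1.upper(), 2: K2}))  # no findings
    for finding in check_users(BAD, {1: K1}):
        print(finding)
```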

Secure Authentication - DNP3 Statistics

You can read Security Statistics from a device that supports them. The device provides the statistics and the WinCC OA DNP3 driver can read them, for example, "How often did the authentication fail?". The DNP3 specification contains a whole list of Security Statistics. To query the statistics, you must add a periphery address to group 121. The Variation for an address in group 121 must be 1.

The statistics are specified in IEEE Std. 1815-2012, section 7.5.2.2. Specify what to read by using the index of a security statistics object (of the Security Statistics group). For example, use index 12, meaning Successful Authentications, in the address panel.