Security Approaches for Enhancing SCADA Security

We divide the security approaches into three categories:
1. Solutions that wrap the DNP3 protocols without making changes to the protocols.
2. Solutions that alter the DNP3 protocols fundamentally.
3. Enhancements to the DNP3 applications.
The solutions that wrap the protocols include SSL/TLS and IPsec, which would provide a low-cost and quick security enhancement. The solutions that would require altering the DNP3 protocols tend to be more time-consuming and expensive to implement but provide better end-to-end security. Such solutions can be deployed either at the protocol level or within an application.

The approach studied here enhances SCADA security by using OpenSSL, an open-source implementation of the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocols. SSL/TLS secures communication channels for any reliable communication over TCP/IP and has been in use for about a decade, providing virtual private networks for Internet users. SSL/TLS secures communication between a server and a client by allowing mutual authentication, and it provides integrity by using digital signatures and privacy via encryption. The SSL/TLS protocols were designed specifically to protect against both man-in-the-middle and replay attacks. Other SSL/TLS features include error encryption, transparency and data compression. The protocols are administered by an international standards organization. SSL is well established in Web servers, Web browsers, and other Internet systems that require security.

In addition to these inherent SSL/TLS benefits, wrapping DNP3 with SSL/TLS has the following benefits:
1. The implementation would be fast, straightforward, and cost effective.
2. SSL/TLS covers the most necessary components expected at a protocol level.
3. The IEC technical committee has accepted SSL/TLS as a part of a security standard for their communication protocols. This endorsement is noteworthy and relevant, especially considering DNP3’s similarity to the IEC protocols.
4. Since UCA/MMS protocols can share the same lower level protocols with DNP3, any security enhancement done via securing TCP/IP would secure UCA/MMS transmission too.
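
As an added illustration (not code from the original text), the following Python shows the wrapping approach: a TLS layer with mutual certificate authentication placed in front of an unmodified DNP3/TCP listener, with the DNP3 bytes relayed untouched. The port numbers, certificate file arguments and function names are assumptions made for the example; Python's `ssl` module is built on OpenSSL.

```python
import socket
import ssl
import threading

PLAIN_DNP3 = ("127.0.0.1", 20000)  # assumed: outstation's existing cleartext listener
TLS_LISTEN = ("0.0.0.0", 19999)    # assumed: port the wrapper exposes to masters

def _base(protocol, cert, key, ca):
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # both ends must present a certificate
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext via length (CRIME)
    if cert:
        ctx.load_cert_chain(cert, key)    # this endpoint's identity
    if ca:
        ctx.load_verify_locations(ca)     # the only CA trusted to issue peer certs
    return ctx

def outstation_context(cert=None, key=None, ca=None):
    """Wrapper in front of the outstation: rejects masters without a CA-issued cert."""
    return _base(ssl.PROTOCOL_TLS_SERVER, cert, key, ca)

def master_context(cert=None, key=None, ca=None):
    """Master side: verifies the outstation's cert and hostname, offers its own cert."""
    return _base(ssl.PROTOCOL_TLS_CLIENT, cert, key, ca)

def pump(src, dst):
    """Copy bytes src -> dst until EOF; DNP3 frames pass through unparsed and unchanged."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def serve(ctx, listen=TLS_LISTEN, target=PLAIN_DNP3):
    """Terminate TLS from masters and relay the cleartext to the local DNP3 port."""
    with socket.create_server(listen) as srv:
        while True:
            raw, _peer = srv.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)  # handshake checks client cert
            except (ssl.SSLError, OSError):
                raw.close()                                   # unauthenticated peer: drop
                continue
            plain = socket.create_connection(target)
            for a, b in ((tls, plain), (plain, tls)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()
```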


