The DNP User Group published the following news on May 27th 2016:
The DNP Technical Committee has released the following Technical Bulletin (TB):
- TB2016-002 Addressing Deficiencies in DNP3-SAv5
The TB (dated May 18th 2016) describes a number of interoperability problems and vulnerabilities identified in Secure Authentication version 5 procedures (SAv5). Some of the deficiencies and vulnerabilities can be corrected with explanations about how to use the SAv5 functions (which may result in code changes to the devices), others will be addressed in a future version of the procedures (SAv6).
How does this affect WITS users?
The WITS Master Stations and Field Devices currently implement DNP3-SAv2. This version of the DNP3 Secure Authentication has a number of known deficiencies and vulnerabilities which could result in a denial of service attack. However the security provided by the SAv2 procedures is considered to be far greater than those previously offered by earlier, vendor specific, protocols.
The deficiencies and vulnerabilities identified in the Technical Bulletin relate to features of SAv5 that are not used in WITS devices; therefore, this TB has no impact on user’s current systems. However, WITS users may wish to seek information from their device suppliers about when devices with SAv5 will be available.
How does this affect WITS vendors?
The WITS vendors should have the implementation of SAv5 in their product road-map. As recommended by the DNP User Group, the implementation of SAv5 should not be deferred and the details in this DNP3 Technical Bulletin used when implementing the new procedures.
The DNP Technical Bulletin can be downloaded by members of the DNP User Group from www.dnp.org
Please email firstname.lastname@example.org if you have any questions.