Security recommendation

There have been a number of comments appearing in the "press" recently about DNP3 security:

  1. The DNP User Group have deprecated Secure Authentication Version 2 (SAv2) and are now specifying version 5 (SAv5). This has partly been done so that the DNP3 protocol can be adopted as a standard in the Smart Grid catalogue.
  2. The Smart Grid Interoperability Panel laid down a set of requirements which meant that the DNP security model needed to be enhanced in the areas of managing users and their roles. DNP3 SAv5 implements this enhanced security model.

How does this affect WITS users?

  • The DNP User Group have stated:

    The User Group is aware that there are field deployments using SAv2. These systems can continue to be used. There are no mandatory requirements to remove, replace or update existing deployments to SAv5.

    This means that there is no requirement to update or replace the many thousands of WITS Field Devices currently deployed.:

  • WITS does not have a requirement for "Devices" to support multiple users with different roles and so the enhanced security model in SAv5 is not applicable to WITS users. The security model in SAv2 meets the requirements of WITS users.

The way forward?

The WITS PSA Committee recommends that users continue to deploy devices implementing SAv2 (i.e. WITS-DNP3 versions 1.x) provided that they have taken care to secure their physical communications system.

The Committee recognises the need to evolve the security implementations and expect the WITS vendors to implement current and future versions of DNP Secure Authentication. The Committee encourages the vendors to identify where the development of SAv5 appears on their product roadmap.

Further details

A more in-depth discussion about DNP3 Secure Authentication can be found by clicking here.