
SmartGridNews.com

The insider's guide to the modernization and automation of electric power

DNP Secure Authentication – Essential to Smart Grid Progress
By Erich Gunther
Nov 18, 2008 - 7:17:31 AM

In SGN's Tech Take articles, power engineer and architect Erich Gunther evaluates actual products and services against the SGN Smart Grid Scorecard. Unless disclosed explicitly at the beginning of the article, neither SGN nor Erich Gunther has received any compensation from the vendor nor do they own stock in the company.

 

This article is a bit different from my other Tech Take reviews because instead of talking about a particular product, I’m reviewing a technology that may appear in several different products.  DNP Secure Authentication is a recently released addition to the popular Distributed Network Protocol (DNP3) standard.  It permits the receiver of a DNP3 message to verify that:

  • The message came from an authorized user
  • The message was not tampered with in transit

 

In today’s security environment, these abilities can make the difference between (a) deploying a modern “automated” substation, (b) deploying a legacy technology with less business value, or (c) deploying no automation at all.  As such, DNP Secure Authentication is a key enabler for the deployment of the Smart Grid.

 

In the interest of full disclosure, my EnerNex colleague Grant Gilchrist is the editor of this specification and worked with the DNP Users Group and EPRI to develop it.  However, EnerNex receives no compensation from the use of the specification.

 

To understand my evaluation, you need to know about the following:

  • The Smart Grid News Scorecard
  • What is DNP?
  • Why Secure DNP?
  • How Does DNP Secure Authentication Work?
  • How Does It Enable the Smart Grid?

The SGN Scorecard

The SGN Scorecard was developed for a very important reason: most of today's products do not adhere to Smart Grid principles. They do not support the requirements envisioned by Smart Grid researchers such as EPRI, the California Energy Commission's Public Interest Energy Research program, the Modern Grid Initiative and DOE's GridWise program. Nor do they adhere to the mandates in the Energy Independence and Security Act of 2007.

 

In particular, several elements of the EPRI IntelliGrid Architecture are critical to implementing a Smart Grid:

  • Proven, Internet-derived communication technologies
  • Service-based architecture at the enterprise level
  • Self-healing technology
  • Well-defined interfaces and points of interoperability
  • Application of industry and international standards
  • Built-in security and network management

 

The SGN Scorecard is a checklist that measures whether products meet minimum Smart Grid standards. We use it as the benchmark for all Tech Take reviews. You are invited to use it free of charge for your own evaluations. For a further explanation and a blank version you can copy freely, download the PDF version of the Scorecard. (See link below.)

 

What is DNP?

The Distributed Network Protocol, known as DNP3, is the most popular utility automation protocol in North America.  According to a 2004 Newton-Evans survey, over 75% of North American utilities were already using or planning to use DNP3 in their Supervisory Control and Data Acquisition (SCADA) networks.  It is applied throughout transmission and distribution networks, providing connections from master stations to substations, between devices within substations, and out to pole-top devices along feeders.

 

DNP3 is an open standard and therefore a good candidate for the Smart Grid. It was developed by Westronic Inc. of Calgary, Canada, which later became Harris Distributed Automation Products, then GE Harris and now GE Energy. As Harris, it released the specification of DNP3 into the utility industry in 1994 and gave control of it to the DNP Users Group, which has grown to several hundred members including both utilities and vendors. Unlike a few supposedly open utility protocols, which are actually poorly disguised attempts to collect license fees, DNP3 earns no direct revenue for GE Energy. DNP3 is recognized in the IEEE 1379 standard for communications with Intelligent Electronic Devices (IEDs).

 

DNP3 is a viable Smart Grid technology. Unlike the more advanced IEC 61850 protocol, it does not provide structured naming and complex object models. However, it provides limited self-description of data, can be configured using XML, operates over the Internet protocol suite, and has proven to be an extremely reliable and self-healing technology.  Furthermore – at least until new additions are developed – there is no comparable IEC 61850 standard for the low-bandwidth and hostile distribution automation environment.  Therefore, for the benefit of the Smart Grid, it would be extremely valuable to have a method to provide security for DNP.

 

Why Secure DNP?

Many utilities are reluctant to secure their SCADA systems. They fear the cost required to secure hundreds or even thousands of remote devices.  They point to the fact that many SCADA systems are on dedicated networks that are supposedly isolated and, therefore, difficult to hack. They claim the NERC Critical Infrastructure Protection (CIP) standards do not require security for serial implementations. And they assert that NERC has no jurisdiction in distribution, where many DNP3 deployments are found.

 

That last argument is correct, for now. As of November 2008, the NERC mandate applies only in the bulk transmission system and not to distribution networks. However, this issue received significant and vigorous debate this year in Washington, DC. It would be premature to assume that the issue is settled.

 

Whatever the official jurisdiction, NERC firmly believes SCADA should be secured. In 2007, the NERC Control Systems Security Working Group released their Top Ten Vulnerabilities of Control Systems and Their Associated Mitigations.  Vulnerability Number Nine is stated as:

 

9. Control systems command and control data not authenticated
  • Authentication for LAN-based control commands not implemented
  • Immature technology for authenticated serial communications to field devices

 

NERC’s recommended mitigation for this vulnerability is “Use control system protocols that contain appropriate authentication and integrity attributes without affecting performance as the technology becomes available.”  The DNP Secure Authentication specification is exactly this type of protocol.

 

Another NERC statement may apply. It is listed in Critical Infrastructure Protection standard CIP-005:

 

R2.4. Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

 

Some people make the argument that this requirement does not apply to SCADA or data traffic.  They claim that the term “external interactive access” means remote login only. It remains to be seen whether this position is defensible.

 

Of course, the applicability of this requirement also depends on how a utility chooses to define its Critical Cyber Assets and Electronic Security Perimeter.  This in turn may depend on how much power may be switched or shed on a given network.

 

All this is quibbling over legalisms, however.  The fact remains that there are many transmission networks within NERC’s mandate that are controlled by DNP devices over insecure networks such as trunked radio systems.  These networks, at a minimum, should be secured.  Furthermore, one can expect that either NERC’s mandate, or the mandate of some other organization, will soon come to apply security standards in the distribution arena.

 

Finally, pure common sense indicates that as much of the utility control system as can be protected should be protected from attack, and as soon as possible.

How Does DNP Secure Authentication Work?

The DNP Secure Authentication specification uses security principles that have been in widespread use since the days of dial-up Internet connections: the keyed-Hash Message Authentication Code (HMAC) and challenge-response.

 

A hash is a calculation performed on a message that is superficially similar to a checksum or cyclic redundancy check: the value is very sensitive to changes in the message, and two different messages are very unlikely to produce the same value. The important difference is that a checksum or CRC can be recomputed by anyone who alters the message, whereas an HMAC mixes a secret key into the hash, so a party that does not hold the key cannot produce a valid value for a modified or fabricated message. As shown in Figure 1, the DNP3 authentication mechanism performs an HMAC on each critical message to authenticate it. The secret pre-shared key is never transmitted on the link.

 

 

[Figure 1 - Using an HMAC to Authenticate]

 

Challenge-response is a common mechanism for preventing replay attacks.  As shown in Figure 2, the device receiving a message (the challenger) decides whether or not the message is critical and requires authentication.  If the message is critical, the receiving device challenges the message by transmitting random data.

 

 

[Figure 2 - Using a Challenge-Response Mechanism]

 

To authenticate the critical message, the sender must respond with an HMAC calculated across the critical message and the challenge data, keyed with the secret key. Because the challenge is fresh random data each time, a recorded response is useless for replaying the command later, and an attacker who does not hold the key cannot compute a valid response to a new challenge. This protection depends on the challenge being unpredictable; a challenger that reuses its challenge data, or simply counts upward, gives it away.

 

Of course, the full challenge-response mechanism adds several messages to the protocol, which can adversely affect performance. Therefore, DNP Secure Authentication provides an aggressive mode, in which the data from a single challenge can be used to authenticate many subsequent messages. The sender of the critical message includes the HMAC at the end of the critical message without having to be challenged; each such message also carries a sequence number that is covered by the HMAC and must advance, so a captured aggressive-mode message cannot simply be sent again. At least one challenge must occur, however, before aggressive mode can be used.
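
The exchange described in this section, worked through as an added example; this is not code from the article or from the DNP Users Group's specification. It models both sides in Python, with HMAC-SHA-256 computed over the challenge sequence number, the challenge data and the critical message. The 16-byte challenge, the 32-bit sequence number, the use of a message's first byte as its function code and the set of codes treated as critical are assumptions made for illustration; the real DNP3 object encoding is not reproduced. The sequence number carried by every aggressive-mode message is what keeps that mode replay-resistant, and the example shows both a forged response and a replayed aggressive message being refused:

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 16
# Assumption for this example: the first byte of a message is its function
# code, and the outstation treats these codes as critical (controls, say).
# The values are illustrative, not the DNP3 function-code numbering.
CRITICAL_CODES = {0x03, 0x04, 0x05}


def compute_mac(session_key, csq, challenge, message):
    """HMAC-SHA-256 over challenge sequence number || challenge data || message.
    Only this tag travels on the link; the session key itself never does."""
    material = csq.to_bytes(4, "big") + challenge + message
    return hmac.new(session_key, material, hashlib.sha256).digest()


class Outstation:
    """The challenger: the device that receives and acts on critical messages."""

    def __init__(self, session_key):
        self.key = session_key
        self.csq = 0            # sequence number of the last challenge issued
        self.challenge = None   # random data of the last challenge issued
        self.accepted = []      # messages accepted for execution

    def receive(self, message):
        """Accept a non-critical message outright; answer a critical one with a
        fresh, unpredictable challenge instead of executing it."""
        if message[0] not in CRITICAL_CODES:
            self.accepted.append(message)
            return ("accepted", None, None)
        self.csq += 1
        self.challenge = secrets.token_bytes(CHALLENGE_BYTES)
        return ("challenge", self.csq, self.challenge)

    def _verify(self, csq, message, mac):
        if self.challenge is None:
            return False
        expected = compute_mac(self.key, csq, self.challenge, message)
        return hmac.compare_digest(expected, mac)   # constant-time comparison

    def receive_response(self, message, mac):
        """Normal mode: the sender answers the challenge that was just issued."""
        ok = self._verify(self.csq, message, mac)
        if ok:
            self.accepted.append(message)
        return ok

    def receive_aggressive(self, csq, message, mac):
        """Aggressive mode: the message carries its own sequence number and a MAC
        computed over the last challenge data, so no round-trip is needed. The
        sequence number must be exactly the next one, which defeats replay."""
        if csq != self.csq + 1 or not self._verify(csq, message, mac):
            return False
        self.csq = csq
        self.accepted.append(message)
        return True


class Master:
    """The sender of critical messages."""

    def __init__(self, session_key):
        self.key = session_key
        self.csq = 0
        self.challenge = None

    def answer_challenge(self, csq, challenge, message):
        self.csq, self.challenge = csq, challenge
        return compute_mac(self.key, csq, challenge, message)

    def send_aggressive(self, message):
        """Reuse the last challenge data; advance the sequence number per message."""
        if self.challenge is None:
            raise RuntimeError("at least one challenge must precede aggressive mode")
        self.csq += 1
        return self.csq, compute_mac(self.key, self.csq, self.challenge, message)


def run_exchange(session_key=None):
    """Drive one exchange and report what the outstation accepted, plus the
    outcome of a forged response and of a replayed aggressive-mode message."""
    key = session_key or secrets.token_bytes(32)
    master, outstation = Master(key), Outstation(key)
    results = {}
    # 1. A non-critical poll is accepted with no challenge at all.
    poll = bytes([0x01]) + b"read class 0"           # constructed sample message
    results["poll"] = outstation.receive(poll)[0]
    # 2. A critical control: the outstation challenges, the master responds.
    trip = bytes([0x03]) + b"operate CROB point 7"   # constructed sample message
    kind, csq, challenge = outstation.receive(trip)
    results["trip_challenged"] = kind == "challenge"
    results["trip_ok"] = outstation.receive_response(
        trip, master.answer_challenge(csq, challenge, trip))
    # 3. Without the key, a fresh challenge cannot be answered.
    _, csq2, challenge2 = outstation.receive(trip)
    forged = compute_mac(b"guessed key", csq2, challenge2, trip)
    results["forgery_rejected"] = not outstation.receive_response(trip, forged)
    outstation.receive_response(trip, master.answer_challenge(csq2, challenge2, trip))
    # 4. Aggressive mode: the next control carries its MAC with no round-trip.
    close = bytes([0x04]) + b"operate CROB point 8"  # constructed sample message
    csq3, mac3 = master.send_aggressive(close)
    results["aggressive_ok"] = outstation.receive_aggressive(csq3, close, mac3)
    # 5. Resending the captured aggressive message fails: its csq is stale.
    results["replay_rejected"] = not outstation.receive_aggressive(csq3, close, mac3)
    results["accepted"] = len(outstation.accepted)
    return results
```

Calling run_exchange() returns the outcome of each step. Note that the poll in step 1 is accepted without any authentication at all: the mechanism protects only the messages the outstation classifies as critical, so the list of critical function codes deserves as much review as the keys themselves.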

 

How Does DNP Secure Authentication Measure Up?

The scorecard at the end of this article describes DNP Secure Authentication’s strengths and weaknesses.  In general, it is an excellent specification, well-designed for its purposes, which are to prevent impersonation or modification of the messages while minimizing the effect on throughput and processing power.  It is based on IEC, ISO, and NIST standards and thus avoids the traps of many “brew your own” security schemes.  As shown in Figure 3 and Figure 4, it is implemented at the application layer. Unlike site-to-site VPNs or device-to-device Transport Layer Security (TLS), it is carried wherever the DNP message goes, whether over TCP/IP networks, through terminal servers, or over radio systems.

 

It may surprise some that the mechanism is not intended to encrypt data. Utilities have told the IEC and the DNP Users Group that encryption of SCADA data is unnecessary if impersonation and modification are prevented. The practical consequence is that an eavesdropper on the link can still read the commands and measurements; only forging or altering them is prevented. If encryption is desired, the mechanism can be used in concert with TLS over TCP/IP networks.

 

The main items that prevent DNP Secure Authentication from receiving a higher score are its key management mechanism and its specialization.

 

 

[Figure 3 – Advantages of Application-to-Application Security]

 

There are two levels of keys used in DNP Secure Authentication. The lowest level is the Session Key, which is used to calculate the HMACs and is changed periodically by the DNP master, so that a Session Key recovered by brute force or by any other means is useful only until the next change. The second level, the Update Key, is used to encrypt the Session Key and send it to the remote device. This may occur as often as every ten or fifteen minutes in systems that are retrieving two-second SCADA data.

 

If the Update Key is corrupted or compromised, or if the owner of the key leaves the organization, the utility has no choice but to send personnel to the remote device to change it.  The cost of this can be prohibitive if there are hundreds or thousands of devices.  The DNP Users Group recognizes this weakness and is working with EPRI to remedy it by the end of 2009 if possible.  Public Key Encryption may be part of the solution.  EPRI is also preparing for evaluation and testing of the specification.  EPRI or DNP Users Group members can see www.epri.com or www.dnp.org for details.
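
The two-level key hierarchy, worked through as an added example that is not code from the article or from the DNP Users Group. The challenge-response handshake of the previous section is left out so the focus stays on key handling. The specification encrypts the Session Key under the Update Key with a standard key-wrap algorithm; because this example uses only the Python standard library, the wrap is a stand-in built from an HMAC-SHA-256 keystream plus an integrity tag, labelled as such in the code, and the rotation trigger is a message count rather than the ten to fifteen minute interval mentioned in the text. Key sizes, the nonce and tag lengths, and the 1000-message interval are assumptions made for illustration. The scenario shows a rotation locking out an attacker who holds the old Session Key, and a key change under the wrong Update Key being refused:

```python
import hashlib
import hmac
import secrets

# Assumption: rotate the Session Key after this many authenticated messages
# (the article describes a time-based interval of ten to fifteen minutes).
KEY_CHANGE_INTERVAL = 1000
NONCE_BYTES, TAG_BYTES = 16, 32


def _keystream(update_key, nonce, length):
    """Counter-mode keystream derived with HMAC-SHA-256. Stand-in only: the
    specification uses a standard key-wrap algorithm under the Update Key."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(update_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_session_key(update_key, session_key):
    """Return nonce || encrypted key || tag, so a wrong Update Key or a tampered
    key-change message is detected rather than silently installing garbage."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    stream = _keystream(update_key, nonce, len(session_key))
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    tag = hmac.new(update_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_session_key(update_key, blob):
    """Inverse of wrap_session_key; returns None if the tag does not verify."""
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(update_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(update_key, nonce, len(ct))))


class Outstation:
    def __init__(self, update_key):
        self.update_key = update_key   # installed on site; no remote way to replace it
        self.session_key = None
        self.authenticated = 0

    def key_change(self, blob):
        key = unwrap_session_key(self.update_key, blob)
        if key is None:
            return False               # refuse; keep the current session untouched
        self.session_key, self.authenticated = key, 0
        return True

    def authenticate(self, message, mac):
        """HMAC check only; challenge data is omitted to keep the focus on keys."""
        if self.session_key is None:
            return False
        expected = hmac.new(self.session_key, message, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, mac)
        if ok:
            self.authenticated += 1
        return ok


class Master:
    def __init__(self, update_key):
        self.update_key = update_key
        self.session_key = None
        self.sent = 0

    def new_session(self):
        """Generate a fresh Session Key and wrap it for the outstation."""
        self.session_key, self.sent = secrets.token_bytes(32), 0
        return wrap_session_key(self.update_key, self.session_key)

    def needs_key_change(self):
        return self.session_key is None or self.sent >= KEY_CHANGE_INTERVAL

    def mac_for(self, message):
        self.sent += 1
        return hmac.new(self.session_key, message, hashlib.sha256).digest()


def run_scenario():
    """Install a session, use it up, rotate, and show why the Update Key matters."""
    update_key = secrets.token_bytes(16)   # placed in both devices by a technician
    master, outstation = Master(update_key), Outstation(update_key)
    r = {}
    r["first_change"] = outstation.key_change(master.new_session())
    old_session_key = master.session_key
    msg = b"operate CROB point 7"           # constructed sample critical message
    r["auth_ok"] = outstation.authenticate(msg, master.mac_for(msg))
    for _ in range(KEY_CHANGE_INTERVAL):
        outstation.authenticate(msg, master.mac_for(msg))
    r["rotation_due"] = master.needs_key_change()
    r["rotation_ok"] = outstation.key_change(master.new_session())
    # An attacker holding the old Session Key is locked out once it rotates.
    stale = hmac.new(old_session_key, msg, hashlib.sha256).digest()
    r["old_key_rejected"] = not outstation.authenticate(msg, stale)
    # A key change under any other Update Key is refused. This is also why a
    # lost or compromised Update Key cannot be repaired over the link.
    rogue = Master(secrets.token_bytes(16))
    r["wrong_update_key_rejected"] = not outstation.key_change(rogue.new_session())
    r["still_in_sync"] = outstation.authenticate(msg, master.mac_for(msg))
    return r
```

The refused key change at the end is the case the article warns about. Refusing is the correct behaviour, since accepting a Session Key from an unverified source would hand control to whoever sent it, but it also means that once the Update Key at an outstation is lost or compromised there is nothing the master can send to recover, which is exactly why a site visit is the only remedy.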

 

The other item that prevents a higher Smart Grid score is that this specification will not solve all a utility’s Smart Grid requirements, or even all its security requirements.  It is not intended to address network management, does not need to interact with the customer, and doesn’t affect utility participation in markets in the least.  However, it is very good at what it does, which is to protect DNP traffic.

 

How Does It Enable the Smart Grid?

One unfortunate effect of the release of the NERC CIPs was the use of the term “routable protocol” in the CIP-002 and CIP-005 standards and how some utilities have reacted to it.  The requirement is worded as follows:

 

…For the purpose of Standard CIP-002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,

R3.2. The Cyber Asset uses a routable protocol within a control center; or,

R3.3. The Cyber Asset is dial-up accessible.

 

To avoid classifying their SCADA devices as Cyber Assets and thus incurring extensive costs, some utilities have considered either (a) not deploying IP-based networks, or worse (b) dismantling their existing IP-based networks and moving back to purely serial networks.  A few innovative souls have compromised by deploying terminal servers so that the DNP protocol does not have a “routable” network layer outside the control center or substation, but is carried over IP inside those perimeters.  Time will tell whether this will allow them to escape the NERC audits.

 

From the point of view of deploying the Smart Grid, this is catastrophic.  Open standards-based (i.e. IP-based) networks are the foundation of the Smart Grid.  The idea that encouraging the industry to secure the grid could result in delaying its modernization, optimization, and responsiveness is a tragedy.  The tragedy is worsened by the fact that IP-based networks are not less secure; in fact there are myriad technologies for securing them.  The driving factor here is cost.

 

Fortunately, the arrival of the DNP Secure Authentication specification provides an alternative.  It permits DNP3 traffic to be secured over either serial links or IP-based networks, or both simultaneously, as illustrated in Figure 4.  It may convince utilities that they really can secure their SCADA systems and devices, and thus prevent a detrimental move away from the use of WANs and LANs in their automation systems.  This can only be good for the future of the Smart Grid.

 

 

[Figure 4 – Use of DNP Secure Authentication in Serial or TCP/IP networks]

Scorecard for DNP3 Secure Authentication

Scores are out of 10 (10 is best).

  • Impact: 8. Some people argue whether securing distribution automation should be the first priority, or would have the greatest impact, on overall utility security. However, this is nevertheless a security mechanism for the most popular SCADA protocol in North America and therefore should have some significant impact.

  • Openness: 10. The specification has been through both the IEC and DNP open development processes over three years. Anyone can join the DNP Technical Committee or contribute as a guest. The documents are available for a nominal membership fee at www.dnp.org. The mechanism is being implemented by multiple vendors, and code is available now from popular source code providers.

  • Standardization: 8. The specification has been developed by the DNP Users Group with input from multiple vendors, in coordination with the IEC 62351-5 international standard, and is based on NIST and ISO algorithms. It still needs evaluation by external experts, test procedures, interoperability testing, and integration into the DNP certification process. Contact EPRI if you want to help.

  • Security: 9. This specification is particularly intended to improve security and comprehensively meets the expressed needs of the industry in this arena, although it only addresses certain specific threats: impersonation and modification of critical messages, not confidentiality.

  • Manageability: 6. Not particularly intended to address network management, although it can help to raise alarms about intrusions. It may permit devices to download configuration and firmware remotely.

  • Upgradeability: 8. Periodically changes Session Keys and is designed to permit changing key lengths, data lengths, and cryptographic algorithms as security requirements evolve. Designed to co-exist with non-secure implementations. Does not download Update Keys yet. It would be nice to add a DNP Device Attribute object for this feature so devices can detect which version is in use.

  • Scalability: 6. Uses 16-bit values for user numbers and addresses, so it is not infinitely scalable, although few if any SCADA systems use tens of thousands of devices. More importantly, until remote download of Update Keys is available, practical systems are limited to perhaps hundreds of devices.

  • Extensibility: 10. Implemented at the application layer and so will work over a variety of underlying networks. Uses the DNP object-based structure so it can be detected and expanded in the future. Reports over the link which algorithms, key sizes, and data sizes are in use. Uses a standardized data model.

  • Self-healing: 9. Contains extensive state machine definitions designed to recover from message losses or interference. Security decisions are made by the receiving device at the point of impact. Contains the option to send debugging messages. Can report attacks on one communications link that are occurring on another link.

  • Interactivity: 6. Not designed for interaction with consumers. However, it permits the authentication of individual operators, not just devices, which is a level of tracking not previously available.

  • Total: 80 of 100.

 

Conclusion

The DNP Secure Authentication specification is what we need more of: a well thought-out, open-standards approach to solving a critical Smart Grid problem.  It needs a mechanism to download keys remotely in order to be properly scalable, but EPRI and the DNP Users Group are working on that.  In the meantime, it may encourage utilities not to go backward in their deployment of Smart Grid technology.

 

Research Credit:  Grant Gilchrist

Grant Gilchrist is a systems engineer, a member of several IEC communications standards committees and the editor of the DNP Secure Authentication specification.

 


   Smart Grid Scorecard for free download and use (PDF)

 





© Copyright 2008 SmartGridNews.com