
Three Ways to Increase Security in Industrial Communications. (Part II)

The first proposed way to increase security in industrial communications is based on the use of specifications associated with secure industrial protocols. We tell you all the details.

The first way we propose to increase security in industrial communications is the use of specifications associated with secure industrial protocols. Currently, the best-known specifications in the industrial field that provide security to protocols are the following:
  • The one carried out by the OPC Foundation through OPC UA (Open Connectivity Unified Architecture).
  • The one carried out by the IEC (International Electrotechnical Commission) through the IEC 62351 series, which in turn provides security to the TC 57 protocol series, including the IEC 60870-5 series, IEC 60870-6 series, IEC 61850 series, IEC 61970 series, and the IEC 61968 series.
OPC UA (Open Connectivity Unified Architecture)
In 2008, the OPC Foundation proposed the new OPC specification named OPC UA (Open Connectivity Unified Architecture). OPC UA aims to improve and evolve the traditional OPC specification as follows:
  • Integrating all the specifications proposed in the traditional OPC (DA, HDA, A&E) into one.
  • Being independent of the operating system and therefore unlinking from Microsoft environments.
  • Integrating data and applications through a service-based style, in particular, through Web Services.
  • Facilitating accessibility to OPC applications through HTTP protocols (as this is one of the stacks on which web services are built).
  • Incorporating a native security layer into the specification that allows communications made over OPC UA to be provided with confidentiality, integrity, authentication, authorization, auditability, and availability.
Secure DNP3
In 2007, the DNP User Group published the Secure DNP3 specification. Because it operates at the application layer, Secure DNP3 can be used with both serial DNP3 and DNP3 encapsulated over TCP. It is based on IEC 62351-5, which manages the security of the TC 57 protocol series: IEC 60870-6 series, IEC 61850 series, IEC 61970 series and IEC 61968 series. This protocol:
  • Authenticates and authorizes communications between master and slave through a pre-shared key (level 1).
  • Authenticates and authorizes communications between master and slave periodically through HMAC (level 2).
  • Authenticates and authorizes critical requests and responses between master and slave, such as the following: writes (function code 2), selects (FC 3), operates (FC 4), direct operates (FC 5, 6), cold and warm restarts (FC 13, 14), initialize, start and stop application (FC 15, 16, 17), enable and disable unsolicited response (FC 20, 21), record current time (FC 24), authenticate file (FC 29), and activate configuration (FC 31).
Finally, it should be mentioned that Secure DNP3 does not encrypt the information it sends. Encryption for DNP3 is provided by TLS (Transport Layer Security), as defined in IEC 62351-3.
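The following added example (not code from this article or from the DNP3 or IEC specifications) models the behaviour described above: an outstation challenges only the critical function codes listed and checks the master's HMAC with a pre-shared key. It is a simplified model, not the IEC 62351-5 wire format; HMAC-SHA-256, the 16-byte challenge, the names `Outstation`, `mac` and `demo`, the key and the request bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Function codes the article lists as critical requests.
CRITICAL_FCS = {2, 3, 4, 5, 6, 13, 14, 15, 16, 17, 20, 21, 24, 29, 31}

def mac(key: bytes, challenge: bytes, request: bytes) -> bytes:
    """Bind the one-time challenge to the exact request bytes."""
    return hmac.new(key, challenge + request, hashlib.sha256).digest()

class Outstation:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # (challenge, request) awaiting the master's MAC

    def receive(self, request: bytes):
        """Non-critical requests run directly; critical ones are challenged."""
        fc = request[1]  # byte 0 = application control, byte 1 = function code
        if fc not in CRITICAL_FCS:
            return ("execute", fc)
        self.pending = (os.urandom(16), request)
        return ("challenge", self.pending[0])

    def reply(self, tag: bytes):
        """Check the MAC against the request as received; one try per challenge."""
        if self.pending is None:
            return ("reject", None)
        (challenge, request), self.pending = self.pending, None
        ok = hmac.compare_digest(tag, mac(self.key, challenge, request))
        return ("execute", request[1]) if ok else ("reject", None)

def demo():
    key = bytes(range(32))                          # constructed pre-shared key
    read = bytes([0xC0, 0x01]) + b"\x3c\x01\x06"    # FC 1, not critical
    operate = bytes([0xC1, 0x05]) + b"<objects>"    # FC 5, placeholder payload
    out, results = Outstation(key), []
    results.append(out.receive(read))               # executed without challenge
    _, ch = out.receive(operate)                    # critical: challenged
    good = mac(key, ch, operate)
    results.append(out.reply(good))                 # valid MAC
    results.append(out.reply(good))                 # same MAC sent again
    _, ch = out.receive(operate[:2] + b"<altered>") # request changed in transit
    results.append(out.reply(mac(key, ch, operate)))
    _, ch = out.receive(operate)
    results.append(out.reply(mac(b"wrong key", ch, operate)))
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```

The request bytes cross the link unencrypted in every case; the MAC only establishes origin and integrity, which is why confidentiality is left to TLS.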