In ClearSCADA, Aggressive Mode is enabled by default on DNP3 outstations that use DNP3 Secure Authentication. This is because Aggressive Mode provides:
- A lower level of security than the full ‘Challenge-Response’ mechanism, but sufficient security for most systems
- Greater communications efficiency, as fewer messages are transmitted.
With Aggressive Mode, the device that sends the critical request or response anticipates a challenge to that request or response. For this reason, it includes the necessary authentication data in the original message.
The receiving device (the ‘Challenger’) has no need to issue a challenge as it has already received the data with which to authenticate the request. The receiving device authenticates the request to confirm that the critical request has genuinely come from that particular DNP3 device. Providing that the message is authentic, the device performs the critical request and sends the appropriate response to the sending device (the ‘Responder’). If the message is not authentic, the receiving device rejects the critical request. The device may then send a diagnostics message indicating a possible security attack.
Aggressive Mode is directional, which means it is applied separately in each direction - ‘Master Station to Outstation’ and ‘Outstation to Master Station’. As Aggressive Mode is directional:
- A DNP3 device can only issue Aggressive Mode requests once it has received a valid challenge (and replied successfully to that challenge). After the Session Keys expire, or communications are terminated, another valid challenge has to be received before the device can resume issuing Aggressive Mode requests.
- A DNP3 device can only accept Aggressive Mode requests once it has issued a valid challenge (and received a valid reply to that challenge). After the Session Keys expire, or communications are terminated, the device has to issue another valid challenge before it can resume accepting Aggressive Mode requests.
Communications might cease, for example, due to a server changeover or driver shutdown in the case of direct communications, or at the end of a PSTN call in the case of PSTN communications.
Further Information
Specify whether ClearSCADA accepts Aggressive Mode requests from, or issues Aggressive Mode requests to a DNP3 master outstation: see Specify Whether Aggressive Mode is Used.
Specify whether a DNP3 slave outstation accepts or issues requests using Aggressive Mode: see Specify Whether Aggressive Mode is Used.