Configure the Certificate-Based Security Properties
POTENTIAL SECURITY BREACH
The IED tab on the IED Form includes a Certificate-Based Security section. Use the section to specify whether the data that the IEC 61850 IED transmits is encoded using SSL, and if so, to specify the certificate and key settings required for such data transmissions.
- Use Certificate-Based Security—Use this check box to enable the use of MMS and/or TLS certificate-based security. Clear the check box (the default) if communications between the IED and clients are not encrypted. When the check box is clear, the rest of the fields within the Use Certificate-Based Security section are 'grayed out' and unavailable for use.
- Trust Store—With communications for which Geo SCADA Expert is to check the authenticity of the IED's certificate, you first need to import that certificate into the Geo SCADA Expert database. You use an SSL Certificate database item to import and store the certificate in the database (see SSL Certificates for Driver Communications). Use the Trust Store field to specify the location of the SSL Certificate database item that is used to store the public certificates that are to be trusted. Use the browse button to display a Reference browse window and then select the required entry from the window.
- Enable MMS Security—Select this check box to enable one of the MMS security features, which is the exchange of certificates, to allow authentication of the client and the server.
- Check Server Certificate—Select this check box if verification of the server certificate supplied by the broker is required. This verification process checks that the broker to which Geo SCADA Expert connects has a trusted certificate. The broker is represented in the database by this IEC 61850 database item.
- Enable TLS—Select this check box to enable the use of the TLS protocol when connecting to the device. TLS is a lower-level protocol that is used to encrypt the MMS protocol. Using TLS is optional and improves the security of the IEC 61850 connection. TLS uses certificates to set up the encryption and also allows the certificates to be used to authenticate the server and client.
- Key Store—With encrypted communications, Geo SCADA Expert sends a client certificate to the IED as part of the certificate validation process. You use an SSL Certificate and Key database item to store this certificate and its private key in the database (see SSL Certificates for Driver Communications). Use the Key Store field to specify the location of the SSL Certificate and Key database item that is used to store the client certificate and matching private key.
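
Before the IED certificate is imported for the Trust Store and the client certificate and key are imported for the Key Store, the files can be checked with the OpenSSL command-line tool. The script below is an added example, not part of the Geo SCADA Expert documentation; its function names, the file names and the assumption that the certificates and key are unencrypted PEM files are the example's own.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks with the OpenSSL command-line tool.
# Assumes unencrypted PEM files; all file names are placeholders.

# Key Store: succeed only if the private key ($2) matches the certificate ($1),
# by comparing the certificate's public key with the one derived from the key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate ($1) does not expire within $2 days (default 30).
cert_valid_for_days() {
    local days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Trust Store: print the SHA-256 fingerprint of the certificate ($1) so it can be
# compared with a value obtained from a trusted source before the file is trusted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Run every check: precheck <ied-cert.pem> <client-cert.pem> <client-key.pem>
precheck() {
    cert_valid_for_days "$1" || { echo "IED certificate is expired or expires soon"; return 1; }
    cert_valid_for_days "$2" || { echo "Client certificate is expired or expires soon"; return 1; }
    cert_matches_key "$2" "$3" || { echo "Client key does not match client certificate"; return 1; }
    echo "IED certificate SHA-256 fingerprint: $(cert_fingerprint "$1")"
}

# Only act when called with three file arguments, so the functions can be sourced.
if [ "$#" -eq 3 ]; then
    precheck "$@"
fi
```

A mismatched certificate and key, or a certificate close to expiry, is caught here rather than after the IED connection has been switched to certificate-based security.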
LOSS OF COMMUNICATION
Further Information