DNP3 Secure Authentication
Geo SCADA Expert supports DNP3 Secure Authentication version 2.00 for a single user—the ‘Default User’ (DNP3 User 1).
You can optionally enable DNP3 Secure Authentication on a per-outstation basis in Geo SCADA Expert. When enabled:
- A DNP3 outstation can issue a ‘challenge’ to determine whether it is genuinely communicating with a particular DNP3 master.
- A DNP3 master can issue a ‘challenge’ to determine whether it is genuinely communicating with a particular outstation.
Due to factors such as the necessary increase in bandwidth and the extra processing involved, ‘challenges’ are only sent in relation to requests or responses that are deemed to be ‘critical’. The DNP3 standard dictates which function codes are deemed critical; other function codes can be set to critical if required. In Geo SCADA Expert, you define the criticality of function codes on a per-server basis (see Define Which Function Codes are Critical).
Functions that are deemed to be non-critical are processed in the normal way. (The DNP3 master sends a non-critical request to an outstation; the outstation processes that request and sends the appropriate reply and/or data to the DNP3 master.)
When a DNP3 device receives a request or response that is deemed to be critical, that device replies with a ‘challenge’
If an authentic reply is received within the required time period, the device that issued the challenge
If a challenge is unsuccessful, the challenger rejects the critical request or response. If the challenger is an outstation, it does not perform the rejected critical request. If the challenger is a DNP3 master, it throws out the data that it received in relation to the rejected critical response. The challenger might also send a diagnostics message to the responder, but the number of diagnostics messages is actively limited.
To communicate using DNP3 Secure Authentication, the DNP3 master and the DNP3 outstation need to support DNP3 Secure Authentication version 2.00 and have that feature enabled.
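The challenge flow described above, seen from the outstation side, as an added example (a simplified model, not Geo SCADA Expert code and not the DNP3 wire format). It assumes the reply is an HMAC-SHA-256 over the challenge data and the challenged request using a pre-shared key; the critical function code subset, the reply window and the diagnostics cap are illustrative values.

```python
import hashlib
import hmac
import os

# Assumed for illustration: a subset of function codes treated as critical
# (2 WRITE, 3 SELECT, 4 OPERATE, 5 DIRECT_OPERATE); 1 READ stays non-critical.
CRITICAL_FUNCTION_CODES = {2, 3, 4, 5}
REPLY_TIMEOUT_S = 2.0      # assumed time allowed for the reply
MAX_ERROR_MESSAGES = 2     # assumed cap on diagnostics messages


def sign(key: bytes, nonce: bytes, request: bytes) -> bytes:
    """Responder side: MAC over the challenge data and the challenged request."""
    return hmac.new(key, nonce + request, hashlib.sha256).digest()


class Outstation:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None      # (nonce, request, issued_at) awaiting a reply
        self.errors_sent = 0
        self.executed = []       # requests that were actually performed

    def receive(self, request: bytes, now: float):
        """First byte is the function code. Non-critical requests run at once."""
        if request[0] not in CRITICAL_FUNCTION_CODES:
            self.executed.append(request)
            return "executed", None
        nonce = os.urandom(16)   # fresh random data for every challenge
        self.pending = (nonce, request, now)
        return "challenge", nonce

    def receive_reply(self, mac: bytes, now: float) -> str:
        if self.pending is None:
            return self._reject()
        nonce, request, issued = self.pending
        self.pending = None      # a challenge can be answered only once
        in_time = (now - issued) <= REPLY_TIMEOUT_S
        if in_time and hmac.compare_digest(mac, sign(self.key, nonce, request)):
            self.executed.append(request)
            return "executed"
        return self._reject()

    def _reject(self) -> str:
        # The critical request is never performed; diagnostics are limited.
        if self.errors_sent < MAX_ERROR_MESSAGES:
            self.errors_sent += 1
            return "rejected+error"
        return "rejected"
```

Binding the MAC to both the fresh challenge data and the request bytes is what stops a captured reply from being reused for a different or later critical request.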