Some companies hold the belief that its standard protocol is safe from the threat of cyberattacks, or leaked information.
For example, the DNP3 (version 5) protocol – though is relatively new, is a secure protocol. To measure the amount of risk, companies must measure it by the algorithm Risk=Threat x Vulnerability x Consequence. Though this is the case for the DNP3v5 protocol, it is not secure enough on its own to withstand an attack. For this example, it can be assumed that the Threats and Consequences are equal, leaving only Vulnerability up for analyzation. Vulnerability is a weakness that allows an attacker to succeed.
These weaknesses can take the form of weak encryption algorithms, poor implementation or even poor social engineering in regards to how a security solution is designed to be implemented. A network using a CryptoMod has less risk than a network using a SCADAPack with DNP3 v5 through a Bullet LTE radio.
Endpoint Security Device
This is where AUTOSOL’s CryptoMod fits. The CryptoMod provides a wider blanket of protection for the network and, when coupled with ACM, provides a parallel example of “application-to-application” security as claimed by DNP3, which is what the SCADAPack in question uses.
DNP3 was “never designed with security in mind,” according to Multitrode, a company who assists entities with cost savings in the wastewater industry. “Since it is an open design, anyone familiar with the protocol could launch an attack on a SCADA system.”
Using the Autosol Communication Manager (ACM) , users can poll data from their RTU or PLC device using the DNP3 protocol, but the data will not be encrypted. With the use of the CryptoMod – which is installed in the same physical enclosure as the RTU or PLC – users will still have the ability to retrieve data in the used protocol, but the information will be encrypted for the entire length of communication. This will secure companies’ most vital information directly from the field to the field, or corporate office.
To further secure your data, select users will be equipped with a Public Key Infrastructure (PKI), which will only permit that user access to decrypting that data. A PKI can also be revoked from a user if necessary.