Professional Documents
Culture Documents
Distributed Network Protocol - DNP3 - Security Interoperability Testing 2012
Distributed Network Protocol - DNP3 - Security Interoperability Testing 2012
11687472
11687472
Distributed Network Protocol (DNP3) Security
Interoperability Testing 2012
1026561
Technical Update, December, 2012
This is an EPRI Technical Update report. A Technical Update report is intended as an informal report of
continuing research, a meeting, or a topical study. It is not a final EPRI technical report.
NOTE
For further information about EPRI, call the EPRI Customer Assistance Center at 800.313.3774 or
e-mail askepri@epri.com.
Electric Power Research Institute, EPRI, and TOGETHER…SHAPING THE FUTURE OF ELECTRICITY
are registered service marks of the Electric Power Research Institute, Inc.
Copyright © 2012 Electric Power Research Institute, Inc. All rights reserved.
11687472
ACKNOWLEDGMENTS
The following organization, under contract to the Electric Power Research Institute (EPRI),
prepared this report:
EnerNex LLC
620 Mabry Hood Road Suite 300
Knoxville, TN 37932
Principal Investigator
G. Gilchrist
This document describes research sponsored by EPRI.
The DNP3 Secure Authentication specification and the DNP3 Secure Authentication Test
Procedures are being developed with the assistance of:
• The Distributed Network Protocol Users Group Technical Committee,
http://www.dnp.org.
• The International Electrotechnical Committee Technical Committee Working Group 15:
Utility Data Communications Security, and Working Group 3: Telecontrol
• The Institute of Electrical and Electronic Engineers Power Engineering Society
Substations Committee Working Group C14
• The Smart Grid Interoperability Panel Cyber-Security Working Group, sponsored by the
U.S. National Institute of Standards and Technology
This publication is a corporate document that should be cited in the literature in the following
manner:
Distributed Network Protocol (DNP3) Security Interoperability Testing 2012. EPRI, Palo Alto,
CA: 2012. 1026561.
11687472 iii
11687472
PRODUCT DESCRIPTION
This project encourages the adoption of the Distributed Network Protocol (DNP3) Secure
Authentication specification through three approaches:
• Supporting development and review of the specification by industry experts in
supervisory control and data acquisition (SCADA) and cryptography
• Aligning the specification with international standards performing similar functions, so
that there is a common industry-wide approach to SCADA security
• Developing procedures for testing the specification to reduce potential barriers to new
adopters and improve interoperability between new implementations
Results and Findings
The DNP3 Technical Committee reviewed the draft DNP3 Secure Authentication Test
Procedures, which consists of 275 tests of approximately a page each, and revised the document
to address the review comments.
The Institute of Electrical and Electronics Engineers (IEEE) balloted the DNP3 Secure
Authentication Specification Version 5 developed in 2011 and released it as IEEE Standard
1815-2012.
The International Electrotechnical Commission (IEC) balloted and released Edition 2 of IEC
62351-5, which had been aligned with DNP3 Secure Authentication version 5 in 2011.
The IEC working group revised IEC 60870-5-7, based on the revised IEC 62351-5, and released
it to the IEC for ballot.
Challenges and Objectives
This project involves coordinating updates to four different documents among several different
standards-development working groups. The primary challenge continues to be ensuring that as
the documents are reviewed by each of these groups, all necessary changes are propagated into
the appropriate specifications. A secondary challenge is trying to coordinate the processes of the
different groups, which all have different timings.
Another challenge is encouraging the implementation of the revised DNP3 Secure
Authentication Version 5 specification by vendors. Most interested vendors released Version 2
products in 2011, so there will be a delay before widespread adoption of the new standard.
The DNP Technical Committee is largely a volunteer organization with only limited resources
for developing a large, complex specification such as test procedures, especially a specification
requiring specialized knowledge like cryptography. Furthermore, the coordination between the
various organizations that must approve the specification is very labor-intensive. Without EPRI
support, this type of development might take years rather than months.
Applications, Values, and Use
The DNP3 protocol is the most widely used utility communications protocol in North America.
It has recently been released as the IEEE 1815 standard and is recognized in the National
Institute of Standards and Technology (NIST) Smart Grid Interoperability Framework as one of
11687472 v
the key standards to be used in smart grid deployments. Ensuring that DNP3 communications are
secure is therefore an important goal for the power industry.
With a comprehensive set of test procedures, vendors and utilities alike can ensure that a
particular implementation is correct and interoperable. Ensuring that these test procedures also
comply with international standards helps to ensure the specification’s adoption across the
industry.
Approach
The DNP3 Secure Authentication specification has been selected as the core document driving
the rest of the affected specification since the feedback from the DNP3 Technical Committee is
the fastest. This document is used to drive the other specifications, which have longer
development cycles.
The DNP3 Technical Committee developed the DNP3 Security Test Procedures framework by
creating a one-to-one correspondence between each requirement stated in the DNP3 Secure
Authentication specification and an appropriate section of the Test Procedures document.
Keywords
Security
Authentication
Cryptography
Key
Credential
Certificate
SCADA
Telecontrol
11687472 vi
CONTENTS
1 HISTORY AND BACKGROUND ............................................................................................ 1-1
Value to the Industry ............................................................................................................ 1-1
Goals and Objectives ........................................................................................................... 1-1
Relationships Between Deliverables .................................................................................... 1-2
Previous Accomplishments .................................................................................................. 1-3
2 CURRENT STATUS ............................................................................................................... 2-1
Status of DNP3 Secure Authentication Test Procedures ..................................................... 2-1
Status of the DNP3 Secure Authentication Specification and IEEE Std. 1815 .................... 2-1
Status of IEC 62351-5 Edition 2 ........................................................................................... 2-2
Status of IEC 60870-5-7....................................................................................................... 2-2
3 NEXT STEPS .......................................................................................................................... 3-1
DNP Secure Authentication Test Procedures ...................................................................... 3-1
Edition 2 of IEC 62351-5 ...................................................................................................... 3-1
Edition 1 of IEC 60870-5-7 ................................................................................................... 3-1
A TEST PROCEDURE REVIEW NOTES ................................................................................. A-1
11687472 vii
11687472
LIST OF FIGURES
Figure 1-1 Relationships between the Specifications and their Current Status .........................1-2
Figure 1-2 History of the DNP3 Secure Authentication Specifications (top) and IEC
62351-5 (bottom) .......................................................................................................................1-3
Figure 1-3 Interaction Between Working Groups and Documents 2008-2012...........................1-4
11687472 ix
11687472
1
HISTORY AND BACKGROUND
Value to the Industry
The Distributed Network Protocol (DNP3) is the most widely used utility communications
protocol in North America. Over 75% of power utilities have reported using it as part of their
Supervisory Control and Data Acquisition (SCADA), substation automation or feeder
automation projects. Originally released in 1994, DNP3 has been continuously updated over the
years by an active community of suppliers, users and integrators within the DNP Users Group.
Unfortunately, DNP3 as originally defined was not secure. Like most utility protocols developed
at the time, it was designed from the start to be highly resistant to noise and other communica-
tions failures found on power system feeders, but had no protection against deliberate cyber-
attacks. In today’s security context this omission was critical because DNP3 is frequently used
by utilities over vulnerable communications links, such as unencrypted radio systems. It is
sometimes carried over third-party wide area networks whose owners may not implement
adequate security. And even communications links that were traditionally thought to be secure,
such as leased lines, have been shown to sometimes be vulnerable.
Therefore, ensuring that DNP3 communications are secure is an important goal for the power
industry. Furthermore, because of DNP3’s popularity, it is a project that can provide a huge
benefit through relatively modest investment in a single technology.
11687472 1-1
• Release for ballot of Edition 1 of IEC 60870-5-7: Telecontrol Equipment and Systems –
Part 5-7: Security Extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols
(Applying IEC 62351-5)
It was hoped that this project would also include conformance and interoperability testing of
DNP3 Secure Authentication implementations in 2012. However, although software library
implementations of DNP3-SAv5 are available, no products were available for testing in 2012 so
this part of the project could not proceed.
IEC 62351-5
Reviewed
by Working Vendors IEEE Std.
Group, beginning to 1815-2012
revised and
Std.
implement Released
submitted Version 5 1815
for CDV
Reviewed by
Tech Committee
DNP3 Secure Authentication and Revised
Test Procedures
Figure 1-1
Relationships Between the Specifications and Their Current Status
The DNP3 Secure Authentication specification was developed in parallel with the IEC 62351-5
specification, as shown in Figure 1-2. The intent was that IEC 62351-5 would describe a generic
authentication mechanism that could be applied to both DNP3 and IEC 60870-5, the two most
commonly used utility communications protocols at the time the development was initiated. By
eliminating duplication of the effort to secure these protocols, it was intended that the work could
be accelerated and that the resources of the industry could be efficiently applied to the problem.
11687472 1-2
Figure 1-1 shows how the DNP3 Secure Authentication specification and IEC 60870-5-7 are
both based on IEC 62351-5, which in turn is based on fundamental cryptographic standards
defined by the U.S. National Institute for Standards and Technology (NIST) and the International
Standards Organization (ISO). Since work has been able to advance more quickly on the DNP3
specification, the IEC specifications are being revised to match the DNP3 changes rather than the
other way around.
Previous Accomplishments
The top half of Figure 1-2 shows events and releases of the DNP3 specification, while the
bottom half shows events in the development of IEC 62351-5.
Key distribution NIST
and ITI CSWG
cryptographic review of
EPRI Project review ver 2 / 5
Begins
Symmetric key
Testing Draft
distribution
Frame- Tests
proposed
DNP Tech work
Review “Bulletin of Tests
Version Ver Ver Ver Ver Ver Ver
Starts Reviewed
Intent” 1.0 1.5 2.0 2.2 3.0 4 5
Requests for:
• Return of public Ed. 2
Edition 1 Edition 2
62351-5 key distribution passed
Released without delayed by with key
ballot
• Authenticate key distribution IEC / NSA distribution
people, not mechanism patent issues sent to
devices ballot
Figure 1-2
History of the DNP3 Secure Authentication Specifications (top) and IEC 62351-5 (bottom)
EPRI’s sponsorship of the work began in 2008, when version 2.0 of the DNP3 Secure
Authentication specification was released by the DNP Users Group and Edition 1 of the IEC
62351-5 Technical Specification (TS) was ready for release by the IEC. While release of the
IEC specification was delayed due to patent declaration issues (which have now been resolved),
EPRI helped the DNP Users Group to develop the remote key distribution mechanism which had
been missing in previous versions, and to have the specification reviewed by the Information
Trust Institute at the University of Illinois.
11687472 1-3
In 2011, the following work took place as a part of the EPRI project, as shown in Figure 1-3.
• DNP3 Secure Authentication Version 4 (SAv4) was developed to address comments
from implementers on Version 3.
• The Cyber Security Working Group (CSWG) of the Smart Grid Interoperability Panel
(SGIP) reviewed SAv4 and found a vulnerability in it.
• DNP3 Secure Authentication Version 5 was developed to address the vulnerability and
align with IEC 62351-8. It was included in the version of IEEE Std 1815-2012 submitted
for ballot.
• IEC 62351-5 Edition 2 was revised to match DNP3-SAv5 and submitted for national
ballot.
• IEC 60870-5-7 was revised to match DNP3-SAv5 and submitted for working group
review.
IEC TC57 WG3 DNP Technical Committee IEC TC57 WG15 IEEE Sub Comm C12 WG SGIP Cyber-Security WG
IEC 60870-5-7 DNP3 Secure IEC 62351 IEEE Std. 1815 Reviews
Authentication
Version 2
2008-08
ITI Review,
IEC 62351-5
Key Distribution
Edition 1 Edition 1
Working Draft 2009-08
Version 3 IEEE Std.
Review 2010-03 1815-2010
2011
Implementer
Comments Catalog of
Stds Review
Version 4
2011-03
IEC 62351-8
Vulnerability
Edition 1
Review
2011-02
Common
Certificate Fix Encryption
Vulnerability
Version 5
2011-10 Submitted for Submitted for
Submitted to WG ballot review and ballot
2012
IEC 62351-5 IEEE Std.
Edition 1 Edition 2 1815-2012
Committee 2012-?
Draft for Vote Review
Review
Figure 1-3
Interaction Between Working Groups and Documents 2008-2012
11687472 1-4
2
CURRENT STATUS
This section describes the work completed this year and the current status of this project as of
December 2012.
Status of the DNP3 Secure Authentication Specification and IEEE Std. 1815
The following steps were completed on this deliverable in 2012.
1. IEEE Std. 1815-2010 including DNP3 Secure Authentication version 2, was approved in
January 2012 by the Governing Board of the Smart Grid Interoperability Panel (SGIP)
for inclusion in the SGIP Catalog of Standards.
2. The draft IEEE Std. 1815-2012, which includes Secure Authentication Version 5,
completed ballot on March 11 with approximately 260 comments.
3. The comments on the ballot were resolved by members of IEEE Substations Committee
Working Group C12 and the IEEE technical writers.
4. The draft standard was submitted to the IEEE Standards Association review committee
(RevCom) on April 26, 2012.
5. The IEEE-SA review committee approved IEEE Std. 1815-2012 on June 8, 2012.
6. The final version was published Oct 10, 2012.
11687472 2-1
The EPRI contribution to this work in 2012 was to resolve the ballot comments having to do
with DNP3 Secure Authentication and facilitating some of the C12 Working Group meetings.
11687472 2-2
3
NEXT STEPS
This section describes the next steps in the development of this project that should be completed in
2013.
11687472 3-1
11687472
A
TEST PROCEDURE REVIEW NOTES
This section provides the notes from the review of the DNP3 Secure Authentication Test
Procedures as of Nov 22, 2012
11687472 A-1
DNP3 Document Review
Reviewed Document’s Title: Date This Review Last Edited:
DNP3Spec-SecureAuthenticationTestProcedures 2012-11-22
Reviewed Document’s Version: Edited by:
2012-02-06 Grant Gilchrist
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Don’t need any references that aren’t directly Change to just reference the IEEE 1815
3. AW 1.2 E Accepted
used. standard
1
Reference Identifier’s include section, paragraph, table or figure numbers to identify the specific location within the original document.
2
T/E indicates whether the change is technical (T) or editorial (E).
11687472 A-2
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Add as an Annex. Must include which
10. AAW Missing T Description of what a test log should look like Accepted
profiles the tests were performed on.
Add as an Annex. Would like to have
Description of what the certificate should look
11. RK Missing T check boxes that show which optional Accepted
like
tests were performed.
12. AW 2.3.1 item 3 T “DNP3 and IP”, not “DNP or IP” As noted Accepted
14. GG 2.3.1 item 8 T Is it really necessary to force CRC failures Check to see if that’s true Accepted
15. GG 2.3.1 item 10 T Do we actually test against non-secure devices Check to see if that test exists Accepted
18. AW 2.3.2 item 5 T Incorrect value, or manually-entered? Specifically need “incorrect” value. Accepted.
2.3.2 item 6
19. GG T Don’t need this requirement Remove Accepted.
and 8
22. AW 3.1, 4.1 E Reword to use the default configurations As noted Accepted.
24. GG 3.1 step 12c T Add certification data length As noted. Accepted.
11687472 A-3
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Verify that the confirmation object from the
3.1 step 16
25. GG T master is actually in the same request as the key As noted. Accepted.
and 17
change itself.
3.3.1 step 6/7, Note that the CSQ is only 0 if nothing happened
30. AW step 10/11 E between the reset of the session keys and the As noted Accepted.
3.4.1 step 7/8 control operation.
3.3.1 step 6/7,
step 10/11 Use the default configuration of AES-256/SHA-
31. GG T As noted Accepted.
256
3.4.1 step 7/8
35. GG 4.1 T Critical messages received statistic is not tested Remove from list of statistics tested. Accepted.
11687472 A-4
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Not clear exactly which MAC algorithms are List very specifically which ones are
38. AW 4.1.2.1 E Accepted.
mandatory permitted, noting there are 4 values
Refer to the table in section 12.1.2 of the
The list of mandatory critical functions is not
test procedures regarding which functions
39. AW 4.1.2.2 E found in the test procedures, but in the Accepted.
are critical, and that the PIXIT lists them
specification itself.
all as supported.
The test asks the test set to be configured after Swap steps 4 and 5 so the configuration
40. AW 4.1.3 T Accepted.
sending the first message occurs first.
Is it necessary to test roll-over of the CSQ when Investigate. This may need to be a change
42. AW 4.1.4 T Accepted
the value increases by more than 1? to the specification.
Investigate whether roll-over requires a
Is it possible to test roll-over if the Challenger is
43. AW 4.1.4 T very long test or cannot be tested in a Accepted.
verifying that each new CSQ increments by 1?
conformance or integration test.
Change this test to verify that the next Challenge
44. AAW 4.1.4.1 T CSQ increments by 1 only if the Aggressive Mode As noted Accepted
CSQ was correct and the MAC was correct.
Add verification that authentication can only be
45. PA 4.1.5 T As noted. Accepted
disabled locally.
Note that the statistics to be checked are the ones
46. AW All tests E As noted. Accepted.
on the DUT
There were two messages received: the critical Note “received messages” increases by 2,
47. GG 4.2.3.3 step 21 T Accepted.
ASDU and the Reply not 1.
Correct step 16 to “critical” and change
There was a cut-and-paste error: step 16 should step 15 to note that the second critical
48. CB 4.2.4.2 step 16 T Accepted.
verify that the “critical” ASDU was not acted on. message must be distinguishable from the
first, e.g. a different point number.
Make “3. Discards critical ASDU
49. GG 4.2.6 step 3 E This is not a step, it’s a heading. Accepted.
if Reply times out” into 4.2.6.1
11687472 A-5
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
50. GG 4.2.7.1, 4.2.7.2 E Note that logging is optional “If the DUT supports logging, check…” Accepted.
11687472 A-6
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Add a test to increment
Unexpected Messages statistic if
the CSQ is not incremented
There are no responder tests to verify that the from Challenge to Challenge.
CSQ increments, or that the CSQ is different
from previous Challenges, or that the Challenge Make a change to the SA
data is different from previous Challenges. Add tests to check the CSQ and Challenge specification to require a
58. AW 5.1.2 T
data and ignore them. Responder to check that the
Furthermore, there are no rules in the Responder CSQ increments and update the
section of the specification saying that these Unexpected Messages statistic.
checks are necessary.
Note that this protects only
against brute force or DOS
attacks.
No need to tie the MAC algorithm to a particular
59. AW 5.1.1.2 E medium, and we don’t want them to think they Remove the notations in brackets. Accepted.
should only test it if it’s on a particular medium.
Finish sentence to say that the test should
60. GG 5.1.1.3 E Truncated sentence be skipped if the DUT does not support Accepted.
multiple users.
Accepted.
11687472 A-7
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
definition of the statistic, it should be acceptable.
11687472 A-8
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
11687472 A-9
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Missing a test for a TCP timeout (or data link
85. JB 6.3 T Add steps. Accepted.
timeout)
Sentence at the top of the section is incorrect;
86. CF 6.4 T Reword. Accepted.
copied from previous section.
Change the title to “Ignores Key Status if
87. AWGG 6.4.3 E Using “confirmation” in the title is confusing. waiting for confirmation of Session Key
Change”. Also change spec.
G120v5 is “Authentication Session Key Status”,
88. AWGG 6.4.3 E Change name throughout.
not “Authentication Key Status”
There is no test for the master receiving a Key
Status Request that is valid except the KSQ is
89. AWGG Missing T incorrect. If the MAC is valid but the KSQ is not Add a test.
incremented, the master should just accept the
new KSQ.
It is not clear that the (0x20) and (0x83) are
90. AWGG Throughout E Change to (FC=0x20) and (FC=0x83).
function codes.
6.4.4 and
Whenever the test set sends a Key Status object,
91. AWGG throughout, T Change the step
specify the User Number (usually the Default)
e.g. step 36
6.4.3 step 22
and 6.4.5 step This step should specify the MAC algorithm and
92. AWGG E Change the step
47 and challenge data as in 6.4.3
elsewhere
Clarify that the message must have a MAC, but
93. AWGG 6.4.6 step 61 E the master will know that any MAC value is Change the step
invalid.
Change “increased” to “changed” because it is
94. AWGG 6.4.6 step 65 E Change the step.
more difficult to mis-read.
Need four occurrences to exceed Max
95. AWGG 6.4.7 step 72 T Change text to “three more times”
Authentication Failures.
11687472 A-10
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
This step should check the Discarded Messages Discarded Messages should increment 8
96. AWGG 6.4.7 step 82 T
statistic also. times
Change text to “Repeat steps 68 through
97. AWGG 6.4.7 step 77 T Wrong number of repeats
76 two more times”
Once the keys have been successfully reset due to Add steps to test one more rekey due to
98. AWGG 6.4.7 step 81 T a key change timeout, it should be possible to authentication failure (steps 68 through
rekey due to authentication failure again. 76).
Critical messages rxed = 12
Auth failures = 12
Statistics counts are off by one because of
99. AWGG 6.4.7 step 82 T Error messages = 12
“exceeded”
Session Key Changes = 3
Rekeys due to auth failure = 4
100. AWGG 6.4.7 step 79 E The DUT may transmit non-security messages Reword the step
11687472 A-11
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Note this issue at the beginning of the test
Some masters may have a timeout that would kill and say that it may be necessary to disable
105. AWGG 6.5.4 E
the control if it was queued for too long. such a timeout or set it too a long period,
etc.
Remove the “disconnect the devices”,
106. AWGG 6.5.5 step 44 E Change the step and delete step 47.
unnecessary.
May not be a good idea to have the timers be Change the Session Key Change Interval
107. AWGG 6.5.5 step 45 T
exactly the same. to 35 sec instead of 30.
108. AWGG 6.5.5 step 52 E Invalid reference error Change reference to say step 51
109. AWGG 6.5.5 step 52 T Add a step to wait until the timeout expires Change text
6.6 steps 7, 8
and elsewhere
113. AWGG in document, E Add the word “valid” for the replies Change text
e.g. 6.7 steps
3, 4
“If higher data rates can be achieved and the Key
Change Interval can be reduced, the overall Change text. Also add “NOTE” in front
114. AWGG 6.6 step 9 E
duration of this test can therefore be reduced, of “At 128 bits every 2 seconds,…”
which is preferred.”
Requirement 3 should read “two sequential
115. AWGG 2.3.3 T Change text
messages”, not just “two messages”
11687472 A-12
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
6.5.5,
6.5.6,
Note this test requires optional support for
116. AWGG 6.6 step 12, T Add note
multiple users
6.7
119. AWGG 6.7.2 step 9 T Verify that the RESTART IIN has been cleared Change text
121. AWGG Throughout E It’s not clear what “skip this test” means Change to “skip to test number…”
122. AWGG 6.7.7 E Reword so it’s possible to have just a single user Change text
126. AWGG 6.8.4 step 18 E Step is fragmented Remove “If the DUT…”
6.8.4 step 22
127. AWGG 6.8.5 step 28 T Aggressive Mode Request is not g120v1 Change to g120v3
6.8.7 step 40
11687472 A-13
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Establishes keys but does not perform the first
128. AWGG 6.8.4 step 19 T Add steps to perform the first challenge
challenge
6.8.4 step 24 Tests are too confusing and perhaps incorrect if
Add tests specifically for DUTs that do
129. AWGG 6.8.5 step 28 T the DUT does not require event data to be
not require event data to be authenticated.
6.8.6 step 32 authenticated
134. AWGG 6.9.1 step 10 T Wrong number of timeouts to fail authentication Change “two more times” to “three more
11687472 A-14
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
rekeys times”
11687472 A-15
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Add “If supported” to the test for the
This only tests for an Error message on an
146. AWGG 8.1.3 step 25 T alternate connection. Also verify the Error
alternate connection.
was sent on the same link, IF supported.
147. AWGG 8.1.5 step 27 T This is not Session Key Data, it is Challenge Data. Change text
154. AWGG 8.2.3 T This test is incorrect. The DUT should throw Replace steps 23-25 with:
away the critical message and stop waiting for a
11687472 A-16
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Reply. - send the DUT a Key Status Request
before the Reply Timeout would have
occurred.
- verify the DUT responds with a Key
Status immediately
- verify the following statistics
Unexpected Messages (only 1, not 2)
Session Key Changes (1)
Critical Messages Received (1)
Messages Discarded (1)
Failed Authentications (1)
After discussion with the Technical
The specification has a serious vulnerability Committee, decided that for a Rx Invalid
associated with this test case. The spec says the Key Change event in Security Idle, the
outstation should invalidate the keys if the Key outstation shall discard the Key Change
155. AWGG 8.2.4 T
Change Message is not authentic. Instead, it message and increment the Discarded
should just discard the Key Change Message and Messages and Authentication Failed
continue. statistics. This is Row 25, column C of
the Challenger State Table (Table 8).
The specification currently says that Unexpected
Messages should be updated, but this is incorrect. When the specification is updated, remove
156. AWGG 8.2.5 T
The Key Change message was expected, but it the Unexpected Messages (3) verification.
was not authentic.
8.3.1 step 8 Delete steps 8 and 13, just say “do not
157. AWGG T “disconnect” is incorrect and unnecessary.
and 13 respond”
Change “two more times” to “three more
158. AWGG 8.3.2 step 23 T Max Authentication Failures isn’t exceeded.
times”.
Change “two more times” to “three more
159. AWGG 8.3.3 step 25 T Max Authentication Rekeys isn’t exceeded
times”.
8.3.3 step 25
160. AWGG T Need to change the keys Change the repeat to go back to step 16.
and 26
11687472 A-17
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Totals will be:
Session Key Changes (5)
Reply Timeouts (4)
161. AWGG 8.3.4 step 32 T Statistics are incorrect
Authentication Failure (15)
Rekeys Due to Authentication Failure(4)
…but check them on each repeat
162. AWGG 8.3.4 step 29 E Note that this information will be used for step 33 Change text
165. AWGG 8.4.1 E This section is redundant with 4.3.1.2 Leave as is.
The Successful Authentications statistic should Verify that the statistic incremented.
166. AWGG 8.4.3 step 26 T
increment.
Begin the section by recording the
167. AWGG 8.4.3 step 26 T Statistics were not recorded
statistics
Change (2) To (1) for Critical Messages
168. AWGG 8.4.3 step 26 T Only one critical message was received.
Received.
Change steps to use “N” and
Not sure if this test is valid. Why would an “X” for sequence numbers.
169. AWGG 8.4.4 T outstation generate a UR if it was waiting for an Discuss with DNP Technical Committee
Authentication Reply.
1. Create a new event in the
11687472 A-18
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Challenger state machine
called “Ready to send UR
requiring Aggressive Mode
Confirm”
2. In “Security Idle” state,
send the UR and move to
“Wait for Reply”
3. In “Wait for Reply”, queue
the UR and stay in “Wait
for Reply”.
4. Split the “Rx Critical
ASDU” event in “Wait for
Reply” state.
5. If waiting for an Aggressive
Mode App Confirm, cancel
the UR and send a
challenge, otherwise
discard the ASDU.
171. AWGG 8.4.5 step 50 T No check for CSQ Verify that CSQ=1
172. AWGG 8.4.5 step 51 T Must generate more events in order to cause a UR Add step.
Need to verify that the new unsolicited is not a Check the application sequence number in
173. AWGG 8.4.5 step 51 T
retry. step 42 and verify it changes in step 51.
174. AWGG 8.4.5 step 56 T There may be other Internal Indications Set Specify only Class 1, 2, 3 indications.
175. AWGG 8.4.5 step 57 T Verify this step has CSQ=Y+2 As noted.
176. AWGG 8.4.5 step 57 E There might be a Challenge object in the Add a note that there might be one, and it
11687472 A-19
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Response. would have the CSQ of 3 if there was.
183. AWGG 8.4.7 T Need to check statistics so step 81 will work. Add step.
11687472 A-20
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Typo: “does not support Update Key Change Change to “does not support a particular
188. AWGG 7.1 E
Method” Update Key Change Method”
189. AWGG 7.1.1 step 4 T Missing the Certification Data Length Change to 20.
Does not verify the actual Public Key. Public Key Replace with “Verify there is no Public
190. AWGG 7.1.1 step 4 T
Length appears twice. Key included”
For asymmetric methods, the Certification Data Change this step to include the possible
191. AWGG 7.1.1 step 5 T will not be a MAC, but a signature, and the length methods and their Certification Data
will be different. Lengths.
Should not refer to “certificate message” because Change to “sent by the authority to the
192. AWGG 7.1.1 step 8 T
the comms between authority and master DUT”
Should also test all the fields that have NOT
193. AWGG 7.1.1 step 8 E Add verification to this step.
changed compared to step 4.
“Update Key Length to the length required
194. AWGG 7.1.1 step 10 E Unclear grammar by the asymmetric key change
algorithm…”
195. AWGG 7.1.1 step 14 E Unclear grammar “A valid IEC 62351-8 certificate”
7.1.1, 7.1.2,
7.1.3 and The mandatory Key Change Method is <4> AES-
196. AWGG T Change from <3> as the default to <4>
many other 256 / SHA-256-HMAC, Key Length 256
places
7.1.1, 7.1.2, Add a step to send it the expected
Need to send the DUT the appropriate response to
197. AWGG 7.1.3 step 8, T Response and verify that nothing “bad”
the User Status object.
14, 24 happens.
The text about “hundreds of milliseconds should
198. AWGG 7.1.3 step 26 E be next to the “Reply Timeout”, not the “Max Move text.
Reply Timeouts”.
The other test section is 7.2.6. Delete the
Need another test section for the Reply Timeout
199. AWGG 7.1.3 E steps in this section that test the Reply
steps.
Timeout.
11687472 A-21
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Typo: “increment” is not part of the statistic
200. AWGG 7.1.4 step 42 E Delete.
name.
Add steps. Include table regarding the
201. AWGG 7.2.1 step 6 T Does not verify Challenge Data Length minimum required length for each
Method.
At 256 bits per message and 1 second per
202. AWGG 7.2.2 step 19 E Note how long it’s going to take. retry, should take about 3900 seconds or
just over an hour.
Replace with changing the DUT back to
203. AWGG 7.2.3 E Steps 22 through 24 are not necessary.
the default configuration.
Add a step that states, “If the master does
7.2.1 step 5 not automatically proceed with sending an
Missing a test for masters that do not want to
204. AWGG T Update Key Change Request, cause it to
7.2.4 step 32 change the Update Key immediately.
do so as specified in the PIXIT”. Also add
a section to the PIXIT.
Change to “Update Key Change
205. AWGG 7.2.5 step 37 E Incorrect message name
Confirmation”
Title is confusing, all the subtitles also. “User
206. AWGG 7.2 E Change to “Waits for Null Response” etc.
Change Response” sounds like a particular object.
Missing a test for an unexpected unsolicited
207. AWGG 7.3 T Add test.
response in the middle of the key change.
Change text to be more generic, e.g.
7.3.1 step 3 “The certificate should” is incorrect; the authority
“Cause the authority to send the following
208. AWGG and E and the master do not necessarily communicate
user status change information to the
throughout 7 using certificates.
master…”
7.3.1 step 6,
step 7 No information about what should be in the Add “common” user, User Name Length,
209. AWGG E Update Key Change Request or Update Key and Key Change Method = <4>, User
7.3.2 step 19, Change Reply Number (USR), KSQ etc.
20
210. AWGG 7.3.1 step 8 T “Default value of <128>” is wrong and confusing Add or refer to the table showing the
11687472 A-22
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
correct key lengths for each Key Change
Method
Check that the length actually matches the length
211. AWGG 7.3.1 step 8 T As noted.
of the field
“Encrypted Update Key Data is the user
ID “common” received from the
Authority in step 3, the new random
Missing information from the expected Encrypted
Update Key, and the Challenge Data
212. AWGG 7.3.1 step 8 T Update Key Data, and the Update Key was not
provided by the outstation in step 7
provided in step 3 as stated.
Update Key Change Reply (g120v12)
object, and any padding data required by
the selected algorithm”
Add text to say the g120v13 and g120v15
objects are in the same message.
Add text to check that the test set can
calculate the hash in the g120v15 object
based on:
Missing text saying that the g120v15 object must - the outstation’s text name
213. AWGG 7.3.1 step 8,9 T (preconfigured)
be in the same message
- master Challenge Data (step 6)
- outstation Challenge Data (step 7)
- the KSQ (step 7)
- the User Number (USR) (step 7)
- any padding data
Default configuration is missing the outstation
214. AWGG 2.6 T Add the name, e.g. “outstation”
name
As noted, especially that the two pieces of
Need to specify the contents of the g120v15
215. AWGG 7.3.1 step 10 T random data are reversed and it is the
object.
“common” user name, not the outstation.
7.3.2 step 13
Provide a step number to skip to, or a
216. AWGG and E It is not clear what “skip this test” means.
heading number.
throughout
11687472 A-23
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Refer to table for the correct Update Key
217. AWGG 7.3.2 step 14 E Could be clearer Length, and swap the order of the two
bullets
7.3.2 step 21 Missing text saying that the g120v14 object must Add text to say that the g120v13 and
218. AWGG T
and 22 be in the same message g120v14 objects are in the same message
Signature of the following using the
User’s private key (decoded with the
User’s Public key)
- outstation name (preconfigured)
- master Challenge Data (step 19)
219. AWGG 7.3.2 step 22 T Need info on what is in the signature
- outstation Challenge Data (step 20)
- the KSQ (step 20)
- the USR (step 20)
- the Encrypted Update Key Data from
g120v13 (same message as g120v14)
Hash of the following using the new
Update Key:
- user name “common”
Need to specify the contents of the g120v15 - outstation Challenge Data (step 20)
220. AWGG 7.3.2 step 23 T
object.
- master Challenge Data (step 19)
- the KSQ (step 20)
- the USR (step 20)
Note that the MAC value in g120v15 can
7.3.3 steps 32, Add “valid” to the description of the messages
221. AWGG E be random since a valid one can’t be
34 received.
created.
7.4, 7.4.1,
222. AWGG T Name object retransmitted is incorrect Change to just “Update Key Change”
7.4.2, 7.4.6
7.4.1 step 9 Merge the two steps so the objects are sent
223. AWGG T These two steps should be a single message.
and 10, and 12 in the same message.
224. AWGG 7.4.1 steps 5, E Add “valid” to the description of the messages As noted.
11687472 A-24
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
7, 8, 9/10, 12,
13
Note this should be a repeat of the message in step
225. AWGG 7.4.1 step 11 T As noted.
8
7.4.1 step 14 Only perform once, no repeats. Statistic
226. AWGG T No need to repeat multiple times
and 15 only counts once.
7.4.2 steps 22,
227. AWGG 24, 25, 26/27, E Add “valid” to the description of the messages As noted.
28, 29, 30
7.4.2 step 26, Merge the two steps so the objects are sent
228. AWGG T These two steps should be a single message.
27 and 29 in the same message.
7.4.1 step 31 Only perform once, no repeats. Statistic
229. AWGG T No need to repeat multiple times
and 32 only counts once.
7.4.3 steps 38,
230. AWGG 40, 41, 42, 43, E Add “valid” to the description of the messages As noted.
44
7.4.3 step 42, Merge the two steps so the objects are sent
231. AWGG T These two steps should be a single message.
43 in the same message.
Add a step: “Wait for a Session Key Change
232. AWGG 7.4.3 step 44 T Interval”. The changing of Update Keys and As noted.
Session Keys is not necessarily linked.
Change to “either <1> OK or <2>
NOT_INIT, depending on whether the
233. AWGG 7.4.3 step 46 T Will the Session Key status be NOT_INIT?
outstation has timed out waiting for a
Session Key Change.”
234. AWGG 7.4.3 step 48 E Verify that the Key Status MAC is valid. As noted.
11687472 A-25
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
7.4.4 step 64
236. AWGG E Statistics should be bulleted, not numbered. As noted.
7.4.5 step 69
The state machine goes back to Security Idle after
Repeat 7.4.4 instead of just sending more
237. AWGG 7.4.5 T an invalid confirmation, so all of 7.4.4 must be
invalid confirmations.
repeated.
Change to 4 Error Messages Sent and 5 of
238. AWGG 7.4.5 T Statistics count is wrong.
all the other statistics listed.
7.4.6 steps 76,
239. AWGG E Add “valid” to the description of the messages As noted.
78, 79, 80, 83
7.4.6 step 80,
Merge the two steps so the objects are sent
240. AWGG 81, 83, 84, 87, T These two steps should be a single message.
in the same message.
88
241. AWGG 7.4.6 T Count of repeats is wrong Remove steps 83, 84, 85
7.5.1 step 9,
242. AWGG 14, 16, 19, 20, E Add “valid” to the description of the messages As noted.
21/22, 25/26
7.5.1 steps 21, Merge the two steps so the objects are sent
243. AWGG T These two steps should be a single message.
22 and 25, 26 in the same message.
Missing a test for an asymmetric Key Change Repeat the test for one asymmetric Update
244. AWGG 7.5.1 T
Method Key Change Method, if supported.
245. AWGG 7.5.2 E Check the statistics after each Error As noted.
248. AWGG 7.5.3 steps 59, E Add “valid” to the description of the messages As noted.
63, 65, 69, 70,
11687472 A-26
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
71/72, 76, 77
7.5.3 steps 71 Merge the two steps so the objects are sent
249. AWGG T These two steps should be a single message.
and 72, 76 in the same message.
7.5.3 step 60, Specify that they are URs with event data,
250. AWGG T These need to explicitly be URs.
66, 73 CON bit set
Note that this means that the master transmits
251. AWGG 7.5.3 step 78 E As noted.
three separate Confirms.
These should be sub-steps of step 81. It’s not
7.5.4 step 82
252. AWGG T necessary to wait for a Reply Timeout if you As noted.
and 83
haven’t issued a control.
7.5.4 step 87
253. AWGG T These should be sub-steps of step 86 As noted.
and 88
7.5.4 step 93
254. AWGG T These should be sub-steps of step 92 As noted.
and 94
7.5.4 steps Merge the two steps so the objects are sent
255. AWGG T These two steps should be a single message.
90/91 and 94 in the same message.
256. AWGG 7.5.4 step 92 T This should read “third pass”, not “second pass” As noted.
11687472 A-27
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
7.5.6 step 132,
262. AWGG T This should be a Response, not a Confirm. Change the text.
139
7.5.6 step
Merge the two steps so the objects are sent
263. AWGG 137/138 and T These two steps should be a single message.
in the same message.
142
7.5.7 step Merge the two steps so the objects are sent
264. AWGG T These two steps should be a single message.
156/157, 161 in the same message.
265. AWGG 9.1.1 step 4 T The default Key Change Method is <4>, not <3> Change step.
269. AWGG 9.1.1 step 10 E Refer to the table of key lengths versus Methods As noted.
274. AWGG 9.1.1 step 12 T Don’t know what “the note in section 9” refers to. Change to “according to the description
11687472 A-28
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
for g120v8”.
11687472 A-29
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
9.1.2 step 46-
282. AWGG T Unnecessary to re-test the unsupported modes Delete the steps
47
Get a valid certificate attempting to
Can’t change the user name without invalidating change the key for a not yet installed user.
283. AWGG 9.1.2 step 48 T
the signature. Then verify the error is <11> unknown
user.
9.1.3 step 58 “Choose an unsupported Key Change
284. AWGG T <4> is not an invalid Key Change Method
and 59 Method”
287. AWGG 9.1.5 step 72 T Change the reference to a link Link to section 9.1.4
Delete this test because role changes are tested in As noted. Add text in 9.1 that the
288. AWGG 9.1.6 T
9.4 changing of roles is tested in 9.4.
If the DUT supports multiple users, add a
user and let it expire. If the DUT does not
support multiple users but permits
Have to determine whether it’s possible to test
289. AWGG 9.1.7 T “Common” to expire, do so. IF the DUT
expiry.
does not support multiple users and does
not permit “Common” to expire, skip
9.1.7.
g120v10 does not permit an expiry time of less Change the text to explain this test will
290. AWGG 9.1.7 step 88 T
than one day take a long time using v10.
9.1.4, 9.1.5,
291. AWGG T Missing tests for the g120v8 Add tests
9.1.6, 9.1.7
11687472 A-30
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
The spec says that the role does not start to expire Discuss with the DNP Technical
292. AWGG 9.1.7 T
until the Update Key has been changed. Committee.
Discuss with the DNP Technical
Committee whether a device that supports
This test can’t be run on DUTs that don’t permit
293. AWGG 9.1.7 T Update Key Changes but does not support
additions.
multiple users must permit a User Status
Change, including role and expiry time.
9.1.7 steps 91-
294. AWGG E These steps should be bullets. Change them to bullets of step 90.
93 and 97-99
In step 7, specify that the Update Key
295. AWGG 9.2.1 steps 3-6 T These steps are not necessary. Change Request should name a user that
does not exist on the outstation.
296. AWGG 9.2.2 step 9 E Change the reference to a link Link to section 9.1.7
298. AWGG 9.2.3 T Don’t need “Test User” for this test Use “Common”
9.2.3 steps 15- Don’t need steps to add a new user if the
299. AWGG T Delete.
20 outstation doesn’t support it.
The first time, the User Number will be 1 (for
300. AWGG 9.2.3 step 22 T Change to “User Number is 1”
“Common”)
Add steps to the test adding a new user and
301. AWGG 9.2.3 step 22 T receiving a different User Number if the outstation As noted.
supports adding additional users.
Verify that the message contains Challenge Data
302. AWGG 9.2.3 step 22 T As noted.
and the length value is correct
9.2.4 steps 28-
303. AWGG T Don’t need steps to add the “Common” user Delete.
30
11687472 A-31
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Some devices may not support more than one
304. AWGG 9.2.5 T Add step to skip this test if not supported.
user.
306. AWGG 9.2.5 T Missing test for g120v8 for creating the new user Test at least once.
307. AWGG 9.3.1 steps 4-6 T Don’t need steps to add the “Common” user Delete.
9.3.1 steps Merge the two steps so the objects are sent
308. AWGG T These two steps should be a single message.
9/10 in the same message.
309. AWGG 9.3.1 step 11 T Must verify that the MAC is valid Add text.
312. AWGG 9.3.2 step 24 T Must verify that the MAC is valid Add text.
314. AWGG 9.3.3 step 28 T This test is not necessary for the “Common” user Delete.
Instead, ensure the test set has the name and the
315. AWGG 9.3.3 step 28 T Add step.
Update Key for the outstation configured.
316. AWGG 9.3.3 step 30 T Verify the content of the Reply Check USR and random data
11687472 A-32
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
319. AWGG 9.3.4 step 38 E Note that there was (1) Session Key Change. As noted.
328. AWGG 9.3.6 step 62 T Error code should be <9> Invalid Signature As noted.
11687472 A-33
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
331. AWGG 9.3.7 step 72 T The Error Code should note be <9> or <10> Change to <1> Authentication Failed.
335. AWGG 9.4 T Missing test for SINGLEUSER role. Add a test.
11687472 A-34
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Add sections for :
“How to verify the user can monitor data”
342. AWGG 13.6 T As noted.
“How to verify the user can operate controls”
“How to verify the user can transfer data files”
9.4.9 step 127, Don’t include <32768> in this test since this is
343. AWGG T As noted.
129 SINGLEUSER
As noted. Will need to change spec to add
344. AWGG 9.4.9 step 126 T Change to “a non-zero Error Code”
an “Invalid Role” error code.
Missing a test to verify that the user status does
345. AWGG 9.4 T not actually change until the Update Key Change Add test for Role, Expiry Interval
is confirmed.
Verify that the SCS increments each time a new
346. AWGG 7.1.1 step 5 T As noted.
g120v10 is transmitted.
Verify that the SCS
(IECUsersRoles.statusChangeSequenceNumber)
347. AWGG 7.1.1 step T increments each time a new g120v8 is transmitted. As noted.
Note that the certificate’s serial number can
increment instead.
Missing a test that the outstation rejects a User
Status Change (g120v10 or g120v8) with an SCS
348. AWGG 9.1 T Add test.
that gets smaller or increases by more than half of
the range.
7.1.1 step 5 Repeat and verify that the User’s Public Key
350. AWGG T Add test.
7.1.1 step 15 changes
Verify the signature uses the outstation’s public
351. AWGG 7.3.2 E The test set will verify.
key.
Move the test for randomness of User’s Public
352. AWGG 10.1.7, 7.1 E As noted.
Key to 7.1
11687472 A-35
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Add a test to verify that the master sends an
353. AWGG 7.1 T appropriate expiry time when selected at the Add test.
Authority.
Make sure all these tests are performed using both
354. AWGG 7.1 T As noted.
g120v10 and g120v8.
Verify that each time the role, expiry time, or
355. AWGG 7.1 T Public Key changes, the Update Key is also As noted.
changed.
Add a section: “How to change the user Public
356. AWGG 13.5 T As noted.
Key”
Delete this section because the tests have been
357. AWGG Section 10 E As noted.
moved into 7.1.
11.1.1 and
358. AWGG E Clarify “skip this test” As noted.
anywhere else
Configure the DUT for a TCP/IP
359. AWGG 11.1.1 step 3 E Remove “but”. connection to the test set. Disable the use
of TLS.
11.1.2 step 9-
360. AWGG T Do not use “hard” numbers for KSQ. Verify values in terms of “X”, for KSQ.
12
“If the DUT can initiate a connection,
11.1.1 step 6 cause it to do so and verify it does so using
Either a master or an outstation can initiate a
361. AWGG T TCP port number 20000. If the DUT
11.1.3 step 28 connection.
accepts connections, initiate a TCP/IP
connection to the DUT.”
362. AWGG 11.1.2 T Disable aggressive mode for these tests As noted.
11687472 A-36
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
Find out the difference between TLS change They are the same thing (says Herb Falk).
365. AWGG 11.2.7 T
cipher timeout and the renegotiation timeout. Delete 11.2.7.
“Verify that the act of checking the CRL
366. AWGG 11.2.8 step 37 T Clarify what is being tested. does not drop the existing TLS security
connection and TCP/IP connection.”
11.2.10 step
367. AWGG T Typo: DTU Fix.
42
Attempt another connection using a different
368. AWGG 11.2.10 T As noted.
revoked certificate found in the CRL.
Need a test that it does not accept a certificate
369. AWGG 11.2.13 T Add test.
from a CA that is not configured at the DUT.
Is “user name” the correct name for the name in a
370. AWGG 11.2.13 T Change to “subject name”
certificate?
13.4.14 TLS Change “user name” to “subject name” because
371. AWGG T As noted.
parameters that is what it is called in the RFC.
Test for Attribute Certificates as well as ID
372. AWGG Missing T Add test.
Certificates
11.3.1, 11.3.2,
373. AWGG E Clarify what is meant by “skip this test” As noted.
11.4, 11.4.4
“but with the same destination DNP3 address” Is
374. AWGG 11.3.2 E Delete.
not necessarily true.
Must disconnect both channels for the test to
375. AWGG 11.3.2 step 6 T “Disconnect both channels”
work.
Wait for a reply timeout from step 10 before
376. AWGG 11.3.2 step 12 T As noted.
repeating the Read
“Reconnect the link during the second Reply
377. AWGG 11.3.2 step 12 T As noted.
Timeout”
378. AWGG 11.3.2 T Make the Reply Timeout longer to make Increase to 20 seconds.
11687472 A-37
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
reconnection easier.
380. AWGG 11.4 E “upstream protocol” is not very clear “upstream communication link”
389. AWGG 11.4.2 – 11.4.3 T It’s not clear what functionality is required in data Discuss with DNP technical committee
concentrators. Is it permitted to have multiple whether it would be useful to make
11687472 A-38
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
users to the master and only the default to the multiple users or remote Update Key
IED, for example? change mandatory in one direction or the
other for data concentrators in the interests
of interoperability.
Missing test for the data concentrator to create
390. AWGG 11.4.2 T Add test.
users on downstream IEDs.
Missing information from the specification about
Discuss with DNP Technical Committee
391. AWGG 11.4.3 T how to perform remote Update Key Change
how it should be done.
through a data concentrators.
Require that this test is always run using DNP3
with security turned off on the upstream side; As noted. Can be done with a “repeat”
392. AWGG 11.4.4 step 31 T
additional tests using non-DNP3 protocols are step.
optional.
Add a note that it is better to perform tests in
393. AWGG 2.1.3 E sections 12 and 13 first in order to verify the As noted.
documentation before proceeding.
Make the requirement that four certificate
394. AWGG 12, 12.1.4 E authorities must be supported for TLS, not As noted.
necessarily for all parts of the specifications.
Add a statement that these test procedures are for
395. AWGG 1.1 E version 5 and the DUT should be configured for As noted.
only that version.
Add an item for “How to configure the system for
396. AWGG 13.4 E As noted.
a particular version of Secure Authentication”
Add caption and use it for reference in
397. AWGG 12.1.2 E Table is missing a caption
12.1.2 step 5.
Missing a test for whether the device
398. AWGG 12.2 T documentation states whether it supports multiple Add test.
users.
11687472 A-39
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
The outstation name is not needed if you don’t
400. AWGG 13.1.4 T Add an “if…”
support Update Key Change.
It is not necessary to know how the random
13.1.8, 13.1.9, numbers are generated as long as they are
401. AWGG T Delete this requirement.
13.2.8 sufficiently random, or how the keys are generated
as long as they are random.
Change to “operate only in challenge-
13.1.11,
402. AWGG E “purely” is colloquial reply mode with aggressive mode
13.2.10
disabled.
List the application layer function codes
403. AWGG 13.1.13 E May confuse “no ack” with data link layer
specifically
13.1.15, “security logs” is not used anywhere else in the
404. AWGG E Delete “security”
13.2.15 document
410. AWGG 13.4.3 T The reply timeout is not necessarily just a security Discuss with DNP Technical Committee
parameter; is it also subject to the rule that it can’t
11687472 A-40
Cmnt Reference T/
Name Reviewer’s Comments Reviewer’s Proposed Changes Editor’s Comments
Num Identifier 1 E2
be changed remotely?
11687472 A-41
11687472
11687472
Export Control Restrictions The Electric Power Research Institute, Inc.
Access to and use of EPRI Intellectual Property is granted (EPRI, www.epri.com) conducts research and
with the specific understanding and requirement that development relating to the generation, delivery
responsibility for ensuring full compliance with all applicable and use of electricity for the benefit of the public. An
U.S. and foreign export laws and regulations is being independent, nonprofit organization, EPRI brings
undertaken by you and your company. This includes an
together its scientists and engineers as well as
obligation to ensure that any individual receiving access
hereunder who is not a U.S. citizen or permanent U.S. experts from academia and industry to help
resident is permitted access under applicable U.S. and address challenges in electricity, including
foreign export laws and regulations. In the event you are reliability, efficiency, health, safety and the
uncertain whether you or your company may lawfully obtain environment. EPRI also provides technology, policy
access to this EPRI Intellectual Property, you acknowledge and economic analyses to drive long-range
that it is your obligation to consult with your company’s legal
research and development planning, and supports
counsel to determine whether this access is lawful.
Although EPRI may make available on a case-by-case research in emerging technologies. EPRI's
basis an informal assessment of the applicable U.S. export members represent approximately 90 percent of the
classification for specific EPRI Intellectual Property, you and electricity generated and delivered in the United
your company acknowledge that this assessment is solely States, and international participation extends to
for informational purposes and not for reliance purposes. more than 30 countries. EPRI's principal offices and
You and your company acknowledge that it is still the
laboratories are located in Palo Alto, Calif.;
obligation of you and your company to make your own
assessment of the applicable U.S. export classification and Charlotte, N.C.; Knoxville, Tenn.; and Lenox, Mass.
ensure compliance accordingly. You and your company
Together…Shaping the Future of Electricity
understand and acknowledge your obligations to make a
prompt report to EPRI and the appropriate authorities
regarding any access to or use of EPRI Intellectual Property
hereunder that may be in violation of applicable U.S. or
foreign export laws or regulations.
© 2012 Electric Power Research Institute (EPRI), Inc. All rights reserved.
Electric Power Research Institute, EPRI, and TOGETHER…SHAPING THE
FUTURE OF ELECTRICITY are registered service marks of the Electric
Power Research Institute, Inc.
1026561