PC Security Kit_DS_20120217.fm

PC Serial Security Kit (915900225)
Strong Cryptographic Security for Engineering Access
The PC Serial Security Kit (part 915900225) enables
a PC to communicate securely over remote serial
links protected by SEL encryption devices such as
the SEL-3025 Serial Shield™. Installation of the kit
is simple and requires no hardware modifications to
the PC or its connections beyond plugging in a USB
device. The kit consists of an SEL-3055 SEL Card
Dock, an SEL-3045 Secure SCADA Card, and the
SEL-5025 Secure Port Service Software. The PC
Serial Security Kit enables secure engineering communication with meters, protective relays, programmable logic controllers (PLCs), and other remote
devices. It also authenticates and encrypts serial data
communications, offering a defense against eavesdropping, malicious attack, and unauthorized access.
The PC Serial Security Kit is the ideal solution for securing engineering access to dial-up connections for
which an SEL-3025 protects the remote end by providing communications security and identity-based access
control.
Major Features and Benefits
➤ Simple Integration. Easily upgrade remote access security with an SEL-3025 bump-in-the-wire
encryption device at the remote site and the PC Serial Security Kit at the engineering workstation.
➤ Individual User Accountability. Secure all your dial-up modems with identity-based access controls
and reports that you can manage centrally.
➤ Proven Cryptographic Protocols. SEL Encryption cards use proven NIST-approved algorithms for
encryption and authentication.
➤ SSCP for Message Authentication With Encryption. Secure SCADA Communication Protocol
(SSCP) is ideal for engineering access. SSCP authenticates every data packet on your serial link and
can also use NIST-approved Advanced Encryption Standard (AES) encryption with strong 128- or
256-bit keys.
➤ Easy Configuration. Use ACSELERATOR QuickSet® SEL-5030 Software to set up and manage configuration of both local and remote units.
➤ Backup Configuration Data. Quickly back up and restore configuration data with configuration files.
➤ Simple Logging With Syslog. Log events with Syslog for consistency, compatibility, and centralized
collection.
➤ Reliability. The PC Serial Security Kit carries the standard SEL ten-year warranty.
Schweitzer Engineering Laboratories, Inc.
PC Serial Security Kit Data Sheet
Overview
Figure 1: Serial Data Encryption Using the PC Serial Security Kit
(Diagram labels: Terminal Program; Connection Changed to Virtual Serial Port Created by the Secure Port Service; COM4, Secure Port Service (Virtual Port); COM1 (Physical Port); USB Port; PC Serial Port.)
The PC Serial Security Kit provides NIST-validated
encryption for a serial communications port on a PC
workstation. Using the SEL-3045 card and the SEL-5025
Secure Port Service Software, you can enable
cryptographic security for any serial communications
port on the PC. The SEL-5025 routes communication
between virtual serial ports and the hardware
communications ports on a PC. It passes data through
the inserted cryptographic processor card in both
directions: outbound data is encrypted before it leaves
the PC, and received data is decrypted before it is
passed on to the software application. Through use of a
virtual serial port created by the Secure Port Service,
existing PC software applications can access remote
field devices for which the SEL-3025 provides security
without requiring changes to typical device operation.
Access controls and encryption occur independently of
the end device or the PC software application.
In the sample application in Figure 1, a terminal program
and modem give a user communication with a remote
device. The SEL-3055 has been plugged into a serial
port, and the SEL-5025 is running on the PC. The Secure
Port Service has created a new virtual serial port on
COM4, and the terminal program is simply reconfigured
to use that port instead of the physical port it had used
previously. The Secure Port Service is configured to map
the new virtual port to COM1. The new port copies
communications parameters from the physical port, so
the communications parameters need no change. If you
configure the Secure Port Service to operate with a
modem on the physical port, the system is modem aware.
Traffic to the physical serial port remains in the clear
until you have an established carrier, so that you can
communicate with the modem and establish a connection
before automatically switching to secure mode.
SEL-3045 Secure SCADA Card
The SEL-3045 Secure SCADA Card with Secure
SCADA Communication Protocol (SSCP) provides
strong protection, data integrity, and authenticity. SSCP
protects against spoofed, altered, spliced, reordered, or
replayed data with strong data authentication. It also
provides optional AES-128 or AES-256 data encryption
for protection from eavesdropping. The protocol prevents
unauthorized device access by rejecting all
communications session requests from sources that
cannot pass cryptographic session authentication.
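The protections listed above can be illustrated with a small authenticated-framing sketch. This is an added example, not SEL code and not the SSCP wire format (which this data sheet does not describe). It assumes HMAC-SHA-256 tags, an 8-byte frame counter, and constructed keys and session IDs, and it omits the optional AES encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # full HMAC-SHA-256 tag
SEQ_LEN = 8   # 64-bit big-endian frame counter

def _tag(key, session_id, header, payload):
    # session_id is fixed-length, so the concatenation is unambiguous
    return hmac.new(key, session_id + header + payload, hashlib.sha256).digest()

class Sender:
    def __init__(self, key, session_id):
        self.key, self.session_id, self.seq = key, session_id, 0
    def protect(self, payload):
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        return header + payload + _tag(self.key, self.session_id, header, payload)

class Receiver:
    def __init__(self, key, session_id):
        self.key, self.session_id, self.last_seq = key, session_id, 0
    def accept(self, frame):
        """Return the payload, or raise ValueError naming why it was rejected."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the tag (constant-time) before trusting any field in the frame
        if not hmac.compare_digest(tag, _tag(self.key, self.session_id, header, payload)):
            raise ValueError("bad tag")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or reordered")
        self.last_seq = seq
        return payload

def verdict(rx, frame):
    try:
        rx.accept(frame)
        return "ok"
    except ValueError as exc:
        return str(exc)

def demo():
    key, sid_a, sid_b = bytes(range(32)), b"A" * 16, b"B" * 16  # constructed values
    tx, rx = Sender(key, sid_a), Receiver(key, sid_a)
    f1, f2, f3 = (tx.protect(p) for p in (b"one", b"two", b"three"))
    altered = f2[:SEQ_LEN] + b"tw0" + f2[-TAG_LEN:]      # payload changed in transit
    spliced = Sender(key, sid_b).protect(b"other")       # frame from another session
    return [verdict(rx, f) for f in (f1, f1, altered, f3, f2, spliced, b"short")]
```

Because the tag is checked before the counter is read, forged frames cannot advance the receiver's state.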
Figure 2 shows a typical engineering access connection
where an engineering workstation retrieves data from a
remote device over an untrusted communications
channel. Publicly accessible channels, such as a leased
phone circuit, a dial-up connection, or a radio link, are
considered untrusted communications channels. An
attacker could access the channel, connect to the remote
modem, and inject malicious data or replay old data to
cause such an unwanted action as an unauthorized
breaker operation.
Figure 2: Typical Engineering Access Communications Channel
(Diagram labels: Engineering Access With Modem; Modem; Untrusted Communications Channel (POTS); Modem; SEL-351; Unauthorized Access.)
Figure 3 shows the engineering communications link
secured by a PC Serial Security Kit at the engineering
workstation and working with an SEL-3025 at the
remote modem. Legitimate communication still flows
seamlessly between the engineering workstation and the
remote device. The SEL-3025 serial shield blocks all
unauthorized access to the protected master and remote
IEDs. The SSCP protocol is a byte-oriented protocol that
offers the strong encryption and message authentication
features necessary for engineering access.
Figure 3: Secure SCADA Communications Channel
(Diagram labels: Engineering Access With Modem; PC Serial Security Kit (915900225); Modem; Untrusted Communications Channel (POTS); Modem; SEL-3025; User Access Logging; SEL-351; Unauthorized Access.)
Using the PC Serial Security Kit With a Modem for Engineering Access
Setup of an engineering workstation that uses the PC
Serial Security Kit for secure communication begins
with the insertion of the SEL-3045 into the SEL-3055
and the connection of the card dock to a USB port on the
workstation. The software on the CD accompanying the
PC Serial Security Kit installs the SEL-5025 Secure Port
Service application, as well as the necessary device
drivers and ACSELERATOR QuickSet software.
Following Secure Port Service configuration, the serial
port presently in use by your PC application maps to a
new virtual serial port, and the PC application begins
using the new port. You can then see among the
communications application configuration dialogs a new
serial port called SEL Secured Communications Port.
The new port adopts the configuration settings of the
physical port to which it is mapped. Secure your
communications applications by choosing the new
encrypted port for communication.
When you use a modem for communication, configure the
port to enable AT passthrough mode. This allows the
PC to communicate in the clear with the modem until you
have established a carrier, at which point encryption
turns on. You can disconnect the modem in the usual
manner, by transmitting a hang-up sequence to the
modem or deasserting DTR (Data Terminal Ready).
When the Secure Port Service starts, it installs a tray
application (accessible through the task bar tray area)
that you can use to configure the secure serial port and
show its status. Figure 4 shows the screen from which
you would configure the secure port service to use
COM1 and to provide COM99 as the SEL Secured
Communications Port for applications. The speed and
format parameters copy automatically from the port you
select, but you can also change these parameters as
necessary.
Figure 4: Tray Application User Interface
Use ACSELERATOR QuickSet to establish the cryptographic settings and keys necessary to communicate with the distant
end device. Figure 5 shows ACSELERATOR QuickSet, which is used for configuring the SSCP shared keys. See the
SEL-3025 Instruction Manual for more information.
Figure 5: ACSELERATOR QuickSet Application
Related Products
The accompanying CD provides the following products for use with the PC Serial Security Kit.
Software
➤ The SEL-5025 Secure Port Service Software provides
secure serial ports for applications running on the PC.
➤ ACSELERATOR QuickSet provides configuration
assistance for SEL devices including the
SEL-3045. You can obtain this software from the
CD or download it from www.selinc.com/sel-5030.
Plug-In Cryptographic Cards
The SEL-3045 Secure SCADA Card uses Secure
SCADA Communication Protocol (SSCP) with NIST-approved
AES encryption to secure remote engineering
access communication.
Remote Device Communications
Encryption
The SEL-3025 Serial Shield, a bump-in-the-wire
encryption device for distant-end serial communication,
works with a PC equipped with the PC Serial Security
Kit.
Guideform Specification
The following features shall be available during use of the PC Serial Security Kit.
➤ Cryptographic Algorithms. The PC Serial Security Kit shall include an SEL plug-in encryption
module that employs SHA-1 and SHA-256 for authenticity and integrity. AES-128 and AES-256
shall be used for data encryption.
➤ USB Driver. The PC Serial Security Kit software CD shall include the appropriate USB 2.0 driver.
➤ USB Port Supplied Power. The SEL-3055 SEL Card Dock with the SEL-3045 Secure SCADA
Card plug-in encryption module shall receive power from the USB port of the PC, consuming a
maximum of 1.5 W.
➤ Integrated Communications. The Secure Port Service software supplied with the PC Serial
Security Kit shall provide the encrypted communications channel as a virtual serial port available to
software running on the PC.
➤ Configuration. The PC Serial Security Kit PC software shall support secure upload and download
of configuration data.
➤ Logging. The PC Serial Security Kit PC software shall support the Syslog protocol, enabling local
logging and remote log collection.
➤ Warranty. The device shall have a minimum 10-year worldwide warranty.
Specifications
General
Indicators
None
PC Interface
USB 2.0 Type A with 6-foot cable
Power Consumption
Less than 1.5 W at 5 Vdc (USB-powered)
Temperature
–0° to +70°C (+32° to +158°F), operating
–40° to +85°C (–40° to +185°F), storage
Humidity
5 to 95% noncondensing
Dimensions
87 mm (3.4 in) W x 102 mm (4.0 in) D x 14 mm (0.55 in) H
Weight
SEL-3055 SEL Card Dock With SEL-3045 Secure SCADA Card: 190 g (6.7 oz)
Cryptographic Protocols
Secure SCADA Communication Protocol (SSCP) provided by plug-in
cryptographic card.
Certifications
ISO: Designed and manufactured using ISO 9001 certified quality
program.
CE Mark
© 2012 by Schweitzer Engineering Laboratories, Inc. All rights reserved.
All brand or product names appearing in this document are the trademark or registered
trademark of their respective holders. No SEL trademarks may be used without written
permission. SEL products appearing in this document may be covered by US and Foreign
patents.
SCHWEITZER ENGINEERING LABORATORIES
2350 NE Hopkins Court • Pullman, WA 99163-5603 USA
Phone: +1.509.332.1890 • Fax: +1.509.332.7990
Internet: www.selinc.com • E-mail: info@selinc.com
Schweitzer Engineering Laboratories, Inc. reserves all rights and benefits afforded under
federal and international copyright and patent laws in its products, including without limitation software, firmware, and documentation.
The information in this document is provided for informational use only and is subject to
change without notice. Schweitzer Engineering Laboratories, Inc. has approved only the
English language document.
This product is covered by the standard SEL 10-year warranty. For warranty details, visit
www.selinc.com or contact your customer service representative.
*PDSPSSK-01*
Date Code 20120217