Security
The Aprisa SR+ provides security features to implement the key recommendations for industrial control
systems. The security provided builds upon the best in class from multiple standards bodies, including:
• IEC/TR 62443 (TC65) ‘Industrial Communications Networks – Network and System Security’
• IEC/TS 62351 (TC57) ‘Power System Control and Associated Communications – Data and
Communication Security’
• FIPS PUB 197, NIST SP 800-38C, IETF RFC 3394, RFC 3610 and IEEE P1711/P1689/P1685
• FIPS 140-2: Security Requirements for Cryptographic Modules
The security features implemented are:
• Data encryption: Counter Mode Encryption (CTR) using Advanced Encryption Standard (AES) 128, 192,
256 bit, based on FIPS PUB 197 AES encryption (using Rijndael version 3.0)
• Data authentication: NIST SP 800-38C Cipher Block Chaining Message Authentication Code (CBC-MAC)
based on RFC 3610 using Advanced Encryption Standard (AES)
• Data payload security: CCM Counter with CBC-MAC integrity (NIST Special Publication 800-38C)
• Secured management interface protects configuration
• RADIUS security for remote user authorization, authentication and accounting
• Account lockout / slowdown mechanisms on user accounts to mitigate brute-force password
guessing attacks
• One-time Password (OTP) recovery provides a proofing mechanism that allows an Admin user access
to change the Admin password if the Admin user is permanently locked out
• Events logging for auditing user access and operation
• Supported security alerts event options
• L2 / L3 / L4 Address filtering enables traffic source authorization
• Proprietary physical layer protocol and modified MAC layer protocol based on standardized IEEE
802.15.4
• Licensed radio spectrum provides recourse against interference
• Secure HTTPS access to the radio SuperVisor element management interface, i.e. secure access to
the radio embedded web server
• Unique self-signed ECC-256 security certificate used for the secure HTTPS management interface
• Secure Shell (SSH) access to the radio CLI (command line interface) management interface
• SNMPv3 with Encryption for NMS secure access
• Secure remote software upgrade using HTTPS protocol
• Encrypted and signed software file to prevent the loading of non-4RF software
• Secure USB software upgrade
• Secure Ethernet port access, with the user selecting SCADA / user traffic or management traffic.
This is useful to block any management access from unguarded remote sites.
• Unused ports can be disabled to prevent unauthorized access
• Key Encryption Key (KEK) based on RFC 3394, for secure Over The Air Re-keying (OTAR) of encryption
keys
• User privileges control access for the different radio network users and their
permissions