All devices of the Telecontrol Gateway and Smart Telecontrol Unit product families fulfill the high standards of software in critical infrastructures. These standards are based on the BDEW Whitebook specifications. The operating system plattform NENUX 6.0 provides important upgrades for the security of data transfer between the control center and remote station.
The hash function SHA512 ensures a secure storage of passwords on the device. The more secure crytoalgorithms with the function AES256 and SHA256 are used to improve the VPN communication. The VPN encryption is based on Strongswan using IKEv2 and the Diffie-Hellman group 14 (modp2048) by default.
For the device administration, the secure protocols SFTP, HTTPS and SNMPv3 are used only. And the user rights are defined according to the user roles. The devices use unique security keys, e. g. for the installation of IT security patches. The data partition of the integrated memory card is completely encrypted.
The used Linux kernel 3.18 is an up-to-date and long-term supported kernel. It provides optimized drivers and more virtualisation, and it also improved security support.
All devices are hardened before being delivered. The following activities will enhance the hardening:
|Encrypted memory card||✔ (active)*|
|Operating system (basis)||NENUX (Linux 3.18)|
|User role concept||UserAdministratorOperator|
|User authentication||Shadow passwords (SHA512)LDAP*, RADIUS*OTP (OPIE)|
|Administration:Web interfaceSNMP||✔ (SSL/TLS)✔ (SNMPv1-v3)|
|VPN communication* [RFC4301]||IPSec/IKE/IKEv2, (PSK, certificate), (Strongswan)IKEv1 (interoperable), IKEv2 (default)Hash SHA1, Hash SHA256 (Standard), Hash SHA512|
|Diffie-Hellman groups*||2 modp10245 modp153614 modp2048 (default)22 modp1024s16023 modp2048s22424 modp2048256|
* This function is available with the security licence only.