NENUX - Hardened Operating System

All devices of the Telecontrol Gateway and Smart Telecontrol Unit product families fulfill the high standards for software in critical infrastructures. These standards are based on the BDEW Whitebook specifications. The operating system platform NENUX 6.0 provides important security upgrades for data transfer between the control center and the remote station.

The SHA512 hash function ensures secure storage of passwords on the device. The stronger cryptographic algorithms AES256 and SHA256 are used to improve VPN communication. VPN encryption is based on Strongswan using IKEv2 and Diffie-Hellman group 14 (modp2048) by default.

For device administration, only the secure protocols SFTP, HTTPS and SNMPv3 are used, and user rights are defined according to user roles. The devices use unique security keys, e.g. for the installation of IT security patches. The data partition of the integrated memory card is completely encrypted.

The Linux kernel 3.18 in use is an up-to-date, long-term supported kernel. It provides optimized drivers, improved virtualisation and improved security support.

All devices are hardened before delivery. The following activities further enhance the hardening:

  •  Activate the firewall
  •  Deactivate external interfaces
  •  Deactivate the ADM interface
  •  Deactivate the web server

NENUX Functions

Function                      Software 6.0
Encrypted memory card         ✔ (active)*
Operating system (basis)      NENUX (Linux 3.18)
User role concept             User, Administrator, Operator
User authentication           Shadow passwords (SHA512); LDAP*, RADIUS*; OTP (OPIE)
Administration
  Web interface               ✔ (SSL/TLS)
  SNMP                        ✔ (SNMPv1-v3)
Protocols
  SSH/SFTP
  Telnet/FTP                  not allowed
VPN communication* [RFC4301]  IPSec/IKE/IKEv2 (PSK, certificate), Strongswan
                              IKEv1 (interoperable), IKEv2 (default)
                              Hash SHA1, Hash SHA256 (standard), Hash SHA512
Diffie-Hellman groups*        2    modp1024
                              5    modp1536
                              14   modp2048 (default)
                              22   modp1024s160
                              23   modp2048s224
                              24   modp2048s256
IPSec compression*
Firewall
NTP authentication
Patch management
Device key

* This function is available with the security licence only.
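The VPN section above and the function table list the defaults (IKEv2, AES256, SHA256, Diffie-Hellman group 14 / modp2048) next to the weaker options that are kept only for interoperability (IKEv1, SHA1, groups 2 and 5). The following is an added example, not NENUX or Strongswan code: a small Python audit that parses Strongswan-style proposal strings such as `aes256-sha256-modp2048` and reports every component that falls below the page's defaults. The thresholds (AES256, SHA256 or stronger, a 2048-bit modulus, IKEv2) are assumed here as the minimum acceptable policy; the group-number-to-keyword mapping is the one printed in the table.

```python
"""Audit Strongswan-style IKE/ESP proposals against the NENUX 6.0 defaults.

Added example, not part of the NENUX product or the Strongswan project.
Proposal syntax ("aes256-sha256-modp2048") follows Strongswan's conventions;
the policy thresholds below are an assumption mirroring this page's defaults.
"""
import re

# Diffie-Hellman group number -> Strongswan keyword, as listed in the table
DH_GROUPS = {
    2: "modp1024",
    5: "modp1536",
    14: "modp2048",
    22: "modp1024s160",
    23: "modp2048s224",
    24: "modp2048s256",
}

# Assumed minimum policy: the page's defaults are treated as the floor.
MIN_AES_BITS = 256
MIN_DH_MODULUS_BITS = 2048
ACCEPTED_INTEGRITY = {"sha256", "sha384", "sha512"}


def parse_proposal(proposal):
    """Split a proposal string into cipher, cipher_bits, integrity and dh parts.

    Unknown tokens raise ValueError so that a typo is never silently
    accepted as a strong setting.
    """
    parts = {"cipher": None, "cipher_bits": None, "integrity": None, "dh": None}
    for token in proposal.lower().split("-"):
        if m := re.fullmatch(r"aes(128|192|256)", token):
            parts["cipher"], parts["cipher_bits"] = "aes", int(m.group(1))
        elif token == "3des":
            parts["cipher"], parts["cipher_bits"] = "3des", 112  # effective strength
        elif re.fullmatch(r"(md5|sha1|sha256|sha384|sha512)", token):
            parts["integrity"] = token
        elif re.fullmatch(r"modp\d+(s\d+)?", token):
            parts["dh"] = token
        else:
            raise ValueError(f"unrecognised proposal token: {token!r}")
    return parts


def audit_proposal(proposal, ike_version=2):
    """Return a sorted list of finding codes; an empty list means the proposal meets the defaults."""
    p = parse_proposal(proposal)
    findings = set()
    if ike_version != 2:
        findings.add("ikev1")  # the page keeps IKEv1 for interoperability only
    if p["cipher"] != "aes" or p["cipher_bits"] < MIN_AES_BITS:
        findings.add("weak-cipher")
    if p["integrity"] not in ACCEPTED_INTEGRITY:
        findings.add("weak-integrity")
    if p["dh"] is None:
        findings.add("missing-dh")
    else:
        # Judge the group by its modulus size; modp1024s160 is still a 1024-bit modulus.
        modulus_bits = int(re.match(r"modp(\d+)", p["dh"]).group(1))
        if modulus_bits < MIN_DH_MODULUS_BITS:
            findings.add("weak-dh")
    return sorted(findings)


def audit_group_table():
    """Audit the page's own group table: which listed groups fall below the default modulus size."""
    return {num: audit_proposal(f"aes256-sha256-{name}") for num, name in DH_GROUPS.items()}


if __name__ == "__main__":
    # Constructed sample proposals: the page's default and a legacy interoperability setting.
    for proposal, version in [("aes256-sha256-modp2048", 2), ("aes128-sha1-modp1024", 1)]:
        print(f"IKEv{version} {proposal}: {audit_proposal(proposal, version) or 'meets defaults'}")
    for num, findings in audit_group_table().items():
        print(f"group {num:>2} ({DH_GROUPS[num]}): {findings or 'ok'}")
```

Run against a device's configured proposals, the audit makes the interoperability trade-off visible: a peer that only negotiates `aes128-sha1-modp1024` over IKEv1 is reported on all four points, while the page's default proposal produces no findings.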