DNP3 protocol in depth

Posted date 02/05/2024
Author
INCIBE (INCIBE)

Nowadays most of the devices we use are electronic, which makes the electrical sector one of the most important sectors. Cybercriminals are also aware of this importance, since an attack on it can cause great damage, from obtaining sensitive information to causing power outages such as those caused by the BlackEnergy malware in the Ukrainian region of Ivano-Frankivsk on December 23, 2015. To prevent this from happening again, the electricity sector is investing heavily in cybersecurity.

One way to improve that cybersecurity is to use secure protocols, a clear example being DNP3 and IEC 61850, two standards used specifically in the electrical sector. The former is widely used in the United States and Canada, while the latter is more common in Europe.

Introduction to DNP3

The Distributed Network Protocol, also known as DNP3, is a comprehensive protocol standard that defines the rules by which devices communicate with each other. It came into use in 1993 and focused on providing a lightweight means of transporting simple data values with a high degree of integrity.

This protocol defines two types of endpoint that communicate with each other: a master and a remote unit.

  • Master: One or more devices, usually a computer or a network of such devices, located in the control center.
  • Remote unit: Also known as a slave. These units are usually deployed in the field, where they collect information from many devices in different locations and transmit it to the master station. The devices that communicate with the remote unit can themselves be remote, such as an RTU, an IED, a flowmeter, etc.

DNP3 protocol structure

The following sections explain how this protocol is structured; the image below gives an overview of it.

[Image: Modular structure of DNP3]

  • Application layer: Defines the various functions that are exchanged between the master and the remote station. It defines two types of application-level data structure, called fragments: the request fragment and the response fragment. The latter is characterized by a 16-bit field called Internal Indications, which carries status information about the remote station or the result of the requested function.

[Image: DNP3 fragment format]

[Image: DNP3 fragment header]

  • Transport layer: An application fragment can be larger than a single link-layer message, so this layer chops the fragment into pieces at the transmitting end and reassembles them at the receiving end. The pieces are called segments, each carrying a transport header plus a set of bytes from the fragment, up to a maximum of 249 bytes.
  • Link layer: It is in charge of addressing and error detection. At this layer we can distinguish between serial and TCP/IP links:
    • Serial: Allows the use of frame acknowledgement, which requires the receiving end to confirm the correct reception of each message.
    • TCP/IP: This link-layer acknowledgement is not used, since TCP already guarantees the correct sending and receiving of frames.
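As an added example (not code from the INCIBE article), the Python below implements the chopping and reassembly just described. It assumes the transport header layout defined in the DNP3 standard, which the article does not show: one octet with FIN in bit 7, FIR in bit 6 and a 6-bit sequence number, followed by at most 249 bytes of fragment data; the names `segment` and `Reassembler` are my own.

```python
# Added example, not code from the INCIBE article.
from typing import List, Optional

MAX_SEG_DATA = 249                 # fragment bytes per segment (article: max 249)
FIN, FIR, SEQ_MASK = 0x80, 0x40, 0x3F   # header bit layout per the DNP3 standard


def segment(fragment: bytes, first_seq: int = 0) -> List[bytes]:
    """Transmitting end: chop an application fragment into transport segments."""
    chunks = [fragment[i:i + MAX_SEG_DATA]
              for i in range(0, len(fragment), MAX_SEG_DATA)] or [b""]
    segments = []
    for n, chunk in enumerate(chunks):
        hdr = (first_seq + n) & SEQ_MASK      # 6-bit sequence wraps at 64
        if n == 0:
            hdr |= FIR                        # first segment of the fragment
        if n == len(chunks) - 1:
            hdr |= FIN                        # last segment of the fragment
        segments.append(bytes([hdr]) + chunk)
    return segments


class Reassembler:
    """Receiving end: accumulate segments, return the fragment on FIN.
    A missing, repeated or out-of-order sequence number discards the
    partial fragment instead of silently splicing unrelated data."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.expect: Optional[int] = None     # next sequence number, None = idle

    def feed(self, seg: bytes) -> Optional[bytes]:
        hdr, data = seg[0], seg[1:]
        seq = hdr & SEQ_MASK
        if len(data) > MAX_SEG_DATA:
            raise ValueError("segment carries more than 249 data bytes")
        if hdr & FIR:
            self.buf = bytearray()            # FIR always starts a new fragment
        elif self.expect is None or seq != self.expect:
            self.buf, self.expect = bytearray(), None
            raise ValueError(f"unexpected transport sequence {seq}")
        self.buf += data
        self.expect = (seq + 1) & SEQ_MASK
        if hdr & FIN:
            frag = bytes(self.buf)
            self.buf, self.expect = bytearray(), None
            return frag
        return None
```

A 768-byte fragment yields four segments of 250, 250, 250 and 22 bytes on the wire, and a receiver that sees segment 0 followed by segment 2 rejects the fragment rather than delivering a truncated one.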

Security and encryption

As mentioned above, the electricity sector needs to use cybersecure protocols, and DNP3 is regarded as one of the most cybersecure protocols in the electricity world. It is characterized by the use of TLS encryption and authentication procedures:

  • TLS encryption: This encryption ensures that data can be read only by the intended endpoints, so it is commonly used as a basic safeguard against unwanted disclosure of information, unauthorized access and message manipulation.
  • Secure authentication: This mechanism requires authentication for certain requests coming from the master or the remote unit. The protected functions are usually critical ones that affect the operability of the system, such as setting command results, reading confirmation messages and the like.

Differences between DNP3 and IEC 61850

As already mentioned, these two protocols are the most widely used in the electrical sector. Some of the differences between them are explained below:

  • DNP3 focuses on transporting simple data in a lightweight and secure way, while IEC 61850 is more focused on communication between assets.
  • DNP3 focuses on the data and largely leaves contextualization aside, while IEC 61850 integrates context into the system by mapping data to logical nodes with predefined names.

Conclusion

As has been seen in this article, the electricity sector is one of the most important sectors today and, because of previous cyber-attacks, a lot is being invested in improving its cybersecurity.

One of the best examples of this is the use of cybersecure protocols such as DNP3. This protocol, widely used especially in the United States and Canada, is characterized by TLS encryption, secure authentication and the transport of simple data in a lightweight and secure way.