DNP3 - telecommunications protocol for energy and critical infrastructure
DNP3 (port 20000) - SCADA protocol for energy and water utilities. Secure Authentication v5 (HMAC), IEEE 1815, known attacks, OT network segmentation.
DNP3 (Distributed Network Protocol 3) is a communication protocol designed specifically for SCADA systems in the energy, water, and gas sectors. Developed in 1993 by Westronic (now GE Grid Solutions) based on the IEC 60870-5 standard, it became the dominant telecommunications protocol in North America, Australia, and parts of Asia. In Europe, its counterpart is IEC 60870-5-104 - both protocols serve the same purpose (SCADA master-outstation communication), but DNP3 offers a richer feature set and - critically - an optional authentication mechanism that IEC 104 lacks.
How DNP3 works
DNP3 handles communication between a dispatch center (master station) and field devices (outstation) - typically RTUs (Remote Terminal Units), PLCs, and intelligent electronic devices (IEDs). The protocol supports:
- Telemetry (monitoring) - the RTU reports binary states (circuit breakers, signaling), analog values (voltage, current, temperature), counters (energy), and timestamped events
- Telecommands (control) - the master sends commands to open/close circuit breakers, change regulator setpoints, switch operating modes
- File transfer - transferring configuration files, logs, and firmware to field devices
- Unsolicited responses - the outstation can independently report events without polling (event-driven), which reduces network traffic and shortens response time
Layered architecture
DNP3 uses a three-layer model (Enhanced Performance Architecture - EPA):
| Layer | Function |
|---|---|
| Application Layer | Data objects (Binary Input, Analog Output, Counter…), fragmentation, function codes |
| Transport Layer | Segmentation and reassembly, sequence numbering |
| Data Link Layer | Addressing (source/destination, 16-bit), CRC-16 per 16-byte block, acknowledgements |
In the DNP3-over-TCP variant (most commonly used in modern networks), the DNP3 layers are encapsulated in TCP/IP on port 20000.
Data Link frame structure
The 0x0564 signature enables identification of DNP3 in network traffic. CRC-16 is calculated per 16-byte block (not per frame) - this is a unique DNP3 feature ensuring integrity at the data link layer.
Application Layer function codes
| Function Code | Name | Risk | Description |
|---|---|---|---|
| 0x01 | Read | Low | Reading data objects (states, measurements) |
| 0x02 | Write | High | Writing to objects - changing setpoints |
| 0x03 | Select | High | Selecting a control command (SBO - Select Before Operate) |
| 0x04 | Operate | Critical | Executing the selected command (opening/closing a circuit breaker) |
| 0x05 | Direct Operate | Critical | Direct execution without Select (if permitted) |
| 0x06 | Direct Operate No Ack | Critical | As above, without acknowledgement - no trace in logs |
| 0x0D | Cold Restart | Critical | Device restart |
| 0x0E | Warm Restart | High | Application restart without hardware restart |
| 0x81 | Response | - | Outstation response to master request |
| 0x82 | Unsolicited Response | - | Spontaneous event reporting |
WARNING
SBO (Select Before Operate) mode requires two steps (FC 0x03 + FC 0x04), providing a detection window between command selection and execution. Direct Operate (FC 0x05) and Direct Operate No Ack (FC 0x06) bypass this mechanism. If the device configuration allows Direct Operate - an attacker can issue a control command in a single packet.
Technical parameters
| Parameter | Value |
|---|---|
| Port | 20000/TCP (DNP3-over-TCP), 20000/UDP (optional) |
| Transport | TCP/IP or serial links (RS-232, RS-485) |
| Authentication | None (standard DNP3), HMAC-SHA-256 (Secure Authentication v5) |
| Encryption | None (natively), TLS as transport layer (DNP3-SA v5 recommends) |
| Integrity | CRC-16 at the Data Link layer, HMAC at the application layer (SA v5) |
| Standard | IEEE 1815-2012 |
| Organization | DNP Users Group (dnp.org) |
Secure Authentication - security evolution
Versions 1-4 (2007-2010)
Awareness of cyber threats in the energy sector grew from the early 2000s. The DNP Users Group began work on an authentication mechanism - Secure Authentication (SA). Versions 1-4 introduced:
- Challenge-response with a pre-shared key
- HMAC-SHA-1 for verifying the integrity of critical messages (control commands, configuration changes)
- Aggressive Mode authentication - after one successful challenge-response, subsequent messages in the session can skip the full handshake
However, these versions had significant limitations: no key exchange and rotation mechanism, the need for manual key distribution to every field device (a logistical nightmare in energy networks with thousands of RTUs), and lack of replay attack protection in some scenarios.
Secure Authentication v5 (IEEE 1815-2012)
Version 5, incorporated into the IEEE 1815-2012 standard, resolved most issues:
- HMAC-SHA-256 as the default integrity mechanism
- Asymmetric key exchange - IEC 62351 Part 8 Certificate-based key agreement allows automatic session key rotation
- Update Key Change Protocol - secure update of authentication keys without a physical visit to the device
- Error/Attack detection - mechanism for detecting and reporting unauthorized access attempts
SA v5 is recommended by NERC CIP (North American Electric Reliability Corporation - Critical Infrastructure Protection) as the standard for securing DNP3 communication in North American energy networks.
Security assessment
Standard DNP3 (without SA)
The majority of DNP3 installations worldwide still operate without Secure Authentication. Standard DNP3 has no authentication - any host capable of establishing a TCP connection on port 20000 can send control commands to an outstation. The protocol does not encrypt data - process values, control commands, and configuration information are transmitted in cleartext.
Known attacks and research
- Aurora Generator Test (2007) - at Idaho National Laboratory, DOE (Department of Energy) researchers demonstrated the ability to physically destroy a 2.25 MW generator by sending circuit breaker open and close commands at high frequency. The test used DNP3 to communicate with the protective relay. The video of the experiment, showing the generator shaking and starting to smoke, became one of the most frequently cited proofs of the physical consequences of cyberattacks on OT.
- BlackEnergy 2 (2014) - a variant of the BlackEnergy malware contained a module parsing DNP3 traffic (plugin “dstr”), enabling SCADA network topology reconnaissance by analyzing DNP3 addresses and object types.
- Adam Crain & Chris Sistrunk - Project Robus (2013-2014) - the researchers identified over 30 vulnerabilities in DNP3 implementations from various manufacturers (GE, SEL, Cooper, ABB, Siemens) using fuzzing. Many allowed DoS (device freeze or restart) by sending specially crafted DNP3 packets. The research led to dozens of ICS-CERT advisories.
- Industroyer/CrashOverride (2016) - the Industroyer malware had dedicated modules for IEC 61850 and IEC 104 communication, but its modular architecture demonstrates how easily support for additional SCADA protocols, including DNP3, can be added.
MITRE ATT&CK for ICS
| Technique | ID | DNP3 context |
|---|---|---|
| Unauthorized Command Message | T0855 | Sending control commands without authentication |
| Manipulation of Control | T0831 | Changing circuit breaker states, regulator setpoints |
| Point & Tag Identification | T0861 | Enumerating DNP3 objects (Binary Input, Analog Output) |
| Denial of Service | T0814 | Fuzzing DNP3 implementations, packet flooding |
| Monitor Process State | T0801 | Reading telemetry data from outstations |
Segmentation and protection recommendations
TIP
DNP3 Secure Authentication v5 is the only protocol-level security mechanism available for SCADA communication in the energy sector. If your devices support it - enable it. If not - network segmentation and encrypted tunnels (TLS or IPsec) are the only alternatives. Remember that SA protects the integrity of control commands but does not encrypt process data. Guidelines for designing zones and conduits per IEC 62443 are described in the article OT network segmentation - zones and conduits.
Key recommendations
-
Deploy Secure Authentication v5 - if the RTU/IED manufacturer supports DNP3-SA v5 (GE, SEL, ABB, Honeywell - most modern devices), configure HMAC-SHA-256 authentication for control commands and configuration changes. Plan a key distribution and rotation procedure.
-
Encrypt transport - DNP3-SA protects integrity but not confidentiality. For segments where process data confidentiality is required, use TLS (DNP3-over-TLS) or IPsec tunnels between the master station and outstations. IEEE 1815-2012 Annex A contains TLS implementation guidelines.
-
WAN network segmentation - DNP3 communication between dispatch centers and field stations often traverses WAN networks (MPLS, LTE, satellite). Apply site-to-site VPN with strong encryption. Never expose port 20000 directly to the internet.
-
Firewall filtering - on the OT firewall between the SCADA network and the RTU/IED segment, configure rules allowing DNP3 only between authorized master-outstation pairs. Firewalls with DNP3 DPI (Fortinet, Palo Alto, SEL-3620) can filter messages at the function code level - blocking control commands from unauthorized sources while allowing reads.
-
Monitoring and anomalies - deploy passive DNP3 traffic monitoring (Dragos, Claroty, Nozomi Networks). Alert on: control commands from unknown IP addresses, unusual DNP3 objects, unsolicited responses from unexpected outstations, fuzzing attempts (malformed packets).
-
NERC CIP compliance - in North America, DNP3 communication in BES (Bulk Electric System) networks is subject to NERC CIP-005 (Electronic Security Perimeters) and CIP-012 (Communication Networks and Data) regulations. In Europe, analogous requirements stem from the NIS2 directive and national energy sector regulations.
DNP3 vs. IEC 60870-5-104 comparison
| Feature | DNP3 | IEC 60870-5-104 |
|---|---|---|
| Dominant region | North America, Australia | Europe, Asia, Middle East |
| Port | 20000/TCP | 2404/TCP |
| Authentication | Secure Authentication v5 (HMAC) | None (natively) |
| Unsolicited responses | Yes | Yes (spontaneous) |
| File transfer | Yes | No |
| Standard | IEEE 1815-2012 | IEC 60870-5-104:2006 |
| Reference attacks | Aurora Test, BlackEnergy 2 | Industroyer, COSMICENERGY |
Summary
DNP3 is a protocol that - unlike many other OT standards - has an optional security mechanism (Secure Authentication v5) providing communication integrity. Unfortunately, most existing installations do not use it, and many older field devices do not support it. For organizations in the energy and water sectors, the priority should be: deploy SA v5 where possible, encrypt transport (TLS/IPsec), and apply strict network segmentation for all remaining installations. DNP3 without Secure Authentication offers the same security level as Modbus TCP - which is none.
Open source tools
| Tool | Language | Description | Link |
|---|---|---|---|
| opendnp3 | C++14 | Reference DNP3 implementation (master and outstation) with Secure Authentication support | GitHub |
| pydnp3 | Python | Python bindings for opendnp3 - scripting DNP3 sequences | GitHub |
| Wireshark | C | Built-in DNP3 dissector - traffic analysis on port 20000 | Wireshark |
TIP
pydnp3 enables scripting non-standard DNP3 sequences, including testing the Secure Authentication v5 mechanism - useful for verifying that an outstation properly rejects unauthenticated control commands.
Sources:
- IEEE 1815-2012 - Standard for Electric Power Systems Communications - DNP3 - IEEE
- DNP3 Secure Authentication v5 Specification - DNP Users Group
- Aurora Generator Test - Idaho National Laboratory - DOE/CISA
- BlackEnergy by the SSHBearDoor - ESET, 2016
- Project Robus - DNP3 Fuzzing - Adam Crain, Chris Sistrunk, 2014
- NERC CIP Standards - NERC
- MITRE ATT&CK for ICS - MITRE Corporation
- NIST SP 800-82 Rev. 3 - Guide to OT Security - NIST, 2023
Need help in this area?
Our experts will help you assess the risk and plan next steps.