DNP3 Protocol

AGA/GTI SCADA Security Meeting

August 19, 2002 / Washington, DC
Presented By: Mr. Jim Coats, President Triangle MicroWorks, Inc. Raleigh, North Carolina www.TriangleMicroWorks.com

www.dnp.org

05/21/97

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

2
5

Credentials
Vice President of DNP3 Users Group Lead US member for IEC TC 57 WG 03 Past member of DNP3 Technical Committee Eight years experience developing/supporting products for DNP3 through Triangle MicroWorks
Source Code Libraries Test Harness OPC Server and Protocol Gateway

www.dnp.org

05/21/97

Purpose of a Communication Protocol

Replicate database from one device to another

www.dnp.org

05/21/97

Objectives of a Communication Protocol

Minimize protocol overhead to avoid extra cost of high bandwidth media Ensure reliable data transfer (CRC or checksum) Provide necessary features such as time stamps or freeze operations Provide data quality flags Since September 11th, prevent unauthorized use or monitoring of data

www.dnp.org

05/21/97

Report by Exception (RBE)

Protocols like Modbus transmit all the data each time a device is polled RBE only transmits changes, so fewer data points Timestamps allow creation of Sequence of Events (SOE) log on Master Station RBE can be polled or unsolicited

www.dnp.org

05/21/97

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

7
5

History of DNP3
Distributed Network Protocol Developed by GE (previously Harris, Westronics) Based on early parts of IEC 870-5 Turned over to Users Group in 1993 DNP and IEC 870-5-101 have been specified in IEEE P1379
Recommended Practice for Data Communications Between Intelligent Electronic Devices and Remote Terminal Unit

www.dnp.org

05/21/97

8
6

Newton-Evans Research
1.

2.

DNP3 protocol is now the most popular protocol in use by global electric utilities. Also the DNP LAN implementation led the way for planned use by both North American and international utilities.
Taken from The World Market for Substation Automation and Integration Programs in Electric Utilities: 20002004 August 2000

www.dnp.org

05/21/97

DNP Today
Vendor Products
>100 vendors, +250 DNP products and services

Utilities/Industrials
used by >300 utilities and industrials worldwide

Countries
used in over 32 countries

Total Industry
$250 Million / year of DNP products and services

Industries
Electric, Oil & Gas, Water and Industrial

www.dnp.org

05/21/97

10

DNP3 Topology
Master Station Relay Engineer Terminal
RS-232 Serial

Substation RTU

Modem
Phone Line

Modem Relay Relay

Relay
www.dnp.org

05/21/97

11

DNP3 Users Group

Basic membership cost is $200 per year Members from:
Vendors Utilities - System Integrators - Software developers

Volunteers staff the following committees to manage the protocol:

Steering Committee Steering Committee Technical Technical Committee Committee

www.dnp.org

Conformance Conformance Committee Committee

Marketing Marketing Committee Committee

Liaison Liaison Committee Committee

05/21/97

12

DNP3 Technical Committee

Technical Committee
Chairman: Andrew West, Invensys (Foxboro Australia) Secretary: Grant Gilchrist, GE Energy Systems

Meets via conference call once a month Meets in person once per year Daily interaction by Maillist Protocol evolution tracked by year i.e. DNP3 2002

www.dnp.org

05/21/97

13

DNP3 Technical Committee

Technical Committee = Managed Evolution Define new features, then update documentation and test procedures Clarify existing documentation when different interpretations exist A Controlled Standard, avoids multiple Vendor specific variations of the protocol

www.dnp.org

05/21/97

14

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

15
5

Utility Benefits
Select products based on performance, not protocol Reduced training costs to learn only one protocol. Greater availability of support services Able to participate directly in evolution of protocol via participation in User Group Evolving to continue to meet market needs

www.dnp.org

05/21/97

16

Vendor Benefits
Avoid NRE charges to add/update new protocols for each new project Well documented, proven protocol Participate in development of common protocol instead of company protocol Large Utility Client Base Greater availability of 3rd party support services and Test Tools

www.dnp.org

05/21/97

17

Ensure Interoperability
DNP3 UG Technical Committee DNP3 Conformance Test Procedures Independent Conformance Testing Company Certificate of Conformance

Equipment Vendor

Products

www.dnp.org
* The Utility will specify in all RFQs that a Certificate of Conformance is required

Utility *

05/21/97

18

Interoperability Documents
The following documents are used to interface DNP3 Devices:
DNP3 Device Profile Document DNP3 Implementation Table DNP3 Points List

www.dnp.org

05/21/97

19

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

20
5

Core Specification Documents

DNP V3.0 Basic 4 Document Set
DNP V3.0 Data Link Layer DNP V3.0 Transport Functions DNP V3.0 Application Layer Specification DNP V3.0 Data Object Library

DNP V3.0 Subset Definitions Document (Level 1, 2, & 3) Conformance Test Procedures Technical Bulletins

www.dnp.org

All of these documents are available for download by DNP User Group members from the DNP web site.

05/21/97

21
7

OSI 7-Layer Model Compliance

DNP3 uses a simplified 3 layer version of the OSI 7 Layer model called EPA (Enhanced Performance Architecture)
7 - Application 6 - Presentation 5 - Session 4 -Transport 3 - Network 2 - Link 1 - Physical

DNP adds a Transport layer to permit messages larger than a data link frame
www.dnp.org

05/21/97

22
10

DNP Message Buildup

Application Transport Data Link Physical
www.dnp.org

message = unlimited size

fragment = 2048 bytes (max)

frame = 292 bytes (max)

byte = 8 bits

Receive goes up the stack, transmit goes down the stack. Size of data transmitted/received may fit into one data link frame. So do not require multi-frame fragments or multi-fragment messages. A single DNP application function is usually sent as a single application layer message, which can consist of many data link frames.

05/21/97

23
11

Balanced Link Layer

Request Message Master [P]
(User Data, Confirm Expected) (Acknowledgment)

Slave [S]

Response Message
(User Data, Confirm Expected)

[P] [S]
(Acknowledgment)

www.dnp.org

[P] = Primary Frame [S] = Secondary Frame

05/21/97

24
14

Balanced Link Layer

At the link layer, all devices are equal Collision avoidance by one of the following:
Full duplex point to point connection (RS232 or four wire
RS485)

Designated master polls rest of slaves on network Physical layer (CSMA/CD)

www.dnp.org

05/21/97

25
15

Device Addressing
DNP3 Link contains both Source and Destination address Both are always 16 bits Application layer does not contain address

www.dnp.org

The provision of a source and destination address simplifies message routing in certain network topologies. A DNP link address is a devices logical address. A single physical device is permitted to respond to multiple addresses (contain multiple logical devices). Each device will appear to the master as a completely separate device.

05/21/97

26
18

Application Layer Features:

Time Synchronization Time-stamped events Freeze/Clear Counters Select before operate Polled report by exception Unsolicited Responses Data groups/classes

www.dnp.org

05/21/97

27
22

Application Layer

www.dnp.org

05/21/97

28
21

Means of Retrieving Data

Master/Slave Network Polled Static Polled Report by Exception Point to Point (or MAC) Unsolicited Report by Exception Quiescent Operation

www.dnp.org

Master/Slave Network - Slaves do not speak unless spoken to MAC = Media Access Control - CSMA/CD Polled Static - Class 0 or specific data request message sent to each
device

Polled Report by Exception - Class 1, 2, 3 request message sent

to each device with occasional integrity (class 0) data poll.

Unsolicited Report by Exception - most communication is

unsolicited, but the Master occasionally sends integrity polls for class 0 Data to verify its database.

Quiescent Operation - master never polls slave Last two modes are useful when communication medium is dial-up modem.
05/21/97 29
26

DNP3 LAN-WAN Features

Puts entire DNP3 Stack on top of TCP/IP Became part of Standard in Nov 1998 Makes use of widely available and inexpensive third-party products Specification also allows for use of UDP (connectionless) service

www.dnp.org

05/21/97

30

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

31
5

Whats Next for DNP3?

Major revision to DNP3 Basic 4 Document set Address Security Issues DNP3 Master Conformance Test Procedures Double-Bit Status Output Event Objects Self Description
XML file approach Define new protocol functionality

www.dnp.org

05/21/97

32

Security in DNP3
Threat until recently was noise on the wire CRC bytes were actually called Security bytes in many protocol analyzers Most security provided by Physical isolation of network and lack of common knowledge about systems Since moving toward more network solutions, security has now become a priority

www.dnp.org

05/21/97

33

DNP3 User Group Plan for Security

Form a Working Group within the DNP3 Technical Committee Will hire consultant to write Technical Bulletins Discussion so far has been on 2 solutions:
Encryption/decryption device placed at each end of the wire Security Enhancements directly in the protocol

www.dnp.org

05/21/97

34

Self Description Using XML

XML is an excellent standard that is naturally suited for these types of applications Primary benefit is Plug & Play, for faster and more accurate device install or replacement One data file contains information normally found in the DNP3 interoperability documents:
Device Profile Document Implementation Table Points List, including scaling and units information

DNP3 Solution will build on existing models developed by IEC TC 57 Working Group 14 and/or UCA2 Online or offline transfer of XML file to DNP3 Master

www.dnp.org

05/21/97

35

Offline Option

DNP3 Communicatons

DNP3 IED

DNP3 Master

DNP3 Slave

DNP3 XML Device Profile

www.dnp.org

05/21/97

36

Benefits of using XML Files Offline

Can be applied to existing devices placed in operation years ago Does not interfere with real time communications Good for small devices that may not support DNP3 file transfer Requires no changes to DNP3 Embedded code All XML files can be stored in centralized network location

www.dnp.org

05/21/97

37

Online Option
DNP3 File Transfer during first startup sequence
DNP3 XML Device Profile

DNP3 Slave

DNP3 Communicatons

DNP3 Master
DNP3 XML Device Profile

Transfer to device during configuration

IED Config Software

www.dnp.org

05/21/97

38

Benefits of using XML Files Online

XML file is contained in device, always know where to find it Requires no changes to DNP3 Embedded code if already supports File Transfer Nominal affect on real time communications IED only transferring a file, does not need to know details of file or XML Can evolve without affecting Embedded code

www.dnp.org

05/21/97

39

Agenda
Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

www.dnp.org

05/21/97

40
5

Test Harness Demonstration

Manual Commands Periodic Commands Toggle binary input to create unsolicited response TCL/TK Script for conformance testing
A full 21-day evaluation of the Test Harness may be downloaded from www.TriangleMicroWorks.com/downloads.htm.

05/21/97

41

Summary
DNP3 is:
Well established in the Electrical Utiltiy Industry Has an active users group that is eager to enhance the protocol to meet new requirements

www.dnp.org

05/21/97

42
29

DNP3 Users Group Web site

All protocol documentation and meeting minutes posted on web site List of equipment supporting the protocol Join DNP3 maillist Next General meeting - February 2003 in Las Vegas

www.DNP.org
www.dnp.org

05/21/97

43
30

More Information on DNP3

IEEE P1379 - www.ieee.org SCADA Mailing List www.iinet.net.au/~ianw Contact me, Jim Coats at: jcoats@TriangleMicroWorks.com www.TriangleMicroWorks.com (919) 870-6615
www.dnp.org

05/21/97

44
30