05/21/9705/21/97 11

www.dnp.org

DNP3 ProtocolAGA/GTI SCADA Security Meeting August 19, 2002 / Washington, DC

Presented By: Mr. Jim Coats, PresidentTriangle MicroWorks, Inc.Raleigh, North Carolina

www.TriangleMicroWorks.com

05/21/9705/21/97 225

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 33

www.dnp.org

Credentials

Vice President of DNP3 Users Group Lead US member for IEC TC 57 WG 03 Past member of DNP3 Technical Committee Eight years experience developing/supporting products

for DNP3 through Triangle MicroWorks Source Code Libraries Test Harness OPC Server and Protocol Gateway

05/21/9705/21/97 44

www.dnp.org

Purpose of a Communication Protocol

Replicate database from one device to another

05/21/9705/21/97 55

www.dnp.org

Objectives of a Communication Protocol

Minimize protocol overhead to avoid extra cost of high bandwidth media

Ensure reliable data transfer (CRC or checksum) Provide necessary features such as time stamps or

freeze operations Provide data quality flags Since September 11th, prevent unauthorized use or

monitoring of data

05/21/9705/21/97 66

www.dnp.org

Report by Exception (RBE)

Protocols like Modbus transmit all the data each time a device is polled

RBE only transmits changes, so fewer data points

Timestamps allow creation of Sequence of Events (SOE) log on Master Station

RBE can be polled or unsolicited

05/21/9705/21/97 775

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 886

www.dnp.org

History of DNP3

Distributed Network Protocol Developed by GE (previously Harris, Westronics) Based on early parts of IEC 870-5 Turned over to Users Group in 1993 DNP and IEC 870-5-101 have been specified in IEEE P1379

Recommended Practice for Data Communications Between IntelligentElectronic Devices and Remote Terminal Unit

05/21/9705/21/97 99

www.dnp.org

Newton-Evans Research

1. DNP3 protocol is now the most popular protocol in use by global electric utilities.

2. Also the DNP LAN implementation led the way for planned use by both North American and international utilities.

Taken from The World Market for Substation Automation and Integration Programs in Electric Utilities: 2000-2004 August 2000

05/21/9705/21/97 1010

www.dnp.org

DNP Today

Vendor Products >100 vendors, +250 DNP products and services

Utilities/Industrials used by >300 utilities and industrials worldwide

Countries used in over 32 countries

Total Industry $250 Million / year of DNP products and services

Industries Electric, Oil & Gas, Water and Industrial

05/21/9705/21/97 1111

www.dnp.org

RelayRelayRelay

Master Station

Substation RTURS-232Serial

Phone Line

RelayEngineerTerminal

Modem

Modem

DNP3 Topology

05/21/9705/21/97 1212

www.dnp.org

DNP3 Users Group

Basic membership cost is $200 per year Members from:

Vendors - System Integrators Utilities - Software developers

Volunteers staff the following committees to manage the protocol:

Steering CommitteeSteering Committee

TechnicalCommittee

TechnicalCommittee

ConformanceCommitteeConformance

CommitteeMarketingCommittee

MarketingCommittee

LiaisonCommittee

LiaisonCommittee

05/21/9705/21/97 1313

www.dnp.org

DNP3 Technical Committee

Technical Committee Chairman: Andrew West, Invensys (Foxboro Australia) Secretary: Grant Gilchrist, GE Energy Systems

Meets via conference call once a month Meets in person once per year Daily interaction by Maillist Protocol evolution tracked by year

i.e. DNP3 2002

05/21/9705/21/97 1414

www.dnp.org

DNP3 Technical Committee

Technical Committee = Managed Evolution Define new features, then update documentation and

test procedures Clarify existing documentation when different

interpretations exist A Controlled Standard, avoids multiple Vendor

specific variations of the protocol

05/21/9705/21/97 15155

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 1616

www.dnp.org

Utility Benefits

Select products based on performance, not protocol Reduced training costs to learn only one protocol. Greater availability of support services Able to participate directly in evolution of protocol via

participation in User Group Evolving to continue to meet market needs

05/21/9705/21/97 1717

www.dnp.org

Vendor Benefits

Avoid NRE charges to add/update new protocols for each new project

Well documented, proven protocol Participate in development of common

protocol instead of company protocol Large Utility Client Base Greater availability of 3rd party support

services and Test Tools

05/21/9705/21/97 1818

www.dnp.org

Ensure Interoperability

DNP3 UGTechnical Committee DNP3 Conformance

Test Procedures

Independent ConformanceTesting Company

Certificate ofConformance

ProductsEquipment

Vendor

Utility ** The Utility will specify in all RFQs that a Certificate of Conformance is required

05/21/9705/21/97 1919

www.dnp.org

Interoperability Documents

The following documents are used to interface DNP3 Devices: DNP3 Device Profile Document DNP3 Implementation Table DNP3 Points List

05/21/9705/21/97 20205

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 21217

www.dnp.org

Core Specification Documents

DNP V3.0 Basic 4 Document Set DNP V3.0 Data Link Layer DNP V3.0 Transport Functions DNP V3.0 Application Layer Specification DNP V3.0 Data Object Library

DNP V3.0 Subset Definitions Document (Level 1, 2, & 3)

Conformance Test Procedures Technical Bulletins

All of these documents are available for download by DNP User Group members from the DNP web site.

05/21/9705/21/97 222210

www.dnp.org

OSI 7-Layer Model Compliance

DNP3 uses a simplified 3 layer version of the OSI 7 Layer model called EPA (Enhanced Performance Architecture)

7 - Application6 - Presentation5 - Session4 -Transport3 - Network2 - Link1 - Physical

DNP adds a Transport layer to permit messages larger than a data link frame

05/21/9705/21/97 232311

Receive goes up the stack, transmit goes down the stack.Size of data transmitted/received may fit into one data link frame. So do not require multi-frame fragments or multi-fragment messages.A single DNP application function is usually sent as a single application layer message, which can consist of many data link frames.

www.dnp.org

Application message = unlimited size

Transport fragment = 2048 bytes (max)

Data Link frame = 292 bytes (max)

Physical byte = 8 bits

DNP Message Buildup

05/21/9705/21/97 242414

www.dnp.org

Balanced Link Layer

Master SlaveRequest Message

Response Message

(User Data, Confirm Expected)

(Acknowledgment)

[P]

[P] = Primary Frame[S] = Secondary Frame

[S]

(User Data, Confirm Expected)

(Acknowledgment)

[P]

[S]

05/21/9705/21/97 252515

www.dnp.org

Balanced Link Layer

At the link layer, all devices are equal

Collision avoidance by one of the following: Full duplex point to point connection (RS232 or four wire

RS485)

Designated master polls rest of slaves on network Physical layer (CSMA/CD)

05/21/9705/21/97 262618

www.dnp.org

Device Addressing

DNP3 Link contains both Source and Destination address

Both are always 16 bits

Application layer does not contain address

The provision of a source and destination address simplifies message routing in certain network topologies.A DNP link address is a devices logical address. A single physical device is permitted to respond to multiple addresses (contain multiple logical devices). Each device will appear to the master as a completely separate device.

05/21/9705/21/97 272722

www.dnp.org

Application Layer Features:

Time Synchronization Time-stamped events Freeze/Clear Counters Select before operate Polled report by exception Unsolicited Responses Data groups/classes

05/21/9705/21/97 282821

www.dnp.org

Application Layer

05/21/9705/21/97 292926

Master/Slave Network - Slaves do not speak unless spoken toMAC = Media Access Control - CSMA/CD

Polled Static - Class 0 or specific data request message sent to each device

Polled Report by Exception - Class 1, 2, 3 request message sent to each device with occasional integrity (class 0) data poll.

Unsolicited Report by Exception - most communication is unsolicited, but the Master occasionally sends integrity polls for class 0 Data to verify its database.

Quiescent Operation - master never polls slaveLast two modes are useful when communication medium is dial-up modem.

www.dnp.org

Means of Retrieving Data

Master/Slave Network

Polled Static

Polled Report by Exception

Point to Point (or MAC)

Unsolicited Report by Exception

Quiescent Operation

05/21/9705/21/97 3030

www.dnp.org

DNP3 LAN-WAN Features

Puts entire DNP3 Stack on top of TCP/IP Became part of Standard in Nov 1998 Makes use of widely available and

inexpensive third-party products Specification also allows for use of UDP

(connectionless) service

05/21/9705/21/97 31315

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 3232

www.dnp.org

Whats Next for DNP3?

Major revision to DNP3 Basic 4 Document set Address Security Issues DNP3 Master Conformance Test Procedures Double-Bit Status Output Event Objects Self Description

XML file approach Define new protocol functionality

05/21/9705/21/97 3333

www.dnp.org

Security in DNP3

Threat until recently was noise on the wire CRC bytes were actually called Security bytes in

many protocol analyzers Most security provided by Physical isolation of

network and lack of common knowledge about systems

Since moving toward more network solutions, security has now become a priority

05/21/9705/21/97 3434

www.dnp.org

DNP3 User Group Plan for Security

Form a Working Group within the DNP3 Technical Committee

Will hire consultant to write Technical Bulletins Discussion so far has been on 2 solutions:

Encryption/decryption device placed at each end of the wire Security Enhancements directly in the protocol

05/21/9705/21/97 3535

www.dnp.org

Self Description Using XML

XML is an excellent standard that is naturally suited for these types of applications

Primary benefit is Plug & Play, for faster and more accurate device install or replacement

One data file contains information normally found in the DNP3 interoperability documents: Device Profile Document Implementation Table Points List, including scaling and units information

DNP3 Solution will build on existing models developed by IEC TC 57 Working Group 14 and/or UCA2

Online or offline transfer of XML file to DNP3 Master

05/21/9705/21/97 3636

www.dnp.org

Offline Option

DNP3 IED

DNP3 Master DNP3 Slave

DNP3Communicatons

DNP3 XMLDeviceProfile

05/21/9705/21/97 3737

www.dnp.org

Benefits of using XML Files Offline

Can be applied to existing devices placed in operation years ago

Does not interfere with real time communications Good for small devices that may not support DNP3 file

transfer Requires no changes to DNP3 Embedded code All XML files can be stored in centralized network

location

05/21/9705/21/97 3838

www.dnp.org

Online Option

IED ConfigSoftware

DNP3 Master

DNP3 SlaveDNP3

Communicatons

DNP3 XMLDevice Profile

DNP3 File Transfer during first startup sequence

DNP3 XMLDevice Profile

Transfer to deviceduring configuration

05/21/9705/21/97 3939

www.dnp.org

Benefits of using XML Files Online

XML file is contained in device, always know where to find it

Requires no changes to DNP3 Embedded code if already supports File Transfer

Nominal affect on real time communications IED only transferring a file, does not need to know

details of file or XML Can evolve without affecting Embedded code

05/21/9705/21/97 40405

www.dnp.org

Agenda

Purpose of a Communication Protocol History of DNP3 Benefits of Industry Standard Protocols Overview of Protocol Features Whats Next for DNP3? Demonstration of Test Harness

05/21/9705/21/97 4141

Test Harness Demonstration

cManual CommandscPeriodic CommandscToggle binary input to create unsolicited

responsecTCL/TK Script for conformance testing

A full 21-day evaluation of the Test Harness may be downloaded from www.TriangleMicroWorks.com/downloads.htm.

05/21/9705/21/97 424229

www.dnp.org

Summary

DNP3 is: Well established in the Electrical Utiltiy Industry Has an active users group that is eager to

enhance the protocol to meet new requirements

05/21/9705/21/97 434330

www.dnp.org

DNP3 Users Group Web site

All protocol documentation and meeting minutes posted on web site

List of equipment supporting the protocol Join DNP3 maillist Next General meeting - February 2003 in

Las Vegas

www.DNP.org

05/21/9705/21/97 444430

www.dnp.org

More Information on DNP3

IEEE P1379 - www.ieee.org

SCADA Mailing List -

www.iinet.net.au/~ianw

Contact me, Jim Coats at:jcoats@TriangleMicroWorks.com

www.TriangleMicroWorks.com(919) 870-6615