dnp3 overview for aga gti security meeting in washington dc · 05/21/97 21 7 core specification...

DNP3 Protocol
AGA/GTI SCADA Security Meeting
August 19, 2002 / Washington, DC

Presented By: Mr. Jim Coats, President
Triangle MicroWorks, Inc.
Raleigh, North Carolina
www.TriangleMicroWorks.com

www.dnp.org


Agenda

• Purpose of a Communication Protocol
• History of DNP3
• Benefits of Industry Standard Protocols
• Overview of Protocol Features
• What’s Next for DNP3?
• Demonstration of Test Harness


Credentials

• Vice President of DNP3 Users Group
• Lead US member for IEC TC 57 WG 03
• Past member of DNP3 Technical Committee
• Eight years experience developing/supporting products for DNP3 through Triangle MicroWorks
  • Source Code Libraries
  • Test Harness
  • OPC Server and Protocol Gateway


Purpose of a Communication Protocol

Replicate database from one device to another


Objectives of a Communication Protocol

• Minimize protocol overhead to avoid extra cost of high bandwidth media
• Ensure reliable data transfer (CRC or checksum)
• Provide necessary features such as time stamps or freeze operations
• Provide data quality flags
• Since September 11th, prevent unauthorized use or monitoring of data


Report by Exception (RBE)

• Protocols like Modbus transmit all the data each time a device is polled
• RBE only transmits changes, so fewer data points
• Timestamps allow creation of Sequence of Events (SOE) log on Master Station
• RBE can be polled or unsolicited


History of DNP3

• Distributed Network Protocol
• Developed by GE (previously Harris, Westronics)
• Based on early parts of IEC 870-5
• Turned over to Users Group in 1993
• DNP and IEC 870-5-101 have been specified in IEEE P1379
  • Recommended Practice for Data Communications Between Intelligent Electronic Devices and Remote Terminal Unit


Newton-Evans Research

1. DNP3 protocol is now the most popular protocol in use by global electric utilities.

2. Also the DNP LAN implementation led the way for planned use by both North American and international utilities.

Taken from “The World Market for Substation Automation and Integration Programs in Electric Utilities: 2000-2004” August 2000


DNP Today

• Vendor Products: >100 vendors, +250 DNP products and services
• Utilities/Industrials: used by >300 utilities and industrials worldwide
• Countries: used in over 32 countries
• Total Industry: $250 Million / year of DNP products and services
• Industries: Electric, Oil & Gas, Water and Industrial


DNP3 Topology

[Figure: DNP3 Topology. Labels: Master Station, Modem, Phone Line, Modem, Substation RTU, RS-232 Serial, Relay (x4), Engineer Terminal]


DNP3 Users Group

• Basic membership cost is $200 per year
• Members from:
  • Vendors
  • System Integrators
  • Utilities
  • Software developers
• Volunteers staff the following committees to manage the protocol:
  • Steering Committee
  • Technical Committee
  • Conformance Committee
  • Marketing Committee
  • Liaison Committee


DNP3 Technical Committee

• Technical Committee
  • Chairman: Andrew West, Invensys (Foxboro Australia)
  • Secretary: Grant Gilchrist, GE Energy Systems
• Meets via conference call once a month
• Meets in person once per year
• Daily interaction by Maillist
• Protocol evolution tracked by year, i.e. DNP3 2002


DNP3 Technical Committee

• Technical Committee = Managed Evolution
• Define new features, then update documentation and test procedures
• Clarify existing documentation when different interpretations exist
• A Controlled Standard, avoids multiple Vendor specific variations of the protocol


Utility Benefits

• Select products based on performance, not protocol
• Reduced training costs to learn only one protocol
• Greater availability of support services
• Able to participate directly in evolution of protocol via participation in User Group
• Evolving to continue to meet market needs


Vendor Benefits

• Avoid NRE charges to add/update new protocols for each new project
• Well documented, “proven” protocol
• Participate in development of common protocol instead of company protocol
• Large Utility Client Base
• Greater availability of 3rd party support services and Test Tools


Ensure Interoperability

[Figure: conformance flow. Labels: DNP3 UG Technical Committee, DNP3 Conformance Test Procedures, Independent Conformance Testing Company, Certificate of Conformance, Vendor, Products/Equipment, Utility *]

* The Utility will specify in all RFQs that a Certificate of Conformance is required


Interoperability Documents

The following documents are used to interface DNP3 Devices:

• DNP3 Device Profile Document
• DNP3 Implementation Table
• DNP3 Points List


Core Specification Documents

• DNP V3.0 Basic 4 Document Set
  • DNP V3.0 Data Link Layer
  • DNP V3.0 Transport Functions
  • DNP V3.0 Application Layer Specification
  • DNP V3.0 Data Object Library
• DNP V3.0 Subset Definitions Document (Level 1, 2, & 3)
• Conformance Test Procedures
• Technical Bulletins

All of these documents are available for download by DNP User Group members from the DNP web site.


OSI 7-Layer Model Compliance

DNP3 uses a simplified 3 layer version of the OSI 7 Layer model called EPA (Enhanced Performance Architecture)

7 - Application
6 - Presentation
5 - Session
4 - Transport
3 - Network
2 - Link
1 - Physical

DNP adds a Transport layer to permit messages larger than a data link frame


DNP Message Buildup

Application message = unlimited size
Transport fragment = 2048 bytes (max)
Data Link frame = 292 bytes (max)
Physical byte = 8 bits

• Receive goes up the stack, transmit goes down the stack.
• The data transmitted/received may fit into one data link frame, in which case multi-frame fragments or multi-fragment messages are not required.
• A single DNP application function is usually sent as a single application layer message, which can consist of many data link frames.


“Balanced” Link Layer

[Figure: exchange between Master and Slave. Request Message: [P] (User Data, Confirm Expected), then [S] (Acknowledgment). Response Message: [P] (User Data, Confirm Expected), then [S] (Acknowledgment). [P] = Primary Frame, [S] = Secondary Frame]


“Balanced” Link Layer

At the link layer, all devices are equal

Collision avoidance by one of the following:

• Full duplex point to point connection (RS232 or four wire RS485)
• Designated master polls rest of slaves on network
• Physical layer (CSMA/CD)


Device Addressing

• DNP3 Link contains both Source and Destination address
• Both are always 16 bits
• Application layer does not contain address

The provision of a source and destination address simplifies message routing in certain network topologies.

A DNP link address is a device’s logical address. A single physical device is permitted to respond to multiple addresses (contain multiple logical devices). Each device will appear to the master as a completely separate device.


Application Layer Features:

• Time Synchronization
• Time-stamped events
• Freeze/Clear Counters
• Select before operate
• Polled report by exception
• Unsolicited Responses
• Data groups/classes


Application Layer


Means of Retrieving Data

• Master/Slave Network
  • Polled Static
  • Polled Report by Exception
• Point to Point (or MAC)
  • Unsolicited Report by Exception
  • Quiescent Operation

Notes:

• Master/Slave Network - Slaves do not speak unless spoken to
• MAC = Media Access Control - CSMA/CD
• Polled Static - Class 0 or specific data request message sent to each device
• Polled Report by Exception - Class 1, 2, 3 request message sent to each device with occasional integrity (class 0) data poll.
• Unsolicited Report by Exception - most communication is unsolicited, but the Master occasionally sends integrity polls for class 0 Data to verify its database.
• Quiescent Operation - master never polls slave
• Last two modes are useful when communication medium is dial-up modem.


DNP3 LAN-WAN Features

• Puts entire DNP3 Stack on top of TCP/IP
• Became part of Standard in Nov 1998
• Makes use of widely available and inexpensive third-party products
• Specification also allows for use of UDP (connectionless) service


What’s Next for DNP3?

• Major revision to DNP3 Basic 4 Document set
• Address Security Issues
• DNP3 Master Conformance Test Procedures
• Double-Bit Status
• Output Event Objects
• Self Description
  • XML file approach
  • Define new protocol functionality


Security in DNP3

• Threat until recently was noise on the wire
• CRC bytes were actually called “Security” bytes in many protocol analyzers
• Most security provided by Physical isolation of network and lack of common knowledge about systems
• Since moving toward more network solutions, security has now become a priority
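
The link-frame facts from the Message Buildup, Device Addressing and Security slides, as an added example (not from the presentation or any Triangle MicroWorks code): it builds and parses a DNP3 link frame with 16-bit addresses and per-block CRCs, shows where the 292-byte maximum comes from, and checks that a flipped bit is rejected. The CRC-16/DNP parameters and the 16-octet block layout come from the DNP3 link layer specification rather than the slides; the control value and addresses are constructed sample values.

```python
import struct

START = b"\x05\x64"     # DNP3 link-layer start octets
MAX_USER_DATA = 250     # user-data octets that fit in one link frame
BLOCK = 16              # user data travels in 16-octet blocks, each with its own CRC


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, inverted output."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble one link frame: 8-octet header + CRC, then CRC-protected data blocks."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data does not fit in one link frame")
    # The length octet counts control + destination + source + user data.
    header = START + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate every CRC and return the addresses and user data; ValueError on damage."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    length, control, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if crc != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("length field too small")
    remaining, pos, data = length - 5, 10, b""
    while remaining:
        n = min(BLOCK, remaining)
        block, tail = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(tail) != 2:
            raise ValueError("truncated frame")
        if struct.unpack("<H", tail)[0] != crc16_dnp(block):
            raise ValueError("data block CRC mismatch")
        data, pos, remaining = data + block, pos + n + 2, remaining - n
    if pos != len(frame):
        raise ValueError("trailing octets after frame")
    return {"control": control, "dest": dest, "src": src, "user_data": data}


def detects_noise(frame: bytes, bit: int) -> bool:
    """Flip one bit, as line noise would, and report whether parsing rejects the frame."""
    damaged = bytearray(frame)
    damaged[bit // 8] ^= 1 << (bit % 8)
    try:
        parse_frame(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: control 0xC4, destination 1, source 1024, 250 octets of data.
    full = build_frame(0xC4, 1, 1024, bytes(range(250)))
    print(len(full), parse_frame(full)["src"], detects_noise(full, 100))
    # The CRC has no key, so a frame that passes these checks proves only that it
    # arrived undamaged, not which device built it.
```

A full frame is 10 header octets plus 250 data octets plus 16 block CRCs of 2 octets each, which gives the 292-byte maximum quoted on the Message Buildup slide.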


DNP3 User Group Plan for Security

• Form a Working Group within the DNP3 Technical Committee
• Will hire consultant to write Technical Bulletins
• Discussion so far has been on 2 solutions:
  • Encryption/decryption device placed at each end of the wire
  • Security Enhancements directly in the protocol


Self Description Using XML

• XML is an excellent standard that is naturally suited for these types of applications
• Primary benefit is “Plug & Play”, for faster and more accurate device install or replacement
• One data file contains information normally found in the DNP3 interoperability documents:
  • Device Profile Document
  • Implementation Table
  • Points List, including scaling and units information
• DNP3 Solution will build on existing models developed by IEC TC 57 Working Group 14 and/or UCA2
• Online or offline transfer of XML file to DNP3 Master


Offline Option

[Figure: offline option. Labels: DNP3 IED, DNP3 Master, DNP3 Slave, DNP3 Communications, DNP3 XML Device Profile]


Benefits of using XML Files Offline

• Can be applied to existing devices placed in operation years ago
• Does not interfere with real time communications
• Good for small devices that may not support DNP3 file transfer
• Requires no changes to DNP3 Embedded code
• All XML files can be stored in centralized network location


Online Option

[Figure: online option. Labels: IED Config Software, DNP3 Master, DNP3 Slave, DNP3 Communications, DNP3 XML Device Profile (transfer to device during configuration), DNP3 XML Device Profile (DNP3 File Transfer during first startup sequence)]


Benefits of using XML Files Online

• XML file is contained in device, always know where to find it
• Requires no changes to DNP3 Embedded code if already supports File Transfer
• Nominal effect on real time communications
• IED only transferring a file, does not need to know details of file or XML
• Can evolve without affecting Embedded code


Test Harness Demonstration

• Manual Commands
• Periodic Commands
• Toggle binary input to create unsolicited response
• TCL/TK Script for conformance testing

A full 21-day evaluation of the Test Harness may be downloaded from www.TriangleMicroWorks.com/downloads.htm.


Summary

DNP3 is:

• Well established in the Electrical Utility Industry
• Has an active users group that is eager to enhance the protocol to meet new requirements


DNP3 Users Group Web site

• All protocol documentation and meeting minutes posted on web site
• List of equipment supporting the protocol
• Join DNP3 maillist
• Next General meeting - February 2003 in Las Vegas

www.DNP.org


More Information on DNP3

IEEE P1379 - www.ieee.org

SCADA Mailing List - www.iinet.net.au/~ianw

Contact me, Jim Coats at: [email protected]

www.TriangleMicroWorks.com
(919) 870-6615