2. Matt Michael

3. Presentation Overview Motivation DNP3 overview Available decoders Implementation details Example of use of decoder

4. Motivation I needed to learn about DNP3 to perform the investigation. Alarms from sectionalizing switch controllers needed investigation. 01/07/11 11:26:23 Z785 UNKNOWN OBJECT REQUEST DETECTED

5. Sectionalizing switch Used to reconfigure distribution network for maintenance or repairs [http://www.sandc.com/edocs_pdfs/ EDOC_001894.pdf]

6. DNP3 History Developed by Westronic to provide a common communication protocol for the utility industry. Used some work from IEC 870-5 Intended to be usable on 1200 bps links, so limited the amount of data to be sent, but still provide many features.

7. DNP3 Feature Overview Broadcasting. Select-Before-Operate – Or Not. Time-Stamped Data. Accurate Time Synchronization. Quality Flags. Multiple Data Formats. Scan Groups. Layer Separation. Report-by-Exception. Internal Indications. [§1.5 DNP3 Specification Vol. 1]

8. DNP3 has layers: Data Link Layer Transport Function Application Layer [Fig. 2.1-1 DNP3 Specification Vol. 1]

9. Data Link Layer [p.34 DNP3 Specification Vol. 1]

10. Transport Function [p.33 DNP3 Specification Vol. 1]

11. Application Layer [p.32 DNP3 Specification Vol. 1]

12. Objects, Groups and Variations [p.9 DNP3 Specification Vol. 2]

13. DNP3 Conformance

14. Those Unknown Object Requests? Different ways to tell the IED what time it is SCADA system only sends Object Group 50 Variation 2 Switch controller only knows about Object Group 50 Variation 1

15. DNP3 is not trivial to decipher [p.33 DNP3 Specification Vol. 1]

16. SCADA vendor’s tool is limited

17. Wireshark has better decoding

18. Commercial products ProductManufacturerPrice NetDecoderFrontline$995 Smart Protocol AnalyzerImperious Tech.$999 DNP Demon SnifferSCADASOFT$1,439 ASE2000 RTU Test SetApplied Systems Engineeringquote required CPTTReal Thoughtsquote required

19. Write my own and learn Get the features I want: Command-line Text output so can use tools like tail and grep Runs on Linux machine that runs SCADA communication software Provide motivation to learn details of DNP3 Specification is in 8 volumes plus appendices

20. Master and outstation

21. DNP3 has layers… Data Link Layer Transport Function Application Layer

22. but my decoder doesn’t

23. Implementation details, part 1

24. Implementation details, part 2 DNP3 “magic numbers” means lots of constants had to be defined

25. Implementation details, part 3 Net::PcapUtils makes using libpcap easy

26. Implementation details, part 4

27. Implementation details, part 5

28. Implementation details, part 6

29. Implementation details, part 7

30. dnpdecode.pl operation Has to run with root permissions for libcap access to NIC Single line of text for each DNP3 packet

31. Too many objects and variations 45 object groups, each with up to 10 variations Not enough time to write decoding subroutines for them all, so resort to hex dump for most objects:

32. dnpdecode.pl output for control operation, part 1 Master issues a select Master is 192.168.5.155, outstation 192.168.5.1 DNP source address 100, destination address 1 “ SLCT ” is abbreviation for Select The operation is a Pulse On (“ PULSEON ”), on for 250ms and off for 125ms.

33. dnpdecode.pl output for control operation, part 2 Outstation responds (“ RESP ”) Echoes what the master sent so that master can be sure the message was correctly received

34. dnpdecode.pl output for control operation, part 3 Master issues command to perform operation Same information as the Select step, but is now an Operate (“ OPRT ”) command.

35. dnpdecode.pl output for control operation, part 4 Outstation responds with an error This outstation does not support a Pulse On operation for the selected point so responds with NOT_SUPPORTED.

36. Conclusion I learned a lot about DNP3 – mostly that it is complex!

37. Thank you Questions? mmichael@vandals.uidaho.edu