DNP3/TCP Decoder

1. DNP3/TCP Decoder Matt Michael

2. Presentation Overview • Motivation • DNP3 overview • Available decoders • Implementation details • Example of use of decoder

3. Motivation • I needed to learn about DNP3 to perform the investigation. • Alarms from sectionalizing switch controllers needed investigation. 01/07/11 11:26:23 Z785 UNKNOWN OBJECT REQUEST DETECTED

4. Sectionalizing switch • Used to reconfigure distribution network for maintenance or repairs [http://www.sandc.com/edocs_pdfs/EDOC_001894.pdf]

5. DNP3 History • Developed by Westronic to provide a common communication protocol for the utility industry. • Used some work from IEC 870-5 • Intended to be usable on 1200 bps links, so limited the amount of data to be sent, but still provide many features.

6. DNP3 Feature Overview • Broadcasting. • Select-Before-Operate – Or Not. • Time-Stamped Data. • Accurate Time Synchronization. • Quality Flags. • Multiple Data Formats. • Scan Groups. • Layer Separation. • Report-by-Exception. • Internal Indications. [§1.5 DNP3 Specification Vol. 1]

7. DNP3 has layers: • Data Link Layer • Transport Function • Application Layer [Fig. 2.1-1 DNP3 Specification Vol. 1]

8. Data Link Layer [p.34 DNP3 Specification Vol. 1]

9. Transport Function [p.33 DNP3 Specification Vol. 1]

10. Application Layer [p.32 DNP3 Specification Vol. 1]

11. Objects, Groups and Variations [p.9 DNP3 Specification Vol. 2]

12. DNP3 Conformance

13. Those Unknown Object Requests? • Different ways to tell the IED what time it is • SCADA system only sends Object Group 50 Variation 2 • Switch controller only knows about Object Group 50 Variation 1

14. DNP3 is not trivial to decipher [p.33 DNP3 Specification Vol. 1]

15. SCADA vendor’s tool is limited

16. Wireshark has better decoding

17. Commercial products

18. Write my own and learn • Get the features I want: • Command-line • Text output so can use tools like tail and grep • Runs on Linux machine that runs SCADA communication software • Provide motivation to learn details of DNP3 • Specification is in 8 volumes plus appendices

19. Master and outstation

20. DNP3 has layers… • Data Link Layer • Transport Function • Application Layer

21. but my decoder doesn’t

22. Implementation details, part 1

23. Implementation details, part 2 DNP3 “magic numbers” means lots of constants had to be defined

24. Implementation details, part 3 Net::PcapUtils makes using libpcap easy

25. Implementation details, part 4

26. Implementation details, part 5

27. Implementation details, part 6

28. Implementation details, part 7

29. dnpdecode.pl operation • Has to run with root permissions for libcap access to NIC • Single line of text for each DNP3 packet

30. Too many objects and variations • 45 object groups, each with up to 10 variations • Not enough time to write decoding subroutines for them all, so resort to hex dump for most objects:

31. dnpdecode.pl output for control operation, part 1 • Master issues a select • Master is 192.168.5.155, outstation 192.168.5.1 • DNP source address 100, destination address 1 • “SLCT” is abbreviation for Select • The operation is a Pulse On (“PULSEON”), on for 250ms and off for 125ms.

32. dnpdecode.pl output for control operation, part 2 • Outstation responds (“RESP”) • Echoes what the master sent so that master can be sure the message was correctly received

33. dnpdecode.pl output for control operation, part 3 • Master issues command to perform operation • Same information as the Select step, but is now an Operate (“OPRT”) command.

34. dnpdecode.pl output for control operation, part 4 • Outstation responds with an error • This outstation does not support a Pulse On operation for the selected point so responds with NOT_SUPPORTED.

35. Conclusion • I learned a lot about DNP3 – mostly that it is complex!

36. Thank you • Questions? mmichael@vandals.uidaho.edu