DNPSec: Distributed Network Protocol Version 3 (DNP3) security framework

Cited by: 39
Authors
Majdalawieh, Munir [1, 2]
Parisi-Presicce, Francesco [2]
Wijesekera, Duminda [2]
Affiliations
[1] Amer Univ Sharjah, Sharjah, U Arab Emirates
[2] George Mason Univ, Fairfax, VA 22030 USA
Source
ADVANCES IN COMPUTER, INFORMATION, AND SYSTEMS SCIENCES AND ENGINEERING | 2006
Keywords
SCADA; DNP3; DNPSec;
DOI
10.1007/1-4020-5261-8_36
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
Distributed Network Protocol Version 3 (DNP3) is an open and optimized protocol developed for the Supervisory Control and Data Acquisition (SCADA) Systems supporting the utilities industries. The DNP3 enables the Master Station to request data from Substations using pre-defined control function commands and Substations to respond by transmitting the requested data. DNP3 was never designed with security mechanisms in mind and therefore the protocol itself lacks any form of authentication or encryption. Discussion so far has been centered on two solutions to provide security for SCADA: cryptographic technologies placed at each end of the communication medium, or security enhancements placed directly in the protocol. This paper recommends a new Distributed Network Protocol Version 3 Security (DNPSec) framework to enable confidentiality, integrity, and authenticity placed directly in the DNP3. Such a framework requires some modifications in the data structure of the DNP3 Data Link layer. Our main goal is to address the threats related to confidentiality, integrity, and authenticity in the DNP3 as part of SCADA architecture, with a minimum performance impact on the communication link, and without requiring modification to the much more expensive Master Station and Substation devices and the applications supporting them.
Pages: 227 / +
Page count: 2