DNP3
What is DNP3?
Distributed Network Protocol 3, an event-driven ICS protocol used in electric utilities, water, and oil & gas to communicate between SCADA masters and remote outstations.
DNP3 (Distributed Network Protocol 3) is a layered, event-driven ICS protocol widely deployed in electric, water, and oil & gas utilities, especially in North America. It uses unsolicited responses, time-stamped event data, and class-based polling to efficiently report changes from RTUs and IEDs to SCADA masters over serial or TCP/IP (port 20000). Base DNP3 has no authentication and is well-known to fuzzing tools, so unprotected networks are vulnerable to spoofed control commands, time-bomb data injection, and denial of service. DNP3 Secure Authentication (defined in IEC 62351-5) adds challenge-response message integrity using HMAC, and modern deployments wrap DNP3 in TLS or place it behind data diodes and ICS-aware firewalls.
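To make the link-layer framing and the "no authentication" point concrete, the following Python is an added example (not code from the page or from any DNP3 implementation). It parses a DNP3 link-layer frame, verifies the header and data-block CRCs (CRC-16/DNP), extracts the application-layer function code, and reports control requests such as DIRECT_OPERATE that arrive from a master address missing from the outstation's allow-list. The allow-list, the DNP3 addresses (1, 10, 99) and the sample frames are constructed for the example; because base DNP3 carries no authentication, the source address is as spoofable as the rest of the frame, so this check is a monitoring aid that complements, and does not replace, Secure Authentication or TLS.

```python
"""Added example: parse a DNP3 link-layer frame, verify its CRCs and flag
control requests from master addresses that are not on an allow-list.
Not code from the page or from any DNP3 implementation."""
from __future__ import annotations
from dataclasses import dataclass

DNP3_START = b"\x05\x64"
CRC_POLY_REFLECTED = 0xA6BC   # CRC-16/DNP: polynomial 0x3D65, bit-reversed for LSB-first shifting
LINK_HEADER_LEN = 10          # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
DATA_BLOCK_LEN = 16           # user data travels in 16-byte blocks, each followed by a 2-byte CRC

# Application-layer function codes used by the check (a subset of the standard list)
APP_FUNCTION_NAMES = {
    0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
    0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE",
}
CONTROL_FUNCTIONS = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0x0000, final XOR 0xFFFF (check value for b"123456789" is 0xEA82)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class LinkFrame:
    length: int        # LEN field: control + dest + src + user data, CRCs excluded
    control: int       # DIR | PRM | FCB | FCV | link function code
    destination: int
    source: int
    user_data: bytes   # transport header + application fragment, block CRCs stripped

    @property
    def from_master(self) -> bool:
        return bool(self.control & 0x80)   # DIR bit set: master -> outstation

    @property
    def app_function(self) -> int | None:
        # user_data = transport header (1) + application control (1) + function code (1) + objects
        return self.user_data[2] if len(self.user_data) >= 3 else None


def parse_frame(raw: bytes) -> LinkFrame:
    """Validate the start bytes and every CRC, then return the decoded frame."""
    if raw[:2] != DNP3_START:
        raise ValueError("missing 0x05 0x64 start bytes")
    if len(raw) < LINK_HEADER_LEN:
        raise ValueError("truncated link header")
    if crc16_dnp(raw[:8]) != int.from_bytes(raw[8:10], "little"):   # header CRC covers 8 bytes
        raise ValueError("link header CRC mismatch")
    length, control = raw[2], raw[3]
    dest = int.from_bytes(raw[4:6], "little")
    src = int.from_bytes(raw[6:8], "little")
    user, pos, remaining = bytearray(), LINK_HEADER_LEN, length - 5
    while remaining > 0:
        n = min(DATA_BLOCK_LEN, remaining)
        block = raw[pos:pos + n]
        if len(block) != n or len(raw) < pos + n + 2:
            raise ValueError("truncated data block")
        if crc16_dnp(block) != int.from_bytes(raw[pos + n:pos + n + 2], "little"):
            raise ValueError("data block CRC mismatch")
        user += block
        pos, remaining = pos + n + 2, remaining - n
    return LinkFrame(length, control, dest, src, bytes(user))


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a frame with correct CRCs; used here only to construct sample input."""
    header = DNP3_START + bytes([5 + len(user_data), control])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    out = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), DATA_BLOCK_LEN):
        block = user_data[i:i + DATA_BLOCK_LEN]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)


def inspect(raw: bytes, allowed_masters: set[int]) -> list[str]:
    """Return findings for one frame; an empty list means nothing to report."""
    try:
        frame = parse_frame(raw)
    except ValueError as err:
        return [f"malformed frame: {err}"]
    if not frame.from_master or frame.source in allowed_masters:
        return []
    fc = frame.app_function
    name = APP_FUNCTION_NAMES.get(fc, f"0x{fc:02X}") if fc is not None else "no application data"
    kind = "CONTROL" if fc in CONTROL_FUNCTIONS else "non-control"
    return [f"{kind}: {name} request from unlisted master {frame.source} "
            f"to outstation {frame.destination}"]


# Constructed samples with hypothetical addresses: master 1 is legitimate, 99 is not.
# User data = transport 0xC0 (FIR|FIN) + application control 0xC0 + function code; objects omitted.
SAMPLE_CLASS_POLL = build_frame(0xC4, 10, 1, b"\xC0\xC0\x01")      # READ from master 1
SAMPLE_ROGUE_OPERATE = build_frame(0xC4, 10, 99, b"\xC0\xC0\x05")  # DIRECT_OPERATE from 99

if __name__ == "__main__":
    for sample in (SAMPLE_CLASS_POLL, SAMPLE_ROGUE_OPERATE):
        print(sample.hex(" "), "->", inspect(sample, {1}) or "ok")
```

Running the block prints the two constructed frames and the finding for the DIRECT_OPERATE from address 99. The CRC check matters for monitoring as much as for integrity: a frame whose header was rewritten without recomputing the CRC is rejected before any address logic runs, which is why the test below flips the source byte and expects a "malformed frame" result rather than a silently re-attributed request.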
● Examples
- An electric utility SCADA master polling substation IEDs over DNP3/TCP.
- A gas pipeline RTU sending unsolicited pressure events to a control center.
● Frequently asked questions
What is DNP3?
Distributed Network Protocol 3, an event-driven ICS protocol used in electric utilities, water, and oil & gas to communicate between SCADA masters and remote outstations. It belongs to the OT / ICS / IoT category of cybersecurity.
What does DNP3 mean?
Distributed Network Protocol 3, an event-driven ICS protocol used in electric utilities, water, and oil & gas to communicate between SCADA masters and remote outstations.
How does DNP3 work?
DNP3 (Distributed Network Protocol 3) is a layered, event-driven ICS protocol widely deployed in electric, water, and oil & gas utilities, especially in North America. It uses unsolicited responses, time-stamped event data, and class-based polling to efficiently report changes from RTUs and IEDs to SCADA masters over serial or TCP/IP (port 20000). Base DNP3 has no authentication and is well-known to fuzzing tools, so unprotected networks are vulnerable to spoofed control commands, time-bomb data injection, and denial of service. DNP3 Secure Authentication (defined in IEC 62351-5) adds challenge-response message integrity using HMAC, and modern deployments wrap DNP3 in TLS or place it behind data diodes and ICS-aware firewalls.
How do you defend against DNP3?
Defences for DNP3 typically combine technical controls and operational practices: DNP3 Secure Authentication (IEC 62351-5) for challenge-response message integrity, wrapping DNP3 in TLS, and placing outstations behind data diodes and ICS-aware firewalls, as detailed in the full definition above.
What are other names for DNP3?
Common alternative names include: Distributed Network Protocol 3, DNP3 SA, IEEE 1815.
● Related terms
- SCADA: Supervisory Control and Data Acquisition systems that gather telemetry from remote field devices and let operators monitor and command large industrial processes.
- Industrial Control System (ICS): An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- Modbus: A simple, openly documented industrial protocol for polling registers and coils on PLCs, RTUs, and field devices, available over serial (RTU/ASCII) and TCP.
- OPC UA: OPC Unified Architecture, a service-oriented industrial protocol with built-in authentication and encryption used to exchange semantic data across OT and IT systems.
- Industroyer / CrashOverride: Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
- IEC 62443: The IEC family of standards for the cybersecurity of industrial automation and control systems, addressing asset owners, integrators, and product suppliers.