DNP3
Distributed Network Protocol — the SCADA protocol most widely used in North American power utilities and increasingly common in GB transmission. Plain-text by default; secured by IEC 62351-5.
Also: Distributed Network Protocol, DNP, IEEE 1815
DNP3 is a SCADA protocol defined in IEEE 1815-2012, originally specified by Westronic in 1990 and adopted as an open standard in 1993. It carries telemetry (analogue values, binary status), control commands (open/close breakers, change tap positions), file transfer, and time synchronisation between SCADA masters and outstation devices.
Where it sits
In a typical GB control architecture, DNP3 is the protocol between a substation gateway (or virtualised RTU) and the SCADA front-end at the regional control centre. It runs on TCP/20000 (or UDP, or serial); modern deployments are almost all TCP/IP.
DNP3 is not the protocol on the substation LAN itself. Inside the substation, the IEC 61850 stack (MMS, GOOSE, Sampled Values) carries the IED-to-IED and IED-to-gateway traffic. DNP3 begins at the substation gateway and goes northbound.
The security problem
The base protocol carries function codes, point readings, and control commands in plain text. Anyone with a packet capture can read it. Anyone with a packet generator can forge it. The original 1993 specification predates the assumption that SCADA networks would be reachable by anyone with malicious intent.
The mitigation is DNP3 Secure Authentication — specified by the DNP Users Group, standardised by the IEC as IEC 62351-5. SA doesn’t encrypt the payload; it adds an HMAC-based challenge/response so the outstation can verify a command actually came from an authorised master before executing it.
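The challenge/response idea described above, as an added example that is not part of the original page or of any DNP3 implementation: a simplified Python model in which the outstation issues a fresh challenge and the master binds the command to it with an HMAC. The class names, message layout, key handling and sample command are assumptions and do not follow the IEC 62351-5 wire format.

```python
import hashlib
import hmac
import secrets

# Simplified model of the challenge/response idea only. The message layout,
# class names and key handling are assumptions, not IEC 62351-5 wire formats.

class Outstation:
    def __init__(self, session_key: bytes):
        self._key = session_key
        self._seq = 0
        self._pending = None  # challenge currently awaiting a reply

    def challenge(self) -> bytes:
        """Issue a fresh challenge: sequence number plus random nonce."""
        self._seq += 1
        self._pending = self._seq.to_bytes(4, "big") + secrets.token_bytes(16)
        return self._pending

    def execute(self, command: bytes, tag: bytes) -> bool:
        """Accept the command only if the tag covers this challenge and command."""
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending + command, hashlib.sha256).digest()
        self._pending = None  # one-shot: a challenge is never reused
        return hmac.compare_digest(expected, tag)

class Master:
    def __init__(self, session_key: bytes):
        self._key = session_key

    def respond(self, challenge: bytes, command: bytes) -> bytes:
        """Bind the command to the outstation's challenge with an HMAC."""
        return hmac.new(self._key, challenge + command, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)           # constructed key for the demo
    rtu, scada = Outstation(key), Master(key)
    cmd = b"OPERATE breaker=12 state=OPEN"  # constructed; still sent unencrypted

    tag = scada.respond(rtu.challenge(), cmd)
    results = {"genuine": rtu.execute(cmd, tag)}
    # A captured command and tag replayed later meet a different challenge.
    rtu.challenge()
    results["replay"] = rtu.execute(cmd, tag)
    # A command altered in transit no longer matches its tag.
    tag2 = scada.respond(rtu.challenge(), cmd)
    results["tampered"] = rtu.execute(cmd.replace(b"OPEN", b"CLOSE"), tag2)
    return results
```

The command bytes remain readable on the wire in this model, matching the point that SA authenticates rather than encrypts.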
Most GB operators have not deployed SA across the substation gateway estate. The reason is rarely technical — it’s that the gateways in the field were specified before SA was widely supported, and refreshing the firmware across hundreds of sites is a multi-year programme that competes with everything else.
Why it shows up in the IT/OT conversation
DNP3 traffic crosses the boundary between substation networks and corporate WANs. Unlike GOOSE and Sampled Values (which stay on the substation LAN by design), DNP3 is the protocol that traverses public or semi-private network paths. It’s where IEC 62443 conduit design and IEC 62351 protocol security tend to bite hardest in practice.