Every time you flip a light switch, there's a good chance a protocol called DNP3 is involved in making that happen.

Most people have never heard of it. Most IT security professionals have never heard of it. And that gap — between how critical this protocol is and how little attention it gets — is exactly why I started writing about ICS/OT security.

This is my attempt to understand DNP3 from the ground up. Not a vendor whitepaper, not a conference talk — just someone learning in public and documenting what they find.


What is DNP3?

DNP3 stands for Distributed Network Protocol 3. It was developed in 1990 by Westronic Inc. — now known as GE Harris — and released publicly in 1993. At the time, the industry was struggling with a patchwork of proprietary protocols where every vendor spoke a different language, and getting their equipment to talk to each other was a constant headache. Westronic based DNP3 on early drafts of the IEC 60870-5 standard, which was still under development, and built something open and immediately deployable for the North American market. [^1]

The DNP Users Group took over maintenance of the protocol, and in 2010, the IEEE formally adopted it as IEEE Std 1815. [^2]

It was built specifically for communication between two types of components in a SCADA system:

  • Master stations — the control center, where operators monitor the system and send commands
  • Outstations — remote devices in the field: RTUs (Remote Terminal Units) and IEDs (Intelligent Electronic Devices)

Think of it this way: a utility company might have a substation 50 miles away with no one on site. DNP3 is how the control center communicates with that substation — checking sensor readings, opening and closing breakers, and monitoring for faults — without anyone physically being there.


Why DNP3 specifically?

DNP3 was designed for genuinely harsh environments. Electromagnetic interference from high-voltage equipment. Aging hardware that might be decades old. Poor or unreliable communication links — originally serial lines and radio, long before any of this ran over IP. [^1]

The protocol was built to be:

  • Reliable over noisy, low-bandwidth links
  • Interoperable across different vendors and devices — no more proprietary silos
  • Efficient — sending only changed data rather than polling everything constantly

It worked. DNP3 became the dominant SCADA protocol for electric utilities in North America and spread into water/wastewater, oil and gas, and transportation infrastructure. [^3]


Where DNP3 lives today

DNP3 is everywhere in critical infrastructure:

  • Electric transmission and distribution substations
  • Water treatment and distribution systems
  • Oil and gas pipelines
  • Gas utilities
  • Transportation control systems

It is not a niche protocol. It is foundational infrastructure that most people in the United States depend on without knowing it exists.


The security problem

Here's where it gets uncomfortable.

DNP3 was designed in 1993. The threat model in 1993 was: what if the communication link is noisy or unreliable? The threat model was not: what if an attacker is on the network, sending malicious commands?

As a result, the original DNP3 specification has no built-in authentication. None.

What that means in practice:

  • Any device on the network that speaks DNP3 can send commands to an outstation
  • There is no way for the outstation to verify that a command came from a legitimate master station
  • An attacker who gains access to the network can replay captured commands, spoof a master station, inject false data, or issue control commands directly to field devices

Known attack categories against DNP3 include replay attacks, man-in-the-middle interception, master station spoofing, and denial-of-service attacks via malformed packets. [^4]

This isn't hypothetical. In 2012, researcher Reid Wightman and the Digital Bond team conducted Project Basecamp — a systematic audit of widely-deployed ICS devices — and demonstrated how thoroughly the "insecure by design" nature of these devices could be exploited. The key finding wasn't a clever zero-day: it was that the attack capabilities were documented features. [^5] You didn't need to break anything. You just needed to show up on the network and speak the protocol.


Why hasn't this been fixed?

A Secure Authentication mechanism for DNP3 was first introduced in 2008, and version 5 (SAv5) was included in the IEEE 1815-2012 standard. SAv5 addresses spoofing, modification, replay attacks, and eavesdropping by requiring devices to mutually verify authenticity before executing commands. [^6]

The fix exists. The standard exists. So why are most DNP3 deployments still running without it?

Legacy equipment is the biggest barrier. DNP3 was designed with the acknowledgment that components would have expected lifetimes stretching into decades. [^2] Substations regularly run equipment from the 1990s and early 2000s. That equipment doesn't support SAv5 — and replacing it requires capital investment, regulatory coordination, and taking systems offline.

Interoperability problems make adoption harder. SAv5 has known interoperability challenges between different manufacturers. Deploying it successfully often requires working directly with manufacturers just to get devices communicating — the burden falls on the end user, not the vendor. Different versions of secure authentication (SAv2 and SAv5) are not mutually compatible, adding another layer of complexity. [^7]

Operational risk compounds everything. Upgrading firmware or replacing equipment in a live substation means accepting real operational risk during the maintenance window. In the energy sector, that's not a decision made lightly.

I think about this every time I connect a laptop to a radio programming cable at work. There's no authentication on that connection either. The attitude — "just don't let the bad guys get to our equipment" — is pervasive across mission-critical infrastructure of all kinds. It works until it doesn't.


The 2016 connection

This came into sharp focus for me when I started researching the 2016 Ukraine power grid attack (more on that in my next post). The malware used in that attack — called Industroyer by ESET and CRASHOVERRIDE by Dragos — was designed as a modular framework specifically for attacking power grid protocols. It included modules for IEC 101, IEC 104, and IEC 61850.

A DNP3 module was not found in the analyzed samples. But the malware was explicitly designed to support one. As Dragos researcher Robert M. Lee put it: "The way this framework is built, it would be very easy to switch in a DNP3 module, and you'd be able to replay this against portions of the US grid." [^8]

The DNP Users Group issued a security notice following the Industroyer discovery, recommending that member organizations implement DNP3 Secure Authentication as a priority step. [^9]


What defenders can do

I'm still early in understanding the defensive side of this, so I'll share what I've found so far without overclaiming:

Network segmentation is the most consistently recommended first step — keeping DNP3 traffic isolated, monitored, and separated from corporate IT networks. The 2015 Ukraine attack succeeded in part because legitimate VPN paths existed between corporate networks and OT networks. [^10]

Passive monitoring — tools that watch DNP3 traffic for anomalies without disrupting the protocol — is how most ICS-focused security vendors approach detection. Companies like Dragos, Claroty, and Nozomi Networks all offer protocol-aware monitoring.
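To make "anomalous versus normal polling" concrete, here is an added example of my own (not code from any vendor or source cited here) of the kind of rule a passive sensor can apply to per-request records. The CSV export format, the IP addresses and the master allow-list are assumptions; the function codes are the ones defined in IEEE 1815.

```python
import csv
import io
from collections import Counter, defaultdict
# DNP3 application-layer request function codes (IEEE 1815-2012).
# Routine polling is READ (0x01); the others change outstation state.
FC_NAMES = {0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
            0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
            0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART"}
STATE_CHANGING = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}
RESTARTS = {0x0D, 0x0E}

# Constructed sample as a passive sensor might export it (assumed format):
# 10.1.0.10 is the real master; 10.1.0.77 is an unexpected host talking DNP3.
SAMPLE_LOG = """\
ts,src,dst,fc
2024-01-01T10:00:00Z,10.1.0.10,10.2.0.5,0x01
2024-01-01T10:00:07Z,10.1.0.10,10.2.0.5,0x03
2024-01-01T10:00:07Z,10.1.0.10,10.2.0.5,0x04
2024-01-01T10:00:10Z,10.1.0.10,10.2.0.5,0x01
2024-01-01T10:01:12Z,10.1.0.77,10.2.0.5,0x01
2024-01-01T10:01:13Z,10.1.0.77,10.2.0.5,0x05
2024-01-01T10:01:14Z,10.1.0.77,10.2.0.5,0x0D
"""

def parse(log_text):
    """Yield (ts, src, dst, fc) tuples from the CSV export."""
    for row in csv.DictReader(io.StringIO(log_text)):
        yield row["ts"], row["src"], row["dst"], int(row["fc"], 16)

def profile(log_text):
    """Count function codes per source: a healthy master is dominated by READ."""
    counts = defaultdict(Counter)
    for _, src, _, fc in parse(log_text):
        counts[src][FC_NAMES.get(fc, f"FC_{fc:#04x}")] += 1
    return counts

def detect(log_text, known_masters):
    """Return (ts, severity, reason) alerts. Base DNP3 carries no
    authenticator, so the source address is the only thing a passive
    sensor can compare against the expected list of masters."""
    alerts = []
    for ts, src, dst, fc in parse(log_text):
        name = FC_NAMES.get(fc, f"FC_{fc:#04x}")
        if src not in known_masters and fc in STATE_CHANGING:
            alerts.append((ts, "high", f"{name} to {dst} from unknown source {src}"))
        elif src not in known_masters:
            alerts.append((ts, "medium", f"{name} to {dst} from unknown source {src}"))
        elif fc in RESTARTS:
            # Restarts from the real master are rare enough to deserve a ticket.
            alerts.append((ts, "low", f"{name} to {dst} by master {src}"))
    return alerts
```

Run against the sample, the real master's SELECT/OPERATE pair passes silently while the unknown host's poll, DIRECT_OPERATE and COLD_RESTART each produce an alert.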

DNP3 Secure Authentication (SAv5) should be deployed wherever it is operationally feasible. It won't happen overnight across the industry, but any new deployment should include it.

CISA guidance is worth reading directly. CISA's ICS-CERT has published advisories on DNP3 vulnerabilities and defensive practices, and their Seven Steps to Effectively Defend Industrial Control Systems is widely cited. [^11]


What I'm still figuring out

One thing I want to do differently on this blog is be honest about the edges of my understanding. After researching this, here's what I'm still working through:

  • How exactly does SAv5 key management work in practice across hundreds of remote devices — and who actually manages that in a real utility?
  • What does passive DNP3 monitoring look like from a defender's perspective? What does "anomalous" DNP3 traffic actually look like versus normal polling?
  • How much of the US grid is actually running SAv5 today? I couldn't find a reliable current estimate.

If you know the answers to any of those — or if I got something wrong — I genuinely want to hear from you.


Further reading

[^1]: Real Time Automation — DNP3 Overview — Clean technical overview of the protocol's history and design philosophy.

[^2]: Wikipedia — DNP3 — Surprisingly detailed. Good starting point for the IEEE standardization history.

[^3]: Infosec Institute — Modbus, DNP3 and HART — Compares DNP3 to Modbus in the context of SCADA security. Useful framing.

[^4]: Veridify Security — DNP3 Cybersecurity Risks — Covers the main attack categories against DNP3 in plain language.

[^5]: Digital Bond — Project Basecamp GitHub — The original Basecamp repository. Read the README for the full scope of what was found.

[^6]: ResearchGate — Introducing Secure Authentication Version 5 for DNP3 — Technical paper on the differences between SAv2 and SAv5.

[^7]: SEL — All About Eve: Comparing DNP3 Secure Authentication With Standard Security — Honest account of real-world SAv5 deployment challenges from a utility perspective.

[^8]: Vice/Motherboard — The Malware Used Against the Ukrainian Power Grid Is More Dangerous Than Anyone Thought — Robert M. Lee quote on DNP3 module extensibility.

[^9]: DNP Users Group Security Notice — CrashOverride/Industroyer — Official DNP Users Group response to the Industroyer disclosure.

[^10]: E-ISAC/SANS — Analysis of the Cyber Attack on the Ukrainian Power Grid — The definitive technical analysis of the 2015 attack. Required reading.

[^11]: CISA — ICS-CERT Advisories — Start here for current ICS vulnerability advisories.


Brenda Suarez is a telecom technician and ICS/OT security researcher focused on energy sector critical infrastructure. Dead Reckoning documents her journey learning this field in public.