detecting-dnp3-protocol-anomalies


Detecting DNP3 Protocol Anomalies

When to Use

  • When monitoring SCADA systems in the energy sector where DNP3 is the primary protocol
  • When building detection rules for DNP3-based attacks against RTUs and substations
  • When investigating suspected unauthorized control commands sent via DNP3
  • When deploying IDS with DNP3 deep packet inspection at utility substations
  • When responding to alerts from OT monitoring platforms about DNP3 traffic anomalies

Do not use this skill for non-DNP3 protocol monitoring (see detecting-modbus-command-injection-attacks for Modbus), for configuring DNP3 Secure Authentication (a separate implementation), or for protocol-agnostic network anomaly detection.

Prerequisites

  • Network TAP/SPAN on the DNP3 communication segments (TCP port 20000 by default, or a serial tap on serial links)
  • Baseline of normal DNP3 traffic (masters, outstations, poll intervals, function codes in use)
  • Suricata or Zeek with the DNP3 protocol parser enabled
  • Understanding of the DNP3 function codes and object groups used in the environment
  • DNP3 communication topology map (which master talks to which outstations)
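
As an added example (not code from this skill or from any project it refers to), the script below shows what the baseline and topology prerequisites turn into once you write detection logic. It parses raw DNP3 link-layer frames, verifies the header and data-block CRCs, pulls out the source and destination link addresses and the application-layer function code, and compares each frame against a constructed baseline: known masters, known outstations, the master-to-outstation links seen during baselining, and the function codes those links normally carry. Everything in BASELINE, the link addresses and the sample frames are made up for illustration; the frame layout, the CRC-16/DNP parameters and the function-code table follow the DNP3 standard. It goes one step beyond the list above by also flagging CRC failures, since a damaged or hand-assembled frame is itself worth surfacing.

```python
# Added example, not from the skill page or any project: parse raw DNP3 frames and
# check each one against a constructed baseline. Addresses, BASELINE and the sample
# frames are made up; framing, CRC and function codes follow the DNP3 standard.
import struct
from collections import namedtuple

START = b"\x05\x64"
REQUEST_FC = ("CONFIRM READ WRITE SELECT OPERATE DIRECT_OPERATE DIRECT_OPERATE_NR "
              "IMMED_FREEZE IMMED_FREEZE_NR FREEZE_CLEAR FREEZE_CLEAR_NR FREEZE_AT_TIME "
              "FREEZE_AT_TIME_NR COLD_RESTART WARM_RESTART INITIALIZE_DATA INITIALIZE_APPL "
              "START_APPL STOP_APPL SAVE_CONFIG ENABLE_UNSOLICITED DISABLE_UNSOLICITED "
              "ASSIGN_CLASS DELAY_MEASURE RECORD_CURRENT_TIME OPEN_FILE CLOSE_FILE DELETE_FILE "
              "GET_FILE_INFO AUTHENTICATE_FILE ABORT_FILE ACTIVATE_CONFIG AUTHENTICATE_REQ "
              "AUTH_REQ_NO_ACK").split()
FUNCTION_CODES = dict(enumerate(REQUEST_FC))
FUNCTION_CODES.update({129: "RESPONSE", 130: "UNSOLICITED_RESPONSE", 131: "AUTHENTICATE_RESP"})
# Request codes that change outstation state; any not seen during baselining is suspect.
CONTROL_FCS = {2, 3, 4, 5, 6, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 31}
# Hypothetical baseline of the kind the prerequisites call for (constructed values).
BASELINE = {
    "masters": {1},
    "outstations": {10, 11},
    "links": {(1, 10), (1, 11)},    # (master, outstation) pairs seen in normal traffic
    "allowed_fc": {0, 1, 20, 23},   # CONFIRM, READ, ENABLE_UNSOLICITED, DELAY_MEASURE
}
Frame = namedtuple("Frame", "src dst from_master app_fc crc_ok")  # app_fc is None if absent


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, reflected, result inverted.
    Covers the 8-byte link header and every data block; sent low byte first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def parse_frame(raw: bytes) -> Frame:
    """Link header 05 64, LEN, CTRL, DST, SRC, CRC; then <=16-byte data blocks, each with a CRC."""
    if len(raw) < 10 or raw[:2] != START:
        raise ValueError("not a DNP3 frame")
    length, ctrl = raw[2], raw[3]
    dst, src = struct.unpack("<HH", raw[4:8])
    crc_ok = struct.unpack("<H", raw[8:10])[0] == dnp3_crc(raw[:8])
    user, pos, remaining = b"", 10, length - 5   # LEN counts CTRL + DST + SRC + user data
    while remaining > 0:
        n = min(16, remaining)
        if len(raw) < pos + n + 2:
            raise ValueError("truncated frame")
        block, crc = raw[pos:pos + n], struct.unpack("<H", raw[pos + n:pos + n + 2])[0]
        crc_ok = crc_ok and crc == dnp3_crc(block)
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    # user[0] is the transport header; the application header (control byte, function
    # code) is present only in the first segment (FIR bit set) of a fragment.
    app_fc = user[2] if len(user) >= 3 and user[0] & 0x40 else None
    return Frame(src, dst, bool(ctrl & 0x80), app_fc, crc_ok)   # 0x80 = DIR (from master)


def check_frame(frame, baseline=BASELINE):
    """Baseline deviations for one frame; an empty list means normal traffic."""
    findings = []
    if not frame.crc_ok:
        findings.append("bad_crc")
    if not frame.from_master:
        if frame.src not in baseline["outstations"]:
            findings.append(f"unknown_outstation:{frame.src}")
        return findings
    if frame.src not in baseline["masters"]:
        findings.append(f"unknown_master:{frame.src}")
    if (frame.src, frame.dst) not in baseline["links"]:
        findings.append(f"unexpected_link:{frame.src}->{frame.dst}")
    fc = frame.app_fc
    if fc is not None and fc not in FUNCTION_CODES:
        findings.append(f"unknown_fc:{fc}")
    elif fc in CONTROL_FCS and fc not in baseline["allowed_fc"]:
        findings.append(f"control_fc:{FUNCTION_CODES[fc]}")
    return findings


def build_frame(src, dst, app_fc, from_master=True, objects=b"", seq=0) -> bytes:
    """Hypothetical helper producing a single-fragment frame as sample traffic."""
    user = bytes([0xC0 | seq, 0xC0 | seq, app_fc]) + objects  # transport FIR|FIN, app FIR|FIN
    ctrl = (0x80 if from_master else 0) | 0x40 | 0x04          # DIR, PRM, unconfirmed user data
    header = START + bytes([5 + len(user), ctrl]) + struct.pack("<HH", dst, src)
    out = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user), 16):
        out += user[i:i + 16] + struct.pack("<H", dnp3_crc(user[i:i + 16]))
    return out


# Group 12 var 1 (CROB), 1-byte index qualifier, point 0, LATCH_ON: constructed control payload.
CROB_LATCH_ON = b"\x0c\x01\x17\x01\x00" + b"\x03\x01" + b"\x00" * 8 + b"\x00"
_corrupt = bytearray(build_frame(1, 11, 1))
_corrupt[-1] ^= 0xFF   # flip a CRC byte to simulate a damaged or hand-assembled frame
SAMPLE_FRAMES = [
    build_frame(1, 10, 1),                          # routine READ poll from the known master
    build_frame(1, 10, 5, objects=CROB_LATCH_ON),   # DIRECT_OPERATE from the real master
    build_frame(7, 11, 13),                         # COLD_RESTART from an address never baselined
    build_frame(10, 1, 129, from_master=False),     # normal RESPONSE from outstation 10
    bytes(_corrupt),
]


def scan(frames):
    return [(i, check_frame(parse_frame(f))) for i, f in enumerate(frames)]
```

Run `scan(SAMPLE_FRAMES)` to see one finding list per frame: the READ poll and the RESPONSE come back clean, the DIRECT_OPERATE is reported as a control function code the baseline never saw even though it comes from the legitimate master, the COLD_RESTART is reported three times over (unknown master, unexpected link, control code), and the last frame fails its CRC. In production the parsing half is what Suricata's or Zeek's DNP3 parser already does; the checks are the part you turn into rules. Poll-interval deviations are not covered here and need per-link timing state on top of this.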

First seen: Mar 16, 2026