A Linux-based firewall for the DNP3 protocol
Jeyasingam Nivethan Mauricio Papa
Tandy School of Computer Science
University of Tulsa
Tulsa, OK 74104
Email:
[email protected]
Email:
[email protected]
Abstract—Firewall solutions, specifically designed for smart
power grids and other industrial control systems, are quite
limited, with only a few commercial offerings. This paper presents
a novel methodology that extends existing Linux-based firewalls
for use in systems that use DNP3 protocol for industrial control.
The proposed solution uses the u32 byte-matching feature of
the iptables firewall, a firewall solution available in most Linux
distributions. To demonstrate the approach, filtering rules for
common attacks on the DNP3 protocol were developed. DNP3
is an industrial control protocol typically used in the electric
power sector. The main goal of our work is to leverage an openly
available and robust firewall solution for use in protecting the
U.S. smart grid. The prototype was tested on a scaled-down
electric power substation which runs the DNP3 protocol for
communication between the field devices and the SCADA master.
I. I NTRODUCTION
DNP3 (Distributed Network Protocol Version 3.0) is one
of the most popular Industrial Control System (ICS) protocol
[1], widely known for its use in the Electric power sector
in the U.S. and around the world. According EPRI [2], it is
estimated that more than 75% of the Electric power utilities in
the US use DNP3. Originally developed as a serial protocol,
DNP3 (as most ICS protocols) has been modernized and is
now transported over TCP/IP. The use of commodity Ethernet
hardware and TCP/IP for communication provides a good
solution in terms of maintenance and operational costs. If
not adequately protected, the use of TCP/IP may expose
these delicate systems to the larger Internet. This results in
increased risk by making them potential targets for cyber-
attacks. While it is possible to isolate the ICS from the Internet,
if not done correctly, an attacker or malware could still gain
access to the control network and cause serious damage to
the physical components and the infrastructure. In 2014, the
Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) received and responded to 245 security incidents
from various industrial control systems. [3] Of those 245
incidents, more than half involved persistent threats associated
with sophisticated actors. It is important to note that of all the
sectors reporting to ICS-CERT, the energy sector accounts for
the majority of the reported incidents (32% of all reported
incidents). This is a clear indication that further research
is needed to better protect the Energy sector. Firewalls are
commonly used to protect networks from malicious attacks.
When protecting ICS, it is critical that firewalls be able
Tandy School of Computer Science
University of Tulsa
Tulsa, OK 74104
to recognize the various packet fields used by the control
protocol. By doing so, the firewall has the ability to filter
protocol-specific attacks. Some commercial vendors provide
firewall solutions for certain ICS protocols (such as Modbus,
which is used by the oil & gas sector, and DNP3). Cisco
provides DNP3 specific signatures for some of their firewalls
[4]. Raidflow provides DNP3 packet filtering capabilities with
its 1031 Secure Ruggedized Gateway [5]. On the other hand,
there have not been any significant efforts made to use open
source firewalls to filter DNP3 network traffic. Open source
firewalls, such as Linux iptables have been successfully used
in IT networks to protect mission critical systems [6]. This
paper presents a novel approach for the generation of DNP3
specific iptables filtering rules. The proposed solution uses
an advanced feature of iptables to inspect the payload of a
DNP3 message and to identify suspicious DNP3 commands.
In addition, we also present a set of rules for the most common
attacks on the DNP3 protocol. These rules allow iptables to
recognize specific DNP3 protocol packet fields and go beyond
basic TCP/IP filtering capabilities. The goal of this research
effort is to provide an effective and openly available DNP3
firewall solution that advances the security posture of the
Energy sector.
II. BACKGROUND
DNP3 is a SCADA protocol originally designed for serial
communication (like other traditional SCADA protocols). As
with many other protocols, DNP3 has been extended to allow
the use of TCP/IP as the transport mechanism for DNP3
messages. The TCP/IP extension simply encapsulates an entire
DNP3 frame with TCP/IP headers, i.e., the encapsulation
preserves the original pseudo-transport and link layer header
and payload. Therefore a DNP3 packet sent over the TCP/IP
(or UDP/IP) will also have DNP3 data-link and pseudo-
transport header fields. The DNP3 pseudo-transport layer and
link layer were part of the communication stack for serial
connections. A DNP3/TCP packet (Figure 1) will have an
Ethernet header, an IP header, and a TCP header. Then within
the TCP payload, a message has a link header, a transport
header and an application header followed by a number of
DNP3 objects and header tuples.
A DNP3 message may incorporate the following fields:
• Start - This two-byte field indicates that it is a DNP3
packet with the value 0x0564
 Fig. 1. DNP3 message architecture
• Length - One byte field contains the length of all the
subsequent fields without the CRC
• Control - One byte control field that contains the direction
of the message flow, data-link function codes and some
other indicators.
• Destination - Two byte field that identifies the receiver of
the message
• Source - Two byte field that identifies the sender of the
message
• FIN - One bit indicates this is the last fragment
• FIR - One bit indicates that this is the first fragment
• Sequence number - Six bit sequence number used for
fragmentation and reassembly
• Application control - One byte field designed to facilitate
fragmentation within application layer. This field also has
a bit that indicates whether a message from outstation is
unsolicited or a response for a request.
• Function code - One byte field that indicates the function
to be performed by the receiving device
• Indicators - Two byte internal indicators which are only
used by the responses from the outstations
• DNP3 object header - Two byte header for each DNP3
object set present in the message
• DNP3 objects - DNP3 objects contain values (input
readings and output updates) from and to the outstations
III. E XTENDING THE L INUX IPTABLES FIREWALL FOR USE
WITH DNP3
Netfilter/Iptables is available with almost all popular Linux
distributions. Technically speaking, Iptables is the user-space
module of the Linux netfilter framework. The Linux kernel
incorporates the Netfilter framework which provides functions
that include packet filtering, network address translation, and
packet mangling. Iptables rules often check only data-link,
network and transport headers and very rarely check payload
contents. An iptables feature, added only a few years ago,
allows for the dynamic inspection of message payloads. This
feature is called u32 match and our proposed solution uses it
as the basic mechanism to inspect DNP3 packets (beyond the
standard checks on TCP/IP headers).. The u32 match feature
instructs the module to extract 32 bits (4 bytes) from the packet
at any specified location and compare it against a given value.
If the field that needs to be extracted is less than 32 bits,
the extracted data is masked and shifted. This option, makes
it possible to match up to 32 bits of data from any part of
the packet. This feature also provides a simple technique to
overcome the variable header length problem when options are
used in TCP or IP. This technique uses the header-length field
of the packet to calculate the header length and then jump
to the beginning of its ICS message. Our solution follows
the following steps to generate iptables rules that can filter
SCADA messages using u32:
1) From the IP header, calculate the header length by
extracting the hlen field value in the IPv4 header and
multiply it by four. The resulting value is the length in
bytes of the IP header.
2) Use the calculation in the previous step to jump to the
beginning of the TCP header (also the beginning of the
packets IP payload).
3) From the TCP header, extract the offset field and multi-
ply it by four. The resulting value is the length in bytes
of the TCP header.
4) Use the calculation in the previous step to jump to the
beginning of the DNP3 packet (also the beginning of the
DNP3 header).
5) From this point in the packet, jump to the FIR bit and
check if the bit is set to one. This indicates this is the
first fragment of a message.
 Fig. 2. IP header Fig. 3. TCP header

6) If the FIR bit is set, then match the function code field
against the desired value.
Header length fields of IP and TCP represent the header
length as 4-byte words, i.e., the value should be multiplied by
4 to obtain the actual length in bytes. The header length field
of IP is located in bits 4-7 of the first byte (Figure 2). Since
u32 extracts 4 bytes (32 bits) at a time, the actual value of the
IP header length can be obtained by extracting the first four
bytes of the IP header, right shifting 22 bits and masking the
result with 0x3C (this quarantines the field and multiplies it
by four at the same time) . The u32 command to perform this
operation is 0>>22&0x3C. The @ sign instructs a jump of n
bytes, where n precedes the @ sign. For instance, if the result
of 0>>22&0x3C is 20 (the length of an IP header without
any options), then 0>>22&0x3C@ will jump 20 bytes from,
in this case, the beginning of the IP header. After this jump,
iptables is pointing at the start of the TCP header. In the similar
manner, the TCP header length can be obtained to jump to
the end of the TCP header, which is also the beginning of
the DNP3 packet. The TCP header length is represented by
the offset field (Figure 3) which starts at byte 12 (from the
beginning of the TCP header). Following the same procedure
used for the IP header, a jump to the end of the TCP header
can be made with 12>>26&0x3C@. At this point, iptables Fig. 4. Iptables rules for common DNP3 attacks
is ready to start inspecting the DNP3 packet. One of most
important field to inspect in a DNP3 message is the function
code field. This field carries specific commands (represented DNP3 data-link layer [7]. A DNP3 firewall or IDS (Intru-
by different numbers) to the outstation devices as transmitted sion Detection System) must be able to monitor and check
by the master node. The function code field is part of the fragmented DNP3 messages. IDS preprocessors (such as the
application header of a DNP3 message and is always located Snort preprocessor for DNP3) have the ability to reassemble
at byte 12 from the beginning of the DNP3 message. For DNP3 fragments in order to reconstruct a full DNP3 message.
instance, consider function code 13 (0xD) which is a cold Firewalls in general will not attempt to reconstruct DNP3
start command that reboots the PLC. It can be simply matched fragments (the final DNP3 recipient should be able to do so).
using the 12>>24&0xff=0xD directive to look for function In many applications, this type of preprocessing is not done
code 13 (assuming iptables is already inspecting the beginning at the Firewall because the reassembly process may cause
of the DNP3 packet). unacceptable delays. Timing requirements in the electric power
DNP3 protocol has a pseudo-transport layer that supports sector are very common to ensure that response times are
message fragmentation and reassembly. This feature is needed adequate. For instance, the maximum delay for a trip signal
in case a message is too long for transmission over the message should not be more than 4 milliseconds for a power-
line frequency of 60Hz [8]. Our proposed solution seeks to
provide protection for the DNP3 protocol without the added
burden of reassembling fragmented messages. This is done by
taking advantage of how DNP3 handles fragmentation, i.e., by
setting FIR bit to true for the first fragment. It is important to
note that an unfragmented DNP3 frame is also transmitted with
FIR flag set. This first DNP3 fragment also contains the control
fields associated with the message. A DNP3 receiver will
drop any fragments for which it has not observed a fragment
marked as FIR. We propose a method that only filters the first
DNP3 fragment if needed, e.g. when it matches a rule for a
prohibited operation. In doing so, we achieve two goals: (i)
protect the receiving device (which will drop all subsequent
fragments because the first fragment is missing) and (ii) avoid
reassembly at the firewall level. Since unfragmented DNP3
traffic also goes with the FIR flag set, the proposed approach
effectively protects devices against fragmented and unfrag-
mented messages. We can check whether FIR is set with a
10>>30&0x01=0x01 u32 directive. Additional u32 directives
can then be used to inspect control fields. To illustrate a more
sophisticated use of the u32 directive, consider the case where
the firewall needs to filter Cold Restart messages (function
code 13). This could be done with the following iptables rule:
sudo iptables -A INPUT -p tcp –dport 20000 -m u32 –u32
“0>>22&0x3c@ 12>>26&0x3C@ 10>>30&0x01=0x01
&& 0>>22&0x3c@ 12>>26&0x3C@ 9&0xff=0x0D” -j
DROP
This rule contains two tests or parts:
• 0>>22&0x3c@ 12>>26&0x3C@ to jump over the
IP and TCP headers by calculating their lengths and
10>>30&0x01=0x01 to checks whether the FIR flag is
set
• 0>>22&0x3c@ 12>>26&0x3C@ to jumps over the IP
and TCP headers and then jumping to byte 9 to check
whether the function code (located in byte 12) is 13 (0xD)
using 9&0xff=0x0D(bytes 9-11 are masked).
The following list describes the most common attacks on the
DNP3 protocol [9], [10]:
• DNP3 disable unsolicited responses: DNP3 has an option
where the master can disable unsolicited responses by
sending a message with function code 21. Outstation
devices may be configured to update the master with
unsolicited messages. In those cases, this type of message
would prevent the master from getting any unsolicited
messages from the target outstation.
• DNP3 stop application: An attacker could send a DNP3
message with function code 18 and stop the applications
running in an outstation device. This will essentially make
outstation devices unreachable to the master, because
outstation devices do not have running applications to
process a request.
• DNP3 freeze clear: DNP3 PLCs have a set of specific
registers known as frozen registers which are allocated
by the master for specific purposes, e.g. internal counter.
The freeze clear command, function code 10, clears these
registers, without requiring an acknowledgement from
the affected outstation. An attacker can send a DNP3
message with function code 10 and clear the frozen
registers which may contain important information. The
freeze clear command using function code 9 also does
the same but it requires the device to send a response
upon clearing.
• DNP3 warm restart: A DNP3 request with function code
14 Warm Restart, restarts the communication tasks in
the outstation. A continuous stream of requests of this
type causes a denial of service attack. Such an attack
could prevent an outstation from communicating with the
Master and HMI.
• DNP3 cold restart: A DNP3 request with function code 13
Cold Restart, restarts an outstation device. A continuous
stream of requests causes a denial of service attack and
makes the outstation unavailable.
• DNP3 broadcast request: the DNP3 data-link layer has
a two byte field to denote the destination address of the
message. A message with broadcast address (0xFFFF)
in this field will send the message to all other DNP3
outstation devices. An attacker could use this technique
to obtain the address of all DNP3 servers (outstation
devices) or to flood the network with broadcasts.
Firewall rules (Figure 4) were developed for the attacks
described above and then tested in a smart grid testbed.
IV. E XPERIMENTAL R ESULTS
Proposed solution was tested on the smart-grid test bed at
the University of Tulsa. The Critical Infrastructure Protection
Lab at The University of Tulsa has a scaled-down electric
power substation (Figure 5). The design of the substation
closely reflects the topology of a ring-type substation with
redundant lines as well as inductive and resistive loads. Input
power level is limited to voltage availability in the lab building.
The substation uses three-phase 208V input voltage (dual
inputs) and was designed for an estimated power consumption
of 3KVA. The substation uses two controllers, also known as
programmable logic controllers that communicate over an Eth-
ernet network using the DNP3 protocol. This facility has all the
elements needed to validate our approach: physical elements
(power input, switching relays), hardware interface (current
and voltage transducers), software and control (programmable
logic controllers) and communications (DNP3 over Ethernet).
The Firewall was implemented on a dual-homed Ubuntu
14.04 LTS computer and placed between the two PLCs (out-
station devices) and the HMI. A rogue DNP3 master was
deployed on the network to help generate malicious messages
targeting the PLCs. When the rogue master tried to attack
the grid by sending various types of malicious messages,
the firewall successfully blocked them. This was verified by
inspecting the iptables log (Figure 6 shows a few selected log
entries generated during the experiment) and the unchanged
indicators on the HMI panels. When the firewall was disabled,
the malicious packets were received by the PLCs and its effects
were directly observed by the HMI panels.
 Fig. 5. Electric power testbed at the CIP lab, University of Tulsa

words, the u32 feature can be effectively used to dynamically

inspect a DNP3 message transported over TCP/IP. Rules
for most common attacks on the DNP3 protocol are also
presented in the paper. These rules were all developed using
the methodology described in the paper. The solution has been
tested and validated on the smart-grid test bed at the Critical
Infrastructure Laboratory at the University of Tulsa.
R EFERENCES
[1] IEEE Standard for Electric Power Systems Communications-Distributed
Network Protocol (DNP3), in IEEE Std 1815-2012 (Revision of IEEE
Std 1815-2010) , vol., no., pp.1-821, Oct. 10 2012
[2] Electric Power Research Institute, Distributed Network Protocol 3 Secu-
rity Interoperability, Dec 2011, Palo Alto, CA
[3] ICS-CERT Monitor September 2014 February 2015
[4] Cisco, Inc. Cisco IOS Intrusion Prevention System (IPS) for Connected
Energy, White paper.
[5] 1031 Secure Ruggedized Gateway. http://www.radiflow.com/products/1031-
secure-ruggedized-gateway
[6] ] Lawton, George. “Open source security: opportunity or oxymoron?.”
Computer35, no. 3 (2002): 18-21.
[7] Curtis, Ken. “A DNP3 protocol primer.” DNP User Group (2005): 1-8.
[8] ] Nivethan, Jeyasingam, Mauricio Papa, and Peter Hawrylak. “Modeling
and simulation of electric power substation employing an IEC 61850
network.” In Proceedings of the 9th Annual Cyber and Information
Security Research Conference, pp. 89-92. ACM, 2014.
[9] East, Samuel, Jonathan Butts, Mauricio Papa, and Sujeet Shenoi. “A
Taxonomy of Attacks on the DNP3 Protocol.” In Critical Infrastructure
Protection III, pp. 67-81. Springer Berlin Heidelberg, 2009.
[10] Mander, Todd, Richard Cheung, and Farhad Nabhani. “Power System
Peer-to-Peer Networking Data Object Based Security.” In Power Engi-
neering, 2006 Large Engineering Systems Conference on, pp. 90-94.
IEEE, 2006.

Fig. 6. Iptables log

V. C ONCLUSION

This paper describes a novel approach for the use of the

iptables open-source firewall facility (available with most
Linux distributions), to protect against attacks on the DNP3
protocol. Experimental results show the approach succeeds
in blocking attacks targeting the DNP3 protocol. In other