Proceeding Paper

Vulnerabilities in the DNP 3.0 Communication Protocol in ICS/SCADA Systems on Critical Electrical Infrastructure †

by Jacinto Pérez García, Ana Lucia Sandoval Orozco and Luis Javier García Villalba *,‡
Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor José García Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain
* Author to whom correspondence should be addressed.
† Presented at the First Summer School on Artificial Intelligence in Cybersecurity, Cancun, Mexico, 3–7 November 2025.
‡ These authors contributed equally to this work.
Eng. Proc. 2026, 123(1), 17; https://doi.org/10.3390/engproc2026123017
Published: 4 February 2026
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

Abstract

Supervisory control and data acquisition systems are an essential part of industrial control systems that form part of the critical infrastructure in the energy sector, which in the last decade have increased their interconnection, complexity, and dependence on other systems. In addition, the data generated and transmitted play a crucial role during acquisition and monitoring through the distributed network protocol version 3, which is used for analysis. As a result, they have become susceptible to cyberattacks that compromise data integrity, specifically unauthorized manipulation, which can cause significant disruptions and impacts on critical infrastructure. Therefore, the purpose of this work is to analyze the limitations, drawbacks, and vulnerabilities of the DNP3 and to present recommendations for identifying anomalous patterns in protocol communication.

1. Introduction

The critical infrastructure in the electricity sector is managed and supervised by SCADA systems [1]. Their benefits and uses are endless and undeniable. These implementations are designed to automate the supervision, monitoring and control of processes, and the DNP3 protocol is used for communication between devices. SCADA systems operate according to events and consist of three main components: a centralized control station (master), substations (remotes), and the communication networks that interconnect the substations with their respective control centers. The master supervises, regulates, and monitors multiple geographically dispersed remotes. Remotes are specialized field automation equipment, such as programmable logic controllers or remote terminal units, that supervise the physical components of the system on site and report the status of field equipment to the control center for supervision, control, and analysis. Before SCADA systems became connected to the Internet, through the emergence of cloud-based applications and the now prevailing practice of integrating these real-time information systems, SCADA networks were isolated and segregated from the Internet and other networks and relied on proprietary protocols [2,3].

2. Literature Review

The DNP3 distributed network protocol is widely used in industrial control systems such as the one described in [4]. It facilitates communication between remote terminals and their masters, as well as other control devices, in a SCADA system. DNP3 collects data from sensors, control devices, and field devices and transmits it to the SCADA system. It has several features that make it suitable for industrial control systems. These features include [5]:
  • Robustness: It is designed to operate in environments with low bandwidth and noisy communication channels. It supports error detection and message retransmission, ensuring reliable communication.
  • Flexibility: It is designed to be flexible and adaptable to various devices and applications.
  • Scalability: It is designed to support large-scale deployments with thousands of devices. It supports multiple levels of network topology and can be used in both local and wide area networks, as well as multiple data types, speeds, and communication media.
Protocol messages can be sent over serial or TCP/IP connections. This work considers communication messages carried over TCP/IP, since today most SCADA systems operate in a TCP/IP network environment. When DNP3 operates over TCP/IP, the master is a TCP client connected to several remotes that act as TCP servers. Under these conditions, DNP3 messages travel above the TCP/IP stack and are structured in three layers of their own: the data link layer, the transport layer, and the application layer. Each layer is responsible for a specific function and provides services to the layer above it.

3. DNP3 Attacks

DNP3 is a protocol widely used in highly critical settings, such as SCADA systems, to automate and manage industrial processes. Its use is particularly prominent in power plants, with more than 75% of North America’s smart grids relying on DNP3 for device communication. Therefore, any cyberattack targeting DNP3 threatens the normal functioning of critical infrastructure. This section explains the execution of five attack scenarios focused on DNP3 and examines the potential effects of these malicious actions on the infrastructure [6].

3.1. Types of Attacks

3.1.1. Initialize Data

The first DNP3 attack aims to force the outstation to reset its data to default values, causing its updates to misrepresent the actual status. This is done by intercepting and manipulating a packet from the master using a Man-In-The-Middle method and the Scapy tool, then reinjecting the altered packet into the network.

3.1.2. Slave Discovery

The second and third cyberattacks on DNP3 use two Nmap Scripting Engine scripts to identify whether an IP address belongs to a DNP3 outstation. The first script requests the link status using function code 9 across the first 100 DNP3 data link addresses, while the second sends requests to those same addresses. A response from the outstation confirms the successful identification.

3.1.3. Cold Restart

The fourth attack aims to force the outstation into a full restart and self-check using a cold restart packet. This exploits the DNP3 function that temporarily keeps the outstation offline, causing a DoS by making it unresponsive to master requests. The attack involves a malicious master sending repeated cold restart commands to the outstations.

3.1.4. Warm Restart

The fifth attack aims to make the outstation restart only its DNP3 applications, temporarily preventing it from responding to master requests. This is carried out by a malicious master sending warm restart requests to the targeted outstations.

4. Proposal

Traffic analysis and the identification of anomalous patterns in SCADA systems are critical aspects in ensuring the security and integrity of these systems, which are used for control within critical infrastructures in the energy sector. Analysis and identification tasks are of the utmost importance for SCADA systems due to the vulnerabilities and threats that arise from interconnections with other systems and environments. External connections to other systems are easily visible even from simplified network diagrams. To carry out these processes, it is necessary to continuously collect, analyze, and monitor network traffic to detect and respond to potential threats and attacks. The phases are as follows:
  • Monitoring of devices and links in the SCADA environment;
  • Collection of DNP3 traffic;
  • Proposal of analysis algorithms;
  • Data analysis;
  • Detection of anomalous patterns.
Clearly, successful execution of the aforementioned attacks in a SCADA environment can cause service interruptions and message alterations, and can prevent the delivery of critical notifications. Therefore, to avoid the consequences of cyberattacks, solutions are needed that quickly and accurately detect malicious attempts. This research work proposes identifying anomalous patterns by exploiting the network flows associated with DNP3 traffic. Flows will be analyzed with CIC-FlowMeter (https://github.com/ahlashkari/CICFlowMeter, accessed on 26 January 2026) and traffic will be simulated with openDNP3 (https://github.com/dnp3/opendnp3, accessed on 26 January 2026); the two tools will operate collaboratively in layers so that the proposed algorithms for identifying anomalous patterns can be tested. This will enable the timely identification of attacks on DNP3-based critical infrastructure. The first component will analyze the packet-level network traffic generated by the second component [7]. The flows produced by these two tools will emulate traffic and be analyzed at the TCP/IP level to observe communication patterns, train the model in a learning mode, and then identify and classify valid flows and those that present anomalies. These tests will be performed with ARP poisoning. The resulting flows will then be labeled, producing a new data file from which alerts indicating a possible cyberattack can be raised.
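As an added example (not code from the paper, whose proposal is flow-level analysis with CIC-FlowMeter and openDNP3), the following Python sketch shows what a packet-level detector for the attack patterns of Section 3 would key on: the standard DNP3 data-link function code 9 (REQUEST_LINK_STATUS) swept across many outstation addresses, and the standard application function codes 13 and 14 (cold and warm restart) repeated from one master address. The frame layout follows the DNP3 specification; CRC verification is omitted, and the alert thresholds and the sample capture are constructed values, not measurements from the paper.

```python
from collections import Counter, defaultdict

START = b"\x05\x64"                                  # DNP3 data-link start bytes
LINK_REQUEST_LINK_STATUS = 9                         # data-link function code (primary frame)
APP_COLD_RESTART, APP_WARM_RESTART = 0x0D, 0x0E      # application-layer function codes

def parse_frame(frame: bytes) -> dict:
    """Decode the data-link header and, when user data is present, the
    application function code. CRC fields are skipped, not verified."""
    if frame[:2] != START or len(frame) < 10:
        raise ValueError("not a DNP3 frame")
    ctrl = frame[3]
    user = frame[10:]  # transport header, application control, function code, ...
    return {
        "prm": bool(ctrl & 0x40),  # PRM=1: frame sent by the primary (initiating) station
        "link_fc": ctrl & 0x0F,
        "dst": int.from_bytes(frame[4:6], "little"),
        "src": int.from_bytes(frame[6:8], "little"),
        "app_fc": user[2] if len(user) >= 3 else None,
    }

def detect(frames, restart_limit=3, sweep_limit=20):
    """Flag a source that issues repeated restart requests (Sections 3.1.3/3.1.4)
    or sweeps link-status requests across many outstation addresses (Section 3.1.2).
    Both thresholds are arbitrary assumptions, to be tuned per deployment."""
    restarts, probed = Counter(), defaultdict(set)
    for p in map(parse_frame, frames):
        if p["prm"] and p["app_fc"] in (APP_COLD_RESTART, APP_WARM_RESTART):
            restarts[p["src"]] += 1
        if p["prm"] and p["link_fc"] == LINK_REQUEST_LINK_STATUS:
            probed[p["src"]].add(p["dst"])
    alerts = [f"{n} restart requests from address {s}"
              for s, n in restarts.items() if n >= restart_limit]
    alerts += [f"link-status sweep from address {s} over {len(d)} addresses"
               for s, d in probed.items() if len(d) >= sweep_limit]
    return alerts

def sample_frame(ctrl: int, dst: int, src: int, user: bytes = b"") -> bytes:
    """Constructed test frame; CRCs are zero placeholders, so it is not valid on the wire."""
    hdr = START + bytes([5 + len(user), ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    return hdr + b"\x00\x00" + (user + b"\x00\x00" if user else b"")

# Constructed capture: one legitimate READ (fc 1), three cold restarts, a 100-address sweep.
CAPTURE = [sample_frame(0xC4, 10, 1, b"\xC0\xC0\x01")]               # 0xC4: DIR|PRM, UNCONFIRMED_USER_DATA
CAPTURE += [sample_frame(0xC4, 10, 1, b"\xC0\xC1\x0D") for _ in range(3)]
CAPTURE += [sample_frame(0xC9, addr, 65000) for addr in range(100)]    # 0xC9: DIR|PRM, REQUEST_LINK_STATUS

if __name__ == "__main__":
    print("\n".join(detect(CAPTURE)))
```

On real traffic the frames would come from a TCP stream reassembled on port 20000, and a flow-level tool such as CIC-FlowMeter would see the same events as a burst of short master-to-outstation flows rather than as decoded function codes.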

5. Conclusions

DNP3 is a SCADA communication protocol that has been standardized to ensure compatibility and interoperability between devices manufactured by different entities. This work examined the DNP3 protocol, its security limitations, and possible attacks that exploit the security gaps inherent in the protocol itself. The protocol has been the target of numerous cyberattacks due to its limitations and vulnerabilities.
For this reason, it has been a major concern of security experts. Failure to implement adequate protection protocols and to secure these systems against constantly evolving cyberattacks and physical attacks can lead to catastrophic results. Preventing cyberattacks against SCADA systems is therefore an urgent and crucial requirement, which can be met by improving the defenses and protection measures of these systems. Specifically, this research work will create a model capable of identifying anomalous patterns, using network flows that contain specific protocol attributes for analysis, and will present a proposal for a solution that strengthens the DNP3 protocol against cyberattacks when implemented in critical infrastructures.

Author Contributions

Conceptualization, J.P.G., A.L.S.O. and L.J.G.V.; methodology, J.P.G., A.L.S.O. and L.J.G.V.; validation, J.P.G., A.L.S.O. and L.J.G.V.; investigation, J.P.G., A.L.S.O. and L.J.G.V. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the European Commission under the Horizon 2020 research and innovation programme, as part of the project HEROES (https://heroes-fct.eu (accessed on 26 January 2026), Grant Agreement no. 101021801) and of the project ALUNA (https://aluna-isf.eu/ (accessed on 26 January 2026), Grant Agreement no. 101084929). This work was also carried out with funding from the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation EU), through the Chair “Cybersecurity for Innovation and Digital Protection” INCIBE-UCM. In addition this work has been supported by Comunidad Autonoma de Madrid, CIRMA-CM Project (TEC-2024/COM-404). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable; this study does not report any data.

Acknowledgments

This work was carried out with funding from the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation EU), through the Chair “Cybersecurity for Innovation and Digital Protection” INCIBE-UCM. In addition, this work has been supported by Comunidad Autonoma de Madrid, CIRMA-CM Project (TEC-2024/COM-404). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors. Therefore, the opinions expressed are the sole responsibility of the authors and do not necessarily reflect those of INCIBE, the European Union, or the European Commission-EU. Neither INCIBE, the European Union nor the European Commission can be held responsible.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
INCIBE: Instituto Nacional de Ciberseguridad
UCM: Universidad Complutense de Madrid
SCADA: Supervisory Control and Data Acquisition
ARP: Address Resolution Protocol
DoS: Denial of Service
DNP3: Distributed Network Protocol version 3
TCP/IP: Transmission Control Protocol/Internet Protocol

References

  1. Nazir, S.; Patel, S.; Patel, D. Assessing and augmenting SCADA cyber security: A survey of techniques. Comput. Secur. 2017, 70, 436–454.
  2. Tsantikidou, K.; Sklavos, N. Threats, Attacks, and Cryptography Frameworks of Cybersecurity in Critical Infrastructures. Cryptography 2024, 8, 7.
  3. Pandit, R.; Astolfi, D.; Hong, J.; Santos, D.I.y.M. SCADA data for wind turbine data-driven condition/performance monitoring: A review on state-of-art, challenges and future trends. Wind Eng. 2023, 47, 422–441.
  4. Marian, M.; Cusman, A.; Popescu, D.; Ionica, D. A DNP3-based SCADA Architecture Supporting Electronic Signatures. In Proceedings of the 2019 20th International Carpathian Control Conference (ICCC), Krakow-Wieliczka, Poland, 26–29 May 2019; pp. 1–6.
  5. Kelli, V.; Radoglou-Grammatikis, P.; Sesis, A.; Lagkas, T.; Fountoukidis, E.; Kafetzakis, E.; Giannoulakis, I.; Sarigiannidis, P. Attacking and Defending DNP3 ICS/SCADA Systems. In Proceedings of the 2022 18th International Conference on Distributed Computing in Sensor Systems (DCOSS), Los Angeles, CA, USA, 30 May–1 June 2022; pp. 183–190.
  6. Faramondi, L.; Flammini, F.; Guarino, S.; Setola, R. A hybrid behavior- and bayesian network-based framework for cyber-physical anomaly detection. Comput. Electr. Eng. 2023, 112, 108988.
  7. Mohy-eddine, M.; Guezzaz, A.; Benkirane, S.; Azrour, M. An efficient network intrusion detection model for IoT security using K-NN classifier and feature selection. Multimed. Tools Appl. 2023, 82, 23615–23633.