1. Introduction
The core of DNP3 (Distributed Network Protocol version 3) is an object model. Other, less object-oriented protocols typically require bit mapping of data, which this model minimizes. The model also lessens the wide variation in control and status-monitoring paradigms typically present in protocols that offer almost no predefined objects [1]. Proponents of those protocols would maintain that any necessary item can be "built" from pre-existing ones. However, DNP3 is a somewhat more pleasant design and deployment framework for SCADA (Supervisory Control and Data Acquisition) engineers and technicians because it comes with predefined objects. Attacks on these infrastructures are becoming more sophisticated and better organized, and DNP3 is one of the protocols most frequently targeted within critical infrastructures. Early detection of the reconnaissance phase is intended to prevent the attacks that follow it.
2. Elements Communicate
Usually, DNP3 is used between geographically scattered remotes and centrally placed masters [2]. The master provides the interface between the monitoring system and the human network manager. The remotes (RTUs and intelligent electronic devices) provide the interface between the master and the physical device or devices being monitored and/or managed [3]. The remote and the master communicate using a library of shared objects. The DNP3 protocol has features that were thoughtfully designed; because of them, it can be used reliably even over media that may be noisy.
Polling is a feature of the DNP3 protocol. An integrity poll is conducted when a remote first connects to the master station. Integrity polls are crucial because they return the present value of each data point along with all of its buffered event values, so a master that has lost synchronization with a remote can rebuild a complete picture of its state. In practice an integrity poll is a READ request for event classes 1, 2 and 3 followed by class 0 (the static data).
DNP3 is an intelligent and robust SCADA protocol that offers many capabilities. Some of them are as follows:
- DNP3 can request and respond with multiple data types in single messages;
- Response without request (unsolicited messages);
- It allows multiple masters and peer-to-peer operations;
- It supports time synchronization and a standard time format;
- It includes only changed data in response messages.
DNP3 communicates between Masters (think Control Center) and Remotes via 27 fundamental function codes. Some of those function codes let a Master ask a remote for status information and obtain it. Additional function codes let a Master determine or modify a remote's configuration.
3. DNP3 Message Structure
The packets include bytes for the header, data, and checksum. Using this packet structure, DNP3 provides the rules for remotely located computers and master station computers to exchange data and control commands. DNP3 is a non-proprietary protocol. When the Master sends a read request for an object or objects, the Remote responds with the requested information if it is available. To generate the output actions linked to the chosen object reference, the Master issues an Operate command. When a certain event occurs, the remote sends an unsolicited message [4]. The DNP3 application service data unit (ASDU) is worthy of special note for the clever content adjustment controlled by the qualifier and index-size fields: the qualifier octet selects how the range of objects is expressed (start/stop indices, a count, or "all objects") and whether each object is prefixed with an index and how wide that index is. This design makes application data available in an impressively flexible number of configurations, or omits it altogether if desired. DNP3 was designed to optimize the transmission of data acquisition information and control commands from one computer to another. It is not a general-purpose protocol like those found on the Internet for transmitting email, hypertext documents, SQL queries, multimedia, or huge files. It is intended for SCADA (Supervisory Control and Data Acquisition) applications.
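The qualifier-driven layout described above, as an added example that is not code from the paper: a small decoder for request object headers that shows how the same qualifier octet selects the range encoding and the index-prefix width. The object sizes in the table are assumptions taken from the fixed-length variations they name, and the sample ASDUs are constructed for this example.

```python
"""Decode DNP3 application-layer object headers.

Added example; not code from the paper. The qualifier octet's low nibble is
the range-specifier code (start/stop, count, or "all objects") and bits 4-6
are the prefix code (width of the index that precedes each object). Object
sizes are assumed for the fixed-length variations used below and are only
needed when index-prefixed objects carry payload, as in an OPERATE request.
"""
import struct

# Assumed fixed object sizes in octets for the variations used in this example
OBJECT_SIZE = {(1, 2): 1, (12, 1): 11, (30, 1): 5}
RANGE_WIDTH = {0: 1, 1: 2, 2: 4, 7: 1, 8: 2, 9: 4}   # range-specifier code -> field width
PREFIX_WIDTH = {0: 0, 1: 1, 2: 2, 3: 4}               # prefix code -> index prefix width
FMT = {1: "<B", 2: "<H", 4: "<I"}                     # DNP3 multi-octet fields are little-endian


def _read(buf: bytes, pos: int, width: int):
    return struct.unpack_from(FMT[width], buf, pos)[0], pos + width


def parse_object_header(buf: bytes, pos: int):
    """Decode one object header at pos; return (header dict, position after it)."""
    group, variation, qualifier = buf[pos], buf[pos + 1], buf[pos + 2]
    pos += 3
    prefix_code, range_code = (qualifier >> 4) & 0x07, qualifier & 0x0F
    hdr = {"group": group, "variation": variation, "qualifier": qualifier,
           "indices": None, "count": None, "objects": []}
    if prefix_code not in PREFIX_WIDTH:
        raise ValueError(f"object-size prefixes (code {prefix_code}) not handled")
    if range_code == 6:                         # all objects: no range field follows
        pass
    elif range_code in (0, 1, 2):               # start and stop index, 1/2/4 octets each
        width = RANGE_WIDTH[range_code]
        start, pos = _read(buf, pos, width)
        stop, pos = _read(buf, pos, width)
        hdr["indices"] = list(range(start, stop + 1))
    elif range_code in (7, 8, 9):               # object count, 1/2/4 octets
        hdr["count"], pos = _read(buf, pos, RANGE_WIDTH[range_code])
        width = PREFIX_WIDTH[prefix_code]
        if width:                               # each object is preceded by its index
            size = OBJECT_SIZE.get((group, variation))
            if size is None:
                raise ValueError(f"unknown object size for g{group}v{variation}")
            hdr["indices"] = []
            for _ in range(hdr["count"]):
                index, pos = _read(buf, pos, width)
                hdr["indices"].append(index)
                hdr["objects"].append(buf[pos:pos + size])
                pos += size
    else:
        raise ValueError(f"unsupported range specifier code {range_code:#x}")
    return hdr, pos


def parse_asdu(buf: bytes) -> list:
    """Walk every object header in a request ASDU (no application control/function code)."""
    headers, pos = [], 0
    while pos < len(buf):
        hdr, pos = parse_object_header(buf, pos)
        headers.append(hdr)
    return headers


# Constructed request ASDUs for this example
INTEGRITY_POLL = bytes.fromhex("3c02063c03063c04063c0106")   # classes 1,2,3,0; qualifier 0x06 = all
READ_BINARY_0_9 = bytes.fromhex("0102000009")                # g1v2, 8-bit start 0 / stop 9
READ_CLASS1_MAX20 = bytes.fromhex("3c020714")                # g60v2, 8-bit count 20, no prefix
# g12v1 CROB, qualifier 0x17 (8-bit count, 8-bit index prefix): one control on point 3,
# control code 0x03 (latch on), count 1, on-time 100 ms, off-time 0, status 0
OPERATE_CROB = bytes.fromhex("0c01170103" + "0301640000000000000000")

if __name__ == "__main__":
    for name, asdu in [("integrity poll", INTEGRITY_POLL), ("operate", OPERATE_CROB)]:
        print(name, parse_asdu(asdu))
```

Note that the same point can be addressed with an 8-bit, 16-bit or 32-bit range or prefix; a parser (or a detection rule) that only recognises one encoding will miss the others.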
3.1. Understanding Layered Communication
3.1.1. The Application Layer
The application layer creates an application protocol data unit (APDU) by combining an application service data unit (ASDU), which is itself a packed set of objects, with an application protocol control information (APCI) block consisting of the application control octet and the function code.
3.1.2. Slave Discovery
The fourth and fifth attacks on DNP3 considered here used two Nmap Scripting Engine scripts to determine whether an IP address belonged to a DNP3 outstation. The first script sent link-layer link status requests (function code 9) to the first 100 DNP3 data link addresses, while the second sent requests to those same addresses. Any response from the outstation confirmed the identification.
3.1.3. The Transport Layer
The transport layer breaks long application layer messages into smaller segments sized for the link layer to transmit and, when receiving, reassembles the segments into longer application layer messages. In DNP3 this is a pseudo-transport layer incorporated into the application layer rather than a separate protocol. It needs only a single octet of overhead: a transport header carrying FIR (first segment), FIN (final segment) and a 6-bit sequence number. Since the link layer can carry only 250 user data octets and one of those is used for the transport header, each link layer frame can hold as many as 249 application layer octets. The transport layer therefore partitions the APDU into segments of up to 249 octets, prepends the transport header to each, and hands the segment to the link layer, which places it in 16-octet data blocks, each followed by a 16-bit CRC.
3.1.4. The Link Layer
The link layer prepares the frame for delivery to a specified destination by adding a header containing control and addressing information: the 0x05 0x64 start octets, a length octet, a control octet (direction bit, primary/secondary bit and a 4-bit link function code), and 16-bit destination and source addresses, followed by a CRC. With the Internet layer set aside, these three DNP3 layers can be mapped onto the Department of Defense four-layer model.
When the packet is sent over a LAN or WAN, the three DNP3 layers are folded into the application layer of the TCP/IP stack. The transport layer encapsulates the assembled packet in the Transmission Control Protocol (TCP), while the internet layer encapsulates it in the Internet Protocol (IP); the IANA-registered port for DNP3 is 20000. Although the User Datagram Protocol (UDP) can also be used, it has additional problems with reliable delivery on congested networks. A feature of DNP3's link layer is the ability for the transmitter of a frame to request that the receiver confirm the frame arrived. Using this feature is optional, and it is often not employed because there are other methods for confirming receipt of data; it does provide an extra degree of assurance of reliable communications. If a confirmation is not received, the link layer may retry the transmission. The disadvantages of link layer confirmation are the extra time required for confirmation messages and the wait for multiple timeouts when retries are configured. Note that the link layer CRCs and confirmations protect against noise, not against an adversary: basic DNP3 frames carry no authentication, so any host that can reach the network can craft valid-looking frames (the optional DNP3 Secure Authentication extension addresses this at the application layer). The packet is interfaced to a transport medium (such as fiber, RG58 coaxial, or twisted-pair copper) at the fourth layer, the Network Interface layer. Despite its somewhat perplexing appearance, this multilayer approach successfully separates the communication duties and ultimately aids network design and implementation.
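The framing described in 3.1.3 and 3.1.4, and the link status sweep used for outstation discovery in 3.1.2, as an added example that is not code from the paper: a link-frame builder and parser with CRC-16/DNP checks, used to construct the function code 9 probes and a complete integrity-poll frame, plus a detector that flags a source address probing many distinct link addresses. The framing constants follow the DNP3 link layer; the sweep threshold and the sample traffic are assumptions constructed for this example.

```python
"""DNP3 link-layer framing with CRC checks and a REQUEST_LINK_STATUS sweep detector.

Added example; not code from the paper. Framing: start 0x05 0x64, LENGTH =
5 + user octets (excludes start octets and CRCs), control, 16-bit dest and
source (little-endian), header CRC, then user data in 16-octet blocks each
followed by its own CRC. The detection threshold is an assumption.
"""
import struct
from collections import defaultdict

START = b"\x05\x64"
DIR_MASTER, PRM = 0x80, 0x40          # control-octet bits: direction (master), primary message
FC_USER_DATA_UNCONFIRMED = 4          # link function codes used below
FC_REQUEST_LINK_STATUS = 9


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC), init 0, complemented result."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return ~crc & 0xFFFF


def build_link_frame(ctrl: int, dst: int, src: int, user_data: bytes = b"") -> bytes:
    """Header (8 octets + CRC), then user data in 16-octet blocks, each with its own CRC."""
    if len(user_data) > 250:
        raise ValueError("at most 250 user octets per frame")
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_link_frame(frame: bytes) -> dict:
    """Verify start octets and every CRC; return control bits, addresses and user data."""
    if len(frame) < 10 or frame[:2] != START or frame[2] < 5:
        raise ValueError("not a DNP3 link frame")
    if dnp3_crc(frame[:8]) != struct.unpack_from("<H", frame, 8)[0]:
        raise ValueError("header CRC mismatch")
    ctrl, (dst, src) = frame[3], struct.unpack_from("<HH", frame, 4)
    remaining, data, pos = frame[2] - 5, b"", 10
    while remaining:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or dnp3_crc(block) != struct.unpack("<H", crc)[0]:
            raise ValueError("data block CRC mismatch")
        data, pos, remaining = data + block, pos + n + 2, remaining - n
    return {"dir": ctrl >> 7, "prm": (ctrl >> 6) & 1, "fc": ctrl & 0x0F,
            "dst": dst, "src": src, "data": data}


def link_status_request(dst: int, src: int) -> bytes:
    """The discovery probe: primary frame, link function code 9, no user data."""
    return build_link_frame(DIR_MASTER | PRM | FC_REQUEST_LINK_STATUS, dst, src)


def integrity_poll(dst: int, src: int) -> bytes:
    """Master READ of classes 1,2,3 then 0 (g60v2,v3,v4,v1, qualifier 0x06 'all') in one frame."""
    transport = bytes([0xC0])                    # FIN|FIR, sequence 0: a single segment
    app = bytes([0xC0, 0x01])                    # FIR|FIN, sequence 0; function code 1 = READ
    objects = bytes.fromhex("3c02063c03063c04063c0106")
    return build_link_frame(DIR_MASTER | PRM | FC_USER_DATA_UNCONFIRMED, dst, src,
                            transport + app + objects)


def detect_link_status_sweep(frames, threshold: int = 10) -> dict:
    """Map source address -> number of distinct link addresses it probed with function code 9,
    keeping only sources at or above the threshold (assumed value; tune per site)."""
    probed = defaultdict(set)
    for raw in frames:
        try:
            f = parse_link_frame(raw)
        except ValueError:
            continue                              # corrupt frames are not counted as probes
        if f["prm"] and f["fc"] == FC_REQUEST_LINK_STATUS:
            probed[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in probed.items() if len(dsts) >= threshold}


# Constructed traffic: a scanner at link address 1 sweeping addresses 0..99, plus one normal poll
SWEEP = [link_status_request(dst=a, src=1) for a in range(100)]
NORMAL = [integrity_poll(dst=10, src=3)]

if __name__ == "__main__":
    print(detect_link_status_sweep(SWEEP + NORMAL))   # {1: 100}
```

The detector counts distinct destinations rather than raw frames because a legitimate master polling one outstation also emits many frames; what distinguishes the discovery scan in 3.1.2 is one source touching many link addresses. Over TCP the same logic applies per TCP connection, since the link address is carried inside the DNP3 frame.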
4. Proposal
This study concentrated on creating efficient defenses against targeted and organized attacks on vital facilities that use the DNP3 protocol. Such attacks are generally structured [5]. Being deliberate, they lend themselves to the creation of plans using organized defense techniques. Usually, these attacks start with reconnaissance before moving on to destructive measures based on the vulnerabilities found. Detecting reconnaissance quickly and accurately was the main goal of the model created, which also sought to detect initial attacks as efficiently as possible while using the fewest resources possible. This study is a step toward fortifying industrial control systems that use the DNP3 protocol against the rising tide of cyberattacks and toward more effective protection against complex attacks targeting industrial control systems. Moreover, while the research is specific to the DNP3 protocol, it is relevant within the broader framework of industrial infrastructure security: the defense mechanisms developed can serve as a general model for enhancing the security of industrial control systems.
5. Conclusions
DNP3 is a SCADA communication protocol that has been standardized to ensure compatibility and interoperability between devices from different manufacturers. The DNP3 protocol was examined, together with its security limitations and the possible attacks that exploit the security gaps inherent in the protocol itself. The protocol has been the target of numerous cyberattacks because of these limitations and vulnerabilities, and for this reason it has been a main concern of security experts. Failure to implement adequate protection and to secure these systems against constantly evolving cyberattacks and physical attacks can lead to catastrophic results. Preventing cyberattacks against SCADA systems is therefore an urgent and crucial requirement, and it can be achieved by improving the defenses and protection measures of these systems. Specifically, the research will create a model capable of identifying anomalous patterns using network flows that contain specific protocol attributes for analysis, and will present a proposal that strengthens the DNP3 protocol against cyberattacks when implemented in critical infrastructures.
Author Contributions
Conceptualization, J.P.G., A.L.S.O. and L.J.G.V.; methodology, J.P.G., A.L.S.O. and L.J.G.V.; validation, J.P.G., A.L.S.O. and L.J.G.V.; investigation, J.P.G., A.L.S.O. and L.J.G.V. All authors have read and agreed to the published version of the manuscript.
Funding
This work was carried out with funding from the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation EU), through the Chair "Cybersecurity for Innovation and Digital Protection" INCIBE-UCM. In addition, this work has been supported by Comunidad Autonoma de Madrid, CIRMA-CM Project (TEC-2024/COM-404). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors. The opinions expressed are the sole responsibility of the authors and do not necessarily reflect those of INCIBE, the European Union, or the European Commission-EU. Neither INCIBE, the European Union nor the European Commission can be held responsible.
Institutional Review Board Statement
Not applicable.
Informed Consent Statement
Not applicable.
Data Availability Statement
Not applicable; this study does not report any data.
Conflicts of Interest
The authors declare no conflict of interest.
References
- Tsantikidou, K.; Sklavos, N. Threats, Attacks, and Cryptography Frameworks of Cybersecurity in Critical Infrastructures. Cryptography 2024, 8, 7.
- Pandit, R.; Astolfi, D.; Hong, J.; Infield, D.; Santos, M. SCADA data for wind turbine data-driven condition/performance monitoring: A review on state-of-art, challenges and future trends. Wind Eng. 2023, 47, 422–441.
- Marian, M.; Cusman, A.; Popescu, D.; Ionica, D. A DNP3-based SCADA Architecture Supporting Electronic Signatures. In Proceedings of the 2019 20th International Carpathian Control Conference (ICCC), Krakow-Wieliczka, Poland, 26–29 May 2019; pp. 1–6.
- Faramondi, L.; Flammini, F.; Guarino, S.; Setola, R. A hybrid behavior- and bayesian network-based framework for cyber-physical anomaly detection. Comput. Electr. Eng. 2023, 112, 108988.
- Mohy-eddine, M.; Guezzaz, A.; Benkirane, S.; Azrour, M. An efficient network intrusion detection model for IoT security using K-NN classifier and feature selection. Multimed. Tools Appl. 2023, 82, 23615–23633.
Disclaimer/Publisher's Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.