Specification-Based IDS for the DNP3 Protocol

IDS for DNP3 extends Bro, a specification-based network traffic analyzer, to analyze the DNP3 protocol and build security policies to protect against a malicious intruder penetrating a SCADA system. The DNP3 analyzer is included in Bro, and may be downloaded from https://www.bro.org/download/index.html  to analyze DNP3 traffic without any additional modification to Bro.

A specification-based intrusion detection system (IDS) that supports proprietary protocols used in power grids, such as DNP3 and Modbus, has been implemented in Bro, a runtime network traffic analyzer. DNP3 is widely used for substation communications and control, and is presently the protocol of choice in heterogeneous environments due to interoperability requirements.

The IDS allows system operators to perform deep packet inspection on network traffic related to control operations and sensor measurements. Exploiting Bro’s domain-specific language, the IDS implements wide variety of security specifications: from detecting suspicious communication patterns at protocol level to interacting with state estimation mechanisms and performing “look-ahead” analysis on suspicious commands, even if these commands are syntactically correct within the protocol. The developed IDS is being tested using network traffic collected from real utility environments, and can be freely downloaded from Bro’s web page (bro.org).

The implementation consists of a Master IDS at the control center, which performs these functions:

  • Distinguish critical commands from non-critical ones
  • Collect and comprehend measurements from multiple substations
  • Include adapted power-flow algorithm to model the consequences of executing a particular command (“look-ahead” capability).

The master IDS interacts with slave IDS’s at remote sites, which process trusted measurements directly from sensors in the field.


Specification-Based IDS for the DNP3 Protocol. Presented by Hui Lin, University of Illinois, at the 2014 TCIPG Industry Workshop held November 12-13, 2014 at the iHotel and Conference Center in Illinois. Slides for this presentation may be downloaded from the workshop archives.

Detection of a Man-in-the-middle Attack in SCADA Network:
Presented by Hui Lin during the TCIPG Industry Workshop in October 2012.

Tech category: