IEC 60870 and DNP3 - the middle layers

Introduction

This web page, and the ones that follow it, are looking in some depth into some of the many SCADA protocols that have been used in the past, or are still in use, and still being developed to cope with changes in technology.

These protocols can be regarded as the middle layer or layers of a SCADA protocol stack.

Although many protocols are not usually described in terms of layers, it is quite a good way to think about how they operate. It also makes comparisons of different protocols somewhat easier.

There are two protocol stacks that are of interest to this web page. These are

• EPA - Enhanced Performance Architecture
• TCP/IP - this is the bottom four layers of the stack used for the internet and corporate networks

 

EPA

This is a 3-layer stack known as Enhanced Performance Architecture ( EPA ), and the three layers are

• Application layer
• Data Link layer
• Physical layer

In the SCADA world, the physical layer is usually RS232 or RS485.

 

TCP/IP

TCP/IP is the bottom 4 layers of the stack used for the internet - it is sometimes loosely described as IP, however IP is actually the third layer of the stack. The whole stack looks like -

• Application layer
• TCP / UDP
• IP
• Data Link layer
• Physical layer

In the corporate network, the physical layer is usually ethernet, based on CSMA/CD - which basically means that every device on the network has an equal right to initiate a conversation with another device, and any collisions will be detected - if a collision is detected, the transmission is aborted, and restarted later.

Carrying a SCADA protocol over TCP/IP can generate problems of latency, as TCP/IP gets increasingly slower as the network gets busier - more packets get dropped, and there are more collisions, causing delays at the physical level. This latency can exceed the built-in time-outs in SCADA devices. Using VLAN`s or some form of quality-of-service or priority tagging would help to reduce this.     Hmmm !     What happens if you are also using VoIP ?

 

SCADA protocols

The SCADA industry has developed many protocols for use within SCADA systems - many of these were developed by, and were unique to specific SCADA system providers, who provided the whole SCADA system, from the remote devices right through to the control room.

Modbus was one of these, however it went on to become an open standard, and has had quite a lot of development work done on it. One of the versions developed is Modbus TCP, which can be used for data communications over TCP/IP. Modbus is widely used as an industrial communications protocol. More information on it on the next page, entitled "SCADA Protocols - the middle layers - Modbus". Here`s a shortcut to it.

Modbus - the middle layer

 

IEC 60870-5 was, or is, a protocol developed by the IEC as a more open protocol, so that different companies could design SCADA components with a common protocol, so that systems could be built with parts from different manufacturers.

IEC 60870-5 is based on EPA, so has that 3 layer stack.

There are now various standards associated with IEC 60870-5, and there is ongoing development. IEC 60870-5-104 is an extension that uses TCP/IP.

DNP3 is another protocol - it was originally developed by a single company in America specifically for the American electricity distribution network, it is now an open standard, and again is still evolving, and is widely used. It was partially based on IEC 60870-5, which at that time was still under development, and had not been published. One of the recent developments is encryption of the data and authentication.

In some respects, DNP3 and IEC 60870-5 are quite similar, however the differences are significant, and they are not compatible.

Host addressing is different - DNP3 always uses 16 bit addressing, and always includes the source address and the destination address. IEC 60870-5 can use 8 bit or 16 bit addressing, and the source address is not always included - it depends on how the link has been set up.

DNP3 relies more on the Application layer to confirm that transmitted data has been successfully received, whereas IEC 60870-5 relies more on the security features built into the Data Link layer for this confirmation.

DNP3 can only work in balanced transmission mode, where as IEC 60870-5 can be configured for either balanced or unbalanced transmission mode.

In balanced transmission mode, every RTU and MTU has equal status, and can initiate a data exchange. Since an RTU or an MTU can initiate a data exchange at any time, without knowing that some other device is also about to start a data exchange, balanced transmissions require network technology which either prevents or detects collisions - for example, full duplex point-to-point RS232, 4 wire RS485, ethernet using CSMA/CD ( which is the norm for most modern IP based corporate networks ).

In unbalanced transmissions, only the MTU can initiate data exchanges, so it has complete control of when data exchanges are going to occur, and so collisions cannot occur ( or shouldn`t occur ).

Another of the differences between DNP3 and IEC 870-5 is that whilst IEC 870-5 sticks to the 3-layer EPA model, DNP3 actually slips in a fourth layer - a pseudo transport layer, sitting between the Application layer and the Data Link layer. It is used within DNP3 for fragmentation ( or segmentation ), where the Application layer produces packets that are too large for the Data Link layer to handle. In IEC 870-5, these too-large packets have to be split up into seperate messages by the Application layer.

 

DNP3 stack

Because of the extra layer, the DNP3 stack has the following four layers -

• Application layer
• Pseudo transport layer
• Data link layer
• Physical layer

 

The DNP3 data link layer

The data link layer takes the data sent down from the pseudo transport layer, and wraps it up into frames, for onward transmission by the physical layer.

Alternatively, it receives incoming frames from the physical layer, strips out the data, and pushes it up to the pseudo transport layer.

A DNP3 frame has two basic parts :-

• the headers - 10 bytes, described below
• the data from or going to the application layer - the maximum amount of data that can be carried in one frame is 250 bytes, and added to that is up to 16 pairs of bytes of CRC ( cyclic redundancy check ), one pair for each 16 bytes of data

So the maximum length of a frame is 250 + 16 + 16 + 10 = 292 bytes

Strictly speaking, 1 byte out of the 250 bytes maximum is used by the pseudo transport layer to deal with fragmentation, so the maximum amount of SCADA data in one frame is limited to 249 bytes. There seems to be two different uses of the term fragments or fragmentation in the various descriptions about DNP3 - some of them refer to the way the pseudo transport layer divides up the data from the application layer into the 249 byte chunks for use by the data link layer, and others refer to the application layer dividing up large quantities of SCADA data into fragments, with the size of the fragment dependent on the capacity of the buffer in the receiving hardware. Typical fragment size in the later case is 2048 bytes.

I`ve also seen the word "segments" used instead of "fragments", in relation to the action of the pseudo transport layer. Here is a layer view of these maximum sizes.

• Application layer - produces data in fragments with a maximum size of 2048 bytes
• Pseudo transport layer - divides up the 2048 bytes into smaller fragments ( or segments ) with a maximum size of 250 bytes
• Data link layer - frame produced by data link layer has a maximum size of 292 bytes
• Physical layer

The headers are always 10 bytes long, there are several sections in the headers, and they are packaged in the following order :-

• sync - 2 bytes to mark the start of the frame
• length - 1 byte - indicates the length of the frame - there is no end-of-frame marker in DNP3, so this section tells the receiver how much data to expect
• link control - 1 byte that contains various control flags
• destination address - 2 bytes - so there can be 65536 unique addresses in a SCADA system, however 16 of them are reserved for special functions, so can`t be used for device addressing
• source address - again, 2 bytes
• cyclic redundancy check - 2 bytes

As far as I can see so far, the 16 reserved DPN3 addresses referred to above include

• 65535 - broadcast address - hex = ffff
• 65534 - broadcast address - hex = fffe
• 65533 - broadcast address - hex = fffd
• 65532 - self address - hex = fffc

 

DPN3 over TCP/IP

DNP was designed to operate as a point-to-point protocol over an always-on physical connection - ie, RS232. TCP/IP is a very different form of connection - it is still serial, but a single physical link can carry a large number of "logical" connections. TCP/IP has its own addressing scheme, but it doesn`t replace the DNP3 addressing scheme.

I`m guessing here - but presumably the TCP layer has to maintain some kind of look-up table to map DNP3 addresses to IP addresses - a bit like ARP, but at a higher level in the stack.

As far as I can see, there were some isolated solutions to carrying DNP3 over TCP/IP, involving modifications or substitutions to the psuedo transport layer, and to the data link layer.

Then the DNP user group came up with a specification which went in a somewhat different direction - it specified that the existing upper layers within DNP are maintained almost unchanged, and the layer 2 frames produced by the DNP3 data link layer are encapsulated within the TCP layer of the 4 layer TCP/IP protocol stack.

The RS232 physical layer is gone, and replaced by the TCP/IP stack, using whatever physical layer is appropriate.

I think there has to be some changes in the DNP3 data link layer, due to timing.

So now the whole stack has the following six layers -

• DNP3 application layer
• DNP3 pseudo transport layer
• DNP3 data link layer - slightly modified
• TCP
• IP
• Data Link layer
• Physical layer

In DNP3, the responsibility for ensuring DNP data integrity lies within the application layer of the DNP stack, and that is still there unchanged. TCP also provides some responsibility for data integrity.

There are various manufacturers producing "boxes" that convert the RS232 data streams into TCP/IP traffic, so presumably, legacy devices can be continue to be used.

IANA has registered port 20000 for DNP3 over both TCP and UDP, over IP. The DNP3 over TCP/IP specification allows for other ports to be used - this is essential if the network infrastructure uses NAT.

Master stations should be capable of both initiating and listening for new connections - slave stations must be capable of listening for new connections, and can if wanted also initiate new connections.

Setting up and killing TCP connections is completely seperate from DNP3 connections or polling - TCP has its own connection time and keep-alive configuration.

If a SCADA network is based on TCP/IP, the outstations must also be capable of receiving broadcast mesages on UDP port 20000, but don`t respond to them.

If a master station wants to do a broadcast to all the outstations using UDP, then as well as the UDP broadcast address, the DNP3 frame must also include a DNP3 broadcast address.

 

 

 

 

• home page
• image gallery
• about this website
• about the colour bar

 

website design by ron-t

 

website hosting by freevirtualservers.com

 

© 2024   Ron Turner

 

+                                   +  

 

 

• grayscale