If I Knew Then What I Know Now: On Reevaluating DNP3 Security using Power Substation Traffic

Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop (2019)

Abstract
In the modern world, the reliable and continuous operation of cyber-physical systems (CPSs) has become an increasingly crucial factor of our daily life. As a result, the networking protocols of CPSs have been developed to achieve availability without serious consideration for security. Security flaws in these protocols could lead to system misconfigurations or malicious network penetrations, which would severely impact the operation of critical infrastructure and control devices on a CPS network. To combat this, some researchers have made efforts to design effective intrusion detection and prevention systems (IDSs/IPSs) for providing security in CPS networks. Most of the past and ongoing work in this space explores security from virtual testbeds or simulated systems, many of which make simplifying assumptions. These artificial platforms generally rely on the expectation that CPS networks are behaviorally very similar to traditional information technology (IT) networks, and this does not always hold true in practice. In this paper, we investigate and discuss the feasibility and efficacy of previously proposed DNP3 application layer attacks and their mitigation techniques on network traffic captured from four real-world power grid substations. Based on this and a traffic characterization of the captured data, we suggest a set of lightweight but effective mechanisms to help enhance the security of power substations utilizing the DNP3 protocol. This work primarily focuses on DNP3 since it is the most widely used protocol in power substations, which form the backbone of the electricity grid.
Keywords
Cyber-physical systems (CPSs), DNP3, intrusion detection system (IDS), network security