DNP3 New App-ID Release

Created On 09/25/18 19:45 PM - Last Modified 07/19/22 22:42 PM


Resolution


Background:

DNP3 (Distributed Network Protocol) is a set of communication protocols used between components in SCADA systems. Its main use is in utilities such as electric and water companies. It was developed for communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it is used by SCADA Master Stations (a.k.a. Control Centers), Remote Terminal Units and Intelligent Electronic Devices.

We currently have 5 App-IDs for DNP3 and are planning to extend coverage to all DNP3 function codes, which will bring the total to 32 App-IDs. Given that DNP3 is a crucial protocol in SCADA and ICS systems, we would like to introduce these changes in a way that lets customers absorb them smoothly, without any interruption to existing deployments that use the DNP3 App-ID.

Release Plan:

In the week of 21 August 2017, Palo Alto Networks will be adding 27 App-IDs for DNP3 function codes. The list of App-IDs that will be enabled in the week of 17 August is as follows:

  • dnp3-confirm
  • dnp3-select
  • dnp3-direct-operate-no-resp
  • dnp3-freeze
  • dnp3-freeze-no-resp
  • dnp3-clear
  • dnp3-clear-no-resp
  • dnp3-freeze-at-time
  • dnp3-freeze-at-time-no-resp
  • dnp3-cold-restart
  • dnp3-warm-restart
  • dnp3-initialize-data
  • dnp3-initialize-application
  • dnp3-start-application
  • dnp3-stop-application
  • dnp3-save-configuration
  • dnp3-enable-unsolicited
  • dnp3-disable-unsolicited
  • dnp3-assign-class
  • dnp3-delay-measurement
  • dnp3-record-current-time
  • dnp3-open-file
  • dnp3-close-file
  • dnp3-delete-file
  • dnp3-get-file-information
  • dnp3-authenticate-file
  • dnp3-abort-file

These 27 App-IDs will be released in two phases:

  • July 2017 - 27 DNP3 placeholder functional App-IDs will be released (release time frame: week of July 17th, 2017)
  • August 2017 - The 27 DNP3 functional App-IDs will be enabled (release time frame: week of August 21st, 2017)

The placeholder App-IDs allow our customers to make any necessary policy changes on their firewalls ahead of time: they give customers enough time to plan and to add the App-IDs to their security policy before the App-IDs are enabled.

Frequently Asked Questions

Q: Why did Palo Alto Networks make this change?

A: Based on our interactions with many of our customers in the SCADA and ICS space, and given the evolving threat landscape, requests for predefined DNP3 App-IDs have come up often. In light of that, and as part of our continuing effort to provide application visibility in the SCADA space, we decided to release these 27 additional DNP3 App-IDs.

Q: What policy changes will be required?

A: If you are a customer using an App-ID based policy with the App-ID named dnp3-base to allow DNP3 related traffic, you will be required to change this policy to "add" the required DNP3 App-IDs from this list of 27 App-IDs. Pay close attention to the word "add" in the preceding sentence: we suggest that you do not remove dnp3-base but add the needed DNP3 functional App-IDs to that existing policy.

A somewhat easier but less granular approach could be to just allow the DNP3 container App-ID which will allow all DNP3 App-IDs.

[Screenshot: example security policy allowing the DNP3 container App-ID]

However, for a more granular approach, we suggest that customers evaluate what type of DNP3 traffic should be allowed and allow only those specific DNP3 function-code App-IDs. Please note that the security policy below is just an example and every customer's setup will differ. Use your own judgment and knowledge of the DNP3 flows that exist in your network to construct the right policy.

[Screenshot: example security policy allowing specific DNP3 function-code App-IDs]

Q: What if I am using port-based policies to allow traffic related to DNP3?

A: If you are using port-based policies to enable DNP3 traffic, you will not be affected by this change. However, we highly recommend that you start using the DNP3 App-IDs to safely enable traffic related to DNP3.

Q: What happens if dnp3-base is not replaced by one or more of the DNP3 functional App-IDs in the security policies?

A: In the week of August 21, 2017, all 27 DNP3 functional App-IDs will be enabled. Traffic that was previously identified as dnp3-base will then be identified as one of these 27 functional App-IDs if it matches their signatures. If the existing security policy explicitly allows only dnp3-base, traffic matching one of these 27 functional DNP3 App-IDs may be dropped.
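As an added audit example (not from this article and not Palo Alto Networks code), the script below reads a security rulebase in the shape of a PAN-OS XML export (the layout is assumed, and the sample rulebase is constructed) and reports, for every allow rule that relies on dnp3-base, which of the 27 functional App-IDs it does not also allow, so those rules can be updated before the enablement week; the container App-ID name `dnp3` is an assumption.

```python
import xml.etree.ElementTree as ET

# The 27 DNP3 function-code App-IDs listed in the article.
DNP3_FUNCTIONAL = {
    "dnp3-confirm", "dnp3-select", "dnp3-direct-operate-no-resp", "dnp3-freeze",
    "dnp3-freeze-no-resp", "dnp3-clear", "dnp3-clear-no-resp", "dnp3-freeze-at-time",
    "dnp3-freeze-at-time-no-resp", "dnp3-cold-restart", "dnp3-warm-restart",
    "dnp3-initialize-data", "dnp3-initialize-application", "dnp3-start-application",
    "dnp3-stop-application", "dnp3-save-configuration", "dnp3-enable-unsolicited",
    "dnp3-disable-unsolicited", "dnp3-assign-class", "dnp3-delay-measurement",
    "dnp3-record-current-time", "dnp3-open-file", "dnp3-close-file", "dnp3-delete-file",
    "dnp3-get-file-information", "dnp3-authenticate-file", "dnp3-abort-file",
}
DNP3_BASE = "dnp3-base"
DNP3_CONTAINER = "dnp3"  # assumed name of the DNP3 container App-ID


def dnp3_rule_report(rulebase_xml):
    """For each allow rule that matches dnp3-base, list the functional App-IDs it
    does not also allow (an empty list means the rule is already covered)."""
    report = {}
    for rule in ET.fromstring(rulebase_xml).findall(".//rules/entry"):
        apps = {m.text.strip() for m in rule.findall("application/member")}
        if rule.findtext("action") != "allow" or DNP3_BASE not in apps:
            continue
        # 'any' or the container App-ID already covers every DNP3 function code.
        covered = "any" in apps or DNP3_CONTAINER in apps
        report[rule.get("name")] = [] if covered else sorted(DNP3_FUNCTIONAL - apps)
    return report


def rules_at_risk(rulebase_xml):
    """Allow rules for dnp3-base that admit no functional App-ID at all: once the
    27 App-IDs are enabled, their DNP3 traffic stops matching these rules."""
    report = dnp3_rule_report(rulebase_xml)
    return sorted(n for n, missing in report.items() if len(missing) == 27)


# Constructed sample in the shape of a PAN-OS rulebase export (layout assumed).
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="scada-legacy"><action>allow</action>
  <application><member>dnp3-base</member></application></entry>
<entry name="scada-granular"><action>allow</action><application>
  <member>dnp3-base</member><member>dnp3-confirm</member><member>dnp3-select</member>
</application></entry>
<entry name="scada-container"><action>allow</action>
  <application><member>dnp3</member><member>dnp3-base</member></application></entry>
</rules></security></rulebase>"""
```

Running `rules_at_risk(SAMPLE_RULEBASE)` on the constructed rulebase flags only `scada-legacy`; the granular rule is reported with the 25 function codes it does not allow, for the administrator to confirm that this is intentional.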
