OpenDNP3 was released as open source over 10 years ago. This post describes where I believe the project has succeeded, where it hasn’t, and why Step Function I/O is using a different licensing model for our new libraries going forward. In many ways, OpenDNP3 has been a success. We are constantly learning of new companies that have successfully used the library to add DNP3 functionality to their product or service offering.
Complexity vs Security
Historical Note: This post originally appeared on Automatak.com. The title has been changed. The DNP UG recently published a statement regarding the rash of DNP3 advisories from ICS-CERT. Generally, I agree with their statements. There is nothing wrong with the specification in the perfect world of specifications. In theory, a developer should be able to write a flawless implementation of the protocol. In practice, however, something quite different has been demonstrated.
DNP3 SAv5 and TLS: Different trust boundaries
Historical Note: This post originally appeared on Automatak.com. Subsequent analysis under a DHS grant, changed my opinion on DNP3 SAv5 substantially. There is a good paper published by IEEE S&P available here that I co-authored with Sergey Bratus that better summarizes my technical opinion of DNP3 SAv5. The purpose of this post is not to compare the merits of SAv5 vs. TLS, but rather to point out how the security concept of trust boundaries is applied to the analysis of dnp3 implementations themselves.