The WITS-DNP3 Protocol

The WITS-DNP3 protocol defines a standard method to achieve the water industry telemetry control and monitoring requirements, in particular interoperability between equipment from different manufacturers. The standard defines how to satisfy water industry specific functional requirements using features of the DNP3 protocol.

On this page we have articles describing the protocol, its development and current status, together with some technical information. Click on the titles below to learn more.

What Does WITS Do?

The WITS Protocol builds on the robust foundation of DNP-3 to bring unique Water Industry benefits to compatible products…[Read more]

Industry Adoption

The WITS Protocol is widely supported and specified by the Water Industry users and their partnership equipment and services providers. For the latest position please see an article published in December 2015 in the Water & Sewerage Journal, entitled “WITS-DNP3 Protocol Adoption Progresses” and was written by Charles Williams.

To view the article, click on the link which will take you straight to the first page of the article in the eBook:

It is best viewed in full-screen, OR you can click on an individual page which will then zoom to whatever level you want.

WITS Roadmap

WITS is a mature protocol that is being actively maintained by the Protocol Standards Association…[Read more]

WITS Release History

WITS Protocol versions, past and present[Read more]

Encryption and the WITS-DNP3 protocol

Review of current security provisions in the protocol

The WITS-DNP3 protocol is entirely based on the DNP3 protocol, extending that protocol to provide functions which are specific to the Water Industry, but may also be of general applicability to other industries. The WITS-DNP3 protocol adds no further security functions to those offered by DNP3 and so is wholly dependent for its security on the DNP3 protocol. This reliance on the security provided by DNP3 is intentional and intended to prevent any re-engineering of the security solution which we feel has been well engineered and is being well maintained by the DNP3 Users Group.

The DNP3 protocol provides security by only permitting suitably authenticated parties to be able to execute certain privileged functions. So, for example, if a party was trying to drive a digital output on a Field Device, then authentication would be required to ensure that only those permitted to drive the point could do so. The details of how this is done are contained within the DNP3 specification (IEEE1815-2012) and referred to as Secure Authentication, or SA for short. Two versions of this (SAv2 and SAv5) are mentioned within the WITS-DNP3 protocol and you can read an overview article and a more detailed article discussing these on the WITS website.

It is important to note that DNP3, and therefore WITS-DNP3, does not include any provision for encryption of data between the Master Station and Field Device. However, where the protocol is used with other network protocols such as TCP/IP then features of these protocols can be used to enhance the security of DNP3. For example, encryption can be implemented using the TLS feature of TCP/IP.

WITS-DNP3 certainly extends the communications part of the DNP3, including details of communications channels and connections and when those connections should be used. However, it does not add encryption on top of the current DNP3 security mechanism. As long as critical functions of the device are protected through secure authentication, which they are through the standard DNP3 security, this was felt to be enough protection for most uses.

Use of further security measures

In some cases, it is possible that those deploying WITS-DNP3 will require further security measures to be put in place, such as encryption. Encryption would for instance prevent eavesdroppers listening to the data from the device, watching commands being executed or monitoring files during transfer, where the existing communications channel do not provide enough of a guarantee of security.

When using WITS-DNP3 with a network protocol such as TCP/IP then encryption could be provided by the network protocol.

When using non-network protocols, encryption could be provided by other devices placed at appropriate points in the communications channel. This may be through “bump in the wire” devices, the use of “virtual private networks” or other similar technologies and can ensure that data travelling between sites is encrypted and therefore may not be eavesdropped.

The implementation of such schemes is a matter for the users deploying the protocol and outside the scope of the WITS-DNP3 protocol.

Future developments

The development of the WITS-DNP3 protocol is led by the members of the WITS PSA, who comprise users of the protocol and vendors who sell products implementing the protocol. If you are not a member and wish to have a say in the development of the protocol, we suggest you join and become active in the WITS community.

Currently there is little pressure from the current WITS PSA members to implement any form of encryption. However, if there were, and bearing in mind the close relationship of the protocol to DNP3, it is most likely that we would seek to do this through supporting the development of this function within DNP3. By the same argument, should the DNP3 User Group ever choose to include encryption within the DNP3 protocol then we would naturally adopt that within the WITS-DNP3 protocol.