Updated slides for the talk "Master Serial Killer", covering Adam Crain and Chris Sistrunk's ICS protocol vulnerability research (Project Robus), the Aegis fuzzer, and mitigations for the vulnerabilities found.
2. About Us
Chris Sistrunk, PE
• Electrical Engineer
• SCADA Expert
• Loves Security
• DNP3 Member
• Button Pusher
Adam Crain
• Software Engineer
• OSS Advocate
• openDNP3 Author
• DNP3 Member
• Code Monkey
4. How I Audit SCADA systems
http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
5. ICS/SCADA Security
• ICS/SCADA lags IT by 10-15 years
• 708 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”
• Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
8. SCADA Protocol Vuln Research
We chose to focus on popular SCADA protocols
Fuzzers did exist, but only tested server side
Serial had not been fuzzed before (that we know of)
We chose to use Responsible Disclosure
• Inform the vendor, then ICS-CERT, DNP3 UG
• Worked with the vendor to help them replicate and begin further negative testing
9. Project Robus
• Latin for “bulwark”
• Started in April 2013
• 24 advisories / 30 tickets
• 22 DNP3, 1 Modbus, 1 Telegyr 8979
www.automatak.com/robus
www.automatak.com/aegis
11. Fuzzing Master Stations
• Referenced in Nat’l SCADA Test Bed reports but no data available
• Wurldtech & Spirent (Mu Dynamics) don’t fuzz the master side of ICS protocols... yet
(diagram: Master and Slave)
12. Fuzzing Master Stations
DNP3 Application Function Code 0x82 (Unsolicited Response)
• If the Master Station has Unsol enabled, it must accept messages from its RTUs at any time
• Design of the system must be fine tuned...or else
DNP3 Outstation Unsolicited Response Storm
• If the Master parser has a problem with one message, you can imagine the problems with many, many messages
13. Serial Fuzzing
All the security focus has been on Ethernet networks, but many ICS, especially SCADA, still utilize serial networks.
• DNP3 is the same over serial! (unlike Modbus)
• Impact to NERC/CIP v3 & v5
Physical Security (discussed later)
• Pole-mounted RTUs
• PQ Meters, etc.
14. DNP3 (IEEE 1815-2012) Primer
DNP3 is a SCADA protocol used by almost all of the electric utilities and some water utilities in North America, Australia, and the UK.
Created in the 1990s and turned over to the DNP3 UG in 1993.
One of the few ICS protocols that has secure authentication.
(diagram: SCADA Master communicating with an RTU with I/O)
15. Breaking Down DNP3
TCP 20000
TCP 19999 (TLS)
UDP 20000
Ref. from IEEE Std 1815-2012
18. Vendor Response
• Most of the vendors were very pleased
• A few were not >> head in the sand
• Some had never done negative testing
• Nearly all devices and hosts with DNP3 were affected, so it was an industry-wide wakeup call.
25. The Aegis ICS Fuzzing Framework
• We decided that we needed to release our fuzzing framework tool as open source.
• Open source security tools have a proven track record of raising security (hello MSF!)
• We do encourage people to join our efforts to add more protocols to Aegis
26. Aegis Specifics
• Version 0.1.x in Scala www.scala-lang.org
• Current version (private release) in C#
• Protocol boundary conditions
• Abstracts physical layer
• Combines aspects of generation and mutation
• Repeatable random seeds
• ~500,000 test cases with one seed
27. Fuzzer Test Flow
(diagram) Repeated for each of Num Test Cases: send one test DNP3 message (DL, TL, or AL), then health-check the target with Request Link States / Link Status; each Request / Response is retried up to Num Retry (10) times.
29. Combinatorics
val nums = List(1, 3)
val colors = List("red", "green")
// repeat the reversed string num times
def combine(i: Int, s: String) = List.fill(i)(s.reverse).mkString
// Cartesian.Transform is the framework's lazy cartesian-product helper: it applies
// combine to every (num, color) pair without building the whole product up front
val result = Cartesian.Transform(colors, nums)(combine)
What is result?
30. Lazy Generator
// val nums = List(1, 3)
// val colors = List("red", "green")
> result.foreach(println)
der
derderder
neerg
neergneergneerg
31. { frames } = f(byte, Type)
{ byte } = f(bool, bool, int)
{ Type } = f(.....)
{ true, false } × { true, false } × { 0, 1, 63 }
Fuzzing is O(2^n)
32. Generators can get large!
{ test cases } grows with:
● Many function codes
● Many objects
● Header types
● Many field values
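An added example (not code from the talk or from Aegis) of the lazy, indexable generator idea behind slides 29-32 and the -start/-count options on slide 42, in Python rather than the framework's Scala or C#: the test-case count is the product of the field domains, any case can be decoded from its index without building the whole product, and a seed reproduces the same sample. The field names and domains are constructed for illustration.

```python
import random
from math import prod
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# Constructed domains (hypothetical, not the framework's real ones) in the spirit of slide 31:
# a control byte from two flags and a few function codes, times an object type.
FIELDS: Dict[str, Sequence] = {
    "dir": [True, False],
    "prm": [True, False],
    "fc": [0, 1, 63],
    "type": ["A", "B", "C", "D"],
}

def total_cases(fields: Dict[str, Sequence]) -> int:
    """Generator size: the product of the domain sizes, so every field added multiplies it."""
    return prod(len(domain) for domain in fields.values())

def case_at(fields: Dict[str, Sequence], index: int) -> Dict[str, object]:
    """Random access to the index-th combination without materialising the product:
    mixed-radix decode, last field varying fastest (the itertools.product order)."""
    if not 0 <= index < total_cases(fields):
        raise IndexError(f"test case {index} outside 0..{total_cases(fields) - 1}")
    names = list(fields)
    digits: List[int] = []
    for name in reversed(names):
        index, digit = divmod(index, len(fields[name]))
        digits.append(digit)
    digits.reverse()
    return {name: fields[name][digit] for name, digit in zip(names, digits)}

def cases(fields: Dict[str, Sequence], start: int = 0,
          count: Optional[int] = None) -> Iterator[Tuple[int, Dict[str, object]]]:
    """Lazy generator behind a '-start N -count M' run: (index, case) pairs produced on demand."""
    stop = total_cases(fields) if count is None else min(total_cases(fields), start + count)
    for i in range(start, stop):
        yield i, case_at(fields, i)

def repeatable_sample(fields: Dict[str, Sequence], seed: int, count: int) -> List[Dict[str, object]]:
    """Same seed, same subset in the same order: the repeatable-random-seed property of slide 26."""
    rng = random.Random(seed)
    return [case_at(fields, i) for i in rng.sample(range(total_cases(fields)), count)]
```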
42. Examples
Run 10 link layer test cases starting at #123
$ aegis-console -mid dnp3 -pid lfuzz -start 123 -count 10
Unsolicited response fuzzing of a master listening on default port 20000 with master address of 0 and an outstation address of 1
$ aegis-console -mid dnp3 -pid aufuzz -dest 0 -src 1 -master -listen
Outstation link layer fuzzing test case #100 only
$ aegis-console -mid dnp3 -pid lfuzz -start 100 -count 1
Outstation application object fuzzing against 192.168.1.55:20001 with default addressing
$ aegis-console -mid dnp3 -pid aofuzz -host 192.168.1.55 -port 20001
43. Further Aegis Development
• In addition to the DNP3 protocol, we’ve added Modbus and Telegyr 8979 (serial only) protocol modules to the framework.
• Migrated from Scala to C#.
• Added a GUI
• Working with vendors and other trusted researchers.
44. New Aegis Demo
--- module: dnp3 - Test routines for the DNP3 protocol ---
Procedure ids:
link Fuzzing of the link layer (masters or outstations)
transport Fuzzing of the transport function (masters or outstations)
requests Fuzzes the application layer with malformed and unexpected requests (outstation)
unsol Fuzzes the application layer with malformed and unexpected unsolicited responses (master)
octetunsol Reports large numbers of 0-length octet string headers via unsolicited mode (master)
octetwrite Writes large numbers of 0-length octet string headers (outstation)
randrequest Fuzzes the application layer with semi-random requests (outstation)
randunsol Fuzzes the application layer with semi-random unsolicited responses (master)
-dest <arg>(1024)[0, 65535] link layer address of the target
-src <arg>(1)[0, 65535] link layer address of the fuzzer
-master <arg>(False) set the link-layer master bit for master fuzzing
-retries <arg>(10)[1, none] Number of link status retries
-timeout <arg>(1000)[10, none] Read timeout in milliseconds
-health <arg>(LinkStatus) Type of health check to use [linkstatus, resetlink]
--- module: modbus - Test routines for the Modbus protocol ---
Procedure ids:
request Sends malformed or unexpected requests at a Modbus slave
49. What’s different about Robus?
SCADA Vulns reported for a while now
Adam and I aren’t security researchers
• He’s a software geek…I’m an engineer
• Our skills complemented each other
• Both experts in DNP3 protocol, but from different angles
50. Some theories
Why did the industry move instead of ignore?
• I was an end user and we really cared!
• Not just a wham-bam researcher
• Respectful, tactful, responsible
• We released our tool
...we weren’t going away
54. SHODAN
Probably default configs
• Many similar responses
• Same DNP Addresses
python shell
>>> " ".join("%02x" % ord(i) for i in "DNP3 paste from shodan")  # dump the pasted banner as two hex digits per byte
Unsolicited Response with
Binary and Analog Data
Class 1/2/3/0 Poll!!!
https://ics-radar.shodan.io/
https://maps.shodan.io/
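An added example, not part of the talk or of Aegis, in Python: building and parsing the 10-byte DNP3 link-layer header from slide 15 with the CRC-16/DNP checksum, decoding the spaced hex that the one-liner above prints from a banner paste, and applying the Link Status health check of slides 27 and 44. The function-code tables are the DNP3 link-layer ones; the addresses 1024 and 1 are the -dest/-src defaults from slide 44, and the frames are constructed, not captured from Shodan.

```python
from typing import NamedTuple

# CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), LSB first, complemented, sent little-endian after the header.
def crc_dnp(data: bytes) -> int:
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

PRIMARY_FC = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
              4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY_FC = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}  # PRM=0

class LinkHeader(NamedTuple):
    dir_master: bool  # DIR bit (0x80): frame sent by the master
    prm: bool         # PRM bit (0x40): primary (initiating) message, selects the FC table
    fc: int           # low nibble of the control byte
    dest: int
    src: int
    crc_ok: bool
    def fc_name(self) -> str:
        return (PRIMARY_FC if self.prm else SECONDARY_FC).get(self.fc, f"UNKNOWN({self.fc})")

def build_header(control: int, dest: int, src: int, length: int = 5) -> bytes:
    """Start 0x05 0x64, LEN (5 = header only), CTRL, DEST, SRC little-endian, then the CRC."""
    body = bytes([0x05, 0x64, length, control]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    return body + crc_dnp(body).to_bytes(2, "little")

def parse_header(frame: bytes) -> LinkHeader:
    """Decode a 10-byte header; a bad CRC yields crc_ok=False so a fuzzer can count it."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame: expected 0x0564 start bytes and a 10-byte header")
    ctrl = frame[3]
    crc_ok = int.from_bytes(frame[8:10], "little") == crc_dnp(frame[:8])
    return LinkHeader(bool(ctrl & 0x80), bool(ctrl & 0x40), ctrl & 0x0F,
                      int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little"), crc_ok)

def decode_hex_banner(text: str) -> LinkHeader:
    """Parse the spaced hex that the one-liner above prints from a banner paste."""
    return parse_header(bytes.fromhex(text.replace(" ", "")))

def is_link_status_reply(frame: bytes, outstation: int) -> bool:
    """Health check between test cases (-health LinkStatus): a clean LINK_STATUS from the target."""
    try:
        h = parse_header(frame)
    except ValueError:
        return False
    return h.crc_ok and not h.prm and h.fc == 11 and h.src == outstation
```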
55. Conclusions
• DNP3 is not a special case; other protocols face the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…
• Early testing of both slave/server AND master/client sides of protocols is important!
• Compliance != Security, but the culture is important
• Don’t have to be a nation/state or large firm to do this
• A few good folks can make a difference in the industry