Master Serial Killer - DEF CON 22 - ICS Village 
Chris Sistrunk PE, Mandiant 
Adam Crain, Automatak
About Us 
Chris Sistrunk, PE 
• Electrical Engineer 
• SCADA Expert 
• Loves Security 
• DNP3 Member 
• Button Pusher 
Adam Crain 
• Software Engineer 
• OSS Advocate 
• openDNP3 Author 
• DNP3 Member 
• Code Monkey
How I Audit SCADA systems 
http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
ICS/SCADA Security 
• ICS/SCADA lags IT by 10-15 years 
• 708 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy” 
• Positive vs. Negative Testing: the front yard is mowed, but the back yard is overgrown.
Software Testing
When you scan ICS with nmap
SCADA Protocol Vuln Research 
We chose to focus on popular SCADA protocols 
Fuzzers did exist, but only tested the server side 
Serial had not been fuzzed before (that we know of) 
We chose to use Responsible Disclosure 
• Inform the vendor, then ICS-CERT, DNP3 UG 
• Worked with the vendor to help them replicate and begin further negative testing
Project Robus 
• Latin for “bulwark” 
• Started in April 2013 
• 24 advisories / 30 tickets 
• 22 DNP3, 1 Modbus, 1 Telegyr 8979 
www.automatak.com/robus 
www.automatak.com/aegis
Fuzzing Master Stations 
• Referenced in Nat’l SCADA Test Bed reports but no data available 
• Wurldtech & Spirent (Mu Dynamics) don’t fuzz the master side of ICS protocols…………..yet 
(diagram: Master <-> Slave)
Fuzzing Master Stations 
DNP3 Application Function Code 0x82 (Unsolicited Response) 
• If the Master Station has Unsol enabled, it must accept messages from its RTUs at any time 
• Design of the system must be fine tuned...or else 
DNP3 Outstation Unsolicited Response Storm 
• If the Master parser has a problem with one message, you can imagine the problems with many, many messages
Serial Fuzzing 
All the security focus has been on Ethernet networks, but many ICS, especially SCADA, still utilize serial networks. 
• DNP3 is the same over serial and TCP! (unlike Modbus) 
• Impact to NERC CIP v3 & v5 
Physical Security (discussed later) 
• Pole-mounted RTUs 
• PQ Meters, etc.
DNP3 (IEEE 1815-2012) Primer 
DNP3 is a SCADA protocol used by almost all of the electric utilities and some water utilities in North America, Australia, and the UK. 
Created in the 1990s and turned over to the DNP3 Users Group in 1993. 
One of the few ICS protocols that has secure authentication. 
(diagram: SCADA Master <-> RTU with I/O)
Breaking Down DNP3 
(diagram of the DNP3 layers, ref. IEEE Std 1815-2012) 
• TCP 20000 
• TCP 19999 (TLS) 
• UDP 20000
Vendor Response Matrix 
Bug and Fix are month/day dates; Days is the number of days between them; Advisory is the ICS-CERT advisory date. 
ICS-CERT Adv      Company           Protocol  Bug                        Fix     Days    Advisory 
ICSA-13-161-01    IOServer          DNP3      4/24                       5/24    30      6/10/2013 
ICSA-13-213-03    IOServer          DNP3      5/1                        7/20    80      8/1/2013 
ICSA-13-219-01    SEL               DNP3      5/1                        5/30    29      8/7/2013 
ICSA-13-226-01    Kepware           DNP3      4/24                       6/18    55      8/14/2013 
ICSA-13-234-02    TOP Server        DNP3      4/24                       6/18    55      8/22/2013 
ICSA-13-240-01    TMW               DNP3      4/24                       6/17    54      8/28/2013 
ICSA-13-213-04A   Matrikon          DNP3      4/24                       6/17    54      8/29/2013 
ICSA-13-252-01    Subnet            DNP3      4/24                       8/30    128     9/9/2013 
ICSA-13-282-01    Alstom            DNP3      4/24                       6/4     41      10/21/2013 
ICSA-13-297-01    Catapult          DNP3      4/24                       10/1    160     11/22/2013 
ICSA-13-297-02    GE IP             DNP3      Self Report                10/1    n/a     11/22/2013 
ICSA-13-337-01    Elecsys           DNP3      9/12                       11/4    53      12/3/2013 
ICSA-13-346-02    Cooper OPC        DNP3      7/31                       None    ∞day™   12/12/2013 
ICSA-13-346-01    Cooper/Cybectec   DNP3      5/1                        12/12   225     12/12/2013 
ICSA-13-352-01    Novatech          DNP3      5/1                        9/5     127     12/18/2013 
ICSA-14-014-01    Schneider         DNP3      8/6                        8/23    17      1/14/2014 
ICSA-14-100-01    IOServer          Modbus    2/6                        3/4     26      4/10/2014 
ICSA-14-154-01    COPA-DATA         DNP3      Self Report using Aegis!   -       n/a     6/3/2014 
ICSA-14-196-01    Subnet            TG8979    4/18                       6/18    61      7/31/2014
Vendor Response 
• Most of the vendors were very pleased 
• A few were not (head in the sand) 
• Some had never done negative testing 
• Nearly all devices and hosts with DNP3 were affected, so it was an industry-wide wakeup call.
White Noise Fuzzing 
#1 random == really “dumb”
Template (mutational) Fuzzing
Generational “Smart” Fuzzing
Multi-field Anomalies
Generational == most vulns!
The Aegis ICS Fuzzing Framework 
• We decided that we needed to release our fuzzing framework tool as open source. 
• Open source security tools have a proven track record of raising security (hello MSF!) 
• We do encourage people to join our efforts to add more protocols to Aegis
Aegis Specifics 
• Version 0.1.x in Scala www.scala-lang.org 
• Current version (private release) in C# 
• Protocol boundary conditions 
• Abstracts physical layer 
• Combines aspects of generation and mutation 
• Repeatable random seeds 
• ~500,000 test cases with one seed
Fuzzer Test Flow 
(flow diagram, repeated x Num Test Cases) 
• Test DNP3 Message (DL, TL, or AL) 
• Request Link States -> Link Status (health check: Request / Response, x Num Retry (10)) 
(meme) I 0x0564 U... Y U NO 0x0564 ME BAK ?!
Combinatorics 
val nums = List(1, 3) 
val colors = List("red", "green") 
// repeat the reversed string num times 
def combine(i: Int, s: String) = List.fill(i)(s.reverse).mkString 
// Cartesian.Transform is Aegis' lazy product helper: it applies combine to every (num, color) pair 
val result = Cartesian.Transform(colors, nums)(combine) 
What is result?
Lazy Generator 
// val nums = List(1, 3) 
// val colors = List("red", "green") 
> result.foreach(println) 
der 
derderder 
neerg 
neergneergneerg
{ frames } = f(byte, Type) 
{ byte } = f(bool, bool, int)    { Type } = f(.....) 
{ true, false } x { true, false } x { 0, 1, 63 } 
Fuzzing is O(2^n)
Generators can get large! 
{ test cases } grows with: 
● Many function codes 
● Many objects 
● Header types 
● Many field values
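A lazy, indexable version of the Cartesian generator from the slides above, as an added Python example (not the Scala Cartesian.Transform that ships with Aegis): it reproduces the slide's result, sizes the 2 x 2 x 3 control-byte space from the {byte} = f(bool, bool, int) slide, and addresses any case by number the way -start and -count select a window, without generating the cases before it. The domain lists are constructed from the slide values.

```python
"""Lazy, indexable Cartesian test-case space.

Added example in Python, not the Scala Cartesian.Transform from Aegis. The
space is the product of every field's value set, so cases are produced on
demand and any case can be decoded directly from its number.
"""
from math import prod


def space_size(domains):
    """Number of test cases = product of the field domain sizes.

    With n boolean fields this is 2**n, the O(2^n) growth noted on the slide.
    """
    return prod(len(d) for d in domains)


def case_at(domains, index):
    """Decode case number `index` into one value per domain (mixed radix).

    The first domain varies slowest and the last fastest, matching the
    order in which the slide prints result.
    """
    if not 0 <= index < space_size(domains):
        raise IndexError(index)
    values = []
    for domain in reversed(domains):
        index, digit = divmod(index, len(domain))
        values.append(domain[digit])
    return tuple(reversed(values))


def cartesian_transform(domains, fn, start=0, count=None):
    """Lazily yield fn(*values) for cases start .. start+count-1.

    Nothing before `start` is built, so replaying case #123 of a
    500,000-case run costs the same as case #0.
    """
    total = space_size(domains)
    stop = total if count is None else min(total, start + count)
    for index in range(start, stop):
        yield fn(*case_at(domains, index))


def combine(color, num):
    # repeat the reversed string num times (the slide's combine, with the
    # arguments in domain order: colour first, then count)
    return color[::-1] * num


# Constructed inputs: the two slide lists, and the control-byte domains
# {true,false} x {true,false} x {0,1,63} from the "{byte} = f(bool,bool,int)" slide.
COLORS = ["red", "green"]
NUMS = [1, 3]
CONTROL_BYTE_DOMAINS = ([True, False], [True, False], [0, 1, 63])


def slide_result():
    """The four strings the Lazy Generator slide prints."""
    return list(cartesian_transform((COLORS, NUMS), combine))


if __name__ == "__main__":
    for line in slide_result():
        print(line)
    print(space_size(CONTROL_BYTE_DOMAINS))
    # a window of the control-byte space, like `-start 10 -count 5`
    print(list(cartesian_transform(CONTROL_BYTE_DOMAINS, lambda *v: v, start=10, count=5)))
```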
Types of Vulnerabilities
Vuln #1 
FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF 
  FA           application control: FIR, FIN, CON, UNS set, SEQ 10 
  82           function code 0x82, Unsolicited Response 
  00 00        IIN 
  01 00        Group 1, Variation 0: sizeless?! (variation 0 carries no object size) 
  02           qualifier 0x02: 4 byte start/stop 
  00 00 00 00  start 0 
  FF FF FF FF  stop 4294967295 
● infinite loop 
● missing data 
● integer overflow? 
● accepts broadcast
Vuln #2 
DD 82 00 00 0A 02 01 00 00 FF FF 
  DD     application control: FIR, FIN, UNS set, SEQ 13 
  82     function code 0x82, Unsolicited Response (UNSOL) 
  00 00  IIN 
  0A 02  Group 10, Variation 2: Binary Output Status 
  01     qualifier 0x01: 2 byte start/stop 
  00 00  start 0 
  FF FF  stop 65535 
● infinite loop 
● missing data 
● unexpected data 
● integer overflow?
Vuln #3 
05 64 06 44 64 00 64 00 FF F2 C0 1D 0A 
  05 64  link layer start bytes 
  06     length 
  44     control 0x44: unconfirmed user data 
  64 00  destination 100 
  64 00  source 100 
  FF F2  CRC 
  C0     transport header: FIR / FIN, SEQ = 0 
  1D 0A  CRC 
1 byte payload: the transport header with no application data behind it 
● transport header only 
● unhandled exception
Recorded Demos 
Video 1: a DNP3 outstation - application layer object fuzzing 
Video 2: a DNP3 master - unsolicited application layer fuzzing
Vuln #4 (TMW integration) 
DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11) 
  DD       application control: FIR, FIN, UNS set, SEQ 13 
  82       function code 0x82, Unsolicited Response 
  00 00    IIN 
  0C 01    Group 12, Variation 1: Control Relay Output Block 
  00       qualifier 0x00: 1 byte start/stop 
  00 01    start 0, stop 1 
  rnd(11)  CROB #1 (11 random bytes) 
  rnd(11)  CROB #2 (11 random bytes) 
● buffer overrun 
● not malformed! 
● unexpected objects 
● accepts broadcast
Vuln #5 (TMW integration) 
FA 82 00 00 02 02 01 01 00 FF FF 
  FA     application control: FIR, FIN, CON, UNS set, SEQ 10 
  82     function code 0x82, Unsolicited Response 
  00 00  IIN 
  02 02  Group 2, Var 2 (event) 
  01     qualifier 0x01: 2 byte start/stop 
  01 00  start 1 
  FF FF  stop 65535 
● stable infinite loop 
● max range - 1 and no data 
● accepts broadcast
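The checks a master should run on an unsolicited response before it reads any object data, as an added Python example (not Aegis or openDNP3 code): it re-parses the Vuln #1, #2 and #5 fragments shown above and rejects each for the reason the slides name. Object sizes follow the IEEE 1815 definitions for the groups on the slides; MAX_INDEX, MAX_APDU and the two extra fragments are constructed.

```python
"""Checks a DNP3 master should make on an unsolicited response before trusting it.

Added example in Python; it is not Aegis or openDNP3 code. It re-parses the
fragments from the Vuln #1, #2 and #5 slides the way a hardened master should
and reports why each is rejected before any object data is read.
"""

FC_UNSOLICITED_RESPONSE = 0x82
UNS_BIT = 0x10          # application control byte: FIR FIN CON UNS SEQ(4 bits)

# Fixed object sizes in bytes for the groups/variations on the slides (IEEE 1815).
# Variation 0 is absent on purpose: it means "any variation" in a request and
# has no size, so it can never be parsed out of a response (Vuln #1).
OBJECT_SIZE = {
    (1, 2): 1,      # binary input with flags
    (2, 2): 7,      # binary input event with absolute time
    (10, 2): 1,     # binary output status with flags
    (12, 1): 11,    # control relay output block (CROB)
}

# Range specifier (low nibble of the qualifier) -> width of start/stop in bytes.
START_STOP_WIDTH = {0x00: 1, 0x01: 2, 0x02: 4}

MAX_INDEX = 4096    # constructed: highest point index this master is configured for
MAX_APDU = 2048     # constructed: largest application fragment the master accepts


def validate_unsolicited(fragment, link_dest=1):
    """Return a list of findings; an empty list means the fragment is acceptable.

    `fragment` is the application-layer fragment; `link_dest` is the link-layer
    destination address the frame arrived with (0xFFF0-0xFFFF are reserved or
    broadcast and never valid for an unsolicited response to this master).
    """
    findings = []
    if link_dest >= 0xFFF0:
        findings.append("broadcast destination: unsolicited responses must be unicast")
    if len(fragment) < 4:
        return findings + ["truncated application header"]
    if len(fragment) > MAX_APDU:
        return findings + ["fragment exceeds MAX_APDU"]
    control, function = fragment[0], fragment[1]
    if function != FC_UNSOLICITED_RESPONSE or not control & UNS_BIT:
        findings.append("not an unsolicited response (FC 0x82 with UNS set)")
    pos = 4                                     # control, function code, 2 IIN bytes
    while pos < len(fragment):
        if len(fragment) - pos < 3:
            findings.append("truncated object header")
            break
        group, variation, qualifier = fragment[pos:pos + 3]
        pos += 3
        if variation == 0:
            findings.append(f"g{group}v0 in a response is sizeless; reject")
            break
        size = OBJECT_SIZE.get((group, variation))
        if size is None:
            findings.append(f"g{group}v{variation} unknown or unsupported here; reject")
            break
        width = START_STOP_WIDTH.get(qualifier & 0x0F)
        if qualifier & 0xF0 or width is None:
            findings.append(f"qualifier 0x{qualifier:02X} not allowed for g{group}v{variation}")
            break
        if len(fragment) - pos < 2 * width:
            findings.append("truncated range field")
            break
        start = int.from_bytes(fragment[pos:pos + width], "little")
        stop = int.from_bytes(fragment[pos + width:pos + 2 * width], "little")
        pos += 2 * width
        if start > stop:
            findings.append(f"start {start} > stop {stop}")
            break
        # Bound the range before computing anything from it: in C a 32-bit
        # `stop - start + 1` with stop 0xFFFFFFFF wraps to 0 (the slide's
        # "integer overflow?"), and looping over 65536 objects that have no data
        # behind them is the slide's "infinite loop".
        if stop > MAX_INDEX:
            findings.append(f"stop index {stop} exceeds configured maximum {MAX_INDEX}")
            break
        count = stop - start + 1
        needed = count * size
        if len(fragment) - pos < needed:
            findings.append(f"{count} x {size}-byte objects need {needed} bytes, "
                            f"{len(fragment) - pos} present")
            break
        pos += needed
    return findings


# Constructed inputs: the byte strings shown on the Vuln #1, #2 and #5 slides,
# plus one well-formed fragment (g1v2, indices 0-2, three data bytes) and one
# that announces ten g10v2 objects but carries only five bytes of data.
VULN1 = bytes.fromhex("FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF")
VULN2 = bytes.fromhex("DD 82 00 00 0A 02 01 00 00 FF FF")
VULN5 = bytes.fromhex("FA 82 00 00 02 02 01 01 00 FF FF")
GOOD = bytes.fromhex("F0 82 00 00 01 02 00 00 02 01 01 01")
SHORT = bytes.fromhex("F0 82 00 00 0A 02 00 00 09 01 01 01 01 01")

if __name__ == "__main__":
    for name, frag in (("Vuln #1", VULN1), ("Vuln #2", VULN2), ("Vuln #5", VULN5),
                       ("good", GOOD), ("short", SHORT)):
        print(name, validate_unsolicited(frag))
```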
Using Aegis
So easy…Twitter can do it
Examples 
Run 10 link layer test cases starting at #123 
$ aegis-console -mid dnp3 -pid lfuzz -start 123 -count 10 
Unsolicited response fuzzing of a master listening on default port 20000 with a master address of 0 and an outstation address of 1 
$ aegis-console -mid dnp3 -pid aufuzz -dest 0 -src 1 -master -listen 
Outstation link layer fuzzing test case #100 only 
$ aegis-console -mid dnp3 -pid lfuzz -start 100 -count 1 
Outstation application object fuzzing against 192.168.1.55:20001 with default addressing 
$ aegis-console -mid dnp3 -pid aofuzz -host 192.168.1.55 -port 20001
Further Aegis Development 
• In addition to the DNP3 protocol, we’ve added Modbus and Telegyr 8979 (serial only) protocol modules to the framework. 
• Migrated from Scala to C#. 
• Added a GUI 
• Working with vendors and other trusted researchers.
New Aegis Demo 
--- module: dnp3 - Test routines for the DNP3 protocol --- 
Procedure ids: 
link Fuzzing of the link layer (masters or outstations) 
transport Fuzzing of the transport function (masters or outstations) 
requests Fuzzes the application layer with malformed and unexpected requests (outstation) 
unsol Fuzzes the application layer with malformed and unexpected unsolicited responses (master) 
octetunsol Reports large numbers of 0-length octet string headers via unsolicited mode (master) 
octetwrite Writes large numbers of 0-length octet string headers (outstation) 
randrequest Fuzzes the application layer with semi-random requests (outstation) 
randunsol Fuzzes the application layer with semi-random unsolicited responses (master) 
-dest <arg>(1024)[0, 65535] link layer address of the target 
-src <arg>(1)[0, 65535] link layer address of the fuzzer 
-master <arg>(False) set the link-layer master bit for master fuzzing 
-retries <arg>(10)[1, none] Number of link status retries 
-timeout <arg>(1000)[10, none] Read timeout in milliseconds 
-health <arg>(LinkStatus) Type of health check to use [linkstatus, resetlink] 
--- module: modbus - Test routines for the Modbus protocol --- 
Procedure ids: 
request Sends malformed or unexpected requests at a Modbus slave
ICS/SCADA Defense
ICS/SCADA Defense 
Network Security Monitoring (do it now!) 
• Bro, SNORT, Wireshark can parse DNP3 & Modbus! 
• Deep packet inspection firewalls 
• Full packet capture (even serial) – 1TB y’all 
• Use Security Onion to monitor ICS networks 
http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/ 
tl;dr ≥1 person, Security Onion, and an ICS Honeypot
ICS/SCADA Defense 
• Install patches – not quite like IT 
• Robust device & network configuration 
• Disable unused ports, protocol function codes 
• Whitelist apps and even traffic 
• DNP3 Secure Authentication v5 & TLS 
• Signed software/firmware
Physical Security 
(photo annotations: 3/8” Mesh, ASTM Grade 6) 
Buys extra time
What’s different about Robus? 
SCADA Vulns reported for a while now 
Adam and I aren’t security researchers 
• He’s a software geek…I’m an engineer 
• Our skills complemented each other 
• Both experts in the DNP3 protocol, but from different angles
Some theories 
Why did the industry move instead of ignore? 
• I was an end user and we really cared! 
• Not just a wham-bam researcher 
• Respectful, tactful, responsible 
• We released our tool 
• …………we weren’t going away
I’m still more worried about… 
SHODAN 
Probably default configs 
• Many similar responses 
• Same DNP addresses 
python shell 
>>> " ".join("%02x" % ord(i) for i in "DNP3 paste from shodan") 
Unsolicited Response with Binary and Analog Data 
Class 1/2/3/0 Poll!!! 
https://ics-radar.shodan.io/ 
https://maps.shodan.io/
Conclusions 
• DNP3 is not a special case; other protocols share the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP… 
• Early testing of both the slave/server AND master/client sides of protocols is important! 
• Compliance != Security, but the culture is important 
• You don’t have to be a nation-state or large firm to do this 
• A few good folks can make a difference in the industry
Questions? 
@jadamcrain 
@chrissistrunk

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphNeo4j
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmuxevmux96
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 

Recently uploaded (20)

Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptxFrom Knowledge Graphs via Lego Bricks to scientific conversations.pptx
From Knowledge Graphs via Lego Bricks to scientific conversations.pptx
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
Abortion Pill Prices Mthatha (@](+27832195400*)[ 🏥 Women's Abortion Clinic In...
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
 
Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 

Master Serial Killer - DEF CON 22 - ICS Village

  • 1. Master Serial Killer
    Chris Sistrunk, PE (Mandiant) and Adam Crain (Automatak)
  • 2. About Us
    Chris Sistrunk, PE: Electrical Engineer, SCADA Expert, Loves Security, DNP3 Member, Button Pusher
    Adam Crain: Software Engineer, OSS Advocate, openDNP3 Author, DNP3 Member, Code Monkey
  • 4. How I Audit SCADA systems
    http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
  • 5. ICS/SCADA Security
    • ICS/SCADA lags IT by 10-15 years
    • 708 SCADA-related vulns on OSVDB.org since 2011. "Like kicking a puppy"
    • Positive vs. negative testing: the front yard is mowed, but the back yard is overgrown.
  • 7. When you scan ICS with nmap
  • 8. SCADA Protocol Vuln Research
    • We chose to focus on popular SCADA protocols
    • Fuzzers did exist, but only tested the server side
    • Serial had not been fuzzed before (that we know of)
    • We chose to use responsible disclosure: inform the vendor, then ICS-CERT, then the DNP3 Users Group
    • Worked with the vendor to help them replicate and begin further negative testing
  • 9. Project Robus
    • Latin for "bulwark"
    • Started in April 2013
    • 24 advisories / 30 tickets
    • 22 DNP3, 1 Modbus, 1 Telegyr 8979
    www.automatak.com/robus
    www.automatak.com/aegis
  • 11. Fuzzing Master Stations
    • Referenced in National SCADA Test Bed reports, but no data available
    • Wurldtech & Spirent (Mu Dynamics) don't fuzz the master side of ICS protocols... yet
    (diagram: Master <-> Slave)
  • 12. Fuzzing Master Stations
    DNP3 application function code 0x82 (Unsolicited Response)
    • If the master station has unsolicited responses enabled, it must accept messages from its RTUs at any time
    • The design of the system must be fine-tuned... or else
    DNP3 outstation unsolicited response storm
    • If the master's parser has a problem with one message, you can imagine the problems with many, many messages
  • 13. Serial Fuzzing
    All the security focus has been on Ethernet networks, but many ICS, especially SCADA, still use serial networks.
    • The DNP3 frame is the same over serial and TCP (unlike Modbus RTU vs. Modbus TCP)
    • Impact to NERC CIP v3 & v5
    • Physical security (discussed later): pole-mounted RTUs, PQ meters, etc.
  • 14. DNP3 (IEEE 1815-2012) Primer
    DNP3 is a SCADA protocol used by almost all of the electric utilities, and some water utilities, in North America, Australia, and the UK. Created in the 1990s and turned over to the DNP3 Users Group in 1993. One of the few ICS protocols that has secure authentication.
    (diagram: SCADA Master <-> RTU with I/O)
  • 15. Breaking Down DNP3
    • TCP 20000
    • TCP 19999 (TLS)
    • UDP 20000
    Ref: IEEE Std 1815-2012
  • 17. Vendor Response Matrix
    ICS-CERT Advisory   Company          Protocol  Bug (reported)  Fix (fixed)  Days    Advisory date
    ICSA-13-161-01      IOServer         DNP3      4/24            5/24         30      6/10/2013
    ICSA-13-213-03      IOServer         DNP3      5/1             7/20         80      8/1/2013
    ICSA-13-219-01      SEL              DNP3      5/1             5/30         29      8/7/2013
    ICSA-13-226-01      Kepware          DNP3      4/24            6/18         55      8/14/2013
    ICSA-13-234-02      TOP Server       DNP3      4/24            6/18         55      8/22/2013
    ICSA-13-240-01      TMW              DNP3      4/24            6/17         54      8/28/2013
    ICSA-13-213-04A     Matrikon         DNP3      4/24            6/17         54      8/29/2013
    ICSA-13-252-01      Subnet           DNP3      4/24            8/30         128     9/9/2013
    ICSA-13-282-01      Alstom           DNP3      4/24            6/4          41      10/21/2013
    ICSA-13-297-01      Catapult         DNP3      4/24            10/1         160     11/22/2013
    ICSA-13-297-02      GE IP            DNP3      Self report     10/1         n/a     11/22/2013
    ICSA-13-337-01      Elecsys          DNP3      9/12            11/4         53      12/3/2013
    ICSA-13-346-02      Cooper OPC       DNP3      7/31            None         ∞day™   12/12/2013
    ICSA-13-346-01      Cooper/Cybectec  DNP3      5/1             12/12        225     12/12/2013
    ICSA-13-352-01      Novatech         DNP3      5/1             9/5          127     12/18/2013
    ICSA-14-014-01      Schneider        DNP3      8/6             8/23         17      1/14/2014
    ICSA-14-100-01      IOServer         Modbus    2/6             3/4          26      4/10/2014
    ICSA-14-154-01      COPA-DATA        DNP3      Self report (using Aegis!)   n/a     6/3/2014
    ICSA-14-196-01      Subnet           TG8979    4/18            6/18         61      7/31/2014
    (Bug and Fix are month/day dates; Days is the time from report to fix.)
  • 18. Vendor Response
    • Most of the vendors were very pleased
    • A few were not (head in the sand)
    • Some had never done negative testing
    • Nearly all devices and hosts with DNP3 were affected, so it was an industry-wide wake-up call.
  • 19. White Noise Fuzzing #1
    random == really "dumb"
  • 25. The Aegis ICS Fuzzing Framework
    • We decided that we needed to release our fuzzing framework tool as open source.
    • Open source security tools have a proven track record of raising security (hello MSF!)
    • We encourage people to join our efforts to add more protocols to Aegis
  • 26. Aegis Specifics
    • Version 0.1.x in Scala (www.scala-lang.org)
    • Current version (private release) in C#
    • Protocol boundary conditions
    • Abstracts the physical layer
    • Combines aspects of generation and mutation
    • Repeatable random seeds
    • ~500,000 test cases with one seed
  • 27. Fuzzer Test Flow
    For each test case (x Num Test Cases):
    • Send the test DNP3 message (data link, transport, or application layer)
    • Send Request Link States and wait for Link Status as the health check
    • The request/response is retried up to Num Retry (10) times
  • 28. I 0x0564 U... Y U NO 0x0564 ME BAK ?!
    (0x0564 is the start sequence of every DNP3 link frame)
  • 29. Combinatorics
    val nums = List(1, 3)
    val colors = List("red", "green")
    // repeat the reversed string num times
    def combine(i: Int, s: String) = List.fill(i)(s.reverse).mkString
    // Cartesian.Transform is Aegis's lazy cartesian-product helper: apply combine to every (color, num) pair
    val result = Cartesian.Transform(colors, nums)(combine)
    What is result?
  • 30. Lazy Generator
    // val nums = List(1, 3)
    // val colors = List("red", "green")
    > result.foreach(println)
    der
    derderder
    neerg
    neergneergneerg
  • 31. Fuzzing is O(2^n)
    { frames } = f(byte, Type)
    { byte }   = f(bool, bool, int)
    { Type }   = f(.....)
    where the fields range over { true, false }, { true, false } and { 0, 1, 63 } (boundary values), and so on ...
  • 32. Generators can get large!
    { test cases } comes from:
    • Many function codes
    • Many objects
    • Header types
    • Many field values
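As an added illustration of slides 26 and 29-32 (example code written for this page, not Aegis, whose Cartesian.Transform is its own helper), here is a lazy, seedable test-case generator in Python: a cartesian product over function code, object, qualifier and boundary start/stop values, followed by a seeded mutation pass, with every case addressable by number so that a run can be resumed at a given case the way the -start/-count options on slide 42 do. The dimension sets are deliberately tiny and are this example's own; the real module's ~500,000 cases per seed come from far larger ones.

```python
import itertools
import random
import struct

# Small dimension sets for the example; the real generator enumerates many more of each
FUNCTION_CODES = [0x82]                                   # unsolicited response: the master-side target
OBJECTS = [(1, 0), (2, 2), (10, 2), (12, 1)]              # (group, variation), including the slides' picks
QUALIFIERS = {0x00: ("<BB", 0xFF), 0x01: ("<HH", 0xFFFF), 0x02: ("<II", 0xFFFFFFFF)}  # start/stop widths
APP_CONTROL = 0xF0                                        # FIR|FIN|CON|UNS, sequence 0


def boundary_values(max_value: int) -> list:
    """Boundary set for a field, in the spirit of slide 31's {0, 1, 63} for a 6-bit int."""
    return [0, 1, max_value - 1, max_value]


def generated_cases():
    """Lazy cartesian product: nothing is materialised until the consumer pulls the next case."""
    for fc, (group, var), qual in itertools.product(FUNCTION_CODES, OBJECTS, QUALIFIERS):
        fmt, max_value = QUALIFIERS[qual]
        for start, stop in itertools.product(boundary_values(max_value), repeat=2):
            yield bytes([APP_CONTROL, fc, 0, 0, group, var, qual]) + struct.pack(fmt, start, stop)


def mutate(case: bytes, rng: random.Random) -> bytes:
    """Mutation pass: flip one bit, or append a short random payload. Driven only by rng, so repeatable."""
    buf = bytearray(case)
    if rng.random() < 0.5:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 12)))
    return bytes(buf)


def all_cases(seed: int):
    """Every (index, case) for one seed: generated cases first, then one mutant of each. Same seed, same sequence."""
    rng = random.Random(seed)
    mutants = (mutate(case, rng) for case in generated_cases())
    return enumerate(itertools.chain(generated_cases(), mutants))


def select(seed: int, start: int, count: int) -> list:
    """Cases [start, start + count), like `-start 123 -count 10`, without keeping earlier cases in memory."""
    return list(itertools.islice(all_cases(seed), start, start + count))


def case_at(seed: int, index: int) -> bytes:
    return select(seed, index, 1)[0][1]


if __name__ == "__main__":
    # Cases 32..35 walk the 4-byte start/stop boundaries for g1v0; #35 is the shape of slide 34
    for index, case in select(seed=1, start=32, count=4):
        print(index, case.hex(" "))
```

With these sets there are 192 generated cases and 192 mutants; case #35 is the slide 34 fragment shape (group 1 variation 0, 4-byte range 0 to 0xFFFFFFFF) and case #115 is the slide 35 shape, so a crash report that names a seed and an index is enough to rebuild the exact bytes.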
  • 34. Vuln #1
    FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF
    Unsolicited Response; Group 1 Variation 0 (sizeless?!); 4-byte start/stop from 0 to 4294967295
    • infinite loop
    • missing data
    • integer overflow?
    • accepts broadcast
  • 35. Vuln #2
    DD 82 00 00 0A 02 01 00 00 FF FF
    UNSOL; Group 10 Variation 2 (Binary Output Status); 2-byte start/stop from 0 to 65535
    • infinite loop
    • missing data
    • unexpected data
    • integer overflow?
  • 36. Vuln #3
    05 64 06 44 64 00 64 00 FF F2 C0 1D 0A
    Link header: length 6, control 0x44 (unconfirmed user data), destination 100, source 100, CRC FF F2; then a 1-byte payload C0 (transport header only: FIR / FIN set, SEQ = 0) and its CRC 1D 0A
    • transport header only
    • unhandled exception
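To make the slide 36 frame and the slide 27 health-check flow concrete, here is an added example (written for this page; not code from the talk or from Aegis) that builds and checks DNP3 link-layer frames with the standard CRC-16/DNP. It reproduces the exact bytes on slide 36, builds the Request Link Status frame that the test flow sends after each case, and flags the two link-layer conditions the findings mention: a fragment that is only a transport header, and a destination in the broadcast range 0xFFFD-0xFFFF. The triage wording and the helper names are this example's own.

```python
import struct

START = b"\x05\x64"          # every DNP3 link frame begins with 0x0564
CRC_POLY_REFLECTED = 0xA6BC  # CRC-16/DNP: poly 0x3D65, reflected; init 0; final XOR 0xFFFF

FC_UNCONFIRMED_USER_DATA = 0x4   # link function codes used below (primary-station frames)
FC_REQUEST_LINK_STATUS = 0x9
PRM = 0x40                       # primary-message bit in the control octet
DIR_MASTER = 0x80                # DIR=1 on frames sent by the master, 0 on frames from an outstation


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP as carried after the header and after every 16-octet data block of a frame."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Link header (start, length, control, dest, src) + CRC, then user data in 16-octet blocks, each + CRC."""
    if len(user_data) > 250:
        raise ValueError("a DNP3 frame carries at most 250 user octets")
    header = START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate the start bytes and every CRC, then return the decoded header and user data."""
    if frame[:2] != START:
        raise ValueError("missing 0x0564 start bytes")
    if struct.unpack_from("<H", frame, 8)[0] != dnp3_crc(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    dest, src = struct.unpack_from("<HH", frame, 4)
    user_len, user, pos = length - 5, b"", 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user, pos = user + block, pos + n + 2
    return {"dir": control >> 7 & 1, "prm": control >> 6 & 1, "fc": control & 0x0F,
            "dest": dest, "src": src, "user_data": user}


def is_broadcast(dest: int) -> bool:
    """0xFFFD..0xFFFF are DNP3 broadcast addresses; a master should never accept them as its own address."""
    return 0xFFFD <= dest <= 0xFFFF


def triage(frame: bytes) -> str:
    """Classify what a fuzzed frame asks the receiver to do (example wording, not Aegis output)."""
    f = parse_frame(frame)
    if is_broadcast(f["dest"]):
        return "broadcast destination"
    user = f["user_data"]
    if f["fc"] != FC_UNCONFIRMED_USER_DATA or not user:
        return "link-layer only"
    th = user[0]                                   # transport header: FIR | FIN | 6-bit sequence
    fir, fin, seq = th >> 7 & 1, th >> 6 & 1, th & 0x3F
    if len(user) == 1:
        return f"transport header only (FIR={fir} FIN={fin} SEQ={seq}), zero-length fragment"
    return f"fragment of {len(user) - 1} bytes (FIR={fir} FIN={fin} SEQ={seq})"


# Slide 36 reproduced: outstation (DIR=0) -> master, unconfirmed user data, dest 100, src 100, payload 0xC0
VULN3_FRAME = build_frame(PRM | FC_UNCONFIRMED_USER_DATA, 100, 100, b"\xC0")

# Health check from the test flow: after each case the fuzzer asks the master for its link status
HEALTH_CHECK = build_frame(PRM | FC_REQUEST_LINK_STATUS, 100, 100)

if __name__ == "__main__":
    print(VULN3_FRAME.hex(" ").upper())   # 05 64 06 44 64 00 64 00 FF F2 C0 1D 0A
    print(triage(VULN3_FRAME))
    print(HEALTH_CHECK.hex(" ").upper())
```

The header CRC covers the two start bytes as well as the four header octets, which is why the frame on the slide checks out as FF F2 only when 05 64 is included; a parser that skips the CRCs, or that reads the transport header and then indexes into a fragment that is not there, is the shape behind the unhandled exception in Vuln #3.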
  • 37. Recorded Demos
    Video 1: a DNP3 outstation, application layer object fuzzing
    Video 2: a DNP3 master, unsolicited application layer fuzzing
  • 38. Vuln #4 (TMW integration)
    DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11)
    Unsolicited Response; Control Relay Output Block (Group 12 Variation 1); 1-byte start/stop from 0 to 1; CROB #1 and CROB #2 are 11 random bytes each
    • buffer overrun
    • not malformed!
    • unexpected objects
    • accepts broadcast
  • 39. Vuln #5 (TMW integration)
    FA 82 00 00 02 02 01 01 00 FF FF
    Unsolicited Response; Group 2 Variation 2 (event); 2-byte start/stop from 1 to 65535
    • stable infinite loop
    • max range - 1 and no data
    • accepts broadcast
  • 42. Examples
    Run 10 link layer test cases starting at #123:
    $ aegis-console -mid dnp3 -pid lfuzz -start 123 -count 10
    Unsolicited response fuzzing of a master listening on the default port 20000, with a master address of 0 and an outstation address of 1:
    $ aegis-console -mid dnp3 -pid aufuzz -dest 0 -src 1 -master -listen
    Outstation link layer fuzzing, test case #100 only:
    $ aegis-console -mid dnp3 -pid lfuzz -start 100 -count 1
    Outstation application object fuzzing against 192.168.1.55:20001 with default addressing:
    $ aegis-console -mid dnp3 -pid aofuzz -host 192.168.1.55 -port 20001
  • 43. Further Aegis Development
    • In addition to the DNP3 protocol, we've added Modbus and Telegyr 8979 (serial only) protocol modules to the framework.
    • Migrated from Scala to C#.
    • Added a GUI.
    • Working with vendors and other trusted researchers.
  • 44. New Aegis Demo
    --- module: dnp3 - Test routines for the DNP3 protocol ---
    Procedure ids:
      link         Fuzzing of the link layer (masters or outstations)
      transport    Fuzzing of the transport function (masters or outstations)
      requests     Fuzzes the application layer with malformed and unexpected requests (outstation)
      unsol        Fuzzes the application layer with malformed and unexpected unsolicited responses (master)
      octetunsol   Reports large numbers of 0-length octet string headers via unsolicited mode (master)
      octetwrite   Writes large numbers of 0-length octet string headers (outstation)
      randrequest  Fuzzes the application layer with semi-random requests (outstation)
      randunsol    Fuzzes the application layer with semi-random unsolicited responses (master)
      -dest <arg>     (1024) [0, 65535]   link layer address of the target
      -src <arg>      (1) [0, 65535]      link layer address of the fuzzer
      -master <arg>   (False)             set the link-layer master bit for master fuzzing
      -retries <arg>  (10) [1, none]      number of link status retries
      -timeout <arg>  (1000) [10, none]   read timeout in milliseconds
      -health <arg>   (LinkStatus)        type of health check to use [linkstatus, resetlink]
    --- module: modbus - Test routines for the Modbus protocol ---
    Procedure ids:
      request      Sends malformed or unexpected requests at a Modbus slave
  • 46. ICS/SCADA Defense
    Network Security Monitoring (do it now!)
    • Bro, Snort, and Wireshark can parse DNP3 & Modbus!
    • Deep packet inspection firewalls
    • Full packet capture (even serial): 1 TB, y'all
    • Use Security Onion to monitor ICS networks
    http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/
    tl;dr: at least one person, Security Onion, and an ICS honeypot
  • 47. ICS/SCADA Defense
    • Install patches (not quite like IT)
    • Robust device & network configuration
    • Disable unused ports and protocol function codes
    • Whitelist apps and even traffic
    • DNP3 Secure Authentication v5 & TLS
    • Signed software/firmware
  • 48. Physical Security
    3/8" mesh, ASTM Grade 6: buys extra time
  • 49. What's different about Robus?
    SCADA vulns have been reported for a while now. Adam and I aren't security researchers:
    • He's a software geek... I'm an engineer
    • Our skills complemented each other
    • Both experts in the DNP3 protocol, but from different angles
  • 50. Some theories
    Why did the industry move instead of ignore?
    • I was an end user and we really cared!
    • Not just a wham-bam researcher
    • Respectful, tactful, responsible
    • We released our tool... we weren't going away
  • 52. I'm still more worried about...
  • 54. SHODAN
    Probably default configs
    • Many similar responses
    • Same DNP addresses
    Python shell (turn the banner Shodan shows into a hex dump):
    >>> " ".join("%02x" % ord(i) for i in "DNP3 paste from shodan")
    Unsolicited Response with Binary and Analog Data; Class 1/2/3/0 poll!!!
    https://ics-radar.shodan.io/
    https://maps.shodan.io/
  • 55. Conclusions
    • DNP3 is not a special case; other protocols will meet the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP...
    • Early testing of both the slave/server AND master/client sides of protocols is important!
    • Compliance != Security, but the culture is important
    • You don't have to be a nation-state or a large firm to do this
    • A few good folks can make a difference in the industry