It's time for automation and control managers to fight back against hackers, according to The SANS Institute, a research and education organization for security professionals. Researchers affiliated with SANS claim that 90% of control software is defective in fighting off hacker intrusions.
SANS holds an annual conference, the International Control Systems (ICS) Summit, that specifically targets the security challenges of the automation and control industry. This year, at the Orlando Summit March 12-18, the event will debut the Aegis Fuzzing Framework, a system designed by control systems security specialists Adam Crain and Chris Sistrunk. The researchers are working as part of Aegis, an ICS consortium dedicated to improving the robustness of ICS software.
The fuzzer was developed by Crain and Sistrunk as part of Project Robus, a project within Aegis that is conducting an ongoing search for zero-day vulnerabilities in SCADA/ICS protocols. "Robus" is Latin for bulwark, source of strength, or solidity.
The Fuzzing Framework is one of the first efforts by Project Robus that will focus on negative testing tools, a.k.a. fuzzers. The Aegis Fuzzing Framework uses re-recorded fuzzing tests against vulnerabilities. This class of software is critical for hardening software against threats. The first release will be the tool used in Project Robus, a fuzzer for DNP3 (distributed network protocol). This tool is available to Aegis members now. The Project Robus roadmap will expand to include other protocols and updates to existing releases.
The first step for the Robus project was to identify vulnerabilities in control software. "Robus is the research project conducted by me and Chris, and he (Sistrunk) is a security guy at a major US utility," Crain, a partner in Automatak, told Design News. "We tested products from 25 vendors, and we only found two that didn't have defects. That's a 90% defect rate. That explains why we're doing this."
While the media light is shining brightly on hacker intrusions these days, Crain noted that security problems are not new. "The risk has always been there. Just now everybody is talking about how hackers are launching these attacks," Crain told us. "Some vendors are taking this very seriously, others are very sticky about talking about software vulnerabilities."
Even as manufacturers and utilities are taking network security seriously, control security still lags behind the most basic security on consumer communication products. Crain sees the problem with control networks in the software itself. "We're seeing the industry becoming more aware of vulnerabilities, and we're moving toward more security, but we have a long way to go," he said. "The level of security on smartphones is more secure than our control networks. If you have buggy code, the hackers can just go around. We have to improve software security. This is not about authentication encryption, it's about software."
Fuzzing is a type of software testing. Crain noted that you can put bugs in the software to fight off the hackers. "The hacker has embedded the bug in the file. You can do the same thing in a network to find the bugs," he said. "This fuzzer completely understands the protocol, all the layers, and it sends signals that are close but have some anomalies, and it looks for bugs. It looks at hundreds of thousands of bad messages, like looking for a needle in a haystack. A software engineer can run this before the software goes out."
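The kind of negative test described above, as an added sketch that is not Aegis or Project Robus code: it builds one valid DNP3 link-layer header, sends near-valid variants to a parser in-process, and reports any failure other than a clean rejection. The parser, the function names and the sample addresses are hypothetical; the header layout (05 64, LEN, CTRL, DEST, SRC, CRC) and CRC-16/DNP are the standard ones.

```python
import random
import struct

def crc_dnp(data: bytes) -> int:  # CRC-16/DNP: reflected poly 0xA6BC, init 0
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF  # final complement

def build_header(ctrl: int, dest: int, src: int, user_len: int = 0) -> bytes:
    """Valid 10-byte link header; LEN counts CTRL, DEST, SRC and user data."""
    body = struct.pack("<BBBBHH", 0x05, 0x64, 5 + user_len, ctrl, dest, src)
    return body + struct.pack("<H", crc_dnp(body))

class FrameError(ValueError): """Clean rejection of malformed input."""

def parse_header(frame: bytes) -> dict:
    """Hypothetical parser under test; must reject every malformed header."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise FrameError("short frame or bad start bytes")
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if crc != crc_dnp(frame[:8]):
        raise FrameError("bad header CRC")
    if length < 5:
        raise FrameError("LEN below minimum of 5")
    return {"len": length, "ctrl": ctrl, "dest": dest, "src": src}

def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Near-valid header: one corrupted byte, sometimes with a re-fixed CRC."""
    raw = bytearray(frame)
    raw[rng.randrange(8)] = rng.randrange(256)
    if rng.random() < 0.5:  # valid CRC lets the anomaly reach deeper checks
        raw[8:10] = struct.pack("<H", crc_dnp(bytes(raw[:8])))
    return bytes(raw[:rng.randrange(10)]) if rng.random() < 0.1 else bytes(raw)

def fuzz(parser, cases: int = 20000, seed: int = 1) -> list:
    """Return (frame hex, exception) pairs where the parser failed uncleanly."""
    rng, findings = random.Random(seed), []
    good = build_header(ctrl=0xC4, dest=1, src=1024)  # constructed sample
    for _ in range(cases):
        case = mutate(good, rng)
        try:
            parser(case)
        except FrameError:
            pass  # expected: malformed input was rejected
        except Exception as exc:  # anything else is a robustness defect
            findings.append((case.hex(), repr(exc)))
    return findings
```

An empty result from `fuzz(parse_header)` means every anomalous header was either accepted as well-formed or rejected cleanly; a fixed seed makes any finding reproducible for the developer who has to fix it.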