Fuzzing Framework Fights Control Hackers

naperlou
User Rank
Blogger
professional coders
naperlou   1/15/2014 1:01:15 PM
Rob, one of the items highlighted in your article is the problems with the code itself.  With industrial control and SCADA systems increasingly on standard networks, they are exposed to more and more frequent attacks.  This year, the IEEE and state licensing boards are instituting a Professional Engineer certification for Software Engineers.  The main target of such a certification is avionics, medical and control software, especially embedded.  The PE, as in other fields, will certify a product in terms of the relevant standards.  These should include safety and security standards.

Rob Spiegel
User Rank
Blogger
Re: professional coders
Rob Spiegel   1/15/2014 2:10:19 PM
I wasn't aware of that Naperlou. That's a good move. I'll look into this. I think our readers would be interested.

William K.
User Rank
Platinum
Re: professional coders
William K.   1/15/2014 10:30:51 PM
N. L. It would seem that the ability to accurately evaluate software as hacker proof or even just hacker resistant would be an incredibly valuable skill. I doubt that there will be many of those masters around.

GTOlover
User Rank
Platinum
Re: professional coders
GTOlover   1/16/2014 2:44:21 PM
William, I think that CGI has a bunch of coders available. It seems that they are done with their latest website coding and the government no longer needed them;-)

William K.
User Rank
Platinum
Re: professional coders
William K.   1/16/2014 3:53:21 PM
My point was intended to say that the ability to evaluate code as to its ability to avoid penetration by determined hackers is far beyond the ability to create even excellent code that works perfectly. A lot like the difference between being able to raise the dead versus the ability to apply makeup perfectly. Possibly that adequately describes the differences in skill levels, as I see it. It certainly would explain the steady stream of updates that I see for security issues.

Deficiencies become much more obvious after somebody breaks through because of them.

ab3a
User Rank
Platinum
Crain And Sistrunk Worked With Us
ab3a   1/15/2014 2:12:47 PM
As Chairman of the DNP Users Group, I have a strong interest to encourage our membership to secure their SCADA systems.

1. Vendors should react reasonably to these discoveries

2. End Users should take these issues seriously and patch

3. Consultants and Integrators should test the products they recommend/install

I also need to point out that the DNP3 protocol is sound. Though the Aegis Fuzzer found many problems in many vendors' products, there were a few vendors who were not affected by these discoveries. They had made the effort to carefully validate the DNP3 messages, and they sailed through the tests without problems.

Crain and Sistrunk worked with the Users Group to study the failure modes and to help us make recommendations to vendors on writing more robust software.  These recommendations are available on the DNP Users Group web site.

DNP3 is the only open SCADA protocol available today with secure authentication features. As such we have a strong interest in staying ahead of these security issues. We are encouraging our members to stay abreast of these issues and to help each other build better, more secure SCADA systems. 

Jacob Brodsky, PE

Chair, DNP Users Group.

Rob Spiegel
User Rank
Blogger
Re: Crain And Sistrunk Worked With Us
Rob Spiegel   1/15/2014 2:18:47 PM
Thanks so much for the comment, Jacob. It's great to receive further background and clarification on a story like this. As the chair of the DNP User's group, I'd love to quiz you about the state of security in SCADA systems. Send me your contact info, and let's have a conversation we can share with Design News readers.

My email: rob.spiegel@ubm.com

REM
User Rank
Iron
Re: Crain And Sistrunk Worked With Us
REM   1/19/2014 4:07:46 PM
ICCP (IEC 60879-6 TASE.2) is also an open SCADA protocol with secure authentication features.

ab3a
User Rank
Platinum
Re: Crain And Sistrunk Worked With Us
ab3a   1/22/2014 3:12:19 PM
Have the '870 secure authentication features been published yet?  The last I heard from a couple months ago, they had not. 

REM
User Rank
Iron
Re: Crain And Sistrunk Worked With Us
REM   1/22/2014 3:30:48 PM
Yes. The security profile for IEC 60870-6 TASE.2 (a.k.a. ICCP) is published in IEC 62351-4. The DNP security profile is published under IEC 62351-5 albeit they are for IEC 60870-5 in this spec. But it is my understanding that it is essentially the same as the DNP3 specs. IEC 62351-6 includes the profile for IEC 61850, which I admit is not widely implemented yet. The ICCP specs have been implemented in products since the mid 2000s I think it was.

I should add that none of these profiles are really widely deployed as many users are still hesitant to disrupt data flow for any reason including having certificates expire or fail to validate. Access to the systems is more important than secured access to the systems in many cases.

These security profiles do not address the fundamental coding vulnerabilities that fuzzing detects. All they do is prevent access to the vulnerability by only allowing trusted parties to get access to the protocol. If your trusted communicating partner runs a fuzzer at you it won't prevent exploitation unless proper coding methods have been used.

And, these authentication mechanisms really need to get connected into the internal processing of the device through role based access control to provide authentication on specific control actions versus more benign actions like reading values. That is addressed in IEC 62351-7.
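
The point made in the comment above (authentication limits who can reach a parser, but does not make the parser robust) as an added example that is not part of the original thread and not code from any vendor or the DNP Users Group. The frame layout, key and function codes are constructed for illustration and are not DNP3.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"      # shared secret, constructed for this example
TAG_LEN = 32                       # HMAC-SHA256 tag length
KNOWN_FUNCTIONS = {0x01, 0x02}     # hypothetical function codes (read, write)

def seal(body, key=KEY):
    """What a trusted peer does: append a valid tag to whatever body it sends."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def authenticate(frame, key=KEY):
    """Return the body if the tag verifies, else raise PermissionError."""
    if len(frame) < TAG_LEN:
        raise PermissionError("frame too short to carry a tag")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("bad authentication tag")
    return body

def parse_trusting(frame):
    """Authenticates, then believes the count field without checking it."""
    body = authenticate(frame)
    count = body[1]
    return [struct.unpack_from(">H", body, 2 + 2 * i)[0] for i in range(count)]

def parse_validating(frame):
    """Authenticates, then checks each field against the bytes actually present."""
    body = authenticate(frame)
    if len(body) < 2:
        raise ValueError("truncated header")
    function, count = body[0], body[1]
    if function not in KNOWN_FUNCTIONS:
        raise ValueError("unknown function code")
    if len(body) != 2 + 2 * count:
        raise ValueError("count field disagrees with payload length")
    return list(struct.unpack(f">{count}H", body[2:]))

def outcome(parser, frame):
    try:
        parser(frame)
        return "ok"
    except (ValueError, PermissionError):
        return "rejected"   # deliberate, handled refusal
    except Exception:
        return "crashed"    # unplanned failure inside the parser

# Constructed frames: both carry a valid tag; MALFORMED claims 200 values but holds 2.
GOOD = seal(bytes([0x01, 2]) + struct.pack(">2H", 10, 20))
MALFORMED = seal(bytes([0x01, 200]) + struct.pack(">2H", 10, 20))
```

`outcome(parse_trusting, MALFORMED)` is `"crashed"` even though the tag verified, while `outcome(parse_validating, MALFORMED)` is `"rejected"`; in a memory-unsafe language the same unchecked count would read past the end of the buffer rather than raise an exception.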

Copyright © 2014 UBM Canon, A UBM company, All rights reserved. Privacy Policy | Terms of Service