Automated Testing of SCADA Protocols
VIII. CONCLUSIONS
The blackPeer test framework allows for the economical creation of powerful test suites capable of quickly and efficiently testing a protocol's implementation against its specification. The blackPeer test framework is superior to conventional testing methods in two key areas:
- the framework not only automates the generation of test cases but also automates the interpretation of the DUT’s behavior in response to these test cases. This is achieved by the novel approach of statefully generating a test case oracle in conjunction with each generated test case; and
- the framework provides a formal language medium in which the tester can express a test suite. The grammar serves as concise documentation of the test suite, giving the tester the ability to make quantifiable claims regarding the nature of their testing.
The SCADA industry urgently needs to adopt better security robustness testing as standard practice. Industry bodies like the American National Standards Institute (ANSI) and the International Electrotechnical Commission (IEC) need to mandate standardized security/conformance testing and certification for these critical devices. The number of errors routinely detected and the errors' significance show that the security testing/certification of SCADA devices is critical to protect our national infrastructures from both accidental and deliberate attacks. As well as demonstrating the need for such testing, this paper also illustrates how it can be successfully conducted.