Automated Testing of SCADA Protocols
V. TEST RESULTS
This section presents some of the more common controller vulnerabilities and non-conformance issues Achilles (using the blackPeer framework) has detected. Detected vulnerabilities are loosely categorized into one of three classes:
- Critical: the controller exhibited an internal fault and power cycled (akin to a hard reset);
- Loss-of-view: communication between the vendor control software (an HMI, for example) and the device under test was eliminated; and
- Non-critical: the controller exhibited an error in expected functionality but did not experience a reset.
Common triggers of critical vulnerabilities are:
- Unicast, broadcast and multicast Ethernet storms
- Random Ethernet storms
- Variants of the IP LAND attack (source address and port equal to the destination address and port)
- Unicast IP storms
- Minor attacks on proprietary application services
Common triggers of loss-of-view vulnerabilities are:
- Ethernet or IP denial-of-service floods below 10 Mb/s
- ARP floods
- Unsolicited ARP replies
- Invalid IP fragments
- TCP SYN floods
- Unicast, broadcast and multicast IP storms
- Minor attacks on proprietary application services
- MODBUS/TCP function code 8 (Diagnostics) sub-function code 2 (Return Diagnostic Register) requests
Common triggers of non-critical vulnerabilities are:
- Carefully crafted invalid packets at layers 2 through 7
- Minor attacks on proprietary application services
As examples of non-conformance to a protocol specification, we show a subset of MODBUS/TCP conformance tests conducted against two representative PLCs. The MODBUS/TCP grammar selected for this example examines the behavior of the device under test in response to valid and invalid function code requests.
The function codes tested by this grammar are:
- 20 Read File Record
- 21 Write File Record
- 22 Mask Write Holding Registers
- 23 Read / Write Multiple Registers
- 24 Read FIFO Queue
- Fuzzed MBAP (MODBUS/TCP) headers
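To make concrete what such a grammar exercises, the following Python is an added worked example (not code from the paper or from the Achilles/blackPeer framework): it builds request PDUs for function codes 20 through 24, corrupts one MBAP header field at a time, and checks a device response against the framing rules the MODBUS/TCP specification imposes (transaction id echo, protocol id 0, length field, exception format, per-function byte counts, the 31-register FIFO limit). Function names and findings strings are this example's own; the frames used to exercise it are constructed, not captured from a PLC.

```python
"""Added example, not code from the Achilles/blackPeer paper: build MODBUS/TCP
requests for FC 20-24, corrupt MBAP headers, and check device responses
against the MODBUS/TCP specification's framing rules."""
import random
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
EXCEPTION_CODES = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0A, 0x0B}
FIFO_MAX = 31  # FC 24 may return at most 31 registers


def mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with an MBAP header; 'length' counts unit id plus PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_file_record(file_number, record_number, record_length):
    """FC 20 with a single sub-request (reference type is always 6)."""
    sub = struct.pack(">BHHH", 6, file_number, record_number, record_length)
    return bytes([20, len(sub)]) + sub


def write_file_record(file_number, record_number, words):
    """FC 21 with a single sub-request writing the 16-bit values in 'words'."""
    data = b"".join(struct.pack(">H", w) for w in words)
    sub = struct.pack(">BHHH", 6, file_number, record_number, len(words)) + data
    return bytes([21, len(sub)]) + sub


def mask_write_register(address, and_mask, or_mask):
    """FC 22: register = (current AND and_mask) OR (or_mask AND NOT and_mask)."""
    return struct.pack(">BHHH", 22, address, and_mask, or_mask)


def read_write_multiple_registers(read_addr, read_qty, write_addr, words):
    """FC 23: the device performs the write first, then the read."""
    data = b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">BHHHHB", 23, read_addr, read_qty, write_addr,
                       len(words), len(data)) + data


def read_fifo_queue(pointer_address):
    """FC 24: read the register queue whose count lives at pointer_address."""
    return struct.pack(">BH", 24, pointer_address)


def fuzz_header(frame, rng):
    """Return 'frame' with one MBAP field corrupted (the PDU is untouched):
    a non-zero protocol id, a length disagreeing with the bytes on the wire,
    or a different unit id. 'rng' is a random.Random for reproducibility."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    pdu = frame[MBAP_LEN:]
    field = rng.choice(("protocol", "length", "unit"))
    if field == "protocol":
        pid = rng.randint(1, 0xFFFF)
    elif field == "length":
        length = rng.choice((0, 1, len(pdu) + 1 + rng.randint(1, 200), 0xFFFF))
    else:
        uid ^= rng.randint(1, 0xFF)  # XOR with a non-zero byte always changes it
    return struct.pack(">HHHB", tid, pid, length, uid) + pdu


def fuzzed_headers(frame, count, seed=0):
    """Deterministic corpus of 'count' header-fuzzed copies of 'frame'."""
    rng = random.Random(seed)
    return [fuzz_header(frame, rng) for _ in range(count)]


def check_response(request, response):
    """Return a list of conformance findings for 'response' given the 'request'
    that produced it; an empty list means the response conformed."""
    if len(response) < MBAP_LEN + 1:
        return ["response shorter than MBAP header plus function code"]
    findings = []
    rtid, _, _, ruid = struct.unpack(">HHHB", request[:MBAP_LEN])
    tid, pid, length, uid = struct.unpack(">HHHB", response[:MBAP_LEN])
    req_pdu, pdu = request[MBAP_LEN:], response[MBAP_LEN:]
    if tid != rtid:
        findings.append(f"transaction id {tid} != request {rtid}")
    if pid != 0:
        findings.append(f"protocol id {pid} (must be 0)")
    if length != len(pdu) + 1:
        findings.append(f"MBAP length {length} != {len(pdu) + 1} bytes on the wire")
    if uid != ruid:
        findings.append(f"unit id {uid} != request {ruid}")
    fc, req_fc = pdu[0], req_pdu[0]
    if fc == (req_fc | 0x80):  # exception response: function | 0x80, exception code
        if len(pdu) != 2:
            findings.append("exception PDU must be exactly 2 bytes")
        elif pdu[1] not in EXCEPTION_CODES:
            findings.append(f"undefined exception code 0x{pdu[1]:02X}")
        return findings
    if fc != req_fc:
        findings.append(f"function code {fc} != request {req_fc}")
    elif fc in (21, 22):  # both normal responses are an echo of the request
        if pdu != req_pdu:
            findings.append(f"FC {fc} response must echo the request")
    elif fc in (20, 23):  # fc, byte count, data
        if len(pdu) < 2 or pdu[1] != len(pdu) - 2:
            findings.append(f"FC {fc} byte count disagrees with PDU length")
        elif fc == 23 and pdu[1] != 2 * struct.unpack(">H", req_pdu[3:5])[0]:
            findings.append("FC 23 returned a different register count than requested")
        elif fc == 20 and (pdu[1] < 2 or pdu[3] != 6):
            findings.append("FC 20 sub-response must carry reference type 6")
    elif fc == 24:  # fc, byte count (2), FIFO count (2), registers
        if len(pdu) < 5:
            findings.append("FC 24 response truncated")
        else:
            byte_count, fifo_count = struct.unpack(">HH", pdu[1:5])
            if fifo_count > FIFO_MAX:
                findings.append(f"FC 24 FIFO count {fifo_count} exceeds {FIFO_MAX}")
            if byte_count != 2 + 2 * fifo_count or len(pdu) != 5 + 2 * fifo_count:
                findings.append("FC 24 byte count and FIFO count disagree with PDU length")
    return findings
```

In a harness, each frame from the builders (and from `fuzzed_headers`) would be sent over TCP port 502 to the device under test and the reply passed to `check_response` together with the request; a non-empty findings list is a non-conformance, and a missing reply while the monitors still see the device is the loss-of-view case described above. The checks are deliberately limited to what the specification states outright (echo semantics for FC 21/22, byte counts for FC 20/23, the FIFO limit for FC 24) so that a finding points at a specification clause rather than at a guess about vendor behaviour.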