Wurldtech
Automated Testing of SCADA Protocols

V. TEST RESULTS

The results of the tests on PLC X and PLC Y are shown in Table 1. We see that both PLCs failed the majority of the MODBUS/TCP conformance tests.

                PLC X    PLC Y
  Test cases     3433     3433
  Passed          531     2171
  Failed         2902     1262

Table 1: Results

We now break down the failed tests by function code.

VI.D.I. Function Code 20

Both PLC X and PLC Y returned incorrect error codes under the following circumstances:

  • when the byte count was less than 7 or greater than 245
  • when the reference type was not 6
  • when the record number was greater than 10000, or the record number plus the register length was greater than 10000

VI.D.II. Function Code 21

Both PLC X and PLC Y returned incorrect error codes under the following circumstances:

  • when the byte count was less than 7 or greater than 245
  • when the reference type was not 6
  • when the record number was greater than 10000, or the record number plus the register length was greater than 10000

VI.D.III. Function Code 23

PLC X incorrectly reports an error when:

  • the starting write address was valid, the starting write address plus the quantity of registers to write was within range, and the quantity of registers to write was 120 or 121 (the limit is 121)

PLC X returned incorrect error codes under the following circumstances:

  • when the starting write address was valid, the quantity of registers to write was 120 or 121, the starting address plus the quantity of registers to write was out of range, and the data was valid

PLC Y returned incorrect error codes under the following circumstances:

  • when the read starting address was valid but the read quantity of registers was zero
  • when the read starting address was valid and the read quantity of registers was out of range, whether or not the read starting address plus the read quantity of registers was valid
  • when the read starting address was invalid and the read quantity of registers was zero or out of range
  • when the write starting address was valid and the write quantity of registers was zero
  • when the write starting address and the write quantity of registers were valid and the write starting address plus the write quantity was within range, but the actual data length and the specified data length did not agree
  • when the write starting address was valid and the write quantity was invalid, whether or not the write starting address plus the write quantity was within range, and whether or not the actual data length and the specified data length agreed

VI.D.IV. Fuzzed MODBUS Headers

When the MODBUS header was fuzzed, PLC X displayed the following incorrect behaviours:

  • invalid function codes above 70 caused PLC X to send a TCP Reset, thereby terminating the connection
  • incorrectly specified MODBUS packet lengths caused PLC X to send a TCP Reset, thereby terminating the connection

When the MODBUS header was fuzzed, PLC Y displayed the following incorrect behaviour:

  • incorrectly specified MODBUS packet lengths caused PLC Y to send a TCP Reset, thereby terminating the connection

We see that the level of granularity provided by the blackPeer framework is quite high. Furthermore, the tests took only approximately 5 minutes to run, and the analysis approximately 20 minutes.
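A conformance test of this kind needs an oracle: for each request, what response does the specification require? The validator below is an added example written for this page (it is not Wurldtech's blackPeer code and not a PLC implementation). It implements the checks the sections above exercise: the byte count, reference type and record range for function codes 20 and 21; the quantity, data length and address range for function code 23; and the header checks that PLC X and PLC Y answered with a TCP Reset, where a conformant device returns a Modbus exception (unknown function code) or silently discards the frame (bad MBAP length). Exception codes 01/02/03 are the standard Modbus values; the device model (1000 holding registers, a read limit of 125 registers for function code 23) is an assumption made here, since the page gives only the write limit of 121 and the record limit of 10000.

```python
"""Reference validator for MODBUS/TCP requests: returns the response a conformant
device should give. Constructed example; constants below are assumptions."""
import struct

# Standard Modbus exception codes
ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02
ILLEGAL_DATA_VALUE = 0x03
OK = 0
DROP = -1   # malformed MBAP frame: discard it, never answer with a TCP Reset

# Device model (assumed for this example, not taken from the paper)
HOLDING_REGISTERS = 1000   # registers 0..999 exist
MAX_RECORD = 10000         # page: record number and record number + length must not exceed 10000
MAX_WRITE_QTY = 121        # page: write quantity limit for function code 23
MAX_READ_QTY = 125         # specification limit for the read part of function code 23 (assumed)
SUPPORTED_FUNCTIONS = {20, 21, 23}


def parse_mbap(frame):
    """Split a MODBUS/TCP frame into (unit_id, pdu); None if the MBAP header is
    malformed, i.e. the length field disagrees with the bytes actually present."""
    if len(frame) < 8:
        return None
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # length counts the unit identifier plus the PDU, i.e. everything after byte 6
    if protocol_id != 0 or length != len(frame) - 6:
        return None
    return unit_id, frame[7:]


def check_file_record(pdu, is_write):
    """Function codes 20/21: byte count, reference type and record range of every sub-request."""
    if len(pdu) < 2:
        return ILLEGAL_DATA_VALUE
    byte_count, body = pdu[1], pdu[2:]
    if byte_count < 7 or byte_count > 245 or byte_count != len(body):
        return ILLEGAL_DATA_VALUE
    offset = 0
    while offset < len(body):
        if len(body) - offset < 7:
            return ILLEGAL_DATA_VALUE
        ref_type, _file_number, record_number, record_length = struct.unpack(">BHHH", body[offset:offset + 7])
        offset += 7
        if ref_type != 6:
            return ILLEGAL_DATA_VALUE
        if record_number > MAX_RECORD or record_number + record_length > MAX_RECORD:
            return ILLEGAL_DATA_ADDRESS
        if is_write:
            data_len = 2 * record_length   # record data follows the sub-request header
            if len(body) - offset < data_len:
                return ILLEGAL_DATA_VALUE
            offset += data_len
    return OK


def check_read_write_registers(pdu):
    """Function code 23: quantity and length checks (exception 03) before address checks (exception 02)."""
    if len(pdu) < 10:
        return ILLEGAL_DATA_VALUE
    read_start, read_qty, write_start, write_qty, write_bytes = struct.unpack(">HHHHB", pdu[1:10])
    data = pdu[10:]
    if not 1 <= read_qty <= MAX_READ_QTY or not 1 <= write_qty <= MAX_WRITE_QTY:
        return ILLEGAL_DATA_VALUE
    if write_bytes != 2 * write_qty or len(data) != write_bytes:
        return ILLEGAL_DATA_VALUE   # specified and actual data lengths must agree
    if read_start + read_qty > HOLDING_REGISTERS or write_start + write_qty > HOLDING_REGISTERS:
        return ILLEGAL_DATA_ADDRESS
    return OK


def validate_request(frame):
    """OK, a Modbus exception code, or DROP for a raw MODBUS/TCP request frame."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return DROP
    _unit_id, pdu = parsed
    function_code = pdu[0]
    if function_code not in SUPPORTED_FUNCTIONS:
        return ILLEGAL_FUNCTION
    if function_code in (20, 21):
        return check_file_record(pdu, is_write=(function_code == 21))
    return check_read_write_registers(pdu)


def build_frame(pdu, transaction_id=1, unit_id=1, length_override=None):
    """Wrap a PDU in an MBAP header; length_override reproduces a wrong length field."""
    length = len(pdu) + 1 if length_override is None else length_override
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + pdu


# Constructed sample requests mirroring the test cases described on the page
FC20_OK = build_frame(bytes([20, 7]) + struct.pack(">BHHH", 6, 1, 100, 2))
FC20_BAD_REF = build_frame(bytes([20, 7]) + struct.pack(">BHHH", 5, 1, 100, 2))
FC20_BAD_RECORD = build_frame(bytes([20, 7]) + struct.pack(">BHHH", 6, 1, 9999, 2))
FC21_OK = build_frame(bytes([21, 11]) + struct.pack(">BHHH", 6, 1, 100, 2) + b"\x00" * 4)
FC23_AT_LIMIT = build_frame(bytes([23]) + struct.pack(">HHHHB", 0, 1, 0, 121, 242) + b"\x00" * 242)
FC23_OVER_LIMIT = build_frame(bytes([23]) + struct.pack(">HHHHB", 0, 1, 0, 122, 244) + b"\x00" * 244)
FC23_OUT_OF_RANGE = build_frame(bytes([23]) + struct.pack(">HHHHB", 0, 1, 900, 121, 242) + b"\x00" * 242)
FC23_LENGTH_MISMATCH = build_frame(bytes([23]) + struct.pack(">HHHHB", 0, 1, 0, 2, 4) + b"\x00" * 3)
BAD_FUNCTION = build_frame(bytes([80, 0, 0]))
BAD_LENGTH = build_frame(bytes([20, 7]) + struct.pack(">BHHH", 6, 1, 100, 2), length_override=99)
```

`FC23_AT_LIMIT` is the case PLC X got wrong: a write quantity of 121 inside a valid range is legal and the oracle returns `OK`, so a device answering with an exception fails that test. `BAD_FUNCTION` and `BAD_LENGTH` are the header cases: the expected answers are exception 01 and a silent discard, so a TCP Reset is recorded as a failure.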
