On Shaky Ground - A Study of Security Vulnerabilities in Control Protocols
VII. CONCLUSIONS
The blackPeer test framework allows for the economical creation of powerful test suites capable of quickly and efficiently testing a protocol implementation against its specification. The blackPeer test framework is superior to conventional testing methods in two key areas:
- the framework not only automates the generation of test cases but also automates the interpretation of the DUT's behavior in response to those test cases. This is achieved by the novel approach of statefully generating a test case oracle in conjunction with each generated test case, so that the expected response is known before the test is run.
- the framework provides a formal language in which the tester can express a test suite. This allows the tester to make quantifiable claims about the coverage of the tests.
We ran approximately 5000 conformance tests against each PLC. The design of the test framework enabled efficient execution of the tests and quick interpretation of the results. The coverage offered by other conformance testing tools, such as those distributed by the MODBUS-IDA, is much smaller than that offered by blackPeer, and interpreting the results of those tools is a much more onerous task.
blackPeer discovered more than 60 categories of errors between the two PLCs tested. This is unacceptable for devices that may be deployed in critical safety systems. Most of the errors blackPeer detected came in the form of incorrect error responses. Human Machine Interface (HMI) software, such as WonderWare, interprets error responses and displays their meaning to the plant operator; such errors result in the operator receiving incorrect information. The receipt of this incorrect information could have catastrophic consequences.
The errors blackPeer discovered surrounding the use of illegal serial function codes were also troubling. The fact that PLC Q could be taken offline indefinitely by the simple execution of a MODBUS function code 8, sub-function 4 request is extremely dangerous. This failure could result in the plant operator losing complete control of potentially safety-critical systems. This error could not have been discovered by formally investigating the TCP or MODBUS protocols in isolation. A test framework capable of testing protocols embedded within protocols, such as blackPeer, is required for such discoveries.
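To make the stateful-oracle idea concrete, the following is an added example (not blackPeer's code, nor code from the paper): a small MODBUS/TCP conformance checker that predicts the conforming response for each request from a device model, updates that model on writes so later reads are judged against the written state, and then classifies the response a device actually returned. The device model (16 holding registers, function codes 3 and 6 supported) and the sample device responses are constructed here to illustrate the two error classes the paper reports most often, a wrong exception code and a missing exception; they do not describe any real PLC.

```python
"""Stateful test-case oracle for MODBUS/TCP conformance checks (added example)."""
import struct

# MODBUS exception codes and the two function codes the constructed model supports.
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03
READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER = 0x03, 0x06


def mbap(transaction_id, unit_id, pdu):
    """Wrap a PDU in a MODBUS/TCP MBAP header: protocol id 0, length = unit id byte + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def split_adu(adu):
    """Return (transaction_id, unit_id, pdu) from an ADU, validating the MBAP length field."""
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    return tid, uid, adu[7:]


class DeviceModel:
    """Assumed DUT model (constructed for this example): n holding registers, FC 3 and FC 6 only."""

    def __init__(self, n_registers=16):
        self.registers = [0] * n_registers

    def expected_pdu(self, request_pdu):
        """Predict the conforming response PDU for a request and update the model state."""
        fc = request_pdu[0]
        if fc == READ_HOLDING_REGISTERS:
            addr, qty = struct.unpack(">HH", request_pdu[1:5])
            if not 1 <= qty <= 125:                      # quantity limit of FC 3
                return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
            if addr + qty > len(self.registers):         # beyond the register map
                return bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
            values = self.registers[addr:addr + qty]
            return bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
        if fc == WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", request_pdu[1:5])
            if addr >= len(self.registers):
                return bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
            self.registers[addr] = value                 # state change seen by later reads
            return request_pdu                           # FC 6 echoes the request on success
        return bytes([fc | 0x80, ILLEGAL_FUNCTION])      # anything else is unsupported


def judge(expected_pdu, actual_pdu):
    """Classify a DUT response against the oracle's prediction."""
    if expected_pdu == actual_pdu:
        return "conformant"
    expected_is_exception = bool(expected_pdu[0] & 0x80)
    actual_is_exception = bool(actual_pdu[0] & 0x80)
    if expected_is_exception and actual_is_exception:
        return "wrong exception code"     # the class behind misleading HMI messages
    if expected_is_exception:
        return "missing exception"        # illegal request silently accepted
    if actual_is_exception:
        return "unexpected exception"
    return "wrong data"


def run_suite(model, test_cases):
    """test_cases: list of (request_pdu, dut_response_pdu); returns one verdict per case, in order."""
    return [judge(model.expected_pdu(req), resp) for req, resp in test_cases]


# Constructed sample: request PDUs paired with the responses a hypothetical DUT returned.
SAMPLE_CASES = [
    (bytes([0x06, 0x00, 0x02, 0x12, 0x34]), bytes([0x06, 0x00, 0x02, 0x12, 0x34])),  # write reg 2, echoed
    (bytes([0x03, 0x00, 0x02, 0x00, 0x01]), bytes([0x03, 0x02, 0x12, 0x34])),        # read reg 2 -> 0x1234
    (bytes([0x03, 0x00, 0x20, 0x00, 0x01]), bytes([0x83, 0x03])),                    # bad address, DUT says 0x03
    (bytes([0x64, 0x00]), bytes([0x64, 0x00])),                                      # unsupported FC, no exception
]

if __name__ == "__main__":
    for (req, _), verdict in zip(SAMPLE_CASES, run_suite(DeviceModel(), SAMPLE_CASES)):
        print(req.hex(), "->", verdict)
```

Because the oracle is computed before the response is compared, a verdict is produced for every case without a human reading the traffic, which is the property the paper attributes to blackPeer. The third case shows the "incorrect error response" pattern: the oracle expects exception 0x02 (illegal data address) but the device answers 0x03 (illegal data value), an error an HMI would relay to the operator as a wrong explanation.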
The SCADA industry urgently needs to adopt better security robustness testing as standard practice. Industry bodies like the American National Standards Institute (ANSI) and the International Electrotechnical Commission (IEC) need to mandate standardized security/conformance testing and certification for these critical devices. The number of errors detected in the two PLCs, and their significance, shows that security testing and certification of SCADA devices is critical to protecting our national infrastructures from both accidental and deliberate attacks. As well as demonstrating the need for such testing, this paper also illustrates how it can be successfully conducted.