DNP3 Vulnerabilities Part 1 of 2 - NERC’s Electronic Security Perimeter is Swiss Cheese

If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures on their way. Even the New York Times and Wired Magazine have picked up this story.

Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?

Do the DNP3 SCADA Master Vulnerabilities make NERC’s Electronic Security Perimeter a Fairytale Castle?

Finding Industrial Security Vulnerabilities in All the Wrong Places

All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his AEGIS Project. The scary part is that Adam’s tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.

This introduces a new world of attack possibilities against the power industry. Successfully attack an RTU in a substation and you might knock that station off line. Successfully attack a SCADA master and you can knock a whole system off line.

To make matters worse, these attacks work great over serial links, not just TCP/IP networks. Since NERC-CIP exempts serial communications from any security controls, the hundreds of millions of dollars the power industry has spent to date to secure the power grid could be for naught. Dale Peterson describes these problems well in his blog “Why the Crain/Sistrunk Vulnerabilities are a Big Deal”.

The NERC-CIP Electronic Security Perimeter (ESP) is Full of Holes

Last week Darren Highfill posted a blog explaining that the situation is worse than many thought. The vulnerabilities in DNP3 masters don’t even require that the attacker climb a fence:

The first place that most people have started talking about these [DNP3] devices is a substation. Too many engineers are searching for ways to make themselves feel better because there is a fence and/or a locked building keeping the bad guys out. Maybe even a camera, too... no half-way informed attacker is going to mess with a substation when they have much easier access to many more pad-mount and pole-mount devices in more remote and less noticeable locations. With no cameras.

Darren has a valid point – DNP3 communication links run into millions of physically insecure pad and pole devices around the world. Get at just one of these and you can control a much larger power system.

Darren’s scenario completely defeats NERC-CIP’s vision of an Electronic Security Perimeter (ESP): a pull-up-the-drawbridge model where everything (and everyone) bad is kept out by a perfect electronic fortress. To be effective against these attacks, NERC’s ESP now has to include the entire country. Like other bastion models of security that I have discussed in the past, the ESP concept is fatally flawed.

A Serious Technical Error?

Unfortunately, I believe Darren makes a serious technical error in his discussion, which I will discuss in my blog next week. In the meantime, consider the fact that this is NOT just a DNP3 or a power industry problem. Any ICS protocol that uses a master/slave (aka client/server) polling scheme (i.e. 99% of them) will suffer from similar vulnerabilities in the masters (aka clients). This means that any industry that has remote assets in poorly secured locations could be vulnerable to Darren’s proposed “client-side” attacks.

Think about these types of attacks the next time you drive by a sewage lift pump box in a suburban neighborhood. Or when you see an oil well at the side of a prairie road. These are all potential backdoors into much larger critical infrastructures. All it will take is another well designed test tool to find those backdoors in the devices using other ICS protocols like Modbus, EtherNet/IP or PROFINET. That, plus a few people with malicious intent.

Related Content to Download

Presentation - "Defense in Depth Sound Security Strategy"

 

In this presentation Eric Byres goes into detail about:

  • The Defense in Depth strategy
  • The problem with relying on traditional firewalls with a single point of failure
  • Proper Defense in Depth design that provides reliable security for the plant floor

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Author Eric Byres

Comments

2

I would have thought that you would not be on the bandwagon too!

Let's keep track of just how many Master stations (the "M" is capitalized for a reason, to signify that it is the Master for a system and not just a substation) are involved here.

Taking out a central site via substations is nothing new, so I am not quite sure why this is catching so many eyes. These reports criticize the deployment of DNP3-to-OPC servers which actually are a very good protocol "proxy" and can offer significant security ... yet no one is even mentioning this. These devices act as the "sacrificial lamb" effectively isolating the Central systems from being compromised when a remote site is pwned.

I have talked about this further on my blog ...
http://scadahacker.blogspot.com/2013/11/stop-madness-mr-wonderful-shark-...

Eric, you make some sound statements and revelations about the vulnerabilities facing ICS. I believe, however, that while NERC CIP standards are off the mark in certain places (such as serial communications considerations), the recently announced NIST Security Framework will make for a good (better at least) approach to ICS security.
So while NERC CIP can be scrutinized and criticised, it would be better to put effort into ensuring that the NIST framework is well built and mitigates short comings within CIP. NERC CIP can be used in "Lessons Learned" in the "Short Comings in ICS Security" incident :-)

Add new comment