One of the vendors whose code was found vulnerable was Triangle Microworks, a.k.a. TMW, which sells source code for deploying DNP3 to several SCADA vendors. The company has since patched its DNP3 Master and Outstation Source Code Library packages. The improper input validation bug could allow an attacker to remotely send a malicious TCP packet from the master station on an IP network, sending the substation device into an "infinite loop." An attacker with physical access to the master station could do the same thing to a serially connected device.
"It would be missing data and run until someone notices," Crain said. "If an operator isn't directly on that server, depending on how the software is architected internally, he might never know, and it might remain deadlocked until someone notices the data has not refreshed."
Not all of the vendor patches have gone smoothly. One vendor initially released details of the bug in its release notes, and two others issued so-called "silent fixes," meaning that they didn't coordinate their patches with ICS-CERT or notify their customers of the problem. And another vendor attempted to fix the flaw a couple of times, but ultimately "gave up," Sistrunk says.
There are some ways to mitigate DNP3-borne exploits, including not allowing DNP3 networks to touch the corporate firewall, ensuring strong physical security at substations, and ensuring that third-party software is tested for security before you buy it, Sistrunk says. "Ask for secure authentication and encryption," he says. "You can do SIEM on the enterprise side and just watch and know if you see something is wrong."
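The failure mode Crain describes above (a deadlocked outstation that simply stops refreshing data) is something the enterprise-side monitoring Sistrunk recommends can catch, because a wedged device stops answering polls while a healthy one keeps answering. The following watchdog is an added example for this article, not code from any vendor, the DNP Users Group, or the researchers; it parses a constructed master-station poll log (the line format and the outstation addresses are assumptions) and flags any outstation that has gone silent longer than a configured threshold, along with how many polls in a row it has missed.

```python
"""Stale-data watchdog over constructed DNP3 master poll records (added example)."""
from datetime import datetime, timezone

# Constructed sample poll log from a hypothetical master station. Each line records one
# poll of one outstation: the timestamp, the outstation address and whether a response
# came back. Outstation 11 stops answering after its first poll; outstation 10 is healthy.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z outstation=10 status=response
2024-05-01T10:00:00Z outstation=11 status=response
2024-05-01T10:00:30Z outstation=10 status=response
2024-05-01T10:00:30Z outstation=11 status=timeout
2024-05-01T10:01:00Z outstation=10 status=response
2024-05-01T10:01:00Z outstation=11 status=timeout
2024-05-01T10:01:30Z outstation=10 status=response
2024-05-01T10:01:30Z outstation=11 status=timeout
"""


def _parse_ts(ts_str):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_poll_log(text):
    """Turn the log text into (timestamp, outstation address, status) tuples.

    Malformed lines are skipped rather than aborting the run, so one bad log
    entry cannot silence the watchdog itself.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            fields = dict(part.split("=", 1) for part in parts[1:])
            records.append((_parse_ts(parts[0]), int(fields["outstation"]), fields["status"]))
        except (ValueError, KeyError):
            continue
    return records


def find_stale_outstations(records, now_iso, max_silence_seconds):
    """Return {address: {"silent_for": seconds, "consecutive_timeouts": n}} for every
    outstation whose last successful response is older than max_silence_seconds
    (or that has never responded at all) as of the given moment.
    """
    now = _parse_ts(now_iso)
    last_response = {}
    consecutive_timeouts = {}
    for ts, addr, status in records:
        if status == "response":
            last_response[addr] = ts
            consecutive_timeouts[addr] = 0
        else:
            consecutive_timeouts[addr] = consecutive_timeouts.get(addr, 0) + 1

    alerts = {}
    for addr in set(last_response) | set(consecutive_timeouts):
        last = last_response.get(addr)
        silent_for = (now - last).total_seconds() if last is not None else None
        if silent_for is None or silent_for > max_silence_seconds:
            alerts[addr] = {
                "silent_for": silent_for,
                "consecutive_timeouts": consecutive_timeouts.get(addr, 0),
            }
    return alerts


def demo_alerts():
    """Run the watchdog over the constructed log at the time of its last poll."""
    records = parse_poll_log(SAMPLE_LOG)
    return find_stale_outstations(records, "2024-05-01T10:01:30Z", max_silence_seconds=60)


if __name__ == "__main__":
    for addr, info in sorted(demo_alerts().items()):
        print(f"ALERT outstation {addr}: no response for {info['silent_for']}s, "
              f"{info['consecutive_timeouts']} consecutive timeouts")
```

The threshold should be set from the site's real poll interval (a device polled every 30 seconds that has been silent for a minute has missed two polls), and the alert is worth raising whether the cause is a crashed outstation, a cut serial line, or a wedged parser, since the operator's symptom is the same in every case: data that has stopped refreshing.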
Meanwhile, the DNP Users Group board of directors emphasized in a document about the vulnerability reports that the problems were not with the DNP3 protocol itself, but rather with software implementations of it. DNP3 includes secure authentication in the application layer for both serial and IP communications.
The users group worked with Sistrunk and Crain on guidance for application developers on DNP3, which is available here (PDF) for download.
"The DNP3 protocol is sound. It is indeed possible to write a robust DNP3 implementation. This is evidenced by the few devices that Crain and Sistrunk were not able to crash with the Aegis fuzzer," says Jacob Brodsky, Chair of the DNP Users Group. "However, there is no denying that the DNP3 protocol is subtle and complex, mostly because SCADA systems themselves are a subtle and complex endeavor."
Sistrunk says deploying secure authentication doesn't preclude all of the bugs he and Crain discovered.