Jake Brodsky, a long-time reader and prolific cross-the-web commenter on all things control-system security, left an interesting Google+ comment on a ‘BTW’ remark I made in last night’s post on the latest Crain-Sistrunk ICS-CERT advisory. I made a toss-off comment about Adam and Chris working on a re-write of the DNP protocol. Jake made the following clarification:
“Speaking as Chairman of the DNP Users Group, I would like to clarify that the protocol is sound. Crain and Sistrunk are working with the technical committee on development of more robust test procedures. I will have more to say about this later.”
As always, I appreciate the clarification. With an open source product like DNP, developing vigorous test procedures is almost more important than refining the protocol. This is especially true if it helps to catch implementation errors like those that Adam and Chris have been pointing out over the last couple of months.
One of the challenges for gadflies like myself (with limited technical expertise) is that it is hard to tell whether a series of reported problems with an open source product like DNP stems from a basic flaw in the product itself or from the way individual applications implement it.
Adam and Chris have pointed out a number of improper input validation vulnerabilities in DNP-based applications. Because they have all been coordinated disclosures and no exploit code is available, it is hard to tell how similar the vulnerabilities actually are. If they are inherent in the DNP protocol, then DNP needs to be fixed. If they are implementation-based vulnerabilities, there may still need to be revisions made to DNP to make it more difficult to make these types of errors.