Tuesday, September 10, 2013

Google+ Comment – 09-09-13 – DNP Work

Jake Brodsky, a long time reader and prolific cross-the-web commentor on all things control-system-security, left an interesting Google+ comment on a ‘BTW’ comment I made in last night’s post on the latest Crain-Sistrunk ICS-CERT advisory. I made a toss-off comment about Adam and Chis working on a re-write of the DNP protocol. Jake made the following clarification:

“Speaking as Chairman of the DNP Users Group, I would like to clarify that the protocol is sound. Crain and Sistrunk are working with the technical committee on development of more robust test procedures. I will have more to say about this later.”

As always I appreciate the clarification. With an open source product like DNP developing vigorous test procedures is almost more important than refining the protocol. This is especially true if it helps to catch implementation errors like those that Adam and Chris have been pointing out in the last couple of months.

One of the challenges for gadflies like myself (with limited technical expertise) is that it is hard to tell if a series of reported problems with an open source product like DNP is the result of a basic flaw in the product or if the problem is in the implementation in applications.

Adam and Chris have pointed out a number of improper input validation vulnerabilities in applications that are DNP based. Because they all have been coordinated disclosures and no exploit code is available, it is hard to tell how similar the vulnerabilities actually are. If they are inherent in the DNP protocol, then DNP needs to be fixed. If they are implementation based vulnerabilities, there may still need to be revisions made to DNP to make it more difficult to make these types of errors.

I know that Jake is a hard-working man with a strong personal and professional interest in control system security. Adam and Chris obviously have a good understanding of this specific DNP issue. With the three of them (and others I’m sure) at work on the issue, I’m sure that the DNP protocol and its various implementations will be more secure at the end of the day. That is all that anyone can ask of any product.

1 comment:

Adam Crain said...

I'd like to clarify that DNP3 isn't open source. It's an open standard, i.e. just a specification. My efforts with opendnp3, an open source implementation of the specification, are completely separate from the DNP3 user group and technical committee.

/* Use this with templates/template-twocol.html */