I got an interesting email from Adam Crain today. It was part of a continuing message chain, but he tossed off a new subject:
“FYI, I just announced the release of the DNP3 fuzzer at SANS SCADA in March 2014”
He then provided a link to a new page on his Automatak.com web site - http://www.automatak.com/aegis/.
Adam and his compatriot, Chris Sistrunk, have demonstrated a talent for finding vulnerabilities in DNP3 applications. They have made a name for themselves in the last couple of weeks by being listed as the responsible researchers on 8 ICS-CERT advisories. I don’t know the details of their disclosure agreements with the affected vendors, but I seriously doubt that they have made much, if any, money off of these disclosures.
BTW: There are now 17 ‘pending’ disclosures on the Project Robus web site; two more than earlier this week. So, contrary to my earlier supposition, they haven’t stopped their testing efforts.
This is the problem that most ‘ethical researchers’ have run into: there is little or no money to be made from coordinated disclosures. This is one of the reasons that so many cybersecurity researchers have turned to selling vulnerabilities on either the black or grey markets; it’s a way to pay the bills and keep food on the table. The rub, of course, is that these markets put owner/operators at risk.
Adam, it seems, has come up with a slightly different marketing angle. Instead of selling vulnerabilities, he is effectively going to sell the tools he develops to find vulnerabilities. It is not explicitly pointed out on his web site, but his email makes clear that he is looking to vendors and utility owner/operators to be members of his “consortium of industrial control system (ICS) stakeholders”, thus staying on the side of ‘ethical hackers’.
BTW: I made the comment in an earlier blog post that other ICS protocols might undergo examination by Crain-Sistrunk. A side-bar on the AEGIS page points out that there is a “Modbus master/slave” under development. I suspect that we will shortly begin seeing ICS-CERT advisories pointing out vulnerabilities in Modbus-related applications. Fortunately (sarcasm warning) there aren’t too many of those out there. In fact, some of those 17 pending disclosures might be Modbus-related instead of DNP3. Some people would be happy to see that.
It will be interesting to see how well Automatak does with this project. I hope that he succeeds; we need more owner/operator-friendly hacker business models.