Readers of this blog will certainly recall a number of vulnerabilities (the latest, for example) that I have reported upon concerning DNP3 products from a number of different vendors, all of them reported by Adam Crain. Well, Adam was nice enough to point me at a report prepared by the DNP User’s Group about those vulnerabilities and what they mean for the general security of the DNP3 protocol.
Anyone that is using or thinking of using a DNP3-based product from any vendor should read this report. It doesn’t provide a lot of details about the individual problems that Adam has identified, but it does reaffirm what both Adam and Jake Brodsky (and others) have told me about the problems: they are not inherent in the DNP3 protocol but are problems with individual vendors’ implementations of that protocol.
The most important part of the report, in my opinion, is found at the end, where it discusses SCADA security for DNP3 in general:
• SCADA protocols were designed for use on trusted networks. On untrusted networks, these protocols must be deployed within a system that uses adequate security measures [emphasis added].
• The current DNP3 specification is IEEE 1815-2012, and is available from the dnp.org Document Library.
• DNP3 is one of the few SCADA protocols that already includes built-in security features.
• DNP3 devices should be certified for interoperability, but these certification tests do not necessarily verify robust behavior in all circumstances.
• No single security feature can defend against all types of attacks. Experts suggest using a defense-in-depth security methodology.
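The report’s point that interoperability certification does not necessarily verify robust behavior, and the point above that the reported problems lie in vendor implementations rather than in the protocol, both come down to the same thing: how an implementation treats input that is malformed rather than merely unexpected. The following is an added example, not code from the report, from Adam Crain or from any vendor: a defensive parser for the DNP3 data-link-layer frame (the 0x05 0x64 start bytes, LEN, CTRL, DEST, SRC, header CRC, then user-data blocks of up to 16 bytes each followed by its own CRC, as laid out in IEEE 1815), together with a constructed batch of malformed frames of the kind a robustness test feeds to it. The frame layout and the CRC-16/DNP polynomial are from the standard; the frame contents, CTRL values and all function names are my own choices for the example.

```python
import struct

START = b"\x05\x64"      # DNP3 data-link frame start bytes
HEADER_LEN = 10          # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + CRC(2)
MAX_USER_DATA = 250      # LEN is one byte and counts the 5 header bytes after it


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Build a well-formed frame: header + CRC, then 16-byte blocks each + CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data too long for one frame")
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def forge_len(frame: bytes, length: int) -> bytes:
    """Rewrite LEN and recompute the header CRC, so only the length-vs-data
    consistency check can reject the result (a CRC check alone will not)."""
    header = frame[:2] + bytes([length]) + frame[3:8]
    return header + struct.pack("<H", crc16_dnp(header)) + frame[HEADER_LEN:]


class FrameError(ValueError):
    """The single exception a caller sees for any rejected frame."""


def parse_frame(buf: bytes) -> dict:
    """Validate every length and CRC before trusting any field in the buffer."""
    if len(buf) < HEADER_LEN:
        raise FrameError("short header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if length < 5:
        raise FrameError("LEN below minimum of 5")
    if crc16_dnp(buf[:8]) != struct.unpack_from("<H", buf, 8)[0]:
        raise FrameError("header CRC mismatch")
    ctrl = buf[3]
    dest, src = struct.unpack_from("<HH", buf, 4)
    user_len = length - 5
    nblocks = (user_len + 15) // 16            # each block, full or partial, has a CRC
    expected_total = HEADER_LEN + user_len + 2 * nblocks
    if len(buf) < expected_total:
        raise FrameError(f"truncated: LEN implies {expected_total} bytes, got {len(buf)}")
    user_data, pos, remaining = b"", HEADER_LEN, user_len
    while remaining > 0:
        n = min(16, remaining)
        block = buf[pos:pos + n]
        if crc16_dnp(block) != struct.unpack_from("<H", buf, pos + n)[0]:
            raise FrameError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return {"ctrl": ctrl, "dest": dest, "src": src, "user_data": user_data, "consumed": pos}


def classify(frames: dict) -> dict:
    """Feed a batch of frames to the parser: accepted, or rejected with the reason.
    Anything other than FrameError escaping here is a robustness bug."""
    results = {}
    for name, frame in frames.items():
        try:
            parse_frame(frame)
            results[name] = "accepted"
        except FrameError as exc:
            results[name] = f"rejected: {exc}"
    return results


# Constructed inputs (not captured traffic): one good frame with no user data,
# one with 20 bytes (two CRC blocks), and malformations of each.
GOOD = build_frame(ctrl=0xC0, dest=1, src=1024)
WITH_DATA = build_frame(ctrl=0xC4, dest=1, src=1024, user_data=bytes(range(20)))
CASES = {
    "good_no_data": GOOD,
    "good_with_data": WITH_DATA,
    "bad_start": b"\x05\x65" + GOOD[2:],
    "short_header": GOOD[:7],
    "len_below_minimum": forge_len(GOOD, 2),
    "header_crc_flipped": GOOD[:8] + bytes([GOOD[8] ^ 0xFF]) + GOOD[9:],
    "len_overstates_data": forge_len(WITH_DATA, 255),   # header CRC valid, data missing
    "truncated_data": WITH_DATA[:-3],
    "data_crc_flipped": WITH_DATA[:-1] + bytes([WITH_DATA[-1] ^ 0x01]),
}

if __name__ == "__main__":
    for name, verdict in classify(CASES).items():
        print(f"{name:22s} {verdict}")
```

The parser checks every length and CRC before it trusts a field and raises one exception type for every rejection, so a caller can simply drop the frame and resynchronise on the next start bytes. The `len_overstates_data` case is the one worth noting: its header CRC is valid, so only the comparison of LEN against the bytes actually received rejects it, and a parser that trusted LEN after a good CRC would read past the end of its buffer. That is exactly the class of behavior an interoperability test, which only ever sends well-formed frames, never exercises.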