As promised, Adam Crain announced this morning on TWITTER® that AEGIS had publicly released their DNP3 Fuzzer. It is available, along with documentation, on the AEGIS web site.
Adam and Chris Sistrunk have made something of a name for themselves over the last year testing various DNP3 applications with this tool and publicly disclosing the vulnerabilities they found through a strict coordinated disclosure process (so strict that we still don’t know who 11 of the 28 vendors are). So far, they claim that they haven’t found an application that did not have a discoverable vulnerability.
While most people that will be downloading this Fuzzer will be security researchers wanting to get a good look at the tool that Adam and Chris have been using to such good effect, Adam has made it clear that he really wants DNP3 system owners to get and use this tool to identify for themselves the vulnerabilities in their particular systems.
To my way of thinking, it certainly would be smart to know what your system vulnerabilities are before someone with a black hat starts testing.
BTW: Adam and Chris already are putting to use a similar Modbus TCP tool. I will be keeping an eye out for the ICS-CERT Advisories.