Jake Brodsky, a longtime reader and prolific cross-the-web commenter on all
things control-system-security, left an interesting Google+ comment on a ‘BTW’
comment I made in last night’s post on the latest Crain-Sistrunk ICS-CERT
advisory. I made a toss-off comment about Adam and Chris working on a re-write
of the DNP protocol. Jake made the following clarification:
“Speaking as Chairman of the DNP
Users Group, I would like to clarify that the protocol is sound. Crain and
Sistrunk are working with the technical committee on development of more robust
test procedures. I will have more to say about this later.”
As always I appreciate the clarification. With an open
source product like DNP, developing vigorous test procedures is almost more
important than refining the protocol. This is especially true if it helps to
catch implementation errors like those that Adam and Chris have been pointing
out in the last couple of months.
One of the challenges for gadflies like myself (with limited
technical expertise) is that it is hard to tell if a series of reported problems
with an open source product like DNP is the result of a basic flaw in the
product or if the problem is in the implementation in applications.
Adam and Chris have pointed out a number of improper input
validation vulnerabilities in applications that are DNP-based. Because they all
have been coordinated disclosures and no exploit code is available, it is hard to
tell how similar the vulnerabilities actually are. If they are inherent in the
DNP protocol, then DNP needs to be fixed. If they are implementation-based
vulnerabilities, there may still need to be revisions made to DNP to make it
more difficult to make these types of errors.
1 comment:
I'd like to clarify that DNP3 isn't open source. It's an open standard, i.e. just a specification. My efforts with opendnp3, an open source implementation of the specification, are completely separate from the DNP3 user group and technical committee.