Effective Fuzz Testing for Programmable Logic Controllers - Research for Nuclear Safety

Slide Note
Embed
Share

This paper discusses the significance of fuzz testing for Programmable Logic Controllers (PLCs) to ensure nuclear safety, citing incidents like the Stuxnet worm attack. It delves into the methodology, zero-day vulnerability findings, and results of the research conducted by authors in February 2020, emphasizing the need for robust testing measures in industrial PLCs.

ane_fil
ane_fil Follow

Uploaded on Sep 15, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. EFFECTIVE FUZZ TESTING FOR PROGRAMMABLE LOGIC CONTROLLERS VULNERABILITY RESEARCH TO ENSURE NUCLEAR SAFETY Authors: Authors: Jakub Suchorab Marcin Dudek Kinga Staszkiewicz Joanna Walkiewicz Co Co- -author author: : Jacek Gajewski IAEA-CN-278/619 Paper presentation Vienna, February 2020

  2. Presentation outline Introduction Introduction Fuzz Fuzz testing testing Laboratory Laboratory configuration configuration Research Research on on methodology methodology Found Found zero zero- -day day vulnerability vulnerability Results Results Summary Summary 2 2

  3. Introduction Programmable Programmable Logic Control Control Systems Systems (ICS) Examples Examples of of incidents Stuxnet worm attack on Iranian nuclear facilities reprogrammed PLC damaged centrifuges (2010), Malfunctioning PLC led to shut down of reactor in the Browns Ferry nuclear power plant (2006); The The security security of of communication communication of of PLCs PLCs should should be In In was was decided decided to to create create a a specialized specialized laboratory fuzz fuzz testing testing methodology methodology for for PLC PLCs s. . Logic Controllers Controllers (PLCs) (ICS); ; incidents involving involving PLCs (PLCs) plays plays an an important important role role in in Industrial Industrial PLCs: : be tested tested; ; laboratory in in order order to to define define an an efficient efficient 3 3

  4. Fuzz testing Input Input generator generator Delivery Delivery mechanism mechanism System Under System Under Test Test Fail detection Fail detection mechanism mechanism Fig. 1. Fuzzing framework: Input generator, a delivery mechanism and a fail detection mechanism. [Source: M. Almgren, D. Balzarotti, J. Stijohann and E. Zambon Report on automated vulnerability discovery techniques] 4 4

  5. Laboratory configuration Table 1. Hardware and software used in laboratory Component Component Importance Importance Specification Specification PLC Siemens S7-317 PLC Siemens S7-1511 PLC Siemens S7-1512 1 desktop computer 1 laptop computer D-Link Web Smart Switch DGS-1224T PLC required Hardware Hardware Computer required Switch optional Fuzzer PLC configuration software Network protocol analyzer SCADA/HMI required Defensics from Synopsys Software Software required TIA Portal v14 recommended Wireshark Fig. 2. Laboratory setup optional WinCC 5 5

  6. Research on methodology 1. 1. Initial configuration and interoperability testing; Initial configuration and interoperability testing; 2. 2. Encountered false positive error caused by faulty Profinet DCP protocol test suite; Encountered false positive error caused by faulty Profinet DCP protocol test suite; 3. 3. Full Full- -scale tests of available protocols; scale tests of available protocols; 4. 4. PLC PLC failure encountered during IPv4 protocol failure encountered during IPv4 protocol testing testing. . 6 6

  7. Found zero-day vulnerability IP packet with modified header sent to S7 IP packet with modified header sent to S7- -1500 PLC about 33000 times 1500 PLC about 33000 times; ; In result, no communication with the target using IP In result, no communication with the target using IP- -based protocols based protocols; ; Report Report including proof sent to including proof sent to Siemens CERT; Siemens CERT; Vulnerability was classified as not previously known Vulnerability was classified as not previously known; ; The code CVE The code CVE- -2018 2018- -13805 was assigned to the vulnerability 13805 was assigned to the vulnerability; ; 7 7

  8. Results Prepare a list Prepare a list of protocols of protocols Yes Yes Is there Is there any untested any untested protocol protocol? ? Przeprowad Przeprowad proces proces wyodr bniania wyodr bniania podatno ci podatno ci extracting process extracting process Conduct Conduct Vulnerability Vulnerability Yes Yes Run a full test of the Run a full test of the next protocol from next protocol from the list the list Is there Is there any any failure failure? ? Mark protocol Mark protocol as tested as tested No No No No Prepare full Prepare full documentation documentation Fig. 3. Diagram presenting developed fuzzing methodology. 8 8

  9. Results Test failed Test failed No No Is the Is the optimal optimal sequence sequence found? found? Yes Yes Multiple Multiple failed test failed test rerun rerun Yes Yes Is failure Is failure repeatable? repeatable? Modify and rerun test Modify and rerun test case sequence case sequence Analyse the Analyse the results results No No Prepare proof Prepare proof of concept of concept script script Mark Mark the non non- -recurrent recurrent the failure failure as as Report to Report to vendor vendor 9 9 Fig. 4. Diagram presenting vulnerability extracting process. 9 9

  10. Summary The proposed systematic approach to fuzz testing of The proposed systematic approach to fuzz testing of PLCs of new and existing devices in order to find vulnerabilities associated with of new and existing devices in order to find vulnerabilities associated with incorrect protocol processing incorrect protocol processing; ; PLCs allows the examination allows the examination No testing can cover every single possible combination of test cases No testing can cover every single possible combination of test cases, , so is to find as many vulnerabilities as possible in a systematic way, thus reducing a is to find as many vulnerabilities as possible in a systematic way, thus reducing a threat of undetected ones threat of undetected ones. . so the the goal goal 10 10

  11. Thank you for your attention! Vienna, February 2020

Related


Understanding Programmable Logic Arrays (PLA)

Understanding Programmable Logic Arrays (PLA)

jakai
Understanding Programmable Logic Controllers (PLC)

Understanding Programmable Logic Controllers (PLC)

tansy
Ensuring Safety and Security in Pakistan's Nuclear Power Sector

Ensuring Safety and Security in Pakistan's Nuclear Power Sector

mordecai
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine
Logic Families

Logic Families

eilonwy
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities

decimus
Android Bluetooth Game Controllers Support and Setup Guide

Android Bluetooth Game Controllers Support and Setup Guide

brer593
Recent Developments in Nuclear Data and Workshops Summary

Recent Developments in Nuclear Data and Workshops Summary

jerry
Understanding Logic Circuits in Aircraft Systems

Understanding Logic Circuits in Aircraft Systems

ailani
Understanding Programmable Logic Devices (PLD) in Digital Electronics

Understanding Programmable Logic Devices (PLD) in Digital Electronics

bethan
NUSSC 57th Meeting - End of Term Report & Safety Standards Update

NUSSC 57th Meeting - End of Term Report & Safety Standards Update

kal_no
Exploring Nuclear Interactions through Holography and Gauge/Gravity Duality

Exploring Nuclear Interactions through Holography and Gauge/Gravity Duality

eaan477
Mechanism of Low-Energy Nuclear Reactions in Low-Temperature Plasma

Mechanism of Low-Energy Nuclear Reactions in Low-Temperature Plasma

caiden
Nuclear Power Program Development for Energy Security in New Nuclear Countries

Nuclear Power Program Development for Energy Security in New Nuclear Countries

psark
Advancements in Nuclear Physics Research at Laboratori Nazionali di Legnaro

Advancements in Nuclear Physics Research at Laboratori Nazionali di Legnaro

jak
Understanding Propositional Logic and Mathematical Logic in Computer Science

Understanding Propositional Logic and Mathematical Logic in Computer Science

leov452
Introduction to Symbolic Logic: Understanding Logical Inferences

Introduction to Symbolic Logic: Understanding Logical Inferences

ais_m
Workshop on Fine-grained Measurements App with P4 Programmable Switches

Workshop on Fine-grained Measurements App with P4 Programmable Switches

jream
Programmable Parser and Header Definitions at University of South Carolina

Programmable Parser and Header Definitions at University of South Carolina

hzirk
Evolution of Programmable Switches and Routers

Evolution of Programmable Switches and Routers

dart938
Future of Radiological and Nuclear Defense Programs and Capabilities

Future of Radiological and Nuclear Defense Programs and Capabilities

nadia
Step-by-Step Guide to Configuring APACS & AAN Controllers

Step-by-Step Guide to Configuring APACS & AAN Controllers

rier330
Exploring Nuclear Power: Benefits and Risks

Exploring Nuclear Power: Benefits and Risks

kabir
Texas A&M University Cyclotron Institute NSDD Evaluation Center Report 2019-2022

Texas A&M University Cyclotron Institute NSDD Evaluation Center Report 2019-2022

chandra

More Related Content

Nuclear Symmetry Energy in QCD Degree of Freedom
Nuclear Symmetry Energy in QCD Degree of Freedom
Italian Positioning and Perspectives in the Euratom-Fission Program
Italian Positioning and Perspectives in the Euratom-Fission Program
Uganda's Successes in Reaching Men with HIV Testing Through Assisted Partner Notification Program
Uganda's Successes in Reaching Men with HIV Testing Through Assisted Partner Notification Program
Software Testing Foundation Level: Testing Throughout the SDLC Quiz
Software Testing Foundation Level: Testing Throughout the SDLC Quiz
Testing Approach in SCREAM for E3SM Fall All-Hands 2019
Testing Approach in SCREAM for E3SM Fall All-Hands 2019
Amended Convention on Physical Protection of Nuclear Material Tabling in Parliament
Amended Convention on Physical Protection of Nuclear Material Tabling in Parliament
Understanding Nuclear Structure and Forces in Physical Science
Understanding Nuclear Structure and Forces in Physical Science
Understanding Nuclear Physics and Radiation Hazards
Understanding Nuclear Physics and Radiation Hazards
Applications of Radioisotopes in Nuclear Medicine
Applications of Radioisotopes in Nuclear Medicine
Challenges to Australian Compliance with Nuclear Ban Treaty
Challenges to Australian Compliance with Nuclear Ban Treaty
Proposing Science and Technology Initiatives for Nuclear Security and Disarmament
Proposing Science and Technology Initiatives for Nuclear Security and Disarmament
Topic : Distinction between Modern and Traditional Logic.
Topic : Distinction between Modern and Traditional Logic.
Understanding Predicate Logic in Artificial Intelligence
Understanding Predicate Logic in Artificial Intelligence
Understanding Binary Logic Systems in Documentation
Understanding Binary Logic Systems in Documentation
UBU Performance Oversight Engagement Framework Overview
UBU Performance Oversight Engagement Framework Overview
Importance of Software Testing in Preventing Catastrophic Failures
Importance of Software Testing in Preventing Catastrophic Failures
Nuclear Data Needs for Spent Fuel Management Overview
Nuclear Data Needs for Spent Fuel Management Overview
The Complexities of Nuclear Power: Advantages, Waste Management, Opposition, and Safety Concerns
The Complexities of Nuclear Power: Advantages, Waste Management, Opposition, and Safety Concerns
Understanding NFV and SDN Controllers in Networking Architecture
Understanding NFV and SDN Controllers in Networking Architecture
Accomplished Career in Nuclear Physics and Gamma-ray Spectroscopy
Accomplished Career in Nuclear Physics and Gamma-ray Spectroscopy
Nuclear Physics Research Highlights: Neutron Stars, Nuclear EOS, and Pb Isotope Studies
Nuclear Physics Research Highlights: Neutron Stars, Nuclear EOS, and Pb Isotope Studies
Proposed NRC Safety Culture Policy Statement Overview
Proposed NRC Safety Culture Policy Statement Overview
Exploring Nuclear Medicine: Career as a Nuclear Medicine Technologist
Exploring Nuclear Medicine: Career as a Nuclear Medicine Technologist
Overview of United Arab Emirates Federal Authority for Nuclear Regulation (FANR) Operations Division Education & Training
Overview of United Arab Emirates Federal Authority for Nuclear Regulation (FANR) Operations Division Education & Training