This document provides recommendations for securing SCADA and ICS devices that use the DNP3 protocol. It suggests assessing risks, understanding network configurations, applying software patches, disabling unnecessary functions, implementing defense in depth with measures like firewalls and encryption, and ensuring proper physical security. It also stresses the importance of employee training and working with vendors to implement security best practices like protocol testing and use of authentication.

1. Chris Sistrunk, PE
Sr. Consultant
Mandiant

2. Let’s assume that your SCADA
device has a faulty DNP3 stack…

3. http://threatpost.com/copa-data-patches-dnp3-scada-vulnerability
“Crain and Sistrunk have discovered a boatload
of ICS vulnerabilities over the years”
DNPtha-reeeeeee

4. Let’s take a step back and ask some questions:
 What’s the risk if this device is compromised?
◦ Probability * Impact = Risk
◦ Check out my RTU risk score pres from S4x13
 What is the device talking to?
 Is it DNP3 serial or IP…or both?
 Is the physical security sufficient?
 Will you be called at 2AM?

6. The answers to the questions tell you that you
have to do something to protect the device(s)
 What types of mitigations exist?
 Which ones will you use?
◦ Defense in depth – more than one!
◦ Belt and suspenders!
 When will they be deployed?
◦ The sooner the better!

7.  Software/firmware patches/device upgrades
 Robust device and master configurations
 Robust IP network configurations
 DNP3-aware network tools
 Proper physical security
 Employee awareness
 Secure coding and SDL for Vendors

8. NERC/CIP?

9.  If there is a software or firmware patch or
hardware upgrade that’s out there that fixes a
known DNP3 vulnerability…GO GET IT
 Properly test it before you roll it out
 If you’re not used to patching your SCADA
system, please work with your vendors to do
this to minimize downtime

10.  USE DNP3-SA! (application layer security)
◦ Correct master only talks to the correct RTU
◦ But it won’t protect against all “bugs”
 Disable unused serial and network ports
 Use a possible workaround (ex: auto restart)
 Check the default settings
◦ DNP3 or other protocols may be factory configured
◦ If not used, disable them!
◦ DNP3 devices are on SHODAN
 Many appear to have the same congfigurations

11.  When possible, DISABLE functions that aren’t
required in your production systems
◦ Cold and/or Warm Restarts (FC 13 & 14)
◦ Start/Stop Application (FC 17 & 18)
◦ Save Configuration (FC 19) old
Activate Configuration (FC 31) new
◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)
 If you can’t disable these, use IDS/IPS or DPI
Firewalls to prevent unwanted DNP3 traffic

12.  Segment your SCADA WAN
◦ Routers, Firewalls, DMZs, & VLANs
◦ This can help isolate the network when needed
 Understand your network!
◦ The bad guys sure will
 Use encryption and authentication
◦ Use DNP3-SA and TLS
◦ Remote access VPNs, radios, etc
◦ Look at IEC 62351 standard (dovetails with SA)
 No SCADA protocols on Corporate WAN

13. Examples of tools used in SCADA and
Enterprise networks understand DNP3
 Protocol analyzers such as Wireshark, ASE &
TMW RTU Test Sets
 IDS/IPS such as SNORT, Bro, McAfee ADM,
and Checkpoint
 Routers such as the Cisco CGR 2010
 Field firewall w/ DNP3 Deep Packet Inspection
◦ Secure Crossing & Tofino (in the works)

14.  Newer enterprise security technologies can be
used to help detect, respond, and contain
threats on your SCADA network
 Security Operations Center
◦ Security Analyst(s) using a SIEM
◦ Log aggregation
◦ Anomaly and intrusion detection
◦ Indicators of Compromise (IOCs)
◦ Full packet capture
 Security Onion (Linux distro)
 www.securityonion.net

15.  What is the proper amount of physical
security? It depends…
 If your Critical SCADA master has top physical
security, but the serially-connected tiny
distribution RTU does not, is that okay?
 Use a lock that meets or exceeds: UL 437,
ANSI 156.30 Grade A, or ASTM F883 Grade 6
 Harden your external barriers
 The better the defenses, the more time it
buys you to respond

17. 3/8” Mesh
ASTM Grade 6
These may buy you
extra time to respond

18. “Thieves hit our store
last night. This is how
they circumvented the
door alarm…”
via
http://redd.it/1pn1xi

20.  Train your folks on ICS/SCADA security
◦ Security Conferences, several training classes available
◦ http://ics-cert.us-cert.gov/Training-Available-Through-
ICS-CERT
◦ GICSP Certification
 Security awareness is important
 Have a questioning attitude
 Report suspicious computer or personal
activity/incidents
◦ Who do you call?
◦ Internal hotline, supervisor, SOC, etc
◦ ICS-CERT (877-776-7585)

21.  Ask your vendors for DNP3-SA if they don’t
have it or are already working on it
 Require in the bids for new SCADA systems or
upgrades to be tested by a 3rd party,
including the DNP3 protocol stack
◦ Positive Tests: FAT/SAT
◦ Negative Tests: Fuzzing (it’s not new folks!)

22.  DNP3 isn’t a special case. Other ICS protocols will
see the same fate
Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…
 You can defend your SCADA
 Early testing both slave/server AND master/client
sides of the protocol are important!
 Compliance != Security, but the culture is
important
 Don’t count on the government to protect your
critical systems…it’s your job