Fuzz-testing of Proprietary SCADA/Control Network Protocols
Power control network asset owners may suspect that their equipment’s proprietary protocols are susceptible to attacks via malformed, crafted inputs, but lack the means to test their assets and to prioritize them for protective measures (other than ordering expensive, specialized penetration tests). Fuzzing is a methodology for performing such testing; however, most fuzzing tools were developed for different environments and tasks and do not fit power network scenarios. Additionally, many tools assume that a specification of the targeted protocol is available, which is not the case for proprietary control protocols. We created LZfuzz, which addresses both the need to fuzz proprietary protocols and the specific features of a power control network environment. The goals of this project were to give SCADA/control network asset owners a simple way to test their assets for brittleness; to develop algorithms that efficiently fuzz proprietary SCADA protocols without specifications, or with only rudimentary ones; and to implement the network scaffolding necessary to fuzz software and hardware that cannot be intrusively instrumented. LZfuzz creates a “network pipe” to intercept, analyze, and mutate targeted traffic, and does not require instrumentation of the targeted computers (a necessary condition for SCADA, where the asset owner is typically not allowed to modify control device computers under the vendor’s support contract). Our approach uses a variant of the Lempel-Ziv compression algorithm to derive an approximate partitioning of a proprietary protocol’s payload into “tokens,” which it then fuzzes using a set of heuristics, currently provided by the GPF fuzzer. LZfuzz has been used in several network security assessments at a major power company; it was presented to a general audience at the leading security industry conference Black Hat USA in 2008, and presented privately and in more depth to industry stakeholders.