For a couple of years now the SCADA security community has heard at a variety of venues about a PLC/controller test tool from Eric Byres and BCIT called Achilles.  The tool runs a battery of tests against field devices to identify implementation vulnerabilities in the protocol stack. 

While I’m a big fan of Eric and the Achilles concept, I always left the presentations unsatisfied because little detail was provided on the testing methodology and coverage.  This detail probably was not appropriate at an ISA Expo, Kema or PCSF, but it is perfect for S4.

So we chased and landed a paper from Nate Kube at Wurldtech Security who developed a large portion of the testing grammar algorithm.  You may remember that last year Eric and the team left BCIT; Eric formed ByresSecurity and is focusing on the field security device Tofino; Wurldtech took over the Achilles product.  Most of the BCIT team is in either one or the other of these two companies.

In Nate’s paper he describes the attribute grammar, named blackPeer, and how it generates protocol test sequences.  This technique can be equally applied to core IT protocols and SCADA protocols.  After some simple protocol test sequence generating examples and discussions of coverage, Nate provides specific test result examples from the grammar running on two unnamed Modbus TCP implementions.

Function Code 21

Both PLC X and PLC Y returned incorrect error codes under the following circumstances:

1. when the byte count <7 or greater than 245
2. when the reference type !=6
3. when the record number >10000 or the record number + register length >10000

The paper also provides some more general results on common triggers of critical, loss-of-view, and non critical vulnerabilities in Modbus TCP implementations.  Some of the critical vulnerabilities match our experience, and others were new to us and quite interesting.

Complete S4 Agenda

Register for Physical or Virtual Attendence at S4