DNP3 network scanning and reconnaissance for critical infrastructure

The Distributed Network Protocol v3.0 (DNP3) is one of the most widely used protocols for controlling national infrastructure. The move from point-to-point serial connections to Ethernet-based network architectures has allowed large and complex critical infrastructure networks to be built. However, networks and configurations change, so auditing tools are needed to aid critical infrastructure network discovery. In this paper we present a series of intrusive techniques used for reconnaissance on DNP3 critical infrastructure. Our algorithms discover DNP3 outstation slaves along with their DNP3 addresses, their corresponding master, and class object configurations. To validate our DNP3 reconnaissance algorithms and demonstrate their practicality, we present an implementation of a software tool using a DNP3 plug-in for Scapy. Our implementation validates the utility of our DNP3 reconnaissance technique. The presented techniques will be useful for penetration testing, vulnerability assessments and DNP3 network discovery.
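The abstract describes an active scanner that enumerates outstations, their DNP3 addresses and the master each one talks to. The passive counterpart is what a defender uses to build or cross-check that inventory from captured traffic, because every DNP3 link-layer header already carries the destination and source addresses and a direction bit (DIR, bit 7 of the control octet: 1 when the frame comes from the master). The example below is added here and is not the paper's tool nor its Scapy plug-in; it is a stand-alone parser of the DNP3 link-layer header (start octets 0x05 0x64, length, control, 16-bit little-endian destination and source, CRC-16/DNP over the first eight octets) that rejects frames with a bad header CRC and derives master/outstation pairings. The frames it is run over are constructed in the block itself, not captured from any real network.

```python
"""Passive DNP3 link-layer inventory from captured frames (added example).

Parses the DNP3 link-layer header, validates its CRC, and records which
master address talks to which outstation address. Frames are constructed
inline for the demo; in practice they would come from a packet capture
of TCP port 20000 traffic.
"""
import struct
from collections import defaultdict

DNP3_START = b"\x05\x64"        # link-layer start octets
CRC16_DNP_REFLECTED_POLY = 0xA6BC  # 0x3D65 bit-reversed


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected), init 0x0000, xorout 0xFFFF.

    Check value for b"123456789" is 0xEA82. DNP3 transmits the result
    little-endian after each header and each 16-octet data block.
    """
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC16_DNP_REFLECTED_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Build a well-formed link-layer frame (used only to construct samples)."""
    header = bytes([0x05, 0x64, 5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):          # each data block gets its own CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_link_header(frame: bytes):
    """Return the decoded header fields, or None if the frame is not valid DNP3."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        return None
    length, control = frame[2], frame[3]
    dest, src, crc = struct.unpack("<HHH", frame[4:10])
    if length < 5 or crc != crc16_dnp(frame[:8]):   # header CRC covers the first 8 octets
        return None
    return {
        "length": length,
        "dir_from_master": bool(control & 0x80),    # DIR bit: 1 = master -> outstation
        "primary": bool(control & 0x40),            # PRM bit: 1 = primary (request) message
        "function": control & 0x0F,                 # link-layer function code
        "dest": dest,
        "src": src,
    }


def inventory(frames):
    """Derive masters, outstations and master->outstation pairings from frames."""
    masters, outstations, pairs = set(), set(), defaultdict(set)
    for frame in frames:
        hdr = parse_link_header(frame)
        if hdr is None:
            continue                                # corrupted or non-DNP3 data is skipped
        if hdr["dir_from_master"]:
            master, outstation = hdr["src"], hdr["dest"]
        else:
            master, outstation = hdr["dest"], hdr["src"]
        masters.add(master)
        outstations.add(outstation)
        pairs[outstation].add(master)
    return {
        "masters": sorted(masters),
        "outstations": sorted(outstations),
        "pairs": {o: sorted(m) for o, m in sorted(pairs.items())},
    }


# Constructed sample capture: control 0xC4 = DIR|PRM|FC 4 (master -> outstation,
# unconfirmed user data), 0x44 = PRM|FC 4 (outstation -> master).
SAMPLE_FRAMES = [
    build_link_frame(0xC4, dest=1, src=1024, user_data=b"\xc0\x01\x3c\x02\x06"),
    build_link_frame(0x44, dest=1024, src=1),
    build_link_frame(0xC4, dest=2, src=1024),
    build_link_frame(0x44, dest=2000, src=3),       # a second master at address 2000
    bytes(bytearray(build_link_frame(0xC4, dest=2, src=1024))[:4]) + b"\x09\x00"
    + build_link_frame(0xC4, dest=2, src=1024)[6:],  # dest altered, CRC stale -> rejected
]

if __name__ == "__main__":
    print(inventory(SAMPLE_FRAMES))
```

Feeding this the frames from a real capture (for example the TCP payloads of port 20000 traffic, split on the 0x05 0x64 start octets) gives the same address inventory the active scanner would produce, without sending anything to the outstations; comparing the two is a cheap way to notice an undocumented master or an outstation that nobody is polling.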
