Wireshark Dnp3 Serial


Protecting Your DNP3 Networks • 1. Chris Sistrunk, PE Sr.


Oct 16, 2017.

// DNP3 was initially used over serial links; it defined its own application
// layer, transport layer, and data link layer. Layer may look like this DNP3
// Packet:
//
// DNP3 Link Layer | DNP3 Transport Layer | DNP3 Application Layer
//
// (This hierarchy can be viewed visually in Wireshark.)

Consultant Mandiant

• Let’s assume that your SCADA device has a faulty DNP3 stack
• “Crain and Sistrunk have discovered a boatload of ICS vulnerabilities over the years” DNPtha-reeeeeee
• Let’s take a step back and ask some questions:
  ▪ What’s the risk if this device is compromised?
    ◦ Probability * Impact = Risk
    ◦ Check out my RTU risk score pres from S4x13
  ▪ What is the device talking to?
  ▪ Is it DNP3 serial or IP or both?
  ▪ Is the physical security sufficient?
  ▪ Will you be called at 2AM?
• The answers to the questions tell you that you have to do something to protect the device(s)
  ▪ What types of mitigations exist?

  ▪ Which ones will you use?
    ◦ Defense in depth – more than one!
    ◦ Belt and suspenders!
  ▪ When will they be deployed?
    ◦ The sooner the better!

  ▪ Software/firmware patches/device upgrades
  ▪ Robust device and master configurations
  ▪ Robust IP network configurations
  ▪ DNP3-aware network tools
  ▪ Proper physical security
  ▪ Employee awareness
  ▪ Secure coding and SDL for Vendors
• NERC/CIP?

  ▪ If there is a software or firmware patch or hardware upgrade out there that fixes a known DNP3 vulnerability, GO GET IT
  ▪ Properly test it before you roll it out
  ▪ If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime

  ▪ USE DNP3-SA! (application layer security)
    ◦ Correct master only talks to the correct RTU
    ◦ But it won’t protect against all “bugs”
  ▪ Disable unused serial and network ports
  ▪ Use a possible workaround (ex: auto restart)
  ▪ Check the default settings
    ◦ DNP3 or other protocols may be factory configured
    ◦ If not used, disable them!
    ◦ DNP3 devices are on SHODAN
  ▪ Many appear to have the same configurations

  ▪ When possible, DISABLE functions that aren’t required in your production systems
    ◦ Cold and/or Warm Restarts (FC 13 & 14)
    ◦ Start/Stop Application (FC 17 & 18)
    ◦ Save Configuration (FC 19) old; Activate Configuration (FC 31) new
    ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)
  ▪ If you can’t disable these, use IDS/IPS or DPI Firewalls to prevent unwanted DNP3 traffic

  ▪ Segment your SCADA WAN
    ◦ Routers, Firewalls, DMZs, & VLANs
    ◦ This can help isolate the network when needed
  ▪ Understand your network!
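The function-code advice above, as an added example that is not part of the original slides: a Python checker that verifies the link-layer CRCs of one DNP3 frame, strips them to recover the user data, and flags the function codes the slide lists. The helper names, addresses and sample frames are constructed for illustration, and it assumes the application header sits in a single link frame whose transport header has the FIR bit set.

```python
import struct

# Function codes the slides recommend disabling or blocking when not required.
RISKY_FC = {13: "Cold Restart", 14: "Warm Restart", 17: "Start Application",
            18: "Stop Application", 19: "Save Configuration", 25: "Open File",
            26: "Close File", 27: "Delete File", 30: "Abort File",
            31: "Activate Configuration"}

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(dest: int, src: int, app_fc: int, objects: bytes = b"") -> bytes:
    """Build a constructed request frame; used only to make sample input."""
    user = bytes([0xC0, 0xC0, app_fc]) + objects  # transport hdr, app control, FC
    hdr = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), 0xC4, dest, src)
    out = hdr + struct.pack("<H", crc_dnp(hdr))
    for i in range(0, len(user), 16):  # each 16-byte block carries its own CRC
        out += user[i:i + 16] + struct.pack("<H", crc_dnp(user[i:i + 16]))
    return out

def inspect_frame(frame: bytes):
    """Return (src, dest, function_code, verdict) for one link-layer frame."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return None, None, None, "not-dnp3"
    length, _ctrl, dest, src, hdr_crc = struct.unpack_from("<BBHHH", frame, 2)
    if hdr_crc != crc_dnp(frame[:8]):
        return src, dest, None, "bad-header-crc"
    user, pos, remaining = b"", 10, length - 5
    while remaining > 0:  # strip and verify the per-block CRCs
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or crc != struct.pack("<H", crc_dnp(block)):
            return src, dest, None, "bad-block-crc"
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if len(user) < 3 or not user[0] & 0x40:  # app header only in the FIR segment
        return src, dest, None, "no-app-header"
    fc = user[2]
    return src, dest, fc, ("ALERT " + RISKY_FC[fc] if fc in RISKY_FC else "ok")

if __name__ == "__main__":
    # Constructed samples: a class 0 read (FC 1) and a cold restart (FC 13).
    for f in (build_frame(10, 1, 1, bytes.fromhex("3c0106")), build_frame(10, 1, 13)):
        print(inspect_frame(f))
```

Frames that fail a CRC are reported separately rather than parsed, since a monitoring tool should not trust a function code read from a corrupted or truncated frame.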