Project Robus

Adam Crain April 01, 2014
During 2013, Chris Sistrunk and I reported a large number of defects in implementations of the DNP3 protocol. The bugs were found using a custom smart fuzzer I wrote to test opendnp3. This prototype was later refined and expanded with Modbus and IEC 104 support to become the Aegis Fuzzer we sell today.

This work garnered us a lot of recognition and shook the industry up a little bit. A couple of mainstream publications wrote about the work:

For the informed reader, a couple of well-known industry security bloggers summarized the work well:

For posterity’s sake, a table of all the advisories from DHS CISA (previously ICS-CERT) follows:

| Advisory | Vendor/Product |
| --- | --- |
| ICSA-13-161-01 | IOServer |
| ICSA-13-213-03 | IOServer |
| ICSA-13-219-01 | SEL |
| ICSA-13-226-01 | Kepware |
| ICSA-13-234-02 | TOP Server |
| ICSA-13-240-012 | Triangle Microworks |
| ICSA-13-213-04A | Matrikon |
| ICSA-13-252-01 | Subnet |
| ICSA-13-282-01 | Alstom |
| ICSA-13-297-01 | Catapult |
| ICSA-13-297-02 | GE IP |
| ICSA-13-337-01 | Elecsys |
| ICSA-13-346-02 | Cooper Power (now Eaton) |
| ICSA-13-346-01 | Cooper Power (now Eaton) |
| ICSA-13-352-01 | Novatech |
| ICSA-14-014-01 | Schneider |
| ICSA-14-006-01 | Schneider |
| ICSA-14-098-01 | OSISoft |
| ICSA-14-149-01 | Triangle Microworks |
| ICSA-14-154-01 | COPADATA |
| ICSA-14-010-01 | Matrikon |
| ICSA-14-238-01 | CG Automation |
| ICSA-14-254-02 | Rockwell |
| ICSA-14-289-01 | IOServer |
| ICSA-14-329-01 | Matrikon |
| ICSA-14-303-02 | Elipse SCADA |
| ICSA-14-287-01 | GE IP |
| ICSA-15-055-02 | Kepware |
| ICSA-15-055-01 | TOP Server |
| ICSA-16-299-01 | Siemens |
| ICSA-14-100-01 | IOServer |
| ICSA-14-196-01 | Subnet |