ISuTest®: Automated vulnerability assessment for industrial automation components

More and more machines and systems in the manufacturing industry are networked. This opens up opportunities, for example to improve processes with generated data. At the same time, however, there are also risks, as industrial automation components become more susceptible to faults and attacks via the network.

Privacy warning

With the click on the play button an external video from www.youtube.com is loaded and started. Your data is possible transferred and stored to third party. Do not start the video if you disagree. Find more about the youtube privacy statement under the following link: https://policies.google.com/privacy

The Industrial Security Testing Framework ISuTest is a tool for finding vulnerabilities in networked automation components. Discovered vulnerabilities can be fixed by the manufacturer, thus reducing the component's attack surface. In the future, robustness against attacks will be a quality criterion that manufacturers can use to set themselves apart from others.

The ISuTest is designed as an open, extensible framework and thus sets itself apart from commercial competitors with closed-source software. The direct target group of the ISuTest are manufacturers and integrators of automation components. It supports its users from the setup of a vulnerability test to the execution to the isolation of vulnerabilities to the post-processing of the bug to the developer, who can subsequently fix it.

First successes with the ISuTest could be achieved by the discovery of several weaknesses confirmed by the manufacturers. Companies use the ISuTest laboratory operated by the Fraunhofer IOSB in Karlsruhe to test their automation components for vulnerabilities. First cooperations for the integration of ISuTest into the development process of manufacturers have begun. These successes show: The ISuTest opens up the domain of security testing to automation experts - the vision of "Security by Design" becomes realizable in practice.

© Fraunhofer IOSB

Idea

The protection of industrial automation components such as programmable logic controllers, human-machine interfaces or gateways against attacks via the network is only slowly gaining importance for component manufacturers, even today. Examples of discovered vulnerabilities show that a single network packet can lead to a crash of the component or even to the shutdown of an entire system (Phoenix Contact, 2018).

A decisive reason for this lack of interest is the lack of affordable tools that can be used intuitively by automation experts. Although commercial integrated test systems are available on the market, their six-figure entry price in euros sets high hurdles for their use. As closed-source software, they cannot be extended by the user. In addition, they require deeper network, protocol and security knowledge when analyzing their test results. In addition, there are free implementations, which, however, only cover partial areas of the functionality required for comprehensive tests of industrial automation systems.

Against this background the idea was born in 2016 to develop the Industrial Security Testing Framework ISuTest, an open, transparently comprehensible and expandable tool for testing industrial automation components. In particular, other, specialized test tools such as vulnerability scanners or web security scanners should be able to be controlled and integrated.

Studies such as the vulnerability assessment of six German automation components presented at the German IT Security Congress of the BSI have impressively proven the practical suitability of ISuTest (Pfrang, S., & Borcherding, A., 2019). The target group of ISuTest is the industry that produces or integrates network-compatible sensors, actuators and controllers. These are experts in their respective fields, and ISuTest helps them deliver their products with fewer vulnerabilities through automated security testing, thus providing better protection against network attacks.

© Fraunhofer IOSB

Benefit

Manufacturers, integrators and operators of industrial automation components benefit from the use of ISuTest. Manufacturers reduce development costs with ISuTest, because they detect software errors faster and can fix them more easily with the help of our tool. Automated vulnerability tests can be performed more frequently and with higher coverage compared to manual tests. In addition, manufacturers can clearly document against which threats they have tested their components and thus gain customer confidence.

ISuTest enables integrators of industrial automation components to select supplier products under security aspects. In addition, integrators with vulnerabilities discovered by ISuTest can put pressure on manufacturers to fix defects in their products. This increases the protection of the integrated component against attacks. In addition, integrators act as vendors to operators, so all vendor benefits apply to them as well.

Operators of industrial automation components as well as integrators benefit from the possibility to choose from a security point of view as well as from the possibility to prove vulnerabilities. In addition, the increased protection of the automation components used against attacks via the network by means of early vulnerability tests is effective.

Last but not least, the population benefits from safer automation components, because beyond manufacturing and process automation, these components are also used in modern trains, power plants and other critical infrastructures.

Realization

Figure 1: The security testing concept and its implementation in the ISuTest demonstrator.

ISuTest consists of a software framework and associated hardware components. The software framework runs on Linux and is based on open source software, including Python as programming language. It is modular, extensible and designed to be published as open source software in the future. The hardware components are used for the automated execution of vulnerability tests, taking into account any input and output of the automation components to be tested. Figure 1 shows the test and monitoring scheme of ISuTest on the left. On the right side a hardware schema of ISuTest is shown.

The procedure of an automation expert during the search for vulnerabilities using ISuTest is shown in Figure 2. In the lower half of the diagram it is highlighted which process steps ISuTest specifically supports in order to detect and eliminate vulnerabilities in an automation component.

First, the expert commissions the automation component and connects it to ISuTest. Then, the ISuTest GUI supports the expert in setting up the tests. At first, ISuTest searches for the offered services of the component and presents the potential attack surface. The expert can now select the offered security tests for these services and configure the monitoring of the critical services of the component.

Now the central cycle of testing and test evaluation can begin. In-depth tests allow the automated isolation of vulnerabilities. These can now be exported as exploit code for use outside ISuTest. This allows developers to reproduce the tests and fix the bugs in the component. Retesting with ISuTest can verify success.

Figure 2: Procedure of an automation expert during the vulnerability assessment with ISuTest.

Usage

The distributed, open architecture of ISuTest (Figure 3, left) allows parallel security tests on automation components at several test stations. A user creates a test order for a specific component using a GUI. As soon as the respective test station is ready, it executes this test and stores the results in the database. These results can now be displayed and evaluated via the GUI.

The GUI focuses on usability and recommends security tests for all services offered by the component. The central overview (Figure 3, right) of a component shows its current test progress. Possibly discovered vulnerabilities can be easily tracked and isolated.

Figure 3: The distributed architecture of ISuTest and a screenshot of the GUI.

However, ISuTest can not only be operated manually by a user, but can also be integrated into an already existing test infrastructure. For this purpose the test stand can be completely configured via an automation interface and generate output in standardized formats. With this approach ISuTest enables continuous security tests during development.

Offer

The ISuTest framework can be used in different ways. The simplest case is to use our proven and tested security test laboratory infrastructure to have one of your devices tested with ISuTest. If you would like to get an insight into testing yourself and gain your own experience with ISuTest, we offer a pre-installed ISuTest appliance for rent or purchase. Last but not least, ISuTest can be embedded into your existing test infrastructure during development. In addition, we offer training, consulting and development services around ISuTest.
 

Testing of components in the security test laboratory with ISuTest

In the simplest case you send us a component to be tested to our security test laboratory with ISuTest at the Fraunhofer IOSB in Karlsruhe. Products can be considered in the life cycle from prototype status to operational readiness. We analyze your component with ISuTest and create a report about the state of IT security. Besides component manufacturers, integrators and operators can also use our analysis to evaluate and assess products. This way, the state of IT security of a component can also be taken into account in their purchase decisions.
 

Use of the ISuTest Appliance

Maybe you have already had a component tested with ISuTest and want to gain experience with ISuTest yourself? Perfect, we are happy to offer you a pre-installed ISuTest appliance for rent or purchase. After an introductory training on the use of ISuTest you can start testing the practical use of ISuTest in your company. For this purpose we are happy to support you with consulting and development services.
 

Integration into existing test infrastructure

The use of ISuTest by means of the ISuTest appliance was successful and you would like to perform the security tests regularly instead of only selectively? No problem, ISuTest provides an automation interface which allows remote control of the framework. Both the control of the tests and the delivery of the test results into existing test systems is possible. Thus ISuTest can supplement existing, functional tests with security tests.
 

Training, Consulting and Development

As a modular and expandable framework ISuTest can be extended in all possible directions. Manufacturer's own configuration protocols? The testing of these frequently susceptible protocols is also possible. We implement the protocol for you, or we show you how you can do it yourself. You need to control another component for testing? No problem. You want to test a different type of device, for example medical devices? Talk to us, we will find a solution.

You are interested? Please do not hesitate to contact us via the adjoining contact fields or call us. We will be happy to advise you!

 

© Fraunhofer IOSB

Literature

Pfrang, S., & Borcherding, A. (2019). Security Testing Für Industrielle Automatisierungskomponenten: Ein Framework, sein Einsatz und Ergebnisse am Beispiel von Profinet-Buskopplern, IT-Sicherheit als Voraussetzung für eine erfolgreiche Digitalisierung : Tagungsband zum 16. Deutschen IT-Sicherheitskongress. - Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn. - Gau-Algesheim: SecuMedia Verl.. - 978-3-922746-82-9 (ISBN). - (2019).

Pfrang, S., Meier, D., & Kautz, V. (2017). Towards a modular security testing framework for industrial automation and control systems: ISuTest. 2017 22nd IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), 1-5.

Pfrang, S., Meier, D., Friedrich, M., & Beyerer, J. (2018). Advancing Protocol Fuzzing for Industrial Automation and Control Systems, ICISSP 4th International Conference on Information Systems Security and Privacy, Funchal, Madeira, Portugal, January 22-24, 2018 - Vol. 1: ForSE, / von/by Mori, Paolo [Ed.]. - Setubal: SCITEPRESS. - 978-989-758-282-0 (ISBN). - (2018).

Pfrang, S., Borcherding, A., Meier, D., & Beyerer, J. (2019). Automated security testing for web applications on industrial automation and control systems. At - Automatisierungstechnik, 67(5), 383-401.

Phoenix Contact (2018). Security Advisory for Phoenix Contact AXL F BK. Abgerufen von https://www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/Security_Advirory_CVE-2018-16994.pdf