Roland Koch and students at the University of Applied Sciences in Augsburg, Germany have released a PROFINET fuzzer called ProFuzz. While not a top 3 protocol in the US, PROFINET is the most widely used ICS protocol in Europe, particularly in the manufacturing sector. PROFINET is the Ethernet enabled version of PROFIBUS, and Siemens makes PROFINET chips that a large percentage of the devices use. This fuzzer would be particularly useful to test vendors who develop their own PROFINET stack.
ProFuzz runs on the Scapy fuzzing framework. A solid choice in our opinion — we used Scapy in a previous S4 course to teach students how to develop a DNP3 fuzzer. ProFuzz currently will fuzz the following PROFINET frame types:
- afr (Alarm Frame Random)
- afo (Alarm Frames Ordered)
- pnio (Cyclic RealTime)
- dcp (DCP Identity Requests)
- ptcp (Precision Transparent Clock Protocol – BETA)
Roland and the team are working on a PROFINET preprocessor for Snort with a scheduled release date of February 2013. It will be released as open source code. This is not an easy project as PROFINET is much closer to EtherNet/IP in protocol complexity as compared to the very simple protocols such as Modbus TCP and DNP3.
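To make concrete what both the fuzzer's dcp mode exercises and what a PROFINET preprocessor has to validate, here is an added example (not ProFuzz or the Augsburg Snort code): a minimal DCP Identify request builder and a decoder that rejects frames whose block lengths overrun the declared DCPDataLength. The MAC addresses and station name are constructed; the EtherType, FrameIDs and DCP field layout follow the PROFINET DCP specification.

```python
# Minimal PROFINET DCP decoder with the length checks a preprocessor needs.
# Added example, not ProFuzz or the Augsburg Snort preprocessor; MACs are constructed.
import struct

PROFINET_ETHERTYPE = 0x8892          # PROFINET real-time EtherType
FRAME_ID_DCP_IDENTIFY_REQ = 0xFEFE   # multicast DCP Identify request
DCP_IDENTIFY_MULTICAST = bytes.fromhex("010ecf000000")
SAMPLE_SRC_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
SERVICE_ID_IDENTIFY, SERVICE_TYPE_REQUEST = 5, 0
OPT_DEVICE_PROPERTIES, SUBOPT_NAME_OF_STATION = 2, 2

def parse_dcp(frame: bytes) -> dict:
    """Decode Ethernet + FrameID + DCP header + blocks; raise ValueError on malformed frames."""
    if len(frame) < 26:
        raise ValueError("too short for Ethernet, FrameID and DCP header")
    ethertype, frame_id = struct.unpack("!HH", frame[12:16])
    if ethertype != PROFINET_ETHERTYPE or not 0xFEFC <= frame_id <= 0xFEFF:
        raise ValueError("not a PROFINET DCP frame")
    service_id, service_type, xid, delay, data_len = struct.unpack("!BBIHH", frame[16:26])
    payload = frame[26:]
    if data_len > len(payload):
        raise ValueError("DCPDataLength %d exceeds payload %d" % (data_len, len(payload)))
    blocks, off = [], 0
    while off < data_len:
        if off + 4 > data_len:
            raise ValueError("truncated DCP block header at offset %d" % off)
        option, suboption, block_len = struct.unpack("!BBH", payload[off:off + 4])
        if off + 4 + block_len > data_len:
            raise ValueError("block length %d overruns DCPDataLength" % block_len)
        blocks.append((option, suboption, payload[off + 4:off + 4 + block_len]))
        off += 4 + block_len + (block_len & 1)   # blocks are padded to even length
    return {"dst": frame[0:6], "src": frame[6:12], "frame_id": frame_id,
            "service_id": service_id, "service_type": service_type,
            "xid": xid, "response_delay": delay, "blocks": blocks}

def build_identify_request(name_of_station: bytes, xid: int = 0x01020304) -> bytes:
    """Construct a well-formed Identify request filtered on NameOfStation."""
    block = struct.pack("!BBH", OPT_DEVICE_PROPERTIES, SUBOPT_NAME_OF_STATION,
                        len(name_of_station)) + name_of_station
    block += b"\x00" * (len(block) % 2)           # pad to even length
    dcp = struct.pack("!BBIHH", SERVICE_ID_IDENTIFY, SERVICE_TYPE_REQUEST, xid, 1, len(block))
    eth = DCP_IDENTIFY_MULTICAST + SAMPLE_SRC_MAC + struct.pack(
        "!HH", PROFINET_ETHERTYPE, FRAME_ID_DCP_IDENTIFY_REQ)
    return eth + dcp + block

if __name__ == "__main__":
    good = build_identify_request(b"plc-1")
    print(parse_dcp(good)["blocks"])                  # [(2, 2, b'plc-1')]
    bad = bytearray(good); bad[28:30] = b"\x00\xff"   # overstate the block length
    try:
        parse_dcp(bytes(bad))
    except ValueError as err:
        print("rejected:", err)
```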
It’s great to see the students develop some practical, useful tools that will be released and actually used.
Years ago the organization responsible for the protocol, PI, released a security whitepaper whose basic guidance was the classic "don't let the bad guys get to your PROFINET devices." Any European readers have an update on efforts to integrate security measures into PROFINET? Is there a device we should add to Project Basecamp?