At S4x14, Adam Crain of Automatak, along with Chris Sistrunk, presented the results of their Project Robus, which fuzzed DNP3 stacks and found that most had problems processing malformed or illegal responses. This year at S4x15, Adam talked about "Avoiding Insecurity in ICS Protocols".
Adam compares Schweitzer’s Streaming Encryption Protocol (SEP) with DNP3 Secure Authentication Version 5 (SAv5).
Two of the main criteria he discusses and demonstrates with those two protocols are (1) have a clear trust boundary and (2) keep it simple. It is clear why there were so many bugs that led to vulnerabilities in the DNP3 protocol stacks.
This is a must-watch for any group adding security to an ICS protocol, and for those who still need to start on this important and necessary ICS protocol feature.