Authors:
Steffen Pfrang; David Meier; Michael Friedrich and Jürgen Beyerer
Affiliation:
Fraunhofer IOSB, Germany
Keyword(s):
Security Testing, Fuzzing, Network Protocols, IACS, Industrial Automation and Control Systems, Vulnerabilities, Device Under Test.
Abstract:
Testing for security vulnerabilities is playing an important role in the changing domain of industrial automation and control systems.
These systems are increasingly connected to each other via networking technology and are faced with new cyber threats.
To improve the security properties of such systems, their robustness must be ensured.
Security testing frameworks aim at enabling the assurance of robustness even at the time of development and can play a key role in bringing security into the industrial domain.
Fuzzing describes a technique to discover vulnerabilities in technical systems and is best known from its usage in IT security testing.
It uses randomly altered data to provoke unexpected behaviour and can be used in combination with regular unit testing.
Combined with the power of fuzzing, the effectiveness of security testing frameworks can be increased.
In this work, different fuzzing tools were evaluated for their properties and then compared with the requirements for an application in the industrial domain.
As no fuzzer fully satisfied these requirements, a new fuzzer combining the strengths of several existing ones was designed, implemented, and then evaluated.
The evaluation includes a real-world application where multiple vulnerabilities in industrial automation components could be identified.