Tuesday, March 4, 2014

Have you heard about Fuzz Testing of Protocols?

We have to learn new terms every day. One new term is now used quite often: Fuzz testing.

What is it? In Wikipedia you can read:

“Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.”

So, it is no surprise to read about fuzz testing in connection with protocols used in the power industry. One discussion is about fuzz testing and DNP3.

Click HERE to read what experts discuss [Post on Digitalbond website on DNP3].
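To make the idea concrete, here is a small mutation fuzzer run against two toy parsers for the 10-byte DNP3 link-layer header (an added example, not code from the Digital Bond discussion or from any DNP3 product). The function names, the restriction to header-only frames (LENGTH = 5) and the sample addresses are assumptions made for this illustration.

```python
import random
import struct

def crc16_dnp(data):  # CRC-16/DNP: reflected poly 0xA6BC, init 0, complemented
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_header(ctrl, dest, src):  # valid header-only frame, no user data
    body = struct.pack("<BBBBHH", 0x05, 0x64, 5, ctrl, dest, src)
    return body + struct.pack("<H", crc16_dnp(body))

def parse_naive(frame):  # toy parser: no size, start-byte or CRC checks
    return struct.unpack("<BBHHH", frame[2:10])

def parse_strict(frame):  # toy parser: every malformed frame -> ValueError
    if len(frame) != 10 or frame[:2] != b"\x05\x64":
        raise ValueError("bad size or start bytes")
    fields = struct.unpack("<BBHHH", frame[2:])  # len, ctrl, dest, src, crc
    if fields[0] != 5 or fields[4] != crc16_dnp(frame[:8]):
        raise ValueError("bad length or CRC")
    return fields

def mutate(seed, rng):  # one mutation: flip a bit, truncate, or append junk
    data, choice = bytearray(seed), rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, rounds=2000, rng_seed=1):  # fixed seed: reproducible run
    rng, seed = random.Random(rng_seed), build_header(0xC0, 1, 1024)
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        outcome = "accepted"
        try:
            parser(mutate(seed, rng))
        except ValueError:
            outcome = "rejected"  # the parser refused the frame cleanly
        except Exception:
            outcome = "crashed"   # any other exception is a finding to triage
        stats[outcome] += 1
    return stats
```

Running `fuzz(parse_naive)` reports unexpected exceptions on truncated frames and silently accepts bit-flipped ones, while `fuzz(parse_strict)` rejects every mutated frame cleanly.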

I have discussed quite often the issue of security and improving the quality of protocol implementations and applications, e.g.,

  • Is Security really a big Issue in the Power Industry?
  • Security Measures in Power Grids – often ignored

There is another (related) issue: Who is in charge of defining the detailed test cases for conformance testing of IEDs?

  • Is it a users group? Maybe.
  • Is it a test lab accredited by a users group? Hopefully not!
  • Is it the vendor of IEDs? This would cause some issues in the future.

The organization that has published a specification and is responsible for its maintenance MUST define the details of the test cases and decide what should be tested.

In the case of DNP3 it is IEEE, because DNP3 is now published as IEEE standard 1815. In the case of IEC 61850 it is the IEC TC 57 and especially the working groups 10, 15, 17, 18, and 19.

This means: Users have to get more involved in the standardization work and in the testing activities to make sure that the testing follows the standards – and not vice versa. Of course, issues found during testing have to be fed back to the standardization groups.
