DTM components: shadow keys to the ICS kingdom presented at ZeroNights 2014

by Alexander Bolshev, Gleb Cherbov, Svetlana Cherkasova

Summary: Today, industrial control system architectures are complex, multilayered networks built on many technologies that are (or not so long ago were) popular, such as XML, COM, ActiveX, OLE32, JSON, .Net, and others. FDT/DTM is one such architectural element. In short, FDT/DTM standardizes the communication and configuration interface between (industrial) field devices and host systems. This is achieved with the help of DTMs: COM, ActiveX or .Net components. Such components exist for many devices used in oil, gas, energy, nuclear, chemical, and other critical industries. Look at any factory, plant, or other industrial site, and you'll find an RTU or PLC that is configured through a DTM component.
During our research, we analyzed the DTM components for hundreds of field devices based on low-level protocols. Many of them suffer from insufficient filtering of user-supplied data, XSS, XML injection, RCE, SSRF, DoS, and other vulnerabilities. We will present detailed statistics on the security flaws found in DTM components from various vendors.