The home of the Samurai Project's Security Testing Framework for Utilities (SamuraiSTFU).
What is SamuraiSTFU?
For years we've had pen test distributions like BackTrack and SamuraiWTF to help us perform penetration testing in most IT environments. However, these distributions have been generic in nature to enable their use in a wide variety of different environments. One environment where these distributions have failed to meet the needs of their users is SCADA and Smart Grid systems. We are fixing this problem. Taking our experience running SamuraiWTF over the last four years, UtiliSec, a leading provider of security consulting services in the energy sector, has created an open source Linux distribution specifically for Electric Utility security teams. SamuraiSTFU takes the best-of-breed security tools for traditional network and web penetration testing, adds specialized tools for embedded and RF testing, and mixes in a healthy dose of energy sector context, documentation, and sample files. Oh, and I shouldn't forget the inclusion of emulators for SCADA, Smart Meters, and other types of energy sector systems to provide a full test lab. So whether you work for an electric utility or are interested in gaining sufficient experience to start doing security work in these environments, please check our distribution out.
What problems are we trying to address?
- Not enough people in the energy sector with the necessary knowledge or experience to perform penetration testing
- Many security firms with highly technical staff have the knowledge for 80% of the work, but don't realize it
  - Wired and Wireless Network Testing
  - Web and Traditional Application Testing
  - Embedded Hardware Testing
- The main thing these firms are missing is energy sector context
- Utilities are hesitant to bring in security firms with little control system specific experience
- Few utilities have the in-house expertise and need a greater number of security firms to pick from
- Very few security tools exist to work with control system protocols beyond packet capture and decode
Goals of SamuraiSTFU:
- Leverage the last 5 years of experience developing and managing the SamuraiWTF (Web Testing Framework) project
- Live DVD / VM for performing penetration tests on control systems
- Primary audiences are utilities and vendors in the energy sector
- Secondary audiences are utilities from other sectors such as gas, water, oil, and control systems in general
- Tertiary audiences are security contractors and independent researchers
- Include "cream of the crop" free and open source tools for all aspects of SG Pentesting
  - Best web pentesting tools (small subset of SamuraiWTF)
  - Best network pentesting tools (small subset of BackTrack)
  - Best hardware pentesting tools (not currently included on any distribution)
- Extra features designed for utility security teams and security firms trying to gain utility experience:
  - Include documentation on tools, architecture, methodology, and protocols
  - Include simulated Smart Grid systems for educational purposes
  - Include sample packet captures and data dumps for exercises