Hacker Halted 2016 - How to get into ICS Security
TRANSCRIPT
How to get into ICS Security
Chris Sistrunk, PE

About Me
Chris Sistrunk, PE @chrissistrunk
- Electrical Engineer
- Sr. Consultant, FireEye
  - Control system security assessments
  - NSM and DFIR for ICS
- ICS Village (DEF CON & RSA Conference)
- Entergy (11+ years)
  - SCADA Engineer (10 years)
  - Project Robus (ICS Protocol Fuzzing): 30+ implementation vulnerabilities in DNP3 stacks
  - Substation Security Team
- BSidesJackson
How small mistakes lead to big disasters

FPL Blackout, February 26, 2008
WHAT WENT WRONG
1. Engineer investigating a faulty voltage-control switch disabled two protective devices.
2. Short circuit occurred.
3. Because the protection systems were disabled, they could not contain the short circuit.
Enormous possible consequences

Qingdao, China Pipeline, November 2013
Qingdao, China, oil pipeline explosion, killed 62 people, 22 November 2013
Guadalajara, Mexico - 1992
252 people were killed, nearly 500 injured and 15,000 were left homeless. New water pipes, made of zinc-coated iron, were built too close to an existing steel gas pipeline. Galvanic corrosion between dissimilar metals caused the gas pipeline to leak into the water line.
San Bruno, California, September 2010
8 deaths, 58 injured; PG&E fined $1.6 Billion
Chain of events:
- Replacement of power supply
- Breaker removed from service
- Control panel loses power
- Erroneous low-pressure signal
- Valves open
- Valves cannot be controlled with power out
- Line overpressured
- Weld breaks
- Ignition, explosion, fire
Enterprise ICS Security (OT / IT)
Talk briefly about what IT and OT are and how they work together in an enterprise. Enterprise-wide security doesn't mean just the IT side.
Some numbers
https://www2.fireeye.com/industrial-control-systems-vulnerability-trend-report-2016.html
2001-2010 = The Lost Decade. 2010-Present = The Age of Stuxnet.
Some numbers
Industrial Control System humans (engineers, technicians, operators, vendors, etc.): MANY
Security humans: ~189,000
ICS Security humans (ICSsec): where the two overlap
Operational Technology
You've got the engineering or technical background. You know how the plant or process works. You probably already work with:
- ICS components like PLCs and RTUs
- ICS protocols like Modbus, EtherNet/IP, DNP3, etc.
- Networking (Ethernet, serial, including wireless)
- NERC CIP or CFATS requirements
But you may lack the IT security know-how: IT systems, risks, threats, and security.
Get familiar with security
Learn:
- Security conferences!
- Lots and lots of security material online (SecurityTube, etc.)
- ICS Security training (ICS-CERT, SANS ICS, Red Tiger, SCADAhacker)
- SamuraiSTFU, Kali, Security Onion Linux distros
- shodan.io
- Make friends with the IT Security team

Make an ICS Security Lab
Many companies with control systems have labs. If not, you may have spare equipment lying around; get creative!
So... Stuxnet happened

What would be your Stuxnet?
Think like a bad guy with a hard hat! Like an attacker who has your prints. Who knows, you might find a vulnerability.
To make things work well, you must break them. Find evil, or ways for evil to do evil things.
Red Team and Blue Team
- Learn how to use Metasploit
- Search shodan.io
- Learn about Modbus fuzzing
- Write some Snort rules
- Read up on Digital Forensics & Incident Response (DFIR)
- Take the ICS-CERT RvB course

Energy drinks
Get to know your IT Security gurus

IT Side > ICSsec
Information Technology
You've got the computer and networking skills. You know how business technology works. You probably already know:
- Routers, switches, firewalls, domain controllers
- Web, email, and business applications
- Certifications like CCNA and CISSP
- HIPAA or PCI DSS requirements
But you don't understand the engineering and physics behind the process, or how the process works: electrical engineering, chemical engineering, mechanical engineering, etc.
ICS Engineers
https://www.youtube.com/watch?v=RXJKdh1KZ0w
Google all the things
- Modbus.org > Modbus specification
- Tons of code on GitHub: opendnp3, modbus, etc.
- Wireshark
- Pcaps online > Netresec has a library, SANS, S4
Videos
YouTube & Vimeo: SCADA, control systems, PLC, conference talks. "How It's Made" marathon!
Make an ICS network at home
- Raspberry Pi: opendnp3, modbus, BACnet
- Arduino: modbus
- $15 HMI from eBay (got lucky)
- ~$700 for a new Phoenix Contact PLC
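The protocol you would speak to that eBay HMI or an Arduino running a Modbus slave is simple enough to hand-roll, which is a good first exercise for the home lab. Below is an added example (not part of the talk, and not a library API) of a minimal Modbus/TCP encoder and decoder in Python: it builds Read Holding Registers (FC 3) and Write Single Register (FC 6) requests, and a toy slave answers them against an in-memory register table, returning Modbus exception PDUs for bad addresses or unsupported functions. The register contents, transaction ids and unit id are constructed; the thing to notice is the MBAP header and PDU layout, and that nothing in the exchange authenticates whoever sends the write.

```python
"""Minimal Modbus/TCP frame builder, parser and toy slave (added example for a home ICS lab)."""
import struct

# Modbus/TCP frame = 7-byte MBAP header + PDU.
# MBAP: transaction id (2), protocol id (2, always 0), length (2, bytes that follow), unit id (1)
MBAP = struct.Struct(">HHHB")

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def build_frame(transaction_id, unit_id, function_code, payload):
    """Wrap a PDU (function code + payload) in an MBAP header; works for requests and responses."""
    pdu = bytes([function_code]) + payload
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu  # +1 for the unit id byte


def read_holding_registers(transaction_id, unit_id, start, count):
    """FC 3 request: read `count` 16-bit holding registers starting at `start`."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS, struct.pack(">HH", start, count))


def write_single_register(transaction_id, unit_id, address, value):
    """FC 6 request: write one holding register. No credentials exist anywhere in this frame."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER, struct.pack(">HH", address, value))


def parse_frame(frame):
    """Split a frame into (transaction_id, unit_id, function_code, payload), checking the MBAP header."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return tid, unit, frame[7], frame[8:]


def simulated_slave(request, registers):
    """Toy PLC/RTU side: serve FC 3 and FC 6 from `registers` (a list), else answer with an exception PDU."""
    tid, unit, fc, payload = parse_frame(request)
    if fc == FC_READ_HOLDING_REGISTERS:
        start, count = struct.unpack(">HH", payload)
        if count == 0 or start + count > len(registers):
            return build_frame(tid, unit, fc | 0x80, bytes([EXC_ILLEGAL_DATA_ADDRESS]))
        values = registers[start:start + count]
        return build_frame(tid, unit, fc, bytes([2 * count]) + struct.pack(">%dH" % count, *values))
    if fc == FC_WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", payload)
        if address >= len(registers):
            return build_frame(tid, unit, fc | 0x80, bytes([EXC_ILLEGAL_DATA_ADDRESS]))
        registers[address] = value          # the write happens; nobody asked who you are
        return build_frame(tid, unit, fc, payload)  # normal FC 6 response echoes the request
    return build_frame(tid, unit, fc | 0x80, bytes([EXC_ILLEGAL_FUNCTION]))


def decode_read_response(response):
    """Return the register values from an FC 3 response, or raise if the slave returned an exception."""
    tid, unit, fc, payload = parse_frame(response)
    if fc & 0x80:
        raise RuntimeError("Modbus exception 0x%02x for function 0x%02x" % (payload[0], fc & 0x7F))
    byte_count = payload[0]
    return list(struct.unpack(">%dH" % (byte_count // 2), payload[1:1 + byte_count]))


if __name__ == "__main__":
    plc_registers = [100, 200, 300, 400]  # constructed register table for the toy slave
    print(decode_read_response(simulated_slave(read_holding_registers(1, 1, 0, 4), plc_registers)))
    simulated_slave(write_single_register(2, 1, 2, 999), plc_registers)
    print(plc_registers)
```

To talk to a real device, send the bytes from `read_holding_registers()` over a TCP socket to port 502 and feed the reply to `decode_read_response()`; the toy slave is only there so the example runs offline. Fuzzing, as the Red Team list suggests, starts by mutating the start address, count and length fields that `parse_frame()` validates here.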
You know security, but not ICS... yet
What I am about to tell you is the single greatest secret to go from IT Security into ICS:

Donuts
Get your hardhat dirty
Ask questions
- What is it?
- Why is it important?
- How can we secure it?
Example: ladder logic on a PLC
Understand the why, then try to secure/monitor it.
Take the opportunity to collaborate
Problem: the ICS network is flat with the corporate network, and the ICS network has no logging or visibility.
IT has security goals. OT has safety and uptime goals. Can you do some things that satisfy both?
- Segmenting the network keeps commodity malware from spreading in either direction. It also keeps the operators from surfing eBay from the compressor station.
- Visibility helps the SOC watch the ingress/egress points. Visibility helps the ICS engineers keep a better inventory and find PLC misconfigurations.
ICS Security Resources
Connect!
SCADAsec email list at Infracritical
ICS Security conferences:
- ICSJWG (FREE)
- Digital Bond's S4
- SANS ICS Summit
- 4SICS
- EnergySec
- Oil & Gas Security Summit
- ICS Cyber Security Conference (Weisscon)
Information Sharing
National Council of ISACs:
- Downstream Natural Gas: www.dngisac.com
- Electricity: www.esisac.com
- Oil & Natural Gas: www.ongisac.org
- Water: www.waterisac.org
ISAOs coming; knowledge sharing: ICS-ISAC, BEER-ISAC
Books
- Robust Control System Networks, Ralph Langner
- Industrial Network Security, 2nd Edition, Knapp & Langill
- Cybersecurity for Industrial Control Systems, Macaulay & Singer
- Countdown to Zero Day, Kim Zetter
- Hacking Exposed Industrial Control Systems, Bodungen, et al.
- Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky
Intelligence Sources
- ICS-CERT portal
- ISAC portals
- FBI InfraGard
- FireEye iSIGHT (ICS intel)
- Twitter #ICS #SCADA
- Google
Standards
- NIST SP 800-82 Revision 2
- IEC 62443
- NERC CIP
- CFATS
to name a few
Purdue Model - Reference Architecture (Levels 0 through 4)

Explain: This is a reference architecture produced by academics at Purdue University and adopted by the International Society of Automation (ISA). The entire purpose of industrial automation and control systems is to remove humans from the loop: program the logic into the machines so people don't have to be at each location taking measurements and making adjustments.

Level 0: sensors and actuators. Sensors measure things in the physical world, such as flow, temperature, pressure, and level. Actuators move things, like valves and connect/disconnect switches for motors. They are wired into the controller. They are generally not TCP/IP enabled, but this is changing.

Level 1: controllers, which are programmable devices. The programming specifies how the actuators move when the sensors provide certain readings. Level 1 can also include Variable Frequency Drives and protective relays. Many of these are TCP/IP enabled.

Level 2 includes more standard computing and networking technology. SCADA stands for supervisory control and data acquisition. Supervisory means that it allows a human operator, normally seated at a human-machine interface (HMI) screen, to identify abnormalities (normally by viewing alarms that pop up on the screen) and step in and issue remote commands to the system. If a process loses SCADA, nothing is going to happen, at least for a while: the logic exists in the controllers themselves to regulate the process. The job of process operators has been described as 90% intense boredom and 10% sheer panic.

The engineering workstation is used to program the control logic. You can think of this as a software development environment. Instead of languages such as Python, C, and Visual Basic, the languages used are called ladder logic, function block, and structured text. This machine would normally have the ability to talk to any PLC on the network to push new logic.

This layer also includes database technology called a process historian. The historian catalogs readings from the sensors and positions of the actuators to make them available to other applications, such as predictive maintenance and process optimization efforts. The historian records data that is not displayed to the operator.

Ideally the SCADA network is segmented from the business network by a dual-firewall DMZ. This facilitates firewall management while limiting ingress and egress.
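As an added example (not from the talk), here is the kind of check that the IT/OT collaboration described earlier enables once the plant has a zone plan and flow logs: Python that maps source and destination addresses to Purdue levels and flags enterprise hosts reaching control levels without passing through the DMZ, control-level hosts talking to addresses outside the plan, and Modbus/DNP3 traffic to Level 1 controllers from anything other than the approved engineering and SCADA hosts. It also produces the inventory view the ICS engineers want: every host that actually talked to a controller. The subnets, the approved-client list and the sample flow log are all constructed for the example; substitute the plant's own zone plan and a Zeek conn.log export.

```python
"""Purdue-zone crossing detector over a small, constructed flow log (added example, not from the talk)."""
import ipaddress
from collections import namedtuple

# Assumed zone plan for a small plant (hypothetical subnets, not from the talk).
ZONES = {
    ipaddress.ip_network("10.4.0.0/16"): 4,    # Level 4: enterprise / business network
    ipaddress.ip_network("10.3.5.0/24"): 3.5,  # ICS DMZ between enterprise and site operations
    ipaddress.ip_network("10.3.0.0/24"): 3,    # Level 3: site operations (historian, patch server)
    ipaddress.ip_network("10.2.0.0/24"): 2,    # Level 2: SCADA servers, HMI, engineering workstation
    ipaddress.ip_network("10.1.0.0/24"): 1,    # Level 1: PLCs, RTUs, protective relays
}
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet"}
# Hosts allowed to poll or program controllers directly (assumed: one EWS, one SCADA server).
CONTROLLER_CLIENTS = {"10.2.0.10", "10.2.0.20"}

Flow = namedtuple("Flow", "ts src dst dport proto")
Finding = namedtuple("Finding", "ts src dst reason")

# Constructed sample log, whitespace-separated: ts src dst dport proto (not real traffic).
SAMPLE_LOG = """\
# ts  src        dst          dport  proto
1.0   10.2.0.10  10.1.0.5     502    tcp
2.0   10.4.1.23  10.1.0.5     502    tcp
3.0   10.4.1.23  10.3.5.10    443    tcp
4.0   10.3.5.10  10.3.0.15    1433   tcp
5.0   10.2.0.33  10.1.0.7     20000  tcp
6.0   10.1.0.5   203.0.113.9  443    tcp
7.0   10.4.1.40  10.2.0.20    3389   tcp
"""


def zone_of(ip):
    """Purdue level of an address, or None if it is not in the zone plan (Internet, rogue subnet)."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def parse_flows(text):
    """Parse 'ts src dst dport proto' lines, skipping comments and blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def analyze(flows):
    """Return one Finding per violated rule; a single flow can trip more than one rule."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz is None or dz is None:
            known = sz if sz is not None else dz
            # The DMZ (3.5) and enterprise hosts are expected to reach outside; control levels are not.
            if known is not None and known <= 3:
                findings.append(Finding(f.ts, f.src, f.dst,
                                        "Level %g host talking to an address outside the zone plan" % known))
            continue
        # Enterprise traffic should terminate in the DMZ; reaching Level 3 or below directly bypasses it.
        if 4 in (sz, dz) and min(sz, dz) <= 3:
            findings.append(Finding(f.ts, f.src, f.dst,
                                    "enterprise (L4) traffic reaching Level %g directly, bypassing the DMZ"
                                    % min(sz, dz)))
        # Only approved engineering/SCADA hosts should speak ICS protocols to Level 1 controllers.
        if dz == 1 and f.dport in ICS_PORTS and f.src not in CONTROLLER_CLIENTS:
            findings.append(Finding(f.ts, f.src, f.dst,
                                    "%s to a Level 1 controller from non-approved client" % ICS_PORTS[f.dport]))
    return findings


def controller_talkers(flows):
    """Inventory view for the ICS engineers: every source that reached Level 1 on an ICS protocol port."""
    return {f.src for f in flows if zone_of(f.dst) == 1 and f.dport in ICS_PORTS}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for finding in analyze(flows):
        print("%s %s -> %s: %s" % finding)
    print("hosts touching controllers:", sorted(controller_talkers(flows)))
```

On the sample log the approved EWS polling a PLC (flow 1) and the enterprise-to-DMZ and DMZ-to-historian hops (flows 3 and 4) pass; an enterprise host polling a PLC directly trips two rules at once, an unlisted Level 2 host speaking DNP3 and a PLC reaching an outside address each trip one, and RDP from the enterprise straight to the SCADA server shows the flat network the collaboration slide describes.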
Training
- ICS-CERT: free online training and resources; free 5-day Red vs Blue ICS exercise
- ICS vendor training
- SANS ICS: ICS410 and ICS515
- Red Tiger Security
- Lofty Perch
- SCADAhacker
Certification
There isn't a Professional Engineering license for Security... but not everyone is an engineer. GICSP is a new certification out to teach IT folks the basics of ICS and OT folks the basics of security.
Links
https://ics-cert.us-cert.gov/Standards-and-References
http://dx.doi.org/10.6028/NIST.SP.800-82r2
https://scadahacker.com/library/index.html
http://www.dhs.gov/dhs-daily-open-source-infrastructure-report
http://news.infracritical.com/mailman/listinfo/scadasec
http://scadaperspective.com/
http://pen-testing.sans.org/holiday-challenge/2013
http://www.netresec.com/?page=PcapFiles
http://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp
https://www.shodan.io/explore/category/industrial-control-systems
http://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/
You're still here?
What excites you about ICS security? Do you want to join us in ICS security?
Apply What You Have Learned Today
Next week:
- Identify critical components within your ICS network
- Find out if they have any published security vulnerabilities, or if they are connected to the IT network, or even the Internet
In the next three months:
- Understand who is accessing the ICS, from where, and why
Within six months:
- Drive an implementation project to protect the most critical ICS devices
- Develop a roadmap to enhance ICS security architecture
- Capture some ICS network traffic and look for evil
Questions?
[email protected]
@chrissistrunk