API Cybersecurity Conference Industrial Control Systems Workshop. Sponsored by Alpine Security

Size: px

Start display at page:

Download "API Cybersecurity Conference Industrial Control Systems Workshop. Sponsored by Alpine Security"

Kellie Wilkins
8 years ago
Views:

1 API Cybersecurity Conference Industrial Control Systems Workshop Sponsored by Alpine Security

3 Intro Incidents ICS Overview Lab Environment ICS Discovery ICS Vulnerability Scanning ICS System Exploitation ICS Protocol Exploitation

4 Objectives Learn how to perform a safe security assessment on an ICS environment Hands-on experience with tools and methods used to test/exploit ICS systems and protocols Provide a valuable and fun experience

5 Expectations Hands-on Environment vs Reality Not a race - don t just blindly go through exercises If you get stuck, ask an ICS Workshop Team member for help Not a Hacking workshop Don t hack into anything other than your own Virtual Machines Foundation building workshop

6 Aaron Dellamano Dave Jones Myles Kellerman Rich Norton Daniel Sewell Chris White Paul Wojciechowski Christian Espinosa ICS Team Members

7 Logistics Cell Phones Breaks Snacks Restrooms Emergencies Questions Timing

9 ICS Incidents

10 Stats 43% of global mining, oil, and gas companies were victims of at least one cyber attack in 2014 Symantec Energy companies lose $13.2 million on average annually due to cyber incidents, higher than any other industry - Ponemon Institute $1.9 Billion cost to Oil and Gas by Reuters

11 Why ICS? ICS networks now connected to Internet Belief that standalone systems are secure Greater damage can be achieved with tangible consequences Hoover Dam

12 Targeted energy sector Compromised 100s of organizations globally Aimed at disrupting energy supplies Targeted petroleum pipeline operators Malicious Attack Energetic Bear

13 Malicious Attack Energetic Bear Attack Vectors Havex Trojan well-known malware Metasploit free well-known tool Spear-phishing Watering Hole Attacks Compromised SCADA/ICS software updates

14 Malicious Attack Saudi Aramco Saudi Aramco world s largest oil producer was attacked in August 2012 Shamoon malware erased data on over 30k computers Forced company offline for 10 days

15 Malicious Attack Turkish Oil Pipeline Explosion In 2008 an explosion of a Turkish oil pipeline was originally thought a malfunction Dec confirmed Russian hackers performed a cyber attack that over-pressurized crude oil in the pipeline

16 Non-Malicious Attack Discovery Scanning Incident Ping sweep was performed on network that controlled 9- foot robotic arms One arm became active - swung 180 degrees The person in the room was outside the reach of the arm

17 Non-Malicious Attack Vulnerability Scanning Incident A vulnerability scan was performed on a food manufacturer s network Some traffic made it onto the control network Caused all PLCs controlling manufacturing to hang Resulted in $1M worth of damage

18 Non-Malicious Attack Penetration Testing Incident A gas utility hired a security company to conduct penetration testing on the corporate IT network The security company ventured out of scope into the ICS network, locking up the ICS system Gas utility was not able to send gas through its pipelines for 4 hours

19 ICS Security Overview

20 Source:

21 Common ICS Vulnerabilities Out-of-date technologies Out-of-date Operating Systems Out-of-date applications Unsecure network connectivity Unsecure interfaces Virus protection weak or nonexistent Lack of monitoring War-dialing vulnerabilities Software overflow weaknesses Etc.

22 Known Vulnerabilities Search for scada

23 Known Vulnerabilities Search for hmi

24 Known Vulnerabilities Search for plc

25 Source:

26 Source:

27 Exercise Caution Scan test network or non-production systems Backup systems prior to scanning Don t scan critical systems or scan during critical operations timeframes If the system truly is critical, there should be a redundant pair Scan one IP at a time or a small range Scan one IP of a failover pair

28 Risk Discovery Scanning Vulnerability Scanning Penetration Testing Non-intrusive Assessment

29 ICS Workshop Lab Setup

30 Lab Setup Overview Thumb Drive Manuals VMware All VMs expire Friday at 6pm,Central

31 Virtual Machines 1. Kali 2. Master PLC / HMI 3. Slave PLC 4. Targets

32 Exercises ICS Discovery ICS Vulnerability Scanning ICS System Exploitation ICS Protocol Exploitation

33 Kali Metasploit Armitage John the Ripper Wireshark Nmap Nessus Netcat Etc. Tools Used

34 Methodology Review Target Discovery Vulnerability Identification Penetration / Exploitation Discovery Vulnerability Identification Exploitation

35 ICS Workshop Setup and Configuration 25 Minutes

36 ICS Discovery

37 Discovery Vulnerability Identification Exploitation

38 Discovery Scanning Discovery Scanning involves finding live targets Examples: HMI PLCs Engineering Workstation Historian

39 What are we looking for? HMIs typically run on Windows, often XP Slave PLCs

41 Nmap Scripting Engine (NSE)

42 Nmap for ICS NSE Nmap Scripting Engine Has scripts designed to help discover and enumerates ICS systems: bacnet-info modbus-discover stuxnet-detect Siemens-CommunicationsProcessors.nse Siemens-SCALANCE-module.nse Siemens-WINCC.nse

43 Risk Discovery Scanning Vulnerability Scanning Penetration Testing Non-intrusive Assessment

44 ICS Target Discovery Exercise 25 Minutes

45 ICS Target Discovery Exercise Recap

46 ICS Vulnerability Scanning

47 Vulnerability DiscoveryICS System Exploitation Identification Exploitation

48 Vulnerability Scanners More intrusive than discovery tools like Nmap Dramatically increase likelihood of creating a DOS or undesired event Use with Extreme Caution or not at all on Production networks

49 Nessus SCADA Plugins

52 Risk Discovery Scanning Vulnerability Scanning Penetration Testing Non-intrusive Assessment

53 ICS Vulnerability Scanning Exercise 45 Minutes

54 ICS Target Discovery Exercise Recap

55 ICS System Exploitation

56 Vulnerability DiscoveryICS System Exploitation Identification Exploitation

62 Risk Discovery Scanning Vulnerability Scanning Penetration Testing Non-intrusive Assessment

63 ICS System Exploitation Exercise 45 Minutes

64 ICS Target Discovery Exercise Recap

65 ICS Protocol Exploitation

66 Vulnerability DiscoveryICS System Exploitation Identification Exploitation

71 B

72 Risk Discovery Scanning Vulnerability Scanning Penetration Testing Non-intrusive Assessment

73 ICS Protocol Exploitation Exercise 35 Minutes

74 ICS Target Discovery Exercise Recap

75 ICS Workshop Survey Contact Information (844) 9-ALPINE

Security Testing in Critical Systems

Security Testing in Critical Systems An Ethical Hacker s View Peter Wood Chief Executive Officer First Base Technologies Who is Peter Wood? Worked in computers & electronics since 1969 Founded First Base