API Cybersecurity Conference Industrial Control Systems Workshop. Sponsored by Alpine Security


www.alpinesecurity.com

- Intro
- Incidents
- ICS Overview
- Lab Environment
- ICS Discovery
- ICS Vulnerability Scanning
- ICS System Exploitation
- ICS Protocol Exploitation

Objectives
- Learn how to perform a safe security assessment on an ICS environment
- Hands-on experience with tools and methods used to test/exploit ICS systems and protocols
- Provide a valuable and fun experience

Expectations
- Hands-on
- Environment vs Reality
- Not a race - don't just blindly go through exercises
- If you get stuck, ask an ICS Workshop Team member for help
- Not a Hacking workshop
- Don't hack into anything other than your own Virtual Machines
- Foundation building workshop

ICS Team Members: Aaron Dellamano, Dave Jones, Myles Kellerman, Rich Norton, Daniel Sewell, Chris White, Paul Wojciechowski, Christian Espinosa

Logistics: Cell Phones, Breaks, Snacks, Restrooms, Emergencies, Questions, Timing

ICS Incidents

Stats
- 43% of global mining, oil, and gas companies were victims of at least one cyber attack in 2014 (Symantec)
- Energy companies lose $13.2 million on average annually due to cyber incidents, higher than any other industry (Ponemon Institute)
- $1.9 Billion cost to Oil and Gas by 2018 (Reuters)

Why ICS?
- ICS networks now connected to Internet
- Belief that standalone systems are secure
- Greater damage can be achieved with tangible consequences
- Hoover Dam

Malicious Attack: Energetic Bear
- Targeted energy sector
- Compromised 100s of organizations globally
- Aimed at disrupting energy supplies
- Targeted petroleum pipeline operators

Malicious Attack: Energetic Bear Attack Vectors
- Havex Trojan (well-known malware)
- Metasploit (free, well-known tool)
- Spear-phishing
- Watering Hole Attacks
- Compromised SCADA/ICS software updates

Malicious Attack: Saudi Aramco
- Saudi Aramco, the world's largest oil producer, was attacked in August 2012
- Shamoon malware erased data on over 30k computers
- Forced company offline for 10 days

Malicious Attack: Turkish Oil Pipeline Explosion
- In 2008 an explosion of a Turkish oil pipeline was originally thought a malfunction
- Dec 2014 - confirmed Russian hackers performed a cyber attack that over-pressurized crude oil in the pipeline

Non-Malicious Attack: Discovery Scanning Incident
- Ping sweep was performed on network that controlled 9-foot robotic arms
- One arm became active - swung 180 degrees
- The person in the room was outside the reach of the arm

Non-Malicious Attack: Vulnerability Scanning Incident
- A vulnerability scan was performed on a food manufacturer's network
- Some traffic made it onto the control network
- Caused all PLCs controlling manufacturing to hang
- Resulted in $1M worth of damage

Non-Malicious Attack: Penetration Testing Incident
- A gas utility hired a security company to conduct penetration testing on the corporate IT network
- The security company ventured out of scope into the ICS network, locking up the ICS system
- Gas utility was not able to send gas through its pipelines for 4 hours

ICS Security Overview

Source: https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

Common ICS Vulnerabilities
- Out-of-date technologies
- Out-of-date Operating Systems
- Out-of-date applications
- Unsecure network connectivity
- Unsecure interfaces
- Virus protection weak or nonexistent
- Lack of monitoring
- War-dialing vulnerabilities
- Software overflow weaknesses
- Etc.

Known Vulnerabilities Search for scada

Known Vulnerabilities Search for hmi

Known Vulnerabilities Search for plc

Source: https://ics-cert.us-cert.gov/sites/default/files/documents/cyber_security_assessments_of_industrial_control_systems.pdf

Source: http://energy.sandia.gov/wp-content/gallery/uploads/sand_2005_2846p.pdf

Exercise Caution
- Scan test network or non-production systems
- Backup systems prior to scanning
- Don't scan critical systems or scan during critical operations timeframes
- If the system truly is critical, there should be a redundant pair
- Scan one IP at a time or a small range
- Scan one IP of a failover pair
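The caution rules above can be turned into a scan plan that is checked before any scanner is pointed at a control network. The script below is an added example written for this page, not part of the workshop's lab material: it reads a constructed asset inventory, refuses to run inside a critical-operations window, drops critical systems that have no redundant pair, keeps only one member of each failover pair, requires a backup before a host is scanned, and emits one IP per batch. The IPs, roles and the 06:00-18:00 weekday window are all constructed assumptions.

```python
"""Build a conservative scan plan from an ICS asset inventory.

Added example (not the workshop's code). The inventory, the critical
operations window and the field names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str
    critical: bool = False
    failover_group: Optional[str] = None  # assets sharing a group form a redundant pair
    backed_up: bool = False               # backup taken prior to scanning


# Constructed inventory for a hypothetical plant network.
INVENTORY = [
    Asset("10.0.5.10", "HMI", backed_up=True),
    Asset("10.0.5.20", "Historian", backed_up=True),
    Asset("10.0.5.31", "PLC-A", critical=True, failover_group="line1", backed_up=True),
    Asset("10.0.5.32", "PLC-B", critical=True, failover_group="line1", backed_up=True),
    Asset("10.0.5.40", "Safety PLC", critical=True),        # critical, no redundant pair
    Asset("10.0.5.50", "Engineering workstation"),          # no backup taken yet
]

# Constructed critical-operations window: no scanning 06:00-18:00 on weekdays.
CRITICAL_OPS = (time(6, 0), time(18, 0))


def in_critical_window(when: datetime) -> bool:
    """True if 'when' falls inside the critical operations timeframe."""
    start, end = CRITICAL_OPS
    return when.weekday() < 5 and start <= when.time() < end


def plan_scan(inventory: List[Asset], when: datetime) -> Tuple[List[List[str]], List[Tuple[str, str]]]:
    """Return (batches, skipped).

    batches: one single-IP list per scan run, so the scanner never sweeps a range.
    skipped: (ip, reason) for every host deliberately left out.
    """
    if in_critical_window(when):
        raise RuntimeError("inside critical operations window; do not scan")
    targets: List[str] = []
    skipped: List[Tuple[str, str]] = []
    seen_groups = set()
    for asset in inventory:
        if asset.critical and not asset.failover_group:
            skipped.append((asset.ip, "critical system without a redundant pair"))
            continue
        if not asset.backed_up:
            skipped.append((asset.ip, "no backup taken before scanning"))
            continue
        if asset.failover_group:
            if asset.failover_group in seen_groups:
                skipped.append((asset.ip, f"second member of failover pair {asset.failover_group}"))
                continue
            seen_groups.add(asset.failover_group)
        targets.append(asset.ip)
    return [[ip] for ip in targets], skipped


if __name__ == "__main__":
    batches, skipped = plan_scan(INVENTORY, datetime(2024, 3, 2, 3, 0))  # a Saturday 03:00
    print("scan batches:", batches)
    print("skipped:", skipped)
```

Run with a Saturday timestamp the plan scans the HMI, the historian and only PLC-A of the line1 pair; the safety PLC and the un-backed-up workstation are listed under `skipped` with the reason, which is what should go into the assessment's scoping record.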

Risk scale: Discovery Scanning, Vulnerability Scanning, Penetration Testing, Non-intrusive Assessment

ICS Workshop Lab Setup

Lab Setup Overview
- Thumb Drive
- Manuals
- VMware
- All VMs expire Friday at 6pm, Central

Virtual Machines
1. Kali
2. Master PLC / HMI
3. Slave PLC
4. Targets

Exercises
- ICS Discovery
- ICS Vulnerability Scanning
- ICS System Exploitation
- ICS Protocol Exploitation

Tools Used: Kali, Metasploit, Armitage, John the Ripper, Wireshark, Nmap, Nessus, Netcat, etc.

Methodology Review
- Target Discovery
- Vulnerability Identification
- Penetration / Exploitation

ICS Workshop Setup and Configuration (25 Minutes)

ICS Discovery

Discovery Vulnerability Identification Exploitation

Discovery Scanning
- Discovery Scanning involves finding live targets
- Examples: HMI, PLCs, Engineering Workstation, Historian

What are we looking for?
- HMIs typically run on Windows, often XP
- Slave PLCs

Nmap Scripting Engine (NSE)

Nmap for ICS
- NSE (Nmap Scripting Engine) has scripts designed to help discover and enumerate ICS systems:
  - bacnet-info
  - modbus-discover
  - stuxnet-detect
- https://github.com/drainware/nmap-scada
  - Siemens-CommunicationsProcessors.nse
  - Siemens-SCALANCE-module.nse
  - Siemens-WINCC.nse


ICS Target Discovery Exercise (25 Minutes)

ICS Target Discovery Exercise Recap

ICS Vulnerability Scanning

Discovery Vulnerability Identification Exploitation

Vulnerability Scanners
- More intrusive than discovery tools like Nmap
- Dramatically increase likelihood of creating a DOS or undesired event
- Use with Extreme Caution or not at all on Production networks

Nessus SCADA Plugins


ICS Vulnerability Scanning Exercise (45 Minutes)

ICS Target Discovery Exercise Recap

ICS System Exploitation

Discovery Vulnerability Identification Exploitation


ICS System Exploitation Exercise (45 Minutes)

ICS Target Discovery Exercise Recap

ICS Protocol Exploitation

Discovery Vulnerability Identification Exploitation

00 00 00 00 00 06 7B 08 00 04 00 00
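The twelve hex bytes above are a Modbus/TCP request: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by the function code and its data. The decoder below is an added example written for this page, not part of the workshop's lab material. It parses that header, names the function code and the Diagnostics sub-function using the public Modbus Application Protocol specification, and rates each request so a monitoring tool on a span port can alert on writes and on diagnostics requests that silence or restart a device. The sample capture, its IPs and the risk labels are this example's own constructed choices.

```python
"""Decode Modbus/TCP requests and rate how disruptive each one could be.

Added example (not the workshop's code). Field layout follows the public
Modbus Application Protocol spec; the risk levels are this example's own.
"""
import struct
from typing import List, Tuple

# The frame shown on the 'ICS Protocol Exploitation' slide, as bytes.
SLIDE_FRAME = bytes.fromhex("00 00 00 00 00 06 7B 08 00 04 00 00")

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

# Diagnostics (function code 8) sub-functions from the spec.
DIAG_SUBFUNCTIONS = {
    0: "Return Query Data",
    1: "Restart Communications Option",
    4: "Force Listen Only Mode",
    10: "Clear Counters and Diagnostic Register",
}
# Sub-functions that stop or reset the device's communications.
DISRUPTIVE_DIAG = {1, 4}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields plus function code and data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id}: not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first six bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} trailing bytes")
    function_code = frame[7]
    data = frame[8:]
    info = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": FUNCTION_NAMES.get(function_code, "unknown/vendor-specific"),
        "data_hex": data.hex(),
        "sub_function": None,
    }
    if function_code == 8 and len(data) >= 2:
        sub = struct.unpack(">H", data[:2])[0]
        info["sub_function"] = sub
        info["function"] = "Diagnostics / " + DIAG_SUBFUNCTIONS.get(sub, "unknown sub-function")
    return info


def risk_level(info: dict) -> str:
    """'high' can stop or reset the device, 'medium' changes process state, 'low' is read-only."""
    fc = info["function_code"]
    if fc == 8 and info["sub_function"] in DISRUPTIVE_DIAG:
        return "high"
    if fc in WRITE_CODES or fc == 8:
        return "medium"
    return "low"


def triage(capture: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (source, level, description) for every request above 'low' risk or malformed.

    capture: (source_ip, frame_bytes) pairs, e.g. pulled from a pcap of TCP/502 traffic.
    """
    alerts = []
    for src, frame in capture:
        try:
            info = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, "malformed", str(err)))
            continue
        level = risk_level(info)
        if level != "low":
            alerts.append((src, level, f"unit {info['unit_id']}: {info['function']}"))
    return alerts


# Constructed sample capture: a normal register poll, a single write, and the slide's frame.
SAMPLE_CAPTURE = [
    ("10.0.5.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI reading 10 registers
    ("10.0.5.50", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),  # write single register
    ("10.0.5.99", SLIDE_FRAME),                                       # diagnostics sub-function 4
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_CAPTURE):
        print(alert)
```

Decoding the slide's frame gives unit id 0x7B (123), function code 8 with sub-function 4, which the spec names Force Listen Only Mode: a device that honours it stops answering the HMI until it is reset, so a single such request on a production segment deserves a high-priority alert rather than being lost among routine polls.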


ICS Protocol Exploitation Exercise (35 Minutes)

ICS Target Discovery Exercise Recap

ICS Workshop Survey: https://www.surveymonkey.com/r/api-ics
Contact Information: christian.espinosa@alpinesecurity.com, www.alpinesecurity.com, (844) 9-ALPINE