SlideShare a Scribd company logo

BSidesAugusta ICS SCADA Defense

Download as PPTX, PDF
Chris Sistrunk
Chris Sistrunk

Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.

Technology
1 of 46
Chris Sistrunk, PE Sr. Consultant Mandiant
@chrissistrunk  Electrical Engineer  Mandiant, Entergy (11 years)  SCADA Expert  Loves Security  DNP3 User Group  Button Pusher but I like Blue
http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
What happens when you use nmap (or a fuzzer) on an ICS?
 Latin for “bulwark”  @jadamcrain and I started in April 2013  26 advisories / 32 tickets  24 DNP3, 1 Modbus, 1 Telegyr 8979  Aegis ICS Fuzzing Framework - OSS www.automatak.com/robus www.automatak.com/aegis
TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
 ICS/SCADA lags IT by 10-15 years  735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”  Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
Let’s take a step back and ask some questions:  What’s the risk if this device is compromised? ◦ Probability * Impact = Risk ◦ Check out my RTU risk score pres from S4x13  What is the ICS device talking to?  Does it uses serial or IP protocols…or both?  How do we defend unsecured protocols?  Is the physical security sufficient?  Will you be called at 2AM?
The answers to the questions tell you that you have to do something to protect the device(s)  What types of mitigations exist?  Which ones will you use? ◦ Defense in depth – more than one! ◦ Belt and suspenders!  When will they be deployed? ◦ The sooner the better!
 Software/firmware patches/device upgrades  Robust RTU/PLC and master configurations  Robust IP network configurations  ICS Protocol-aware network tools  Proper physical security  Employee awareness  Secure coding and SDL for Vendors
NERC/CIP? CFATS? ????
 If there is a software or firmware patch or hardware upgrade that’s out there that fixes a known vulnerability (such as DNP3, modbus) …GO GET IT  Properly test it before you roll it out  If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
 USE DNP3-SA! (application layer security) ◦ Correct master only talks to the correct RTU ◦ But it won’t protect against all “bugs”  Disable unused serial and network ports  Use a possible workaround (ex: auto restart)  Check the default settings ◦ DNP3 or other protocols may be factory configured ◦ If not used, disable them! ◦ ICS devices are on SHODAN  Many appear to have the same configurations
 What does SCADA stand for? ◦ Supervisory Control and Data Acquisition  What is the standard TCP port for modbus? ◦ 502  What are the 2 start bytes for DNP3? ◦ 0x0564  What year was STUXNET discovered? ◦ 2010  What ICS protocol did HAVEX malware use? ◦ OPC
 When possible, DISABLE functions that aren’t required in your production systems  DNP3 function code examples ◦ Cold and/or Warm Restarts (FC 13 & 14) ◦ Start/Stop Application (FC 17 & 18) ◦ Save Configuration (FC 19) old Activate Configuration (FC 31) new ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)  If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
 Segment your ICS/SCADA WAN ◦ Routers, Firewalls, DMZs, & VLANs ◦ This can help isolate the network when needed  Understand your network! ◦ The bad guys sure will  Use encryption and authentication ◦ Use DNP3-SA and TLS ◦ Remote access VPNs, radios, etc ◦ Look at IEC 62351 standard (dovetails with SA)  No ICS protocols on Corporate WAN
Examples of SCADA tools and Enterprise networks that understand ICS  Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets  IDS/IPS such as SNORT, Bro, CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint  Routers such as the Cisco CGR 2010  Field firewall w/ICS Deep Packet Inspection ◦ Secure Crossing and Tofino
 Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network  Security Operations Center ◦ Security Analyst(s) using a SIEM ◦ Log aggregation ◦ Anomaly and intrusion detection ◦ Indicators of Compromise (IOCs)  Security Onion (Linux distro)  www.securityonion.net
We in SCADA Security are in
1986
RTU Corp SCADAnet Is this happening in your ICS??? Your Company Cust 2 Inside cover of The Cuckoo’s Egg Internet Pump Plant 1 DMZ Cust 1 Hist Plant 2 HMI
 http://www.liquidmatrix.org/blog/2014/07/01/is-there- a-cuckoo-in-your-control-system/  tl;dr ◦ ≥1 person who really cares! ◦ Security Onion (or other NSM) ◦ ICS Honeypot (Conpot, etc)  Full Packet Capture (even serial)
So, Chris, why haven’t we seen many ICS incidents? You can’t see where you aren’t looking!
Put. NSM. In. Your. ICS/SCADA. NOW
 What is the proper amount of physical security? It depends…  If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?  Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6  Harden your external barriers  The better the defenses, the more time it buys you to respond
3/8” Mesh ASTM Grade 6 These may buy you extra time to respond
“Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
 Train your folks on ICS/SCADA security ◦ Security Conferences, several training classes available ◦ http://ics-cert.us-cert.gov/Training-Available-Through- ICS-CERT ◦ GICSP Certification  Security awareness is important  Have a questioning attitude  Report suspicious computer or personal activity/incidents ◦ Who do you call? ◦ Internal hotline, supervisor, SOC, etc ◦ ICS-CERT (877-776-7585)
 Ask your vendors for DNP3-SA if they don’t have it or are already working on it  Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack ◦ Positive Tests: FAT/SAT ◦ Negative Tests: Fuzzing (it’s not new folks!)
 DNP3 isn’t a special case. Other ICS protocols will see the same fate. Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…  You can defend your SCADA.  Early testing both slave/server AND master/client sides of the protocol are important!  Compliance != Security, but the culture is important.  Don’t count on the government to protect your critical systems…it’s your job.
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense

Recommended

ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring RationaleSam Bowne
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 

Recommended

ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring RationaleSam Bowne
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
IT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOsIT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOsCommunity Protection Forum
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Access Controls
Access ControlsAccess Controls
Access Controlsprimeteacher32
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating systemabdullah roomi
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxMohanPandey31
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptDelforChacnCornejo
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor AuthenticationRonnie Isherwood
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Data Center Security
Data Center SecurityData Center Security
Data Center Securitydevalnaik
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...Edureka!
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)shraddha_b
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 

More Related Content

What's hot

SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating systemabdullah roomi
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxMohanPandey31
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptDelforChacnCornejo
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor AuthenticationRonnie Isherwood
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Data Center Security
Data Center SecurityData Center Security
Data Center Securitydevalnaik
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...Edureka!
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)shraddha_b
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 

What's hot (20)

Firewalls
FirewallsFirewalls
Firewalls
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
IT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOsIT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOs
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Access Controls
Access ControlsAccess Controls
Access Controls
 
IoT security
IoT securityIoT security
IoT security
 
Information security
Information securityInformation security
Information security
 
Security in Windows operating system
Security in Windows operating systemSecurity in Windows operating system
Security in Windows operating system
 
Security of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptxSecurity of IOT,OT And IT.pptx
Security of IOT,OT And IT.pptx
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.ppt
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
 
Network Security
Network SecurityNetwork Security
Network Security
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)
 
Information Security
Information SecurityInformation Security
Information Security
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Firewall
FirewallFirewall
Firewall
 

Viewers also liked

ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
Notacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security ExpertsNotacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security ExpertsJames Arlen
 
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber AttacksProtecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber AttacksMaurice Dawson
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overviewpgmaynard
 
Cyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control SystemsCyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control SystemsDavid Spinks
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Digital Bond
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?Digital Bond
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...AFCEA International
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 

Viewers also liked (20)

ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
Notacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security ExpertsNotacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security Experts
 
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber AttacksProtecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber Attacks
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overview
 
Cyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control SystemsCyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control Systems
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security Solutions
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.
 

Similar to BSidesAugusta ICS SCADA Defense

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Felipe Prado
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Brian Proctor - GICSP, CISSP, CRISC
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02NiMa Bagheriasl
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsMohammad Reza Zamiri
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security systemNadun Rajasinghe
 

Similar to BSidesAugusta ICS SCADA Defense (20)

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Day4
Day4Day4
Day4
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypots
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
 

More from Chris Sistrunk

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Chris Sistrunk
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookChris Sistrunk
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueChris Sistrunk
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeChris Sistrunk
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachChris Sistrunk
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridChris Sistrunk
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteChris Sistrunk
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisChris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityChris Sistrunk
 

More from Chris Sistrunk (12)

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next Decade
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - Keynote
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat Analysis
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS security
 
Dolla Dolla Bump Key
Dolla Dolla Bump KeyDolla Dolla Bump Key
Dolla Dolla Bump Key
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

BSidesAugusta ICS SCADA Defense

  • 1. Chris Sistrunk, PE Sr. Consultant Mandiant
  • 2. @chrissistrunk  Electrical Engineer  Mandiant, Entergy (11 years)  SCADA Expert  Loves Security  DNP3 User Group  Button Pusher but I like Blue
  • 4. What happens when you use nmap (or a fuzzer) on an ICS?
  • 5.
  • 6.
  • 7.
  • 8.  Latin for “bulwark”  @jadamcrain and I started in April 2013  26 advisories / 32 tickets  24 DNP3, 1 Modbus, 1 Telegyr 8979  Aegis ICS Fuzzing Framework - OSS www.automatak.com/robus www.automatak.com/aegis
  • 9. TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
  • 10.
  • 11.
  • 12.  ICS/SCADA lags IT by 10-15 years  735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”  Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
  • 13. Let’s take a step back and ask some questions:  What’s the risk if this device is compromised? ◦ Probability * Impact = Risk ◦ Check out my RTU risk score pres from S4x13  What is the ICS device talking to?  Does it uses serial or IP protocols…or both?  How do we defend unsecured protocols?  Is the physical security sufficient?  Will you be called at 2AM?
  • 14. The answers to the questions tell you that you have to do something to protect the device(s)  What types of mitigations exist?  Which ones will you use? ◦ Defense in depth – more than one! ◦ Belt and suspenders!  When will they be deployed? ◦ The sooner the better!
  • 15.
  • 16.  Software/firmware patches/device upgrades  Robust RTU/PLC and master configurations  Robust IP network configurations  ICS Protocol-aware network tools  Proper physical security  Employee awareness  Secure coding and SDL for Vendors
  • 17.
  • 19.  If there is a software or firmware patch or hardware upgrade that’s out there that fixes a known vulnerability (such as DNP3, modbus) …GO GET IT  Properly test it before you roll it out  If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
  • 20.  USE DNP3-SA! (application layer security) ◦ Correct master only talks to the correct RTU ◦ But it won’t protect against all “bugs”  Disable unused serial and network ports  Use a possible workaround (ex: auto restart)  Check the default settings ◦ DNP3 or other protocols may be factory configured ◦ If not used, disable them! ◦ ICS devices are on SHODAN  Many appear to have the same configurations
  • 21.
  • 22.  What does SCADA stand for? ◦ Supervisory Control and Data Acquisition  What is the standard TCP port for modbus? ◦ 502  What are the 2 start bytes for DNP3? ◦ 0x0564  What year was STUXNET discovered? ◦ 2010  What ICS protocol did HAVEX malware use? ◦ OPC
  • 23.
  • 24.
  • 25.  When possible, DISABLE functions that aren’t required in your production systems  DNP3 function code examples ◦ Cold and/or Warm Restarts (FC 13 & 14) ◦ Start/Stop Application (FC 17 & 18) ◦ Save Configuration (FC 19) old Activate Configuration (FC 31) new ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)  If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
  • 26.  Segment your ICS/SCADA WAN ◦ Routers, Firewalls, DMZs, & VLANs ◦ This can help isolate the network when needed  Understand your network! ◦ The bad guys sure will  Use encryption and authentication ◦ Use DNP3-SA and TLS ◦ Remote access VPNs, radios, etc ◦ Look at IEC 62351 standard (dovetails with SA)  No ICS protocols on Corporate WAN
  • 27. Examples of SCADA tools and Enterprise networks that understand ICS  Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets  IDS/IPS such as SNORT, Bro, CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint  Routers such as the Cisco CGR 2010  Field firewall w/ICS Deep Packet Inspection ◦ Secure Crossing and Tofino
  • 28.  Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network  Security Operations Center ◦ Security Analyst(s) using a SIEM ◦ Log aggregation ◦ Anomaly and intrusion detection ◦ Indicators of Compromise (IOCs)  Security Onion (Linux distro)  www.securityonion.net
  • 29.
  • 30. We in SCADA Security are in
  • 31. 1986
  • 32. RTU Corp SCADAnet Is this happening in your ICS??? Your Company Cust 2 Inside cover of The Cuckoo’s Egg Internet Pump Plant 1 DMZ Cust 1 Hist Plant 2 HMI
  • 33.  http://www.liquidmatrix.org/blog/2014/07/01/is-there- a-cuckoo-in-your-control-system/  tl;dr ◦ ≥1 person who really cares! ◦ Security Onion (or other NSM) ◦ ICS Honeypot (Conpot, etc)  Full Packet Capture (even serial)
  • 34. So, Chris, why haven’t we seen many ICS incidents? You can’t see where you aren’t looking!
  • 35. Put. NSM. In. Your. ICS/SCADA. NOW
  • 36.  What is the proper amount of physical security? It depends…  If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?  Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6  Harden your external barriers  The better the defenses, the more time it buys you to respond
  • 37.
  • 38. 3/8” Mesh ASTM Grade 6 These may buy you extra time to respond
  • 39. “Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
  • 40.
  • 41.  Train your folks on ICS/SCADA security ◦ Security Conferences, several training classes available ◦ http://ics-cert.us-cert.gov/Training-Available-Through- ICS-CERT ◦ GICSP Certification  Security awareness is important  Have a questioning attitude  Report suspicious computer or personal activity/incidents ◦ Who do you call? ◦ Internal hotline, supervisor, SOC, etc ◦ ICS-CERT (877-776-7585)
  • 42.  Ask your vendors for DNP3-SA if they don’t have it or are already working on it  Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack ◦ Positive Tests: FAT/SAT ◦ Negative Tests: Fuzzing (it’s not new folks!)
  • 43.
  • 44.  DNP3 isn’t a special case. Other ICS protocols will see the same fate. Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…  You can defend your SCADA.  Early testing both slave/server AND master/client sides of the protocol are important!  Compliance != Security, but the culture is important.  Don’t count on the government to protect your critical systems…it’s your job.