The document introduces the group "We Are The Artillery" which uses open source intelligence (OSINT) techniques to discover and analyze industrial control systems with the goal of improving security. It outlines their OSINT process including discovery of assets through vendors, social media, conferences and more. It provides examples of systems they have analyzed and warns that critical infrastructure does not need to be publicly available to be discovered. The presentation aims to educate others and encourage more security for non-regulated utilities.
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
1. WE ARE THE ARTILLERY: Using Google Fu To Take Down The Grids (ASCII-art title slide)
2. #WeAreTheArtillery
@chrissistrunk
-fluent in RS-232 and Kirchhoff’s Laws, #sockstatus,
#DJaaS, #NAPCON
@synackpwn
-spends most of his time in a hardhat and popping
MS08-067 in control systems
@krypt3ia
-An infamous curmudgeon blogging about national
security issues and OSINT
11. OSINT Process For ICS
+Discover:
Vendor – Asset Owner Press releases
Social Media (FB, Twitter, Flickr, Instagram...)
LinkedIn Bios (hardware, software, type of infrastructure)
Conference Presentations (Distributech, ICSJWG, etc)
Job postings
Open shares (TB drives on the internet shared out)
Open FTP servers (Anonymous)
Open misconfigured websites (lots of caches of documents)
Weeding (Using keyword searches and following the trail)
14. OSINT Process For ICS
+Pivot:
Engineering groups
(schematics, construction pictures)
RFPs and Contracts
Public information on capital projects or upgrades
Open Access Same-Time Information System (OASIS)
Maps (GIS)
16. OSINT Process For ICS
+Context:
Vendor support portals
Application/configuration software
Firmware
Configuration/Admin/User Guides
SCRIBD
The perils of autoregistration
18. Firing for effect
How to make contact with the pwn’d
Escalation procedure best practices (contacting affected persons/companies)
23. @k1LL_sw17ch
Rockwell Automation PLCs
• Many online
• Serial number dump
• Reported to Rockwell
Unfortunately they don’t keep track of what company gets what serial number.
24. @krypt3ia
• Google dork led directly into a hydroelectric dam’s internal systems (NOT THE ONE PICTURED)
• Google dork nuclear facility and found red team report
26. What can be done
Go OSINT yourself and your company
Be open to random warning emails
Some security via obscurity would be nice
27. What can be done
Security education for non-NERC/CIP utilities
In this presentation we will show how effective a team of individuals can be at using open source intelligence gathering techniques to collect leaked data on the electrical grid. Using Google dorking alone, the team has been able to gather not only insider information on grid technologies and their deployment in the US, but also passwords to systems, blueprints and runbooks. With such information an attacker could not only attempt to gain access to power company and grid networks but could also easily connect the dots and perform hybrid (physical and electronic) attacks on US power grid systems.
I've said it before and I'll say it again, the power grid(s) is the most complex machine that humans have ever built. Power grid equipment fails all the time. 99% of the time you never even notice. The top three causes of outages were weather, equipment failure, and animals.
Hilt to talk about Flickr
Hilt take this slide
I found some substation Communication Processors with telnet via Shodan. They belonged to distribution utilities (because of the things I saw connected to them). I couldn’t determine who owned them via IP address. But one of the telnet screens showed the firmware, the configuration, and most importantly the serial number. I contacted the vendor and provided the serial numbers, and they had records of which utilities owned those, and the vendor worked with the utilities to have them taken off the internet. Notified the same day.
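The "Go OSINT yourself" advice and the war story above come down to the same defensive exercise: look at what your own exposed services hand out, and treat a leaked serial number as the field that lets a vendor (or an attacker) tie a device back to its owner. The following is an added example, not code from the talk or from any vendor; the banner text, hosts and field labels are constructed and the parsing is a plain regex pass over whatever your own external scan captured.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: banners a utility might capture from its OWN address
# space during a self-assessment. All values are made up for this example.
SAMPLE_BANNERS = {
    "203.0.113.10": "ExampleCorp CommProc 2030\r\nFirmware: 5.1.3\r\nSerial Number: 1234567890\r\nlogin:",
    "203.0.113.11": "ExampleCorp CommProc 2030\r\nFirmware: 4.9.0\r\nlogin:",
    "203.0.113.12": "Welcome to corporate mail relay\r\n",
}

# Field labels are assumptions about how a banner might be laid out.
PATTERNS = {
    "model": re.compile(r"^([A-Za-z]+ \w+ \d+)", re.M),
    "firmware": re.compile(r"Firmware:\s*([\w.]+)", re.I),
    "serial": re.compile(r"Serial(?: Number)?:\s*(\w+)", re.I),
}

@dataclass
class Exposure:
    host: str
    model: Optional[str]
    firmware: Optional[str]
    serial: Optional[str]

    def risk(self) -> str:
        # A serial lets the vendor map the device to an owner (and lets an
        # attacker do the same); firmware/model alone still narrows advisories.
        if self.serial:
            return "high"
        if self.firmware or self.model:
            return "medium"
        return "none"

def parse_banner(host: str, banner: str) -> Exposure:
    found = {}
    for name, pattern in PATTERNS.items():
        match = pattern.search(banner)
        found[name] = match.group(1) if match else None
    return Exposure(host, found["model"], found["firmware"], found["serial"])

def triage(banners: Dict[str, str]) -> List[Exposure]:
    """Keep only hosts whose banner leaks device identity, highest risk first."""
    order = {"high": 0, "medium": 1, "none": 2}
    exposures = [parse_banner(h, b) for h, b in banners.items()]
    return sorted((e for e in exposures if e.risk() != "none"), key=lambda e: order[e.risk()])

def vendor_report(exposures: List[Exposure]) -> List[str]:
    """One line per serial, the data a vendor needs to identify the asset owner."""
    return [f"{e.serial} {e.host} fw={e.firmware}" for e in exposures if e.serial]

if __name__ == "__main__":
    for e in triage(SAMPLE_BANNERS):
        print(e.risk(), e.host, e.model, e.firmware, e.serial)
    print("\n".join(vendor_report(triage(SAMPLE_BANNERS))))
```

Running it against real scan output of your own ranges gives you the list to hand to the vendor before someone else finds it.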
Found a SCADA engineer had backed up his work laptop onto his home 1TB hard drive with anonymous FTP login.
@synackpwn and I found his phone number, then cold called him from a throwaway Google Voice number
He took it down 10 min later
War Story: One of the Terabyte stations I found while doing this was not directly tied to electrical systems but had a word that could be dual use. In the drive I located I found that this guy was actually the Doctor to GW Bush while he was in office. There was a lot of stuff on there from the military and about Bush. After perusing it a while I decided to contact someone at <REDACTED> and filled them in. They got in touch with the guy and he took his stuff offline within 30 minutes.
Another time, a Google Dork led me directly into a dam's systems and gave me access unauthenticated to their internal systems to run the hydroelectric. The total clicks to PWN were 2. I contacted <REDACTED> and had it removed from the net.
While dorking a nuclear facility I located internal documents, including their security assessment (RED TEAM). I contacted <REDACTED> and had it taken offline that day.