Hacker Halted 2016 - How to get into ICS security

This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!

Published in: Education

1. How to get into ICS Security
   Chris Sistrunk, PE

2. About Me
   Chris Sistrunk, PE, @chrissistrunk
   Electrical Engineer
   Sr. Consultant, FireEye
   • Control system security assessments
   • NSM and DFIR for ICS
   • ICS Village (DEF CON & RSA Conference)
   Entergy (11+ years)
   • SCADA Engineer (10 years)
   • Project Robus (ICS protocol fuzzing)
   • 30+ implementation vulnerabilities in DNP3 stacks
   • Substation Security Team
   BSidesJackson

3. How small mistakes lead to big disasters
   FPL Blackout, February 26, 2008

4. Enormous possible consequences
   Qingdao, China pipeline, November 2013

5. Guadalajara, Mexico, 1992

6. San Bruno, California, September 2010
   8 deaths, 58 injured
   PG&E fined $1.6 Billion

7. Enterprise and ICS Security (diagram: IT and OT)

8. Some numbers
   https://www2.fireeye.com/industrial-control-systems-vulnerability-trend-report-2016.html

9. Some numbers
   • Industrial Control System Humans: MANY (engineers, technicians, operators, vendors, etc.)
   • Security Humans: ~189,000
   • ICS Security Humans: <1000, i.e. 0.5% of security
   "LinkedIn data identified over 189,000 professionals in active information security positions worldwide as of June 2015." - Cory Scott

10. Is 0.5% enough to protect Critical Infra?

11. So…what would you say you do here?
   • Why are you here?
   • What excites you about ICS security?
   • Is ICS or security in your job now?
   • Do you want it to be?

12. I'm recruiting you for ICS Security

13. OT Side > ICSsec

14. Operational Technology
   • You've got the engineering or technical background
   • You know how the plant or process works
   • You probably already work with:
     • ICS components like PLCs and RTUs
     • ICS protocols like Modbus, EtherNet/IP, DNP3, etc.
     • Networking (Ethernet, serial, including wireless)
     • NERC/CIP or CFATS requirements
   • But you don't know IT systems, risks, threats, and security

15. Get familiar with security
   • Learn
   • Security conferences!
   • Lots and lots of security material online (SecurityTube, etc.)
   • ICS security training (ICS-CERT, SANS ICS, Red Tiger, SCADAhacker)
   • SamuraiSTFU, Kali, Security Onion Linux distros
   • shodan.io
   • Make friends with the IT Security team

16. Make an ICS Security Lab
   • Many companies with control systems have labs
   • If not, you may have spare equipment laying around…get creative!

17. So…Stuxnet happened

18. What would be your Stuxnet?
   • Think like a bad guy…with a hard hat!
   • …like an attacker has your prints
   • Who knows…you might find a vulnerability
   "To make things work well, you must break them"
   "Find evil, or ways for evil to do evil things"

19. Red Team and Blue Team
   • Learn how to use Metasploit
   • Search shodan.io
   • Learn about Modbus fuzzing
   • Write some Snort rules
   • Read up on Digital Forensics & Incident Response (DFIR)
   • Take the ICS-CERT RvB course
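The "Learn about Modbus fuzzing" bullet above, and the About Me slide's note that protocol fuzzing (Project Robus) turned up dozens of implementation bugs in DNP3 stacks, are easiest to understand with a small working fuzzer. The block below is an added example, not code from the talk or from Project Robus. It encodes Modbus/TCP frames (MBAP header plus PDU, per the Modbus specification) and runs a mutation fuzzer against two in-process stand-ins for a PLC's Read Holding Registers handler: one that trusts the request fields and one that validates framing, quantity and address before touching the register table. The 100-register device, the two handlers and the mutation strategy are assumptions for the example.

```python
"""Mutation fuzzing of a Modbus/TCP Read Holding Registers (FC 0x03) handler.
Added example (not from the talk). NaiveServer trusts every request field;
HardenedServer validates them as the Modbus Application Protocol spec requires.
Assumption: a fake PLC with 100 holding registers."""
import random
import struct

REGISTERS = [0] * 100        # constructed register table for the fake PLC
MAX_READ_QUANTITY = 125      # spec maximum for FC 3 (250 data bytes)
FC_READ_HOLDING = 0x03
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02
EXC_ILLEGAL_VALUE = 0x03


def build_request(tid, unit, fc, address, quantity):
    """Modbus/TCP frame: MBAP header (tid, protocol 0, length, unit) + PDU."""
    pdu = struct.pack(">BHH", fc, address, quantity)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def exception_response(tid, unit, fc, code):
    """Exception PDU: function code with the high bit set, then the exception code."""
    pdu = struct.pack(">BB", fc | 0x80, code)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class NaiveServer:
    """Uses the request fields directly: no length, quantity or address checks."""

    def handle(self, frame):
        tid, _proto, _length, unit = struct.unpack(">HHHB", frame[:7])
        fc, address, quantity = struct.unpack(">BHH", frame[7:12])
        values = REGISTERS[address:address + quantity]      # silently truncated...
        body = b"".join(struct.pack(">H", v) for v in values)
        # ...while the byte count comes from the request, so quantity > 127
        # overflows the one-byte field (struct.error here; memory corruption in C).
        pdu = struct.pack(">BB", fc, quantity * 2) + body
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class HardenedServer:
    """Validates framing and PDU fields before touching the register table."""

    def handle(self, frame):
        if len(frame) < 8:                      # MBAP header plus function code
            return None                         # drop: not a complete request
        tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0 or length != len(frame) - 6:
            return None                         # MBAP length must match bytes on the wire
        fc = frame[7]
        if fc != FC_READ_HOLDING:
            return exception_response(tid, unit, fc, EXC_ILLEGAL_FUNCTION)
        if len(frame) != 12:                    # FC 3 request PDU is exactly 5 bytes
            return exception_response(tid, unit, fc, EXC_ILLEGAL_VALUE)
        address, quantity = struct.unpack(">HH", frame[8:12])
        if not 1 <= quantity <= MAX_READ_QUANTITY:
            return exception_response(tid, unit, fc, EXC_ILLEGAL_VALUE)
        if address + quantity > len(REGISTERS):
            return exception_response(tid, unit, fc, EXC_ILLEGAL_ADDRESS)
        body = b"".join(struct.pack(">H", v) for v in REGISTERS[address:address + quantity])
        pdu = struct.pack(">BB", fc, len(body)) + body
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def mutate(frame, rng):
    """One mutation of a valid frame: byte flip, boundary value in a 16-bit
    field, truncation, or trailing garbage."""
    buf = bytearray(frame)
    choice = rng.randrange(4)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        offset = rng.choice([4, 8, 10])       # MBAP length, start address, quantity
        value = rng.choice([0, 1, 0x7D, 0x7E, 0xFF, 0x100, 0x7FFF, 0xFFFF])
        buf[offset:offset + 2] = struct.pack(">H", value)
    elif choice == 2:
        buf = buf[:rng.randrange(1, len(buf))]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(buf)


def fuzz(server, iterations=2000, seed=1):
    """Return (hex frame, exception name) pairs that made the handler raise."""
    rng = random.Random(seed)
    base = build_request(tid=1, unit=1, fc=FC_READ_HOLDING, address=0, quantity=10)
    crashes = []
    for _ in range(iterations):
        frame = mutate(base, rng)
        try:
            server.handle(frame)
        except Exception as exc:     # an unhandled exception is a crash in a real stack
            crashes.append((frame.hex(), type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for server in (NaiveServer(), HardenedServer()):
        crashes = fuzz(server)
        print(f"{type(server).__name__}: {len(crashes)} crashing inputs")
        for frame_hex, name in crashes[:3]:
            print(f"  {name}: {frame_hex}")
```

Against a real device the same mutated frames would go over TCP/502 to a lab PLC, never a production one, and the "crash" signal becomes a dropped connection or a device that stops answering polls. The hardened handler answers every malformed request with a spec-defined exception code (0x02 illegal address, 0x03 illegal value) or drops it, which is the behavior to test for when evaluating a vendor's stack.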
20. Energy drinks

21. Get to know your IT Security gurus

22. (image only, no text)

23. IT Side > ICSsec

24. Information Technology
   • You've got the computer and networking skills
   • You know how business technology works
   • You probably already know:
     • Routers, switches, firewalls, domain controllers
     • Web, email, and business applications
     • Certifications like CCNA and CISSP
     • HIPAA or PCI DSS requirements
   • But you don't know the engineering and physics behind the process

25. ICS Engineers
   https://www.youtube.com/watch?v=RXJKdh1KZ0w

26. Google all the things
   • Modbus.org > Modbus specification
   • Tons of code on GitHub: opendnp3, modbus, etc.
   • Wireshark
   • Pcaps online > Netresec has a library, SANS, S4

27. Videos
   • YouTube & Vimeo: "SCADA", "Control Systems", "PLC"
   • Conference talks
   • "How It's Made" marathon!

28. Make an ICS network at home
   • Raspberry Pi: opendnp3, modbus, BACnet
   • Arduino: modbus
   • $15 HMI from eBay (got lucky)
   • ~$700 for a new Phoenix Contact PLC

29. You know security, but not ICS…yet
   • What I am about to tell you is the single greatest secret to go from IT Security into ICS…

30. Donuts

31. Get your hardhat dirty

32. Ask questions
   • What is it?
   • Why is it important?
   • How can we secure it?
   Example: ladder logic on a PLC. Understand the why…then try to secure/monitor it.

33. Take the opportunity to collaborate
   Problem:
   • ICS network is flat with the corporate network
   • ICS network has no logging or visibility
   • IT has security goals
   • OT has safety and uptime goals
   • Can you do some things that satisfy both?

34. ICS Security Resources

35. Connect!
   • SCADAsec email list at Infracritical
   • ICS Security Conferences:
     • ICSJWG – FREE
     • DigitalBond's S4
     • SANS ICS Summit
     • 4SICS
     • EnergySec
     • Oil & Gas Security Summit
     • ICS Cyber Security Conference "Weisscon"

36. Information Sharing
   National Council of ISACs
   • Downstream Natural Gas www.dngisac.com
   • Electricity www.esisac.com
   • Oil & Natural Gas www.ongisac.org
   • Water www.waterisac.org
   ISAOs coming, knowledge sharing, ICS-ISAC, "BEER-ISAC"

37. Books
   • Robust Control System Networks, Ralph Langner
   • Industrial Network Security, 2nd Edition, Knapp & Langill
   • Cybersecurity for Industrial Control Systems, Macaulay & Singer
   • Countdown to Zero Day, Kim Zetter
   • Hacking Exposed Industrial Control Systems, Bodungen, et al.
   • Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky

38. Intelligence Sources
   • ICS-CERT portal
   • ISAC portals
   • FBI InfraGard
   • FireEye iSIGHT (ICS intel)
   • Twitter #ICS #SCADA
   • Google

39. Standards
   • NIST SP 800-82 Revision 2
   • IEC 62443
   • NERC/CIP
   • CFATS
   • …to name a few

40. Purdue Model - Reference Architecture
   (diagram: Levels L0 through L4)

41. Training
   • ICS-CERT
     • Free online training and resources
     • Free 5-day Red vs Blue ICS exercise
   • ICS vendor training
   • SANS ICS
     • ICS410 and ICS515
   • Red Tiger Security
   • Lofty Perch
   • SCADAhacker

42. Certification
   • There isn't a Professional Engineering license for Security...
     …but not everyone is an engineer.
   • GICSP is a new certification out to teach IT folks the basics of ICS and OT folks the basics of security.

43. Links
   • https://ics-cert.us-cert.gov/Standards-and-References
   • http://dx.doi.org/10.6028/NIST.SP.800-82r2
   • https://scadahacker.com/library/index.html
   • http://www.dhs.gov/dhs-daily-open-source-infrastructure-report
   • http://news.infracritical.com/mailman/listinfo/scadasec
   • http://scadaperspective.com/
   • http://pen-testing.sans.org/holiday-challenge/2013
   • http://www.netresec.com/?page=PcapFiles
   • http://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp
   • https://www.shodan.io/explore/category/industrial-control-systems
   • http://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/

44. You're still here
   • What excites you about ICS security?
   • Do you want to join us in ICS security?

45. Apply What You Have Learned Today
   • Next week:
     • Identify critical components within your ICS network
     • Find out if they have any published security vulnerabilities, or if they are connected to the IT network, or even the Internet
   • In the next three months:
     • Understand who is accessing the ICS, from where, and why
   • Within six months:
     • Drive an implementation project to protect the most critical ICS devices
     • Develop a roadmap to enhance ICS security architecture
     • Capture some ICS network traffic and look for "evil"
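The "Take the opportunity to collaborate" slide describes an ICS network that is flat with the corporate network and has no logging or visibility, and the slide above asks you to find out who is accessing the ICS and to capture traffic and look for evil. The block below is an added example of that triage, not code from the talk. It walks a set of Modbus/TCP client requests, builds an inventory of which hosts talk to which PLCs with which function codes, and flags writes and device-identification or diagnostic requests from hosts outside an allowlist. The capture is constructed here (in practice the (src, dst, payload) tuples would be pulled from a pcap with Wireshark, tshark or scapy); the IP addresses, device names and the allowlist are assumptions.

```python
"""Triage of Modbus/TCP client traffic: which hosts talk to which PLCs, and what
they ask for. Added example, not from the talk. CAPTURE is constructed; the IPs,
device names and client allowlist are assumptions for the example."""
import struct
from collections import defaultdict

# Assumed ICS clients (Purdue Level 2/3) and whether each is permitted to write.
KNOWN_CLIENTS = {"10.20.1.10": ("HMI-1", False), "10.20.1.11": ("ENG-WS-1", True)}
PLC_NAMES = {"10.20.2.50": "PLC-A", "10.20.2.51": "PLC-B"}   # assumed Level 1 devices

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Server ID", 43: "Encapsulated Interface (Read Device Identification)",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}      # change process state
RECON_FUNCTIONS = {8, 17, 43}                 # identify or reconfigure the device
DIAG_FORCE_LISTEN_ONLY = 0x0004               # FC 8 sub-function: device goes silent


def modbus_request(tid, unit, fc, data):
    """Build a Modbus/TCP request: MBAP header then PDU (function code + data)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (src_ip, dst_ip, payload) of client-to-server packets on TCP/502.
CAPTURE = [
    ("10.20.1.10", "10.20.2.50", modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.20.1.10", "10.20.2.51", modbus_request(2, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.20.1.11", "10.20.2.50", modbus_request(3, 1, 16, struct.pack(">HHB", 40, 1, 2) + b"\x00\x01")),
    ("10.1.5.77", "10.20.2.50", modbus_request(4, 1, 43, b"\x0e\x01\x00")),             # corporate host fingerprints the PLC
    ("10.1.5.77", "10.20.2.50", modbus_request(5, 1, 5, struct.pack(">HH", 7, 0xFF00))),  # forces coil 7 ON
    ("10.1.5.77", "10.20.2.51", modbus_request(6, 0, 8, struct.pack(">HH", DIAG_FORCE_LISTEN_ONLY, 0))),
    ("10.1.5.77", "10.20.2.51", b"GET / HTTP/1.1\r\n"),                                 # not Modbus at all
]


def parse_request(payload):
    """Return (unit_id, function_code, data), or None if the MBAP framing is invalid."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def triage(records):
    """Return (inventory, findings). inventory[plc_ip][client_ip] is the set of
    function codes seen; findings are (severity, src, dst, unit, reason) tuples."""
    inventory = defaultdict(lambda: defaultdict(set))
    findings = []
    for src, dst, payload in records:
        parsed = parse_request(payload)
        if parsed is None:
            findings.append(("info", src, dst, None, "non-Modbus payload sent to a PLC"))
            continue
        unit, fc, data = parsed
        inventory[dst][src].add(fc)
        name = FUNCTION_NAMES.get(fc, f"FC {fc}")
        if src not in KNOWN_CLIENTS:
            severity = "high" if fc in WRITE_FUNCTIONS | RECON_FUNCTIONS else "medium"
            findings.append((severity, src, dst, unit, f"{name} from a host outside the ICS client allowlist"))
        elif fc in WRITE_FUNCTIONS and not KNOWN_CLIENTS[src][1]:
            findings.append(("medium", src, dst, unit, f"{name} from {KNOWN_CLIENTS[src][0]}, which should only read"))
        if fc == 8 and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == DIAG_FORCE_LISTEN_ONLY:
            findings.append(("high", src, dst, unit, "Force Listen Only Mode: the device will stop answering"))
    return inventory, findings


if __name__ == "__main__":
    inventory, findings = triage(CAPTURE)
    for plc, clients in inventory.items():
        for client, codes in clients.items():
            owner = KNOWN_CLIENTS.get(client, ("UNKNOWN",))[0]
            print(f"{PLC_NAMES.get(plc, plc)} <- {owner} {client}: FC {sorted(codes)}")
    for finding in sorted(findings, key=lambda f: f[0] != "high"):
        print(finding)
```

The inventory alone answers the "who is accessing the ICS, from where" question, and on a flat network the first surprise is usually a corporate-subnet address in it. The function-code split matters because a read poll from an HMI is normal background, while a write or a diagnostics request from anywhere unexpected is the thing an operator needs to hear about; the same classification is what a Snort rule on TCP/502 would key on.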
46. Questions?
   chris.sistrunk@mandiant.com
   @chrissistrunk