SlideShare a Scribd company logo

BSidesAugusta ICS SCADA Defense

Download as PPTX, PDF
Chris Sistrunk
Chris Sistrunk

Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.

1 of 46
Chris Sistrunk, PE Sr. Consultant Mandiant
@chrissistrunk  Electrical Engineer  Mandiant, Entergy (11 years)  SCADA Expert  Loves Security  DNP3 User Group  Button Pusher but I like Blue
http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
What happens when you use nmap (or a fuzzer) on an ICS?
 Latin for “bulwark”  @jadamcrain and I started in April 2013  26 advisories / 32 tickets  24 DNP3, 1 Modbus, 1 Telegyr 8979  Aegis ICS Fuzzing Framework - OSS www.automatak.com/robus www.automatak.com/aegis
TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
 ICS/SCADA lags IT by 10-15 years  735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”  Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
Let’s take a step back and ask some questions:  What’s the risk if this device is compromised? ◦ Probability * Impact = Risk ◦ Check out my RTU risk score pres from S4x13  What is the ICS device talking to?  Does it uses serial or IP protocols…or both?  How do we defend unsecured protocols?  Is the physical security sufficient?  Will you be called at 2AM?
The answers to the questions tell you that you have to do something to protect the device(s)  What types of mitigations exist?  Which ones will you use? ◦ Defense in depth – more than one! ◦ Belt and suspenders!  When will they be deployed? ◦ The sooner the better!
 Software/firmware patches/device upgrades  Robust RTU/PLC and master configurations  Robust IP network configurations  ICS Protocol-aware network tools  Proper physical security  Employee awareness  Secure coding and SDL for Vendors
NERC/CIP? CFATS? ????
 If there is a software or firmware patch or hardware upgrade that’s out there that fixes a known vulnerability (such as DNP3, modbus) …GO GET IT  Properly test it before you roll it out  If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
 USE DNP3-SA! (application layer security) ◦ Correct master only talks to the correct RTU ◦ But it won’t protect against all “bugs”  Disable unused serial and network ports  Use a possible workaround (ex: auto restart)  Check the default settings ◦ DNP3 or other protocols may be factory configured ◦ If not used, disable them! ◦ ICS devices are on SHODAN  Many appear to have the same configurations
 What does SCADA stand for? ◦ Supervisory Control and Data Acquisition  What is the standard TCP port for modbus? ◦ 502  What are the 2 start bytes for DNP3? ◦ 0x0564  What year was STUXNET discovered? ◦ 2010  What ICS protocol did HAVEX malware use? ◦ OPC
 When possible, DISABLE functions that aren’t required in your production systems  DNP3 function code examples ◦ Cold and/or Warm Restarts (FC 13 & 14) ◦ Start/Stop Application (FC 17 & 18) ◦ Save Configuration (FC 19) old Activate Configuration (FC 31) new ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)  If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
 Segment your ICS/SCADA WAN ◦ Routers, Firewalls, DMZs, & VLANs ◦ This can help isolate the network when needed  Understand your network! ◦ The bad guys sure will  Use encryption and authentication ◦ Use DNP3-SA and TLS ◦ Remote access VPNs, radios, etc ◦ Look at IEC 62351 standard (dovetails with SA)  No ICS protocols on Corporate WAN
Examples of SCADA tools and Enterprise networks that understand ICS  Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets  IDS/IPS such as SNORT, Bro, CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint  Routers such as the Cisco CGR 2010  Field firewall w/ICS Deep Packet Inspection ◦ Secure Crossing and Tofino
 Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network  Security Operations Center ◦ Security Analyst(s) using a SIEM ◦ Log aggregation ◦ Anomaly and intrusion detection ◦ Indicators of Compromise (IOCs)  Security Onion (Linux distro)  www.securityonion.net
We in SCADA Security are in
1986
RTU Corp SCADAnet Is this happening in your ICS??? Your Company Cust 2 Inside cover of The Cuckoo’s Egg Internet Pump Plant 1 DMZ Cust 1 Hist Plant 2 HMI
 http://www.liquidmatrix.org/blog/2014/07/01/is-there- a-cuckoo-in-your-control-system/  tl;dr ◦ ≥1 person who really cares! ◦ Security Onion (or other NSM) ◦ ICS Honeypot (Conpot, etc)  Full Packet Capture (even serial)
So, Chris, why haven’t we seen many ICS incidents? You can’t see where you aren’t looking!
Put. NSM. In. Your. ICS/SCADA. NOW
 What is the proper amount of physical security? It depends…  If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?  Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6  Harden your external barriers  The better the defenses, the more time it buys you to respond
3/8” Mesh ASTM Grade 6 These may buy you extra time to respond
“Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
 Train your folks on ICS/SCADA security ◦ Security Conferences, several training classes available ◦ http://ics-cert.us-cert.gov/Training-Available-Through- ICS-CERT ◦ GICSP Certification  Security awareness is important  Have a questioning attitude  Report suspicious computer or personal activity/incidents ◦ Who do you call? ◦ Internal hotline, supervisor, SOC, etc ◦ ICS-CERT (877-776-7585)
 Ask your vendors for DNP3-SA if they don’t have it or are already working on it  Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack ◦ Positive Tests: FAT/SAT ◦ Negative Tests: Fuzzing (it’s not new folks!)
 DNP3 isn’t a special case. Other ICS protocols will see the same fate. Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…  You can defend your SCADA.  Early testing both slave/server AND master/client sides of the protocol are important!  Compliance != Security, but the culture is important.  Don’t count on the government to protect your critical systems…it’s your job.
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense

Recommended

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_Security
WillianMachadoFonsec
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 

Recommended

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_Security
WillianMachadoFonsec
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
Dam Frank
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
Scada security
Scada securityScada security
Scada security
sommerville-videos
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
Chris Sistrunk
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
Jan Seidl
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
TapOffice
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat Modeling
Dr. Anish Cheriyan (PhD)
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
Digital Bond
 

More Related Content

What's hot

DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
Dam Frank
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
Scada security
Scada securityScada security
Scada security
sommerville-videos
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
Chris Sistrunk
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
Jan Seidl
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
TapOffice
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat Modeling
Dr. Anish Cheriyan (PhD)
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 

What's hot (20)

DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
 
Scada security
Scada securityScada security
Scada security
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
ICS security
ICS securityICS security
ICS security
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat Modeling
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 

Viewers also liked

ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
Digital Bond
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
Lancope, Inc.
 
Notacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security ExpertsNotacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security Experts
James Arlen
 
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber AttacksProtecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber Attacks
Maurice Dawson
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overview
pgmaynard
 
Cyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control SystemsCyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control Systems
David Spinks
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Digital Bond
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
Digital Bond
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
Digital Bond
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...
AFCEA International
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
London School of Cyber Security
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.Shantanu Kumar Das
 

Viewers also liked (20)

ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
Notacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security ExpertsNotacon 7 - SCADA and ICS for Security Experts
Notacon 7 - SCADA and ICS for Security Experts
 
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber AttacksProtecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber Attacks
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overview
 
Cyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control SystemsCyber Security Threats to Industrial Control Systems
Cyber Security Threats to Industrial Control Systems
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security Solutions
 
Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...Defending Your Base of Operations: How Industrial Control Systems are Being T...
Defending Your Base of Operations: How Industrial Control Systems are Being T...
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.HoneyPot for Network Security - building and testing against exploits.
HoneyPot for Network Security - building and testing against exploits.
 

Similar to BSidesAugusta ICS SCADA Defense

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
Chris Sistrunk
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
Chris Sistrunk
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
EnergySec
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
csandit
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
Brian Proctor - GICSP, CISSP, CRISC
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Day4
Day4Day4
Day4
Jai4uk
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
Sylvain Martinez
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
NiMa Bagheriasl
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
Yehia Mamdouh
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
Nozomi Networks
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypots
Mohammad Reza Zamiri
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
Savvius, Inc
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
Nadun Rajasinghe
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 

Similar to BSidesAugusta ICS SCADA Defense (20)

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Day4
Day4Day4
Day4
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypots
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 

More from Chris Sistrunk

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
Chris Sistrunk
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
Chris Sistrunk
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next Decade
Chris Sistrunk
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Chris Sistrunk
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - Keynote
Chris Sistrunk
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat Analysis
Chris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
Chris Sistrunk
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS security
Chris Sistrunk
 
Dolla Dolla Bump Key
Dolla Dolla Bump KeyDolla Dolla Bump Key
Dolla Dolla Bump Key
Chris Sistrunk
 

More from Chris Sistrunk (11)

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next Decade
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - Keynote
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat Analysis
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS security
 
Dolla Dolla Bump Key
Dolla Dolla Bump KeyDolla Dolla Bump Key
Dolla Dolla Bump Key
 

Recently uploaded

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

BSidesAugusta ICS SCADA Defense

  • 1. Chris Sistrunk, PE Sr. Consultant Mandiant
  • 2. @chrissistrunk  Electrical Engineer  Mandiant, Entergy (11 years)  SCADA Expert  Loves Security  DNP3 User Group  Button Pusher but I like Blue
  • 4. What happens when you use nmap (or a fuzzer) on an ICS?
  • 5.
  • 6.
  • 7.
  • 8.  Latin for “bulwark”  @jadamcrain and I started in April 2013  26 advisories / 32 tickets  24 DNP3, 1 Modbus, 1 Telegyr 8979  Aegis ICS Fuzzing Framework - OSS www.automatak.com/robus www.automatak.com/aegis
  • 9. TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
  • 10.
  • 11.
  • 12.  ICS/SCADA lags IT by 10-15 years  735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”  Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
  • 13. Let’s take a step back and ask some questions:  What’s the risk if this device is compromised? ◦ Probability * Impact = Risk ◦ Check out my RTU risk score pres from S4x13  What is the ICS device talking to?  Does it uses serial or IP protocols…or both?  How do we defend unsecured protocols?  Is the physical security sufficient?  Will you be called at 2AM?
  • 14. The answers to the questions tell you that you have to do something to protect the device(s)  What types of mitigations exist?  Which ones will you use? ◦ Defense in depth – more than one! ◦ Belt and suspenders!  When will they be deployed? ◦ The sooner the better!
  • 15.
  • 16.  Software/firmware patches/device upgrades  Robust RTU/PLC and master configurations  Robust IP network configurations  ICS Protocol-aware network tools  Proper physical security  Employee awareness  Secure coding and SDL for Vendors
  • 17.
  • 19.  If there is a software or firmware patch or hardware upgrade that’s out there that fixes a known vulnerability (such as DNP3, modbus) …GO GET IT  Properly test it before you roll it out  If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
  • 20.  USE DNP3-SA! (application layer security) ◦ Correct master only talks to the correct RTU ◦ But it won’t protect against all “bugs”  Disable unused serial and network ports  Use a possible workaround (ex: auto restart)  Check the default settings ◦ DNP3 or other protocols may be factory configured ◦ If not used, disable them! ◦ ICS devices are on SHODAN  Many appear to have the same configurations
  • 21.
  • 22.  What does SCADA stand for? ◦ Supervisory Control and Data Acquisition  What is the standard TCP port for modbus? ◦ 502  What are the 2 start bytes for DNP3? ◦ 0x0564  What year was STUXNET discovered? ◦ 2010  What ICS protocol did HAVEX malware use? ◦ OPC
  • 23.
  • 24.
  • 25.  When possible, DISABLE functions that aren’t required in your production systems  DNP3 function code examples ◦ Cold and/or Warm Restarts (FC 13 & 14) ◦ Start/Stop Application (FC 17 & 18) ◦ Save Configuration (FC 19) old Activate Configuration (FC 31) new ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)  If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
  • 26.  Segment your ICS/SCADA WAN ◦ Routers, Firewalls, DMZs, & VLANs ◦ This can help isolate the network when needed  Understand your network! ◦ The bad guys sure will  Use encryption and authentication ◦ Use DNP3-SA and TLS ◦ Remote access VPNs, radios, etc ◦ Look at IEC 62351 standard (dovetails with SA)  No ICS protocols on Corporate WAN
  • 27. Examples of SCADA tools and Enterprise networks that understand ICS  Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets  IDS/IPS such as SNORT, Bro, CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint  Routers such as the Cisco CGR 2010  Field firewall w/ICS Deep Packet Inspection ◦ Secure Crossing and Tofino
  • 28.  Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network  Security Operations Center ◦ Security Analyst(s) using a SIEM ◦ Log aggregation ◦ Anomaly and intrusion detection ◦ Indicators of Compromise (IOCs)  Security Onion (Linux distro)  www.securityonion.net
  • 29.
  • 30. We in SCADA Security are in
  • 31. 1986
  • 32. RTU Corp SCADAnet Is this happening in your ICS??? Your Company Cust 2 Inside cover of The Cuckoo’s Egg Internet Pump Plant 1 DMZ Cust 1 Hist Plant 2 HMI
  • 33.  http://www.liquidmatrix.org/blog/2014/07/01/is-there- a-cuckoo-in-your-control-system/  tl;dr ◦ ≥1 person who really cares! ◦ Security Onion (or other NSM) ◦ ICS Honeypot (Conpot, etc)  Full Packet Capture (even serial)
  • 34. So, Chris, why haven’t we seen many ICS incidents? You can’t see where you aren’t looking!
  • 35. Put. NSM. In. Your. ICS/SCADA. NOW
  • 36.  What is the proper amount of physical security? It depends…  If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?  Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6  Harden your external barriers  The better the defenses, the more time it buys you to respond
  • 37.
  • 38. 3/8” Mesh ASTM Grade 6 These may buy you extra time to respond
  • 39. “Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
  • 40.
  • 41.  Train your folks on ICS/SCADA security ◦ Security Conferences, several training classes available ◦ http://ics-cert.us-cert.gov/Training-Available-Through- ICS-CERT ◦ GICSP Certification  Security awareness is important  Have a questioning attitude  Report suspicious computer or personal activity/incidents ◦ Who do you call? ◦ Internal hotline, supervisor, SOC, etc ◦ ICS-CERT (877-776-7585)
  • 42.  Ask your vendors for DNP3-SA if they don’t have it or are already working on it  Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack ◦ Positive Tests: FAT/SAT ◦ Negative Tests: Fuzzing (it’s not new folks!)
  • 43.
  • 44.  DNP3 isn’t a special case. Other ICS protocols will see the same fate. Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…  You can defend your SCADA.  Early testing both slave/server AND master/client sides of the protocol are important!  Compliance != Security, but the culture is important.  Don’t count on the government to protect your critical systems…it’s your job.