4. White-Box, Grey-Box, Black-Box Testing
White-Box: All information is provided up front
Grey-Box: Some information is provided up front
Black-Box: Zero information is provided up front
5. ICS Assessment Types
ICS Vulnerability Assessment
A passive review of documentation and opportunistic sampling of raw data (network capture, host information) to identify vulnerabilities and potential impact, or alignment to a set of standards across the ICS network(s).
ICS Penetration Test
A White-box or Grey-box active assessment where systems (devices, controls, configurations, protocols) are tested to identify vulnerabilities, exploitation potential, and security control effectiveness, typically working with the Blue Team.
ICS Red Team
A Black-box adversary simulation assessment where we evaluate the exploitation potential, detection capability and security control effectiveness when attacking a predetermined target or objective.
6. ICS Purple Teaming
Red Team + Blue Team = Purple Team
Cybersecurity Team, Engineering Team, Site Operations Team
7. ICS Purple Team: Role of the Blue Team
• Provide pertinent information which can help the Red Team progress through the network quickly and efficiently
8. ICS Purple Team: Role of the Red Team
• Communicate enumerations, attacks, network pivots and privilege escalations
• Assist the Blue Team in troubleshooting detection
9. ICS Assessment Specific Challenges
Safety & Reliability: Dangerous environments that require a culture of safety and have zero tolerance for downtime.
Communication: Operators want to know exactly what you are doing, when you are doing it, and have the option to shut it all down.
Specialized: Each ICS environment is unique with its own technologies and challenges.
Cultural: Engineering, Process Control, IT, Cybersecurity and trust issues.
11. A Tale of Two ICS Assessments
The Red Teaming Assessment
• Energy Company
• 24/7 SOC, SIEM, EndPoint, ICS Network Monitoring
• Objective: Pivot into any ICS network (there were dozens)
The Purple Teaming Assessment
• Energy Company
• Completed a multi-year cybersecurity program
• Objective: Pivot to a specific ICS network
12. Red Team Assessment
01 FOOTHOLD: Corporate Network
02 ESCALATION: Open File Share
03 PIVOT: SSH Tunnel
04 PIVOT: Credential Reuse
05 SUCCESS: ICS Network
13. Purple Team Assessment
01 FOOTHOLD: Mousejack
02 ESCALATION: LAPS
03 ESCALATION: Backup Service
04 PIVOT: AD VM
05 FAILURE: Only 1 Port Open
14. The Purple Team Advantage
01 Low Chance of Impacting Safety or Reliability
02 Testing and Tweaking Detections in Realtime
03 Leveraged OT and IT Team Knowledge
15. Purple Teaming and the ICS Specific Challenges
Safety & Reliability: Engineering and operations are actively involved, which reduces the overall risk.
Communication: Ongoing open communications with the operations team and daily update calls.
Specialized: Working with operators and engineers who understand the technologies and site-specific architecture.
Cultural: Building trust across the teams as they collaborate openly towards a common goal of cyber risk reduction.
Some in the cybersecurity industry refer to this as Purple Teaming (Red Team + Blue Team = Purple Team). In ICS, the capabilities of the Blue Team can vary wildly depending on the maturity of the organization. Some customers we work with are able to detect our attacks in real time, and we work with them to fine-tune their ICS detection capabilities. Other customers lack those capabilities and are interested in finding as many problems as possible in an effort to secure remediation budget. These teams often join our red team and provide insider information to maximize our findings. At the very least, constant communication with the customer about what activities are going on, and setting the expectation up front that they will be part of the assessment and critical to its success, is very important. Customers (usually) understand their network far better than we possibly could within the span of a one-week engagement, so recruiting them into your penetration testing team is very important. Customers enjoy the experience of taking an adversarial view of their own network and the opportunity to learn from ICS penetration testing experts. Building trust and a stronger customer relationship is often a byproduct of assessment work.
In my presentation, I will share some stories about our experience performing assessments and penetration tests against the ICS networks of Fortune 500 companies (names have been changed to protect the innocent) and emphasize the importance of a collaborative approach to ICS assessments rather than an adversarial one.
Dragos is a US-based software products company. We have a solution called the Dragos Platform which provides passive monitoring and visibility into ICS networks. Our product's secret sauce is its threat-based analytics, which are curated by our Dragos WorldView threat intelligence team, and its Playbooks, which provide guidance and a step-by-step triage methodology when ICS-specific threats are detected.
Austin Scott (GICSP, CISSP, OSCP) is a Principal in the Dragos Threat Operations Center (TOC) team and is focused on performing assessments, penetration tests and red teams within industrial control networks. Prior to Dragos, Austin worked as part of the industrial cybersecurity team at Sempra and as an industrial cybersecurity consultant at Accenture.
Austin is a published author with two books on PLC Programming:
Learning RSLogix 5000 – PACKT Publishing - ISBN 9781784396039 - 2015
PLC Programming RSLogix 5000 - PACKT Publishing - ISBN 1849698449 - 2013
Austin is a SANS Cybersecurity Difference Maker (2015) winner for his industrial cybersecurity contributions. In August 2018, Austin and his teammate won the DEFCON ICS Village HACK THE PLAN(3)T competition and were awarded the DEFCON UBER black badge.
The Dragos platform incorporates the intelligence from Dragos WorldView – ICS threat intelligence, and the Dragos Threat Operations Center - ICS threat hunting, assessments, incident response and hands-on training - so that the ICS security teams have access to the ongoing intelligence and latest experience of the Dragos team.
Cybersecurity assessment types are typically categorized in shades of boxes: white-box means all the data is shared prior to or during the assessment; black-box means none of the data is shared prior to or during the assessment.
Grey-box testing simulates an activity group that has already had access to an environment for an extended period of time. This is typically referred to as the activity group's dwell time in the environment.
An ICS vulnerability assessment is a passive review of documentation and sampling of raw data (network capture, host information) to identify vulnerabilities and potential impact, or alignment to a set of standards across the ICS network(s).
An ICS penetration test is a white-box or grey-box active assessment where systems (devices, controls, configurations, protocols) are tested to identify vulnerabilities, exploitation potential, and security control effectiveness.
An ICS red team is a black-box adversary simulation assessment where we evaluate the exploitation potential, detection capability and security control effectiveness when attacking a predetermined target or objective.
Blue Team: network defenders who monitor SIEMs and ICS visibility tools.
An ICS Purple Team is a collaborative assessment between the Red Team and the Blue Team rather than an adversarial assessment.
It is important to note that the ICS Blue Team is comprised of not just the ICS cybersecurity team (if one exists) but often also the site Operations team, Engineering team and IT team. It is nearly impossible to book all of these resources for an entire week-long or multi-week engagement, but it is sufficient to have them available at critical times or on call during the assessment.
Is Purple Teaming Cheating?
Some might argue that Purple Teaming is cheating a bit. Providing information that may or may not be available to an attacker does give the Red Team an advantage and does take some of the sport out of the exercise. However, there are often situations where a customer does not necessarily want the Red Team to produce many critical findings. For example, after completing a multi-year or multi-million dollar cybersecurity upgrade, the blue team may be looking for a way to show senior leadership a return on their investment. In my opinion, the ultimate goal of any cybersecurity assessment should be maximizing cyber risk reduction. If all parties involved are not working toward that common goal, I would consider that to be a lost opportunity to reduce cyber risk.
The Blue Team assists the Red Team with pertinent information which can help the Red Team progress through the network quickly and efficiently. This information could take an activity group weeks or months to figure out on their own, but is provided to the Red Team on the spot as required.
The Red Team assists the Blue Team by communicating the enumerations, attacks, network pivots and privilege escalations in real time.
Furthermore, the Red Team can assist the Blue Team in fine-tuning and troubleshooting their detection mechanisms by making recommendations for detection improvements and running the attacks multiple times.
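As an added example (not code from the original presentation, and not any vendor's detection content), here is the kind of rule a purple team would iterate on while the red team re-runs the credential-reuse pivot from the Red Team Assessment above: alert when one account logs on in the corporate zone and then in the ICS zone within a configurable window. The log lines, host addresses, account names and zone ranges are all constructed for illustration; the window is the knob the Blue Team tunes between runs.

```python
"""Cross-zone credential reuse detection with a tunable window (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed zone map; on a real site this comes from the network
# architecture (Purdue levels, DMZ boundaries), not from guesswork.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ics": ipaddress.ip_network("172.16.0.0/16"),
}

# Constructed, normalized logon events: a backup service account is used on
# a corporate file server, then 85 minutes later on an ICS host.
SAMPLE_EVENTS = """\
2019-03-12T09:14:03Z user=jdoe src=10.10.5.23 dst=10.10.5.23 result=success
2019-03-12T09:40:11Z user=svc_backup src=10.10.5.23 dst=10.10.7.8 result=success
2019-03-12T10:02:55Z user=svc_backup src=10.10.7.8 dst=172.16.1.40 result=failure
2019-03-12T11:05:47Z user=svc_backup src=10.10.7.8 dst=172.16.1.40 result=success
2019-03-12T11:06:02Z user=svc_backup src=172.16.1.40 dst=172.16.1.41 result=success
2019-03-12T12:30:00Z user=jdoe src=10.10.5.23 dst=10.10.9.9 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) result=(?P<result>\S+)$")


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_events(text):
    """Parse the key=value lines; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "dst": m["dst"],
            "ok": m["result"] == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_cross_zone_reuse(events, window_minutes):
    """Alert when an account logs on in the corporate zone and then in the
    ICS zone within the window. Failed logons are ignored, and each corporate
    logon triggers at most one alert. Returns (user, corp_dst, ics_dst, gap_minutes)."""
    window = timedelta(minutes=window_minutes)
    last_corp = {}  # user -> (timestamp, destination) of latest corporate logon
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        zone = zone_of(e["dst"])
        if zone == "corporate":
            last_corp[e["user"]] = (e["ts"], e["dst"])
        elif zone == "ics" and e["user"] in last_corp:
            prev_ts, prev_dst = last_corp[e["user"]]
            gap = e["ts"] - prev_ts
            if gap <= window:
                alerts.append((e["user"], prev_dst, e["dst"], int(gap.total_seconds() // 60)))
                del last_corp[e["user"]]
    return alerts


def compare_windows(events, windows):
    """Alert count per candidate window: the table a purple team looks at
    while re-running the pivot and deciding where to set the threshold."""
    return {w: len(detect_cross_zone_reuse(events, w)) for w in windows}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(compare_windows(evts, (30, 60, 120, 240)))
    for alert in detect_cross_zone_reuse(evts, 120):
        print("ALERT cross-zone credential reuse:", alert)
```

Against the sample, a 60-minute window misses the pivot because the red team waited 85 minutes between the file-share logon and the ICS logon; widening it to 120 minutes fires exactly once. Seeing that miss, and then re-running the attack after the change, is the "testing and tweaking detections in real time" advantage the slides describe.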
ICS Safety and Reliability
Safety & Reliability is of paramount importance within ICS environments.
Quite often there is a strong safety culture within ICS environments that must be aligned with. Any behavior that is considered unsafe can get a contractor barred for life from a site. Safety infractions can include:
Improper Personal Protective Equipment (PPE) for the area you are working (Safety glasses, H2S sensors, Steel Toed boots)
Not having the required safety training (H2S alive, Confined Space training, First Aid) to access a site
Wandering into restricted areas
Taking photos (as fire eye sensors can be triggered by a camera flash) without permission
Taking your phone or electronics in a Class I, Division 1 area (an area where ignitable concentrations of flammable gases exist)
Not holding hand rails when ascending or descending stairs
Touching industrial equipment without the authorization of the site Operators (touching ANYTHING without permission really).
Speeding in parking lots or site access areas
The site operations team and engineering team are very sensitive to the reliability of the system. Putting an ICS system into an unknown or unrecoverable state can:
Be dangerous to the people at the site
Damage equipment
Cause costly outages (each hour of downtime is sometimes measured in millions of dollars)
Performing any action that has even a remote possibility of tripping the process is out of the question. Most sites we work in do not allow us to introduce any packets into the ICS Purdue Level 1 or Level 2 networks. We have alternative "passive" methods of effectively collecting and reporting on data in critical ICS networks. We use "active" methods opportunistically, and only if we can guarantee the running process will not be impacted and have explicit permission from the site operations team.
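As an added example (not Dragos tooling and not code from the original presentation), the script below shows one passive method of the kind referred to above and in the ICS Vulnerability Assessment definition: it parses a packet capture offline, transmits nothing, and inventories which hosts issue Modbus/TCP requests to which unit IDs, flagging clients that use write function codes. The capture it analyses is constructed inline; the addresses and register values are made up, and the set of write function codes is taken from the Modbus application protocol specification.

```python
"""Passive Modbus/TCP inventory from a packet capture (added example)."""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Function codes that alter process state per the Modbus application
# protocol specification; anything else observed is treated as a read.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


def _ip(raw):
    return ".".join(str(b) for b in raw)


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_modbus_request(frame):
    """Return (client_ip, server_ip, unit_id, function_code) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
        return None
    ip = frame[14:]
    if ip[9] != 6:  # TCP only
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]
    # Requests go to the server port; the MBAP header is 7 bytes, then the PDU.
    if dport != MODBUS_PORT or len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None  # not Modbus, or a truncated/coalesced segment
    return _ip(ip[12:16]), _ip(ip[16:20]), unit_id, payload[7]


def inventory(pcap_bytes):
    """Map (client, server, unit_id) -> sorted function codes observed."""
    seen = defaultdict(set)
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_modbus_request(frame)
        if parsed:
            client, server, unit_id, fc = parsed
            seen[(client, server, unit_id)].add(fc)
    return {key: sorted(fcs) for key, fcs in seen.items()}


def write_findings(inv):
    """Every (client, server, unit_id, fc) where the client writes to the device."""
    return sorted((c, s, u, fc) for (c, s, u), fcs in inv.items()
                  for fc in fcs if fc in WRITE_FUNCTION_CODES)


# --- constructed sample capture (no real site data) -----------------------
def _frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _modbus(unit_id, pdu):
    return struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu


def build_sample_pcap():
    """One HMI reading two PLCs and writing one register, plus HTTP noise."""
    frames = [
        _frame("10.0.1.5", "10.0.1.20", 40001, 502, _modbus(1, b"\x03\x00\x00\x00\x0a")),
        _frame("10.0.1.5", "10.0.1.20", 40001, 502, _modbus(1, b"\x06\x00\x10\x00\x01")),
        _frame("10.0.1.5", "10.0.1.21", 40002, 502, _modbus(2, b"\x03\x00\x00\x00\x02")),
        _frame("10.0.1.20", "10.0.1.5", 502, 40001, _modbus(1, b"\x03\x14" + b"\x00" * 20)),
        _frame("10.0.1.9", "10.0.1.20", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1552380000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    inv = inventory(build_sample_pcap())
    for (client, server, unit_id), fcs in sorted(inv.items()):
        print(f"{client} -> {server} unit {unit_id}: function codes {fcs}")
    for client, server, unit_id, fc in write_findings(inv):
        print(f"FINDING: {client} writes (FC {fc}) to {server} unit {unit_id}")
```

On a real engagement the capture comes from a SPAN port or tap that the site team already operates, so nothing is injected into Level 1 or Level 2; the output is a list of who talks to which controller and who is able to write to it, which is what the crown-jewel discussion below needs. Responses (source port 502) and non-Modbus traffic are ignored on purpose, and the MBAP length check keeps a coalesced TCP segment from being misread as one request.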
If testing ICS Networks is so darn risky, why do it at all?
We perform assessments on ICS networks because activity groups are actively targeting them.
It does require careful planning, experience working in these environments and constant communication to be successful in these engagements. Sometimes we can find ways of mitigating risk, such as:
Testing in a lab / training environment where possible
Setting up a test environment or virtualized environment
Testing during an outage when possible
ICS Specialized Equipment
There are plenty of proprietary protocols, engineering tools, wireless and OT technologies that are unique to ICS. It is critical for the Red Team to understand these technologies and the risk they could pose to the operating assets and the company as a whole. During our assessment, we work with the Operations and Engineering teams to identify the crown jewel assets of a site. A crown jewel asset is a piece of equipment that is of critical importance to the safety, reliability or profitability of the site.
For example at an oil and gas site, if there was a critical vulnerability at a Disposal Well, the operations team is not likely to care as much as if there was a critical vulnerability at their Custody Transfer Metering Systems.
Communication is critical during an ICS assessment.
Reliability of the system requires careful planning and communication:
Test in a lab environment where possible
Test up to the edge of the ICS environment
Use more passive methods for information gathering / test offline where possible
Specialized: proprietary protocols, engineering tools, wireless and OT technologies.
Why would you do it if it's so risky? Because adversary groups are targeting those environments.