HITB Singapore [July 20-22 2020]

I am delighted to announce that I will give my brand new training at Hack in the Box Singapore in July

Please find all information including registration at the following link: https://conference.hitb.org/hitbsecconf2020sin/sessions/3-day-training-2-industrial-control-systems-build-break-secure/


This training is a progressive approach to Industrial Control Systems, with 3 words in mind:

  • BUILD (how does it work?)
  • BREAK (how to attack it?)
  • SECURE (what can we do about it?)

The idea is that attendees will have to create a small ICS setup with the provided hardware kit, then attack it, then understand how to secure it.

Key Learning Objectives

  • Understand Industrial Control Systems by DOING (programming a PLC, using ICS protocols, programming a SCADA)
  • Have a realistic CTF event the last afternoon to perform pentest on Windows AD, pivot to the ICS network, and hack the PLCs
  • Give a realistic vision of ICS, not only technical, that will allow attendees to work closely with ICS teams by having a common understanding and vocabulary

Who Should Attend

This training is mostly designed for IT security professionals who want to discover Industrial Control Systems, with a technical focus and an attack mindset. There are no specific prerequisites, but a basic technical knwoledge is required (tcp/ip, virtual machines, command line usage…).

Prerequisite Knowledge

Hardware / Software Requirements

  • Students need to bring a laptop capable of running two 64-bit virtual machines, I recommend 8Gb RAM and 50Gb disk space.
  • Students will be provided with a hardware kit (called “WhiskICS simulation platform”) that attendees keep after the training.

*The WhiskICS Student Kit

The WhiskICS student kit is a hardware and software kit that allows attendees to create their own simple ICS, attack it and secure it. At the core of WhiskICS are two main components:

  • An Arduino and several electronic components (LED matrix, 7-segment display, LEDs…) that emulate the real world. This is not attackable; it is only here to reproduce the “logic” of the real-world physics.
  • A Raspberry Pi PLC: by using a Raspberry Pi and Codesys runtime, it is possible to obtain a full-fledge PLC for a reasonable cost. Codesys is one the major manufacturer-independent automation software developer. It allows us to have a Raspberry Pi based PLC that shares its core code with other PLCs manufacturers like Wago, Schneider, …. This Raspberry PLC is connected to the Arduino, as well as a screen to act as a local HMI.
  • During the training, attendees will also connect this setup to a VM that will act as the SCADA software (Schneider IGSS trial version) to control & monitor the PLC.

As the name suggests, WhiskICS simulates a (very simplified) process of distillation, used in the whisky making process. Attendees will need to control valves, a heater and condenser to fill a whisky barrel; they will also perform attacks to impact the process reliability and quality.

Agenda – Day 1:

[BUILD] Introduction to ICS

  • A brief history of ICS
  • Vocabulary
  • The CIM model
  • Classic architectures
  • ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles OT vs IT

[BUILD] Introduction to the case study and the WhiskICS student kit

  • Short introduction to whisky making
  • Different steps and focus on distillation
  • Technical presentation of the WhiskICS student kit

[BUILD] Automation Basics & programming PLC

  • Introduction to automation (PID loop…)
  • Basic steps of programming a PLC
  • LAB: programming several examples on the student kit with Codesys IDE

[BUILD/BREAK] ICS protocols

  • General presentation of ICS protocols (fieldbus, supervision, data exchange)
  • LAB: exercises on analysis of network packet capture (modbus/tcp, OPC-UA)
  • LAB: Exchange data with the student kit PLC using modbus clients (serial & tcp) as well as OPC-UA client

[BREAK] Hacking the process

  • Short discussion on the difficulties of hacking a real process and presentation of research work on the topic (“easy button for cyber-physical ICS attacks” by Reid Wightman, “Rocking the pocket book: hacking chem plants” by Marina Krotofil and Jason Larsen).

[BREAK] Attacking the non-ICS part of the PLC

  • Presentation of PLCs internal architecture
  • Discussion about OS and middleware (codesys)
  • Presentation of vulnerabilities on standard interfaces (web, ftp, snmp…)
  • LAB: Identify & exploit exposed interfaces on the student kit PLC

[BREAK] PLC proprietary protocols

  • Presentation of Modbus 90 function used by Schneider PLCs
  • LAB: Use of specific exploits against Schneider simulators

[SECURE] An introduction to safety

  • Presentation of layers of safety, including SIS, physical safety…
  • Presentation of safety analysis methods and link to cybersecurity (SPR: Security PHA review)
  • LAB: Performing a SPR on a simplified HAZOP analysis of the distillation process

Agenda – Day 2:

[BUILD] Process supervision: SCADA and DCS

  • General presentation on supervision systems (SCADA & DCS)
  • LAB: Programming a SCADA software to interact with the WhiskICS student kit

[BREAK] Linking to corporate environments: Windows & Active Directory security

  • Presentation of Windows
  • Introduction to Active Directory
  • Credential management in Active Directory (NTLM, Kerberos..)
  • LAB: Exploiting a Windows vulnerability with Metasploit
  • LAB: Gathering credentials and pivoting to other systems
  • LAB: Gathering information from Active Directory (users, computers…)

[BREAK] SCADA/DCS specific vulnerabilities

  • Description of common DCS/SCADA vulnerabilities
  • LAB: Gathering interesting data from SCADA project files

[BUILD] Industry 4.0 & IIoT

  • Industry 4.0 genesis & use cases
  • Industry 4.0 technologies
  • Industry 4.0 & IIot communications protocols (LoRa, Sigfox, MQTT…)
  • LAB: Analysis of a MQTT network capture
  • LAB: MQTT pentest

[SECURE] ICS cybersecurity general approach

  • Leading ICS cybersecurity standards (NIST, IEC62443)
  • Open discussions on how to get it done!

Agenda – Day 3:

[SECURE] Data exchange between ICS and the outside world
[BREAK] ICS security assessments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: