I am delighted to announce that I will give my brand-new training at Hack in the Box Singapore in July.
Please find all information, including registration, at the following link: https://conference.hitb.org/hitbsecconf2020sin/sessions/3-day-training-2-industrial-control-systems-build-break-secure/
This training is a progressive approach to Industrial Control Systems, with 3 words in mind:
- BUILD (how does it work?)
- BREAK (how to attack it?)
- SECURE (what can we do about it?)
The idea is that attendees will have to create a small ICS setup with the provided hardware kit, then attack it, then understand how to secure it.
Key Learning Objectives
- Understand Industrial Control Systems by DOING (programming a PLC, using ICS protocols, programming a SCADA)
- Have a realistic CTF event on the last afternoon to perform a pentest on Windows AD, pivot to the ICS network, and hack the PLCs
- Give a realistic vision of ICS, not only technical, that will allow attendees to work closely with ICS teams by having a common understanding and vocabulary
Who Should Attend
This training is mostly designed for IT security professionals who want to discover Industrial Control Systems, with a technical focus and an attack mindset. There are no specific prerequisites, but basic technical knowledge is required (TCP/IP, virtual machines, command line usage…).
Hardware / Software Requirements
- Students need to bring a laptop capable of running two 64-bit virtual machines; I recommend 8 GB RAM and 50 GB disk space.
- Students will be provided with a hardware kit (called “WhiskICS simulation platform”) that attendees keep after the training.
The WhiskICS Student Kit
The WhiskICS student kit is a hardware and software kit that allows attendees to create their own simple ICS, attack it and secure it. At the core of WhiskICS are two main components:
- An Arduino and several electronic components (LED matrix, 7-segment display, LEDs…) that emulate the real world. This is not attackable; it is only here to reproduce the “logic” of the real-world physics.
- A Raspberry Pi PLC: by using a Raspberry Pi and the Codesys runtime, it is possible to obtain a full-fledged PLC for a reasonable cost. Codesys is one of the major manufacturer-independent automation software developers. It allows us to have a Raspberry Pi-based PLC that shares its core code with PLCs from other manufacturers such as Wago, Schneider, etc. This Raspberry PLC is connected to the Arduino, as well as to a screen that acts as a local HMI.
- During the training, attendees will also connect this setup to a VM that will act as the SCADA software (Schneider IGSS trial version) to control & monitor the PLC.
As the name suggests, WhiskICS simulates a (very simplified) distillation process, as used in whisky making. Attendees will need to control valves, a heater and a condenser to fill a whisky barrel; they will also perform attacks to impact the reliability and quality of the process.
Agenda – Day 1:
[BUILD] Introduction to ICS
- A brief history of ICS
- The CIM model
- Classic architectures
- ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc.) and their roles
- OT vs IT
[BUILD] Introduction to the case study and the WhiskICS student kit
- Short introduction to whisky making
- Different steps and focus on distillation
- Technical presentation of the WhiskICS student kit
[BUILD] Automation Basics & programming PLC
- Introduction to automation (PID loop…)
- Basic steps of programming a PLC
- LAB: programming several examples on the student kit with Codesys IDE
[BUILD/BREAK] ICS protocols
- General presentation of ICS protocols (fieldbus, supervision, data exchange)
- LAB: exercises on analysis of network packet captures (Modbus/TCP, OPC-UA)
- LAB: exchange data with the student kit PLC using Modbus clients (serial & TCP) as well as an OPC-UA client
[BREAK] Hacking the process
- Short discussion on the difficulties of hacking a real process and presentation of research work on the topic (“easy button for cyber-physical ICS attacks” by Reid Wightman, “Rocking the pocket book: hacking chem plants” by Marina Krotofil and Jason Larsen).
[BREAK] Attacking the non-ICS part of the PLC
- Presentation of PLCs internal architecture
- Discussion about OS and middleware (Codesys)
- Presentation of vulnerabilities on standard interfaces (web, FTP, SNMP…)
- LAB: Identify & exploit exposed interfaces on the student kit PLC
[BREAK] PLC proprietary protocols
- Presentation of the Modbus function code 90 used by Schneider PLCs
- LAB: Use of specific exploits against Schneider simulators
[SECURE] An introduction to safety
- Presentation of layers of safety, including SIS, physical safety…
- Presentation of safety analysis methods and their link to cybersecurity (SPR: Security PHA Review)
- LAB: performing an SPR on a simplified HAZOP analysis of the distillation process
Agenda – Day 2:
[BUILD] Process supervision: SCADA and DCS
- General presentation on supervision systems (SCADA & DCS)
- LAB: Programming a SCADA software to interact with the WhiskICS student kit
[BREAK] Linking to corporate environments: Windows & Active Directory security
- Presentation of Windows
- Introduction to Active Directory
- Credential management in Active Directory (NTLM, Kerberos…)
- LAB: Exploiting a Windows vulnerability with Metasploit
- LAB: Gathering credentials and pivoting to other systems
- LAB: Gathering information from Active Directory (users, computers…)
[BREAK] SCADA/DCS specific vulnerabilities
- Description of common DCS/SCADA vulnerabilities
- LAB: Gathering interesting data from SCADA project files
[BUILD] Industry 4.0 & IIoT
- Industry 4.0 genesis & use cases
- Industry 4.0 technologies
- Industry 4.0 & IIoT communication protocols (LoRa, Sigfox, MQTT…)
- LAB: analysis of an MQTT network capture
- LAB: MQTT pentest
[SECURE] ICS cybersecurity general approach
- Leading ICS cybersecurity standards (NIST, IEC 62443)
- Open discussions on how to get it done!
Agenda – Day 3:
[SECURE] Data exchange between ICS and the outside world
[BREAK] ICS security assessments