Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 11 (Review Questions)

Getting Started with ICOT Cyber Security: Review Questions

Introduction to the Course and Resources

• The final part of the "Getting Started" course for ICOT Cyber Security focuses on review questions that many may not know exist.

• The review questions can be found in a GitHub repository, which includes various resources such as eBooks and quick guides related to ICOT Cyber Security.

Accessing Review Questions

• There are 100 review questions available, divided into 10 parts with 10 questions each.

• An answer key is provided at the end of the document for self-assessment.

Importance of Cyber Security in Industrial Control Systems (ICS)

• The first unit discusses why cyber security is crucial in ICS, emphasizing the protection of critical infrastructure like energy and water services.

Key Concepts in OT vs IT Cyber Security

• Question one addresses concerns in industrial control environments, highlighting that physical safety is prioritized over data confidentiality, which contrasts with IT security priorities.

• In OT environments, physical safety comes first, followed by environmental safety and then uptime or site availability.

Notable Malware Attacks

• Question two references Stuxnet, a malware attack discovered in 2010 that targeted Iran's nuclear facility. It represents a significant moment where nation-states used cyber weapons against each other.

• Stuxnet was created by the United States and Israel to disrupt uranium enrichment without causing civilian casualties, marking a pivotal point in cyber warfare history.

Implications of Stuxnet on Global Cybersecurity

• The attack opened discussions about international cyber warfare norms; it demonstrated how one nation's actions could influence others' cybersecurity strategies.

Cybersecurity in ICS/OT: Key Insights

The Consequences of Cyber Attacks

• Discusses the lack of repercussions for attacking other countries, likening it to "Crossing the Rubicon," indicating a point of no return in cybersecurity ethics and practices.

Attack Framework for ICS/OT Assets

• Introduces an attack framework designed for targeting common Industrial Control System (ICS) and Operational Technology (OT) assets from vendors like Schneider and Omron, emphasizing its relevance in cybersecurity discussions.

• Describes this framework as akin to Metasploit but tailored for ICS/OT environments, focusing on leveraging existing system capabilities rather than exploiting vulnerabilities.

Pipe Dream Framework

• Explains that the Pipe Dream framework utilizes "living off the land" techniques, employing default system capabilities against themselves instead of relying solely on code vulnerabilities.

• Provides an example where systems like Schneider Electric or Siemens PLC can be exploited through their default services (e.g., SNMP), highlighting potential security oversights such as unassigned passwords.

• Mentions demonstrations by the DRO team at events like Defcon showcasing Pipe Dream's application in simulated attacks on facilities like water treatment plants.

Responsibility for Cybersecurity

• Addresses who is ultimately responsible for cybersecurity within a facility, asserting that asset owners bear this responsibility despite varying interpretations among stakeholders.

• Clarifies the distinction between asset owners and operators, using Dominion Energy as an example where they serve both roles in managing a power plant project.

• Acknowledges challenges faced by smaller ICS/OT environments lacking dedicated resources or personnel to manage cybersecurity effectively.

Notable Cyber Incidents

• Identifies Sandworm as the nation-state adversary group responsible for the Ukrainian blackout in 2015, linking it back to broader geopolitical tensions involving Russia and Ukraine.

Critical Infrastructure Sectors

• Discusses CISA's classification of critical infrastructure sectors, noting recent security incidents affecting their operations.

Critical Infrastructure and Cybersecurity Insights

Understanding Critical Infrastructure Sectors

• The speaker discusses the classification of data centers within critical infrastructure sectors, noting that while they play a vital role in daily life, they are not explicitly named as a sector.

• The defense industrial base is identified as a key sector involving contractors and subcontractors aiding U.S. government missions, highlighting its significance in national security.

Overlooked Aspects of Cybersecurity

Physical Security Concerns

• The discussion shifts to overlooked aspects of cybersecurity in IT and operational technology (OT), emphasizing physical security as a major concern often neglected by cybersecurity professionals.

• The speaker illustrates vulnerabilities in programmable logic controllers (PLCs), stressing that many do not recognize their susceptibility to attacks despite being critical assets.

• A scenario is presented where physical access to devices can lead to significant breaches, underscoring the importance of securing physical environments against unauthorized access.

Compliance vs. Safety

• In comparing IT and OT cybersecurity priorities, compliance is deemed the least important aspect; while necessary for safety, it does not guarantee protection from cyber threats.

• Emphasis is placed on the CIA triad (Confidentiality, Integrity, Availability), with compliance viewed as a supportive measure rather than an ultimate goal in ensuring safety and operational continuity.

Case Study: Colonial Pipeline Attack

Impact of Ransomware on Critical Infrastructure

• The Colonial Pipeline incident serves as a pivotal example of ransomware's impact on critical infrastructure; it forced one of the largest oil pipelines offline for about ten days due to an attack by non-state actors.

• This event marked a shift from nation-state adversaries targeting OT environments to ransomware groups operating independently but still linked to foreign entities like Russia.

• The attack was executed through phishing emails aimed at widespread infection across systems, demonstrating how easily vulnerabilities can be exploited if proper precautions are not taken.

Introduction to Industrial Control Systems and Cybersecurity

Overview of Recent Cybersecurity Incidents

• Discussion on the impact of a ransomware attack that took down the largest pipeline in the U.S., highlighting real-world implications such as gas shortages.

Understanding Field Devices in ICS

• Introduction to field devices within the Purdue model, focusing on their role at level zero.

• Explanation of sensors as common field devices, using thermostats as an example for continuous temperature monitoring.

• Description of PLCs (Programmable Logic Controllers) receiving data from sensors, emphasizing their importance in industrial control systems.

Data Historians and Communication Protocols

• Definition of data historians as Windows servers running SQL or Oracle databases to store operational data about environments.

• Clarification on engineering workstations used for programming PLCs, connecting either remotely or locally.

Security Measures for PLC Programming

• Discussion on securing PLC operations through key switches and run modes, noting misconceptions about their effectiveness against hacking attempts.

Vulnerabilities in Control Systems

• Identification of control systems running commodity operating systems like Windows and Linux as prime targets for attackers due to known vulnerabilities.

• Insights into how attackers exploit data historians by leveraging unpatched software vulnerabilities to gain access.

Common Programming Languages for PLCs

Programming PLCs: Common Languages and Protocols

Overview of PLC Programming Languages

• The most commonly used programming language for PLCs is ladder logic, which remains popular among programmers.

• Other emerging languages include structured text and function block diagram (FBD), with structured text being the most frequently mentioned in discussions.

• There are additional programming languages available, but the speaker expresses limited familiarity with them.

Control Systems Explained

Distributed Control System (DCS)

• A DCS coordinates operations across multiple systems at a single location, such as managing several thermostats in an office building from one central system.

Human-Machine Interface (HMI)

• An HMI serves as a graphical interface to monitor and adjust PLC operations, often featuring touchscreens that display process representations like conveyor belts.

Safety Instrumented System (SIS)

• The SIS acts as a fail-safe backup to safely shut down facilities during faults or emergencies, ensuring safety for personnel and equipment.

Cybersecurity Concerns in Control Systems

Data Historians as Targets

• Data historians are primary targets for attackers due to their use of common operating systems like Windows Server and Microsoft SQL Server, making them vulnerable if not properly secured.

Industrial Control Protocol Identification

• NetBIOS is identified as an IT protocol rather than an industrial control protocol. Traditional protocols include S7 and Modbus, which may operate on self-contained networks.

Transitioning to Security Measures

Introduction to Unit 3

Understanding the Purdue Model and Its Application

Overview of the Purdue Model

• The Purdue model is a framework that illustrates how IT (Information Technology) and OT (Operational Technology) systems interact within a secure network architecture.

• PLCs (Programmable Logic Controllers) typically reside at Level 1 of the Purdue model, with sensors positioned at Level 0 feeding data into them.

Levels of the Purdue Model

• Sensors are categorized at Level 0, while PLCs are found at Level 1, indicating a hierarchical structure in data flow.

• A DMZ (Demilitarized Zone), referred to as Level 3.5, exists between Levels 3 and 4 to enhance security between IT and OT networks.

Security Measures in Network Architecture

• Firewalls are essential appliances for creating an IT/OT DMZ; dedicated hardware firewalls from different vendors provide enhanced security against potential exploits.

• While using multiple vendors increases administrative overhead, it significantly improves overall network security.

Human-Machine Interface (HMI)

• HMIs are generally hosted at Level 2 of the Purdue model, controlled by PLCs which receive data from sensors located at lower levels.

Internet Connectivity in the Purdue Model

• According to the Purdue model, only assets at Level 5 should be directly connected to the internet, although realistically both Levels 4 and 5 may have connections.

ICS-Specific Malware Attacks

Case Study: Cybersecurity Breach

• The TCIS malware attack targeted safety instrument systems in a petrochemical facility in the Middle East, highlighting vulnerabilities due to lack of segmentation.

• Saudi Aramco has since improved its cybersecurity measures significantly following this incident, establishing one of the best ICS/OT cybersecurity programs globally.

ISA/IEC Standards for OT Networks

Logical Grouping of Systems

• ISA/IEC standard ISA 62443 emphasizes breaking down OT networks into zones based on functional groupings for better management and security.

Industrial Internet of Things (IIoT)

Definition and Implications

• IIoT refers to connecting OT assets to the internet; this connection allows for data analysis through cloud computing resources.

Cybersecurity Considerations and Asset Management

Importance of Physical Security in Cybersecurity

• The discussion emphasizes that cybersecurity teams often overlook physical security, despite its critical role in protecting the environment.

• Many professionals in cybersecurity do not view physical security as part of their responsibilities, which can lead to vulnerabilities.

Social Engineering and Information Security

• Question 10 addresses social engineering tactics used to obtain sensitive printed information, highlighting risks associated with careless disposal methods.

• "Dumpster diving" is identified as a method where attackers retrieve sensitive information from trash or recycling bins.

Asset Registers: Foundation for Security Controls

• Unit four introduces asset registers as essential tools for securing operational technology (OT) environments, providing clarity on what needs protection.

• An effective asset register should include hardware, software, and firmware details but exclude personnel records.

Building a Complete Asset Register

• Various methods for creating an asset register are discussed; these include physically walking through the environment and reviewing existing documentation.

• Active scanning of certain levels within the Purdue model is deemed inappropriate for building an IoT asset register due to potential risks.

Risks Associated with Physical Inspection

• Physically inspecting environments like power plants poses safety risks; this method is considered dangerous when building an asset register.

• Key properties typically included in an asset register are outlined, while unnecessary details such as invoice approvals are deemed irrelevant.

Completeness of Asset Registers

Understanding Network Changes and Asset Management

The Nature of Network Changes

• Acknowledges that network configurations are subject to change, emphasizing the importance of authorized modifications by technicians rather than unauthorized changes by attackers.

• Highlights that while Industrial Control Systems (ICS) networks change less frequently than IT networks, one should never assume a network is 100% secure or complete.

Asset Registers in ICS Environments

• Discusses the prevalent use of Microsoft Excel for maintaining asset registers, which document hardware, software, and firmware details within an environment.

• Stresses the importance of physically inspecting sites when building asset registers to ensure accurate data collection.

PLC Operational Modes

• Advises checking the operational mode of Programmable Logic Controllers (PLCs), specifically ensuring they are set to 'run mode' for security against unauthorized access.

• Notes that while being in 'run mode' may prevent malicious firmware uploads, it does not guarantee protection from remote programming changes.

Testing and Documentation Challenges

• Emphasizes the necessity of testing different PLC models due to potential gaps in documentation regarding their security features.

• Mentions that thorough checks on PLC key switch positions can be a time-consuming but essential task for maintaining security.

Active Discovery Tools and Vulnerability Management

ARP Cache Display on Windows Systems

• Explains how to display the ARP cache using command line tools on Windows systems, which helps identify IP addresses and associated MAC addresses within a network.

Active Discovery Techniques

• Introduces Nmap as a tool for active discovery in ICS environments despite its limited application at lower levels of the Purdue model.

Threat and Vulnerability Management Overview

• Transitioning into Unit 5 focuses on threat and vulnerability management differences between Operational Technology (OT) and traditional IT environments.

Importance of Asset Registers in Vulnerability Management

• Reiterates that asset registers are crucial for identifying vulnerabilities related to specific hardware and software versions present in an environment.

Risk Calculation Factors

Understanding Risk in Vulnerability Management

The Relationship Between Threats, Vulnerabilities, and Impact

• The concept of risk is tied to threats, which can include attackers (like nation-states or ransomware groups) as well as natural disasters (e.g., hurricanes or earthquakes).

• A vulnerability must exist for a threat to exploit it; however, the act of exploitation itself is not included in the risk equation.

• Evaluating impact involves considering both worst-case scenarios and typical outcomes within an environment.

• Probability assessment is crucial; this includes evaluating risks from various sources such as cyberattacks or environmental events affecting operational technology (OT).

• Overall risk calculation requires understanding how vulnerabilities affect IT systems and their potential cascading impacts on OT operations.

Phases in Vulnerability Management Lifecycle

• After addressing known vulnerabilities during the remediation phase, it's essential to verify that fixes were effective through rescanning or manual checks.

• Verification processes may involve checking registry entries or patch histories on systems to ensure issues are resolved.

Risk Classification Based on CVSS Scores

• A recently announced vulnerability with a CVSS score of 8.8 falls into the high-risk category, indicating significant concern for security teams.

• Understanding CVSS scoring helps prioritize vulnerabilities based on their severity levels—critical (9–10), high (7–8.9), etc.

Limitations of Traditional Vulnerability Scanners

• Traditional vulnerability scanners primarily focus on operating system vulnerabilities but often overlook web applications unless additional plugins are used.

• These scanners check for missing patches and security configurations but may not perform thorough scans of web applications by default.

• To effectively assess web application vulnerabilities, dedicated tools like Burp Suite are recommended instead of relying solely on standard IT vulnerability scanners.

Remediation Priorities in Operational Technology

• In OT environments, certain vulnerabilities may take longer to remediate due to operational constraints compared to traditional IT settings.

Understanding the Purdue Model and Its Implications for Cybersecurity

Update Frequency Across the Purdue Model Levels

• Updates to assets in the Purdue model occur with varying frequency, decreasing as one moves down the levels. Initial updates may happen monthly, while lower levels see infrequent changes.

• At level zero, field devices like sensors are rarely updated, contrasting with higher levels where updates are more regular.

Vulnerabilities and Remediation Priorities

• The last vulnerabilities to be remediated typically reside at level zero of the Purdue model, such as pressure sensors that are less frequently updated compared to systems exposed directly to the internet.

• Systems like Windows or Linux data historians in IT DMZ require timely updates due to their exposure.

Active Scanning Suitability by Level

• Level one of the Purdue model is generally not suitable for active scanning due to potential risks associated with older environments and PLC stability concerns.

• In contrast, IT environments allow frequent active scanning without significant operational impact.

Indicators of Compromise (IoCs)

• Lower levels of the Purdue model do not receive immediate software or firmware updates because they are deeply embedded within networks, making them less accessible targets for attackers.

• Indicators of compromise include known IP addresses or file hashes linked to attacks; however, serial numbers do not qualify as IoCs since they pertain only to individual assets.

Sector-Specific Cyber Threat Intelligence Sharing

Understanding Information Sharing and Open Source Intelligence in OT Environments

The Role of ISACs in Cybersecurity

• Various Information Sharing and Analysis Centers (ISACs) exist to support different sectors, including automotive and AI. These groups facilitate the sharing of critical information regarding cybersecurity threats.

• Members of ISACs share indicators of compromise from their experiences, fostering a collaborative learning environment. However, many participants tend to be passive observers rather than active contributors.

Utilizing Open Source Intelligence (OSINT)

• Unit six focuses on using OSINT to assess Operational Technology (OT) environments for vulnerabilities, particularly concerning assets exposed to the internet that could be exploited by attackers.

Key Questions Addressed

1. Human Intelligence:

• The first question relates to intelligence gathered from confidential informants and spies, which is categorized as human intelligence.

2. Domain Name Information:

• WHOIS records are essential for obtaining detailed information about domain names and their registrations.

3. Host Lists Associated with Domains:

• DNS Dumpster is highlighted as a useful tool for retrieving lists of hosts linked to specific domain names.

4. Sensitive Organizational Information:

• LinkedIn can provide valuable insights into target organizations by revealing employee roles and technologies used within the company.

5. IC Protocol Identification:

• A discussion on identifying non-OT protocols reveals that HTTPS is not traditionally considered an IC or OT protocol despite its prevalence in modern web services.

Searching for Exposed Devices

Understanding Modbus and Incident Detection

Modbus Protocol and Network Searches

• The default port associated with the Modbus protocol is TCP 502, which is crucial for understanding network communications in industrial settings.

• To search for findings across an entire subnet range, use the command net: <range>, which retrieves assets within that specified network range.

Building Automation Systems and Honeypots

• The protocol associated with building automation systems is BACnet, a key acronym to remember in this context.

• Honeypots are intentionally vulnerable systems placed on networks to observe attacker behavior. They serve as both bait for attackers and tools for incident detection when compromised.

Incident Detection Techniques

• High-fidelity alerts from honeypots indicate potential security breaches; immediate response is necessary if they are triggered on internal networks.

• The use of image searches can help identify Human-Machine Interfaces (HMIs) exposed to the internet, although their numbers are decreasing, indicating improved security practices.

Pyramid of Pain and Indicators of Compromise

• According to the Pyramid of Pain, hash values are the most specific indicators of compromise (IoCs), providing definitive identification of malicious files.

• IP addresses and domain names can change status over time; thus, they may not always be reliable IoCs compared to static hash values.

Frameworks for Understanding Attacker Behavior

• MITRE ATT&CK framework helps defenders understand attacker tactics once they gain access to a system. It provides insights into techniques used by adversaries.

Types of Intrusion Detection Systems

• Network-based intrusion prevention systems (NIPS) actively prevent attacks while intrusion detection systems (NIDS) passively monitor traffic without taking action.

Intrusion Detection and Prevention in OT Environments

Network-Based Intrusion Prevention Systems

• Discusses the concept of network-based intrusion prevention systems (NIPS), emphasizing their role in detecting attacks and taking action, such as updating firewalls or blocking traffic.

Importance of Detection Over Prevention

• Highlights the preference for detection rather than prevention in Operational Technology (OT) environments to avoid blocking necessary traffic, which could lead to availability and safety issues.

Host-Based Intrusion Detection Platforms

• Explains that host-based intrusion detection platforms can alert on known malicious traffic and take steps to block activity, identifying options C or D as potential answers.

Understanding Hubs in Networking

• Clarifies that a hub broadcasts received packets out to all available ports, raising security concerns due to the visibility of network traffic when using sniffing tools like Wireshark.

Centralized Security Event Management

• Introduces Security Information and Event Management (SIEM) systems used for centrally storing security events and performing event correlation to identify suspicious activities requiring human investigation.

Benefits of SIEM Systems

• Emphasizes the importance of correlating events from multiple assets (firewalls, hosts, PLCs, etc.) for a comprehensive view of potential attacks rather than analyzing isolated events.

Logging and Collection of Security Data

• Discusses best practices regarding logging security event data, stressing the need for centralized archiving while acknowledging limitations in human analysis capabilities due to large volumes of data generated daily.

Human Analysis Limitations

• Points out that human analysts cannot manually analyze vast amounts of security event data effectively; automation is essential given the scale (e.g., 10 terabytes daily).

Open Source Honeypot Platforms

• Identifies "Teapot" as an open-source honeypot platform capable of simulating an Industrial Control System (ICS)/Operational Technology (OT) asset.

Threat Hunting Practices

• Defines proactive threat hunting as searching for signs of malicious activity within networks rather than waiting for alerts from installed tools.

Assumption of Breach Philosophy

• Advocates for assuming a breach exists within networks, highlighting the necessity for continuous monitoring and investigation into potentially harmful activities by either attackers or negligent employees.

Incident Response Fundamentals

Understanding Events in Incident Response

Understanding Cybersecurity Incidents and Responses

Event Context and Classification

• The login of an account (e.g., Mike's) on an engineering workstation is neutral without additional context; it could be legitimate or an attack.

• A security incident involving unauthorized access to sensitive data is classified as a breach, where attackers can access classified information not meant for exposure.

• Breaches are serious because attackers may take data without visible actions like file copying, highlighting the need for vigilance in monitoring access.

Risk Assessment in Malware Incidents

• When assessing malware spread from a maintenance laptop to other systems, risk classification depends on organizational context and operational impact.

• Multiple infected hosts increase severity; questions about operational impact and safety must be considered, especially in OT environments.

• While the situation might seem low-risk if operations aren't impacted, the spread of malware suggests a medium risk classification due to potential escalation.

Physical Safety and Incident Classification

• Any cybersecurity incident that risks physical or environmental safety is automatically classified as critical due to its potential consequences.

• Organizations prioritize physical safety; any suspicion of danger can lead to immediate site shutdown procedures to protect personnel.

Phases of Incident Response Process

Preparation Phase

• The preparation phase includes training for incident response team members, ensuring readiness before incidents occur.

Eradication Phase

• Resetting passwords and tokens occurs during eradication when an attacker is detected. This step aims to lock out unauthorized access effectively.

Lessons Learned Phase

• The final phase involves evaluating strengths and areas for improvement post-incident, emphasizing continuous enhancement of response strategies.

Communication During Incidents

Incident Response Communication Strategies

Importance of Controlled Communication

• Emphasizes the need to avoid broadcasting incidents to all employees, as many may turn out to be non-threatening.

• Shares an example where a suspected nation-state attack was actually just spyware, highlighting the importance of accurate communication.

Out-of-Band Communication

• Discusses the necessity of using out-of-band communication methods for incident responders, assuming attackers may have access to standard communication tools like email and internal messaging systems.

• Suggests using secure platforms (e.g., Signal) specifically for incident response communications to maintain confidentiality.

Incident Response Tools

• Introduces the concept of playbooks versus runbooks; playbooks are high-level guides while runbooks provide step-by-step instructions for incident response actions.

• Clarifies that both playbooks and runbooks can be useful but emphasizes the need for clear instructions during incidents.

Learning Tools for Incident Response

Engaging Learning Methods

• Mentions "Back Doors and Breaches," a card game designed by Black Hills Security, which serves as an effective tool for learning about incident response through tabletop exercises.

• Highlights "Threat Gen," an AI-based platform that creates dynamic scenarios tailored to various environments, enhancing understanding of incident response strategies.

Risk Assessments in Governance and Compliance

ISA 62443 Lifecycle Phases

• Discusses the ISA 62443 lifecycle phases, particularly focusing on risk assessment processes where organizations determine their risk tolerance levels.

• Explains that during the assess phase, organizations evaluate what they want to protect against—be it nation-state threats or more common risks like ransomware.

Grouping Systems and Security Levels

• Defines logical groupings of systems with shared missions into zones based on their interactions and functions within an organization.

• Identifies security level four as necessary when protection against nation-state adversaries is required, emphasizing resource allocation towards such high-level defenses.

Safety Instrumented Systems (SIS)

Understanding Security Levels in ISA 62443

Critical Issues and Security Levels

• The discussion emphasizes that any physical, environmental, or availability issue that could lead to harm or damage is classified as a critical issue, warranting the highest security level.

Assigning Security Levels in ISA 62443 Lifecycle

• In the assess phase of the ISA 62443 lifecycle, organizations determine desired security levels for zones; for example, aiming for a level three to protect against common threats.

• A practical scenario is presented where a manufacturing plant aims for security level two to guard against ransomware without concern for more sophisticated attacks.

Achieving and Determining Security Levels

• The process of determining current achieved security levels can occur during various phases: assess, design and implement, or improve.

• The speaker reflects on where the official assignment of achieved security levels occurs within the ISA framework but acknowledges uncertainty about specific details.

Addressing Risk: The Four T's

• Question six addresses risk management strategies known as the four T's: tolerate, transfer, terminate, and treat. It clarifies that tolerating risks should be minimal and only applied to negligible issues.

Cybersecurity Defense Strategies: The 5Ds

• In question seven regarding cybersecurity defense strategies (the 5Ds), it’s noted that while we can deter, deflect, and delay attackers, directing them is not considered a valid strategy.

Establishing Cybersecurity Policies

Importance of Cybersecurity Policies

• Effective cybersecurity begins with established policies authorized by top organizational authorities (e.g., CEO or CISO), outlining acceptable behaviors for employees and partners.

Enforcement of Cybersecurity Policies

• Enforcing these policies is crucial; without enforcement mechanisms in place, actual cybersecurity cannot be realized within an organization.

Regulatory Framework in Cybersecurity

Governing Regulations for Power Generation Entities

• Question nine highlights that regulations governing cybersecurity for electricity generation and transmission entities in North America are managed through NERC (North American Electric Reliability Corporation).

ISA 62443 Foundational Requirements

Secure Network Architecture Principles

• Question ten discusses foundational requirements from ISA 62443 related to secure network architecture. Key principles include restricting data flow between multiple zones within operational technology environments.

Zone Management in OT Environments

Understanding Communication Restrictions in Asset Security

Importance of Restricted Data Flow

• Allowing unnecessary communication between assets can lead to vulnerabilities. If an attacker gains access to one asset, they could exploit communication channels to compromise others.

• Emphasizes the need for authorization before conducting penetration testing on systems, typically from the asset owner or a representative like the CISO.

Penetration Testing Fundamentals

• Establishing Rules of Engagement is crucial for defining the scope of penetration tests, including which environments are tested (e.g., IT vs. OT).

• Common scenarios involve testing access into DMZ areas without breaching production environments.

Tools and Techniques in Penetration Testing

Payload Crafting and Exploitation

• Metasploit is highlighted as a primary tool for crafting payloads and launching exploits against vulnerable assets, particularly in IT contexts.

• The discussion includes how significant damage can occur in OT environments even without traditional exploits by leveraging default functionalities.

Understanding the IC Kill Chain

• The IC kill chain stages are outlined, with stage two focusing on attackers gaining access to the IC network after infiltrating IT networks.

Types of Penetration Tests

Black Box Testing

• Black box testing involves no prior information about the target environment, which can be risky; basic information should still be provided by asset owners.

Technical Aspects of Modbus Protocol

Enumerating Modbus Assets

• Specific Nmap commands are discussed for enumerating Modbus assets running on Port 502, emphasizing correct syntax and parameters.

Function Codes in Modbus

• The function code for "recoil" is identified as one, highlighting its relevance within Modbus operations where coils and registers store information.

Fuzzing as a Vulnerability Assessment Technique

Fuzzing Overview

Understanding Password Attacks and Web Vulnerabilities

Word List Attack Explained

• A word list attack involves using a pre-compiled file of potential passwords to attempt unauthorized access to a target asset over the network.

• This method typically utilizes a text file containing common passwords, such as the top 500 most frequently used passwords, to try logging into systems like PLCs.

Directory Traversal Vulnerability

• Directory traversal is a web application vulnerability that allows attackers to access files outside the web app's root directory.

• This vulnerability can enable an attacker to execute commands on a server, potentially gaining significant control over the system.

Importance of HMI in ICS Security

• Human-Machine Interfaces (HMIs) are increasingly running as web applications, making them susceptible to vulnerabilities similar to those found in traditional web apps.

• The graphical interface of HMIs often operates through web pages hosted on servers, which can be exploited if not properly secured.

Targeting Web Services in OT Environments

• In Operational Technology (OT), data historians are primary targets for attacks; however, HMIs and their associated web services should also be prioritized due to their overlooked security vulnerabilities.

• Many organizations may neglect patching Windows-based HMIs while focusing on other systems, increasing their risk exposure.

Course Conclusion and Acknowledgments