An Intro to Hacking Industrial Control Systems…In Order to Better Defend Them
Last year the largest hacker conference in the world, DefCon, experienced something for the first time: an Industrial Control Systems Village. Villages are specialized areas within the conference, dedicated to a portion of cyber security. This village was dedicated purely to hacking Industrial Control Systems (ICS) as a way to better understand their weaknesses and thus identify better ways to protect them. Throughout DefCon, thousands of hackers and security experts from all over the globe came running to the ICS Village. They hoped to fulfill their Hollywood-inspired dreams of hacking traffic control systems, exploding chemical production facilities, backing up the sewage to their ex’s house, or who knows what else.
They were greeted with a water filtration system plant on one wall, a small army of miniature robot arms and switches, a home-automated brewery, and more. Exuberant, they sat down and plugged into the Programmable Logic Controllers (PLCs) that controlled them…and scratched their heads.
They had direct access to devices that controlled an array of robots, switches, pumps, valves, and filters, and they weren’t sure what to do. They ran Nmap and scanned every port for openings, and searched for known exploits in Metasploit, but these devices befuddled them.
As those of us that were running the ICS Village prepared for this year’s DefCon, we contemplated how we could help attendees get started. Last year taught us that, for many, ICS environments were somewhat alien. So, I decided to give a presentation in the village that would introduce them to the world of hacking and protecting Industrial Control Systems in a language we can all understand: Star Wars.
Thus…(Cue John Williams)…“ICS Sec for n00bz: An Introduction to ICS Hacking by Attacking the Death Star” was born.
The premise:
Did you know there are hackers in Star Wars? They’re called slicers. Slicers are so similar to hackers that once, an anonymous slicer even told Lord Vader not to use his pet’s name for a password. For two half-hour sessions in the ICS Village, I became a slicer instructor to a select group of Rebel Alliance fighters. After all, wouldn’t it be better to hack the Death Star than to send our last X-Wing fighters into a death trap?
As you might imagine, something as awesome as the Death Star is made up of many Industrial Control Systems. Industrial Control Systems are computer systems that control industrial facilities and operations: electricity generation, building automation, weapons systems, and so on. Oil and Natural Gas is an excellent example, but we have no intelligence that there are oil refineries aboard the Death Star. Control Systems are the computers and devices that make those facilities work. The androids that build more androids and AT-AT walkers, HVAC aboard the Millennium Falcon and your X- or Y-Wing, shield generators, hyperdrives – all these things are controlled by Industrial Control Systems.
In the presentation, I introduce the basic elements of an ICS network and how the components interact with each other. We look at an ICS network diagram retrieved from the Empirical database, compiled from the ISA95 and ISA99 documentation. Many Bothans died to get this information…(Just kidding, this is a real thing. Look it up.)
Perhaps more important than the technical jargon and protocols, however, is the thought process that must go into attacking an ICS network in order to better secure it.
First, gaining access: in many ways, an ICS network is like going back in time a couple of decades. Vulnerabilities and practices that we might have thought were abolished have just been chased into the ancient underbelly of industrial controls. These old systems may still have hard-coded passwords written into the firmware that you can’t disable, clear-text communications, all ports left open by default, a complete lack of authentication, and more. Sometimes the software’s own manual can be your best penetration-testing tool.
But what do you do once you get into a control device? That all depends on your ultimate goal…and along with understanding the vulnerable pathways to access, understanding what a hacker wants to do is incredibly important to securing against that outcome. In the presentation we look at the goals of potential ICS hackers. Is the intrusion for industrial espionage? Maybe you should just copy their code and keep a silent eye on their production process – unless you want to sabotage a competitor so you can release a product first. In that case, you might gradually alter the number of degrees a robot arm is rotating, so it starts destroying its own process and puts them behind schedule. Or you might put significant wear on a cooling fan or change the desired temperature so a process overheats, destroying products or damaging production facilities. Are you a state-sponsored actor, such as a Rebel Alliance slicer trying to destroy the Death Star, or an Empirical Storm Trooper tasked with defending it? We look at motives behind those intrusions and others in the presentation as well.
You can see a few minutes of the talk below, or ask the DefCon team for the full video if you’re interested.
You can also download the full presentation by clicking here – and if you have questions or want to engage in dialogue on any of it, you can drop me a line at kturner@isightpartners.com
Take a read through the slides, watch the presentation, and let’s talk.
The post ICS Security for Noobz…from DefCon 23 appeared first on iSIGHT Partners.