A lot has been said about the effectiveness of awareness training recently. While Training and awareness are necessary to build a solid foundation, practicing with real tools and hardware elevates your knowledge and hones your craft. As part of my series about ‘The Rack‘, I cannot stress enough the importance of practice. For example, take a lineman, as a lineman you start as a journeyman. Until you have enough practice and experience then you can work your way up to become a master. You cannot simply take enough training classes to go from journeyman to master, you must learn through experience and practice.
I spent many years, all the way back to my high school years, just spending hours with tools to see how they work, and then trying them out on as much as possible. In the early years my family was most of the guinea pig. When I was playing with ettercap with in the first few times, after changing images in web pages, I took it up to doing more complex things and then one day my sister got very mad when I was replying to her AIM messages for her.
Recently I’ve been researching a lot of tools that are coming out and their applicability into control systems, at any chance I get I test, test and test until I felt comfortable with the tools. Then once given the opportunity to run the tools inside a control system lab, I have a list of everything I want to test to see how things react. This step was very educational, as it will show what you might be able to run on a production system and what you can’t.
One of the hardest parts about Control Systems assessments it the devices themselves. They are sensitive to most types of scans, with weak IP stack implementation and limited memory of the devices to maintain a large connection table just as examples.
It is very important for us to practice the tools that we use to see what the response is going to be from a device, to see what possible issues might arise, and what can be done to prevent devices from failing during an assessment. This will make your assessment go easier, and make the control system operators more comfortable with you being around.
Having a dedicated lab to practice tools is a must in this day in age. When it comes to embedded devices like PLCs these devices should be tested on by the assessment team. For a lot of consultants and people trying to get into the control system assessments this is difficult to do, as these labs are expensive to build and maintain. Most other systems can be tested in VMs as long as you can make it resemble what you will see as close as possible.
If a lab environment for the devices is not available, it’s best to know what each device is, how it functions and what its purpose is. With knowing this it will make it easier to assess the devices with a given tool. That’s not a replacement for being able to test the devices and practice the tools, but it will help to some extent. For example, if you see a SEL 2030, you might want to know exactly what it is, and how it functions. This will help the assessment and help reduce risks of errors while doing the assessment.
When doing an assessment the last thing you want to be doing is questioning yourself, because then the others will start questioning you too. The last thing you want to hear while on an assessment is comments about how can you even assess something if you don’t know what it is, or how the tool works. Practicing whenever you can, it will greatly help you in the assessment and will help gather greater results in the assessment. It will help you gain the confidence you need to know how a device will behave and what kind of results you should be getting from devices.
Image from JustJoeP