Last Monday was a busy day for Digital Bond and volunteers at S4x14 setting up the ICS Village. It started with laying out and setting up the networks that conference attendees would use to reach the devices inside the ICS Village. As shown in previous blogs, four separate zones were built into the ICS Village network. A corporate zone was put into place to simulate a typical corporate network communicating with the various other zones, for example through an FTP process that was uploading a file to the ICS DMZ Zone. The ICS DMZ and Control Center Zone had communications to the Field Zone.
This year Digital Bond implemented a new wireless network to help support the ICS Village and to give more users the ability to get to the ICS Village all week long, especially during the sessions in the ballroom at Kovens Conference Center. Digital Bond had more than 300 meters of Cat5 run to various parts of the conference center to ensure wireless coverage during the week. We were expecting most people to want to use the wireless to reach the devices in the ICS Village zones. The wireless networks were up and running on Tuesday morning when people started showing up, and it was not long before we started seeing people on them attempting to get to the devices within the networks.
Belden delivered a Hirschmann Switch that was used within the Control Center zone, as well as a Tofino Firewall that was put into place inside the Field Zone in front of a PLC. While this firewall was in place, attackers were prevented from determining the vendor of the product behind the Tofino Firewall and were restricted from viewing which Modbus function codes were available.
At the center of the four zones was a Checkpoint Appliance acting as a firewall with typical firewall rules for the first day and a half of the ICS Village. This allowed ICS Village Sponsor Checkpoint to showcase some of their ICS-specific capabilities within the appliance. It also allowed the users of the ICS Village Corporate network to see what they could do in a normal attacker scenario. However, if you only wanted to see what the ICS Village Field Zone, or any other zone for that matter, looked like from the same subnet, you could have plugged straight into that network. We had around 20 people who plugged into the ICS Village Field Zone network for anywhere from 15 minutes to 2 hours at a time.
At lunch on Wednesday the 15th there was a ‘management’ decision to open up the firewall to allow troubleshooting of issues within the ICS Village Corporate network to all the zones within the ICS Village. After this was discovered we saw peak usage of the ICS Village wireless networks. At one point there were 68 users on wireless in the conference room at Kovens, with the most active user sending over 12Gb of traffic to the ICS Village zones.
Tenable, as an ICS Village Sponsor, was present in the ICS Village and was performing Nessus scans that could have been used to cut down on the amount of recon that would have needed to be done on the four ICS Village zones. During the scans Tenable performed we saw around 3Gb of information flowing from their laptops across the wireless networks. Tenable collected information about systems, such as known vulnerabilities, as well as fingerprints of the ICS devices that were present within the network zones. You can read more about their findings at Tenable’s blog.
S4x14 Sponsor Cisco (Sourcefire) was also present in the village; they had deployed IDS sensors within the village networks to capture data and alert on malicious attacks that were seen. As shown, they saw a variety of traffic that would have been suspicious, such as VNC, FTP, and RDP. Traffic that was sent across the ICS Village networks was used to show the vendors that were present what kind of data might be sent against ICS-specific devices in different levels of attack. It also gave the vendors a good chance to test out some of their ICS-specific functionality.
Overall, this year provided many challenges as Digital Bond expanded the ICS Village and the network infrastructure to support it. Without the ICS Village Sponsors Checkpoint and Tenable, as well as the Volunteers who dedicated time to help with the ICS Village, it would not have been as big a success as it was. If you have any feedback that you would like to provide, feel free to contact me or anyone else here at Digital Bond. We hope to get more ICS vendors involved next year in adding and supporting their offerings in the ICS Village.