S4x15 Video – The Pragmatic Pwn of ICS

Bryan Singer and Lily Glick start off the S4 Technical Sessions with a great presentation they named The Pragmatic Pwn of ICS. They focus on the engineering aspects of a cyber attack and the defense of a process using a distillation column (making 80 proof vodka) as an example.

They describe a Process Hazards Analysis (PHA) and introduce the concept of a Cyber Security Process Hazards Analysis (CS-PHA). “A PHA establishes criticality, but likelihood only from entropic failure”. A CS-PHA would include directed threats as well.

Some rarely heard but important points made in this presentation include:

  • Properly designed systems will have mechanical devices/processes that will prevent certain hazards (explosion in the column due to too much steam), even if a cyber attacker has complete control.
  • Manual process can be hacked if you know the system well. Trigger alarms that cause the operators or technicians to take the manual action you want taken.
  • Manual verification of true status before potentially dangerous control actions are taken can be an effective defense.
  • Operator rounds can be a detection security control.

There are a lot of gems in this session worth watching for those who generally focus on ICS hacking.

S4x15 Mini Keynote … Now What?

Here is my short, 13-minute introduction to S4x15. After going into a brief review of S4x12, x13 and x14, it covers the theme of S4x15 and where ICS security research is heading.

Assume an attacker has gained a presence on the ICS, such as gaining control of a computer or finding a way to connect to the ICS network.

  • What could and would an attacker do?
  • What can a defender do?

This moves the discussion from a “hacking” focus to engineering and automation. The “hacking” continues to be the easiest part of an ICS attack. What an adversary does after gaining control of a cyber asset is a much more difficult project than the common “I can take down …” bravado that is often read.

Engineering and automation also offers great opportunities on the defensive side, particularly on reducing the consequences of a cyber attack.

Admittedly this moves the ICSsec research community further out front of the ICS community, and there is a concern that we may be outrunning our supply lines. However, if we keep doing “research” on known and solved issues we will lose the best researchers and not be ready when the ICS community comes to the realization this is a problem that can be and needs to be solved.

One final thought that I’ll write more about later. While the ICS security researchers and thought leaders need to press forward, there is a huge and growing need for the typical ICS security conferences and training programs that the S4 attendee has little interest in. The ICSsec 101 needs to be taught to large numbers of people, and scaling these learning activities up is likely to be a major problem.

  • Critical Intelligence

S4x15 CTF Winners, Drone Footage & the SCADA Diva

Stephen had an article yesterday on the ICS Village / Capture The Flag (CTF) competition at S4x15. We also will be putting up a page with more info on the flags, techniques and pcaps in the next week. In the meantime, check out the interview with the winning team.

 

The Classic S4 Cocktail Party on Wednesday had an area where you could try piloting a drone. There was a larger drone overhead recording the party on the Kovens deck.

 

Finally, the SCADA Diva mantle has been passed from S4x14 winner Ronnie Fabela to the new SCADA Diva … Chris Sistrunk. He was awarded the ceremonial pink hard hat and all of the other perks that come with the office. Bonus points are awarded for on-site pictures with the hard hat. Of course based on long standing tradition, Chris will select the next SCADA Diva at S4x16.

SCADA Diva

S4x15 Capture the Flag

ffc-capture-the-flag-400x400

This year at S4x15, Digital Bond set out to create an ICS  Capture The Flag, or CTF. Flags were created to simulate real world situations that an attacker would encounter if he targeted an ICS. By the end of the CTF, there were over 30 teams playing. Most of the teams consisted of a single player, however the top scoring teams had multiple team members.

An example of an easy (100 point) and more general forensics flag was to identify the potentially infected machine on the Corporate Zone.  To do this you needed to visit the GigaView TAP Aggregation Switch that Digital Bond had placed within the ICS Village. (A big thanks to Liam Randall at Critical Stack for providing this for our use in the ICS Village.) Once you collected some traffic, you needed to find a host that was trying to perform a DNS lookup of a known malicious site.

Two more flags were related to this infection inside of the Forensics section of the CTF scoreboard. Below is the traffic you would be looking for and once you found this traffic, the host name was the flag

BLOG_DNS1

Another flag  that had good feedback from contestants required reading values from a PLC on the network. There were two flags hidden in the Holding Registers of a Modicon PLC. The first one was found in Holding Registers 23 to 33. These values were stored in these registers were decimal representation of ASCII Characters. Depending on the tool you were using this could take some work on converting the numbers found in the registers to ASCII; however, some Modbus Scanners would convert this right out of the box which made it easier for some.

BLOG_MODBUS2

In the same Modicon PLC, there was a flag that consisted of a series of Boolean registers that one needed to convert the binary 1’s and 0’s into ASCII. This flag was rewarded with a higher point value than the other Modbus read flag, as it took more time to concatenate the information back together and convert it to ASCII. Below shows a screenshot of the Holding Registers that were configured with the some of the Boolean values that made up the flag.

BLOG_MODBUS1

A BACnet Flag was hidden inside of an actual BACnet device and could be found on the Internet. There were many different techniques teams used to capture this flag. Some teams downloaded and tried multiple tools, while other teams attempted to modify Digital Bond’s Redpoint script to collect more information to find the Flag. In this case, the Flag was found within the Object Name of an Analog Input inside of the BACnet controller. The Flag is shown below; to find this Flag you would have to read the descriptions of the analog points to know that this Object name was the proper string for the flag.

BLOG_BACNET1

One Flag (1000 points) proved to be quite difficult, and only one team was able to capture it. This flag was the only 1000 point flag that was found without bending the rules (looking at you team Foobar), and was in the Forensics category. This flag involved using some reverse engineering skills as well as a few hints that were handed out by the judges during the CTF. On the FTP Server in the Corporate zone, there was a Firmware file in a .hex format. In this case, it was a SREC format file. After the team was able to dissemble the file, they were left with assembly code. It was no small task running though the code to find the flag as the flag was hidden inside of an add instruction as shown below. The hex value 0x4841434b then converts to HACK which was the flag.

flag_in_hex_simple

At the end of the S4x15 CTF, 10 of the 42 Flags were not captured. This is not unusual for a CTF. Out of the remaining flags, some of them were focused around 0-days inside of the ICS based products that were inside of the ICS Village CTF Network. However some of the flags were just overlooked and the judges didn’t give out hints to those flags. Here is the final scoreboard as we shut down the flag submissions:

scoreboard_image13

Over three days the CTF changed leaders a few times with a final result of a team made of Swedes and one Canadian won. Team Foobar won with a final score of 11200 points. The top 10 teams (of which there is single player teams) are as follows:

scoreboard_image12

A big thank you to our sponsors Cisco and mGuard, as well as Checkpoint and Belden for providing hardware for the ICS Village. Without their help, the ICS Village CTF would not have gotten where it did this year. Once again, thanks to all those who played, and we look forward to once again improving the ICS Village next year.

S4x15 OTDay Presentations Are Up

cigarlogofinalWe have posted the presentations from Tuesday’s Operations Technology Day (OTDay) of S4x15. The purpose of OTDay is to provide very practical information on how to apply mission critical IT technology and processes to OT.

There were 150 people in attendance for this bonus day / early start to the week.

In addition to the OTDay sessions, the ICS Village opened and the Capture The Flag competition began. Sponsors all had tabletop displays lining the bustling main hallway.

The event was capped off with the Welcome Party sponsored by PFP Cybersecurity and Waterfall Security Solutions. It was a Cuban themed party with cigar rollers, mojito’s, Cuban food, domino contests, and absolutely perfect weather this year.

Friday News and Notes

Letter FGet your S4x15 Hotel Reservation at The Surfcomber today or tomorrow. They still have rooms for Tuesday through Friday nights at the $249 conference rate. The non-conference rate is $529.

We are in the fourth and final tier of S4x15 registration. Seats 151-190 and they are going fast. 36 seats left at the time of this writing.

I’ve been heads down writing assessment reports, so haven’t had time to comment on the attack on Sony Pictures. Probably a good thing as I would have just added to much of what has been mostly speculation without facts. The most relevant aspect to ICS to watch is the response. We better understand the expected response to an actual war, in Thomas Rid’s definition. How companies and countries will react to attacks by ICS cyber weapons that cause economic damage, environmental damage and perhaps minimal loss of life is a wild guess at this point. How many people would have predicted capitulation if you ran the Sony Pictures scenario past them before it occurred.

The more relevant attack news this week came from a German BSI report on ICS attacks in Germany and neighboring countries. (Thanks to Stephan Beirer of GAI NetConsult for the tip and translation.) They discuss some incidents related to Havex, but the most interesting is the attack that damaged a steel plant. It was from the easy to accomplish attack vector of spearphishing people who have remote access to the ICS. “The results were massive damage to the system” (translated).

Less attention has been paid to the disturbance in the Austrian power grid covered in Section 3.4.2 of the BSI report. “The failure was probably due to a Control command issued during the commissioning of a gas system in Southern Germany … triggered errors and also reached Austrian power grid. … This caused major disruptions to Instrumentation and control system for network control. … The grid stability could during the incident be ensured only with great effort.” (translated) We are trying to find someone to speak to this report at ICSage and would appreciate any tips or referrals.

Friday News & Notes

SCADA Security NewsThe big story of the week was from Bloomberg’s Robertson & Riley: Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era. While the headline isn’t correct, the sourcing is anonymous and some of the technical conclusions are wrong, this is a great example of what cyber weapons may be used for in the future. There may be, and I’d argue will be, many uses of ICS cyber weapons that will not be “war”. I’m looking forward to these discussions at ICSage.

The US House and Senate passed some cybersecurity legislation this week. It will have little impact on critical infrastructure / ICS security, but now the Representatives and Senators can say they did something. It is truly sad if Rep. Meehan is correct in saying, “S. 2519 is the first significant cyber legislation in a decade and among the most important legislation that has been passed this Congress.” You can judge for yourself. Here is the House write-up of the benefits of S.2519 National Cybersecurity Protection Act.

Bedrock Automation has been in semi-stealth mode, if there is such a thing. They have been positioning a “clean sheet of paper” approach to ICS and ICS security. Building a new system from scratch. Details have been and are still very limited, but they released a white paper this week.

Adam Segal from the Council on Foreign Relations published The Top Ten Cybersecurity Incidents in China of 2014.

Not sure exactly when this was published in 2014, but also worth reading is Chris Valasek and Charlie Miller’s A Survey of Remote Automotive Attack Surfaces.

The US Dept. of Homeland Security (DHS) will provide research funding for two somewhat ICS security related topics: Privacy Protecting Analytics for the Internet of Things and Enhanced Distributed Denial of Service Defense.

 

 

Aqualillies at S4x15

aqualillies3

The South Beach Pool Party will be at the Surfcomber Hotel on Thursday after the S4 Technical Sessions. We are pleased to announce the entertainment for the party … The Aqualillies!

This synchronized swimming group will perform a few numbers in the great Surfcomber pool and then mingle and take pictures. They have performed at TED, Disney World, award shows and other great events.

The pool at the Surfcomber is the perfect venue for the party and this entertainment with balconies, the pool deck, and of course the ocean view at sunset.

I like the Aqualillies mission statement:

Our goal is to inspire people with beauty, grace, and spectacle, bringing to life the magic of the universe through synchronized swimming and dance. By following our dreams we hope to encourage others do the same: to free their imagination, seek out adventure, believe in themselves and their power to make the world a better place. We are reinventing water ballet for the new millennium!

Screen Shot 2014-12-09 at 11.23.01 AM

We have some other fun surprises for this very unusual ICSsec event.

After the party you will be right in the heart of South Beach so you can grab dinner, more drinks, go to a club or just people watch. We will have a bus going back to the Trump at 11PM for those wanting to stay down in South Beach post party.

Registration Update

The registration count is at 126. This means there are 24 seats left at the tier 3 price and only 64 seats left in total. You need to book now if you want to get your spot at S4x15 Week.

Hotel Update

The room block at the Trump International is SOLD OUT. There are still rooms left at the conference rate at the Surfcomber Hotel in South Beach (where the party on Thursday will be held). This room block is available until December 20th so book your room now.

S4x15 Advanced Training Classes

S4x15 attendees have some choices for the Friday activity. There is the ICSage: ICS Cyber Weapons conference and now two one-day advanced training classes. We pick classes that will teach students with the right experience a new, leading edge skill in one day. These classes are typically being taught for the first time. The two classes this year are:

CANBus Hacking

Instructors: Corey Thuen and Reid Wightman of Digital Bond

Corey has been digging into CANBus as part of his research project he will present in the S4 Technical Sessions. He learned a lot and wants to pass that along to the students.

There is no way to do this course without the right hardware. So there is a $100 hardware supplement so every student will have a BeagleBone with CANBus Cape they can use in the course and take home with them.

Why Should the Red Team Have All the Fun?

Instructors: Jim Gilsinn and Bryan Singer of Kenexis

Jim and the Kenexis team have developed a new ICS lab environment that they can bring on the road. So there will be some instruction focusing on defensive techniques and then the class will have a Red/Blue competition.

Each lab pod will have three students on each team and some of the lessons learned will be on the techniques and reasons why the various teams won and lost.

——

The 100+ that have already registered for S4x15 should have received an email on how they can switch from ICSage to the class or add the class if they want.

Seats for each class are limited and look closely at the required knowledge. You will be left behind if you don’t have the required knowledge.

Send In The Drones, S4x15

Drones

This year we have a fun addition to the S4 Cocktail Party held on the Kovens Center deck overlooking the Intracoastal Waterway … drones. We are bringing in CineDrones to let attendees fly a drone through an obstacle course. They claim the drones are virtually indestructible, and I’m sure some first time pilots will put this to the test. We will have prizes for the best times on the course.

CineDrones will also pilot a drone overhead with a camera and display the events on screens inside and outside. Kovens does a great job with the food at this event, and it’s always fun to relax on the deck at sunset after a long day of hardcore ICSsec technical talks. cigar-roller2The Welcome Party on Tuesday is sponsored by PFP Cybersecurity and Waterfall. It is a Cuban themed party down on the beach at the Trump International. We have cigar rollers, domino tables, Cuban food and drink and music, and some other fun surprises. This was a big hit even in unseasonably cold weather last year, so we decided to run it back for another year. The South Beach Pool Party is the big finish of the S4x15 social events on Thursday. We have some fun surprises for this that we will disclose next week. Stay tuned.