I’m attending the SANS SCADA Summit for the next three days. Today was the introductory course offered for free by the DoE and DHS. I op’d for the intermediate course as I’ve had some moderate SCADA network exposure in the past.

Today was like the intro to most training or hands-on conferences I’ve attended. INL put on a show with less powerpointing and more hands-on chances to see what can happen once you’re inside a SCADA network. They performed their renowned attack that turned on/off points on a PLC and RTU with the horrific chatting effects. They explained how both were running a proprietary protocol that took a contractor with no control system experience about eight months to reverse engineer and understand.

It was then time to let the class loose with a live knoppix cd with some additional tools that INL added to the CD. During the demonstration they mentioned using an ARP MITM to learn what type of traffic was being communicated between two hosts. They didn’t however mention ettercap or any ways of doing the MITM to succeed in compromising hosts on the test network. I’ve used ettercap quite a bit in the past and op’d to do it myself. However the entire network was a daisy-chained hub setup, so it didn’t really matter.

The network was layed out with a corporate network, dmz, and a SCADA network. The object was to see where you could get with what communications where being sent across. The first thing I noticed was a port higher than 1024 running some odd type of traffic. I looked around the CD and noticed a bunch of fuzzing utilities. I found one, modified it some, and sent a bunch of random data to the port. The process wasn’t reachable anymore. =\ So I raised my hand and asked, sure enough it had crashed. Some other interesting things were java applets with database credentials. Then hoping in the database to find credentials to the web application. Then scanning the web application and logging into it. I’m not a huge web application guru, but I found that the one script could read files on the file system.

Next we were in the DMZ, you could see some telnet stuff and login to that box. That box was dual-homed and plugged into the SCADA network. That network consisted of 7 hosts a couple windows boxes, some linux/unix, plc, and rtu.

There were some breaks between them manually switching us to each network and the folks from INL went over some powerpoint presentation about protecting your network (from the things we were learning). There were a few piece of technology mentioned during these talks that I wasn’t really sure INL had experience with, however they made comments about them.

One being SIM/SEM, they kept discussing how a lot of these attacks could be monitored by correlating and collecting logs. And of course after getting the logs adding a mechanism to alert on suspicious behavior, etc. They kept discussing it, but not putting the industry known name of SIM/SEM with it.

The next comment that I held back on was IPS. We started discussing IDS/IPS placement and a comment was made that “INL doesn’t recommend IPS on a SCADA network”. I won’t comment on where or what SCADA networks I’ve used IPS on, but I can say with proper testing and tuning IPS can be a very valuable defense mechanism on ANY network.

Overall I enjoyed today’s exercises and look forward to the Summit tomorrow.