Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 17 views

    19isdfs KW Presentation

    Uploaded by

    Meir Zushnov
    This document describes plans for a SCADA testbed at Sam Houston State University for conducting vulnerability assessments, penetration testing, and incident forensics research. It outlines the need for such a lab given growing cyber threats to critical infrastructure SCADA systems and a lack of expertise in securing these systems. The proposed lab would implement common SCADA protocols and software in a realistic environment mimicking real-world vulnerabilities. It would allow students to perform security tasks and research using various tools. Verification tests and a schedule are provided to validate the lab's functionality and operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    19isdfs KW Presentation

    Uploaded by

    Meir Zushnov
    17 views22 pages
    This document describes plans for a SCADA testbed at Sam Houston State University for conducting vulnerability assessments, penetration testing, and incident forensics research. It outlines the need for such a lab given growing cyber threats to critical infrastructure SCADA systems and a lack of expertise in securing these systems. The proposed lab would implement common SCADA protocols and software in a realistic environment mimicking real-world vulnerabilities. It would allow students to perform security tasks and research using various tools. Verification tests and a schedule are provided to validate the lab's functionality and operations.

    Original Title

    19isdfs-kw-presentation

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document describes plans for a SCADA testbed at Sam Houston State University for conducting vulnerability assessments, penetration testing, and incident forensics research. It outlines the need for such a lab given growing cyber threats to critical infrastructure SCADA systems and a lack of expertise in securing these systems. The proposed lab would implement common SCADA protocols and software in a realistic environment mimicking real-world vulnerabilities. It would allow students to perform security tasks and research using various tools. Verification tests and a schedule are provided to validate the lab's functionality and operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    17 views22 pages

    19isdfs KW Presentation

    Uploaded by

    Meir Zushnov
    This document describes plans for a SCADA testbed at Sam Houston State University for conducting vulnerability assessments, penetration testing, and incident forensics research. It outlines the need for such a lab given growing cyber threats to critical infrastructure SCADA systems and a lack of expertise in securing these systems. The proposed lab would implement common SCADA protocols and software in a realistic environment mimicking real-world vulnerabilities. It would allow students to perform security tasks and research using various tools. Verification tests and a schedule are provided to validate the lab's functionality and operations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 22

    SCADA Testbed for Vulnerability Assessments, Penetration

    Testing and Incident Forensics

    Sundar Krishnan & Dr. Mingkui Wei


    Department of Computer Science
    Sam Houston State University, Huntsville, Texas

    ISDFS 2019
    SCADA – Overview

     SCADA (Supervisory Control and Data Acquisition) -> critical infrastructure


     SCADA security is often an add-on -> Focus on safety
     SCADA’s integration with cyberspace
     Vendors seldom upgrade, invest -> Aging infrastructure
     Growing cyber threats -> Insider-threats (employees), Hackers
     Few labs for students that focus on SCADA Cyber-Vulnerability Assessments,
    SCADA Pen-tests & SCADA Incidents Forensic research
     Growing job market & a niche skill in the Industry

    … SCADA world is a ripe target for Cyber threats with limited security and forensic expertise.
    LAB – Problem Statement
    Lack of a SCADA LAB at SHSU for Vulnerability assessments, Penetration
    testing and Incident Forensics research

    LAB - Benefits

    1. Learn and understand SCADA, HMI, PLC concepts


    2. Lab designed with a real-world scenario in mind
    3. Supports a Build-Exploit-Break-Investigate study approach
    4. Conduct Cybersecurity tasks and Forensics research in SCADA world
    5. SCADA Penetration-testing/Vulnerability testing using tools like Wireshark,
    Metasploit, CANVAS, SQLMap, NETCAT, BurpSuite, HPING etc.
    6. Perform live SCADA Incident management and forensics.
    7. Conduct Cyber Vulnerability Assessments prescribed in NERC’s, NIST, DHS
    standards
    LAB – Highlights

    SCADA LAB Design


    1. LAB design is modelled after generally found deployment architecture in
    the ICS world
    2. Devoid of servers, minimum firewalls, use of WIN-XP machines, missing
    OS security patches and unsecure Wi-Fi

    ICS/SCADA Design:

    1. Use of PLC/RTU and stimulators


    2. Top 5 SCADA protocols used in Oil and Gas Industry (MODBUS/TCP-IP,
    KOYO-ECOM, OPC-UA,OPC-DA, CodeSys ARTI, DNP3)
    3. SCADA/HMI software: InduSoft studio
    4. Custom user interface developed to invoke SCADA protocol traffic
    5. Use of InduSoft’s thin client (web/browser based) and InduSoft’s secure viewer
    KOYO-ECOM: Automationdirect protocol OPC: OLE for Process Control MODBUS: Modicon’s protocol DNP3 (Distributed Network Protocol)
    OPC UA: OPC Unified Architecture OPC Data AccessCodesys Arti (Asynchronous Runtime Interface)
    LAB – Highlights (contd.)

    Database

    SQL Server Database (2000 and 2008)

    Websites
    1. Websites custom programmed using classic ASP and JavaScript
    2. Using ODBC for DB connectivity
    3. Hosted on IIS with shallow security features

    Design features with a purpose..


    1. Minimal use of firewalls, switches, routers
    2. Missing security patches
    3. Scatter of WIN-XP and WIN7 O/S
    4. Unsecure Wireless Access Point
    5. Wireless security camera
    .. all to mimic a real-world scenario..
    Lab - Project Risks

    RISK Consequence Level Mitigation


    SCADA/ICS Hardware Delay to schedule High Plan and co-ordinate procurement with
    procurement (donation) from vendors
    vendors

    Lab space availability Delay to schedule Medium Work closely with Dept. Facilities

    SCADA/ICS Hardware Delay to schedule Medium Plan, schedule and co-ordinate with
    Configuration InduSoft Engineers

    Lab IT-Hardware (desktops, Delay to schedule Medium Work closely with Dept. and IT Support
    switches) availability
    LAB – Project schedule

    Phase Task

    Planning Project Proposal & Approvals

    Source hardware (SCADA, desktops, switches)


    Project Kick-Off (stakeholder meeting)
    Configure SCADA hardware (with guidance from InduSoft Engineers)
    Execution Coding using InduSoft Studio
    Phase-I Verification (Testing) of Protocol Traffic
    Milestone - stakeholder meeting
    Install and configure Penetration-testing software
    Install and configure Forensics software
    Execution/Verifi
    Verification (Testing) of pen-test and forensics tools
    cation Phase-II

    Milestone - stakeholder meeting

    Demonstrate/Validate Lab
    Validation
    Phase-III Lab Go-Live

    Close-out Project close-out (project documentation, metrics, lab documentation, manuscript preparation)
    LAB - KAT Engineering and Chemicals
    Company Overview
    1. Fictious chemical manufacturing company
    2. It’s manufacturing plant processes batches of chemicals during manufacturing process
    involving batch-mixing, motors, pipelines, furnaces, storage tanks and loading.
    3. Releases processed water into environment (a nearby stream/bayou). Valid permits
    exist for certain toxicity limits.
    4. Financial penalties if toxicity limits breached. Reduced penalties if reported to
    government agencies within SLAs.
    5. PLCs monitor and report (on HMI screens) various processes including quality of
    processed water being released into nearby stream.

    Red and Blue teams

    1. KAT employs in-house IT-security for operational support, incident management


    and forensics – traditional Blue team
    2. Red Team are external hackers or disgruntled employees depending on the lab
    exercise.
    Prized capture by Red Team is access-to Operator’s HMI screen.
    LAB – HMI Screen
    LAB – Network Architecture of KAT Engineering and Chemicals Company

     Network Firewall rules help segment network. Switches and routers present. Dynamic and static IPs issued.
     System Patching irregular - tuned per lab exercise.
     A “timed incident bomb” will cause disruption (if Red team is unsuccessful).
    SCADA LAB – Project verification controls
    # Test Case(s) Primary Software tool used

    1 Test for MODBUS protocol traffic Wireshark


    2 Test for OPC DA protocol traffic Simulator logs

    3 Test for OPC UA protocol traffic Wireshark

    4 Test for KOYO protocol traffic (KOYO is transmitted as UDP packets) Wireshark

    5 Test for EATON’s CodeSYS ARTI protocol traffic Simulator logs

    6 Test for DNP 3.0 protocol traffic Wireshark


    7 Verify network for IE104 protocol traffic Simulator logs

    8 Verify if Direct06 PLC is configured to respond via HMI (Indusoft) interface HMI alarms and logs

    9 Verify if Eaton PLC is configured to respond via HMI (Indusoft) interface HMI alarms and logs
    10 Test for password strength using password cracker tools John the Ripper

    11 Perform a penetration test using any known exploit against the lab network Metasploit

    12 Test for Windows security patches to expose backdoors Microsoft Baseline Security Analyzer

    13 Test for SQL Injection against lab websites SQL Map

    14 Test for open and vulnerable ports against lab network NMap

    15 Test for website vulnerabilities against lab network Vega

    16 Test for MD5 or SHA1 cryptographic hashes on drives for forensic evidence Microsoft File Checksum Integrity Verifier
    integrity
    LAB – Historian database
    LAB – SQL Server 2008
    LAB – SQL Server 2008
    LAB – SQL Server 2008
    LAB – Simulators MODBUS and OPC
    LAB – Simulators DNP and IE104 contd.
    LAB – Batch FTP Jobs
    LAB – FTP Destination Screen
    LAB – Completed Deliverables

    1. Functional and Operational LAB for SCADA research


    2. Implementation of top 5 Oil & Gas Industry SCADA network protocols
    (MODBUS/TCP-IP, KOYO-ECOM, ARTI, OPC, DNP3, IE104) in the lab
    3. Demonstrate the ability to use vulnerability, penetration testing and
    forensic tools
    4. Documentation for Lab maintenance
    5. Define a course material/lab exercises for students interested in SCADA
    vulnerability assessments, SCADA penetration-testing and SCADA
    forensics
    LAB – Lab Then and Now!

    Budget of $50 in 4
    months with vendor
    donated industrial
    hardware

    Now .. after an external Grant

    You might also like