In this workshop we will explore key aspects of assessing the security posture of SCADA systems, the systems used to operate physical infrastructure, such as the electric grid, that is designed for continuous operation. No prior knowledge of such critical infrastructure is required, and the introduction to this class of system may well be eye-opening even to seasoned penetration testers. Traditional approaches to assessments will be presented first, with the balance of the workshop providing an introduction to the security processes developed by Edmond Rogers and Sergey Bratus in their experience penetration testing critical infrastructure. We will discuss the use of well-known tools and the considerations that should be made before using such tools on SCADA networks, where active probing of devices built for continuous operation can disrupt the process they control. The workshop ends with a discussion of mitigations used for SCADA control networks.

Outline

1. Introductions and Overview of SCADA Systems (1 Hour)

    • Intros
    • Overview of SCADA systems
    • Components of SCADA systems
    • Cyber Systems used in the Electric Grid
    • Conclusions (Questions)

2. Performing Best Practice Assessments of Critical Systems (2 Hours)

    • Burdens imposed by legacy systems
    • Challenges in complying with best practices
    • Presentation of the vulnerability assessment methodology (as linked above)

3. Discussion of Tools Used to Perform Testing (1 Hour)

    • Recon Tools
- Wireshark
- Nmap
- Kismet
- NetAPT
- ZigBee tools (Sergey's toolkit)
    • Active Probing
- Man in the middle (ARP poisoning): Ettercap & arp-sk
- Scapy
- NFQUEUE
- Metasploit
- Fuzzers

4. Lunch break

5. Differences Between Penetration Testing and Vulnerability Assessment (1 Hour)

    • Using traditional tools in a mission-critical network
- Using test networks
- Scanning representative systems instead of production devices
- Engaging operations staff before and during testing
    • Field testing man in the middle against live SCADA protocols (Sergey)
- ICCP
- Others
    • Fuzzing protocols
    • Q and A.

6. Examples from Previous Engagements (Closed Session, 1 Hour)

    • [Agenda redacted]

7. Mitigations for SCADA Systems (1 Hour)

    • Use of IPsec
- Advantages of IPsec
- Disadvantages of IPsec
- IPsec redefines the attack surface rather than removing it
- How to address devices that do not support IPsec
    • DMZ Setups
- Only allow traffic that the control network initiates outbound to the DMZ
- Connections must never be initiated from outside the protected network (neither from the DMZ nor from the corporate side)
    • Use of traditional methods (and their value)
- IDS and IPS
- Anti-virus
- Host-based software
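The DMZ rule stated above (connections are initiated only from the control network outbound to the DMZ, never into the control network) expressed as a stateful nftables ruleset for the boundary firewall. This is an added example, not material from the workshop; the interface names, the three-zone layout and the DMZ port set are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: control-network boundary firewall with a DMZ.
# Interface names and the DMZ service ports below are assumptions.
flush ruleset

define ctl_if    = "eth0"            # control / SCADA network (protected)
define dmz_if    = "eth1"            # DMZ: historian replica, patch mirror, jump host
define corp_if   = "eth2"            # corporate / business network
define dmz_ports = { 443, 5432 }     # assumed services the DMZ exposes to the control side

table inet scada_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies belonging to flows accepted below. Because every accept
        # rule requires "ct state new", direction of initiation is what the
        # policy enforces, not the IP addresses on the wire.
        ct state established,related accept
        ct state invalid drop

        # Control network may INITIATE to the DMZ, and only to the ports
        # the DMZ actually serves (e.g. pushing historian data outward).
        iifname $ctl_if oifname $dmz_if tcp dport $dmz_ports ct state new accept

        # Corporate users may initiate to the DMZ, never to the control network.
        iifname $corp_if oifname $dmz_if ct state new accept

        # Nothing initiates into the control network. No rule above accepts
        # a new flow with oifname $ctl_if, so such packets hit the drop
        # policy; log them first so a probe from the DMZ or corporate side
        # is visible to the SOC.
        oifname $ctl_if ct state new log prefix "CTL-INBOUND-DENIED " drop
    }
}
```

Check the ruleset with `nft -c -f <file>` before loading it, and verify the intent from the DMZ side: a connection attempt from the DMZ or corporate interface toward the control network must fail and produce a `CTL-INBOUND-DENIED` log line, while an established flow that the control network opened still receives its replies. A device that cannot survive even that logging traffic is the case for the preceding IPsec discussion: the gateway, not the end device, carries the policy.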

8. Denouement (1 Hour)

    • Conclusions
    • Follow-ups
    • Q and A.

9. Beer and Whiskey

This workshop is held by Edmond Rogers and Sergey Bratus, two veteran TROOPERS. In more depth:

Edmond Rogers is a Smart Grid Cyber Security Engineer at the University of Illinois Information Trust Institute. His research efforts focus on the assessment of electric grid SCADA systems. Prior to his tenure at the university, Edmond was a Security Analyst at a Fortune 500 utility in the Midwest of the United States.

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He holds a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.

We are looking forward to an interesting workshop with you!
The ERNW / TROOPERS Team