Hack Chat Transcript, Part 2

An event log for SCADA Security Hack Chat

There's a lot of infrastructure out there

Dan Maloney 07/14/2021 at 20:31


Bill S 12:25 PM
@primetimber True, then when everything goes to hell, the board gets a new CEO who says that last guy was the worst and continues to do nothing. Think VW

Chris Ryding 12:25 PM
Where do you tend to see more security vulnerabilities - insecure devices, poor configuration/management, or both?

eireann.leverett 12:25 PM
It covers a crazy history of electrical systems, automotive safety, and medical safety.

Mr.Unbekannt2.0 12:26 PM
Would the benefits of airgapping outweigh the ease of maintenance and data transfer? Or is it not possible for infrastructure to work like an island?

eireann.leverett 12:26 PM
Then goes on to regulatory and certification approaches.

eireann.leverett 12:26 PM
On the airgapping debate, Ronnie knows where I stand :D

eireann.leverett 12:26 PM
Though I guess it's worth repeating....

Galactic creature 42 12:26 PM
Thx

adamskhan 12:27 PM
Always good to airgap but typically, hardly practical?

eireann.leverett 12:27 PM
Airgaps are mostly myths in practice. They seem easy to maintain and they're not. For example, how are you going to check any SSL/TLS certificate in an airgap?

eireann.leverett 12:27 PM
They are very very dangerous to the mind...too.

DM 12:28 PM
How so?

Bas Withagen 12:28 PM
also, how would you get status across an airgap?

adamskhan 12:28 PM
People get a false sense of security, I've seen that before

Dick Brooks 12:28 PM
CRL verification would be challenging

eireann.leverett 12:28 PM
Largely my "coming of age" story in this industry was older engineers telling me we didn't need software security practices because it was all airgapped.

Damir Diminić 12:28 PM
From the security perspective (aside from regulations and certifications), what are your thoughts about using cheap SBCs instead of high priced VPN routers (+ even more expensive "access servers") to connect dislocated PLCs to a central SCADA?

As far as I saw, those "premium" devices mostly use OpenVPN which is a breeze to configure today (with a bit of fiddling with iptables).

So does it make sense to pay for those industrial routers today?

Dick Brooks 12:28 PM
Then came 802.11

Bill S 12:29 PM
What happens is that you do just 1 connection to the air gap with a network device that never gets updates or is ever looked at again

eireann.leverett 12:29 PM
I knew it wasn't true, and those airgaps were becoming an impediment to real improvements and innovations.

eireann.leverett 12:29 PM
So I set out to prove people wrong in 2010.

toet 12:29 PM
https://cyberics.github.io/News/news.html keeps track of what new vulnerabilities have been released

eireann.leverett 12:29 PM
https://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

eireann.leverett 12:29 PM
This is the result of that effort.

eireann.leverett 12:30 PM
I was kind of an angry hacker back then :D

adamskhan 12:30 PM
Is the document safe :p

Galactic creature 42 12:30 PM
Imho - 100% airgap is not possible these days. But -> connecting OT to the internet, having sensitive devices accessible from anywhere…. That's a bad idea :) Anyway - an airgap can be achieved but it costs extra money (nuclear power plants do have airgapped systems)

eireann.leverett 12:31 PM
Absolutely. The reason it's a bad idea is because the vendors thought it was THE idea.

eireann.leverett 12:31 PM
An airgap for most people is no ethernet

eireann.leverett 12:32 PM
I'm afraid you still need to get data on and off the system. Ladder logic needs to be loaded on the PLCs somehow.

primetimber 12:32 PM
What about tools like this one? https://firmwareiq.net/

Dick Brooks 12:32 PM
Today, they push software updates to jet fighters in flight, turns out air is a pretty good medium for communications.

eireann.leverett 12:32 PM
So I prefer people do better checking on inputs and outputs. Don't get me wrong if your airgap really is part of defense in depth cool...but if it's your only defence....I get cranky.

russell paul 12:33 PM
even when I think a system is air-gapped, a technician decides to connect (say) our cooling water vendor to the SCADA network, which has a 4G connection to their engineers in another country.

eireann.leverett 12:34 PM
Firmware verification is hot, and I like many companies doing it. aDolus is one of my favourites, but maybe just because Eric Byres inspired me with his myths and facts paper.

Galactic creature 42 12:34 PM
@eireann.leverett yes, data exchange is very important nowadays, getting real time telemetry etc.. Systems need to be segregated as much as is possible… yes, a bit more complex for operation. But we have to consider:

Bill S 12:34 PM
what are other good defenses? I saw a bunch of Allen-Bradley PLCs in the picture for this chat. In my experience, they don't care much about security

andypugh 12:34 PM
Someone mentioned Shodan, and I think at the EMF talk you listed a few places that _you_ had got in to with the help of Shodan?

Galactic creature 42 12:34 PM
reliability, security and safety :)

Mr.Unbekannt2.0 12:34 PM
Yeah, I see the false sense of security, I think I only know one customer in Infrastructure who has a total airgap. The software is old & adapting the software is a hassle.

DM 12:34 PM
How do Unidirectional Gateways fare in this picture?

eireann.leverett 12:35 PM
They could work well, but we need some co-evolution with protocols to work well with them.

eireann.leverett 12:35 PM
Now, more generally, let's talk some books and success stories.

eireann.leverett 12:35 PM
http://industrial-landscape.com/#/home
Infrastructure: A Guide to the Industrial Landscape (Brian Hayes)

Dick Brooks 12:36 PM
Eric/aDolus is one of the C-SCRM vendors that filed with FERC in support of SBOMs: https://elibrary.ferc.gov/eLibrary/filelist?document_id=14927761&optimized=false

eireann.leverett 12:36 PM
I loved this one...not security minded, but such a great how things work book.

eireann.leverett 12:36 PM
One chapter was about agriculture.

Dan Maloney 12:36 PM
Oh, man -- you really gave me book-envy when you suggested that book...

eireann.leverett 12:36 PM
100 years ago 99% of people would have been farmers. Today it's about 1%. How did that happen?

eireann.leverett 12:36 PM
Automation

eireann.leverett 12:37 PM
Can we do the same with other things, and then once we have, how do we secure it?

Galactic creature 42 12:37 PM
We are lazy.

eireann.leverett 12:37 PM
Lol, best mathematician is a lazy one?

eireann.leverett 12:38 PM
Concrete factories are cool too....

eireann.leverett 12:38 PM
they are truly distributed infrastructure primarily because of how quickly concrete sets

Galactic creature 42 12:38 PM
No sir, I mean naturally, human being is lazy so thinks how to improve things 8-)

toet 12:38 PM
https://verveindustrial.com/resources/ics-advisory-report-thank-you/
ICS Advisory Report - Verve Industrial

eireann.leverett 12:38 PM
https://www.amazon.co.uk/s?k=the+knowledge

Galactic creature 42 12:39 PM
(Sorry for typos, english is not my natural language)

eireann.leverett 12:39 PM
This one is fun too

eireann.leverett 12:39 PM
No worries

eireann.leverett 12:39 PM
It has one chapter on a guy who built a toaster from scratch

eireann.leverett 12:39 PM
mined the copper, moulded the plastic, wired the cable everything

Galactic creature 42 12:39 PM
Thx for posting these articles :) will read it indeed

eireann.leverett 12:40 PM
My own book isn't much of a security book, it's more a risk and quantitative approach, but I wrote a chapter I'm proud of on vulnerabilities generally: https://www.google.co.uk/books/edition/Solving_Cyber_Risk/xn91DwAAQBAJ?hl=en&gbpv=1&pg=PA103&printsec=frontcover

eireann.leverett 12:41 PM
I do recommend Jake's book for SCADA security especially

eireann.leverett 12:41 PM
https://blackwells.co.uk/bookshop/product/9781498717076?gC=5a105e8b
Blocked IP Address due to Suspicious Activity

eireann.leverett 12:41 PM
Though there are many others too.

eireann.leverett 12:41 PM
LOL blocked IP address

andypugh 12:42 PM
Irony

Dan Maloney 12:42 PM
Huh

eireann.leverett 12:42 PM
I think all security people in OT should read safety books like Erik's https://erikhollnagel.com/ideas/safety-i%20and%20safety-ii.html

Galactic creature 42 12:42 PM
Regarding the toaster…. Friend of mine is attempting to build smartphone (although he is not going to mine gold and silicon 🤣🤣🤣)

eireann.leverett 12:43 PM
I have many more links and things to share, but I'll go back to questions for a bit :)

eireann.leverett 12:43 PM
https://www.plcacademy.com/ladder-logic-tutorial/
PLC Ladder Logic Programming Tutorial (Basics) | PLC Academy

eireann.leverett 12:43 PM
Ok, a little ladder logic tutorial wouldn't hurt :)

Lord3nvy 12:43 PM
@eireann.leverett do you think with "average" SCADA setups (in terms of focus on security) there is a common lack of focus on anything in particular? In other words, if you had to pick a thing or two, what do you think is the most typical low-hanging fruit of SCADA network security improvements?

Galactic creature 42 12:43 PM
👍

eireann.leverett 12:44 PM
@Lord3nvy Switches and network equipment, and network monitoring.

eireann.leverett 12:44 PM
Secure your networking infrastructure first.

toet 12:45 PM
http://oscada.org/ if you want to build a custom SCADA overview, it's old but still works

Chris Ryding 12:45 PM
Do you see more vulnerabilities because of poor configuration/management or in devices (such as PLCs) themselves?

eireann.leverett 12:45 PM
One really interesting thing about realtime networks: to MITM often requires an attacker to operate under the real time constraints of the system itself.

eireann.leverett 12:45 PM
that's a brilliant constraint that defenders can use to their advantage

Galactic creature 42 12:46 PM
Good point

eireann.leverett 12:46 PM
here's my talk on industrial ethernet switch security:

eireann.leverett 12:46 PM
A bit of the offense side, but plenty of lessons for defenders, from firmware management and verification, to default credentials, to switch hardening

Lord3nvy 12:47 PM
Very cool - thank you! Network monitoring makes a lot of sense - I think it has a tendency to get pigeonholed into the "IT" world and sometimes doesn't get communicated to the boots on the ground, so to speak, when anomalies happen.

eireann.leverett 12:48 PM
So much of SCADA is protocols that work really well, but assume only trusted people have access, so focus on rejecting attacker access, and thus switches first, PLCs, RTUs, other equipment next, logging, and network monitoring.

eireann.leverett 12:49 PM
one other thing....OT/SCADA has engineers as standard employees. Literate, numerate people. Ok, numerate people. But seriously, they care about the system more than other users, and they think critically as engineers...we need to leverage that and not deride them as homers.

DM 12:50 PM
Care to elaborate on the 'leverage' part?

eireann.leverett 12:50 PM
Name another environment where you can count on standard people within the org to have STEM degrees? If we can't explain security to them, we're communicating risk badly.

eireann.leverett 12:50 PM
@DM do you mean leveraging the employees? Like how do we do it?

eireann.leverett 12:51 PM
Expand a little and I'll try to answer.

DM 12:51 PM
Yes, you mentioned that engineers are critical thinkers and that we should leverage this. How best do we do this practically?

eireann.leverett 12:51 PM
Random link to one of my fave papers on CNI analysis

eireann.leverett 12:51 PM
https://ieeexplore.ieee.org/document/969131
Identifying, understanding, and analyzing critical infrastructure interdependencies

Galactic creature 42 12:52 PM
Regarding anomalies - does it make sense to focus on anomalies down to protocol level (.101 or .104) or focus a bit more on hardening peers? I mean to define who is allowed to communicate with whom and who is not, and just alert when an anomaly happens?
