SESSION ID: LAB3-W02
Pentesting ICS 102
Arnaud SOULLIE, Manager, Wavestone, @arnaudsoullie
Alexandrine TORRENTS, Senior Consultant, Wavestone, @DrineTorrents
#RSAC

Lab Prerequisite
– KALI LINUX
– ADDITIONAL SCRIPTS: mbtget, plcscan, PCAP samples, script skeletons
– TOOLS: ModbusPal, opcua-client
tinyurl.com/ics102-2020
The VM is also available on USB stick.

Agenda
01 Introduction to ICS
02 What’s wrong with ICS security?
03 ICS protocols
04 Capture the flag!
05 Takeaways
30’ 90’

Introduction to ICS

Where do we find Industrial Systems?
Manufacturing plants, food, power plants, building automation systems (AC/HVAC/…), water treatment, pharmaceutical manufacturing, chemical plants.
But also… swimming pools, building heating systems, dams, etc.

A bit of vocabulary
ICS (Industrial Control System) = IACS (Industrial Automation and Control Systems) ≈ SCADA (Supervisory Control And Data Acquisition) ≈ DCS (Distributed Control System)
Nowadays, people tend to say “SCADA” for anything related to ICS.

What is an Industrial Control System (ICS)?
Architecture figure labels: Corporate network; Supervision network – SCADA; Production network; Physical world; Corporate IT; Group WAN; ERP server; SCADA server; Data Historian; MES server; Production management; Supervision consoles; Maintenance laptops; HMI; PLCs; RTUs; Wireless industrial networks.
Corporate IS handles data, whereas ICS interfaces data with the physical world (cyber-physical systems).

ICS Components
– Sensors and actuators: allow interaction with the physical world (pressure sensors, valves, motors, …)
– Local HMI: Human-Machine Interface, permits the supervision and control of a subprocess
– PLC (Programmable Logic Controller): manages the sensors and actuators
– Supervision screen: remote supervision of the industrial process
– Data historian: records all the data from the production and SCADA networks
– MES: Manufacturing Execution System (production status, scheduling, etc.)
– RTU: Remote Terminal Unit (standalone PLC)
– Other low-level devices: intelligent electronic devices, wireless devices, variable frequency drives, remote I/O, etc.

Focus on PLC
– Real-time digital computer used for automation
– Replaces electrical relays
– Lots of analogue or digital inputs & outputs
– Rugged devices (immune to vibration, electrical noise, temperature, dust, …)
What’s inside? (photo: Siemens S7-1200)

Focus on PLC programming
SoMachineBasic is the software provided by Schneider Electric to program the entry-level PLCs. PLCs used in big plants are usually programmed using Unity Pro, for which there is no free demo version. Fortunately, the way this software works is very much the same.
PLC programming:
– Create a project
– Define the hardware setup
– Create variables
– Define the program
– Test
– Debug
– Push to PLC
– START

CIM (Computer Integrated Manufacturing) pyramid
– Level 4: Global planning (ERP): orders and stock management, clients and accounting
– Level 3: Production management (MES): execution and control of manufacturing, scheduling
– Level 2: Supervision of an industrial process
– Level 1: PLCs
– Level 0: Sensors and actuators

Tired: IT vs OT
AKA: Why OT security sucks compared to IT security
– Lifetime of components spans over decades
– The essential criterion for ICS security is availability, not confidentiality
– The use of COTS and standard protocols is relatively new
– ICS were designed to be isolated, but today need to communicate with the outside world

Wired: OT vs IT
AKA: Leverage OT specificities to improve cybersecurity
– Long lifetime means less change, so it’s easier to monitor for abnormal changes
– Mostly no confidential data, so that’s one thing less to worry about ;)
– Strong culture of quality & change management
– Safety is there to prevent all catastrophic events
ICS operations = Safety + Availability + Quality

What’s wrong with ICS security?

What is wrong with current ICS security?
Risk and vulnerability families:
– Organization & awareness
– Lack of « patch management »
– Lack of security supervision
– Lack of security mechanisms in equipment and protocols
– Nonexistent network segmentation
– Lack of third-party management

The slow evolution of ICS security (most sites vs. mature sites)
– Organization & awareness. Most sites: roles and responsibilities not formally defined; lack of awareness. Mature sites: creation of an ICS cybersecurity sector with local relays.
– Lack of network filtering with the co
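As an added example (not part of the lab deck or of mbtget, plcscan or ModbusPal), the deck's two points that long component lifetime makes abnormal change easy to spot and that ICS sites lack security supervision can be combined into a baseline-and-alert check over Modbus/TCP requests: learn which (client, PLC, unit id, function code) tuples normal traffic uses, then flag anything new, calling out write function codes. Host addresses and frames below are constructed placeholders, not real lab hosts.

```python
import struct

# Public Modbus function codes (Modbus application protocol spec)
READ_CODES = {1: "ReadCoils", 2: "ReadDiscreteInputs",
              3: "ReadHoldingRegisters", 4: "ReadInputRegisters"}
WRITE_CODES = {5: "WriteSingleCoil", 6: "WriteSingleRegister",
               15: "WriteMultipleCoils", 16: "WriteMultipleRegisters"}

def parse_request(src, dst, payload):
    """Parse the 7-byte MBAP header plus the function code that follows it.
    Returns (client, plc, unit_id, function_code) or None if not well-formed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    # protocol id is always 0; length counts unit id + PDU bytes
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return (src, dst, unit, payload[7])

def build_baseline(frames):
    """Learn the set of (client, plc, unit, function) tuples seen in normal traffic."""
    return {r for r in (parse_request(*f) for f in frames) if r is not None}

def detect_anomalies(baseline, frames):
    """Alert on any tuple absent from the baseline; writes are called out."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_request(src, dst, payload)
        if req is None:
            alerts.append(f"malformed Modbus/TCP from {src} to {dst}")
        elif req not in baseline:
            fc = req[3]
            kind = "WRITE" if fc in WRITE_CODES else "read"
            name = WRITE_CODES.get(fc) or READ_CODES.get(fc, f"fc{fc}")
            alerts.append(f"unexpected {kind} {name} from {src} to {dst} unit {req[2]}")
    return alerts

def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame (MBAP header + PDU); used for constructed samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic; addresses are placeholders, not real lab hosts
SCADA, LAPTOP, PLC = "10.0.2.10", "10.0.3.50", "10.0.1.20"
NORMAL = [(SCADA, PLC, mbap(1, 1, b"\x03\x00\x00\x00\x0a")),  # read 10 holding regs
          (SCADA, PLC, mbap(2, 1, b"\x06\x00\x01\x00\x2a"))]  # write setpoint reg 1
SUSPECT = [(SCADA, PLC, mbap(3, 1, b"\x03\x00\x00\x00\x0a")),               # baselined
           (LAPTOP, PLC, mbap(4, 1, b"\x10\x00\x01\x00\x01\x02\x00\x2a")),  # write, new host
           (LAPTOP, PLC, b"\x00\x05\x00\x00")]                              # truncated
ALERTS = detect_anomalies(build_baseline(NORMAL), SUSPECT)
```

The baseline here is learned from captured frames; in practice it would be fed from PCAP samples such as those shipped with the lab, and tuples can be keyed on more fields (register ranges, time of day) as the site's change-management records allow.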
2020_USA20_LAB3-W02_01_Pentesting-ICS-102