Shout Outs
Charles Perine - @caperine
John Matherly - @achillean
K. Reid Wightman - @ReverseICS
Joel Langill - @SCADAHacker
Securing Nuclear Facilities, On The Cheap
RETR3AT - October 31, 2015
edward.prevost@compromiser.com - @edwardprevost - @compromiserLLC
Ed Who?
Reformed Christian (http://reformedpresbytery.org)
Husband & Father
Farmer
Computer Geek
Reformed Christian
Calvinistic
Christ Centered World-View
Inherently Paranoid
Husband & Father
Wife
Children
Responsibilities
Farmer
Free Range Chickens
Heritage Hogs
Dairy Cattle
Barn Cats
Computer Geek
What's this all about?
Industrial Control System Security
This presentation aims to provide you with a little:
history and terminology
corporate tools
open source tools
encouragement
https://scadahacker.com/library/
http://www.digitalbond.com/tools/ics-security-tool-mail-list/
ICS History
Water
Gears
Belts
Flues
Pneumatics
DCS - Distributed Control System
PLC - Programmable Logic Controller
PAC - Programmable Automation Controller
IoT - Internet of Things
Everybody Open Immunity
CTRL/Command + F1
JUST KIDDING
Pneumatics
Clean, Dry and Oil Free
Voluminous (PRV, multi-line)
Reliability
On/Off vs Inherent Modulation
DCS
Distributed
Electrical
Cumbersome
Rocks at Analog
Feedback/Feedforward
PLC
Auxiliary
Electrical
Rocks at Discrete
Proprietary Ladder/Relay Logic
Constant I/O Coverage
SCADA
PAC
Auxiliary
Electrical
Open Standards IDE with (OPC etc.)
Exception I/O Coverage
SCADA
IoT
Things Connected To Each Other
Now Forget Everything I Just Told You
PROTOCOLS
A LOT OF THEM
https://en.wikipedia.org/wiki/List_of_automation_protocols
So What Do The Big Corporations Use?
Not Really Much
Corporate Tools
Wurldtech
Belden (Tofino)
Portswigger (Burp)
Ettus
National Instruments
Mocana
Open Source
nmap/Redpoint/Shodan
Killerbee/HackRF/Other
Burp
Sulley/Taof
Wireshark/scapy
nmap/Redpoint/Shodan
Reconnaissance
https://github.com/digitalbond/Redpoint/
https://icsmap.shodan.io/
https://code.google.com/p/plcscan/
pfsense
Proxy
https://www.pfsense.org/
Data Diode
Impenetrable
Proxy
https://mitmproxy.org/
http://www.squid-cache.org/
Some Cost
http://blog.cimation.com/blog/defend
Killerbee/HackRF
RF Attacks
http://gnuradio.org
https://github.com/riverloopsec/killerbee
http://edwardprevost.info/RETR3AT/killerbeehw.php
https://greatscottgadgets.com/hackrf/
http://greatscottgadgets.com/sdr/
JTagulator
Devices interfaces galore
http://www.grandideastudio.com/portfolio/jtagulator/
CANBus Triple
Cars haz computerz
https://canb.us/
Shikra
UART etc.
http://www.xipiter.com/musings/using-the-shikra-to-attack
Burp
Proxy
Spider
Repeater
https://github.com/madeye/proxydro
Sulley
Data Generation
Health Monitoring
Fault Tracking
Automated
https://github.com/OpenRCE/sulley
TAOF
GUI
Quick Setup
http://edwardprevost.info/RETR3A
Wireshark
GUI
Powerful
https://www.wireshark.org/
Scapy
Powerful
Everything is an object
http://www.secdev.org/projects/scapy
SURPRISE
Two utility Python scripts to speed up fuzzing
http://edwardprevost.info/RETR3AT/
Surprise Surprise
Virtually indistinguishable from Wurldtech
http://www.filewatcher.com/m/isic-0.0
http://clem1.be/isicng/
verschlimmbessern (German: to make something worse by trying to improve it)