Topics

1.1 Course Overview, Introductions and Ground rules

• Pass out course Virtual Machine files and Course Binders
• Virtual Environment Installation, Configuration, and Customization

Operation 1.1.1: Configuring & Understanding Virtual Machines

1.2 ICS Systems Overview

• Classification of Typical ICS Systems
• SCADA Component Functions

1.3 ICS Inputs, Outputs, and Sensor Networks

1.4 Controllers, Embedded Systems and Protocols

• PLCS, DCS, Hybrid Controllers, PC-Control

Operation 1.4.1: Locating PLC equipment on a LAN

Operation 1.4.2: Reviewing the PLC Ladder Logic program

Operation 1.4.3: Scanning internal PLC registers

1.5 SCADA and ICS Protocols

• Evolution of Serial Protocols
• RS-232, RS-485, Proprietary vs. Open Protocols
• Parsing Modbus RTU and Modbus TCP as examples
• OPC and its role in connecting device drivers to HMI Applications

Operation 1.5.1: Capturing and Analyzing ModbusTCP Protocol

Operation1.5.2: Installing and Configuring an OPC Server

Operation 1.5.3: Installing and Configuring an HMI Operator Console

Operation 1.5.4: Working with a ModbusTCP Simulator

Topics

2.1 Introduction to Wireless Networks (SCADA/Smart Grid)

• Spread Spectrum Technology (used in SCADA and Security Systems)
• 802.15.4 (Zigbee used in SCADA and Smart Grid Systems)

Operation 2.1.1: 900 MHz, 2.4 GHz, and 5.6 GHz RF Spectrum Analysis - LIVE Demonstration using new USB radios

Operation 2.1.2: WiFi and Bluetooth Wireless Discovery

2.2 802.11 WiFi

• History of WiFi and WEP
• WPA and WPA2 (Personal and Enterprise)
• WiFi Scanning (WarWalking, WarDriving, WarChalking, WarCharting, WarKiting, WarBalloning, and WarRocketing)

2.3 Wireless Networks Security Testing

• Detailed description of each step in a WiFi connection from the originating client to the Access Point (with clues to weaknesses in this process)
• Jasager, Interceptor, and Fon Bomb (learning about AUTH and DEAUTH)

Operation 2.3.1: Candidates will observe a working version of Jasager, which showcases a LIVE wireless man-in-the-middle exploit.

2.4 Overview of tests performed against SCADA Systems

• External Penetration Testing (from the Internet)
• Internal Penetration Testing (from the Corporate LAN)
• Vulnerability Assessments (inside the SCADA LAN)
• Wireless Audits
• Annual Testing Cycle (SCADA Security Lifecycle)

2.5 SCADA Vulnerability Assessment Methodology (Passive Approach for Conducting Testing of Live Operational Systems)

• 6-Layer Assessment Methodology

1. Physical Security
2. Network Infrastructure (Switches, Routers, and Firewalls)
3. Assets in the SCADA DMZ
4. Control Room Servers, Workstations, and Applications
5. SCADA Protocols
6. PLC, RTU, DCS, and Embedded Controllers

• Review of Sample Assessment Report Deliverable

Operation 2.5.1: SCADA-Scanning - Candidates will use various tools to scan a live SCADA environment. Objective is to learn about the attack surface of various embedded controllers, telemetry equipment, and applications to discover security weaknesses.

Topics

3.1 SCADA and Smart Grid Vulnerabilities

• SCADA Vulnerabilities from a data set of over 38,000 vulnerabilities from over 150 assessments performed out in the field and in industrial facilities
• Vulnerabilities with new SMART Grid Technology
• Provides a lead into the rest of Day 3 - SCADA Security Testing (Active Techniques)

3.2 SCADA Testing Techniques Recap (Passive Vs. Active)

3.3 Red Team Attack Exercises

• Purpose and Overview of the Red Team Attack
• Structure and Process for a Red Team Attack
• Selecting the Target
• Physical and Cyber Security Teams
• Physical and Cyber Recon
• Gaining Access (Physical and Cyber)
• Obtaining Proof of Access
• USB-based Physical Access Tools

3.4 Introduction to the BackTrack Environment

• A little bit of background on the Linux OS
• Finding your way around BackTrack
• Managing the various BackTrack services
• The Bash environment, text manipulation and scripting

Operation 3.4.1: Several hands-on operations within the BackTrack environment

3.5 Netcat

• Connecting to a port
• Listening on a port
• File transfer
• Remote connection for administration or exploitation

• Bind shell
• Reverse shell

Operation 3.5.1: Several hands-on operations leveraging Netcat as a listener or transmitter of packets for chat sessions, file transfer, or remote administration and exploitation

3.6 External Penetration Techniques

• The role that External Penetration Testing has in securing SCADA and Control Systems
• What to look for with External (public) networks

• The Attacker's Cycle

  • Footprinting, Scanning, Enumeration, Exploitation, Privilege Escalation, Harvesting, Backdoors, Backups, Covering Tracks

• DNS lookup, Netblock, Zone Transfer
• Open Source Intelligence Gathering

• Whois
• Samspade
• Maltego
• Google hacking
• Shodan

Operation 3.6.1: Follow along with several tools for external penetration testing discovery steps (NSLOOKUP, DIG, WHOIS, GOOGLE, SHODAN etc..)

3.7 Internal Penetration Techniques

• The role that Internal Penetration Testing has in securing SCADA and Control Systems
• Active versus Passive Tools

• Overview of Several Tools

  • TCPDUMP, Wireshark, HPING, Ear/Trumpet, NMAP, NCAT, NESSUS

• Video Demos:

• Locating and gaining access to a DCS Operator Console with no knowledge of any usernames / passwords
• Pivoting off of servers in DMZs to then route attacks into process controllers

Topics

4.1 Basic Principals of Computing

• Simple computer architecture
• Different levels of programming languages
• CPU registers
• Execution of a program

4.2 Understanding the Exploitation Process

• Finding bugs
• Replicating the crash
• Controlling the instruction pointer
• Locating space for your Shellcode
• Redirecting the execution flow
• Basic Shellcode creation

4.3 The Metasploit Framework

• An introduction to the Metasploit framework
• Discuss a bit of terminology
• Present the different ways to interface with Metasploit
• Discover the different types of payloads
• Learn about the basic steps of exploitation using MSF

4.4 The Metasploit Framework

• An introduction to the Metasploit framework
• Discuss a bit of terminology
• Present the different ways to interface with Metasploit
• Discover the different types of payloads
• Learn about the basic steps of exploitation using MSF

4.5 Free for All Session

• Discover all SCADA device IP addresses and open ports
• Determine vulnerable services
• Gain presence on some of the devices or cause them to operate in a way they were not programmed
• Exploit other virtual environments available on the local network
• Compete for free prize giveaways for 1st to exploit systems and original and interesting exploitation techniques

Topics

5.1 SCADA DMZ Design and Network Segmentation

• Compare and Contrast insecure and best practice network designs
• DMZ Architectures for SCADA Networks
• Leveraging SCADA DMZ Designs for Additional Security Benefits

5.2 SCADA Remote Access Design Considerations

• Review of insecure methods for remote access and dial-up solutions
• 2-Factor Remote Access Solutions Designed Specifically for SCADA
• Managing Employee, Contractor, and Vendor Access to SCADA

5.3 Deployment of IDS/IPS - Including Custom Signatures

• Where and how to properly deploy IDS and IPS sensors
• IDS / IPS System Tuning
• Where and how to properly deploy IDS and IPS sensors
• HIDS versus Application Whitelisting

5.4 Security Event Monitoring and Logging for SCADA

• Security Event Monitoring - what systems create events/logs?
• SMNP-to-OPC, Syslog, and log aggregation options
• Alert Management - Incident Response

5.5 Overview of Security Frameworks that impact SCADA (NIST 800-53, NIST 800-82, ISA S99, CFATS, NERC CIP)

• Review each of the major SCADA Security Standards and Regulations
• Show how they can map to one all-inclusive security controls matrix
• Map components of the matrix to Physical, Cyber, and Procedural controls

5.6 SCADA Security Product Breakdown

• The SCADA Security product landscape is growing, and some of our clients are confused as to how all of the solutions fit together, do they overlap, where should they be deployed, and are they effective?
• This session breaks down various recent SCADA Security products by where they are typically deployed in the 6 layered model.

5.7 Writing Effective Deliverables

• Making the case - Turning Vulnerabilities Into Recommendations
• Bridging the Gap Between Operations, Engineering, and IT
• Knowing the Audience, and Writing Tips for Reaching Executives