In this workshop we will explore key aspects involved in assessing the security posture of SCADA systems that are used to operate machines designed for continuous operation, such as the electric grid. No prior knowledge of such critical infrastructure is required, and the introduction to this class of system could well be eye-opening to seasoned penetration testers. Traditional approaches to assessments will be presented, with the balance of the workshop providing an introduction to security processes developed by Edmond Rogers and Sergey Bratus in their experience penetration testing critical infrastructure. There will be discussion of the use of well-known tools and of the considerations that should be made before using such tools on SCADA networks. To end the workshop, there will be a discussion of mitigations used for SCADA control networks.
Presentation of Vulnerability Assessment Methodology as linked above
Recon Tools
* Wireshark
* Nmap
* Kismet
* NetAPT
* Zigbee Tools (Sergey’s toolkit)
Active Probing
* Man in the middle (ARP poisoning): Ettercap & Arp-sk
* Scapy
* NFQUEUE
* Metasploit
* Fuzzers
Using traditional tools in a mission-critical network
* Using test networks
* Scanning representative systems
* Engaging Operations
Field testing man in the middle against live SCADA protocols (Sergey)
* ICCP
* Others
Fuzzing protocols
Q and A
Use of IPsec
* Advantages of IPsec
* Disadvantages of IPsec
* IPsec redefines the attack surface
* How to address devices that do not support IPsec
DMZ Setups
* Only allow traffic outbound to the DMZ
* Connections should not be allowed to initiate from outside the protected network
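The DMZ rule above, as an added example that is not part of the workshop material: a small stateful-policy model that accepts a connection initiation only when it originates in the protected control network and is destined for the DMZ, accepts return traffic for connections already established, and drops every other initiation. The same policy is also rendered as an nftables forward chain. The network ranges, port allowlist and sample flows are constructed for illustration; the page names none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing; the workshop page names no networks.
CONTROL_NET = ip_network("10.10.0.0/16")    # protected SCADA control network
DMZ_NET = ip_network("192.168.100.0/24")    # DMZ between control and corporate side
# Constructed allowlist of DMZ services the control network may initiate to
# (for instance pushing historian data out to a DMZ replica).
DMZ_SERVICES = {443, 5432}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a stateful firewall would see it."""
    src: str
    dst: str
    dport: int
    state: str  # "new" = connection initiation, "established" = matched an existing conntrack entry


def decide(flow: Flow) -> str:
    """Return ACCEPT or DROP under the DMZ policy from the agenda:
    only the protected network may initiate, and only towards the DMZ."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Return traffic for a connection that was legitimately initiated is allowed;
    # the firewall's connection tracker, not the packet, decides what is "established".
    if flow.state == "established":
        return "ACCEPT"
    # Initiation is permitted solely control network -> DMZ on allowlisted ports.
    if src in CONTROL_NET and dst in DMZ_NET and flow.dport in DMZ_SERVICES:
        return "ACCEPT"
    # Everything else that tries to open a connection is dropped: DMZ -> control,
    # corporate/Internet -> control, and control -> anywhere that is not the DMZ.
    return "DROP"


def audit(flows):
    """Apply the policy to a batch of flows and return those that would be dropped,
    which is what a reviewer wants to see when checking a proposed rule change."""
    return [f for f in flows if decide(f) == "DROP"]


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward chain with a default drop policy."""
    ports = ", ".join(str(p) for p in sorted(DMZ_SERVICES))
    return "\n".join([
        "table inet scada_dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {CONTROL_NET} ip daddr {DMZ_NET} tcp dport {{ {ports} }} ct state new accept",
        "  }",
        "}",
    ])


# Constructed sample flows, labelled with the expected decision.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "192.168.100.10", 443, "new"),          # control -> DMZ: ACCEPT
    Flow("192.168.100.10", "10.10.1.5", 443, "established"),  # reply to the above: ACCEPT
    Flow("192.168.100.10", "10.10.1.5", 22, "new"),           # DMZ initiating to control: DROP
    Flow("203.0.113.7", "10.10.1.5", 502, "new"),             # outside -> control (Modbus/TCP): DROP
    Flow("10.10.1.5", "203.0.113.7", 443, "new"),             # control -> Internet, bypassing DMZ: DROP
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{decide(f):6} {f.src} -> {f.dst}:{f.dport} ({f.state})")
    print(nftables_ruleset())
```

The model deliberately has no "accept DMZ -> control" branch at all: a host that must receive data from the DMZ (a historian, for instance) should poll outward on an allowlisted port rather than listen, which is what keeps the protected network's attack surface at zero inbound initiations.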
Use of Traditional Methods (and their value)
* IDS and IPS
* Anti-virus
* Host-based software
Sergey Bratus is a Research Assistant Professor in the Computer Science Department at Dartmouth College. His research interests include designing new operating system and hardware-based features to support more expressive and developer-friendly debugging, secure programming and reverse engineering; Linux kernel security (kernel exploits, LKM rootkits, and hardening patches); data organization and other AI techniques for better log and traffic analysis; and all kinds of wired and wireless network hacking.
Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.
Edmond Rogers is a Smart Grid Cyber Security Engineer at the University of Illinois Information Trust Institute. His research efforts focus on the assessment of electric grid SCADA systems. Prior to his tenure at the university, Edmond was a Security Analyst at a Fortune 500 utility in the Midwest of the United States.