Cyber Security Assessment of Mission Critical SCADA Systems

March 19, 2012 (at 10 a.m.)

In this workshop we will explore key aspects involved in the assessment of the security posture of SCADA systems that are used to operate machines, such as the electric grid, that are designed for continuous operation. No prior knowledge of such critical infrastructure is required and the introduction to this class of system could well be eye opening to seasoned penetration testers. Traditional approaches to Assessments will be presented with the balance of the workshop providing an introduction to security processes developed by Edmond Rogers and Sergey Bratus in their experiences penetration testing critical infrastructure. There will be discussions on the use of well-known tools and considerations that should be made before using such tools on SCADA networks. To end the workshop, there will be a discussion of mitigation used for SCADA control networks.


Introductions and Overview of Scada Systems (1 Hour)

Performing Best Practice Assessments of Critical Systems (2 hours)

Presentation of Vulnerability Assessment Methodology as linked above

Discussion of Tools used to perform testing. (1 hour)

Recon Tools * Wireshark * Nmap * Kismet * NetAPT * Zigbee Tools (Sergey’s toolkit)

Active Probing * Man in the middle (Arp Poisioning): Ettercap & Arp-sk * Scapy * NfQueue * Metasploit * Fuzzers

Lunch break

Differences between penetration testing and vulnerability assessment (1 Hour)

Using traditional tools in a mission critical network * Using test networks * Scanning Representative systems * Engaging Operations

Field testing man in the middle against live SCADA protocols (Sergey) * ICCP * Others

Fuzzing protocols Q and A.

Examples from previous engagements (Closed Session, 1hour)

Mitigations for SCADA systems (1 Hour)

Use of IPSec * Advantages of IPSec * Disadvantages of IPSec * IPSec redefines the attack surface * How to address devices that do not support IPsec

DMZ Setups * Only allow traffic outbound to DMZ * Connections should not be allowed to initiate outside the protected network

Use of Traditional Methods (And their value) * IDS and IPS * Anti-virus * Host based software

Denouement (1 hour)

Beer and Whiskey

Sergey Bratus

Sergey Bratus is a Research Assistant Professor the Computer Science Dept. at Dartmouth College. His research interests include designing new operating system and hardware-based features to support more expressive and developer-friendly debugging, secure programming and reverse engineering; Linux kernel security (kernel exploits, LKM rootkits, and hardening patches); data organization and other AI techniques for better log and traffic analysis; and all kinds of wired and wireless network hacking.

Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.

Edmond Rogers

Edmond Rogers is a Smart Grid Cyber Security Engineer at the University of Illinois Information Trust Institute. His research efforts focus on assessment of electric grid SCADA systems. Prior to his tenure at the university Edmond was a Security Analyst at a fortune 500 utility in the Midwest of the United States.