Ingredients for an ICS Lab: How to Build an ICS Lab from Scratch Part 1

Knowing about OT is a big part of my job these days: while my background includes traditional IT experience from consulting audit firms, I built up an ICS skillset while working with an ICS Network Security Monitoring (NSM) vendor.

Now I help asset owners to defend their systems against intruders, and as part of my ongoing practice, I’ve built Capture the Flag (CTF) exercises for various conferences. But there’s always more to learn; in particular, I want to understand ICS protocols and the uniqueness of ICS assets so that I can better assist in protecting asset owners.

To that end, I’ve decided to build an ICS Lab that will give me hands-on freedom to experiment and run tests.

Approach

There are two approaches to building this ICS lab which I intend to focus on. The first is the simplest and most economical: using a Raspberry Pi, we can simulate the ICS environment with several virtual machines (VMs). While this would be great for some low-level dabbling, I’m interested in something more substantial.

The second approach is to go full ICS: purchase and assemble real ICS Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Needless to say, this produces the full effect of building a real, working ICS environment.

The second approach offers another big advantage over the first in the form of data. Only so much asset inventory information can be obtained from a simulated ICS environment. This limits what the user can practice on, thereby steepening the learning curve once they transition to a real ICS environment.

IT & OT Environment

While an ICS environment is good for demonstrating the effect of attacks on the Purdue Level 2 network, we also want to simulate other Purdue Levels. The Purdue Model – for those who don’t know – is a way to visualize how IT and OT networks intertwine; therefore, we must obtain firewalls, switches, and other IT infrastructure to continue building our lab.

For starters, I’m selecting an ESXi server on the network to house the email server, intranet, and other business applications including IT defensive software. There will also be engineering workstations on the ESXi server assigned to the ICS VLAN.

The ultimate purpose of building all of this is to have multiple attack scenarios and simulations so that my team and I can better learn the risks our clients will face, and how to defend them.

Lastly! Documentation

When building these labs and CTFs, I’ve found that I often forget to document my work after it has been completed. I suggest documenting your work as you progress. I’m generally a busy person and there are entire weeks when I cannot work on this lab.

Without documentation about what I’ve been doing and where I left off, it’s hard to understand my progress or resume building. Documentation also allows us to store a baseline for our network. Once the attack and defensive simulations are complete, the lab can be reverted to its last known stable state.
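One concrete way to keep that baseline is to record the lab inventory as data rather than prose and diff a later snapshot against it, so that a host or listening port left behind by a simulation stands out before the lab is declared stable again. The script below is an added example, not code from the original post; the assets, addresses, MACs and ports are constructed, and the roles and VLAN numbers are assumptions about how such a lab might be laid out.

```python
"""Lab asset baseline: serialize the known-good inventory and diff a later
snapshot against it. Added example; all sample data is constructed."""
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    role: str          # e.g. "plc", "hmi", "eng-workstation", "firewall" (assumed roles)
    vlan: int          # assumed lab VLAN numbering
    open_ports: tuple  # TCP ports observed listening in the last scan


# Constructed sample: the lab as documented at its last stable state.
# 502 is Modbus/TCP, 44818 is EtherNet/IP; the hosts themselves are fictional.
BASELINE = [
    Asset("10.10.2.10", "00:11:22:33:44:10", "plc", 20, (502,)),
    Asset("10.10.2.20", "00:11:22:33:44:20", "hmi", 20, (80, 502)),
    Asset("10.10.2.30", "00:11:22:33:44:30", "eng-workstation", 20, (3389,)),
    Asset("10.10.4.1", "00:11:22:33:44:01", "firewall", 40, (22, 443)),
]

# Constructed sample: what a later scan of the lab reported.
CURRENT = [
    Asset("10.10.2.10", "00:11:22:33:44:10", "plc", 20, (502, 44818)),  # new port
    Asset("10.10.2.20", "00:11:22:33:44:20", "hmi", 20, (80, 502)),
    Asset("10.10.2.40", "00:11:22:33:44:40", "unknown", 20, (445,)),     # new host
    Asset("10.10.4.1", "00:11:22:33:44:01", "firewall", 40, (22, 443)),
]   # the engineering workstation 10.10.2.30 is missing from this scan


def to_json(assets):
    """Serialize the inventory so it can be committed next to the lab notes."""
    return json.dumps([asdict(a) for a in assets], indent=2, sort_keys=True)


def from_json(text):
    """Load a saved inventory; JSON turns tuples into lists, so restore them."""
    return [Asset(**{**d, "open_ports": tuple(d["open_ports"])}) for d in json.loads(text)]


def diff_inventory(baseline, current):
    """Report hosts added, hosts removed and per-host changes (keyed by IP)."""
    base = {a.ip: a for a in baseline}
    cur = {a.ip: a for a in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = {}
    for ip in set(base) & set(cur):
        b, c = base[ip], cur[ip]
        fields = {}
        if b.mac != c.mac:
            fields["mac"] = (b.mac, c.mac)        # same IP, different hardware
        if b.vlan != c.vlan:
            fields["vlan"] = (b.vlan, c.vlan)     # host moved between zones
        new_ports = sorted(set(c.open_ports) - set(b.open_ports))
        if new_ports:
            fields["new_ports"] = new_ports       # service left running by a test
        if fields:
            changed[ip] = fields
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(diff_inventory(from_json(to_json(BASELINE)), CURRENT), indent=2))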


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!

What’s the Difference Between OT, ICS, SCADA and DCS?

Every day, multiple technologies work in the background to make modern life possible. Two of the most important examples include Information Technology (IT) and Operational Technology (OT). While most of us recognize IT as a term that broadly encompasses digital computing, what about OT?

OT can be difficult to understand, but that’s only because most of us are unaware of the nomenclature. In recent times, exciting developments are bringing about a convergence between OT and IT that have big implications for technology and industry.

In this article, we’ll define what it is, and how it relates to other terms.

Operational Technology

OT or Operational Technology encompasses the computing systems that manage industrial operations. This includes monitoring of Oil & Gas, the Electric Utility Grid, manufacturing operations, and more.

Simply put, OT runs the networks that allow common civilized norms to continue like the electricity turning on in your house or the clean running water coming out of your faucet.

Industrial Control System

Industrial Control System (ICS) is an umbrella term that includes both SCADA and DCS. An ICS network can monitor many infrastructure and raw material systems, for instance:

  • Conveyor belts in a mining operation
  • Power consumption in the electric grid
  • Valve pressures in a natural gas facility

ICS networks are mission critical, requiring immediate response and high availability. In many ways, this emphasis represents the main difference between IT and OT/ICS systems. For IT, security is a high priority preserved by the Confidentiality, Integrity, and Availability (CIA) triad. In OT/ICS networks, both integrity and confidentiality come second to availability.

SCADA

Supervisory Control and Data Acquisition (SCADA) is a systems architecture for managing large and complex processes. SCADA systems are normally found in utility providers such as natural gas and electric power transmission, where control functions are distributed over a large geographic area.

SCADA systems consist of three main components:

  1. A central command center consisting of all the servers running the SCADA software
  2. Multiple, remotely located local control systems that directly control and automate process equipment
  3. Communication systems that connect the servers at the central command center to the remote locations

The main purpose of SCADA is data acquisition: the networks consist of multiple remote terminal units (RTUs) that are used to collect data back at the central command center, where they can be used to make high level decisions.

Distributed Control System

Distributed Control System (DCS) is a type of process control system that connects controllers, sensors, operator terminals and actuators. The data acquisition and control functions are performed by distributed processors situated near the peripheral devices or instruments from which data is being gathered.

While DCS and SCADA are functionally very similar, DCS is generally employed at large, continuous processing facilities. Operations are almost always controlled onsite rather than remotely.



A New Security Risk for ICS Controllers: Triton Malware Explained

Over the past few years, we’ve started to see malware specifically developed to target industrial control systems (ICS). Among the most notable of recent culprits are BlackEnergy, Industroyer and Triton. FireEye was the first security firm responding to the Triton incident, and recently published more information about the Triton Threat Actor TTP profile which we will review in this article. 

The Triton Malware 

On April 10, 2019, FireEye confirmed that they were “responding to an additional intrusion by the attacker behind Triton at a different critical infrastructure facility,” following an earlier report from December of 2017.  

As an attack framework built to interact with the Triconex Safety Instrumented System controllers (SIS), Triton was designed and deployed to manipulate industrial safety systems; specifically, it aimed at systems with the privilege to issue emergency shutdowns over industrial processes. 

The malware consisted of two main modules documented by FireEye: trilog.exe and library.zip. Trilog.exe was the main executable that utilized the library.zip, which comprised a custom communication library used to interact with the Triconex controllers.  

[Figure: Triton module overview, courtesy of FireEye]

Anatomy of the Attack 

Lateral Movement  

The attackers were able to gain access to the network’s ICS layer by moving laterally through the IT network. While moving laterally, they were able to achieve what FireEye calls “prolonged and persistent access to the target environment.” The Threat Actors created custom tools to mirror the functionality of open source commodity tools, allowing Triton to masquerade as a legitimate application and thereby evade anti-virus measures or detection. It seems, however, that this method was only employed during critical phases of the attack, or when evading detection was absolutely necessary. 

While moving through the target network, the threat actors utilized many techniques to hide their activities such as:  

  • Renaming their files to appear legitimate 
  • Utilizing native Microsoft Windows tools like RDP and WinRM 
  • Modifying timestamps of their files to blend in with the copious number of files in their payload directories 

This added a further layer of concealment that rendered the security measures in place ineffective.
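Two of the concealment techniques listed above leave traces a defender can hunt for: a renamed binary still has a hash that does not match the system file it imitates, and timestomping tools typically rewrite only the user-settable $STANDARD_INFORMATION timestamps, often to whole-second values, while the kernel-maintained $FILE_NAME creation time keeps the real creation time. The script below is an added example, not code from the original article or from FireEye’s report; the file records, hashes and allow-list are constructed, and the tolerance and heuristics are assumptions a triage analyst would tune for their environment.

```python
"""Triage heuristics for masqueraded and timestomped files on NTFS.
Added example; every record, hash and path below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileRecord:
    path: str
    sha256: str
    si_created: datetime    # $STANDARD_INFORMATION creation time (user-settable)
    fn_created: datetime    # $FILE_NAME creation time (maintained by the kernel)
    si_modified: datetime   # $STANDARD_INFORMATION last-modified time


def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed allow-list: the hashes a baseline or EDR would hold for these names.
KNOWN_GOOD = {
    "svchost.exe": {"a" * 64},
    "conhost.exe": {"b" * 64},
}

# Constructed sample records (not real forensic data).
SAMPLE = [
    # genuine system binary: hash matches, timestamps agree, sub-second precision
    FileRecord(r"C:\Windows\System32\svchost.exe", "a" * 64,
               ts("2018-03-01T10:00:00.123456"), ts("2018-03-01T10:00:00.123456"),
               ts("2018-03-01T10:00:00.123456")),
    # masquerade: system name in an odd location, unknown hash, stomped times
    FileRecord(r"C:\Users\Public\svchost.exe", "c" * 64,
               ts("2016-07-16T00:00:00"), ts("2019-04-02T14:22:31.550011"),
               ts("2016-07-16T00:00:00")),
    # timestomped only: $SI creation predates $FN creation by years
    FileRecord(r"C:\ProgramData\temp\update.dll", "d" * 64,
               ts("2017-01-05T09:12:00"), ts("2019-04-02T14:25:07.110020"),
               ts("2017-01-05T09:12:00")),
    # benign user document
    FileRecord(r"C:\Users\op\report.docx", "e" * 64,
               ts("2019-04-01T08:00:12.300000"), ts("2019-04-01T08:00:12.300000"),
               ts("2019-04-01T09:10:44.510000")),
]


def timestomp_indicators(rec, tolerance_s=2):
    """Return the reasons a record looks timestomped (empty list if none)."""
    reasons = []
    # $FN creation cannot normally be later than $SI creation of the same file.
    if (rec.fn_created - rec.si_created).total_seconds() > tolerance_s:
        reasons.append("si_created predates fn_created")
    # Many tools set times with second resolution; genuine NTFS times rarely
    # land on exactly .000000 for both fields at once.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second precision on $SI timestamps")
    return reasons


def masquerade_indicators(rec):
    """Flag a file named like a known system binary whose hash is not allow-listed."""
    name = rec.path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_GOOD and rec.sha256 not in KNOWN_GOOD[name]:
        return ["system binary name with unknown hash"]
    return []


def triage(records):
    """Map each suspicious path to the list of indicators that fired."""
    findings = {}
    for rec in records:
        reasons = timestomp_indicators(rec) + masquerade_indicators(rec)
        if reasons:
            findings[rec.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

The whole-second heuristic produces false positives for files copied from FAT volumes or certain installers, so it is a prioritization signal rather than proof; the $SI-before-$FN comparison is the stronger of the two, and both are most useful when combined with the allow-list check so that a renamed tool in an unusual directory rises to the top of the queue.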

Persistence 

According to FireEye, the Threat Actors maintained a persistent presence on the target networks since 2014 at the latest. The actors demonstrated an interest in the OT network and spent time researching, developing, and weaponizing OT assets for their own purposes. Apparently, custom tools were used to maintain this persistent state, hearkening back to the methods used for lateral movement and evasion of detection. 

Asset Owners Need to Prepare 

ICS-targeted attacks have gained a discouragingly high profile in recent years. The IT and OT convergence has already happened, and in response, diligent asset owners must prepare for malware threatening both their IT and OT networks. 

BlackEnergy affected human machine interfaces (HMIs), Industroyer manipulated remote terminal units (RTUs) and Triton affected programmable logic controllers (PLCs), showing vulnerabilities at every level of the ICS stack. If threat actors are learning from each other, it seems that – between these three attacks – they have developed a comprehensive understanding of OT networks.

Asset owners can prepare by doing routine assessments and audits of their IT and OT networks. Performing Red Team exercises, a more targeted assessment than a penetration test, could also help Asset Owners understand possible methods of evasion and how to detect them.  

It is important to note that Triton did not adhere to the MITRE ATT&CK framework. Not all threat actors follow this framework, but we utilize it to help build asset owners’ defenses. Once they are comfortable, we utilize non-framework techniques to test asset owners’ defensive capabilities against threat actors.



Ransomware ‘LockerGoga’ Disrupting Industrial Operations

It has recently been reported that a new breed of ransomware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. The malware ‘LockerGoga’ has, within the past few weeks, infiltrated the Norwegian aluminum manufacturer Norsk Hydro. Because of this incident, the organization was forced to execute their business continuity and cybersecurity incident response plans.

In recent history, LockerGoga has hit two other manufacturing companies, Hexion and Momentive. For Momentive, LockerGoga led to a global IT outage that left the company to decommission their infrastructure and start anew.  

According to a FireEye report, a new strain of LockerGoga has been forcing systems to shut down entirely, locking user accounts, and making it difficult for organizations to pay the ransom. It is not yet known how attackers are gaining access to the victims’ networks, but evidence shows that their targets’ credentials were known prior to the intrusion. 

Anatomy of An ICS Attack 

Attackers may be utilizing phishing attacks to gather credentials in a campaign prior to accessing the victim’s network. Once they have access, they use common, open-source tools like Metasploit and Cobalt Strike to move laterally throughout the network. While moving towards the ICS layer of the network, password scrapers like Mimikatz are used to extract cleartext and hashed passwords from memory to gain escalated system privileges.

After they have attained Domain Administrator – the highest privilege for network users – they utilize Microsoft Active Directory tools to deploy their ransomware on target machines. Payloads are signed to appear legitimate prior to execution of the code that encrypts files, blocking an organization from access unless they pay up. The attackers also kill processes to forcibly disable antivirus on the target machines.

The newest strain of LockerGoga has been disabling network adapters attached to organizational computers, removing them from the network. This forces the system to cease any communication, causing widespread network disruptions.  
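The step in this chain that is most visible to a defender is the fan-out: once a Domain Administrator account is used to push the payload, one account logs on to many hosts, including ICS-side ones, within minutes. The script below is an added example, not code from the original article or from the FireEye or Talos reports; it runs a sliding-window check over constructed Windows 4624 (successful logon) records, using logon type 3 (network) and 10 (RemoteInteractive) as the remote-logon types, and the account names, hostnames and thresholds are assumptions.

```python
"""Detect one account fanning out across many hosts in a short window,
the pattern a Domain Admin-driven ransomware deployment produces.
Added example; the log lines are constructed, not real events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: accounts that should never perform a burst of remote logons.
PRIVILEGED = {"CORP\\da-backup"}

# Constructed records: time, event id, account, source host, target host, logon type
LOG = """\
2019-03-18T22:01:05 4624 CORP\\da-backup WS-IT-07 DC01 3
2019-03-18T22:01:09 4624 CORP\\da-backup WS-IT-07 FILE01 3
2019-03-18T22:01:12 4624 CORP\\da-backup WS-IT-07 HMI-01 10
2019-03-18T22:01:15 4624 CORP\\da-backup WS-IT-07 ENG-WS-02 3
2019-03-18T22:01:20 4624 CORP\\da-backup WS-IT-07 HIST-01 3
2019-03-18T22:01:25 4624 CORP\\da-backup WS-IT-07 PLC-GW-01 3
2019-03-18T08:15:00 4624 CORP\\jsmith WS-IT-12 FILE01 3
2019-03-18T08:17:00 4624 CORP\\jsmith WS-IT-12 MAIL01 3
2019-03-18T13:00:00 4624 CORP\\da-backup WS-IT-07 DC01 2
"""

REMOTE_LOGON_TYPES = {"3", "10"}   # network and RemoteInteractive (RDP)


def parse(line):
    """Split one constructed record into a dict; real logs need a proper parser."""
    when, event_id, account, source, target, logon_type = line.split()
    return {
        "time": datetime.fromisoformat(when),
        "event_id": event_id,
        "account": account,
        "source": source,
        "target": target,
        "logon_type": logon_type,
    }


def detect_fanout(lines, window=timedelta(minutes=5), max_hosts=4):
    """Alert when an account reaches more than max_hosts distinct targets
    via remote logons inside any window-sized span of time."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["time"])
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] in REMOTE_LOGON_TYPES:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {start["target"]}
            j = i + 1
            while j < len(evs) and evs[j]["time"] - start["time"] <= window:
                hosts.add(evs[j]["target"])
                j += 1
            if len(hosts) > max_hosts:
                alerts.append({
                    "account": account,
                    "first_seen": start["time"].isoformat(),
                    "hosts": sorted(hosts),
                    "privileged": account in PRIVILEGED,
                })
                break   # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(LOG.splitlines()):
        print(alert)
```

The threshold of four hosts in five minutes is deliberately low for a lab; in production it is tuned per account class, so that a known deployment or backup account has its own allow-listed baseline while any other privileged account crossing from IT hosts to HMI or engineering workstations fires immediately.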

A New Breed 

It’s worth noting that LockerGoga is different from previous ransomware that has affected ICS systems. NotPetya utilized less extreme methods of disrupting operational processes, but it did showcase that malware could be created to migrate laterally through the network autonomously.

Although LockerGoga has some manual direction from the attackers, it is more precisely targeted than NotPetya. Crucially, this attack is not limited to ICS organizations; it is also infecting other industries through crimes of opportunity. Any network that has publicly exploitable vulnerabilities may end up as a victim.

Takeaway  

Norsk Hydro fell victim to LockerGoga, but had never included a Cybersecurity Incident Response Plan (CIRP) in their Business Continuity Plan (BCP). This led to a longer recovery time because they were unsure how to proceed. Organizations should include a CIRP in their BCP and plan to undergo routine vulnerability assessments and penetration tests of both their IT and ICS networks. If you fail to plan, then you plan to fail.

Resources:

https://www.hydro.com/en-US 

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html 

https://blog.talosintelligence.com/2019/03/lockergoga.html

