How to get started in Industrial Control Systems (ICS) cyber security

Intro

Last year I made a switch from Application Security in Banking, Insurance & Finance domain to a Penetration Tester profile in Energy, Solar & Industrial Automation. I was overwhelmed with how huge the cyber security landscape is within Industrial Control Systems (ICS) world. In this post, I’m going to describe my transition journey. I’d like to state that views expressed in this post are my own and not that of my employer.

How I started

My past experience in application and network security helped me quickly find my feet in this new domain but there was a lot more to learn and to come up to speed with my fellow colleagues. I quickly spent long hours searching online on topics I needed to know of, reading blogs and research papers, watching conference talks and doing hands-on at home and at office to acquire skills to do my job better.

What’s there to learn

Operational Technology (OT) is a term for usage of computing systems for management and monitoring of industrial processes. These processes include manufacturing & mining operations, oil & gas and power generation monitoring, etc. and they can be continuous, batch, discrete or hybrid in nature.

ICS consists of systems that monitor and control processes such as bottle filling & packing operations, managing conveyor belts, measuring power generation & consumption at a power grid, building automation process, etc. In short, ICS provides high availability & efficiency to vital applications in critical environment for e.g. nuclear power plants, national electricity grids, etc.

Supervisory Control and Data Acquisition (SCADA) is an automation control system that gathers data in real time, aides in equipment controls and monitor conditions in an industrial environment. It involves use of sensors, actuators, Programmable Logic Controller (PLC), Remote Terminal Units (RTU), Distributed Control System (DCS), etc.

PLC is a device that is programmed to perform above mentioned processes with high efficiency and time criticality. At a macro level, below is a rough depiction that summarizes the landscape.

OT/ ICS terms are sometime used interchangeably. Now that some basic terminologies and explanation is covered, lets deep dive.

Compare to modern Information Technology (IT), OT world is still catching up including IT-OT convergence. Inferring from the ICS CERT Advisories, one can observe that low hanging but critical issues such as buffer overflows, improper session management, hard-coded credentials, improper access control, etc. are present in many applications and devices deployed in the ICS environment.

At a micro level, a typical security assessment is performed on devices such as PLC, Industrial Internet of Things (IIoT) device, gateway device, etc. and involves their related software components such as configuration tool, mobile application, firmware, cloud application, etc.

OT is deployed in myriads of industries such as mining and manufacturing, electrical and power grids, oil and gas to name a few. SCADA systems in each of these industries use various protocols to communicate, monitor, diagnose and control devices and equipment. In a typical ICS system, following protocols are widely used Modbus, PROFINET, DNP3, Common Industrial Protocols (CIP) such as EtherNet/IP, BACnet and HART. For a more detailed list of automation protocols, check this link.

A device using these protocol(s) undergoes a process of fuzzing to test the robustness and ability of the protocol stack/driver along with potential abuse such as causing Denial of Service (DoS), etc. thereby affecting the availability of the device. One can use open source protocol specific fuzzers or commercial fuzzing tools or even develop one’s own fuzzer to test the device. Reliably high availability of a device is an important factor in ICS. A minute of downtime or even few seconds of intermittently induced delays can be hazardous in the overall security posture of the application.

Besides above protocols, a device may also support commonly used IT protocols such as FTP, SSH, HTTP/S, SNMP, Telnet, SSL/TLS and sometimes product specific services running on custom ports. These have to be audited too as part of the security assessment. Some helpful references are PTES and OWASP.

Many of the industrial devices such as PLCs have to be configured accordingly before deploying it to the production environment. ICS vendors provide configuration tools and utilities for their corresponding devices that are mostly thick client applications. Here’s a link to know what to look for when testing thick client application.

One has to become thorough with reverse engineering binary files and protocols. Having coding knowledge will be of great use. Learning basics of PLC programming languages such as Ladder Logic or Structured Text will be handy. Also, having basic understanding of Bluetooth and Wi-Fi attack surface is useful. All of these will help you develop a better offensive mindset when reviewing threat models, design and auditing products.

Where to learn from

There are tons of content scattered all over the internet and is just an online search away. I have got lost many times following the rabbit holes. Some of the content that helped me is listed below. Your mileage may vary.

YouTube

• DEF CON 24 Internet of Things Village — Elvis Collado — Reversing and Exploiting Embedded Devices
• Introduction to Firmware Reversing
• Pentesting Hardware And IoT by Mark Carney
• HITBGSEC 2015 — Marina Krotofil — Hacking Chemical Plants for Competition and Extortion
• 30c3 — Hardware Attacks Advanced ARM Exploitation and Android Hacking
• DEF CON 26 — Thiago Alves — Hacking PLCs and Causing Havoc on Critical Infrastructures
• DEF CON 17 — Travis Goodspeed — Locally Exploiting Wireless Sensors
• 34C3 — SCADA — Gateway to (s)hell
• Reverse engineering with #Ghidra: Breaking an embedded firmware encryption scheme
• Black Hat USA 2012 — SQL Injection to MIPS Overflows: Rooting SOHO Routers
• Secure Coding Practices for PLC’s
• Project Basecamp — PLC Hacking Intro
• ICS Security Assessment Methodology, Tools & Tips
• Attack Surface in ICS
• Cheng Lei — Attacking PLCs by PLC in deep
• 4SICS 2015 Main Stage Panel day 2 Research on ICS attacks and ICS attackers
• Integrated Circuit Offensive Security | Olivier Thomas from Texplained | hardwear.io USA 2019
• From Bluetooth Standard to Standard Compliant 0-days | Daniele Antonioli | Hardwear.io Virtual Con

Blog posts & Research papers

• Hacking Connected Home Alarm Systems — The Cheap [Part 1] — NVISO Labs
• IOT Security — Introduction to embedded hardware hacking
• http://www.devttys0.com/
• https://www.pentestpartners.com/hardware-hacking/
• https://www.tenable.com/blog
• https://ioactive.com/resources/ics/
• https://blog.talosintelligence.com/
• https://www.automation.com/
• A collection of resources for getting started in ICS SCADA cyber security
• https://www.osti.gov
• Access Control Attacks on PLC Vulnerabilities
• On Ladder Logic Bombs in Industrial Control Systems
• PLC Ransomware
• Guide to Industrial Control Systems (ICS) Security
• Build a cyber security program for industrial control system

Books

• Hacking Exposed Industrial Control Systems ICS and SCADA Security Secrets & Solutions
• Industrial Network Security
• IoT Penetration Testing Cookbook
• Industrial Cybersecurity: Efficiently secure critical infrastructure systems

Advisory

• https://www.us-cert.gov/ics/advisories
• https://ics-cert.kaspersky.com/
• https://cert.vde.com/en-us/

Conferences

• S4 (USA)
• CS3Sthlm (Sweden)
• DEFCON ICS Village (USA)
• Black Hat (USA/EU/Asia)
• Chaos Computer Club [CCC] (Germany)
• SANS ICS Security Summit (USA)
• Hack In the Box (Singapore/Amsterdam/Abu Dhabi)
• Hardwear.io (The Netherlands)

The above resources are just a tip of the iceberg of great learning content available online. I kept it short because ICS cyber security landscape is huge but this should help you get started.

I’d like to express my gratitude to Prashanth AC who gave me the opportunity to start in ICS cyber security.

Outro

The goal of the write-up is to help students and professionals looking to move into ICS cyber security space to get an insight into what to look for and prepare. I intend to cover more ICS related topics in-depth in future blog posts. If there is anything you want me to write on specifically, do drop a comment.

Also, I am not an expert but just another person who is trying to learn and come up in this field. If I have missed something and you want to bring to my attention or something that you found helpful during your journey in ICS cyber security, kindly let me know. I am open for constructive feedback. Thank you for your time.