CompTIA CYSA+ CS0-002 – Specialized Technology Part 2

4. ICS & SCADA Vulnerabilities (OBJ 1.5)

ICS and SCADA vulnerabilities. So at this point we’ve talked about a couple of pieces inside embedded systems and a lot of these things are going to be put together into an ICS or SCADA network. Now before we dive into that, let me first take a step back and talk about the type of technology we’re talking about here. Now in general we work in It, which is information technology. That’s our standard Windows computers and network and things like that. But when we start talking about ICS and SCADA, we are talking about OT, which is operational technology. This is a communications network that’s designed to implement an industrial control system rather than data networking.

So here we’re really not talking about end user machines, we’re not talking about having a Windows Ten host sitting on this network. Instead with OT, we’re talking about things that using technology and computers to be able to do things in the physical world, like open or shut a valve, like do manufacturing, like create power generation in a power plant, things like that. So if I look here, for instance, this is what OT looks like. Usually they look like big cabinets with dials and gauges and buttons. So if I wanted to open or shut different valves or turn on or off different pumps, I would push the different buttons on that diagram on the front of that cabinet. Instead of using something like a Windows machine and using the command like Start, open, valve enter.

Right? This is a different way of thinking. Now, you can still have computers like Windows computers that can talk to these networks if you integrate the two, but you don’t have to. A lot of OT can just be done in a manufacturing plant using systems like this. Now when we deal with industrial control systems, these are going to prioritize availability and integrity over confidentiality. So if we talk about the CIA Triad, normally in It here we’re really talking about the AIC triad. Availability is paramount. And this makes sense if you think about it, because OT was originally designed to do manufacturing and anytime the plant was down, we weren’t making money. So for them availability was everything. Also, the plant didn’t talk to the Internet originally.

It was all within the borders of the plant. And so we had that physical boundary. So confidentiality wasn’t as big of a deal because we trusted the people working for us. So availability was much more important. So now that we’ve got an introduction to operational technology, let’s talk specifically about three key areas. I’ve already talked about the terms ICS and SCADA, and we’re also going to talk about modbus. Now, let’s start with ICS. ICS is an industrial control system. When you hear ICS, this is essentially just a network that manages embedded devices. So if I work in some place like an electrical power station or a water supplier, or I work in a hospital doing health services, I might work in telecommunications, in the backbones, I might work in manufacturing or in defense needs.

All of these things use ICS. They all use this operational technology using these industrial control systems. For instance, if you’re driving a US Navy warship, there are a ton of ICS and SCADA systems on those things because you essentially have a power plant on board, you have the engines on board and all of that stuff is essentially a big manufacturing plant and it has similar components to that. And so those things all run on ICS and SCADA as well. Now, one of the things that ICS uses is what’s known as Field bus. Field bus is a digital serial data communications that are used in operational technology networks to link different PLCs together. So we talked about those PLCs in a previous lesson, right? I might have a Plc that opens and shuts this valve to lit more gas into the engine so that we can go faster on a ship, for instance.

Well, that is just one Plc, but I might have another Plc that opens and shuts a breaker that allows electricity to go to a different part of the ship. If I want to connect all those things together, I need a way to do it. And that’s what we use field bus for. It’s this digital serial data communications that we use to link all these things together there. Now another thing we have to be able to do is we need to be able to talk to these machines and tell them what to do. And that’s where we use an HMI, a human machine interface. This is the input and output controls on a Plc that allows a user to configure and monitor the system. So when I’m trying to tell the system to do something like open a valve, I need a way to give it that input.

I can do that by pushing a button that could be a human machine interface. Or I can open that valve on a touch screen by tapping it and saying open. These are all different ways I can interface with it. Now, ICS is all about managing process automation by linking together these PLCs, using the field bus to make changes in the physical world. I want to open a valve, I want to start a motor, those kind of things. Now, I, as a human, need to be able to see what the machine is doing by reading gauges or other screens and be able to give input into the machine of what I want to do by pushing buttons, turning knobs, entering keystrokes, or even using a touchscreen.

So for example, here if I worked in a hospital, I might have a human machine interface that’s a flat panel screen and I can touch it and tell it what I want to be done. This way this panel can then send the information to that machine to do what it needs to do. In this case, it’s a radiography machine that’s going to take an X ray. This also has PLCs connected to it within a control loop. And that whole process automation system is governed by some kind of a control server. This is how all this stuff ties together. Now, one of the other things we have to think about is having some way to know what all these systems have done in the past, because if we’re doing an instant response, we only be able to figure all that out.

And so as a cyber security analyst, one of the things you want to look for is the data historian. Now, the data historian is a software that aggregates and catalogs data from multiple sources within an industrial control system. Now again, as an analyst, this is important for you to know because if you’re working in a place that has an industrial control system, you want to find out where the data historian is and how you can use it because that’s going to have valuable information for you. All right, so now that we’re done talking about ICS, let’s focus on the second part of this lesson, which is all about SCADA. SCADA is the supervisory control and data acquisition. This is a type of industrial control system.

So it’s a type of ICS that manages large scale multisite devices and equipment spread over a geographic region. So when I’m talking about ICS, I’m looking at one plant. When I talk about SCADA, I’m talking about multiple plants. That’s really the way I like to distinguish these two. So when you deal with SCADA, this typically runs as software on ordinary computers and it gathers data and manages it across the different plant devices and the different equipment that has embedded PLCs. So when you’re dealing with SCADA, it typically is going to use some kind of a wide area network connection.That could be cellular, that could be microwave, that could be satellite, whatever you want to use.

And then they’re all going to link back to those field devices back to the central SCADA server. So I mentioned earlier, I have a smart meter on my house. They don’t have to come out once a month and read my electrical meter to know how much to bill me. Why don’t they have to do that? Because it’s part of a SCADA network and all the houses in my area are part of that SCADA network. They have a cellular chip in there and it takes that reading once a month, sends it back over cellular as a text message or data format, whatever they use to their SCADA server, collates that information, passes it to the billing system, and then I get a bill. That’s how SCADA can be used in the real world.

Now the third part of this we need to talk about was modbus. Now, because ICS and SCADA are really focused on operational technology, they don’t have to use things that we only use in the It world but they have to have a way to communicate with each other and Modbus is that way. Modbus is a communications protocol that’s used in operational technology networks so in our It networks, what do we usually use? TCP IP. Right. Well, we don’t have to use that inside these OT networks and often we don’t. Modbus is instead what we use. So Modbus is going to give the control servers and the SCADA host the ability to query and change configurations of each Plc.

Now, this is important to know because this is more of a proprietary protocol it looks different than TCP IP so if you’re trying to do an instant response and you think somebody’s in your ICS SCADA network and you’ve been studying how to do TCP IP your entire life, are you going to know what you’re looking at? Most likely not. And then that’s why there are experts in ICS and SCADA systems, because it is a different way of thinking, it is a different way of communicating, and they use a different protocol. So keep that in mind. If you’re dealing with an ICS or SCADA network, it is different, and you have to follow different ways of doing things, because a lot of your normal tools that you would use for ethernet and TCP IP either won’t work or they could cause damage.

5. Mitigating Vulnerabilities (OBJ 1.5)

Mitigating vulnerabilities. So we’ve talked about a lot of specialized systems here, especially in the ICS and SCADA world. And so the question is, how do you start mitigating some of these vulnerabilities? Well, the go to guide for this is going to be the NIST special publication 882. Now again, this is a good read if you happen to work in a manufacturing environment or someplace that uses ICS and SCADA. Now, you don’t have to read this entire guide yourself because I’m going to give you the four key controls for Mitigating vulnerabilities in specialized systems and this is really what you need to know for the exam.

But again, if you’re working in an environment that is automation and manufacturing and you have ICS Gada systems, this entire guide is a great read for you in the real world. Now, the first thing we want to talk about is how you can establish administrative control over operational technology networks. The best way to do this is by recruiting staff who have expertise with these things because as I said, these are not your normal It networks. I am really knowledgeable when it comes to It networks, but I am not really knowledgeable when it comes to ICS and SCADA networks in the OT realm. I’ve done a little bit of work with them, but just enough to be dangerous. So you wouldn’t want to hire me for that.

Instead, you want to find people who know what they’re talking about when it comes to OT. O T is a different beast. And so you want to make sure you get somebody who understands SCADA and ICS and PLCs and FPGAs and all the stuff we’ve been talking about the last couple of lessons. These are specialists and they are worth the money to have on staff, especially if you’re running a big manufacturing plant. The second big tip, you want to make sure you’re implementing the minimum network links by disabling any unnecessary links, services and protocols. Essentially, when you have an operational technology network, you want to eliminate it from all of the rest of the networks as much as possible. We want to cut those links.

We want to disable services. So if I have a manufacturing plant, I should have two networks my corporate network, the It network and the plant network, the OT network. If there’s any connection between those two, it should be very minimal and should be heavily monitored. The third thing we want to talk about is how we can develop and test a patch management program for operational technology networks. Again, these OT networks are different than our information technology networks. You can’t just go ahead and use your Microsoft Sccm servers. That’s not going to work for you. So you want to make sure you understand what options you have and how you’re going to do a patch management program.

Remember, these are things unlike PLCs, they have firmware that needs to be upgraded. Sometimes that’s going to require maintenance windows. That’s going to require downtime. You need to have a process of how you’re going to do this, and that’s why it’s important to develop and test your patch management program. And then the fourth thing we need to think about is how we’re going to perform regular audits of logical and physical access to these different systems so that we can detect possible vulnerabilities and intrusions. Now, this isn’t going to be as easy as hooking up nests to the network and doing a scan. You’re going to have to have specialists who know what they’re looking for when they’re scanning these areas.

Also, big word of warning here your enumeration tools and vulnerability scanners. They can cause a lot of problems on operational technology networks. Generally, if you’re trying to do scanning of an operational technology network, you are not going to be doing active scanning. Instead, you’re going to hook up something like wireshark, you’re going to do packet capture, and then using that passive analysis of that network traffic, you’ll be able to identify those devices to do your enumeration, or you’ll be able to use that passive analysis to start figuring out what vulnerabilities you may have inside your network.

• Category: Uncategorized