Saturday, January 23, 2016

ICS Holiday Challenge

I was a bit late to the party for the SANS ICS Challenge; I found out about it on the last day before it closed. SANS will be posting on their ICS blog about questions people had a lot of trouble with, but this is my attempt at the challenge. Bear in mind that since I came late to the challenge, these are not officially verified as correct.

The first question was to list 5 kinds of ICS besides SCADA. I am not an ICS expert, although I am learning, so I had to research it. Although SCADA (Supervisory Control And Data Acquisition) is often used as an umbrella term for all industrial control systems, it is only one subset. The other kinds most often mentioned are Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC). However, SANS itself has a document on ICS which describes several other types of control systems: Building Management Systems (BMS), Instrumentation and Control (I&C), and Safety Instrumented Systems (SIS). The differences between all of these categories are a little vague to me, but my best guess for question one is:

  • BMS
  • I&C
  • DCS
  • PLC/PCS
  • SIS
The next question asks us for 10 protocols which are used by ICS; one has to be Ethernet, one has to be wireless, and one has to be serial. I could name Modbus and DNP3 off the top of my head, as they are the most well known protocols. Shodan is an excellent resource for ICS and has a list of several common protocols. EtherNet/IP is listed as an Ethernet protocol, and Modbus/TCP can communicate over Ethernet as well; the original Modbus was a serial protocol. Siemens S7, BACNet, Tridium, HART-IP, and ISO-TSAP are several more ICS protocols, but we still need a wireless one. It turns out HART has a wireless implementation called WirelessHART. This covers all ten protocols. My answers to question 2 are:

  • Modbus
  • DNP3
  • EtherNet/IP
  • ISO-TSAP
  • HART-IP
  • Modbus/TCP
  • WirelessHART
  • Tridium
  • S7
  • BACNet
The third question asks about a secure version of a common ICS protocol, and the common attack scenarios it attempted to address with the added features. I was having a little trouble coming up with an answer for this. I found out that DNP3 has modifications for Secure Authentication, so I'm going to assume that is the correct answer. The secure version of DNP3 was designed to handle spoofing, modification, and replay attacks.
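To make it concrete why a challenge-response design covers those three attack classes, here is a small Python model I wrote for this post; it is not DNP3's actual wire format or any vendor's code, only the idea of a keyed HMAC over a fresh, single-use challenge plus the critical request (the ASDU bytes, key, and truncated 16-byte MAC are constructed assumptions):

```python
import hmac
import hashlib
import os

KEY_LEN = 32
MAC_LEN = 16  # truncated HMAC-SHA256 tag (simplification, not the spec's exact choice)


def compute_mac(key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """MAC binds the request bytes to the outstation's current challenge."""
    return hmac.new(key, challenge + asdu, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Simplified outstation: one fresh challenge per critical request."""

    def __init__(self, key: bytes):
        self.key = key
        self.csq = 0          # challenge sequence number
        self.pending = None   # outstanding challenge, if any

    def challenge(self) -> bytes:
        self.csq += 1
        self.pending = self.csq.to_bytes(4, "big") + os.urandom(4)
        return self.pending

    def verify(self, asdu: bytes, mac: bytes) -> bool:
        if self.pending is None:
            return False      # nothing was challenged, reject
        expected = compute_mac(self.key, self.pending, asdu)
        self.pending = None   # challenge is single use; blocks replay
        return hmac.compare_digest(expected, mac)


def simulate() -> dict:
    key = bytes(range(KEY_LEN))                 # constructed shared key
    asdu = b"\xc0\x05" + b"\x0c\x01\x17\x01\x00\x03" + b"\x01\x00\x00\x00" * 2  # constructed control request
    out = Outstation(key)
    ch = out.challenge()
    mac = compute_mac(key, ch, asdu)
    legit = out.verify(asdu, mac)               # genuine master answers the live challenge
    out.challenge()
    replay = out.verify(asdu, mac)              # captured MAC reused against a new challenge
    ch = out.challenge()
    mac = compute_mac(key, ch, asdu)
    tampered = out.verify(asdu[:-1] + b"\x01", mac)  # request bytes altered in transit
    ch = out.challenge()
    forged = out.verify(asdu, compute_mac(b"\x00" * KEY_LEN, ch, asdu))  # spoofer lacks the key
    return {"legitimate": legit, "replay": replay, "modified": tampered, "spoofed": forged}
```

Running `simulate()` shows only the genuine response accepted; the replayed, modified and spoofed requests all fail, which is the property the page attributes to DNP3 Secure Authentication.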

The next is about the stages of testing conducted between ICS vendors and customers. This would be the Factory Assessment Test (FAT) and Site Assessment Test (SAT). A FAT is conducted by the vendor prior to shipping the product, and they test it to make sure it meets the customer's specifications. A SAT is conducted on site to make sure everything is working properly and in accordance with the specifications.

Then we are asked about the first presidential directive addressing critical infrastructure protection, and when it came out. That would be the Presidential Directive PDD-63, from May 1998.

Next we are asked to identify the information sharing organization established, how many members there are, and two of the members. The Information Sharing and Analysis Center (ISAC) is the organization, there are 24, and they include the Electricity Sector ISAC and the Emergency Management and Response ISAC.

The seventh question is to identify 4 standards or regulations. These would be:

  1. Nuclear Sector Regulation/NSR 5.71
  2. United States Nuclear Regulatory Commission/10 CFR US 73 and 73.54
  3. NERC CIP Standards/CIP 001-009
  4. NEI 13-10
Another question asks for three examples of ICS targeted malware. The obvious one is Stuxnet, the malware which caused the destruction of Iran's nuclear centrifuges. A second example is the BlackEnergy2 malware which was used in the attacks on Ukraine's power grids. A third piece of malware would be HAVEX, which I read about in F-Secure's report.
That concludes all of the 100 point questions in the challenge.

f3n3s7ra
