These are my attempts at the level 200 questions of the SANS ICS Challenge.
The first question is about ICS Security models.
- In the Purdue Enterprise Reference Architecture, what level is an Operations network or manufacturing zone found at, and what level are sensors and actuators found at?
The Purdue reference model looks like the image above. The Operations network exists at level 3, and the actual sensors and actuators are on level 0.
- For the Defense in Depth model, what zone should always exist at a minimum between control systems and the internet, and unauthenticated internet accessible control systems are what?
Defense in Depth is a traditional approach to security, although there is an argument to be made that it is a flawed model. At a minimum there should always be a firewall between the control systems and the internet; better still would be a full-fledged DMZ with IDS and IPS systems. Unauthenticated internet-accessible control systems are a terrible idea and should be considered compromised.
- What are the 4 phases of the Active Cyber Defense Cycle (ACDC), and what phase has been noted to excel in ICS networks?
The ACDC model consists of 4 stages:
The first stage, Asset Identification and Network Security Monitoring, is easy for ICS networks. Unlike a standard enterprise IT environment with hundreds of users going out to thousands of websites, ICS networks are very static and stable, so identifying assets and monitoring for changes is easier.
- In stage 1 of the ICS Cyber Kill Chain, what category would "Delivery, Exploit, and Install" fall into, and what is the second step in stage 2?
The ICS kill chain is an application of Lockheed Martin's widely known threat model to control systems. The first stage looks like this:
As we can see, "Delivery, Exploit, and Install" falls into the Cyber Intrusion category. However, in an ICS compromise, landing malware on a target is often only part of the end goal, which is why there is a second stage to the kill chain.
The second step of stage 2 is the test stage.
- In the provided pcap, how many non-broadcast and non-multicast devices are on the network? Give MAC and IP addresses. What ICS protocol is being used, and what TCP and UDP ports are being used?
So we fire up Wireshark and take a look.
We can take a look at the protocol hierarchy to get a better idea of what's going on in the network.
So we can see multiple protocols in use (NBNS, NBDS, SMB), but the only ICS protocol being used is Modbus. Going further, we can look at the conversations and endpoints lists to come up with the MAC and IP addresses: 00:C0:82:01:0C:C2/192.168.1.3, 00:0F:73:00:76:FC/192.168.1.200, 00:0D:9D:8D:F5:DA/192.168.1.20, 00:A0:45:C0:56:70/192.168.1.1.
The TCP ports used in the pcap are: 80, 443, 502, 1059, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 20562, 21811, 52340. On UDP: 137, 138, 502, 1048, 1947, 52339.
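The endpoint and port enumeration above was done by hand in Wireshark. As an added example (not from the write-up or the challenge material), the following standard-library Python does the same job on a constructed capture: it parses a pcap, drops any endpoint whose MAC has the IEEE 802 I/G bit set (multicast, of which broadcast is the all-ones case), collects the unicast MAC/IP pairs and the TCP and UDP ports, flags Modbus/TCP on port 502, and then compares the result against a baseline inventory, which is the kind of change monitoring the ACDC answer above says is easy on a static ICS network. The sample frames reuse the addresses listed in the write-up, but the capture itself is fabricated inside the block; the `build_frame`/`build_pcap` helpers exist only to construct it.

```python
import struct

# Minimal pcap reader and endpoint summary, standard library only.
# Constructed example: the capture below is fabricated, not the challenge pcap.

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic number
MODBUS_TCP_PORT = 502     # Modbus/TCP, the only ICS protocol seen in the write-up
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def is_group_address(mac):
    """IEEE 802 I/G bit: LSB of the first octet set means multicast;
    ff:ff:ff:ff:ff:ff (broadcast) is just the all-ones case of that."""
    return bool(mac[0] & 0x01)


def mac_str(mac):
    return ":".join(f"{b:02X}" for b in mac)


def ip_str(ip):
    return ".".join(str(b) for b in ip)


def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport) for every
    Ethernet/IPv4 frame carrying TCP or UDP; anything else is skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        proto = frame[23]                 # IPv4 protocol field
        l4 = frame[14 + ihl:]
        if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
            continue
        sport, dport = struct.unpack_from("!HH", l4, 0)
        yield frame[6:12], frame[0:6], frame[26:30], frame[30:34], proto, sport, dport


def summarize(records):
    """Unique unicast (MAC, IP) endpoints plus the TCP and UDP ports seen."""
    hosts, tcp_ports, udp_ports = set(), set(), set()
    for src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport in records:
        for mac, ip in ((src_mac, src_ip), (dst_mac, dst_ip)):
            if not is_group_address(mac):
                hosts.add((mac_str(mac), ip_str(ip)))
        (tcp_ports if proto == IPPROTO_TCP else udp_ports).update((sport, dport))
    return {"hosts": sorted(hosts), "tcp_ports": sorted(tcp_ports),
            "udp_ports": sorted(udp_ports), "modbus": MODBUS_TCP_PORT in tcp_ports}


def new_hosts(summary, baseline):
    """ICS networks are static, so any endpoint absent from the baseline is worth a look."""
    return sorted(set(summary["hosts"]) - set(baseline))


# --- constructed capture: builders used only to fabricate the sample frames ---
def build_frame(src_mac, src_ip, dst_mac, dst_ip, proto, sport, dport):
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(o) for o in s.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16  # only the ports matter here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     to_ip(src_ip), to_ip(dst_ip))
    return to_mac(dst_mac) + to_mac(src_mac) + b"\x08\x00" + ip + l4


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)


# Addresses taken from the write-up; the traffic between them is made up.
HMI = ("00:C0:82:01:0C:C2", "192.168.1.3")
PLC = ("00:0F:73:00:76:FC", "192.168.1.200")
ENG = ("00:0D:9D:8D:F5:DA", "192.168.1.20")
SAMPLE_PCAP = build_pcap([
    build_frame(*HMI, *PLC, IPPROTO_TCP, 1059, 502),  # Modbus/TCP query
    build_frame(*PLC, *HMI, IPPROTO_TCP, 502, 1059),  # Modbus/TCP response
    build_frame(*HMI, "FF:FF:FF:FF:FF:FF", "192.168.1.255", IPPROTO_UDP, 137, 137),  # NBNS broadcast
    build_frame(*ENG, "01:00:5E:00:00:FB", "224.0.0.251", IPPROTO_UDP, 5353, 5353),  # mDNS multicast
])

if __name__ == "__main__":
    summary = summarize(parse_pcap(SAMPLE_PCAP))
    print(summary)
    print("not in baseline:", new_hosts(summary, [HMI, PLC]))
```

On the constructed capture this reports three unicast hosts (the broadcast and multicast destinations are dropped), TCP ports 502 and 1059 with Modbus flagged, and UDP ports 137 and 5353; with only the HMI and PLC in the baseline, the engineering station shows up as the unexpected endpoint. For a real pcap, the same counts can be cross-checked in Wireshark's Statistics menu or with `tshark -r capture.pcap -q -z io,phs` (protocol hierarchy) and `-z endpoints,eth`.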
The next set of questions revolves around the Federal Energy Regulatory Commission.
- What action granted the FERC the authority to impose mandatory regulations on electric system owners and operators as well as assess penalties? Which organization did the FERC designate as the Electric Reliability Organization? Which FERC order created the ERO CIPR standards?
The Federal Energy Policy Act of 2005 gave the FERC the authority to impose regulations. The North American Electric Reliability Corporation was designated as the ERO. The Critical Infrastructure Protection Reliability standards were established with FERC order 706.
We are then asked about more specifics of ICS operation.
- A control room operator interfaces with an ICS through what? Which of the following would probably make use of large-scale SCADA systems: chemical plant, electric grid operation, manufacturing, warehouse distribution facility? What's the difference between SCADA and DCS? What's the difference between PLC and RTU? What's the difference between discrete, continuous, and batch processing?
An operator would interface with an ICS through a Human-Machine Interface (HMI), and the electric grid would most likely use a large SCADA system.
The distinction between SCADA and DCS arose back when bandwidth and network capacity were scarce. SCADA implied data acquisition, while DCS just implied control. Now, with high-speed networking, the line is very blurred.
An RTU uses wireless to communicate and can be spread out across a large area. RTUs do not support control loops and algorithms. PLCs use physical media to communicate.
Continuous processing runs without interruption, typically making things like fuel and chemicals. Batch processing makes a batch of something at once, typically in small to medium amounts; it could conceivably be used for drinks, medicine, or food. Discrete processing makes components of a product, like parts for cars or robots.
The next questions talk about the NERC regulations.
- What is the report filing requirement for notifying E-ISAC in the event of a reportable computer security incident? How often does the incident response plan need to be tested? How often does the identification of a bulk electric system asset need to be reviewed? How often must transmission owners perform a risk assessment?
According to CIP-800-5, Incident Response and Report Planning, the E-ISAC has to be notified within 1 hour. The same CIP also defines that the incident response plan for medium and high impact systems has to be tested every fifteen calendar months. 800-5 also states that the identification of a bulk electric system asset needs to be reviewed every fifteen calendar months. CIP-014-1 states that risk assessments have to be performed every 30 months.
The last question is about what to bring for an incident response:
- What should an incident response jump kit contain?
Contact information for other members of the incident response team is a must. Team members must also have a way of communicating out of band from the on-site network, as it may be compromised, so both walkie-talkies and cell phones would be good. A flashlight is a must, as is a pad and pen for taking notes. Various cables (Ethernet, serial, USB, FireWire, anything you could be expected to run into), clean USB sticks and hard drives, a network tap, bootable CDs/USBs, and spare networking cables, both crossover and straight-through, should also be included.
This concludes the level 200 questions for the ICS challenge.
f3n3s7ra