ICS SCADA Defense
- 1 Intro
- 2 Chris Sistrunk, PE (@chrissistrunk): Electrical Engineer; Mandiant, Entergy (11 years); SCADA Expert; Loves Security; DNP3 User Group; Button Pusher but I like Blue
- 3 Project Robus: Latin for "bulwark". With @adamcrain; started in April 2013. 26 advisories / 32 tickets: 24 DNP3, 1 Modbus, 1 Telegyr 8979. Aegis ICS Fuzzing Framework (OSS).
- 4 Now What? Let's take a step back and ask some questions: What's the risk if this device is compromised? Probability * Impact = Risk. Check out my RTU risk score presentation from S4x13. What is the ICS device …
- 5 Anticipate... Mitigate! The answers to the questions tell you that you have to do something to protect the device(s). What types of mitigations exist? Which ones will you use? Defense in depth - more t…
- 6 ICS Vulnerability Mitigation: Software/firmware patches and device upgrades; Robust RTU/PLC and master configurations; Robust IP network configurations; ICS protocol-aware network tools; Proper physical secur…
- 7 Get The Bug Fix! If there is a software or firmware patch or hardware upgrade out there that fixes a known vulnerability (such as one in DNP3 or Modbus)... GO GET IT. Properly test it before you roll it…
- 8 Robust Device/Master Configuration: USE DNP3-SA! (application-layer security). The correct master only talks to the correct RTU, but it won't protect against all "bugs". Disable unused serial and network por…
- 9 Robust Device/Master Configuration: When possible, DISABLE functions that aren't required in your production systems. DNP3 function code examples: Cold and/or Warm Restarts (FC 13 & 14).
- 10 Robust IP Networks: Segment your ICS/SCADA WAN with routers, firewalls, DMZs & VLANs. This can help isolate the network when needed. Understand your network! The bad guys sure will. Use encryption and authen…
- 11 ICS-Aware Network Tools: Examples of SCADA tools and enterprise network tools that understand ICS protocols: protocol analyzers such as Wireshark, ASE & TMW RTU test sets; IDS/IPS such as Snort, Bro, CyberX SilentDefe…
- 12 Network Security Monitoring: Newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network: Security Operations Center; Security Analyst(s) using …
- 13 21 person who really cares! Security Onion (or other NSM); ICS Honeypot (Conpot, etc.); Full Packet Capture (even serial).
- 14 Proper Physical Security: What is the proper amount of physical security? It depends... If your critical SCADA master has top physical security, but the serially connected tiny distribution RTU does n…
- 15 Employee Awareness: Train your folks on ICS/SCADA security. Security conferences, several training classes available (ICS-CERT), GICSP certification. Security awareness is important. Have a questioning atti…
- 16 DNP3 Will Be Here A While: Ask your vendors for DNP3-SA if they don't have it or aren't already working on it. Require in the bids for new SCADA systems or upgrades that they be tested by a 3rd party, including …
- 17 DNP3 isn't a special case. Other ICS protocols will see the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP... You can defend your SCADA. Early testing of both slave/server AND master/client s…
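The slides on robust master/outstation configuration (the correct master only talks to the correct RTU; disable function codes you don't need, such as Cold/Warm Restart, FC 13 & 14) and on ICS-aware IDS, NSM and full packet capture describe the same control from two sides: a policy for which master may send what, and a detector that understands DNP3 well enough to see it being violated. The script below is an added example written for this page, not code from the talk, from Project Robus or from Aegis. It parses raw DNP3 link-layer frames (what a serial tap or the payload of a TCP/20000 stream carries), verifies the DNP3 CRCs so that fuzzed or truncated frames are rejected rather than mis-parsed, extracts the application-layer function code, and alerts on a restart request or on a link-layer source address the site allow list does not permit. The outstation and master addresses, the allow list and the sample frames are all constructed for the example.

```python
"""Added example: flag restricted DNP3 function codes and unauthorized masters.
Not code from the talk; addresses and policy below are hypothetical."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DNP3_START = b"\x05\x64"

# Application-layer function codes the talk says to disable in production.
RESTRICTED_FUNCTION_CODES: Dict[int, str] = {13: "COLD_RESTART", 14: "WARM_RESTART"}

# Hypothetical site policy (assumption for this example): for each outstation
# link address, the master link address(es) allowed to talk to it.
AUTHORIZED_MASTERS: Dict[int, Set[int]] = {10: {1}, 11: {1}}


def crc16_dnp(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 (0xA6BC bit-reflected), init 0, final complement.
    The link header and every 16-byte user-data block each carry one."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crc(block: bytes) -> bytes:
    return block + struct.pack("<H", crc16_dnp(block))


def build_frame(dst: int, src: int, function_code: int,
                link_ctrl: int = 0xC4, app_ctrl: int = 0xC0, seq: int = 0) -> bytes:
    """Build a one-fragment DNP3 frame (constructed test input).
    link_ctrl 0xC4 = DIR (from master) | PRM | Unconfirmed User Data; app_ctrl 0xC0 = FIR | FIN."""
    transport = 0xC0 | (seq & 0x3F)                 # transport header: FIN | FIR | sequence
    user = bytes([transport, app_ctrl, function_code])
    length = 5 + len(user)                          # ctrl + dst + src + user data, CRCs excluded
    header = DNP3_START + bytes([length, link_ctrl]) + struct.pack("<HH", dst, src)
    frame = _with_crc(header)
    for i in range(0, len(user), 16):               # user data travels in CRC'd 16-byte blocks
        frame += _with_crc(user[i:i + 16])
    return frame


@dataclass
class Dnp3Frame:
    dst: int
    src: int
    from_master: bool          # link control DIR bit
    function_code: Optional[int]


def parse_frame(frame: bytes) -> Dnp3Frame:
    """Parse and CRC-check one link-layer frame; malformed input raises ValueError."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 link-layer frame")
    length, link_ctrl = frame[2], frame[3]
    if length < 5:
        raise ValueError("length field too small")
    dst, src = struct.unpack_from("<HH", frame, 4)
    if struct.unpack_from("<H", frame, 8)[0] != crc16_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user_len, user, pos = length - 5, bytearray(), 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        if pos + n + 2 > len(frame):                # bounds check before touching the block
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if struct.unpack_from("<H", frame, pos + n)[0] != crc16_dnp(block):
            raise ValueError("user data CRC mismatch")
        user += block
        pos += n + 2
    # user[0] transport header, user[1] application control, user[2] function code
    fc = user[2] if len(user) >= 3 else None
    return Dnp3Frame(dst=dst, src=src, from_master=bool(link_ctrl & 0x80), function_code=fc)


def inspect_frame(frame: bytes) -> List[str]:
    """Return alert strings for one frame; an empty list means nothing to report."""
    f = parse_frame(frame)
    alerts: List[str] = []
    allowed = AUTHORIZED_MASTERS.get(f.dst)
    if f.from_master and allowed is not None and f.src not in allowed:
        alerts.append(f"unauthorized master address {f.src} addressing outstation {f.dst}")
    if f.from_master and f.function_code in RESTRICTED_FUNCTION_CODES:
        name = RESTRICTED_FUNCTION_CODES[f.function_code]
        alerts.append(f"{name} (FC {f.function_code}) from master {f.src} to outstation {f.dst}")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: a routine read (FC 1), a cold restart from the real
    # master, then a warm restart from a master address that should not exist.
    for sample in (build_frame(10, 1, 1), build_frame(10, 1, 13), build_frame(10, 99, 14)):
        print(parse_frame(sample), inspect_frame(sample) or "ok")
```

In a deployment this would read frames out of the full packet capture the talk recommends keeping (for serial, a tap; for TCP, the reassembled stream), and RESTRICTED_FUNCTION_CODES would hold whatever else the site has disabled on its outstations. The CRC and bounds checks are not decoration: the Robus advisories came from fuzzing exactly these parsing paths, and a monitoring tool that mis-parses a malformed frame misses the attack it was deployed to see.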