ICS410

Welcome to the CutSec SANS ICS410 resources page. These are just a few extra online resources and items that didn’t make it into the class. We hope these help your ICS / OT cybersecurity journey. Contact us if you have something to add or a suggestion.

Videos

• Updated BP Texas City Animation on the 15th Anniversary of the Explosion
• 1947: Texas City Disaster Part 1
• 55 gallon steel drum can crush using atmospheric pressure
• Stuxnet Documentary “Zero Days” – this movie has been moved to pay-per-view
• Social Engineering – Reporter Gets Mobile Account Hacked
• S4 Conference Videos: S4Events Youtube
• SANS ICS Videos: YouTube
• Op de Schouders van Reuzen – De zes stormvloedkeringen van Rijkswaterstaat (On the Shoulders of Giants – The six storm surge barriers of Rijkswaterstaat) – In Dutch
• CISA Known Exploited Vulnerabilities

Certification Study Links

• Leslie Carhart guide to taking sans test. Better GIAC Testing with Pancakes
• Matthew Toussain – Get Certified! All You Need to Know to Rock GIAC Exams
• Matthew Toussain – Wargaming GIAC Certifications
• Matthew Toussain – Rocking the GIAC Exam with Voltaire
• Matthew Toussain – Voltaire (Index building App)
• Anki Powerful Flash Cards
• Develop Technical Recall Skills: Spaced Repetition with Anki
• Ron Hamann –Are You Certifiable? | SANS@MIC Talk

General Topic Links

• Differences between SCAP and STIGs
• Wireshark OUI Lookup Tool
• CISA Network Architecture Verification and Validation (NAVV) 
• INL Consequence-driven Cyber-informed Engineering (CCE)
• Google Learn Computer Networking Free Course
• CISA ICS Training Resources
• Information Trust Institute (ITI) ICS Security Tools GitHub

Equipment Links

• Remote / Onsite Security Assessment Jumpkit – I started documenting my equipment in 2019. I’ll try to keep this up-to-date. Feel free to submit a Community Case to the project.

Purdue Level 0/1 Links

• Image of an old relay setup to help understand where Ladder Logic came from.
• Modernizing Hardwired Relay Logic With PLCs – blog post about taking old relay setup and converting to Ladder Logic.
• Forescout OT:ICEFALL Report
• Velocio Datasheet
• Industrial Protocols and Ports
• More Industrial Protocols and Ports
• Top 20 Secure PLC Coding Practices
• Simply Modbus
• How to Analyze I2C – Saleae Support
• Remote Terminal Units (RTUs) based on SIMATIC
• Introduction to Yokogawa DCS
• DNP3 vs IEC104 vs IEC61850
• Hardware Hacking Class: ControlThings.io Accessing and Exploiting Control Systems and IIoT
• Riverloop Hardware Hacking
  • Dumping EMMC Flash
  • Introduction to JTAG
  • Communicating with JTAG via OpenOCD
• Hacking The Xbox
• Wireshark and Fieldbus Protocols
• OPC DA DCOM Port Range Restrictions
  • Microsoft Tech Blog – RPC/DCOM port ranges are more limited after win2008 (49152-65535)
  • OPC Expert
  • OPC Training Institute

Attacks on Remote Sites

• General
  • Aurora Attack – Staged cyber attack reveals vulnerability in power grid
  • Repository of Industrial Security Incidents Database – last updated on January 28, 2015
  • Dallas Emergency Sirens Activated in 2017 via UHF 450MHz radio signal.
• Water:
  • US Moves to Shield Drinking Water
  • Maroochy Water Services Attack (Insider Threat)
    • MITRE Malicious Control Systems Cyber Security Attack Case Study – Maroochy Water Services, Australia
    • Maroochy Water Breach YouTube Video
    • Maroochy Shire Sewage Spill
  • CISA Exploitation of Unitronics PLCs used in Water and Wastewater Systems
    • Hackers breach US water facility via exposed Unitronics PLCs
    • Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
• Electrical:
  • Watch How Hackers Took Over a Ukrainian Power Station – HMI attack on power substation
  • The story of Jason Woodring, the Arkansas power grid vandal
  • Why the US Power Grid Is Under Attack
  • California Man Arrested for Transformer Bombings
  • Smart Meters in Puerto Rico Hacked
• Nuclear
  • Can you HEAR Stuxnet damaging centrifuges at Natanz?
• Rail
  • Polish Teen Hacks Tram in 2008
  • The Cheap Radio Hack That Disrupted Poland’s Railway System
• Ports
  • Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Biggest Ports (Insider Threat)

Physical Security Links

• The White House: National Strategy for Physical Protection of Critical Infrastructure
• CISA Cybersecurity and Physical Security Convergence Action Guide
• CISA SECTOR SPOTLIGHT: Electricity Substation Physical Security
• CutSec Blog: ICS/OT Cybersecurity Self Analysis – Physical Security
• Light Water Reactor Sustainability (LWRS) INL
  • Risked Informed Physical Security
  • Physical Security Resources
• Public Health Emergency (PHE): Physical Security

Incident Response Table Top Links

• CISA Tabletop Exercise Packages (CTEPs)
• Dean Parson’s ICS Incident Response Tabletops
• Lenny Zeltser Cheat Sheets and Presentations
• NERC’s Grid Security Exercise (GridEx)
• MITRE Cyber Exercise Playbook
• Black Hills Information Security (BHIS) Backdoors and Breaches
• BHIS ICS/OT Backdoors and Breaches 
• Center for Internet Security: Tabletop Exercises – Six Scenarios to Help Prepare Your Cybersecurity Team
• Red Canary: Are You Using Tabletop Simulations to Improve Your Information Security Program?
• Dragos Preparing for Industrial Cyber Response
• Dragos Preparing for Incident Handling and Response in ICS
• Dragos Tabletop Exercise
• ICS4ICS Incident Command System for Industrial Control Systems

Velocio and PLC Links

• Velocio PLC Teardown/Review
• Velocio Youtube Channel 
• Velocio Tutorials
• Learning PLCs on a Budget
• CLICK PLC Hardware: The Best PLC for Everyday Control Systems Needs
• Virtual Cyber Ranges: Thomas Van Norman

Network Links

• Wireshark OUI
• Private VLANs
• Multicast Addresses
  • IANA Multicast Address Space

Radio Links

• GRC Transmission Analysis: Getting To the Bytes – how-to use Gnu-Radio to get data out of transmissions, instead of Universal Hacker Radio.
• Radio Communication Analysis using RfCat – how-to use RfCat to do analysis on 900 MHz transmissions to get to the data.
• Software Defined Radio with HackRF Lessons – free radio courses that take a deep dive into radio theory.
• MouseJack – CrazyRadio PA – keyboard and mouse interception and injection project.
• Hak5 WiFi Pentesting  – Lots of wireless tools
• Field Expedient SDR – book about Gnu Radio Companion and radio theory basics.
• LoRa and LoRaWAN
• Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare (GPS related)
• Satellite attack write-ups
  • A Wake-up Call for SATCOM Security (April 2014)
  • Last Call for SATCOM Security (Aug 2018)
  • Missed Calls for SATCOM Cybersecurity (March 2022)
  • SATCOM Terminal Cyberattacks Open the War in Ukraine (March, 2022)
  • VIASAT incident: from speculation to technical details. (March 2022)
  • Update on SATCOM Terminal Attacks During the War in Ukraine (May 2022)

Remote Access Links

Just a few solutions to help start research into remote access solutions. These are not a recommendation, just links to the solutions.

• Beyond Trust Privileged Access Management
• Zscalar Secure Remote Access

NBAD / Asset Management Links

Just a few solutions to help start research into asset management and Network Behavior Anomaly Detection (NBAD) solutions. These are not a recommendation, just links to the solutions.

• PAS Automation Asset Management
• Hexagon Asset Lifecycle Information Management
• Claroty Integrated and Comprehensive IoT-OT Security
• Dragos Industrial Cybersecurity Platform
• Nozomi Automating My Asset Inventory
• Otorio RAM^2 Asset Inventory Management
• Armis Cybersecurity Asset Management
• Tenable Tenable.OT

Software Bill of Materials (SBOM) Links

Just a few solutions to help start research into Software Bill of Materials (SBOM) solutions. These are not a recommendation, just links to the solutions.

• Adolus Technology OT & IoT Supply Chain Security
• NetRise Firmware Security
• Cybeats SBOM Studio
• Finite State End-to-end SBOM Solutions
• Security Risk Advisors Cyber Physical Systems Security

Incident Response and IR Table Tops

• CISA Tabletop Exercise Packages (CTEPs)
• Dean Parson’s ICS Incident Response Tabletops
• Lenny Zeltser Cheat Sheets and Presentations
• NERC’s Grid Security Exercise (GridEx)
• MITRE – Cyber Exercise Playbook
• Blackhills Information Security: Backdoors and Breaches
• Center for Internet Security: Tabletop Exercises – Six Scenarios to Help Prepare Your Cybersecurity Team
• Red Canary: Are You Using Tabletop Simulations to Improve Your Information Security Program?
• Dragos Preparing for Industrial Cyber Response
• Dragos Preparing for Incident Handling and Response in ICS

Josh Wright Links

• Will Hack For SUSHI
• Essential Crypto for Pen Testers (Without the Math!)
• PcapHistogram Python Version

Jason Larsen Videos

• 14 Hours and a Power Grid: BSides Track 2 3:30-4:15 Jason Larsen
• 14 Hours and a Power Grid: S4Events: 14 Hours And An Electric Grid – Jason Larsen
• Rocking the Pocket Book: Hacking Chem Plants: DEFCON 23 – Krotofil, Larsen
• Remote Physical Damage from Jason Larsen of IOActive – 55 gallon barrel implosion

Monta Elkins

• Hackers in your power tools & other unexpected places – news article about hacking hardware to demonstrate control of the device.
• Hacking firmware where you least expect it: in your tools – presentation about hardware hacking

Justin Searle Videos

• Dealing with Remote Access to Critical ICS Infrastructure

Paul Piotrowski Links

• ICS 410 Supplementary Practice Slides
• Duke fined $10M for cybersecurity lapses since 2015

• MIT-HACK: Tetris at the MIT Green building

Don C. Weber Videos

• SANS Instructor Spotlight – Don C. Weber
• SANS ICS Videos: YouTube
• SANS@MIC – Pen Testing ICS and Other Highly Restricted Environments
• SANS Webcast (registration required) – Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
• SANS Webcast (registration required) – Yes, IT and OT Are Converging So How Does This Affect Compliance
• DEF CON 20 – Cutaway – Looking Into The Eye Of The Meter
• Black Hat USA 2012 – Looking into the Eye of the Meter

Podcasts

• @BEERISAC – a consolidation of ICS / OT podcasts
• Unsolicited Response Podcast
• The CyberWire
• Darknet Diaries
• Malicious Life

RfCat Send Modbus

In the ControlThings.io Linux virtual machine, start a terminal. Run the command ‘rfcat -r’. Paste in the following commands. NOTE: copy and paste this whole section. Some of the data does not display in the browser but it will be picked up when you copy it all. Paste into a text editor to confirm you have all code, even the bytes that are not displayed.

 
import time packets = ["\x00\x00\x00\x00\x00\x06\xff\x04\x08\xd2\x00\x02", \ 
    "\x7c\xfe\x00\x00\x00\xc9\xff\x04\xc6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xdb\x00\x00\x01\xd6\x00\x00\x4a\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x61\x69\x6d\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x31\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", \ 
    "\x00\x04\x17\x02\x58\xb7\x78\xe7\xd1\xe0\x02\x5e\x08\x00\x45\x00\x00\x34\x70\x29\x40\x00\x80\x06\x00\x00\x8d\x51\x00\x0a\x8d\x51\x00\x56\xdf\x60\x01\xf6\x54\xdc\x43\x72\x80\x54\xd4\x37\x50\x18\xf8\x60\x1b\x29\x00\x00\x00\x01\x00\x00\x00\x06\xff\x02\x00\x63\x00\x1e", \ 
    "\x00\x00\x00\x00\x00\x07\xff\x04\x04\x00\x00\x00\x00"] 
d.setFreq(433000000) 
d.setMdmModulation(MOD_ASK_OOK) 
d.makePktFLEN(250) 
while True: 
    time.sleep(0.5) 
    d.RFxmit("A&ECS: Last Day, Best Day!!!") 
    for p in packets: 
        time.sleep(0.5) 
        d.RFxmit(p) 

TShark Commands

Industrial Control Protocols

Purpose:

• Identify master servers and client / slaves
• Identify common protocols in use by master servers
• Also want to identify proprietary protocols in use, but this will be more difficult as Wireshark / Tshark may not have protocol dissectors for their identification and analysis.

# Modbus

## Masters
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -r <file.pcap> | sort | uniq
## Masters with function codes
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -e modbus.func_code -r <file.pcap> | sort | uniq
## Slaves
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -e eth.dst -r <file.pcap> | sort | uniq
### Note: The OUI hardware address does not resolve for field outputs. You have to check them yourself.
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -r <file.pcap> | sort | uniq | wc -l

# Aveva / WonderWare SuiteLink
## Servers
tshark -Y "tcp.dstport == 5413" -T fields -e ip.dst -r <file.pcap> | sort | uniq
## Clients
tshark -Y "tcp.dstport == 5413" -T fields -e ip.src -r <file.pcap> | sort | uniq

# Aveva / WonderWare InBatch
## Servers
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.dst -r <file.pcap> | sort | uniq
# Clients
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.src -r <file.pcap> | sort | uniq

# BACnet
## I-Am responses to Who-Is - sorted by source IP address
tshark -d udp.port==47809,bvlc -Y 'bacapp.unconfirmed_service == 0' -T fields -e ip.src -e bacapp.instance_number -e bacnet.sadr_mstp -e bacnet.snet -E separator=, -r <file.pcap>| sort | uniq | sort -g -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
## Device Count BACnet source
tshark -d udp.port==47809,bvlc -Y 'bacnet' -T fields -e ip.src -e ip.dst -r <file.pcap> | grep -v ',' | sort | uniq > <file.pcap>
### NOTE: The resulting file still needs to be counted. Probably best to export Wireshark filtered communications to an MS Excel file and do a pivot table.