ICS410
Welcome to the CutSec SANS ICS410 resources page. These are just a few extra online resources and items that didn’t make it into the class. We hope these help your ICS / OT cybersecurity journey. Contact us if you have something to add or a suggestion.
Videos
- Updated BP Texas City Animation on the 15th Anniversary of the Explosion
- 1947: Texas City Disaster Part 1
- 55 gallon steel drum can crush using atmospheric pressure
- Stuxnet Documentary “Zero Days” – this movie has been moved to pay-per-view
- Social Engineering – Reporter Gets Mobile Account Hacked
- S4 Conference Videos: S4Events Youtube
- SANS ICS Videos: YouTube
- Op de Schouders van Reuzen – De zes stormvloedkeringen van Rijkswaterstaat (On the Shoulders of Giants – The six storm surge barriers of Rijkswaterstaat) – In Dutch
- CISA Known Exploited Vulnerabilities
Certification Study Links
- Lesley Carhart's guide to taking the SANS test: Better GIAC Testing with Pancakes
- Matthew Toussain – Get Certified! All You Need to Know to Rock GIAC Exams
- Matthew Toussain – Wargaming GIAC Certifications
- Matthew Toussain – Rocking the GIAC Exam with Voltaire
- Matthew Toussain – Voltaire (Index building App)
- Anki Powerful Flash Cards
- Develop Technical Recall Skills: Spaced Repetition with Anki
- Ron Hamann – Are You Certifiable? | SANS@MIC Talk
General Topic Links
- Differences between SCAP and STIGs
- Wireshark OUI Lookup Tool
- CISA Network Architecture Verification and Validation (NAVV)
- INL Consequence-driven Cyber-informed Engineering (CCE)
- Google Learn Computer Networking Free Course
- CISA ICS Training Resources
- Information Trust Institute (ITI) ICS Security Tools GitHub
Equipment Links
- Remote / Onsite Security Assessment Jumpkit – I started documenting my equipment in 2019. I’ll try to keep this up-to-date. Feel free to submit a Community Case to the project.
Purdue Level 0/1 Links
- Image of an old relay setup to help understand where Ladder Logic came from.
- Modernizing Hardwired Relay Logic With PLCs – blog post about taking an old relay setup and converting it to ladder logic.
- Forescout OT:ICEFALL Report
- Velocio Datasheet
- Industrial Protocols and Ports
- More Industrial Protocols and Ports
- Top 20 Secure PLC Coding Practices
- Simply Modbus
- How to Analyze I2C – Saleae Support
- Remote Terminal Units (RTUs) based on SIMATIC
- Introduction to Yokogawa DCS
- DNP3 vs IEC104 vs IEC61850
- Hardware Hacking Class: ControlThings.io Accessing and Exploiting Control Systems and IIoT
- Riverloop Hardware Hacking
- Hacking The Xbox
- Wireshark and Fieldbus Protocols
- OPC DA DCOM Port Range Restrictions
- Microsoft Tech Blog – RPC/DCOM dynamic port ranges are more limited from Windows Server 2008 onward (49152–65535)
- OPC Expert
- OPC Training Institute
Attacks on Remote Sites
- General:
  - Aurora Attack – Staged cyber attack reveals vulnerability in power grid
  - Repository of Industrial Security Incidents Database – last updated on January 28, 2015
  - Dallas Emergency Sirens Activated in 2017 via UHF 450 MHz radio signal
- Water:
  - US Moves to Shield Drinking Water
  - Maroochy Water Services Attack (Insider Threat)
  - CISA Exploitation of Unitronics PLCs used in Water and Wastewater Systems
- Electrical:
- Nuclear:
- Rail:
- Ports:
  - Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Biggest Ports (Insider Threat)
Physical Security Links
- The White House: National Strategy for Physical Protection of Critical Infrastructure
- CISA Cybersecurity and Physical Security Convergence Action Guide
- CISA SECTOR SPOTLIGHT: Electricity Substation Physical Security
- CutSec Blog: ICS/OT Cybersecurity Self Analysis – Physical Security
- Light Water Reactor Sustainability (LWRS) INL
- Public Health Emergency (PHE): Physical Security
Incident Response Table Top Links
- CISA Tabletop Exercise Packages (CTEPs)
- Dean Parsons' ICS Incident Response Tabletops
- Lenny Zeltser Cheat Sheets and Presentations
- NERC’s Grid Security Exercise (GridEx)
- MITRE Cyber Exercise Playbook
- Black Hills Information Security (BHIS) Backdoors and Breaches
- BHIS ICS/OT Backdoors and Breaches
- Center for Internet Security: Tabletop Exercises – Six Scenarios to Help Prepare Your Cybersecurity Team
- Red Canary: Are You Using Tabletop Simulations to Improve Your Information Security Program?
- Dragos Preparing for Industrial Cyber Response
- Dragos Preparing for Incident Handling and Response in ICS
- Dragos Tabletop Exercise
- ICS4ICS Incident Command System for Industrial Control Systems
Velocio and PLC Links
- Velocio PLC Teardown/Review
- Velocio Youtube Channel
- Velocio Tutorials
- Learning PLCs on a Budget
- CLICK PLC Hardware: The Best PLC for Everyday Control Systems Needs
- Virtual Cyber Ranges: Thomas Van Norman
Network Links
Radio Links
- GRC Transmission Analysis: Getting To the Bytes – how to use GNU Radio (instead of Universal Radio Hacker) to get data out of transmissions.
- Radio Communication Analysis using RfCat – how to use RfCat to analyze 900 MHz transmissions and recover the data.
- Software Defined Radio with HackRF Lessons – free radio courses that take a deep dive into radio theory.
- MouseJack – CrazyRadio PA – keyboard and mouse interception and injection project.
- Hak5 WiFi Pentesting – Lots of wireless tools
- Field Expedient SDR – book about GNU Radio Companion and radio theory basics.
- LoRa and LoRaWAN
- Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare (GPS related)
- Satellite attack write-ups:
  - A Wake-up Call for SATCOM Security (April 2014)
  - Last Call for SATCOM Security (Aug 2018)
  - Missed Calls for SATCOM Cybersecurity (March 2022)
  - SATCOM Terminal Cyberattacks Open the War in Ukraine (March 2022)
  - VIASAT incident: from speculation to technical details (March 2022)
  - Update on SATCOM Terminal Attacks During the War in Ukraine (May 2022)
Remote Access Links
Just a few solutions to help start research into remote access solutions. These are not recommendations, just links to the solutions.
- Beyond Trust Privileged Access Management
- Zscaler Secure Remote Access
NBAD / Asset Management Links
Just a few solutions to help start research into asset management and Network Behavior Anomaly Detection (NBAD) solutions. These are not recommendations, just links to the solutions.
- PAS Automation Asset Management
- Hexagon Asset Lifecycle Information Management
- Claroty Integrated and Comprehensive IoT-OT Security
- Dragos Industrial Cybersecurity Platform
- Nozomi Automating My Asset Inventory
- Otorio RAM^2 Asset Inventory Management
- Armis Cybersecurity Asset Management
- Tenable Tenable.OT
Software Bill of Materials (SBOM) Links
Just a few solutions to help start research into Software Bill of Materials (SBOM) solutions. These are not recommendations, just links to the solutions.
- Adolus Technology OT & IoT Supply Chain Security
- NetRise Firmware Security
- Cybeats SBOM Studio
- Finite State End-to-end SBOM Solutions
- Security Risk Advisors Cyber Physical Systems Security
Josh Wright Links
- Will Hack For SUSHI
- Essential Crypto for Pen Testers (Without the Math!)
- PcapHistogram Python Version
Jason Larsen Videos
- 14 Hours and a Power Grid: BSides Track 2 3:30-4:15 Jason Larsen
- 14 Hours and a Power Grid: S4Events: 14 Hours And An Electric Grid – Jason Larsen
- Rocking the Pocket Book: Hacking Chem Plants: DEFCON 23 – Krotofil, Larsen
- Remote Physical Damage from Jason Larsen of IOActive – 55 gallon barrel implosion
Monta Elkins
- Hackers in your power tools & other unexpected places – news article about hacking hardware to demonstrate control of the device.
- Hacking firmware where you least expect it: in your tools – presentation about hardware hacking
Justin Searle Videos
Paul Piotrowski Links
- ICS 410 Supplementary Practice Slides
- Duke fined $10M for cybersecurity lapses since 2015
- MIT-HACK: Tetris at the MIT Green Building
Don C. Weber Videos
- SANS Instructor Spotlight – Don C. Weber
- SANS ICS Videos: YouTube
- SANS@MIC – Pen Testing ICS and Other Highly Restricted Environments
- SANS Webcast (registration required) – Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
- SANS Webcast (registration required) – Yes, IT and OT Are Converging So How Does This Affect Compliance
- DEF CON 20 – Cutaway – Looking Into The Eye Of The Meter
- Black Hat USA 2012 – Looking into the Eye of the Meter
Podcasts
- @BEERISAC – a consolidation of ICS / OT podcasts
- Unsolicited Response Podcast
- The CyberWire
- Darknet Diaries
- Malicious Life
RfCat Send Modbus
In the ControlThings.io Linux virtual machine, start a terminal. Run the command ‘rfcat -r’. Paste in the following commands. NOTE: copy and paste this whole section. Some of the data does not display in the browser but it will be picked up when you copy it all. Paste into a text editor to confirm you have all code, even the bytes that are not displayed.
```python
import time

# Frames to transmit. The first and last entries are bare Modbus/TCP ADUs (MBAP header + PDU);
# the third is a complete Ethernet/IPv4/TCP frame carrying a Modbus request.
# The b"" prefixes make the literals bytes, which Python 3 builds of rfcat require for RFxmit();
# on Python 2 they are plain str, so the script behaves the same either way.
packets = [
    # Read Input Registers (FC 4) request: unit 0xff, start 0x08d2, quantity 2
    b"\x00\x00\x00\x00\x00\x06\xff\x04\x08\xd2\x00\x02",
    # Read Input Registers (FC 4) response: unit 0xff, 0xc6 (198) data bytes
    b"\x7c\xfe\x00\x00\x00\xc9\xff\x04\xc6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xdb\x00\x00\x01\xd6\x00\x00\x4a\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x61\x69\x6d\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x31\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
    # Ethernet frame: 141.81.0.10:57184 -> 141.81.0.86:502, Read Discrete Inputs (FC 2), unit 0xff, start 99, quantity 30
    b"\x00\x04\x17\x02\x58\xb7\x78\xe7\xd1\xe0\x02\x5e\x08\x00\x45\x00\x00\x34\x70\x29\x40\x00\x80\x06\x00\x00\x8d\x51\x00\x0a\x8d\x51\x00\x56\xdf\x60\x01\xf6\x54\xdc\x43\x72\x80\x54\xd4\x37\x50\x18\xf8\x60\x1b\x29\x00\x00\x00\x01\x00\x00\x00\x06\xff\x02\x00\x63\x00\x1e",
    # Read Input Registers (FC 4) response: unit 0xff, 4 data bytes (two registers, both zero)
    b"\x00\x00\x00\x00\x00\x07\xff\x04\x04\x00\x00\x00\x00",
]

# 'rfcat -r' opens the interactive research shell, where 'd' is already the attached dongle
# and the MOD_* modulation constants are already imported.
d.setFreq(433000000)             # 433 MHz
d.setMdmModulation(MOD_ASK_OOK)  # on/off keying
d.makePktFLEN(250)               # fixed packet length of 250 bytes

while True:
    time.sleep(0.5)
    d.RFxmit(b"A&ECS: Last Day, Best Day!!!")
    for p in packets:
        time.sleep(0.5)
        d.RFxmit(p)
```
TShark Commands
Industrial Control Protocols
Purpose:
- Identify master servers and clients / slaves
- Identify common protocols in use by master servers
- We also want to identify proprietary protocols in use, but this is harder because Wireshark / TShark may not have protocol dissectors to identify and analyze them.
```bash
# Modbus
## Masters
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -r <file.pcap> | sort | uniq
## Masters with function codes
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -e modbus.func_code -r <file.pcap> | sort | uniq
## Slaves
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -e eth.dst -r <file.pcap> | sort | uniq
### Note: The OUI hardware address does not resolve for field outputs. You have to check them yourself.
## Slave count
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -r <file.pcap> | sort | uniq | wc -l

# Aveva / WonderWare SuiteLink
## Servers
tshark -Y "tcp.dstport == 5413" -T fields -e ip.dst -r <file.pcap> | sort | uniq
## Clients
tshark -Y "tcp.dstport == 5413" -T fields -e ip.src -r <file.pcap> | sort | uniq

# Aveva / WonderWare InBatch (ports 9000-9015; the upper bound is "<=", not ">=")
## Servers
tshark -Y "tcp.dstport >= 9000 && tcp.dstport <= 9015" -T fields -e ip.dst -r <file.pcap> | sort | uniq
## Clients
tshark -Y "tcp.dstport >= 9000 && tcp.dstport <= 9015" -T fields -e ip.src -r <file.pcap> | sort | uniq

# BACnet
## I-Am responses to Who-Is - sorted by source IP address
tshark -d udp.port==47809,bvlc -Y 'bacapp.unconfirmed_service == 0' -T fields -e ip.src -e bacapp.instance_number -e bacnet.sadr_mstp -e bacnet.snet -E separator=, -r <file.pcap> | sort | uniq | sort -g -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
## Device Count BACnet source
### Redirect to a new text file, never back onto the input pcap, or the capture is overwritten.
tshark -d udp.port==47809,bvlc -Y 'bacnet' -T fields -e ip.src -e ip.dst -r <file.pcap> | grep -v ',' | sort | uniq > <output.txt>
### NOTE: The resulting file still needs to be counted. Probably best to export Wireshark filtered communications to an MS Excel file and do a pivot table.
```
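As an added example (written for this page, not CutSec's or the class's code), the Python below does by hand what the Modbus tshark commands above do: it decodes the MBAP header of the Modbus/TCP packets used in the rfcat script and tallies masters (senders to port 502) and slaves from a list of raw Ethernet frames. The Ethernet frame is the one from the rfcat script; the reply frame and the build_frame helper are constructed for the example, with IP/TCP checksums left at zero.

```python
import struct
from collections import defaultdict
MODBUS_PORT = 502

def parse_mbap(adu):
    """Decode a Modbus/TCP ADU: 7-byte MBAP header (tid, proto, length, unit) + PDU."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:        # length covers unit id + PDU
        raise ValueError("malformed MBAP header")
    func, data = adu[7], adu[8:]
    rec = {"tid": tid, "unit": unit, "func": func & 0x7F, "exception": bool(func & 0x80)}
    if rec["func"] in (1, 2, 3, 4) and not rec["exception"] and len(data) == 4:
        rec["start"], rec["quantity"] = struct.unpack(">HH", data)   # read request fields
    return rec

def parse_frame(frame):
    """Strip Ethernet II + IPv4 + TCP headers; return (src, sport, dst, dport, tcp payload)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("only IPv4/TCP frames are handled")
    ip = frame[14:14 + struct.unpack(">H", frame[16:18])[0]]       # honour IP total length
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack(">HH", tcp[:4])
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def inventory(frames):
    """Mirror the tshark 'Masters'/'Slaves' commands: dstport 502 => src is a master, dst a slave."""
    masters, slaves = defaultdict(set), set()
    for src, sport, dst, dport, payload in map(parse_frame, frames):
        if dport == MODBUS_PORT and payload:          # replies (sport 502) are not counted
            masters[src].add(parse_mbap(payload)["func"])
            slaves.add(dst)
    return dict(masters), slaves

def build_frame(src_ip, sport, dst_ip, dport, adu):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero) so the example runs offline."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = b"\x45\x00" + struct.pack(">H", 40 + len(adu)) + bytes(4) + b"\x40\x06\x00\x00" + ip4(src_ip) + ip4(dst_ip)
    tcp = struct.pack(">HH", sport, dport) + bytes(8) + b"\x50\x18" + bytes(6)
    return bytes(12) + b"\x08\x00" + ip + tcp + adu

# Frame copied from the rfcat script above: 141.81.0.10:57184 -> 141.81.0.86:502, FC 2 read discrete inputs
PAGE_FRAME = bytes.fromhex(
    "0004170258b778e7d1e0025e0800" "4500003470294000800600008d51000a8d510056"  # Ethernet II + IPv4
    "df6001f654dc43728054d4375018f8601b290000"                                 # TCP, dport 502
    "000100000006ff020063001e")                                                # MBAP + PDU
# Constructed reply from the slave: FC 2 response carrying 4 bytes of discrete inputs
REPLY_FRAME = build_frame("141.81.0.86", 502, "141.81.0.10", 57184, b"\x00\x01\x00\x00\x00\x07\xff\x02\x04\x01\x00\x00\x00")
```

Running `inventory([PAGE_FRAME, REPLY_FRAME])` yields one master (141.81.0.10, function code 2) and one slave (141.81.0.86); the reply is skipped exactly as the `tcp.dstport == 502` filter skips it.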