Irfan Ahmed Assistant Professor Department of Computer Science University of New Orleans
2 Canizaro-Livingston Endowed Assistant Professor in Cybersecurity, Faculty of Computer Science at the University of New Orleans (UNO)
- Director, Cyber-Physical Systems (CyPhy) Lab at UNO
- Associate Director, Greater New Orleans Center for Information Assurance (GNOCIA), designated as NSA National Center of Academic Excellence in Cyber Operation
- One of the nineteen universities/centers in the USA that has this designation
- Research interests include: Industrial Control Systems (ICS); Digital Forensics; Security via Virtualization; Malware Detection and Analysis; Cybersecurity Education
3 [Figure: ICS network diagram. Labels: Control Center, Corporate Network, HMI, Engineering Workstation, Modem, Corporate LAN, SCADA System LAN, PBX, Wide Area Network, Internet, Historian, Control Server (MTU), External Communication Infrastructure, PLC, WAN Card, Field Sites]
5 What components were affected in an ICS environment?
How was the attack executed?
Who was the perpetrator and what was his location?
Was he either an internal or an external actor, and what was his motivation?
Is the attack still active, and can it be repeated?
6 [Figure: the ICS network diagram from slide 3, with these annotations:]
- Little or no understanding of digital artifacts
- Limited ICS forensics tools
- Local Access to a PLC
- Resource-constrained PLC
- Insufficient Logging
- Disruption on the availability
- Remote Data Acquisition
- Closed-source Software such as Firmware
7 Control logic: the code that runs in a PLC; defines how a PLC controls a physical process.
Stuxnet
- modifies control logic
- monitors the frequency of variable frequency drives
- only launches an attack if the frequency is within a certain normal range, 807 Hz ~ 1,210 Hz
- attack involves changing the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz and then over again
[Figure: Ladder Logic Code Snippet]
8 [Figure: the ICS network diagram from slide 3, with an added label: Control Logic]
9 Forensic investigators cannot use the engineering software as a reliable forensic data acquisition tool
- DEO 1: Hiding infected control logic from the engineering software
- DEOs 2 & 3: Jeopardize the engineering software's capability to acquire control logic from a PLC remotely
10 Attack Scenario 1 [Figure labels: Engineering Software, Original Program, MITM, Attacker Program, PLC]
11 Attack Scenario II [Figure labels: Engineering Software, Attacker Program, MITM, Original Program, PLC, Crash]
12 Attack Scenario III [Figure labels: Engineering Software, Attacker Program, PLC, Attacker, Error]
13 Forensic Analysis of the Network Traffic [Figure labels: RSLogix, AB Micrologix]
14 [Figure] a) Ladder-logic source code snippet of a traffic-light program
15 [Figure] a) Ladder-logic source code snippet of a traffic-light program; b) Binary ladder-logic snippet of a traffic-light program
16 LADDIS
Disassembled to:
Rung-0: (XIC/[I1:0/0]) AND (XIO/[T4:2/DN]) --> (TON/[T4:0/1.0/3/0])
Rung-1: (XIC/[T4:0/TT]) --> (OTE/[B3:0/3])
Rung-2: (XIC/[T4:0/DN]) --> (TON/[T4:1/1.0/5/0])
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])
Rung-5: (XIC/[T4:2/TT]) --> (OTE/[B3:0/2])
Rung-6: (XIO/[I1:0/0]) AND (XIO/[T4:3/DN]) --> (TON/[T4:3/1.0/1/0])
Rung-7: ( (XIC/[O0:0/0] AND XIO/[T4:3/DN]) OR (XIC/[T4:3/DN] AND XIO/[O0:0/0]) ) --> (OTE/[B3:0/0])
Rung-8: ( ( XIC/[B3:0/0]) OR ( XIC/[B8:0/0]) ) --> (OTE/[O0:0/0])
Rung-9: ( ( XIC/[B3:0/1]) OR ( XIC/[B8:0/1]) ) --> (OTE/[O0:0/1])
Rung-10: ( ( XIC/[B3:0/2]) OR ( XIC/[B8:0/2]) ) --> (OTE/[O0:0/2])
Rung-11: ( ( XIC/[B3:0/3]) OR ( XIC/[B8:0/3]) ) --> (OTE/[O0:0/3])
Rung-12: END
17 LADDIS
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])
[Figure] c) Laddis ASCII output of decompiling the binary ladder-logic snippet; d) Laddis graphical output of decompiling the binary ladder-logic snippet
18 Identify Instruction Anatomy
- Opcodes for instructions
- Instruction format
Low-level representation does not have variable names/tags and comments
Ladder logic file is not sufficient for disassembly
- A typical PE/ELF executable file is self-contained for disassembly
- Ladder logic disassembly requires multiple files: Ladder logic file, Main Configuration file, Timer File, Counter File, etc.
19 [Figure: annotated binary ladder logic]
- Rung starts with 0x00 0x00
- Signature (first two enclosed bytes) and Size (next two enclosed bytes) of Rungs
- Field labels: Rung Signature, Rung Size, File No., Word offset, Bit address, Timer Addressing
- Instruction labels: XIO, XIC, TON
- Other labels: First Rung, END
Instruction definitions:
[00E4] name = Examine_if_closed  inscode = XIC  instype = bit  size = 8
[00E8] name = Examine_if_Open  instype = bit  inscode = XIO  size = 8
[0158] name = Timer_on_delay  instype = timer  inscode = TON  size = 10
20 MAIN CONFIG [Figure: annotated main configuration file]
- Processor Name
- Data file information: starts with offset 0x86
- Start of 10-byte tuples, each representing a data file
- 10 bytes of first tuple
- Tuple field labels: File Type (INPUT, TIMER), File Size, Starting Offset for Addressing, Instruction addressing operand, Zero Padding
21 TIMER
CE 4F (CONFIG) - CE 4F (LADDER) = 0x00
T4 → 4 is the sequence number of the timer data tuple in the main config file
22
Rung-0: (XIC/[I1:0/0]) AND (XIO/[T4:2/DN]) --> (TON/[T4:0/1.0/3/0])
Rung-1: (XIC/[T4:0/TT]) --> (OTE/[B3:0/3])
Rung-2: (XIC/[T4:0/DN]) --> (TON/[T4:1/1.0/5/0])
Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1])
Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0])
Rung-5: (XIC/[T4:2/TT]) --> (OTE/[B3:0/2])
Rung-6: (XIO/[I1:0/0]) AND (XIO/[T4:3/DN]) --> (TON/[T4:3/1.0/1/0])
Rung-7: ( (XIC/[O0:0/0] AND XIO/[T4:3/DN]) OR (XIC/[T4:3/DN] AND XIO/[O0:0/0]) ) --> (OTE/[B3:0/0])
Rung-8: ( ( XIC/[B3:0/0]) OR ( XIC/[B8:0/0]) ) --> (OTE/[O0:0/0])
Rung-9: ( ( XIC/[B3:0/1]) OR ( XIC/[B8:0/1]) ) --> (OTE/[O0:0/1])
Rung-10: ( ( XIC/[B3:0/2]) OR ( XIC/[B8:0/2]) ) --> (OTE/[O0:0/2])
Rung-11: ( ( XIC/[B3:0/3]) OR ( XIC/[B8:0/3]) ) --> (OTE/[O0:0/3])
Rung-12: END
24 INSTRUCTION LEVEL
25 LOGIC LEVEL
26 Compatibility With Older Versions
27 Attack Scenario 1 [Figure labels: Engineering Software, Original Program (Timer: 5 secs), MITM, Attacker Program (Timer: 100 secs), PLC]
28 Evaluation of Laddis on Attack Scenario I
C2: Attacker changed the preset of second timer (T4:1) data from 5 sec to 100 (0x64) sec
[Figure labels: Preset, Accum, EN, DN, TT; [Time base] 00: 0.01 sec / 01: sec / 10: 1 sec; T4:0, T4:1, T4:2, T4:3]

a) Decompiled ladder logic program (PLC → Attacker)
(00:0c:29:c6:f5:36) < (00:1d:9c:a5:bc:3f)   [MAC address of attacker system < MAC address of PLC]
Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]
Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/100/22]   [Preset of T4:1 is 100 sec]
Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1]

a) Decompiled ladder logic program (Attacker → RSLogix)
(00:0c:29:9f:ad:bb) < (00:0c:29:c6:f5:36)   [MAC address of RSLogix system < MAC address of attacker system]
Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]
Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/5/0]   [Preset of T4:1 is 5 sec]
Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1]
29 Attack Scenario II [Figure labels: Engineering Software, Attacker Program, MITM, Original Program, PLC, Crash; 0xFF 0xFF 0xFF replace XIC instruction]
30 Evaluation of Laddis on Attack Scenario II
a) Original binary ladder logic [Figure labels: Start of Rung #0; Original instruction: XIC]
b) Malformed binary ladder logic [Figure labels: Attacker replaces the original instruction (XIC) with a malformed instruction; Reply]

a) Decompiled ladder logic program (PLC → Attacker)
(00:0c:29:c6:f5:36) < (00:1d:9c:a5:bc:3f)   [MAC address of attacker system < MAC address of PLC]
Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]   [Original rung]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]

b) Decompiled ladder logic program (Attacker → RSLogix)
(00:0c:29:9f:ad:bb) < (00:0c:29:c6:f5:36)   [MAC address of RSLogix system < MAC address of attacker system]
Detect unknown instruction code 'ffff' at file offset '0x6'
Detect unknown instruction code 'ffff' at file offset '0x8'
Detect unknown instruction code 'ffff' at file offset '0xa'
Detect unknown instruction code 'ffff' at file offset '0xc'
Rung-0: XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]   [Malformed rung]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]
31 Attack Scenario III [Figure labels: Engineering Software, Attacker Program, PLC, Attacker, Error]
32 Evaluation of Laddis on Attack Scenario III
Insert a new rung into a binary ladder logic
(00:0c:29:9f:ad:bb) < (00:1d:9c:a5:bc:3f)   [MAC address of RSLogix system < MAC address of PLC]
Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]
Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/5/0]
Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1]
Rung-4: XIC/[T4:1/DN] --> TON/[T4:2/1.0/2/0]
Rung-5: XIC/[T4:2/TT] --> OTE/[B3:0/2]
Rung-6: XIO/[I1:0/0] AND XIO/[T4:3/DN] --> TON/[T4:3/1.0/1/0]
Rung-7: ( ( XIC/[O0:0/0] AND XIO/[T4:3/DN] ) OR ( XIC/[T4:3/DN] AND XIO/[O0:0/0] ) ) --> OTE/[B3:0/0]
Rung-8: ( ( XIC/[B3:0/0] ) OR ( XIC/[B8:0/0] ) ) --> OTE/[O0:0/0]
Rung-9: ( ( XIC/[B3:0/1] ) OR ( XIC/[B8:0/1] ) ) --> OTE/[O0:0/1]
Rung-10: ( ( XIC/[B3:0/2] ) OR ( XIC/[B8:0/2] ) ) --> OTE/[O0:0/2]
Rung-11: ( ( XIC/[B3:0/3] ) OR ( XIC/[B8:0/3] ) ) --> OTE/[O0:0/3]
Rung-12: XIC/[I1:0/0] --> OTE/[O0:0/3]   [Inserted rung by attacker]
Rung-13: END
33 Evaluation of Laddis on Attack Scenario III
a) Configuration file (type: 0x03) [Figure labels: 10-byte tuples representing data files; File type: ladder logic; File size; Related to integrity of ladder logic file; Related to size of ladder logic file]
b) Unknown file (type: 0x24) [Figure labels: Base Address; Related to size of ladder logic file]
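The three evaluations above all come down to comparing decompiled listings, so here is an added example (not from the slides and not Laddis code) that diffs two Laddis-style ASCII listings and classifies the differences. The function names are hypothetical, the sample listings are constructed from the rungs shown on the slides, and the TON operand is assumed to be address/time base/preset/accumulator.

```python
import re
from itertools import zip_longest

RUNG_RE = re.compile(r"^Rung-(\d+):\s*(.*)$")
# An instruction such as XIC/[I1:0/0] or TON/[T4:1/1.0/100/22], or a boolean operator.
TOKEN_RE = re.compile(r"([A-Z]{3})/\[([^\]]+)\]|\b(AND|OR)\b")


def parse_listing(text):
    """Parse Laddis-style ASCII output into a list of rungs (lists of tokens).

    Each token is (mnemonic, address, params). For TON the operand is assumed
    to be address/time base/preset/accumulator; the accumulator is dropped
    because it changes while the PLC runs and would cause false positives.
    Parentheses are ignored, so both output styles on the slides parse alike.
    """
    rungs = []
    for line in text.strip().splitlines():
        m = RUNG_RE.match(line.strip())
        if not m or m.group(2).strip() == "END":
            continue  # skip decompiler warnings, annotations and the END marker
        tokens = []
        for t in TOKEN_RE.finditer(m.group(2)):
            if t.group(3):  # AND / OR
                tokens.append((t.group(3), "", ()))
                continue
            parts = t.group(2).split("/")
            if t.group(1) == "TON" and len(parts) == 4:
                tokens.append(("TON", parts[0], (parts[1], parts[2])))
            else:
                tokens.append((t.group(1), t.group(2), ()))
        rungs.append(tokens)
    return rungs


def show(rung):
    """Compact one-line rendering of a parsed rung for reports."""
    return " ".join(f"{m}/[{a}]" if a else m for m, a, _ in rung)


def diff_listings(reference, observed):
    """Return (rung index, finding type, detail) for every difference."""
    findings = []
    for idx, (ref, obs) in enumerate(zip_longest(reference, observed)):
        if ref is None:
            findings.append((idx, "rung-added", show(obs)))
        elif obs is None:
            findings.append((idx, "rung-missing", show(ref)))
        elif [t[:2] for t in ref] != [t[:2] for t in obs]:
            findings.append((idx, "logic-changed", f"{show(ref)} => {show(obs)}"))
        else:  # same instructions and addresses: look for changed timer values
            for r, o in zip(ref, obs):
                if r[2] != o[2]:
                    findings.append((idx, "timer-changed",
                                     f"{r[1]} (time base, preset) {r[2]} => {o[2]}"))
    return findings


# Constructed samples, shortened from the listings on the slides.
ORIGINAL = """
Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3]
Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3]
Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/5/0]
Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1]
"""
# Scenario I: the PLC side of the capture carries the 100 s preset.
PLC_SIDE_I = ORIGINAL.replace("1.0/5/0", "1.0/100/22")
# Scenario II: the engineering-software side has lost the XIC in rung 0.
ENG_SIDE_II = ("Detect unknown instruction code 'ffff' at file offset '0x6'\n"
               + ORIGINAL.replace("XIC/[I1:0/0] AND ", ""))
# Scenario III: an extra rung precedes END in the program sent to the PLC.
PLC_SIDE_III = ORIGINAL + "Rung-4: XIC/[I1:0/0] --> OTE/[O0:0/3]\nRung-5: END\n"

if __name__ == "__main__":
    cases = [("I", PLC_SIDE_I, ORIGINAL), ("II", ORIGINAL, ENG_SIDE_II),
             ("III", ORIGINAL, PLC_SIDE_III)]
    for name, ref, obs in cases:
        for finding in diff_listings(parse_listing(ref), parse_listing(obs)):
            print(f"Scenario {name}: rung {finding[0]} {finding[1]}: {finding[2]}")
```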
34 Introduced a new class of attacks on industrial control systems: denial of engineering operations
Developed Laddis, a ladder logic decompiler that can correctly reconstruct the source of the original code from a network trace
Generally, ICS forensics is an underrepresented area and needs more attention from cybersecurity researchers
- Funding should be directed for the research on this topic
- Solutions should cover a wide variety of vendors and protocols
35
- Irfan Ahmed, Sebastian Obermeier, Sneha Sudhakaran, Vassil Roussev, "Programmable Logic Controller Forensics", IEEE Security & Privacy, Vol. 15, No. 6, November 2017.
- Saranyan Senthivel, Shrey Dhungana, Hyunguk Yoo, Irfan Ahmed, Vassil Roussev, "Denial of Engineering Operations Attacks in Industrial Control Systems", In 8th ACM Conference on Data and Application Security and Privacy (CODASPY '18), March 2018, Tempe, AZ, USA.
- Saranyan Senthivel, Irfan Ahmed, Vassil Roussev, "SCADA Network Forensics of the PCCC Protocol", In the 17th Annual Digital Forensics Research Conference (DFRWS'17), August 2017, Austin, USA.
More informationGOVERNMENT POLYTECHNIC, MUMBAI
GOVERNMENT POLYTECHNIC, MUMBAI INDUSTRIAL AUTOMATION - EE 11 405 LABORATRY MANUAL ELECTRICAL ENGINEERING DEPARTMENT Course Teacher Dr. Mahesh S. Narkhede, LEE Special Thanks to Mr. Avinash Dabade (Faculty
More informationIE156: ICS410: ICS/SCADA Security Essentials
IE156: ICS410: ICS/SCADA Security Essentials IE156 Rev.001 CMCT COURSE OUTLINE Page 1 of 6 Training Description: In this five-day intensive training, participants will develop and reinforce a common language
More informationCCNA 1 Chapter 5 v5.0 Exam Answers 2013
CCNA 1 Chapter 5 v5.0 Exam Answers 2013 1 2 A host is trying to send a packet to a device on a remote LAN segment, but there are currently no mappings in its ARP cache. How will the device obtain a destination
More informationNational Cybersecurity Center of Excellence
The 3rd Annual Intelligence and National Security Forum Jim McCarthy NIST / NCCoE 05/11/2018 This presentation is unclassified in its entirety Foundations Collaborative Hub The NCCoE assembles experts
More informationOne Timer Element Is Made of Three 16-bit Words
LADDER DIAGRAM Timers T4, Timer File The timer file stores only timer elements. An element is a word or group of words that work together as a unit. A timer is made of three pieces or words. Preset value
More informationBuild Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement
FEMP Cybersecurity Program Review Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017 Tampa Convention Center Tampa,
More informationCOMPUTER FORENSICS (CFRS)
Computer Forensics (CFRS) 1 COMPUTER FORENSICS (CFRS) 500 Level Courses CFRS 500: Introduction to Forensic Technology and Analysis. 3 credits. Presents an overview of technologies of interest to forensics
More informationShift Register Instructions/The Force Function
Exercise 9 Shift Register Instructions/The Force Function EXERCISE OBJECTIVE To program and test PLC ladder programs that use shift register instructions. To become familiar with the Force function of
More informationDoD Terminology Decision In Progress: PIT, CS, PIT-CS, ICS,OT, SCADA, CPS, IoT, IIoT
DoD Terminology Decision In Progress: PIT, CS, PIT-CS, ICS,OT, SCADA, CPS, IoT, IIoT PIT = Platform Information Technology CS = Control Systems PIT-CS = PIT Control Systems ICS = Industrial Control Systems
More informationHow can I use ISA/IEC (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits
How can I use ISA/IEC- 62443 (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits What is ISA 62443? A series of ISA standards that addresses
More informationAn Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist
An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist Standards Certification Education & Training Publishing Conferences & Exhibits Speakers: Bryan L. Singer, CISM, CISSP, CAP
More informationImproving SCADA System Security
Improving SCADA System Security NPCC 2004 General Meeting Robert W. Hoffman Manager, Cyber Security Research Department Infrastructure Assurance and Defense Systems National Security Division, INEEL September
More informationHow enterprises can use cyber threat information effectively? Shimon Modi,
How enterprises can use cyber threat information effectively? Shimon Modi, Ph.D. smodi@trustar.co @shimonmodi About Me 10+ years of Applied R&D experience in Information Security Currently @ TruSTAR Technology
More informationCyber Security of Industrial Control Systems and Potential Impacts on Nuclear Power Plants
Cyber Security of Industrial Control Systems and Potential Impacts on Nuclear Power Plants IEEE NPEC April 18, 2006 Joe Weiss, PE, CISM KEMA, Inc. Joe.weiss@kema.com (408) 253-7934 2 Why are we here? Ostensibly:
More informationTestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified
TestOut Network Pro - English 4.1.x COURSE OUTLINE Modified 2017-07-06 TestOut Network Pro Outline - English 4.1.x Videos: 141 (18:42:14) Demonstrations: 81 (10:38:59) Simulations: 92 Fact Sheets: 145
More informationBuilding a resilient ICS
Building a resilient ICS By Dr Jules Pagna Disso, @julesdisso Building a resilient Industrial Control System (ICS) 1: From ICS to Critical National Infrastructure 2: Thenatureof the problem 3: Building
More informationSecurity Challenges with ITS : A law enforcement view
Security Challenges with ITS : A law enforcement view Central Observatory for Intelligent Transportation Systems FRENCH MINISTRY OF INTERIOR GENDARMERIE NATIONALE Colonel Franck MARESCAL franck.marescal@gendarmerie.interieur.gouv.fr
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More information