ICS Penetration Testing

Size: px

Start display at page:

Download "ICS Penetration Testing"

Erick Goodman
5 years ago
Views:

1 Connor Leach Jackson Evans-Davies 18 June, 2018 ICS Penetration Testing Understanding the Challenges and Techniques

2 Introductions 1 Connor Leach, GPEN, OSCP - Senior Penetration Tester - Member of Canadian H-ICS Team for 8 years - Based in Kelowna, BC - CTF Competitor Jackson Evans-Davies, GPEN - Penetration Tester - Member of Canadian H-ICS Team for 7 years - Based in Edmonton, AB - Currently Working Towards OSCP

3 ICS Penetration Testing 2 What is an ICS Penetration Test? - Simulated ICS Cyber-Attack Enterprise Penetration Test vs ICS Penetration Test - CIA Triad - Tactics and Techniques Challenges of an ICS Penetration Test - Denial of Service - Security Maturity Level - Objective Misalignment - Us vs Them Mentality - Different Zones of Ownership - Compliance

4 Why Perform ICS Penetration Testing? 3 Risks to ICS Networks - Risk = Threat * Consequence * Vulnerability - Sophisticated Threats - Consequences of a Cyber-Incident Technical and Non-Technical Vulnerabilities and Misconfigurations - Context of Observed Vulnerabilities - Provide Remediation Steps to Resolve Weaknesses Provide Risk Ranking to Organization Validation of Security Posture - Threat Emulation - Dress Rehearsal Protective, Detective, and Corrective

Different Phases - External, Perimeter, Process, and Complete Unique Goals Scoping and Rules of Engagement Safeguards to Prioritize the

5 Honeywell Industrial Cyber Security Penetration Testing 4 Our Goal: Engage ICS Networks using Offensive Tactics, Techniques, and Tools while Prioritizing Safety Threat Modeling ICS Networks - Security Maturity Level - High vs Low Threat Sophistication Segment an Engagement into Different Phases - External, Perimeter, Process, and Complete Unique Goals Scoping and Rules of Engagement Safeguards to Prioritize the Availability of the ICS - Black, Grey, or White Box - Escorted Digital Access - Table Top or Paper Exercise Post Exploitation Enumeration Exploitation

6 External Penetration Testing 5 Attack Begins on the Internet Common Tactics: - Enumerate Internet Footprint - User Profiling - Social Engineering - Spear-Phishing Common Techniques: - Enumeration: OSINT, Port Scanning, Addresses, Documentation - Exploitation: Remote Services, Users - Post-Exploitation: Local Privilege Escalation, Persistence End goal: Foothold on the BLAN Internet BLAN

7 Perimeter Penetration Testing Attack Begins on the BLAN Common Tactics: - ICS Network Enumeration via BLAN - Establishing an ICS Foothold - Lateral Movement - Network and Endpoint Pivoting Common Techniques: - Enumeration: Port Scanning, s, Documentation, Users - Exploitation: Endpoints, Network Equipment, Shared Services, Users - Post-Exploitation: Local and Domain Privilege Escalation, Session Hijacking, Pivoting End goal: Elevated Access on the DMZ and a Foothold on the ICS BLAN DMZ Level 3 6

8 Process Penetration Testing 7 Attack Begins at ICS Level 3 or in a Lab Environment Specialized Engagement - Validate a Specific Security Control - Consequence Analysis - Vulnerability Research Common Tactics and Techniques: - Enumeration: Port Scanning, Application Assessment, Traffic Analysis - Exploitation: Traffic Modification, Man-in-the-Middle, ICS Exploits End goal: Control of ICS Assets while Maintaining System Integrity Level 3 Level 1/2

9 Penetration Testing with Honeywell Industrial Cyber Security Years Working in ICS Environments Prioritization of the Availability of ICS Networks Knowledge of ICS Environments - Potential Instability Points within ICS Networks - Understanding of Security Controls or Lack Thereof - A Penetration Testing Offering that is Specifically Developed for ICS Networks An Assessment that Provides Value and Focuses on Actionable Vulnerabilities

10 Get this Hot Deal at Americas HUG 9 Secure Media Exchange systems for $9,999 each and SMX ATIX subscriptions for: - $7K/year per SMX System on 1 year agreements - $5K/year per SMX System on 5 year agreements Visit the Promotions Center to learn more. Get details at the Promotions Center or These limited-time discounts and offerings are only available and valid for new inquiries and commitments made at 2018 Americas HUG in San Antonio, TX, June Orders must be placed within 90 days of receiving an estimate.

11 10 Questions?

12 Honeywell Confidential -

13 Honeywell Industrial Cyber Security Penetration Testing Tools 12 Tools - Common Penetration Testing Tools NMap, Metasploit, Empire, John, Ettercap, Sqlmap, Impacket Tools, Burpsuite, Responder, BeEF, Social Engineering Toolkit (SET), Mimikatz, Powersploit, Hashcat - Advanced Threat Emulation Tools Cobalt Strike Custom Payloads and Tools Penetration Testing Execution Standard (PTES) - Framework to Provide Highly Repeatable Quality Penetration Testing

Live Adversary Simulation: Red and Blue Team Tactics

SESSION ID: HTA-T06 Live Adversary Simulation: Red and Blue Team Tactics James Lyne Head of R&D SANS Institute @JamesLyne Stephen Sims Security Researcher & Fellow SANS Institute @Steph3nSims Agenda 2