ADVANCED ICS HACKING  

Abstract:

Industrial control systems (ICS) are often an easy target for cybercriminals. The majority of these systems monitor complex industrial processes and critical infrastructures that deliver power, water, transport, manufacturing and other essential services.

There are many vulnerabilities in ICS that could expose an installation to attacks. Downtime or infiltration of an ICS network could result in massive outages, hundreds of thousands of impacted users and even national disaster. Penetration testing of ICS is a very specific field that requires in-depth knowledge and hardware availability.

This training is going to help you understand ICS, analyze their weaknesses, attack them and design strategies to protect them. It is aimed at security professionals who want to understand ICS, improve their skills or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques.

We will focus on methodologies for hacking commercial hardware devices such as PLCs as well as simulators, and we will also provide an excellent opportunity for participants to gain hands-on experience in penetration testing of these devices and systems. The ICS setup will simulate the ICS infrastructure with real-time PLCs and SCADA applications. We will cover the most common ICS protocols (Modbus, S7, DNP3, OPC, Profinet), analyze packet captures and learn how to use these protocols to talk to PLCs. You will learn how to program a PLC, to better understand how to exploit them.

Throughout the course, we will use a virtual machine created by us specifically for ICS penetration tests; it has all the necessary tools for ICS hacking. The course is structured for beginner to intermediate level attendees, and no previous experience in ICS, reversing or hardware is required.


Course Outline

Day 01: Overview of ICS, Protocols & Hacking

ICS Basics

1.1 Introduction to ICS

1.2 Vocabulary

1.3 The CIM model

1.4 Classic architectures

1.5 History of ICS

1.6 Briefing of ISA99/IEC62443, NIST 800-82, ANSSI

1.7 IT vs OT

1.8 ICS systems exposed on Internet

ICS Components

2.1 ICS Architecture, Components and Roles

2.1.a. RTU

2.1.b. HMI

2.1.c. DCS

2.1.d. Sensors

2.1.e. PLC

2.1.f. SCADA

2.1.g. Historian

Programming PLCs

3.1 PLC Wiring

3.2 PLC Programming in ladder

3.3 Programming PLC hands-on

ICS Protocols

4.1 Modbus

4.1.a. Introduction and protocol overview

4.1.b. Reconnaissance

4.1.c. Sniffing and Eavesdropping

4.1.d. Baseline Response Replay

4.1.e. Modbus Flooding

4.1.f. Modifying PLC values

4.1.g. Rogue Interloper

4.1.h. Hands-on practice

4.2 S7

4.2.a. Introduction and protocol overview

4.2.b. Reconnaissance

4.2.c. Sniffing and Eavesdropping

4.2.d. Uploading and downloading PLC programs

4.2.e. Start and Stop PLC CPU

4.2.f. Hands-on practice

4.3 DNP3

4.3.a. Introduction and protocol overview

4.3.b. Reconnaissance

4.3.c. Length Overflow Attack

4.3.d. Reset Function Attack

4.3.e. Rogue Interloper

4.3.f. Hands-on practice

4.4 Profinet

4.4.a. Introduction and protocol overview

4.4.b. Reconnaissance

4.4.c. Sniffing and Eavesdropping

4.4.d. Replay Attacks

4.4.e. Packet Forging Attacks

4.4.f. Hands-on practice

4.5 OPC/OPC-UA

4.5.a. Introduction and protocols overview

4.5.b. Reconnaissance

4.5.c. OPC Attacks

4.5.d. Hands-on practice


Day 02: Bypassing the Airgap, Pentesting & Attacks

Bypassing the Air Gap

5.1 Tools and techniques

Common ICS Vulnerabilities

6.1 Lack of network segmentation

6.2 Lack of hardening

6.3 ICS protocols insecurity

6.4 Other vulnerabilities

Discussion of real attacks

Pentesting ICS systems

8.1 Pentesting Tools

8.2 Pentesting ICS Theory

8.2.a. Reconnaissance

8.2.b. Exploitation

8.3 Warnings and precautions

Hands-on Pentesting ICS practice

9.1 PLC Scanning and Reconnaissance

9.2 Network capture analysis & replaying packets

9.3 Attacking ICS protocols

9.4 Fuzzing ICS protocols

9.5 Attacking PLC standard interfaces and features

9.6 Attacking HMI

9.7 Attacking Windows ICS components

9.7.a. Find credentials on Windows systems

9.7.b. Exploiting to gain admin privileges

Securing ICS Systems

10.1 System hardening

10.2 Network segmentation

10.3 Security supervision and other measures

ICS System Case Study


Why people should attend this course:

This course is a perfect fit for professionals who want to understand ICS systems, improve their skills or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques. It's an excellent opportunity for participants to acquire hands-on experience in penetration testing ICS devices and systems.


3 takeaways that students will learn:

• Deep understanding of ICS components and protocols

• Real-life penetration testing experience against key ICS components and protocols

• Strategies and methods to secure ICS systems

Lecture vs hands-on:

The time will be split 40% lecture vs 60% hands-on. The focus of the course will be mostly dedicated to the hands-on laboratories. The theory lessons will be used to explain the concepts needed for the practical exercises.

Hands-on labs:

• PLC Programming: 30 minutes.

• Modbus: ~ 30 minutes.

• DNP3: ~ 30 minutes.

• S7: ~ 30 minutes.

• OPC: ~ 30 minutes.

• Profinet: 30 minutes.

• PLC Scanning: ~ 30 minutes.

• Network Capture and Replay: ~ 30 minutes.

• Attacking ICS Protocols: ~ 1 hour.

• Fuzzing ICS Protocols: ~ 1 hour.

• Attacking PLC: ~ 1 hour.

• Attacking HMI: ~ 1 hour.

• Attacking Windows ICS Components: ~ 30 minutes.

• ICS System Case study: ~ 1 hour.

Keywords: ICS Hacking, Industrial Control Systems, Industrial Network Protocols, SCADA, PLC, Modbus, DNP3, OPC, S7, Profinet


Who should take this course:

• Penetration Testers / Red Team Members who want to pentest ICS systems or bypass the airgap

• Government officials from offensive or defensive units

• SCADA and PLC programmers

• IT and OT security professionals seeking to increase their knowledge of ICS hacking and security

• Anyone interested in ICS security

Student Requirements:

• Basic knowledge of Linux

• Basic knowledge of networking and pentesting


What students should bring:

• Laptop with at least 40GB free space

• 8 GB minimum RAM

• Virtualization Software such as VMWare or Virtualbox

• Admin/Root access on their laptop

What students will be provided with:

• Slides/lectures of the training

• VM with test environment, exercises and all the tools used in class

Max capacity: 40

Absolutely max capacity: 45


Twitter handles:

• Trainer 1: @ylevalle

• Company: @DreamlabGlobal


Spanish

2 days

19, 20 Sep

Buenos Aires

Cost

Early bird (until 31 March)


Instructor





Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive Security Professional with more than 15 years of experience in the InfoSec field, with expertise in ICS security.

Yamila currently works as Security Researcher and Consultant at Dreamlab Technologies, where she conducts research, publishes investigations on several information security topics and shares her skills by giving trainings. She is an international security conference speaker and has presented her research at important events, such as BlackHat Arsenal Las Vegas, PHDays Moscow, Northsec Montreal, AusCERT Australia, OWASP Latam Tour, and others.