ICS Penetration Testing: Understanding the Challenges and Techniques
Connor Leach
Jackson Evans-Davies
18 June, 2018
© 2018 by Honeywell International Inc. All rights reserved.
Introductions
• Connor Leach, GPEN, OSCP
- Senior Penetration Tester
- Member of Canadian H-ICS Team for 8 years
- Based in Kelowna, BC
- CTF Competitor
• Jackson Evans-Davies, GPEN
- Penetration Tester
- Member of Canadian H-ICS Team for 7 years
- Based in Edmonton, AB
- Currently Working Towards OSCP
ICS Penetration Testing
• What is an ICS Penetration Test?
- Simulated ICS Cyber-Attack
• Enterprise Penetration Test vs ICS Penetration Test
- CIA Triad
- Tactics and Techniques
• Challenges of an ICS Penetration Test
- Denial of Service
- Security Maturity Level
- Objective Misalignment
- Us vs Them Mentality
- Different Zones of Ownership
- Compliance
Why Perform ICS Penetration Testing?
• Risks to ICS Networks
- Risk = Threat * Consequence * Vulnerability
- Sophisticated Threats
- Consequences of a Cyber-Incident
• Technical and Non-Technical Vulnerabilities and Misconfigurations
- Context of Observed Vulnerabilities
- Provide Remediation Steps to Resolve Weaknesses
• Provide Risk Ranking to Organization
• Validation of Security Posture
- Threat Emulation
- Dress Rehearsal – Protective, Detective, and Corrective
Honeywell Industrial Cyber Security Penetration Testing
• Our Goal: Engage ICS Networks using Offensive Tactics, Techniques, and Tools while Prioritizing Safety
• Threat Modeling ICS Networks
- Security Maturity Level
- High vs Low Threat Sophistication
• Segment an Engagement into Different Phases
- External, Perimeter, Process, and Complete
Unique Goals
Scoping and Rules of Engagement
• Safeguards to Prioritize the Availability of the ICS
- Black, Grey, or White Box
- Escorted Digital Access
- Table Top or Paper Exercise
[Diagram: engagement phases - Enumeration, Exploitation, Post-Exploitation]
External Penetration Testing
• Attack Begins on the Internet
• Common Tactics:
- Enumerate Internet Footprint
- User Profiling
- Social Engineering
- Spear-Phishing
• Common Techniques:
- Enumeration:
OSINT, Port Scanning, Email Addresses, Documentation
- Exploitation:
Remote Services, Users
- Post-Exploitation:
Local Privilege Escalation, Persistence
• End goal: Foothold on the BLAN (Business LAN)
[Diagram: attack path from the Internet to the BLAN]
Perimeter Penetration Testing
• Attack Begins on the BLAN
• Common Tactics:
- ICS Network Enumeration via BLAN
- Establishing an ICS Foothold
- Lateral Movement
- Network and Endpoint Pivoting
• Common Techniques:
- Enumeration:
Port Scanning, Emails, Documentation, Users
- Exploitation:
Endpoints, Network Equipment, Shared Services, Users
- Post-Exploitation:
Local and Domain Privilege Escalation, Session Hijacking, Pivoting
• End goal: Elevated Access on the DMZ and a Foothold on the ICS
[Diagram: attack path from the BLAN through the DMZ to ICS Level 3]
Process Penetration Testing
• Attack Begins at ICS Level 3 or in a Lab Environment
• Specialized Engagement
- Validate a Specific Security Control
- Consequence Analysis
- Vulnerability Research
• Common Tactics and Techniques:
- Enumeration:
Port Scanning, Application Assessment, Traffic Analysis
- Exploitation:
Traffic Modification, Man-in-the-Middle, ICS Exploits
• End goal: Control of ICS Assets while Maintaining System Integrity
[Diagram: attack path from Level 3 to Levels 1/2]
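The two points the slides keep returning to, that active scanning can knock over fragile controllers (the Denial of Service challenge) and that process-level testing relies on traffic analysis and traffic modification, can both be shown on one protocol. The following is an added example written for this page, not a Honeywell tool or anything the presenters showed. It assumes Modbus/TCP as the fieldbus protocol and works entirely on a constructed four-frame capture embedded in the script, so it runs offline: it builds an inventory of unit IDs and function codes purely from observed frames (what you would do from a SPAN port instead of scanning), then rewrites the value in a Write Single Register request the way a man-in-the-middle would. Because Modbus/TCP carries no authentication, MAC or signature, the tampered frame is byte-for-byte as valid as the original, which is exactly the weakness process-level testing is meant to demonstrate to a plant owner.

```python
"""Passive Modbus/TCP inventory and in-transit tampering (added example, not from the slides)."""
import struct
from dataclasses import dataclass

# Function codes as named in the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload following the function code


def parse_frame(raw: bytes) -> ModbusFrame:
    """Split an MBAP header + PDU into fields, checking the length word."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", raw[:MBAP_LEN + 1])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts everything after itself: unit id + PDU.
    if length != len(raw) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(raw)}")
    return ModbusFrame(tid, unit, fc, raw[MBAP_LEN + 1:])


def build_frame(frame: ModbusFrame) -> bytes:
    """Inverse of parse_frame: serialise a frame back to wire bytes."""
    length = 1 + 1 + len(frame.data)  # unit id + function code + data
    header = struct.pack(">HHHBB", frame.transaction_id, 0, length,
                         frame.unit_id, frame.function_code)
    return header + frame.data


def passive_inventory(frames):
    """Map each unit id seen on the wire to the function codes used with it.

    This is enumeration from a capture alone: no packet is ever sent to a
    controller. Requests and replies share unit id and function code, so
    both directions feed the same inventory.
    """
    inventory = {}
    for raw in frames:
        frame = parse_frame(raw)
        inventory.setdefault(frame.unit_id, set()).add(frame.function_code)
    return inventory


def describe(frame: ModbusFrame) -> str:
    """One-line summary flagging write operations, the ones that change process state."""
    name = FUNCTION_NAMES.get(frame.function_code, f"FC {frame.function_code}")
    kind = "WRITE" if frame.function_code in WRITE_FUNCTIONS else "read"
    return f"unit {frame.unit_id}: {name} ({kind}) data={frame.data.hex()}"


def decode_write_single_register(frame: ModbusFrame):
    """Return (register address, value) from a Write Single Register request."""
    if frame.function_code != 6 or len(frame.data) != 4:
        raise ValueError("not a Write Single Register request")
    return struct.unpack(">HH", frame.data)


def tamper_write_single_register(raw: bytes, new_value: int) -> bytes:
    """Rewrite the value in a Write Single Register request as a MitM would.

    Only the two value bytes change. Modbus/TCP has no MAC, signature or
    sequence check, so the controller cannot tell this frame from the original.
    """
    frame = parse_frame(raw)
    address, _ = decode_write_single_register(frame)
    tampered = ModbusFrame(frame.transaction_id, frame.unit_id, 6,
                           struct.pack(">HH", address, new_value))
    return build_frame(tampered)


# Constructed sample capture (not from any real plant): the master reads ten
# holding registers from unit 1, receives the reply, writes register 16 on
# unit 1 with value 500, then reads eight coils from unit 2.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    bytes.fromhex("0001 0000 0017 01 03 14") + b"\x00\x01" * 10,
    bytes.fromhex("0002 0000 0006 01 06 0010 01f4"),
    bytes.fromhex("0003 0000 0006 02 01 0000 0008"),
]

if __name__ == "__main__":
    for unit, codes in sorted(passive_inventory(SAMPLE_FRAMES).items()):
        print(f"unit {unit}: function codes {sorted(codes)}")
    for raw in SAMPLE_FRAMES:
        print(describe(parse_frame(raw)))
    print("tampered:", tamper_write_single_register(SAMPLE_FRAMES[2], 2000).hex())
```

In a real engagement the frames would come from a capture file taken off a span port or from the man-in-the-middle position itself; the parsing and rewriting logic is the same. The passive inventory is also the safe first step the Denial of Service slide implies: it tells you which unit IDs and function codes are live before you decide whether any active probing of a controller is justified.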
Penetration Testing with Honeywell Industrial Cyber Security
• 15+ Years Working in ICS Environments
• Prioritization of the Availability of ICS Networks
• Knowledge of ICS Environments
- Potential Instability Points within ICS Networks
- Understanding of Security Controls or Lack Thereof
- A Penetration Testing Offering that is Specifically Developed for ICS Networks
• An Assessment that Provides Value and Focuses on Actionable Vulnerabilities
Get this Hot Deal at Americas HUG9
Secure Media Exchange systems for $9,999 each and SMX ATIX subscriptions for:
- $7K/year per SMX System – on 1 year agreements
- $5K/year per SMX System – on 5 year agreements
Visit the Promotions Center to learn more.
Get details at the Promotions Center or www.hwll.co/HUG18offers. These limited-time discounts and offerings are only available and valid for new inquiries and commitments made at 2018 Americas HUG in San Antonio, TX, June 18-23. Orders must be placed within 90 days of receiving an estimate.
© 2018 by Honeywell International Inc. All rights reserved.
Questions?
www.becybersecure.com
Honeywell Industrial Cyber Security Penetration Testing Tools
• Tools
- Common Penetration Testing Tools
Nmap, Metasploit, Empire, John the Ripper, Ettercap, sqlmap, Impacket, Burp Suite, Responder, BeEF, Social Engineering Toolkit (SET), Mimikatz, PowerSploit, Hashcat
- Advanced Threat Emulation Tools
Cobalt Strike
Custom Payloads and Tools
• Penetration Testing Execution Standard (PTES)
- Framework to Provide Highly Repeatable Quality Penetration Testing