ICS and SCADA vulnerabilities.

So, at this point, we've talked about a couple of pieces inside embedded systems, and a lot of these things are going to be put together into an ICS or SCADA network. Now, before we dive into that, let me first just take a step back and talk about the type of technology we're talking about here. Now, in general, we work in IT, which is information technology. That's our standard Windows computers, and networks, and things like that. But when we start talking about ICS and SCADA, we are talking about OT, which is operational technology. This is a communications network that's designed to implement an industrial control system rather than data networking. So, here, we're really not talking about end-user machines. We're not talking about having a Windows 10 host sitting on this network. Instead, with OT, we're talking about things that are using technology and computers to be able to do things in the physical world, like open or shut a valve, like do manufacturing, like create power generation in a power plant, things like that.

So, if I look here, for instance, this is what OT looks like. Usually, they look like big cabinets with dials and gauges and buttons. So, if I wanted to open or shut different valves or turn on or off different pumps, I would push the different buttons on that diagram on the front of that cabinet, instead of using something like a Windows machine and using a command like "start, open valve, enter," right? This is a different way of thinking. Now, you can still have computers like Windows computers that can talk to these networks if you integrate the two, but you don't have to. A lot of OT can just be done in a manufacturing plant using systems like this.

Now, when we deal with industrial control systems, these are going to prioritize availability and integrity over confidentiality. So, if we talk about the CIA triad normally in IT, here, we're really talking about the AIC triad. Availability is paramount. And this makes sense if you think about it, because OT was originally designed to do manufacturing, and anytime the plant was down, we weren't making money. So, for them, availability was everything. Also, the plant didn't talk to the Internet, originally. It was all within the borders of the plant. And so, we had that physical boundary. So, confidentiality wasn't as big of a deal because we trusted the people working for us. So, availability was much more important.

So, now that we've done an introduction to operational technology, let's talk specifically about three key areas. I've already talked about the terms ICS and SCADA. And we're also going to talk about Modbus.

Now, let's start with ICS. ICS is an Industrial Control System. When you hear ICS, this is essentially just a network that manages embedded devices. So, if I work in some place like an electrical power station or a water supplier, or I work in a hospital doing health services, I might work in telecommunications in the backbones. I might work in manufacturing, or in defense needs. All of these things use ICS. They all use this operational technology using these Industrial Control Systems. For instance, if you're driving a U.S. Navy warship, there are a ton of ICS and SCADA systems on those things, because you essentially have a power plant on board. You have the engines on board, and all that stuff is essentially a big manufacturing plant, and it has similar components to that. And so, those things all run on ICS and SCADA, as well.

Now, one of the things that ICS uses is what's known as Fieldbus. Fieldbus is digital serial data communications that are used in operational technology networks to link different PLCs together. So, we talked about those PLCs in a previous lesson, right? I might have a PLC that opens and shuts this valve to let more gas into the engine, so that we can go faster on a ship, for instance. Well, that is just one PLC, but I might have another PLC that opens and shuts a breaker that allows electricity to go to a different part of the ship. And if I want to connect all those things together, I need a way to do it. And that's what we use Fieldbus for. It's this digital serial data communications that we use to link all these things together.

Now, another thing we have to be able to do is we need to be able to talk to these machines and tell them what to do. And that's where we use an HMI: a Human Machine Interface. This is the input and output controls on a PLC that allow a user to configure and monitor the system. So, when I'm trying to tell the system to do something, like open a valve, I need a way to give it that input. I can do that by pushing a button. That could be a Human Machine Interface. Or, I could open that valve on a touchscreen by tapping it and saying open. These are all different ways I can interface with it.

Now, ICS is all about managing process automation by linking together these PLCs using the Fieldbus to make changes in the physical world. I want to open a valve. I want to start a motor. Those kinds of things. Now, I, as a human, need to be able to see what the machine is doing by reading gauges or other screens, and be able to give input into the machine of what I want it to do, by pushing buttons, turning knobs, entering keystrokes, or even using a touchscreen. So, for example, here if I worked in a hospital, I might have a Human Machine Interface that's a flat panel screen, and I can touch it and tell it what I want to be done. This way, this panel can then send the information to that machine to do what it needs to do. In this case, it's a radiography machine that's going to take an X-ray. This also has PLCs connected to it, within a control loop. And that whole process automation system is governed by some kind of a control server. This is how all this stuff ties together.

Now, one of the other things we have to think about is having some way to know what all these systems have done in the past, because if we're doing an incident response, we want to be able to figure all that out. And so, as a cybersecurity analyst, one of the things you want to look for is the data historian. Now, the data historian is software that aggregates and catalogs data from multiple sources within an industrial control system. Now, again, as an analyst, this is important for you to know because if you're working in a place that has an industrial control system, you want to find out where the data historian is and how you can use it, because that's going to have valuable information for you.

All right, so now that we're done talking about ICS, let's focus on the second part of this lesson, which is all about SCADA. SCADA is Supervisory Control and Data Acquisition. This is a type of industrial control system. So, it's a type of ICS that manages large-scale, multi-site devices and equipment spread over a geographic region. So, when I'm talking about ICS, I'm looking at one plant. When I talk about SCADA, I'm talking about multiple plants. That's really the way I like to distinguish these two. So, when you deal with SCADA, this typically runs software on ordinary computers, and it gathers data and manages it across the different plant devices and the different equipment that has embedded PLCs. So, when you're dealing with SCADA, it typically is going to use some kind of a wide area network connection. That could be cellular. That could be microwave. That could be satellite. Whatever you want to use. And then, they're all going to link back from those field devices to the central SCADA server.

So, I mentioned earlier, I have a smart meter on my house. They don't have to come out once a month and read my electrical meter to know how much to bill me. Why don't they have to do that? Because it's part of a SCADA network, and all the houses in my area are part of that SCADA network. They have a cellular chip in there, and it takes that reading once a month, sends it back over cellular as a text message or data format, whatever they use, to their SCADA server, which collates that information, passes it to the billing system, and then I get a bill. That's how SCADA can be used in the real world.

Now, the third part of this we need to talk about is Modbus. Now, because ICS and SCADA are really focused on operational technology, they don't have to use things that we'd only use in the IT world. But they have to have a way to communicate with each other. And Modbus is that way. Modbus is a communications protocol that's used in operational technology networks. So, in our IT networks, what do we usually use? TCP/IP, right? Well, we don't have to use that inside these OT networks. And often, we don't. Modbus is instead what we use. So, Modbus is going to give the control servers and the SCADA host the ability to query and change configurations of each PLC. Now, this is important to know. Because this is more of a proprietary protocol, it looks different than TCP/IP. So, if you're trying to do an incident response, and you think somebody's in your ICS/SCADA network, and you've been studying how to do TCP/IP your entire life, are you going to know what you're looking at? Most likely not. And that's why there are experts in ICS and SCADA systems. Because it is a different way of thinking. It is a different way of communicating, and they use a different protocol. So, keep that in mind. If you're dealing with an ICS or SCADA network, it is different and you have to follow different ways of doing things, because a lot of your normal tools that you would use for Ethernet and TCP/IP either won't work or they could cause damage.