1
00:00:00,230 --> 00:00:02,410
Mitigating vulnerabilities.

2
00:00:02,410 --> 00:00:04,780
So, we've talked about a lot of specialized systems here,

3
00:00:04,780 --> 00:00:07,240
especially in the ICS and SCADA world.

4
00:00:07,240 --> 00:00:08,680
And so, the question is,

5
00:00:08,680 --> 00:00:11,630
how do you start mitigating some of these vulnerabilities?

6
00:00:11,630 --> 00:00:13,580
Well, the go-to guide for this is going to be

7
00:00:13,580 --> 00:00:16,734
the NIST Special Publication 800-82.

8
00:00:16,734 --> 00:00:18,320
Now, again, this is a good read

9
00:00:18,320 --> 00:00:20,590
if you happen to work in a manufacturing environment

10
00:00:20,590 --> 00:00:22,900
or someplace that uses ICS and SCADA.

11
00:00:22,900 --> 00:00:24,540
Now, you don't have to read this entire guide

12
00:00:24,540 --> 00:00:25,980
yourself because I'm going to give you

13
00:00:25,980 --> 00:00:28,030
the four key controls for mitigating

14
00:00:28,030 --> 00:00:29,870
vulnerabilities in specialized systems.

15
00:00:29,870 --> 00:00:32,100
And this is really what you need to know for the exam.

16
00:00:32,100 --> 00:00:33,550
But again, if you're working in an environment

17
00:00:33,550 --> 00:00:35,250
that is automation and manufacturing

18
00:00:35,250 --> 00:00:37,030
and you have ICS/SCADA systems,

19
00:00:37,030 --> 00:00:38,930
this entire guide is a great read

20
00:00:38,930 --> 00:00:40,360
for you in the real world.

21
00:00:40,360 --> 00:00:41,920
Now, the first thing we want to talk about

22
00:00:41,920 --> 00:00:44,260
is how you can establish administrative control

23
00:00:44,260 --> 00:00:46,580
over operational technology networks.

24
00:00:46,580 --> 00:00:48,840
The best way to do this is by recruiting staff

25
00:00:48,840 --> 00:00:51,280
who have expertise with these things.

26
00:00:51,280 --> 00:00:55,320
Because, as I said, these are not your normal IT networks.
27
00:00:55,320 --> 00:00:57,860
I am really knowledgeable when it comes to IT networks,

28
00:00:57,860 --> 00:00:59,790
but I am not really knowledgeable when it comes

29
00:00:59,790 --> 00:01:02,600
to ICS and SCADA networks in the OT realm.

30
00:01:02,600 --> 00:01:04,130
I've done a little bit of work with them,

31
00:01:04,130 --> 00:01:05,800
but just enough to be dangerous.

32
00:01:05,800 --> 00:01:07,440
So, you wouldn't want to hire me for that.

33
00:01:07,440 --> 00:01:09,680
Instead, you want to find people who know

34
00:01:09,680 --> 00:01:10,780
what they're talking about when it comes

35
00:01:10,780 --> 00:01:13,460
to OT. OT is a different beast.

36
00:01:13,460 --> 00:01:15,040
And so, you want to make sure you get somebody

37
00:01:15,040 --> 00:01:18,577
who understands SCADA and ICS and PLCs

38
00:01:18,577 --> 00:01:19,941
and FPGAs and all the stuff we've been talking

39
00:01:19,941 --> 00:01:22,000
about the last couple of lessons.

40
00:01:22,000 --> 00:01:23,670
These are specialists and they're worth

41
00:01:23,670 --> 00:01:25,197
the money to have on staff, especially

42
00:01:25,197 --> 00:01:27,900
if you're running a big manufacturing plant.

43
00:01:27,900 --> 00:01:29,350
The second big tip:

44
00:01:29,350 --> 00:01:30,690
you want to make sure you're implementing

45
00:01:30,690 --> 00:01:32,030
the minimum network links

46
00:01:32,030 --> 00:01:34,070
by disabling any unnecessary links,

47
00:01:34,070 --> 00:01:36,110
services, and protocols.

48
00:01:36,110 --> 00:01:37,420
Essentially, when you have

49
00:01:37,420 --> 00:01:38,901
an operational technology network,

50
00:01:38,901 --> 00:01:40,310
you want to eliminate it

51
00:01:40,310 --> 00:01:41,740
from all of the rest of the networks,

52
00:01:41,740 --> 00:01:43,000
as much as possible.

53
00:01:43,000 --> 00:01:44,040
We want to cut those links,

54
00:01:44,040 --> 00:01:45,650
we want to disable services.
55
00:01:45,650 --> 00:01:47,990
So, if I have a manufacturing plant,

56
00:01:47,990 --> 00:01:50,800
I should have two networks: my corporate network,

57
00:01:50,800 --> 00:01:54,660
the IT network, and the plant network, the OT network.

58
00:01:54,660 --> 00:01:56,710
If there's any connection between those two,

59
00:01:56,710 --> 00:01:57,920
it should be very minimal

60
00:01:57,920 --> 00:02:00,000
and should be heavily monitored.

61
00:02:00,000 --> 00:02:01,560
The third thing we want to talk about

62
00:02:01,560 --> 00:02:03,290
is how we can develop and test

63
00:02:03,290 --> 00:02:05,470
a patch management program for operational

64
00:02:05,470 --> 00:02:06,840
technology networks.

65
00:02:06,840 --> 00:02:09,610
Again, these OT networks are different

66
00:02:09,610 --> 00:02:11,710
than our information technology networks.

67
00:02:11,710 --> 00:02:15,290
You can't just go ahead and use your Microsoft SCCM servers.

68
00:02:15,290 --> 00:02:16,950
That's not going to work for you.

69
00:02:16,950 --> 00:02:18,580
So, you want to make sure you understand

70
00:02:18,580 --> 00:02:19,760
what options you have

71
00:02:19,760 --> 00:02:22,420
and how you're going to do a patch management program.

72
00:02:22,420 --> 00:02:24,970
Remember, these are things like PLCs;

73
00:02:24,970 --> 00:02:27,620
they have firmware that needs to be upgraded sometimes.

74
00:02:27,620 --> 00:02:28,990
That's going to require maintenance windows,

75
00:02:28,990 --> 00:02:30,540
that's going to require downtime.

76
00:02:30,540 --> 00:02:31,550
You need to have a process

77
00:02:31,550 --> 00:02:32,660
of how you're going to do this.

78
00:02:32,660 --> 00:02:34,460
And that's why it's important to develop

79
00:02:34,460 --> 00:02:36,440
and test your patch management program.
80
00:02:36,440 --> 00:02:37,900
And then, the fourth thing we need to think about

81
00:02:37,900 --> 00:02:39,324
is how we're going to perform regular audits

82
00:02:39,324 --> 00:02:41,760
of logical and physical access

83
00:02:41,760 --> 00:02:43,080
to these different systems

84
00:02:43,080 --> 00:02:44,280
so that we can detect possible

85
00:02:44,280 --> 00:02:45,960
vulnerabilities and intrusions.

86
00:02:45,960 --> 00:02:47,580
Now, this isn't going to be as easy

87
00:02:47,580 --> 00:02:50,330
as hooking up Nessus to the network and doing a scan.

88
00:02:50,330 --> 00:02:51,760
You're going to have to have specialists

89
00:02:51,760 --> 00:02:52,730
who know what they're looking

90
00:02:52,730 --> 00:02:54,840
for when they're scanning these areas.

91
00:02:54,840 --> 00:02:56,588
Also, a big word of warning here.

92
00:02:56,588 --> 00:02:59,780
Your enumeration tools and vulnerability scanners,

93
00:02:59,780 --> 00:03:01,570
they can cause a lot of problems

94
00:03:01,570 --> 00:03:03,680
on operational technology networks.

95
00:03:03,680 --> 00:03:05,700
Generally, if you're trying to do scanning

96
00:03:05,700 --> 00:03:07,037
of an operational technology network,

97
00:03:07,037 --> 00:03:09,850
you are not going to be doing active scanning.

98
00:03:09,850 --> 00:03:13,060
Instead, you're going to hook up something like Wireshark.

99
00:03:13,060 --> 00:03:14,770
You're going to do packet capture,

100
00:03:14,770 --> 00:03:16,710
and then, using that passive analysis

101
00:03:16,710 --> 00:03:18,070
of that network traffic,

102
00:03:18,070 --> 00:03:19,780
you'll be able to identify those devices

103
00:03:19,780 --> 00:03:21,080
to do your enumeration,

104
00:03:21,080 --> 00:03:23,540
or you'll be able to use that passive analysis

105
00:03:23,540 --> 00:03:25,060
to start figuring out what vulnerabilities

106
00:03:25,060 --> 00:03:26,710
you may have inside your network.