Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 3 (Control Systems & Protocols)
FULL TRANSCRIPT
Hello, and welcome to unit three, or part three, of Getting Started in Industrial Cyber Security. I appreciate you coming, and we'll go ahead and jump right in. This is actually going to be the monster section of the course, so if you can make it through all of this content it should be all downhill after this section, but this definitely is the monster section of the entire course.

So what we're going to cover in this section: one, we're going to walk through a real-world example of an industrial control environment. We're going to use a power plant. It was the first project that I was involved with on site, and so that's the one that's just always clicked with me, and I think it can be applicable to a lot of different folks. But just also keep in mind that it doesn't matter really what type of ICS or OT environment you're in, the basics of cyber security are the same throughout. So it doesn't matter if you're in a power plant or a chemical refinery or a subway or a mine or a hospital, etc. The basic concepts are the same; we just are going to customize them slightly for each unique environment.
So we're going to talk about some industrial control aspects of those projects from the engineering perspective. We're going to talk about some terms like ISBL and OSBL, or inside battery limits and outside battery limits, and what that means. We're going to talk about Greenfield and Brownfield projects, again some terms that I've heard and was exposed to, whether it's in my day job working for one of the world's largest engineering companies or just in other conversations with folks in industrial control cyber security, so I wanted to make sure we put those in here as well.

And then we're going to get really into the meat of the section, where it makes it look so simple here on the agenda, but we're going to talk about the different types of control systems. So if you're coming from an IT or IT cyber security background, or you're not familiar with control systems at all, this is really, hopefully, the section that's going to mean the most, right? We're going to talk about the different types of control systems and what they are and what they do, when we talk about what is a PLC, or programmable logic controller, or what is an HMI or an RTU, or ICS versus SCADA versus, you know. We're going to get into the majority of the control systems that you're going to be exposed to and need to understand to have a basic understanding of control system cyber security.

Then we're going to spend some time talking about industrial control protocols, and there's lots of industrial control protocols. We talked, you know, in previous history we had industrial control protocols that stood on their own and ran on their own networks in dedicated environments, and you can still see those today, and we'll talk about some of those examples. But most industrial control protocols that we're going to see in the real world have also been adapted to run over TCP/IP, since that's the one common protocol the vast majority of networks use today, and that's primarily because TCP/IP is the protocol that we use to communicate over the Internet. So we use it because it's everywhere, but it also gives us that inherent risk that there could be some type of connection out to the internet from the OT network that we're not aware of. So we're going to look at how TCP/IP works, and we're going to talk about some of these different industrial control protocols that run over TCP/IP or also a standalone version. We're mostly going to talk about Modbus, which is the most common version of industrial control protocol in use, and used, you know, being transferred or transmitted over TCP/IP.

And then real quick we'll wrap up the section with talking about learning to program control systems, particularly PLCs, the whole idea of that programmable logic controller. We're going to talk about the programmable aspect, etc., and this is one thing that's really, for me, it's really critical to understand. Even just putting a few hours into learning how to program control systems, and that closed loop or control loop we talked about in the last section, and understanding how that's created, it really helps bring into focus at least some aspects of control systems. And then that builds into having a better understanding of that big picture when it comes to how do we secure these environments. So that's what we're going to talk about in this section, or in this part.

So again, as I mentioned, really as we go throughout this course I wanted to make sure we used a real-world industrial control environment as an example that we could talk about. And so again, as I mentioned, my mind always goes back to my first project that I ever went on site for. I used to talk with engineers about projects that were in different parts of the world, but I never got to go on site. And then finally when I did, after probably about a year and a half or so, getting to go on site after talking with, again, different engineers and even clients and others around the world, it was just amazing how it really brought everything into focus for me. And I think we can probably understand, if we're just reading and talking about something, we really don't truly understand until we set foot, like, in that power plant. And that part of it was actually energized, and it was in the process of being commissioned, so part of it was actually up and running and live, which is really, really exciting, and I also realized it's a very dangerous environment. So it's very exciting, but it's also very dangerous at the same time. And if anything ever before had talked about understanding the importance of safety in control system environments, it was that site visit and realizing how dangerous these environments can be.

So that's the example that we're going to use as we go throughout the course. We're going to talk about this combined cycle natural gas power plant, and as you imagine, the power plant brings in natural gas and uses that to ultimately generate electricity. We'll actually walk through that process and what that actually looks like.

Before we get to that, I did want to mention the idea of an overall life cycle, in this case of a power plant, or really, again, it's the same concept for any industrial environment or any OT environment, even just a kind of standard manufacturing facility. So when we go to design and build a new facility, right, let's say I'm a power company and I want to build a new power plant. So first we have to figure out where we're going to build the plant. Where can we build, right? We have to worry about local and kind of the country or the county laws that might prevent us from building in a specific place. The site has to be physically compatible with being able to build the project there. So we have to find where we can actually, literally, build this thing in the dirt. We have to make sure that, like in the case of the power plant that we're using in this example, we have to be close enough to where it makes sense, where it's feasible for us to bring in utilities like natural gas and probably electricity from another provider to get up and running. And in other resources, water is going to also be an extremely important resource that we need to bring in to the site. So we have to make sure that we find a location that fits all these needs, right, that we can legally build a power plant in that environment, right, it's probably not going to be too close to the general public. We're going to have to make sure that the land, the environment, right, we can purchase it, and that it's going to be viable, it's going to be feasible to be able to construct a power plant there, and that we also have access to those resources that we're going to need to run the power plant itself. So there's a lot of things, and that's just kind of scratching the surface, but those are some of the big items that we have to take into consideration when we're going to build a new facility.

So as we're going through that, and some of these steps might happen at the same time, so in this case a client, for us, will go out and hire a company like Fluor to do front-end engineering design, or what we call FEED or FEED work. And so this is where we have the engineers and others on the teams that will actually build out, if you want to think, the design or the schematics or the blueprints on what that power plant is actually going to look like, down to the placement of the very last bolt, down to its exact measurements. It's really amazing the work that engineering companies like Fluor actually do. I'm still mind-boggled, especially at the size and scope of some of the projects that we have, but that's the idea of FEED. So an engineering company like Fluor will focus on FEED work, right, being able to do the engineering work, and for some engineering companies that's all they do, they just design the facility. Fluor does more than that, and we'll get into that. So Fluor is what we call an EPC, or engineering, procurement, and construction company, plus a whole lot of other things we throw in there. But again, I'm jumping ahead, but we'll get to that. So we go through FEED, so we have engineers and others that work on actually designing the facility.

Now as we're getting closer to, oh, we have a site, we know where we can build it, and we're designing the facility itself, we need to go ahead and get the permits, right, with the appropriate governing bodies to make sure we can indeed build in that location that we've selected. And then we get into this process of procurement and construction, so that's the PC of the EPC which I mentioned. So Fluor is an engineering, procurement, and construction company, right? The idea is that with procurement we're going out through our supply chain to bring in the raw materials that we need, or the materials that we need to build that facility, like steel and concrete, control systems, right, wiring, etc. And then of course we have to build it, and some of these projects, they can take years to design and they can take years to build, at least the large, and sometimes we call mega, projects. So anything over, you know, a billion dollars, or usually like $500 million, that's considered a mega project, and that's really the Fluor world of construction and engineering. And so we go through that process, though, of bringing in all of the resources that we need to build the facility: not even just all the supplies and the resources as far as the materials, but also the staff, right, the team members. We have to bring in the equipment as well. So there's a lot that has to come into play to be able to build a facility. Even if we're just building, let's say, a three-story office building, right, pretty standard, pretty cookie cutter, if somebody was building that today there's still a lot that goes into building that.

So once the site has been built, then it goes into testing, right? We want to make sure everything's up and running. So in that power plant, right, we want to make sure that the power plant can operate, and operate safely, so that we're not putting anybody in harm's way. And so we want to make sure that, when we talk about the different power plants or units at the site, so the first power plant that I was on site for, they actually had essentially three power plants in one, and so you would bring up one unit and test it, make sure everything's running and working appropriately, and then you would do the same thing with the second one and the third one.

So once everything's tested, then you put the facility into production, which is what they call commissioning. And so that's usually where a company like Fluor, once we have designed and, in this case, built the site, we turn over the keys to the owner, right, to the asset operator or asset owner, like, okay, here's your site. And then sometimes we'll continue to work with the owner, whether it's maybe as the operators of that facility or in some other capacity, at least initially, for probably the near future, to be there to be able to support the client in case there were any issues.

And then once the plant is up and running and it is in production, that's where we go into operations and maintenance, or we talk about O&M work. So we talked earlier about we have the operators of the site, which again could be the same company as the owners, could be a completely different entity, but they're the ones responsible for running the site on a day-to-day basis, right? They're the ones that are staffing the people in the power plant that are ensuring that it stays up and running and is generating electricity. We have team members like different technicians and analysts that do maintenance to make sure that we're keeping up the facility to prevent things from breaking that would impact the availability of the site, which in this case again could impact our ability to generate electricity. And then over time, eventually, it might be 10, 20, 30, 40, 50 years down the road, then that site is going to be no longer necessary, or at least it's lived its useful lifespan, and it needs to go ahead and be turned off and decommissioned ultimately. So that's this idea of the overall life cycle of really any industrial site, but in this case the power plant that we're going to use for the example.

So is it absolutely necessary to understand this to learn cyber security in ICS/OT environments? No, of course not, but I thought it added a little bit of background which at least I find fascinating and interesting. Maybe that's just because of my background working at Fluor, but at the same time I think, again, it just gives us a little bit more of that big picture that helps us understand, especially if you're coming from an IT or IT cyber security background. Again, just one more piece to help understand the entire big picture.

So when we look at how does this plant work, and I took this from, there's a great video on YouTube that talks about how these combined cycle natural gas power plants work, but the idea is that the plant itself, again, the plant that I was at actually was three different power plants in one, but what we had was, if you want to think of one of those units as one power plant itself, you bring in natural gas into the power plant, right, and it gets heated and is able to turn a turbine, and then that turbine in turn will turn a generator, which of course the generator is designed, as it turns, to create electricity. So bringing in natural gas, we heat it up, it turns a turbine, that turbine is connected to a generator that it spins, and by spinning the generator it creates electricity, and a lot of electricity.
Now in many traditional power plants, that could be it, you're done. But what we've seen is that we can go ahead and create another, if you want, loop or another circuit where we take that exhaust off that first turbine, and then we take that heat and we use it to heat water to create steam, and then that steam in turn can turn a second turbine. And of course that turbine, just like the first, is connected to its own generator, and as that generator turns it generates its own electricity. So we're actually getting a huge boost in the output of electricity that we're generating for, you know, less resources that we're bringing in. So if we're already bringing in the resources to turn the first turbine and the first generator, well, let's create another circuit where it's worthwhile. I think it increases, depending on the plant, let's say we get 50% electric generation off of that first turbine-generator combination, we might get 30%, let's say, off of that second one. But if it's not consuming, you know, 30% or 50% or another 100% in resources, like, why wouldn't we? And so that was the type of power plant that was my first on-site project. And again, when you look at it, some of these turbines and generators are massive. I remember standing in the room that stores the actual generator, and you're standing at, it's like four or five stories up, and you can reach out and touch essentially the top of the generator. I mean, the generator is that large, just massive. But that's the idea when you kind of think of a gas power plant.
And so there are some great videos on YouTube. Here's some examples. So here's, you know, the one I think I mentioned that we were just looking at, and there's some other ones. We're talking about thermal power plants; there's nuclear power plants. I think this is the one that was really interesting because not a lot of us get to walk through nuclear power plants, or we can kind of imagine what they might look like, but if you've never seen one, or if you've never walked in or been inside a nuclear facility like that, I think it's really impressive. Again, it's just another piece of the overall big picture to help us just better understand that background and how to secure these environments and why it's important to secure these environments.

So I do like to talk about ISBL and OSBL. These are some of those terms that I used to hear all the time where it was like, huh, what? Part of it was we would hear them because of my day job at Fluor; these are terms that get tossed around on projects all the time. But I also remember having conversations outside of my day job, whether it's going to SANS conferences or other classes with different engineers, or just talking with different folks on the side, right, ISBL and OSBL would come up all the time. So I like to think of it, at a high level, the idea is that ISBL means this is all of the components, all the systems, that, in our example, the power plant, right, that make up the power plant itself. So I mentioned the turbines, the generators, right, the ability to, the water itself running through the pipes that we're heating to generate steam, right, that's all within the plant itself. That's inside the battery limits. Outside the battery limits is everything that's still on site for the power plant, right, but it's all of the resources on site that are used to run the power plant but that aren't the plant itself.

So, and give me a second, this is what we'll pop over to: this picture that I took off of Google Maps of the power plant that I had been on site for. And so you can actually kind of see there are, what, three different, I always want to say trains, but it's three different units. When we talk about power plants, when you talk about natural gas environments, we talk about trains. So there's three different plants in one, and so you can see anything within that yellow box, roughly, that's the power plant itself, those again all the systems that we use to generate electricity. Now you can see there's other aspects and other buildings and components that are at the actual site itself, from the parking lot, to the security guard as you come in, to the control room, to the water storage tank, to water cooling stations, to etc., etc. So we need all of those other resources, like the control room and the water tank, to be able to run the power plant, but they're not part of the plant itself, right? They're not wired as part of the system that makes up the power plant. Hopefully that makes sense, right? The overall, yes, we need those resources to allow the power plant to run, but they're brought in, right, to the power plant to allow the power plant to run. Right, they're resources brought in to the plant to then be consumed or transformed into our ultimate output. So we're bringing in things like water, right, and oxygen, natural gas, right, we're bringing those in from outside of the power plant. We're bringing in those resources to then create an output to then, right, send back out.

So that's the idea of inside and outside the battery limit. Right, there's also this idea that the kind of demarcation point between the two acts as a little safety barrier, almost like a DMZ. So the idea is that we shouldn't have any equipment within a certain area; you don't want to have equipment, especially on the power plant side, that could be dangerous, that, let's say, exploded accidentally, that it would present a threat to anybody standing outside of the battery limits. And we can also use it as an idea, kind of, again, going back to the DMZ, of how we bring resources into the plant, and then, let's say there was an issue in the plant, a safety issue, and so we can think of things like, well, let's turn off the water, let's turn off the natural gas, let's turn off the resources that we're feeding the plant that the plant then consumes to then create some other type of output. So again, that's ISBL versus OSBL. I did better in the last half than the first half. Hopefully that makes sense; I should have started with the picture, I think. Hopefully that makes more sense.

Now I also hear of Greenfield versus Brownfield projects, and when I heard these terms I'm like, I think I know what they're talking about, and I did, I just didn't know 100%, I was guessing. But it's probably not that hard, right? Greenfield projects just means it's a brand new facility. I'm very spoiled in my work at Fluor; I get to work in mostly Greenfield environments, right? I get pulled into a project that we're just starting to talk about the FEED work, remember, that front-end engineering and design work. So we're just talking about designing the facility, so that's the best time to be able to talk about things like how do we build cyber security into a facility. It's much different when we talk about trying to retrofit or build cyber security into Brownfield environments. Brownfield environments or projects are those that have existed, and usually when we talk about they've existed, they've existed for 10, 20, 30, 40, 50 years. So it's not just as easy as coming in and saying let's deploy a firewall, because we could literally bring the site down very quickly with a small change, because, you feel, maybe some of those environments are really held together with, what is it, like gum and shoestrings, or whatever the expression is. It's like a house of cards: you don't want to touch it in case you pull the wrong card and the whole thing comes crashing down. And when we talk about our primary concern is physical safety, and then the safety of the environment and the availability of the environment, the plant itself, then we start to really have considerations of how careful we need to be and how staged an approach needs to be when we implement cyber security in a Brownfield environment that already exists. But that's the difference between Greenfield and Brownfield.

So now we start to get into the real meat and potatoes of the section, another, I don't know, kind of another weird American expression, sorry. And so when we talk about, we're going to look at the idea of the Purdue model. Now we're going to come back and talk about this, the Purdue model, in the next part, so for now we're really just trying to focus on the different parts or physical systems that we use to create a control system environment. So we're going to talk about things like field devices, and you can see the list, right, and PLCs and the DCS and HMI and all the fun things we're going to talk about. So let's go ahead and jump in.
So field devices. Field devices operate at the lowest layer of, again, what we call the Purdue model. And so when we go back, and in some of these we started to touch on, when you think about the previous OT example we used of that thermostat you might have at home or in your office, where it has a field device known as a sensor, to sense or determine, right, how warm or cold, right, what the temperature is in the room. So we can bring in that information, and there's different types of sensors, and we talk about there's analog versus digital, and there's all other conversations that we have there, but for now, right, just understand we have things like sensors that we can use to bring information into a control system, like the temperature, or, you see, humidity, or maybe I have a motion sensor, right, to detect if somebody's maybe moving. And we have things like actuators, you see, valves, pumps, compressors, things that help us move systems and things out in the real world. So we're going to come back and we're going to talk about some examples of those. Then things like motors, and the list goes on and on. But even just using our thermostat at home example, the idea is, oh, it gets too warm, I want to be able to go ahead and turn on the air conditioning unit, which has its own, essentially, motor, right, that allows us to generate cooler air, push it through the venting and the duct system, and the room becomes cooler.

So we'll spend some more time as we go throughout talking about field devices, but field devices is the one aspect of any type of asset or part in a control system environment that is most overlooked from a cyber security perspective. I think the idea is somebody would physically have to be on site and be able to touch that sensor or an actuator to be able to make changes that could affect or impact the control system network, and that's not always 100%, but I think that's the vast majority of the time. And so a lot of people think, well, an attacker has to come into the environment, and we have, you know, our environment, it sits out in the middle of nowhere, or we have a chain link fence, we have a security guard, so nobody's going to come and attack the sensor that we have deployed out in the field. Never say never. So we'll talk about, again, later on, some additional considerations for cyber security around field devices, because it's one of those areas that not a lot of people pay attention to, partly because, I think in part, it's wrapped up with the whole physical security discussion, which I know we've already touched a little bit on in previous sections, and we'll talk more about it as we go on as well.

So the first type of control system that we're really going to focus on is the PLC, or the programmable controller. The idea is the PLC is the most common type of control system that is in use today.
and there's some there's different types
of controllers uh we're not not going to
get into those yet we'll talk about a
few as we go throughout later sections
of the course but for now keep in mind
the the
PLC is the thermostat example that we
were looking at earlier right so this
idea is that the thermostat right or now
a PLC is it's just like another
computer I think I've mentioned that I
know a lot of Engineers that that don't
like when I say that but for the most
part right it has its it its processor
it has memory u i point that out because
a lot of Engineers don't think that
plc's are Su susceptible to cyber
attacks things like buffer overflows
where they are very much so right they
have an operating system a processor
memory a code right so there's
vulnerabilities there's hardware and
software there that we as an attacker
could take advantage of now plc's other
Control Systems don't have a lot of
storage because remember the idea is
that that our OT assets or Control
Systems they're not processing 8
gigabyte Excel spreadsheets or large
engineering AutoCAD drawings right
that's that's in the it side of the
house in OT
we're running code right logic to bring
in data from our inputs like sensors to
then determine if we need to make
changes out in the real world and if we
do we we send signals to make those
changes happen we continue to collect
collect data and and make adjustments
over time as as need be and that's it's
like that's all that control systems do
but that's all that control systems do
yeah at a fundamental level so they
don't the point is they don't need to
store large amounts of data right so
we're not storing large amounts of data
we're not worried about storing large
securing large amounts of data now you
can find what they call ruggedized
versions of
plc's that are designed physically to
exist and reside in environments that
have harsh conditions so if you think if
they're out in the field where they're
exposed to extreme weather right extreme
cold extreme heat uh or maybe they're in
an environment like a some type of
desert type of
environment where you have a lot of sand
right how do it's like how do we protect
equipment against those types of
extremes right a a normal you know
computer or network switch or firewall
right you're not going to be able to put
in those types of environments and have
it live probably very long so plcs that
are going to be out in an environment
that are are exposed to extreme
environments then then you are going to
want to have those
ruggedized um
versions now we also talk about the
plc's we program them and so there are
automation professionals PLC programmers
and that's all they do usually between
programming plc's and also hmis which
we're going to talk about in in a little
bit so they always go go very well hand
in hand and hopefully you'll see that by
the end of this this
section so we do see that uh that log
that latter logic is the programming
language that we use most commonly still
today now I have seen like on LinkedIn
some different surveys and it looks like
latter logic is being phased out there's
you know I think five really Main
programming languages that we'll use for
plcs these days and latter logic does
seem like it
is being phased out, potentially, but I know at Fluor in my day job ladder logic is still going to be the most popular language that we use for programming PLCs. So that's the one that we're going to talk about in this course as we go along.

Now remember the idea of that thermostat. We have that PLC, that system, that computer that has inputs and outputs. Remember the inputs allow us to bring in data from things like sensors to be able to tell us what the temperature in the room is, or, as you'll see here, maybe we're not only checking the temperature in something like a data center but also the humidity. So we can bring that information in, and then with the logic we can make decisions based off of that information we bring in, and then if we have to make changes out in the real world we'll send signals out the outputs. Remember those changes are all based around those set points, so we have that variable that we can set in the system, or multiple variables. In the example of the thermostat we had that variable that we could set: how hot or how cold do I want it, what do I want the temperature to be in the room? And then the logic handles everything from there, because once it measures what the temperature in the room is: oh, it's too hot, let's turn on the air conditioner; oh, it's too cold, let's turn on the heater. So it sends those signals down the outputs.

So here's another way of looking at it. I found this diagram online which I thought did a really nice job of showing, again, we have the PLC, which is very similar to another computer: processor, memory, it has its own operating system, a limited amount of storage, not like a traditional IT asset. What really makes it stand apart is the inputs and the outputs, because we have those inputs that bring in sensor data, in this case temperature and maybe humidity, and then we have that set point or those variables: what range of humidity do we need in the data center, what temperature does it need to be in the data center? And then the PLC, remember, if it needs to make changes to the outside world, can send signals out down those outputs. Now in this case, what if it's not a thermostat, but this is a PLC sitting in a power plant? So maybe I have this combustion chamber that I need to be able to send a signal to, to ignite the combustion chamber, to turn it on to create heat, and then use that heat to turn a turbine, to then turn a generator, to generate electricity. And then maybe here is where we're unlocking or allowing the turbine to spin.
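As an added illustration of the scan cycle described above (inputs, set points, logic, outputs), here is a small simulation written for this page; it is not code from the course or from any PLC vendor. The set-point values, the deadband and the sensor readings are constructed, and the plausibility check on sensor values is an added safeguard that the lecture does not mention.

```python
"""Added example (not from the course): a toy PLC scan cycle in Python.

One scan reads the inputs (temperature, humidity), compares them with the
set points, runs the logic, and writes the outputs (cooling, heating,
dehumidifier).  Set points, deadband and readings are constructed values.
"""
from dataclasses import dataclass, field, replace


@dataclass
class SetPoints:
    """Operator-adjustable variables, the 'how hot do I want it' knob."""
    temp_high_c: float = 24.0     # cooling turns on above this
    temp_low_c: float = 18.0      # heating turns on below this
    humidity_high: float = 60.0   # dehumidifier turns on above this (% RH)
    deadband: float = 1.0         # hysteresis so an output doesn't chatter


@dataclass
class Outputs:
    """Signals sent out the output terminals to the real world."""
    cooling: bool = False
    heating: bool = False
    dehumidifier: bool = False
    fault: bool = False           # set when an input reading is implausible


# Assumed plausible sensor ranges; a value outside them means a bad sensor,
# not a real room condition, so the logic must not act on it.
TEMP_RANGE_C = (-40.0, 85.0)
HUMIDITY_RANGE = (0.0, 100.0)


def _plausible(value: float, bounds: tuple[float, float]) -> bool:
    lo, hi = bounds
    return lo <= value <= hi


@dataclass
class Plc:
    setpoints: SetPoints = field(default_factory=SetPoints)
    outputs: Outputs = field(default_factory=Outputs)

    def scan(self, temp_c: float, humidity: float) -> Outputs:
        """Run one scan cycle and return a snapshot of the output state."""
        sp, out = self.setpoints, self.outputs
        if not (_plausible(temp_c, TEMP_RANGE_C) and _plausible(humidity, HUMIDITY_RANGE)):
            out.fault = True          # hold the last good outputs, raise the fault bit
            return replace(out)
        out.fault = False
        # Cooling: on above the high set point, off only once the room has
        # cooled a full deadband below it.
        if temp_c > sp.temp_high_c:
            out.cooling = True
        elif temp_c < sp.temp_high_c - sp.deadband:
            out.cooling = False
        # Heating: mirror image around the low set point.
        if temp_c < sp.temp_low_c:
            out.heating = True
        elif temp_c > sp.temp_low_c + sp.deadband:
            out.heating = False
        # Humidity control for the data-center case.
        if humidity > sp.humidity_high:
            out.dehumidifier = True
        elif humidity < sp.humidity_high - sp.deadband:
            out.dehumidifier = False
        return replace(out)


def run_scans(plc: Plc, readings: list[tuple[float, float]]) -> list[Outputs]:
    """Feed a sequence of (temp_c, humidity) readings through successive scans."""
    return [plc.scan(t, h) for t, h in readings]


# Constructed readings: warm room, cooling toward set point, cold and damp,
# then a failed temperature sensor.
SAMPLE_READINGS = [(25.0, 50.0), (23.5, 50.0), (22.5, 50.0), (17.0, 70.0), (150.0, 50.0)]

if __name__ == "__main__":
    for reading, state in zip(SAMPLE_READINGS, run_scans(Plc(), SAMPLE_READINGS)):
        print(reading, state)
```

Each call to `scan()` is one cycle. The deadband keeps the air conditioner from chattering on and off right at the set point, and an implausible reading (a failed sensor) raises the fault bit and holds the last outputs rather than acting on bad data.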
So that's the idea of a PLC, and this is where again attackers get caught up: when they get into an environment they might access that PLC and then see that it's connected to something, but they don't know exactly what. So that's where they have to start reverse engineering the process data that they can see to try to understand what's connected on the other end. Is it an air conditioner, is it a water pump, is it a combustion chamber in a power plant? That's where we had that example that we talked about earlier, where those activists had accessed what they thought was a water treatment plant, I think in Israel, and instead of being this water treatment plant that provided clean drinking water to maybe hundreds of thousands or tens of thousands of people, like they thought it was a water treatment facility, it really was just the pool cleaning apparatus at a hotel that cleaned and maintained their swimming pool. That's the main challenge for attackers: it's not getting into the OT network, it's not even gaining access to the PLCs or the HMIs that work in coordination with the PLCs to control these systems out in the real world, it's for them to understand what are they connected to, what are they controlling, how do they control them. So we're going to walk through some examples of that as we go throughout the course, but again, for now just think of that computer, that PLC, as the thermostat. You could take that thermostat off the wall and use it to control something like part of a power plant, because it really is that simple. Now, are you going to do it? No, the thermostat is not designed for that purpose, but hopefully you get the idea.

Now here's an example of ladder logic. We're going to come back and walk through a more real world example to actually show you how ladder logic works, but I just want to give you this idea of what it looks like. It's a structured approach to how we can program that logic in PLCs. I remember the first SANS course I went to, they did a really good job of highlighting how ladder logic worked, and they actually had the labs built around doing some programming, which I thought was great, and for me that was my first exposure to PLC programming back like 10 years ago. So we'll come back and talk about a real world example. This isn't necessarily the greatest example for learning ladder logic, but there are a couple of resources out there; there's a lot of resources. I'm always focused on free resources. One is an online PLC simulator, as you can see, so you can play with that. There's a few out there; that's the one I kind of liked, it seemed to have the most functionality for me. And then I think I've mentioned before already the AutomationDirect line of PLCs, the CLICK PLC line, and that's one of the PLCs that I have in my home lab. Not only is it a fully functional PLC that you can use in control system environments (I know engineers and PLC programmers and other automation professionals that use those CLICK PLCs), they're also the PLCs that they use in the grid course at SANS, the course that Rob Lee teaches. But also the nice thing is you can get a fully loaded one brand new for like 400 bucks. You can't go out and buy any brand new Schneider or Siemens or Rockwell etc. PLC, brand new and fully loaded, for probably anything less than maybe $1,500 if you're lucky, and that's just getting started. So to get something fully loaded for like 400 bucks, very functional, very capable, they're a great line of tools, and they have a learning series that goes along with that. Some of the videos are a little dated at this point, so they probably want to redo those, but otherwise it's a great resource and it's all, again, made available for free. So if you want to, especially if you're looking at getting real hands-on, you can go and buy one of their PLCs, and even the low-end one (fully loaded is 400 bucks; on the low end you can get in for probably about a hundred or so US dollars, we're talking about here), so still a really incredible deal, because if you really want to start getting hands-on experience in OT, the place to start is to get a PLC and start learning how to program a PLC. You don't have to become an expert in PLC programming, but at least getting some hands-on experience really helps you start to think along the lines of, again, thinking like an engineer, thinking like an automation team member, how somebody from the OT side of the house thinks.
So another thing I wanted to mention before we move on from PLCs is that PLCs have a key switch. Now sometimes on more expensive models it's literally a physical key that you would insert into a key switch and turn. A lot of times, like on the CLICK PLCs (and I have some expensive Schneider and Siemens equipment), it's just a DIP switch, a little switch that you flip. The idea is that PLCs usually have at least two modes, one called program mode and one run mode, generally, or the idea is one is read-only mode and one is read-write mode, so that we can control when somebody can remotely update, or even locally update, the firmware and the programming of a PLC.

So from a cyber security perspective, if we have a PLC running in run mode, that's the read-only mode, it means the PLC is running, it's doing its job, and nobody can actually make changes to the PLC. The only way you can make changes to the PLC if it's in run mode is to change the key switch back to program mode. So if it's in program mode the PLC will still do its job, it will still function, but you also have the ability to upload firmware, make changes to the code, etc. So that's the nice thing: it's a very simple concept on how we can secure PLCs from being hacked, because if they're in run mode, and if your attacker's remote, if they're not physically there at the PLC, as long as that PLC is in run mode they can't remotely make changes to it. It's secure from that perspective. Now if you have somebody make changes to a PLC, maybe they're doing an update in a maintenance window and updating firmware, or maybe they made an adjustment to the programming code on the PLC, and they forget to put the key switch back into run mode, that's where we get into trouble, because if an attacker is in the environment, they find the PLC and then they find that it's in run mode, then they could potentially make changes either to the firmware or to the code running on the system. But it's really that easy that we can protect PLCs if the key switch is over in read-only mode.

If you have a physical key switch, then that's where you probably have to check it out. Maybe you have to go to a supervisor, they have the keys in a safe, and then they would actually check it out, and then they have a process to make sure: did somebody return the key, and ideally when they returned the key they made sure the PLC got turned back into run mode before they were able to take out the key. Or then if you have the little DIP switches, it's not as secure, so to determine whether somebody has locked a PLC or not, what you have to do is have somebody walk and physically check PLCs from time to time to see if that switch is in run mode, or there are some platforms like the Dragos platform that have the ability to check certain PLCs remotely, just a query, to see hey, are you in run mode or are you in program mode. That's actually what my thesis, my Master's thesis, is on: basically creating an open-source tool that allows people to remotely check PLCs to see if they're in read mode or not. I know it's nothing fancy, but it was what I could get them on, so I was like okay, I'll take it. I wanted to do a much bigger paper on kind of the whole threat landscape and the risk associated with PLCs and all the different ways they could be attacked, but we'll go with the PLC key switch security, so more on that to come.

And here's a quick picture I found. Oh, I don't have that. I think this actually came from the Dragos research, the blog posting that they did on PLCs, talking about the key switch. So I talk about run mode versus program mode; some PLCs, I think I mentioned on the other slide, have additional modes. I'm not a fan, like one allows you to remotely configure the PLC as to whether you can remotely make changes to it or not. So the idea is, I don't want to have to send people out into the field with keys or to flip DIP switches, because if it's a dangerous environment I'm putting somebody physically in harm's way, I completely understand. But if we have a system that can remotely configure a PLC as to whether it can be programmed or not, an attacker is going to find that system and they're going to use it against you. So it's one of those where the benefits are, especially if it's a very hostile, dangerous environment, then we probably want to err on the side of caution and not put people in harm's way, so we would have some type of program that would allow us to do that. We were just talking about this actually for a project at the office this morning, one where the environment is very, very cold, so you would not survive out in the winter months for very long at all, so we don't want people outside in that type of weather.
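To make the key switch idea concrete, here is a simulated controller that refuses a logic download while in run mode, a maintenance-window helper that always returns the switch to run mode, and a fleet audit that reports any controller left writable, which is the check the lecture says has to be done by walking the floor or by querying the PLC. This is an added example written for this page; it is not the Dragos platform, not any vendor's protocol, and not the thesis tool mentioned above, and the controller names and the fleet are constructed.

```python
"""Added example (not from the course, a vendor, or the thesis tool): a
simulated PLC key switch in Python.

RUN is the read-only position: logic keeps executing but a download is
refused.  PROGRAM is read-write.  audit_fleet() is the periodic check for
controllers left writable.  Controller names and the fleet are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    RUN = "run"          # read-only: logic executes, no changes accepted
    PROGRAM = "program"  # read-write: firmware and logic downloads accepted


class DownloadRefused(Exception):
    """Raised when a download arrives while the switch is in RUN."""


@dataclass
class SimPlc:
    name: str
    mode: Mode = Mode.RUN
    logic_version: int = 1

    def download_logic(self, new_version: int) -> int:
        """Accept a new logic version only when the switch is in PROGRAM."""
        if self.mode is Mode.RUN:
            raise DownloadRefused(f"{self.name}: key switch in RUN, download rejected")
        self.logic_version = new_version
        return self.logic_version


def maintenance_window(plc: SimPlc, new_version: int) -> int:
    """Intended workflow: flip to PROGRAM, download, flip back to RUN.

    The try/finally is the point: the switch goes back to RUN even when the
    download fails, so a controller is never left writable by accident.
    """
    plc.mode = Mode.PROGRAM
    try:
        return plc.download_logic(new_version)
    finally:
        plc.mode = Mode.RUN


def audit_fleet(fleet: list[SimPlc]) -> list[str]:
    """Names of controllers not in RUN, i.e. the ones someone forgot to lock."""
    return sorted(p.name for p in fleet if p.mode is not Mode.RUN)


# Constructed fleet: the turbine controller was left in PROGRAM after a change.
CONSTRUCTED_FLEET = [
    SimPlc("PLC-01-combustion"),
    SimPlc("PLC-02-turbine", mode=Mode.PROGRAM),
    SimPlc("PLC-03-generator"),
]

if __name__ == "__main__":
    print("left writable:", audit_fleet(CONSTRUCTED_FLEET))
```

In a real plant the `audit_fleet()` step is whatever periodic check the site can do, a walk-down or a remote mode query, and a non-empty result is the finding that matters: a controller that still accepts downloads after the maintenance window closed.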
So in control systems you'll hear mostly about PLCs, or sometimes more generically controllers, and again we'll talk about some different types of controllers and PLCs as we go a little bit later on through the course, and then you'll also hear the term DCS. So for myself, coming from an IT security background, I look at this probably a little bit differently, and the idea is, in a Windows environment, if you have a very small business and you have a couple of computers, it's really easy just to manage those, let's say three, computers very individually. You can go and create user accounts and passwords on each one, maybe you do some system hardening and you create some policies, so it's not too hard to set those up on each machine; you do it three times. But what if you're like Fluor and you have 35,000 workstations? That's not something that you want to set up and control on a machine by machine basis, so we set up or use tools like Active Directory to manage all those systems centrally. So that's how I think of the DCS world. Now there are different types of systems when we talk about DCS, and we'll get into some variations as we go throughout the course as well, but I think of, in this case, going back to the power plant environment, and let's say just looking at part of that power plant, some of the major components or physical systems that we have in the real world are, remember, the combustion chamber that we can use to generate heat, the heat that turns the turbine, and in turn the turbine turns the generator to generate electricity. So in this example let's just say we have a PLC that is responsible for controlling each of those physical systems that we have in the real world. So PLC number one, again, we're going to use it to control the combustion chamber, so we're mixing oxygen and natural gas to a specific mixture so that way we can then ignite it. We take that heat, we use it to turn the turbine; we can have that turbine controlled by a second PLC, and then that turbine turns that generator, which is controlled by a third PLC, and ultimately we get electricity. So again, a very simple example, but let's say we have a PLC for each of these types of systems out in the real world, so I can manage each of those individually. But what if, going back to the power plant example that we were using earlier, we actually have three different power plants at that location, or three different power units if you want? So in this case, for each of those units, or if you want each of the power plants within the power plant, we can take those three PLCs and we can tie them into their own controller, so we can use that controller to manage each of those individual PLCs, and then ultimately we could tie those controllers back in this hierarchy to kind of the idea of the main DCS. So we have overall this DCS system, this distributed system, to be able to control all of these different physical systems, these processes that we have in the real world. So again, for now, this is just how I think of it: we can manage PLCs individually or we can do it in this collective or centralized process using a distributed hierarchy, or the DCS. So again we'll talk about some more examples as we go throughout the course; this is just kind of a high-level example of how Mike looks at it. So again we'll see some more examples, we'll talk about some real world examples as we go on.
So we also talk about SCADA. We touched on SCADA a little bit earlier when we talked about how we define ICS versus SCADA. That was one of the things I remember Rob Lee mentioning, that ICS is LAN and SCADA is WAN, and I was just like oh yeah, that makes complete sense, where so many people, myself included, or at least maybe I shouldn't speak for others, but I know myself, with ICS and SCADA, 10, 15 years ago the terms were used in a way that could be very confusing and you couldn't determine the difference. And so when he said that it was like oh my gosh, I wish somebody had told me that before. But when we talk about SCADA, and this is where we'll come back and talk about it, we have the ability to remotely monitor a control system or asset at a remote site. So the most common example we use is in power transmission. So if I'm not only generating electricity, but what if we're transmitting the power over long distances? We'll have substations that are responsible for monitoring the power over distances as we're transmitting it. And, sorry, I just thought of something, we'll get back to that. So we have these substations, and the substations could be miles away, and so we're going to connect to those over some type of wide area connection. So you might have a cellular device or maybe satellite; a lot of times, especially in the United States, you'll see cellular connections, and that cellular connection is connected to what they call an RTU, and then that RTU gives us kind of that interface into other control assets at that location as well. So we'll go over the wire to connect to that RTU, which then also allows us to connect to other devices like PLCs and controllers that are at that substation, and there are other special types of devices like IEDs that we'll see there (not the bad type of IEDs), but we'll talk about those in a minute. So the idea was supervisory control: we have the visibility that we've talked about, where we can reach out and we can pull data back, the telemetry on how that system and the systems that it's connected to are operating. So we can bring that information back, we can display it to an operator in something like an HMI, and then remember that HMI also gives us the ability to control that process remotely. So if there's an issue, maybe we have an alert or an alarm that we need to respond to, we can do that through our tools. But remember SCADA is doing that over the wide area link. If we're sitting in the operation center and we're monitoring and controlling assets and the process at that same location, let's say we're in the operation center or the control room for the power plant, we're on site, then that's ICS. If we're remotely monitoring, let's say, that remote substation, we're going out over, let's say, that cellular connection to remotely monitor and control systems and the process at that substation, that's SCADA.
Now the HMI, which we just mentioned and hadn't really got to yet. With the HMI, the idea is it's a graphical interface. Now a lot of people joke that a lot of times they have a very 80s/90s look and feel to them; they look like some of the original websites that we had when the internet, or when the World Wide Web, first started. And this is mostly because they're very stripped down; they don't have a lot of additional features or components, they're not running things like JavaScript, which is good, because we don't want all of those additional components that are going to introduce vulnerabilities. There already are actually quite a significant number of vulnerabilities associated with HMIs, which we're going to talk about. So the idea, though, is we have this graphical interface, again very simple, very slimmed down, and it gives the operator, gives the human, the visibility into the process to see what's going on. So we can look at, in a simple picture, oh, here's some type of air conditioning system; we can see some of the data that's collected by different sensors and have it displayed; we can see, oh, in this case all the lights are green, which could be good. It depends on the environment: sometimes green is good, sometimes red is good, believe it or not, so it just depends on the environment. And the HMI also gives the operator the control aspect, so we have buttons we can push, so we can push stop or start or turn them off, or we can push 1 2 3 4 5. Now looking at the screen we don't know what 1 2 3 4 5 does, so that would be something that the operators would know, or if I'm an attacker, well, I need to figure out what 1 2 3 4 5 does. And I know when the attackers get onto these systems it's where they slow down, because they have to figure out what all these things are. But the HMI is going to be a really popular target for attackers, because the HMI not only gives us visibility into the process of the PLC or other systems that are connected to it (but almost always a PLC), but then also it gives the person using the HMI the ability to control the PLC, which in turn allows us to control the process, the physical systems that it's connected to. So it gives us the visibility, it gives us the control, and when I look at it from an attacker perspective, or if I'm a penetration tester and I'm getting paid to play the role of a hacker in the environment, the idea with HMIs is a lot of HMIs these days run Windows, but it's not a traditional workstation, laptop or server, so a lot of people don't think about patching it. It's like printers in the IT world: printers are just other Windows or Linux machines typically, but how often do printers get patched? Not too often, unless you have an automated cloud service, usually, that does it for you, which is like what we have at Fluor. So are we patching our HMIs? Because if I'm an attacker and I get in the environment and I scan for hosts and I find, oh, there's a Windows machine, and then, oh, it's running probably a web service, because that interface can be drawn as a web page. So not only do I see a Windows machine that's probably not that up to date on its patches, so it could be vulnerable, could be extremely vulnerable to attack, it also is running a web service, like the built-in IIS in Windows, the Internet Information Server, or maybe it has another web service that's been added to it, whether it's Apache or it might be something like lighttpd or any of these other one-off types of browsers, so those probably haven't been updated. And then remember this is actually drawn as a web page, so the web page itself can have vulnerabilities. So you have the operating system, you have the web server itself, and then you have the web page that's actually running on the web service; all three of those can have vulnerabilities that could allow an attacker to gain control over that asset.

The other interesting thing is, let's say I do take control over that HMI and then I use it to attack other systems like the PLC that it's connected to. If I did set off some type of alarm, if that environment is watching for suspicious activity and there is an analyst that sees that event or that alarm, and then they look to see, oh, it's an HMI sending traffic to a PLC, they're going to say, oh, that's just regular traffic, it's an HMI, it's not an attack, it can't be, it's an HMI. Just like going back to our IT example of a printer: because if I'm an attacker I want to be on the printer, because if I'm using it to attack the rest of the network, if an analyst sees that alert they say, oh, it's just a printer, nobody can use it to attack the rest of the network. But they can, because it's just another Windows machine, just like a laptop or a server or a workstation. So that's why HMIs are one of the top targets for attackers, because it's kind of easy to hide, it's probably easy to take control over the HMI, and then once you have access, think of what it gives you: you have that visibility into the process, you can use that to reverse engineer what's going on, you can use it to see what's going on, we have the visibility, and it gives us the control, it gives us the ability to manipulate that PLC and the systems, the process, that it's connected to, that it controls. So the HMI is an extremely important asset that we need to protect, because it is going to be a top target for attackers.
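The lecture's warning is that HMI-to-PLC traffic gets waved through because the source is "just the HMI". One defensive answer is to baseline which hosts may write to which controllers and to flag writes that fall outside that baseline, as in this added example written for this page (not code from the course or from any product). The addresses, roles, thresholds and the flow records it parses are all constructed.

```python
"""Added example (not from the course or any product): baselining which hosts
may write to which controllers, in Python.

Every write is checked against an allow-list of (source, permitted targets);
a write from an unlisted host, or to a controller the source has no business
with, raises an alert, and a burst of writes from one source is flagged too.
Addresses, roles, thresholds and the flow records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Assumed baseline: the HMI may write to two controllers, the engineering
# workstation to three.  Anything else writing to a PLC is unexpected.
ALLOWED_WRITERS = {
    "10.10.1.10": {"role": "HMI", "targets": {"10.10.2.11", "10.10.2.12"}},
    "10.10.1.20": {"role": "EWS", "targets": {"10.10.2.11", "10.10.2.12", "10.10.2.13"}},
}
BURST_THRESHOLD = 4    # more than this many writes from one source ...
BURST_WINDOW_S = 60    # ... inside this window is flagged once per source

# Constructed flow records: timestamp source destination operation
CONSTRUCTED_FLOWS = """\
2024-01-01T08:00:01 10.10.1.10 10.10.2.11 read
2024-01-01T08:00:02 10.10.1.10 10.10.2.11 write
2024-01-01T08:00:03 10.10.1.10 10.10.2.13 write
2024-01-01T08:00:04 10.10.1.50 10.10.2.12 write
2024-01-01T08:00:05 10.10.1.20 10.10.2.13 write
2024-01-01T08:00:10 10.10.1.10 10.10.2.11 write
2024-01-01T08:00:11 10.10.1.10 10.10.2.11 write
2024-01-01T08:00:12 10.10.1.10 10.10.2.11 write
"""


def parse_flows(text: str):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, op = line.split()
        yield {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "op": op}


def find_alerts(text: str) -> list[tuple[str, str, str, str]]:
    """Return (kind, src, dst, timestamp) tuples for every suspicious write."""
    alerts = []
    recent = defaultdict(deque)     # per-source timestamps of recent writes
    burst_reported = set()
    for f in parse_flows(text):
        if f["op"] != "write":
            continue                # reads are out of scope for this rule set
        src, dst, t = f["src"], f["dst"], f["ts"]
        stamp = t.isoformat()
        entry = ALLOWED_WRITERS.get(src)
        if entry is None:
            alerts.append(("UNKNOWN_WRITER", src, dst, stamp))
        elif dst not in entry["targets"]:
            alerts.append(("UNEXPECTED_TARGET", src, dst, stamp))
        # Sliding-window write count per source, regardless of target.
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > BURST_WINDOW_S:
            q.popleft()
        if len(q) > BURST_THRESHOLD and src not in burst_reported:
            burst_reported.add(src)
            alerts.append(("WRITE_BURST", src, "*", stamp))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(CONSTRUCTED_FLOWS):
        print(alert)
```

The point of the allow-list is that "it's the HMI" stops being an automatic pass: the HMI writing to a controller it has never talked to, or a host that is not the HMI or the engineering workstation writing at all, is exactly the traffic the analyst in the lecture would otherwise dismiss. The burst threshold is an assumption that a real deployment would tune against the site's normal operator cadence.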
So that's the idea of an HMI. Now here's another example. This is one I found on the internet; it took about 10 seconds through Shodan, and we're going to come back in, I think, unit six or seven, part seven, and talk about using Shodan to find exposed OT assets on the internet, finding control systems like PLCs and HMIs that are exposed to the internet, because there are still some out there, not as bad as we were, but there are still some out there. So again, they're the primary targets for attackers, especially anything connected to the internet. In this example you can see, oh, here's an HMI for, it looks like, a pump in somebody's well, whether it's for a house, maybe it's for an office building. I have one of these for my house in South Carolina; the idea is I'm not on city water, it's not piped in, I just have a pump that's dropped into the ground under the water table, and it brings up water and pumps it into the house. Now when you see these exposed to the internet, sometimes they actually could be exposed to where you could interact with the interface and you would be able to push the buttons if you want to make changes. A lot of times though they're exposed to the internet in a read-only fashion, so at least the owners and operators in those cases were thinking a little bit when they were exposing those assets, or those control systems, to the internet. We still don't want it exposed in any way, shape or form, but at least if it's exposed in read-only, at least they're not giving the attackers the ability to remotely control it. You're still giving them visibility, but you're not giving them the ability for control, unless they're able to hack the interface and then bypass the read-only access. We'll come back and talk about that, because a lot of times too they're exposed through basically a second device which then enforces the read-only. So again we'll come back and talk about that, especially when we get into the Shodan section, which is going to be in unit 7. But that's HMIs.
Now the SIS, the safety instrumented system. In an OT environment this is the fail-safe backup. This is the most important system that we have in the environment, period, the end, because not only is it designed to keep the facility safe, but we're keeping the facility safe not just for availability reasons but ultimately to protect human life. We want to keep our on-site personnel safe, and if there's general public in the area of that facility, we want to make sure that they are safe. But the idea with the SIS is that it monitors the entire plant, and if there's ever a fault condition detected that could result in something bad happening to the plant, where maybe we're just worried about the plant essentially breaking down to where we have to take it offline to fix it, but again, most importantly, if there's ever any condition that could lead to, let's say, a type of explosion that would kill somebody, or maybe a gas leak that could kill somebody. So the idea is that the SIS, if it ever detects that there's some type of fault that could lead to some type of dangerous situation, it can shut down part or the entire plant to keep it safe. We talked in the second part about the TRISIS incident, where the Russian nation state had come in over the wire, had control over the Saudi Aramco petrochemical facility, and they were in there for 3 years, and in that time they reverse engineered the OT network and the processes and were able to remotely access the SIS and take 99.99% control over it. And then if you had 100% control over the SIS, and I remember I think there are quite a few articles about TRISIS out there and all of them feature Rob Lee, and in most of them you can see he'll rattle off 10 different ways an attacker could create an explosion in that environment very quickly. And he always again stresses this idea of why an attacker would want to take over the SIS: it's so that they're going to kill people, or again, I always think, well, they're going to create some type of explosion or some other type of dangerous condition that's going to potentially destroy the facility, which of course, if somebody is on site, they're going to be killed. So you can understand how important it is to protect the SIS. So we take additional steps to protect it, like putting it on its own network segment, completely air gapped, or if you want, islanded, so that it's not connected to anything else, so if an attacker was going to take control over the SIS they would physically have to be on site. That's the only way you can really even start to protect the SIS to where you can trust it to do its job. Looks like this slide's out of order, but we talked about this in the HMI section, so we'll move on.
Now there's the engineering workstation. The engineering workstation, whether it's a physical workstation or a laptop, is what we can use in the environment to do things like program PLCs. Now if it's a workstation, the workstation is usually sitting in something like a room or area designated for engineers to work; a lot of times it's off of the control room or the operation center, could be in the data center. But the idea is that you have a workstation and you'll sit there, and of course it's not mobile, but you'll be connecting to the PLC that you're going to make changes to over the wire, typically over TCP/IP. If you have a laptop, you could physically go to the PLC, which I think is actually what's happening in this case: you have somebody sitting there with a laptop, and this looks like maybe a serial cable, could be an Ethernet cable, that's being used to connect the laptop to a PLC up here. This is another picture, by the way, that I found on the PLC subreddit, so lots of interesting pictures. So you can use, again, the workstation or laptop to connect to a PLC to do things like upgrade firmware and make changes to code. Of course if it's a laptop there are a lot more security considerations to take into consideration, because that laptop could be taken off site, and then at that point you don't know what could happen with that laptop. You have additional security controls on it, sure, like things like EDR to help protect it, but we have to have a heightened sense of security around our laptops, especially those laptops that we're using to do things like operations and maintenance tasks. So just something to think about, but also think about it from an attacker perspective: what do we get if we gained access to an engineering workstation? Well, then we would have access to programming data, the code that we're running. So if, as an attacker, I'm worried about trying to reverse engineer a process or what's going on in the environment, then there's nothing better than having access to that engineering workstation or laptop that has that programming data, which we're going to come back and talk about later on. So we can access that information and use it to reverse engineer the environment to understand what's going on. That's the idea of engineering workstations or laptops. You see EWS all the time; I remember seeing EWS and it was like, what the heck, and then it was like, oh, engineering workstation, I'm like okay, that makes sense. And then it was like, oh, it's just another Windows machine, like okay, I get that.
And then the data historian. For me the data historian is going to be the most popular target for an attacker, and we'll talk about why, but the idea is the data historian stores what we call the process data from the OT environment. So remember we have the process in the OT environment, what that environment produces: so if I'm the power plant and I'm producing electricity, or if I'm the insulin manufacturing plant and I'm creating insulin injections. So we have process data that explains different aspects of that process, like how many injections of insulin did we generate today, how much power did we generate today, what resources were consumed to generate those things. Those are just some examples of process data that we can store, and we'll come back and talk about some detailed examples later on, but for now think: we have this data that talks about or describes what's going on in the plant or in the site, we're going to put it in a regular old database, like something sitting there in Microsoft SQL Server sitting on a Windows server, and that's what we call a data historian. It's storing that process data for historical purposes. I think the big use for that is we take that process data from the OT network and we push it out to the OT, sorry, the IT network, where the business is, where they can use that to do things like bill customers or coordinate shipping logistics. When I mentioned earlier that it's going to be the number one attack target for either attackers or penetration testers, part of that is, imagine, remember most of our attacks in OT come from the IT network. So if I'm an attacker and I get into your IT network, which we know is going to happen, it's only a matter of time, if you allow the IT network to talk with the OT network, more than likely there's a DMZ between IT and OT, and the one host, if there's any host that's exposed between IT and OT, that's sitting in that DMZ, it's a data historian. And that data historian, remember, it's just another Windows server running Microsoft SQL Server, which has its own vulnerabilities on top of the operating system, which has its own vulnerabilities, so it's going to be one of those easier-to-attack targets, and it's going to be exposed, so it makes it an easy target for attackers. So hopefully we'll come back, well, we will come back in the next part and talk about secure network architecture and how we can prevent it from being exposed, but that's the idea of the data historian, and we'll come back and talk more about process data and tags and so on in a little bit.

And here we're just talking about the process data. So we're going to record all this information about what's going on in the environment, and we can use that for security purposes potentially, but mostly it's getting that data into the hands of the business so they can make certain decisions or they can take certain actions. And then you can also use or examine that data to identify issues with operations, or maybe I can watch the process over time to do things like predictive analytics to determine when certain parts in my assets are going to break down over time. So I want to know, ooh, this part's going to break in 3 months, so we need to make sure that on our maintenance schedule sometime between now and the next three months we replace that part. That's another example of how we can use process data, and again you could use it to find, potentially, security issues in the environment, but that's typically not its use; it's for making business decisions on the IT side of the house and then also potentially using it to identify operation issues that we need to be aware of.
of so here's an example of a operation
Monitoring Center this is one for you
see an now is a green green power Energy
company in play South
America and so they had put place you
put this out on the internet so I
thought it was great to be able to to
share with everybody cuz yeah this looks
like a kind of you know typical Maybe
mediumsized
Operation Center or control
room and basically right we have the
ability for for control operators to sit
right and watch screens filled with
hmis and it looks like maybe an Excel
spreadsheet in that lower left hand
corner you see some other screens that
they're using to monitor different
aspects of the environment and be aware
of different different aspects that they
need to be but mostly it's a collection
of hmis right that give us visibility
and control allows us to see what's
going on with the process allows us to
see what's going on in the plant we can
monitor for aler alerts and alarms and
then it gives us the ability to control
remember we can go ahead and we can
interact we can make changes to that
process in the the physical world if we
need to
react so I that that was just a nice
simple example of a control room I could
share now there are a lot of other
different types of control systems and
we'll we'll talk about some of these
right we already started mentioning rtus
in incada we mentioned those IEDs which
are responsible for monitoring what's
going on on in power transmission right
making sure that the power is being um
carried across the wire
appropriately uh we'll talk about some
of the other ones like vfds and Feats
and um talk about mzes a lot mzes are
kind of the Bane in my
existence from a secure network
architecture perspective but we'll talk
about that in in the next part so again
there are a lot of different types of
control systems again we're not going to
get into all the technical details of
all of these but but we'll talk about
you know few of these as we go
throughout the rest of the course and
then as you get into different types of
environments you'll find that um you'll
definitely want to learn about those
control systems that are specific to
your your unique type of OT environment
right if you're in manufacturing you
want to know everything you can about
manufacturing execution systems you
probably do not care about intelligence
electronic devices which are essentially
just for power
transmission and vice versa if you're in
power transmission you want to know
everything about IEDs and you don't
really care about the mzes of the
world so again we'll we'll talk about
some of the more common ones and and
some of the examples especially in power
because we're we're focused on using
power as our example but but we again
we'll talk about some of these and the
other ones definitely encourage you to
to look them up as you come across them
and you know only takes a couple minutes
right of reading to then understand it's
like oh okay like that's what vsad is
like okay that you know that makes
complete
sense so we're moving into the last half
of this section I I did warn everybody
this was this was going to be the
biggest part or section in in the course
but so the first half we talk about the
different types of control systems
that's what we primarily focused on
there and then in this last half we're
going to talk about networking so we are
going to talk about different industrial
control protocols but before we get
there we're going to cover some
networking Basics so if you're from the
it side of the house and and have a good
grasp on networking Essentials then this
next part of the section is is going to
be um boring for you uh if you're coming
from an OT background or or from it and
and don't have a a strong background in
in networking then then hopefully this
will be a great uh introduction or may
be a refresher for some people so let's
go and jump in so the idea is when we
Network computers together especially
now we have whether it's computers
talking over the Internet or thinking an
OT Network where we have different types
of systems so we have control systems
like plc's and hmis and rtus and sis and
DCS and and the list goes on and we also
have Windows machines you know laptops
and workstations and
servers and the idea is that we can
allow different systems with different
Hardware with different software like
different operating systems so Windows
versus Linux and all the different
versions of those right we can allow
these different operating systems and
different pieces of Hardware to
communicate and share information and
and also think of all the different
applications that we run and not only on
you think of like servers and
workstations and laptops but our phones
and our Smart TVs and our iot devices
and the list goes on and on so any
device that is networked especially if
there's internet connectivity right idea
is
that originally when computers like
Xerox Intel digital or or deck had
started to network their computers
together they wanted to be able to
network
the different companies together right
that would be really excited
exciting but they realized there was no
basis for communication between their
own individual networks that they had
created kind of in a in a
um in in kind of their own own little
world and
so there was this need for a common
framework and as long as you wrote or
created hardware and wrote software and
operating systems to play by these seven
rules then those systems could
communicate with each other even again
if they're completely different
platforms so these are the seven rules
of networking that if again if you play
by these your your system can talk with
other
systems so we talk about the seven
layers and they're they're numbered one
through seven you with starting at the
the lowest level the physical layer so
level one is the physical layer this we
talk about this is where the zeros and
ones right the the bits of data that are
transmitted over some some type of
pathway right whether it's you have an
ethernet cable or maybe it's Wi-Fi like
80211 but the idea is that you have that
physical path that you're sending your
data on right zeros and ones there's
either the presence of electricity or
not at a specific point in time zeros
and ones that's that's all we're sending
over
the network when we're sending
data now when you think that if I'm
sending information over that network
over that wire or that Wi-Fi connection
right to allow my computer to do that I
have to have a network card and so the
network card operates at the data link
layer so the data link layer itself is
actually broken into sub two sub layers
so there's The Logical link control
layer and then there's the media access
control sublayer so the
Mac sub layer is where the network card
is so if you're familiar with the MAC
address that's assigned to every network
card remember every network interface
card has a 48 bit unique address to
identify it uniquely from every other
host on that that that subnet or that
Network so the Mac sublayer is where the
network card lives the network
interface the LLC The Logical link
control that's where we have the
software driver that allows the rest of
the operating system to talk with and
access and use the network art right so
the physical layer lay level one and
then the first part of the data link
layer that's all physical Hardware right
we have again the network card that
allows us to then Connect into either
Wi-Fi or uh ethernet connection right to
have a cable
connected the LLC is the software driver
that allows us to work with or interface
with the network C from the operating
system
perspective so everything else from the
network layer up right if we're looking
at it from a like a workstation or
server perspective this is all operating
system so at the network layer this is
where the IP of TCP IP comes
in so when we talk about the Internet
Protocol this is where especially in
particularly addressing and routing come
into place so every host on a IP network
has to have a unique IP address if you
don't you're going to have drop package
or mis deliveries and you're not going
to have you're going to have failed
communication just like if the delivery
person for the Post Office comes to your
street and let's say you live at 574 but
there's another house across the street
with the same number
574 they won't know who to deliver to so
they might just guess and go to one
rather the the other and it it makes it
for a
mess so we have to make sure that every
system on the local network has a unique
IP address from all other host otherwise
we have communication
issues and then you can see there yes
there's different versions of IP version
4 we typically see IP or IP there's
different versions so there's IP version
4 which is 32bit addresses and there's
version 6 which is 128 bits out on the
public internet essentially we ran out
of IP version 4 addresses a long time
ago so we want to use IP version six
where we have billions and billions of
cab billions of of of IP addresses that
will never run out of so so they say
right Never Say Never
but it's it's really you ugly to work
with IP version 4 is not necessarily the
prettiest thing but it's a lot simpler
than working with IP version 6 for a lot
of people so it's very slow to very very
slow to be adopted so when especially
you're in an environment like a OT
Network you'll see IP version 6
addresses the only time you usually see
IP version 6 at least for me when I see
IP version 6 in an OT network is because
there's Windows machines that
automatically start with IP version 6
addresses now and so usually most of
your windows machines have both IP
version 6 and IP version for IP
addresses so which is which is not a
good thing because attackers know and
work with IP version six much
better than than most cyber security
Defenders and and network admin
administrators so so a lot of attackers
when they get in environments they can
use IP version six to move about the
environment and they might not ever be
detected because a lot of Defenders
aren't looking for the IP version 6
traffic they might not even know IP
version 6 traffic is there but it's
there by default in newer Windows
operating systems
So IP addressing takes place at the network level, at level three. We also talk about routing: if you're going to move from one subnet or one network to another, you're going to pass through a router. That happens because of the addressing scheme. Especially think of if I'm going out to the internet: I'm passing through a router, or a default gateway, to get to different resources out on the internet, and the internet is just a collection of all these different IP networks that are connected with routers. So the network layer gives us the internet, and all this interconnectivity between networks.

Now, when two computers want to talk to each other, they not only need an IP address to reach that destination, like the delivery person coming to your home, but let's say they want to actually come inside and drop off the package. So the idea is, to make a connection to a remote computer, we also use a transport protocol. For transport protocols we're going to have two choices: there's TCP and there's UDP. I don't have them listed here. TCP is the one that I think most people are familiar with, and it's a connection-oriented protocol, whereas UDP is a connectionless protocol, and we'll come back and talk about the differences between them a little bit later on. But the idea is the transport layer is responsible for taking large chunks of data and breaking them down into equally sized chunks that we put out on the wire, which eventually, remember, get chunked down into zeros and ones. Overall we're logically taking these larger chunks of data and breaking them down into equally sized chunks to send out on the wire, and we do that because it's much more efficient to send that data, so it makes it faster. That's where TCP and UDP live. So when we talk about making a connection to a remote port on a destination system, like I'm going to TCP 80 or TCP 443 to browse a website, that's happening at the transport layer with TCP.

Now, the session layer is where we establish the session logically between two systems. It's very important, but there's not a ton to talk about there. The presentation layer is where we would see things like encryption and compression; we're talking about data manipulation happening with the zeros and ones, or the chunks of data that we're sending over the network, though realistically a lot of that functionality has now moved up into upper layers, or it's even handled in applications that are running on the system, not the application layer itself. So the application layer, layer seven, it's not the applications running on top of the operating system, even though I have pictures of Word and different browsers here; the idea is it's the APIs, or the layer, that allows applications running on the operating system to talk with the networking layers. That allows an application like a web browser to send a request out over the network, out over the internet, to a web server somewhere on the other side of the planet, to then get a response back and display a web page for us sitting in front of our computer. We also talk about application layer protocols, like HTTP and HTTPS, which are used for web browsing, or FTP for file transfers, or SMTP, which we use for email.

Again, the idea is we have these seven different layers, or these seven different rules. As long as you create your hardware, or you write your software and operating systems, to play by these seven rules, then it doesn't matter what hardware or software you're using; it's vendor agnostic. As long as we play by the rules, we can connect and we can exchange and share information.

We won't spend a lot of time on it, but what it looks like, this idea of data encapsulation, is let's say I do want to go out to google.com to load the main search page. Our browser is going to take that request and pass it off onto the application layer, the data of the request itself, so "get this web page, www.google.com", and it goes through each of the layers. As it goes through each layer there's a header, header data that's added that represents that layer, and as we go through each of those layers of the OSI model that header information is added, until we get all the way down to the data link layer, the MAC sublayer, where our network card is, where we're taking the packet and we're also adding what they call the CRC, or cyclic redundancy check, which is essentially a hash or fingerprint of the data, to make sure, especially when the data is transmitted over the network, that the receiving computer can check the CRC to make sure the data did not become corrupted during transmission. That was much more important in the older days, when we didn't have such reliable networks. But we take the data, we create all the header information by adding a piece from each layer, we add that cyclic redundancy check, and we put the packet out on the wire so that it gets sent over to our destination. There are our zeros and ones. And then the destination receives the packet, and it passes it back up its own OSI layers, where, remember, we check the CRC to make sure, oh, okay, we got the packet intact. If it showed up as corrupted we could request that it be resent, but let's say we got the packet intact.
And so then we pass the packet up the OSI layers, stripping off that header information for each appropriate layer, because it tells the system how to process that data. So as we go up the data link layer, we strip off the data link header information; we go up to the network layer, we strip off the network header information; and so on and so forth, till we eventually get the data, in this case to the web server, to say, hey, we want to see www.google.com. And then the web server says, oh, okay, well, get you www.google.com, here you go, and then we go through the exact reverse order: back down the OSI model, put those zeros and ones out on the network, come back to our computer, come back up the OSI model, strip off all the header information till we get the web page.

So when we want to troubleshoot network connectivity issues, we can use a packet sniffer to capture that network traffic, the zeros and ones, but then it translates those zeros and ones into information that we can understand and use for troubleshooting purposes on the screen. So we're going to talk about Wireshark, which is the most popular packet sniffer out there, because it's open source, it's so powerful, and it's free, so why wouldn't you use it, right? You can use packet sniffers like Wireshark, and there are a few others out there, but Wireshark is the most popular one to be able to do packet analysis.

There are different types of activities we can use packet sniffers for. I mentioned one of those would be troubleshooting network connectivity issues. I remember the first day I was on site at the power plant, they were using Wireshark to troubleshoot Wi-Fi connectivity issues, so I was able to help out a little bit there. We can also use it to understand or establish a network baseline, which means we want to watch, especially in an OT environment, which assets exist in the environment, which assets are talking to each other, and when they talk to each other, what are they saying. If we create that network baseline, that allows us to then, over time, understand when something out of the ordinary happens. And when something out of the ordinary happens, it could potentially be a security issue. Maybe not, maybe not, but it could be. That's why we want to create these network baselines: to understand what common functionality and communication in an OT network looks like.

We can also use it, and we're going to come back in later sections and talk about how we create an asset register if we don't have one, and one of those options is to take packet captures in the environment and start with, well, what IP addresses do we see talking, and go from there. And then again we can use it for troubleshooting network issues. So we'll actually look through some different examples of all of these as we go throughout the course.

But again, we mentioned, oh, and sorry, before I jump ahead, that we can use tools like Wireshark for asset discovery, finding systems: oh, there's an IP address we didn't know about, or maybe there's a MAC address, maybe it's not running TCP/IP, maybe it's running some other protocol, but we can see a MAC address for a network interface card. We can also use that to potentially map out things like operating systems or applications that are running on systems, which we could also then potentially use to map out vulnerabilities. And again, ultimately, from a network security monitoring perspective, we can look for anything out of the ordinary, that suspicious activity. You see the picture: I was trying to get somebody with a magnifying glass looking over, finding the malicious network traffic. Midjourney came up with two magnifying glasses, so I just went with it. That's where that came from.
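As an added example (not part of the course material), here is what the baseline and asset-discovery use of a sniffer looks like once you turn it into code: take the conversation list from a known-good capture, then compare a later capture against it and flag the hosts and conversations the baseline never contained. The input is a constructed tab-separated summary (source, destination, protocol, destination port) in the shape of a Wireshark or tshark conversation export; the addresses and traffic are made up, and the port-to-protocol mapping is only a handful of well-known ports assumed for the example. It also calls out IPv6 flows, since the course notes above that Windows hosts bring IPv6 into OT networks by default and defenders often are not watching for it.

```python
"""
Network baseline from packet summaries, plus a diff against a later capture.

Added example for this course page, not code from the course. The input is a
constructed tab-separated summary (src, dst, proto, dport), the kind of
conversation list you would export from Wireshark or tshark; the sample
lines are made up and do not come from any real capture.
"""
from collections import Counter, namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed port-to-protocol labels for this example (well-known defaults).
PORT_LABELS = {502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip",
               102: "s7comm", 1433: "mssql", 123: "ntp"}

# Constructed "known good" capture: the HMI polls two PLCs over Modbus, the
# historian pulls from the HMI over MSSQL, the PLCs sync time with NTP.
BASELINE_CAPTURE = """\
10.10.1.10\t10.10.1.21\ttcp\t502
10.10.1.10\t10.10.1.22\ttcp\t502
10.10.1.50\t10.10.1.10\ttcp\t1433
10.10.1.21\t10.10.1.5\tudp\t123
10.10.1.22\t10.10.1.5\tudp\t123
"""

# Constructed later capture: the same traffic, plus a host we have never seen
# walking TCP 502 across the PLC subnet, and some IPv6 link-local chatter.
LATER_CAPTURE = """\
10.10.1.10\t10.10.1.21\ttcp\t502
10.10.1.10\t10.10.1.22\ttcp\t502
10.10.1.50\t10.10.1.10\ttcp\t1433
10.10.1.21\t10.10.1.5\tudp\t123
10.10.1.99\t10.10.1.21\ttcp\t502
10.10.1.99\t10.10.1.22\ttcp\t502
10.10.1.99\t10.10.1.23\ttcp\t502
fe80::1c2b:3d4e:5f60:7a8b\tff02::1:3\tudp\t5355
"""


def parse_capture(text):
    """Turn the tab-separated summary into Flow tuples, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(flows):
    """Baseline = every host seen, every (src, dst, proto, dport) conversation, and how often."""
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    return {"hosts": hosts, "conversations": Counter(flows)}


def label(flow):
    """Human-readable protocol guess from the destination port."""
    return PORT_LABELS.get(flow.dport, f"{flow.proto}/{flow.dport}")


def is_ipv6(address):
    try:
        return ipaddress.ip_address(address).version == 6
    except ValueError:
        return False


def compare_to_baseline(baseline, flows):
    """Report what the later capture contains that the baseline never showed."""
    seen_hosts = {f.src for f in flows} | {f.dst for f in flows}
    new_hosts = seen_hosts - baseline["hosts"]
    new_conversations = sorted(f for f in set(flows) if f not in baseline["conversations"])
    # IPv6 is easy to miss in OT captures; surface it explicitly.
    ipv6_flows = [f for f in set(flows) if is_ipv6(f.src)]
    # One new source touching several Modbus servers looks like a scan, not a new HMI.
    per_source = Counter(f.src for f in new_conversations if f.dport == 502)
    scanners = sorted(src for src, n in per_source.items() if n >= 3)
    return {"new_hosts": new_hosts, "new_conversations": new_conversations,
            "ipv6_flows": ipv6_flows, "suspected_modbus_scanners": scanners}


def report(baseline_text=BASELINE_CAPTURE, later_text=LATER_CAPTURE):
    """Build the baseline from one capture, diff a second against it, return the findings."""
    baseline = build_baseline(parse_capture(baseline_text))
    findings = compare_to_baseline(baseline, parse_capture(later_text))
    for f in findings["new_conversations"]:
        print(f"new conversation: {f.src} -> {f.dst} {label(f)}")
    print("new hosts:", sorted(findings["new_hosts"]))
    print("suspected Modbus scanners:", findings["suspected_modbus_scanners"])
    return findings


if __name__ == "__main__":
    report()
```

Run it as a script, or call report() to get the findings back as a dict. Doing this for real means feeding it tshark output from an actual capture and keeping the baseline window long enough that legitimate but infrequent conversations (backups, engineering changes, vendor remote sessions) make it into the baseline; otherwise every maintenance window looks like an incident.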
All right, so Wireshark, I mentioned again it's the most popular packet sniffer out there, because not only is it open source and free, but it's extremely powerful. You can see we have over 3,000 what they call dissectors, or parsers, that allow Wireshark to interpret over 3,000 different network protocols, which is a ton. That includes our most common protocols, like, sure, TCP/IP, and then also industrial protocols like Modbus, which is where we're going to spend most of our time in this course when we talk about protocols; we're going to be focused on Modbus. But also S7, DNP3, BACnet, OPC, OPC UA, and so on, and wireless versions as well, so not only 802.11 but we can talk about things like Zigbee, which I always love to say, and WirelessHART, and the list goes on and on. So we'll look at some examples of some of those.

You can download it at wireshark.org. Wireshark was created by Gerald Combs. You see he actually worked at an ISP, and he wanted a packet sniffer to troubleshoot some network connectivity issue, but he went to look at them and they were tens of thousands of dollars, and they didn't have the money to purchase a packet sniffer or a packet analyzer, so he decided he was going to build one himself. I mean, just amazing. And it created this tool that, if you work in IT and if you've ever troubleshot network connectivity issues, you've used Wireshark. Wireshark's also a great security tool for defenders and for attackers, and it's a great tool even if you're learning how different types of attack tools work. The best way to understand how a tool works is to watch what's going on behind the scenes. So if you're running a tool, let's say, like Nmap, what's really happening when you're running an Nmap scan? That's how you can really, truly understand what those tools are doing. Ed Skoudis, I remember that was one of the things he always preached, I mean, he's preached that for 20-plus years: run a packet sniffer in the background, like Wireshark, while you're running those tools, to understand what's happening, what's really going on behind the scenes. And I actually had pointed that out to one of the ICS instructors, because the book was not correct. It's like, oh no, if you watched it through Wireshark, when you run Nmap with the switches that they were recommending, it did not do what they said. I don't know if they ever actually updated the book or not; I never went back and checked. But that was actually because of Ed. That's Wireshark.

All right, so we talk about capturing, or sometimes you use the term sniffing, or sometimes you hear passive sniffing of packets. The idea is that we have those zeros and ones going over the network, and I'll have a workstation. Now, a workstation, or any device, especially in TCP/IP, is designed only to pay attention to those packets that are specifically sent to it. There are different types of traffic that we're not covering here: whether it's unicast, so it's going directly to your system, we have other types of traffic like multicast and broadcast, and broadcasts go to all systems, so your system would also listen to those broadcasts. But the idea is, by default, your system is not going to listen to all packets on the wire that it can see; it's only looking for the things that are addressed to it. If you have administrative access, you can put your network card into what they call promiscuous mode, and so if I'm running a tool like Wireshark and I put the network card into promiscuous mode, it does allow me to see all of the network packets, the zeros and ones on the wire, whether they're addressed to my computer or not. So we're able to see those zeros and ones, and then, remember, the beauty of Wireshark is it takes those zeros and ones and puts them into an interface that we can see and essentially read and understand what's going on. Now, it might still look really, really strange at first, but if you've been doing it for a while, or even for a little while, you can start to get pretty familiar with it fairly quickly, I think, to do some basic troubleshooting and understand what's going on. So we'll look at some examples.

Oh, and here's, so this is more of an IT example, but I thought it was one where we're capturing zeros and ones off the network and we're allowing Wireshark to do that translation, and it's telling us, hey, what we captured here in these zeros and ones, this is NTP traffic, or the Network Time Protocol. The Network Time Protocol is used to synchronize clocks, particularly in IT environments. Now, clock synchronization is very, very important in OT networks, undoubtedly, but we might not leave it up to just regular old ordinary NTP. But in IT environments we'll have NTP, and we can see things like IP addresses, we can see clock times, we can see timestamps, so we could use this to understand what's going on with the NTP protocol between these two computers that are talking. We would also see things like IP addresses talking to each other; we're just not seeing it in the screen. But we can use that again for troubleshooting, to understand what's going on. So that's just an example of how it takes these zeros and ones and translates them into something that we can see and use for troubleshooting purposes. We'll come back and see some great examples as we go through the rest of the section.

So now, we talked about in every network environment, pretty much, these days, the main protocol is TCP/IP, and that's mostly because, in some way, shape or form, almost all networks are connected to the internet, and the protocol that we use for communication over the internet is TCP/IP. If the internet had been based off of, I don't know, the mic protocol, then the mic protocol would be the most popular protocol in use today. Everybody wants to be connected to the internet; we even have a lot of OT environments that want to be connected to the internet for things like the industrial internet of things, which we're going to come back and talk about later.

So there are industrial control protocols. Now, there were versions of these that ran on their own, and you didn't have TCP; you just had Modbus as the protocol used to communicate and share information between systems, or S7, which is a Siemens proprietary protocol, or OPC, which is still a scary protocol, which we'll talk about. The idea with OPC is it literally is built off of the same system that Microsoft uses called OLE, or object linking and embedding, which allows you to take data from one Microsoft Office application like Word or Excel and then paste it into, like, a PowerPoint presentation. That's the same system that they use for industrial control. I was like, what? Mind-boggling. And I've never met an engineer that actually likes working with OPC. Now, OPC UA is a new standard, or new protocol, which is much cleaner, which is much nicer, and we'll see an example when we get into the vulnerability management part, where there's actually a new vulnerability scanner looking for vulnerabilities specific to OPC UA servers. So I wanted to include that in the vulnerability management section, which I thought was very cool. And there are also different wireless industrial control protocols as well. We still use things like 802.11, just regular old Wi-Fi, but there are specific wireless industrial control protocols like Zigbee and WirelessHART, and you still use things like Bluetooth as well. So we'll talk a little bit more about those in some examples as we go throughout the course.

So again, we're going to focus on Modbus in this course, and we're going to look at one of the versions of Modbus that runs over TCP/IP.
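The encapsulation walk-through from the OSI discussion above, applied to the protocol this course focuses on. This is an added example, not code from the course or from any Modbus vendor: it builds an Ethernet / IPv4 / TCP / Modbus-TCP frame the way a sending host's stack does (one header added per layer on the way down; checksums left at zero because nothing is put on a wire), then strips the headers back off one layer at a time, which is what Wireshark's Modbus dissector is doing when it labels TCP 502 traffic. The second half uses a tiny imaginary PLC whose coil 0 is an air-conditioner run command to show a Read Coils request and reply, then a Write Single Coil that flips it from a host the PLC has never heard of. The IP and MAC addresses, the client port, and the coil layout are assumptions for the example; TCP 502 and the Modbus framing are real protocol facts.

```python
"""
Modbus/TCP frame built down the stack and decoded back up it, then an
unauthenticated coil read/write exchange against an imaginary PLC.
Added example for this course page; not code from the course or any vendor.
Addresses, MACs, the client port and the coil layout are assumptions.
"""
import struct

MODBUS_PORT = 502  # IANA-registered default port for Modbus/TCP


def build_frame(src_ip, dst_ip, sport, dport, pdu, tid=1, unit=1):
    """Encapsulate a Modbus PDU: MBAP header, then TCP, IPv4 and Ethernet headers.
    Checksums stay zero because nothing here goes onto a real wire."""
    mbap = struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 8192, 0, 0)
    payload = tcp + mbap + pdu
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, 6, 0, to_bytes(src_ip), to_bytes(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex("001d9cabcdef"),
                      bytes.fromhex("005056c00001"), 0x0800)
    return eth + ipv4 + payload

def parse_ethernet(frame):
    """Layer 2: strip the 14-byte Ethernet II header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst_mac": fmt(dst), "src_mac": fmt(src), "ethertype": ethertype}, frame[14:]

def parse_ipv4(packet):
    """Layer 3: IHL gives the header length, total length bounds the payload."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl, total_len, proto = (f[0] & 0x0F) * 4, f[2], f[6]
    fmt = lambda b: ".".join(str(x) for x in b)
    return {"proto": proto, "src": fmt(f[8]), "dst": fmt(f[9])}, packet[ihl:total_len]

def parse_tcp(segment):
    """Layer 4: data offset gives the header length; the rest is application data."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}, segment[(off_flags >> 12) * 4:]

def parse_modbus_tcp(data):
    """Layer 7: MBAP header (transaction id, protocol id, length, unit id), then the PDU."""
    tid, pid, length, unit = struct.unpack("!HHHB", data[:7])
    pdu = data[7:6 + length]
    return {"transaction_id": tid, "protocol_id": pid, "unit_id": unit,
            "function": pdu[0], "data": pdu[1:]}

def decode_frame(frame):
    """Walk the frame back up the stack, stripping one header per layer."""
    layers = {}
    layers["eth"], rest = parse_ethernet(frame)
    if layers["eth"]["ethertype"] != 0x0800:
        raise ValueError("not IPv4")
    layers["ip"], rest = parse_ipv4(rest)
    if layers["ip"]["proto"] != 6:
        raise ValueError("not TCP")
    layers["tcp"], rest = parse_tcp(rest)
    if MODBUS_PORT not in (layers["tcp"]["sport"], layers["tcp"]["dport"]):
        raise ValueError("not on TCP 502, so probably not Modbus")
    layers["modbus"] = parse_modbus_tcp(rest)
    return layers

class TinyPlc:
    """Imaginary PLC: coil 0 is the air-conditioner run command (1 = on, 0 = off)."""
    def __init__(self):
        self.coils = [False] * 16

    def handle(self, request):
        """Serve FC 1 (Read Coils) and FC 5 (Write Single Coil). Modbus has no
        authentication: whatever reaches TCP 502 is obeyed."""
        fc, data = request["function"], request["data"]
        if fc == 1:
            start, qty = struct.unpack("!HH", data[:4])
            packed = bytearray((qty + 7) // 8)
            for i, on in enumerate(self.coils[start:start + qty]):
                if on:
                    packed[i // 8] |= 1 << (i % 8)
            return bytes([1, len(packed)]) + bytes(packed)
        if fc == 5:
            addr, value = struct.unpack("!HH", data[:4])
            self.coils[addr] = value == 0xFF00  # 0xFF00 = ON, 0x0000 = OFF
            return bytes([5]) + data[:4]        # reply echoes the request
        return bytes([fc | 0x80, 0x01])         # exception: illegal function

def exchange(plc, pdu, tid):
    """Client request goes down the stack, PLC decodes and answers, client decodes the reply."""
    req = decode_frame(build_frame("10.10.1.99", "10.10.1.21", 40000, MODBUS_PORT, pdu, tid))
    reply = plc.handle(req["modbus"])
    return decode_frame(build_frame("10.10.1.21", "10.10.1.99", MODBUS_PORT, 40000, reply, tid))["modbus"]

def demo():
    """Read coil 0, force it on from a host the PLC has never seen, read it again."""
    plc = TinyPlc()
    before = exchange(plc, struct.pack("!BHH", 1, 0, 1), tid=1)
    write = exchange(plc, struct.pack("!BHH", 5, 0, 0xFF00), tid=2)
    after = exchange(plc, struct.pack("!BHH", 1, 0, 1), tid=3)
    return before["data"][1] & 1, write["function"], after["data"][1] & 1
```

Calling demo() returns the coil state before the write, the function code of the write reply, and the state after, so the write succeeds without any credentials because the protocol has none; that is the point about being able to flip the zero or one once you can reach the PLC. When reading a real capture, the MBAP transaction id is what pairs a request with its reply, and a reply whose function code has the high bit set (0x80 plus the function code) is an exception response rather than data.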
so there are some great GI GitHub
repositories out on the internet for uh
Industrial control and in learning cyber
security in in OT one of them is this
the
it repository or you can see from Tim
Yardley and I mean there's a ton that he
has in this GitHub repository but why I
really love it is that he has this
peaps uh folder or repository where he
has all of not only these different
packet captures
for industrial control protocols but
they're very small captures with just
exactly very specific types of traffic
so you can really narrow in on the
different types of traffic that you want
to load into wi shark and examine
further as I you know love the love the
collection so we're going to use one of
those packet
captures for
theor so I mention we're going to focus
on Modbus, since it's the most commonly used control system protocol that we see. Again, it's the version that runs over TCP/IP. Modbus was created by Modicon, which eventually got bought by Schneider Electric, but it was used, and you can still see it, over serial communication like RS-232 cables, kind of like the cables you might have seen connecting a UPS to a server, or that we use to connect from maybe an engineering workstation to a PLC for programming. But we run it over TCP/IP now. You see the default port is TCP 502, so when we're looking at a packet capture, if we see traffic to or from TCP 502, or if we do a port scan of a remote system and we see TCP 502 open, more than likely it's Modbus that we're looking at, a version of Modbus. Again, there are many different versions of Modbus, but we're going to focus on the one that runs over TCP/IP.

For me it works just like SNMP, which we mostly see in the IT world. If you're familiar with SNMP, the Simple Network Management Protocol, the idea is it's this client-server relationship that allows you to remotely connect to an asset and pull information about it that it stores essentially in a little database called a MIB. The most common example is network switches. Say I'm a network administrator: I can connect to that network switch remotely and then go into this database, into a specific field or entry that I'm looking for. Let's say this is a 24-port switch; I can look at the values for those 24 ports to see which ports are active, how much data is being transmitted at that point in time on that port, how much is being received on that port, whether there are any errors over the last 5 minutes on that port, and so on and so forth. So SNMP allows us to store information about that asset, about that system and how it's performing. It's very similar in control systems, where if I connect to a PLC with Modbus I can see all these different aspects of the system itself.
So you might even have a value where, let's say that PLC controls an asset, maybe it's that thermostat we have at home or in the office, and if I look up, let's just say, the value in the first slot (just for now we'll use some generic terminology), if I look at the first value and I see a one it means the air conditioner is on, and if I see a zero it means the air conditioner is off. So start thinking about: well, if I can see a zero or one to know whether the air conditioning is on or off, do I have the ability to manipulate that zero and one to turn the air conditioner on or off, even if I'm not an authorized party to be able to control that process? That's where the security questions come into mind.

We'll talk about some other networking tools, but this is much more for when we get into the penetration testing course, with many more dedicated hours into how we test security and how we break into control system networks. Tools like Nmap, and we'll see Nmap before the course is over, looking at doing some basic port scans. modbus-cli is a client utility that you can use to make connections to Modbus servers to request pieces of information. Scapy is a tool that basically allows you to create your own network packets; anything you can imagine, you can put out on the network, whether it's going to work or not. Metasploit is more of an automated attack framework, mostly in the IT world, but it has some OT functionality built into it. It's mostly used to make exploiting known vulnerabilities in the IT world very, very easy, or as easy as it can be, how about that, we'll go with that. We'll talk a little bit more about Metasploit and maybe we'll see some examples before the course is over.

Again, the main idea is we're going to focus on Modbus, the version that runs over TCP/IP, and the default port for Modbus is TCP 502. So if we ever see activity on TCP 502 it's almost always going to be Modbus. Not always, so we're not going to always assume it is, but more than likely we'll think it is, how about that.
Now this is where we're starting to talk about how Modbus is like SNMP, where it stores information about the asset locally. Modbus stores information or data in slots, or little placeholders, called coils and registers. If you're familiar with how databases are structured, we create different fields in the database, we have different sizes or different amounts of data that we can store in these different fields, and we can read and write to these fields depending on the permissions we have. If I'm an engineer making updates to PLC programming, I need to have the ability to write. If I'm upgrading the firmware as a tech, I need the ability to write to the system. Potentially, an attacker has the ability to remotely manipulate those values. Remember we talked about just going to the first value and changing a zero to a one, which turns on the air conditioner, or changing the one to a zero, which turns off the air conditioner.

You see they are zero based, so the first one is zero, the second one is one, the third one is two, and so on and so forth. So when we store information in coils and registers: coils store a single bit, right, it's 0 or 1, true or false, on or off. When you load that value you either see a 0 or a 1, and we'll see those in Wireshark. Now if you want to store larger values, if we go back to our thermostat example, if I'm storing the temperature, let's say it's going to be 80 degrees inside the room (a little warm for my taste), if it's 80 degrees Fahrenheit then I can't store that as a zero or one. I need to store a larger value, so we need to have a register to be able to do that, and we'll look at some examples.

Now there are different Modbus function codes, so there are different commands. You can see the first one is Read Coils; remember we can have coils and registers, and a coil stores just zeros and ones. You see all these different variations and we're not going to get into all of them, but you can see I can read coils, I can write coils, and I can read and write to registers. Again, we'll see some of these examples and how they look through Wireshark. Now with Modbus you can see here there are some troubleshooting or diagnostic commands, and you also see Report Slave ID, which shows a relationship between devices with Modbus. It's based off of a master/slave communication scheme, but we're moving away from that into using the client/server naming convention, trying to get away from the racist connotations. So you're unfortunately still going to see master and slave pop up from time to time, because it's going to take time to get rid of it.
Now here's an example where we look at some great free tools. I love showing and using free tools; I don't want anybody to ever have to purchase anything when going through a class. These are examples of different tools that you can use to simulate Modbus. Here we have the Modbus server simulator, or you can see it's really simulating a PLC running Modbus, and that's where it's storing all this information. Now you can see it's not varying the data. It'll change the data, it'll rotate it, but it's still the same value in all these memory spaces, so it's nothing special from that standpoint. I think you can also play with it a little bit more if you really want. But even just spinning it up and then using the client to poll it: the client is just a graphical interface for the one we mentioned earlier, which is just command line and is built into Kali Linux, if you're familiar with that, especially from a security testing or penetration testing perspective. You can see in this case we have the client, and in the lower right-hand corner of the client it's connected to the local host on TCP port 502 and it's pulling the data from those memory spaces inside the host. That's what you're seeing: you can see the values in the memory, or in the database let's say, on the simulated PLC, and then we can see those values in the client on the right-hand side. So definitely check those out and play with those. There are also other free clients and servers out there, and there are others that you can pay for, and they're not too expensive, to simulate things like PLCs and Modbus communications. It's just something to play a little bit with, and it's also one of those things where, if you're doing it over the wire or at least locally where you can capture it with Wireshark, it allows you to go into those Wireshark captures and understand a little bit better what you're looking at in Wireshark.

We'll look at an example here. Remember that the PLC acts as the server, the Modbus server, and then we have the Modbus client, which could be, like in this case, our engineering workstation, that goes and sends out a request to the server, to the PLC, like: okay, what is the value in the first coil in your database? And then it'll give us a response, as long as we have that connection and that permission, and it's usually pretty wide open, at least in read-only format. Maybe not read/write, hopefully not, and that's where we get into, remember, our key switch. We want to make sure that we have all of our PLCs in run mode, which this one is not, as we can see in the picture, because in run mode it's in read only, so people can't just manipulate those values remotely and turn a zero to a one or a one to a zero, or maybe turn the 80° set point to 100° or 40° and crank the heat or the air conditioner all the way up. So again it's this client/server where we can issue different requests: read, write, or any of those diagnostics that we have access to.
So when we look at this in Wireshark, here's a bit of a sample, and there's definitely a lot more to it, and we'll come back and actually open up Wireshark in a second. What we're seeing is part of the Wireshark window where you can see the packets we've captured. You can see the number of packets, 1, 2, 3, 4, 5, 6, and this is one of the ITI Tim Yardley packet captures: very short, sweet, to the point, very concise, gives us exactly what we're looking for. In the packet capture I can see the source IP address and the destination IP address, so I can see there are two hosts talking to each other, 10.0.0.57 and 10.0.0.3. We can see the protocol, so some of these packets are for TCP/IP. This is where we have this kind of interesting thing: those first three packets are actually a previous network session between those hosts being torn down. Those hosts were talking with each other, then they wrapped up and said okay, we're done talking. That's what you're actually seeing in those first three packets; those should have been chopped out. The next three, so packets four, five and six, that's where we're establishing a new... oh, actually, sorry, no. Packets one through four, that's where those two hosts were talking and then they said okay, we're done. Packets 5, 6 and 7, that's where we see the three-way handshake to establish communication between two computers or assets running TCP/IP. That's where you can see the SYN, SYN-ACK and ACK. We don't get into it here, but that's the three-way handshake that we use to establish a connection between two computers running TCP/IP. Not only are we establishing the connection, but we can see the ports on which they're establishing the connection. Now the source port is not necessarily important; this port of 2578 is somewhat randomly chosen. What is important is the destination port, which we can see is 502. Remember, port 502 on TCP, and we see this is TCP traffic; TCP 502 is used for Modbus, so more than likely this is going to be Modbus traffic, and we see exactly that. Once that TCP connection is established, all the other traffic going over it is that Modbus over TCP traffic, and then you can start to see, well, what are they sending? We're sending queries and then we're getting responses. So if we're looking at this, the source, 10.0.0.57, is sending a query to 10.0.0.3, which means 10.0.0.3 in this case is our PLC, and 10.0.0.57 could be an engineering workstation, it could be another host on the network, it could be an attacker, or it could be a technician that has authorization. We don't know that looking at the packet; that's additional context we would need in the case of an investigation. But from the packet capture itself, again, we see the first four packets really are inconsequential: these two hosts were talking with each other, they finished, they wrapped it up, they closed those sessions. That's what we're actually seeing there. Packets 5, 6, 7, that's where we established the TCP connection between those two hosts using that three-way handshake, and then everything else is the Modbus traffic. And then Wireshark, remember, using that dissector or parser, translates that information into something like: oh, hey, what is it asking for? What type of response did we get? So we're going to come back and look at that.

Now you can also do a filter in Wireshark to say, hey, I don't even care about the TCP/IP traffic. I get it, the computers will set up the connection, and these four packets where the computers were talking to each other and closed the connection, I don't care. I just want to see the Modbus traffic. I want to see what's going on, which hosts are talking Modbus, what types of commands they are issuing. Are they trying to make updates? Are they just reading what's going on? That's all I want to see. So you can do a filter like in this case where we just say show modbus. And here's the name of the packet capture: if you're looking in that ITI repository you can get the modbus test data part one. So let's go ahead and open that up now.
So let me find our friend Wireshark, and we'll install the update later, like a good cyber security professional. Then let's find, I think this is the packet capture right here, I hope. Let's open it up. You can see this is a little bit different, where we're seeing the entire Wireshark screen, but this is exactly the packet capture that we were looking at earlier. Remember the first four are the computers that were talking with each other but are no longer, and then five, six and seven are the packets where they're establishing a new connection to talk, and then we start issuing, essentially, commands. But the idea is, remember that Wireshark looks at the zeros and ones going over the wire, captures all of them, and then displays them as information that we can understand. Remember when we talked about the OSI model and we had that header information; that's actually what's being displayed in the lower left-hand corner. Now the right-hand corner is ideally where they're showing the zeros and ones, except if we just showed zeros and ones, (a) it's meaningless, and (b) we don't have enough real estate on the screen to be able to display all that, so it means nothing. So we convert it to hex so it's a little bit more manageable. But most people don't talk, speak or read in binary, and most don't even speak, talk or read in hex.

In that lower left-hand corner, though, this is interesting, because when you look at that first section, this is actually all the information related to the physical layer, level one, and then as you move up the OSI model the next layer is level two. That's where we see Ethernet; remember, that's also where we see media access control, so we can see the MAC address, the media access control address, of the network cards or interfaces that are talking to each other. And I should note that the first half of that 48-bit address (these are 48-bit addresses in hex) is actually mapped to the vendor. The IEEE maintains the database, so anybody that manufactures a network card actually registers, or they'll get a range of addresses assigned to them. That's why you can see Wireshark saying hey, if your MAC address starts with 00:02:B3 that means the manufacturer of that interface card is Intel, or if your MAC address starts with 00:20:78 then that network interface was created by this company called Runtop. So it can help us identify different assets in the environment; also, if I'm an attacker, it can help identify different assets in the environment, but just keep that in mind. We'll see some better examples of where that can come in handy a little bit later. But remember, each of these maps to the different layers of the OSI model: layer one, the physical layer; layer two, the physical or, sorry, the data link layer, where we have the MAC sublayer where we see the MAC addresses, which is exactly what we see here.

Now the network layer, remember, that's where IP works, so that's where we see things like IP addresses. This is where we can see, yeah, 10.0.0.57 is talking with 10.0.0.3. You can click into each of these and there's even more information, but I think the highlights are kind of what we're seeing here. And then remember layer four, that's the transport layer, so that's where TCP and UDP take place, and where the ports that we connect to or operate with take place. Again we can see, sure, the source port of 2387, not as meaningful; what we're really looking for is the destination port, and we see TCP 502, so then more than likely, especially in this scenario, it's going to be Modbus. So we know there's a Modbus server or Modbus endpoint there. That's what we're seeing in Wireshark, and then again, if we want to just limit it to Modbus traffic, we can put in a filter to say yeah, just show me Modbus, get rid of all the generic TCP/IP information, I just don't care, I don't need it, it's not going to help me. And that's kind of looking at Wireshark just to get it up and running.
Now there are some other things that we can look at. What happens when we start digging into these requests and the responses that we're seeing? We'll look at one of these real quickly, so we can jump down to packet 51 here. Now it's interesting, also, because now there's a third host in the packet capture, because now we're also seeing 10.0.0.9 and 10.0.0.3. If we expand down here under Modbus and Modbus/TCP, we can actually see that 10.0.0.9 is issuing a query for Read Coils. So it wants to say: give me a coil, I'm going to read the first coil, which is number zero, and I'm only going to get a single coil. Then in the response, the PLC in this case is going to look up what the value is in that first slot, and it's going to send that value back and say yeah, the value is zero. Remember, a coil can only store a zero or a one, so we're expecting a zero or a one. So we issue the query to say okay, what's the value in the first coil (I'm kind of shortcutting it, but yeah, we're just saying what's the value in the first coil), and then the PLC comes back and says okay, the value is zero. So maybe in that case that means the air conditioner is off.

So if I can read the coil, again, this is where attackers get stuck, because I'm able to see zeros and ones, but I don't know what a zero means for that first slot. That first slot might actually be completely meaningless; we don't know. That's where, if I'm an attacker, if I have access to things like your program files or program data or process data, or I'm on your engineering workstation, I can use that information to reverse engineer what's happening in the environment. That's a possibility. And then as we go through the capture, we see all these read commands, but now we see a write. Again, this could be a completely legitimate user that's issuing these commands, but what if it is an attacker? How would we know? That's a really big question we'll come back and talk about in the last part of the course, when we get into network security monitoring, and when we detect anomalies, going through the investigation process to determine whether this is something bad happening in the environment. In this case we can see that they want to go ahead and update a value in one of those coils, and then you can see what they're going to update it to: I want to change that zero to a one, or a one to a zero. That's what we're really going through in this example. We'll just go ahead and skip through these. Oh, and this is referencing where you don't have to pull one register or one coil at a time; you can actually say hey, give me the next 10 coils or the next 10 registers. You don't have to just do one at a time, which makes it nice.
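As an added example (not code from the course and not the ITI capture), here is a small Python decoder for the exchange just walked through: the Modbus/TCP header, the Read Coils query for coil 0, the response carrying the value 0, and the Write Single Coil that follows, with the monitoring question from above ("is someone writing who shouldn't be?") answered by a simple allowlist. The host addresses, port numbers and frame bytes are constructed to mirror the capture rather than taken from it, and the allowlist is a hypothetical detection rule, not something the course prescribes.

```python
import struct

MODBUS_PORT = 502  # the course's rule of thumb: TCP 502 is almost always Modbus

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Slave ID",
}
WRITE_CODES = {5, 6, 15, 16}  # function codes that change values on the PLC


def parse_mbap(frame):
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # the length field counts the unit id plus the PDU (everything after byte 6)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"transaction_id": tid, "unit_id": unit, "pdu": frame[7:]}


def decode_pdu(pdu, is_request):
    """Decode the function code and the coil/register fields discussed above."""
    fc = pdu[0]
    info = {"function_code": fc,
            "function": FUNCTION_NAMES.get(fc, "Unknown"),
            "is_write": fc in WRITE_CODES}
    if fc & 0x80:  # exception response: high bit set, then one exception code byte
        info["function"] = "Exception to " + FUNCTION_NAMES.get(fc & 0x7F, "Unknown")
        info["exception_code"] = pdu[1]
        return info
    if fc in (1, 2, 3, 4):
        if is_request:  # starting address (zero based) and how many to read
            start, qty = struct.unpack(">HH", pdu[1:5])
            info.update(start_address=start, quantity=qty)
        else:
            count = pdu[1]
            data = pdu[2:2 + count]
            if fc in (1, 2):
                # coils come back packed eight to a byte, lowest bit first
                info["bits"] = [(b >> i) & 1 for b in data for i in range(8)]
            else:
                # registers are 16-bit values, so a temperature like 80 fits
                info["registers"] = list(struct.unpack(">%dH" % (count // 2), data))
    elif fc in (5, 6):
        addr, value = struct.unpack(">HH", pdu[1:5])
        if fc == 5:  # a coil write carries 0xFF00 for ON and 0x0000 for OFF
            value = 1 if value == 0xFF00 else 0
        info.update(address=addr, value=value)
    elif fc in (15, 16):
        start, qty = struct.unpack(">HH", pdu[1:5])
        info.update(start_address=start, quantity=qty)
    return info


# Constructed sample traffic (not the ITI capture) mirroring the walkthrough:
# client 10.0.0.9 reads coil 0 from PLC 10.0.0.3, gets back 0, then writes coil 0.
# Tuples are (src_ip, src_port, dst_ip, dst_port, tcp_payload).
SAMPLE_PACKETS = [
    ("10.0.0.9", 2578, "10.0.0.3", 502,
     bytes.fromhex("000100000006 01 0100000001")),  # Read Coils, address 0, quantity 1
    ("10.0.0.3", 502, "10.0.0.9", 2578,
     bytes.fromhex("000100000004 01 010100")),      # response: 1 data byte, coil 0 = 0
    ("10.0.0.9", 2578, "10.0.0.3", 502,
     bytes.fromhex("000200000006 01 050000ff00")),  # Write Single Coil, address 0, ON
]


def analyze(packets, allowed_writers=()):
    """Decode each Modbus/TCP packet; flag write requests from hosts not in the
    hypothetical allowed_writers list (e.g. the engineering workstation)."""
    results = []
    for src, sport, dst, dport, payload in packets:
        if dport == MODBUS_PORT:
            is_request, client, plc = True, src, dst
        elif sport == MODBUS_PORT:
            is_request, client, plc = False, dst, src
        else:
            continue  # not Modbus/TCP by the port 502 rule of thumb
        frame = parse_mbap(payload)
        pdu = decode_pdu(frame["pdu"], is_request)
        alert = is_request and pdu["is_write"] and client not in allowed_writers
        results.append({"client": client, "plc": plc, "request": is_request,
                        "unit_id": frame["unit_id"], "alert": alert, **pdu})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_PACKETS, allowed_writers=("10.0.0.57",)):
        arrow = "->" if r["request"] else "<-"
        print("ALERT" if r["alert"] else "     ", r["client"], arrow, r["plc"], r)
```

Run as-is it prints the three decoded frames and flags only the write, because 10.0.0.9 is not on the allowlist; feed it the payloads from a real capture's TCP stream and the same decoding applies.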
So we go through there. Oh, I'm sorry, I thought I actually had a different example in here, so I'll have to come back and add that into the later part of the section. But that's a real quick, high-level look at Modbus. We'll come back in and look at some other examples as well.

If you want to really look into some Modbus labs, David, oh, his last name is escaping me, but he has a company called Fortiphyd, with a "ph" and a "y", if I remember right, and he actually has some amazing labs where it's kind of like you're watching a power plant and a chemical refinery and different environments through a webcam, and then you're able to manipulate different values on the control system, like the PLCs, to see if you can create some type of dangerous condition where you can actually watch the power plant catch on fire or a chemical refinery start to smoke. So it simulates the real-world type of attacks in a really cool fashion. He mentioned he got some money from the Air Force, I think, to build them out, so really awesome work. And somebody had pointed out, when I did this course live, that he made them available, at least the original versions, on GitHub, which is very cool, so you can actually just download and implement them. In fact, let's just find it real quick; you can see my feed. We'll do GitHub, I think it's Fortiphyd, like that. Yeah, I think this is it, Fortiphyd Logic. Yes, I think this is it, so OT security with OT logic. I think he also has a new project associated with secure PLC coding; I think he was down at the recent conference in Atlanta talking about that. Here's the Graphical Realism Framework for Industrial Control. Okay, yeah, so it looks like these are the simulations, so you can see where you can set up a software-based version of a PLC and HMI, a firewall, and so on. You can also purchase access to his online labs, and they're updated, and I think you get access for like 6 months. I took his class that he taught at BSides Augusta, and you get like six months of access, so it's very cool stuff. I was really impressed with the labs. David Formby, that's his name. Really nice guy. I think he got into this when he was doing his PhD work and has really just taken off and run with it since. So definitely check those out if you have the time and the want, and I'll probably be doing some demos of that down the road sometime, but probably not as part of this course. Definitely check that out.
So I'm going to pull myself back a little bit before I go too far off the rails, and we can talk about some of the other industrial control protocols. We'll definitely be referencing some of these additional ones as we go throughout the course, even some that aren't actually listed in this section, like BACnet. BACnet's not here; BACnet is used in building automation systems, so that's one that's probably going to be more common for people, especially even IT, to come across. S7 is a proprietary protocol from Siemens, so if you have Siemens in your environment it can be talking S7. Just like with Modbus, it can run on its own, but more than likely you're going to see it running over TCP/IP these days. Very similar to Modbus, it allows you to read values, write values, and issue commands for things like troubleshooting. This is what it looks like from the Wireshark perspective. Now the one kicker with this example: when I started looking at it, the first thing that jumped out is the IP addresses, because if you look at the IP addresses, these are public IP addresses. These are hosts on the internet. These are not internal IP addresses; they're not private IP addresses. So this would, as you imagine, indicate this is traffic over the internet, which, that's more than likely. Now you can actually use public IP addresses internally and still have it private, but on the surface this would look like two hosts communicating over the internet, and we never want our OT assets exposed to the internet, not directly, because that's going to leave them open and vulnerable to attack. But this is what it looks like through Wireshark. It's very similar; in this case you can see it's not read/write functions, it's: okay, tell me what the time is on that PLC. And then you can see the next set, if we kind of go back and get rid of the arrows, it's not only read the clock but set the clock. So what if an attacker could change the value of the clock, the time or the date? That can literally be potentially dangerous in an OT network, and if anything it's just going to potentially break your process. And then there you can see Wireshark deciphering, with the dissector, the information for S7.
I mentioned OPC; this is the one that's based off of object linking and embedding, but I still can't say this without laughing, because it's like, oh my gosh, you did what? I still can't believe this to this day; it's still kind of funny. Now the newer version, OPC UA, is a modern open-source protocol. It uses kind of a client/server model, and there's also a publish/subscribe. There are other protocols that it supports, so you can see TCP, UDP. We're also going to come back and talk about MQTT, not in this course, but we will talk about MQTT as a messaging protocol as well. You can see it actually has security features, where with the original version of OPC there were no security features. I think the one key thing between OPC and OPC UA is they're completely different protocols; there's no connection other than they come from, oh, I don't have the picture anymore, the OPC Foundation folks. And then again there are a lot of others that we're going to talk about. I mentioned BACnet; we'll talk about BACnet a little bit, we'll talk about DNP3 a little bit, we'll talk a little bit about PCWorx, Omron, CODESYS. CODESYS we'll definitely be talking about, and there's a lot more to the CODESYS conversation, where it's more than just this idea of a protocol. So those are definitely some we'll talk about; the list goes on and on. We'll even talk about more when we get into the Shodan section, so it should be unit 7 or part seven, when we get down there.

And then there are also the wireless protocols, so we'll come back and see some examples later on in the course about different wireless communication. Remember, wireless can be anything. In the IT world, when we say wireless we're usually just talking about 802.11, maybe Bluetooth, maybe near-field communication for things like badge readers to open up doors. But in the OT world we can have lots of different types of wireless communication: RF, like radio frequency, Zigbee and WirelessHART. Those are some of the ones that I'm more familiar with, because I see those more in environments, but you also see 802.11 everywhere in control system environments, which is very dangerous, because Wi-Fi inherently is not safe, it's not secure, and it's hard to secure, especially in OT environments, and so we're leaving these environments open to attack. But we'll come back and talk about that hardening, especially when we get into things like secure network architecture a little bit later on, and what we're doing with wireless protocols and how we're going to secure those.
So we kind of ran through a lot there. I know that's a lot of information, but we talked about different types of control systems and then we got into different control protocols, and the main one we're focused on is Modbus over TCP/IP, because that's the one we're going to see everywhere. I think it also makes for some fairly straightforward examples, but again, we'll come back and talk through some more of those examples. We didn't get too far into the weeds; I think we just wanted to hit it at a high level, and then we'll come back and start digging a little bit deeper. So that's the end of this part, and we'll come back in the next section, which is where we really start to talk about, okay, how do we secure our networks? And this is where I also like it, because we're also talking about, well, how do we secure them? Well, what are we securing them from? So what are the different types of attacks? That's what we're going to be able to see. So I think, yeah, with that, that's the part. Thanks again for watching. If you liked it, if you can like it on YouTube, and if you haven't already subscribed, I appreciate it if you do. Otherwise, I will see you in part four. Thanks again for checking it out.