ICS410

Welcome to the CutSec SANS ICS410 resources page. These are just a few extra online resources and items that didn’t make it into the class. We hope these help your ICS / OT cybersecurity journey. Contact us if you have something to add or a suggestion.

Quick Reference Links

• Updated BP Texas City Animation on the 15th Anniversary of the Explosion
• 1947: Texas City Disaster Part 1
• 55 gallon steel drum can crush using atmospheric pressure
• Social Engineering – Reporter Gets Mobile Account Hacked
• S4 Conference Videos: S4Events Youtube
• SANS ICS Videos: YouTube
• Op de Schouders van Reuzen – De zes stormvloedkeringen van Rijkswaterstaat (On the Shoulders of Giants – The six storm surge barriers of Rijkswaterstaat) – In Dutch
• CISA Known Exploited Vulnerabilities (KEV)
• ICS Advisory Project – CVE-CPEs Dashboard
• Free 8 hour Linux Basics Course
• Industrial Control Systems – Understanding ICS Architectures by Chris Sistrunk
• A microsecond is 1/1000th of a millisecond (1000 μs = 1 ms)

Certification Study Links

• Leslie Carhart guide to taking sans test. Better GIAC Testing with Pancakes
• Matthew Toussain – Get Certified! All You Need to Know to Rock GIAC Exams
• Matthew Toussain – Wargaming GIAC Certifications
• Matthew Toussain – Rocking the GIAC Exam with Voltaire
• Matthew Toussain – Voltaire (Index building App)
• Anki Powerful Flash Cards
• Develop Technical Recall Skills: Spaced Repetition with Anki
• Ron Hamann –Are You Certifiable? | SANS@MIC Talk

Books

• The Cuckoo’s Egg by Cliff Stoll
• Countdown to Zero Day by Kim Zetter
  • Stuxnet Documentary “Zero Days” – this movie has been moved to pay-per-view
• Sandworm by Andy Greenberg

Important OT Podcasts, Talks, and Interviews

• OT Under Threat: Dragos’ Robert M. Lee on Navigating Cyber-Physical Risks
• Water Sector Cyber Risk with Gus Serino
• Killing Time – SANS ICS Security Summit 2021 with Jeff Shearer
• Triton – A Report From The Trenches with Julian Gutmanis
• FuxNet: The New ICS Malware that Targets Critical Infrastructure Sensors with Noam Moshe

General Topic Links

• Differences between SCAP and STIGs
• Wireshark OUI Lookup Tool
• CISA Network Architecture Verification and Validation (NAVV) 
• INL Consequence-driven Cyber-informed Engineering (CCE)
• Google Learn Computer Networking Free Course
• CISA ICS Training Resources
• Information Trust Institute (ITI) ICS Security Tools GitHub
• Original Sheep-Dip Project

Equipment Links

• Remote / Onsite Security Assessment Jumpkit – I started documenting my equipment in 2019. I’ll try to keep this up-to-date. Feel free to submit a Community Case to the project.
• Essentials for Your ICS Incident Response Jump Bag – Dean Parson’s brief on “What’s inside your jump bag for incident response for industrial control systems? The gear you take with you is critical! Watch Dean explain the essential items you need in your ICS IR jump bag.”

Purdue Level 0/1 Links

• Image of an old relay setup to help understand where Ladder Logic came from.
• Modernizing Hardwired Relay Logic With PLCs – blog post about taking old relay setup and converting to Ladder Logic.
• Forescout OT:ICEFALL Report
• Velocio Datasheet
• Industrial Protocols and Ports
• More Industrial Protocols and Ports
• Top 20 Secure PLC Coding Practices
• Comparison of Real-Time Operating Systems (RTOS)
• Simply Modbus
• How to Analyze I2C – Saleae Support
• Remote Terminal Units (RTUs) based on SIMATIC
• Introduction to Yokogawa DCS
• DNP3 vs IEC104 vs IEC61850
• Choosing the Best Communication Protocol: DNP3 vs IEC 61850
• Hardware Hacking Class: ControlThings.io Accessing and Exploiting Control Systems and IIoT
• Riverloop Hardware Hacking
  • Dumping EMMC Flash
  • Introduction to JTAG
  • Communicating with JTAG via OpenOCD
• Hacking The Xbox
• Wireshark and Fieldbus Protocols
• OPC DA DCOM Port Range Restrictions
  • Microsoft Tech Blog – RPC/DCOM port ranges are more limited after win2008 (49152-65535)
  • OPC Expert
  • OPC Training Institute
• How Relays Work – Basic working principle
• SEL RTAC Security – Leveraging Security – Using the SEL RTAC’s Built-In Security Features
• IAEI Blog describing Timing Considerations for Arc Flash Protections – Key Considerations for Selecting an Arc-Flash Relay

Attack Consequence Videos

• United States Chemical Safety and Hazard Investigation Board YouTube Awareness Videos
• Hydrocarbon Release Hazard Awareness
• Animation of Bayer CropScience Pesticide Waste Tank Explosion

Attacks on Remote Sites

• General
  • Aurora Attack – Staged cyber attack reveals vulnerability in power grid
  • Repository of Industrial Security Incidents Database – last updated on January 28, 2015
  • Dallas Emergency Sirens Activated in 2017 via UHF 450MHz radio signal.
• Water:
  • US Moves to Shield Drinking Water
  • Maroochy Water Services Attack (Insider Threat)
    • MITRE Malicious Control Systems Cyber Security Attack Case Study – Maroochy Water Services, Australia
    • Maroochy Water Breach YouTube Video
    • Maroochy Shire Sewage Spill
  • CISA Exploitation of Unitronics PLCs used in Water and Wastewater Systems
    • Hackers breach US water facility via exposed Unitronics PLCs
    • Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
• Electrical:
  • Sektor CERT – The attack against Danish critical infrastructure
  • Watch How Hackers Took Over a Ukrainian Power Station – HMI attack on power substation
  • The story of Jason Woodring, the Arkansas power grid vandal
  • Why the US Power Grid Is Under Attack
  • California Man Arrested for Transformer Bombings
  • Smart Meters in Puerto Rico Hacked
• Nuclear
  • Can you HEAR Stuxnet damaging centrifuges at Natanz?
• Rail
  • Polish Teen Hacks Tram in 2008
  • The Cheap Radio Hack That Disrupted Poland’s Railway System
• Ports
  • Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Biggest Ports (Insider Threat)

Physical Security Links

• The White House: National Strategy for Physical Protection of Critical Infrastructure
• CISA Cybersecurity and Physical Security Convergence Action Guide
• CISA SECTOR SPOTLIGHT: Electricity Substation Physical Security
• CutSec Blog: ICS/OT Cybersecurity Self Analysis – Physical Security
• Light Water Reactor Sustainability (LWRS) INL
  • Risked Informed Physical Security
  • Physical Security Resources
• Public Health Emergency (PHE): Physical Security

Managing Your IR Efforts

• What are your goals?
• What questions help you achieve your goals?
• What data would answer those questions?
• How do you acquire that data?

Incident Response Table Top Links

• CISA Tabletop Exercise Packages (CTEPs)
• CISA ICS Training
• Dean Parson’s ICS Incident Response Tabletops
• Lenny Zeltser Cheat Sheets and Presentations
• NERC’s Grid Security Exercise (GridEx)
• MITRE Cyber Exercise Playbook
• Black Hills Information Security (BHIS) Backdoors and Breaches
• BHIS ICS/OT Backdoors and Breaches 
• Center for Internet Security: Tabletop Exercises – Six Scenarios to Help Prepare Your Cybersecurity Team
• Red Canary: Are You Using Tabletop Simulations to Improve Your Information Security Program?
• Dragos Preparing for Industrial Cyber Response
• Dragos Preparing for Incident Handling and Response in ICS
• Dragos Tabletop Exercise
• ICS4ICS Incident Command System for Industrial Control Systems
• European Network for Cyber security (ENCS) Red Team – Blue Team Training

Velocio and PLC Links

• Velocio PLC Teardown/Review
• Velocio Youtube Channel 
• Velocio Tutorials
• Learning PLCs on a Budget
• CLICK PLC Hardware: The Best PLC for Everyday Control Systems Needs
• Virtual Cyber Ranges: Thomas Van Norman

Network Links

• Wireshark OUI
• Private VLANs
• Multicast Addresses
  • IANA Multicast Address Space

Radio Links

• GRC Transmission Analysis: Getting To the Bytes – how-to use Gnu-Radio to get data out of transmissions, instead of Universal Hacker Radio.
• Radio Communication Analysis using RfCat – how-to use RfCat to do analysis on 900 MHz transmissions to get to the data.
• Software Defined Radio with HackRF Lessons – free radio courses that take a deep dive into radio theory.
• MouseJack – CrazyRadio PA – keyboard and mouse interception and injection project.
• Flipper Zero
• Great Scott Gadgets HackRF
  • PortaPack Versions
• Hak5 WiFi Pentesting  – Lots of wireless tools
• Field Expedient SDR – book about Gnu Radio Companion and radio theory basics.
• LoRa and LoRaWAN
• Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare (GPS related)
• Satellite attack write-ups
  • A Wake-up Call for SATCOM Security (April 2014)
  • Last Call for SATCOM Security (Aug 2018)
  • Missed Calls for SATCOM Cybersecurity (March 2022)
  • SATCOM Terminal Cyberattacks Open the War in Ukraine (March, 2022)
  • VIASAT incident: from speculation to technical details. (March 2022)
  • Update on SATCOM Terminal Attacks During the War in Ukraine (May 2022)

Remote Access Links

Just a few solutions to help start research into remote access solutions. These are not a recommendation, just links to the solutions.

• Beyond Trust Privileged Access Management
• Zscalar Secure Remote Access

NBAD / Asset Management Links

Just a few solutions to help start research into asset management and Network Behavior Anomaly Detection (NBAD) solutions. These are not a recommendation, just links to the solutions.

• PAS Automation Asset Management
• Hexagon Asset Lifecycle Information Management
• Claroty Integrated and Comprehensive IoT-OT Security
• Dragos Industrial Cybersecurity Platform
• Nozomi Automating My Asset Inventory
• Otorio RAM^2 Asset Inventory Management
• Armis Cybersecurity Asset Management
• Tenable Tenable.OT

Software Bill of Materials (SBOM) Links

Just a few solutions to help start research into Software Bill of Materials (SBOM) solutions. These are not a recommendation, just links to the solutions.

• Adolus Technology OT & IoT Supply Chain Security
• NetRise Firmware Security
• Cybeats SBOM Studio
• Finite State End-to-end SBOM Solutions
• Security Risk Advisors Cyber Physical Systems Security

Josh Wright Links

• Will Hack For SUSHI
• Essential Crypto for Pen Testers (Without the Math!)
• PcapHistogram Python Version

Jason Larsen Videos

• 14 Hours and a Power Grid: BSides Track 2 3:30-4:15 Jason Larsen
• 14 Hours and a Power Grid: S4Events: 14 Hours And An Electric Grid – Jason Larsen
• Rocking the Pocket Book: Hacking Chem Plants: DEFCON 23 – Krotofil, Larsen
• Remote Physical Damage from Jason Larsen of IOActive – 55 gallon barrel implosion

Monta Elkins

• Hackers in your power tools & other unexpected places – news article about hacking hardware to demonstrate control of the device.
• Hacking firmware where you least expect it: in your tools – presentation about hardware hacking

Justin Searle Videos

• Dealing with Remote Access to Critical ICS Infrastructure

Paul Piotrowski Links

• ICS 410 Supplementary Practice Slides
• Duke fined $10M for cybersecurity lapses since 2015

• MIT-HACK: Tetris at the MIT Green building

Mike Hoffman Videos

• Gaining Endpoint Log Visibility in ICS Environments

Don C. Weber Videos

• SANS Instructor Spotlight – Don C. Weber
• SANS ICS Videos: YouTube
• SANS@MIC – Pen Testing ICS and Other Highly Restricted Environments
• SANS Webcast (registration required) – Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
• SANS Webcast (registration required) – Yes, IT and OT Are Converging So How Does This Affect Compliance
• DEF CON 20 – Cutaway – Looking Into The Eye Of The Meter
• Black Hat USA 2012 – Looking into the Eye of the Meter

Podcasts

• @BEERISAC – a consolidation of ICS / OT podcasts
• Unsolicited Response Podcast
• The CyberWire
• Darknet Diaries
• Malicious Life

RfCat Send Modbus

In the ControlThings.io Linux virtual machine, start a terminal. Run the command ‘rfcat -r’. Paste in the following commands. NOTE: copy and paste this whole section. Some of the data does not display in the browser but it will be picked up when you copy it all. Paste into a text editor to confirm you have all code, even the bytes that are not displayed.

 
import time packets = ["\x00\x00\x00\x00\x00\x06\xff\x04\x08\xd2\x00\x02", \ 
    "\x7c\xfe\x00\x00\x00\xc9\xff\x04\xc6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xdb\x00\x00\x01\xd6\x00\x00\x4a\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x61\x69\x6d\x00\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x31\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", \ 
    "\x00\x04\x17\x02\x58\xb7\x78\xe7\xd1\xe0\x02\x5e\x08\x00\x45\x00\x00\x34\x70\x29\x40\x00\x80\x06\x00\x00\x8d\x51\x00\x0a\x8d\x51\x00\x56\xdf\x60\x01\xf6\x54\xdc\x43\x72\x80\x54\xd4\x37\x50\x18\xf8\x60\x1b\x29\x00\x00\x00\x01\x00\x00\x00\x06\xff\x02\x00\x63\x00\x1e", \ 
    "\x00\x00\x00\x00\x00\x07\xff\x04\x04\x00\x00\x00\x00"] 
d.setFreq(433000000) 
d.setMdmModulation(MOD_ASK_OOK) 
d.makePktFLEN(250) 
while True: 
    time.sleep(0.5) 
    d.RFxmit("A-ECS: Last Day, Best Day!!!") 
    for p in packets: 
        time.sleep(0.5) 
        d.RFxmit(p) 

TShark Commands

Industrial Control Protocols

Purpose:

• Identify master servers and client / slaves
• Identify common protocols in use by master servers
• Also want to identify proprietary protocols in use, but this will be more difficult as Wireshark / Tshark may not have protocol dissectors for their identification and analysis.

# Modbus

## Masters
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -r <file.pcap> | sort | uniq
## Masters with function codes
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -e modbus.func_code -r <file.pcap> | sort | uniq
## Slaves
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -e eth.dst -r <file.pcap> | sort | uniq
### Note: The OUI hardware address does not resolve for field outputs. You have to check them yourself.
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -r <file.pcap> | sort | uniq | wc -l

# Aveva / WonderWare SuiteLink
## Servers
tshark -Y "tcp.dstport == 5413" -T fields -e ip.dst -r <file.pcap> | sort | uniq
## Clients
tshark -Y "tcp.dstport == 5413" -T fields -e ip.src -r <file.pcap> | sort | uniq

# Aveva / WonderWare InBatch
## Servers
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.dst -r <file.pcap> | sort | uniq
# Clients
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.src -r <file.pcap> | sort | uniq

# BACnet
## I-Am responses to Who-Is - sorted by source IP address
tshark -d udp.port==47809,bvlc -Y 'bacapp.unconfirmed_service == 0' -T fields -e ip.src -e bacapp.instance_number -e bacnet.sadr_mstp -e bacnet.snet -E separator=, -r <file.pcap>| sort | uniq | sort -g -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
## Device Count BACnet source
tshark -d udp.port==47809,bvlc -Y 'bacnet' -T fields -e ip.src -e ip.dst -r <file.pcap> | grep -v ',' | sort | uniq > <file.pcap>
### NOTE: The resulting file still needs to be counted. Probably best to export Wireshark filtered communications to an MS Excel file and do a pivot table.