ICS, SCADA, and Non-Traditional Incident Response
Kyle Wilhoit
Threat Researcher, Trend Micro
$whoami
• Threat Researcher, FTR, Trend Micro
• Threat Researcher at Trend Micro: researcher and blogger on the criminal
underground, advanced persistent threats, and vulnerabilities/exploits.
• Research:
• Malware detection/reversing
• Persistent Threats (Malware based espionage)
• ICS/SCADA Security
• Vulnerabilities and the Underground
• Offensive Exploitation
Agenda
What are ICS devices?
• Used in production of virtually anything
• Used in water, gas, energy, automobile manufacturing, etc.
• Notoriously insecure…in every way
• Software is sometimes embedded, sometimes not
• Typically proprietary
Glossary
• HMI: Human Machine Interface
• IED: Intelligent Electronic Device
• SCADA: Supervisory Control And Data Acquisition
• RTU: Remote Terminal Unit
• Historian: Data Historian
• Modbus: Most common ICS Protocol
• DNP3: Very common ICS Protocol
Typical ICS Environment
Security Concerns- ICS vs. Traditional IT Systems
ICS priorities (in order):
• Correct commands issued (Integrity)
• Up-time (Availability)
• Protection of data (Confidentiality)
Traditional IT priorities (in order):
• Protect the data (Confidentiality)
• Protect communication (Integrity)
• Limit interruptions (Availability)
ICS Vulnerabilities
• In 2012, 171 unique vulnerabilities affecting ICS products.
• 55 Vendors…
Unique ICS Concerns- Incident Response
• Remote…
• Lack of INFOSEC knowledge
• Lack of engineer knowledge of INFOSEC
• Unknown embedded/proprietary OS
• Lack of network layout knowledge
• Lack of logical access
Unique ICS Concerns- Forensics
• Remote…
– Imaging?!?!?
• Embedded/Proprietary operating systems
• WAN/LAN Links
BUT WHAT CAN WE DO?
Story Time…
• Small town in rural America
• Water pump controlling water pressure/availability
• Population ~18,000
Story Time…
• Water pressure system Internet facing
• No firewalls/security measures in place
• Could cause catastrophic water pressure failures
• First accessed Dec. 2012
Story Time…
Attacked several times during Q3-Q4
Attackers successfully gained access
Has not been made public
This is not a story…
Real-life event…
This Happened.
Story Time…
In my basement…
Enter Pro-Active Incident Response
Honeypot Overview
• Two low-interaction
• One high-interaction
• Ran for 28 days in total
• One Windows Server 08
• Two Ubuntu 12.04 Servers
What They See
What is an Attack?
• ONLY attacks that were targeted
• ONLY attempted modification of pump system (FTP, Telnet, etc.)
• ONLY attempted modification via Modbus/DNP3
• DoS/DDoS will be considered attacks
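The attack criteria on this slide (only attempted modification via Modbus/DNP3 counts; DoS counts; reads and scans do not) can be applied mechanically to honeypot traffic. The following is an added example, not code from the talk or from the honeypot it describes: it parses Modbus/TCP requests, labels state-changing function codes as attacks and read-only ones as reconnaissance, and flags a source that floods the listener as DoS. The sample frames, the source addresses (RFC 5737 documentation ranges) and the DoS threshold are constructed for illustration.

```python
import struct
from collections import Counter

# Modbus function codes that change device state (writes), per the Modbus
# application protocol specification. Reads and device identification are
# treated as reconnaissance, following the rule that only attempted
# modification via Modbus counts as an attack.
WRITE_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    15: "write multiple coils",
    16: "write multiple registers",
    22: "mask write register",
    23: "read/write multiple registers",
}
READ_FUNCTIONS = {
    1: "read coils",
    2: "read discrete inputs",
    3: "read holding registers",
    4: "read input registers",
    43: "encapsulated interface (device identification)",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into its MBAP header fields and PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError(f"protocol id {protocol} is not Modbus")
    # The MBAP length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": transaction, "unit": unit,
            "function": frame[7], "data": frame[8:]}

def classify_frame(frame: bytes) -> str:
    """Label one Modbus request as attack (write), recon (read) or unknown."""
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS:
        if fc in (5, 6) and len(pdu["data"]) >= 4:
            # Single coil/register writes carry the target address and value.
            address, value = struct.unpack(">HH", pdu["data"][:4])
            return f"attack: {WRITE_FUNCTIONS[fc]} addr={address} value={value:#06x}"
        return f"attack: {WRITE_FUNCTIONS[fc]}"
    if fc in READ_FUNCTIONS:
        return f"recon: {READ_FUNCTIONS[fc]}"
    return f"unknown: function code {fc}"

def classify_events(events, dos_threshold=50) -> dict:
    """events: (source_ip, frame-or-None) pairs seen at the honeypot.

    A source opening at least `dos_threshold` connections is reported once
    as a DoS attack; every other source gets one verdict per Modbus request.
    """
    per_source = Counter(src for src, _ in events)
    verdicts = {}
    for src, frame in events:
        if per_source[src] >= dos_threshold:
            verdicts[src] = [f"attack: DoS ({per_source[src]} connection attempts)"]
        elif frame is None:
            verdicts.setdefault(src, []).append("noise: connection without a Modbus request")
        else:
            verdicts.setdefault(src, []).append(classify_frame(frame))
    return verdicts

def count_attacks(verdicts: dict) -> Counter:
    """Tally attack verdicts by type (the data behind a per-type bar chart)."""
    return Counter(v for labels in verdicts.values() for v in labels if v.startswith("attack:"))

# Constructed sample traffic (hypothetical; RFC 5737 documentation addresses).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # read 10 registers at 0
WRITE_SINGLE_REG = bytes.fromhex("0002 0000 0006 01 06 0001 0000")    # set register 1 to 0
WRITE_COILS = bytes.fromhex("0003 0000 0008 01 0f 0002 0001 01 00")   # clear coil 2
DEVICE_ID = bytes.fromhex("0004 0000 0005 01 2b 0e 01 00")            # read device identification

SAMPLE_EVENTS = [
    ("203.0.113.7", READ_HOLDING),
    ("203.0.113.7", WRITE_SINGLE_REG),
    ("198.51.100.4", DEVICE_ID),
    ("198.51.100.9", WRITE_COILS),
] + [("192.0.2.55", None)] * 60   # one source hammering port 502 with empty connections

if __name__ == "__main__":
    results = classify_events(SAMPLE_EVENTS)
    for src, labels in results.items():
        for label in labels:
            print(f"{src:15} {label}")
    print(count_attacks(results))
```

The length check in `parse_modbus_tcp` matters in practice: scanners and fuzzers send malformed MBAP headers, and a classifier that trusts the length field will mislabel them. The DoS threshold is a placeholder; a real deployment would tune it per listener and time window.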
Attacks
Attacks by source country (count):
• China, 17
• US, 9
• Laos, 6
• UK, 4
• Russia, 3
• Brazil, 2
• Chile, 1
• Croatia, 1
• Japan, 1
• Netherlands, 1
• North Korea, 1
• Palestine, 1
• Poland, 1
• Vietnam, 1
Plus 1 spear-phishing attempt…
Attacks
Attacks by type (bar chart of counts, scale 0 to 14; the individual bar values are not in the slide text):
• VxWorks exploitation attempt
• Attempt to shut down pump system
• Modify temperature output
• Modify pump pressure
• Secured area access attempt
• Modbus traffic modification
• Modification of CPU fan speed
Need for ICS Incident Response
• No focused interest seen…anywhere…
• Needed to understand attacks.
– Are we even attacked???
• Need to understand differences
– Security event
– Engineering event
– Hardware event
– Etc.
• Educated response leads to decreased risk
• CRITICAL INFRASTRUCTURE!!!
“Traditional” Incident Response
ICS/SCADA Incident Response
• Must include forensics
• Must be dynamic enough to diversify
• Must have SMEs
• Must follow documented process
• Must have a wide range of expertise
• Must utilize threat intelligence
ICS INCIDENT RESPONSE APPROACHES
Proposed ICS IR Flow
• Asset Identification
• Pro-active Identification
• Incident Identification
• Investigation/Assessment
• Threat Actor Identification
• Containment
• Forensic Capture and Analysis
• Recovery
Asset Identification
• Identify all assets deemed “ICS”
• Perform criticality assessment
• Logically map all equipment
• Map connectivity points to LAN/WAN segments
• Identify make, model, and manufacturer of ICS equipment
Pro-Active Identification
• Honeypots
• IDS (Not IPS in active mode!)
– Must be placed parallel to other ICS equipment
• IOCs
• Threat Intelligence (HUMINT, SIGINT)
• Offensive Incident Response
• Network Segmentation
Incident Identification/Investigation
• Identify Incident
– Engineering mistake?
– Security Incident?
– Hardware Incident?
• In the ICS world, the device is likely taken off the network
• Primary business priority: get back online
Threat-Actor Identification
• Why care, especially during an incident?
• Helps look for parallel attackers
• Can help planning of offensive IR (Offensive countermeasures)
• Use OSINT!!!
OSINT Case Study
Containment
• Typical Containment Methods:
– Firewalls
– IPS/IDS
– Take device off net
– ACLs
– Bastion hosts
– Whitelisting
– IOC development
– Increased logging
– Sniffer deployment
The list goes on…
ICS Forensics
• Done to understand incident on micro level
• Will allow classification of future “events”
Forensics process (diagram):
• Asset retrieval (if applicable)
• Chain of custody established
• Forensic imaging (physical, logical, and memory)
• Capture of forensic network data (where applicable)
• Analyze forensic data (string search, data carving, artifact analysis, etc.)
• Interpret and draw inferences
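Three of the steps on the forensics slide (chain of custody, string search, data carving) are mechanical enough to show in code. The following is an added example and not the speaker's tooling: it records a custody entry with the SHA-256 of an acquired image so later handling can be verified, extracts printable-ASCII runs the way the `strings` tool does, and carves PNG files by header/footer. The image bytes are a constructed stand-in for a small logical image from an HMI host; the examiner and source names are hypothetical.

```python
import hashlib
import re
from datetime import datetime, timezone

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"   # IEND chunk type followed by its fixed CRC

def record_custody(image: bytes, examiner: str, source: str) -> dict:
    """Chain-of-custody entry: who acquired the image, from what, and its hash."""
    return {
        "examiner": examiner,
        "source": source,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }

def verify_custody(image: bytes, record: dict) -> bool:
    """True only if the image still matches the hash taken at acquisition."""
    return hashlib.sha256(image).hexdigest() == record["sha256"]

def find_strings(image: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes (what `strings` reports)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]

def carve_png(image: bytes) -> list:
    """Header/footer carving: every region from a PNG signature to its IEND chunk."""
    carved, pos = [], 0
    while True:
        start = image.find(PNG_SIGNATURE, pos)
        if start < 0:
            break
        end = image.find(PNG_END, start)
        if end < 0:
            break   # signature without a terminator: truncated file, skipped
        carved.append(image[start:end + len(PNG_END)])
        pos = end + len(PNG_END)
    return carved

# Constructed sample data (hypothetical): a minimal PNG skeleton embedded in
# a blob of NULs, a config line and a captured login prompt.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17   # IHDR chunk: 13 data + 4 CRC bytes
    + b"\x00\x00\x00\x00" + PNG_END             # zero-length IEND chunk
)
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"PUMP_SETPOINT=42\n"
    + b"\xff\x13\x07"
    + b"login: root\r\npassword: \r\n"
    + b"\x00" * 8
    + SAMPLE_PNG
    + b"\x00" * 16
)

if __name__ == "__main__":
    record = record_custody(SAMPLE_IMAGE, "examiner-1", "hmi-01 /var (logical)")
    print(record)
    print("intact:", verify_custody(SAMPLE_IMAGE, record))
    print("strings:", find_strings(SAMPLE_IMAGE))
    print("carved PNGs:", [len(p) for p in carve_png(SAMPLE_IMAGE)])
```

The custody record is deliberately computed before any analysis touches the image; every later step should re-run `verify_custody` on its working copy, and a mismatch means the copy, not the original, is what changed.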
Recommendations
• Implement forensics and incident response into ICS environments
• Have SMEs for threat intelligence, malware, incident response, and forensics
• Have pro-active protections in place
• Utilize logging!!!
• Take devices off the Internet
• Utilize network segmentation
Thanks!
kylewilhoit@gmail.com
Kyle_wilhoit@trendmicro.com
@lowcalspam