
Explaining ICS To A Fool Of A Took

BSides London · 2025 · 44:20 · Published 2025-02
Tags: Technical, Talk
About this talk
There are thirteen pillars upholding the critical national infrastructure (CNI) that allows for the everyday running of our society. These pillars are sectors that rely on four generations of operational technology (OT) systems, with the oldest generation being pre-Internet. What are these industrial control systems (ICS) that we rely on, and how are they vulnerable? This talk will outline a generic ICS, from the hardware to the protocols that allow the complex systems to speak with one another. Research into these systems is often done on physical testbeds and digital twins (I don't know about you, but I wouldn't want to try to hack an actual nuclear reactor). The talk will discuss the testbeds that I'm lucky enough to play with day-to-day. How are these industrial control systems vulnerable, and what can we do to protect these systems from malicious actors? Finally, how are these thirteen pillars connected? If we knock one down, will the others fall like dominoes?
Transcript (en)

Okay, so welcome to my talk. I'm going to be explaining industrial control systems to a Fool of a Took, so this won't be very low-level; it'll be high-level. It'll be explaining what I've been learning over the last few years, what I've been interested in for the past six years. So yeah, I'm a software engineering teacher and I'm a second-year PhD candidate, so this is the area that I'm researching in, and that's industrial cyber security. Lately I've been trying to spend more time outside than inside. I love coding, it's what I do for my job, but you'll find me with a book more than you'll find me coding these days in my spare time.

So firstly, a disclaimer. I talk for Wales; it's probably good I have 45 minutes. I'm here for fun; it's not part of my studies or my job, but I will be talking about some of the equipment that we do have at work and expressing some personal opinions, so it doesn't reflect where I work. And I finished teaching at 4:00 p.m. yesterday, so I'm pretty tired; I got to London quite late. I'm not funny, but I joke when I'm anxious, so there will be jokes in here and they will be awful, so I'm sorry about that. I'm still learning myself, so if I'm incorrect, tell me later, maybe not in front of everyone if it's really embarrassing, but you can call me out if you want to. Just come find me later and talk to me, because I'm still learning and I want to learn from you, and I'm hoping that you're all going to learn from me too.

So we have a problem. We have a problem, and our problem is: it's possible to hack things, and we rely on things. That is the premise of this whole talk. We're reliant on technology. Going back maybe a hundred years, we wouldn't be reliant on technology for a fraction of the things I'm about to talk about. Things would have been done manually; they wouldn't have been automated, and there wouldn't have been so many problems happening. There'd have been a lot of human error but less technical error. So this is what this talk's going to be about: from the watch on your wrist, to the thermostat in your home, to the machine that squeezes your orange juice, and the app you use to buy your train ticket, which I imagine almost all of you did if you used a train to get here, and to the card machine that takes your payments. And I know even in the last year we've had issues where card payments, like Mastercard, have gone down or Visa has gone down. It's good that a lot of people have at least one or the other, so they're able to pay for something.

So I want you to imagine. And no, not that, but that's what came to my mind when I made this, because I was going to say I want you to imagine a scenario, but then I'm one of the people that, if I am told "I want you to think about a red apple", I can't visualize a red apple unless I'm literally just about to fall asleep. So I'm one of those people, and you probably didn't need to know that. But I want you to imagine, seriously: you have a thermostat in your home. It controls the temperature. Someone hacked into that. How would you feel? They could make it probably quite hot, but I imagine there's a fail-safe there; it won't be able to get too hot. It'll waste a lot of money and it might be annoying, or maybe it'll make it really cold, and that would be really annoying too, but you wouldn't die from it. It would just be annoying. So I think: what about medical devices? For those of you that were here for the opening talk, we were asked not to hack into BLE devices, so insulin pumps, that kind of thing, that people here today might be walking around wearing. But on a bigger scale, we use technical devices in hospitals that can be hacked into, and these might be connected to the internet. What do you think about that? How about traffic lights and train signaling systems? What happens if you hack into them? What about a nuclear reactor? Same premise as a thermostat, you know: gets too hot, it cools down; gets too cold, it increases. Very simply put, what happens if that goes wrong?

So when I proposed this talk there were 13 pillars upholding society: chemicals, civil nuclear, communications, defense, emergency services, energy, finance, food, government, health, space, transport, water. But there's a 14th now. So one thing about all of these is: could we go without them? Previously they weren't reliant on technology, or not the technology we know these days, the interconnected electronic technology, but now they are all reliant on each other. So we now have a new pillar: data centers. The 14th sector has been added as critical national infrastructure in the UK, and these are seen as critical to society's functioning, and I have the definition in the next slide. This was announced by the UK government as of the 12th of September this year. This makes a lot of sense. If I go back, how many of these rely on data centers now? Everything's in the cloud. People running their own servers in their own business locations? No, a lot of them are working from home; a lot of them don't have business locations. And yes, you have the big data centers that you can rent out, and then companies do have their own data centers, and they would both be part of this. Oh, it's interesting, actually. I would say you have more control over your own data center, but then if something goes wrong, like a flood, you're not really covered. You have a lot of control over your data, but then if you save it to a large data center, a large data company, and I can imagine you all thinking of company names right now, they might have like three or four backups of your data across the world just in case one location goes down, so you always have access. So it's about weighing it up.

So critical national infrastructure, according to the NCSC, are national assets that are essential for the functioning of society, such as those associated with the energy supply, water supply, transportation, health and communication. So they're classed as critical for maintaining life as we know it.

So the first thing I'm going to talk to you about is cyber security demonstrators. What is that? They are shiny things used to convince C-suite execs to spend money, and they like flashy things, the C-suites do. The lights go out when bad things happen. So just like I was asking you to imagine things, think of the apple: those of you who can imagine the apple, you would maybe really have been able to imagine what could have gone wrong, and those of you who can't, maybe it was a bit more difficult. So these are visual, physical things in front of people that show them exactly what can go wrong. So it's chaotic good, as money spent on cyber is money well spent, and you're all here today, so I assume all of you are on the same page as me there. They're not always useful for actual cyber security research. Some might just have some Python code or an Arduino running these simulations to show what would happen, but some might have actual PLCs under the hood controlling it, and then you can actually run actual cyber attacks on them, and then they will demonstrate what can go wrong. So I'm going to show an example here, and I've got two people in the room who will recognize this. This is one from work, and this photo was literally taken yesterday, and to me it's pretty cool. I wish I could have put a video in here, but I wasn't sure how it would show up, but it runs through phases of what happens as different areas of national infrastructure go down. So it allows C-suite execs to come in, see what could happen, and then figure out what they need to do to make sure that doesn't happen to them.

So, industrial control systems, what you're all here for, right? So the example I've always gone for, and this is actually I think the third talk I've given to do with operational technology or SCADA systems or industrial control systems, I always go for the thermostat example; it's my favorite. And as this is explaining ICS to a Fool of a Took, for those who don't understand the reference, it is a Lord of the Rings reference; "fool of a Took" is a halfling reference. My mind's gone blank: Peregrin Took. So, thermostat. We're going very simple: you set the thermostat temperature to a value. If the temperature is equal to or more than the value, the heater is off; if the temperature is less than said value, the heater is on. Sometimes people make out that this is a really complex topic. It's not; it's a control loop. In these systems you have sensors and they pick up signals, in this case that would be temperature. The actuators, such as a motor, would then make the change, and it is that simple.

So, a lot of buzzwords here. You have operational technology, industrial control systems, SCADA systems, and I think one thing about this is that it's happened over time, because there are generations. For example, IoT, the industrial internet of things, didn't exist when SCADA systems existed, so all these new buzzwords are popping up all over the place because people are coming up with new terms. So OT, operational technology; ICS, industrial control systems; SCADA systems, supervisory control and data acquisition systems; DCS, distributed control systems; and then on the side, the industrial internet of things.

So there are four generations of industrial systems: you have monolithic, distributed, networked and industrial IoT. The first generation, monolithic: these were built around the 1960s and 1970s, and I am generalizing here; there might be some that were built after then, but I'm generalizing. These are called monolithic because they were large mainframes, and they're still in use today. They should be air-gapped and controlled locally. This means that rather than connecting to it externally, you would have had to be in the room with it, connected directly to it, to control it. Second generation, distributed: you can then have smaller systems with a more powerful mainframe connected through a local area network. You can then control it maybe in the other room, maybe in another building, but it isn't as large as the internet. So this allowed for an increase in interoperability between systems. The third generation, networked: these were built in the 1990s and they increased network connectivity and interoperability even more, so the network protocols that were being defined in 1990 allowed for the increased network connectivity and interoperability. Before then, the connections between these systems weren't defined by these protocols. The fourth generation, industrial IoT: this is much more recent, built in the 2000s. These systems are linked via an API; they can be linked to human-machine interfaces such as web applications. But these four generations don't all stand alone; they're all interconnected, because critical national infrastructure uses a plethora of these four that have all been bodged together. And if you could imagine that the first generation is secure by air gap and we need to connect that to industrial IoT devices, that means a network connection needs to be created, which introduces security risks into the first.

So I'm going to go through something called the Purdue model. In the control loop we talked about sensors and actuators; these would be field devices, these are level zero. I see this as quite a similar kind of thing to the OSI model: it allows you to differentiate between the different components within industrial networks. So level zero would be field devices such as sensors and actuators. One would be local controllers, so these would be programmable logic controllers and remote terminal units, among others, because I will have a slide for each of these. Level two, that's local supervisory, so human-machine interfaces and historians; same for three, but there is a difference which I will go through, so three is site-wide supervisory. Four, business networks, workstations and local servers, and five is enterprise networks, so enterprise Active Directory and the enterprise SOC. This was created by Theodore J. Williams, and the data I'm going to be using in the next six slides comes from the Introduction to ICS Security Part 2, so I'm going to be going through that, but it comes from their course.

Level zero, field devices: these are, like I said, sensors and actuators. For the cell, line, process or distributed control system solution, it's often combined with level one. These can include basic sensors and actuators; smart sensors and actuators speaking fieldbus protocols (that should be two separate bullet points there); intelligent electronic devices; industrial internet of things devices (we talked about IoT earlier, so they go in at level zero); and communication gateways. Level one, often combined with level zero devices and systems, to provide automated control of a process, cell, line or DCS solution. Modern ICS solutions often combine level one and zero, like I said. This has come from SANS, because everyone describes it slightly differently and this is the version that I like. So PLCs, control processes, programmable relays, RTUs and process-specific microcontrollers. When you break it down, it's really quite simple. Local supervisory: monitoring and supervisory control for a single process, cell, line or distributed control system solution, isolating processes from one another, grouping by function, type or risk. So again, HMIs, alarm servers, process analytic systems, historians, control room if scoped for a single process and not the whole site. Then we have the site-wide supervisory, which is similar to two but site-wide; again, very simple: monitoring, supervisory and operational support for a site or region. So management servers, HMIs, alarm servers, analytic systems, historians. Then we have the DMZ that splits the OT from the IT. Now we're on to what you would usually expect within businesses, so we've got business workstations, obviously, local file and print servers, local phone systems, enterprise Active Directory replicas, and I don't think we have another one there. So that splits the DMZ; you would have firewalls between your OT and your IT, and that's really important, but not a lot of organizations do that. A lot of organizations would have people working on workstations within the OT network, and that split is one of the things that can be done and enforced to decrease risks. Enterprise networks: corporate-level services supporting individual business units and users. These systems are usually located in corporate data centers, so servers providing enterprise Active Directory, internal email, customer relationship management systems, human resource systems, document management systems, backup solutions, enterprise security operations center, and that's it. So the reason I've used that from the course as it is, is that that data, I just couldn't put it better myself, and sometimes when you're trying to relay something, going with something that you know works is good.

So, moving on: how do you control these controllers? Well, you use something called ladder logic. It's a language used for programming PLCs, and it took me a while to get my head around the fact that it wasn't this very complex language that I was terrified to learn, because it's actually created for engineers working on these systems to be able to visually control the circuit diagram. So I was terrified to give ladder a go and there was no reason to be. It's one of the main languages used for programming PLCs, like I said. It looks like a circuit diagram with power flowing across, running one line at a time. I think last summer I had a student use ladder logic for their dissertation, and it was just really fun to get involved with it. So it's one of the IEC 61131-3 standard languages, and I'm glad I read that right, because dyslexia.

So, industry-specific network protocols. This could be a talk completely in itself, so I won't be talking through each of these, but I will be showing you some test beds that are used for attacks on Modbus and CAN bus. So the list there: Modbus, CAN bus, PROFIBUS, PROFINET (and I've got someone in work looking at PROFIBUS and PROFINET, so hopefully he can come to one of the BSides in the future and do some talks on that), EtherNet/IP CIP, KNX (I had a dissertation student look at KNX last year, so if anyone's interested in that I can send you across his report), AMQP and BACnet. So that is definitely a talk for another time; they are a massive area to talk about, and I do want to focus on the equipment and keep it simple.

So let's look at some cyber-physical system test beds. These are the ones that I'm lucky enough to be involved with, or use, play with; you know, it's really fun. So I did the Hacktronics course; they came into the university. This is a course using the Bristol University box, showing the image. We wrote scripts to reverse the direction of a Factory I/O conveyor belt, and we exploited a vulnerability in VNC. It was run by Professor Awais Rashid and Dr Joe Gardiner, and it was honestly a really, really great course. The second one was a SANS ICS course. This was provided for postgraduate students, which I am at my university, so they came in and did a full-day course. We used a PLC and OpenPLC for this, and I would say it was a very different experience to the Hacktronics course. I think I learn better myself through the kind of lecturing that Joe does, definitely; this was very Americanized, very sales-pitchy, but there was a lot of really good information there and I learned a lot from it. So that's just a personal opinion on it, but it is a really good course. So they're the two that I've been involved with through courses.

But then back at work we have an oil and gas rig. It's in the cyber lab and it was built by David Seel for Abu Bakar Muhammad's PhD. Using this, Abu managed to detect a field flooding attack, which is a man-in-the-middle attack with which he was able to do a DoS on the PLC, and he actually recreated this on three other test beds, and that became his PhD. If anyone is interested and wants to talk more about this equipment later, we've got two security engineers from work in the room right now, so you can have a chat with them. We also have a smart city with a Hornby railway, so anyone that knows me would know why I'm quite excited about being able to play with this: I can play with a model train at work, so that's really cool. It uses a Schneider Electric PLC that controls the train; it uses a Siemens S7 PLC that controls the smart city. It's a demonstrator but it's also a test bed, and it was one of the test beds that Abu, who I mentioned in the previous slide, managed to detect his field flooding attack on. The third one, I think he had access to a manufacturing test bed up in Talis, up in the valley, so those were two of the three that he managed to detect them on.

So we also have a car simulator. If you've been to quite a few BSides you would probably recognize this, because it's a replica of one that's come to multiple BSides. It was created by David Rogers of Copper Horse for the university, and it simulates attacks while driving. So it can be used for research, but it's a really good education piece, especially when we get students in from schools, because we can show them what it's like: if you're driving, you can press buttons and it will show what it would be like to hack into a car and what it would feel like to have your accelerator, clutch and brakes cut, all at the same time or all separately. But like I said, if you've been to BSides in the past you've probably been able to have a go on one of these. It uses OpenCAN, which is an open-source version of CAN, and it is both a demonstrator and a test bed, so it can show people what it's like if you hack into this, and you can actually feel it; it's a physical experience. But also, because it uses the open-source version of CAN bus, it can be used for security research as well.

So, digital twins and simulations: what's the difference between these? Digital twins can have a bidirectional connection or a one-way one; there are different opinions on this. Simulations are then standalone and aren't connected to the cyber-physical system; however, there is quite a lot of research out there where "digital twin" has been used as a term for standalone simulations. But it is the NCSC's definition that for a simulation to be a digital twin it has to have a one-way or two-way connection to the system that it's mimicking. What this would mean is that you could have your industrial control system, and then have a connection to it, and then have a simulation that mirrors everything happening: something changes over here, it changes over here; there's an update over here, then it updates over here. So this means that if anything needs to be patched on your system, you can run it on the mirror first to see how it goes. The one-way connection is more secure than the two-way connection, for obvious reasons, but there are benefits to the two-way connection because it means that they are mirroring each other.

Okay, so here's an example of one. This was a student project; they were working part-time with the Cyber Innovation Hub, it's part of Cardiff Uni, and Ben created a smart house which simulated utility usage. Then for his dissertation he did a waterway simulation showing what would happen if you contaminated the water, and he had quite a punny acronym: he named it "simulation of hydrological impact treatment"; I can't remember what the T is. But it took him a while to find a perfect acronym, and I think that actually ended up on his dissertation, so good on him. Another one, this is another student project; I forgot to put his name on, but his name is Y Jones, and he used Factory I/O to create a virtual factory. He designed a virtual factory simulation connected into Factory I/O; this is the student that was using ladder logic. So it shows cascading effects visually, and I should have said this earlier when I was talking about the demonstrator, but demonstrators show what would happen if something happens to a system that affects another system that affects another system, which we'll come back to later when I talk about how the sectors affect each other.

Then you have cyber ranges. These simulate networks in a virtual topology. This is something else I couldn't really get my head around when I first started, because, as you can see on this, this massive server, I thought that this was some impressive thing. I thought this thing was the cyber range and it could only come from one company, but no, a cyber range is just a virtual sandbox for cyber attack research. You could create one yourself on some old hardware, put some hypervisor software on it, and yeah. So a project of the moment I'm working on is actually creating my own one from scratch to teach myself how to do this. But you can also connect the cyber range into physical devices too. So, say, one of the test beds that has a PLC on it: you can connect it into the cyber range and then use VMs to attack it. It might sound very simple, but this is something that, when you're researching in a whole new area, all the little things really do add up.

So, industrial network vulnerabilities. One thing I'll say is that generic network protocols are used, and generic network protocols aren't secure, so all generic network protocol vulnerabilities apply to operational technology or industrial control systems or SCADA systems, whichever; they are all different, but whichever you want to use. PLCs are vulnerable to DoS, such as the field flooding man-in-the-middle attack, the novel attack that Abu discovered, and industrial protocols lack encrypted data streams. So that's the big one here: you need to secure them from the outside, because the connections inside lack encrypted data streams. Another one, which I know was mentioned earlier: industrial control systems use VNC, which uses unencrypted data streams, so if you have a human-machine interface that uses VNC to connect virtually to something, that's unencrypted, and you could tap that and see what's on the screen.

So, the interconnectivity of the now 14 sectors: they all rely on one another. Nuclear relies on water; you cannot put a nuclear power plant somewhere unless there is water for cooling. Water relies on transport: how does it get around? You've got the systems, but then you've got bottled water, you've got the equipment that runs the water plant; everything interacts with each other. So it's cascading effects; it's like dominoes. Finance relies on data centers, so bringing the 14th sector in. Emergency services rely on communication; would the emergency services work without communication? So this isn't the be-all and end-all; this is just basically, it's a very active area of research, so we're still trying to protect it.

But back to the first thing anyone ever says in this area: don't breach the air gap. I know we're having to, because the four generations are merging with each other, but don't breach the air gap unless that's absolutely necessary, and if you do, make sure you know what you're doing. Separation of IT and operational technology (OT) where possible, and then restrict access to critical systems to those trained. For those who've been to my SCADA talk in the past, which probably isn't many, but a couple, I did my undergrad dissertation on an information security policy for SCADA systems, and I talked to security engineers, this is back in 2016, about their systems, and they hadn't been trained in security. They weren't aware of what would have happened if someone hacked into it. One of them had worked for the Wall's factory, and we had a bit of a laugh because we were joking about what would happen, you know, all the ice cream would melt everywhere if someone hacked into it and turned all the freezers off. So that's a funny one, but then you hack into, like I keep saying, a nuclear reactor, and you have a different story. So train them, and you need them, you need to be able to trust them. So something I have on here: you've got to treat your employees well, otherwise disgruntled employees aren't great. So, training personnel and an enforced security policy, and obviously I have to bring Stuxnet into it: deactivate the USB ports. Thank you very much. I have put my Cardiff logo and the Cyber Innovation Hub logo on there. So thank you. Any questions?

Q: How much to blame are vendors for security problems being introduced into ICS?

A: Yeah, so I remember, the reason I decided to look into this for my dissertation years ago was because I read the Chatham House report in my second year, and there was a section about how there are pieces of hardware with the same serial number with added-in connectivity, and they're keeping the serial number the same and they're not making it explicit that they now have network connectivity. So in that case they are to blame, for leaving, for making it so obvious what the default admin passwords are; they are to blame. But

also, I think I'm speaking from 10 years ago there; these days that's not something I've looked into, so I'm not sure whether that's getting better. But I think there are a lot more regulations in place at the moment, which is great for new things, but of course nuclear reactors might have stuff on the wall that is 40 years old. Yeah, it's an area of research that everyone's trying to figure out at the moment, I guess.

Q: I was just going to ask another question. With interlocks, like physical hardware interlocks and things like that, have you seen people moving those from hardware into software?

A: That is actually happening at the moment. The European system of digital signaling is coming to the UK currently. There are safety benefits and there's also capacity benefits, which means that more trains can run at once, but it also means that it's being controlled digitally. So that is happening right now.

Q: I'm wondering, because without that physical interlock on there, if you're looking at physical cabling now, which is what goes into feeding your signaling system, does that start causing issues where somebody goes through and wires something up?

A: Say that again?

Q: Well, because what you've got is, ultimately, you're going to have sensors on points and everything like that to start knowing where trains are and everything like that. So what I'm thinking along the lines of is: if somebody wires up a signal incorrectly, could you end up in a situation where you're feeding the wrong information to the system?

A: If it's wired up incorrectly, then yes, you get the wrong signals; the wrong sense, the wrong signal.

Q: Hi there. What I'm wondering is, for both academic researchers and practitioner researchers from broader infosec areas that want to break into this niche, what would be the learning route you would recommend?

A: So you're asking about getting into academia?

Q: No, what I'm asking is, like, to enter into this particular niche. I do academic research in the information security area, broader research, but specifically this area: what would you learn first? Should we follow the same route that you have in learning, or what would be the things you would learn first before jumping into either academic research in this or exploit development in this, etc.?

A: So I think I'm interested in this because I play around with things and I learn by playing around with things, but also I've read, I think, three textbooks back to back on the topic, one being Industrial Cybersecurity, I can't remember exactly who it's by. Books are amazing on this area, but reading papers, reading good papers where they're not gatekeeping the secrets, they're actually teaching you through the paper, and I think if you're already in academia you'll be able to recognize that kind of paper straight away.

Q: Hello. This is the last question, so I'm very happy that I'm able to ask it. It's more of a similar question to what the previous gentleman was asking, but in terms of practical opportunities, training or playing around with labs, or cheaper alternatives to getting test beds or demonstrators: what opportunities are there for defensive security folk to learn about, potentially break into this industry, or to find opportunities? I know you're a software engineering teacher, but I'd love to know what your opinion is.

A: Okay, so you're saying that you want to use test beds?

Q: Any practical application or environment or course.

A: So my route is definitely books, playing with things, reading around the area, reading papers. There are some really good courses out there. We're also running courses on this where I work as well, for people wanting to get into the industry, and if you want to talk to me after, I can tell you about that. I'd say both of you raised a really good point, in that I really struggled upskilling myself in this area, because I feel like it's quite a gatekept area. Everyone within the area acts like it's really complex and really impressive to be within it; once you start to break it down and learn it, you realize that you just need to put time into it and be patient with it. But yeah. Sorry, sorry, I should have said that, yeah.
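The talk's main vulnerability point is that industrial protocols such as Modbus lack encrypted data streams, so anything on the wire inside the OT network can be read and altered, and the stated mitigation is to secure them from the outside with an OT/IT split and access restricted to trained people. As an added example (not code from the talk, the speaker's test beds, or any of the courses mentioned), the Python below decodes Modbus/TCP request frames to show how plainly readable they are, then runs the check a passive monitoring point at that boundary would run: alert on any write request from a host that is not on an allow-list. The MBAP layout and function codes are the standard Modbus ones; the hosts, addresses and the sample traffic are constructed.

```python
"""Added example, not code from the talk or from any of the test beds it
describes: decode Modbus/TCP request frames to show how readable an
unencrypted industrial protocol is on the wire, and flag write requests
from hosts that are not on an allow-list, the kind of check a monitoring
point at the OT/IT boundary would run."""
import struct

# Public Modbus function codes (a subset; these are the real protocol values).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def build_request(transaction_id, unit_id, function_code, address, value):
    """Build a Modbus/TCP request ADU: 7-byte MBAP header + PDU.
    Used only to construct sample traffic; the field layout is the
    standard one (transaction id, protocol id 0, length, unit id)."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP request ADU into a dict. Everything is plain
    big-endian integers; no key is needed to read it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The MBAP length field counts the unit id and the PDU, i.e. everything
    # after the first six bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    data = frame[8:]
    info = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": FUNCTION_NAMES.get(function_code, "unknown/vendor-specific"),
        "is_write": function_code in WRITE_CODES,
    }
    # Requests for these codes all start with a 16-bit address; reads and
    # multi-writes follow it with a quantity, single writes with the value.
    if function_code in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        info["address"], info["quantity"] = struct.unpack(">HH", data[:4])
    elif function_code in (5, 6) and len(data) >= 4:
        info["address"], info["value"] = struct.unpack(">HH", data[:4])
    return info


def audit_writes(observed, allowed_writers):
    """observed: list of (source_ip, frame) pairs as a passive tap would see
    them. Returns one alert string per write request from a host that is
    not allowed to write, and one per frame that does not parse."""
    alerts = []
    for src, frame in observed:
        try:
            info = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus frame ({exc})")
            continue
        if info["is_write"] and src not in allowed_writers:
            alerts.append(
                f"{src}: {info['function']} to unit {info['unit_id']} "
                f"address {info['address']}"
            )
    return alerts


# Constructed sample traffic; the hosts and register addresses are made up.
SAMPLE_TRAFFIC = [
    ("10.0.1.5", build_request(1, 1, 3, 0, 10)),        # HMI polling 10 holding registers
    ("10.0.1.10", build_request(2, 1, 6, 40, 250)),     # engineering workstation writing a setpoint
    ("10.0.2.77", build_request(3, 1, 5, 7, 0xFF00)),   # unexpected host forcing a coil ON
    ("10.0.2.77", b"\x00\x04\x00\x00\x00\x02\x01"),     # truncated frame
]
ALLOWED_WRITERS = {"10.0.1.10"}  # the one host permitted to change PLC state

if __name__ == "__main__":
    for src, frame in SAMPLE_TRAFFIC[:3]:
        print(src, parse_modbus_tcp(frame))
    for alert in audit_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print("ALERT", alert)
```

Running it prints the fully decoded read and write requests, then two alerts: the coil write from the host that is not an allowed writer, and the truncated frame. The allow-list is the software equivalent of the "restrict access to critical systems to those trained" point; because the protocol carries no authentication of its own, the source address is the only thing a monitor has to go on, which is why the OT/IT separation and the firewall between them matter so much.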