
Hello everyone, my name is Chris Raider, and thank you for joining me for my presentation, "If I Were to Michael Bay the Plant, This Is How I Would Do It." Today I'm going to be talking about ICS, industrial control systems, and the MITRE ATT&CK for ICS framework that was released earlier this year. I am a senior cyber security consultant, and you can find me on LinkedIn and Twitter at c raider cbus. I'll also post these in the chat window if you'd like to connect up with me after the presentation. So before we get started, go ahead and bring up this page in a web browser. We'll need it for some of the later slides, but don't get hung up on reading it, because it's kind of what we're going to walk through today, and this will also be posted in the chat window.

A little bit about me: I've been in IT consulting since 1997 and officially been focused on OT since 2016, but my actual involvement predates that; I just didn't call it OT at the time. I've been involved in some NEI 08-09 Milestone 8 projects, that's some work in nuclear plants, and also numerous assessments across the electrical utilities and oil and gas industries. This is my second BSides Columbus presentation, so I really hope you enjoy it. A quick fun fact about me: in the picture here you can see me with the old beat-up Hilux Toyota pickup that I drove across the Middle East for about two months. I came back to the United States for about six weeks and then went back over to the Middle East doing assessments at oil and gas facilities, except this time we had a more luxurious RAV4. The other photo is me at a nuke plant with the Homer Simpson pink donut.

So why Michael Bay? I mean, obviously Michael Bay is synonymous with ridiculously huge movie explosions, and some of his franchises you may be familiar with are Bad Boys, The Rock, Armageddon, and of course the Transformers movies. So big budget, high concept, super stylistic, gigantic explosions. Another kind of fun thing that I didn't know existed was the Michael Bay explosion tournament, which is kind of like a bracket, March Madness style breakdown of movie explosions. If you're interested in that, it's on the Wayback Machine at archive.org. But before we kick into this presentation, I also don't want to downplay the seriousness of catastrophic events: explosions, loss of life, loss of property, that's not cool. I'm just trying to bring a bit of levity into the presentation by having some Michael Bay ridiculousness. And even catastrophic explosions obviously will get you the budget and the most attention and funding for remediation and projects in
your facilities, just because they are catastrophic. There are also extremely dangerous situations that can exist in an industrial environment even without fires and explosions, so it's not just explosions, there's other things, but I said we're focused on Michael Bay stuff today.

So, electrical explosions. Ah, and see, Transformers, get it? Electrical transformers, Transformers the movie. Yeah, collective groan, I know. But here's some electrical explosions. In the upper right, that's a Wisconsin substation fire that was ultimately determined to be a mechanical failure, and in the lower left you might recognize that from, I think it was New Year's Day in 2019, or maybe it was New Year's Eve, I don't recall, maybe New Year's Day: there was the arc flash and transformer fire due to some voltage monitoring malfunction at a New York City substation. So there's some Michael Bay for you, and we can actually tie that into some recent events that have happened in the news. You remember all those mysterious activities, or incidents, that happened in Iran this spring? There seemed to be some information that that was kind of retaliatory from Israel when Iran attacked some water treatment plants earlier this year, and then all of a sudden these industrial "accidents" start happening across Iran. And even more recently than that, some recent United States news is that the CIA has been green-lighted to attack some critical infrastructure in adversarial countries. Typically critical infrastructure has been kind of off limits, especially public targets, but now that that's been made public, the CIA has now been allowed to attack critical infrastructure targets like petrochemical and probably some power grid facilities in adversarial nations, and also some kind of hack-and-dump things, kind of like what Russia's famous for, kind of WikiLeaks. So that's going to almost certainly increase exposure for US-based critical infrastructure, to require more security activities by the aforementioned critical infrastructure industries: oil and gas, electrical utilities, telecom. I mean, with the COVID pandemic we've come to see how many things are critical infrastructure now, even rail, transportation, retail, Amazon, those kind of logistical companies. So unfortunately those kind of actions give us, as security professionals, a bit more; it might give us more budget or some cause to do some different things. One interesting thing that I found out during the research for the presentation, and this is on Twitter so take it for what it's worth, is that some Iranian groups were claiming responsibility for the USS Bonhomme Richard fire that happened a week or two ago, claiming sabotage for that. So I don't know if that's related or not, but we'll see.

So how does MITRE ATT&CK fit into all this? Well, I'll give you a little bit of background on the MITRE Corporation, or the organization, if you're familiar with some of their other work. They are basically a public-private partnership that's funded by the government to do independent research and information sharing in the public interest. They've done a lot of work recently with threat intelligence and monitoring trends by advanced persistent threats, or APT
groups. And what actually is ATT&CK? So ATT&CK is, in simple terms, just a knowledge base of adversary behavior based on real-world observations, so it focuses on tactics, techniques and procedures, the TTPs. One cool thing about it is it's free and open source, so people can contribute to it whenever they want. It's open for research, it's free to use commercially, in reports, in commercial activities, and it can also be used with other kill chain models; I'll show how it kind of fits in with that in a future slide. But this screen grab I have here is just a small subset of the ATT&CK for Enterprise, and across the top here, the column headers are tactics and the column contents are techniques. So if you are on the ATT&CK website you can click on these items for more information for each technique that's used. They do a pretty good job of defining everything.
So with the ICS technology domain, they've branched out from Enterprise. So why is there an ICS technology domain? Well, it's a different focus. ICS, as I mentioned earlier, is industrial control systems, and it's also referred to as operational technology, or OT, and a lot of times you hear those terms used interchangeably. Some of the things that compose the ICS domain are process control systems, operator interface, monitoring, real-time and historical data, alarming. Some of this equipment would be HMIs, the human machine interface, which would be the display panels that you'll see in industrial settings, panel-mount PCs or engineering workstations, historians that log data of the system, obviously alarming systems, also RTUs, remote terminal units, that are very common in electrical substations, sensors, all kinds of things like that. In addition we have safety instrumented systems and protection systems, and those are typically separate components that form the safety systems of the industrial control system, so things that monitor temperature and pressure, voltage, things that could really cause damage; they're specifically there for the safety function. Fire is another one. And then also engineering and maintenance systems, like I mentioned, engineering workstations, and some of the maintenance systems might be a laptop or instrumentation that's used for calibrating and maintaining some of the industrial control systems.

So here's just a quick shot of some OT devices. A feeder relay, which is something that you'd see in an electrical substation: the front panel with the little LCD interface with some buttons, and on the back side you'll see all those terminal strips for the different inputs and outputs that the substation might require. In the middle is a SCADA RTU. SCADA is also something that's probably found in a power substation, and an RTU can kind of be thought of as a bit of a primary controller. It might connect to multiple inputs and outputs and sensors and actuators and devices, and then it's connected by IP or serial to some sort of primary controlling node. These can be panel-mount; you'll see them stuck in panels or on walls. They're not necessarily something you'd see in a rack; you might, you might not. It just depends on that particular application. The final thing is a Bentley Nevada seismic sensor, that's the little silver can-looking thing, and then a Bentley Nevada PLC cabinet. Bentley Nevada is synonymous with rotational equipment: turbines, generators, pumps, anything that has a rotational aspect to it. They do a lot of work with vibration monitoring and things like that to help detect predictive failure, overspeed controls, things like that. So you definitely see those; they're very common in anything that's a power generation facility, like a gas turbine. Very common.
So why are people attacking ICS? Obviously adversaries have different motivations versus enterprise attacking. In an enterprise, some of the goals might be data exfiltration or compromise of financial records, or maybe intellectual property theft, things like that, whereas in ICS the goals are typically to impact and affect the process controls: we want the system to do something that it's not supposed to do or not designed to do. The technology is going to be different. You have embedded systems, embedded real-time Linux operating systems or Windows 7 Embedded, kind of highly specialized hardware that runs stripped-down operating systems, and then you also have industrial protocols that are different than the typical TCP, things like Modbus, Modbus over IP, OPC, and a lot of these protocols are unauthenticated and they're in clear text, so they're very easy to see and spoof and kind of do bad things with. And also some of the defenses that are in ICS networks: the immature security programs. Enterprise attacks have been around for a long time; ICS is getting more and more visibility, but there are still some immature security programs, and there may be a lack of funding, especially in the municipal space like wastewater treatment plants. To get adequate security in some of the more government- or municipal-based smaller facilities in municipal cities might be more difficult. And there's a lot of vendor and OEM reliance. That means that basically the asset owner, the plant operator, won't do anything without the guidance from the vendor, with good reason: when a vendor or OEM installs a system, everything is specifically tuned and designed to run on specific firmware, specific patch levels, so those things won't get updated or upgraded until they've been vetted. I have a quick story to share. In some of our assessments the asset owner will be like, can you give us some recommendations for improving the security of our systems? And we go through the typical things like, hey, make sure your configurations for your user accounts, admin accounts, privileges, and your patch levels; make sure you're using current software, everything is patched. There's the typical things that we recommend: patch it as good as you can. The asset owner might come back and say, well, okay, but we use Honeywell and we can't do anything unless it comes from Honeywell, and that would be like Windows patches, application patches. And then we can just say, all right then, well, just basically do whatever Honeywell tells you to do, keep up with your maintenance contracts, and you can only be as secure as what Honeywell will provide. So you also have that. Limited intrusions specific to ICS leads to a smaller knowledge base, and that's kind of with respect to enterprise. There are likely significantly more industrial tactics and techniques that may be used, but a lot of those events go unreported. The ATT&CK structure is more mature when it comes to
enterprise, so there's a lot less; it's kind of like breaking new ground in the ICS space.

So what are some of the differences between Enterprise and ICS when it comes to MITRE's ATT&CK frameworks? Why did MITRE create a new matrix? Well, even though there is some overlap between Enterprise and ICS, you still have Windows systems, you still have Active Directory, you're still going to have Windows servers, you're looking at printers, things are very similar, what MITRE wanted to do is focus on the non-IT systems. They wanted to make sure that they could focus on things that were actually affecting or directly changing the industrial control system, things that were changing the PLCs, the programmable logic controllers, the actual code on the devices, instead of just attacking the Windows systems with random malware. I'm going to talk a little bit about the Purdue levels, and the next slide coming up breaks it out in better detail, but Enterprise ATT&CK deals with the Purdue network levels of three and a half to five, or five down to three point five is probably a better way to put it, and ICS ATT&CK deals with Purdue levels three down to zero. I'll break those network architectures out for you in the next slide. And finally, the impact failure scenarios are different. If you take a look at the ICS framework and the Enterprise framework, the impacts on the systems are different. In the case of enterprise it might be data exfiltration or IP theft, whereas in ICS it's more about denying control or changing control of the system, or preventing control, or loss of safety. So for those familiar with the Purdue reference architecture, it's a way to visualize ICS networks and their relationship
to enterprise networks. So we start with level five at the top. That would be your typical enterprise DMZ: email servers, web servers, VPN connections, Citrix, whatnot, being at level five. Enterprise level four is your back office systems: your domain controllers, your web servers, business servers, your ERP systems, and your corporate desktops. Level three is where we start to get into that border, that difference between enterprise and ICS. So level three would be the plant DMZ; it's like a boundary between the enterprise level and the plant level and plant systems. You may see these also called level 3.5, which is something that I pointed out in the previous slide; that may be kind of another sub-DMZ where you have additional firewalls, maybe up in this level and another firewall down here, and servers that do replication. You have your antivirus and WSUS server that sits in these levels, and these might pull definitions down from either the internet or from a vendor site so they can get deployed in a manner that's consistent with the requirements of that particular vendor system. You also have data historians. Data historians are typically used to feed the ERP systems of the enterprise and also to monitor process health over time. And then you'll have remote access and jump servers as a way to drop down from the corporate network into the ICS level. So you start getting into ICS. These in level three are still kind of enterprise, and that blends in when you hit down into the ICS level here, and these are going to be your application-specific systems for that particular control system. So there may be an energy management system or a distributed control system; those applications and databases are sitting at this level two and three. And down here, when we start to get into level two and below, this is where the actual process controllers are, and this is pure ICS down here. In level zero you have the field devices. In the case of an electrical network it would be relays, synchrophasor sensors, voltage sensors, and in the case of an industrial process it might be sensors like the Bentley Nevada sensors or other equipment, temperature and pressure sensors, controllers and actuators, that are all fed up into controller land, which is level one. The sensors and field devices are typically hardwired to these controllers here, and then there might be IP connectivity up to this local HMI up in level two and these controlling systems. It's also important to note that with respect to ICS networks, typically levels four and five are considered untrusted, so these would be untrusted zones, with the firewall. A lot of asset owners and plant operators do not allow any connections in from these; they consider those to be as secure as an internet connection. And typically adversaries will have to get down into level zero and two, kind of in the ICS
SCADA zone, in order to impact the systems.

So here's the tactics and techniques of the ATT&CK for ICS framework. You can see it looks a little bit different than Enterprise ATT&CK, and this may be where you can look at the page that I had you bring up at the beginning of the presentation, because it doesn't really lend itself that much to this tiny screen, so you can get a better view of it. The left side of the matrix is pretty similar to what you'd see on the enterprise side; as you start moving over to the right, that's where things really start becoming different, especially these last three columns that I've kind of expanded on the other slides, so you don't have to worry about trying to view it here. Another cool thing that I like about the MITRE framework on their website is that these are all hyperlinks; you can click each one and it really breaks down what the definitions are, how they're defining each of these different techniques for the ICS framework. And I do want to plug one of my colleagues: Stuart Bailey is a gentleman that I work with, and he's developed ICS flash cards for the framework. He's put all these different techniques into flash cards so you can go through and quiz yourself and learn the different techniques and commit those to memory, so it's easier to talk about. I've put a link to that in the reference section at the end of the presentation.

So why do we focus on this right-hand side? Well, basically these events have happened. They're legit things that have been documented, seen in the wild, so you're not bordering on speculation here; this stuff has actually happened. So when you're working through different things in the framework, maybe you're doing threat modeling or something, you can see that, hey, these things have actually happened; can we relate these back to our systems? As I stated before, protecting life is the primary goal of ICS. You have your process, you need to protect the process, but life is the number one thing to protect. Second, the environment and the property: you don't need an oil spill or a chemical spill, you don't need things blowing up or catching on fire. And then finally, protecting the process. And basically, as you can see in this impact section, almost anything that happens, loss of productivity and revenue, that's going to be a consequence of almost anything that happens in an ICS environment, whether or not lives have been lost or there are any casualties or any other property damage. So this is kind of where I get into the Michael Bay effect: these things are catastrophic and can definitely impact the asset owner or the company or even the industry.
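The Purdue trust boundary laid out earlier in the talk (levels four and five untrusted, the plant DMZ at level 3/3.5 as the only crossing point, controllers and field devices talking only to their neighbours) can be turned into a small flow audit that a defender runs over firewall or capture summaries. This is an added example, not code from the talk or from MITRE; the zone map, the four rules and the sample flows are my assumptions, including the choice that an enterprise-initiated session may only land on the 3.5 jump level.

```python
"""Purdue-zone flow audit (constructed example, not from the talk or MITRE).
Flags sessions that cross the enterprise/plant boundary in ways the Purdue
model described above does not allow. Zone map, policy and flows are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Purdue levels as laid out in the talk; 3.5 is the optional sub-DMZ.
LEVELS = {
    "enterprise_dmz": 5.0,  # mail/web servers, VPN, Citrix
    "enterprise": 4.0,      # domain controllers, ERP, corporate desktops
    "plant_dmz": 3.5,       # extra firewalls, WSUS/AV replication, jump server
    "plant_ops": 3.0,       # data historians, remote-access servers
    "supervisory": 2.0,     # EMS/DCS application servers, local HMI
    "control": 1.0,         # PLCs, RTUs, feeder relays
    "field": 0.0,           # sensors and actuators
}
UNTRUSTED = 4.0          # levels 4 and 5 are treated as untrusted
JUMP_LEVEL = 3.5         # the only level untrusted zones may land on (assumed policy)
# Unauthenticated, cleartext industrial protocols named in the talk (plus DNP3).
INDUSTRIAL_PROTOCOLS = {"modbus", "opc", "iec104", "iec61850", "dnp3"}


@dataclass(frozen=True)
class Flow:
    src: str       # zone that opened the session
    dst: str       # zone that accepted it
    protocol: str  # lower-case protocol label


def check_flow(flow: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means it is allowed."""
    s, d = LEVELS[flow.src], LEVELS[flow.dst]
    findings: list[str] = []
    # R1: untrusted zones may only initiate into the jump/DMZ level, never deeper.
    if s >= UNTRUSTED and d < JUMP_LEVEL:
        findings.append("untrusted zone initiates below the plant DMZ")
    # R2: anything at level 2 or below must never open a session to the enterprise;
    # only DMZ/level-3 services (historian, WSUS) replicate upward.
    if s <= 2.0 and d >= UNTRUSTED:
        findings.append("ICS zone initiates directly to the enterprise")
    # R3: controllers and field devices only talk to the adjacent level
    # (field<->control hardwired, control<->supervisory over IP).
    if min(s, d) <= 1.0 and abs(s - d) > 1.0:
        findings.append("controller/field device reached from a non-adjacent level")
    # R4: industrial protocols belong at level 3 and below (HMI, historian collection).
    if flow.protocol in INDUSTRIAL_PROTOCOLS and max(s, d) > 3.0:
        findings.append(f"{flow.protocol} crosses into the enterprise zones")
    return findings


def audit(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map each non-compliant flow to its findings (compliant flows are omitted)."""
    return {f: r for f in flows if (r := check_flow(f))}


# Constructed sample flows, e.g. summarised from a firewall log or a capture.
SAMPLE_FLOWS = [
    Flow("enterprise", "plant_dmz", "rdp"),        # analyst to jump server: allowed
    Flow("enterprise", "supervisory", "rdp"),      # straight to the HMI: R1
    Flow("plant_ops", "enterprise", "sql"),        # historian feeding ERP: allowed
    Flow("control", "enterprise", "https"),        # PLC "phoning home": R2 + R3
    Flow("supervisory", "control", "modbus"),      # HMI polling a PLC: allowed
    Flow("enterprise", "control", "modbus"),       # Modbus from the office: R1, R3, R4
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst} ({flow.protocol}): {'; '.join(findings)}")
```

Running the block lists the three non-compliant sample flows; the same rules can be fed real zone-to-zone summaries once the zone names are mapped to your own subnets.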
So one of the use cases for the ATT&CK framework is mapping attacks to APTs; that's kind of what it was almost designed to do. Dragos has had a lot of input into the ATT&CK framework, so they use some of their terminology and some of their APT names when they talk about it, but that's the classic use case for ATT&CK. You can map it out, and there are actually links to this on some of their pages on the MITRE page. So you have Shamoon, which was the Saudi Aramco data wiper. BlackEnergy, that's a Sandworm APT; it's a pretty extensive modular coded rootkit that was targeted at the Ukraine energy sector. NotPetya, there's also a Sandworm APT utility, or malware, that also targeted Ukraine energy companies, power grids and banks, and actually spread to Germany by the updating process of some Ukrainian tax software. Triton, most likely Russian malware specifically targeted at Schneider Electric's Triconex safety instrumented systems, and that's obviously one of the first malware that's specifically designed to cause a loss of life, specifically designed to disable and affect a safety instrumented system, so that way if a process exceeded its parameters it could definitely cause a catastrophic explosion and not safely shut the system down.

Industroyer is another one. Actually I kind of like Industroyer; I think it's one of the coolest names that they've come up with. Dragos calls it CRASHOVERRIDE, so you'll see it a lot of times. ESET did some initial work on it; they call the malware Industroyer, Dragos calls it CRASHOVERRIDE, so you'll see that in both places. That's also some modular malware that was designed to specifically target substations using serial connections or serial communications, IEC 104, IEC 61850 and OPC protocols. So that one was specifically targeted to the protocols that are used in Ukrainian substations. Some of the things that could happen is that
it can be easily adapted to DNP3, which is used a lot in the United States, so this type of malware is something that may be seen in the future, kind of targeted towards some of the United States substations.

So let's do an ATT&CK ICS walkthrough using Industroyer, or CRASHOVERRIDE. The link here points to the breakdown that MITRE has applied to the Industroyer/CRASHOVERRIDE malware. As I said before, it was a substation attack; that was the ELECTRUM APT, so that's the Dragos terminology there. And it actually got in through the network through a data historian running Server 2003, which, I'm trying to recall if it was unsupported at the time; it may have been just on the cusp of being unsupported, but obviously it was probably not patched. So what happened is the malware got infected into some engineering workstations and ended up sending spurious commands to the reclosers, which led to the substation islanding itself. Islanding itself means it's disconnected from the rest of the grid, and that's something that can be the result of repeated operation of reclosers, either intentional or the result of natural events. It's pretty common when there's a blackout: it's the reclosers that have opened up the circuits to prevent electricity flow.

So here's the breakdown using the tactics and techniques matrix that is provided by the ICS framework. We have the initial access, the data historian compromise. Execution: the malware was actually launched by command line interface. Evasion, in the masquerading: it took over processes of a primary server and node and kind of spoofed everything, so the other devices on the network thought that the rogue device was actually the proper device. Some of the discovery methods: uses OPC calls and enumeration, serial device discovery, network connection enumeration. A lot of these things are pretty typical in an enterprise, but the OPC and serial device connections are pretty much specific to the ICS networks. Also in the collection phase, the malware looked for specific configuration files. This was a pretty targeted attack; they knew that the equipment that this substation was using was going to have specific config files in specific locations, so it went out and looked for those files to pull those into its database and searched the network for other devices to attack. Inhibit response: so the malware is acting as a primary node; it can intercept and alter commands, and that can lead to things like impairing process control. So now if operators are trying to do certain commands, they're not going to occur, or maybe the actual commands and status that's reported by the devices doesn't get back to the operators. So you have things like denial of control and denial of view; those things are actively prohibiting that particular action. Loss of safety and loss of view means it's just a natural consequence that's temporary; it's not like they're actively doing it. Maybe a device is resetting and rebooting; that would be a loss, where it's going to come back up and then you'll be able to take control or view that device. And then you have manipulation of control and view; obviously it's almost like a man-in-the-middle attack a little bit. But the one thing you can see is that not all the tactics are used. There's a list, I believe it's 11 tactics, and here we have eight. So it's not necessarily important that all the tactics be used; some things may be used and others are not. So don't feel obligated to try to fill out at least one thing in every tactic; that's not necessarily going to happen. And when I said initially how this works with other kill chain models, as you can see, they kind of omit the initial step. You basically assume that the initial access to the ICS network is through data historian compromise. How that got that far into the network, the MITRE ATT&CK ICS framework doesn't really care; it's just assumed that that's already happened, that the enterprise network's been compromised somehow. It leaves out the kill chain steps that you'll typically see about the recon, the malware development, the malware testing; that gets left out. So this takes place after, and kind of lets you do a more detailed look after the exploit has happened. It doesn't worry so much about how it got into the network per se; it's more about how it affects the network once it's in there.

So this is one of the use cases I wanted to take a look at: how you can use the MITRE ATT&CK framework to do some threat modeling. So other than just doing APTs and diagnosing things after the
fact, you can use this to determine and identify threat behaviors. So put on your evil hat: how can your system integrity be compromised? The operators will know that, and also don't forget the maintenance staff. You kind of have to look at it from a different perspective. Many times engineers will say, why would someone do that, or that could never work, and this is not to disparage the engineers at all. They've done failure scenarios, they've done FMEAs, failure modes and effects analysis; they've done a lot of work about how the system can fail and how things can be prevented. But sometimes you fall into the trap of, this is your system and you know it really well, why would somebody do a particular action? And it doesn't even have to be malicious intent; it could just be an accident, and somebody screwed up or accidentally clicked this button or forgot to do that. There's all kinds of different ways that that could happen. So how would an adversary do some of these things? As we've seen with Industroyer, it requires domain expertise. It also requires a lot of resources and time. I mean, you're not going to get a script kiddie who's going to drop some malware in an ICS network and do something; it's going to be more or less unlimited resources. I hate to use the phrase nation state actors, but that's pretty much a lot of the domain of ICS attacks. So now, once you do some of the threat modeling, you can build or modify your defenses to mitigate the threats. It's pretty typical defense and process improvement. One of the
things i wanted to mention about the kind of like you know how someone would michael bay plant the maintenance staff is very very key uh to get their knowledge don't don't forget about them don't write them off as a bunch of old-timers that have you know been here forever because they'll typically know the systems inside and out and in one of the locations that we did an assessment um you know the question was you know they had bentley nevada uh they had turbines and pumps and he said what happens if the bentley nevada systems down what if you can't see these um you know what do you do because the systems will still contain the
the mechanical systems will still continue to run so what they said is the maintenance department they'll go out there every hour to each assist each sensor location with a stethoscope uh and listen to the device like and do manual inspection on these turbines uh that that's just kind of the expertise they have that they know um they can tell by the sound of something whether it's overspinning or the bearing might be close to failure so that's definitely a resource you don't want to miss out on um consequence based modeling that's also something that's you know very common uh in in the ics space um it can iterate enough protecting life is the primary goal uh environment next and then protect the
process. Safety is number one, and I just include the "safety third" thing because I think those are funny; the safety third stickers, I always get a chuckle out of them.

So what does your threat model look like? This is one of my favorite GIFs. If you're in critical infrastructure, you are 100% a target. As I said in one of the earlier slides about the CIA getting greenlighted to go after critical infrastructure, well, that's just going to come back on the US as well. So if you're in critical infrastructure, you're 100% a target: nation states, obviously; hacktivists, and with some of the things that are going on right now I wouldn't be surprised to see some more hacktivism; and also accidents and human error. The ATT&CK framework doesn't necessarily designate between malicious and non-malicious; there could be things that are accidents and human error where the intent wasn't malicious, but the outcome could very well be. Also insider threats: the whole Twitter breach that happened last week, was it an insider? Probably, you know, somebody got paid off, who knows; I'm not really going to speculate on that. And then also profiteers. This was more for a presentation that I had focused on the electrical grid: the potential for energy market price manipulation. If you could somehow affect the grid, the pricing structure of what different grid operators saw, you might theoretically be able to manipulate the price of energy.

So I want to just talk quickly about the Conficker virus or worm; this shows up on the ICS ATT&CK framework as a technique. I'm going to get my 15, or not even my five, minutes of fame here: I was actually retweeted by SwiftOnSecurity after he posted the meme on the right and said, "an industrial subnet of XP machines is continually reinfecting each other with Conficker", and I just responded, "yep, I saw this IRL last year, they've been happily passing it around for about 10 years". It was a bunch of Windows XP machines and a Server 2000, you know, Server 2003 box; it had not been updated since 2009, no antivirus, no patches, that's just the way the system was designed to run. Then somebody came in at some point with, we presume, an infected USB stick or a maintenance laptop that had it, and just passed it on to this system. Now luckily they were isolated, so they don't really do anything. I mean, the Conficker worm, if you remember, just basically tried to grab passwords for online gaming sites or something like that, so it's not like it's malicious, but it's there and it's a real pain to clean up, because you have to patch your systems, you have to take everything offline. It's not specifically targeting ICS networks, but you'll see it fairly commonly in industrial networks because of the unpatched XP systems, and actually in 2016 it shut down a German nuclear plant, because they had to take it offline in order to remediate it and take care of it.

So as part of this virus claim, when we did see it at a plant, it had been there since 2009. What was kind of interesting is the engineers who were in charge of the system were super happy that we'd found this malware, because they'd been banging on management for years to get these systems replaced and updated, and now that they finally had hard evidence of a compromise, even though it was not very consequential, it was kind of like "see, I told you so". They were able to get that out there, so that's one good thing that came out of it. To map that onto the ATT&CK framework: the initial access right here is replication through removable media; the impact is loss of availability and loss of productivity and revenue. So it's not really consequential, but there again, the loss of productivity and revenue is going to happen almost all the time.

Just getting into the last couple of slides here, so thank you for staying with me this long, I'm getting on about 45 minutes here. I'm going to talk quickly about the NESCOR failure scenarios. These are failure scenarios that are specific to the electrical sector, and in 2015 a big collaborative effort came about
with industry experts, asset owners and academics, and they came up with working groups to develop these different failure scenarios for electrical grids. I'm not going to get into the weeds of the failure scenarios; there's a link to it in the references section if you want to get into it. This is going to be a transmission and distribution kind of scenario that I go through here, and the NESCOR failure scenarios also take into account malicious and non-malicious cyber events, like what I talked about before: not everything is done with ill intent, even if it does cause some sort of consequences in the future.

So we're going to focus on a distributed energy resource scenario, also known as DER. Those are things like cogeneration at cogen plants, smaller wind turbines (not the big industrial-size wind turbines), and also solar; this would be rooftop solar, not the gigantic solar farm. In Ohio we don't have a lot of this yet; this is very common out west, in Arizona, California, Nevada, where they have solar panels on homes, and those are considered distributed energy generation resources because they're at people's houses.

So this is the NESCOR scenario DER.1. If you read the NESCOR scenario, it's all laid out right there in the full write-up. In this scenario, the distributed energy resources owner fails to change the default password, or does not set a password, for the system interface. A threat agent, which could be an inept installer, a hacker or an industrial spy, gets access through the user interface and changes the DER setting so it does not trip off upon low-voltage protection but continues to provide power during a power system fault. What that basically means is something happens where the system is not shut off; it's still providing power to the grid or to some resource, but the person working on it doesn't know it. They go in to do a repair, they touch some wires, and they can get electrocuted because the operators did not know that the system was off. So that's definitely a potential loss-of-life situation there. While it's not specifically laid out in the MITRE ATT&CK for ICS framework, I basically just brainstormed and put some things together about how this would look when it's mapped to the framework. This may be different depending on the environment; maybe you take a look at this and have some different things, so I hope
if there's some time at the end here, if someone has some thoughts on this, definitely bring that up, because I wanted some back and forth that we could have done in a live scenario, where I could put up some scenarios and we could brainstorm some different ways to use the ATT&CK framework to map things out, and you can apply those to different tabletop exercises or threat modeling scenarios that you do.

So here we have initial access: external remote services; maybe there's some remote access VPN that is used for maintenance and that's left open. Execution: well, the password is well known, they probably logged in and they're using the GUI. Persistence: that's something that we haven't seen before, but hey, they have a valid account, default passwords. Discovery: you can go through control device identification, your network connections, remote discovery, depending on what the capabilities are of that particular software or application; data from information repositories and role identification, where does that particular piece of equipment sit in the infrastructure. Once you're in there, can you inhibit the responses, can you suppress alarms, can you prevent alarms, can you turn things off, can you turn things on? These are things that are going to be specific to that application, where the subject matter expert for the application can go through some of these different scenarios and say yes, this is possible, this is possible, that's not possible, or just look at ways of how we defend against that. Impair process control: you can modify parameters if you have access to the system, you could stop services, you could send unauthorized command messages, because obviously you're not authorized to do commands, so those things would be unauthorized. Also, depending on the protocols, maybe if it's on unauthenticated protocols, that might also be a case. And then lastly the impact: damage to property, loss of safety (safety is obviously gone), and then you have loss of life; damage to property, maybe caused by a fire; and then of course manipulation of control: someone skilled enough could probably prevent operators from reversing the control, or maybe you can change the control. So there are definitely different impacts that can happen here, and I did leave some off, but that's just one way that you can use the ATT&CK for ICS framework to
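As an added illustration of the mapping exercise walked through here, and of the Conficker mapping earlier in the talk, the following Python script is not part of the presentation or of MITRE's tooling. It records each scenario as tactic-to-technique lists using the technique names as spoken (no ATT&CK technique IDs are assumed) and checks them against a constructed, hypothetical list of site controls, reporting in kill-chain order which mapped techniques no control prevents or detects and where the chain first goes blind. That gap list is what a tabletop exercise would work from.

```python
"""ATT&CK for ICS scenario coverage check.

Added example; not code from the talk or from MITRE. Tactic and technique
names are the ones the speaker uses for the NESCOR DER.1 and Conficker
mappings (no technique IDs are assumed). SITE_CONTROLS is a constructed,
hypothetical list of one site's defensive measures.
"""
from typing import Dict, List, Optional, Tuple

# Tactic order, roughly as the speaker walks DER.1 through the framework.
TACTIC_ORDER: List[str] = [
    "Initial Access", "Execution", "Persistence", "Discovery",
    "Inhibit Response Function", "Impair Process Control", "Impact",
]

Scenario = Dict[str, List[str]]  # tactic -> technique names

# NESCOR DER.1 (default or no password on the DER interface), as mapped in the talk.
DER1: Scenario = {
    "Initial Access": ["External Remote Services"],
    "Execution": ["Graphical User Interface"],
    "Persistence": ["Valid Accounts", "Default Credentials"],
    "Discovery": ["Control Device Identification", "Network Connection Enumeration",
                  "Remote System Discovery", "Data from Information Repositories",
                  "Role Identification"],
    "Inhibit Response Function": ["Alarm Suppression"],
    "Impair Process Control": ["Modify Parameter", "Service Stop",
                               "Unauthorized Command Message"],
    "Impact": ["Damage to Property", "Loss of Safety", "Manipulation of Control"],
}

# The Conficker-on-XP anecdote, mapped the same way.
CONFICKER: Scenario = {
    "Initial Access": ["Replication Through Removable Media"],
    "Impact": ["Loss of Availability", "Loss of Productivity and Revenue"],
}

# Constructed placeholders: which techniques each site control prevents or detects.
SITE_CONTROLS: Dict[str, List[str]] = {
    "maintenance VPN with MFA, enabled only during maintenance windows":
        ["External Remote Services"],
    "default credentials changed at commissioning":
        ["Default Credentials", "Valid Accounts"],
    "setpoint-change alarm raised outside the DER interface":
        ["Modify Parameter", "Alarm Suppression"],
    "USB ports disabled, removable media policy":
        ["Replication Through Removable Media"],
}


def coverage(scenario: Scenario,
             controls: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (tactic, technique, controls covering it) rows in kill-chain order."""
    covering: Dict[str, List[str]] = {}
    for control, techniques in controls.items():
        for technique in techniques:
            covering.setdefault(technique, []).append(control)
    rows = []
    for tactic in TACTIC_ORDER:
        for technique in scenario.get(tactic, []):
            rows.append((tactic, technique, sorted(covering.get(technique, []))))
    return rows


def uncovered(scenario: Scenario,
              controls: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Techniques in the scenario that no control prevents or detects."""
    return [(t, tech) for t, tech, ctl in coverage(scenario, controls) if not ctl]


def first_blind_tactic(scenario: Scenario,
                       controls: Dict[str, List[str]]) -> Optional[str]:
    """Earliest tactic where every mapped technique is uncovered: the point in
    the chain where the site would neither stop nor notice the adversary."""
    any_covered: Dict[str, bool] = {}
    for tactic, _, ctl in coverage(scenario, controls):
        any_covered[tactic] = any_covered.get(tactic, False) or bool(ctl)
    for tactic in TACTIC_ORDER:
        if tactic in any_covered and not any_covered[tactic]:
            return tactic
    return None


def report(name: str, scenario: Scenario, controls: Dict[str, List[str]]) -> str:
    """Plain-text table for a tabletop handout."""
    lines = [f"== {name} =="]
    for tactic, technique, ctl in coverage(scenario, controls):
        lines.append(f"{tactic:<26} {technique:<36} {'; '.join(ctl) or 'NO CONTROL'}")
    lines.append(f"first blind tactic: {first_blind_tactic(scenario, controls) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("NESCOR DER.1", DER1, SITE_CONTROLS))
    print()
    print(report("Conficker on XP subnet", CONFICKER, SITE_CONTROLS))
```

With the placeholder controls, DER.1 goes blind at Execution (nothing watches GUI logins on the DER interface) and every Discovery and Impact technique is uncovered, which is exactly the discussion the speaker wants to have with the application's subject matter expert. Swap in the site's real controls and the same function shows where a given scenario would first be noticed.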
categorize different aspects of your threat modeling. And with that, I'm at about 50 minutes here, so I'm going to wrap it up. I thank you all for participating, those that did; hopefully I can answer some questions in the chat or live. Definitely thanks for participating, and I'm sure the slides will be made available, but here are some of the references that I used that you can refer back to and definitely get more information. You can take this, go forth and do your own thing with it. It's definitely a powerful framework and just another resource for everyone to use. Again, thank you for attending, and I hope you all have a great day. Thank you.