
Chris Sistrunk - How to Get Into ICS Security

BSides Augusta · 2015 · 49:08 · 176 views · Published 2015-09
Style: Talk

About this talk

Video from BSidesAugusta 2015.

Transcript (en)

Uh, I'm indifferent. And Chris is, you know... It's all good. Introduce Chris and I'll be right over. I'm recording.

Okay. All right. Good afternoon. Are you all having fun at Augusta? All right. Really good. So, if we haven't met yet, Phil... including this track today, and I really appreciate everybody coming and taking time out of their Saturday to do something excellent for this community. I was actually really pleased to see the number of folks under 18 here today, so that's really awesome. And I can tell you, the first year we had, I think I shared some of these stats this morning, about 175 people. Last year about 275 people. This year over 500 people showed up, as some of you can remember if you sat in our registration line this morning. So we appreciate all your patience and working with us on that. So, glad you're having fun.

Our next speaker. I'm privileged to work directly with our next speaker on a few things. I had a buddy of mine move on from a former life that he and I had worked together in, and he moved to a major automobile manufacturer, and he said, "Listen, we're having some trouble with our vehicles, and we'd like to bring somebody in that understands and can help us, you know, do some things around that." So I immediately turned to our SCADA team at Mandiant, where our next speaker and I work together, and asked if they could help. So it's nice to have one of those experts that you're able to just reach out to on chat and talk about it. So this guy knows quite a bit about ICS and SCADA. So it's my privilege to introduce Chris Sistrunk.

All right. How to get into industrial control system security. That's what my talk's about. A little bit about me. I'm a registered professional engineer, electrical engineer. I worked for a power company called Entergy for almost 12 years, and I was the SCADA engineer there for 10 years. Did all aspects of the SCADA system there and worked on a lot of different things, like the substation security team that we had. Also, Project Robus just fell in my lap. If you Google that, you'll find out that me and a colleague of mine at another company found a whole bunch of vulnerabilities in DNP3 protocol implementations. And then, just over a year and a half ago, I was hired by Mandiant. I wasn't looking for a job; they just gave me an offer, and now I'm with the industrial control systems consulting practice there. I help out with knowledge and trying to get folks like you interested in control systems. I do the ICS Village at DEF CON and RSA and other places; even at BSides Nashville we had one. And then I also organize BSides Jackson, which, shameless plug, is November 7th in Jackson, Mississippi.

So, you're here. How many people here are familiar with industrial control systems at all? Okay, all right. Of those, how many of you work in control systems? Used to? Okay. How many people here, of those who raised their hands the first time, work in security? Okay. So we've got more security folks and then a few control system folks. Okay. And this is going to be a two-way conversation, because I want to find out what excites you about control system security. Do you do it in your job now? Do you want to? Do you want to be able to do this? And find out all these things. But before we go any further, I'm going to show you a funny video that kind of explains what we do.

That's cool.

[Video] "...headquarters, research has been proceeding to develop a line of automation products that establishes new standards for quality..." All right, try that again.

[Video] "...research has been proceeding to develop a line of automation products that establishes new standards for quality, technological..." This basically describes what I do. "...with customer success as our primary focus. Work has been proceeding on the crudely conceived idea of an instrument that would not only provide inverse reactive current for use in unilateral phase detractors, but would also be capable of automatically synchronizing cardinal grammeters. [Music] Such an instrument, comprised of Dodge gears and bearings, Reliance Electric motors, Allen-Bradley controls, and all monitored by Rockwell Software, is Rockwell Automation's Retro Encabulator. Now, basically the only new principle involved is that instead of power being generated by the relative motion of conductors and fluxes, it's produced by the modial interaction of magneto-reluctance and capacitive diractance. The original machine had a base plate of prefabulated amulite surmounted by a malleable logarithmic casing in such a way that the two spurving bearings were in a direct line with the panametric fan. The lineup consisted simply of six hydrocoptic marzlevanes, so fitted to the ambifacient lunar waneshaft that side fumbling was effectively prevented. The main winding was of the normal lotus-o-delta type, placed in panendermic semi-boloid slots of the stator, every seventh conductor being connected by a non-reversible tremie pipe to the differential girdle spring on the up end of the grammeters. Moreover, whenever fluorescent score motion is required, it may also be employed in conjunction with a drawn reciprocation dingle arm to reduce sinusoidal depleneration. The Retro Encabulator has now reached a high level of development, and it's being successfully used in the operation of novertrunnions. It's available soon wherever Rockwell Automation products are sold."

Is that real? It is a long-running engineering gag. It actually first appeared in, I forget which publication it was, in the '40s, and an engineer thought it would just be funny to have technobabble show up, and now there's been a lot of other takes on it. So Rockwell Automation had a really... I mean, that guy had a straight face the entire time, right? Now you know what a girdle spring is and a dingle arm. Let's see here. Okay.

Okay. All right. So, let's talk about some numbers. Some of the folks in here are industrial control system humans. And there's lots of us out there. There's industrial control systems everywhere. Think about it: elevators, escalators, power grid, oil and gas, water, manufacturing. I don't even know how many industrial control system professionals and technicians and vendors and operators there are, all those people. There's a lot of people; I can't even count it. At RSA, I think it was in April, or was it February, someone tweeted, or it might have been at DEF CON or Black Hat, someone tweeted that there were 189,000 security professionals, and that seems like a pretty fair number. I mean, almost all of them are here in Augusta today, with a huge conference like this; it's pretty awesome. So if you take the Venn diagram, the intersection of security humans and industrial control system humans, I think there's less than a thousand in the US. There's maybe over a thousand in the whole world; I'm not really sure. But there's not very many of us at all that do just industrial control system security. And if you take that number and divide it by 189,000, 0.5% of security folks focus on control systems. And as we know, control systems are responsible for all the critical infrastructure we have. Is 0.5% enough? I have the decimal point wrong on the slide; it's supposed to be 0.5%. Is 0.5% enough to protect critical infrastructure? No, I don't think so. So I'm recruiting you for ICS security. Thanks to the keynote, which stole a little bit of my thunder, but he's a great guy. He did a great job with that keynote, getting everyone riled up and saying, "Hey, yeah, we need to protect all the things instead of hacking all the things." So we want you to help us with industrial control system security.

So there's two ways we can get into industrial control system security. You can go from the engineering-type side, from OT, that's operational technology. You can go from that side into industrial control system security, or you can go from the IT side into industrial control system security. So I'm going to go with the first route, the operational technology side. Let's say you've got the engineering background or technical background, like me. I'm an electrical engineer, a power engineer for the power company. Okay, I know how the plant or the process works, or how the power grid works, or how the oil and gas works, or how the water works, and all those things, right? How the manufacturing works. You probably already work with ICS components like PLCs, RTUs, HMIs, Modbus, EtherNet/IP, DNP3, PROFINET, PROFIBUS. You probably know RS-232, because we still have a lot of that. You know, Mr. Hayes is here walking around. That's pretty cool, right? Hayes modems, right? Wireless. And you might be familiar with NERC CIP or CFATS if you're dealing with those standards in those industries. But how do we get you familiar with security? Well, there's got to be reasons why I do it. You either want to do it, or you kind of just get thrown into it or sucked into it. With me, I got sucked into it, and it was just fascinating. Security was really fascinating to me. How can we protect our control systems and our critical infrastructure better? So I had to start learning how: go to security conferences. Thanks to Irongeek for recording this video and others that I have done, and others that my colleagues have done in the past, and putting them online. I appreciate that. SecurityTube has lots and lots of security videos and instructional videos on how to do security, and it's easy to learn to do step by step. Lots of material online; Google's your friend. And then there's ICS-specific security training from SANS, Red Tiger, SCADAhacker, a couple of others. There's a couple of Linux distributions: SamuraiSTFU, which is written by Justin Searle; Kali, which everyone knows or should know; and then Security Onion, of course, for the blue team. And if you're an engineer like me and you want to know more about security, become friends with people that are on the IT security team. That's a great thing. What's one of the best ways, if you're an engineer and you want to go talk to the folks in IT security? What do you do? You just say, "Hey, here's some Red Bull. Tell me about security. Tell me about some of these things that you're learning. What is the reverse...?" You know, things like that. Even basic IT things you might need to learn about: why is it bad to have hard-coded backdoor passwords? Or, you know, the length of a password, learning how fast it can be cracked, things like that. So you talk and you make friends with the IT security community, and places like this, conferences, are a perfect place to do that.

If you have devices that work for your control system, why not take some of those and turn them into a security lab? A lot of companies that have control systems have labs to test patches, and some of them are used for backups, things like that. Well, if you don't have a budget for a lab, you might have some spare equipment lying around, like a spare PLC, spare HMIs, and say, "Hey, if no one's using this, can I use it?" and do some security research, maybe hardening. How can we harden this HMI and find a way to make it harder for attackers to come in, and shut off all the unused ports and services? Or maybe even fuzz test some of your own equipment. And I like to put up this cartoon: "I made a typo in my annual budget request, but don't worry, there are only two things you can't buy for the test lab this year: hardware and software." So you have to really be resourceful. And I see some nodding heads. Some people just don't have the budget to do some of this stuff. So you've got to just make do with the best you have.

What got me into this as an engineer: Stuxnet in 2010 was kind of like the scariest thing that could happen, and it's also very sexy, intriguing. You could take a virus and make a control system go do bad things. Stuxnet, that really is the whole... I think there was a dark age for a while there. People have been talking about control system security since about 2000, 2001, and nothing really happened between then and about 2010. That last decade was the dark ages for us in control system security. Then Stuxnet happened, and it woke everybody up and said, okay, this can actually happen. As an engineer or technician or an end user, an operator or vendor, what would be the Stuxnet for your system? You have to think like a bad guy. Put on a hard hat and say, "How can I destroy my system?" But do it in the right way. I mean, you don't want to actually destroy your system. That would be bad. You'd probably go to jail. But think about how to attack it, and ways to make it better so that you can fix those problems and mitigate some of these things. What if the attacker had all of your prints for your control system? Well, you have all those in your head. If you're a control system engineer or control system technician, you would probably know how the system works. Well, what if an attacker had that knowledge like you have? What can you do to protect things? And you might find a vulnerability, like what happened to me. I found a lot of vulnerabilities, and I wasn't even really looking for them. And to make things work well, this is one of the things I've always liked to say: to make things work well, you must break them and then fix them, and then break them again and then fix them again. That's a really great way to harden the system. Red team and blue team exercises, there's a lot of those going around. Capture the flags, where you learn how to use Metasploit, learn how to, for instance, fuzz Modbus, use Wireshark to see what's on your network as a blue team member, and maybe write some Modbus Snort rules, things like that. Test them out on your own system. I don't know how to write exploits, but other people have, and they put them into Exploit-DB, and you can run them on your own systems and see what happens. And obviously, in a lab environment.

Okay. So for most of you in here, most of you are on the IT side of the house, and you want to get into control system security. So I suggest one thing: Google all the things, right? You go to modbus.org and download the Modbus specification. It's free. And learn protocols. Just like it's been said, I mean, Modbus is one of the simplest protocols out there. It's been around since 1979, and it's ubiquitous. It's everywhere. If you learn how to do Modbus, then you can get into more difficult protocols like DNP3, BACnet, EtherNet/IP, other things. And there's a lot of code that already exists on GitHub for different control system stacks. OpenDNP3 is one of them. My friend Adam, who was with me when we found all the DNP3 vulnerabilities, had written the fuzzer to test his OpenDNP3 stack. And he said, "Well, I made this fuzzer; why don't you try it out?" So I tried it out, and it just found vulnerabilities in everything it touched, but he didn't find very many vulnerabilities in his, because he's very good, writes very good code. Well, it just so happens that OpenDNP3 is a really great resource if you want to learn about DNP3. There's tons of Modbus on GitHub, other protocols. But Wireshark already has 30 or more industrial control system protocol parsers. So it's pretty smart. There's a lot of packet captures online. Netresec, the people that make NetworkMiner, they have a library page that points to all the different places where you can download control system packet captures. SANS also has PCAPs available, and so does S4, the ICS Village at S4, of course, every year. And there's a lot of other things that you can Google too. I mean, the history of control systems, just about anything. Google, lots of videos. Anybody ever watched How It's Made? Anybody seen that show? Almost every one of those shows has some kind of control system in it. If they're making Legos or potato chips, right, there's control systems behind all those things. And you have to learn about the process and learn how the different pieces fit together. Once you learn what the engineer may already know, then you can figure out how to defend it. Because in Modbus, let's say a PLC has ladder logic in it. And inside the ladder logic, you might be writing values to Modbus protocol. Well, you're going to see Modbus register 40001, 40002. Well, you don't know what those are. Those are just register values. But if you have some knowledge about the process, then you can reverse engineer, or actually just know, what's in the PLC. Just do a lot of YouTube searches on SCADA, control systems, PLC, different conference talks. You'll have lots and lots of time to learn about the basics of control systems.

Anybody ever make a Raspberry Pi? This one has OpenDNP3 on it, and we have a PiFace board that plugs into the GPIO pins. And my friend actually wrote the little driver to talk from OpenDNP3 to the PiFace, where you can actually control, you can see in the picture, you can control the lights. And then there's two relay outputs, so you can control things like the Christmas lights or whatever. You know, this is probably about $100 when you get the case and all the fun stuff. And this is the Raspberry Pi 1. You can get stacks for DNP3, Modbus, BACnet, probably a few others as well. Arduino already has the Modbus library in the software. So you just go download the sketch file, and you can turn on the LED on the board. Also eBay. If you want to learn about control systems, normally the equipment's really expensive. Like, a PLC costs $10,000 with different configurations. They can go up to $20,000, $30,000 easily. So most of us don't have that much extra cash lying around. So you've just got to get lucky on eBay. This one on the far right, an industrially hardened PC running Windows XP, is an older unit. I got this off of eBay for 15 bucks, and it still had the configuration on it. So I was able to pull the SAM file, crack the password, and then I found out that it was running Wonderware HMI. I mean, it still had the original configuration on it. So I didn't really do anything. I reported it to who it belonged to, and hopefully they won't be doing that in the future, selling their used equipment without taking the configuration off. But I was able to get that piece of equipment for pretty cheap. You can get new equipment, you know, for $700 or less. Phoenix Contact, just like Esco mentioned, has a little kit that you can get. So it's not quite as expensive as $10,000, but it's still pretty expensive. So, make an ICS network at home. Raspberry Pi and Arduino are probably the best ways to learn about those things.

This is the greatest secret. If you're in security and you want to learn about control systems, it's pretty amazing. What you do is you take a box of donuts down to the engineers and the technicians, and you just talk to them. And if you bring engineers food, they will like you immediately. If you go to a place that has different kinds of donuts, maybe like sprinkles or cream ones, or maybe kolaches, like, you know, the basic pigs in a blanket, right? Or those chicken biscuits from Chick-fil-A. I'm telling you, take one of those boxes to a Homer. He works at the nuclear plant, and he loves them. So I'm telling you, control system engineers and technicians, they love donuts too. And if you bring them a box of donuts and say, "Tell me about your job. Tell me what is interesting about control systems. I want to learn about control systems," they will probably just tell you all their war stories. Learn what they do. Walk with them for a day or two if you can. If your business has both IT and ICS, show that you care and you're eager to learn. Create relationships across the company and across the industry, because, you know, "Hey, I know a guy in our department that knows how to program ladder logic, and that's pretty cool." Well, and now I'm teaching him about security. So it's a win-win. They're teaching you about control systems, and you're teaching them about security. Oh, and the biggest thing to do when you work for a company that has control systems is RTFM. Everybody knows what that means: read the manual. And there's lots and lots of manuals. This 421 relay has about 1,400 pages in its PDF manual. I used to have it just about memorized, but I've started to lose some of those things as I've been away from Entergy. Very good documentation is very helpful.

There's a few other things that we can do with control systems and learning about security. So, connect with other people. There's an email list out there called SCADASEC. It's on Infracritical, run by Bob Radvanovsky and Jake Brodsky. They're two really good friends of mine. They've been in this business just about as long as anybody else, and that's a great way to learn about control system security and what the heartbeat of it is. There's emails that go out every day. You can actually go look at the entire archive. They're online on the Infracritical website. Then there's ICS security conferences. Digital Bond has one that they've been doing for, I think, over a decade now. S4 is in Miami every year. It'll be in February, or January, I'm sorry. And we have the SANS ICS Summit, which is in February in Orlando. 4SICS, which is next month in October, is in Stockholm. EnergySec, which is next week in Washington, DC, but it hops around. Oil and Gas Security Summit, they have them in the Middle East and in the US, like in Houston. Start with whatever your field is, whatever you want to get into; there's a cybersecurity conference. There's also Joe Weiss; he's had one for a long time called the ICS Cyber Security Conference. So just look up any of these, and there's probably more and more of these growing. We actually had one last year in conjunction with the ICSJWG conference, which is the Industrial Control Systems Joint Working Group conference. So just look online, look for those security conferences, go to those, and try to learn and connect with those folks there.

There's also standards. One of the best standards that's out there, that me and my colleagues have all helped put effort into, is from NIST: SP 800-82 Revision 2. It just came out this year, Revision 2. It is probably chock full of the most important things about control system security and has a lot of good information that can help your organization have a more secure control system. IEC 62443 is another standard; it used to be ISA 99. Then there's the NERC CIP reliability and compliance standard. CFATS for chemical; they're regulated. And that's just a few of the standards and other documents that we use in the industry.

There's some good training out there as well. ICS-CERT, they have free online training about ICS security. So go online, check out some of their things. They also have a few one-, two-, or three-day classes, but the big one that they make is a five-day red versus blue class up in Idaho Falls. They take about 50 students, and for three days you're in an environment like this, learning about how to exploit control systems, and then on the fourth day, I believe, because I've taken this training, they split you into two teams. 40 people go to the blue team, where you actually have, it's like a real cyber city. You actually have a company, and you are in charge of the email server. You're in charge of the domain controller. You're in charge of all the things. There's even a substation, and there's actually these two big chemicals, it's just water, and there's actually ladder logic in the PLC that mixes the batch of chemicals, and every time it completes that cycle and sells it, you get points for every batch of chemicals you make. So the other 10 people are on the red team, and all they're given is a public web page that ICS-CERT set up, and you attack through the web page, pivot all the way down to the control system, and you try to dump their water everywhere on the floor, which we were able to do, but we still lost, because I kind of think they favor the blue team. The blue team, when we did it, did a really good job. That's a completely free training. All you have to do is just pay your way to get up there. Then SANS. Their training isn't free, but it's very good. The ICS 410 class, and that is more about just general control system security. And then the new one from Rob Lee, who wrote SCADA and Me, you know, the kids' book, it's ICS 515. It's a defense class, how to do defense and forensics in control systems. So that's a pretty good class. Red Tiger Security, some of my buddies, you know, I guess technically they're competitors, but I don't care. They're my friends, and I always support them. Red Tiger Security, Vult Perch, SCADAhacker, that's Joel Langill. They all have training classes on control system security. So I highly suggest them. And then there's vendor training for GE, ABB, Siemens. They all have very good training classes, and Rockwell, and a couple of others.

There's also certification. You know, you have lots of alphabet soup certifications in IT security, right? CISSP, all the alphabet. I'm a professional engineer, so there's not really a professional engineering license for security. And everybody that we need in control system security, we don't need them to be an engineer. We just need all the help we can get right now. So there's this new cert that just came out about a year and a half ago, maybe two years ago. It's called GICSP. It's a new certification that will basically teach IT folks the basics of control systems; it tests your knowledge, and it takes control system folks and tests their security knowledge, so they have a basic level of understanding of industrial control system security. So I recommend that. I haven't gotten it myself. I just haven't had time to take the test. I asked Mike Assante, who's over the SANS part of it, if I could CLEP out of it, and he said no, money. So that's okay. Getting close to the end here. If you have any questions about control system security, I'll be happy to answer your questions, and I think I'll go ahead and take questions now. So if you have questions, or, you know, what interests you? Yes, in the back.

Do you see the vendors taking security more seriously? In the past, some of the older systems had backdoor passwords and things like that. Do you see them taking it seriously, or are they letting it ride?

Yes. Good question. I guess everybody heard that, since we have a microphone. That's great. Yes, the big vendors, the big vendors like GE, Siemens, especially Siemens after Stuxnet happened, right? ABB, they all have security departments now, and a way to report vulnerabilities even. And they're removing their vulnerabilities. Schweitzer Engineering Laboratories was one that was very good. I mean, when we found that their DNP3 stack was broken, they had a patch in 17 days, and when you log into one of these out of the box, it forces you to put in a hard-coded, I mean not a hard-coded, a difficult password. There's not just "RTU, RTU" or whatever. It won't let you put that in. It actually forces you to create a complicated and long password. So there's a lot of... like I said, with Siemens, they went through the fire with Stuxnet. And then, let's see, I'll show it to you if I can, but in my talk that I gave yesterday at a security conference, I had a graph that showed all the publicly known ICS vulnerabilities, and it's just shot up to over 1,200 now since about 2010, and most of them are after 2010 because of Stuxnet. So all of these big vendors, they realized that, yeah, we can't do the backdoor password anymore. We've got to do device driver signing and configuration signing and better encryption and things like that. And the smartphone industry has really helped out on that. These things are small and fast, where it used to be you couldn't, and now you can get some of these same processors in control system equipment that are wide temperature range and have all the horsepower to do all the cryptography. So hopefully that answered your question. All right, any other questions? Yes, sir.

Are you seeing that companies, like power plants and stuff like that, are hiring ICS security staff, or are they just outsourcing, so Mandiant comes in, or are they just putting extra responsibility on the engineers to say, "Hey, this year for professional development you need to get good at security too"? What's the trend in the industry relative to that?

Okay. Well, let's say, when you mention the power plants, the electrical industry is regulated by NERC CIP, which is a big cybersecurity standard. A lot of people say compliance is not even security, but it does a really good job. There's no flat networks anymore on those control systems for power companies that it applies to, because they're making them do a basic level of security, and there's security teams at the power companies. I was on a security team. I've got a couple of folks in here that I recognize that, I mean, for God's sake, he's actually a SOC analyst for their control system. So the money is there because of the compliance being driven into the electric sector. Like chemicals, that's CFATS; they're regulated, so they actually have budget to do these cybersecurity compliance things, which does support the security training and development, things like that. When I was at Entergy, we had to do annual cybersecurity training. I mean, you had to do, like, no tailgating when you walk through locked doors, things like that. I mean, even down to physical security. But once you get outside of that, it could be hit or miss. So oil and gas, they do. They've got money. But some of the mom-and-pop water companies, they probably don't. And manufacturing, they probably don't. They're just trying to make their control system last as long as possible. So that's just kind of where we are. The bigger companies are better off, and they have security. It sounds like a commercial, you know.

Like, small and medium-sized companies can't afford resources, and the big companies can, and financials are regulated.

Yeah. Think about it like the hospital. Hospitals, they have just enough money to scrape by with what they have to meet for HIPAA and all these other things, but outside of that, I mean, there's still a lot of XP at a lot of the hospitals, right? And the same way with control systems, there's just enough money to go take out all the vulnerable systems and rip them out and put new ones in. So that's why I've been adamant about doing monitoring, but that's pretty advanced to do for security. If you don't have a security budget, then you've got a lot more things to worry about than monitoring, because a lot of companies are still getting configurations.

Yes sir. So, how closely does it work with ICS-CERT, and do you see the relationship between industry and ICS-CERT getting better as far as reporting vulnerabilities? Yeah. You know, I know just about everybody at ICS-CERT, because I started dealing with ICS-CERT when I was at the power company and I still report vulnerabilities. I do responsible vulnerability disclosure to ICS-CERT and the vendors if I find anything. And we actually have a few ex-ICS-CERT employees that work for me. So we have a pretty good relationship with ICS-CERT. Other companies, I don't know. I mean, when I was at the power company, we really didn't have any expertise in that, and I was the first one to ever report anything. So it's just kind of trial and error. If anybody ever finds a vulnerability, I can help you figure out the best way to disclose it, because with critical infrastructure, you've got to be careful about it. You can't just post the vulnerability on Pastebin. Any other questions?

Do you have a daily read? A daily read? Yeah, like an RSS feed or something, sites that you check that are ICS focused? I check Twitter, and I actually had to get permission at the power company to look at Twitter for control system stuff, because actually a lot of information is coming out there through the news. It travels fast there. Then there's, I think there's an energy sector one, I forget the link. I should have put it in here, but it's a web page. Let me see, I might just go to it right now.

Yeah, it's right here. I have it docked. So it's a DHS open source infrastructure report, and here's the one from yesterday, and then you have different sectors, and you just look at the energy sector and it has all the news items. That's a great resource. It talks about financial. It's probably good for everybody just to look at, but it really does have a focus on critical manufacturing, nuclear, dams, food and agriculture, water, wastewater, all the stuff that has ICS. And also, you know, you might have an RSS feed that you create, or create some Google Alerts, if you know how to do that, on SCADA and hack, or ICS and vulnerability, things like that. Also, I always look at the Open Source Vulnerability Database. Those guys over there put a lot of effort into actually looking at vulnerabilities that were not reported, that were just silently fixed. They looked at the release notes of SCADA software that said "oh, we fixed this vulnerability" but didn't mention it to anyone, and they go and look through all the release notes. So okay, any more questions in the back?

Which do you see as a better entry point? Do you see going in through working under a company, such as a manufacturer that's employing these systems, or working for an actual manufacturer of these systems? So like working in gear manufacturing versus working on how to grab your team. Yeah, you know, the best way to learn is probably for an end user of those systems, like a company manufacturing things like that. I would say some of the vendors like GE and Siemens actually do have a good department, and so if you weasel your way in and get up into security, that'll probably take quite a while to do if you don't have those skills right now. The best way to learn, just from an entry level, is to say I'm going to go work for the power company and learn, maybe learn on their CIP team, or maybe work with their control system team and learn how to do some of the basics. Did that answer your question? Okay. There may be all kinds of ways, just whatever interests you. Whatever makes you get up in the morning and say I think I'm really interested in this, and you find a way to do it somehow. I just fell into security and now I'm doing industrial control system security every day and I love my job. So, how much time do we have left? You've got time to give away the giveaways. Okay. Yep.

All right. This is an Alfa network USB, you know, 2.4 GHz network device. First person who can tell me what the standard TCP port for Modbus is. Oh, somebody said 102. 102? No, that's another control system protocol though. No, that's another protocol, too. 502. 502. We have a winner.

102 is for the Siemens S7 protocol and 20,000 is for DNP3. Maybe we should go there. Let's go to Shodan. If you haven't seen Shodan, it's got some really cool things that they've added.

And let's go to the whole thing on control systems, and they have all the protocols. So if you want to learn what Modbus is on the internet, sign in, you can get a free account. So here's all the Modbus that's on the internet right now, and they're actually scanning with Modbus. Okay, so we've got another giveaway: Blue Team Handbook: Incident Response Edition by Don Murdoch. Let's see, that's another good question. What does PLC stand for? Programmable logic controller. Okay. Who yelled that out? I guess. Okay. Got new facts, folks.

When the Raspberry Pi was given, and this is a Raspberry Pi given from the Rural Tech Fund. I think that's Chris Sanders' organization. Really great thing. So, let's see. Let me think of a harder one. That one was a little too fast. Let's see.

Does anybody know what controller was attacked? Siemens. Siemens. Well, it's a Siemens. But what's the model number? There's two of them. And I'll take a good one. What's the Siemens PLC model number? Step 7. It was Step 7. So, what model number though? Okay. Well, that's close enough. I mean that's the Step 7. That was the HMI software. The PLC model number was S7-400 and then there's the S7-300 as well. All right. Well, thanks. And if you have any questions, just send me an email, or send me direct messages on Twitter. I would love to help you guys. Thanks. Thanks, Chris. We'll get started.