Redbot Security: Critical Infrastructure Testing | Industrial Cyber Security
2022-05-19T20:20:53+00:00

Redbot Security ICS/SCADA Testing

We can traverse your Critical Systems

Redbot Security starts from an external perspective and pivots into your internal IT network, identifying your critical systems and data. Redbot Security has the expertise to safely test your OT networks from an assumed-breach position, ultimately hardening the security of your entire operations.


Secure your Critical Data and Systems

Identify, evaluate, exploit and report (proof of concept)

Secure your mission-critical network and devices from advanced cyber attacks and minimize critical service disruptions. Redbot Security provides controlled penetration testing performed by senior-level, expert ICS/SCADA engineers. We specialize in manual exploitation of ICS/SCADA networks, and we provide the industry's best customer experience, scoping and timely service delivery.


Penetration Testing Experts

Certifications held by senior-level personnel across Redbot Security's penetration testing team:

Amazon Web Services Cloud Practitioner, CompTIA A+, CISSP, Certified Cloudera Administrator for Hadoop (CCAH), Certified Ethical Hacker (CEH), Cisco Certified Network Associate (CCNA), GIAC CompTIA Linux+, Marine Corps Red Team Operator, Metasploit Professional Certified Specialist, Nexpose Certified Administrator (NCA), Microsoft Certified Professional (MCP), CompTIA Network+, CompTIA IT Operations Specialist (CIOS), CompTIA Secure Infrastructure Specialist (CSIS), Offensive Security Certified Professional (OSCP), GIAC Certified Penetration Tester (GPEN), Rapid7 Advanced Vulnerability Manager, Rapid7 Network Assault Certified, Rapid7 Application Assault Certified, GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Mobile Device Security Analyst (GMOB), GIAC Advanced Smartphone Forensics (GASF), GIAC Reverse Engineering Malware (GREM), GIAC Network Forensics Analyst (GNFA), GIAC Certified Intrusion Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), GIAC Security Essentials (GSEC), PortSwigger Burp Suite Certified Practitioner, Cisco Certified Network Associate Wireless, US Navy Joint Cyber Analyst Course (JCAC)


Proof of Concept

Data that is useful!

Testing is useless unless it achieves actionable results. With Redbot you get reports written by experts that highlight key data and exactly how targets were compromised, along with best-practice recommendations and a complete review of the remediation steps.


Redbot Security Customer Reviews

RedBot Security is extremely professional and detail oriented and extremely easy to work with. I would rate them A++ or a 5. The report provided was detailed and written to easily turn it into action items to correct.

Google Review

Highly recommended!! The team at Redbot was efficient, friendly, ultra reliable and a great pleasure to work with. We had a demanding customer timeline for our requirement and Redbot did exactly what was needed for our testing and exceeded at every instance to help us meet our goal. Super Redbot team and thank you all very much again!

Google Review

Worked with us and kept us updated throughout the entire process, provided a detailed pen test report along with recommendations and suggestions. Very professional and for the quality a very reasonable price! Would happily use them again.

Google Review

Great company to work with. I'm glad I picked Redbot for my security audits as everyone there is talented and very easy to work with. They deliver on their promises and work hard towards making you aware of any potential threats or issues in your IT infrastructure as well as following up with you to ensure that any issues have been corrected. I would recommend this company to anyone who's looking to improve their network and IT infrastructure with best practices.

Google Review

I made several calls, shopped around and from the first email no one compares. My goal was to protect our users both patient and physician from any open doors. They delivered way within timeline and exceeded all of my expectations. Do not waste your time calling anyone else. They are simply the best!

Google Review

The entire team at Redbot was fantastic to deal with throughout the process!

Google Review

Another fantastic work. Scanning and identifying the issues in a timely fashion was impressive. Their professional suggestions were highly helpful. Looking forward to continuing working with Redbot Security!

Google Review

It was a pleasure to work with RedBot Security to perform an external penetration test for us (GYANT.com). Everyone I've interacted with is very professional and responsive. The pen test was thorough and well-documented. I also appreciate the prompt re-test.

Google Review

Why is it critical to Pen-Test Industrial Control Systems?

ICS networks are mission critical, requiring immediate availability.

Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are found in many industries such as electric, water and wastewater, transportation, oil and natural gas, chemical, pharmaceutical, and manufacturing (e.g., automotive, aerospace). Because there are many different types of ICS with varying levels of potential risk and impact, there are many different methods and techniques for securing them; one of the most important is penetration testing.

Consequences of an ICS incident/breach:

*  Impact on national security—facilitate an act of terrorism.
*  Reduction or loss of production at one site or multiple sites simultaneously.
*  Injury or death of employees.
*  Injury or death of persons in the community.
*  Damage to equipment.
*  Release, diversion, or theft of hazardous materials.
*  Environmental damage.
*  Violation of regulatory requirements.
*  Product contamination.
*  Criminal or civil legal liabilities.
*  Loss of proprietary or confidential information.
*  Loss of brand image or customer confidence.

Did you know?

According to the 2019 CyberX Global ICS IIoT Risk Report:

  • 84% of industrial sites have at least one remotely accessible device
  • 69% of industrial sites have plain-text passwords traversing their ICS networks
  • 53% of industrial sites have obsolete Windows systems such as Windows XP
  • 40% of industrial sites have at least one direct connection to the internet

The security controls that fall within the NIST SP 800-53 Risk Assessment (RA) family provide policy and procedures to develop, distribute, and maintain a documented risk assessment policy that describes purpose, scope, roles, responsibilities, and compliance, as well as procedures for implementing that policy. An information system and its associated data are categorized based on the security objectives and a range of risk levels. A risk assessment is performed to identify risks and the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of an information system and its data. Also included in these controls are mechanisms for keeping risk assessments up to date and for performing periodic testing and vulnerability assessments.

The operational and risk differences between ICS and IT systems create the need for increased sophistication in applying cyber security and operational strategies.


Redbot Security is a complete service provided by our team of ICS/SCADA experts to ensure that vulnerabilities are minimized and that your defenses are running in top shape by offering the following:

  • ICS/SCADA Risk & Vulnerability Assessments
  • Penetration Testing (black-box, gray-box, white-box)
  • Real-World Attacker Tactics and Techniques: Controlled Manual Penetration Testing without Interruption
  • Actionable and easy-to-follow results: Risk Rating, Exploit Storyboard and Remediation Recommendations

Scoping Process:

SCOPE OF WORK

Scoping Questionnaires, Demos | Recommendation and alignment

EFFORT DETERMINATION

Budget Limitations, Client Expectations | Statement of Work Delivery

KICK OFF

Scheduling Calls, Rules of Engagement, Meet the Team | Discuss final details

EXECUTION

Daily/Weekend Updates | Notification of high risk findings

NEXT STEP EXPLOIT

Discuss Exploits and next steps | Key findings Report Creation

FINAL REPORT DELIVERY

Executive Summary | Detailed Engineering Report

REMEDIATION

Validate & Confirm Findings | Provide Recommendations

RETEST

Retest vulnerabilities after remediation.

Threats to control systems can come from numerous sources, including adversarial sources such as hostile governments, terrorist groups, industrial spies, disgruntled employees and malicious intruders, and natural sources such as system complexity, human error and accidents, equipment failures and natural disasters. To protect against adversarial threats (as well as known natural threats), it is necessary to create a defense-in-depth strategy for the ICS.

Source: Government Accountability Office (GAO), Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity

Threat agents and their descriptions:

Attackers: Attackers break into networks for the thrill of the challenge or for bragging rights in the attacker community. While remote cracking once required a fair amount of skill or computer knowledge, attackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use.

Bot-network operators: Bot-network operators are attackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks.

Criminal groups: Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the U.S. through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop attacker talent.

Foreign intelligence services: Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrines, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power, impacts that could affect the daily lives of U.S. citizens.

Insiders: The disgruntled insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems. Insiders may be employees, contractors, or business partners.

Phishers: Phishers are individuals or small groups that execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives.

Spammers: Spammers are individuals or organizations that distribute unsolicited e-mail with hidden or false information to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (e.g., DoS).

Spyware/malware authors: Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware.

Terrorists: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware to generate funds or gather sensitive information. Terrorists may attack one target to divert attention or resources from other targets.

Industrial spies: Industrial espionage seeks to acquire intellectual property and know-how by clandestine methods.

Redbot Security identifies, evaluates, exploits, reports (proof of concept) and provides best practice remediation steps for Real-World vulnerabilities within your critical infrastructure.

The modern threat landscape is evolving faster than industrial control technology can keep pace. Redbot's industrial sector clients include:

  • Energy Sector: The security of critical infrastructure networks and systems in the electricity sector is increasingly at risk due to improper segmentation of IT and OT. Cyber vulnerabilities are increasing in frequency due to the multitude of attacks targeting utilities in the United States. The Wall Street Journal reported that China, Russia, and other countries may have penetrated the US electrical grid and implanted back doors that can be used to disrupt systems. These nation states are the greatest threat to our critical infrastructure, with Russia's and China's cyber capabilities being the most sophisticated.
  • Water Districts: The primary concern that keeps managers of water companies awake at night is contamination of the water. Malicious actors have proven their ability to penetrate the common industrial controls used by our nation's water companies and have demonstrated their ability to increase the level of chemicals used in our nation's water supply. Detection of a contaminated water supply can take weeks, and public safety is at serious risk. This nightmare scenario nearly played out earlier this year in Oldsmar, Florida: a hacker accessed the water system and boosted levels of sodium hydroxide, a cleaning agent, to dangerous levels. Redbot Security has been able to successfully duplicate this scenario with multiple water plants.
  • Health Organizations: Cyberattacks are identified as the top threat in many healthcare systems' annual Hazard Vulnerability Analyses (HVA). Critical systems and data within IT networks have proven vulnerable, primarily to ransomware attacks. With many policies and procedures already in place, the health industry is still highly vulnerable to the multitude of attacks that are happening every day. The Conti ransomware group has successfully exploited at least 16 healthcare sector and first responder networks, including 911 dispatchers, emergency medical services, law enforcement, and municipalities, in the last year, according to a May 20 FBI Alert: "Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information." (FBI)
  • National Transportation Systems: Redbot Security was recently engaged in a national transportation testing project and was able to shut down rail cars, lock doors and access video and intercom equipment in less than 2 days. Our national transportation systems are highly vulnerable, and malicious actors can easily shut down a city's transportation system, wreaking havoc and causing panic and chaos, especially if attacks were chained together with multiple terror attacks. Default passwords with no network encryption are the leading cause of exploitable vulnerabilities within this sector. Most railcars in the US are provided by China.

Updated Industrial Critical Infrastructure Threat Feed. Full article links to CISA.

ICS-CERT Alerts

An ICS-CERT Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.

ICS-CERT Advisories

Advisories provide timely information about current security issues, vulnerabilities, and exploits.

Sophisticated cyber terrorists and nation-state actors are working around the clock to disrupt your service. The risk of an attack on your systems is increasing. Redbot Security has a proven track record and can quickly help to secure your industrial control systems.


ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).

SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. SCADA systems consist of both hardware and software. Typical hardware includes a master terminal unit (MTU) placed at a control center, communications equipment (e.g., radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of either a remote terminal unit (RTU) or a programmable logic controller (PLC), which controls actuators and/or monitors sensors.

Major security objectives for an ICS implementation should include the following:

  • Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
  • Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
  • Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
  • Restoring the system after an incident. Incidents are inevitable, and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.

Our senior-level critical infrastructure engineers have more than just penetration testing skills; they also come equipped with deep knowledge of networks and physical security.


INSIGHT

Performing Industrial Control System Vulnerability Assessments

Organizations should perform a risk assessment for their ICS and use its results to prioritize the systems based on the potential impact to each. However, because of the potential for disruption to the devices, vulnerability scanners should be used with caution on production ICS networks. A major concern is an accidental DoS to devices and networks: vulnerability scanners often attempt to verify vulnerabilities by extensively probing and conducting a representative set of attacks against devices and networks. ICS were designed and built to control and automate real-world processes or equipment. Given the wrong instructions, they could perform incorrect actions, causing product loss, equipment damage, injury, or even deaths.

Identifying the vulnerabilities within an ICS requires a different approach from that of a typical IT system. In most cases, devices on an IT system can be rebooted, restored, or replaced with little interruption of service to its customers. An ICS controls a physical process and therefore has real-world consequences associated with its actions. Some actions are time-critical, while others have a more relaxed timeframe.

When performing an inventory or vulnerability scan on a system or network segment, there are several steps that are generally performed. These techniques may make the work somewhat more difficult, but should help to mitigate problems associated with active scanning.

To be identified: Hosts, nodes, and networks
Usual IT action: Ping sweep (Nmap)
ICS action (do this instead):
  • Examine router configuration files or route tables
  • Perform physical verification (chasing wires)
  • Conduct passive network listening or use intrusion detection (e.g., Snort) on the network
  • Specify a subset of IP addresses to be programmatically scanned

To be identified: Services
Usual IT action: Port scan (Nmap)
ICS action (do this instead):
  • Do local port verification (e.g., netstat)
  • Scan a duplicate, development, or test system on a non-production network

To be identified: Vulnerabilities within a service
Usual IT action: Vulnerability scan (Nessus)
ICS action (do this instead):
  • Perform local banner grabbing with version lookup in Common Vulnerabilities and Exposures (CVE)
  • Scan a duplicate, development, or test system on a non-production network
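The "do this instead" column above, worked through in code. This is an added example written for this page, not a Redbot Security tool and not from NIST SP 800-82: it inventories an ICS host from its own route table, its local listening-socket table and self-reported service versions, so no packet is ever sent to a controller. The route table, netstat output, banners, the product names and the advisory entries (including the CVE-style references) are all constructed samples, not real data.

```python
"""
Local, non-intrusive inventory for an ICS host: hosts and networks from the
route table instead of a ping sweep, services from local port verification
instead of a port scan, and vulnerable versions from local banners compared
against an advisory list instead of a remote vulnerability scan.
Every input below is a constructed sample.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the style of `ip route show`.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/27 via 192.0.2.254 dev eth0
10.10.0.0/16 dev eth1 proto kernel scope link src 10.10.0.5
"""

# Constructed sample in the style of `netstat -tuln`.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed banners, as read from the host's own configuration or
# `--version` output rather than by connecting to the controller.
SAMPLE_BANNERS = {
    502: "ExamplePLC Modbus/TCP server 2.1.0",
    23: "telnetd 1.0",
    161: "net-snmp 5.9",
}

# Constructed advisory list: product -> (first fixed version, reference).
# The references are placeholders, not real CVE identifiers.
ADVISORIES = {
    "ExamplePLC Modbus/TCP server": ("2.2.0", "CVE-YYYY-NNNN (placeholder)"),
    "telnetd": ("1.1", "CVE-YYYY-MMMM (placeholder)"),
}

Listener = namedtuple("Listener", "proto addr port")


def networks_from_routes(route_text):
    """Networks the host can reach, read from its route table (no packets sent)."""
    nets = []
    for line in route_text.splitlines():
        first = line.split()[0] if line.strip() else ""
        try:
            nets.append(ipaddress.ip_network(first, strict=False))
        except ValueError:
            continue  # 'default' and blank lines carry no prefix
    return nets


def listeners_from_netstat(netstat_text):
    """Listening sockets parsed from netstat output (local port verification)."""
    listeners = []
    for line in netstat_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        addr, _, port = parts[3].rpartition(":")
        listeners.append(Listener(parts[0], addr, int(port)))
    return listeners


def exposed_listeners(listeners):
    """Only sockets bound beyond loopback are reachable from the network."""
    return [l for l in listeners if not ipaddress.ip_address(l.addr).is_loopback]


def version_tuple(version):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def vulnerable_services(banners, advisories):
    """Banners whose version is older than the advisory's first fixed version."""
    findings = []
    for port, banner in banners.items():
        match = re.match(r"(.*\S)\s+(\d[\d.]*)$", banner)
        if not match:
            continue
        product, version = match.groups()
        if product in advisories:
            fixed, ref = advisories[product]
            if version_tuple(version) < version_tuple(fixed):
                findings.append((port, product, version, fixed, ref))
    return findings


if __name__ == "__main__":
    for net in networks_from_routes(SAMPLE_ROUTES):
        print("network:", net)
    for l in exposed_listeners(listeners_from_netstat(SAMPLE_NETSTAT)):
        print("exposed service:", l.proto, l.addr, l.port)
    for port, product, version, fixed, ref in vulnerable_services(SAMPLE_BANNERS, ADVISORIES):
        print(f"port {port}: {product} {version} is older than fixed {fixed} ({ref})")
```

On a real host the three sample strings would be replaced by the output of the local commands; the version comparison is numeric on purpose, since a string comparison would rank "2.10" below "2.9".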

NIST 800-82 r2 Defense-in-Depth Strategy for Industrial Controls

In a typical ICS this means a defense-in-depth strategy that includes:

  • Developing security policies, procedures, training and educational material that applies specifically to the ICS. Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.

  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.

  • Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

  • Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).

  • Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).

  • Ensuring that critical components are redundant and are on redundant networks.

  • Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.

  • Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.

  • Restricting physical access to the ICS network and devices. Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).

  • Considering the use of separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).

  • Using modern technology, such as smart cards for Personal Identity Verification (PIV). Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.

  • Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.

  • Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.

  • Tracking and monitoring audit trails on critical areas of the ICS.
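The DMZ-between-corporate-and-ICS design and the separate-credentials requirement appear both in the security objectives above and in this defense-in-depth list. The following is an added example written for this page (not Redbot Security's code and not from NIST SP 800-82) of how a defender can check a zone-based firewall policy and an account inventory against those two requirements. Rules are evaluated first-match with a default deny, as most firewalls do, so a specific allow placed above the catch-all deny is reported as a real path rather than hidden by the deny that follows it. The zone names, rule set, account list and port list are constructed assumptions.

```python
"""
Segmentation and credential checks for a corporate / DMZ / ICS design:
  1. no direct corporate<->ICS path may exist (all traffic crosses the DMZ);
  2. ICS accounts must not be corporate-directory credentials.
Rules and accounts below are constructed samples.
"""
from dataclasses import dataclass

CORPORATE, DMZ, ICS = "corporate", "dmz", "ics"

# TCP ports probed for direct corporate<->ICS reachability:
# SSH, Telnet, HTTPS, Modbus/TCP, RDP, DNP3 and EtherNet/IP.
PROBE_PORTS = (22, 23, 443, 502, 3389, 20000, 44818)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp", "udp" or "any"
    dport: int    # 0 means any port
    action: str   # "allow" or "deny"


# Constructed policy. The corporate->ics tcp/502 allow sits above the
# catch-all deny, which is the ordering mistake this check exists to find.
SAMPLE_RULES = [
    Rule(CORPORATE, DMZ, "tcp", 443, "allow"),   # corporate users read the DMZ historian
    Rule(DMZ, ICS, "tcp", 502, "allow"),         # DMZ data collector polls PLCs
    Rule(DMZ, ICS, "tcp", 3389, "allow"),        # maintenance via the DMZ jump host
    Rule(ICS, DMZ, "udp", 514, "allow"),         # ICS syslog to the DMZ collector
    Rule(CORPORATE, ICS, "tcp", 502, "allow"),   # the finding: bypasses the DMZ
    Rule(CORPORATE, ICS, "any", 0, "deny"),
    Rule(ICS, CORPORATE, "any", 0, "deny"),
]

# Constructed account inventory: (username, zone it is used in, directory it lives in).
SAMPLE_ACCOUNTS = [
    ("jsmith", CORPORATE, "corp-ad"),
    ("jsmith", ICS, "corp-ad"),         # corporate credential reused inside ICS
    ("ops-eng1", ICS, "ics-local"),
    ("svc-collector", DMZ, "dmz-local"),
]


def first_match(rules, src, dst, proto, dport):
    """First matching rule decides; nothing matching means deny."""
    for r in rules:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto in (proto, "any") and r.dport in (dport, 0)):
            return r.action
    return "deny"


def direct_corporate_ics_paths(rules, ports=PROBE_PORTS):
    """TCP ports reachable directly between corporate and ICS, in either direction."""
    paths = []
    for src, dst in ((CORPORATE, ICS), (ICS, CORPORATE)):
        for port in ports:
            if first_match(rules, src, dst, "tcp", port) == "allow":
                paths.append((src, dst, port))
    return paths


def shared_credentials(accounts):
    """ICS accounts that live in a directory also used for corporate accounts."""
    corp_dirs = {directory for _, zone, directory in accounts if zone == CORPORATE}
    return [(user, directory) for user, zone, directory in accounts
            if zone == ICS and directory in corp_dirs]


def lint(rules, accounts):
    """Human-readable findings for both checks."""
    findings = []
    for src, dst, port in direct_corporate_ics_paths(rules):
        findings.append(f"direct {src}->{dst} path on tcp/{port}; route it through the DMZ or remove it")
    for user, directory in shared_credentials(accounts):
        findings.append(f"ICS account '{user}' is a {directory} credential; use a separate ICS realm")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES, SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```

The port list is deliberately short; in practice it would be the protocols the plant actually uses, and the rule set would be exported from the firewall in whatever form its management API provides.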

Redbot Security – How to prevent a cyber attack. Fix these issues to improve your network security!

Most companies know that critical vulnerabilities can be resolved simply by applying critical security patches. However, more often than not, systems across multiple client sectors are found to be running obsolete operating systems and missing patches such as the MS17-010 critical security update.