Critical Infrastructure Testing | Industrial Cyber Security (2021-06-06T13:39:50+00:00)

Redbot Security’s OT TESTING

Let us show you how an attacker can traverse your Critical Systems

Redbot Security starts from an external perspective, pivoting to your internal IT network and identifying your critical systems and data. Once identified, we test SCADA from a controlled onsite perspective, typically after hours to prevent any service interruptions or downtime.

Simulating real world attacks – before they become real.

Redbot Security identifies, evaluates, exploits, reports (proof of concept) and provides best-practice remediation steps for real-world vulnerabilities within your critical infrastructure. The modern threat landscape is evolving faster than industrial control technology can keep pace. Redbot’s industrial sector clients include:

  • Energy Sector – The security of critical infrastructure networks and systems in the electricity sector is increasingly at risk due to the improper segmentation of IT and OT. Cyber vulnerabilities are increasing in frequency due to the multitude of attacks targeting utilities in the United States: The Wall Street Journal reported that China, Russia, and other countries may have penetrated the US electrical grid and implanted back doors that can be used to disrupt the system. These nation states are the greatest threat to our critical infrastructure, with Russia’s and China’s cyber capabilities being the most sophisticated.
  • Water Districts – The primary concern that keeps managers of water companies awake at night is the contamination of the water. Malicious actors have proven their ability to penetrate the common industrial controls used by our nation’s water companies and have demonstrated their ability to increase the level of chemicals used in our nation’s water supply. Detection of a contaminated water supply can take weeks, and public safety is at serious risk. This nightmare scenario nearly played out earlier this year in Oldsmar, Florida. A hacker accessed the water system and boosted levels of sodium hydroxide, a cleaning agent, to dangerous levels. Redbot Security has been able to successfully duplicate this scenario with multiple water plants.
  • Health Organizations – Cyberattacks are identified as the top threat in many healthcare systems’ annual Hazard Vulnerability Analyses (HVA). Critical systems and data within IT networks have proven vulnerable primarily to ransomware attacks. Even with many policies and procedures already in place, the health industry is still highly vulnerable to the multitude of attacks that are happening every day. The Conti ransomware hacking group has successfully exploited at least 16 healthcare sector and first responder networks, including 911 dispatchers, emergency medical services, law enforcement, and municipalities in the last year, according to a May 20 FBI Alert. “Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information.” (FBI)
  • National Transportation Systems – Redbot Security was recently engaged in a national transportation testing project and was able to shut down rail cars, lock doors and access video and intercom equipment in less than 2 days. Our national transportation systems are highly vulnerable, and malicious actors with bad intent can easily shut down a city’s transportation system, wreaking havoc and causing panic and chaos, especially if attacks were chained together with multiple terror attacks. Default passwords with no network encryption are the leading cause of exploitable vulnerabilities within this sector. Most railcars in the US are provided by China.

Updated Industrial Critical Infrastructure Threat Feed. Full article links to CISA.

An ICS-CERT Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.

ICS-CERT Advisories

Advisories provide timely information about current security issues, vulnerabilities, and exploits.

  • Mitsubishi Electric MELSEC-F Series
    on July 20, 2021 at 2:00 pm

    This advisory contains mitigations for a NULL Pointer Dereference vulnerability in the Mitsubishi Electric MELSEC-F Series Ethernet interface block.

  • Ypsomed mylife
    on July 15, 2021 at 2:00 pm

    This advisory contains mitigations for Insufficiently Protected Credentials, Not Using an Unpredictable IV with CBC Mode, and Use of Hard-coded Credentials vulnerabilities in the Ypsomed mylife diabetes management platform.

  • Schneider Electric C-Bus Toolkit
    on July 14, 2021 at 3:40 am

    This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the Schneider Electric C-Bus Toolkit.

  • Schneider Electric SCADApack RTU, Modicon Controllers, and Software
    on July 13, 2021 at 3:35 pm

    This advisory includes mitigations for Insufficiently Protected Credentials, Authentication Bypass by Spoofing, Deserialization of Untrusted Data, and Missing Encryption of Sensitive Data vulnerabilities in Schneider Electric SCADApack RTU, Modicon Controllers and associated software products.

  • Siemens PROFINET Devices
    on July 13, 2021 at 3:30 pm

    This advisory contains mitigations for an Allocation of Resources Without Limits or Throttling vulnerability in Siemens PROFINET Devices.

  • Siemens SINUMERIK Integrate Operate Client
    on July 13, 2021 at 3:25 pm

    This advisory includes mitigations for an Improper Certificate Validation vulnerability in the Siemens SINUMERIK Integrate Operator client.

  • Siemens SIMATIC Software Products
    on July 13, 2021 at 3:20 pm

    This advisory includes mitigations for a Classic Buffer Overflow vulnerability in Siemens SIMATIC Software Products.

  • Siemens SIMATIC Software Products
    on July 13, 2021 at 3:15 pm

    This advisory includes mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Siemens SIMATIC Software Products.

  • Siemens Industrial Products LLDP
    on July 13, 2021 at 3:10 pm

    This advisory includes mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities in Siemens Industrial Products (LLDP).

  • Siemens Solid Edge
    on July 13, 2021 at 3:05 pm

    This advisory includes mitigations for a Heap-based Buffer Overflow in Siemens Solid Edge products.

Sophisticated cyber terrorists and nation-state actors are working around the clock to disrupt your service. The risk of an attack on your systems is increasing. Redbot Security has a proven track record and can quickly help to secure your industrial control systems.

Testing is useless unless it achieves actionable results. With Redbot you get reports written by experts that highlight key data and exactly how targets were compromised, as well as best-practice recommendations and a complete review of remediation recommendations.

Redbot Security is a complete service provided by our team of ICS/SCADA experts to ensure that vulnerabilities are minimized and that your defenses are running in top shape by offering the following:

  • ICS/SCADA Risk & Vulnerability Assessments
  • Penetration Testing (black-box, gray-box, white-box)
  • Real-World Attacker Tactics and Techniques – Controlled Manual Penetration Testing without Interruption
  • Actionable and easy-to-follow results – Risk Rating (NIST), Exploit Storyboard and Remediation Recommendations
  • Security Program Development and Deployment
  • ICS Security Controls

ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).

SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. SCADA systems consist of both hardware and software. Typical hardware includes a master terminal unit (MTU) placed at a control center, communications equipment (e.g., radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of either a remote terminal unit (RTU) or a programmable logic controller (PLC), which controls actuators and/or monitors sensors.

Major security objectives for an ICS implementation should include the following:

  • Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
  • Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
  • Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
  • Restoring system after an incident. Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.

Our Critical Infrastructure Sr. Level Engineers have more than just penetration testing skills and also come equipped with deep knowledge in networks and physical security.

Redbot Security Red Team Experts

Redbot Security’s experts are equipped with additional skill sets including network and physical security knowledge.

Personnel within our combined project team are Certified Incident Responders and Industrial Control System certified, with training that includes: Incident Command System (FEMA); U.S. Department of Homeland Security Cyber Emergency Response Team courses (OPSEC, Influence of Common IT Components on ICS, Mapping IT Defense to ICS, Current Trends in ICS Threats and Vulnerabilities, IT and ICS Attack Methodologies, ICS Domains, Determining the Impacts of a Cybersecurity Incident); Certified Information Systems Security Professional (CISSP); Certified Cloud Security Professional (CCSP); GIAC Penetration Tester (GPEN); GIAC Web Application Penetration Tester (GWAPT); EC-Council Certified Ethical Hacker (C|EH); Certified Digital Forensic Examiner (CDFE), Defense Cyber Crime Institute (DCITA), DoD; Certified Digital Media Collector (CDMC), Defense Cyber Crime Institute (DCITA), DoD; Certified Information Assurance Security Officer (IASO), DoD; Penetration Certification; Security+; CCNP; CCNA; CCDP; CCDA; MCSE; A+; CWNA; CWDP; and a variety of firewall and network solution certifications.


Performing Industrial Control System Vulnerability Assessments

Organizations should perform a risk assessment for their ICS systems and use its results to prioritize those systems based on the potential impact to each. However, because of the potential for disruption to the devices, vulnerability scanners should be used with caution on production ICS networks. A major concern is an accidental DoS to devices and networks: vulnerability scanners often attempt to verify vulnerabilities by extensively probing and conducting a representative set of attacks against devices and networks. ICS were designed and built to control and automate real-world processes or equipment. Given the wrong instructions, they could perform incorrect actions, causing product loss, equipment damage, injury, or even deaths.

Identifying the vulnerabilities within an ICS requires a different approach from that of a typical IT system. In most cases, devices on an IT system can be rebooted, restored, or replaced with little interruption of service to its customers. An ICS controls a physical process and therefore has real-world consequences associated with its actions. Some actions are time-critical, while others have a more relaxed timeframe.

When performing an inventory or vulnerability scan on a system or network segment, there are several steps that are generally performed. These techniques may make the work somewhat more difficult, but should help to mitigate problems associated with active scanning.

To be identified: Hosts, nodes, and networks
Usual IT action: Ping sweep (Nmap)
Do this instead (ICS action):
  • Examine router configuration files or route tables
  • Perform physical verification (chasing wires)
  • Conduct passive network listening or use intrusion detection (e.g., Snort) on the network
  • Specify a subset of IP addresses to be programmatically scanned

To be identified: Services
Usual IT action: Port scan (Nmap)
Do this instead (ICS action):
  • Do local port verification (e.g., netstat)
  • Scan a duplicate, development, or test system on a non-production network

To be identified: Vulnerabilities within a service
Usual IT action: Vulnerability scan (Nessus)
Do this instead (ICS action):
  • Perform local banner grabbing with version lookup in Common Vulnerabilities and Exposures (CVE)
  • Scan a duplicate, development, or test system on a non-production network
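The following is an added example, not code from Redbot Security or from NIST SP 800-82, showing the "do this instead" column in working form: hosts and services are derived from traffic the segment already carries (what a SPAN-port capture or an IDS such as Snort sees), discovery is restricted to an explicitly chosen address range, and the version check matches a locally collected banner against an advisory table instead of probing the device. Every frame, MAC address, banner and advisory entry is constructed for illustration; the advisory id is a placeholder, the `ExampleHMI` product name is fictitious, and the port-to-protocol labels are an assumption about what is in use on the assessed segment.

```python
"""Passive ICS inventory: hosts and services from observed traffic, plus a
local banner-to-advisory lookup, without sending a single probe packet.
Added example; all data below is constructed."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Frame:
    """Summary of one observed packet (constructed; a real feed would come
    from a pcap parser or an IDS event stream)."""
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    tcp_flags: str = ""   # "S", "SA", "PA", ...; empty for UDP


# Labels only name what was seen; assumption: these well-known ICS ports.
ICS_PORT_LABELS = {102: "s7comm", 502: "modbus/tcp", 4840: "opc-ua",
                   20000: "dnp3", 44818: "ethernet/ip"}


def build_inventory(frames, scope_cidr):
    """Return {ip: {"mac": str, "services": {(port, proto)}}} for hosts inside
    scope_cidr. A host is recorded when it sends (that is how its MAC is
    learned). A service is recorded only when the host itself answered: a TCP
    SYN/ACK, or a UDP datagram sent from a known ICS port. Client SYNs never
    create services, so a connection attempt is not mistaken for a listener."""
    scope = ipaddress.ip_network(scope_cidr)
    hosts = {}
    for f in frames:
        if ipaddress.ip_address(f.src_ip) not in scope:
            continue  # traffic sourced outside the agreed range is ignored
        host = hosts.setdefault(f.src_ip, {"mac": f.src_mac, "services": set()})
        if f.proto == "tcp" and f.tcp_flags == "SA":
            host["services"].add((f.src_port, "tcp"))
        elif f.proto == "udp" and f.src_port in ICS_PORT_LABELS:
            host["services"].add((f.src_port, "udp"))
    return hosts


def describe(hosts):
    """Human-readable service list per host, e.g. '502/tcp (modbus/tcp)'."""
    return {ip: sorted(f"{p}/{pr} ({ICS_PORT_LABELS.get(p, 'unlabelled')})"
                       for p, pr in h["services"])
            for ip, h in hosts.items()}


# Assumed banner shape "<Product>/<version> ..."; real banners vary by product.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<ver>\d+(?:\.\d+)*)")

# Constructed advisory table: product -> (first fixed version, advisory id).
# In practice this is filled from the CVE/advisory feed; the id is a placeholder.
ADVISORIES = {"ExampleHMI": ("2.3", "ADVISORY-PLACEHOLDER-001")}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def check_banner(banner):
    """Return the advisory id if the banner's version predates the fix; None
    for a current version, an unknown product, or an unparsable banner."""
    m = BANNER_RE.match(banner)
    if not m or m["product"] not in ADVISORIES:
        return None
    fixed, advisory = ADVISORIES[m["product"]]
    return advisory if version_tuple(m["ver"]) < version_tuple(fixed) else None


# Constructed capture: workstation, PLC, HMI and RTU on 10.10.1.0/24, plus one
# out-of-scope host that must not appear in the inventory.
SAMPLE_FRAMES = [
    Frame("00:11:22:00:00:20", "10.10.1.20", 51234, "10.10.1.5", 502, "tcp", "S"),
    Frame("00:11:22:00:00:05", "10.10.1.5", 502, "10.10.1.20", 51234, "tcp", "SA"),
    Frame("00:11:22:00:00:10", "10.10.1.10", 80, "10.10.1.20", 51300, "tcp", "SA"),
    Frame("00:11:22:00:00:30", "10.10.1.30", 20000, "10.10.1.10", 20000, "udp"),
    Frame("00:11:22:00:00:99", "10.20.0.5", 443, "10.10.1.20", 51400, "tcp", "SA"),
]


def demo():
    inventory = build_inventory(SAMPLE_FRAMES, "10.10.1.0/24")
    # Banner collected locally on the HMI (constructed), not by remote probing.
    return describe(inventory), check_banner("ExampleHMI/2.1 (build 17)")


if __name__ == "__main__":
    services, finding = demo()
    for ip, svc in sorted(services.items()):
        print(ip, svc)
    print("banner finding:", finding)
```

The scope check runs before anything is recorded, which mirrors the "specify a subset of IP addresses" row: nothing outside the agreed range enters the report even if the capture happens to contain it. The version comparison is numeric per component, so `2.10` is correctly treated as newer than `2.3`; a plain string comparison would get that wrong.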

NIST 800-82 r2 Defense-in-Depth Strategy for Industrial Controls

In a typical ICS this means a defense-in-depth strategy that includes:

  • Developing security policies, procedures, training and educational material that applies specifically to the ICS. Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.

  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.

  • Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

  • Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).

  • Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).

  • Ensuring that critical components are redundant and are on redundant networks.

  • Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.

  • Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.

  • Restricting physical access to the ICS network and devices. Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).

  • Considering the use of separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).

  • Using modern technology, such as smart cards for Personal Identity Verification (PIV). Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.

  • Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.

  • Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.

  • Tracking and monitoring audit trails on critical areas of the ICS.
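The following is an added example, not text from NIST SP 800-82 or tooling from Redbot Security. It turns the two items above that are easiest to get wrong in practice, logical separation between the corporate and ICS networks and a DMZ that prevents direct traffic between them (the same requirement stated under "Restricting logical access" earlier on this page), into an audit that can be run over a firewall policy. The zone ranges and the rule format (action, source CIDR, destination CIDR, destination port) are a constructed abstraction rather than any vendor's syntax, and both rulesets are constructed; a real policy would be exported and translated into this shape before the audit runs.

```python
"""Audit a zone firewall policy for corporate<->ICS flows that bypass the DMZ.
Added example; zones, rule format and rulesets are constructed."""
import ipaddress

# Constructed zones for the assessed site (assumption: three flat ranges).
ZONES = {
    "corporate": ["10.1.0.0/16"],
    "dmz":       ["10.5.0.0/24"],
    "ics":       ["10.10.0.0/16"],
}


def zones_touched(cidr):
    """Set of zone names whose address space overlaps `cidr`. An 'any' rule
    (0.0.0.0/0) overlaps every zone, which is why such rules surface as
    findings: they silently include a corporate<->ICS path."""
    net = ipaddress.ip_network(cidr)
    return {name for name, nets in ZONES.items()
            if any(net.overlaps(ipaddress.ip_network(n)) for n in nets)}


def audit(rules):
    """Return [(rule_index, reason, rule)] for every allow rule that either
    lets the corporate and ICS zones talk directly (either direction) or
    opens every port toward the ICS zone. Deny rules are never findings."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src, dst = zones_touched(r["src"]), zones_touched(r["dst"])
        direct = ("corporate" in src and "ics" in dst) or \
                 ("ics" in src and "corporate" in dst)
        if direct:
            findings.append((i, "direct corporate<->ICS flow bypasses DMZ", r))
        elif "ics" in dst and r["dport"] == "any":
            findings.append((i, "all ports open toward ICS zone", r))
    return findings


def rule(action, src, dst, dport):
    return {"action": action, "src": src, "dst": dst, "dport": dport}


# Weak policy (constructed): corporate users reach a historian inside the ICS
# range directly, and a vendor jump box in the ICS range accepts SSH from any
# source, which includes the corporate network.
WEAK_RULES = [
    rule("allow", "10.1.0.0/16", "10.10.0.50/32", "any"),
    rule("allow", "0.0.0.0/0", "10.10.0.200/32", 22),
    rule("deny",  "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# Corrected policy (constructed): corporate reaches a replica historian in the
# DMZ over HTTPS; only that DMZ host may pull Modbus data from the ICS range;
# everything else is denied, so no corporate<->ICS rule exists at all.
CORRECTED_RULES = [
    rule("allow", "10.1.0.0/16", "10.5.0.10/32", 443),
    rule("allow", "10.5.0.10/32", "10.10.0.0/16", 502),
    rule("deny",  "0.0.0.0/0", "0.0.0.0/0", "any"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, "findings:")
        for idx, reason, r in audit(rules):
            print(f"  rule {idx}: {reason} -> {r}")
```

The audit is deliberately based on zone overlap rather than exact CIDR equality, so a rule written as `0.0.0.0/0` or as a supernet that happens to contain both zones is caught just as a rule that names the ranges explicitly would be. Running the same check on every policy change, for example in a pre-deployment pipeline, is one way to keep the separation from eroding as exceptions accumulate.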
