Mission: Find vulnerabilities in my lab's PLC in the easiest and fastest way possible!

-



Mission: Find vulnerabilities in my lab's PLC in the easiest and fastest way possible!


Let me introduce a very easy use case for managing a old PLC in my room. Since I didn't have any special physical collection equipment at home, I just ran '#Edge' on my laptop (VM-EWS) on the same network as the PLC and the results were quickly delivered to the solution's analysis server in the cloud. That's all I did. Let’s take a look at what I get with this simple action.

Ta-da! I'm glad to see detailed information, starting with the same graphical images of the PLC that would have been hard to see in my dark room through the solution GUI.


[Asset Management]

  • First of all, not only the IP and MAC, but also the manufacturer, device type, Purdue level, model, firmware version and rack/slot of my PLC were automatically detected.


[IR Management]

  • Okay, now I will add additional information / label such as contact and physical location through the solution GUI for my PLC. The reason is to follow my own SoP/Playbook to respond quickly if incidents occur on my PLC.


[Risk Management]

  • Through the solution, I can see security vulnerabilities and found out that the 'Firmware' version of my PLC is 'Outdated'. From a management perspective, a 'Risk Simulator' in the solution allows me to understand how much security can be improved by supplementing relevant risk factors through an automatically reflected/changed 'Risk Score'. That's really useful!


[Vulnerability Management]

  • Next, I can find the list of CVEs that perfectly match my PLC model and version. Among these, looking at ICSA-22-041-01 (including CVE-2021-37205, CVE-2021-37204, and CVE-2021-37185), I found that my PLC can be affected through DoS by unauthenticated attackers sending prepared packet over port 102/tcp. 


[Patch Management & Mitigation]

  • According to the 'Recommendation' of CVEs presented by the solution, my PLC belongs to the SIMATIC S7-1200 CPU family, so I need to prepare 'Update to v21.9.4 or later'. The problem is that updates are not possible right away. As a workaround, I plan to integrate the solution with firewalls to automatically implement enhanced policies for the port (102/tcp) and unmanaged communications.


Let me summarize: "Mission cleared with a latest CPS/OT solution"

  • Starting with using this data/information provided by the solution by simply running a 'Edge' on my host, I could eventually make plans for management of 'Asset/Vulnerability/Risk & Incident Response' in relation to the requirements listed in #NIS2.
  • I wanted to share my real-experience of OT security in a very simple and easy way by utilizing the latest technology solution.

#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안

Comments

Post a Comment

Popular posts from this blog

Don't confuse DCS, PLC and SCADA in front of OT specialists

-
Image
DCS, PLC and SCADA are not the same. If you keep talking only about PLC security in front of the Oil&Gas industry executives where DCS is the main focus, they will not recognize you as a proper expert. We need to understand the characteristics of OT systems such as DCS, PLC, and SCADA accurately, also respect each OT culture uniquely and finally approach the sites in the right way. Don't be confused, here’s a clear and accurate explanation of DCS, PLC, and SCADA . 1. Distributed Control System (DCS) Concept A DCS (Distributed Control System) is an automated control system used for large-scale industrial processes that require continuous operation and high reliability. It consists of multiple controllers distributed throughout the system, which communicate with each other to manage complex processes. Key Features Used in large-scale, continuous processes (e.g., oil refineries, power plants). Decentralized control architecture with multiple controllers working together. Pr...
Read more

Top 20 Threat Scenarios & Playbooks for OT Security

-
Image
A comprehensive list of 20 threat scenarios in OT security along with detailed descriptions and detection rules that can help identify and respond to these threats. This playbook-style table covers different types of attacks—from unauthorized access to insider abuse—with corresponding rules and indicators to alert security teams. # Threat Scenario Detailed Description Detection Rules & Indicators 1 Unauthorized Remote Access Attempt An attacker uses stolen or weak credentials to access OT networks remotely. - Log Analysis: Monitor VPN/RDP logs for unusual login times, geolocation mismatches, and failed/successful login bursts. - User Behavior Analytics (UBA): Alert on deviations from normal remote access patterns. - Anomaly Detection: Trigger an alert when a remote session is initiated from an unusual IP or geographic region. 2 Malware/Ransomware Infiltration in OT Network Malicious code is introduced into the OT network via compromised endpoints or phishing, potentially encr...
Read more

Let's create our own ICS Labs in the VMs!

-
Image
Let's create our own ICS Labs in the VMs: A Step-by-Step Guide Building an Industrial Control System (ICS) lab in a virtualized environment allows security researchers, engineers, and penetration testers to safely simulate industrial networks, study threats, and test security defenses. Below is a detailed step-by-step guide to creating an ICS lab , including HMI, EWS, PLC, and other critical components. 1. Lab Architecture Overview Key Components in an ICS Lab: HMI: Graphical interface for controlling industrial processes. Engineering Workstation (EWS): Used to configure PLCs and SCADA systems. PLC: Controls physical processes (e.g., motors, valves). SCADA System: Supervisory control and monitoring of ICS networks. Historian: Logs and stores process data for analysis. Networking Components: Virtualized switches, routers, and firewalls to segment ICS networks. Attacker Machine: Kali Linux or Metasploit for penetration testing. 2. Choosing the Virtualization ...
Read more