It’s that time of year again — pack your bags; we’re going to Vegas in August 🔥. ICS security is often featured at general infosec conferences with attack presentations and exploitation stories. Not saying they are all FUD, but it can be hard to decipher which “Hackerz can shut down the Gridz” talk is ironic or serious.
As industrial security professionals attending Black Hat and DefCon presentations, here’s what to watch out for: good, bad, and ugly. Also, memes…
Note: SynSaber will be out at Black Hat! Join us for music, beverages, or just to chill (https://synsaber.com/news-and-events/black-hat-2022/)
Critical Infrastructure Under Attack
The severity and frequency of ICS attacks seem to be increasing, but keep in mind that the sample size is still incredibly small compared to enterprise. While we now have use cases of specific ICS attack events, it’s important to remember that having a meaningful impact on critical infrastructure is still difficult.
These events and the malware associated with them are a wealth of technical knowledge but beware of these phrases and claims that often overblow the threat:
- Overuse of named malware or attacks as proof of ICS fragility
- STUXNET, Ukraine, Colonial, and ALLCAPSMALWARE are great use cases that warrant discussion, but often are used as blunt objects to prove a point.
- Nation-state presence and impact claims
- $NationState is in our grid and can “flip the switch” at any time. Of course, it’s much more complicated than that (It’s not a single grid, but a collection of…), let alone the enormous geopolitical implications of such an attack. Don’t let current political climates overhype the threats to our critical infrastructure..
MacGyver-Like Exploitation Methods
Attack research is always of high interest and therefore popular at Black Hat and DefCon. When it comes to ICS, the ingenuity of attackers makes for exciting research material, but sometimes the reality of execution is lost. The good talks dive into the attack paths necessary to exploit and the ability (or not) to disrupt operations.
Remember, it’s not enough to just get root in ICS, and if the exploitation prerequisites seem insane, they probably are. Here are some red flags in attack and exploitation talks to consider.
- Stunt hacking techniques that require a ton of logical and physical access in order to be successful.
- Attack scenarios that lack context on the potential impact to operations and solely focus on the presence of a vulnerability.
- Bridging “Air Gaps” in new and exciting ways. While it’s fun to see how an attacker with full control of a system can create an exfiltration path using radio waves and morse code, it’s hard to understand how this is practical in any way.
ZOMG, ICS is Connected to the Internet
An increasingly common add-on to any presentation about ICS security is this notion that critical infrastructure is much more accessible. While accurate in most respects, it is still uncommon for critical infrastructure to be connected and accessible directly to the internet. But what about insert screenshot of ICS devices on Shodan?!?!
These exposed devices represent a small fraction of real critical infrastructure systems and subsystems worldwide. While finding ICS on Shodan is never a good thing, it’s not the harbinger of doom as sometimes presented. Think twice if you hear some of these phrases or claims in a presentation:
- Anything presented as “easy” and discounting or missing completely the necessary steps to access critical infrastructure. These typically involve exploitation and pivoting through enterprise networks, and then exploitation and pivoting through ICS networks.
- No, your local power plant is not accessible on the internet, even if you searched for port 502 on Shodan. Understanding that any industrial system accessible on the internet is one too many, it’s not common that actual critical infrastructure is online.
Have Fun, and Stay Hydrated
Going to hacker summer camp and seeing the latest and greatest presentations on security topics is always fun. For ICS, keep in mind that we are still often over-hyped by those new to the industry or looking to make a splash.
If you hear some of these ICS security presentation red flags in Vegas, take the opportunity to discuss (respectfully) the context with the presenter or researcher. Resist the temptation to create “more of a comment than a question” type of interactions, but take the chance and help educate when possible.
🚰 Papa Ron Safety Moment: Stay hydrated! Please, please, please… it’s like the surface of the sun out there, complicated by lack of sleep and too many beverages. Stay safe, and we’ll see you at Black Hat!