Welcome to PHOENIX CONTACT Industrial network security seminar – Matt Cowell, Phoenix Contact ASE – North Central

TRANSCRIPT

Page 1

Welcome to PHOENIX CONTACT

Industrial network security seminar

Matt Cowell, Phoenix Contact, ASE – North Central

Page 2

Who am I?

Matt Cowell, ASE (Automation Sales Engineer) – Central region
Tenure – joined Phoenix Contact Jan 2008
Located Gurnee, IL (north of Chicago)
Responsible for all Automation product sales in the Central Region
Automation product responsibility includes Ethernet, controllers and software, industrial PCs, HMIs, I/O and wireless
Territory includes IL, WI, MN, MO, IA, KS, NE, ND, SD
Background – various engineering roles, with later years focused in process automation

2 | Presentation | Matt Cowell | ASE Central | 25 April 2012

Page 3

Agenda

Industrial networking introduction
Recent product vulnerabilities
Case studies of recent security breaches
'Typical' network layouts and comparisons to IT
Introduction to basic hacking techniques
Live demonstration of hacking techniques used, highlighting ease of implementation on a live network
Offering simple countermeasures and prevention
How mGuard can help
Remote connectivity review
More secure remote connectivity options to consider

Page 4

Objectives of this seminar

Not intended as a class in hacking to teach would-be hackers
Raise awareness of often overlooked vulnerabilities
Offer simple concepts and solutions for improved security

Page 5

WARNING!

Lots of TLAs and other acronyms

Page 6

Why consider security now?

Scope of industrial networks has grown beyond conventional "switch only" networks (layer 2)
Device access from the IT/enterprise network is desired
Remote access to SCADA systems is required for support
Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)
Vulnerabilities are being discovered daily
Increase in network devices, and trends are relying upon use of 'the cloud'
Few standards in place yet to enforce security
Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don't wait for Stuxnet 2.0
Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon, Stars all made news headlines)

Page 7

You already know physical security…

Cameras and surveillance – analogous to IDS (Intrusion Detection System)/logging
Access control – access based upon credentials – analogous to account/password control policy
Perimeter security – fences, gates, locks – analogous to firewalls
Alarms – analogous to Email/SMS/SNMP/HMI alarms, SIEM (Security Information & Event Management) or IDS
Security guard – analogous to an IT/security focused professional
We generally take physical security very seriously

Page 8

Typical industrial network – machine

Typical production network interface: often a switch, sometimes a router

Page 9

Characteristics of an Ind. Eth. network

Often engineer governed
Desire high speed (typically small data transfer – bits vs. MB)
Deterministic
Acceptable latency typically measured in ms
High reliability data transfer in a rugged form factor
Typically comprising various protocols (Modbus TCP, DNP3, EtherNet/IP)
Interconnected via various media (fiber, copper, wireless, leased lines etc.)
Originally isolated islands (no WAN or internet connectivity)
Longer system life cycle = more older technology and OS

Page 10

Typical Enterprise network

Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)

Internet

Page 11

Industrial link to Enterprise?

Why use a router/firewall here? (Diagram: Enterprise/Company level – Internet – Router/Firewall – Production Floor level – Machine/Cell/Line level; vertical labels 'Access' and 'Throughput')

Limit excess traffic – the control network doesn't need to be burdened with excess traffic (broadcasts etc.) from the enterprise network
Security – Engineering can control who/what can access the control network
Simplification of IP addresses – often machine IP addresses come preset; a router can provide network access without changing IP addresses on control devices

Page 12

The cyber threat is real….

Page 13

Types of cyber incident

Auditing – legitimate attack/test, vulnerability assessment
Accidental – broadcast storm, misconfiguration, faulty product, wrong IP etc.
Non-malicious intrusion – monitoring data, stealing information etc.
Malicious intrusion – bad intentions/causing harm, breaking something (equipment/process/data)

Page 14

A few recently discovered vulnerabilities

All confirmed and published by US-CERT (DHS)

Schneider
– ICS-ALERT-11-346-01—SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
– ICSA-11-277-01—SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
– ICSA-11-307-01—SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES

Siemens
– ICSA-11-356-01—SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
– ICS-ALERT-11-332-02A—SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
– ICS-ALERT-11-186-01—PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
– ICS-ALERT-11-161-01—SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES

Page 15

…more recently discovered vulnerabilities

Rockwell Automation
– VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
– ICSA-10-070-01A-UPDATE—ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
– ICS-ALERT-10-194-01—OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
– ICSA-11-273-03A—ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY

Others
– ICS-ALERT-11-080-02—MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
– ICSA-11-173-01—CLEARSCADA REMOTE AUTHENTICATION BYPASS
– ICSA-11-332-01—INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
– ICSA-11-243-03A—GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY

Page 16

Network security breach case study: Stuxnet

The industrial virus that brought mass media attention
Complex rootkit exploiting 4 x zero-day exploits
Designed to attack Siemens control networks and the Windows OS
Used stolen digital certificates to look inconspicuous
Could manipulate PLC logic and network traffic
Automatically spreads via USB jump drive
Reports updates back to an internet server
Targeted Iran's uranium enrichment centrifuges, causing significant damage, but also spread worldwide
Suspected to be a state-sponsored virus
It has a 'kill date' coded into it to stop spreading on 6/24/12

Page 17

Network security breach case study: South Houston wastewater facility

On Nov 18th 2011 a hacker named 'Pr0f' breached South Houston's network as a reaction to DHS downplaying a suspected security breach in IL
He posted his rant and HMI screenshots on pastebin.com
Took advantage of a Siemens vulnerability, using a 3-character default password to gain access to a publicly available HMI
The breach wasn't malicious but could have been
He could have affected processes, causing harm, as well as accessing site documentation and drawings
He could also have placed a virus on the network to cause harm/gain access at a later date
No official announcement was made other than that the DHS and FBI are investigating further

Page 18

Network security breach case study: Maroochy Shire wastewater facility

Disgruntled former contractor gained access via an insecure wireless network
Released 264,000 gallons of sewage into rivers
Responsible for killing marine life, not to mention creating a stench for residents
This occurred over a 3-week period; no one noticed for the first 2.5 weeks
He was later arrested and sentenced to prison

Page 19

Even Big Bird can't help you!

Page 20

Why do people 'hack'?

There are a number of motivators, including: ego, criminal, political/spying, hacktivism, terrorism, war, personal gain, corporate gain, sabotage, retribution, personal concern

Page 21

How do people hack?

Inside job/disgruntled employee – abusing network privileges
Sniffing – intercepting network traffic, ARP spoofing. Unsecured messages (HTTP, SNMP v1 & 2) may contain passwords in plain text
Password cracking – exploiting defaults, password generator, phishing, keylogging, brute force
DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device
Spoofing – firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it's from a legitimate source, to get access and hijack a session. Cyber imposter
Wireless attack – using packet captures and decryption tools it's possible to extract the WEP key of a wireless AP
Virus/Worm – self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread
Trojan – malicious code attached to a legitimate file; once run, it compromises the system by giving access to a hacker(s) as a virus would
Exploiting vulnerabilities – unpatched systems (missing the latest Windows updates), Stuxnet
Social Engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing

Page 22

How easy is it to 'hack' a facility?

Just ask Google
Wireless breach
Wardriving
If there is no access to the inside network, first have to find it: specialist search engines, public IP and port scans, social engineering via Trojan or phishing
Vulnerabilities – easy targets, publicly available online and being found daily
Dedicated tools to make life easier, as we will see…..

Page 23

Our demonstration scenario (network diagram)

PC (HMI), Master – 192.168.0.100
Attacking PC – 192.168.0.101
PLC, Slave – 192.168.0.102
Lean Managed Switch – 192.168.0.200
Perimeter Router – LAN 192.168.0.1 / WAN 1.2.3.4
Internet – PC on the WAN side

Page 24

1. Explore and learn the network (learning)

Page 25

1. Explore and learn the network

What did we learn?
What subnet they are using (192.168.0.x – i.e. 255.255.255.0)
What devices are on the network (Linksys, LMS, VL, PLC)
– What manufacturer (first 3 bytes of the MAC ID)
– What host name (if used)
What IP addresses/MAC addresses appear vacant for our attacking PC
What traffic is being broadcast and from whom – multicast is visible too with an unmanaged switch

Recommendations:
Regulate who has access to the network – layer 1 prevention
Isolation using routers/VLANs limits what devices can be scanned

Page 26

2. Sniffing (learning cont.)

Page 27

2. Sniffing

What did we learn?
A switch sends traffic to the destination MAC address only; therefore, to sniff someone else's packets, need to do an ARP spoof
Now we can see what devices are communicating with each other (VL–PLC)
What type of traffic is flowing (UDP 44818 – EtherNet/IP)
What device seems to be a router/firewall (192.168.0.1)
The LMS password, as we happened to intercept an HTTP packet from the Valueline to the LMS that contained the password ('phoenix')
Could intercept/modify any unencrypted data – Stuxnet

Recommendations:
Incorporate software or a switch that monitors ARP activity
Encrypt traffic – use HTTPS where possible
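What the "monitor ARP activity" recommendation means in practice, as an added example (this is not Phoenix Contact code and not the tool used in the live demo): a passive watcher keeps an IP-to-MAC table and alerts when an ARP reply claims an IP already bound to a different MAC (the poison that makes the switch deliver HMI–PLC traffic to the attacker), or when one MAC starts answering for several IPs. ARP bodies are built and parsed in software rather than read from a raw socket, so it runs offline. The IP addresses are the demo network's; the trusted MACs and the attacker MAC 00:11:22:33:44:55 are invented for the example.

```python
"""ARP-spoof monitor for the demo subnet (added example, not seminar code)."""
import socket
import struct
from typing import Dict, List, Optional, Set, Tuple

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
OP_REPLY = 2

# Hypothetical known-good bindings, recorded while the network was trusted.
TRUSTED: Dict[str, str] = {
    "192.168.0.1": "00:a0:45:00:00:01",    # perimeter router
    "192.168.0.100": "00:a0:45:00:01:00",  # PC (HMI), master
    "192.168.0.102": "00:a0:45:00:01:02",  # PLC, slave
}


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Encode the ARP body of a reply (what follows the 14-byte Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, OP_REPLY,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       socket.inet_aton(sender_ip),
                       bytes.fromhex(target_mac.replace(":", "")),
                       socket.inet_aton(target_ip))


def parse_arp_reply(body: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (sender_ip, sender_mac, target_ip) for an IPv4/Ethernet ARP reply.

    Requests, other link/protocol types and short frames yield None.
    """
    if len(body) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, body[:ARP_LEN])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, OP_REPLY):
        return None
    return socket.inet_ntoa(spa), sha.hex(":"), socket.inet_ntoa(tpa)


class ArpMonitor:
    """Passive ARP watcher: learns bindings, alerts on conflicts."""

    def __init__(self, trusted: Dict[str, str]) -> None:
        self.ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in trusted.items()}
        self.mac_to_ips: Dict[str, Set[str]] = {}
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips.setdefault(mac, set()).add(ip)
        self.alerts: List[str] = []

    def observe(self, body: bytes) -> Optional[str]:
        """Feed one ARP body; returns an alert string or None."""
        parsed = parse_arp_reply(body)
        if parsed is None:
            return None
        sender_ip, sender_mac, target_ip = parsed
        known = self.ip_to_mac.get(sender_ip)
        # Check 1: a reply contradicting an existing binding is the classic poison
        # (attacker tells the PLC "I am the HMI" and tells the HMI "I am the PLC").
        if known is not None and known != sender_mac:
            return self._alert(f"{sender_ip} is bound to {known} but {sender_mac} "
                               f"claimed it in a reply to {target_ip}")
        if known is None:
            self.ip_to_mac[sender_ip] = sender_mac  # first sighting: learn it
        claimed = self.mac_to_ips.setdefault(sender_mac, set())
        claimed.add(sender_ip)
        # Check 2: one MAC answering for several IPs. Legitimate for a proxy-ARP
        # router, so exempt such devices on a real network.
        if len(claimed) > 1:
            return self._alert(f"{sender_mac} answers for several IPs: {sorted(claimed)}")
        return None

    def _alert(self, text: str) -> str:
        msg = "ARP spoof suspected: " + text
        self.alerts.append(msg)
        return msg


def demo() -> List[str]:
    """Constructed traffic: an honest router reply, the two poisoned replies an
    attacker sends to sit between HMI and PLC, then the same MAC claiming two
    unused addresses. Returns the alerts raised."""
    mon = ArpMonitor(TRUSTED)
    frames = [
        build_arp_reply("00:a0:45:00:00:01", "192.168.0.1", "00:a0:45:00:01:00", "192.168.0.100"),
        build_arp_reply("00:11:22:33:44:55", "192.168.0.100", "00:a0:45:00:01:02", "192.168.0.102"),
        build_arp_reply("00:11:22:33:44:55", "192.168.0.102", "00:a0:45:00:01:00", "192.168.0.100"),
        build_arp_reply("00:11:22:33:44:55", "192.168.0.50", "00:a0:45:00:01:00", "192.168.0.100"),
        build_arp_reply("00:11:22:33:44:55", "192.168.0.51", "00:a0:45:00:01:00", "192.168.0.100"),
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real network the same logic sits behind a promiscuous capture (or on a managed switch's dynamic ARP inspection), and the first-sighting "learn it" step is the weak spot: seed the table from a known-good inventory, as TRUSTED does here, rather than trusting whatever answered first.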

Page 28

3. Port Scanning (learning cont.)

Page 29

3. Port Scanning (learning)

What did we learn?
What ports are open on each device
– TCP
– UDP
Potentially exploit known vulnerabilities & back doors

Recommendations:
Use a firewall when possible
Use logging to notify you of port scans

Page 30

4. DoS Attack

Page 31

4. DoS Attack (network diagram as on page 23)

Attacking PC – 192.168.0.101
PC (HMI), Master – 192.168.0.100
PLC, Slave – 192.168.0.102
Lean Managed Switch – 192.168.0.200
Perimeter Router – LAN 192.168.0.1 / WAN 1.2.3.4
Internet – PC on the WAN side

Page 32

4. Denial Of Service attack

What did we learn?
With the information we collected by learning the network, we can now break it
Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets
This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program

Recommendations:
Use firewalls to control/restrict access
Use managed switches with bandwidth limitation, or routers, to prevent excess traffic
Enable monitors/logging to watch and automatically notify of dangerous traffic levels
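The two logging recommendations above (notify of port scans, page 29; notify of dangerous traffic levels, page 32) come down to two sliding-window checks over per-packet firewall log lines. The following is an added example, not Phoenix Contact code and not the mGuard's log format: the line layout (netfilter-style key=value fields) is hypothetical and parse_line() is the only part to adapt; all log lines are constructed here on the demo addresses.

```python
"""Port-scan and flood detection over firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical line format; real firewalls differ, adapt this regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP|ICMP)(?: DPT=(?P<dpt>\d+))?$")
EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class Event:
    ts: float
    action: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    dst: str
    ts: float
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f") - EPOCH).total_seconds()
    return Event(ts, m["action"], m["src"], m["dst"], m["proto"],
                 int(m["dpt"]) if m["dpt"] else None)


def parse_log(lines: Iterable[str]) -> List[Event]:
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def detect(events: Iterable[Event], scan_ports: int = 10, scan_window: float = 5.0,
           flood_pkts: int = 200, flood_window: float = 1.0) -> List[Alert]:
    """Port scan: one source touches >= scan_ports distinct (dst, proto, port)
    targets within scan_window seconds. Flood: one src->dst pair sends
    >= flood_pkts packets within flood_window seconds. Accepted packets count
    too: an allowed service can still be flooded. Each offender is reported once."""
    alerts: List[Alert] = []
    targets: Dict[str, Deque[Tuple[float, Tuple[str, str, Optional[int]]]]] = defaultdict(deque)
    packets: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    seen_scan: Set[str] = set()
    seen_flood: Set[Tuple[str, str]] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = targets[ev.src]
        q.append((ev.ts, (ev.dst, ev.proto, ev.dpt)))
        while q and ev.ts - q[0][0] > scan_window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= scan_ports and ev.src not in seen_scan:
            seen_scan.add(ev.src)
            alerts.append(Alert("port-scan", ev.src, ev.dst, ev.ts,
                                f"{len(distinct)} distinct targets within {scan_window}s"))
        p = packets[(ev.src, ev.dst)]
        p.append(ev.ts)
        while p and ev.ts - p[0] > flood_window:
            p.popleft()
        if len(p) >= flood_pkts and (ev.src, ev.dst) not in seen_flood:
            seen_flood.add((ev.src, ev.dst))
            alerts.append(Alert("flood", ev.src, ev.dst, ev.ts,
                                f"{len(p)} packets within {flood_window}s ({ev.proto}/{ev.dpt})"))
    return alerts


def sample_log() -> List[str]:
    """Constructed log: the HMI polling the PLC over EtherNet/IP, a TCP sweep of
    the PLC from the attacking PC, then a UDP flood at the PLC's open port 44818."""
    base = datetime(2012, 4, 25, 8, 40, 0)
    lines: List[str] = []

    def add(t: float, action: str, src: str, dst: str, proto: str, dpt: Optional[int] = None) -> None:
        ts = (base + timedelta(seconds=t)).isoformat(timespec="microseconds")
        port = f" DPT={dpt}" if dpt is not None else ""
        lines.append(f"{ts} fw {action} SRC={src} DST={dst} PROTO={proto}{port}")

    for i in range(20):                       # HMI polls the PLC twice a second
        add(i * 0.5, "ACCEPT", "192.168.0.100", "192.168.0.102", "UDP", 44818)
    for port in range(1, 21):                 # attacker sweeps TCP ports 1-20
        add(3.0 + port * 0.05, "DROP", "192.168.0.101", "192.168.0.102", "TCP", port)
    for i in range(300):                      # attacker floods the open port
        add(8.0 + i * 0.002, "ACCEPT", "192.168.0.101", "192.168.0.102", "UDP", 44818)
    return lines


if __name__ == "__main__":
    for a in detect(parse_log(sample_log())):
        print(f"{a.kind:9s} {a.src} -> {a.dst} @ {a.ts:.3f}: {a.detail}")
```

The thresholds are the tuning knobs: a legitimate engineering workstation may touch a dozen ports on a PLC during commissioning, so set scan_ports above what your own tools do and, for the flood check, above the HMI's normal polling rate for that device.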

Page 33

Control the 'inside'

Prevent unnecessary access to industrial devices/network
Use a firewall to control traffic rules
Be careful of open ports and 'backdoors'
Ensure adequate encryption when using wireless (WPA2) & a long, unusual passphrase
Restrict USB drive usage
Be careful of infected internal PCs – a virus or Trojan can run on the inside ('inside job'), cause havoc and send information out
It's claimed 60–70% of all security breaches are carried out by insiders

Page 34

5. Outside Port Scan and DoS

Page 35

5. Outside Port Scan and DoS (network diagram)

Attacking PC – now on the Internet side of the perimeter router
Perimeter Router – LAN 192.168.0.1 / WAN 1.2.3.4 – port forward UDP 44818 to 44818 – 44818 OPEN
Lean Managed Switch – 192.168.0.200
PC (HMI), Master – 192.168.0.100
PLC, Slave – 192.168.0.102

Page 36

5. Outside Port Scan and DoS

What did we learn?
Simple port scans on a public IP address uncover open/unrestricted ports
– 44818 open
The public network is constantly being scanned by scripts looking for open ports/backdoors
Not only can we learn from the outside, but can cause damage also
Don't rely on 'security by obscurity' and don't assume that somebody else has it covered

Recommendations:
Don't open ports without due care – use a VPN instead!
Set firewall rules to restrict any open access
Enable monitors/logging to watch and automatically notify of unknown traffic or dangerous traffic levels

Page 37

6. WIFI cracking (on the outside)

Page 38

6. Gaining access through WIFI crack

What did we learn?
WIFI packets are transmitted over the air for all to see
Using specialist tools it's easy to intercept 802.11 network traffic and collect enough 'samples' to recover a WEP key (WEP's use of RC4 leaks the key statistically from captured traffic, so a longer key only raises the number of packets needed), which can then be used to gain access to the network from afar
WPA (pre-shared key) can be breached too, but requires a bit more time and the use of rainbow tables or brute force against the passphrase
A wireless network could also be jammed rather than penetrated

Some recommendations:
Only use wireless if truly necessary and be aware of the consequences
Use the highest level of encryption available (min. WPA2 for WIFI)
Disable SSID broadcasting (this only hides the network from casual discovery; the SSID is still sent in clear in probe and association frames)
Use long, complex passphrases when possible
Use an Intrusion Detection System (IDS) and logging
Segment wireless networks and place them behind firewalls

Page 39

The solution? (Partial)

mGuard Industrial Router, Firewall and VPN (Diagram: 'Here' and 'There' sites connected across the Internet)

Page 40

Our demonstration scenario (same network diagram as page 23: HMI 192.168.0.100, attacking PC 192.168.0.101, PLC 192.168.0.102, lean managed switch 192.168.0.200, perimeter router 192.168.0.1 / WAN 1.2.3.4, Internet)

Page 41

How would mGuard help in this instance?

Stealth mode – drop-in solution (no changes required to existing devices' IPs or default gateway) – least intrusive to the existing network. (Diagram: the mGuard, with its rules, sits inline between the Lean Managed Switch 192.168.0.200 and the PLC Slave)

Page 42

How would mGuard help in this instance?

Stateful firewall – define rules of access – allow only legitimate access to those who need it. Locked down to those who don't, and all other ports are blocked (potential vulnerabilities or backdoors). Keeps track of connections to prevent illegitimate (spoofed) traffic.

Page 43

Firewall cont.

NOTE: use of a firewall is a common recommendation by US-CERT for posted vulnerabilities

Page 44

How could we prevent this attack?

Extra control – a device that checks packet consistency to block malformed packets (checksum, packet size), regulates use of pings and regulates TCP connections; malformed packets and pings are sometimes used to hack a device

Page 45

How would mGuard help in this instance?

DoS flooding prevention – restrict the number of incoming SYN requests (prevent SYN flood), further ICMP and ARP control

Page 46

How would mGuard help in this instance?

Logging and notification – local logging, remote logging using SYSLOG, SNMP traps

Page 47

6. Inside DoS Attack with mGuard protection

Page 48

6. DoS Attack with mGuard (same network diagram as page 23, with the mGuard inline in front of the PLC Slave 192.168.0.102 as on page 41)

Page 49

6. Denial Of Service attack with mGuard

What did we learn?
The mGuard can easily be dropped into an existing network
Firewall rules are quick and easy to add and allow control to be defined in either direction based upon IP, port and MAC
The mGuard prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
The PLC continues to operate as expected during the attack
The SYSLOG suggests something untoward is happening, as our signal for attention
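To make concrete what the firewall pages (36, 42, 45 and 49) ask of the device in front of the PLC, here is an added example of a stateful packet filter in software. It is not Phoenix Contact code and does not use the mGuard's rule syntax; it models the behaviour: default-deny rules keyed on source, destination, protocol and port; connection tracking so that only replies to allowed traffic pass; an anti-spoofing check that refuses LAN source addresses arriving on the WAN side; and a per-source SYN rate limit. The rules, the interface names and the WAN attacker address 203.0.113.7 are hypothetical; the LAN addresses are the demo network's.

```python
"""Stateful packet filter modelled on the seminar's mGuard rules (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Set, Tuple

LAN = ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: str            # "lan" or "wan": the side the packet arrived on
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False     # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # protocol name or "any"
    dport: Optional[int]  # None = any port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


FlowKey = Tuple[str, Optional[int], str, Optional[int], str]


class StatefulFirewall:
    def __init__(self, rules: List[Rule], syn_limit: int = 20, syn_window: float = 1.0) -> None:
        self.rules = rules
        self.syn_limit, self.syn_window = syn_limit, syn_window
        self.flows: Set[FlowKey] = set()                 # allowed flows, forward direction
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def filter(self, p: Packet) -> str:
        # 1. Anti-spoofing: a packet claiming a LAN source cannot arrive on the WAN side.
        if p.iface == "wan" and ip_address(p.src) in LAN:
            return self._drop(p, "LAN source address arriving on WAN")
        # 2. Established: a reply to a flow we already allowed passes without a rule.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "ACCEPT"
        # 3. SYN flood limit: too many new TCP connections per source per window.
        if p.proto == "TCP" and p.syn:
            q = self.syn_times[p.src]
            q.append(p.ts)
            while q and p.ts - q[0] > self.syn_window:
                q.popleft()
            if len(q) > self.syn_limit:
                return self._drop(p, f"more than {self.syn_limit} SYNs in {self.syn_window}s")
        # 4. First matching rule wins; anything unmatched is dropped (default deny).
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "ACCEPT":
                    self.flows.add(self._key(p))
                    return "ACCEPT"
                return self._drop(p, "explicit rule")
        return self._drop(p, "default deny")

    def _drop(self, p: Packet, why: str) -> str:
        # Stand-in for the syslog line / SNMP trap the seminar uses as the signal for attention.
        self.log.append(f"DROP {p.iface} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} ({why})")
        return "DROP"


RULES = [
    Rule("192.168.0.100/32", "192.168.0.102/32", "UDP", 44818, "ACCEPT"),  # HMI -> PLC EtherNet/IP
    Rule("192.168.0.0/24", "192.168.0.200/32", "TCP", 443, "ACCEPT"),      # LAN -> switch HTTPS admin
]


def demo() -> Tuple[List[str], List[str]]:
    """Replay constructed packets; returns (verdicts, drop log)."""
    fw = StatefulFirewall(RULES)
    pkts = [
        Packet(0.0, "lan", "192.168.0.100", "192.168.0.102", "UDP", 50000, 44818),  # HMI poll
        Packet(0.1, "lan", "192.168.0.102", "192.168.0.100", "UDP", 44818, 50000),  # PLC reply
        Packet(1.0, "wan", "203.0.113.7", "192.168.0.102", "UDP", 40000, 44818),    # outside scan, no port forward now
        Packet(1.1, "wan", "192.168.0.100", "192.168.0.102", "UDP", 50000, 44818),  # spoofed HMI source from outside
        Packet(1.2, "lan", "192.168.0.101", "192.168.0.102", "UDP", 40000, 44818),  # attacking PC on the inside
    ]
    # SYN flood at the switch's HTTPS port from the attacking PC: 25 SYNs in half a second.
    pkts += [Packet(2.0 + i * 0.02, "lan", "192.168.0.101", "192.168.0.200", "TCP", 30000 + i, 443, syn=True)
             for i in range(25)]
    return [fw.filter(p) for p in pkts], fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

Two points the run makes that the slides only state: the PLC's reply is accepted without its own rule because the HMI's request created a tracked flow, while the same PLC-to-HMI packet with no prior request is dropped; and a packet forged with the HMI's address from the WAN never reaches the rules at all, which is why connection tracking plus the interface check defeats the simple spoofing described on page 21.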

Page 50

Other remote connectivity solutions

Dial-up modem – analog lines
Cellular modem – GSM/GPRS
Satellite
3rd-party hosted connection – Citrix, GoToMyPC, WebEx
VPN tunneling
Others? – dedicated circuits (leased line, T1, T3 etc.)

(Diagram: Local ?? Remote)

Page 51

3rd-party hosted connection

Typically a remote desktop type solution, thus requires a PC
Uses a service provided by a 3rd party & special software. The 3rd party acts as a middle man for remote connections
Requires all necessary software and LICENSES to be installed on the remote PC
Potential for security vulnerability as data traverses the public network and the 3rd party's systems
Link is owned and maintained by the 3rd party, therefore becoming reliant upon them
Typically ongoing cost – monthly fees
Slower than a direct connection as traffic has to travel to the 3rd party data center and then on to the destination
Can be relatively slow under limited bandwidth conditions as it is streaming live GUI information

Page 52:

VPN tunneling

- Virtual Private Network connection between VPN routers using encrypted authentication and encrypted data transfer
- Provides complete network access as if you were physically connected to the remote network
- Provides very secure network access across a public network
- Typically used across the internet to provide a secure tunnel
- Requires a higher level of networking/security knowledge
- Can be connected directly to the Internet. If behind another router (i.e. on a private network) a NAT rule or port forward would be required.
- Fast data transfer (70 Mbps is possible with mGuard)


Page 53:

VPN continued

Different types of VPN – open standards:
- IPsec – Internet Protocol Security – end to end
- SSL – Secure Sockets Layer – requires log in via browser
- PPTP – Point to Point Tunneling Protocol – mature technology (its MS-CHAPv2 authentication is known to be breakable, so avoid it for new deployments)
- L2TP – Layer 2 Tunneling Protocol – mature technology

Security – ability to encrypt traffic traversing the internet, authentication to only allow exchanges between approved devices, and ability to prevent message alteration
Authentication – recommend X.509 certificates
Encryption and hashing – 3DES, AES, SHA1 etc (prefer AES and SHA-2 over 3DES and SHA1 where both ends support them)
Firewall
mGuard ports – UDP 500 & 4500, but can encapsulate in TCP also
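To make the port statement concrete, an added example that is not from the seminar: it classifies what arrives on those two ports at an IPsec endpoint, plain IKE on UDP 500, and on UDP 4500 either IKE behind the four-byte non-ESP marker, ESP-in-UDP, or a one-byte NAT keepalive, as RFC 3948 defines them. The packets are constructed header-only samples rather than captures, and the mGuard's TCP encapsulation is proprietary and not modelled.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 for IKEv1, RFC 7296 for IKEv2):
# SPIi(8) SPIr(8) next payload(1) version(1) exchange type(1) flags(1)
# message ID(4) length(4) = 28 bytes, network byte order.
IKE_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "IKEv1 identity protection (main mode)", 4: "IKEv1 aggressive",
    5: "IKEv1 informational", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes precede IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"        # RFC 3948: a single 0xFF byte keeps the NAT mapping open


def parse_ike_header(data):
    """Decode the fixed IKE header; None if the bytes cannot be an IKE message."""
    if len(data) < IKE_HDR.size:
        return None
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    major = ver >> 4
    # declared length must cover the header and never exceed the datagram
    if major not in (1, 2) or length < IKE_HDR.size or length > len(data):
        return None
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "version": major,
        "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
        "next_payload": nxt, "msg_id": msg_id, "length": length,
        # the Initiator bit (0x08) only exists in the IKEv2 flags field
        "initiator": bool(flags & 0x08) if major == 2 else None,
    }


def classify_udp_payload(dport, data):
    """Classify a UDP datagram by destination port and leading bytes."""
    if dport == 500:
        hdr = parse_ike_header(data)
        return {"kind": "ike", **hdr} if hdr else {"kind": "unknown"}
    if dport == 4500:
        if data == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if data[:4] == NON_ESP_MARKER:
            hdr = parse_ike_header(data[4:])
            return {"kind": "ike-nat-t", **hdr} if hdr else {"kind": "unknown"}
        if len(data) >= 8:
            spi, seq = struct.unpack_from("!II", data)
            # ESP SPI 0 is reserved, so a non-zero first word is an ESP header
            if spi != 0:
                return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
        return {"kind": "unknown"}
    return {"kind": "not-ipsec"}


def build_ike_sa_init(spi_i):
    """Header-only IKEv2 IKE_SA_INIT request; real ones carry SA/KE/Nonce payloads."""
    # next payload 33 = SA, version 2.0, exchange 34, flags 0x08 = Initiator, msg id 0
    return IKE_HDR.pack(spi_i, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, IKE_HDR.size)


# Constructed sample datagrams (dport, payload); not captured traffic.
SAMPLES = {
    "ike_udp500": (500, build_ike_sa_init(bytes.fromhex("0011223344556677"))),
    "ike_nat_t": (4500, NON_ESP_MARKER + build_ike_sa_init(bytes.fromhex("8899aabbccddeeff"))),
    "esp_nat_t": (4500, struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)),
    "keepalive": (4500, NAT_KEEPALIVE),
    "stray": (4500, NON_ESP_MARKER + b"junk"),
}

if __name__ == "__main__":
    for name, (port, payload) in SAMPLES.items():
        print(name, port, classify_udp_payload(port, payload))
```

The firewall implication for a receiving mGuard follows directly: UDP 500 and UDP 4500 must be passed (or port forwarded) to its WAN address, and when no NAT sits between the peers the ESP traffic runs as IP protocol 50 rather than inside UDP, so that protocol has to be allowed as well.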

Page 54:

VPN scenario 1 (Remote mGuard receive VPN connection)

This will require IT interaction at each installed location. The IT department will need to ensure that they provide the following:
- A static IP address for the mGuard WAN port
- An internet connection to the mGuard WAN port (through corp network, DMZ, cable modem etc)
- Knowledge of the company's public IP address for the incoming connection (or a DynDNS name if the public address is not static)
- Ensure that the VPN traffic to the public IP address is either port forwarded or NAT'd to the mGuard WAN IP address and the firewall is opened for these ports (UDP 500 & 4500)

[Diagram: Company Network with the Initiator (an mGuard, OR a S/W client) behind the company Firewall; Internet; Firewall at the remote site, marked "IT involvement required here", with rules for ports UDP 500 & 4500; Receiver mGuard on the Remote (machine) network. Arrow shows the flow of initiated traffic from the company network to the remote site.]

Page 55:

VPN Scenario 2 (Remote mGuard initiates VPN connection – RECOMMENDED when possible!)

- Heavily reduces the amount of IT interaction required at the remote end (i.e. your customer's customer)
- Takes advantage of looser outbound firewall rules
- Use the CMD button to initiate the tunnel 'home'
- Can now use DHCP for the WAN IP at the remote end

[Diagram: Remote (machine) network with the Initiator mGuard behind the remote site Firewall; Internet; company Firewall, marked "IT involvement required here", with rules; Receiver mGuard on the Company Network. Arrow shows the flow of initiated traffic from the remote site to the company network.]

Page 56:

VPN Scenario 2 continued

- The receiving mGuard does not require a fixed, physically connected peer: a software client can also connect in, e.g. when 'on the road'
- Compatible with any IPsec VPN client – software/hardware
- Hub and spoke model

[Diagram: hub and spoke. Several Initiators (mGuards on Remote (machine) networks, or a S/W client) behind their own Firewalls; Internet; company Firewall with rules; Receiver mGuard on the Company Network handling up to 250 VPNs. Arrows show the flow of initiated traffic toward the receiver.]

Page 57:

The clock is ticking…

Cybersecurity Act of 2012


Page 58:

Summary - Prevention is better than cure

- Many industrial devices are vulnerable… not just the AB MLX 1100
- An air gap is a good line of defense if possible, but not complete
- Adopt a defense in depth strategy employing various layers of security
- Keep an inventory of networked devices and watch for vulnerabilities/updates
- Implement layer 1 security solutions: lockable panels, patch cables etc.
- Use updated AV/spyware protection and ensure any PCs are routinely patched/updated
- When interconnecting devices/panels use a firewall
- Isolate industrial devices and restrict network access to only those that need it (access control)
- Consider specialist firewall functions (DoS prevention, CIFS monitoring)
- VLANs and MAC filtering can be used to provide some defense using managed switches (a MAC address is trivially spoofed, so treat MAC filtering as a speed bump rather than a control)
- Change default passwords and use 'strong' passwords
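An added example for the inventory and MAC-filtering points (it is not the seminar's or Phoenix Contact's own code): it compares a baseline inventory of the control network against a fresh MAC/ARP scan of the kind the MAC scanner listed under Tools produces, and flags unknown devices, devices that have gone silent, known addresses now answering with a different MAC, and one MAC claiming several IPs, which is the classic sign of ARP spoofing and the reason MAC filtering alone is not a control. Both the baseline and the scan result are constructed for the example.

```python
# Baseline inventory of the control network, constructed for this example:
# IP -> (expected MAC, description)
BASELINE = {
    "192.168.1.10":  ("00:a0:45:11:22:33", "PLC, panel 1"),
    "192.168.1.11":  ("00:a0:45:44:55:66", "HMI, panel 1"),
    "192.168.1.12":  ("00:a0:45:77:88:99", "I/O station, panel 2"),
    "192.168.1.254": ("00:a0:45:aa:bb:cc", "mGuard LAN port"),
}

# Result of a MAC/ARP scan of the same segment, also constructed: one baseline
# device silent, one new host, and one MAC now answering for two known IPs.
SCAN = [
    ("192.168.1.10", "00-A0-45-11-22-33"),
    ("192.168.1.11", "00:0c:29:de:ad:01"),
    ("192.168.1.254", "00:0c:29:de:ad:01"),
    ("192.168.1.37", "00:0c:29:aa:bb:cc"),
]


def normalize_mac(mac):
    """Scanners disagree on case and separator; compare in one canonical form."""
    return mac.lower().replace("-", ":")


def compare_inventory(baseline, scan):
    """Diff a (ip, mac) scan against the baseline and return grouped findings."""
    findings = {"unknown_devices": [], "missing": [], "mac_changed": [], "duplicate_mac": []}
    seen_ips = set()
    first_ip_for_mac = {}
    for ip, raw_mac in scan:
        mac = normalize_mac(raw_mac)
        seen_ips.add(ip)
        # the same MAC at a second IP: one NIC answering for several hosts
        if mac in first_ip_for_mac and first_ip_for_mac[mac] != ip:
            findings["duplicate_mac"].append((mac, first_ip_for_mac[mac], ip))
        first_ip_for_mac.setdefault(mac, ip)
        if ip not in baseline:
            findings["unknown_devices"].append((ip, mac))
        elif normalize_mac(baseline[ip][0]) != mac:
            findings["mac_changed"].append((ip, normalize_mac(baseline[ip][0]), mac, baseline[ip][1]))
    for ip, (_, description) in baseline.items():
        if ip not in seen_ips:
            findings["missing"].append((ip, description))
    return findings


def possible_arp_spoof(findings):
    """Known IPs whose new MAC is also claimed by another IP in the same scan."""
    dup_macs = {mac for mac, _, _ in findings["duplicate_mac"]}
    return [ip for ip, _, new_mac, _ in findings["mac_changed"] if new_mac in dup_macs]


if __name__ == "__main__":
    result = compare_inventory(BASELINE, SCAN)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("possible ARP spoof:", possible_arp_spoof(result))
```

Run this against each new scan and treat every non-empty category as a ticket: an unknown device is an inventory gap or an intruder, a changed MAC is a replaced device or a spoof, and a MAC shared by the HMI's and the mGuard's addresses means someone is sitting in the middle of that conversation regardless of any MAC filter on the switch.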


Page 59:

Summary - Prevention is better than cure

- Use VPN for ALL remote connections
- Restrict use of USB jump drives (disable the PC autorun feature, consider encrypted jump drives, don't allow anyone's stick)
- Restrict/prevent web access to the internet from the control network
- Try to use HTTPS exclusively when using passwords/secure web pages
- Consider using network logging, SNMP, alerts, intrusion detection, honeypots – how else will you know something bad happened?
- When using wireless always encrypt with a minimum of WPA2 for WiFi
- Be aware of smartphone vulnerabilities and their place in SCADA
- Implement an authentication/authorization policy, including how to handle access credentials for former employees/contractors
- Security is not a one-and-done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things
- Security is also more than just a one-product solution – it's a way of life
- Security requires behavioral diligence from EVERYONE

Page 60:

Summary - Prevention is better than cure

- Take ownership, don't assume it is already covered – ask questions
- Take advantage of online resources
- Talk to a specialist and consider getting a vulnerability assessment
- Educate all employees
- Evaluate your system conceptually using the free US-CERT CSET tool (risk analysis)
- Devise a cyber security policy – what are your security goals?
- Devise a response/recovery plan for any potential events and have secure backups of all critical code

Page 61:

The Phoenix Contact products

Function           | SFN Unmanaged Switches    | Unmanaged Switches      | Lean Managed Switch | Managed Compact Switch        | Modular Managed Switch               | Smart Managed Compact Switch (gigabit) | mGuard Router
-------------------|---------------------------|-------------------------|---------------------|-------------------------------|--------------------------------------|----------------------------------------|-------------------------------
Layer              | 2                         | 2                       | 2                   | 2                             | 2                                    | 2                                      | 3
Port flexibility   | Fixed: 5, 8               | Fixed: 5, 8, 16         | Up to 8 ports       | Fixed 16 ports                | Mix cable types & expand to 24 ports | Fixed 8 ports                          | LAN/WAN
Security functions | No                        | No                      | No                  | Yes                           | Yes                                  | Yes                                    | Yes
Message filtering  | No                        | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | Yes
Redundancy         | No                        | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | N/A
Diagnostics        | HW (LED, alarm contact*)  | HW (LED, alarm contact) | HW + SW (Web, SNMP) | HW + SW (Web, SNMP)           | HW + SW (Web, SNMP)                  | HW + SW (Web, SNMP)                    | Yes
Application        | Distributed panels        | Distributed panels      | Central panels      | Central or distributed panels | Central panels                       | Central or distributed panels          | Security, remote access or NAT

Page 62:

Thank You – Questions?

Distrust and caution are the parents of security - Benjamin Franklin


Page 63:

Online Resources

- www.us-cert.gov
- http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
- www.isa.org
- www.nist.gov
- www.phoenixcontact.com
- http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf

Page 64:

Tools

- Wireshark
- NMAP
- Cain and Abel
- Colasoft Packet Builder
- Colasoft MAC scanner
- Brutus
- Backtrack 4 OS
- Ettercap
- Kismet – AirPCAP or Drone
- BeEF
- Metasploit