ICS Packet Analysis Workshop

The course has two sections.  The first section explains control system functions to IT/IS people.  This includes PLC design and operation and why things are they way they are today in ICS network environments.  It also includes basic information on how to identify ABB, Honeywell, Emerson, Telvent, Siemens, Rockwell and BACNet network connections.  It also explains in great detail, the Modbus and DNP3 protocols and how to manually decode them.  The second section has three labs which take the student through decoding the Modbus protocol, detailed Wireshark analysis techniques and then running an automated NSM tool.

Lab 1: Use Wireshark to sharpen your network analysis skills on SMB, DNS and Modbus protocols.  You will learn how to manually decode a couple of Modbus messages.  Two anonymized pcaps are included in the lab for the students to analyze from the real world.

Lab 2: Use Wireshark, a Modbus PLC Simulator and Metasploit to simulate attacks.  The student first generates some traffic from Metasploit on their own machine (I provide a VM of Kali on a USB stick).  I provide the wireless link and a windows machine with a Modbus PLC Simulator (https://sites.google.com/site/plcsimulator/).  The students connect to the wireless and send data to the PLC simulator from Metasploit and collect it on Wireshark.  The students then identify what the Modubs client and Schneider Stop/Start PLC modules actually do to the Modbus system on a byte level. The student will also learn about the attack modules in Metasploit for Rockwell and Siemens systems during this lab.

Lab 3: Use an NSM tool to automate most of the analysis on the same pcaps they generated before as well as run a pre-made pcap to review the indicators moving across the network such as logins, file operations and DNS operations.

The students need to have a laptop with Wireshark running and Kali Linux running.

A USB stick is provided with the following information:

– Training Slidedeck in PDF format
– 2 PCAPS to manually analyze in wireshark
– PDF of Berkeley Packet Filtering format explanation
ICS-CERT Year in Review reports for 2015 and 2016
– PDF of Metasploit Cheat Sheet from SANS
– PDF of NIST 800-82 and Cybersecurity Framework for ICS
– Kali Linux VM download for VMWare, VirtualBox and Hyper-V

Your Instructor – Dennis Murphy – BIO:
Designing, installing and maintaining process automation networks is where I started my career 25 years ago. Most of my experience with SCADA systems was integrating data between the IT and OT networks. In 2005, I realized how security was more of an afterthought in my work and I shifted my focus to securing ICS networks. Now I am turning into a network security monitoring (NSM) professional and using this technology to help ICS engineers understand the impacts their design decisions have on the security of control system networks. I focus on providing practical solutions to meet national critical infrastructure cyber security requirements. My main interest is in bridging the gap between the information technology (IT) security requirements and operational technology (OT) security requirements. Those requirements are not synchronized and causes much confusion and heartache in the industry.

There are only 40 seats available! Workshop tickets are free, but you most have an event ticket as well to participate in the workshops. The workshop ticket reserves your seat. Individuals who arrive 15 minutes after the class start time will have their seat will be released. 

Get your tickets here: https://bsidesorlando2018.eventbrite.com