Author's Posts

Reposting a post from Manjunath Hiregange from GE Vernova (thanks Manjunath!).

Are you interested in learning more about industrial control system (ICS) security, but struggling to find practical training opportunities?

Look no further than GRFICS (Graphical Realism Framework for Industrial Control Simulations) – free and open-source framework.

๐–๐ข๐ญ๐ก ๐†๐‘๐…๐ˆ๐‚๐’, ๐ฒ๐จ๐ฎ ๐œ๐š๐ง ๐ฏ๐ข๐ซ๐ญ๐ฎ๐š๐ฅ๐ข๐ณ๐ž ๐ž๐ง๐ญ๐ข๐ซ๐ž ๐ˆ๐‚๐’ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค๐ฌ ๐š๐ง๐ ๐ฉ๐ซ๐š๐œ๐ญ๐ข๐œ๐ž ๐ž๐ฑ๐ฉ๐ฅ๐จ๐ข๐ญ๐ข๐ง๐  ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐ฐ๐ก๐ข๐ฅ๐ž ๐ฌ๐ž๐ž๐ข๐ง๐  ๐ญ๐ก๐ž ๐ฉ๐ก๐ฒ๐ฌ๐ข๐œ๐š๐ฅ ๐ข๐ฆ๐ฉ๐š๐œ๐ญ ๐ข๐ง ๐š 3๐ƒ ๐ ๐š๐ฆ๐ž ๐ž๐ง๐ ๐ข๐ง๐ž.

The GRFICS framework is designed to virtualize entire ICS networks, including realistic ๐ฉ๐ก๐ฒ๐ฌ๐ข๐œ๐š๐ฅ ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ ๐ฌ๐ข๐ฆ๐ฎ๐ฅ๐š๐ญ๐ข๐จ๐ง๐ฌ. While the initial version of GRFICS virtualizes a chemical process control network with a flat, un-segmented network architecture, the framework is modular and can be customized and expanded to include other types of ICS networks.

Here is a link to the 5 VMs: https://github.com/Fortiphyd/GRFICSv2
5 VirtualBox VMs (๐š 3๐ƒ ๐ฌ๐ข๐ฆ๐ฎ๐ฅ๐š๐ญ๐ข๐จ๐ง, ๐š ๐ฌ๐จ๐Ÿ๐ญ ๐๐‹๐‚, ๐š๐ง ๐‡๐Œ๐ˆ, ๐š ๐ฉ๐Ÿ๐ฌ๐ž๐ง๐ฌ๐ž ๐Ÿ๐ข๐ซ๐ž๐ฐ๐š๐ฅ๐ฅ, ๐š๐ง๐ ๐š ๐ฐ๐จ๐ซ๐ค๐ฌ๐ญ๐š๐ญ๐ข๐จ๐ง) communicating with each other on host-only virtual networks.

A video series walking through VM setup and example attacks is available on the Fortiphyd YouTube channel at https://www.youtube.com/playlist?list=PL2RSrzaDx0R670yPlYPqM51guk3bQjFG5

Read more

No one wants to see a blue screen on a Friday morning!

Not sure if folks are following the news, but a major bug has been identified with CrowdStrike Falcon stemming from a bad update. It is causing blue screens in Windows. Here is a statement from George Kurtz, CEO:

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure theyโ€™re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

There is a manual workaround, which is scriptable:

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching ‘C-0000029*.sys’, and delete it.
  • Boot the system normally.

Just when we thought this was bad enough… Microsoft had an Azure outage. Looks like Azure Central US was down for hours. But had global impacts. Airlines and other major customers all over the world we impacted. some in India reverted to checking in passengers manually in excel spreadsheets. Also affected M365.

“We experienced a Storage incident in Central US which had downstream impact to a number of Azure services. This is currently mitigated; however, we are still in the process of validating recovery to a small percentage of those downstream services. This was communicated to affected customers via the Service Health dashboard in the Azure portal. We are also aware of an issue impacting Virtual Machines running Windows, running the CrowdStrike Falcon agent, which may encounter a bug check (BSOD) and get stuck in a restarting state. While this is an external dependency, we are currently investigating potential options for Azure customers to mitigate and will be providing updates via the status page here: https://azure.status.microsoft/en-gb/status/ as well as our Azure portal, where possible.”

Good luck everyone!

Read more

Hello All. During the last ICS Cybersecurity course I taught some of my students asked me to post some details about configuring an Allen Bradley Micro820 PLC. We use the Micro820 for our labs as it is great name-brand, low-cost PLC with onboard ethernet.ย  Sells for around $400 (not including the power supply)

The Micro820 programmable logic controllers (PLC) includes a nano-sized footprint and is designed for small standalone machine control and remote automation applications that require flexible communications and I/O capabilities. These controllers support up to 36 I/O points with many embedded features such as Ethernet, microSD slot for recipe and data log, and analog I/O. Furthermore, all the software and documentation needed to configure the PLC as well as create some initial programs (e.g., ladder logic, structured text, and/or function blocks) is available for download off Rockwell’s website.

Rockwell Software (CCW)

If youโ€™re just getting started, youโ€™ll need to install both RSLinx and Connected Components Workbench (CCW). RSLinx is installed automatically with CCW.ย  Do a search for Connected Components Workbench (CCW) Standard Edition.

Visit Rockwell’s site: https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx?crumb=112&refSoft=1&toggleState=&versions=57681

You will have to create an account and login to get access to the software.ย  The simply download the software:

  • IMPORTANT – if you are running Windows 10 or later (which you probably are), you will need to install .NET 3.5 or the install will not work. If you have issues installing .NET 3.5, then you may need a Windows 7 VM.
  • Run the .exe file (part 1) as an administrator to extract the .rar files (part 2)
  • Open the subdirectory that was created in part 9. It should contain a file named โ€œsetup.exe.โ€
  • Run โ€œsetup.exeโ€ as an administrator to install both RSLinx and CCW.
  • Unless you need one of the language packs (Chinese, Portuguese, French, Italian, German, or Spanish), I recommend installing the components/features which are selected by default.

Wiring the PLC

There are lots of ways to wire a PLC, and I have no idea which way is best for you. The method presented here is what I call โ€œPLC on a stick,โ€ which is exactly the way it sounds, except itโ€™s a rail and not a stick (but you can still use it to point at people).

Think of PLC on a stick as being analogous to a microcontroller experimenter board. It works really well for the cubicle experimenter or electronics enthusiast, not so well for those in need of a legit control panel.

Before routing wires, itโ€™s usually a good idea to put a little thought into the mechanical layout. I start with a piece of 35 mm DIN rail (say 12-18 inches) and then I find an arrangement that makes sense. For example:

Putting the power supply on the left makes sense to me because I like to visualize the input to the power supply on the left and the output on the right, but whatever works for you.

When I decide on a layout I start wiring stuff:

The terminal blocks provide a way to connect switches and indicators, but they arenโ€™t necessary:

Connecting to the Micro820 for the first time (via Ethernet)

Ethernet is probably the simplest of the two methods, since you need only an Ethernet cable. These instructions assume youโ€™re connecting to the Micro820 for the first time.

A new Micro820 will be configured for DHCP. This means all you have to do is ensure youโ€™re network adapter is also configured for DHCP and then open RSLinx. RSLinx should to the rest.

  • Power up the Micro820
  • Use an Ethernet cable to connect the Micro820 to you Windows machine
  • Open the โ€œNetwork Connectionsโ€ screen (Control Panel > Network and Sharing Center > Change adapter settings).
  • Right-click on the Ethernet adapter you used in step 2 and select โ€œProperties.โ€ (If youโ€™re not sure which adapter youโ€™re using, just unplug the Ethernet cable and plug it back in. The adapterโ€™s icon will change as you do so.)
  • In the โ€œLocal Area Connection Propertiesโ€ window, select โ€œInternet Protocol Version 4 (TCP/IPv4)โ€ and click โ€œProperties.โ€

  • Ensure โ€œObtain an IP address automaticallyโ€ is selected.

  • Click โ€œOKโ€ to close the โ€œInternet Protocol Version 4 (TCP/IPv4) Propertiesโ€ window.
  • Click โ€œCloseโ€ to close the โ€œLocal Area Connection Propertiesโ€ window.
  • To open RSLinx Classic Lite, hit the Windows key, type โ€œrslinx,โ€ and press the Enter key.
  • In the list on the left, expand the list item named โ€œAB_ETHIP-1, Ethernet.โ€

Read more