ICS

Reposting a post from Manjunath Hiregange from GE Vernova (thanks Manjunath!).

Are you interested in learning more about industrial control system (ICS) security, but struggling to find practical training opportunities?

Look no further than GRFICS (Graphical Realism Framework for Industrial Control Simulations) – free and open-source framework.

๐–๐ข๐ญ๐ก ๐†๐‘๐…๐ˆ๐‚๐’, ๐ฒ๐จ๐ฎ ๐œ๐š๐ง ๐ฏ๐ข๐ซ๐ญ๐ฎ๐š๐ฅ๐ข๐ณ๐ž ๐ž๐ง๐ญ๐ข๐ซ๐ž ๐ˆ๐‚๐’ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค๐ฌ ๐š๐ง๐ ๐ฉ๐ซ๐š๐œ๐ญ๐ข๐œ๐ž ๐ž๐ฑ๐ฉ๐ฅ๐จ๐ข๐ญ๐ข๐ง๐  ๐ฏ๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ข๐ž๐ฌ ๐ฐ๐ก๐ข๐ฅ๐ž ๐ฌ๐ž๐ž๐ข๐ง๐  ๐ญ๐ก๐ž ๐ฉ๐ก๐ฒ๐ฌ๐ข๐œ๐š๐ฅ ๐ข๐ฆ๐ฉ๐š๐œ๐ญ ๐ข๐ง ๐š 3๐ƒ ๐ ๐š๐ฆ๐ž ๐ž๐ง๐ ๐ข๐ง๐ž.

The GRFICS framework is designed to virtualize entire ICS networks, including realistic ๐ฉ๐ก๐ฒ๐ฌ๐ข๐œ๐š๐ฅ ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ ๐ฌ๐ข๐ฆ๐ฎ๐ฅ๐š๐ญ๐ข๐จ๐ง๐ฌ. While the initial version of GRFICS virtualizes a chemical process control network with a flat, un-segmented network architecture, the framework is modular and can be customized and expanded to include other types of ICS networks.

Here is a link to the 5 VMs: https://github.com/Fortiphyd/GRFICSv2
5 VirtualBox VMs (๐š 3๐ƒ ๐ฌ๐ข๐ฆ๐ฎ๐ฅ๐š๐ญ๐ข๐จ๐ง, ๐š ๐ฌ๐จ๐Ÿ๐ญ ๐๐‹๐‚, ๐š๐ง ๐‡๐Œ๐ˆ, ๐š ๐ฉ๐Ÿ๐ฌ๐ž๐ง๐ฌ๐ž ๐Ÿ๐ข๐ซ๐ž๐ฐ๐š๐ฅ๐ฅ, ๐š๐ง๐ ๐š ๐ฐ๐จ๐ซ๐ค๐ฌ๐ญ๐š๐ญ๐ข๐จ๐ง) communicating with each other on host-only virtual networks.

A video series walking through VM setup and example attacks is available on the Fortiphyd YouTube channel at https://www.youtube.com/playlist?list=PL2RSrzaDx0R670yPlYPqM51guk3bQjFG5

Read more

Hello All. During the last ICS Cybersecurity course I taught some of my students asked me to post some details about configuring an Allen Bradley Micro820 PLC. We use the Micro820 for our labs as it is great name-brand, low-cost PLC with onboard ethernet.ย  Sells for around $400 (not including the power supply)

The Micro820 programmable logic controllers (PLC) includes a nano-sized footprint and is designed for small standalone machine control and remote automation applications that require flexible communications and I/O capabilities. These controllers support up to 36 I/O points with many embedded features such as Ethernet, microSD slot for recipe and data log, and analog I/O. Furthermore, all the software and documentation needed to configure the PLC as well as create some initial programs (e.g., ladder logic, structured text, and/or function blocks) is available for download off Rockwell’s website.

Rockwell Software (CCW)

If youโ€™re just getting started, youโ€™ll need to install both RSLinx and Connected Components Workbench (CCW). RSLinx is installed automatically with CCW.ย  Do a search for Connected Components Workbench (CCW) Standard Edition.

Visit Rockwell’s site: https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx?crumb=112&refSoft=1&toggleState=&versions=57681

You will have to create an account and login to get access to the software.ย  The simply download the software:

  • IMPORTANT – if you are running Windows 10 or later (which you probably are), you will need to install .NET 3.5 or the install will not work. If you have issues installing .NET 3.5, then you may need a Windows 7 VM.
  • Run the .exe file (part 1) as an administrator to extract the .rar files (part 2)
  • Open the subdirectory that was created in part 9. It should contain a file named โ€œsetup.exe.โ€
  • Run โ€œsetup.exeโ€ as an administrator to install both RSLinx and CCW.
  • Unless you need one of the language packs (Chinese, Portuguese, French, Italian, German, or Spanish), I recommend installing the components/features which are selected by default.

Wiring the PLC

There are lots of ways to wire a PLC, and I have no idea which way is best for you. The method presented here is what I call โ€œPLC on a stick,โ€ which is exactly the way it sounds, except itโ€™s a rail and not a stick (but you can still use it to point at people).

Think of PLC on a stick as being analogous to a microcontroller experimenter board. It works really well for the cubicle experimenter or electronics enthusiast, not so well for those in need of a legit control panel.

Before routing wires, itโ€™s usually a good idea to put a little thought into the mechanical layout. I start with a piece of 35 mm DIN rail (say 12-18 inches) and then I find an arrangement that makes sense. For example:

Putting the power supply on the left makes sense to me because I like to visualize the input to the power supply on the left and the output on the right, but whatever works for you.

When I decide on a layout I start wiring stuff:

The terminal blocks provide a way to connect switches and indicators, but they arenโ€™t necessary:

Connecting to the Micro820 for the first time (via Ethernet)

Ethernet is probably the simplest of the two methods, since you need only an Ethernet cable. These instructions assume youโ€™re connecting to the Micro820 for the first time.

A new Micro820 will be configured for DHCP. This means all you have to do is ensure youโ€™re network adapter is also configured for DHCP and then open RSLinx. RSLinx should to the rest.

  • Power up the Micro820
  • Use an Ethernet cable to connect the Micro820 to you Windows machine
  • Open the โ€œNetwork Connectionsโ€ screen (Control Panel > Network and Sharing Center > Change adapter settings).
  • Right-click on the Ethernet adapter you used in step 2 and select โ€œProperties.โ€ (If youโ€™re not sure which adapter youโ€™re using, just unplug the Ethernet cable and plug it back in. The adapterโ€™s icon will change as you do so.)
  • In the โ€œLocal Area Connection Propertiesโ€ window, select โ€œInternet Protocol Version 4 (TCP/IPv4)โ€ and click โ€œProperties.โ€

  • Ensure โ€œObtain an IP address automaticallyโ€ is selected.

  • Click โ€œOKโ€ to close the โ€œInternet Protocol Version 4 (TCP/IPv4) Propertiesโ€ window.
  • Click โ€œCloseโ€ to close the โ€œLocal Area Connection Propertiesโ€ window.
  • To open RSLinx Classic Lite, hit the Windows key, type โ€œrslinx,โ€ and press the Enter key.
  • In the list on the left, expand the list item named โ€œAB_ETHIP-1, Ethernet.โ€

Read more

Microsoft has released a new open-source security tool to close gaps in threat analysis for industrial control systems and help address increased nation-state attacks on critical infrastructure.

The new tool, called ICSpector, is built on an open-source framework that facilitates the examination of industrial programmable logic controllers – a set of hardware and software components that are used for managing and controlling different operations within an industrial environment.

While PLCs are integral to industrial control systems and are used in water and power grid systems, analyzing them poses challenges because of a lack of adequate threat detection tools and a dearth of expertise in the sector, according to Microsoft. OT analysis often involves sorting through sensitive data collected from sensors and controllers, Microsoft said.

“One of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with because the PLCs are actively operating vital industrial process,” Microsoft said

Microsoft said the new tool, which is available on GitHub, can detect malicious modifications, extract the timestamp of the changes made to a system, and provide an overview of the execution flow of tasks within the system, the company said.

“Currently, the system supports three OT protocols: Siemens S7Comm, which is compatible with the S7-300/400 series, Rockwell RSLogix, using the Common Industrial Protocol, and Codesys V3,” the company said.

ICSpector: Microsoft ICS Forensics Framework can be downloaded from Github at: https://github.com/microsoft/ics-forensics-tools

Read more