Ultra Intelligence & Communications

RSA 2017 Recap of the ICS Sandbox

February 21st, 2017 / By

The 2017 RSA Conference wrapped up this week in San Francisco and wow, what a show! The sheer size and scale of the event was absolutely jaw-dropping. It’s hard to find the words to do it justice. Organizers estimated that 40,000-50,000 people attended the show, and considering the size, RSA does a great job of organizing the event and providing an impressive experience overall.

Once again, RSA featured the “Sandbox,” an area dedicated to providing hands-on, interactive experiences for various emerging technologies. This year the Sandbox was located in the Marriott Marquis and featured IoT devices and the famous SANS Netwars in addition to Industrial Control Systems (ICS). This is the 3rd year running that the show has demonstrated the ICS Sandbox. Primarily organized by Tom VanNorman of Counterhack, the ICS Sandbox was a showcase of different industrial control technologies, interconnected in a typical ICS network configuration to help educate the world on OT cybersecurity.

I was honored to be involved with the ICS Sandbox this year, my first at RSA. Numerous sponsors contributed, including Ultra Electronics, 3eTI and others. This participation allowed the demo to showcase an array of industrial cybersecurity solutions on a live ICS network.

The Ultra Electronics, 3eTI CyberFence was deployed in two sections of the ICS network, providing inline protection and monitoring for two different zones as shown in this diagram. Its firewall and DPI enforcement were used to demonstrate access controls that monitor and validate traffic to and from the zone end devices, permitting only normal Modbus TCP and EtherNet/IP commands, with both protocols handled simultaneously. In addition, the new SPAN port feature was used to feed the network monitoring tools that were also on display.
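As an illustration of what "permitting only normal commands" means at the protocol level, here is an added example of a function-code and register allowlist for Modbus TCP requests. It is not code from the original post or from the CyberFence product, and it covers Modbus TCP only; the policy values, the helper names `build_adu` and `inspect_modbus_tcp`, and the sample frames are all assumptions constructed for the example.

```python
import struct

# Hypothetical zone policy; function codes and address range are assumptions.
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}      # read coils / inputs / registers
WRITE_RANGES = {0x06: range(100, 110)}     # Write Single Register: setpoints only


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a constructed Modbus/TCP frame: MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect_modbus_tcp(frame: bytes):
    """Return (allowed, reason) for one Modbus/TCP request frame."""
    if len(frame) < 8:
        return False, "truncated: no complete MBAP header and function code"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not 0 (Modbus)"
    # The MBAP length field counts the unit id plus the PDU after it.
    if length != len(frame) - 6:
        return False, "MBAP length does not match frame size"
    func = frame[7]
    if func in READ_FUNCS:
        return True, f"read function 0x{func:02x}"
    if func in WRITE_RANGES:
        if len(frame) != 12:  # header + func + 2-byte address + 2-byte value
            return False, "malformed write request"
        (addr,) = struct.unpack(">H", frame[8:10])
        if addr in WRITE_RANGES[func]:
            return True, f"write to permitted register {addr}"
        return False, f"write to register {addr} outside permitted range"
    return False, f"function 0x{func:02x} not on allowlist"


if __name__ == "__main__":
    # Constructed sample traffic (not captured from the Sandbox network).
    samples = [
        build_adu(1, 1, bytes.fromhex("030000000a")),   # read 10 holding registers
        build_adu(2, 1, bytes.fromhex("060069012c")),   # write register 105
        build_adu(3, 1, bytes.fromhex("0600000001")),   # write register 0
        build_adu(4, 1, bytes.fromhex("0800000000")),   # diagnostics function
        build_adu(5, 1, bytes.fromhex("030000000a"))[:-1],  # truncated frame
    ]
    for frame in samples:
        print(frame.hex(), inspect_modbus_tcp(frame))
```

The default-deny branch at the end is the important part: any function code the policy does not name is dropped, so the zone's end devices only ever see the reads and the narrow set of writes that normal operation needs.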

In addition to the live demonstrations on display in the Sandbox, there was a series of presentations given over the two days.

I co-presented the topic ‘IIoT Vulnerabilities, where do they lie?’ with Tom VanNorman. In this presentation, we first covered 2016 vulnerability metrics provided by ICS-CERT (which will be available to the public soon). We then proceeded with some live demonstrations showing simple concepts such as unauthorized commands, a man-in-the-middle attack and a malicious USB drive/keyboard crossing the air gap. We concluded with a proof of concept whereby we used Twitter as a C2 (command and control) server to issue malicious commands into the demo ICS via hashtags such as #KillPLC.

The compromised host was configured to look at both my and Tom’s Twitter accounts. When it observed a command, it would perform that task with very little delay. We reverse-engineered the command to stop the PLC CPU, which was tied to the #KillPLC hashtag. The controller used for this demonstration was wired to a closed-loop temperature control (heater) inside a 3D-printed water tower. For added effect, the water tower had a smoke generator inside it. We concluded with some general suggestions and basic steps to help protect these insecure-by-design systems we rely upon in our daily lives.

This was all the more poignant with new stories this week regarding a proof of concept of ransomware on ICS, a report on exposed cyber infrastructure and the conviction of an insider who attacked an ICS system.

The attendance for the ICS Sandbox was impressive over the 2.5 days; well over 1,000 people stopped by to interact and ask questions. The ICS Sandbox was also honored by a visit from Adi Shamir, who is one of three RSA founders.

The event concluded with College Day. Students from various educational institutions were invited to observe the Sandbox.

I urge anyone who didn’t attend RSA this year to plan for it in 2018. It was an educational and fascinating experience; you won’t be disappointed.