We're going to be going again. Welcome back. This is Brandon Rosario of Red Strategies. All right, how about that. So I'm going to try and do this without a microphone because that's the way I feel more comfortable. If you all can't hear me in the back, let me know. We're going to go.

Red Strategies is a threat replication company assessing our clients' physical and information security posture through the use of real world, real world threat actors. When an adversary has the capability of putting their hands on your cyber infrastructure, any previously established electronic roadblocks are removed. So if your physical security fails, your cyber security fails. What I've just described is what we call close access, and what somebody here might call physical penetration testing, physical red team. It's all the same thing, but it's always live and covert. We can't operate any other way, otherwise it doesn't work. We work with or without cyber support, but the way we work best is always enabling cyber, so we are a subset to cyber. I don't ever want to pretend that we're the big game in town. We're the secondary guy, a menu item on a cyber show, but I think as I go through this you'll see that we run a pretty good set.

The basic reason, and with a bunch of cyber people in here you probably know this, is that when you do a red team event you don't always get access to the client's network right away. They work remotely, they can't always get in that way, and so sometimes they get assumed access, notional access, and that just reaches around the defenses. They plug in and continue with their assessment, which has been fine for a lot of years. The trouble is, that's not the way the adversary does business, and CEOs and boards of directors are coming to that understanding. They go, "You know what, we paid you to go from your mom's basement to our cyber infrastructure. You didn't do that, so what's our return? Why don't you attack us here?" And that's where we've come in. So what we want to do, as I said: if you can put a cyber or physical operator, a close access operator, physically hands-on on cyber infrastructure, any previously established electronic roadblocks are removed. That's how we enable cyber.

We see an increase in physical vulnerabilities in the industrial control system world. A lot of it is in this IoT, in fact most of this is IoT, and I'm talking about power production, oil and gas, water treatment, transportation, you name it, it's all over the place. And they started innocently enough, they really did. I'm going to use an oil refinery as an example. I've never been to one, but that's a cool picture from the Internet. When we built our first one there weren't any computers. There were a bunch of men out there in hard hats, I mean they've been wearing hard hats for an eternity, turning wheels and moving oil from point A to point B. This is an unhackable system. Then computers come along and we put one computer in a central location, and this does a lot of great things: we increase efficiency, we reduce the amount of people we have to have in the field, which means we're reducing costs and accidents, profits go up, everybody's happy. It's unhackable for the most part. I mean probably a dozen dudes on the whole planet knew how to operate this thing. It was physically protected, it was in one location, it was unique. Everybody knew that Bob and Jane were the only two that were allowed to touch it, so it was, I'm going to say, unhackable.

Then we introduced the Internet, and this is great. I mean the Internet's awesome, I've got no problem with it, and we want to connect that to our standalone system over on our oil refinery. Well, now we are increasing the attack surface. You've heard "attack surface" already today. We increase the attack surface because for every ability that there is for a good data exchange at this oil refinery, there's also an ability for a bad data exchange. Finally we are introducing things, the Internet of Things, to our ICS, and this really dramatically increases our attack surface. So I said attack surface, other people have said attack surface, let me see if I can expound on that a little bit for you.

What we've done is we took that computer, that perfect situation, and it was air-gapped. I mean it was perfect. Then we introduced the Internet, but it still wasn't connected directly to our computer, so it was still air-gapped; there was no way to throw electrons in it and connect with it. Then we connect them and we've eliminated our air gap, so that security measure is gone. That's what I'm talking about with increasing our attack surface. It was never meant to be networked, ever, at any time. This is a very old standalone system, it speaks an old language, and it still today is doing its job really well. These ICS systems are not bad, but they're connected to all the cool hip kids on the outside, and they talk a different language, and when they try and mesh defenses with one another it doesn't work very well at all, and so our attack surface goes up.

Finally, the Industrial Internet of Things is what I've heard most recently. The consumer example is the refrigerator: it communicates through your home network to your phone and tells you that you're low on milk. The Industrial Internet of Things is taking dozens or hundreds of these same physical things and sending them all throughout our oil refinery example. When physical things in that refinery can go up in flames, they're not unique anymore. Remember the computer I told you about was unique, and so people protected it. Now all of a sudden there are hundreds of things out there that send and receive, which means an adversary can gain access to it. They send and receive, right? That's the whole point, they need to communicate. If they send and receive data, then an adversary also has the ability to upload bad mojo to that thing and affect the entire system. The way I see that is like an ecosystem, but it's not like a good ecosystem, a naturally occurring one that could go on for thousands of years and has lots of natural defenses and redundancy. In some cases this ecosystem is hurting and jerky and we're adding to it every day. Its defenses are not up, we don't understand it completely, and when we can violate it from the outside, certainly the inside becomes much more vulnerable.

I'd like to give you an example of the way a close access operator, so we're still talking about physical, I don't ever want to get away from that, a close access operator and a cyber operator work together, and work well together, in this scenario. It works like this. The target is to get into a secure campus area, after that building one, and then access building two. So we go to our cyber partners and we say, "Are you guys inside the network?" and they go, "Yes, sure we are." So here's some keywords, run those against the network. No problem, we get it back, and what we see is an Excel spreadsheet that is changed regularly, it's meant for security personnel, and it is not write protected. So we inject our names onto this spreadsheet and push it back into the machine and hope that it's there when we show up on site. Additionally, through some open source intelligence we find the badges that we think they're using at this place. It's a nice high-res image, thank goodness, and we're able to copy that image. We make our own badges before we ever leave the office, and so when we show up the next month we've got a fake badge that we present to the guard. He checks us against the roster and we're on it, and so we're inside.

Now we need to head to building one. It's a manufacturing facility, and we notice people coming in and out there using RFID cards. These predate the Internet of Things, but these days they're everywhere, you guys probably use them a lot, and they're an open communication. We're able to scan these and then clone them, and with the cloned card we're able to gain access to this building. We got a little lucky on this one and we hit 100% access: everything, manufacturing, all administration, and even something that they didn't tell us about, a critical components storage area that this badge let us into. So we very much hit a home run there. Now we leave that building and we need to get into the second building. This one proves to be a little bit more difficult, because as we walk up to the front door there's a security guard we didn't anticipate. This isn't the time where you turn and run, this is "How are you?" and let's see what happens. We hand our badges to this guy, he checks against the roster, and it happens to be the same roster that we'd manipulated thirty days earlier, and now we're inside. So we're pretty proud of ourselves, we've made it inside this place. The trouble is that the only room we have access to is the break room, because every other door is cipher locked, it's got those push-button locks on it. So after a Snickers bar and a Diet Coke we find somebody in the hallway and we social engineer that person, have them introduce us to someone inside the locked door. There's about five of them in there, and after about 15 minutes they're our friends. They log us into their air-gapped system, we get onto the box and inject simulated malware, and now with integrity we can go to our client and show access, electronic access, from point A to point B, because we enabled cyber.

So what I just described was a pretty good collaboration between the physical and cyber guys, and we do that every time we work together. It's a pretty chummy relationship, and I don't get why it doesn't exist in the corporate world on the defensive side. Everywhere we go I see lots of animosity. So if I were CEO for a day, this is the way things would work. I'd point to this CISO and I'd say all things information belong to you, and I might have to explain to the CISO two things. Information does not just reside on computer networks. It resides in people's heads and on whiteboards and on sticky notes and in file cabinets. We are not paperless; it does not just reside on networks. The other thing is, without information we don't have a company. Information is the lifeblood of the company, period, dot. Somebody later will say, and I really find that people say, that people are the lifeblood of the company, and I'm here to tell you they're not. I mean, I love people. My wife and I, we've got three beautiful people of our own, and I dig people. But if we run our company into the ground because we're not protecting the chemical makeup of our new paint or the barbecue sauce, or maybe we're a professional organization and we're not protecting our clients' data, then we don't have our company, and if you don't have a company then what's the use of people? We can't employ them. Information, that's what I tell my CISO. Then I say you have physical and cyber guys and you need to go forward and defend: one team, one fight, all the time. Information is the key.

I'd also like to say to all the CISOs that your cloud doesn't exist. Nobody keeps any information in clouds. I won't go into this cloud and that cloud and the other cloud, but we can't keep data up there. Our information is always kept, a hundred percent of the time, in physical locations, always, always, always, which means somebody's in charge of protecting that physical location, and I don't think the people that are in charge of that understand the magnitude of the data that's being stored. I just don't think they get it. Do they understand how important the air-conditioning units are to a server farm, or the backup generators, or the fuel source to make all that work, or the insider threat? Somebody might have legitimate access to the building but illegitimate access to the network, or all of the RFID cards that are less vulnerable inside our facility than outside of it. They're worried about parking lot violations and active shooter scenarios, and again, those are important things, but I just want those dealt with over here. My primary focus has got to be the information.

Don't do self assessments. I mean, don't we look at ourselves and go, "Are we doing a good job? Are we doing a bad job?" Well yeah, we do self assessments, and when you go home tonight I dare you to call your baby ugly. You can't beat yourself up, you are not capable of it. I don't think self assessments work. They're inherently flawed to succeed: we break our own arms patting our backs about what a good job we've done. Meanwhile we lost 500 billion dollars to corporate espionage last year. What kind of a job are we doing at information protection? It's terrible. Somebody just got breached just now, because we're doing a good job of self assessment. You need to bring in a third party that you trust, somebody with good credentials, to look at you on the physical and on the cyber side and absolutely beat you up, and then step back, very much like Barry said, and teach. We don't just kick people in the teeth and leave. We kick you in the teeth and we say, "All right, this is how we did it, this is how you could be better, and we'll be back in three months and we'll try it again." It's all about assessment.

So I want to give you an example of one that seemed to be going in the right direction. It's a military exercise called Millennium Challenge, and the gist is this: it's red, the bad guys, versus blue, the good guys, a very small force against the United States military. Like all good wars, they don't just start shooting bullets on the first day. There should be some dialogue and some pointing fingers and name-calling and some of that kind of stuff. So it starts: the blue forces, the American military, issue the red team their conditions of surrender. They're, "Oh no thanks, we're not surrendering." The blue team shuts off their communications a little bit at a time, and red said, "We have contingencies for that," and used riders and flashlights at the end of the runway to launch planes. There's a way to get around this stuff. However, remember I said you don't fire bullets on the first day? The guy that ran red in this exercise said, "We're going to attack on the first day, and we're not just going to attack a little bit, we're going to attack a lot": cruise missiles and small boat attacks into the harbors. At the end of the first day red winds up sinking 16 ships and killing 20,000 service members. Thank you. This is an exercise, so we're able to reset, pull back, and what should happen here, Barry, if you're still in the room, is education, right? We ought to be able to go, "What happened?" We get together, we talk about what we did right and what we did wrong, and so they move forward to the next day.

The next day, but it's day one of the war again, right, so the same kind of thing happens, except that all of the missiles get shot down this time. All of a sudden blue's defenses are up, and now all of red's communications, everything electronic, is dead. They're told by the magic exercise gods to move forces off of a beach so that blue forces can land. Let me make it pretty clear that all blue is doing there is cheating. They're gaming the system. It's a self assessment. They're not calling their baby ugly and not allowing this red team to do their job, and so you wind up with low morale. The end result for us is, guess what we've got right now: I don't want to use a statistic about who's been breached, but since the last time I said it somebody else just got breached. We're vulnerable, we're vulnerable to attack, to a breach at any moment, despite all these great efforts we're putting in.

All right, now we went from good to bad. This is going to go from bad to good. I can't afford not to use a football analogy. Why close access? Why the physical component? I told you it's sprinkled over stuff, it's everywhere around you. I still think we don't see it the same way that I see it. So the Chiefs are preparing to do battle on Sunday. It's Monday, they're at the practice facility, there's 11 men on the field and they're running their offense, and there's an assistant coach with a clipboard. It's their self-assessment, and the offense is running, just 11 guys, right, and it all looks good. The wide receiver ran a great route there, and the quarterback and the running back did a great sweep to the left, and the tight end and the wide receiver were down blocking. He's checking all these boxes, and he goes up to the head coach, the CEO, and he says, "Our team is running our offense perfectly, exactly as we've drawn it up. We are going to be great on Sunday." Hey, that's just malarkey, right? Because we have no idea what the defense is going to look like. Of course they don't do this. What they really do is the Chiefs have got a practice squad, and they emulate the adversary in a real world environment, and they practice all week long against it, so they are truly as ready as they can be when Sunday rolls around.

Our military's been doing red teaming, this physical part of red teaming, for decades. When was the last time American fighter pilots were engaged in meaningful air-to-air combat, meaning lots of planes flying? The answer is Vietnam, so more than 40 years ago was the last time we had lots of planes in the air doing a lot of air-to-air combat. Yet every year at Nellis Air Force Base, in an exercise called Red Flag, we spend millions of dollars and thousands of hours practicing and perfecting air-to-air combat. Why? Because we believe that our nation is best served when we have a strong Air Force, air superiority, defending our nation and our forces overseas. We know that against the adversary we do good, solid battle, and the reason why is that the Air Force, at the very back end of Vietnam, looked at their numbers and it just popped out at them. It's just really easy, and unfortunately it happened too late. They saw that if a fighter pilot was able to get 10 combat sorties in, they became dramatically more survivable, and so they get those sorties in in this controlled environment. It's still fighting, it's still flying, it's still dangerous, but we've eliminated life or death, right? They've eliminated bullets actually flying through the air, but everything else is real. Why don't we employ this very real, this very edge-of-your-seat kind of exercising inside corporate America? We're losing, we're losing right now. We've got to try something different.

What I'm advocating for is a holistic approach, a complete approach, so that we combine everything together and attack our clients, our blue forces, with a complete adversary and not just a portion of an adversary. Now I get that the physical force there is offensive to people, and I think we have to be that way. You have to scare somebody, you've got to make it personal. It's offensive to see somebody in your workspace, in your desk drawer. They got a hold of the magic beans, the secret recipe, they've got a hold of something that's very special to you and your company, or maybe just to you personally, and that makes you feel bad, and that's a hook. When you've got a hook you can do what Barry, if you're still in the room, educated us on: you can educate. Because in the end of all of this, what we should be doing on this red side is educating. I presume that kicking people in the teeth and just leaving them shouldn't be part of the game. We've got to kick them in the teeth, come up and say, "All right, this is what we did, this is how we did it, let's get better," and then we back off and let them fix themselves. We need to configure the human brain the same way that we do with computers. There's a lot of time and a lot of money spent configuring computers to make sure that they are running at an optimal defense. Are we spending the same amount of time and effort on the human brain? I don't think that we are.

All right, so these are my takeaways. This could be my last slide. These are all free, take pictures or write them down, and you'll find that they're not very complicated. Don't think that you need to spend money to get better at security, you just don't, and here's some proof positive. Security as a whole is a mindset, and we do that by training and showing people where they're horrible. Security as a whole is a mindset, and we could take that away. I really believe this. I think that security devices of all types, physical and electronic, are like a weight, or blankets, maybe they're like blankets over the top of us, and we're suffocating under them because they're protecting us: we don't have to do anything, we never have to look up above the blanket because it's all taken care of. That is crap, that is not the case. We're still getting breached, 500 billion dollars last year, somebody just got breached again just now, so the blankets aren't working. What I'm saying is get our heads up, put it on a swivel, figuratively and literally, and I think we can get rid of a lot of the extraneous crap that comes with Charlie's Angels security.

Information is the key to everything for a company. We've all got to focus in the same area. You can't beat yourself up. Find yourself a reputable third party to come in and beat you up for you. This is the way you get a real test: people are unsuspecting, that's the whole point, the employees don't know what's going on, it's in a live environment, and it's a great, great way to get a real understanding of your situation.

Finally, and absolutely the biggest one here, do not forsake your security for convenience. Every place we've ever been to, we've looked at their policies and procedures, and they're really pretty good. If they're followed, the policies and procedures can be damn good. But this is the problem: if somebody thinks that they're too big for their britches, "I don't think that I want to follow that policy, that procedure," so it's a boss, and the person below them says, "Well, she's not going to do it, so I'm not going to do it," and down and down and down, until what you've got is a group of apathetic folks regarding security, and then an adversary will just walk in the front door and get their hands on cyber infrastructure. As I said, hands on cyber infrastructure, and any previously established electronic roadblocks are removed, because if your physical security fails, your cyber security fails. I'm Brandon Rosario, the president and founder of Red Strategies, and that's my free advice. I appreciate you all.

All right everybody, thank you. Ready for your talk there?