ICS410 2024 hide01.ir-unlocked.pdf

Full Transcript

ICS410 | ICS/SCADA SECURITY ESSENTIALS
GIAC Global Industrial Cyber Security Professional (GICSP)

410.1

ICS Overview.ir
01
de
hi

THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
© 2023 Justin Searle. All rights reserved to Justin Searle and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY
BEFORE USING ANY OF THE COURSEWARE (DEFINED BELOW) ASSOCIATED WITH THE SANS INSTITUTE COURSE.
THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND THE ESCAL INSTITUTE OF
ADVANCED TECHNOLOGIES, INC. /DBA SANS INSTITUTE (“SANS INSTITUTE”) FOR THE COURSEWARE. BY
ACCESSING THE COURSEWARE, USER AGREES TO BE BOUND BY THE TERMS OF THIS CLA.

With this CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the
terms of this agreement. Courseware means all printed materials, including course books and lab workbooks, slides or notes,
as well as any digital or other media, audio and video recordings, virtual machines, software, technology, or data sets
distributed by SANS Institute to User for use in the SANS Institute course associated with the Courseware. User agrees that
the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes
any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCESSING THE COURSEWARE, USER AGREES TO BE BOUND BY THE TERMS OF THIS CLA. USER FURTHER
AGREES THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT
INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION
(WITHOUT THE NECESSITY OF POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If User does not agree to the terms of this CLA, User should not access the Courseware. User may return the Courseware to
SANS Institute for a refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of
the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written
consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way,
shape, or form to any person or entity without the express written consent of SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable
from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this
Courseware..ir
SANS Institute may suspend and/or terminate User’s access to and require immediate return of any Courseware in connection
with any (i) material breaches or material violation of this CLA or general terms and conditions of use agreed to by User; (ii)
01

technical or security issues or problems caused by User that materially impact the business operations of SANS Institute or
other SANS Institute customers, or (iii) requests by law enforcement or government agencies.
de

SANS Institute acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in
this Courseware are the sole property of their respective trademark/registered/copyright owners, including:
hi

AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp,
Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini,
iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac,
Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina,
Safari, Siri, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and
iCloud are registered trademarks of Apple Inc.

PMP® and PMBOK® are registered trademarks of PMI.

SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission.

SIFT® is a registered trademark of Harbingers, LLC. Used with permission.

REMnux® is a registered trademark of Zeltser Security Crop. Used with permission.

VMware Workstation Pro®, VMWare Workstation Player®, VMWare Fusion®, and VMware Fusion Pro® are registered
trademarks of VMware, Inc. Used with permission.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

Courseware licensed to User under this Agreement may be subject to export laws and regulations of the United States of
America and other jurisdictions. User warrants he or she is not listed (i) on any sanction programs list maintained by the U.S.
Office of Foreign Assets Control within the U.S. Treasury Department (“OFAC”), or (ii) denied party list maintained by the U.S.
Bureau of Industry and Security within the U.S. Department of Commerce (“BIS”). User agrees to not allow access to any
Courseware to any person or entity in a U.S. embargoed country or in violation of a U.S. export control law or regulations.
User agrees to cooperate with SANS Institute as necessary for SANS Institute to comply with export requirements and
recordkeeping required by OFAC, BIS or other governmental agency.

All reference links are operational in the browser-based delivery of the electronic workbook.

ICS410_1_I01_02
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410.1

ICS Overview
ICS/SCADA SECURITY ESSENTIALS.ir
This area intentionally left blank.
01
de
hi

1
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 2

Table of Contents
Course Agenda 3
Lab 1.1: Learning from Peers 4
GICSP Overview 5
ICS Concepts 9
Controllers and Field Devices 21
Lab 1.2: Programming a PLC 33
Supervisory Levels 35
Lab 1.3: Programming an HMI 51
IT and OT Differences 53
Physical and Cybersecurity 62
Contacts and Resources 73.ir
This area intentionally left blank.
01
de
hi

2
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 Section 1: ICS Overview

Section 2: Architectures & Processes

Course Section 3: Communications & Protocols
Agenda Section 4: Supervisory Systems

Section 5: ICS Security Governance

Section 6: Capstone CTF.ir
This area intentionally left blank.
01
de
hi

3
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 Lab 1.1

Learning From Peers
If you still need to complete the Lab Setup Instructions to configure the ICS410 virtual machines on your laptop,
please do so now. This document was emailed to you in advance.
If your virtual machines are configured, please complete Lab 1.1 in your ICS410 Lab Workbook while you wait for
class to begin.

Refer to the lab workbook for instructions..ir
This area intentionally left blank.
01
de
hi

4
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 5

Course Roadmap Lab 1.1: Learning from Peers
GICSP Overview
Section 1: ICS Overview ICS Concepts
Controllers and Field Devices
Section 2: Architectures and Lab 1.2: Programming a PLC
Processes Supervisory Levels
Lab 1.3: Programming an HMI
Section 3: Communications and IT and OT Differences
Protocols Physical and Cybersecurity

Section 4: Supervisory Systems

Section 5: ICS Security
Governance

Section 6: Capstone CTF.ir
This area intentionally left blank.
01
de
hi

5
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 6

ICS410 and GICSP Goals

Goals of the ICS410 and the GICSP
− Bridge efforts of IT, OT, and cybersecurity professionals
− Focus on OT foundational knowledge
− Define architecture, design, management, risks, and controls
− Apply to a diverse set of OT industry sectors and applications

Global Industrial Cyber Security Professional (GICSP)
− Demonstrates a globally recognized level of competence
− Keep the operational environment safe, reliable, and resilient
− Achieve cybersecurity from ICS design through retirement
− Assure a level of security for critical infrastructure.ir
The ICS410 courseware has been developed to equip security professionals and control system engineers
with the knowledge and skills to safeguard our critical infrastructures. This course gives students the
01

essentials for conducting security work in industrial control system (ICS) environments. Students will
learn the language, the underlying theory, and the essential tools for ICS security in industrial settings
de

across a diverse set of industry sectors and applications. This course will introduce students to ICS and
provide the necessary information and learning to secure control systems while keeping the operational
hi

environment safe, reliable, and resilient.

6
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 7

History of ICS410 and GICSP

Original Steering Committee Original Objections Provided to SANS
− Shell − Architecture
− ABB − Assessments
− Configuration and Change Management
− Emerson
− Log Collection and Management
− British Petroleum
− Business Continuity
− KPMG
− Incident Management
− Wurldtech (now GE) − Information Risk and Security Management
− Chevron − Physical Security
− Saudi Aramco − Industrial Control Systems
− Invensys (now Schneider) − System Hardening
− Pacific Gas and Electric − Cybersecurity Essentials
− SANS-GIAC − Access Management
− Rockwell Automation.ir
This area intentionally left blank.
01
de
hi

7
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 8

GICSP Details
The Test
− 75 multiple-choice, 7 CyberLive items
− Open book, open notes, no electronics
− 3-hour exam, ~71% score is passing
− 2 practice tests included with the exam

Preparation
− Official ICS410 index file in DOCX format
− YouTube Playlist (https://ics410.org/giac-prep)

Scheduling
− Registration details emailed 7–10 days after end of course
− Must take within 120 days
− In person at Pearson VUE test centers or online with ProctorU

Maintenance
− Renewal fee every 4 years, includes latest copy of course books
− Retake test or spend CPEs.ir
For more information on GICSP certification, please visit:
01
https://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp
Test delivery is computer-based and proctored by Pearson VUE at over 3,400 global testing centers.
de

Certification is valid for 4 years; continuing professional education requirements are consistent with
hi

GIAC standards.
References:
https://www.giac.org/certifications/renewal
https://ics410.org/giac-prep

8
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 9

Course Roadmap Lab 1.1: Learning from Peers
GICSP Overview
Section 1: ICS Overview ICS Concepts
Controllers and Field Devices
Section 2: Architectures and Lab 1.2: Programming a PLC
Processes Supervisory Levels
Lab 1.3: Programming an HMI
Section 3: Communications and IT and OT Differences
Protocols Physical and Cybersecurity

Section 4: Supervisory Systems

Section 5: ICS Security
Governance

Section 6: Capstone CTF.ir
This area intentionally left blank.
01
de
hi

9
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 10

ICS Concepts

Control systems and their processes, professions, and industries.ir
This area intentionally left blank.
01
de
hi

10
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 11

What Is a Control System?

A device, or set of devices, that manages, commands, directs, or regulates the
behavior of other devices or systems
− A device that can influence the "real world"
− A system that bridges cyber-to-physical

Simple example: Thermostats in our homes
− Keep temperatures at desired temperatures
− Turn on/off furnace and air conditioners
− What can an attacker do if he gains control of this?

Industrial control systems (ICS)
− Exponentially larger
− More complex
− More dangerous.ir
Control systems are defined here as "a device, or set of devices, that manages, commands, directs, or
regulates the behavior of other devices or systems." This can take a variety of shapes, from a large
01

chemical processing plant to the system controlling your gas furnace at home. The system takes a set of
input data from its devices (such as a thermostat), performs logic on that data (the temperature is 70⁰F
de

when it should be 72⁰F), and activates components to affect that sensor data (I'll turn on the fireplace, so it
heats back up to 72⁰F).
hi

This is a gross simplification, but for example, what kind of logic is required to be energy efficient, so the
heat of the house isn't constantly bouncing between 72⁰F and 68⁰F as the furnace kicks on and off again?
Or, what if the temperature sensor fails and reports the room to be 0⁰F when it is really 78⁰F? What kind of
mechanisms are in place to handle this?
What happens if the thermostat is IP-based, and an attacker manages to fool the system into thinking it's
70⁰F when it's really 5⁰F?
Simply put, a control system gathers information and then performs a function based on established
parameters and/or information it received. ICS can vary in size and complexity based upon the process it
is responsible for monitoring and controlling. ICS can be found in very specific applications (e.g., found
on a small skid-mounted system) or manage something as large as a multiple-unit generation facility or oil
refinery.
By the end of this course, you'll be familiar with the concepts that drive these questions and the
mechanisms by which they are answered.
You will understand the common drivers for ICS technology: Reliability, efficiency, safety, and ease of
use.
Reference:
ISA-62443.01.01 definitions, https://std.iec.ch/glossary
11
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 12

Functional Roles of Control Systems

Dealing with Complexity

Simplify system to basic functions
All control systems and ICS map to
this basic model
Which systems/devices map to
these functional roles?
Which functions have inputs that
can be attacked?
A single malicious packet to the
controller....ir
The logic diagram shown displays typical inputs and outputs to the various control system components as
well as typical operations that are performed by the various components. Industrial control systems can
01

be very complex, so it is always best to first try mapping each system and device to its basic functional
role in the process. The diagram above shows these basic functional roles, and how they interact with
de

each other.
hi

Control systems can be very difficult and costly to replace and adjust. This is one of the reasons why
security in this space is lagging behind. Refreshing a control system is something done very rarely. It is
not unusual for a system to remain in place for 20+ years without many changes.
General size of points monitored or controlled:
Small: 1–2 Workstations, 1–2 Controllers, 0–599 points
Medium: 3–8 Workstations, 3–8 Controllers, 600–1,499 points
Large: 8+ Workstations, 8+ Controllers, 1,500+ points

12
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 13

Basic ICS Process Models
Discrete Processes
− Specified quantity of material moves as a unit between stations
− Each unit maintains its unique identity
− Robotic assembly can be characterized as discrete process control
− Picture: stamping license plates and metal components

Batch Process
− Specific quantities of raw materials are combined in specific ways
− Produce an intermediate or end result
− Production of food, beverages, and medicine are batch processes
− Picture: production of adhesives and glues

Continuous Processes
− Variables that are smooth and uninterrupted in time
− Production of fuels, chemicals, and plastics are continuous processes
− Picture: chlorine chemical and fuel production.ir
We will review the four main ICS process models (discrete, batch, continuous, and hybrid). These models
have general definitions and are the basic precept for the type of process to be instrumented, monitored,
01

and controlled by an ICS.
de
hi

13
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 14

ICS Hybrid Processes

Many ICS process are a combination of these basic types
− We call these hybrid processes
− Tend to be hierarchical
− Can have multiple controllers
− Often seen in manufacturing lines/cells

We usually defend at this level
− Most ICS processes are a collection of smaller processes
− Easiest to wrap security around collections of inter-dependent processes

Adding defenses inside of processes is difficult
− More likely to cause latency or jitter
− Can create additional failure points
− Can usually only be done when first purchased/created.ir
Hybrid systems are generally understood as reactive systems that intermix discrete and continuous
components. Hybrid control systems are typically found when continuous processes interact with or are
01

supervised by sequential machines. A hybrid process model allows the controller to optimize the process
based on many variables that may change the efficiency of the process at any given moment. Examples of
de

such systems include flexible manufacturing and chemical process control systems, interconnected power
systems, intelligent vehicle highway systems, and air traffic management systems.
hi

14
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 15

Purdue Enterprise Reference Architecture (PERA)

One of the first reference architectures for
industrial control networks
− 4: Business network (not a control network)
− 3: Plant-wide control network
− 2: Individual process/cell/line supervisory
− 1: Individual process/cell/line controllers
− 0: Individual process/cell/line sensors and
actuators

Original source for many later reference
architectures
− ISA-95
− ISA-99 which became ISA/IEC 62443
− ICS410 Reference Model.ir
The Purdue Enterprise Reference Architecture (PERA) was one of the first reference architectures for ICS
networks. It was designed by a public/private consortium made up of individuals from the industry and
01

Purdue University. This effort was led by Theodore J. Williams, a professor of chemical and electrical
engineering programs at Purdue. This model has become very popular for designing ICS networks and has
de

been adopted and expanded by later reference models.
hi

The Purdue model suggests dividing your systems into five different levels, numbered zero through four.
There will be separate groupings of level 0-2 for each process, manufacturing cell, or manufacturing line.
Level 0 is the lowest level, representing the physical process and containing the immediate sensors and
actuators that make up that grouping’s process. Level 1 contains the controllers for that grouping’s
process. Level 2 contains the local supervisory systems specific to each groupings process. Above the
process groupings will be a plant-wide or region-wide Level 3, which contains supervisory systems that
direct all process groupings for that site or that region. Level 3 also contains the operations support,
containing systems that support operations but that are not directly involved with the real-time execution
of the process. And finally, Level 4 represents the business side of the organization related to ICS. As we
will see later, the modern evolution of the Purdue model often contains a Level 5 that, while not shown
above, represents the enterprise support for all enterprise business units.
Image Source:
https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture

15
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 16

ISA/IEC 62443 Published and Proposed Standards.ir
Industrial Automation and Control Systems (IACS) is the ISA's preferred term for ICS.
01
Buying a PDF copy of all the published ISA/IEC 62443 standards can be a very expensive experience
with each selling for $200-350 for a single copy per person. However, by becoming a student member of
de

ISA for ~$10/yr. or a professional member of ISA for ~$130/yr., you can gain browser-only access to all
the ISA standards for free, including ISA/IED 62443. Once you pay your annual membership fee, visit
hi

the following link and search for "62443" to access the standards.
https://www.isa.org/standards-and-publications/isa-standards/member-access-to-standards/
Reference:
https://www.isa.org/isa99/

16
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 17

Roles Used Throughout the Course
Individual roles
− Process Engineer: Designs and optimizes
− Field Technician: Maintains and repairs
− Programmer: Writes control logic and other software
− Operator: Manages and controls process

Organizational roles
− Owner/Operators: Purchase and use the system
Bear primary responsibility for safe operation and meeting regulations
− Vendors: Manufacture equipment and software
ABB, Alstom, Areva, Emerson, GE, Hitachi, Honeywell, Mitsubishi, Rockwell Automation,
Schneider Electric, SEL, Siemens, Yokogawa, etc.
− Integrators: Design, configure, test, train, and refresh
Often provided by vendors or partners of vendors
− Government: Implement guidance and regulation
Primary goal is to safeguard the public good
Examples: NERC CIP, NIST, ENISA
In some instances, are owner/operators as well.ir
People are used to filling in parts of the process that cannot be automated. From a security perspective,
people provide an excellent attack surface. We will cover this deeper as the course continues. These
01

traditional roles must be empowered and equipped to integrate with information technology and
cybersecurity roles to tackle the challenges of complexity, change, and cyber threats.
de

Asset owner/operators use control systems as a part of their business. Owner/operators come in many
hi

shapes and sizes, from small mom-and-pop shops to large multinational corporations. Asset owners and
operators must work with vendors and integrators to design and build systems that are efficient and meet
government regulations. In recent years, security has become more prominent in the public eye and has
received increased scrutiny from government regulators. Asset owners and operators currently bear the
burden of making sure security is built into the systems they operate.
Vendors design and build the components used in control systems, such as Programmable Logic
Controllers (PLCs) and HMIs. Many vendors work with specific hardware platforms and often will certify
products to run on specific models, with specific configurations, and with firmware. Many vendors have
several different product lines and have millions upon millions of lines in their codebases.
Integrators have the job of selecting, creating, and configuring control systems: This can be a long and
arduous process involving many hours. Integrators also provide training and support, ongoing control,
integration, and automation collaboration, and handle legacy migration and replacement. Legacy
migration can take as much time as the rest of them.
The government is itself an asset owner/operator, as it uses a great number of control systems that do
everything from printing money to controlling weapons systems. The government is also responsible for
creating and enforcing regulations regarding the safe and continued operation of critical facilities.

17
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 18

Industries Reliant on ICS
Factory automation segments: Process industry segments:
− Aerospace and defense − Cement and glass
− Automotive − Chemical and petrochemical
− Electrical electronics and semiconductors − Food and beverage
− Machinery − Metals (production)
− Fabricated metals − Pharmaceuticals
− Furniture and wood products − Pulp and paper
− Plastics and rubber − Textiles
− Medical products − Waste and water

Energy industry segments: Service industry segments:
− Electric power − Retail
Generation − Wholesale
Transmission − Transportation
Distribution Trains and train yards
− Oil and gas Ships and ports
Exploration and production Aviation and airports
Pipeline − Logistics
Refining.ir
There are many types of industries that rely on ICS, including:
01
Factory automation segments: Aerospace and defense, automotive, electrical electronics and
semiconductors, machinery, fabricated metals, furniture and wood products, plastics and rubber, and
de

medical products.
Process industry segments: Cement and glass, chemical and petrochemical, food and beverage, metals
hi

(production), pharmaceuticals, pulp and paper, textiles, and waste and water.
Energy sector: Most nations describe an energy sector that includes all elements: Oil, gas, electricity,
and nuclear. Other nations break them into electric power and oil and gas. The European Union defines
energy sector with an exclusion of nuclear assets. The US has a very complex definition that combines
oil, gas, and electric but excludes commercial nuclear power plants and hydro facilities and dams.
Newer definitions are beginning to call out renewable energy technologies as its own subcategory in
Energy (e.g., wind farms, solar plants, etc.) Energy sector components are typically highly dependent
on other energy sector infrastructure components for the transportation of primary fuels (oil, gas, coal)
or for the transportation and storage of energy products being delivered to users. Oil and gas
infrastructures are highly dependent on global shipping infrastructure.
Service industry segments: Retail, wholesale (e.g., Walmart), transportation (trains, ships, airports,
etc.), and logistics.

18
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 19

Critical Infrastructure

Many ICS industries are often labeled as critical infrastructure
− Increased responsibility
− Increased regulation
− Also means you face nation-state actors...

Definitions vary around the world but include:
− Physical and electronic assets of infrastructure
− Communications that enable infrastructure
− Consequences that could impact public safety, economic security, and defense

European Union, India, and US definitions in notes.ir
European Union: "Critical infrastructure is an asset or system which is essential for the maintenance of
vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural
01

disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for
the security of the EU and the well-being of its citizens." The European Commission – Office of Home
de

Affairs further says: "The European Programme for Critical Infrastructure Protection (EPCIP) sets the
overall framework for activities aimed at improving the protection of critical infrastructure in Europe,
hi

across all EU States, and in all relevant sectors of economic activity. The threats to which the programme
aims to respond are not only confined to terrorism, but also include criminal activities, natural disasters,
and other causes of accidents. In short, it seeks to provide an all-hazards cross-sectoral approach. The
EPCIP is supported by regular exchanges of information between EU States in the frame of the CIP
Contact Points meetings."
The government of India has designated the National Critical Information Infrastructure Protection Centre
(NCIIPC) of the National Technical Research Organisation (NTRO) as the nodal agency.
The US Department of Homeland Security: "Critical infrastructure consists of the assets, systems, and
networks—whether physical or virtual—so vital to the United States that their incapacitation or
destruction would have a debilitating effect on security, national economic security, public health or
safety, or any combination thereof." This is further defined by Presidential Policy Directive 21 (PPD-21).
References:
https://www.dhs.gov/cisa/critical-infrastructure-sectors
https://ec.europa.eu/home-affairs/what-we-do/policies/counter-terrorism/protection_en
https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-
coordination/security-of-critical-infrastructure-act-2018
https://sso.agc.gov.sg/Acts-Supp/9-2018/Published/20180312?DocDate=20180312

19
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 20

Summary

Module takeaways
− The Purdue levels are incredibly important to memorize
Purdue Level 4: Business network (not a control network)
Purdue Level 3: Plant-wide control network
Purdue Level 2: Individual process/cell/line supervisory
Purdue Level 1: Individual process/cell/line controllers
Purdue Level 0: Individual process/cell/line sensors and actuators
− Overcome complexity by mapping components to function model
− Look for the cyber communication inputs
That is where attackers attack
That is where we need to place defenses.ir
This area intentionally left blank.
01
de
hi

20
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 21

Course Roadmap Lab 1.1: Learning from Peers
GICSP Overview
Section 1: ICS Overview ICS Concepts
Controllers and Field Devices
Section 2: Architectures and Lab 1.2: Programming a PLC
Processes Supervisory Levels
Lab 1.3: Programming an HMI
Section 3: Communications and IT and OT Differences
Protocols Physical and Cybersecurity

Section 4: Supervisory Systems

Section 5: ICS Security
Governance

Section 6: Capstone CTF.ir
This area intentionally left blank.
01
de
hi

21
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 22

Controllers and Field Devices

Controllers, the field devices they connect to, and everything in between.
Understanding processes and programming controllers..ir
This area intentionally left blank.
01
de
hi

22
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 23

DCS Controller

The Distributed Control System (DCS) was
introduced in 1975
− Pre-engineered complete solutions
− Cooperatively control complex processes within a
large site or plant
− Customizable using standards and templates
− Often leverages proprietary interconnects and
protocols

DCS is usually used in complex processes that
are common among many owner/operators
− Oil and gas
− Electricity generation
− Chemicals and pharmaceuticals
− Food and beverage
− Steel, cement, and paper production.ir
The DCS was introduced in 1975 and largely came about due to the increased availability of computers
and the proliferation of microprocessors in the world of process control. A typical DCS consists of
01

functionally and/or geographically distributed digital controllers.
de

A DCS typically uses custom-designed controllers, proprietary interconnection protocols, and
communication protocols. The DCS units are found in Purdue level 1 and can connect directly to physical
hi

equipment, such as switches, pumps, and valves in Purdue level 0, and to an HMI in Purdue level 2.
DCSs are dedicated systems typically used to control manufacturing processes that are continuous or
batch-oriented, such as oil refining, petrochemicals, central station power generation, fertilizers,
pharmaceuticals, food and beverage manufacturing, cement production, steelmaking, and papermaking.
DCSs are connected to sensors and actuators to control the flow of materials through the plant. Modern
DCSs also support neural networks and fuzzy applications.
DCSs are usually designed with redundant processors to enhance the reliability of the control system.
Most systems come with canned displays and configuration software that enables the end user to set up
the control system without a lot of low-level programming. This allows the user to better focus on the
application rather than the equipment, although a lot of system knowledge and skill is still required to
support the hardware and software as well as the applications.
Energy extraction, production, and delivery relies upon various types of ICS to extract, collect, transport,
and produce petroleum-based products. An oil refinery, for example, will use large-site DCS and specific
field control and SIS to monitor and manage individual units and stages in the process of refining
petroleum.

23
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 24

Programmable Logic Controller (PLC)

PLCs were created as a competing solution to DCS
− Increase flexibility and customization, decrease proprietary lock-in
− https://ics410.org/plc-vs-dcs
− Today, many vendors offer both DCS solutions and standalone PLCs

General-purpose controller for real-time mechanical processes
− Programmable by the engineer
− Resistant to physical stress
− Expandable I/O for customizable
sensors and actuators
− Deterministic logic, often built
using state machine models.ir
The picture shows an Allen-Bradley PLC. You can see the multiple modules that we'll discuss next.
01
As we discussed, the logic for running an automated process isn't present on the HMI. That's left up to the
PLC to do. PLCs are physically hardened real-time computers. That means a couple of things. First, these
de

components are tested against extreme physical conditions such as very high temperatures, very low
temperatures, physical vibrations, electromagnetic interference, or all of the above, plus more. This is one
hi

of the reasons the equipment is expensive relative to the processing capabilities. Second, a PLC has to
read inputs and respond by adjusting outputs directly. This process has to be real-time or unintended
behavior may occur, resulting in a problem or, in the worst case, personal injury. Considering ICS security,
an attack that causes a PLC to be unable to respond in real-time can be very effective. We'll go into more
detail on this later.
A PLC will take a given set of inputs that it uses to calculate what state to set its outputs in. Modular PLCs
have expansion modules to allow for more I/O connections. The processor in the PLC will scan through
the set of inputs (sometimes called an "I/O Image Table") and use the programmed logic to set the
necessary outputs.
A practical example: In a chemical process, a PLC may be used to automate the task of mixing chemical
batches. At one stage in the process, the PLC needs to pump two chemicals into a mixer. Sensors
indicating the tank level, temperature, or other sensors are used as inputs. Actuators (in this case, our
chemical pumps) are the outputs, which are turned on in order to pump chemicals into the mixing tank
until the inputs indicate the tank level is high enough.
For more information on how modern PLCs and DCS controllers differ, see:
https://ics410.org/plc-vs-dcs

24
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 25

Basics of Controller Logic

Variables (called tags) refer to inputs, outputs, internal states
− Setpoint (SP): desired state or input measurement to maintain
− Process Value (PV): controller input or sensor value
− Error (E): difference between SP and PV
− Manipulated Variable (MV): controller outputs or actuator value

Example of water faucet with both hot and cold water valves
− 2 setpoints: SP for temperature and SP for flow
− 2 sensors: PV for temperature and PV for current flow
− 2 actuators: MV for cold water valve and MV for hot water valve
− 2 error conditions: E for temperature and E for flow.ir
Control loop theory is used for calculating and controlling an environment or process based on feedback.
PID (Proportional, Integral, and Derivative) controller theory is used to optimize tuning. We'll use the
01

classic water faucet example:
de

An example control loop is used to control the water temperature from a faucet. The hot and cold faucet
valves are adjusted, and a person touches the water to measure the temperature. Based on the error, he
hi

continues to adjust it until the process settles on the desired value.

In control loop terms:
Process Variable (PV): Water temperature
Manipulated Variable (MV): Valve position for each faucet, two total
Setpoint (SP): The desired temperature (lukewarm, hot, cold, etc.)
Error (E): The temperature difference between PV and SP

The process seems simple at first, but a lot of room exists for tuning.

25
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 26

Measuring Error Conditions

Errors need to incorporate time for optimal performance
− Measure integral (duration of error) as PV changes
− Predict derivative (rate of change) as PV approaches SP

Proportional (size of error)

Integral (duration of error)

Derivative (rate of change).ir
This is a broad topic in itself, but we'll broach it here. The three parts to the PID algorithm:
01
Proportional Term: Proportional to the current error value. This is the part that most reflects change
based on error. If this is cranked up too high, there will be large adjustments in response to small errors.
de

The reverse is also true. Think of this as the current error. This contributes most of the output change
based on error.
hi

Integral Term: Duration of the error, not just how far off it is. Think of this as the historic error.
Derivative Term: Slope of error over time multiplied by the derivative gain. The point is to slow the
rate of change of output and to reduce the overshoot. Think of this as the future error.
Loop tuning is the discovery and experimentation of optimal parameters for a given loop. Manipulation of
the three terms and their weights is done to discover the ideal process control.
PID tuning is a non-trivial problem but results in important gains for a process. You don't want your home
furnace oscillating constantly between hot and cold. It would be much preferred if the furnace sat in a 1–
2-degree range constantly, at least while you are awake and at home. Further tuning exists in time slices:
Your house could let itself get colder while you are away at work and warm up when you are expected to
return.
Reference:
https://benrobotics.wordpress.com

26
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 27

Starting to Define Your Logic

Fuzzy logic cares about degrees of truth
− Truth value between 0 and 1 for various factors
− Fuzzy logic used to determine final logic
− Similar to pseudocode in IT

Consider the following cold/hot faucet logic:
− IF flow is too low (PV < SP),
THEN increase hot AND cold water valves
− IF flow is too high (PV > SP),
THEN decrease hot AND cold water valves
− IF temperature is too low (PV < SP)
THEN increase hot water valve AND decrease cold water valve
− IF temperature is too high (PV > SP),
THEN decrease hot water valve AND increase cold water valve.ir
Fuzzy logic is a term for taking logic statements and distilling them down in order to control machinery.
Fuzzy logic can also use linguistic variables for configuring a system.
01

The logic is easy for a person to read and identify what the system is supposed to do. These logic
de

statements are translated into fuzzy logic for mathematical evaluation.
In doing so, values may have a degree of truth that may be between 0 and 1, rather than simply true (1) or
hi

false (0). For instance, referring to the temperature of a room, the assessment of the statement, "The room
is too hot," might vary. If the expected temperature is 70⁰F and the current temperature is 71⁰F, that's a
small degree of truth for the statement, as opposed to the room temperature being 92⁰F, which is very true.

27
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 28

Programming Final Logic

PLCs use visual programming
methods
− Engineers are experts in many fields
− PLCs are one of many tools they use

IEC61131-3 defines five
programming
approaches for controllers:
− Ladder Logic Diagram (LL or LD)
− Function Block Diagram (FBD)
− Sequential Function Chart (SFC)
− Instruction List (IL) note: deprecated
in version 3
− Structured Text (ST or STX).ir
Since PLCs are general-purpose controllers, they can use several programming methods. Many of these
are highly visual and are borrowed from other professions. The IEC61131-3 standard recommends that
01

PLCs support the following programming methods:
de

Ladder Logic Diagram (LL or LD): This method comes from the electrical engineering profession and
is based on electrical relay logic diagrams. It is one of the most commonly used methods to program
hi

PLCs but is limited in the complexity it can represent.
Function Block Diagram (FBD): This method comes from the electronics engineering profession and is
based on boolean logic operators such as AND, OR, and XOR commonly found in diagrams describing
embedded circuit boards.
Sequential Function Chart (SFC): This method comes from the process automation world and uses
sequences of functions stringed together to create a flow of chained events. It can leverage multiple
decision points to form complex branches of events for execution.
Structured Text (ST or STX): This method comes from the computer programming profession and is
the same method used by IT to program software and firmware for computer systems. In PLCs, the
language used is often based on C or similar. Many non-PLC controllers are programmed this way by
the vendor and do not let engineers change the logic and only allow engineers to modify the
configurations and calibrations.
Instruction List (IL): This method also comes from the computer programming profession and
leverages a lower-level language similar to assembly. This method has been deprecated from version 3
of IEC 61131 and is not considered a type of ST.

Each PLC will have different options based on the programming software provided by the PLC’s vendor.
Some vendors support all five methods, while others only support one or two.

28
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 29

Field Devices

Controllers are wired to various instrumented devices
− Sensors: Temperature, humidity, vibration, sound, pressure, etc.
− Actuators: Valves, solenoids, pumps, agitators, burners, compressors, etc.

Communication to these devices is referred to as I/O (input/output)
− Basic I/O: Single digital or analog lines
− Smart I/O: Fieldbus protocols over specialized networks

Lines can blur between controllers and field devices
− Smart sensors and actuators have built-in logic
− They may have their own basic field device below them.ir
Instrumented devices are all of the devices that are ultimately responsible for monitoring, measuring, or
controlling the bits and pieces of an industrial system or process.
01

Sensors can be important pieces of a control system. Many ICS configurations will either directly control
de

these types of environmental qualities or otherwise depend on them being at a certain level.
An HVAC, for example, exists to control the temperature, humidity, and other factors for a given spatial
hi

area. Having a sensor network collecting data and making it available to the controller is needed to
complete that task.
Other types of ICS may depend on an environmental factor being at a certain level. For example, a
chemical process may require a room temperature between 60⁰F and 70⁰F. The HVAC (a separate control
system) is responsible for controlling that temperature, but the chemical process also requires sensors to
identify if the proper conditions for execution are met.
Among the actuators, these devices could be valves, switches, level monitors, pumps, compressors, levers,
pressure sensors, thermocouples, etc. Communication with a hardware device is generally referred to as
I/O. The I/O could be digital or analog, and its physical connectivity could be one of many options—we'll
discuss this in a few minutes.

29
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 30

Basic I/O

Basic Discrete (digital) I/O
− Voltage present or not present on a wire
− Sensors: Switches, object positioning, state, etc...
− Actuators: Alarms, stepper motors, relays, pumps, lights, etc...
− Represented in logic as single binary bit (0/1) or Boolean values (True/False)

Basic Analog I/O
− Value is a range of voltage (0–5 V, 0–24 V) or current (4–20 mA) of a signal
− Sensors: dials, temperature, pressure, flow, speed, etc...
− Actuators: valves, variable speed motors, mixers, burners, etc...
− Represented in logic as 8/16/32/64-bit integers (410) or floating points (4.10).ir
Digital I/O is an input or output where the specified value is communicated as simple on-or-off signals.
Common examples of digital I/O include relays, switches, and status reporting.
01

Analog I/O is an input or output where the specified value is communicated by varying the voltage or
de

current of a signal. Common examples of analog I/O include temperature, pressure, flow, or speed
measurements.
hi

30
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 31

Smart I/O with Fieldbus Protocols

Sometimes our controllers are connected to other controllers, or to smart sensors and
actuators
− Smart I/O is often performed through protocols classified as fieldbus
− Fieldbus protocols like HART can use traditional 4-20mA analog lines
− Most fieldbus protocols use standard or proprietary serial buses

The RS standards are very common, now maintained by TIA
− TIA-232: Point-to-point serial for 2 devices/systems
− TIA-422: Multi-device bus, with single transmitter device/system
− TIA-485: Multi-device bus, with multiple transmitter devices/systems

Modern fieldbus protocols can also be
− Directly on top of Ethernet
− Integrated into TCP/IP
− Fieldbus protocols will be discussed in more detail later in the course.ir
References:
01
HART Protocol – https://en.wikipedia.org/wiki/Highway_Addressable_Remote_Transducer_Protocol
TIA – https://en.wikipedia.org/wiki/Telecommunications_Industry_Association
de

TIA-232 – https://en.wikipedia.org/wiki/RS-232
TIA-422 – https://en.wikipedia.org/wiki/RS-422
hi

TIA-485 – https://en.wikipedia.org/wiki/RS-485

31
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 32

Smart Field Devices

Smart field devices have various names
− Intelligent Electronic Devices (IED)
− Industrial Internet of Things (IIoT)

Examples
− Digital protective relay (DPR)
− Phasor measurement unit (PMU)
− Smart meters

Smart field devices compared to controllers
− More limited purpose and function
− Usually microcontroller-based
− Contains its own control logic that cannot be changed.ir
Smart field devices (also known as IEDs or IIoTs in some industries) are special field devices that are
primarily used in the electric power industry. They usually are limited in their purpose or function, unlike
01

the general-purpose PLCs and RTUs. Smart field devices contain their own control logic and are usually
microcontroller-based. Examples from the electric power industry include digital protective relays (DRPs)
de

and phasor measurement units (PMUs).
hi

A digital protective relay (DPR) is a device containing a microcontroller with the specific purpose of
measuring voltages and currents to determine whether a fault in the system exists. A DPR is an example of
an IED, which is any end device that has that kind of capability. RTUs may be configured to communicate
with end devices to collect status information for reporting back to the supervisory system.
Synchrophasors measure voltages and currents at principal intersecting locations (critical substations) on a
power grid and can output accurately timestamped voltage and current phasors. Because these phasors are
truly synchronized, a synchronized comparison of two quantities is possible in real-time. These
comparisons can be used to assess system conditions, such as frequency changes, MWs, MVARs, kVolts,
etc. The monitored points are preselected through various studies to make extremely accurate phase angle
measurements to indicate shifts in the system (grid) stability. In North America, the phasor data is
collected either on-site or at centralized locations using Phasor Data Concentrator technologies. The data
is then transmitted to a regional monitoring system that is maintained by the local independent system
operator (ISO). These ISOs will monitor phasor data from individual PMUs or from as many as 150
PMUs—this monitoring provides an accurate means of establishing controls for power flow from multiple
energy generation sources (nuclear, coal, wind, etc.).
Industrial Internet of Things (IIoT) is more of a marketing term than a concrete category of devices. But
some common features usually (but not always) seen in products labeled IIoT are a large number of
simple devices, usually relatively inexpensive, often using wireless communications, and probably
controlled centrally from a management server or cloud solution. An example of IIoT devices in the
Electricity sector are Smart Meters.
32
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 Lab 1.2

Programming a PLC
Using your ICS410 Windows 10 Enterprise VM, we will be programming our Velocio Ace 11 PLC
to control a chemical mixing process.

Refer to the lab workbook for instructions..ir
This area intentionally left blank.
01
de
hi

33
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 34

Summary

Module takeaways
− There are many types of controllers, not always clearly defined
DCSs are custom designed for a plant
PLCs, can be programmed and reprogrammed with different process logic by the engineer
Smart field devices can also be considered controllers, but not reprogrammable
IIoT and IED are types of smart field devices
− Controllers talk to field devices via basic I/O or fieldbus protocols
Sensors allow controllers to measure elements of the process
Actuators provide a means for controllers to change the process
When controllers receive input and make decisions is often critical.ir
This area intentionally left blank.
01
de
hi

34
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 35

Course Roadmap Lab 1.1: Learning from Peers
GICSP Overview
Section 1: ICS Overview ICS Concepts
Controllers and Field Devices
Section 2: Architectures and Lab 1.2: Programming a PLC
Processes Supervisory Levels
Lab 1.3: Programming an HMI
Section 3: Communications and IT and OT Differences
Protocols Physical and Cybersecurity

Section 4: Supervisory Systems

Section 5: ICS Security
Governance

Section 6: Capstone CTF.ir
This area intentionally left blank.
01
de
hi

35
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 36

Supervisory Levels

Supervisory via HMIs, Historians, and Alarm Servers
Specialized applications for special purposes
Management servers provide control system management.ir
This area intentionally left blank.
01
de
hi

36
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 37

Supervisory Systems at Level 2 and 3

Several different systems can be used to monitor and control the ICS processes.
− Human Machine Interfaces (HMIs)
− Historians
− Alarm Servers
− Engineering Workstations

These supervisor systems may exist in both Purdue Levels 2 and 3.
− Purdue Level 2 for supervisory systems for each process, manufacturing line, or
manufacturing cell
− Purdue Level 3 for plant-wide or regional-wide supervisory.ir
This area intentionally left blank.
01
de
hi

37
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 38

Human Machine Interfaces (HMIs)

Presents process data to human
operator
− Visual model created by integrator
− Displays alerts for operators
− Manual control of the process
Despite the seeming importance,
this is an optional component
− Control systems can be designed
without HMIs
− Some control systems can function
for limited amounts of time
− Can be a great defense to
disconnect compromised HMIs
− Disconnection can impact safety
and reliability if Engineer doesn't
design the system for this.ir
The Human Machine Interface is what most people think of first when considering a control system (much
like your grandmother who brings her flat-screen monitor in to get a virus removed and leaves the tower at
01

home). This is the GUI for the process, and yes, most of them look that old (it's a recurring theme you'll
see throughout the class).
de

The HMI is usually organized as a model diagram of the process. If you are looking at a chemical system,
hi

the screen is going to contain pump icons, tanks and levels, flow indicators, and agitator indicators to let
the operator know what's happening with the process. This diagram was created by the process integrator
or operator when the system was being assembled.
Additionally, an HMI is responsible for displaying important information to the operator. If a chemical
tank is about to overflow, for example, the operator probably knew about that immediately (in addition to
the system exacting safety logic and automatically shutting down pumps).
By the description, one would think the HMI is a primary component of a control system, but that's not
necessarily true. The HMI is an optional component that just makes things easier. We'll discuss where
later, but the logic for the automated process itself (such as which pumps to turn on when, how long to
mix the chemicals, etc.) is located elsewhere in other components. The HMI exists to collect data from
other components and display it to the operator. This way, if the HMI fails, the process can continue.
What the HMI may be indispensable for, however, is for manual control of the process. Manual controls
may exist on individual components, but it is not uncommon for ICSs to be very large or to have
components in remote locations that make actually visiting the devices problematic.
Reference:
https://www.aveva.com/en/solutions/operations/wonderware/

38
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 39

Historians

Servers that store event logs and history of controller tag values
− Useful for engineers to troubleshoot and optimize processes
− Could have traditional GUIs, web interfaces, and API access
− Underlying technology can be based on
No-SQL databases
Graphing databases
Relational database (SQL)
Basic file servers and almost anything else you can imagine

Business often needs access to historian data for financial purposes
− A significant driver of connectivity between the business and control networks
− Businesses use data for billing, sales, regulation, metrics, etc.….ir
Most of the vendors that create controllers also offer their own historians. These historians can be based
on a large number of different underlying technologies, so don't make assumptions here. In complex
01

control systems like the electric grid, higher-level aggregate historians are used to gather all the
information from lower-level historians and systems. Of these higher-level historians, PI Historian, from
de

OSI Soft, is one of the most popular.
hi

Data in a historian can usually be displayed and analyzed through a GUI, web interface, or set of APIs.
The data in the historian may be displayed as a simple, time-ordered log or as a trend graph.

39
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 40

Alarm Servers

An alarm informs operators of an abnormal event or condition
Alarms may be visual, audible, or digital
Annunciator panels aid in locating problem.ir
An alarm is how an operator is informed of any event or condition that must be brought to their attention.
Alarms might be communicated to an operator with an audible noise or by a visual indication on either an
01

HMI or a dedicated annunciator panel.
de

In most ICS environments, alarms will occur regularly and could indicate something that is a significant
error, or they could simply indicate that something has a small issue or has been disabled for maintenance.
hi

Most ICSs will categorize and prioritize alarms so that operators can easily tell which alarms should be
reviewed first.

40
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 41

Engineering / Operator / Technician Workstations

Workstations and/or laptops with software for
the specific job function

Engineering workstations are the largest target
− Primarily used for making changes
− Often have greater access to ICS than operator or
technician workstations

Workstations often contain
− Device management software
− Project files for those devices
− Runtime libraries that software uses.ir
An engineering workstation is a computer used to make changes or perform maintenance on industrial
control systems. The engineering workstation is usually dedicated to the task; however, it could also be
01

used as an operator workstation.
de

In many environments, due to the tasks that must be performed (reconfiguration of ICS as opposed to
monitor and control), the engineering workstation may have greater application or network rights than
hi

other devices in an ICS network. It's imperative that the engineering workstation be protected equally to
other ICS assets on a control network.
"The engineering workstation is usually a high-end very reliable computing platform designed for
configuration, maintenance and diagnostics of the control system applications and other control system
equipment. The system is usually made up of redundant hard disk drives, high speed network interface,
reliable CPUs, performance graphics hardware, and applications that provide configuration and
monitoring tools to perform control system application development, compilation and distribution of
system modifications." – US DHS ICS-CERT

41
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 42

Project Files

Project files contain
− Details of control system
− Network architectures
− Configurations
− Logic and parameters
− Tag to I/O associations

These are major targets for attackers
− Example: It is believed Stuxnet was created from
Iranian project files.ir
Telvent, which is owned by Schneider Electric, told customers in a letter that on September 10, it learned
of the breach into its network. The attackers installed malicious software on the network and also accessed
01

project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the
breach.
de

References:
hi

https://www.wired.com/2012/09/scada-vendor-telvent-hacked/
https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-
telvent/

42
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 43

Management Servers

Most large and complex ICSes are systems of systems
− Management server monitoring and controller lower controllers
− Usually sit in Purdue Level 3

Each industry has specialized names for these systems
− Manufacturing: Manufacturing Execution System (MES)
− Electricity industry: Energy Management System (EMS)
− Building Automation: Building Management System (BMS)
− Train Control & Management System (TCMS)
− Turbine Control Systems (TCS).ir
An energy management system (EMS) is a computer-based system used to monitor, control, and optimize
the performance of the generation, transmission, and distribution systems. Energy management systems
01

are also often commonly used by individual commercial entities to monitor, measure, and control their
electrical building loads. Energy management systems can be used to centrally control devices like HVAC
de

units and lighting systems across multiple locations, such as retail, grocery, and restaurant sites. Energy
management systems can also provide metering, submetering, and monitoring functions that allow the
hi

facility and building managers to gather data and insight that allows them to make more informed
decisions about energy activities across their sites.
A Building Management System (BMS) is a computer-based control system installed in buildings. It
controls and monitors the building's mechanical and electrical equipment, such as ventilation, lighting,
power systems, fire systems, and security systems. A BMS consists of software and hardware. The
software program can be proprietary using such protocols as C-bus, Profibus, and so on. Vendors are also
producing BMSs that integrate using internet protocols and open standards such as DeviceNet, SOAP,
XML, BACnet, LonWorks, and Modbus.
Building Management Systems are most commonly implemented in large projects with extensive
mechanical, electrical, and plumbing systems. Systems linked to a BMS typically represent 40% of a
building's energy usage; if lighting is included, this number approaches 70%. BMSs are a critical
component to managing energy demand. Improperly configured BMSs are believed to account for 20% of
building energy usage, or approximately 8% of total energy usage in the US.
In addition to controlling the building's internal environment, BMSs are sometimes linked to access
control (turnstiles and access doors controlling who is allowed access and egress to the building) or other
security systems, such as closed-circuit television (CCTV) and motion detectors. Fire alarm systems and
elevators are also sometimes linked to a BMS for monitoring. In case a fire is detected, then only the fire
alarm panel could shut off dampers in the ventilation system to stop smoke spreading and send all the
elevators to the ground floor and park them to prevent people from using them in the event of a fire.
43
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 44

Analytic Applications

Many ICS industries generate analytics from process datasets
− Some sold as a commercial solution by various vendors
− Some custom created in-house

Example: Contingency analysis applications
− Identify potentially harmful parts of the process
− Monitor events, thresholds, configurations
− Take actions such as tripping breakers, opening/closing valves, and sounding alarms
− Example: State estimators in power industry.ir
Contingency analysis is the process where potentially harmful events, thresholds, or configurations are
identified so that contingent actions may be taken if the criteria are met.
01

Actions that may be taken could include:
de

Tripping breakers
Opening/closing valves
hi

Sounding alarms

44
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 45

Putting It All Together

Purdue
Level 3

Purdue
Level 2

Purdue
Level 1

Purdue
Level 0.ir
NIST definition: DCSs are used to control industrial processes such as electric power generation, oil
refineries, water, and wastewater treatment, as well as chemical, food, and automotive production. DCSs
01

are integrated as a control architecture containing a supervisory level of control overseeing multiple,
integrated subsystems that are responsible for controlling the details of a localized process. Product and
de

process control are usually achieved by deploying feedback or feed-forward control loops whereby key
product and/or process conditions are automatically maintained around a desired setpoint.
hi

To accomplish the desired product and/or process tolerance around a specified setpoint, specific PLCs are
employed in the field and proportional, integral, and/or derivative settings on the PLC are tuned to provide
the desired tolerance as well as the rate of self-correction during process upsets. DCSs are used
extensively in process-based industries.
The slide shows example DCS architecture and components. Note the logical groupings of field-level
components, supervisory-level components, and corporate or business devices.
Image Source: NIST SP800-82
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

45
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 46

Site SCADA vs. Regional SCADA

SCADA is a term that varies in use between different ICS industries
− Site SCADA: Manufacturing industries often use the term for their site-wide
supervisory systems that sit in Purdue level 3
− Regional SCADA: Electricity, oil, gas, and water industries use the term for regional
supervisory and control that typically span large geographic distances
− The same vendors often sell the same solutions to both groups

Standard features of both Site SCADA and Regional SCADA
− SCADA technologies are usually TCP/IP based
− SCADA solutions tend to be more vendor neutral with standardized protocols
− Both are usually considered Purdue level 3.ir
Regional SCADA systems historically distinguish themselves from other ICSs by being large-scale
processes that can include multiple sites and large distances. These processes include industrial,
01

infrastructure, and facility-based processes, as described below:
de

Industrial processes include those of manufacturing, production, power generation, fabrication, and
refining, and may run in continuous, batch, repetitive, or discrete modes.
hi

Infrastructure processes may be public or private and include water treatment and distribution,
wastewater collection and treatment, oil and gas pipelines, electrical power transmission and
distribution, wind farms, civil defense siren systems, and large communication systems.

46
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 47

Example of Regional SCADA Scalability

Midcontinent Independent System Operator, Inc. (MISO)
− Non-profit, member-based organization
− Administer wholesale electricity markets
− Does not own any generation, transmission, or distribution assets
− Reliability Coordinator for their members
− Provides wide-area reliability over their region

MISO coordinates electric utilities
− 15 states and 1 Canadian province
− Serving 45 million customers
− 190 GW of generation
− 68,000 miles of transmission lines
− 296,915 SCADA data points.ir
The Midcontinent Independent System Operator, Inc. (MISO) is a not-for-profit, member-based
organization administering wholesale electricity markets that provide their customers with valued service,
01

reliable, cost-effective systems and operations, dependable and transparent prices, open access to markets,
and planning for long-term efficiency. From a Bulk Electric System perspective, MISO does not own any
de

generation, transmission, or distribution assets. MISO acts as the Reliability Coordinator for their
members and provides the wide-area reliability view over their region. To perform this task MISO has
hi

connectivity and receives real-time data points from member electric system networks. This data is used
in contingency analysis, state estimation, simulation studies, outage scheduling, and transmission planning
activities. Communications from member companies to MISO typically occur over ICCP Inter-Control
Center Communications Protocol, which will be discussed later in the course.
References:
https://www.misoenergy.org
https://www.misoenergy.org/markets-and-operations/real-time--market-data/real-time-displays

47
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 48

Remote Terminal Unit (RTU)

Embedded devices that pass data
between the management server
(MTU) and field devices, acting as a
− Router: passing TCP/IP traffic
− Gateway: converting protocols
− Controller: managing local processes

RTUs different from PLCs in some
ways
− Usually only found in Regional SCADA
− Runs more simplistic logic than PLCs
− Differences are decreasing each day.ir
Above is an image of a remote terminal unit (RTU). RTUs come in a variety of sizes and capabilities.
Most RTUs are cabinet mounted with hardwired points to interface with field devices.
01

An RTU is installed to report local system information and otherwise communicate with the upstream
de

supervisory system. In a Distributed Control System, you may have many separate automated process
areas. For example, a typical power company will have a central supervisory system where operators sit
hi

on an HMI and each substation will be connected to the central system by utilizing RTUs. RTUs need to
communicate with the central system and potentially with Intelligent Electronic Devices (IEDs). This
communication is typically done via serial (RS-232 or RS-485), fiber, or wireless comms like cellular
networks. Communications are covered in more detail in another module.
Like a PLC, an RTU has an array of input/output connections. These could be digital inputs (like a sensor
detecting the closed/open state of a container), analog inputs (such as temperature data), or digital outputs
(like an electric relay).
Though generally "dumber" than a PLC, RTUs usually run simple autonomous programs to provide
redundancy and safety. For example, an RTU at a power substation will have logic to change the behavior
when a technician is working on a particular line and has manually disabled a line. This prevents someone
at the operator console from closing a relay while technicians are performing maintenance, thus avoiding
injury.
RTUs are more suitable for large geographical areas. They utilize wireless communications (e.g., cellular
networks) to communicate back to the supervisory system. PLCs are generally more suited for a local
control system that exists all in one location and uses physical media for communications. More recently,
however, the line has been blurring. The extreme drop in microcontroller prices has caused the two
devices to share more and more qualities.
Image Source: goo.gl/DeuMkv

48
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 49

Regional SCADA Connectivity.ir
Regional SCADA can span large geographic areas. RTUs may send telemetry data over various
communication channels, including cellular, telephone/modem, microwave, serial, Ethernet, or other radio
01

communications. These communications may have to travel over many miles (such as equipment on an oil
pipeline, disparate power substations, or ocean drilling operations). This communication may be disrupted
de

or sporadic. If you wish to communicate with a field device that uses a modem to dial into the main
system, for instance, you may have to wait for it to initiate the communications, resulting in limited
hi

windows of opportunity, or you may consider implementing a modem with call back or dial back security
features that allow for initiated requests and some security benefits. Weather may also affect
communication ability, causing temporary disruption or a long-term outage requiring a technician to travel
out to the equipment site.
Image Source: NIST SP800-82
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

49
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 50

Timing/Cycles and System Size

Describing a specific control system at a high level can be misleading.
− Most are a system of systems with multiple levels of control
− Each layer has different expectations for data updates
− Knowing this information can help you determine appropriate security controls

ICS Component Common Tag Update Rates
Regional SCADA 1 second to 1 minute
Site SCADA 50ms to 1 second
Controllers 1ms to 50ms
Field Devices sub-1ms.ir
It is difficult to compare and generalize industrial systems, but we can consider key attributes such as the
timing cycle, scan rate, or SCADA polling rate that is acceptable or the number of components or I/O
01

points to provide a general description. Systems will be configured to collect a signal at some scan/polling
rate; the system could store the results of every scan/poll and perform necessary calculations and monitor
de

state, value, and/or trends. For example, a control engineer will select an appropriate sampling rate for a
control loop to give proper control.
hi

Timing/cycles describe the control system application and give someone an immediate idea of what type
of process is being monitored and controlled. Regional SCADA systems describe control systems that
span over wide geographic areas. SCADA systems need to acquire data by having the RTUs or PLCs scan
or poll the connected field inputs of wide-area networks. The data collected is completed during an
acceptable time cycle and can be configured based on the number of points, the amount of data, and the
communication rates available across channels. The SCADA engineer will select an appropriate polling
rate for the system. It is very common for electric power SCADA systems to select a 1- to 3-second
polling rate.
Distributed Control Systems (DCS) can cover a complex or plant facility and can typically take advantage
of higher-speed communications and local networks. They can achieve much faster scan/polling rates.
Some control applications, such as motor controls, can require very fast cycles (e.g., in the millisecond
range).
Scan rates for instrument readings need to be supported by the hardware and are determined by the
application of what is being monitored and controlled. Hardware will often determine the maximum
allowable scan rate, and the process will require a desired scan rate or acceptable range. Warning: We
don't like generalizations, but they are made to provide descriptions of things. Not all systems will fit
general definitions. It is important to note that reliable distinctions between RTUs, PLCs, and terms to
describe control systems have faded. Newer technologies have blurred the lines of existing terminology.

50
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 Lab 1.3

Programming an HMI
Using your ICS410 Windows 10 Enterprise VM, we will create an HMI for the PLC process we
created in the last lab. But before we do that, we will reprogram our Velocio Ace 11 PLC with a
slightly modified version of our program to ensure all of our PLCs are running the same logic.

Refer to the lab workbook for instructions..ir
This area intentionally left blank.
01
de
hi

51
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 52

Summary

Module takeaways:
− Most ICSs have several layers of control: From management server, to supervisory, to
controllers, to field devices

− Difference between Site SCADA and Regional SCADA
It is usually considered Purdue Level 3 in both scenarios
It is usually TCP/IP based using industry standard protocols

− From a cybersecurity perspective, SCADA is more exposed
In Site SCADA, it is the first system attackers usually access
In Regional SCADA, weak points are WAN providers and unmanned stations
Network defenses can aid us in both.ir
This area intentionally left blank.
01
de
hi

52
Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit
 ICS410 | ICS/SCADA Security Essentials 53

Course Roadmap Lab 1.1: Learning from Peers
GICSP Overview
Section 1: ICS Overview ICS Concepts
Controllers and Field Devices
Section 2: Architectures and Lab 1.2: Programming a PLC
Processes Supervisory Levels