In part 1 of this article, we covered the various standards and guidelines that are available to inform the design and operation of Industrial Control System Cybersecurity. We also provided links to a variety of free training resources in both general cybersecurity and ICS cybersecurity.
Free training courses and snazzy certificates are great, but the best way to learn is by doing. Luckily, many of the most popular cybersecurity tools are free and open source. In a matter of minutes, a motivated student can download a state-of-the-art tool and begin exploring!
Great PLC Hacking Demo
Before we get into the tools, I wanted to share this amazing video with you. It’s on the long side (37 minutes), but it is a live demonstration of hacking a SCADA network, including spoofing the HMI and taking control of the PLC. It is breathtaking.
Hopefully that video provides motivation to learn hands-on skills and protect your systems!
Hands-on Learning with Security Tools
An excellent place to get started with hands-on learning is at SecTools.org. This site lists and reviews the top 125 network security tools available today, along with links to download.
For this post, I will just highlight a few of the most popular tools that are relevant to typical ICS security concerns. Several of these tools are covered in popular (and expensive) commercial ICS cybersecurity courses. All of these tools are free and open source and can be safely installed and run on a home PC for testing and learning. Don’t install them on your ICS network until you know what you are doing, and don’t test your IT department’s servers without permission. ?
- Snort is a free and open source network intrusion detection system that can perform real-time traffic analysis, packet logging, content searching, and more.
- Intro Video: Using Snort
- Training: Secure Networked System with Firewall and IDS (Coursera)
- Metasploit is a free software framework for identifying security vulnerabilities and performing penetration testing.
- Intro Video: Metasploit for Beginners
- Training: Hacking and Patching (Coursera)
- Wireshark is a free network packet analyzer
- Intro Video: The Complete Wireshark Course
- Training: Digital Networks Essentials (EdX)
- Spiderfoot is a free and open source “footprinting” tool that gathers data from public sources to profile a target prior to penetration testing.
- Intro Video: Spiderfoot
- Sometimes called “Google for Hackers”, Shodan is a search engine that lets users search for specific types of computers, such as PLCs.
- Intro Video: Shodan Search Engine Tutorial
For the more adventurous, many of the most popular security tools have been pre-packaged in the Kali Linux distribution, which provides an ideal platform for exploring cybersecurity and penetration testing.
A recent NIST report states that the U.S. needs immediate and sustained improvements in its cybersecurity workforce. In a separate report, it notes that there is a consensus that cybersecurity competitions (aka wargames) will play a key role in raising the bar for cybersecurity skills. In an appendix, the report lists a large number of such competitions already available to students and professionals.
In this post, we will just give a taste of what’s available by highlighting a few free online cybersecurity games:
- TargetedAttacks – An interactive video cybersecurity choose-your-own-adventure suitable for beginners. A sample of TargetedAttacks is shown in the embedded video below.
- Cyber Storm – Department of Homeland Security’s (DHS) biennial exercise with over 1000 players.
- OverTheWire – Unix console-based challenges that teach Bash, cryptography, and more. Multiple levels suitable for beginner to advanced
- CaptureTheFlag365 – Build and defend your own virtual servers while attacking others
- HackThisSite – Complete hacking challenges in a safe and legal environment
- CyberCompEx – Provides links to other cyber competitions
Unlike the traditional world of ICS, where technology changes on a generational cycle, the world of cybersecurity is continually evolving. One of the reasons there are so many guidelines is that the guidance needs to be updated every few months to keep up with the ingenuity of the attackers. Unlike the SIS world, we are not dealing with random (or systematic!) failures, but rather with the willful action of humans seeking to do us harm. It is bound to be more dynamic than the sterile SIS world of statistical failure rates and probabilities. But today these two worlds are intersecting, so something’s gotta give.
That about wraps it up. As always, thanks for reading. I will be back next time with some more “normal” SIS stuff, so don’t get scared off by all the cyber mumbo jumbo! Until next time…