March 5, 2021 | Virtual
How organizations prepare their IT and OT teams for security incidents often depends on which techniques and tools are available to them. With current tooling, teams can speed up the identification, containment, and eradication of suspicious or malicious activity, improving overall response times and reducing recovery effort.
This forum will explore a range of ICS topics, from programmable logic controllers (PLCs) to distributed control systems (DCSs), through invited speakers, while showcasing capabilities available today. Presentations will focus on case studies and thought leadership, using specific examples relevant to the industry as we know it.
Presentation by Ron Brash
A tale of two wireless RTUs – sinking the Titanic and ransoming it
As a technical follow-up to Ron’s SANS Oil & Gas session – a tale of the lost RTUs – I am going to discuss how a Software Bill of Materials (SBOM) for two commonly used cellular Remote Terminal Units (RTUs) resulted in disclosures, using merely their firmware to guide a research process to “sink the Titanic”. But! Why stop there?
Well, recently there have been some small-scale ransomware attacks targeting relatively commodity Network Attached Storage (NAS) devices such as those by QNAP or NetGear, so I thought it would be fitting to see how a ransomware strategy plays into a threat scenario involving directly connected remote devices of the kind often seen on Shodan. Using the same target devices, I will use their “sinking” to my advantage and leverage that information to build malicious firmware, access functionality on the hardware using a low-cost probe/logic analyzer, and look towards the future – ransoming an embedded ICS device. It may not be a completely greenfield strategy, but it might be among the first to be explored in a public scenario.
Attendees should walk away with an understanding of:
- How the research target was selected, and how an SBOM led to this further research
- How to scope the hardware and begin the process using a scope or serial adapter to find an entry point
- How the firmware was created and uploaded to the research targets
- Why ransoming is a definite possibility when dealing with embedded systems
- Some observations about reducing risk in this scenario for OEMs and asset owners