Open Platform for ICS Cybersecurity Research and Education

Matthew E. Luallen


The CybatiWorks open platform serves as an educational environment for cyber-physical systems. The living laboratory platform uses low-cost I/O, embedded devices, virtual machines and authentic automation protocols for participant cybersecurity education. The platform incorporates the Raspberry PI, PiFace I/O, Elenco Snap-Circuits, Fischertechnik components and an ICS-ified Kali Linux called CybatiWorks-1 to allow participants to build, break and cybersecure small control environments. CYBATI has performed years of research to develop this platform and is making it available for early access, school sponsorship and integrated education via the Kickstarter project announced during the session.

Transcript of Open Platform for ICS Cybersecurity Research and Education

  • 1. Matthew E. Luallen
  • 2. Agenda: CybatiWorks-1 ICS. Where did it come from? What is it and what are the goals? What are the components and possible learning outcomes? Where can you learn more?
  • 3. Where did it come from? Built laboratory to achieve CCIE status in 1998-1999; Long time instructor for Cisco Systems and SANS Institute; 802.11 wireless at substations in 2005; ICS cybersecurity conversion year 2006. NERC CIP / Transportation / Water control system control interpretation and integration world tour 2007-2010; Cybati formed to build education to expand workforce and family home turned into living laboratory; Back injury, healing and ICS cybersecurity education world tour 2011-today
  • 4. What is it? The CybatiWorks scalable academic and professional control system and internet of things cybersecurity platform enables educational institutions, industrial asset owners / operators and supporting entities to quickly understand control system environments and cybersecurity risks. The portable and complete training platform has been validated by hundreds of industry practitioners and educators.
  • 5. Community Edition Goals: Targeted markets and participants; Core competencies attained by participants; Vulnerability identifying exercises / labs; Mitigating control exercises / labs; Living, hands-on, retainable laboratory environment
  • 6. Customized, portable kit to augment the course content; Control System Portable Laboratory and Research Kit (Allen Bradley MicroLogix and Siemens Programmable Logic Controllers) static trainer; HMI, PLC, Manual Controls, CS Network, CYBATIFIED Backtrack; CYBATI CICS Cybersecurity Industrial Edition Training Kit (version 1)
  • 7. CYBATI CICS Cybersecurity Industrial Edition Training Kit (version 2): Similar to IPv5, CYBATI's version 2 training kit lasted for about 4 months; Attempted several new designs of quick connect sensors, kinetic modeling and associated cybersecurity learning methods
  • 8. Customized, portable kit to augment the course content; Modifications: Customizable I/O trainer; Quick connect PLC I/O; Phidget, Arduino and other 3-5 vdc sensors and actuators; Schneider Electric, SEL, Siemens, Opto22, Koyo, Honeywell, Rockwell; More protocols (AB PCCC, DNP3, Modbus, S7); Small scale environments; CYBATI CICS Cybersecurity Industrial Edition Training Kit (version 3)
  • 9. Accepted Conference Paper: HICSS 46, January 2013; Developing a Critical Infrastructure and Control System Cybersecurity Curriculum; Identifies student projects, successes, failures and path forward; Copyright 2011-2014 CYBATI
  • 10. Cybati Critical Infrastructure and Control System Cybersecurity Course: Academic and Professional; Educated over 1,000 participants; 5-day hands-on course covering ICS/SCADA/Plant attack surface and mitigating controls; Designed with a portable, living laboratory of real applications, hardware and protocols; 85% rate of identifying new vulnerabilities during the course week
  • 11. CYBATI CICS Cybersecurity Mastery Stations (version 1): WOPR Event; Mission assignments; Participant driven; Skill assessment through risk identification and penetration
  • 12. Reduced Cost Training Kit (Version 1): .NETduino Plus with 5v Solar Power; Programmed in Visual Basic; Partnered with Ludotronic Netduino PLC (serial); Traffic light model; s/PLCNET24V.php
  • 13. CybatiWorks ICS Cybersecurity Community Edition (Version 2): PLC/RTU hardware using a Raspberry PI with the PIFace I/O; VMWare CybatiWorks-1 Image; Kinetic models built with Elenco Snap-circuits (Traffic Lights) and Fischertechnik
  • 14. CybatiWorks ICS Cybersecurity Community Edition (BETA) Demonstration: Your Physical Computer with VMWare Software; Your Physical Computer with VMWare Software; cybatiWorks-1 Production VM; cybatiWorks-1 Assess VM; Trainer and Controller cybatiWorksPI; Direct Connect; Powered by single power cord connection (laptop); Single direct cable network connection; Operates on participant's workstation; Participant builds, breaks and secures kinetic model
  • 15. CybatiWorks-1 Virtual Machine: List of the CYBATIFICATION process of KALI Linux: Cmake, wine, italc and dependencies, PeakHMI demo, snap7, inkscape and dependencies, beef and dependencies (SQLite & RVM w/ ruby), Rex Development Tools, python snap7, Modbus, snmp, openvas, Kautilya, binwalk, Mbrowse, modpoll, wireplay, PVBrowser, Modify source.list APT repository, bleachbit, scratc, usbip, sshfs, Update grub with 1 second boot time, /etc/gdm3/greeter.gsettings (login screen IMAGE), Background image for grub/splash and OS, Install bridge-utils, Update /etc/network/interfaces, msfupdate, /opt/CybatiWorks folder, ssh-key copying to RASPI, MdBus_H file in Rex, openzwave / required libudev-dev (Installed used hg clone), python-openzwave, Wine Gecko installer launched during PeakHMI help selection, Net-snmp, libperl-dev, mbrowse for SNMP, Mblogic, Libpcap-dev, libnet-dev, Arduino and Teensy rules, Metasploit cybati auxiliary modules, Migrate cybati labs folder, Updated /usr/share/nmap/nmap-services (port frequency and name); CybatiWorks-PI shortcuts; CybatiWorks Labs folder - Industry whitepapers and presentations - Course logic and HMIs - Software, tools and scripts for laboratory exercises - Specific lab tools added (e.g. ICS protocol scanners, project file password recovery, ICS protocol MitM)
  • 16. CybatiWorks-1 CybatiWorks Educational Platform Supported Learning Outcomes: History of critical infrastructure and control systems; Cyber-physical security risk management; Vulnerability assessment and penetration testing; Attack surface analysis; Exploit code analysis; Secure coding; Logic analysis and physical I/O control; Industrial and building automation protocols; Engineering workstation and server operating systems; HMI screens points, tags and design; OLE for Process Control; Cryptography; Kinetic model analysis; Wireless analysis; Application security (e.g. web, database); Intrusion detection and visualization; Incident response and active defense
  • 17. CybatiWorks-1 Participants: Professional: Hands-on, retainable awareness to ICS risks and mitigating controls that can be implemented today; Collegiate / High School Academic: Prepare the next generation workforce for the hands-on skills necessary through academic instruction and exercises; Children: Empower children through turning their bedroom into a living cyber-physical computing/electronics laboratory
  • 18. CybatiWorks-1 Kinetic Models: Traffic Light; Robotic Arm; Train; Car Wash; Manufacturing Line; Amusement Park; Pipeline Operations
  • 19. CYBATI Enabling the Community: The CybatiWorks ICS Cybersecurity Community Edition will be used in CYBATI courseware; The kit scales up to the Industrial Edition; Supporting video lectures will be provided to the community as part of the curriculum
  • 20. Kickstarter Access Award Levels (Support, Early Access, Kits, Homeschooling/Community, Sponsor a School, Week long DL Class with Kits); Feel free to call or contact me directly at [email protected] 312.375.4715