Hello everyone. Thank you for tuning in to our talk, "It Takes a Village: Students Performing ICS Security Assessments." My name is Dennis Skarr. I'm tenured faculty here at Everett Community College, and I was also a member of the National Guard, where we were performing a handful of missions in different critical infrastructure, and our unit even stood up training and trained other cyber operators on how to perform assessments in an ICS space. I took that experience and the lessons learned and rolled it into the fabric of a five-credit class here at Everett Community College, and we're presenting on the first class to actually go through this experience and perform their very own mock ICS security assessment. Special thanks to all the volunteers at ICS Village. I know it takes a lot of work and effort to get things off the ground for these events, and we appreciate the opportunity to share our story.

Every year I would return to DEF CON and spend a lot of time at the ICS Village. I really appreciated having access to the technology, the talks, culture and even the community involved with everything, and when we had an opportunity to pursue a grant and, you know, possibly build up an ICS program, I immediately thought of those experiences that I had at DEF CON leading up to our pursuit of this program. So when the grant opportunity kind of came to our team, we were exploring a lot of different technologies in which we could possibly invest, and, you know, the typical stuff comes up, like should we go cloud, server, more networking stuff, and obviously cyber security is big and a lot of student interest is there in that space, but it took a nudge from my team to say, hey, you do a lot of cool missions. You're doing all this ICS stuff, like why don't we go there? So, you know, we did, and I reached out to Tom Van Norman, who's the co-founder of ICS Village, and I said, Tom, what you guys have is extraordinary.
What would it take to actually get that here on our campus? And we came with a plan, put in an offering and, you know, I was thrilled. I was actually blown away that we actually had this opportunity, and I'm very thankful for the state of Washington to actually provide that to our students.

When we created the Assessing and Securing Control Systems class, we wanted to make sure that we could have students from information technology, operational technology and business programs all funnel up into this class, so we can have this cross-cut of culture all within the same class. In my experience with these assessments, it really took those three areas to come together to understand, you know, not only how businesses function, but how do the business processes map down to the information technology, that technology supports those processes, and then IT, how does that actually relate to all your different operational technology down together. And once you have those dependencies mapped and you understand how the whole system truly works, that's when you can start looking at how to effectively apply security controls and find those crown jewels within an organization that require deeper layers of protection.

All throughout the quarter students were working as a team to actually prepare briefings to a mock manufacturing group, you know, where they had to present different threats that happened in real time. So when Oldsmar happened, and the Colonial Pipeline, we rolled that into the fabric of the class. They had to actually kind of take what information was available to them and then present to a group in terms that they actually understand.
So we built on those skill sets over the quarter, and during the last week they were presented a company that actually, you know, enjoyed their presentations and hired them to assess their company. The company I created was Fantastic Plastics. It's a plastic mold injection company, and they provide a product to an aerospace manufactured area, and they also have DOD contracts. So students had seven primary tasks that they had to deliver on, and in addition to, you know, working with the customer, which was me, through email, they had to perform a physical assessment of this environment and then give a presentation to the owner, and the owner in this exercise was Tom Van Norman from ICS Village. They knew that they had to present to someone knowledgeable; they didn't know that they had to present to the creator of the wall.

Sharing their experience of this assessment are two students, Chris and Alex, who took a big interest in ICS over the quarter and have a lot to offer to the community. I'm proud of all of our students who are choosing to get their education on top of a pandemic right now, but I really want to take a moment to have two of my students share their story.

Hello, my name is Chris Von Rabeton and this is Alex Vygovsky, and I am a former student and graduated Everett Community College in winter of 2020, and I'm currently in North Pole, Alaska, so pardon the bad connection.

I'm, uh, just in Washington over here. I'm Alex. I'm a recent graduate at Everett Community College. I closed out my time taking Dennis Skarr's ICS security class with Chris, and I came back to Everett Community College just for that class.
Yep, the big capstone project that we did for that class was a mock security assessment that was enabled by an ICS security wall that we were able to acquire thanks to Tom Van Norman and Grimm, and what it is, is it's a piece of hardware that's an all-in-one kind of ICS solution, including the HMI, the PLC and the actual in-out process towards the end, which I guess was a plastic making device.

Yeah, well, our teacher Dennis Skarr, he works with the Air Force National Guard, and he created this capstone off of his actual experiences in the field, and so he created this company, like, the Fantastic Plastics, that has a DOD priority plastic mix, and so we were sent in to assess and secure the company. The scope of our assessment was having to do with the operational technology part of the network. We did not deal with the business side, though in the scenario there were elements of the business network as well that I think were critical, as, you know, it's important to kind of tie those two networks together, because, you know, the air gap is not a reality in 2021. That's my kind of favorite quote now. But what we did is we mapped out all the relevant network devices, you know, every single critical device and service and data on the network, and we were able to scan for vulnerabilities that had the potential to impact those elements that are most critical to the system.

Right, yeah, we had actual physical access to this wall on the campus, and so come in, hook the laptop into the switch and have access to the network, and it took me a little bit till I figured I had to change the IP address to be on the actual network. But from there we were using netdiscover and Wireshark to do passive scans to, like, try to see what was out there on the network, and since OT really doesn't like Nmap, we actually got signed off to actually be allowed to use Nmap to start pinging, actively pinging and actively scanning for vulnerabilities and what was on
the network, and then we used GRASSMARLIN to just get a really good map of everything, and after we had our map we were allowed to take the next step in the assessment and get a foothold into the network and start playing around with what was on the network.

Yeah, not so much trying to break anything, but just see what was on there, right? It was really great fun seeing you run the Python script that then made the water tank start to go haywire.

Yeah, that was a pretty good time. What we'll use in the pymodbus discovery script, and so being able to see the registers for the PLCs and everything, and, like, watching them change, I'm like, oh, that's what controls this thing, let me use a different script and change that register, like, put the water output to the maximum, and watching then, it's being like, what the heck was that? And then other PLC is like, oh, I'm going to change the register numbers on this, and having the entire wall shut down. Well, lucked out that, I mean, this thing is well made, it's just a few button presses and it's back up and running, but just, like, realizing, okay, this is something you could do to, like, effectively shut down a business if this was in real life. And then doing the Ettercap DoS attack on the HMI and, like, locking out the ability to change the controls, and, like, this is something we're seeing nowadays, and we can actually visually see, and be right there when this kind of stuff happens, and, like, okay, now we see how these people are getting in and doing these attacks.

Yeah, so there's a huge kind of exploration-based element to this exercise. It's something that you don't get with something like a sim or a VM, which is, you know, a lot of my previous security classes were based around those kinds of exercises. This was very much a, you get to go in and there's, like, the whole network out there for you to explore and to work with, but you also do it in a very controlled and
organized manner. This is based off of Dennis's time with the National Guard and the Air Force. He's been doing security assessments with them for 10 years. I believe he was involved with the 2016 elections; he did some security assessments related to that, I believe, to voting system hardening.

All right, yep.

And so he was able to bring a lot of his experience into this exercise and was able to build a highly kind of modular, you know, project that, it was all up to kind of the students to make with it what they will. And one of the kind of big takeaways that I personally got out of it was having to deal with teams and working with the time crunch element, because, you know, when you're doing a security assessment professionally, you're not doing it by yourself. You're working as a part of a team, and you have to know how to divide roles up and how to kind of tackle the challenges that you're faced with in a logical manner, and that's kind of what Dennis helped us with. But there was no hand holding involved. It was very much kind of a sink or swim kind of situation, and he always says this, you really learn the most when you're going through something hard. Like, that's when the best learning happens, right, is when you're struggling, right? Because, no pain, no gain, as they say.

Yeah, and, yeah, like, when you're actually doing this assessment, like, we were an actual red team, and in those kind of experiences you don't have somebody behind you going, oh, you did that right, or, like, this is how you get to that. Like, we actually had to troubleshoot and figure this stuff out, but also staying within scope of our objectives and our SOD and all that stuff.

Right, you had to get authorization to be able to do certain things. I remember when we wanted to try using default credentials to get into some of the network devices, that's something you had to get authorization to do, which again is, that's how it would
be in the real world, you know, a business might not want you accessing certain, you know, documents. So it was highly effective as an exercise in that sense, and again, if you think about it, this is how security assessments go in the real world. Every network is going to be different. For me, I'm actually working with an aerospace manufacturer currently myself, and so we're constantly dealing with these principles. Almost all the data that we work with is highly controlled. It's called CUI, controlled unclassified information. Department of Defense is one of our clients, so if we don't, if we fail to protect the data and the confidentiality of that data, it could mean huge fines for us or loss of face. Certainly we can lose customers because of that. With our assessment we were primarily working with, you know, all that I just mentioned, that was part of it, and then the really exciting stuff was actually disrupting the hardware itself, which, but that would be on the operational technology side of, you know.

And, like, for me, this class really, like, being able to be working with the first ICS wall in higher education in the country, or even in the world really, like, it so solidified, like, okay, cyber security is the way I want to go. So I'm, like, currently enrolled in SANS so I can get that bachelor's degree in cyber security, and, like, looking at pathways that I can take in cyber security, now it's like ICS is one of them, and I wouldn't even think of doing that without this class. And so being able to just work with this actual thing instead of, like, oh, here, let me do the point A to point B, like, follow the instructions and the simulation, it's like having this actual physical thing that, you know, see how the little things you do affect everything, and being like, okay, I can do these things, now how do I protect against these things?

Yeah, well, what you're saying really hits home for me, because I was very new to it even when I started the
program here, so I had to learn the hardware and the networking principles, like, from the ground up, and then it was only when I started getting comfortable with that that I started even getting interested in security. And again, those earlier classes, they were all dealing with just very rigid simulations, very kind of clunky VMs, and I never had a chance to really, like, stoke that fire, to really become invested and interested. I mean, I wanted to, but what really did it was this exercise with the wall. Like, that's when it clicked. Like, you actually have to do the thing to know, you know, if you enjoy doing the thing, or, you know, maybe you don't, but we both do.

Yeah, yeah. I'd done the ICS Village, uh, Hack the Plant, Planet CTF and gotten third, and I was like, oh cool, I know my stuff, and then I get a chance to work at wall, like, there is so much to learn.

Absolutely.

It's just mind boggling and so cool that we got to have this chance to be, like, the first ones on the doorstep of this expanding field, because ICS is just so in the news right now and exploding, and, like, we get a chance to actually work with this stuff, so it totally, like, sets us up for, like, our future and doing assessments and doing red team and blue teaming and all that stuff.

And we need to build the workforce when it comes to, um, security experts, and here in Washington especially. I mean, we have such a big aerospace industry, which is, you know, like what I described with what I do. It's extremely important to be able to have the skills and to know how to prioritize security from the ground up. So not only is Everett Community College the first place to kind of do an exercise like this and have the wall, that type of hardware, we're also in a state that really, it's the best place to, um, to kind of begin to build that workforce up, because we need people who understand this stuff and who've experienced it, you know, for real, not just, not
you can get a lot from a book, you know, but there's no substantive experience.

Yeah, so that's looking like hard time, so we want to thank DEF CON, the ICS Village, we want to thank Dennis for being an awesome teacher and Tom Van Norman for getting us the wall, and that's with, and thank you, everyone. Thank you, Alex.

Thank you, Alex and Chris, for sharing your experience. It's been a pleasure having you in class, and I hope to see you in the control system security community in the future. Maybe you will be presenting by yourself at DEF CON in a couple years.

So with that, you know, that was what we were able to do with our initial investment, but we were even more fortunate to get another round of funding from Washington state to get even more products to expand this to even the next level. And now we have, you know, individual trainers with a PLC where they can perform a handful of exercises, whether they're programming or just network exploitation, traffic analysis, you kind of name it, we're kind of building this stuff as we go. You know, the newest version of Grimm's advanced trainers, where they have their own firewall, switch, PLC and an ESXi server under the hood. You know, these will be part of our competitions as well as workshops and our classes. You know, here at Everett we teach servers, networking, help desk, traditional IT stuff, and we're going to be working to actually incorporate these into all of our classes, so students aren't just getting, like, an ICS class, they're getting exposure to it throughout the entire program and are getting away from the traditional IT stuff. So this goes great, but how about you do those same kind of concepts on a Fortinet and see how that kind of works out?

And, you know, moving right along our 15 foot wall here, the latest addition is a building automation system here with the latest and greatest Allen-Bradley PLC, some kind of newer equipment. You know, we got RF, RFID, a new HMI and a very, very sweet wrapped
server that's hosting our CTF server in here. So what this element adds to our program is, you know, obviously there's new technology, new network protocols that we get to interact with here, but, you know, this is also built into our college level capture the flag competition. It was also developed by Grimm. So what this round of funding provided us is a high school level and college level CTF where students are actually, you know, interacting with all of our technologies to unlock different challenges here, and kind of stay tuned for nets in the works.

So thank you for tuning in to our talk. Thank you to all the volunteers at the ICS Village, and if you're interested in knowing more or getting involved, we're always looking for industry support, mentors, feedback, speakers, you know, you kind of name it. I love having that loop of industry built into our classes and make sure that what I'm teaching isn't out of date, obsolete or out of step with industry best practices are, um, thank you very much and have a great DEF CON.