As discussed in an earlier blog, attendees of S4x14 wanted to interact with ICS devices they may not have seen before, or in some cases just wanted more practice with devices they already know quite well. The Village also gave everyone, from novice to advanced, unrestricted access to the systems at times. I would like to believe that at some point over the course of the conference almost every attendee stopped by, or was connected to, the ICS Village network. With a record number of attendees using the networks and the space laid out, a number of noteworthy things were observed on the ICS Village networks.
Default credentials were configured on devices all throughout the network. In fact, there was a machine on the corporate zone whose credentials matched the host name of the machine. Once that machine was compromised you had root access to a box that could in turn be used to affect other systems in the different zones. One of the ICS Village participants pointed out to us a few times during the week that this machine was easily compromised and that root access could be achieved. As Fukumori-san describes in his post over at f-secure.jp, this and many other default credentials and known exploits were prevalent on the ICS Village, a situation often seen on real ICS networks. He was able to find almost every issue that we placed into the network, from the basic attacks to the more advanced issues. Congratulations to Fukumori-san on the great job in the ICS Village.
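The host-name-as-password finding above is the kind of thing that is easy to spot with an inventory in hand. As an added example (not Digital Bond's tooling, and not anything that was run on the Village), the script below walks a constructed device inventory and flags three weak patterns: a small, hypothetical table of vendor defaults, username equal to password, and credentials derived from the device's host name (the full name, the first DNS label, or the label with a trailing number stripped). The inventory entries and the default table are both assumptions for illustration.

```python
"""Audit a device inventory for default and host-name-derived credentials.

Added example, not Digital Bond's tooling. The inventory and the default
credential table below are constructed for illustration only.
"""
import re

# Hypothetical sample of vendor default pairs (assumption, not a vendor list).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("operator", "operator"),
}


def hostname_tokens(hostname):
    """Lower-cased variants of a host name that people reuse as credentials:
    the full name, the first DNS label, and the label with a trailing
    number (and separator) stripped, e.g. 'hist01' -> 'hist'."""
    host = hostname.lower()
    label = host.split(".")[0]
    stripped = re.sub(r"[-_]?\d+$", "", label)
    return {t for t in (host, label, stripped) if t}


def classify(entry):
    """Return the list of findings for one inventory entry (empty = clean)."""
    user = entry["username"].lower()
    pw = entry["password"].lower()
    tokens = hostname_tokens(entry["hostname"])
    findings = []
    if (user, pw) in KNOWN_DEFAULTS:
        findings.append("known-default")
    if user == pw:
        findings.append("username-equals-password")
    # Username is a host-name token, or the password contains one that is
    # long enough (>= 4 chars) to be more than a coincidence.
    if user in tokens or any(len(t) >= 4 and t in pw for t in tokens):
        findings.append("hostname-derived")
    return findings


def audit(inventory):
    """Map host name -> findings for every entry with at least one finding."""
    results = {}
    for entry in inventory:
        findings = classify(entry)
        if findings:
            results[entry["hostname"]] = findings
    return results


# Constructed inventory; these are not real devices from the Village.
SAMPLE_INVENTORY = [
    {"hostname": "hist01.corp.example", "username": "hist01", "password": "hist01"},
    {"hostname": "hmi-2.plant.example", "username": "operator", "password": "S3cure!Pass"},
    {"hostname": "eng-ws.corp.example", "username": "admin", "password": "admin"},
    {"hostname": "plc-gw.plant.example", "username": "svc_gw", "password": "Xy7#qL9wR2"},
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, ", ".join(findings))
```

The host-name check is deliberately loose (substring match on tokens of four or more characters) because the reuse is rarely exact; tighten the threshold if it produces noise on short site prefixes.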
After doing assessments of ICS equipment for the past 5 years, it was expected that there would be some issues with the devices around the ICS Village. In typical control system fashion, some crashed and required a reboot almost every day. The devices were likely crashing due to frequent scanning and exploitation attempts. Digital Bond checked periodically during the conference to ensure the devices were up and responding, to give attendees the most time possible with the network devices. If something other than a normal ping caused the issues, we should be able to determine the type of attack from the packet captures that were performed by Checkpoint and Tenable. If you performed an attack and would like to be put in touch with a vendor or any other contact, feel free to reach out to me or anyone else here at Digital Bond to coordinate.
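Working back from a capture to "what hit this device right before it stopped answering" is mostly a time-window question. The script below is an added example (not Digital Bond's, Check Point's or Tenable's tooling, and not run against the Village captures): it assumes the capture has already been exported to rows of (time, src, dst, dst port, summary), as you would get from tshark, finds the last packet the device itself sent, and then counts which sources were sending to it in the window before that. The rows are constructed for illustration.

```python
"""Triage which hosts were talking to a device before it went quiet.

Added example, not the capture tooling used at S4x14. The rows below are
constructed to look like a tshark export (time, src, dst, dst port, summary);
they are not from the Village captures.
"""
from collections import Counter


def last_seen_from(records, device):
    """Timestamp of the last packet `device` itself transmitted, or None."""
    times = [r[0] for r in records if r[1] == device]
    return max(times) if times else None


def unanswered_after(records, device):
    """Packets aimed at `device` after its last transmission: a crude signal
    that it stopped responding rather than just went idle."""
    end = last_seen_from(records, device)
    if end is None:
        return 0
    return sum(1 for r in records if r[2] == device and r[0] > end)


def suspects_before_silence(records, device, window_s):
    """Per-source packet counts toward `device` in the `window_s` seconds up
    to its last transmission. Returns [(src, count, [summaries])] sorted by
    count descending."""
    end = last_seen_from(records, device)
    if end is None:
        return []
    start = end - window_s
    counts = Counter()
    summaries = {}
    for ts, src, dst, _dport, summary in records:
        if dst == device and start <= ts <= end:
            counts[src] += 1
            summaries.setdefault(src, set()).add(summary)
    return [(src, n, sorted(summaries[src])) for src, n in counts.most_common()]


DEVICE = "10.0.1.50"  # the PLC that went quiet (constructed address)

# Constructed rows: an HMI polling normally, then a port sweep and a write
# from another host, then polls that never get a reply.
SAMPLE_RECORDS = [
    (100.0, "10.0.1.20", DEVICE, 502, "Modbus Read Holding Registers"),
    (100.1, DEVICE, "10.0.1.20", 50231, "Modbus Response"),
]
SAMPLE_RECORDS += [
    (130.0 + i * 0.01, "10.0.1.99", DEVICE, port, "SYN")
    for i, port in enumerate(range(20, 30))
]
SAMPLE_RECORDS += [
    (131.5, "10.0.1.99", DEVICE, 502, "Modbus Write Single Register"),
    (131.6, DEVICE, "10.0.1.99", 40000, "Modbus Exception"),
    (132.0, "10.0.1.20", DEVICE, 502, "Modbus Read Holding Registers"),
    (150.0, "10.0.1.20", DEVICE, 502, "Modbus Read Holding Registers"),
]

if __name__ == "__main__":
    print("last transmission:", last_seen_from(SAMPLE_RECORDS, DEVICE))
    print("unanswered after:", unanswered_after(SAMPLE_RECORDS, DEVICE))
    for src, n, what in suspects_before_silence(SAMPLE_RECORDS, DEVICE, 60):
        print(src, n, what)
```

The window size is the judgement call: for a device that reboots in under a minute a 60 second window is plenty, but if the watchdog only noticed the outage later, widen it or anchor on the reboot time from the device log instead.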
During my presentation at S4x14, I discussed that I had placed a rogue device into a PLC that is referred to as PLCPwn. As a test of its ability to hide in plain sight of well-trained professionals, I placed the PLC with the PLCPwn in the ICS Village and left it there all week. Other than a few people who helped with the project or helped with the ICS Village, no one knew it was there or what its purpose was. To make the point further, we kept the door off the Ethernet module so the parts of the PLCPwn were out in the open. To my knowledge no one questioned the device or its purpose, which stresses the point that, as with the PowerPwn, most people will not notice something that looks like it belongs there. The PLCPwn was also reachable via the network; however, some precautions were taken to make it less noticeable on the network.
Once again, thank you to everyone who participated in the ICS Village this year. If it were not for the sponsors and the volunteers it would not have happened. If you have any feedback on things you would like to see changed, or comments about what you liked about the ICS Village this year, please leave a comment or contact me directly.