2024-09-05, Main track
We regularly read in the news that critical infrastructure or OT networks should be better secured. We learn about APTs attacking these networks, or about the latest ICS zero-day vulnerabilities demonstrated during Pwn2Own. These are mostly advanced attacks, which can feel overwhelming and hard to defend against, but is this actually true? If we think about this a bit longer, we can come up with the following questions:
- Are these actually the biggest threats to your OT environment, the ones you should be focusing on?
- Should we just accept that OT networks are insecure and can be easily hacked?
- Or is there something that can be done to improve the security of these environments?
During this talk we will try to answer these questions by combining threat intelligence with first-hand security testing experience of OT environments and systems. We will share common vulnerabilities and configuration weaknesses, along with recommendations for improvement. Hopefully, after this talk you will have the feeling that not all is lost, and that there is still a lot of room for improving the security of OT networks and systems.
Presentation outline:
- Introduction
- Why is OT different from IT?
- OT threats
  - Targeted (critical infrastructure) vs non-targeted (generic OT)
  - Example threat scenarios:
    - Ransomware
    - (Preparation for) sabotage
    - Supply chain and suppliers
    - Internet-connected OT devices and hacktivists
- Security testing OT
  - Why is this different?
  - Approach
- Common vulnerabilities and weaknesses
  - Network design & security architecture
    - Purdue model
    - Firewall configuration
    - Virtualisation
    - Switching infrastructure
  - Windows systems
    - Active Directory
    - Vulnerabilities
    - Hardening
  - HMI, PLC, sensors and actuators
    - Weak or default passwords
    - Vulnerabilities
    - Insecure protocols
- Conclusions & recommendations
- Questions
Erwin currently works as a CTI specialist at the Dutch government. In his previous life he was a penetration tester/red teamer for over 20 years. During these years he tested a large variety of systems and networks and led complex assignments. Over the years he specialised in OT systems and networks, IoT devices and hardware hacking. He previously presented his OT research at the S4 conference, DEF CON, Hardwear.io and Hack in the Box.