ICS/OT Vulnerabilities


Industrial control systems/operational technology (ICS/OT) systems are part of our lives. Whether we’re using water, electricity or gas at home or manufacturing automobiles in factories, we rely on those systems. Protecting ICS/OT is not an easy task; however, there are certain things that can be done to make attackers’ job harder. Let’s take a look at a specific Siemens vulnerability. Last year Siemens issued an update to a year-old product vulnerability warning for its SIMATIC S7-300 and S7-400 families of programmable logic controllers (PLCs), industrial control systems used to remotely monitor and operate manufacturing equipment. The alert, originally issued in December of 2016, was updated last year to include another version of the S7-400 line. The Department of Homeland Security pushed out an alert through the Industrial Control Systems Computer Emergency Response Team (ICS-CERT). The systems in both device families are vulnerable to remote attacks that could allow someone to obtain login credentials to the system or reset it into a “defect” mode, shutting down the controller, essentially executing a denial-of-service attack on whatever equipment it is attached to. It is pretty scary, right? Based on my research, however, there are more than a thousand Siemens products connected to the Internet.

Some of those organizations, e.g. the University of Maryland, have deployed honeypots, specifically Conpot. However, that doesn’t change the fact that more than a thousand vulnerable Siemens PLCs are connected to the Internet.


Disconnecting that equipment from the Internet is the right move. Then scheduling downtime and updating the firmware will remove the vulnerability completely.

If Cyber Security Was A Soccer Game

Your red team players will be midfielders like Ramires or Kante. They play both sides of the game, attack and defense, very well. People usually think of their attacking skills, but that’s so 90s. Modern red team players should be very good at blue teaming too!

Your incident response team will be like Manuel Neuer: they are good at saving, but their feet are not bad either! They will defend as much as they can, but should at least have some understanding of exploits (even though they may not know how to develop them).

Your cyber security awareness team will be like Cristiano Ronaldo. They will be in the news, but they also work very hard to get into those news!

Your architects will be like Messi. They will not only have knowledge about cyber security but also a talent that helps them understand and analyze the overall cybersecurity landscape in your company easily and naturally.

Your security engineers will be like Dani Alves. They will integrate security solutions to defend your company, and they will be very fast at implementing them.

Your security managers will be like Cuneyt Cakir. They will be fair to their employees and know the rules of the game perfectly!

Now you’re wondering where the CISO sits in this picture. Let me tell you, they will not be on the field. The best CISOs are the ones who motivate their people and provide the support and necessary tools for them to do their job. So they are the FANS.

It is very hard to protect your control systems if you don’t know what to protect. Even though you may have an idea of what you have, the visibility problem goes beyond asset management issues. You need visibility not only into the OS, firmware and software but also into the network communications in the environment. On top of that, you cannot safely use regular IT tools such as nmap to scan your control systems. You need to use passive methodologies that are safe for control environments.


GRASSMARLIN is an open-source software tool that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA) and Industrial Control System (ICS) hosts on IP-based networks. GRASSMARLIN uses a variety of sources to generate this data, including PCAP files, router and switch configuration files, CAM tables, and live network packet captures. The tool can automatically determine the available networks and generate the network topology as well as visualize the communication between hosts.

GRASSMARLIN is not an analysis tool. GRASSMARLIN exists to facilitate further analysis by a system administrator, auditor, or other individual. The focus is not on drawing conclusions from data, but on organizing large sums of data to allow people to quickly make informed decisions.

Supported Platforms

Microsoft Windows (64-bit 7, 8, and 10)
Fedora (23)
Ubuntu (14.04, 15.10, and Security Onion)
Kali 2.0
CentOS (6, 7)
Debian (8)

How To Set Up

I used Kali to install the tool. You can download the Debian .deb package and install it with the following command:

$ dpkg -i FileName.deb

After you install it you can open it.

After GRASSMARLIN starts we will see its beautiful interface :)

The Logical Graph shows Nodes for distinct IP addresses with Edges representing packets sent between them. This graph is built from packet metadata, normally provided through Pcap or Bro2Conn files.

GRASSMARLIN has a powerful fingerprinting function:

Let’s import some ICS pcaps. We can use the File->Import File feature. You can find some examples of ICS packets at

We can group the nodes by network, country, MAC, Manufacturer, MODBUS Role etc…


We can click View->Logical Nodes Report and get the asset inventory as a CSV file:


GRASSMARLIN gives us a way to get visibility into ICS environments. We can learn asset types, communication protocols, endpoints’ relationships, etc. The next step should be analyzing this traffic in Snort or Kibana to find any malicious activity in the network.
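As an added example (not GRASSMARLIN’s own code), the Python below builds the same kind of logical graph passively, from constructed Zeek/Bro conn.log-style records rather than an active scan, infers Modbus roles from the server port, and writes the node list out as a CSV inventory. The sample records, the port-to-protocol map, and the master/slave heuristic are assumptions made for the example.

```python
"""Added example: a passive logical graph and CSV asset inventory from conn.log-style records."""
import csv
import io
from collections import defaultdict

# Constructed records (ts, src ip, src port, dst ip, dst port, proto): an HMI (10.0.1.10)
# polling two PLCs over Modbus/TCP and an engineering station (10.0.1.30) using S7comm.
SAMPLE_CONN_LOG = """\
1527000001.1\t10.0.1.10\t49152\t10.0.1.20\t502\ttcp
1527000002.2\t10.0.1.10\t49153\t10.0.1.21\t502\ttcp
1527000003.3\t10.0.1.30\t51000\t10.0.1.21\t102\ttcp
1527000004.4\t10.0.1.10\t49154\t10.0.1.20\t502\ttcp
"""

# Assumption: classify by well-known ICS server port (Modbus/TCP 502, S7comm 102).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm"}


def build_logical_graph(conn_log):
    """Return (nodes, edges): nodes maps IP -> {'roles', 'protocols'}, edges maps (src, dst) -> count."""
    nodes = defaultdict(lambda: {"roles": set(), "protocols": set()})
    edges = defaultdict(int)
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, _proto = line.split("\t")
        dport = int(dport)
        edges[(src, dst)] += 1          # one edge per talker pair, weighted by record count
        nodes[src]                      # make sure both endpoints exist as nodes
        nodes[dst]                      # even when no ICS protocol is recognised
        if dport in ICS_PORTS:
            for ip in (src, dst):
                nodes[ip]["protocols"].add(ICS_PORTS[dport])
            if dport == 502:            # the side opening the connection is the Modbus master
                nodes[src]["roles"].add("Modbus master")
                nodes[dst]["roles"].add("Modbus slave")
    return dict(nodes), dict(edges)


def inventory_csv(nodes):
    """Render the node table as CSV, like the Logical Nodes Report export."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ip", "modbus_role", "protocols"])
    for ip in sorted(nodes):
        roles = ";".join(sorted(nodes[ip]["roles"])) or "-"
        protos = ";".join(sorted(nodes[ip]["protocols"])) or "-"
        writer.writerow([ip, roles, protos])
    return out.getvalue()
```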


How To Use DD On Windows Systems

dd is a forensic imaging tool. It’s been around for quite a while and is sometimes referred to as GNU dd. It is a command line program that accepts certain arguments to control its imaging functionality. If not used wisely, you can accidentally destroy the media that you are trying to duplicate, so it must be used with caution. When done correctly it creates raw image files that can then be used by other forensic tools such as EnCase and FTK.

To get a copy of the dd utility for Windows go to: http://www.chrysocome.net/downloads/dd-0.5.zip. It’s a free program distributed under the GPL (General Public License).

Then you can unzip the download onto your desktop or whichever directory you prefer.

For my demonstration, I created a couple of test partitions and then used the dd utility to do a volume copy of one partition to another. So I created a “G:” and an “H:”.

Each partition had exactly the same space for my first attempt, but for my second attempt I gave the H partition an extra 1GB. Any time you wish to create an image using dd you need to make sure your output file storage area has enough capacity for the copy.

From there you open a command prompt as administrator. This requirement is most likely dictated by the security configuration of your PC so it may not be necessary depending on your security settings.

Navigate to the directory containing the unzipped dd executable.

After that you can use dd --list to get a list of the devices on your computer.

The basic structure of dd is:

dd if= of= bs=

Where “if” is your input file, “of” is your output file, and “bs” is your block size.

You can use null inputs such as /dev/zero to write zeros to a partition. This effectively wipes that partition or drive.

One note on block size: 512 bytes is as low as it goes. The lower the block size, the slower the copy, so if you plan on copying a large drive a lower block size might dramatically increase the time it takes. A lower block size will be more accurate. You can choose sizes such as 512, 1024, 2048, 4096.

For my example I simply copied one partition to another.

This should have effectively copied one directory to another.

I repeated the process extending the size of the H: partition to 3GB and instead created an image with the dd command.

This worked as expected.

dd is an easy-to-use tool and provides effective bit-by-bit imaging of a drive or partition.
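As an added example (not from the post or from the chrysocome dd distribution), this Python wrapper runs the same `dd if= of= bs=` command with the two checks the post warns about: it refuses to write onto the input, and it confirms the destination has enough capacity before copying; afterwards it hashes source and image to prove the copy is bit-for-bit. It assumes a regular file stands in for the partition (on Windows the input would be a device name from `dd --list`, and the size would have to be taken from the device rather than `os.path.getsize`).

```python
"""Added example: dd imaging with pre-checks and hash verification (file stands in for a device)."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_of(path, chunk=1024 * 1024):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def image_with_dd(src, dst, bs=4096):
    """Run `dd if=src of=dst bs=bs` after sanity checks; return (source hash, image hash)."""
    # Guard against swapping if= and of=: never write onto the media being imaged.
    if os.path.realpath(src) == os.path.realpath(dst):
        raise ValueError("output must not be the input")
    # The destination needs room for a full copy (assumption: src is a regular file,
    # so its size comes from getsize; a real device needs its size read another way).
    needed = os.path.getsize(src)
    free = shutil.disk_usage(os.path.dirname(os.path.abspath(dst))).free
    if free < needed:
        raise OSError(f"need {needed} bytes free, only {free} available")
    subprocess.run(["dd", f"if={src}", f"of={dst}", f"bs={bs}"],
                   check=True, capture_output=True)
    # Matching hashes prove the image is bit-for-bit identical to the source.
    return sha256_of(src), sha256_of(dst)


def demo(size=2 * 1024 * 1024):
    """Constructed stand-in for the G: partition: 2 MiB of random bytes imaged into a temp dir."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "partition.bin")
    img = os.path.join(work, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(size))
    src_hash, img_hash = image_with_dd(src, img)
    return {"src": src, "img": img, "src_hash": src_hash, "img_hash": img_hash}
```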

Two Factor Authentication: How To Secure Facebook Accounts

We discussed securing Google, Microsoft and Yahoo! and Twitter accounts. Today we discuss securing Facebook accounts.

1. Log into Facebook with your username and password

2. On the top right of the webpage, click on the dropdown arrow to select “settings”

3. On the left top end, select “security”

4. Click on “login approvals.” Note: Make sure your cellphone number is added to your account

5. Check “Require a login code to access my account from unknown browsers”

6. Click on “get codes”

7. Enter your password

8. You will receive an automated message

9. Enter the code to confirm your login approvals

Two Factor Authentication: How To Secure Twitter Accounts

We discussed securing Google, Microsoft and Yahoo! accounts. Now we will go through securing Twitter accounts.

  1. Log into your account and go to settings.

  2. Select security and privacy and add your phone number.

  3. Add your phone number and select “Continue”.

  4. To verify your phone number, a code is sent to your phone.
  5. You need to enter the code, which activates your phone.

  6. From now on, whenever you log into your Twitter account, besides your password you need to enter the code that is sent to your mobile device via SMS.

  7. This way your two-factor authentication is set up on your account.


Two Factor Authentication: How To Secure Yahoo! Accounts

We discussed securing Gmail and Hotmail accounts. We will now secure Yahoo! accounts. First log into your Yahoo! account, then click on Account Info at the top right of the page, select the Account Security tab, and then toggle two-step verification.

After toggling two-step verification a window pops up. Select your country and enter in your mobile number and then either select ‘Send SMS’ or ‘Call Me’. For the purpose of this assignment I will go with ‘Send SMS’.


Enter the verification code that you are sent.

Two Factor Authentication: How To Secure Microsoft Accounts

We discussed securing Google accounts before. You can reach that content from here. The following walk-through illustrates how to set up two-factor authentication for a Hotmail account.  These instructions assume you have the following: an Android smart phone and an alternate email address registered with your Hotmail account.  If you don’t, then don’t fret; continue up to Step 3 and then follow the on-screen instructions.

Step 1:  Go to https://account.microsoft.com/proofs/Manage and sign in to your account.  Once signed in, click on the ‘Set up two-step verification’ link.


Step 2:  Click next.


Step 3:  Select a method to verify your identity.  (If you don’t have an alternate email address or Android, select the method that best fits your needs.)

Step 4:  Download and install the ‘Microsoft account’ app onto your smart phone.


Step 5:  Open the app and follow the on-screen instructions to sign in to your account.  After signing in, you will be asked to verify your identity by having a security code emailed to your alternate email address.

Step 6:  Back on the website, select ‘Next’ to complete the setup.  Optionally, you can proceed further to create an app password for use on any devices that do not accept security codes.

The next time you or someone else tries to log into your account from another device, an alert will be sent to your phone to verify the login is authorized.  If not, reject the attempt.

Additional Resources

Microsoft FAQ: http://windows.microsoft.com/en-us/windows/two-step-verification-faq


Two Factor Authentication: How To Secure Your Google Accounts

  • You will first need to log-in to your Gmail account.
  • Click on your profile picture near the top right corner and a box with a few options will appear. You will need to click on the blue button named “My Account”.


  • A new tab will open with different kinds of options for your account. You will need to click on the “Sign-in & security” option.


  • Under “Sign-in & security” there is an option named “Signing in to Google”. You will need to click that link next.


  • Under the section “Signing in to Google” you need to click on the link option “2-Step Verification”.


  • You will now be taken to the page where the setup process begins. You will need to click the blue button named “Start setup”.

  • You will be told to re-enter your password to continue with the setup process.

  • The first step of the setup process is to enter a valid phone number to which the codes can be sent. You will also need to choose how to receive the codes they will send you for verification.


  • After you have entered the phone number, a code will be sent to the number you provided.

  • The third step will ask if you trust the computer you are using to set up the two-step verification. Leave the box checked if you do, and if you don’t, make sure to uncheck the box.

  • The last step will just need you to confirm that you would like to turn on 2-Step Verification.

  • After confirming, you will be sent an email telling you that you have successfully turned on 2-Step Verification. The setup process is now done and no more steps need to be taken.