WEBVTT

00:00.000 --> 00:02.595
>> ICS Protocols.

00:02.595 --> 00:04.140
The learning objectives for

00:04.140 --> 00:06.090
this lesson are to differentiate

00:06.090 --> 00:08.250
industrial control
systems protocols

00:08.250 --> 00:11.220
and to explore ICS/SCADA
usage by Sector.

00:11.220 --> 00:13.890
Let's get started. We're going

00:13.890 --> 00:16.095
to begin with the
Controller Area Network.

00:16.095 --> 00:18.840
Cars have become more
complex over the years and

00:18.840 --> 00:21.555
now with the introduction of
unmanned aerial vehicles,

00:21.555 --> 00:23.400
we need something
to help us control

00:23.400 --> 00:25.740
the complex systems
within these vehicles.

00:25.740 --> 00:28.545
This is where the Controller
Area Network comes in.

00:28.545 --> 00:31.680
These vehicles rely on
electronics now that will

00:31.680 --> 00:34.605
help them to control their
engine and power systems,

00:34.605 --> 00:36.210
the braking and
then landing for

00:36.210 --> 00:39.029
UAVs and the suspension
instability.

00:39.029 --> 00:42.350
Each of these
subsystems is included

00:42.350 --> 00:45.995
in an electronic control
unit known as an ECU.

00:45.995 --> 00:47.630
These ECUs are connected to

00:47.630 --> 00:50.915
one or more CAN bus serial
communications buses.

00:50.915 --> 00:53.390
The Onboard Diagnostics
or OBD-II is

00:53.390 --> 00:54.500
a good example of this

00:54.500 --> 00:56.645
and if you look at the
picture on the screen,

00:56.645 --> 00:59.120
this is an OBD-II connector
that you can plug

00:59.120 --> 01:01.820
into the OBD-II port
on your vehicle,

01:01.820 --> 01:04.400
plug the other end into your
laptop or mobile device,

01:04.400 --> 01:05.990
and then you can
download diagnostics

01:05.990 --> 01:08.100
information from your vehicle.

01:08.140 --> 01:11.450
But the bad thing about the
Controller Area Network is

01:11.450 --> 01:14.210
that it operates in a way
that's similar to Ethernet,

01:14.210 --> 01:15.730
but it has zero security.

01:15.730 --> 01:17.810
The ECUs will transmit
their messages

01:17.810 --> 01:19.805
as a broadcast and
because of this,

01:19.805 --> 01:21.200
all of the other ECUs on

01:21.200 --> 01:23.325
the same bus will
receive the message.

01:23.325 --> 01:25.660
It also has no source
addressing or message

01:25.660 --> 01:28.795
authentication and is
susceptible to DoS attacks.

01:28.795 --> 01:30.430
To top all of this off,

01:30.430 --> 01:32.500
it's also usually accessible

01:32.500 --> 01:37.700
remotely via the vehicle
cellular navigation system.

01:38.330 --> 01:42.775
Modbus. Operational
Technology or OT networks

01:42.775 --> 01:45.130
are all the parts
of an ICS network,

01:45.130 --> 01:48.485
in contrast to a normal
client-server network.

01:48.485 --> 01:51.490
Modbus is a protocol
used on OT networks,

01:51.490 --> 01:54.130
and it allows control
servers and SCADA devices

01:54.130 --> 01:57.445
to query and change the
configurations of PLCs.

01:57.445 --> 02:00.025
Originally Modbus was
a serial protocol

02:00.025 --> 02:02.020
known as Modbus RTU,

02:02.020 --> 02:03.895
but it has been
modified to run on

02:03.895 --> 02:06.260
Ethernet and use TCP/IP.

02:06.260 --> 02:07.710
Other protocols include

02:07.710 --> 02:10.290
the Common Industrial
Protocol or CIP,

02:10.290 --> 02:12.135
the Distributed
Network Protocol or

02:12.135 --> 02:16.060
DNP3 and the Siemens S7 comms.

02:16.790 --> 02:20.200
Data Distribution
Service or DDS.

02:20.200 --> 02:23.170
This enables the
interoperability of networks for

02:23.170 --> 02:25.840
machines for the
purposes of scalability,

02:25.840 --> 02:27.520
performance, and
quality of service.

02:27.520 --> 02:30.504
It supports Cloud and
on-prem scenarios,

02:30.504 --> 02:32.005
and it allows for

02:32.005 --> 02:35.780
automated orchestration of
all connected components.

02:38.090 --> 02:41.785
Safety Instrumented
Systems or SIS.

02:41.785 --> 02:44.620
These are composed of
sensors, logic solvers,

02:44.620 --> 02:46.225
and final control elements,

02:46.225 --> 02:48.900
such as horns, flashing
lights or sirens.

02:48.900 --> 02:51.515
It's designed to return
an industrial process to

02:51.515 --> 02:54.980
a safe state after preset
conditions have occurred.

02:54.980 --> 02:57.680
The goal is to monitor
industrial processes for

02:57.680 --> 03:00.080
possible dangerous
conditions and reduce

03:00.080 --> 03:01.775
the impact of an emergency event

03:01.775 --> 03:03.620
by taking defined actions.

03:03.620 --> 03:04.910
An example of this would be

03:04.910 --> 03:06.830
an assembly line where
maybe the rate of

03:06.830 --> 03:08.660
speed is going too high or

03:08.660 --> 03:10.880
a temperature has risen
to an unsafe level.

03:10.880 --> 03:12.590
This would trigger events

03:12.590 --> 03:14.450
such as stopping
the assembly line

03:14.450 --> 03:16.400
or turning off the
machines that are getting

03:16.400 --> 03:19.120
too hot and then also
sounding an alarm.

03:19.120 --> 03:23.820
ICS/SCADA usage by Sector.

03:23.820 --> 03:25.640
We'll begin with
the energy sector,

03:25.640 --> 03:27.920
which is power generation
and distribution,

03:27.920 --> 03:30.665
and also includes the
oil and gas industry.

03:30.665 --> 03:32.420
To make it more confusing,

03:32.420 --> 03:34.610
it could also include public
utilities like water,

03:34.610 --> 03:37.310
sewage, and public
transportation networks.

03:37.310 --> 03:40.625
Industrial sector is the mining

03:40.625 --> 03:43.505
of raw materials and
includes the refining,

03:43.505 --> 03:46.234
which uses high heat
and pressure furnaces,

03:46.234 --> 03:49.710
presses, centrifuges, and pumps.

03:50.330 --> 03:53.870
Manufacturing is the
creation and the assembling

03:53.870 --> 03:57.335
of components to make
final finished products.

03:57.335 --> 04:00.859
Automated production systems
would include forges,

04:00.859 --> 04:02.795
mills, and assembly lines.

04:02.795 --> 04:04.610
The logistics sector is about

04:04.610 --> 04:06.395
movement of materials and goods.

04:06.395 --> 04:08.915
It will use embedded
devices to help control

04:08.915 --> 04:10.255
automated transport and lift

04:10.255 --> 04:13.575
systems and sensors for
component tracking.

04:13.575 --> 04:16.980
Facilities management
sector would be HVAC,

04:16.980 --> 04:18.990
lighting, and security systems.

04:18.990 --> 04:20.695
Finally, we have
healthcare which

04:20.695 --> 04:22.315
aids in patient tracking,

04:22.315 --> 04:24.310
medical equipment and supplies,

04:24.310 --> 04:25.330
but it could also include

04:25.330 --> 04:27.890
environmental
controls like HVAC.

04:29.060 --> 04:32.760
ICS and SCADA security.

04:32.760 --> 04:36.760
ICS and SCADA systems
are often referred to as

04:36.760 --> 04:39.040
defenseless systems
and this is because

04:39.040 --> 04:41.710
over the years, as they
were developed and improved,

04:41.710 --> 04:44.680
no thought was given to
security at any level.

04:44.680 --> 04:46.180
The other problem, though,

04:46.180 --> 04:47.890
is that these are embedded in

04:47.890 --> 04:50.385
the critical areas of
national infrastructure.

04:50.385 --> 04:54.315
Attacks on these could bring
about real-world impacts.

04:54.315 --> 04:56.660
Because of this,
ICS/SCADA systems

04:56.660 --> 04:59.075
should be isolated
via air-gapping.

04:59.075 --> 05:01.640
You could also use change
control to help detect

05:01.640 --> 05:05.010
any unauthorized access
to these devices.

05:06.370 --> 05:09.260
Let's talk about some
real-world impacts

05:09.260 --> 05:10.685
that we've already seen.

05:10.685 --> 05:14.585
In 2007, Estonia was under
cyber attack from Russia.

05:14.585 --> 05:16.835
They used a large DDoS attack,

05:16.835 --> 05:18.170
but it also brought down

05:18.170 --> 05:21.125
critical infrastructure like
banking and transportation.

05:21.125 --> 05:24.160
Then in 2015, APT Sandworm,

05:24.160 --> 05:26.710
which is a Russian APT,

05:26.710 --> 05:29.165
attacked the power
grid for Ukraine.

05:29.165 --> 05:30.950
It brought down the
power for more than

05:30.950 --> 05:34.270
230,000 people and it lasted
for more than six hours.

05:34.270 --> 05:36.510
These are already direct attacks

05:36.510 --> 05:38.630
on infrastructure
that is impacting

05:38.630 --> 05:43.715
people directly.
Instructor side note.

05:43.715 --> 05:46.970
This is completely off of
this particular topic,

05:46.970 --> 05:48.800
but dealing with
things to help you

05:48.800 --> 05:51.395
understand how you can also use

05:51.395 --> 05:53.810
similar devices in
your own life to help

05:53.810 --> 05:56.170
you just understand things
in a different way,

05:56.170 --> 05:58.010
but you could get Raspberry Pis

05:58.010 --> 05:59.930
and use them for
different projects.

05:59.930 --> 06:01.250
For example, you could build

06:01.250 --> 06:04.010
your own temperature
sensor or a motion sensor.

06:04.010 --> 06:06.080
A lot of people have
set them up for

06:06.080 --> 06:08.360
weather stations or
airplane tracking,

06:08.360 --> 06:10.115
building their own
security systems.

06:10.115 --> 06:12.020
One thing is you
could build a Pi-hole,

06:12.020 --> 06:14.435
which is free software that
can be installed on there.

06:14.435 --> 06:15.680
They will block ads and

06:15.680 --> 06:17.300
malicious websites
on your network.

06:17.300 --> 06:18.980
Then another fun project is

06:18.980 --> 06:21.050
a penetration testing drop box.

06:21.050 --> 06:25.130
But the point is that
Raspberry Pis are infinitely

06:25.130 --> 06:27.230
usable and there are so many
people that have used them

06:27.230 --> 06:29.630
for different projects
that if you have an idea,

06:29.630 --> 06:31.670
chances are someone else
has already done it,

06:31.670 --> 06:33.370
and that will help
you get a good start,

06:33.370 --> 06:36.440
but the devices are
so useful because

06:36.440 --> 06:39.720
of the variety of sensors
that are available for them,

06:39.720 --> 06:41.330
what's already built
into the devices

06:41.330 --> 06:42.740
themselves and they're very

06:42.740 --> 06:44.510
inexpensive when
you can get them.

06:44.510 --> 06:48.050
In 2022, supply
chain issues have

06:48.050 --> 06:49.910
made these hard to
get; that is

06:49.910 --> 06:52.205
supposed to ease up
by the end of the year,

06:52.205 --> 06:54.770
and they've slowly started
to trickle back in,

06:54.770 --> 06:56.450
but you can pick up one
of these devices for

06:56.450 --> 06:58.490
less than 50 bucks
and use them for

06:58.490 --> 07:01.620
so many things and they are
a lot of fun to work with.

07:02.330 --> 07:05.090
Let's summarize. We went over

07:05.090 --> 07:07.190
the Controller Area
Network or the CAN.

07:07.190 --> 07:09.200
We also discussed Modbus and

07:09.200 --> 07:11.570
the Data Distribution
Service or DDS.

07:11.570 --> 07:16.385
We discussed the Safety
Instrumented Systems or SIS,

07:16.385 --> 07:19.235
and ICS/SCADA usage
in various sectors.

07:19.235 --> 07:21.465
Let's do some example questions.

07:21.465 --> 07:24.815
Question 1, this is
composed of sensors,

07:24.815 --> 07:26.510
logic solvers, and devices

07:26.510 --> 07:28.445
such as horns and
flashing lights.

07:28.445 --> 07:31.130
It is designed to return
industrial processes to

07:31.130 --> 07:35.070
a safe state after certain
conditions are detected.

07:35.420 --> 07:38.730
Safety Instrumented Systems.

07:38.730 --> 07:41.990
Question 2, ICS/SCADA systems

07:41.990 --> 07:45.330
should use this technique
to secure systems.

07:45.700 --> 07:48.670
Air-gapping or isolation.

07:48.670 --> 07:52.250
Question 3, cars and
UAVs use these to

07:52.250 --> 07:53.630
manage the multitude of

07:53.630 --> 07:55.985
complex systems it
takes to operate them,

07:55.985 --> 07:57.575
such as their braking,

07:57.575 --> 08:00.810
landing, engine control
and suspension systems.

08:01.400 --> 08:04.170
Controller Area Network.

08:04.170 --> 08:05.995
Finally, Question 4.

08:05.995 --> 08:08.285
This is a protocol
originally designed as

08:08.285 --> 08:13.170
a serial protocol that
is used on OT networks.

08:13.510 --> 08:16.430
Modbus. I hope this lesson

08:16.430 --> 08:19.290
was useful for you, and I'll
see you in the next one.

