My thoughts on my recent SANS SCADA training

If the guys a Red Tiger Security wanted to kick my brain into black hat mode - they succeeded!  I’ve just gotten back from a 5-day ‘boot camp’ style SCADA security class hosted by SANS in Houston, TX.  SANS actually hosted two similar courses - a more generalized SCADA Security training with an introduction to pentesting, and a much more focused SCADA pentesting course.  Looking back I should have taken the pentesting course, but based on the SANS website description I thought it would be beyond my abilities.

Day 1 consisted of introductions, a high-level overview of SCADA and ICS systems, followed by an in-depth discussion of different vendors, protocols, and devices.  Most of this was not news to me.  We did get to flip some lights on and off using ModScan32.  Day 2 was a hands-off review of different wireless technologies (802.11, Zigbee, etc.) followed by a high level overview of pentesting, red/blue teams, and reconnaissance.  Day 3 drilled into detailed pentesting methodology such as information gathering, utilizing the Kali Linux toolkit, and similar topics.  Day 4 covered how to actually perform a buffer overflow attack - this was fun, even if the software was several years old.  It was scary just how easy overflow attacks are to implement once they are discovered.  Day 5 covered defensive strategies we all know and love, along with several newer technologies such as data diodes, app whitelisting, network topologies, etc.

The guys from Red Tiger did a great job with their presentations and hands on labs.  They were always around to lend a hand, and were more than willing to say “I’m not really sure what you did wrong - try poking this and see what it does.”  I have to give some props to my classmate Brian V from Symantec for giving me a hand ‘dorking’ around.

I do have a bit of constructive criticism however.  The venue, The Westin Houston, Memorial City, was an amazing hotel with one major drawback…it sits directly beside I-10 with constant traffic.  Being from north of East Bumf**k as I am, I had a hard time dealing with the constant noise all night.  Perhaps if I had turned down my ‘free’ upgrade to an awesome suite the noise would have been better.  The Westin is also about 12 miles from the Downtown district of Houston, where most of sights are to be seen.  Unfortunately their shuttle service only runs in a 3 mile radius.  Those issues and price aside, the hotel amenities were exceptional.

The course content was excellent but geared towards someone with a good technical background but without a SCADA and/or security background.  Even when covering something I already knew, I found at least a few tidbits of new information.  I was disappointed there was no coverage of DNPv3 but plenty of ModBus coverage, so I really don’t know the specific issues of that protocol at the moment.  There were points during the presentations that felt a bit like scare tactics but considering the nature of ICS systems (especially electrical SCADA), you can never be too careful.

Aside from the information, the best outcome for me was the change in mindset and introduction to penetration testing.  While you can farm out a good pentest, you know your systems better than anyone else.  I think any company would find value in a self-run penetration test attempting to exploit known holes, as well as finding new ones.

All in all, I give the Red Tiger guys an A on this training and hope to find my way into some additional SANS training this year.

(Originally posted 6/18/13 at http://normesysadmin.blogspot.com/2013/06/my-thoughts-on-my-recent-sans-scada.html - moved 6/14/16)