The Journey of ICS Project Files - Visibility and Forensics to Exploitability, presented at ICSCyberSecurityConference 2020

by Nadav Erez

Summary: The first challenge a CISO faces when securing the OT network is creating a comprehensive, accurate, and up-to-date asset inventory. Many ICS asset inventory methods are in use today, but the most reliable and user-friendly method involves importing project files from the ICS environment's engineering software. ICS engineering project files, which are usually already centralized on one backup server, contain a comprehensive list of shop floor devices, but extracting this information from these project files isn't always as straightforward as it may sound. While some ICS software vendors offer simple import-export functionality supporting standardized file types such as CSV, others use binary, proprietary formats that can only be interpreted using vendor-specific software.

In an effort to offer visibility into proprietary OT project file types, our researchers have identified some common features, and more importantly some common security flaws, in these files.

During this presentation, we will discuss:

- The types of proprietary files we encountered
- The critical role of these files for incident response teams
- The collection of forensic data from these files
- Common security issues we found in the project files and corresponding software
- Mitigations for addressing the risk posed by malicious project files
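As an added illustration of the two defensive uses the abstract describes (deriving an asset inventory from a vendor's CSV export, and treating the project-file backup store as forensic evidence), the following Python is example code written for this page, not material from the talk or from any vendor's tooling. The CSV column names, device names and addresses are constructed assumptions; real exports will differ per vendor. The integrity-baseline half hashes every file under a backup directory so that an incident responder can tell which project files changed since a known-good snapshot, which is one practical mitigation against tampered project files.

```python
"""Added example: OT asset inventory from a CSV project export, plus a SHA-256
baseline of the project-file backup store for later forensic comparison."""
import csv
import hashlib
import io
import json
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample of what an engineering tool's CSV export might look like.
# The column names are an assumption for this example, not a real vendor format.
# The last row is a near-duplicate (same device, different case) to show de-duplication.
SAMPLE_CSV = """name,ip,vendor,model,firmware,rack,slot
PLC_Line1,10.10.1.10,ExampleVendor,ModelX-300,4.2.1,0,1
HMI_Line1,10.10.1.20,ExampleVendor,PanelY,2.0,,
PLC_Line2,10.10.2.10,ExampleVendor,ModelX-300,4.1.0,0,1
plc_line1,10.10.1.10,ExampleVendor,ModelX-300,4.2.1,0,1
"""


def parse_inventory(csv_text: str) -> List[Dict[str, Optional[str]]]:
    """Normalize CSV export rows into inventory records.

    Rows that name the same (name, ip) pair, ignoring case and surrounding
    whitespace, are treated as one device and kept only once.
    """
    seen = set()
    assets: List[Dict[str, Optional[str]]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["name"].strip().lower(), row["ip"].strip())
        if key in seen:
            continue
        seen.add(key)
        rack, slot = row["rack"].strip(), row["slot"].strip()
        assets.append({
            "name": row["name"].strip(),
            "ip": row["ip"].strip(),
            "vendor": row["vendor"].strip(),
            "model": row["model"].strip(),
            "firmware": row["firmware"].strip(),
            # An empty rack means the export does not describe a modular controller slot.
            "location": f"rack {rack}/slot {slot}" if rack else None,
        })
    return assets


def firmware_summary(assets: List[Dict[str, Optional[str]]]) -> Dict[Tuple[str, str], int]:
    """Count devices per (model, firmware); mixed firmware on one model is a
    common inventory finding worth tracking for patch management."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in assets:
        k = (a["model"] or "", a["firmware"] or "")
        counts[k] = counts.get(k, 0) + 1
    return counts


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory file body."""
    return hashlib.sha256(data).hexdigest()


def baseline_from_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build a {relative_path: sha256} baseline from already-read file bodies."""
    return {path: hash_bytes(body) for path, body in sorted(files.items())}


def baseline_project_files(directory: Path) -> Dict[str, str]:
    """Read every file under a project backup directory and hash it, so a later
    run can show exactly which project files were added, removed or modified."""
    bodies: Dict[str, bytes] = {}
    for p in directory.rglob("*"):
        if p.is_file():
            bodies[str(p.relative_to(directory))] = p.read_bytes()
    return baseline_from_bytes(bodies)


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines; 'modified' files are the first place to look
    when a project file is suspected of having been altered."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_CSV)
    print(json.dumps(inventory, indent=2))
    print(firmware_summary(inventory))
    # Constructed in-memory "backup store" before and after a change, to show the diff.
    before = baseline_from_bytes({"line1/main.prj": b"v1", "line2/main.prj": b"v1"})
    after = baseline_from_bytes({"line1/main.prj": b"v1", "line2/main.prj": b"v2"})
    print(diff_baseline(before, after))
```

In practice the baseline would be generated from the backup server with `baseline_project_files(Path("/path/to/backups"))` right after a verified engineering change and stored somewhere the engineering workstations cannot write to; any later `modified` entry that does not match a change record is a candidate for forensic review of that project file.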