Mars Cheng is a threat researcher for TXOne Networks, blending a background and experience in both ICS/SCADA and Enterprise cybersecurity systems. Mars has directly contributed to more than 10 CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Mars was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat, HITB, HITCON, SecTor, ICS Cyber Security Conference USA and Asia, CLOUDSEC, and InfoSec Taiwan as well as other conferences and seminars related to the topics of ICS and IoT security. Mars is general coordinator of HITCON 2021 and was vice general coordinator of HITCON 2020.
In this research, we analyze 9 ICS protocols (5 public and 4 private) which are widely used in the critical infrastructure sectors of power, water, transportation, petroleum, and manufacturing. In each of these public and private ICS protocols, we found some common flaws which allow attackers to easily sniff unencrypted traffic and perform ICS protocol-centered attacks. These attacks include T833 - Modify Control Logic, T836 - Modify Parameter, T843 - Program Download, T856 - Spoof Reporting Message - Modbus/TCP and T855 - Unauthorized Command Message which map to MITRE ATT&CK for ICS. Attacker can be accomplished without the intruder needing to acquire authentication or authorization. Also, we provide 5 attack demos which across 1 public and 3 private protocols, to show how these common flaws will cause huge impacts such as T832 - Manipulation of View and T831 - Manipulation of Control to ICS. Finally, we demonstrate how to againist ICS network protocols attack.
This research will collect publicly leaked data and share some of the traps and fun that we found during the analysis. We will also share how we have conducted big data analysis on more than 10 billion pieces of data from 200 plus datasets, with a particular focus on the analysis of data leakage and password habits of Taiwan's 8 critical infrastructure service providers. Finally, based on the in-depth analysis of our data, we will try to provide prediction warnings to high-risk CI sectors and vendors that may be invaded due to information leakage, and finally advise how to perform prevention and mitigation measures.
This talk will share how we built an automated large-scale IoT threat hunting system, and will share a deep look into the overall threat situation and trends compiled from six target examples in the past year.