210 - Exercise 3
Name:
Email:
Course Number: 210-22.1S
Course Time: July 18-20, 2022
Semester: On-Site
Submission: Exercise 3
Due Date: N/A
Instructor: Joel Langill
Email: [email protected]
Phone: +1 (920) 594-0321
Office Hours: N/A
210 660129468.docx
Threat, Vulnerability and Risk Assessments for Industrial Control Systems © 2012-2022 ICSCSI LLC
On-Site Page 1
EXERCISE 3
ICS IDENTIFICATION & CHARACTERIZATION
Read the lesson “Acme Manufacturing Company Architecture Overview”. This lesson
describes the system that will be used in this course, and includes an architecture
diagram, addresses, and credentials for use during the exercise.
Read the lesson “ICS Identification and Characterization”. This lesson will provide the
instructions for each of the activities and where information is to be entered on the
following pages.
To learn more about the physical process of collecting information to support the
security assessment, you can review the video “Asset Identification and System
Characterization – Data Collection Activities” included in this day’s section of the LMS.
This video walks you through the activities performed in this exercise as they would be
carried out during an actual assessment.
Please be sure to complete the cover page with your full name and email address prior to
submission. Do not forget to submit your work when you have completed this assignment.
Please use only ZIP format for file compression when submitting (if needed).
(Note: problems may occur if using Google Chrome as a browser, where it tries to open links
in Google Docs. The "Docs PDF/PowerPoint Viewer (by Google)" extension must be disabled
or removed.)
Network: 172.16.100.0/24
Network: 10.1.1.0/24
Network: 192.168.1.0/24
Do not forget to list the Windows Operating System name and build/version for each asset.
(It is not necessary to inventory the Linux computers used in the exercise for characterization.)
The information obtained from the arp-scan (via Linux), arp (local on each Windows target) and
netstat (local on each Windows target) commands should be used to populate the following matrix
with TCP port numbers for each communication pair.
You do not need to list communications using the local “loopback” adapter on 127.0.0.1.
It is not necessary to include any communications that exist within the same host (i.e., same source
and destination address).
It is not necessary to include the Linux computers used in the exercise for characterization.
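One way to turn a saved netstat capture into communication pairs for the matrix, as an added example that is not part of the course material. The sample output, its addresses and the function names are constructed for illustration; the example assumes the matrix records the listening (service) port, and it treats the host as the destination whenever its local port is also in the LISTENING list.

```python
import re
from collections import defaultdict

# Constructed sample: `netstat -an` output in the layout a Windows host prints.
# Addresses and ports are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49170        127.0.0.1:5357         ESTABLISHED
  TCP    10.1.1.60:445          10.1.1.1:58654         ESTABLISHED
  TCP    10.1.1.60:49155        10.1.1.129:502         ESTABLISHED
  TCP    10.1.1.60:49160        10.1.1.60:135          ESTABLISHED
  TCP    [::1]:445              [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# One TCP row: protocol, local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def comm_pairs(netstat_text):
    """Map (src_ip, dst_ip) -> sorted service ports seen on one host."""
    rows = parse_tcp(netstat_text)
    # Ports this host listens on decide which side of a session is the server.
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    pairs = defaultdict(set)
    for lip, lport, rip, rport, state in rows:
        # Skip non-sessions, loopback traffic and same-host traffic.
        if state != "ESTABLISHED" or lip == rip or lip.startswith("127."):
            continue
        if lport in listening:
            pairs[(rip, lip)].add(lport)   # remote host connected in to us
        else:
            pairs[(lip, rip)].add(rport)   # we connected out to the remote
    return {pair: sorted(ports) for pair, ports in pairs.items()}
```

Run it once per Windows target and merge the results; a session seen from both ends yields the same (source, destination) key, which is a useful cross-check between hosts.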
[Communication matrices: SRC (rows) by DST (columns)]
First matrix hosts: 1, 60, 251, 254
Second matrix hosts: 1, 60, 129
Entries, in the order they appear: 445-58654; 56601-56481; 135; -502; 56602-49155
FIREWALL ANALYSIS
eth0 – INTERNET
INBOUND           OUTBOUND
Allow tcp 80      All any ip

eth1 – OFFICE
INBOUND           OUTBOUND
Allow tcp 80      All any ip

eth2 – CONTROL
INBOUND           OUTBOUND
Allow tcp 80      All any ip
Allow 10.1.1.0/24