Killing Time - SANS ICS Security Summit 2021

https://www.youtube.com/watch?v=2iV-KuGQtgU

In this talk we will look at some of the different kinds of time sources found in ICS environments (Windows Time, NTP, PTP, IRIG-B, etc.) and briefly discuss how industrial control system devices and applications like PLCs, PACs, Historians, and Alarm Systems use time. We will also discuss common network architectures that allow time sources to be accessible or time protocols like NTP to be passed through IDMZs and firewalls. In this final presentation of the day, we will walk through an attack demonstration targeting a local process through an NTP built in feature for sending a Kiss of Death packet – ultimately attacking the control system from within the control system.

• How to control NTP in OT network? Through L3 DMZ?
• Protocols
  • NTP v3 1~2ms - too slow for some OT
  • IEEE 1588 <1ms
• PLC time skew at different temperatures
• Kiss of Death (KOD) packet
  • Receive timestamp same as reference timestamp (1/1/1970)