WEBVTT 1 00:00:00.120 --> 00:00:03.680 Imagine a facility that powers your home, purifies your water, 2 00:00:04.280 --> 00:00:09.000 or manages critical infrastructure. What if it's digital defenses weren't 3 00:00:09.080 --> 00:00:10.800 quite as robust as they seem. 4 00:00:11.000 --> 00:00:12.480 Yeah, it's a pretty critical thought. 5 00:00:12.679 --> 00:00:16.079 Today we're taking a deep dive into the fascinating, definitely 6 00:00:16.199 --> 00:00:20.280 high stakes world of pen testing industrial control systems or 7 00:00:20.600 --> 00:00:24.760 icsm HM. And this isn't just about like standard IT computers. 8 00:00:24.839 --> 00:00:28.039 It's about the systems that literally make the world run. 9 00:00:28.120 --> 00:00:29.600 That's right, the physical stuff. 10 00:00:29.679 --> 00:00:32.439 Our main guide for this exploration is an Ethical Hackers 11 00:00:32.479 --> 00:00:37.039 Guide pen Testing Industrial Control Systems by Paul Smith. This book, 12 00:00:37.079 --> 00:00:41.479 it takes us on a journey through analyzing, compromising, mitigating, 13 00:00:41.799 --> 00:00:44.000 and securing these industrial processes. 14 00:00:44.079 --> 00:00:45.880 It draws on a lot of experience to in nearly 15 00:00:45.920 --> 00:00:49.359 twenty years in automation control and industrial cybersecurity. Plus we're 16 00:00:49.359 --> 00:00:52.159 pulling in insights from others like Dimitri Komenko, who has 17 00:00:52.200 --> 00:00:55.000 tons of experience in OTIS security for major companies. 18 00:00:55.039 --> 00:00:58.439 So our mission today is really to unpack the critical 19 00:00:58.479 --> 00:01:01.159 techniques ethical hackers used to test the security of these 20 00:01:01.240 --> 00:01:03.719 vital systems. We'll look at everything from setting up a 21 00:01:03.799 --> 00:01:06.439 virtual lab which is key, all the way to the 22 00:01:06.480 --> 00:01:10.040 real world implications if someone does manage a successful breach. 23 00:01:11.319 --> 00:01:13.280 We want to give you the essential nuggets you know, 24 00:01:13.359 --> 00:01:16.719 to understand this field quickly. Okay, let's unpack. 25 00:01:16.439 --> 00:01:20.400 This sounds good and it's a truly vital area because, 26 00:01:20.480 --> 00:01:23.840 like you said, these industrial control systems are the very 27 00:01:23.920 --> 00:01:27.560 backbone of our modern world, think energy grids, water utilities, 28 00:01:27.599 --> 00:01:32.400 advanced manufacturing plants right everywhere. Securing them isn't just about 29 00:01:32.480 --> 00:01:36.480 data protection in the traditional sense. It's fundamentally about ensuring 30 00:01:36.480 --> 00:01:41.519 the physical world functions safely, continuously. The stakes, frankly couldn't 31 00:01:41.560 --> 00:01:42.000 be higher. 32 00:01:42.079 --> 00:01:45.359 Absolutely, And the author Paul Smith, he actually got into 33 00:01:45.359 --> 00:01:48.200 this field by tackling what he called red herring problems. 34 00:01:48.239 --> 00:01:51.079 Oh yeah, like what well, things like weird measurement imbalances 35 00:01:51.159 --> 00:01:55.159 from flair sensor saturation or database migration mishaps that had 36 00:01:55.239 --> 00:01:56.560 unexpected knock got eifacts. 37 00:01:56.599 --> 00:01:59.680 Ah, okay, operational problems that turned out to have a cyber. 38 00:01:59.359 --> 00:02:03.280 Angle, exactly, real hands on issues that kind of nudged 39 00:02:03.359 --> 00:02:07.200 him into understanding the security side of these industrial systems. 40 00:02:07.200 --> 00:02:10.400 It really highlights how often the most critical vulnerabilities pop 41 00:02:10.479 --> 00:02:13.520 up in well, unexpected places. 42 00:02:13.639 --> 00:02:17.080 That's so true. And what's fascinating. Often the deepest vulnerabilities 43 00:02:17.159 --> 00:02:20.199 lie in areas that are completely overlooked. I often ask 44 00:02:20.280 --> 00:02:24.560 IT and OT teams this, who truly controls the virtualization 45 00:02:24.680 --> 00:02:27.680 server where your critical application lives, you know, the ESX 46 00:02:27.879 --> 00:02:29.879 host or whatever. Oh yeah, and then what is your 47 00:02:29.919 --> 00:02:33.879 total exposure if that core virtualization management system like v 48 00:02:34.039 --> 00:02:35.560 center gets compromised. 49 00:02:35.639 --> 00:02:37.319 I can imagine the looks on their faces. 50 00:02:37.439 --> 00:02:42.159 The answers are almost universally shocking, sometimes terrifying. It reveals 51 00:02:42.199 --> 00:02:47.759 these fundamental security gaps in even large, supposedly well resourced organizations. Wow, 52 00:02:47.960 --> 00:02:51.080 it's just a stark reminder of how interconnected everything is 53 00:02:51.479 --> 00:02:54.280 and how much can rely on a single, often quite 54 00:02:54.319 --> 00:02:55.400 vulnerable component. 55 00:02:55.680 --> 00:02:58.759 That is a chilling thought. So okay, given how complex 56 00:02:58.840 --> 00:03:02.000 and risky these line systems are, Yeah, what's the very 57 00:03:02.039 --> 00:03:04.560 first thing an ethical hacker does? You know, the non 58 00:03:04.560 --> 00:03:06.759 disruptive step to even start understanding them? 59 00:03:06.960 --> 00:03:10.120 Right? Well, the absolute first step is building a safe, 60 00:03:10.240 --> 00:03:13.759 contained environment. You obviously can't just start poking around critical 61 00:03:13.800 --> 00:03:16.800 infrastructure in the real world. Okay, so the book really 62 00:03:16.840 --> 00:03:20.800 emphasizes the importance of creating your own virtual lab. This 63 00:03:20.919 --> 00:03:24.080 deep dive isn't just theory it's about getting hands on experience, 64 00:03:24.199 --> 00:03:26.520 but without risking a real world incident. 65 00:03:26.719 --> 00:03:29.560 Okay, but how do you even begin to simulate something 66 00:03:29.639 --> 00:03:34.000 as complex as like an entire factory or power plant 67 00:03:34.000 --> 00:03:34.520 in a lab. 68 00:03:34.599 --> 00:03:38.560 Well, the foundation is virtualization. Using something like the VMware 69 00:03:38.919 --> 00:03:43.120 ESXi hypervisor lets you create a virtual supervisory, control and 70 00:03:43.199 --> 00:03:45.360 data acquisition environment, a SCATA. 71 00:03:45.080 --> 00:03:47.039 Environment, like a digital twin sort. 72 00:03:46.879 --> 00:03:50.159 Of kind of, yeah, a scaled down but functional digital 73 00:03:50.280 --> 00:03:53.039 version of a real system. So inside this virtual world, 74 00:03:53.120 --> 00:03:56.360 you might spin up, say a nUbuntu server to act 75 00:03:56.400 --> 00:04:00.639 as a pseudo programmable logic controller a PLC, and maybe 76 00:04:00.680 --> 00:04:04.159 also as a PSEUDOSCATA server itself. Okay, Then you'd include 77 00:04:04.159 --> 00:04:07.520 a Windows engineering workstation because that's common in real environments, 78 00:04:07.560 --> 00:04:11.240 and critically a Kali Linux attack box that's your offensive toolkit. 79 00:04:11.599 --> 00:04:14.639 And the network inside the lab it's not just one 80 00:04:14.680 --> 00:04:17.360 flat network. Is that you try to mimic a real 81 00:04:17.439 --> 00:04:19.360 industrial setup exactly right. 82 00:04:19.399 --> 00:04:22.319 The setup often follows what's called a quasi perdue model. 83 00:04:22.759 --> 00:04:26.680 It's a theoretical framework, but it's all about segmenting the 84 00:04:26.720 --> 00:04:30.279 industrial network into different layers. Layers like from the top 85 00:04:30.360 --> 00:04:33.800 level enterprise it network down through control levels right down 86 00:04:33.839 --> 00:04:35.439 to the physical process layer. 87 00:04:35.560 --> 00:04:37.360 And why is that layering so important? 88 00:04:37.639 --> 00:04:41.079 Well, it's critical because it's designed to contain breaches. The 89 00:04:41.199 --> 00:04:44.160 idea is to prevent an attack that starts in the 90 00:04:44.160 --> 00:04:47.839 IT layer from immediately jumping down and impacting the critical 91 00:04:47.879 --> 00:04:51.839 physical processes below. So the lab lets you simulate and 92 00:04:51.920 --> 00:04:54.319 test those real world security boundaries. 93 00:04:54.560 --> 00:04:56.759 That makes sense. What's really clever, though, is how you 94 00:04:56.800 --> 00:04:58.920 bridge the virtual and the physical. Even with all this 95 00:04:59.040 --> 00:05:01.560 virtualization you made, real hardware comes into play. 96 00:05:01.720 --> 00:05:06.040 Yes, absolutely. For instance, a Coyo click PLC, specifically the 97 00:05:06.079 --> 00:05:10.079 co ten Ard model is a popular choice for labs. 98 00:05:10.120 --> 00:05:11.199 Why that one, It's. 99 00:05:11.079 --> 00:05:14.519 Relatively affordable, It has an Ethernet port for network comms, 100 00:05:14.920 --> 00:05:18.680 and the engineering software is free. Crucially, it lets you 101 00:05:18.800 --> 00:05:23.439 link your virtual processes to physical io like literally turning 102 00:05:23.439 --> 00:05:25.800 a light on and off exactly, you can wire up 103 00:05:25.839 --> 00:05:29.160 a light or a small motor. It provides that tangible 104 00:05:29.199 --> 00:05:32.319 feedback and gives you a much deeper understanding of how 105 00:05:32.360 --> 00:05:35.160 these commands translate into real world actions. 106 00:05:35.480 --> 00:05:38.639 That's fascinating. But even in these setup phases just getting 107 00:05:38.680 --> 00:05:42.240 the software and hardware ready, are there overlook vulnerabilities that 108 00:05:42.279 --> 00:05:45.600 ethical hackers find even before they start any active testing. 109 00:05:45.680 --> 00:05:48.600 Oh, absolutely, take the software for that Coyo click PLC 110 00:05:48.680 --> 00:05:51.560 the installation software. Something the book points out is that 111 00:05:51.759 --> 00:05:54.879 it often doesn't provide a cryptographic hash for a verification, 112 00:05:55.040 --> 00:05:58.199 you know, like an MD five or SAHA hash to 113 00:05:58.319 --> 00:05:59.720 check if the download is legit. 114 00:06:00.000 --> 00:06:01.839 Ah, okay, so you can't be sure you got the 115 00:06:01.839 --> 00:06:03.079 real software precisely. 116 00:06:03.160 --> 00:06:05.040 And this is a crucial detail because it opens the 117 00:06:05.079 --> 00:06:09.240 door to something called a watering hole attack. Watering hole, Yeah, 118 00:06:09.279 --> 00:06:13.519 an attacker could poison that software package, maybe alter it 119 00:06:13.560 --> 00:06:16.319 to include malware, and then host it on a compromise 120 00:06:16.399 --> 00:06:19.040 website that engineers might visit to download. 121 00:06:18.680 --> 00:06:19.959 It, like a supply chain attack. 122 00:06:20.000 --> 00:06:22.279 Almost exactly like that. We saw this kind of thing 123 00:06:22.319 --> 00:06:25.680 with solar winds. Right. The potential fallout from something like 124 00:06:25.720 --> 00:06:30.279 that happening in an industrial context it could be devastatingly wide. 125 00:06:30.560 --> 00:06:33.800 That's a significant warning. So, okay, before an ethical hacker 126 00:06:33.800 --> 00:06:37.120 even touches the network properly, they need to gather intelligence. 127 00:06:37.120 --> 00:06:38.800 How do they go about that? What's the process? 128 00:06:38.959 --> 00:06:44.160 Right? That's where open source intelligence or ostent becomes absolutely invaluable. 129 00:06:44.199 --> 00:06:49.800 It's all about finding publicly available information just googling. Well, yes, 130 00:06:49.920 --> 00:06:53.759 but it's more advanced. Ethical hackers use specific search techniques 131 00:06:53.839 --> 00:06:56.800 sometimes called Google dorking or Google hackings dorking. 132 00:06:57.000 --> 00:06:57.279 Yeah. 133 00:06:57.360 --> 00:07:02.000 It involves using specific commands within search and commands like siteineural, 134 00:07:02.120 --> 00:07:05.879 dot file type to filter results and glean sensitive details 135 00:07:05.920 --> 00:07:09.040 that are out there, publicly available but often overlooked. 136 00:07:09.199 --> 00:07:11.920 So for you, the listener, the key insight here isn't 137 00:07:11.959 --> 00:07:15.079 just knowing these tools exist. It's realizing that in the 138 00:07:15.360 --> 00:07:19.720 ICs world, what's publicly available can sometimes paint an alarmingly 139 00:07:19.800 --> 00:07:24.439 complete picture of critical infrastructure vulnerabilities long before an attacker 140 00:07:24.439 --> 00:07:25.720 even needs to type a command. 141 00:07:25.920 --> 00:07:28.600 That's it. You can easily build a profile of a 142 00:07:28.639 --> 00:07:33.480 target company, figure out its industry, maybe even identify specific 143 00:07:33.720 --> 00:07:38.360 ICs vendors. It uses like finding mentions of Schweitzer Engineering 144 00:07:38.439 --> 00:07:42.439 Laboratories or SEL, which is really common in the energy sector. 145 00:07:42.120 --> 00:07:44.720 And LinkedIn too that seems more professional networking. 146 00:07:44.879 --> 00:07:48.839 Oh, LinkedIn is an incredibly powerful ocent source. Think about it, 147 00:07:48.920 --> 00:07:51.439 over seven hundred and forty million users. 148 00:07:51.639 --> 00:07:52.040 Wow. 149 00:07:52.079 --> 00:07:56.240 You can quickly uncover company size, industry specific technologies mentioned 150 00:07:56.279 --> 00:07:59.639 in job descriptions or profiles, even find key employees by 151 00:07:59.639 --> 00:08:03.360 title or keyword searching for Stata engineer or maybe a 152 00:08:03.360 --> 00:08:06.160 specific vendor like televint administrator. 153 00:08:06.279 --> 00:08:09.480 It's basically a huge searchable database of corporate. 154 00:08:09.120 --> 00:08:13.360 Insights, exactly a gold mine of publicly available information for profiling. 155 00:08:13.519 --> 00:08:17.120 But okay, beyond general web searches and looking at people's jobs, 156 00:08:17.600 --> 00:08:21.360 what about finding the actual industrial devices themselves, the ones 157 00:08:21.399 --> 00:08:25.399 that might be, you know, directly exposed to the Internet. Ah. 158 00:08:25.519 --> 00:08:28.800 Right, that's where a specialized search engine like showdow dot 159 00:08:28.839 --> 00:08:32.679 io comes in. It offers a truly unique perspective. How So, 160 00:08:33.120 --> 00:08:36.279 showed in dot io calls itself the world's first search 161 00:08:36.320 --> 00:08:41.519 engine for Internet connected devices, and it's genuinely surprising, sometimes shocking, 162 00:08:41.639 --> 00:08:44.320 what it reveals. What kind of things, Well, it's not 163 00:08:44.399 --> 00:08:48.720 uncommon to find complete operator consoles, human machine interfaces, or 164 00:08:48.759 --> 00:08:54.080 even specific industrial tech like those coocli ckplcs we mentioned, 165 00:08:54.440 --> 00:08:57.200 just freely open accessible. 166 00:08:56.679 --> 00:08:59.399 From the Internet. Seriously, just out there. Yeah. 167 00:09:00.039 --> 00:09:02.799 I actually remember one engagement where showdown dot io led 168 00:09:02.840 --> 00:09:06.720 me straight to a company's Citrix VPN portal. Okay, from there, 169 00:09:06.759 --> 00:09:08.960 it took a bit of social engineering to get some credentials, 170 00:09:09.000 --> 00:09:12.480 but within no time I'd compromised one of their domain controllers. 171 00:09:12.600 --> 00:09:15.759 The whole engagement went remarkably smoothly. Really all starting from 172 00:09:15.759 --> 00:09:17.639 that one showdown discovery. 173 00:09:17.279 --> 00:09:20.679 That's an incredible headstart for an engagement. And beyond just 174 00:09:20.720 --> 00:09:25.440 finding exposed devices, I assume ethical hackers also check known 175 00:09:25.559 --> 00:09:27.559 vulnerability databases. 176 00:09:27.080 --> 00:09:32.000 Absolutely, places like EXPLOITDB and the National Vulnerability Database or MVD. 177 00:09:32.720 --> 00:09:36.600 These list known vulnerabilities, often with proof of concept code. 178 00:09:36.799 --> 00:09:39.200 So you find a piece of tech with showdan, then 179 00:09:39.279 --> 00:09:40.879 check if there's a known way to break it. 180 00:09:41.360 --> 00:09:45.120 Pretty much. For example, you might find an older Rockwell 181 00:09:45.200 --> 00:09:50.039 Scata exploit, say from twenty eighteen, documented with its CVE number. 182 00:09:50.440 --> 00:09:53.840 It'll detail the affected versions, maybe even give simple examples 183 00:09:53.879 --> 00:09:57.000 like cross site scripting payloads. It's all about associating the 184 00:09:57.039 --> 00:10:00.440 technology you discover with known flaws before you even start 185 00:10:00.480 --> 00:10:01.240 active testing. 186 00:10:01.399 --> 00:10:04.559 Okay, so that deeper connaissance is done. The next move 187 00:10:04.600 --> 00:10:06.879 I guess is to get inside the wire, but maybe 188 00:10:06.919 --> 00:10:09.159 without making too much noise initially exactly. 189 00:10:09.159 --> 00:10:13.080 Passive network monitoring becomes absolutely critical at this stage, listening 190 00:10:13.120 --> 00:10:13.840 before you talk. 191 00:10:14.240 --> 00:10:16.679 Essentially, how do they do that without messing up the 192 00:10:16.720 --> 00:10:18.720 live operational network. That seems tricky. 193 00:10:18.960 --> 00:10:22.039 Well, you use techniques like switch court analyzers often called 194 00:10:22.080 --> 00:10:26.879 span ports, or dedicated network test access points known as. 195 00:10:26.799 --> 00:10:28.679 Teppeece span in tippiece okay. 196 00:10:29.159 --> 00:10:32.360 These tools basically duplicate the network traffic and send a 197 00:10:32.399 --> 00:10:35.559 copy to your monitoring device. The crucial part is they 198 00:10:35.639 --> 00:10:38.759 do it without impacting the performance or operations of the 199 00:10:38.799 --> 00:10:40.480 actual live network. 200 00:10:40.519 --> 00:10:41.799 And why is that so important? 201 00:10:42.000 --> 00:10:46.480 It's vital because modern intrusion detection systems IDs, especially those 202 00:10:46.559 --> 00:10:51.399 designed for OT environments from vendors like Clarity, Nozomi Networks, Dragos, 203 00:10:52.759 --> 00:10:55.720 they heavily rely on these methods. They need to passively 204 00:10:55.840 --> 00:11:00.039 absorb data from the network to build awareness and detect threats. 205 00:11:00.080 --> 00:11:02.519 In the industrial cybersecurity space, They're. 206 00:11:02.360 --> 00:11:05.559 Constantly trying to understand all the different industrial protocol exactly. 207 00:11:05.559 --> 00:11:08.519 It's a constant evolution for these IDs systems. 208 00:11:08.120 --> 00:11:10.159 And the go to tool for actually looking at all 209 00:11:10.159 --> 00:11:14.440 that capture traffic is wire shark, the network engineer's best front. 210 00:11:14.679 --> 00:11:17.879 Absolutely, wire Shark is indispensable. It lets you capture and 211 00:11:17.919 --> 00:11:21.039 analyze literally all the bits of data moving through the network. 212 00:11:21.120 --> 00:11:22.080 How deep do you have to go? 213 00:11:22.399 --> 00:11:25.559 Well, a proper packet deep dive usually starts with understanding 214 00:11:25.600 --> 00:11:33.120 the OSI models layers you know, physical data, link, network, transport, session, presentation, application, 215 00:11:33.320 --> 00:11:36.279 go whole stack, all right. Understanding those layers is key 216 00:11:36.320 --> 00:11:41.159 because in ICs attacks often exploit vulnerabilities at very specific layers, 217 00:11:41.480 --> 00:11:44.600 maybe the application layer for protocols like modbus, so that 218 00:11:44.679 --> 00:11:47.000 layer by layer analysis is indispensable. 219 00:11:47.120 --> 00:11:51.159 And once you've captured that traffic, maybe from say publicly 220 00:11:51.159 --> 00:11:56.080 available packet captures PC keys from conferences like for SICS, 221 00:11:56.440 --> 00:11:59.120 you can use wire sharks silters to find those gold nuggets. 222 00:11:59.159 --> 00:12:01.679 Right, Oh, definitely Daine filtering the traffic and just finding 223 00:12:01.720 --> 00:12:04.559 admin dot admin or root dot root credentials sitting there 224 00:12:04.559 --> 00:12:07.799 in plaintext within HTTP basic authentication. 225 00:12:07.440 --> 00:12:09.759 Wow, easily decoded from bas sicxty. 226 00:12:09.440 --> 00:12:12.960 Four trivial, or maybe identifying an AKSIS network camera, finding 227 00:12:13.000 --> 00:12:15.919 its exact model and firmware version because it's advertising itself 228 00:12:16.000 --> 00:12:18.360 via FTP. Then you just take that info, cross reference 229 00:12:18.399 --> 00:12:19.759 it with EXPLOITDB, and. 230 00:12:19.759 --> 00:12:22.159 Bam you might have a known vulnerability ready to go. 231 00:12:22.600 --> 00:12:26.440 Exactly. It really demonstrates how surprisingly easy it can be 232 00:12:26.559 --> 00:12:29.440 to get critical information in a very short time just 233 00:12:29.480 --> 00:12:31.840 by passively listening to the network traffic. 234 00:12:32.200 --> 00:12:35.720 So that passive approach often yields a lot before you 235 00:12:35.799 --> 00:12:37.200 even need to actively. 236 00:12:36.799 --> 00:12:41.279 Interact significant results. Yeah, before any active scanning or interaction 237 00:12:41.440 --> 00:12:42.399 is even necessary. 238 00:12:42.519 --> 00:12:45.480 Okay, So once you've listened, you've done the recon, you 239 00:12:45.559 --> 00:12:48.039 kind of know what you're looking for. Then you're ready 240 00:12:48.080 --> 00:12:51.080 to start interacting with the industrial gear through active scanning. 241 00:12:51.279 --> 00:12:53.919 Right now, you start actively probing, but carefully. 242 00:12:54.039 --> 00:12:55.559 What tools are essential here? 243 00:12:55.720 --> 00:13:01.039 Well, NMP is foundational, still a cornerstone for port scannings, fingerprinting, 244 00:13:01.240 --> 00:13:05.639 identifying applications, and importantly, it has custom scripts specifically for 245 00:13:05.879 --> 00:13:08.919 ICs protocols that extend its capabilities significantly. 246 00:13:09.159 --> 00:13:10.559 Okay, MP's the classic. 247 00:13:10.600 --> 00:13:13.559 Any newer tools, Yeah, then you have newer, much faster 248 00:13:13.639 --> 00:13:16.519 tools like rust scan. It's often lauded for its speed, 249 00:13:16.559 --> 00:13:19.799 claims it can scan all sixty five thousand TCP ports 250 00:13:19.840 --> 00:13:21.120 in something like three seconds. 251 00:13:21.159 --> 00:13:25.759 Three seconds. That's incredibly fast. But does that speed come 252 00:13:25.799 --> 00:13:29.840 with a tradeoff, especially in these sensitive industrial environments. 253 00:13:29.879 --> 00:13:32.519 That is the critical question. Yes, there's a huge trade off. 254 00:13:32.840 --> 00:13:35.559 Rust scan speed generates a lot of network noise, and 255 00:13:35.600 --> 00:13:38.240 in my own experience, it can most certainly knock over 256 00:13:38.480 --> 00:13:43.559 sensitive legacy devices, old PLCs controllers, they just weren't designed 257 00:13:43.559 --> 00:13:44.919 for that kind of aggressive scanning. 258 00:13:45.159 --> 00:13:48.200 So a real world cautionary tale absolutely. 259 00:13:48.240 --> 00:13:51.000 In ICs pen testing, you have to be incredibly careful, 260 00:13:51.120 --> 00:13:54.200 much more so than standard IT PEN testing. You cannot 261 00:13:54.279 --> 00:13:58.879 inadvertently shut down production. IT demands this unique safety first mindset. 262 00:13:59.000 --> 00:14:01.799 Right makes sense. Now, what about web interfaces. Lots of 263 00:14:01.840 --> 00:14:05.559 SCATA systems have web front ends now like Ignition Scata yep. 264 00:14:05.639 --> 00:14:09.240 For those you'd use tools like gobuster or Fareroxbuster. They're 265 00:14:09.279 --> 00:14:13.320 designed for web enumeration and directory brute forcing trying to 266 00:14:13.320 --> 00:14:15.120 find hidden pages or directories. 267 00:14:15.399 --> 00:14:17.879 And I guess the wordless you use are crucial. 268 00:14:17.600 --> 00:14:20.559 Are absolutely critical. I always stress this. You are only 269 00:14:20.559 --> 00:14:23.679 as good as your word list, especially for finding industrial 270 00:14:23.720 --> 00:14:27.559 specific paths that standard weblists might miss, things like status can, 271 00:14:27.600 --> 00:14:31.159 fig reports, alarms. Finding those hidden resources can be key. 272 00:14:31.320 --> 00:14:34.720 Okay, tools aside, What's really crucial you mentioned earlier is 273 00:14:34.799 --> 00:14:36.399 speaking in the language of ICs. 274 00:14:36.559 --> 00:14:36.879 Yeah. 275 00:14:36.960 --> 00:14:39.159 Understanding the actual industrial protocols. 276 00:14:39.240 --> 00:14:42.279 Yes, this is non negotiable for any ethical hacker in 277 00:14:42.279 --> 00:14:45.600 this space. You have to understand how these devices talk 278 00:14:45.639 --> 00:14:49.720 to each other. Modbus, for example, is ubiquitous. It's relatively simple. 279 00:14:49.879 --> 00:14:53.320 Uses function codes over TCP port five oh two to 280 00:14:53.440 --> 00:14:56.320 read or write data to devices. 281 00:14:55.919 --> 00:14:57.000 Like function code five. 282 00:14:57.200 --> 00:14:59.720 Right, function code five rights to a single one bit 283 00:15:00.559 --> 00:15:03.000 think of it like flipping a digital light switch, read 284 00:15:03.000 --> 00:15:06.159 coil status as function code one, read holding registers is three, 285 00:15:06.279 --> 00:15:08.720 and so on. Simple but powerful. 286 00:15:08.879 --> 00:15:11.360 And then there's ethernet T more common in North. 287 00:15:11.200 --> 00:15:14.279 America, that's right widely adopted here. It's powered by the 288 00:15:14.320 --> 00:15:17.759 Common Industrial Protocol or CIP. A key part of it 289 00:15:17.840 --> 00:15:19.279 is the identity object. 290 00:15:19.360 --> 00:15:19.879 What's in that. 291 00:15:20.080 --> 00:15:24.039 It contains crucial device information, vendor ID, product board serial number, 292 00:15:24.080 --> 00:15:26.879 even the product name like maybe seventeen fifty six L 293 00:15:27.000 --> 00:15:30.399 five to five a ogi x five five five five 294 00:15:30.440 --> 00:15:33.159 for a rock Well controller. It's like the device's digital 295 00:15:33.240 --> 00:15:33.720 name plate. 296 00:15:33.840 --> 00:15:36.519 And you can actually interact with these directly, like send commands. 297 00:15:36.799 --> 00:15:39.960 Oh yeah, you can learn how simple scripting commands, maybe 298 00:15:40.080 --> 00:15:43.480 using Python libraries can directly interact with say that code 299 00:15:43.480 --> 00:15:47.039 click plc we talked about. Yeah, you can energize specific. 300 00:15:46.519 --> 00:15:49.000 Coils, turning the lights on and off from your script. 301 00:15:48.720 --> 00:15:52.759 Exactly turn physical outputs on and all off. But this 302 00:15:52.840 --> 00:15:56.600 leads us straight to a critical warning, the absolute importance 303 00:15:56.600 --> 00:16:02.399 of having clear, well defined rules of engagement, because you 304 00:16:02.480 --> 00:16:05.879 must never, and I really mean never, just randomly push 305 00:16:06.000 --> 00:16:10.039 data to coils or registers unless you are explicitly authorized 306 00:16:10.080 --> 00:16:11.200 and know exactly what you're doing. 307 00:16:11.279 --> 00:16:11.840 What could happen. 308 00:16:11.919 --> 00:16:15.600 You could easily inadvertently shut down production lines, maybe entire 309 00:16:15.679 --> 00:16:18.519 process trains, and this could have the adverse effect of 310 00:16:18.559 --> 00:16:21.759 creating a massive loss of revenue for your customer, or worse, 311 00:16:21.919 --> 00:16:25.559 create an unsafe condition. The physical impact is immediate and 312 00:16:25.600 --> 00:16:26.440 can be severe. 313 00:16:26.960 --> 00:16:29.639 That's a very stark reminder of the responsibility involved here, 314 00:16:30.039 --> 00:16:34.039 huge physical and financial impact potential. Okay, shifting gear slightly. 315 00:16:34.440 --> 00:16:38.360 Modern ICs environments, they're rarely totally isolated anymore, are they? 316 00:16:38.559 --> 00:16:38.720 No? 317 00:16:38.799 --> 00:16:38.879 Not. 318 00:16:39.039 --> 00:16:42.320 Usually they often connect to the corporate IT networks. This 319 00:16:42.440 --> 00:16:45.320 creates what we call a converged network. 320 00:16:45.039 --> 00:16:48.200 And that opens up entirely new attack vectors right from 321 00:16:48.200 --> 00:16:50.360 the IT side into the OT side. 322 00:16:50.440 --> 00:16:54.279 Precisely, so, to simulate this realistically in the lab, the 323 00:16:54.279 --> 00:16:57.519 book shows how you'd add elements like Windows twenty nineteen, 324 00:16:57.600 --> 00:17:02.200 domain controller running active directory DNS DHCP, and maybe a 325 00:17:02.240 --> 00:17:05.799 standard Windows ten workstation, just like you'd find in a 326 00:17:05.799 --> 00:17:06.720 corporate environment. 327 00:17:06.960 --> 00:17:09.440 So now the attacker might try to compromise the corporate 328 00:17:09.480 --> 00:17:10.079 side first. 329 00:17:10.240 --> 00:17:13.680 Often, yes, once an ethical hacker gets a foothold in 330 00:17:13.720 --> 00:17:17.640 that corporate network, active directory attacks become a primary focus. 331 00:17:18.200 --> 00:17:20.759 There's a whole suite of tools and techniques. 332 00:17:20.519 --> 00:17:21.319 Like what well. 333 00:17:21.519 --> 00:17:24.960 Tools like curb root can enumerate valid ad user names 334 00:17:25.000 --> 00:17:28.799 by sending curbero's requests. Then there are kerber roasting attacks. 335 00:17:29.039 --> 00:17:30.359 Kerber roasting. Yeah. 336 00:17:30.400 --> 00:17:33.680 An attacker, even with just a regular low privileged user account, 337 00:17:33.799 --> 00:17:37.240 can request service tickets for accounts associated with service principal 338 00:17:37.279 --> 00:17:40.319 names SPNs. The ticket they get back contains a hash 339 00:17:40.359 --> 00:17:41.680 of the service account's. 340 00:17:41.319 --> 00:17:43.160 Password, which they can then try to crack. 341 00:17:42.960 --> 00:17:46.480 Offline exactly, maybe revealing the password for an account like 342 00:17:46.480 --> 00:17:47.279 operator three. 343 00:17:47.599 --> 00:17:50.279 And what about NTLM hashes? Are those still relevant? 344 00:17:50.359 --> 00:17:54.920 Oh? Definitely. Tools like Responder are brilliant at capturing NTLM hashes. 345 00:17:55.279 --> 00:17:58.640 They work by poisoning local network name resolution services things 346 00:17:58.680 --> 00:18:04.480 like LLM and r NBTNS sometimes DNSM DNS. When a 347 00:18:04.519 --> 00:18:07.440 machine tries to connect to a non existent share, Responder 348 00:18:07.559 --> 00:18:08.920 tricks it into sending. 349 00:18:08.599 --> 00:18:10.559 Its hash and you can crack those two. 350 00:18:10.559 --> 00:18:14.119 Yes, often leading to cracked credentials like say Operator one 351 00:18:14.119 --> 00:18:17.359 dot password one. Once you have valid credentials, getting a 352 00:18:17.359 --> 00:18:20.160 foothold or getting shells is the next objective. 353 00:18:20.200 --> 00:18:21.039 HOTI get shells. 354 00:18:21.119 --> 00:18:24.359 Tools like evil WinRM are great for getting interactive command 355 00:18:24.359 --> 00:18:28.759 shells over Windows Remote management and PowerShell payloads are super 356 00:18:28.759 --> 00:18:32.480 common for delivering reverse shells where the compromise machine connects 357 00:18:32.480 --> 00:18:35.359 back out to the attacker's listening machine gives you control. Right, 358 00:18:35.720 --> 00:18:37.799 And here's a bit of practical wisdom from the field. 359 00:18:38.079 --> 00:18:40.640 Two is one and one is none, meaning if you 360 00:18:40.680 --> 00:18:43.440 only have one shell one way into a system, you 361 00:18:43.440 --> 00:18:46.240 don't really have reliable access. What if it drops? You 362 00:18:46.279 --> 00:18:49.000 always need a backup plan, a second shell or method 363 00:18:49.039 --> 00:18:52.319 in case your primary session gets lost or detected and severed. 364 00:18:52.599 --> 00:18:55.440 Okay, smart, So after getting that initial shell, the goal 365 00:18:55.480 --> 00:18:57.720 becomes privileged escalation right, moving. 366 00:18:57.599 --> 00:19:00.599 Up the ladder exactly, moving from that less privileged account 367 00:19:00.599 --> 00:19:03.960 like Operator one up to maybe a local system administrator 368 00:19:04.440 --> 00:19:07.079 or the ultimate goal, domain administrator. 369 00:19:07.240 --> 00:19:08.680 What tools help there? I've heard of. 370 00:19:08.680 --> 00:19:13.720 Mimicats, ah, mimicats. It's a legendary tool, primarily famous for 371 00:19:13.759 --> 00:19:17.880 its ability to dump credentials, passwords, hashes, Carberos tickets directly 372 00:19:17.920 --> 00:19:21.119 from memory on a compromised Windows system. So you might 373 00:19:21.200 --> 00:19:25.000 run it as Operator one and find higher privileged credentials. 374 00:19:24.720 --> 00:19:26.920 And you can use those dumped Carberos tickets. 375 00:19:27.079 --> 00:19:31.480 Yes for pass the ticket or PTT attacks. You basically 376 00:19:31.519 --> 00:19:34.519 inject a captured ticket into your current session to impersonate 377 00:19:34.519 --> 00:19:37.880 another user, maybe an administrator. This can sometimes lead to 378 00:19:37.920 --> 00:19:42.880 achieving a golden ticket, the master key. Essentially, Yeah, a 379 00:19:42.960 --> 00:19:47.640 forged Carbrero's ticket granting ticket that gives you domain admin persistence, 380 00:19:47.759 --> 00:19:50.920 letting you create tickets for almost any user or service. 381 00:19:51.279 --> 00:19:54.079 It's like having the master key to the entire active 382 00:19:54.119 --> 00:19:54.880 directory domain. 383 00:19:55.119 --> 00:19:58.799 Wow. Any tools to help find these escalation paths? Yeah? 384 00:19:58.960 --> 00:20:02.160 Tools led windps are great. They automate the discovery process, 385 00:20:02.680 --> 00:20:07.720 scanning the system for common misconfigurations, vulnerable services, stored credentials, 386 00:20:08.440 --> 00:20:11.160 anything that could lead to higher privileges on Windows. 387 00:20:11.279 --> 00:20:14.200 Okay, so you've got Domaine admin maybe on the IT side, 388 00:20:14.279 --> 00:20:16.559 but the real prize is the OT network. How do 389 00:20:16.599 --> 00:20:19.920 you get from IT to OT? Especially if there are firewalls? 390 00:20:20.000 --> 00:20:23.319 Right, that's the next major hurdle pivoting through firewalls. You 391 00:20:23.359 --> 00:20:26.319 need to bridge the gap techniques like using proxy chains 392 00:20:26.319 --> 00:20:29.880 to tunnel traffic, standard SSH tunneling if SSH is available, 393 00:20:30.160 --> 00:20:31.160 or tools like Chisel. 394 00:20:31.319 --> 00:20:31.680 Chisel. 395 00:20:31.839 --> 00:20:33.759 Yeah, Chisel is a fantastic tool. It works as a 396 00:20:33.799 --> 00:20:37.279 TCPUUDP tunnel, often used to set up a reverse sec 397 00:20:37.359 --> 00:20:40.920 case proxy, the compromise machine inside connects out to the attacker, 398 00:20:41.000 --> 00:20:44.400 creating a tunnel back in effectively bypassing firewall rules that 399 00:20:44.480 --> 00:20:45.960 might block inbound connections. 400 00:20:46.279 --> 00:20:50.039 And sometimes finding SSH open can be a surprise for 401 00:20:50.119 --> 00:20:50.720 the defenders. 402 00:20:51.119 --> 00:20:55.839 Definitely. I've had stories, real anecdotes where security managers were 403 00:20:55.960 --> 00:20:59.319 genuinely shocked to discover SSH was active and enabled, even 404 00:20:59.359 --> 00:21:04.079 on servers and they're supposedly pure Windows based environments. Finding 405 00:21:04.119 --> 00:21:08.200 that allows attackers to establish tunnels that completely bypass network 406 00:21:08.240 --> 00:21:11.160 segmentation and get deep into the industrial network. 407 00:21:11.279 --> 00:21:14.319 So that brings us to a common weakness credential reuse. 408 00:21:14.400 --> 00:21:18.680 Oh, it's a massive pitfall. Many organizations suffer from widespread 409 00:21:18.720 --> 00:21:22.440 credential reuse across both IT and OT systems. If you 410 00:21:22.519 --> 00:21:26.160 find credentials on a domain connected system on the IT side. 411 00:21:26.039 --> 00:21:27.960 There's a good chance they work on the OT side too. 412 00:21:27.880 --> 00:21:28.920 A very high likelihood. 413 00:21:29.000 --> 00:21:29.240 Yes. 414 00:21:29.559 --> 00:21:32.119 I worked in engagement once where a domain service account, 415 00:21:32.200 --> 00:21:34.519 which should have been disabled after setting up some new computers, 416 00:21:34.640 --> 00:21:37.759 was actually still active and had privileges across many machines, 417 00:21:37.799 --> 00:21:39.599 including some in the OT zone. 418 00:21:39.720 --> 00:21:40.480 What did that give you? 419 00:21:40.839 --> 00:21:44.319 It granted access to analyze basically every user and machine 420 00:21:44.359 --> 00:21:47.839 in the domain, and ultimately that path led directly to 421 00:21:47.960 --> 00:21:52.240 controlling a distributed control system a DCS. It just highlights 422 00:21:52.240 --> 00:21:55.920 how one single point of failure in credential management can 423 00:21:56.039 --> 00:21:57.559 cascade catastrophically. 424 00:21:57.680 --> 00:22:00.519 That's the ultimate goal, right, getting access to those SCAT user. 425 00:22:00.359 --> 00:22:05.039 Interface often, yes, leveraging those compromise credentials, maybe that operator 426 00:22:05.039 --> 00:22:07.400 one dot password one we found earlier, to log straight 427 00:22:07.440 --> 00:22:10.440 into the ignition SCATA, UI or whatever hm I they're using. 428 00:22:10.519 --> 00:22:14.400 And once you're in, once inside, documentation is crucial. You 429 00:22:14.440 --> 00:22:18.200 need to figure out exactly what processes the SCATA system controls, 430 00:22:18.440 --> 00:22:22.079 what are its network connections, what specific equipment doesn't manage? 431 00:22:22.279 --> 00:22:24.759 Build that complete situational awareness. 432 00:22:25.000 --> 00:22:26.960 But that warning again, yes. 433 00:22:26.839 --> 00:22:29.400 Absolutely have to reiterate it. Just because you can gain 434 00:22:29.440 --> 00:22:31.880 this level of access, maybe see the controls to shut 435 00:22:31.920 --> 00:22:34.480 down a process does not mean you should ever implement 436 00:22:34.559 --> 00:22:38.400 or change anything without explicit written permission in the ROE, 437 00:22:39.200 --> 00:22:42.480 these types of unauthorized actions can absolutely land you in 438 00:22:42.519 --> 00:22:45.359 prison or worse cause a real world disaster. 439 00:22:45.680 --> 00:22:48.759 Understood, It's not just UI access though, right, can you 440 00:22:48.799 --> 00:22:50.559 get deeper like script access? 441 00:22:50.720 --> 00:22:54.880 Definitely? Sometimes you find misconfigured services like an FTP server, 442 00:22:55.000 --> 00:22:58.119 maybe running on the SCATA machine itself. Perhaps it allows 443 00:22:58.160 --> 00:23:01.440 anonymous access, or maybe the credential you found work and 444 00:23:01.480 --> 00:23:03.640 it has right permissions to the web directory. 445 00:23:04.000 --> 00:23:06.240 Ah, so you could upload a webshell exactly. 446 00:23:06.319 --> 00:23:09.480 You could upload a simple PHP webshell. Then you set 447 00:23:09.519 --> 00:23:12.200 up a netcat listener back on your Collie Lenox attack 448 00:23:12.279 --> 00:23:15.079 box brows to the webshell you uploaded. 449 00:23:14.759 --> 00:23:16.160 And it connects back BINGO. 450 00:23:16.559 --> 00:23:19.839 It triggers the shell, providing a full reverse command shell 451 00:23:19.920 --> 00:23:23.039 back to your listener. Now you likely have OS level 452 00:23:23.079 --> 00:23:27.240 access on the SCATA server itself, potentially granting full access 453 00:23:27.240 --> 00:23:29.880 to the network from top to bottom, depending on its connectivity. 454 00:23:29.960 --> 00:23:33.160 Okay, so the PENTIS phase is done. You've potentially gained 455 00:23:33.200 --> 00:23:36.799 significant access. What's the critical final step? How do you 456 00:23:36.839 --> 00:23:37.559 close the loop? 457 00:23:37.759 --> 00:23:41.319 The final step is the comprehensive report and providing actionable 458 00:23:41.359 --> 00:23:45.400 mitigation recommendations. The PENTIS report is really the core deliverable. 459 00:23:45.519 --> 00:23:46.440 What goes into it. 460 00:23:46.440 --> 00:23:50.119 It needs to clearly communicate where the security gaps are 461 00:23:50.319 --> 00:23:53.240 and how you leverage them to gain access. It's usually 462 00:23:53.279 --> 00:23:56.960 a structured document covering the attack vectors used, the likelihood 463 00:23:57.000 --> 00:24:00.480 and impact of the findings, the complexity and any existing 464 00:24:00.480 --> 00:24:03.400 security controls that failed or were bypassed. 465 00:24:02.839 --> 00:24:05.039 And tying it back to business impact is key. 466 00:24:05.000 --> 00:24:08.839 Right, Absolutely, The impact analysis has to tie everything together, 467 00:24:09.000 --> 00:24:13.119 the lateral movement, the privileged escalation back to tangible business risk. 468 00:24:13.480 --> 00:24:16.200 For instance, demonstrating that you could gain access to the 469 00:24:16.240 --> 00:24:20.480 scata UI and realistically lock every user out and shut 470 00:24:20.519 --> 00:24:23.880 down the entire system. That's a critical finding any organization 471 00:24:23.960 --> 00:24:25.640 needs to take extremely seriously. 472 00:24:26.000 --> 00:24:27.680 You mentioned physical impact earlier. 473 00:24:28.079 --> 00:24:30.640 Any examples, Yeah, I recall a story happened in the 474 00:24:30.680 --> 00:24:33.920 northern part of Canada. An engineering team apparently switched the 475 00:24:33.920 --> 00:24:38.799 configurations on two critical controllers by mistake, a simple human error. 476 00:24:39.079 --> 00:24:41.480 It led to a large compressor blowing its seals and 477 00:24:41.519 --> 00:24:46.079 a vital pump cavitating, basically destroying itself millions of dollars 478 00:24:46.119 --> 00:24:50.039 in damage and loss production from a simple control configuration mistake. 479 00:24:50.559 --> 00:24:54.559 It just vividly underscores the immense physical and financial consequences 480 00:24:54.599 --> 00:24:58.240 of messing with control level settings, whether intentionally or accidentally. 481 00:24:58.359 --> 00:25:03.680 That's terrifying. How can defenders the blue teams better understand 482 00:25:03.759 --> 00:25:04.759 these kinds of attacks? 483 00:25:05.000 --> 00:25:09.480 The AIRIATT and CK framework, especially the one for ICs, 484 00:25:09.559 --> 00:25:13.440 is invaluable here. It provides a really great visual representation 485 00:25:13.519 --> 00:25:17.319 of adversarial tactics, techniques and procedures or TTPs. 486 00:25:17.519 --> 00:25:18.119 How does it help? 487 00:25:18.400 --> 00:25:21.720 It helps blue teams understand the specific methods attackers use, 488 00:25:21.839 --> 00:25:25.519 like using valid accounts for lateral movement or exploiting remote services. 489 00:25:25.960 --> 00:25:29.240 And importantly, it links these techniques to potential mitigations and 490 00:25:29.319 --> 00:25:32.400 detection strategies. It gives them a structured way to think 491 00:25:32.400 --> 00:25:33.119 about defense. 492 00:25:33.599 --> 00:25:37.000 And finally, what about actual technological defenses? What should companies 493 00:25:37.039 --> 00:25:37.799 be putting in place? 494 00:25:38.160 --> 00:25:41.680 Well, industrial firewalls are a key component products like the 495 00:25:41.720 --> 00:25:44.960 Cisco ISA three thousand for example. They often integrate with 496 00:25:45.039 --> 00:25:49.720 broader security ecosystems like Cisco ISIC or Cybervision. What they 497 00:25:49.720 --> 00:25:53.160 do They can enforce segmentation, control traffic flow based on 498 00:25:53.160 --> 00:25:57.559 industrial protocols, and sometimes even automatically quarantine new or suspicious 499 00:25:57.559 --> 00:26:01.400 devices found on the network or push specific security policies 500 00:26:01.480 --> 00:26:05.400 using security group tags or sgts. This can cause immense 501 00:26:05.400 --> 00:26:08.640 frustration for pentesters who suddenly find their access roots blocked 502 00:26:08.680 --> 00:26:09.880 mid engagement. 503 00:26:09.559 --> 00:26:12.599 And intrusion detection systems the IDs we mentioned earlier. 504 00:26:12.680 --> 00:26:16.599 Yes, companies like Drago's Clarity and Nozomi Networks are leaders 505 00:26:16.640 --> 00:26:20.599 in the OTIDS space. They deploy sensors often connected via 506 00:26:20.640 --> 00:26:24.319 those SPAN ports or T texts, specifically designed to understand 507 00:26:24.359 --> 00:26:26.960 industrial protocols and baseline normal behavior. 508 00:26:27.000 --> 00:26:27.759 What did they detect? 509 00:26:27.839 --> 00:26:31.519 They look for anomalies new MS or IP addresses, appearing 510 00:26:31.799 --> 00:26:37.160 unusual protocol usage, unexpected communication paths between zones, connections to 511 00:26:37.279 --> 00:26:41.000 known malicious ips. If a company lacks ot specific IDs, 512 00:26:41.039 --> 00:26:43.839 it's almost always a top recommendation and appentest report. 513 00:26:44.200 --> 00:26:46.680 It sounds like a constant arms race for the vendors 514 00:26:46.720 --> 00:26:47.799 to keep up with protocols. 515 00:26:47.880 --> 00:26:51.480 It really is an ongoing arms race for protocol dissectors 516 00:26:51.559 --> 00:26:55.839 to understand and protect against threats targeting every possible industrial 517 00:26:55.839 --> 00:26:56.839 communication method. 518 00:26:57.000 --> 00:27:00.920 Wow, what a journey we've really ventured through the intricate 519 00:27:00.960 --> 00:27:04.759 world of pen testing industrial control system They covered a lot, yeah, 520 00:27:04.759 --> 00:27:08.920 from those foundational lab setups and passive reconnaissance all the 521 00:27:08.960 --> 00:27:13.440 way through active exploitation, privileged escalation and navigating that delicate 522 00:27:13.559 --> 00:27:17.720 ITOT convergence. We've seen our curiosity, when it's combined with 523 00:27:17.720 --> 00:27:22.440 specific tools and techniques, can uncover really critical vulnerabilities in 524 00:27:22.480 --> 00:27:24.960 the systems that manage our most essential services. 525 00:27:25.400 --> 00:27:27.720 And I think this deep dive has hopefully shown you, 526 00:27:27.920 --> 00:27:31.759 the listener, that securing these environments really demands a unique 527 00:27:31.799 --> 00:27:35.640 blend of skills. It's it knowledge, but it's also deep 528 00:27:35.759 --> 00:27:38.319 operational technology understanding. 529 00:27:37.960 --> 00:27:39.400 Not just one or the other exactly. 530 00:27:39.480 --> 00:27:42.440 It's an ongoing challenge, maybe even an arms race that 531 00:27:42.640 --> 00:27:46.480 requires continuous learning and crucially, a deep appreciation for the 532 00:27:46.480 --> 00:27:49.759 potential physical impact of purely digital actions. 533 00:27:50.160 --> 00:27:54.119 Right, hopefully you now have a much more comprehensive understanding 534 00:27:54.599 --> 00:27:58.279 of the ethical hacker's mindset when they approach this high 535 00:27:58.359 --> 00:27:59.119 stakes domain. 536 00:27:59.319 --> 00:27:59.920 That's the goal. 537 00:28:00.400 --> 00:28:02.400 So what does this all mean for you? There's a 538 00:28:02.440 --> 00:28:04.839 quote from Walt Disney. He once said, there's really no 539 00:28:04.960 --> 00:28:08.119 secret about our approach. We keep moving forward, opening up 540 00:28:08.160 --> 00:28:11.279 new doors and doing new things because we're curious, and 541 00:28:11.359 --> 00:28:15.279 curiosity keeps leading us down new paths. We're always exploring 542 00:28:15.279 --> 00:28:16.119 and experimenting. 543 00:28:16.160 --> 00:28:17.680 I like that curiosity. 544 00:28:17.880 --> 00:28:21.480 In a world that's increasingly reliant on these connected industrial systems, 545 00:28:21.920 --> 00:28:25.039 how will your curiosity lead you to explore and maybe 546 00:28:25.079 --> 00:28:28.799 help secure the hidden paths of our critical infrastructure.