Transcript
Introduction to Bolt Cybersecurity Testing
Today, we’re going to be testing the security functionality of the BOLT. The BOLT is a complex power cord recorder with a lot of communications capability: WiFi, Bluetooth, USB. There’s a lot going on networking-wise in the BOLT, and we’re going to enlist the help of a consulting company that specializes in security testing to help guarantee the secure nature of the BOLT.
These requirements flow from NERC CIP requirements, and so we want to make sure it is secure in a utility environment. We have Darren Manners, who will be conducting the tests for us.
Meet the Penetration Tester
So my name’s Darren Manners. I head up the offensive security operations at Intervision. My background is that I’m an ex-chief petty officer in the Royal Navy, a communications technician, or what you guys call a cryptographic technician.
I’m a SANS Cyber Guardian, SANS GSC, OSC, PCIC, CCIE Security, CISSP, CISA. I’ve got a ton of certifications; let’s just say I enjoy what I do. I’m also the founder of Red Spy 365. My job is to penetrate security on devices or any kind of application.
Enumeration and Reconnaissance Phase
We start off with enumeration and reconnaissance. We go from the enumeration and reconnaissance phase into the exploitation phase. So let’s see what we can find on this device.
Firstly, I’m going to be doing enumeration and reconnaissance, trying to understand what ports, services, and protocols there are, and also what traffic we see going back and forth to the product. Once we understand that, then obviously we’re going to start to move into the exploitation phase of what we do.
I’m always pleased to see that companies use penetration testers, being one myself. But that being said, it’s even better when we see that they call us out constantly to test their products over and over again.
Moving Into Exploitation Testing
So what we’re doing now is moving from the initial port scans and host scans, and understanding the risks associated with those ports. Now we’ve moved into the wider side of things, so we’re now on the inside of the network. We’ve identified that there’s a web host on there, and we’re starting to work on and test web application scans, running probably lots and lots of testing against that web application to ensure that there are no vulnerabilities there.
Any vulnerabilities we see right now pretty much start to look like hygiene: hygiene versus a significant event. I don’t see a significant event.
Then once we’ve done that enumeration and reconnaissance and found the vulnerabilities, we’ll start to look at, okay, what can we prise out of that? We’ll also take those vulnerabilities and look at threat intelligence to understand if anybody else is doing, or what other people are doing, with this.
But we can also start to understand, okay, let’s take a look at the unusual one we saw, which was our own protocol. Is there anything we can do with that protocol to update it, change it, exfiltrate it, compromise it? Anything we can do with protocols. With that being said, right now I’m not really seeing a great deal. So I’m quite happy with what I see so far.
USB and Logic Flaw Testing
So, I conducted a USB test, and I was really looking for logic flaws in the product’s system. I didn’t see anything. I also intercepted the traffic over USB. I didn’t see anything there either.
But of course, it’s all about the protocol: understanding the protocol and trying to extract anything I can from that, as well as looking at the logic flaws within the system itself. Everything tested fine, so that looked good.
Summary of All Tests
So we tested the WiFi capability, we tested the USB, and we tested the applications. We actually tested connecting up to the device and attacking it, not just over the external WiFi, but over the internal device WiFi itself.
We’ve done that enumeration and reconnaissance. We saw some ports open that were meant to be open. There was nothing unusual there. We also started to attack those ports and test those ports to see what else we could find. When we started to attack on the inside of the application, we didn’t see anything there. I mean, there were one or two minor pickups, but again, nothing that I would consider a significant event.
Conclusion
So we’ve completed the testing, and Darren has shown that the BOLT is secure in a utility environment. It will meet the NERC CIP security requirements and will function correctly on the utility network.