|
| 1 | +# OT Security Lab: UIUC CS 460 / ECE 419 - Security Laboratory |
| 2 | + |
| 3 | +Welcome to the second OT Security Lab for UIUC course CS 460 / EC419 - Security |
| 4 | +Laboratory in December 2024. |
| 5 | + |
| 6 | +This lab has three separate modules, each building on the previous one, in |
| 7 | +separate branches. Modules 1 and 2 rely on wind farm controller infrastructure |
| 8 | +containers present in this branch to be deployed and connected to the Tailscale |
| 9 | +Tailnet used for this lab. Instructions for deploying the wind farm controller |
| 10 | +infrastructure follow the Tailscale setup instructions below. |
| 11 | + |
| 12 | +## Tailscale Setup |
| 13 | + |
| 14 | +The lab leader must set up the Tailscale infrastructure for lab participants to |
| 15 | +join the wind farm. Access the [Tailscale |
| 16 | +administration](https://login.tailscale.com/admin/) interface via a browser. |
| 17 | + |
| 18 | +### Access Control: Edit tagOwners |
| 19 | + |
| 20 | +The Tailscale authentication keys that will be used by lab participants will |
| 21 | +include tags to support lab activities. In order to associate tags with |
| 22 | +authentication keys, edit the access controls policy file by browsing to the |
| 23 | +[Access controls] (https://login.tailscale.com/admin/acls/file) tab and then |
| 24 | +clicking `Edit file`. |
| 25 | + |
| 26 | +<p align="center"> |
| 27 | + <img src="images/06-edit_ac-file.png" /> |
| 28 | +</p> |
| 29 | + |
| 30 | +Under the `"tagOwners"` key, add the following (see lines 8-12): |
| 31 | + |
| 32 | +``` |
| 33 | +"tagOwners": { |
| 34 | + "tag:wind-farm": ["autogroup:admin"], |
| 35 | + "tag:wind-farm-turbine": ["autogroup:admin"], |
| 36 | + "tag:wind-farm-ctlr": ["autogroup:admin"], |
| 37 | +}, |
| 38 | +``` |
| 39 | + |
| 40 | +### Generate Authentication Keys |
| 41 | + |
| 42 | +Click the `Settings` tab and access the |
| 43 | +[Keys](https://login.tailscale.com/admin/settings/keys) on the left menu. |
| 44 | + |
| 45 | +<p align="center"> |
| 46 | + <img src="images/01-manage_keys.png" /> |
| 47 | +</p> |
| 48 | + |
| 49 | +Your browser window should look like the above image. |
| 50 | + |
| 51 | +Generate authentication keys for the Wind Farm Controller and Wind Turbine(s) by |
| 52 | +clicking the `Generate auth key…` button. Create two keys matching the provided |
| 53 | +images. Note the unique Description and Tags for each key. |
| 54 | + |
| 55 | +> [!WARNING] |
| 56 | +> Copy each key generated and store for later use in the Gitpod URLs. |
| 57 | +
|
| 58 | +<p align="center"> |
| 59 | + <img src="images/04-copy_keys.png" /> |
| 60 | +</p> |
| 61 | + |
| 62 | +> [!CAUTION] |
| 63 | +> You will not be able to access the key in its entirety again. |
| 64 | +
|
| 65 | +#### Key for Farm Controller |
| 66 | + |
| 67 | +<p align="center"> |
| 68 | + <img src="images/02-controller_key.png" /> |
| 69 | +</p> |
| 70 | + |
| 71 | +#### Key for Turbine Containers |
| 72 | + |
| 73 | +<p align="center"> |
| 74 | + <img src="images/03-turbine_key.png" /> |
| 75 | +</p> |
| 76 | + |
| 77 | +### Verify the Keys |
| 78 | + |
| 79 | +Click the carrot to the left of each key to confirm it has the correct tags for |
| 80 | +the key description. The carrot for the top key in the image below is extended |
| 81 | +to show its tags. |
| 82 | + |
| 83 | +<p align="center"> |
| 84 | + <img src="images/05-verify_keys.png" /> |
| 85 | +</p> |
| 86 | + |
| 87 | +### Access Control: Update ACLs |
| 88 | + |
| 89 | +Edit the access controls policy file again by browsing to the [Access |
| 90 | +controls](https://login.tailscale.com/admin/acls/file) tab and then clicking |
| 91 | +`Edit file`. |
| 92 | + |
| 93 | +Under the `"acls"` key, add the following rule (lines 25-29): |
| 94 | + |
| 95 | +``` |
| 96 | +{ |
| 97 | + "action": "accept", |
| 98 | + "src": ["tag:wind-farm"], |
| 99 | + "dst": ["tag:wind-farm:*"], |
| 100 | +}, |
| 101 | +``` |
| 102 | + |
| 103 | +> [!NOTE] |
| 104 | +> The above ACL allows any device authenticated to Tailscale with an |
| 105 | +> authorization key tagged `wind-farm` to talk to any other device authenticated |
| 106 | +> with a `wind-farm` on any port. Since both of the authorization keys generated |
| 107 | +> above include the more general `wind-farm` tag, any device using those keys to |
| 108 | +> authenticate with will be able to talk to each other. |
| 109 | +
|
| 110 | +## Wind Controller Setup |
| 111 | + |
| 112 | +In addition to setting up the Tailscale infrastructure as described above, the |
| 113 | +lab leader must also deploy the wind farm controller infrastructure for the lab |
| 114 | +participants to connect their wind turbines to (over Tailscale). |
| 115 | + |
| 116 | +To deploy the wind farm controller infrastructure, create a Gitpod account (if |
| 117 | +needed) and deploy the wind farm controller's Gitpod workspace using the |
| 118 | +following URL, replacing `{{FIX_ME}}` with the Farm Controller Tailscale |
| 119 | +authorization key created above. |
| 120 | + |
| 121 | +https://gitpod.io/#HOSTNAME=farm-ctlr,OTSIM_TAILSCALE_AUTHKEY={{FIX_ME}}/https://github.com/ITI/ICS_Virtualization_Testbed-wind_farm/tree/main |
| 122 | + |
| 123 | +## Lab Participants |
| 124 | + |
| 125 | +To start, create a Gitpod account (if needed) and deploy the initial Gitpod |
| 126 | +workspace using the following URL. |
| 127 | + |
| 128 | +https://gitpod.io/#https://github.com/ITI/ICS_Virtualization_Testbed-wind_farm/tree/module-0 |
| 129 | + |
| 130 | +Follow the README instructions in the workspace. |
| 131 | + |
| 132 | +> [!NOTE] |
| 133 | +> Beginning with module-0, the URLs at the bottom of each README need updating |
| 134 | +> for each student. Replace `{{FIX_ME}}` after `HOSTNAME` with the student’s |
| 135 | +> turbine identifier (e.g., `wtg-01`). Replace `{{FIX_ME}}` after |
| 136 | +> `OTSIM_TAILSCALE_AUTHKEY` with the Turbine key copied and stored when |
| 137 | +> generated. |
0 commit comments