Industrial Cybersecurity (e-book)

Author: Pascal Ackerman

Publisher: Packt Publishing

Publication date: 2017-10-18

Word count: 442,000

Your one-step guide to understanding industrial cyber security, its control systems, and its operations.

About This Book

  • Learn about endpoint protection such as anti-malware implementation, updating, monitoring, and sanitizing user workloads and mobile devices
  • Filled with practical examples to help you secure critical infrastructure systems efficiently
  • A step-by-step guide that will teach you the techniques and methodologies of building robust infrastructure systems

Who This Book Is For

If you are a security professional and want to ensure a robust environment for critical infrastructure systems, this book is for you. IT professionals interested in getting into the cyber security domain or who are looking at gaining industrial cyber security certifications will also find this book useful.

What You Will Learn

  • Understand industrial cybersecurity, its control systems and operations
  • Design security-oriented architectures, network segmentation, and security support services
  • Configure event monitoring systems, anti-malware applications, and endpoint security
  • Gain knowledge of ICS risks, threat detection, and access management
  • Learn about patch management and life cycle management
  • Secure your industrial control systems from design through retirement

In Detail

With industries expanding, cyber attacks have increased significantly. Understanding your control system’s vulnerabilities and learning techniques to defend critical infrastructure systems from cyber threats is increasingly important. With the help of real-world use cases, this book will teach you the methodologies and security measures necessary to protect critical infrastructure systems and will get you up to speed with identifying unique challenges.

Industrial Cybersecurity begins by introducing Industrial Control System (ICS) technology, including ICS architectures, communication media, and protocols. This is followed by a presentation on ICS (in)security. After presenting an ICS-related attack scenario, securing of the ICS is discussed, including topics such as network segmentation, defense-in-depth strategies, and protective solutions. Along with practical examples for protecting industrial control systems, this book details security assessments, risk management, and security program development. It also covers essential cybersecurity aspects, such as threat detection and access management. Topics related to endpoint hardening such as monitoring, updating, and anti-malware implementations are also discussed.

Style and approach

A step-by-step guide to implement Industrial Cyber Security effectively.

Table of Contents

Title Page

Copyright

Industrial Cybersecurity

Credits

About the Author

About the Reviewers

www.PacktPub.com

Why subscribe?

Customer Feedback

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Errata

Piracy

Questions

Industrial Control Systems

An overview of an Industrial control system

The view function

The monitor function

The control function

The Industrial control system architecture

Programmable logic controllers

Human Machine Interface

Supervisory Control and Data Acquisition

Distributed control system

Safety instrumented system

The Purdue model for Industrial control systems

The enterprise zone

Level 5 - Enterprise network

Level 4 - Site business planning and logistics

Industrial Demilitarized Zone

The manufacturing zone

Level 3 - Site operations

Level 2 - Area supervisory control

Level 1 - Basic control

Level 0 - Process

Industrial control system communication media and protocols

Regular information technology network protocols

Process automation protocols

Industrial control system protocols

Building automation protocols

Automatic meter reading protocols

Communication protocols in the enterprise zone

Communication protocols in the Industrial zone

Summary

Insecure by Inheritance

Industrial control system history

Modbus and Modbus TCP/IP

Breaking Modbus

Using Python and Scapy to communicate over Modbus

Replaying captured Modbus packets

PROFINET

PROFINET packet replay attacks

S7 communication and the stop CPU vulnerability

EtherNet/IP and the Common Industrial Protocol

Shodan: The scariest search engine on the internet

Common IT protocols found in the ICS

HTTP

File Transfer Protocol

Telnet

Address Resolution Protocol

ICMP echo request

Summary

Anatomy of an ICS Attack Scenario

Setting the stage

The Slumbertown paper mill

Trouble in paradise

Building a virtual test network

Clicking our heels

What can the attacker do with their access?

The cyber kill chain

Phase two of the Slumbertown Mill ICS attack

Other attack scenarios

Summary

Industrial Control System Risk Assessment

Attacks, objectives, and consequences

Risk assessments

A risk assessment example

Step 1 - Asset identification and system characterization

Step 2 - Vulnerability identification and threat modeling

Discovering vulnerabilities

Threat modeling

Step 3 - Risk calculation and mitigation

Summary

The Purdue Model and a Converged Plantwide Ethernet

The Purdue Enterprise Reference Architecture

The Converged Plantwide Enterprise

The safety zone

Cell/area zones

Level 0 – The process

Level 1 – Basic control

Level 2 – Area supervisory control

The manufacturing zone

Level 3 – Site manufacturing operations and control

The enterprise zone

Level 4 – Site business planning and logistics

Level 5 – Enterprise

Level 3.5 – The Industrial Demilitarized Zone

The CPwE industrial network security framework

Summary

The Defense-in-depth Model

ICS security restrictions

How to go about defending an ICS?

The ICS is extremely defendable

The defense-in-depth model

Physical security

Network security

Computer security

Application security

Device security

Policies, procedures, and awareness

Summary

Physical ICS Security

The ICS security bubble analogy

Segregation exercise

Down to it – Physical security

Summary

ICS Network Security

Designing network architectures for security

Network segmentation

The Enterprise Zone

The Industrial Zone

Cell Area Zones

Level 3 site operations

The Industrial Demilitarized Zone

Communication conduits

Resiliency and redundancy

Architectural overview

Firewalls

Configuring the active-standby pair of firewalls

Security monitoring and logging

Network packet capturing

Event logging

Security information and event management

Firewall logs

Configuring the Cisco ASA firewall to send log data to the OSSIM server

Setting the syslog logging level for Cisco devices

Network intrusion detection logs

Why not intrusion prevention?

Configuring the Cisco Sourcefire IDS to send log data to the OSSIM server

Router and switch logs

Configuring Cisco IOS to log to the syslog service of the OSSIM server

Operating system logs

Collecting logs from a Windows system

Installing and configuring NXLog CE across your Windows hosts

Application logs

Reading an application log file with an HIDS agent on Windows

Network visibility

Summary

ICS Computer Security

Endpoint hardening

Narrowing the attack surface

Limiting the impact of a compromise

Microsoft Enhanced Mitigation Experience Toolkit

Configuring EMET for a Rockwell Automation application server

Microsoft AppLocker

Microsoft AppLocker configuration

Configuration and change management

Patch management

Configuring Microsoft Windows Server Update Services for the industrial zone

Configuring the Cisco ASA firewall

Creating the Windows Server Update Services server

Configuring Windows client computers to get updates from the WSUS server

Endpoint protection software

Host-based firewalls

Anti-malware software

Types of malware

Application whitelisting software

Application whitelisting versus blacklisting

How application whitelisting works

Symantec's Embedded Security: Critical system protection

Building the Symantec's Embedded Security: Critical System Protection management server

Monitoring and logging

Summary

ICS Application Security

Application security

Input validation vulnerabilities

Software tampering

Authentication vulnerabilities

Authorization vulnerabilities

Insecure configuration vulnerabilities

Session management vulnerabilities

Parameter manipulation vulnerabilities

Application security testing

OpenVAS security scan

ICS application patching

ICS secure SDLC

The definition of secure SDLC

Summary

ICS Device Security

ICS device hardening

ICS device patching

The ICS device life cycle

ICS device security considerations during the procurement phase

ICS device security considerations during the installation phase

ICS device security considerations during the operation phase

ICS device security considerations for decommissioning and disposal

Summary

The ICS Cybersecurity Program Development Process

The NIST Guide to Industrial control systems security

Obtaining senior management buy-in

Building and training a cross-functional team

Defining charter and scope

Defining ICS-specific security policies and procedures

Implementing an ICS security risk-management framework

Categorizing ICS systems and network assets

Selecting ICS security controls

Performing (initial) risk assessment

Implementing the security controls

The ICS security program development process

Security policies, standards, guidelines, and procedures

Defining ICS-specific security policies, standards, and procedures

Defining and inventorying the ICS assets

Performing an initial risk assessment on discovered ICS assets

The Slumbertown Paper Mill initial risk assessment

Defining and prioritizing mitigation activities

Defining and kicking off the security improvement cycle

Summary
