Practical Industrial Cybersecurity

A PRACTICAL ROADMAP TO PROTECTING AGAINST CYBERATTACKS IN INDUSTRIAL ENVIRONMENTSIn Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT, veteran electronics and computer security author Charles J. Brooks and electrical grid cybersecurity expert Philip Craig deliver an authoritative and robust discussion of how to meet modern industrial cybersecurity challenges. The book outlines the tools and techniques used by practitioners in the industry today, as well as the foundations of the professional cybersecurity skillset required to succeed on the SANS Global Industrial Cyber Security Professional (GICSP) exam. Full of hands-on explanations and practical guidance, this book also includes:

* Comprehensive coverage consistent with the National Institute of Standards and Technology guidelines for establishing secure industrial control systems (ICS)
* Rigorous explorations of ICS architecture, module and element hardening, security assessment, security governance, risk management, and more

Practical Industrial Cybersecurity is an indispensable read for anyone preparing for the Global Industrial Cyber Security Professional (GICSP) exam offered by the Global Information Assurance Certification (GIAC). It also belongs on the bookshelves of cybersecurity personnel at industrial process control and utility companies. Practical Industrial Cybersecurity provides key insights to the Purdue ANSI/ISA 95 Industrial Network Security reference model and how it is implemented from the production floor level to the Internet connection of the corporate network. It is a valuable tool for professionals already working in the ICS/Utility network environment, IT cybersecurity personnel transitioning to the OT network environment, and those looking for a rewarding entry point into the cybersecurity field. CHARLES J. BROOKS is the co-Owner and Vice President of Educational Technologies Group Inc and the co-Owner of eITPrep LLP. He oversees research and product development at those organizations and has authored several books, including the A+ Certification Training Guide and The Complete Introductory Computer Course. For the past eight years Charles has been lecturing and providing Instructor training for cybersecurity teachers throughout the U.S. and abroad. His latest projects have been associated with IT and OT cybersecurity courses and hands-on lab activities that include Cybersecurity Essentials — Concepts & Practices; Cybersecurity Essentials – Environments & Testing; and Industrial Network Cybersecurity.

PHILIP A. CRAIG JR is the founder of BlackByte Cyber Security, LLC, a consultancy formed to develop new cybersecurity tools and tactics for use in U.S Critical Infrastructure. He oversees research and product development for the U.S. Department of Energy (DOE), the Defense Advanced Research Projects Agency (DARPA), and the National Rural Electric Cooperative Association (NRECA), as well as providing expert knowledge in next generation signal isolation techniques to protect automated controls in energy generation, transmission, and distribution systems. Mr. Craig has authored regulation for both the Nuclear Regulatory Commission (NRC) and National Energy Reliability Corporation (NERC) and is an active cyber responder in federal partnerships for incident response. Introduction xxiii

CHAPTER 1 INDUSTRIAL CONTROL SYSTEMS 1

Introduction 2

Basic Process Control Systems 3

Closed- Loop Control Systems 5

Industrial Process Controllers 6

Supervisory Control and Data Acquisition Systems 20

System Telemetry 21

Utility Networks 23

OT/IT Network Integration 25

Industrial Safety and Protection Systems 28

Safety Instrument Systems 29

Review Questions 39

Exam Questions 41

CHAPTER 2 ICS ARCHITECTURE 43

Introduction 44

Network Transmission Media 45

Copper Cabling 45

Fiber- Optic Cabling 46

Industrial Network Media Standards 49

Ethernet Connectivity 52

External Network Communications 53

Transmission Media Vulnerabilities 55

Field Device Architecture 56

PLC I/O Sections 58

PLC Implementations 62

Industrial Sensors 63

Final Control Elements/Actuators 71

Relays 73

Process Units 76

Industrial Network Protocols 79

Common Industrial Protocols 79

EtherNet/IP Protocol 79

Modbus 80

ProfiNet/ProfiBus 81

Dnp3 82

Iccp 83

Opc 83

BACnet 83

Enterprise Network Protocols 84

Tcp/ip 84

Dynamic Host Configuration Protocol 89

Review Questions 90

Exam Questions 91

CHAPTER 3 SECURE ICS ARCHITECTURE 95

Introduction 96

Boundary Protection 97

Firewalls 98

Proxies 104

Security Topologies 105

Network Switches 106

Routers 108

Security Zoning Models 109

Flat Network Topologies 113

Network Segmentation 122

Controlling Intersegment Data Movement 128

Tunneling 128

Wireless Networking 129

Wireless Sensors 131

Wireless Gateways 134

Modems 135

Review Questions 137

Exam Questions 139

CHAPTER 4 ICS MODULE AND ELEMENT HARDENING 143

Introduction 145

Endpoint Security and Hardening 145

User Workstation Hardening 145

BIOS Security Subsystems 147

Additional Outer Perimeter Access Hardening 148

Mobile Device Protection 154

OS Security/Hardening 155

File System Security 156

Operating System Security Choices 160

Linux SystemV vs Systemd 160

Hardening Operating Systems 162

Common Operating System Security Tools 162

Virtualization 169

Application Software Security 172

Software Exploitation 172

Information Leakage 173

Applying Software Updates and Patches 174

Database Hardening 174

SQL Injection 175

Anti-Malware 177

Antivirus 178

Anti-spyware 178

Anti- Malware: Sanitization 181

Embedded Device Security 182

Meters 184

Network Hardening 189

OT/IT Network Security 189

Server Security 191

Hardening the Server OS 193

Logical Server Access Control 194

Hardening Network Connectivity Devices 196

Review Questions 201

Exam Questions 202

CHAPTER 5 CYBERSECURITY ESSENTIALS FOR ICS 205

Introduction 207

Basic Security Tenets 208

Confidentiality, Integrity, and Availability 208

Availability in ICS Networks 209

Nonrepudiation 210

Principle of Least Privilege 211

Separation of Duties 211

Vulnerability and Threat Identification 212

Nation- States 213

Cyberterrorists 213

Cybercriminals 214

Insider Threats 216

Events, Incidents, and Attacks 217

Threat Vectors 217

Weaponization 230

Delivery 230

Exploitation 231

Installation 232

Command and Control 233

Actions on Objectives 233

Attack Methods 234

Unauthorized Access 251

Cryptographics 260

Encryption 262

Digital Certificates 264

Public Key Infrastructure 264

Hashing 266

Resource Constraints 267

Review Questions 268

Exam Questions 268

CHAPTER 6 PHYSICAL SECURITY 271

Introduction 272

Infrastructure Security 273

Access Control 274

Physical Security Controls 276

Authentication Systems 278

Remote Access Monitoring and Automated Access Control Systems 286

Intrusion Detection and Reporting Systems 289

Security Controllers 290

Video Surveillance Systems 295

Cameras 297

IP Cameras 297

Pan- Tilt- Zoom Cameras 298

Physical Security for ICS 306

Industrial Processes/Generating Facilities 307

Control Center/Company Offices 307

Nerc Cip-006-1 309

Review Questions 311

Exam Questions 312

CHAPTER 7 ACCESS MANAGEMENT 315

Introduction 316

Access Control Models 317

Mandatory Access Control 317

Discretionary Access Control 318

Role- Based Access Control 318

Rule- Based Access Control 319

Attribute- Based Access Control 319

Context- Based Access Control 320

Key Security Components within Access Controls 320

Directory Services 321

Active Directory 321

Linux Directory Services 324

Application Runtime and Execution Control 326

User Access Management 326

Establishing User and Group Accounts 328

Group Account Security 330

Network Authentication Options 331

Establishing Resource Controls 332

ICS Access Control 334

Remote ICS Access Control 336

Access Control for Cloud Systems 340

Review Questions 343

Exam Questions 344

CHAPTER 8 ICS SECURITY GOVERNANCE AND RISK MANAGEMENT 347

Introduction 348

Security Policies and Procedure Development 348

Requirements 349

Exceptions and Exemptions 350

Standards 351

ICS Security Policies 356

Risk Management 357

Asset Identification 358

Risk Assessment 359

Risk Identification Vulnerability Assessment 362

Impact Assessment 363

ICS Risk Assessments 364

Risk Mitigation 366

Nerc Cip-008 367

Review Questions 369

Exam Questions 370

CHAPTER 9 ICS SECURITY ASSESSMENTS 373

Introduction 374

Security Assessments 374

ICS Device Testing 376

Vulnerability 376

Supply Chain 377

Communication Robustness Testing 382

Fuzzing 382

ICS Penetration Testing 384

The Pentest Process 385

Security Testing Tools 392

Packet Sniffers 392

Network Enumeration/Port Scanning 393

Port Scanning 395

Vulnerability Scanning 395

Review Questions 401

Exam Questions 402

CHAPTER 10 ICS SECURITY MONITORING AND INCIDENT RESPONSE 405

Introduction 407

ICS Lifecycle Challenges 408

Change Management 408

Establishing a Security Baseline 409

Change Management Documentation 411

Configuration Change Management 412

Controlling Patch Distribution and Installation for Systems 414

Monitoring 419

Event Monitoring 420

Network Monitoring 421

Security Monitoring 423

Logging and Auditing 424

Event Logging 425

Incident Management 433

The Incident Response Lifecycle 434

Preparation 435

Incident Response 442

Recovery 445

Post- Incident Activities 446

Review Questions 449

Exam Questions 450

CHAPTER 11 DISASTER RECOVERY AND BUSINESS CONTINUITY 453

Introduction 454

Business Continuity Plans 455

System Redundancy 455

Local Virtualized Storage 459

System Backup and Restoration 462

Backup Options 463

Backup Media Rotation 466

Securing Backup Media 467

Other BCP Considerations 467

Disaster Recovery 469

Planning 470

Documenting the Disaster Recovery Plan 472

The Disaster Response/Recovery Team 473

Nerc Cip-009-6 475

Review Questions 477

Exam Questions 478

APPENDIX A GICSP OBJECTIVE MAP 481

ICS410.1 ICS: Global Industrial Cybersecurity Professional (GICSP) Objectives 482

Overview 482

ICS410.2: Architecture and Field Devices 483

ICS410.3: Communications and Protocols 484

ICS410.4: Supervisory Systems 485

ICS410.5: Security Governance 485

APPENDIX B GLOSSARY 487

APPENDIX C STANDARDS AND REFERENCES 533

Reference Links 536

APPENDIX D REVIEW AND EXAM QUESTION ANSWERS 539

Chapter 1: Industrial Control Systems 540

Review Question Answers 540

Exam Question Answers 541

Chapter 2: ICS Architecture 542

Review Question Answers 542

Exam Question Answers 544

Chapter 3: Secure ICS Architecture 545

Review Question Answers 545

Exam Question Answers 547

Chapter 4: ICS Modules and Element Hardening 548

Review Question Answers 548

Exam Question Answers 550

Chapter 5: Cybersecurity Essentials for ICS 551

Review Question Answers 551

Exam Question Answers 553

Chapter 6: Physical Security 554

Review Question Answers 554

Exam Question Answers 556

Chapter 7: Access Management 556

Review Question Answers 556

Exam Question Answers 558

Chapter 8: ICS Security Governance and Risk Management 559

Review Question Answers 559

Exam Question Answers 560

Chapter 9: ICS Security Assessments 561

Review Question Answers 561

Exam Question Answers 563

Chapter 10: ICS Security Monitoring and Incident Response 564

Review Question Answers 564

Exam Question Answers 565

Chapter 11: Disaster Recovery and Business Continuity 567

Review Question Answers 567

Exam Question Answers 568

Index 571