Industrial network security : securing critical infrastructure networks for Smart Grid, SCADA, and other industrial control systems

As the sophistication of cyber-attacks increases, understanding how to defend critical infrastructure systems (energy production, water, gas, and other vital systems) becomes more important, and heavily mandated. Industrial Network Security, Second Edition arms you with the knowledge you need to under...

Bibliographic Details
Main Authors: Knapp, Eric D.; Langill, Joel Thomas
Format: eBook, Book
Language: English
Published: Chantilly: Syngress, 2011 (Elsevier Science & Technology Books)
Edition: 2
ISBN: 1597496456; 9781597496452; 9780124201149; 0124201148
DOI: 10.1016/B978-0-12-420114-9.00018-6

Table of Contents:
  • Cover -- Title Page -- Copyright Page -- Contents -- About the Author -- Preface -- Acknowledgments -- Chapter 1 - Introduction -- Information in this Chapter -- Book Overview and Key Learning Points -- Book Audience -- Diagrams and Figures -- The Smart Grid -- How This Book is Organized -- Chapter 2: About Industrial Networks -- Chapter 3: Industrial Cyber Security, History, and Trends -- Chapter 4: Introduction to ICS and Operations -- Chapter 5: ICS Network Design and Architecture -- Chapter 6: Industrial Network Protocols -- Chapter 7: Hacking Industrial Systems -- Chapter 8: Risk and Vulnerability Assessments -- Chapter 9: Establishing Zones and Conduits -- Chapter 10: Implementing security and access controls -- Chapter 11: Exception, Anomaly, and Threat Detection -- Chapter 12: Security Monitoring of Industrial Control Systems -- Chapter 13: Standards and Regulations -- Changes Made to the Second Edition -- Conclusion -- Chapter 2 - About Industrial Networks -- Information in this Chapter -- The Use of Terminology Within This Book -- Attacks, Breaches, and Incidents: Malware, Exploits, and APTs -- Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets -- Security Controls and Security Countermeasures -- Firewalls and Intrusion Prevention Systems -- Industrial Control System -- DCS or SCADA? -- Industrial Networks -- Industrial Protocols -- Networks, Routable Networks, and Nonroutable Networks -- Enterprise or Business Networks -- Zones and Enclaves -- Network Perimeters or "Electronic Security Perimeters" -- Critical Infrastructure -- Utilities -- Nuclear Facilities -- Bulk Electric -- Smart Grid -- Chemical Facilities -- Common Industrial Security Recommendations -- Identification of Critical Systems -- Network Segmentation/Isolation of Systems -- Defense in Depth -- Access Control -- Advanced Industrial Security Recommendations
  • Security Monitoring -- Policy Whitelisting -- Application Whitelisting -- Common Misperceptions About Industrial Network Security -- Assumptions Made in This Book -- Summary -- Chapter 3 - Industrial Cyber Security History and Trends -- Information in this Chapter -- Importance of Securing Industrial Networks -- The Evolution of the Cyber Threat -- APTs and Weaponized Malware -- Night Dragon -- Stuxnet -- Advanced Persistent Threats and Cyber Warfare -- Still to Come -- Defending Against Modern Cyber Threats -- The Insider -- Hacktivism, Cyber Crime, Cyber Terrorism, and Cyber War -- Summary -- Chapter 4 - Introduction to Industrial Control Systems and Operations -- Information in this Chapter -- System Assets -- Programmable Logic Controller -- Ladder Diagrams -- Sequential Function Charts -- Remote Terminal Unit -- Intelligent Electronic Device -- Human-Machine Interface -- Supervisory Workstations -- Data Historian -- Business Information Consoles and Dashboards -- Other Assets -- System Operations -- Control Loops -- Control Processes -- Feedback Loops -- Production Information Management -- Business Information Management -- Process Management -- Safety Instrumented Systems -- The Smart Grid -- Network Architectures -- Summary -- Chapter 5 - Industrial Network Design and Architecture -- Information in this Chapter -- Introduction to Industrial Networking -- Common Topologies -- Network Segmentation -- Higher Layer Segmentation -- Physical vs. Logical Segmentation -- Network Services -- Wireless Networks -- Remote Access -- Performance Considerations -- Latency and Jitter -- Bandwidth and Throughput -- Type of Service, Class of Service, and Quality of Service -- Network Hops -- Network Security Controls -- Safety Instrumented Systems -- Special Considerations -- Wide Area Connectivity -- Smart Grid Network Considerations
  • Advanced Metering Infrastructure -- Summary -- Chapter 6 - Industrial Network Protocols -- Information in this Chapter -- Overview of Industrial Network Protocols -- Fieldbus Protocols -- Modicon Communication Bus -- What it Does -- How it Works -- Variants -- Modbus RTU and Modbus ASCII -- Modbus TCP -- Modbus Plus or Modbus+ -- Where it is Used -- Security Concerns -- Security Recommendations -- Distributed Network Protocol -- What it Does -- How it Works -- Secure DNP3 -- Where it is Used -- Security Concerns -- Security Recommendations -- Process Fieldbus -- Security Concerns -- Security Recommendations -- Industrial Ethernet Protocols -- Ethernet Industrial Protocol -- Security Concerns -- Security Recommendations -- PROFINET -- Security Concerns -- Security Recommendations -- EtherCAT -- Security Concerns -- Security Recommendations -- Ethernet POWERLINK -- Security Concerns -- Security Recommendations -- SERCOS III -- Security Concerns -- Security Recommendations -- Backend Protocols -- Open process communications -- What it Does -- How it Works -- Where it is Used -- Security Concerns -- Security Recommendations -- Inter-Control Center Communications Protocol -- What it Does -- How it Works -- Where it is Used -- Security Concerns -- Security Improvements Over Modbus and DNP -- Security Recommendations -- Advanced Metering Infrastructure and the Smart Grid -- Security Concerns -- Security Recommendations -- Industrial Protocol Simulators -- MODBUS -- DNP3 / IEC 60870-5 -- OPC -- ICCP / IEC 60870-6 (TASE.2) -- Physical Hardware -- Summary -- Chapter 7 - Hacking Industrial Control Systems -- Information in this Chapter -- Motives and Consequences -- Consequences of a Successful Cyber Incident -- Cyber Security and Safety -- Common Industrial Targets -- Common Attack Methods -- Man-in-the-Middle Attacks -- Denial-of-Service Attacks
  • Replay Attacks -- Compromising the Human-Machine Interface -- Compromising the Engineering Workstation -- Blended Attacks -- Examples of Weaponized Industrial Cyber Threats -- Stuxnet -- Dissecting Stuxnet -- What it Does -- Lessons Learned -- Shamoon/DistTrack -- Flame/Flamer/Skywiper -- Attack Trends -- Evolving Vulnerabilities: The Adobe Exploits -- Industrial Application Layer Attacks -- Antisocial Networks: A New Playground for Malware -- Cannibalistic Mutant Underground Malware -- Dealing with an Infection -- Summary -- Chapter 8 - Risk and Vulnerability Assessments -- Information in this Chapter -- Cyber Security and Risk Management -- Why Risk Management is the Foundation of Cyber Security -- What is Risk? -- Standards and Best Practices for Risk Management -- Methodologies for Assessing Risk Within Industrial Control Systems -- Security Tests -- Security Audits -- Security and Vulnerability Assessments -- Establishing a Testing and Assessment Methodology -- Tailoring a Methodology for Industrial Networks -- Theoretical versus Physical Tests -- Online versus Offline Physical Tests -- System Characterization -- Data Collection -- Scanning of Industrial Networks -- Device Scanners -- Vulnerability Scanners -- Traffic Scanners -- Live Host Identification -- "Quiet" / "Friendly" Scanning Techniques -- Potentially "Noisy"/"Dangerous" Scanning Techniques -- Port Mirroring and Span Ports -- Command Line Tools -- Hardware and Software Inventory -- Data Flow Analysis -- Threat Identification -- Threat Actors/Sources -- Threat Vectors -- Threat Events -- Identification of Threats During Security Assessments -- Vulnerability Identification -- Vulnerability Scanning -- Configuration Auditing -- Vulnerability Prioritization -- Common Vulnerability Scoring System -- Risk Classification and Ranking -- Consequences and Impact
  • How to Estimate Consequences and Likelihood -- Risk Ranking -- Risk Reduction and Mitigation -- Summary -- Chapter 9 - Establishing Zones and Conduits -- Information in this Chapter -- Security Zones and Conduits Explained -- Identifying and Classifying Security Zones and Conduits -- Recommended Security Zone Separation -- Network Connectivity -- Caution -- Control Loops -- Supervisory Controls -- Note -- Plant Level Control Processes -- Control Data Storage -- Trading Communications -- Remote Access -- Users and Roles -- Protocols -- Criticality -- Tip -- Tip -- Establishing Security Zones and Conduits -- Summary -- Chapter 10 - Implementing Security and Access Controls -- Information in this Chapter -- Network Segmentation -- Zones and Security Policy Development -- Using Zones within Security Device Configurations -- Implementing Network Security Controls -- Selecting Network Security Devices -- Implementing Network Security Devices -- Firewall Configuration Guidelines -- Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines -- Recommended IDS/IPS Rules -- Anomaly-Based Intrusion Detection -- Protocol Anomaly Detection -- Application and Protocol Monitoring in Industrial Networks -- Data Diodes and Unidirectional Gateways -- Implementing Host Security and Access Controls -- Selecting Host Cyber Security Systems -- Host Firewalls -- Host IDS -- Anti-virus -- Application Whitelisting -- External Controls -- Patch Management -- Patching as a form of Vulnerability Management -- Leave no Vulnerability Unturned -- Maintaining System Availability -- Comprehensive Predeployment Testing -- Automating the Process -- How Much Security is Enough? -- Summary -- Chapter 11 - Exception, Anomaly, and Threat Detection -- Information in this Chapter -- Exception Reporting -- Behavioral Anomaly Detection -- Measuring Baselines -- Anomaly Detection
  • Analyzing IT vs. OT Metrics
  • Front Cover -- Industrial Network Security -- Copyright Page -- Contents -- About the Author -- About the Technical Editor -- Foreword -- 1 Introduction -- Book Overview and Key Learning Points -- Book Audience -- Diagrams and Figures -- The Smart Grid -- How This Book Is Organized -- Chapter 2: About Industrial Networks -- Chapter 3: Introduction to Industrial Network Security -- Chapter 4: Industrial Network Protocols -- Chapter 5: How Industrial Networks Operate -- Chapter 6: Vulnerability and Risk Assessment -- Chapter 7: Establishing Secure Enclaves -- Chapter 8: Exception, Anomaly, and Threat Detection -- Chapter 9: Monitoring Enclaves -- Chapter 10: Standards and Regulations -- Chapter 11: Common Pitfalls and Mistakes -- Conclusion -- 2 About Industrial Networks -- Industrial Networks and Critical Infrastructure -- Critical Infrastructure -- Critical versus Noncritical Industrial Networks -- Relevant Standards and Organizations -- Homeland Security Presidential Directive Seven/HSPD-7 -- NIST Special Publications (800 Series) -- NERC CIP -- Nuclear Regulatory Commission -- Federal Information Security Management Act -- Chemical Facility Anti-Terrorism Standards -- ISA-99 -- ISO 27002 -- Common Industrial Security Recommendations -- Identification of Critical Systems -- Network Segmentation/Isolation of Systems -- Defense in Depth -- Access Control -- The Use of Terminology Within This Book -- Networks, Routable and Non-routable -- Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets -- Enclaves -- Electronic Security Perimeters -- Summary -- Endnotes -- 3 Introduction to Industrial Network Security -- The Importance of Securing Industrial Networks -- The Impact of Industrial Network Incidents -- Safety Controls -- Consequences of a Successful Cyber Incident -- Examples of Industrial Network Incidents -- Dissecting Stuxnet
  • Night Dragon -- APT and Cyber War -- The Advanced Persistent Threat -- Cyber War -- Emerging Trends in APT and Cyber War -- Still to Come -- Defending Against APT -- Responding to APT -- Summary -- Endnotes -- 4 Industrial Network Protocols -- Overview of Industrial Network Protocols -- Modbus -- What It Does -- How It Works -- Variants -- Where It Is Used -- Security Concerns -- Security Recommendations -- ICCP/TASE.2 -- What It Does -- How It Works -- Where It Is Used -- Security Concerns -- Security Improvements over Modbus -- Security Recommendations -- DNP3 -- What It Does -- How It Works -- Secure DNP3 -- Where It Is Used -- Security Concerns -- Security Recommendations -- OLE for Process Control -- What It Does -- How It Works -- OPC-UA and OPC-XI -- Where It Is Used -- Security Concerns -- Security Recommendations -- Other Industrial Network Protocols -- Ethernet/IP -- Profibus -- EtherCAT -- Ethernet Powerlink -- SERCOS III -- AMI and the Smart Grid -- Security Concerns -- Security Recommendations -- Summary -- Endnotes -- 5 How Industrial Networks Operate -- Control System Assets -- IEDs -- RTUs -- PLCs -- HMIs -- Supervisory Workstations -- Data Historians -- Business Information Consoles and Dashboards -- Other Assets -- Network Architectures -- Topologies Used -- Control System Operations -- Control Loops -- Control Processes -- Feedback Loops -- Business Information Management -- Control Process Management -- Smart Grid Operations -- Summary -- Endnotes -- 6 Vulnerability and Risk Assessment -- Basic Hacking Techniques -- The Attack Process -- Targeting an Industrial Network -- Threat Agents -- Accessing Industrial Networks -- The Business Network -- The SCADA DMZ -- The Control System -- Common Vulnerabilities -- The Smart Grid -- Determining Vulnerabilities -- Why Vulnerability Assessment Is Important
  • Vulnerability Assessment in Industrial Networks -- Vulnerability Scanning for Configuration Assurance -- Where to Perform VA Scans -- Cyber Security Evaluation Tool -- Vulnerability Management -- Patch Management -- Configuration Management -- Device Removal and Quarantine -- Summary -- Endnotes -- 7 Establishing Secure Enclaves -- Identifying Functional Groups -- Network Connectivity -- Control Loops -- Supervisory Controls -- Control Processes -- Control Data Storage -- Trading Communications -- Remote Access -- Users and Roles -- Protocols -- Criticality -- Using Functional Groups to Identify Enclaves -- Establishing Enclaves -- Identifying Enclave Perimeters -- Network Alterations -- Enclaves and Security Policy Development -- Enclaves and Security Device Configurations -- Securing Enclave Perimeters -- Selecting Perimeter Security Devices -- Implementing Perimeter Security Devices -- Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines -- Securing Enclave Interiors -- Selecting Interior Security Systems -- Summary -- Endnotes -- 8 Exception, Anomaly, and Threat Detection -- Exception Reporting -- Behavioral Anomaly Detection -- Measuring Baselines -- Anomaly Detection -- Behavioral Whitelisting -- User Whitelists -- Asset Whitelists -- Application Behavior Whitelists -- Threat Detection -- Event Correlation -- Correlating between IT and OT Systems -- Summary -- Endnotes -- 9 Monitoring Enclaves -- Determining What to Monitor -- Security Events -- Assets -- Configurations -- Applications -- Networks -- User Identities and Authentication -- Additional Context -- Behavior -- Successfully Monitoring Enclaves -- Log Collection -- Direct Monitoring -- Inferred Monitoring -- Information Collection and Management Tools (Log Management Systems, SIEMs) -- Monitoring Across Secure Boundaries -- Information Management -- Queries -- Reports
  • Alerts -- Incident Investigation and Response -- Log Storage and Retention -- Nonrepudiation -- Data Retention/Storage -- Data Availability -- Summary -- Endnotes -- 10 Standards and Regulations -- Common Standards and Regulations -- NERC CIP -- CFATS -- ISO/IEC 27002:2005 -- NRC Regulation 5.71 -- NIST SP 800-82 -- Mapping Industrial Network Security to Compliance -- Perimeter Security Controls -- Host Security Controls -- Security Monitoring Controls -- Mapping Compliance Controls to Network Security Functions -- Common Criteria and FIPS Standards -- Common Criteria -- FIPS 140-2 -- Summary -- Endnotes -- 11 Common Pitfalls and Mistakes -- Complacency -- Vulnerability Assessments vs. Zero-Days -- Real Security vs. Policy and Awareness -- The Air Gap Myth -- Misconfigurations -- Default Accounts and Passwords -- Lack of Outbound Security and Monitoring -- The Executive Override -- The Ronco Perimeter -- Compliance vs. Security -- Audit Fodder -- The "One Week Compliance Window" -- Scope and Scale -- Project-Limited Thinking -- Insufficiently Sized Security Controls -- Summary -- Endnotes -- Glossary -- Appendix A -- Modbus Organization -- DNP3 Users Group -- OPC Foundation -- Common Industrial Protocol/ODVA -- Appendix B -- North American Reliability Corporation (NERC) -- The United States Nuclear Regulatory Commission (NRC) -- United States Department of Homeland Security (DHS) -- International Standards Association (ISA) -- The International Standards Organization (ISO) and International Electrotechnical Commission (IEC) -- Appendix C -- Index