book

Industrial Cybersecurity - Second Edition

Name: Industrial Cybersecurity - Second Edition
Author: Pascal Ackerman
ISBN: 9781800202092

by Pascal Ackerman

October 2021

Intermediate to advanced

800 pages

17h 8m

English

Packt Publishing

Read now

Unlock full access

Industrial Cybersecurity Second Edition
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your Thoughts
Section 1: ICS Cybersecurity Fundamentals
Chapter 1: Introduction and Recap of First Edition
Industrial Cybersecurity – second editionRecap of the first editionWhat is an ICS?ICS functionsICS architectureThe Purdue model for ICSesIT and OT convergence and the associated benefits and risksExample attack on the Slumbertown papermillThe comprehensive risk management processThe DiD modelICS security program development Takeaway from the first editionSummary
Chapter 2: A Modern Look at the Industrial Control System Architecture
Why proper architecture mattersIndustrial control system architecture overviewThe Enterprise ZoneThe Industrial Demilitarized ZoneThe Industrial ZoneThe hardware that's used to build the ICS environmentICS environment and architecture management Summary
Chapter 3: The Industrial Demilitarized Zone
The IDMZ Fundamental conceptIDMZ design processDesign changes due to an expanding ICS environmentWhat makes up an IDMZ design?The Enterprise ZoneIDMZ firewallsIDMZ switchesIDMZ broker servicesThe Industrial Zone – Level 3 Site OperationsExample IDMZ broker-service solutionsSummary
Chapter 4: Designing the ICS Architecture with Security in Mind
Typical industrial network architecture designsEvolution from standalone islands of automationDesigning for securityNetwork architecture with security in mindSecurity monitoringNetwork choke pointsLogging and alertingSummary
Section 2:Industrial Cybersecurity – Security Monitoring
Chapter 5: Introduction to Security Monitoring
Security incidentsPassive security monitoringActive security monitoringThreat-hunting exercisesSecurity monitoring data collection methodsNetwork packet capturingEvent logsPutting it all together – introducing SIEM systemsSummary
Chapter 6: Passive Security Monitoring
Technical requirementsPassive security monitoring explainedNetwork packet sniffingCollection and correlation of event logs Host-based agents Security Information and Event Management – SIEMWhat is a SIEM solution?How does a SIEM solution work?Common passive security monitoring toolsNSM IDSEvent log collection and correlationSetting up and configuring Security OnionExercise 1 – Setting up and configuring Security OnionDeploying the Security Onion VMConfiguring Security Onion Deploying Wazuh agentsExercise 2 – Setting up and a configuring a pfSense firewallDeploying a pfSense VMConfiguring pfSenseExercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)Deploying the SilentDefense sensor and Command Center VMsConfiguration of the SilentDefense setupExample usages of the SilentDefense setupSummary

Chapter 7: Active Security Monitoring
Technical requirementsUnderstanding active security monitoringNetwork scanningEndpoint inspection with host-based agentsManual endpoint inspection/verificationExercise 1 – Scanning network-connected devicesDangers of scanning in the ICS environmentNmapAssets scanInterrogating Windows machinesExploring ModbusGetting EtherNet/IP informationScanning Siemens S7 (iso-tsap)Manual vulnerability verificationScanning for vulnerabilitiesExercise 2 – Manually inspecting an industrial computerPulling Windows-based host informationConfigured usersSummary
Chapter 8: Industrial Threat Intelligence
Technical requirementsThreat intelligence explainedUsing threat information in industrial environmentsAcquiring threat informationYour own incidents and threat hunting effortsVendor reportsYour own honeypots Peers and sharing communitiesExternal/third-party free and paid-for feedsCreating threat intelligence data out of threat informationExercise – Adding an AlienVault OTX threat feed to Security OnionSummary
Chapter 9: Visualizing, Correlating, and Alerting
Technical requirementsHolistic cybersecurity monitoringNetwork traffic monitoringNetwork intrusion monitoringHost-based security monitoring Exercise 1 – Using Wazuh to add Sysmon loggingExercise 2 – Using Wazuh to add PowerShell Script Block LoggingExercise 3 – Adding a Snort IDS to pfSenseExercise 4 – Sending SilentDefense alerts to Security Onion syslogExercise 5 – Creating a pfSense firewall event dashboard in KibanaExercise 6 – Creating a breach detection dashboard in KibanaNIDS alertsZeek noticesZeek Intel logsSuspicious process and file creation Suspicious PowerShell commandsSuspicious egress connectionsSuspicious ingress connectionsFailed user login attemptsNew user creation and changes to user accountsDownloaded filesSilentDefense alertsFinishing up the dashboardSummary
Section 3:Industrial Cybersecurity – Threat Hunting
Chapter 10: Threat Hunting
What is threat hunting?Threat hunting in ICS environmentsWhat is needed to perform threat hunting exercises?Network traffic logsEndpoint OS and application event logsMaking modifications to PLC, HMI, and other control systems and equipmentTracking new and changed devices on the (industrial) networkNetwork services event logsSIEMNetwork packet capturesResearch, lookups, and comparison resourcesThreat hunting is about uncovering threatsCorrelating events and alerts for threat hunting purposesSummary
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Forming the malware beaconing threat hunting hypothesisDetection of beaconing behavior in the ICS environmentMalware beaconing explainedData exfiltrationLegitimate application beaconingUsing Security Onion to detect beaconing behaviorUsing RITA to detect beaconing behaviorInvestigating/forensics of suspicious endpointsFinding the suspicious computerFind the beaconing process – netstatUpload executable to VirusTotalRudimentary inspection of the suspicious executable – malware analysis 101Using indicators of compromise to uncover additional suspect systems Discovered IOCs so farSearching for network-specific indicators of compromiseSearching for host-based indicators of compromiseSummary
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Technical requirementsForming the malicious or unwanted applications threat hunting hypothesisDetection of malicious or unwanted applications in the ICS environmentComparing system snapshots to find artifacts Looking for application errors to find artifactsLooking for malicious network traffic to find artifactsComparing port scans to find artifactsInventorying currently running processes in the ICS environmentInventorying startup processes in the ICS environment Investigation and forensics of suspicious endpointsSecurely extracting the suspicious executablesUsing discovered indicators of compromise to search the environment for additional suspect systemsUsing YARA to find malicious executablesUsing file strings as an indicator of compromiseSummary
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Forming the suspicious external connections threat hunting hypothesisIngress network connectionsMayhem from the internetAttacks originating from the enterprise networkSummary
Section 4:Industrial Cybersecurity – Security Assessments and Intel
Chapter 14: Different Types of Cybersecurity Assessments
Understanding the types of cybersecurity assessments Risk assessmentsAsset identificationSystem characterizationVulnerability identificationThreat modelingRisk calculationMitigation prioritization and planningRed team exercisesHow do red team exercises differ from penetration tests?Blue team exercisesPenetration testingHow do ICS/OT security assessments differ from IT?Summary
Chapter 15: Industrial Control System Risk Assessments
Chapter 16: Red Team/Blue Team Exercises
Red Team versus Blue Team versus pentestingPenetration-testing objective – get to the objective at any costRed Team exercise objective – emulate real-world adversary TTPsBlue Team objective – detect and respond to security incidents as quickly as possibleRed Team/Blue Team example exercise, attacking Company ZRed Team strategyBlue Team preparationThe attackSummary
Chapter 17: Penetration Testing ICS Environments
Practical view of penetration testingWhy ICS environments are easy targets for attackersTypical risks to an ICS environmentModeling pentests around the ICS Kill ChainThe Cyber Kill Chain explainedThe Intrusion Kill ChainThe ICS Cyber Kill ChainPentest methodology based on the ICS Kill ChainPentesting results allow us to prioritize cybersecurity effortsPentesting industrial environments requires cautionCreating an approximation of the industrial environmentExercise – performing an ICS-centric penetration testPreparation workSetting up the test environmentPentest engagement step 1 – attacking the enterprise environmentPentest engagement step 2 – pivoting into the industrial environmentPentest engagement step 3 – attacking the industrial environmentTesting Level 3 Site OperationsTesting the lower layers Pentest engagement step 4 – reaching the objective of the attackSummary
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
Chapter 18: Incident Response for the ICS Environment
What is an incident?What is incident response?Incident response processesIncident response preparation processIncident handling processIncident response proceduresIncident response preparation processIncident handling processExample incident report formSummary
Chapter 19: Lab Setup
Discussing the lab architectureThe lab hardwareThe lab softwareDetails about the enterprise environment lab setupENT-DCENT-SQL and ENT-IISENT-ClientsActive Directory/Windows domain setupDetails about the industrial environment – lab setupServersWorkstationsHMIsPLCs and automation equipmentActive Directory/Windows domain setupHow to simulate (Chinese) attackersDiscussing the role of lab firewallsHow to install the malware for the lab environmentConfiguring packet capturing for passive security tools Summary
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Overview

Industrial Cybersecurity, Second Edition, is the definitive guide for safeguarding your Industrial Control Systems (ICS) against modern cyber threats. With a focus on active and passive monitoring, incident response, and effective risk assessment, this comprehensive book enables IT/OT professionals to secure critical infrastructure effectively.

What this Book will help me do

Understand ICS-specific security architecture and design architecture for ICS networks with robust security.
Implement effective passive and active security monitoring techniques tailored to industrial environments.
Conduct thorough risk assessments and threat-hunting exercises to preemptively identify vulnerabilities and threats.
Execute well-defined incident response plans ensuring quick recovery and minimal disruption.
Leverage tools like the ELK Stack for visualizing security data and improving operational strategies.

Author(s)

Pascal Ackerman is an experienced cybersecurity professional specializing in ICS environments. With a career spanning decades, Pascal combines practical expertise with a passion for teaching and sharing knowledge, aiming to empower professionals and organizations to achieve top-notch cybersecurity. His hands-on experience in diverse industries provides real-world applicability to his guidance.

Who is it for?

This book is tailored for ICS security professionals looking to deepen their knowledge of cybersecurity specifically applied to industrial control systems. Beginners interested in the cybersecurity domain, particularly concerning ICS, will also find the material accessible and immensely beneficial. IT/OT experts transitioning or extending their expertise to industrial cybersecurity can rely on this comprehensive guide to enhance their skillset. It is also an invaluable resource for learners preparing for industry-standard ICS cybersecurity qualifications or certifications.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781800202092

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills