book

Industrial Cybersecurity - Second Edition

by Pascal Ackerman

October 2021

Intermediate to advanced

800 pages

17h 8m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your Thoughts
Industrial Cybersecurity – second editionRecap of the first editionWhat is an ICS?ICS functionsICS architectureThe Purdue model for ICSesIT and OT convergence and the associated benefits and risksExample attack on the Slumbertown papermillThe comprehensive risk management processThe DiD modelICS security program development Takeaway from the first editionSummary
Why proper architecture mattersIndustrial control system architecture overviewThe Enterprise ZoneThe Industrial Demilitarized ZoneThe Industrial ZoneThe hardware that's used to build the ICS environmentICS environment and architecture management Summary
The IDMZ Fundamental conceptIDMZ design processDesign changes due to an expanding ICS environmentWhat makes up an IDMZ design?The Enterprise ZoneIDMZ firewallsIDMZ switchesIDMZ broker servicesThe Industrial Zone – Level 3 Site OperationsExample IDMZ broker-service solutionsSummary
Typical industrial network architecture designsEvolution from standalone islands of automationDesigning for securityNetwork architecture with security in mindSecurity monitoringNetwork choke pointsLogging and alertingSummary
Security incidentsPassive security monitoringActive security monitoringThreat-hunting exercisesSecurity monitoring data collection methodsNetwork packet capturingEvent logsPutting it all together – introducing SIEM systemsSummary
Technical requirementsPassive security monitoring explainedNetwork packet sniffingCollection and correlation of event logs Host-based agents Security Information and Event Management – SIEMWhat is a SIEM solution?How does a SIEM solution work?Common passive security monitoring toolsNSM IDSEvent log collection and correlationSetting up and configuring Security OnionExercise 1 – Setting up and configuring Security OnionDeploying the Security Onion VMConfiguring Security Onion Deploying Wazuh agentsExercise 2 – Setting up and a configuring a pfSense firewallDeploying a pfSense VMConfiguring pfSenseExercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)Deploying the SilentDefense sensor and Command Center VMsConfiguration of the SilentDefense setupExample usages of the SilentDefense setupSummary

Technical requirementsUnderstanding active security monitoringNetwork scanningEndpoint inspection with host-based agentsManual endpoint inspection/verificationExercise 1 – Scanning network-connected devicesDangers of scanning in the ICS environmentNmapAssets scanInterrogating Windows machinesExploring ModbusGetting EtherNet/IP informationScanning Siemens S7 (iso-tsap)Manual vulnerability verificationScanning for vulnerabilitiesExercise 2 – Manually inspecting an industrial computerPulling Windows-based host informationConfigured usersSummary
Technical requirementsThreat intelligence explainedUsing threat information in industrial environmentsAcquiring threat informationYour own incidents and threat hunting effortsVendor reportsYour own honeypots Peers and sharing communitiesExternal/third-party free and paid-for feedsCreating threat intelligence data out of threat informationExercise – Adding an AlienVault OTX threat feed to Security OnionSummary
Technical requirementsHolistic cybersecurity monitoringNetwork traffic monitoringNetwork intrusion monitoringHost-based security monitoring Exercise 1 – Using Wazuh to add Sysmon loggingExercise 2 – Using Wazuh to add PowerShell Script Block LoggingExercise 3 – Adding a Snort IDS to pfSenseExercise 4 – Sending SilentDefense alerts to Security Onion syslogExercise 5 – Creating a pfSense firewall event dashboard in KibanaExercise 6 – Creating a breach detection dashboard in KibanaNIDS alertsZeek noticesZeek Intel logsSuspicious process and file creation Suspicious PowerShell commandsSuspicious egress connectionsSuspicious ingress connectionsFailed user login attemptsNew user creation and changes to user accountsDownloaded filesSilentDefense alertsFinishing up the dashboardSummary
What is threat hunting?Threat hunting in ICS environmentsWhat is needed to perform threat hunting exercises?Network traffic logsEndpoint OS and application event logsMaking modifications to PLC, HMI, and other control systems and equipmentTracking new and changed devices on the (industrial) networkNetwork services event logsSIEMNetwork packet capturesResearch, lookups, and comparison resourcesThreat hunting is about uncovering threatsCorrelating events and alerts for threat hunting purposesSummary
Forming the malware beaconing threat hunting hypothesisDetection of beaconing behavior in the ICS environmentMalware beaconing explainedData exfiltrationLegitimate application beaconingUsing Security Onion to detect beaconing behaviorUsing RITA to detect beaconing behaviorInvestigating/forensics of suspicious endpointsFinding the suspicious computerFind the beaconing process – netstatUpload executable to VirusTotalRudimentary inspection of the suspicious executable – malware analysis 101Using indicators of compromise to uncover additional suspect systems Discovered IOCs so farSearching for network-specific indicators of compromiseSearching for host-based indicators of compromiseSummary
Technical requirementsForming the malicious or unwanted applications threat hunting hypothesisDetection of malicious or unwanted applications in the ICS environmentComparing system snapshots to find artifacts Looking for application errors to find artifactsLooking for malicious network traffic to find artifactsComparing port scans to find artifactsInventorying currently running processes in the ICS environmentInventorying startup processes in the ICS environment Investigation and forensics of suspicious endpointsSecurely extracting the suspicious executablesUsing discovered indicators of compromise to search the environment for additional suspect systemsUsing YARA to find malicious executablesUsing file strings as an indicator of compromiseSummary
Forming the suspicious external connections threat hunting hypothesisIngress network connectionsMayhem from the internetAttacks originating from the enterprise networkSummary
Understanding the types of cybersecurity assessments Risk assessmentsAsset identificationSystem characterizationVulnerability identificationThreat modelingRisk calculationMitigation prioritization and planningRed team exercisesHow do red team exercises differ from penetration tests?Blue team exercisesPenetration testingHow do ICS/OT security assessments differ from IT?Summary
Red Team versus Blue Team versus pentestingPenetration-testing objective – get to the objective at any costRed Team exercise objective – emulate real-world adversary TTPsBlue Team objective – detect and respond to security incidents as quickly as possibleRed Team/Blue Team example exercise, attacking Company ZRed Team strategyBlue Team preparationThe attackSummary
Practical view of penetration testingWhy ICS environments are easy targets for attackersTypical risks to an ICS environmentModeling pentests around the ICS Kill ChainThe Cyber Kill Chain explainedThe Intrusion Kill ChainThe ICS Cyber Kill ChainPentest methodology based on the ICS Kill ChainPentesting results allow us to prioritize cybersecurity effortsPentesting industrial environments requires cautionCreating an approximation of the industrial environmentExercise – performing an ICS-centric penetration testPreparation workSetting up the test environmentPentest engagement step 1 – attacking the enterprise environmentPentest engagement step 2 – pivoting into the industrial environmentPentest engagement step 3 – attacking the industrial environmentTesting Level 3 Site OperationsTesting the lower layers Pentest engagement step 4 – reaching the objective of the attackSummary
What is an incident?What is incident response?Incident response processesIncident response preparation processIncident handling processIncident response proceduresIncident response preparation processIncident handling processExample incident report formSummary
Discussing the lab architectureThe lab hardwareThe lab softwareDetails about the enterprise environment lab setupENT-DCENT-SQL and ENT-IISENT-ClientsActive Directory/Windows domain setupDetails about the industrial environment – lab setupServersWorkstationsHMIsPLCs and automation equipmentActive Directory/Windows domain setupHow to simulate (Chinese) attackersDiscussing the role of lab firewallsHow to install the malware for the lab environmentConfiguring packet capturing for passive security tools Summary
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Overview

Industrial Cybersecurity, Second Edition, is the definitive guide for safeguarding your Industrial Control Systems (ICS) against modern cyber threats. With a focus on active and passive monitoring, incident response, and effective risk assessment, this comprehensive book enables IT/OT professionals to secure critical infrastructure effectively.

What this Book will help me do

Understand ICS-specific security architecture and design architecture for ICS networks with robust security.
Implement effective passive and active security monitoring techniques tailored to industrial environments.
Conduct thorough risk assessments and threat-hunting exercises to preemptively identify vulnerabilities and threats.
Execute well-defined incident response plans ensuring quick recovery and minimal disruption.
Leverage tools like the ELK Stack for visualizing security data and improving operational strategies.

Author(s)

Pascal Ackerman is an experienced cybersecurity professional specializing in ICS environments. With a career spanning decades, Pascal combines practical expertise with a passion for teaching and sharing knowledge, aiming to empower professionals and organizations to achieve top-notch cybersecurity. His hands-on experience in diverse industries provides real-world applicability to his guidance.

Who is it for?

This book is tailored for ICS security professionals looking to deepen their knowledge of cybersecurity specifically applied to industrial control systems. Beginners interested in the cybersecurity domain, particularly concerning ICS, will also find the material accessible and immensely beneficial. IT/OT experts transitioning or extending their expertise to industrial cybersecurity can rely on this comprehensive guide to enhance their skillset. It is also an invaluable resource for learners preparing for industry-standard ICS cybersecurity qualifications or certifications.