Chapter 10ICS Security Monitoring and Incident Response

OBJECTIVES

Upon completion of this chapter, you should be able to:

Demonstrate the knowledge of Change Management:
- Baselines
- Equipment connections
- Configuration auditing
Demonstrate the knowledge of Distribution and Installation of Patches
Demonstrate the knowledge of Software Reloads and Firmware Management
Demonstrate the knowledge of event, network, and security monitoring:
- Event monitoring
- Network monitoring
- Security monitoring
Demonstrate the knowledge of logging:
- Event logging
- Network logging
- Security logging
- Knowledge of archiving logs
Demonstrate the knowledge of incident recognition and triage:
- Log analysis/event correlation
- Anomalous behavior
- Intrusion detection
- Egress monitoring
- IPS
Demonstrate the knowledge of incident response:
- Recording/reporting
- Forensic log analysis
- Containment
- Incident response team
- Root cause analysis
- Eradication/quarantine
Demonstrate the knowledge of incident remediation/recovery

Introduction

An organization's cybersecurity policy should contain several interdependent plans working together to address the following areas:

Configuration management
Patch management
Patch testing
Organization/local data backup/retrieval
Incident response
Disaster recovery

After the cybersecurity policy plan has been fully developed and implemented, it is important to periodically assess all of the components of the plan; review any change in system status, functionality, design, ...

Get Practical Industrial Cybersecurity now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Industrial Cybersecurity by Charles J. Brooks, Philip A. Craig Jr.

Chapter 10ICS Security Monitoring and Incident Response

Introduction

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly