Eric Knapp is a globally recognized expert in industrial control systems cyber security and continues to drive the adoption of new security technology to promote safer and more reliable automation infrastructures. He first specialized in ICS cyber security while at Nitrosecurity, where he focused on threats against these environments. He was later responsible for the development and implementation of end-to-end ICS cyber security solutions for McAfee in his role as Global Director for Critical Infrastructure Markets. He is currently Director of Strategic Alliances for Wurldtech Security Technologies, where he continues to promote the advancement of embedded security technology to better protect SCADA, ICS and other connected, real-time devices. In addition to his work in information security, he is an award-winning author of fiction. He studied at the University of New Hampshire and the University of London.
As the sophistication of cyber-attacks increases, understanding how to defend critical infrastructure systems (energy production, water, gas, and other vital systems) becomes more important, and heavily mandated. Industrial Network Security, Second Edition arms you with the knowledge you need to understand the vulnerabilities of these distributed supervisory and control systems. The book examines the unique protocols and applications that are the foundation of industrial control systems, and provides clear guidelines for their protection. This how-to guide gives you a thorough understanding of the unique challenges facing critical infrastructures, new guidelines and security measures for critical infrastructure protection, knowledge of new and evolving security tools, and pointers on SCADA protocols and security implementation.
- All-new real-world examples of attacks against control systems, and more diagrams of systems
- Expanded coverage of protocols such as 61850, Ethernet/IP, CIP, ISA-99, and the evolution to IEC62443
- Expanded coverage of Smart Grid security
- New coverage of signature-based detection, exploit-based vs. vulnerability-based detection, and signature reverse engineering
Cover 1
Title Page 4
Copyright Page 5
Contents 6
About the Author 16
Preface 18
Acknowledgments 20
Chapter 1 - Introduction 22
Information in this Chapter 22
Book Overview and Key Learning Points 22
Book Audience 23
Diagrams and Figures 23
The Smart Grid 24
How This Book is Organized 24
Chapter 2: About Industrial Networks 24
Chapter 3: Industrial Cyber Security, History, and Trends 25
Chapter 4: Introduction to ICS and Operations 25
Chapter 5: ICS Network Design and Architecture 25
Chapter 6: Industrial Network Protocols 25
Chapter 7: Hacking Industrial Systems 26
Chapter 8: Risk and Vulnerability Assessments 26
Chapter 9: Establishing Zones and Conduits 26
Chapter 10: Implementing security and access controls 26
Chapter 11: Exception, Anomaly, and Threat Detection 26
Chapter 12: Security Monitoring of Industrial Control Systems 27
Chapter 13: Standards and Regulations 27
Changes Made to the Second Edition 27
Conclusion 28
Chapter 2 - About Industrial Networks 30
Information in this Chapter 30
The Use of Terminology Within This Book 30
Attacks, Breaches, and Incidents: Malware, Exploits, and APTs 32
Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets 32
Security Controls and Security Countermeasures 33
Firewalls and Intrusion Prevention Systems 33
Industrial Control System 34
DCS or SCADA? 36
Industrial Networks 36
Industrial Protocols 36
Networks, Routable Networks, and Nonroutable Networks 39
Enterprise or Business Networks 41
Zones and Enclaves 43
Network Perimeters or “Electronic Security Perimeters” 45
Critical Infrastructure 47
Utilities 47
Nuclear Facilities 47
Bulk Electric 48
Smart Grid 49
Chemical Facilities 50
Common Industrial Security Recommendations 50
Identification of Critical Systems 50
Network Segmentation/Isolation of Systems 52
Defense in Depth 54
Access Control 55
Advanced Industrial Security Recommendations 56
Security Monitoring 57
Policy Whitelisting 57
Application Whitelisting 57
Common Misperceptions About Industrial Network Security 58
Assumptions Made in This Book 59
Summary 60
Chapter 3 - Industrial Cyber Security History and Trends 62
Information in this Chapter 62
Importance of Securing Industrial Networks 62
The Evolution of the Cyber Threat 65
APTs and Weaponized Malware 68
Night Dragon 70
Stuxnet 71
Advanced Persistent Threats and Cyber Warfare 71
Still to Come 71
Defending Against Modern Cyber Threats 72
The Insider 73
Hacktivism, Cyber Crime, Cyber Terrorism, and Cyber War 74
Summary 76
Chapter 4 - Introduction to Industrial Control Systems and Operations 80
Information in this Chapter 80
System Assets 80
Programmable Logic Controller 80
Ladder Diagrams 81
Sequential Function Charts 83
Remote Terminal Unit 84
Intelligent Electronic Device 85
Human–Machine Interface 85
Supervisory Workstations 88
Data Historian 88
Business Information Consoles and Dashboards 89
Other Assets 90
System Operations 91
Control Loops 91
Control Processes 93
Feedback Loops 94
Production Information Management 94
Business Information Management 95
Process Management 97
Safety Instrumented Systems 99
The Smart Grid 101
Network Architectures 103
Summary 103
Chapter 5 - Industrial Network Design and Architecture 106
Information in this Chapter 106
Introduction to Industrial Networking 108
Common Topologies 113
Network Segmentation 117
Higher Layer Segmentation 120
Physical vs. Logical Segmentation 125
Network Services 127
Wireless Networks 128
Remote Access 129
Performance Considerations 132
Latency and Jitter 132
Bandwidth and Throughput 133
Type of Service, Class of Service, and Quality of Service 133
Network Hops 134
Network Security Controls 134
Safety Instrumented Systems 135
Special Considerations 136
Wide Area Connectivity 136
Smart Grid Network Considerations 137
Advanced Metering Infrastructure 139
Summary 140
Chapter 6 - Industrial Network Protocols 142
Information in this Chapter 142
Overview of Industrial Network Protocols 142
Fieldbus Protocols 144
Modicon Communication Bus 144
What it Does 144
How it Works 144
Variants 147
Modbus RTU and Modbus ASCII 147
Modbus TCP 148
Modbus Plus or Modbus+ 148
Where it is Used 149
Security Concerns 150
Security Recommendations 150
Distributed Network Protocol 151
What it Does 153
How it Works 154
Secure DNP3 154
Where it is Used 157
Security Concerns 157
Security Recommendations 159
Process Fieldbus 160
Security Concerns 161
Security Recommendations 162
Industrial Ethernet Protocols 162
Ethernet Industrial Protocol 163
Security Concerns 165
Security Recommendations 165
PROFINET 167
Security Concerns 168
Security Recommendations 168
EtherCAT 168
Security Concerns 168
Security Recommendations 169
Ethernet POWERLINK 169
Security Concerns 170
Security Recommendations 170
SERCOS III 170
Security Concerns 171
Security Recommendations 171
Backend Protocols 171
Open process communications 171
What it Does 172
How it Works 173
Where it is Used 175
Security Concerns 176
Security Recommendations 177
Inter-Control Center Communications Protocol 178
What it Does 179
How it Works 179
Where it is Used 180
Security Concerns 180
Security Improvements Over Modbus and DNP 181
Security Recommendations 181
Advanced Metering Infrastructure and the Smart Grid 183
Security Concerns 185
Security Recommendations 185
Industrial Protocol Simulators 185
MODBUS 186
DNP3 / IEC 60870-5 186
OPC 186
ICCP / IEC 60870-6 (TASE.2) 186
Physical Hardware 187
Summary 187
Chapter 7 - Hacking Industrial Control Systems 192
Information in this Chapter 192
Motives and Consequences 192
Consequences of a Successful Cyber Incident 192
Cyber Security and Safety 193
Common Industrial Targets 195
Common Attack Methods 207
Man-in-the-Middle Attacks 207
Denial-of-Service Attacks 208
Replay Attacks 209
Compromising the Human–Machine Interface 210
Compromising the Engineering Workstation 210
Blended Attacks 211
Examples of Weaponized Industrial Cyber Threats 211
Stuxnet 212
Dissecting Stuxnet 212
What it Does 213
Lessons Learned 214
Shamoon/DistTrack 216
Flame/Flamer/Skywiper 216
Attack Trends 217
Evolving Vulnerabilities: The Adobe Exploits 218
Industrial Application Layer Attacks 219
Antisocial Networks: A New Playground for Malware 221
Cannibalistic Mutant Underground Malware 223
Dealing with an Infection 224
Summary 226
Chapter 8 - Risk and Vulnerability Assessments 230
Information in this Chapter 230
Cyber Security and Risk Management 231
Why Risk Management is the Foundation of Cyber Security 231
What is Risk? 232
Standards and Best Practices for Risk Management 234
Methodologies for Assessing Risk Within Industrial Control Systems 237
Security Tests 237
Security Audits 239
Security and Vulnerability Assessments 239
Establishing a Testing and Assessment Methodology 240
Tailoring a Methodology for Industrial Networks 240
Theoretical versus Physical Tests 241
Online versus Offline Physical Tests 242
System Characterization 244
Data Collection 248
Scanning of Industrial Networks 249
Device Scanners 249
Vulnerability Scanners 250
Traffic Scanners 250
Live Host Identification 252
“Quiet” / “Friendly” Scanning Techniques 252
Potentially “Noisy”/“Dangerous” Scanning Techniques 253
Port Mirroring and Span Ports 253
Command Line Tools 255
Hardware and Software Inventory 260
Data Flow Analysis 261
Threat Identification 262
Threat Actors/Sources 262
Threat Vectors 264
Threat Events 264
Identification of Threats During Security Assessments 265
Vulnerability Identification 267
Vulnerability Scanning 269
Configuration Auditing 271
Vulnerability Prioritization 272
Common Vulnerability Scoring System 273
Risk Classification and Ranking 274
Consequences and Impact 274
How to Estimate Consequences and Likelihood 275
Risk Ranking 277
Risk Reduction and Mitigation 278
Summary 279
Chapter 9 - Establishing Zones and Conduits 282
Information in this Chapter 282
Security Zones and Conduits Explained 284
Identifying and Classifying Security Zones and Conduits 285
Recommended Security Zone Separation 286
Network Connectivity 287
Caution 287
Control Loops 288
Supervisory Controls 289
Note 289
Plant Level Control Processes 289
Control Data Storage 291
Trading Communications 292
Remote Access 293
Users and Roles 293
Protocols 295
Criticality 296
Tip 297
Tip 298
Establishing Security Zones and Conduits 298
Summary 300
Chapter 10 - Implementing Security and Access Controls 304
Information in this Chapter 304
Network Segmentation 308
Zones and Security Policy Development 309
Using Zones within Security Device Configurations 309
Implementing Network Security Controls 311
Selecting Network Security Devices 311
Implementing Network Security Devices 314
Firewall Configuration Guidelines 314
Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines 316
Recommended IDS/IPS Rules 322
Anomaly-Based Intrusion Detection 324
Protocol Anomaly Detection 326
Application and Protocol Monitoring in Industrial Networks 326
Data Diodes and Unidirectional Gateways 329
Implementing Host Security and Access Controls 330
Selecting Host Cyber Security Systems 332
Host Firewalls 334
Host IDS 334
Anti-virus 335
Application Whitelisting 335
External Controls 337
Patch Management 337
Patching as a form of Vulnerability Management 337
Leave no Vulnerability Unturned 338
Maintaining System Availability 338
Comprehensive Predeployment Testing 340
Automating the Process 340
How Much Security is Enough? 341
Summary 342
Chapter 11 - Exception, Anomaly, and Threat Detection 344
Information in this Chapter 344
Exception Reporting 345
Behavioral Anomaly Detection 347
Measuring Baselines 348
Anomaly Detection 351
Analyzing IT vs. OT Metrics 353
Anomaly Detection Tools 353
Behavioral Whitelisting 354
User Whitelists 355
Asset Whitelists 356
Application Behavior Whitelists 358
Examples of Beneficial Whitelists 359
Smart-Lists 359
Threat Detection 361
Event Correlation 362
Data Enrichment 364
Normalization 365
Cross-Source Correlation 366
Tiered Correlation 367
Correlating Between IT and OT Systems 368
Summary 370
Chapter 12 - Security Monitoring of Industrial Control Systems 372
Information in this Chapter 372
Determining what to Monitor 373
Security Events 374
Assets 377
Configurations 379
Applications 381
Networks 382
User Identities and Authentication 383
Additional Context 386
Behavior 386
Successfully Monitoring Security Zones 388
Log Collection 389
Direct Monitoring 389
Inferred Monitoring 390
Information Collection and Management Tools 393
Syslog Aggregation and Log Search 393
Log Management Systems 393
Security Information and Event Management Systems 393
Data Historians 395
Monitoring Across Secure Boundaries 397
Information Management 397
Queries 398
Reports 400
Alerts 402
Incident Investigation and Response 402
Log Storage and Retention 403
Nonrepudiation 403
Data Retention/Storage 403
Data Availability 405
Summary 406
Chapter 13 - Standards and Regulations 408
Information in This Chapter 408
Common Standards and Regulations 409
NERC CIP 410
CFATS 410
ISO/IEC 27002 411
NRC Regulation 5.71 411
NIST SP 800-82 413
ISA/IEC-62443 413
ISA 62443 Group 1: “General” 413
ISA 62443 Group 2: “Policies and Procedures” 414
ISA 62443 Group 3: “System” 414
ISA 62443 Group 4: “Component” 415
Mapping Industrial Network Security to Compliance 416
Industry Best Practices for Conducting ICS Assessments 416
Department of Homeland Security (USA) / Centre for Protection of National Infrastructure (UK) 417
National Security Agency (USA) 418
American Petroleum Institute (USA) / National Petrochemical and Refiners Association (USA) 418
Institute for Security and Open Methodologies (Spain) 419
Common Criteria and FIPS Standards 419
Common Criteria 419
FIPS 140-2 421
Summary 421
Appendix A - Protocol Resources 430
Modbus Organization 430
DNP3 Users Group 430
OPC Foundation 431
Common Industrial Protocol (CIP) / Open Device Vendor Association (ODVA) 431
Profibus / Profinet International (PI) 431
Appendix B - Standards Organizations 432
North American Reliability Corporation (NERC) 432
The United States Nuclear Regulatory Commission (NRC) 432
NRC Title 10 CFR 73.54 433
NRC RG 5.71 433
United States Department of Homeland Security 433
Chemical Facilities Anti-Terrorism Standard (CFATS) 433
CFATS Risk-Based Performance Standards (RBPS) 433
International Society of Automation (ISA) 434
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 434
Appendix C - NIST Security Guidelines 436
National Institute of Standards and Technology, Special Publications 800 Series 436
Glossary 438
Index 446
About Industrial Networks
Abstract
An introduction to industrial networking and the unique qualities of industrial network cyber security.
| Publication date (per publisher) | 9.12.2014 |
|---|---|
| Language | English |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Computer Science ► Office Programs ► Outlook |
| ISBN-10 | 0-12-420184-9 / 0124201849 |
| ISBN-13 | 978-0-12-420184-2 / 9780124201842 |
Size: 19.0 MB
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook from misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Additional feature: online reading
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
Size: 11.1 MB
Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to displaying fiction and non-fiction. The body text adapts dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.