Industrial Network Security - Eric D. Knapp, Joel Thomas Langill

Industrial Network Security (eBook)

Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems

Eric D. Knapp, Joel Thomas Langill (Autoren)

eBook Download: PDF | EPUB

2014 | 2. Auflage
460 Seiten
Elsevier Science (Verlag)
978-0-12-420184-2 (ISBN)

As the sophistication of cyber-attacks increases, understanding how to defend critical infrastructure systems-energy production, water, gas, and other vital systems-becomes more important, and heavily mandated. Industrial Network Security, Second Edition arms you with the knowledge you need to understand the vulnerabilities of these distributed supervisory and control systems. The book examines the unique protocols and applications that are the foundation of industrial control systems, and provides clear guidelines for their protection. This how-to guide gives you thorough understanding of the unique challenges facing critical infrastructures, new guidelines and security measures for critical infrastructure protection, knowledge of new and evolving security tools, and pointers on SCADA protocols and security implementation. - All-new real-world examples of attacks against control systems, and more diagrams of systems - Expanded coverage of protocols such as 61850, Ethernet/IP, CIP, ISA-99, and the evolution to IEC62443 - Expanded coverage of Smart Grid security - New coverage of signature-based detection, exploit-based vs. vulnerability-based detection, and signature reverse engineering

Eric Knapp is a globally recognized expert in industrial control systems cyber security and continues to drive the adoption of new security technology to promote safer and more reliable automation infrastructures. He first specialized in ICS cyber security while at Nitrosecurity, where he focused on threats against these environments. He was later responsible for the development and implementation of end-to-end ICS cyber security solutions for McAfee in his role as Global Director for Critical Infrastructure Markets. He is currently Director of Strategic Alliances for Wurldtech Security Technologies, where he continues to promote the advancement of embedded security technology to better protect SCADA, ICS and other connected, real-time devices. In addition to his work in information security, he is an award-winning author of fiction. He studied at the University of New Hampshire and the University of London.

Cover 1
Title Page 4
Copyright Page 5
Contents 6
About the Author 16
Preface 18
Acknowledgments 20
Chapter 1 - Introduction 22
Information in this Chapter 22
Book Overview and Key Learning Points 22
Book Audience 23
Diagrams and Figures 23
The Smart Grid 24
How This Book is Organized 24
Chapter 2: About Industrial Networks 24
Chapter 3: Industrial Cyber Security, History, and Trends 25
Chapter 4: Introduction to ICS and Operations 25
Chapter 5: ICS Network Design and Architecture 25
Chapter 6: Industrial Network Protocols 25
Chapter 7: Hacking Industrial Systems 26
Chapter 8: Risk and Vulnerability Assessments 26
Chapter 9: Establishing Zones and Conduits 26
Chapter 10: Implementing security and access controls 26
Chapter 11: Exception, Anomaly, and Threat Detection 26
Chapter 12: Security Monitoring of Industrial Control Systems 27
Chapter 13: Standards and Regulations 27
Changes Made to the Second Edition 27
Conclusion 28
Chapter 2 - About Industrial Networks 30
Information in this Chapter 30
The Use of Terminology Within This Book 30
Attacks, Breaches, and Incidents: Malware, Exploits, and APTs 32
Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets 32
Security Controls and Security Countermeasures 33
Firewalls and Intrusion Prevention Systems 33
Industrial Control System 34
DCS or SCADA? 36
Industrial Networks 36
Industrial Protocols 36
Networks, Routable Networks, and Nonroutable Networks 39
Enterprise or Business Networks 41
Zones and Enclaves 43
Network Perimeters or “Electronic Security Perimeters” 45
Critical Infrastructure 47
Utilities 47
Nuclear Facilities 47
Bulk Electric 48
Smart Grid 49
Chemical Facilities 50
Common Industrial Security Recommendations 50
Identification of Critical Systems 50
Network Segmentation/Isolation of Systems 52
Defense in Depth 54
Access Control 55
Advanced Industrial Security Recommendations 56
Security Monitoring 57
Policy Whitelisting 57
Application Whitelisting 57
Common Misperceptions About Industrial Network Security 58
Assumptions Made in This Book 59
Summary 60
Chapter 3 - Industrial Cyber Security History and Trends 62
Information in this Chapter 62
Importance of Securing Industrial Networks 62
The Evolution of the Cyber Threat 65
APTs and Weaponized Malware 68
Night Dragon 70
Stuxnet 71
Advanced Persistent Threats and Cyber Warfare 71
Still to Come 71
Defending Against Modern Cyber Threats 72
The Insider 73
Hacktivism, Cyber Crime, Cyber Terrorism, and Cyber War 74
Summary 76
Chapter 4 - Introduction to Industrial Control Systems and Operations 80
Information in this Chapter 80
System Assets 80
Programmable Logic Controller 80
Ladder Diagrams 81
Sequential Function Charts 83
Remote Terminal Unit 84
Intelligent Electronic Device 85
Human–Machine Interface 85
Supervisory Workstations 88
Data Historian 88
Business Information Consoles and Dashboards 89
Other Assets 90
System Operations 91
Control Loops 91
Control Processes 93
Feedback Loops 94
Production Information Management 94
Business Information Management 95
Process Management 97
Safety Instrumented Systems 99
The Smart Grid 101
Network Architectures 103
Summary 103
Chapter 5 - Industrial Network Design and Architecture 106
Information in this Chapter 106
Introduction to Industrial Networking 108
Common Topologies 113
Network Segmentation 117
Higher Layer Segmentation 120
Physical vs. Logical Segmentation 125
Network Services 127
Wireless Networks 128
Remote Access 129
Performance Considerations 132
Latency and Jitter 132
Bandwidth and Throughput 133
Type of Service, Class of Service, and Quality of Service 133
Network Hops 134
Network Security Controls 134
Safety Instrumented Systems 135
Special Considerations 136
Wide Area Connectivity 136
Smart Grid Network Considerations 137
Advanced Metering Infrastructure 139
Summary 140
Chapter 6 - Industrial Network Protocols 142
Information in this Chapter 142
Overview of Industrial Network Protocols 142
Fieldbus Protocols 144
Modicon Communication Bus 144
What it Does 144
How it Works 144
Variants 147
Modbus RTU and Modbus ASCII 147
Modbus TCP 148
Modbus Plus or Modbus+ 148
Where it is Used 149
Security Concerns 150
Security Recommendations 150
Distributed Network Protocol 151
What it Does 153
How it Works 154
Secure DNP3 154
Where it is Used 157
Security Concerns 157
Security Recommendations 159
Process Fieldbus 160
Security Concerns 161
Security Recommendations 162
Industrial Ethernet Protocols 162
Ethernet Industrial Protocol 163
Security Concerns 165
Security Recommendations 165
PROFINET 167
Security Concerns 168
Security Recommendations 168
EtherCAT 168
Security Concerns 168
Security Recommendations 169
Ethernet POWERLINK 169
Security Concerns 170
Security Recommendations 170
SERCOS III 170
Security Concerns 171
Security Recommendations 171
Backend Protocols 171
Open process communications 171
What it Does 172
How it Works 173
Where it is Used 175
Security Concerns 176
Security Recommendations 177
Inter-Control Center Communications Protocol 178
What it Does 179
How it Works 179
Where it is Used 180
Security Concerns 180
Security Improvements Over Modbus and DNP 181
Security Recommendations 181
Advanced Metering Infrastructure and the Smart Grid 183
Security Concerns 185
Security Recommendations 185
Industrial Protocol Simulators 185
MODBUS 186
DNP3 / IEC 60870-5 186
OPC 186
ICCP / IEC 60870-6 (TASE.2) 186
Physical Hardware 187
Summary 187
Chapter 7 - Hacking Industrial Control Systems 192
Information in this Chapter 192
Motives and Consequences 192
Consequences of a Successful Cyber Incident 192
Cyber Security and Safety 193
Common Industrial Targets 195
Common Attack Methods 207
Man-in-the-Middle Attacks 207
Denial-of-Service Attacks 208
Replay Attacks 209
Compromising the Human–Machine Interface 210
Compromising the Engineering Workstation 210
Blended Attacks 211
Examples of Weaponized Industrial Cyber Threats 211
Stuxnet 212
Dissecting Stuxnet 212
What it Does 213
Lessons Learned 214
Shamoon/DistTrack 216
Flame/Flamer/Skywiper 216
Attack Trends 217
Evolving Vulnerabilities: The Adobe Exploits 218
Industrial Application Layer Attacks 219
Antisocial Networks: A New Playground for Malware 221
Cannibalistic Mutant Underground Malware 223
Dealing with an Infection 224
Summary 226
Chapter 8 - Risk and Vulnerability Assessments 230
Information in this Chapter 230
Cyber Security and Risk Management 231
Why Risk Management is the Foundation of Cyber Security 231
What is Risk? 232
Standards and Best Practices for Risk Management 234
Methodologies for Assessing Risk Within Industrial Control Systems 237
Security Tests 237
Security Audits 239
Security and Vulnerability Assessments 239
Establishing a Testing and Assessment Methodology 240
Tailoring a Methodology for Industrial Networks 240
Theoretical versus Physical Tests 241
Online versus Offline Physical Tests 242
System Characterization 244
Data Collection 248
Scanning of Industrial Networks 249
Device Scanners 249
Vulnerability Scanners 250
Traffic Scanners 250
Live Host Identification 252
“Quiet” / “Friendly” Scanning Techniques 252
Potentially “Noisy”/“Dangerous” Scanning Techniques 253
Port Mirroring and Span Ports 253
Command Line Tools 255
Hardware and Software Inventory 260
Data Flow Analysis 261
Threat Identification 262
Threat Actors/Sources 262
Threat Vectors 264
Threat Events 264
Identification of Threats During Security Assessments 265
Vulnerability Identification 267
Vulnerability Scanning 269
Configuration Auditing 271
Vulnerability Prioritization 272
Common Vulnerability Scoring System 273
Risk Classification and Ranking 274
Consequences and Impact 274
How to Estimate Consequences and Likelihood 275
Risk Ranking 277
Risk Reduction and Mitigation 278
Summary 279
Chapter 9 - Establishing Zones and Conduits 282
Information in this Chapter 282
Security Zones and Conduits Explained 284
Identifying and Classifying Security Zones and Conduits 285
Recommended Security Zone Separation 286
Network Connectivity 287
Caution 287
Control Loops 288
Supervisory Controls 289
Note 289
Plant Level Control Processes 289
Control Data Storage 291
Trading Communications 292
Remote Access 293
Users and Roles 293
Protocols 295
Criticality 296
Tip 297
Tip 298
Establishing Security Zones and Conduits 298
Summary 300
Chapter 10 - Implementing Security and Access Controls 304
Information in this Chapter 304
Network Segmentation 308
Zones and Security Policy Development 309
Using Zones within Security Device Configurations 309
Implementing Network Security Controls 311
Selecting Network Security Devices 311
Implementing Network Security Devices 314
Firewall Configuration Guidelines 314
Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines 316
Recommended IDS/IPS Rules 322
Anomaly-Based Intrusion Detection 324
Protocol Anomaly Detection 326
Application and Protocol Monitoring in Industrial Networks 326
Data Diodes and Unidirectional Gateways 329
Implementing Host Security and Access Controls 330
Selecting Host Cyber Security Systems 332
Host Firewalls 334
Host IDS 334
Anti-virus 335
Application Whitelisting 335
External Controls 337
Patch Management 337
Patching as a form of Vulnerability Management 337
Leave no Vulnerability Unturned 338
Maintaining System Availability 338
Comprehensive Predeployment Testing 340
Automating the Process 340
How Much Security is Enough? 341
Summary 342
Chapter 11 - Exception, Anomaly, and Threat Detection 344
Information in this Chapter 344
Exception Reporting 345
Behavioral Anomaly Detection 347
Measuring Baselines 348
Anomaly Detection 351
Analyzing IT vs. OT Metrics 353
Anomaly Detection Tools 353
Behavioral Whitelisting 354
User Whitelists 355
Asset Whitelists 356
Application Behavior Whitelists 358
Examples of Beneficial Whitelists 359
Smart-Lists 359
Threat Detection 361
Event Correlation 362
Data Enrichment 364
Normalization 365
Cross-Source Correlation 366
Tiered Correlation 367
Correlating Between IT and OT Systems 368
Summary 370
Chapter 12 - Security Monitoring of Industrial Control Systems 372
Information in this Chapter 372
Determining what to Monitor 373
Security Events 374
Assets 377
Configurations 379
Applications 381
Networks 382
User Identities and Authentication 383
Additional Context 386
Behavior 386
Successfully Monitoring Security Zones 388
Log Collection 389
Direct Monitoring 389
Inferred Monitoring 390
Information Collection and Management Tools 393
Syslog Aggregation and Log Search 393
Log Management Systems 393
Security Information and Event Management Systems 393
Data Historians 395
Monitoring Across Secure Boundaries 397
Information Management 397
Queries 398
Reports 400
Alerts 402
Incident Investigation and Response 402
Log Storage and Retention 403
Nonrepudiation 403
Data Retention/Storage 403
Data Availability 405
Summary 406
Chapter 13 - Standards and Regulations 408
Information in This Chapter 408
Common Standards and Regulations 409
NERC CIP 410
CFATS 410
ISO/IEC 27002 411
NRC Regulation 5.71 411
NIST SP 800-82 413
ISA/IEC-62443 413
ISA 62443 Group 1: “General” 413
ISA 62443 Group 2: “Policies and Procedures” 414
ISA 62443 Group 3: “System” 414
ISA 62443 Group 4: “Component” 415
Mapping Industrial Network Security to Compliance 416
Industry Best Practices for Conducting ICS Assessments 416
Department of Homeland Security (USA) / Centre for Protection of National Infrastructure (UK) 417
National Security Agency (USA) 418
American Petroleum Institute (USA) / National Petrochemical and Refiners Association (USA) 418
Institute for Security and Open Methodologies (Spain) 419
Common Criteria and FIPS Standards 419
Common Criteria 419
FIPS 140-2 421
Summary 421
Appendix A - Protocol Resources 430
Modbus Organization 430
DNP3 Users Group 430
OPC Foundation 431
Common Industrial Protocol (CIP) / Open Device Vendor Association (ODVA) 431
Profibus / Profinet International (PI) 431
Appendix B - Standards Organizations 432
North American Reliability Corporation (NERC) 432
The United States Nuclear Regulatory Commission (NRC) 432
NRC Title 10 CFR 73.54 433
NRC RG 5.71 433
United States Department of Homeland Security 433
Chemical Facilities Anti-Terrorism Standard (CFATS) 433
CFATS Risk-Based Performance Standards (RBPS) 433
International Society of Automation (ISA) 434
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 434
Appendix C - NIST Security Guidelines 436
National Institute of Standards and Technology, Special Publications 800 Series 436
Glossary 438
Index 446

Chapter 2

About Industrial Networks

Abstract

An introduction to industrial networking and the unique qualities of industrial network cyber security.

Keywords

industrial security requirements

common recommendations

terminology

Information in this chapter

• The Use of Terminology Within This Book

• Common Industrial Security Recommendations

• Advanced Industrial Security Recommendations

• Common Misperceptions About Industrial Network Security

It is important to understand some of the terms used when discussing industrial networking and industrial control systems, as well as the basics of how industrial networks are architected and how they operate before attempting to secure an industrial network and its interconnected systems. It is also important to understand some of the common security recommendations deployed in business networks, and why they may or may not be truly suitable for effective industrial network cyber security.

What is an industrial network? Because of a rapidly evolving socio-political landscape, the terminology of industrial networking has become blurred. Terms such as “critical infrastructure,” “APT,” “SCADA,” and “Smart Grid” are used freely and often incorrectly. It can be confusing to discuss them in general terms not only because of the diversity of the industrial networks themselves, but also the markets they serve. Many regulatory agencies and commissions have also been formed to help secure different industrial networks for different industry sectors—each introducing their own specific nomenclatures and terminology.

This chapter will attempt to provide a baseline for industrial network cyber security, introducing the reader to some of the common terminology, issues, and security recommendations that will be discussed throughout the remainder of this book.

The use of terminology within this book

The authors have witnessed many discussions on industrial cyber security fall apart due to disagreements over terminology. There is a good deal of terminology specific to both cyber security and to industrial control systems that will be used throughout this book. Some readers may be cyber security experts who are unfamiliar with industrial control systems, while others may be industrial system professionals who are unfamiliar with cyber security. For this reason, a conscientious effort has been made by the authors to convey the basics of both disciplines, and to accommodate both types of readers.

Some of the terms that will be used extensively include the following:

• Assets (including whether they are physical or logical assets, and if they are classified as cyber assets, critical assets, and critical cyber assets)

• Enclaves, Zones, and Conduits

• Enterprise or Business Networks

• Industrial Control Systems: DCS, PCS, SIS, SCADA

• Industrial Networks

• Industrial Protocols

• Network Perimeter or Electronic Security Perimeter (ESP)

• Critical Infrastructure.

Some cyber security terms that will be addressed include the following:

• Attacks

• Breaches

• Incidents and Exploits

• Vulnerabilities

• Risk

• Security Measures, Security Controls, or Countermeasures.

These will be given some cursory attention here, as a foundation for the following chapters. There are many more specialized terms that will be used, and so an extensive glossary has been provided at the back of this book. The first time a term is used, it will be printed in bold to indicate that it is available in the glossary.

Note

The book title “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems” was chosen because this text discusses all of these terms to some extent. “Industrial cyber security” is a topic relevant to many industries, each of which differ significantly in terms of design, architecture, and operation. An effective discussion of cyber security must acknowledge these differences; however, it is impossible to cover every nuance of DCS, SCADA, Smart Grids, critical manufacturing, and so on. This book will focus on the commonalities among these industries, providing a basic understanding of industrial automation, and the constituent systems, subsystems, and devices that are used. Every effort will also be made to refer to all industrial automation and control systems (DCS, PCS, SCADA, etc.) as simply industrial control systems or just ICS. It is also important to understand that industrial networks are one link in a much larger chain comprising fieldbus networks, process control networks, supervisory networks, business networks, remote access networks, and any number of specialized applications, services and communications infrastructures that may all be interconnected and therefore must be assessed and secured within the context of cyber security. A Smart Grid, a petroleum refinery, and a city skyscraper may all utilize ICS, yet each represents unique variations in terms of size, complexity, and risk. All are built using the same technologies and principles making the cyber security concerns of each similar and the fundamentals of industrial cyber security equally applicable.

Note

This book does not go into extensive detail on the architecture of Smart Grids due to the complexity of these systems. Please consult the book “Applied Cyber Security and the Smart Grid”1 if more detail on Smart Grid architecture and its associated cyber security is desired.

Attacks, breaches, and incidents: malware, exploits, and APTs

The reason that you are reading a book titled “Industrial Network Security” is likely because you are interested in, if not concerned about, unauthorized access to and potentially hazardous or mischievous usage of equipment connected to an industrial network. This could be a deliberate action by an individual or organization, a government-backed act of cyber war, the side effect of a computer virus that just happened to spread from a business network to an ICS server, the unintended consequence of a faulty network card or—for all we know—the result of some astrological alignment of the sun, planets, and stars (aka “solar flares”). While there are subtle differences in the terms “incident” and “attack”—mostly to do with intent, motivation, and attribution—this book does not intend to dwell on these subtleties. The focus in this book is how an attack (or breach, or exploit, or incident) might occur, and subsequently how to best protect the industrial network and the connected ICS components against undesirable consequences that result from this action. Did the action result in some outcome—operational, health, safety or environment—that must be reported to a federal agency according to some regulatory legislation? Did it originate from another country? Was it a simple virus or a persistent rootkit? Could it be achieved with free tools available on the Internet, or did it require the resources of a state-backed cyber espionage group? Do such groups even exist? The authors of this book think that these are all great questions, but ones best served by some other book. These terms may therefore be used rather interchangeably herein.

Assets, critical assets, cyber assets, and critical cyber assets

An asset is simply a term for a component that is used within an industrial control system. Assets are often “physical,” such as a workstation, server, network switch, or PLC. Physical assets also include the large quantity of sensors and actuators used to control an industrial process or plant. There are also “logical” assets that represent what is contained within the physical asset, such as a process graphic, a database, a logic program, a firewall rule set, or firmware. When you think about it, cyber security is usually focused on the protection of “logical” assets and not the “physical” assets that contain them. Physical security is that which tends to focus more on the protection of a physical asset. Security from a general point-of-view can therefore effectively protect a “logical” asset, a “physical” asset, or both. This will become more obvious as we develop the concept of security controls or countermeasures later in this book.

The Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corporation (NERC) through version 4 has defined a “critical cyber asset” or “CCA” as any device that uses a routable protocol to communicate outside the electronic security perimeter (ESP), uses a routable protocol within a control center, or is dial-up accessible.2 This changed in version 5 of the standard by shifting from an individual asset approach, to one that addresses...

Erscheint lt. Verlag	9.12.2014
Sprache	englisch
Themenwelt	Informatik ► Netzwerke ► Sicherheit / Firewall
Themenwelt	Informatik ► Office Programme ► Outlook
ISBN-10	0-12-420184-9 / 0124201849
ISBN-13	978-0-12-420184-2 / 9780124201842

Haben Sie eine Frage zum Produkt?

PDF (Adobe DRM)
Größe: 19,0 MB

Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM

Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.

Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine Adobe-ID und die Software Adobe Digital Editions (kostenlos). Von der Benutzung der OverDrive Media Console raten wir Ihnen ab. Erfahrungsgemäß treten hier gehäuft Probleme mit dem Adobe DRM auf.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine Adobe-ID sowie eine kostenlose App.
Geräteliste und zusätzliche Hinweise

Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

EPUB (Adobe DRM)
Größe: 11,1 MB

Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.

Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.