Preface Chapter 1: Industrial Control Systems An overview of an Industrial control system The view function The monitor function The control function The Industrial control system architecture Programmable logic controllers Human Machine Interface Supervisory Control and Data Acquisition Distributed control system Safety instrumented system The Purdue model for Industrial control systems The enterprise zone Level 5 - Enterprise network Level 4 - Site business planning and logistics Industrial Demilitarized Zone The manufacturing zone Level 3 - Site operations Level 2 - Area supervisory control Level 1 - Basic control Level 0 - Process Industrial control system communication media and protocols Regular information technology network protocols Process automation protocols Industrial control system protocols Building automation protocols Automatic meter reading protocols Communication protocols in the enterprise zone Communication protocols in the Industrial zone Summary Chapter 2: Insecure by Inheritance Industrial control system history Modbus and Modbus TCP/IP Breaking Modbus Using Python and Scapy to communicate over Modbus Replaying captured Modbus packets PROFINET PROFINET packet replay attacks $7 communication and the stop CPU vulnerability EtherNet/IP and the Common Industrial Protocol Shodan: The scariest search engine on the internet Common IT protocols found in the ICS HTTP File Transfer Protocol Telnet Address Resolution Protocol ICMP echo request Summary Chapter 3: Anatomy of an ICS Attack Scenario Setting the stage The Slumbertown paper mill Trouble in paradise Building a virtual test network Clicking our heels What can the attacker do with their access The cyber kill chain Phase two of the Slumbertown Mill ICS attack Other attack scenarios Summary Chapter 4: Industrial Control System Risk Assessment Attacks, objectives, and consequences Risk assessments A risk assessment example Step 1 - Asset identification and system characterization Step 2 - Vulnerability identification and threat modeling Discovering vulnerabilities Threat modeling Step 3 - Risk calculation and mitigation Summary Chapter 5: The Purdue Model and a Converged Plantwide Ethernet The Purdue Enterprise Reference Architecture The Converged Plantwide Enterprise The safety zone Cell/area zones Level 0 - The process Level 1 - Basic control Level 2 - Area supervisory control The manufacturing zone Level 3 - Site manufacturing operations and control The enterprise zone Level 4 - Site business planning and logistics Level 5 - Enterprise Level 3.5 - The Industrial Demilitarized Zone The CPwE industrial network security framework Summary Chapter 6: The Defense-in-depth Model ICS security restrictions How to go about defending an ICS The ICS is extremely defendable The defense-in-depth model Physical security Network security Computer security Application security Device security Policies, procedures, and awareness Summary Chapter 7: Physical ICS Security The ICS security bubble analogy Segregation exercise Down to it - Physical security Summary Chapter 8: ICS Network Security Designing network architectures for security Network segmentation The Enterprise Zone The Industrial Zone Cell Area Zones Level 3 site operations The Industrial Demilitarized Zone Communication conduits Resiliency and redundancy Architectural overview Firewalls Configuring the active-standby pair of firewalls Security monitoring and logging Network packet capturing Event logging Security information and event management Firewall logs Configuring the Cisco ASA firewall to send log data to the OSSIM server Setting the syslog logging level for Cisco devices Network intrusion detection logs Why not intrusion prevention Configuring the Cisco Sourcefire IDS to send log data to the OSSIM server Router and switch logs Configuring Cisco lOS to log to the syslog service of the OSSIM server Operating system logs Collecting logs from a Windows system Installing and configuring NXLog CE across your Windows hosts Application logs Reading an application log file with an HIDS agent on Windows Network visibility Summary Chapter 9: ICS Computer Security Endpoint hardening Narrowing the attack surface Limiting the impact of a compromise Microsoft Enhanced Mitigation Experience Toolkit Configuring EMET for a Rockwell Automation application server Microsoft AppLocker Microsoft AppLocker configuration Configuration and change management Patch management Configuring Microsoft Windows Server Update Services for the industrial zone Configuring the Cisco ASA firewall Creating the Windows Server Update Services server Configuring Windows client computers to get updates from the WSUS server Endpoint protection software Host-based firewalls Anti-malware software Types of malware Application whitelisting software Application whitelisting versus blacklisting How application whitelisting works Symantec's Embedded Security: Critical system protection Building the Symantec's Embedded Security: Critical System Protection management server Monitoring and logging Summary Chapter 10: ICS Application Security Application security Input validation vulnerabilities Software tampering Authentication vulnerabilities Authorization vulnerabilities Insecure configuration vulnerabilities Session management vulnerabilities Parameter manipulation vulnerabilities Application security testing OpenVAS security scan ICS application patching ICS secure SDLC The definition of secure SDLC Summary Chapter 11: ICS Device Security ICS device hardening ICS device patching The ICS device life cycle ICS device security considerations during the procurement phase ICS device security considerations during the installation phase ICS device security considerations during the operation phase ICS device security considerations for decommissioning and disposal Summary Chapter 12: The ICS Cybersecurity Program Development Process The NIST Guide to Industrial control systems security Obtaining senior management buy-in Building and training a cross-functional team Defining charter and scope Defining ICS-specific security policies and procedures Implementing an ICS security risk-management framework Categorizing ICS systems and network assets Selecting ICS security controls Performing (initial) risk assessment Implementing the security controls The ICS security program development process Security policies, standards, guidelines, and procedures Defining ICS-specific security policies, standards, and procedures Defining and inventorying the ICS assets Performing an initial risk assessment on discovered ICS assets The Slumbertown Paper Mill initial risk assessment Defining and prioritizing mitigation activities Defining and kicking off the security improvement cycle Summary Index