Book Image

Industrial Cybersecurity - Second Edition

By : Pascal Ackerman

Book Image

Industrial Cybersecurity - Second Edition

By: Pascal Ackerman

Overview of this book

With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) and procedures of ICS cybersecurity risks as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, as well as threat hunting.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Share Your Thoughts

Section 1: ICS Cybersecurity Fundamentals

Section 1: ICS Cybersecurity Fundamentals

Free Chapter

Chapter 1: Introduction and Recap of First Edition

Chapter 1: Introduction and Recap of First Edition

Industrial Cybersecurity – second edition

Recap of the first edition

What is an ICS?

Chapter 2: A Modern Look at the Industrial Control System Architecture

Chapter 2: A Modern Look at the Industrial Control System Architecture

Why proper architecture matters

Industrial control system architecture overview

Chapter 3: The Industrial Demilitarized Zone

Chapter 3: The Industrial Demilitarized Zone

What makes up an IDMZ design?

Example IDMZ broker-service solutions

Chapter 4: Designing the ICS Architecture with Security in Mind

Chapter 4: Designing the ICS Architecture with Security in Mind

Typical industrial network architecture designs

Designing for security

Security monitoring

Section 2:Industrial Cybersecurity – Security Monitoring

Section 2:Industrial Cybersecurity – Security Monitoring

Chapter 5: Introduction to Security Monitoring

Chapter 5: Introduction to Security Monitoring

Security incidents

Passive security monitoring

Active security monitoring

Threat-hunting exercises

Security monitoring data collection methods

Putting it all together – introducing SIEM systems

Chapter 6: Passive Security Monitoring

Chapter 6: Passive Security Monitoring

Technical requirements

Passive security monitoring explained

Security Information and Event Management – SIEM

Common passive security monitoring tools

Setting up and configuring Security Onion

Exercise 1 – Setting up and configuring Security Onion

Exercise 2 – Setting up and a configuring a pfSense firewall

Exercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)

Chapter 7: Active Security Monitoring

Chapter 7: Active Security Monitoring

Technical requirements

Understanding active security monitoring

Exercise 1 – Scanning network-connected devices

Exercise 2 – Manually inspecting an industrial computer

Chapter 8: Industrial Threat Intelligence

Chapter 8: Industrial Threat Intelligence

Technical requirements

Threat intelligence explained

Using threat information in industrial environments

Acquiring threat information

Creating threat intelligence data out of threat information

Exercise – Adding an AlienVault OTX threat feed to Security Onion

Chapter 9: Visualizing, Correlating, and Alerting

Chapter 9: Visualizing, Correlating, and Alerting

Technical requirements

Holistic cybersecurity monitoring

Exercise 1 – Using Wazuh to add Sysmon logging

Exercise 2 – Using Wazuh to add PowerShell Script Block Logging

Exercise 3 – Adding a Snort IDS to pfSense

Exercise 4 – Sending SilentDefense alerts to Security Onion syslog

Exercise 5 – Creating a pfSense firewall event dashboard in Kibana

Exercise 6 – Creating a breach detection dashboard in Kibana

Section 3:Industrial Cybersecurity – Threat Hunting

Section 3:Industrial Cybersecurity – Threat Hunting

Chapter 10: Threat Hunting

Chapter 10: Threat Hunting

What is threat hunting?

Threat hunting in ICS environments

What is needed to perform threat hunting exercises?

Threat hunting is about uncovering threats

Correlating events and alerts for threat hunting purposes

Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing

Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing

Forming the malware beaconing threat hunting hypothesis

Detection of beaconing behavior in the ICS environment

Investigating/forensics of suspicious endpoints

Using indicators of compromise to uncover additional suspect systems

Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications

Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications

Technical requirements

Forming the malicious or unwanted applications threat hunting hypothesis

Detection of malicious or unwanted applications in the ICS environment

Investigation and forensics of suspicious endpoints

Using discovered indicators of compromise to search the environment for additional suspect systems

Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections

Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections

Forming the suspicious external connections threat hunting hypothesis

Ingress network connections

Section 4:Industrial Cybersecurity – Security Assessments and Intel

Section 4:Industrial Cybersecurity – Security Assessments and Intel

Chapter 14: Different Types of Cybersecurity Assessments

Chapter 14: Different Types of Cybersecurity Assessments

Understanding the types of cybersecurity assessments

Risk assessments

Red team exercises

Blue team exercises

Penetration testing

How do ICS/OT security assessments differ from IT?

Chapter 15: Industrial Control System Risk Assessments

Chapter 15: Industrial Control System Risk Assessments

Chapter 16: Red Team/Blue Team Exercises

Chapter 16: Red Team/Blue Team Exercises

Red Team versus Blue Team versus pentesting

Red Team/Blue Team example exercise, attacking Company Z

Chapter 17: Penetration Testing ICS Environments

Chapter 17: Penetration Testing ICS Environments

Practical view of penetration testing

Why ICS environments are easy targets for attackers

Typical risks to an ICS environment

Modeling pentests around the ICS Kill Chain

Pentesting results allow us to prioritize cybersecurity efforts

Pentesting industrial environments requires caution

Exercise – performing an ICS-centric penetration test

Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment

Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment

Chapter 18: Incident Response for the ICS Environment

Chapter 18: Incident Response for the ICS Environment

What is an incident?

What is incident response?

Incident response processes

Incident response procedures

Example incident report form

Chapter 19: Lab Setup

Chapter 19: Lab Setup

Discussing the lab architecture

Details about the enterprise environment lab setup

Details about the industrial environment – lab setup

How to simulate (Chinese) attackers

Discussing the role of lab firewalls

How to install the malware for the lab environment

Configuring packet capturing for passive security tools

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Summary

In this chapter, we proved our hypothesis that suspicious external connections are going into the industrial zone. We landed at this conclusion by observing the interactions with industrial equipment from all connections into the industrial zone that were discovered over a 7-day period. We eliminated the legitimate connections by finding anomalies associated with a suspicious connection and investigated the suspicious system on the enterprise network to find the smoking gun, which came from the discovery of a connection into the enterprise system from a Chinese IP address out on the internet.

This concludes the Threat Hunting part of this book. The next chapter will be the first chapter of Section 4, Industrial Cybersecurity Assessment. That first chapter gives an introduction to the various assessment types that can help us to verify the effectiveness and correctness of our security program.