Book Image

Industrial Cybersecurity - Second Edition

By : Pascal Ackerman
Book Image

Industrial Cybersecurity - Second Edition

By: Pascal Ackerman

Overview of this book

With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) and procedures of ICS cybersecurity risks as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, as well as threat hunting.
Table of Contents (26 chapters)
Section 1: ICS Cybersecurity Fundamentals
Section 2:Industrial Cybersecurity – Security Monitoring
Section 3:Industrial Cybersecurity – Threat Hunting
Section 4:Industrial Cybersecurity – Security Assessments and Intel
Chapter 15: Industrial Control System Risk Assessments
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment

Security monitoring data collection methods

As we discussed earlier, security monitoring is about detecting security incidents by looking at security-related data that is coming out of our ICS environment. But how do we get to that data and where does it come from? There are two main ways security monitoring applications can collect relevant data—namely, by recording packets on the network (packet capturing) and collecting event logs generated by the operating system, network, and automation devices, or the software and applications we are trying to protect (such as a web server log or switch log), or the security applications we use to protect or monitor the endpoint (such as an antivirus application generating events for discovered malware or a network intrusion detection system (IDS) sending System Logging Protocol (syslog) messages for anomalies). Security monitoring solutions often use a combination of these two collection methods to aggregate the necessary data, to help...