Book Image

Industrial Cybersecurity - Second Edition

By : Pascal Ackerman
Book Image

Industrial Cybersecurity - Second Edition

By: Pascal Ackerman

Overview of this book

With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) and procedures of ICS cybersecurity risks as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, as well as threat hunting.

Related Content you might be interested in

Current Title:

Small book image
Industrial Cybersecurity - Second Edition
Pascal Ackerman
Oct, 2021 | 800 pages
Small book image
Industrial Cybersecurity
Pascal Ackerman
Oct, 2017 | 456 pages
Small book image
Pentesting Industrial Control Systems
Paul Smith
Dec, 2021 | 450 pages
Small book image
IoT and OT Security Handbook
Vasantha Lakshmi | Smita Jain
Mar, 2023 | 172 pages
Table of Contents (26 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: ICS Cybersecurity Fundamentals
Section 1: ICS Cybersecurity Fundamentals
Free Chapter
2
Chapter 1: Introduction and Recap of First Edition
Chapter 1: Introduction and Recap of First Edition
Industrial Cybersecurity – second edition
Recap of the first edition
What is an ICS?
Summary
3
Chapter 2: A Modern Look at the Industrial Control System Architecture
Chapter 2: A Modern Look at the Industrial Control System Architecture
Why proper architecture matters
Industrial control system architecture overview
Summary
4
Chapter 3: The Industrial Demilitarized Zone
Chapter 3: The Industrial Demilitarized Zone
The IDMZ
What makes up an IDMZ design?
Example IDMZ broker-service solutions
Summary
5
Chapter 4: Designing the ICS Architecture with Security in Mind
Chapter 4: Designing the ICS Architecture with Security in Mind
Typical industrial network architecture designs
Designing for security
Security monitoring
Summary
6
Section 2:Industrial Cybersecurity – Security Monitoring
Section 2:Industrial Cybersecurity – Security Monitoring
7
Chapter 5: Introduction to Security Monitoring
Chapter 5: Introduction to Security Monitoring
Security incidents
Passive security monitoring
Active security monitoring
Threat-hunting exercises
Security monitoring data collection methods
Putting it all together – introducing SIEM systems
Summary
8
Chapter 6: Passive Security Monitoring
Chapter 6: Passive Security Monitoring
Technical requirements
Passive security monitoring explained
Security Information and Event Management – SIEM
Common passive security monitoring tools
Setting up and configuring Security Onion
Exercise 1 – Setting up and configuring Security Onion
Exercise 2 – Setting up and a configuring a pfSense firewall
Exercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)
Summary
9
Chapter 7: Active Security Monitoring
Chapter 7: Active Security Monitoring
Technical requirements
Understanding active security monitoring
Exercise 1 – Scanning network-connected devices
Exercise 2 – Manually inspecting an industrial computer
Summary
10
Chapter 8: Industrial Threat Intelligence
Chapter 8: Industrial Threat Intelligence
Technical requirements
Threat intelligence explained
Using threat information in industrial environments
Acquiring threat information
Creating threat intelligence data out of threat information
Exercise – Adding an AlienVault OTX threat feed to Security Onion
Summary
11
Chapter 9: Visualizing, Correlating, and Alerting
Chapter 9: Visualizing, Correlating, and Alerting
Technical requirements
Holistic cybersecurity monitoring
Exercise 1 – Using Wazuh to add Sysmon logging
Exercise 2 – Using Wazuh to add PowerShell Script Block Logging
Exercise 3 – Adding a Snort IDS to pfSense
Exercise 4 – Sending SilentDefense alerts to Security Onion syslog
Exercise 5 – Creating a pfSense firewall event dashboard in Kibana
Exercise 6 – Creating a breach detection dashboard in Kibana
Summary
12
Section 3:Industrial Cybersecurity – Threat Hunting
Section 3:Industrial Cybersecurity – Threat Hunting
13
Chapter 10: Threat Hunting
Chapter 10: Threat Hunting
What is threat hunting?
Threat hunting in ICS environments
What is needed to perform threat hunting exercises?
Threat hunting is about uncovering threats
Correlating events and alerts for threat hunting purposes
Summary
14
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Forming the malware beaconing threat hunting hypothesis
Detection of beaconing behavior in the ICS environment
Investigating/forensics of suspicious endpoints
Using indicators of compromise to uncover additional suspect systems
Summary
15
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Technical requirements
Forming the malicious or unwanted applications threat hunting hypothesis
Detection of malicious or unwanted applications in the ICS environment
Investigation and forensics of suspicious endpoints
Using discovered indicators of compromise to search the environment for additional suspect systems
Summary
16
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Forming the suspicious external connections threat hunting hypothesis
Ingress network connections
Summary
17
Section 4:Industrial Cybersecurity – Security Assessments and Intel
Section 4:Industrial Cybersecurity – Security Assessments and Intel
18
Chapter 14: Different Types of Cybersecurity Assessments
Chapter 14: Different Types of Cybersecurity Assessments
Understanding the types of cybersecurity assessments
Risk assessments
Red team exercises
Blue team exercises
Penetration testing
How do ICS/OT security assessments differ from IT?
Summary
19
Chapter 15: Industrial Control System Risk Assessments
Chapter 15: Industrial Control System Risk Assessments
20
Chapter 16: Red Team/Blue Team Exercises
Chapter 16: Red Team/Blue Team Exercises
Red Team versus Blue Team versus pentesting
Red Team/Blue Team example exercise, attacking Company Z
Summary
21
Chapter 17: Penetration Testing ICS Environments
Chapter 17: Penetration Testing ICS Environments
Practical view of penetration testing
Why ICS environments are easy targets for attackers
Typical risks to an ICS environment
Modeling pentests around the ICS Kill Chain
Pentesting results allow us to prioritize cybersecurity efforts
Pentesting industrial environments requires caution
Exercise – performing an ICS-centric penetration test
Summary
22
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
23
Chapter 18: Incident Response for the ICS Environment
Chapter 18: Incident Response for the ICS Environment
What is an incident?
What is incident response?
Incident response processes
Incident response procedures
Example incident report form
Summary
24
Chapter 19: Lab Setup
Chapter 19: Lab Setup
Discussing the lab architecture
Details about the enterprise environment lab setup
Details about the industrial environment – lab setup
How to simulate (Chinese) attackers
Discussing the role of lab firewalls
How to install the malware for the lab environment
Configuring packet capturing for passive security tools
Summary
Why subscribe?
25
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

What this book covers

Chapter 1, Introduction and Recap of the First Edition, will be a recap of the first edition of this book. We will set the stage for the rest of the book and cover important concepts, tools, and techniques so that you can follow along with this second edition of the book.

Chapter 2, A Modern Look at the Industrial Control System Architecture, takes an overview of ICS security, explaining how I implement plant-wide architectures with some years of experience under my belt. The chapter will cover new concepts, techniques, and best practice recommendations

Chapter 3, The Industrial Demilitarized Zone, is where I will discuss an updated IDMZ design that is the result of years of refinement, updating and adjusting the design to business needs, and revising and updating industry best practice recommendations.

Chapter 4, Designing the ICS Architecture with Security in Mind, is where I will outline key concepts, techniques, tools, and methodologies around designing for security. How to architect a network so that it allows the easy implementation of security techniques, tools, and concepts will be discussed in the rest of the book.

Chapter 5, Introduction to Security Monitoring, is where we will discuss the ins and outs of cybersecurity monitoring as it pertains to the ICS environment. I will present the three main types of cybersecurity monitoring, passive, active, and threat hunting, which are explained in detail throughout the rest of the book.

Chapter 6, Passive Security Monitoring, is where we will look at the tools, techniques, activities, and procedures involved in passively monitoring industrial cybersecurity posture.

Chapter 7, Active Security Monitoring, looks at tools, techniques, activities, and procedures involved in actively monitoring industrial cybersecurity posture.

Chapter 8, Industrial Threat Intelligence, looks at tools, techniques, and activities that help to add threat intelligence to our security monitoring activities. Threat intelligence will be explained and common techniques and tools to acquire and assemble intelligence will be discussed.

Chapter 9, Visualizing, Correlating, and Alerting, explores how to combine all the gathered information and data, discussed in the previous chapters, into an interactive visualization, correlation, and alerting dashboard, built around the immensely popular ELK (Elasticsearch, Kibana, Logstash) stack, which is part of the Security Onion appliance.

Chapter 10, Threat Hunting, is a general introduction to threat hunting principles, tools, techniques, and methodology. This chapter will revisit Security Onion and how to use it for threat hunting exercises.

Chapter 11, Threat Hunt Scenario 1 – Malware Beaconing, presents the first threat hunt use case, where we suspect malware beaconing or data is being exfiltrated from our systems, and so we will use logs, events, data, and other information to prove the hunch and show the what, where, how, and who behind the attack.

Chapter 12, Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications, presents the second threat hunt use case, built around the assumption that there is executable code running on assets on the ICS network that is performing malicious actions (malware) or is just using up (wasting) resources. These would be Potentially Unwanted Programs (PUPs), such as spyware, bitcoin miners, and so on.

Chapter 13, Threat Hunt Scenario 3 – Suspicious External Connections, presents a third threat hunt use case: we suspect that external entities are connecting to our systems. We will use logs, events, data, and other information to prove the hunch and show the what, where, how, and who behind things.

Chapter 14, Different Types of Cybersecurity Assessments, outlines the types of security assessments that exist to help you assess the risk to an ICS environment.

Chapter 15, Industrial Control System Risk Assessments, will detail the tools, techniques, methodologies, and activities used in performing risk assessments for an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 16, Red Team/Blue Team Exercises, will detail the tools, techniques, methodologies, and activities used in performing red team and blue team exercises in an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 17, Penetration Testing ICS Environments, will detail the tools, techniques, methodologies, and activities used in performing penetration testing activities in an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 18, Incident Response for the ICS Environment, takes you through the phases, activities, and processes of incident response as it relates to the industrial environment:

  • Preparation
  • Identification
  • Containment
  • Investigation
  • Eradication
  • Recovery
  • Follow-up

Chapter 19, Lab Setup, will help you set up a lab environment to be used for the exercises in the book.

Previous Section
Next Section