Book Image

Industrial Cybersecurity - Second Edition

By : Pascal Ackerman
Book Image

Industrial Cybersecurity - Second Edition

By: Pascal Ackerman

Overview of this book

With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) and procedures of ICS cybersecurity risks as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, as well as threat hunting.

Related Content you might be interested in

Current Title:

Small book image
Industrial Cybersecurity - Second Edition
Pascal Ackerman
Oct, 2021 | 800 pages
Small book image
Industrial Cybersecurity
Pascal Ackerman
Oct, 2017 | 456 pages
Small book image
Pentesting Industrial Control Systems
Paul Smith
Dec, 2021 | 450 pages
Small book image
IoT and OT Security Handbook
Vasantha Lakshmi | Smita Jain
Mar, 2023 | 172 pages
Table of Contents (26 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: ICS Cybersecurity Fundamentals
Section 1: ICS Cybersecurity Fundamentals
Free Chapter
2
Chapter 1: Introduction and Recap of First Edition
Chapter 1: Introduction and Recap of First Edition
Industrial Cybersecurity – second edition
Recap of the first edition
What is an ICS?
Summary
3
Chapter 2: A Modern Look at the Industrial Control System Architecture
Chapter 2: A Modern Look at the Industrial Control System Architecture
Why proper architecture matters
Industrial control system architecture overview
Summary
4
Chapter 3: The Industrial Demilitarized Zone
Chapter 3: The Industrial Demilitarized Zone
The IDMZ
What makes up an IDMZ design?
Example IDMZ broker-service solutions
Summary
5
Chapter 4: Designing the ICS Architecture with Security in Mind
Chapter 4: Designing the ICS Architecture with Security in Mind
Typical industrial network architecture designs
Designing for security
Security monitoring
Summary
6
Section 2:Industrial Cybersecurity – Security Monitoring
Section 2:Industrial Cybersecurity – Security Monitoring
7
Chapter 5: Introduction to Security Monitoring
Chapter 5: Introduction to Security Monitoring
Security incidents
Passive security monitoring
Active security monitoring
Threat-hunting exercises
Security monitoring data collection methods
Putting it all together – introducing SIEM systems
Summary
8
Chapter 6: Passive Security Monitoring
Chapter 6: Passive Security Monitoring
Technical requirements
Passive security monitoring explained
Security Information and Event Management – SIEM
Common passive security monitoring tools
Setting up and configuring Security Onion
Exercise 1 – Setting up and configuring Security Onion
Exercise 2 – Setting up and a configuring a pfSense firewall
Exercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)
Summary
9
Chapter 7: Active Security Monitoring
Chapter 7: Active Security Monitoring
Technical requirements
Understanding active security monitoring
Exercise 1 – Scanning network-connected devices
Exercise 2 – Manually inspecting an industrial computer
Summary
10
Chapter 8: Industrial Threat Intelligence
Chapter 8: Industrial Threat Intelligence
Technical requirements
Threat intelligence explained
Using threat information in industrial environments
Acquiring threat information
Creating threat intelligence data out of threat information
Exercise – Adding an AlienVault OTX threat feed to Security Onion
Summary
11
Chapter 9: Visualizing, Correlating, and Alerting
Chapter 9: Visualizing, Correlating, and Alerting
Technical requirements
Holistic cybersecurity monitoring
Exercise 1 – Using Wazuh to add Sysmon logging
Exercise 2 – Using Wazuh to add PowerShell Script Block Logging
Exercise 3 – Adding a Snort IDS to pfSense
Exercise 4 – Sending SilentDefense alerts to Security Onion syslog
Exercise 5 – Creating a pfSense firewall event dashboard in Kibana
Exercise 6 – Creating a breach detection dashboard in Kibana
Summary
12
Section 3:Industrial Cybersecurity – Threat Hunting
Section 3:Industrial Cybersecurity – Threat Hunting
13
Chapter 10: Threat Hunting
Chapter 10: Threat Hunting
What is threat hunting?
Threat hunting in ICS environments
What is needed to perform threat hunting exercises?
Threat hunting is about uncovering threats
Correlating events and alerts for threat hunting purposes
Summary
14
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Forming the malware beaconing threat hunting hypothesis
Detection of beaconing behavior in the ICS environment
Investigating/forensics of suspicious endpoints
Using indicators of compromise to uncover additional suspect systems
Summary
15
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Technical requirements
Forming the malicious or unwanted applications threat hunting hypothesis
Detection of malicious or unwanted applications in the ICS environment
Investigation and forensics of suspicious endpoints
Using discovered indicators of compromise to search the environment for additional suspect systems
Summary
16
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Forming the suspicious external connections threat hunting hypothesis
Ingress network connections
Summary
17
Section 4:Industrial Cybersecurity – Security Assessments and Intel
Section 4:Industrial Cybersecurity – Security Assessments and Intel
18
Chapter 14: Different Types of Cybersecurity Assessments
Chapter 14: Different Types of Cybersecurity Assessments
Understanding the types of cybersecurity assessments
Risk assessments
Red team exercises
Blue team exercises
Penetration testing
How do ICS/OT security assessments differ from IT?
Summary
19
Chapter 15: Industrial Control System Risk Assessments
Chapter 15: Industrial Control System Risk Assessments
20
Chapter 16: Red Team/Blue Team Exercises
Chapter 16: Red Team/Blue Team Exercises
Red Team versus Blue Team versus pentesting
Red Team/Blue Team example exercise, attacking Company Z
Summary
21
Chapter 17: Penetration Testing ICS Environments
Chapter 17: Penetration Testing ICS Environments
Practical view of penetration testing
Why ICS environments are easy targets for attackers
Typical risks to an ICS environment
Modeling pentests around the ICS Kill Chain
Pentesting results allow us to prioritize cybersecurity efforts
Pentesting industrial environments requires caution
Exercise – performing an ICS-centric penetration test
Summary
22
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
23
Chapter 18: Incident Response for the ICS Environment
Chapter 18: Incident Response for the ICS Environment
What is an incident?
What is incident response?
Incident response processes
Incident response procedures
Example incident report form
Summary
24
Chapter 19: Lab Setup
Chapter 19: Lab Setup
Discussing the lab architecture
Details about the enterprise environment lab setup
Details about the industrial environment – lab setup
How to simulate (Chinese) attackers
Discussing the role of lab firewalls
How to install the malware for the lab environment
Configuring packet capturing for passive security tools
Summary
Why subscribe?
25
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “We can see Snort detected the response from testmyids.ca (104.31.77.72) as being malicious.”

A block of code is set as follows:

sd.aler_rt			Feb 15 2021 16:46:11
sd.alert_category	NetworkAttack
sd.alert_message		NMAP Scan detecte
sd.alert_name		nmap_scan
sd.alert_number		11

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

Any command-line input or output is written as follows:

idstools:
  config:
    ruleset: ‘ETOPEN’

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “Navigate to the Home | Host | Sysmon dashboard and view the event logs at the bottom of the dashboard screen.”

Tips or important notes

Appear like this.

Previous Section
Next Section