Preface

In this book, we will apply a variety of tools, techniques, and technologies to visualize and track security posture and identify threats in an Industrial Control System (ICS) environment. Industrial Cybersecurity, Second Edition looks at implementing a comprehensive and solid security program for the ICS environment and should be read by those who are new to industrial security or are extending their industrial security posture.

With IT industries expanding to the cloud, cyberattacks have increased significantly. Understanding your control system’s vulnerabilities and learning techniques to defend critical infrastructure systems from cyber threats is becoming increasingly important.

You will begin this book by looking at how to design for security and exploring how to create an architecture that allows all the tools, techniques, and activities discussed in the book to be implemented effectively and easily. You will also learn about activities, tools, procedures, and concepts around the monitoring, tracking, and trending (visualizing) of ICS cybersecurity risks, as well as learning about the overall security program and posture/hygiene. You will also be introduced to threat hunting principles, tools, techniques, and methodology. Toward the end of the book, you will work with incident response and incident recovery tools, techniques, activities, and procedures as they relate to the ICS environment.

By the end of the book, you will be adept at industrial cybersecurity monitoring, assessments, incident response activities, and threat hunting.

Who this book is for

If you are an ICS security professional or are ICS cybersecurity-curious and want to ensure a robust ICS environment for your (critical infrastructure) systems, or if you want to extend/improve/monitor/validate your ICS cybersecurity posture, then this book is for you. Information Technology as well as Operational Technology (IT/OT) professionals interested in getting into the ICS cybersecurity monitoring domain or who are looking for additional/supporting learning material for a variety of industry-leading cybersecurity certifications will also find this book useful.

What this book covers

Chapter 1, Introduction and Recap of the First Edition, will be a recap of the first edition of this book. We will set the stage for the rest of the book and cover important concepts, tools, and techniques so that you can follow along with this second edition of the book.

Chapter 2, A Modern Look at the Industrial Control System Architecture, takes an overview of ICS security, explaining how I implement plant-wide architectures with some years of experience under my belt. The chapter will cover new concepts, techniques, and best practice recommendations.

Chapter 3, The Industrial Demilitarized Zone, is where I will discuss an updated IDMZ design that is the result of years of refinement, updating and adjusting the design to business needs, and revising and updating industry best practice recommendations.

Chapter 4, Designing the ICS Architecture with Security in Mind, is where I will outline key concepts, techniques, tools, and methodologies around designing for security. The chapter shows how to architect a network so that it allows the easy implementation of the security techniques, tools, and concepts discussed in the rest of the book.

Chapter 5, Introduction to Security Monitoring, is where we will discuss the ins and outs of cybersecurity monitoring as it pertains to the ICS environment. I will present the three main types of cybersecurity monitoring (passive, active, and threat hunting), which are explained in detail throughout the rest of the book.

Chapter 6, Passive Security Monitoring, is where we will look at the tools, techniques, activities, and procedures involved in passively monitoring industrial cybersecurity posture.

Chapter 7, Active Security Monitoring, looks at tools, techniques, activities, and procedures involved in actively monitoring industrial cybersecurity posture.

Chapter 8, Industrial Threat Intelligence, looks at tools, techniques, and activities that help to add threat intelligence to our security monitoring activities. Threat intelligence will be explained and common techniques and tools to acquire and assemble intelligence will be discussed.

Chapter 9, Visualizing, Correlating, and Alerting, explores how to combine all the gathered information and data, discussed in the previous chapters, into an interactive visualization, correlation, and alerting dashboard, built around the immensely popular ELK (Elasticsearch, Logstash, Kibana) stack, which is part of the Security Onion appliance.

Chapter 10, Threat Hunting, is a general introduction to threat hunting principles, tools, techniques, and methodology. This chapter will revisit Security Onion and how to use it for threat hunting exercises.

Chapter 11, Threat Hunt Scenario 1 – Malware Beaconing, presents the first threat hunt use case, where we suspect malware beaconing or data is being exfiltrated from our systems, and so we will use logs, events, data, and other information to prove the hunch and show the what, where, how, and who behind the attack.

Chapter 12, Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications, presents the second threat hunt use case, built around the assumption that there is executable code running on assets on the ICS network that is performing malicious actions (malware) or is just using up (wasting) resources. These would be Potentially Unwanted Programs (PUPs), such as spyware, bitcoin miners, and so on.

Chapter 13, Threat Hunt Scenario 3 – Suspicious External Connections, presents a third threat hunt use case: we suspect that external entities are connecting to our systems. We will use logs, events, data, and other information to prove the hunch and show the what, where, how, and who behind the activity.

Chapter 14, Different Types of Cybersecurity Assessments, outlines the types of security assessments that exist to help you assess the risk to an ICS environment.

Chapter 15, Industrial Control System Risk Assessments, will detail the tools, techniques, methodologies, and activities used in performing risk assessments for an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 16, Red Team/Blue Team Exercises, will detail the tools, techniques, methodologies, and activities used in performing red team and blue team exercises in an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 17, Penetration Testing ICS Environments, will detail the tools, techniques, methodologies, and activities used in performing penetration testing activities in an ICS environment. You will get hands-on experience with the most common tools and software used during assessment activities.

Chapter 18, Incident Response for the ICS Environment, takes you through the phases, activities, and processes of incident response as it relates to the industrial environment:

  • Preparation
  • Identification
  • Containment
  • Investigation
  • Eradication
  • Recovery
  • Follow-up

Chapter 19, Lab Setup, will help you set up a lab environment to be used for the exercises in the book.

To get the most out of this book

To get the most out of this book, you should have an interest in industrial cybersecurity and in security monitoring in general. Apart from that, all relevant technical concepts are discussed in detail throughout the book so no technical prerequisites are necessary.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800202092_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “We can see Snort detected the response from testmyids.ca (104.31.77.72) as being malicious.”

A block of code is set as follows:

sd.aler_rt Feb 15 2021 16:46:11
sd.alert_category NetworkAttack
sd.alert_message NMAP Scan detected
sd.alert_name nmap_scan
sd.alert_number 11

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

Any command-line input or output is written as follows:

idstools:
  config:
    ruleset: 'ETOPEN'

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “Navigate to the Home | Host | Sysmon dashboard and view the event logs at the bottom of the dashboard screen.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Industrial Cybersecurity - Second Edition, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
