PureLand Wastewater Treatment
Cyber Security Case Study
Company Summary
PureLand Wastewater Treatment Inc. (est. 2001) is a company providing years of experience in
all aspects of Wastewater Treatment with special emphasis on the Chemical Manufacturing and
Biological Fermentation industries. We are a flexible, responsive organization with a network of
resources to handle any size project. Each project is approached by utilizing our strong
sterilization and engineering skills while drawing on our background in Operations, Service,
Validation, and Quality to provide solutions for all of your Wastewater Treatment needs. We
provide personal attention to ensure customer satisfaction in all services and equipment we
supply.
Security Concerns
PureLand has special security concerns due to the highly toxic nature of some of the chemicals
they use to sterilize and treat wastewater streams for their customers. Although Physical Security
has always been on their radar and relatively strong, Cyber Security has not been something that
they were particularly concerned about. After all, the chemicals they use to do their work were
not proprietary so they had little concern about theft of intellectual property or trade secrets
being compromised.
All this changed recently when PureLand executives and operations folks were contacted by the
Department of Homeland Security (DHS) in regard to a particularly toxic chemical they use to
sanitize Wastewater in biologically hazardous processes: Chlorine Dioxide. DHS officials were
aware of their use of the chemical because of publicly available waste treatment permits
provided to PureLand by the EPA. As it turns out, Chlorine Dioxide is on the DHS Chemical
Facility Anti-Terrorism Standards (CFATS) list of chemicals of interest because of the risks
associated with chemical release or sabotage using this chemical. PureLand was aware Chlorine
Dioxide was a very dangerous chemical, but they had never considered Cyber Terrorism or theft
of the chemical for sabotage when completing prior risk assessments. The implications of this
were quite serious for PureLand, as they now are required by Federal law to comply with both
Physical and Cyber Security regulations related to their use of this chemical of interest. DHS
officials made PureLand aware of their obligations and informed them that they would be subject
to an audit by DHS within eighteen months that would assess their compliance with CFATS
regulations. If compliance was not achieved within 12 months of the initial audit, PureLand
would be subject to huge fines and penalties that could include closure of their facility.
PureLand Reaction
The PureLand Executives were quite alarmed by the news and immediately formed an internal
team to create a Cyber Security improvement and compliance plan. The team researched the
issue and reviewed the information provided by DHS around security standards. The first
objective was to use a tool provided by DHS to perform a Cyber Security Self Evaluation on
their computing systems. The hope was that by using this free tool, they could get some insight
on the most critical Cyber Security gaps that existed and potentially provide a road map on
where to focus their security improvement plan. A team of system administrators, security
professionals, and management representatives worked on the Cyber Security Self Evaluation
over a period of two days.
Cyber Security Self Evaluation Results
The results of the Self Evaluation were very disturbing for the entire team. The evaluation
reported varying levels of compliance from 0% to 100%, but it was very clear that they had their
work cut out for them. The leadership team met with the IT staff and their IT Security Analyst,
and it was decided that they didn’t have the internal staffing or appropriate skillset to implement
the needed security improvements within one year. The decision was made to hire an outside
consultant to help devise and implement a Cyber Security improvement plan that would achieve
these critical objectives:
1. Reduce their risk from Cyber Security incidents to an acceptable level
2. Achieve compliance with CFATS regulations
3. Minimize negative impacts to production and safety
Path Forward
As the outside consultant, it’s your job to lead the effort to create the Cyber Security
improvement plan per the objectives laid out in the accompanying document: Developing Cyber
Security Improvement Plan for Industrial Control System - Case Study.
You’ll focus your efforts by studying the PureLand Cyber Security Assessment which includes
various tables and charts indicating the areas of most concern. PureLand has contracted you to
provide two major deliverables for this contract:
1. Industrial Control System Cyber Security Improvement Plan (Detailed requirements
included in document – ICS security improvement case description)
2. Presentation to key stakeholders one week prior to formal plan presentation
PureLand Wastewater Compliance Audit
Objective
This assignment requires the students to answer questions as might be encountered while
undergoing a compliance audit regarding Department of Homeland Security Chemical Facility
Anti-Terrorism Standards (CFATS) regulations. The students will play the role of a Cyber Security
consultant being audited by a DHS compliance inspector.
Instructions for assignment
1. Find your assigned question from the table below
Student Name    Assigned Question
Name 1          2.1
Name 2          2.2
Name 3          2.3
Name 4          2.4
Name 5          2.5
Name 6          2.6
Name 7          2.7
2. Using the Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards
document for reference, research and write an answer for one of the following questions (assigned
to you based on a random draw) from a DHS inspector conducting a site inspection. Consult your
team members if you need help. After the team has compiled all their answers, get ready to be
audited by the instructor. You’ll have 20 minutes to research and write your answer.
2.1. What systems listed on your PureLand Network Diagram do you consider to be the most critical
systems? Why did you pick these systems as most critical?
2.2. What do you feel are the most important elements of a successful change management
process? How will you ensure that changes made to the Cyber systems at PureLand
Wastewater won’t lead to Cyber Security Incidents?
2.3. Is there currently any segregation of systems at PureLand based on criticality of the systems? If
yes, please explain the segregation strategy. If not, please explain what plans are being
developed to segregate assets on the network based on risk.
2.4. What methods are used or planned for implementation to manage passwords? Is there any
differentiation in how end user and privileged (e.g., system administrator) accounts are
managed?
2.5. Is there currently any Cyber Security awareness and training program in place at PureLand? If
yes, please explain the frequency and method of documenting completion. If not, please
explain what topics will be included in your awareness program and how you plan to document
and track compliance.
2.6. What kinds of technical controls are being used at PureLand to prevent malware attacks? What
additional controls are planned for implementation within the next 24 months?
2.7. If PureLand was aware of a Cyber Security incident taking place at their facility, what is the
protocol for responding to and reporting the incident?
2.8. What measures does PureLand take (or plan to take) to secure Safety Instrumented Systems to
prevent Cyber Security incidents from causing a catastrophic event?
2.9. Does PureLand have an up to date inventory of hardware connected to their network? What is
included in the inventory? Is PureLand aware of new devices being added to the network?
What technology is used to gain awareness of what devices are connected to the network?
2.10. What do you feel is the greater risk driver for PureLand Chemical theft or diversion or release
of the Chemical of Interest and why?
2.11. Provide some examples of areas you feel have physical security concerns related to cyber
assets along with brief explanations of why they have higher risk.
2.12. What are the requirements you will have for the person who will manage your cyber security
program?
2.13. Does PureLand use shared accounts for accessing computer systems? What are the risks
associated with use of shared accounts and how might you mitigate these risks?
2.14. Does PureLand use separation of duties as a security practice? What duties are separated or
planned to be separated and why?
2.15. What kinds of controls are in place to ensure access to devices or information is managed
appropriately? What processes are used or planned to manage changes to the workforce?
2.16. If PureLand had a Cyber Security Incident take place (for example, an APT penetration), who
would PureLand IT folks report the incident to internally and externally? How would they notify
the Department of Homeland Security?
PureLand Cyber Security Assessment
1/1/2014
Assessor: Luke Reissman
Disclaimer
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not
provide any warranties of any kind regarding any information contained within. In no event shall the United States
Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect,
special or consequential damages and including damages based on any negligence of the United States Government or
its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not
based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of,
or reliance upon the report.
The DHS does not endorse any commercial product or service, including the subject of the assessment or evaluation in
this report. Any reference to specific commercial products, processes, or services by trademark, manufacturer, or
otherwise, does not constitute or imply its endorsement, recommendation, or favoring by DHS.
The display of the DHS official seal or other DHS visual identities on this report shall not be interpreted to provide the
recipient organization authorization to use the official seal, insignia or other visual identities of the Department of
Homeland Security. The DHS seal, insignia, or other visual identities shall not be used in any manner to imply
endorsement of any commercial product or activity by DHS or the United States Government. Use of the DHS seal
without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DHS’s policies
governing usage of the seal.
The report is prepared and intended for internal use by the organization that made the request. The contents of this
report may be subject to government or private intellectual property rights. To request distribution of this report outside
the organization for which it was prepared, contact the CSET® Program Office. The contents of this report may be
reproduced or incorporated into other reports, but may not be modified without the prior express written permission of the
CSET® Program Office.
PureLand Cyber Security
Assessment
Page 2
Advisory
CSET is only one component of the overall cyber security picture and should be complemented with a robust cyber security program
within the organization. A self-assessment with CSET cannot reveal all types of security weaknesses, and should not be the sole
means of determining an organization’s security posture.
The tool will not provide an architectural analysis of the network or a detailed network hardware/software configuration review. It is not a
risk analysis tool so it will not generate a complex risk assessment. CSET is not intended as a substitute for in depth analysis of control
system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a
holistic approach including facility walk downs, interviews, and observation and examination of facility practices. Consideration should
also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production
systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.
CSET assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from
operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject
matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to
effectively answer all the questions.
Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to
their sensitivity.
TABLE OF CONTENTS
Table Of Contents .................................................................................................................. 4
Assessment Information ......................................................................................................... 5
Description Of Assessment .................................................................................................... 6
Executive Summary ............................................................................................................... 6
Standards Compliance .......................................................................................................... 7
Network Diagram ................................................................................................................... 8
Ranked Subject Areas ........................................................................................................... 9
ASSESSMENT INFORMATION
Assessment Name:
PureLand Cyber Security Assessment
Assessment Date, (MM/DD/YYYY):
1/1/2014
Facility Name:
PureLand Wastewater Treatment Plant
City or Site Name:
Kalamazoo
State, Province or Region:
MI
Principal Assessor Name:
Luke Reissman
Assessor E-mail:
luke.x.reissman@wilmu.edu
Assessor Telephone:
302-555-1212
Additional Notes and Comments:
Contact(s):
DESCRIPTION OF ASSESSMENT
Fictitious Cyber Security Self Evaluation
EXECUTIVE SUMMARY
Cyber terrorism is a real and growing threat. Standards and guides have been developed, vetted, and widely accepted to assist with
protection from cyber attacks. The Cyber Security Evaluation Tool (CSET) includes a selectable array of these standards for a tailored
assessment of cyber vulnerabilities. Once the standards were selected and the resulting question sets answered, the CSET created a
compliance summary, compiled variance statistics, ranked top areas of concern, and generated security recommendations.
STANDARDS COMPLIANCE
NETWORK DIAGRAM
RANKED SUBJECT AREAS
This chart shows subject areas needing the most attention. Each bar represents the labeled subject area’s weighted contribution so
that the combined total always equals 100%. The weighted contribution includes the importance of both the question and the subject
area, as well as the percentage of missed questions in that subject area.
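A small worked illustration of the weighting idea described above, added here as an example; it is not CSET's actual scoring algorithm, and the subject-area weights, question weights and missed/answered flags are constructed sample values:

```python
from dataclasses import dataclass


@dataclass
class Question:
    subject: str        # subject area the question belongs to
    importance: float   # question-level importance weight (assumed scale)
    missed: bool        # True when the answer fell short of the standard


# Constructed sample: hypothetical subject-area importance weights.
SUBJECT_IMPORTANCE = {
    "Account Management": 3.0,
    "Network Segmentation": 4.0,
    "Awareness and Training": 1.0,
    "Incident Response": 2.0,
}

# Constructed sample: hypothetical question set and self-evaluation answers.
SAMPLE_QUESTIONS = [
    Question("Account Management", 2.0, True),
    Question("Account Management", 1.0, True),
    Question("Account Management", 1.0, False),
    Question("Network Segmentation", 3.0, True),
    Question("Network Segmentation", 2.0, False),
    Question("Awareness and Training", 1.0, True),
    Question("Awareness and Training", 1.0, True),
    Question("Incident Response", 2.0, False),
    Question("Incident Response", 1.0, False),
]


def subject_contributions(questions, subject_importance):
    """Return {subject: contribution in percent}; the values sum to 100.

    Assumed model: a subject's raw score is its importance weight times the
    importance-weighted fraction of its questions that were missed; raw
    scores are then normalised so the chart's bars total 100%.
    """
    raw = {}
    for subject, weight in subject_importance.items():
        qs = [q for q in questions if q.subject == subject]
        if not qs:
            continue
        total_w = sum(q.importance for q in qs)
        missed_w = sum(q.importance for q in qs if q.missed)
        raw[subject] = weight * (missed_w / total_w)
    total = sum(raw.values())
    if total == 0:
        # Nothing missed anywhere: every bar is zero rather than undefined.
        return {s: 0.0 for s in raw}
    return {s: 100.0 * v / total for s, v in raw.items()}


def ranked_subjects(questions, subject_importance):
    """Subject areas ordered from most to least attention needed."""
    contrib = subject_contributions(questions, subject_importance)
    return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for subject, pct in ranked_subjects(SAMPLE_QUESTIONS, SUBJECT_IMPORTANCE):
        print(f"{subject:<24} {pct:6.2f}%")
```

Note that a subject with few but heavily weighted missed questions can outrank one with more misses of low importance, which is why the chart is not simply a count of failed questions.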
Industrial Network
Security
Securing Critical Infrastructure
Networks for Smart Grid,
SCADA, and Other Industrial
Control Systems
Second Edition
Eric D. Knapp
Joel Thomas Langill
Technical Editor
Raj Samani
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Surya Narayanan Jayachandran
Cover Designer: Maria Ines Cruz
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
© 2015 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or any information storage
and retrieval system, without permission in writing from the publisher. Details on how to
seek permission, further information about the Publisher’s permissions policies and our
arrangements with organizations such as the Copyright Clearance Center and the Copyright
Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by
the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research
and experience broaden our understanding, changes in research methods, professional
practices, or medical treatment may become necessary. Practitioners and researchers
must always rely on their own experience and knowledge in evaluating and using any
information, methods, compounds, or experiments described herein. In using such
information or methods they should be mindful of their own safety and the safety of
others, including parties for whom they have a professional responsibility. To the fullest
extent of the law, neither the Publisher nor the authors, contributors, or editors, assume
any liability for any injury and/or damage to persons or property as a matter of products
liability, negligence or otherwise, or from any use or operation of any methods, products,
instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application Submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-420114-9
For information on all Syngress publications visit our website at www.syngress.com.
Contents
About the Authors..................................................................................................... xv
Preface.....................................................................................................................xvii
Acknowledgments....................................................................................................xix
CHAPTER 1 Introduction.................................................................................. 1
Book Overview and Key Learning Points.............................................. 1
Book Audience........................................................................................ 2
Diagrams and Figures............................................................................. 2
The Smart Grid....................................................................................... 3
How This Book is Organized.................................................................. 3
Chapter 2: About Industrial Networks............................................. 3
Chapter 3: Industrial Cyber Security, History, and Trends............. 4
Chapter 4: Introduction to ICS and Operations............................... 4
Chapter 5: ICS Network Design and Architecture.......................... 4
Chapter 6: Industrial Network Protocols......................................... 4
Chapter 7: Hacking Industrial Systems........................................... 5
Chapter 8: Risk and Vulnerability Assessments.............................. 5
Chapter 9: Establishing Zones and Conduits................................... 5
Chapter 10: Implementing Security and Access Controls............... 5
Chapter 11: Exception, Anomaly, and Threat Detection................. 5
Chapter 12: Security Monitoring of Industrial Control Systems......... 6
Chapter 13: Standards and Regulations........................................... 6
Changes Made to the Second Edition.............................................. 6
Conclusion.............................................................................................. 7
CHAPTER 2 About Industrial Networks......................................................9
The Use of Terminology Within This Book........................................... 9
Attacks, Breaches, and Incidents: Malware, Exploits, and APTs......... 11
Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets....... 11
Security Controls and Security Countermeasures......................... 12
Firewalls and Intrusion Prevention Systems.................................. 12
Industrial Control System.............................................................. 13
DCS or SCADA?........................................................................... 15
Industrial Networks....................................................................... 15
Industrial Protocols........................................................................ 15
Networks, Routable Networks, and Nonroutable Networks......... 18
Enterprise or Business Networks................................................... 20
Zones and Enclaves....................................................................... 22
Network Perimeters or “Electronic Security Perimeters”............. 24
Critical Infrastructure..................................................................... 26
Common Industrial Security Recommendations.................................. 29
Identification of Critical Systems.................................................. 29
Network Segmentation/Isolation of Systems................................. 31
Defense in Depth........................................................................... 33
Access Control............................................................................... 34
Advanced Industrial Security Recommendations................................. 35
Security Monitoring....................................................................... 36
Policy Whitelisting........................................................................ 36
Application Whitelisting................................................................ 36
Common Misperceptions About Industrial Network Security........................ 37
Assumptions Made in This Book.................................................. 38
Summary............................................................................................... 39
Endnotes................................................................................................ 39
CHAPTER 3 Industrial Cyber Security History and Trends................................41
Importance of Securing Industrial Networks........................................ 41
The Evolution of the Cyber Threat....................................................... 44
APTs and Weaponized Malware................................................... 47
Still to Come.................................................................................. 50
Defending Against Modern Cyber Threats.................................... 51
Insider Threats...................................................................................... 52
Hacktivism, Cyber Crime, Cyber Terrorism, and Cyber War.............. 53
Summary............................................................................................... 55
Endnotes................................................................................................ 55
CHAPTER 4 Introduction to Industrial Control Systems and Operations..................59
System Assets....................................................................................... 59
Programmable Logic Controller.................................................... 59
Remote Terminal Unit................................................................... 63
Intelligent Electronic Device......................................................... 64
Human–Machine Interface............................................................ 64
Supervisory Workstations.............................................................. 67
Data Historian................................................................................ 67
Business Information Consoles and Dashboards........................... 68
Other Assets................................................................................... 69
System Operations................................................................................ 70
Control Loops................................................................................ 70
Control Processes........................................................................... 72
Feedback Loops............................................................................. 73
Production Information Management............................................ 73
Business Information Management............................................... 74
Process Management............................................................................ 76
Safety Instrumented Systems................................................................ 78
The Smart Grid..................................................................................... 80
Network Architectures.......................................................................... 82
Summary............................................................................................... 82
Endnotes................................................................................................ 83
CHAPTER 5 Industrial Network Design and Architecture.................. 85
Introduction to Industrial Networking.................................................. 87
Common Topologies............................................................................. 92
Network Segmentation.......................................................................... 96
Higher Layer Segmentation........................................................... 99
Physical vs. Logical Segmentation.............................................. 104
Network Services................................................................................ 106
Wireless Networks.............................................................................. 107
Remote Access.................................................................................... 108
Performance Considerations............................................................... 111
Latency and Jitter......................................................................... 111
Bandwidth and Throughput......................................................... 112
Type of Service, Class of Service, and Quality of Service.......... 112
Network Hops.............................................................................. 113
Network Security Controls.......................................................... 113
Safety Instrumented Systems.............................................................. 114
Special Considerations........................................................................ 115
Wide Area Connectivity.............................................................. 115
Smart Grid Network Considerations........................................... 116
Advanced Metering Infrastructure............................................... 118
Summary............................................................................................. 119
Endnotes.............................................................................................. 119
CHAPTER 6 Industrial Network Protocols............................................. 121
Overview of Industrial Network Protocols......................................... 121
Fieldbus Protocols............................................................................... 123
Modicon Communication Bus..................................................... 123
Distributed Network Protocol...................................................... 130
Process Fieldbus.......................................................................... 139
Industrial Ethernet Protocols....................................................... 141
Ethernet Industrial Protocol......................................................... 142
PROFINET.................................................................................. 146
EtherCAT..................................................................................... 147
Ethernet POWERLINK............................................................... 148
SERCOS III................................................................................. 149
Backend Protocols.............................................................................. 150
Open Process Communications................................................... 150
Inter-Control Center Communications Protocol ......................... 157
Advanced Metering Infrastructure and the Smart Grid...................... 162
Security Concerns........................................................................ 164
Security Recommendations......................................................... 164
Industrial Protocol Simulators............................................................ 164
Modbus........................................................................................ 165
DNP3 / IEC 60870-5................................................................... 165
OPC.............................................................................................. 165
ICCP / IEC 60870-6 (TASE.2).................................................... 165
Physical Hardware....................................................................... 166
Summary............................................................................................. 166
Endnotes.............................................................................................. 166
CHAPTER 7 Hacking Industrial Control Systems................................ 171
Motives and Consequences................................................................. 171
Consequences of a Successful Cyber Incident............................ 171
Cyber Security and Safety........................................................... 172
Common Industrial Targets................................................................ 174
Common Attack Methods................................................................... 186
Man-in-the-Middle Attacks......................................................... 186
Denial-of-Service Attacks........................................................... 187
Replay Attacks............................................................................. 188
Compromising the Human–Machine Interface........................... 189
Compromising the Engineering Workstation.............................. 189
Blended Attacks........................................................................... 190
Examples of Weaponized Industrial Cyber Threats........................... 190
Stuxnet......................................................................................... 191
Shamoon/DistTrack..................................................................... 195
Flame/Flamer/Skywiper.............................................................. 195
Attack Trends...................................................................................... 196
Evolving Vulnerabilities: The Adobe Exploits............................ 197
Industrial Application Layer Attacks........................................... 198
Antisocial Networks: A New Playground for Malware.............. 200
Dealing with an Infection.................................................................... 203
Summary............................................................................................. 205
Endnotes.............................................................................................. 206
CHAPTER 8 Risk and Vulnerability Assessments............................... 209
Cyber Security and Risk Management............................................... 210
Why Risk Management is the Foundation of Cyber Security........... 210
What is Risk?............................................................................... 211
Standards and Best Practices for Risk Management................... 213
Methodologies for Assessing Risk Within Industrial Control Systems.......... 216
Security Tests............................................................................... 216
Establishing a Testing and Assessment Methodology................. 219
System Characterization..................................................................... 223
Data Collection............................................................................ 227
Scanning of Industrial Networks................................................. 228
Threat Identification............................................................................ 241
Threat Actors/Sources................................................................. 241
Threat Vectors............................................................................. 243
Threat Events............................................................................... 243
Identification of Threats During Security Assessments............... 244
Vulnerability Identification................................................................. 246
Vulnerability Scanning................................................................ 248
Configuration Auditing................................................................ 250
Vulnerability Prioritization.......................................................... 251
Risk Classification and Ranking......................................................... 253
Consequences and Impact............................................................ 253
How to Estimate Consequences and Likelihood......................... 254
Risk Ranking............................................................................... 256
Risk Reduction and Mitigation........................................................... 257
Summary............................................................................................. 258
Endnotes.............................................................................................. 259
CHAPTER 9 Establishing Zones and Conduits..................................... 261
Security Zones and Conduits Explained............................................. 263
Identifying and Classifying Security Zones and Conduits................. 264
Recommended Security Zone Separation........................................... 265
Network Connectivity.................................................................. 266
Control Loops.............................................................................. 267
Supervisory Controls................................................................... 268
Plant Level Control Processes..................................................... 268
Control Data Storage................................................................... 270
Trading Communications............................................................ 271
Remote Access............................................................................. 272
Users and Roles........................................................................... 272
Protocols...................................................................................... 274
Criticality..................................................................................... 275
Establishing Security Zones and Conduits......................................... 277
Summary............................................................................................. 279
Endnotes.............................................................................................. 280
CHAPTER 10 Implementing Security and Access Controls.......................... 283
Network Segmentation........................................................................ 287
Zones and Security Policy Development..................................... 288
Using Zones within Security Device Configurations.................. 288
Implementing Network Security Controls.......................................... 290
Selecting Network Security Devices........................................... 290
Implementing Network Security Devices.................................... 293
Implementing Host Security and Access Controls............................. 309
Selecting Host Cyber Security Systems...................................... 311
External Controls......................................................................... 316
Patch Management....................................................................... 316
How Much Security is Enough?......................................................... 320
Summary............................................................................................. 321
Endnotes.............................................................................................. 321
CHAPTER 11 Exception, Anomaly, and Threat Detection................... 323
Exception Reporting........................................................................... 324
Behavioral Anomaly Detection........................................................... 326
Measuring Baselines.................................................................... 327
Anomaly Detection...................................................................... 330
Behavioral Whitelisting...................................................................... 333
User Whitelists............................................................................. 334
Asset Whitelists........................................................................... 335
Application Behavior Whitelists.................................................. 337
Threat Detection.................................................................................. 340
Event Correlation......................................................................... 341
Correlating Between IT and OT Systems.................................... 347
Summary............................................................................................. 349
Endnotes.............................................................................................. 349
CHAPTER 12 Security Monitoring of Industrial Control Systems.................. 351
Determining what to Monitor............................................................. 352
Security Events............................................................................ 353
Assets........................................................................................... 356
Configurations.............................................................................. 358
Applications................................................................................. 360
Networks...................................................................................... 361
User Identities and Authentication.............................................. 362
Additional Context....................................................................... 365
Behavior....................................................................................... 365
Successfully Monitoring Security Zones............................................ 367
Log Collection............................................................................. 368
Direct Monitoring........................................................................ 368
Inferred Monitoring..................................................................... 369
Information Collection and Management Tools.......................... 372
Monitoring Across Secure Boundaries........................................ 376
Information Management.................................................................... 376
Queries......................................................................................... 377
Reports......................................................................................... 379
Alerts............................................................................................ 381
Incident Investigation and Response........................................... 381
Log Storage and Retention.................................................................. 382
Nonrepudiation............................................................................ 382
Data Retention/Storage................................................................ 382
Data Availability.......................................................................... 384
Summary............................................................................................. 385
Endnotes.............................................................................................. 385
CHAPTER 13 Standards and Regulations................................................387
Common Standards and Regulations.................................................. 388
NERC CIP................................................................................... 389
CFATS......................................................................................... 389
ISO/IEC 27002............................................................................ 390
NRC Regulation 5.71................................................................... 390
NIST SP 800-82........................................................................... 392
ISA/IEC-62443................................................................................... 392
ISA 62443 Group 1: “General”................................................... 392
ISA 62443 Group 2: “Policies and Procedures”.......................... 393
ISA 62443 Group 3: “System”.................................................... 393
ISA 62443 Group 4: “Component”............................................. 394
Mapping Industrial Network Security to Compliance........................ 395
Industry Best Practices for Conducting ICS Assessments.................. 395
Department of Homeland Security (USA) / Centre for Protection of National Infrastructure (UK)................ 396
National Security Agency (USA)................................................ 397
American Petroleum Institute (USA) / National Petrochemical and Refiners Association (USA).......................... 397
Institute for Security and Open Methodologies (Spain).............. 398
Common Criteria and FIPS Standards................................................ 398
Common Criteria......................................................................... 398
FIPS 140-2................................................................................... 400
Summary............................................................................................. 400
Endnotes.............................................................................................. 406
Appendix A Protocol Resources............................................................... 409
Modbus Organization.......................................................................... 409
DNP3 Users Group............................................................................. 409
OPC Foundation.................................................................................410
Common Industrial Protocol (CIP) / Open Device Vendor Association (ODVA)............................................................. 410
PROFIBUS & PROFINET International (PI)................................................ 410
Appendix B Standards Organizations..................................................... 411
North American Reliability Corporation (NERC).............................. 411
The United States Nuclear Regulatory Commission (NRC)............................................................................ 411
NRC Title 10 CFR 73.54............................................................. 412
NRC RG 5.71............................................................................... 412
United States Department of Homeland Security............................... 412
Chemical Facilities Anti-Terrorism Standard (CFATS).............. 412
CFATS Risk-Based Performance Standards (RBPS).................. 412
International Society of Automation (ISA)......................................... 413
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)....................... 413
Appendix C NIST Security Guidelines.................................................... 415
National Institute of Standards and Technology, Special Publications 800 Series.......................................................... 415
Glossary............................................................................................. 417
Endnotes.............................................................................................. 424
Index.................................................................................................. 425
About the Authors
Eric D. Knapp is a recognized expert in industrial control systems (ICS) cyber
security. He is the original author of “Industrial Network Security: Securing Critical
Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control
Systems (First Edition)” and the coauthor of “Applied Cyber Security for Smart Grids.”
Eric has held senior technology positions at NitroSecurity, McAfee, Wurldtech, and
Honeywell, where he has consistently focused on the advancement of end-to-end ICS
cyber security in order to promote safer and more reliable automation infrastructures.
Eric has over 20 years of experience in Information Technology, specializing in cyber
security analytics, threat, and risk management techniques and applied Ethernet
protocols in both enterprise and industrial networks.
In addition to his work in information security, Eric is an award-winning fiction
author. He studied English and Writing at the University of New Hampshire and the
University of London, and holds a degree in communications.
Joel Thomas Langill brings a unique perspective to operational security with decades of experience in industrial automation and control. He has deployed ICS solutions covering most major industry sectors globally encompassing most generations
of automated control. He has been directly involved in automation solutions spanning feasibility, budgeting, front-end engineering design, detailed design, system integration, commissioning, support and legacy system migration.
Joel is currently an independent consultant providing services to ICS suppliers,
end-users, system integrators, and governmental agencies worldwide. Joel founded
the popular ICS security website SCADAhacker.com offering visitors resources in
understanding, evaluating, and securing control systems. He developed a specialized
training curriculum that focuses on applied cyber security and defenses for industrial
systems. His website and social networks extend to readers in over 100 countries
globally.
Joel serves on the Board of Advisors for Scada Fence Ltd., and is an ICS research focal point to corporations and CERT organizations around the world. He is
a voting member of the ISA99 committee, and has published numerous reports on
ICS-related campaigns including Heartbleed, Dragonfly, and Black Energy. He is
a graduate of the University of Illinois–Champaign with a BS (University Honors/
Bronze Tablet) in Electrical Engineering.
He can be found on Twitter @SCADAhacker.
Preface
I would like to thank you for purchasing the second edition of “Industrial Network
Security,” especially if you are one of the many supporters of the first edition.
When the second edition was announced, many people asked me, “why a second
edition?” and even more followed that up with, “and why a coauthor?” These questions are harder to answer than you would think.
When I wrote the first edition, I set a very high standard for myself and did everything that I could do at the time to create the best book possible. While the first
edition was well received, I’ve gained more experience and knowledge since then,
and the industry has advanced. The threat is now better understood, thanks to an
increasing trend in industrial cyber security research. Unfortunately, there has also
been an increase in the development of new exploits, and there have been an increasing number of large-scale incidents. In short, there is a lot more to talk about.
However, I did not want to just update the first edition.
One of the biggest problems with industrial cyber security is that it spans two
domains of specialized knowledge: Information Technology (IT) and Operational
Technology (OT). Some things that come naturally to an IT veteran are hard for
an OT person to grasp. Some things that an OT guru takes for granted seem odd
to an IT pro. There are two separate perspectives, two separate lifetimes of experience, and two separate lexicons of “tech speak.” A new breed of industrial cyber
security professional is slowly emerging, but even among this minority there are
clear factions—we know who we are—who have strong opinions about disclosures,
or regulations, or particular methods or technologies, and take hard stances against
those with opposing beliefs.
What I have seen, however, is that when our differences materialize as conflict, it
becomes a barrier to good cyber security. When people come together and work cooperatively, the incongruences and misperceptions quickly fade. Everything becomes
easier, and good cyber security is almost inevitable. In the second edition, I wanted
to address this fundamental challenge.
Not easy.
My background is in IT, and although I’ve worked in industrial cyber security for
a long time, it is impossible to alter my core perspectives. The only way I could get
an additional perspective into the book was to put my manuscript where my mouth
is, and write the second edition in cooperation with another author.
Enter Joel Thomas Langill. Joel, aka the SCADA Hacker, brought a lot of
extremely valuable perspective to the second edition. Where my background is
mostly in IT, his is mostly in OT; where my research tends to focus on emerging
technology and countermeasures, Joel is more grounded in the real world, and
has refined cyber security planning, assessment, and mitigation techniques over
years in the field. We had a common goal, and a lot of common beliefs, but very
different perspectives.
Joel and I kept each other honest, and shared new ways of looking at very common issues. It resulted in the refinement of the original text, and the addition of over
40,000 words of new material, including several new chapters (for those who are not
familiar with publishing, that is almost enough to make a whole new book).
It was not always easy. Just as IT and OT clash within industry, our perspectives
sometimes turned discussions into arguments. However, we almost always came to
the conclusion that we were actually saying the same things. We simply used terminology differently, and we saw certain problems through different lenses. Neither of
us was wrong, but our idea of what was “right” did not always match up 100%. But
we worked through it.
Through compromise and cooperation, what is left on the pages of this book
should be more beneficial to more people—IT or OT, Technologist or Policy Maker, Security Researcher or CISO. Our hope is that the second edition of Industrial
Network Security will provide a common frame of reference that will help bring
the industry a little bit closer together. And if you read something that you do not
agree with, we welcome you to give us your unique perspective. Joel Thomas
Langill, Eric D. Knapp, and Raj Samani can be reached on Twitter at @scadahacker, @ericdknapp, and @Raj_Samani, respectively, and we look forward to
continuing the discussion online.
Best Regards,
Eric D. Knapp
Acknowledgments
We, the authors, would like to thank our technical editor Raj Samani and the good
folks at Syngress, Chris Katsaropoulos, and Ben Rearick, and to all of you who contributed feedback and guidance along the way.
We would also like to acknowledge those who created the wealth of standards,
guidelines and reference materials from both industry and governments, as well as
the growing list of security researchers, analysts, technicians, scholars, vendors, operators, integrators, instigators, consultants, spooks, and hackers who have helped to
improve industrial cyber security in their own way – without an active industry of
smart and dedicated people, we would have little to write about.
We would like to thank our online supporters who follow @CyberGridBook,
@EricDKnapp, @SCADAhacker, and @Raj_Samani.
Of course, some people need to be acknowledged personally:
Joel would like to acknowledge his life partner and soul mate Terri Luckett who
has never left his side, and who has supported his passion and devotion to helping
users protect their manufacturing assets from cyber threats. He would also like to
acknowledge his first coach and mentor Keatron Evans who saw the fire in his eyes
and helped him get started in the field of operational security, and Eric Byres who
continues to be not only a friend, but one on whom he depends as a trusted colleague
and advisor. He also would like to acknowledge all those that have supported his
efforts and have helped him realize a vision that one person can make a positive
impact on so many others.
Eric would like to acknowledge his wife Maureen, and the dogs, cats, horse, donkeys, sheep, etc. on “the farm” that keep him grounded and sane … not to mention
self-sustaining should the lights ever go out. In an industry that is inseparably tied to
malicious intent, he has found that having a home full of love, understanding, and patience is truly the best medicine. He would also like to thank his dear friends Ayman
Al-Issa, Raj Samani, Jennifer Byrne, Mohan Ramanathan, and so many others who
have helped him so much along the way.
And finally, we would both like to thank all of our readers; without the success of
the first edition, the second edition would never have been possible.
CHAPTER 1 Introduction
INFORMATION IN THIS CHAPTER
• Book Overview and Key Learning Points
• Book Audience
• Diagrams and Figures
• The Smart Grid
• How This Book Is Organized
• Changes Made to the Second Edition
BOOK OVERVIEW AND KEY LEARNING POINTS
This book attempts to define an approach to industrial network security that
considers the unique network, protocol, and application characteristics of an
Industrial Control System (ICS), while also taking into consideration a variety of common compliance controls. For the purposes of this book, a common
definition of ICS will be used in lieu of the more specific Supervisory Control
and Data Acquisition (SCADA) or Distributed Control System (DCS) terms.
Note that these and many other specialized terms are used extensively throughout the book. While we have made an effort to define them all, an extensive
glossary has also been included to provide a quick reference if needed. If a term
is included in the glossary, it will be printed in bold type the first time that it is
used.
Although many of the techniques described herein—and much of the general guidance provided by regulatory standards organizations—are built upon
common enterprise security methods, references and readily available information security tools, there is little information available about how these apply to
an industrial network. This book attempts to rectify this by providing deployment
and configuration guidance where possible, and by identifying why security
controls should be implemented, where they should be implemented, how they
should be implemented, and how they should be used.
BOOK AUDIENCE
To adequately discuss industrial network security, the basics of two very different
systems need to be understood: the Ethernet and Internet Protocol (IP) networking
communications used ubiquitously in the enterprise, and the control and fieldbus
protocols used to manage and/or operate automation systems.
As a result, this book possesses a bifurcated audience. For the plant operator with
an advanced engineering degree and decades of programming experience for process
controllers, the basics of industrial network protocols in Chapter 4 have been presented within the context of security in an attempt to not only provide value to such
a reader, but also to get that reader thinking about the subtle implications of cyber
security. For the information security analyst with a Certified Information Systems
Security Professional (CISSP) certification, basic information security practices have
been provided within the new context of an ICS.
There is an interesting dichotomy between the two that provides a further challenge. Enterprise security typically strives to protect digital information by securing the users and hosts on a network, while at the same time enabling the broad
range of open communication services required within modern business. Industrial
control systems, on the other hand, strive for the efficiency and reliability of a
single, often fine-tuned system, while always addressing the safety of the personnel, plant, and environment in which they operate. Only by giving the necessary
consideration to both sides can the true objective be achieved—a secure industrial
network architecture that supports safe and reliable operation while also providing
business value to the larger enterprise. This latter concept is referred to as “operational integrity.”
To further complicate matters, there is a third audience—the compliance officer who is mandated with meeting either certain regulatory standards or internal
policies and procedures in order to survive an audit with minimal penalties and/or
fines. Compliance continues to drive information security budgets, and therefore
the broader scope of industrial networks must also be narrowed on occasion to the
energy industries, where (at least in the United States) electrical energy, nuclear
energy, oil and gas, and chemical are tightly regulated. Compliance controls are
discussed in this book solely within the context of implementing cyber security
controls. The recommendations given are intended to improve security and should
not be interpreted as advice concerning successful compliance management.
DIAGRAMS AND FIGURES
The network diagrams used throughout this book have been intentionally simplified and have been designed to be as generic as possible while adequately representing ICS architectures and their industrial networks across a very wide range
of systems and suppliers. As a result, the diagrams will undoubtedly differ from
real ICS designs and may exclude details specific to one particular industry while
including details that are specific to another. Their purpose is to provide a high-level
understanding of the specific industrial network security controls being discussed.
THE SMART GRID
Although the smart grid is of major concern and interest, for the most part it is treated
as any other industrial network within this book, with specific considerations being
made only when necessary (such as when considering available attack vectors). As
a result, there are many security considerations specific to the smart grid that are
unfortunately not included. This is partly to maintain focus on the more ubiquitous
ICS security requirements; partly due to the relative immaturity of smart grid security; and partly due to the specialized and complex nature of these systems. Although
this means that specific measures for securing synchrophasors, meters, and so on, are
not provided, the guidance and overall approach to security that is provided herein
is certainly applicable to smart grid networks. For more in-depth reading on smart
grid network security, consider Applied Cyber Security and the Smart Grid by Eric
D. Knapp and Raj Samani (ISBN: 978-1-59749-998-9, Syngress).
HOW THIS BOOK IS ORGANIZED
This book is divided into a total of 13 chapters, followed by three appendices guiding
the reader where to find additional information and resources about industrial protocols, standards and regulations, and relevant security guidelines and best practices
(such as NIST, ChemITC, and ISA).
The chapters begin with an introduction to industrial networking, and what a
cyber-attack against an industrial control system might represent in terms of potential risks and consequences, followed by details of how industrial networks can be
assessed, secured, and monitored in order to obtain the strongest possible security,
and conclude with a detailed discussion of various compliance controls and how
those specific controls map back to network security practices.
It is not necessary to read this book cover to cover, in order. The book is intended
to offer insight and recommendations that relate to both specific security goals as
well as the cyclical nature of the security process. That is, if faced with performing a
security assessment on an industrial network, begin with Chapter 8; every effort has
been made to refer the reader to other relevant chapters where additional knowledge
may be necessary.
CHAPTER 2: ABOUT INDUSTRIAL NETWORKS
In this chapter, there is a brief primer of industrial control systems, industrial networks, critical infrastructure, common cyber security guidelines, and other terminology specific to the lexicon of industrial cyber security. The goal of this chapter is to
provide a baseline of information from which topics can be explored in more detail in
the following chapters (there is also an extensive Glossary included to cover the abundance of new acronyms and terms used in industrial control networks). Chapter 2 also
covers some of the basic misperceptions about industrial cyber security, in an attempt
to rectify any misunderstandings prior to the more detailed discussions that will follow.
CHAPTER 3: INDUSTRIAL CYBER SECURITY, HISTORY, AND TRENDS
Chapter 3 is a primer for industrial cyber security. It introduces industrial network
cyber security in terms of its history and evolution, by examining the interrelations
between “general” networking, industrial networking, and potentially critical infrastructures. Chapter 3 covers the importance of securing industrial networks, discusses the impact of a successful industrial attack, and provides examples of real
historical incidents—including a discussion of the Advanced Persistent Threat and
the implications of cyber war.
CHAPTER 4: INTRODUCTION TO ICS AND OPERATIONS
It is impossible to understand how to adequately secure an industrial control environment without first understanding the fundamentals of ICSs and operations. These
systems use specialized devices, applications, and protocols because they perform
functions that are different than enterprise networks, with different requirements, operational priorities, and security considerations. Chapter 4 discusses control system
assets, operations, protocol basics, how control processes are managed, and common
systems and applications with special emphasis on smart grid operations.
CHAPTER 5: ICS NETWORK DESIGN AND ARCHITECTURE
Industrial networks are built from a combination of Ethernet and IP networks (to
interconnect general computing systems and servers) and at least one real-time network or fieldbus (to connect devices and process systems). These networks are typically nested deep within the enterprise architecture, offering some implied layers of
protection against external threats. In recent years, the deployment of remote access
and wireless networks within industrial systems have offered new entry points into
these internal networks. Chapter 5 provides an overview of some of the more common industrial network designs and architectures, the potential risk they present,
and some of the methods that can be used to select appropriate technologies and
strengthen these critical industrial systems.
CHAPTER 6: INDUSTRIAL NETWORK PROTOCOLS
This chapter focuses on industrial network protocols, including Modbus, DNP3,
OPC, ICCP, CIP, Foundation Fieldbus HSE, Wireless HART, Profinet and
Profibus, and others. This chapter will also introduce vendor-proprietary industrial
protocols, and the implications they have in securing industrial networks. The basics
How this book is organized
of protocol operation, frame format, and security considerations are provided for
each, with security recommendations being made where applicable. Where properly
disclosed vulnerabilities or exploits are available, examples are provided to illustrate
the importance of securing industrial communications.
CHAPTER 7: HACKING INDUSTRIAL SYSTEMS
Understanding effective cyber security requires a basic understanding of the threats
that exist. Chapter 7 provides a high-level overview of common attack methodologies, and how industrial networks present a unique attack surface with common
attack vectors to many critical areas.
CHAPTER 8: RISK AND VULNERABILITY ASSESSMENTS
Industrial control systems are often more susceptible to a cyber-attack, yet they are
also more difficult to patch due to the extreme uptime and reliability requirements of
operational systems. Chapter 8 focuses on risk and vulnerability assessment strategies that specifically address the unique challenges of assessing risk in industrial
networks, in order to better understand—and therefore reduce—the vulnerabilities
and threats facing these real-time systems.
CHAPTER 9: ESTABLISHING ZONES AND CONDUITS
A strong cyber security strategy requires the isolation of devices into securable
groups. Chapter 9 looks at how to separate functional groups and where functional
boundaries should be implemented, using the Zone and Conduit model originated by
the Purdue Research Foundation in 1989 and later adapted by ISA 99 (now known
as ISA/IEC 62443).
CHAPTER 10: IMPLEMENTING SECURITY AND ACCESS CONTROLS
Once the industrial architecture has been appropriately divided into defined zones
and the associated communication conduits between these zones, it is necessary to
deploy appropriate security controls to enforce network security. Chapter 10 discusses the vital activity of network segmentation and how network- and host-based
security controls are implemented.
CHAPTER 11: EXCEPTION, ANOMALY, AND THREAT DETECTION
Awareness is the prerequisite of action, according to the common definition of situational awareness. Awareness in turn requires an ability to monitor for and detect
threats. In this chapter, several contributing factors to obtaining situational awareness are discussed, including how to use anomaly detection, exception reporting, and
information correlation for the purposes of threat detection and risk management.
CHAPTER 12: SECURITY MONITORING OF INDUSTRIAL CONTROL SYSTEMS
Completing the cycle of situational awareness requires further understanding and
analysis of the threat indicators that you have learned how to detect in Chapter 11.
Chapter 12 discusses how obtaining and analyzing broader sets of information can
help you better understand what is happening, and make better decisions. This
includes recommendations of what to monitor, why, and how. Information management strategies—including log and event collection, direct monitoring, and correlation using security information and event management (SIEM)—are discussed,
including guidance on data collection, retention, and management.
CHAPTER 13: STANDARDS AND REGULATIONS
There are many regulatory compliance standards applicable to industrial network security, and most consist of a wide range of procedural controls that are not easily resolved using information technology. On top of this, there is an emergence of a large
number of industrial standards that attempt to tailor many of the general-purpose IT
standards to the uniqueness of ICS architectures. There are common cyber security
controls (with often subtle but important variations), however, which reinforce the
recommendations put forth in this book. Chapter 13 attempts to map those cyber
security–related controls from some common standards—including NERC CIP,
CFATS, NIST 800-53, ISO/IEC 27002:2005, ISA 62443, NRC RG 5.71, and NIST
800-82—to the security recommendations made within this book, making it easier
for security analysts to understand the motivations of compliance officers, while
compliance officers are able to see the security concerns behind individual controls.
CHANGES MADE TO THE SECOND EDITION
Readers of Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, First Edition,
will find new and updated content throughout the book. However, the largest
changes that have been made include the following:
• Revised diagrams, designed to provide a more accurate representation of industrial systems so that the lessons within the book can be more easily applied in real life.
• Better organization of topics, including major revisions to introductory chapters that are intended to provide a more effective introduction of topics.
• The separation of “hacking methodologies” and “risk and vulnerability assessment” into two chapters, expanding each to provide significantly more detail on each very important subject.
• The inclusion of wireless networking technologies and how they are applied to industrial networks, including important differences between general-purpose IT and specific ICS technology requirements.
• Much greater depth on the subjects of industrial firewall implementation and industrial protocol filtering—important technologies that were in their infancy during the first edition but are now commercially available.
• The inclusion of real-life vulnerabilities, exploits, and defensive techniques throughout the book to provide a more realistic context around each topic, while also proving the reality of the threat against critical infrastructure.
CONCLUSION
Writing the first edition of this book was an education, an experience, and a challenge. In the months of research and writing, several historic moments occurred concerning ICS security, including the first ICS-targeted cyber weapon—Stuxnet. At the
time, Stuxnet was the most sophisticated cyber-attack to date. Since then, its complexity and sophistication have been surpassed more than once, and the frequency of
new threats continues to rise. There is a growing number of attacks, more relevant
cyber security research (from both blackhats and whitehats), and new evidence of
Advanced Persistent Threats, cyber espionage, nation-based cyber privacy concerns,
and other socio-political concerns on what seems like a daily basis. It is for this
reason that Eric D. Knapp (the original author) joined forces with Joel Langill, aka
“SCADAhacker,” for the second edition.
Hopefully, this book will be both informative and enjoyable, and it will facilitate
the increasingly urgent need to strengthen the security of our industrial networks and
automation systems. Even though the attacks themselves will continue to evolve, the
methods provided herein should help to prepare against the inevitable advancement
of industrial network threats.
A Note from Author Eric D. Knapp. Those readers who are familiar with my
works will know that I have an ongoing agreement with Raj Samani, the technical
editor of this book—if either of us mention a certain well-known cyber-attack by
name we must donate $5 as a penance. While this is a rule that I try to live by, this
book predates that agreement and it did not seem fair or appropriate to remove all
mention of that incident. So, the pages herein are exempt. In fact, the incident-that-shall-not-be-named is mentioned twice in this chapter alone; sadly, no one will be
getting $10.
CHAPTER 2
About Industrial Networks
INFORMATION IN THIS CHAPTER
• The Use of Terminology Within This Book
• Common Industrial Security Recommendations
• Advanced Industrial Security Recommendations
• Common Misperceptions About Industrial Network Security
It is important to understand some of the terms used when discussing industrial
networking and industrial control systems, as well as the basics of how industrial networks
are architected and how they operate before attempting to secure an industrial network and its interconnected systems. It is also important to understand
some of the common security recommendations deployed in business networks,
and why they may or may not be truly suitable for effective industrial network
cyber security.
What is an industrial network? Because of a rapidly evolving socio-political landscape, the terminology of industrial networking has become blurred. Terms such as
“critical infrastructure,” “APT,” “SCADA,” and “Smart Grid” are used freely and often incorrectly. It can be confusing to discuss them in general terms not only because
of the diversity of the industrial networks themselves, but also the markets they serve.
Many regulatory agencies and commissions have also been formed to help secure
different industrial networks for different industry sectors—each introducing their
own specific nomenclatures and terminology.
This chapter will attempt to provide a baseline for industrial network cyber security, introducing the reader to some of the common terminology, issues, and security
recommendations that will be discussed throughout the remainder of this book.
THE USE OF TERMINOLOGY WITHIN THIS BOOK
The authors have witnessed many discussions on industrial cyber security fall apart
due to disagreements over terminology. There is a good deal of terminology specific
to both cyber security and to industrial control systems that will be used throughout
this book. Some readers may be cyber security experts who are unfamiliar with industrial control systems, while others may be industrial system professionals who
are unfamiliar with cyber security. For this reason, a conscientious effort has been
CHAPTER 2 About industrial networks
made by the authors to convey the basics of both disciplines, and to accommodate
both types of readers.
Some of the terms that will be used extensively include the following:
• Assets (including whether they are physical or logical assets, and if they are classified as cyber assets, critical assets, and critical cyber assets)
• Enclaves, Zones, and Conduits
• Enterprise or Business Networks
• Industrial Control Systems: DCS, PCS, SIS, SCADA
• Industrial Networks
• Industrial Protocols
• Network Perimeter or Electronic Security Perimeter (ESP)
• Critical Infrastructure.
Some cyber security terms that will be addressed include the following:
• Attacks
• Breaches
• Incidents and Exploits
• Vulnerabilities
• Risk
• Security Measures, Security Controls, or Countermeasures.
These will be given some cursory attention here, as a foundation for the following chapters. There are many more specialized terms that will be used, and
so an extensive glossary has been provided at the back of this book. The first
time a term is used, it will be printed in bold to indicate that it is available in the
glossary.
NOTE
The book title “Industrial Network Security: Securing Critical Infrastructure Networks for Smart
Grid, SCADA, and Other Industrial Control Systems” was chosen because this text discusses all
of these terms to some extent. “Industrial cyber security” is a topic relevant to many industries,
each of which differs significantly in terms of design, architecture, and operation. An effective discussion of cyber security must acknowledge these differences; however, it is impossible to cover
every nuance of DCS, SCADA, Smart Grids, critical manufacturing, and so on. This book will
focus on the commonalities among these industries, providing a basic understanding of industrial
automation, and the constituent systems, subsystems, and devices that are used. Every effort will
also be made to refer to all industrial automation and control systems (DCS, PCS, SCADA, etc.) as
simply industrial control systems or just ICS. It is also important to understand that industrial
networks are one link in a much larger chain comprising fieldbus networks, process control networks, supervisory networks, business networks, remote access networks, and any number of specialized applications, services and communications infrastructures that may all be interconnected
and therefore must be assessed and secured within the context of cyber security. A Smart Grid, a
petroleum refinery, and a city skyscraper may all utilize ICS, yet each represents unique variations
in terms of size, complexity, and risk. All are built using the same technologies and principles, making the cyber security concerns of each similar and the fundamentals of industrial cyber security
equally applicable.
The use of terminology within this book
NOTE
This book does not go into extensive detail on the architecture of Smart Grids due to the complexity
of these systems. Please consult the book “Applied Cyber Security and the Smart Grid”1 if more
detail on Smart Grid architecture and its associated cyber security is desired.
ATTACKS, BREACHES, AND INCIDENTS: MALWARE, EXPLOITS, AND APTs
The reason that you are reading a book titled “Industrial Network Security” is likely
because you are interested in, if not concerned about, unauthorized access to and
potentially hazardous or mischievous usage of equipment connected to an industrial network. This could be a deliberate action by an individual or organization, a
government-backed act of cyber war, the side effect of a computer virus that just
happened to spread from a business network to an ICS server, the unintended consequence of a faulty network card or—for all we know—the result of some astrological alignment of the sun, planets, and stars (aka “solar flares”). While there are
subtle differences in the terms “incident” and “attack”—mostly to do with intent,
motivation, and attribution—this book does not intend to dwell on these subtleties.
The focus in this book is how an attack (or breach, or exploit, or incident) might
occur, and subsequently how to best protect the industrial network and the connected
ICS components against undesirable consequences that result from this action. Did
the action result in some outcome—operational, health, safety or environment—that
must be reported to a federal agency according to some regulatory legislation? Did it
originate from another country? Was it a simple virus or a persistent rootkit? Could
it be achieved with free tools available on the Internet, or did it require the resources
of a state-backed cyber espionage group? Do such groups even exist? The authors of
this book think that these are all great questions, but ones best served by some other
book. These terms may therefore be used rather interchangeably herein.
ASSETS, CRITICAL ASSETS, CYBER ASSETS, AND CRITICAL CYBER ASSETS
An asset is simply a term for a component that is used within an industrial control
system. Assets are often “physical,” such as a workstation, server, network switch,
or PLC. Physical assets also include the large quantity of sensors and actuators used
to control an industrial process or plant. There are also “logical” assets that represent
what is contained within the physical asset, such as a process graphic, a database,
a logic program, a firewall rule set, or firmware. When you think about it, cyber
security is usually focused on the protection of “logical” assets and not the “physical”
assets that contain them. Physical security is that which tends to focus more on
the protection of a physical asset. Security from a general point-of-view can therefore
effectively protect a “logical” asset, a “physical” asset, or both. This will become
more obvious as we develop the concept of security controls or countermeasures
later in this book.
The Critical Infrastructure Protection (CIP) standard by the North American
Electric Reliability Corporation (NERC) through version 4 has defined a “critical
cyber asset” or “CCA” as any device that uses a routable protocol to communicate
outside the electronic security perimeter (ESP), uses a routable protocol within a
control center, or is dial-up accessible.2 This changed in version 5 of the standard by
shifting from an individual asset approach, to one that addresses groupings of CCAs
called bulk electric system (BES) cyber “systems.”3 This approach represents a fundamental shift from addressing security at the component or asset level, to a more
holistic or system-based one.
A broad and more generic definition of “asset” is used in this book, where any component—physical or logical; critical or otherwise—is simply referred to as an “asset.”
This is because most ICS components today, even those designed for extremely basic
functionality, are likely to contain a commercial microprocessor with both embedded
and user-programmable code that most likely contains some inherent communication
capability. History has proven that even single-purpose, fixed-function devices can
be the targets, or even the source, of a cyber-attack, by specifically exploiting weaknesses in a single component within the device (See Chapter 3, “Industrial Cyber
Security History and Trends”). Many devices ranging from ICS servers to PLCs to
motor drives have been impacted in complex cyber-attacks—as was the case during
the 2010 outbreak of Stuxnet (see “Examples of Advanced Industrial Cyber Threats”
in Chapter 7, “Hacking Industrial Control Systems”). Regardless of whether a device
is classified as an “asset” for regulatory purposes, every such device will be treated
as an asset in the context of cyber security.
SECURITY CONTROLS AND SECURITY COUNTERMEASURES
The terms “security controls” and “security countermeasures” are often used, especially when discussing compliance controls, guidelines, or recommendations. They
simply refer to a method of enforcing cyber security—either through the use of a
specific product or technology, a security plan or policy, or other mechanism for
establishing and enforcing cyber security—in order to reduce risk.
FIREWALLS AND INTRUSION PREVENTION SYSTEMS
While there are many other security products available—some of which are highly
relevant to industrial networks—no other term has been used so broadly to describe products
with such widely differing sets of capabilities as “firewall.” The most basic “firewall” must be able
to filter network traffic in at least one direction, based on at least one criterion, such
as IP address or communication service port. A firewall may or may not also be able
to track the “state” of a particular communication session, understanding what is a
new “request” versus what is a “response” to a prior request.
A “deep packet inspection” (DPI) system is a device that can decode network
traffic and look at the contents or payload of that traffic. Deep packet inspection is
typically used by intrusion detection systems (IDS), intrusion prevention systems
(IPS), advanced firewalls and many other specialized cyber security products to detect signs of attack. Intrusion Detection Systems can detect and alert, but do not
block or reject bad traffic. Intrusion Prevention Systems can block traffic. Because industrial
networks require high availability, most general-purpose IPS appliances are less common
on critical networks; IPS is more often applied on upper-level networks where high
availability (typically >99.99%) is not as high a priority. The result is that good
advice can lead to inadequate results simply through the use of overloaded terms when
making recommendations.
NOTE
Most modern intrusion prevention systems can be used as intrusion detection systems by configuring the IPS to alert on threat detection, but not to drop traffic. Because of this, the term “IPS” is now
commonly used to refer to both IDS and IPS. One way to think about IDS and IPS is that an IPS
device that is deployed in-line (a “bump in the wire”) is more capable of “preventing” an intrusion
by dropping suspect packets, while an IPS deployed out-of-band (e.g. on a span port) can be thought
of as an IDS, because it is monitoring mirrored network traffic, and can detect threats but is less able
to prevent them. It may be the same make and model of network security device, but the way it is
configured and deployed indicates whether it is a “passive” IDS or an “active” IPS.
Consider that the most basic definition of a firewall, given earlier, fails to provide
the basic functionality recommended by NIST and other organizations, which advise
filtering traffic on both the source and destination IP address and the associated service
port, bidirectionally. At the same time, many modern firewalls are able to do much
more—looking at whole application sessions rather than isolated network packets, by
filtering application contents, and then enforcing filter rules that are sometimes highly
complex. These unified threat management (UTM) appliances are becoming more
common in protecting both industrial and business networks from today’s advanced
threats. Deploying a “firewall” may be inadequate for some installations while highly
capable at others, depending upon the specific capabilities of the “firewall” and the
particular threat that it is designed to protect the underlying system against. The various network-based cyber security controls that are available and relevant to industrial
networks are examined in detail in Chapter 10, “Implementing Security and Access
Controls” and Chapter 11, “Exception, Anomaly and Threat Detection.”
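As an added illustration that is not part of the book, the following Python sketch contrasts the minimal “firewall” described above (one direction, one criterion) with a bidirectional, stateful policy of the kind NIST recommends (source and destination IP plus service port, with request/response tracking). The hosts, addresses and packets are constructed for the example and do not come from the book.

```python
"""Added example (not from the book): a one-direction, one-criterion packet
filter versus a bidirectional, stateful policy, run over constructed traffic."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "in" = into the control zone, "out" = leaving it
    syn: bool = False   # True for a TCP connection request (a new session)


# Constructed addresses for the illustration (not from the book).
HMI = "10.1.10.5"       # supervisory-zone workstation that legitimately polls the PLC
PLC = "10.1.20.7"       # control-zone PLC speaking Modbus/TCP
OTHER = "10.1.10.99"    # any other host in the supervisory zone
MODBUS_TCP = 502
Session = Tuple[str, int, str, int]


def basic_firewall(pkt: Packet) -> bool:
    """The text's minimal firewall: one direction (inbound), one criterion
    (destination service port). Outbound traffic is not examined at all."""
    if pkt.direction != "in":
        return True
    return pkt.dst_port == MODBUS_TCP


@dataclass(frozen=True)
class Rule:
    direction: str
    src_ip: str
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """NIST-style policy: filter both directions on source IP, destination IP
    and service port, and track session state so that only responses to an
    allowed request are admitted in the reverse direction."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        self.sessions: Set[Session] = set()

    def _permitted_request(self, pkt: Packet) -> bool:
        return any(r.direction == pkt.direction and r.src_ip == pkt.src_ip
                   and r.dst_ip == pkt.dst_ip and r.dst_port == pkt.dst_port
                   for r in self.rules)

    def allow(self, pkt: Packet) -> bool:
        forward: Session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: Session = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.sessions or reverse in self.sessions:
            return True                   # belongs to an already-established session
        if pkt.syn and self._permitted_request(pkt):
            self.sessions.add(forward)    # new session explicitly allowed by a rule
            return True
        return False                      # unsolicited, or no matching rule


# Constructed traffic sample: (label, packet), in arrival order.
TRAFFIC: List[Tuple[str, Packet]] = [
    ("HMI opens Modbus/TCP to PLC",
     Packet(HMI, 40001, PLC, MODBUS_TCP, "in", syn=True)),
    ("PLC answers the HMI",
     Packet(PLC, MODBUS_TCP, HMI, 40001, "out")),
    ("Other host opens Modbus/TCP to PLC",
     Packet(OTHER, 40002, PLC, MODBUS_TCP, "in", syn=True)),
    ("Packet claiming a session that was never opened",
     Packet(OTHER, 40003, PLC, MODBUS_TCP, "in")),
    ("PLC opens an unexpected outbound connection",
     Packet(PLC, 40004, OTHER, 8080, "out", syn=True)),
]


def decisions_basic() -> List[bool]:
    """Verdicts of the one-criterion filter, one per TRAFFIC entry."""
    return [basic_firewall(p) for _, p in TRAFFIC]


def decisions_stateful() -> List[bool]:
    """Verdicts of the bidirectional stateful policy with a single rule:
    only the HMI may initiate Modbus/TCP toward the PLC."""
    fw = StatefulFirewall([Rule("in", HMI, PLC, MODBUS_TCP)])
    return [fw.allow(p) for _, p in TRAFFIC]


if __name__ == "__main__":
    for (label, _), b, s in zip(TRAFFIC, decisions_basic(), decisions_stateful()):
        verdict = lambda ok: "pass" if ok else "drop"
        print(f"{label:<50} basic={verdict(b):<4} stateful={verdict(s)}")
```

The basic filter passes all five packets because it checks only the inbound destination port; the stateful policy admits only the HMI's request and the PLC's response to it.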
INDUSTRIAL CONTROL SYSTEM
An industrial control system (ICS) is a broad class of automation systems used to
provide control and monitoring functionality in manufacturing and industrial facilities. An ICS is actually the aggregate of a variety of system types, including process
control systems (PCS), distributed control systems (DCS), supervisory control and
data acquisition (SCADA) systems, safety instrumented systems (SIS), and many
others. A more detailed definition will be provided in Chapter 4, “Introduction to
Industrial Control Systems and Operations.”
Figure 2.1 is a simplified representation of an ICS consisting of two controllers
and a series of inputs and outputs connecting to burners, valves, gauges, motors, and
so on that all work in a tightly integrated manner to perform an automated task.
The task is controlled by an application or logic running inside the controller, with
local panels or human–machine interfaces (HMIs) used to provide a “view” into the
controller allowing the operator to see values and make changes to how the controller is operating. The ICS typically includes toolkits for creating the process logic
that defines the task, as well as toolkits for building custom operator interfaces or
graphical user interfaces (GUIs) implemented on the HMI. As the task executes, the
results are recorded in a database called an Historian (see Chapter 4, “Introduction to
Industrial Control Systems and Operations” for more information and detail on how
such a system operates).
FIGURE 2.1 Sample industrial automation and control system.
DCS OR SCADA?
Originally, there were significant differences between the architecture of a DCS
and that of a SCADA system. As technology has evolved, these differences have diminished, and it is often unclear whether a particular ICS is in fact
classified as DCS or SCADA. Both systems are designed to monitor (reading data
and presenting it to a human operator and possibly to other applications, such as historians and advanced control applications) and to control (defining parameters and
executing instructions) manufacturing or industrial equipment. These system architectures vary by vendor, but all typically include the applications and tools necessary
to generate, test, deploy, monitor, and control an automated process. These systems
are multifaceted tools, meaning that a workstation might be used for purely supervisory (read only) purposes by a quality inspector, while another may be used to
optimize process logic and write new programs for a controller, while yet a third may
be used as a centralized user interface to control a process that requires more human
intervention, effectively giving the workstation the role of the HMI.
It should be noted that ICSs are often referred to in the media simply as “SCADA,”
which is both inaccurate and misleading. Looking at this another way, a SCADA system
is in fact an ICS, but not all ICSs are SCADA! The authors hope to help clarify this
confusion in Chapter 4, “Introduction to Industrial Control Systems and Operations.”
INDUSTRIAL NETWORKS
The various assets that comprise an ICS are interconnected over an Industrial Network. While the ICS represented in Figure 2.1 is accurate, in a real deployment the
management and supervision of the ICS will be separated from the controls and
the automation system itself. Figure 2.2 shows how an ICS is actually part of a much
larger architecture, consisting of plant areas that contain common and shared applications, area-specific control devices, and associated field equipment, all interconnected
via a variety of network devices and servers. In large or distributed architectures, there
will be a degree of local and remote monitoring and control that is required (i.e. in the
plant), as well as centralized monitoring and control (i.e. in the control room). This
is covered in detail in Chapter 5, “Industrial Network Design and Architecture.” For
now it is sufficient to understand that the specialized systems that comprise an ICS
are interconnected, and this connectivity is what we refer to as an Industrial Network.
FIGURE 2.2 Sample network connectivity of an industrial control system.
INDUSTRIAL PROTOCOLS
Most ICS architectures utilize one or more specialized protocols that may include
vendor-specific proprietary protocols (such as Honeywell CDA, General Electric
SRTP or Siemens S7, and many others) or nonproprietary and/or licensed protocols
including OPC, Modbus, DNP3, ICCP, CIP, PROFIBUS, and others. Many of these
were originally designed for serial communications, but have been adapted to operate over a standard Ethernet link layer using the Internet Protocol with both UDP and
TCP transports, and are now widely deployed over a variety of common network
infrastructures. Because most of these protocols operate at the application layer, they
can be accurately (and often are) referred to as applications. They are referred to as
protocols in this book to separate them from the software applications that utilize
them—such as DCS, SCADA, EMS, historians, and other systems.
THE OPEN SYSTEMS INTERCONNECTION (OSI) MODEL
The OSI model defines and standardizes the function of how a computing system interacts with a
network. Each of seven layers is dependent upon and also serves the layers above and below it, so
that information from an Application (defined at the topmost or Application Layer) can be consistently packaged and delivered over a variety of physical networks (defined by the bottommost or
Physical Layer). When one computer wants to talk to another on a network, it must step through
each layer: Data obtained from applications (Layer 7) are presented to the network (Layer 6) in
defined sessions (Layer 5), using an established transport method (Layer 4), which in turn uses
a networking protocol to address and route the data (Layer 3) over an established link (Layer 2)
using a physical transmission mechanism (Layer 1). At the destination, the process is reversed in
order to deliver the data to the receiving application. With the ubiquity of the Internet Protocol, a
similar model called the TCP/IP Model is often used to simplify these layers. In the TCP/IP model,
layers 5 through 7 (which all involve the representation and management of application data), and
layers 1 and 2 (which define the interface with the physical network) are consolidated into a single
Application Layer and a single Network Interface Layer, respectively. In this book we will reference the OSI model in
order to provide a more specific indication of what step of the network communication process we
are referring to (Figure 2.3).
FIGURE 2.3 The OSI and TCP/IP models.
Because these protocols were not designed for use in broadly accessible or public networks, cyber security was seen as a compensating control and not an inherent
requirement. Now, many years later, this translates to a lack of robustness that makes
the protocols easily accessed—and in turn they can be easily broken, manipulated,
or otherwise exploited. Some are proprietary protocols (or open protocols with many
proprietary extensions, such as Modbus-PEMEX), and as such they have benefited
for some time from the phenomenon of “security by obscurity.” This is clearly no longer
the case with the broader availability of information on the World Wide Web, combined with an increasing trend of industry-focused cyber security research. Many
of the concerns about industrial systems and critical infrastructure stem from the
growing number of disclosed vulnerabilities within these protocols. One disturbing
observation is that in the few years following the Stuxnet attack, many researchers
have found numerous vulnerabilities with open protocol standards and the systems
that utilize them. Little attention has been given to the potential problem of vulnerabilities in the proprietary products that are oftentimes too cost-prohibitive for traditional researchers to procure and analyze. These proprietary systems and protocols
are at the core of most critical industry, and represent the greatest risk should they be
compromised. See Chapter 6, “Industrial Network Protocols” and Chapter 7, “Hacking Industrial Systems” for more detail on these protocols, how they function, and
how they can/have been compromised.
NETWORKS, ROUTABLE NETWORKS, AND NONROUTABLE NETWORKS
The differentiation between Routable and Nonroutable networks is becoming less
common as industrial communications become more ubiquitously deployed over IP.
A “nonroutable” network refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, DNP3, fieldbus, and similar protocols. They
are still networks—they interconnect devices and provide a communication path between digital devices, and in many cases are designed for remote command and control. A “routable” network typically means a network utilizing the Internet Protocol
(TCP/IP or UDP/IP), although other routable protocols, such as AppleTalk, DECnet,
Novell IPX, and other legacy networking protocols certainly apply. “Routable” networks also include routable variants of early “nonroutable” ICS protocols that have
been modified to operate over TCP/IP, such as Modbus over TCP/IP, Modbus/
TCP, and DNP3 over TCP/UDP. ICCP represents a unique case in that it is a relatively new protocol developed in the early 1990s, which allows both a point-to-point
version and a wide-area routed configuration.
Routable and nonroutable networks would generally interconnect at the demarcation between the Control and Supervisory Control networks, although in some cases
(depending upon the specific industrial network protocols used) the two networks
overlap. This is illustrated in Figure 2.4 and is discussed in more depth in Chapter 5,
“Industrial Control System Network Design and Architecture” and Chapter 6, “Industrial Network Protocols.”
FIGURE 2.4 Routable and Nonroutable areas within an industrial control system.
These terms were popularized through NERC CIP regulations, which imply that a
routable interface can be easily accessed by the network either locally or remotely
(via adjacent or public networks) and therefore requires special cyber security
consideration; and conversely that nonroutable networks are “safer” from a
network-based cyber-attack. This is misleading and can prevent the development of
a strong cyber security posture. Today, it should be assumed that all industrial
systems are connected either directly or indirectly to a “routable” network, whether
or not they are connected via a routable protocol. Although areas of industrial
networks may still be connected using serial or bus networks that operate via
specific proprietary protocols, these areas can be accessed via other interconnected
systems that reside on a larger IP network. For example, a PLC may connect to
discrete I/O over legacy fieldbus connections. If considered in isolation, this would
be a nonroutable network. However, if the PLC also contains an Ethernet uplink
to connect to a centralized ICS system, the PLC can be accessed via that network
and then manipulated to alter communications on the “nonroutable” connections.
To further complicate things, many devices have remote access capabilities, such
as modems, infrared receivers, radio or other connectivity options that may not
be considered “routable”...
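The PLC-with-an-uplink argument above, as an added example that is not the book's own code: a small Python check over a constructed asset inventory that labels each device "routable" or "nonroutable" when looked at in isolation, then walks every link regardless of medium to show which "nonroutable" devices an IP-side entry point can still reach. The device names, media and inventory are assumptions made for the example.

```python
from collections import defaultdict, deque

# Media this example treats as "routable" (IP-capable). Assumption, not from the book.
ROUTABLE_MEDIA = {"ethernet", "wifi"}

# Constructed inventory (not from the book): (device_a, device_b, medium).
LINKS = [
    ("corp_firewall", "scada_server", "ethernet"),
    ("hmi", "scada_server", "ethernet"),
    ("scada_server", "plc1", "ethernet"),   # plc1 has an Ethernet uplink
    ("plc1", "io_rack1", "fieldbus"),       # legacy fieldbus to discrete I/O
    ("plc2", "io_rack2", "fieldbus"),       # plc2 has no IP connection at all
]

def adjacency(links):
    """Undirected graph: device -> set of (neighbour, medium)."""
    graph = defaultdict(set)
    for a, b, medium in links:
        graph[a].add((b, medium))
        graph[b].add((a, medium))
    return graph

def classify_in_isolation(device, graph):
    """The naive label: 'routable' only if some attached link carries IP."""
    media = {m for _, m in graph[device]}
    return "routable" if media & ROUTABLE_MEDIA else "nonroutable"

def reachable_from(entry, graph):
    """BFS across *all* media: a multi-homed PLC bridges IP and fieldbus."""
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt, _ in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def assess(links, entry="corp_firewall"):
    """Per device: (label in isolation, reachable from the routable entry point)."""
    graph = adjacency(links)
    exposed = reachable_from(entry, graph)
    return {d: (classify_in_isolation(d, graph), d in exposed) for d in graph}

if __name__ == "__main__":
    for device, (label, exposed) in sorted(assess(LINKS).items()):
        flag = "  <- indirectly exposed" if label == "nonroutable" and exposed else ""
        print(f"{device:14} {label:12}{flag}")
```

In the constructed inventory, io_rack1 is "nonroutable" in isolation yet reachable through plc1's uplink, while io_rack2 behind the IP-less plc2 is not.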