Index
A
Address resolution protocol (ARP), 228
Adobe portable document format (PDF) exploits, 197
Advanced metering infrastructure (AMI), 80, 81, 118, 162
  security recommendations, 164
Advanced persistent diligence, 51
  defense-in-depth (DiD) approach, 51
Advanced persistent threats (APTs), 47, 48, 191
  digital communication, and, 42, 43
  mechanisms used by commercial SIEMs, 381
  NRC RG 5.71 standard, 381
American national standards institute (ANSI), 390, 412
American petroleum institute (API), 398
ANSI/ISA 84.00.01 standards, 210
Antivirus software (AVS), 224
Antivirus techniques, 315
Application behavior whitelists, 337
  examples in enterprise networks, 337
  examples in industrial networks, 337
Application data monitors, 305
Application-layer firewall, 131
Application monitoring tools, 338
Applications session details, from an application monitor, 360
  critical cyber assets (CCA), 11, 12
  critical digital asset, 16
  inventory and documentation, 223
Attack surface
Attack vectors
Automatic generation control (AGC) system, 174
Automation systems, 42, 80, 187
B
  inter-control center protocol (ICCP), 122
  object linking and embedding for process control (OPC), 122
Baselines, measuring of, 327
  behavioural blueprint, 333
Basic process control system (BPCS), 78, 115
Battelle energy alliance (BEA), 304
Behavioral anomaly detection, 326
Behavioral whitelisting, 333
Beneficial whitelists, examples of, 338, 339
Black hat, information security conferences, 213
Blacklist security mechanisms, 339
Business information consoles, 68
Business information management systems (BIMS), 75
Business intelligence management, 74
C
Cannibalistic mutant underground malware, 202
Carrier sense multiple access (CSMA), 143
Centre for the protection of national infrastructure (CPNI), 396
Certes networks enforcement point (CEP), 369
Certified information systems security professional (CISSP) certification
CFATS risk-based performance standards (RBPS), 412
Class of service (CoS), 112
Closed-circuit television (CCTV) systems, 69
Code of federal regulations (CFR), 392, 411
Collision domain (CD), 143
  windows XP professional, 234
Commercial off-the-shelf (COTS) technologies, 121
Common criteria’s framework, 399
  evaluation assurance level (EAL), 399
  protection profiles (PP), 399
  security assurance requirements (SARs), 399
  security functional requirements (SFRs), 399
  security target (ST), 399
Common event expression framework, 344
Common event format (CEF), 345
Common vulnerabilities and exposures (CVE), 247
Common vulnerability scoring system (CVSS), 53, 252
  environmental metric, 252
Communication channels, 261
Communication flow
  represented as connections, 89
  represented as sessions, 88
Component object model (COM), 150
Computer forensics tool testing (CFTT), 204
Computer integrated manufacturing (CIM), 261
Concurrent time domain multiple access (CTDMA), 143
Conditional formatting feature, 256, 257
Configuration auditing, 250
Configuration management (CM), 358
Configuration monitoring, 358
Content management system (CMS), 363
Control and information protocol (CIP), 142, 143
  security recommendations, 144
Control data storage, 270
  data historian system, 270, 271
  network attached storage (NAS) devices, 270
  storage area networks (SAN), 270
Controller area network (CAN), 142
  supervisory controls, 268
Control processes, 72, 76
Control systems
  assets
Critical cyber asset (CCA), 12
Critical infrastructure, 26
  critical systems and assets, 26
  homeland security presidential directive seven (HSPD-7), 26
Critical infrastructure protection (CIP), 12, 286, 387
Critical national infrastructures, 26
  homeland security presidential directive seven (HSPD-7), 26
Cross-source correlation, 345, 346
Cyber asset whitelists, 335, 336
  espionage
  sabotage
Cyber-attacks, common methods of, 186
  denial-of-service attacks, 187
  engineering workstation, compromising the, 189
  exploitation of functionality, 186
  exploitation of vulnerabilities, 186
  human–machine interface (HMI), compromising the, 189
  man-in-the-middle attacks, 186
Cyber-attacks, industrial targets of, 174, 175
  access control system, 175
  analyzer management system, 175
  asset management system, 175
  condition monitoring system, 175
  identity and access management (IAM) server, 174
  industrial applications, 174
  web-based applications, use of, 196
  critical infrastructure, 10
  electronic security perimeter (ESP), 10
  guidelines
  industrial control systems, 10
  North American Electric Reliability Corporation (NERC) CIP regulations, 19
  operational security, 210
  procurement language, 334
Cyber security evaluation tool (CSET), 220–222
Cyber-threat
Cyber threat, evolution of, 44
  marconi wireless telegraph system, 44
D
Dashboards utilizing technologies, 75
Database activity monitors (DAMs), 368
  hardware and software inventory, 227
  industrial networks scanning, 227
Data diodes and unidirectional gateways, 308, 309
  fiber-optic connection, 308
  contextual information collection, 344
  log management system based scrutiny, 344
  unidirectional gateway, 75
Data link layer segmentation, 100
Data monitoring methods, 352
Deep packet inspection, 113
Deep-packet inspection (DPI), 291–293
Deep packet inspection (DPI) system, 13
DEFCON, information security conferences, 213
Demilitarized zone (DMZ), 23, 286
Denial-of-service attacks, 187
  Loss of Control (LoC), 187
Department of energy (DoE), 304
Department of Homeland Security (DHS), 334, 387, 396
Distributed component object model (DCOM), 150
Distributed control system (DCS), 14, 15, 219
Distributed network protocol (DNP), 130
  industrial network architecture, within, 137
  security recommendations, 138
Domain name system (DNS), 235
DREAD model, consequence estimation, 254, 255
  vendor reference architecture, in, 95
Dynamic host configuration protocol (DHCP), 235, 344
Dynamic trunking protocol (DTP), 102
E
Electromagnetic interference (EFI), 130
Electronic security perimeter (ESP), 10
  North American Electric Reliability Corporation (NERC) CIP regulations, 24
  perimeter, definition of, 24
Energy management systems (EMS), 118
Engineering workstation (EWS), 189
Enterprise security
  security recommendations, 148
Ethernet, 88, 94, 96, 121, 127, 141, 144, 148, 161, 230
  implementation, real-time methods, 142
Ethernet industrial protocol, 142
  control and information protocol (CIP), 142
  EtherNet/IP zone protection, 145
  security recommendations, 144
Ethernet/IP protocol, exploitation of, 199
  control processing unit (CPU) crashing, 199
  device boot code, dumping of, 199
Ethernet network design, 90
  security recommendations, 149
Ethernet, redundancy in, 90
  vendor reference architecture, 90
European Union Agency for Network and Information Security (ENISA), 214, 387
  correlation rules comparing, 341
  event streams, analysis of, 341
Exception reporting, 324, 325
Exploitation of functionality, 198
F
False positives, definition of, 354
Federal Energy Regulatory Commission (FERC), 388, 411
Federal information processing standards (FIPS), 388, 399, 405
Federal information security management act (FISMA), 38, 388
  distributed network protocol (DNP3), 122
  Modicon communication bus (Modbus), 122, 123
File integrity monitoring (FIM), 358
FIPS 140-2 standards, 405
  configuration guidelines, 293, 296
Forum of Incident Response and Security Teams (FIRST), 252
  basic process control, 266
  control data storage, 266
  peer-to-peer control processes, 266
  supervisory controls, 266
  trading communications, 266
G
Graphical user interface (GUI), 76
General client interface (GCI), 108
Graphical user interfaces (GUIs), 14
H
Hacking methodologies
Hardware and software inventory, 239
HART communication protocol, 108
Hazards and operability analysis (HAZOP), 210
Higher layer segmentation, 99
Home energy management systems (HEMS), 80
Homeland security presidential directive seven (HSPD-7), 26
Host cyber security systems, 311
Host security and access controls, implementing of, 309
  security information and event management systems, 316
I
ICS application software, 334
Idaho national lab (INL), 304
Identity and access management (IAM), 272, 334, 364
  oracle identity management, 364
  securonix identity matcher, 364
Identity and authorization management (IAM) systems, 218
  microsoft active directory, 218
IDS/IPS configuration guidelines, 295, 300
IDS/IPS rules, recommended, 301
IEC 61508/61511 standards, 210
Industrial control system (ICS) architectures
Industrial control system (ICS) designs
Industrial activity reports, 379, 380
Industrial application layer attacks, 198
Industrial applications, 198
  data historians support multiple methods, 75
Industrial assets security, 41
Industrial automation and control system (IACS), 14, 392
Industrial Control System Cyber Emergency Response Team (ICS-CERT), 191, 220
Industrial control systems (ICS), 11, 14, 41, 387
  deployment errors
  distributed control system (DCS), 14
  errors of complacency
  fundamentals
  graphical user interfaces (GUIs), 14
  human–machine interfaces (HMIs), 14
  misconfigurations
  mistakes
  network design
  operational aspects of, 52
  operations
  pitfalls
  process control system (PCS), 14
  protocols, modified
  safety instrumented system (SIS), 14
  supervisory control and data acquisition (SCADA) system, 14
Industrial cyber security
Industrial firewall implementation
Industrial network cyber security
Industrial networking, 87
  Internet protocol (IP) based, 87
Industrial network protocols, 75, 121
  CIP
  Foundation fieldbus HSE
  ICCP
  Profibus
  Profinet
  Wireless HART
  Zigbee
  business networks, comparison between, 88
  components availability, 220
  data communication integrity, 220
  functional demarcation, 82
  industrial control systems (ICS), components of, 59
Industrial network security, 41
  2010 Black Hat USA conference, 44
  Red Tiger Security, research by, 43
  regulatory compliance standards
Industrial network security, documents of, 412
  ANSI/ISA-99.00.01-2007, 412
  ANSI/ISA-99.02.01-2009, 412
  ANSI/ISA-TR99.00.01-2007, 412
Industrial network security mapping, 395
  compensating controls, use of, 396
Industrial network security, misperceptions of, 36
Industrial networks scanning, 228
  network mapper (nmap), 228
  wireshark dissectors, 230
  microsoft message analyzer, 231
  vulnerability scanners, 229
Industrial network tuning, 355
Industrial protocol (IP), 338
  filtering
Industrial protocols, 16
  open systems interconnection (OSI) model, 17
Industrial protocols, history-oriented, 75
  OPC historical data access (OPC-HDA), 75
Industrial protocol simulators, 164
  distributed network protocol 3 (DNP3), 165
  inter-control center communications protocol (ICCP), 165
  object linking and embedding (OLE) for process control (OPC), 165
Industrial security recommendations, 29
  critical systems, identification of, 29
  critical assets, NRC’s logical map for, 30
  functional zones, topological layers of, 37
  open systems interconnection (OSI) model, 37
  subnetworks, topological layers of, 37
  systems, isolation of, 31
  demilitarized zones (DMZs), functional, 31
  functional groups, separation of, 32
  service segmentation methods, 32
Industrial security recommendations, advanced, 35
  application whitelisting, 36
Industrial systems
Industrial systems risks, 210
  on-site control systems engineer, 210
  package equipment supplier, 210
  people’s liberation army unit 61398, 210
  vendor site support specialist, 210
Information collection and management tools, 370
  log management systems, 372, 373
  security information and event management systems, 372, 374
  splunk security operation center, 373, 375
Information security
Institute for Security and Open Methodologies, 398
Integrated control systems, 319
Intelligent electronic devices (IEDs), 64, 98, 268, 352
Inter-control center communications protocol (ICCP), 157
  industrial control system (ICS)-aware intrusion protection system, 162
  industrial network architecture, within, 160
  security recommendations, 160
International Electrotechnical Commission (IEC), 158, 390, 413
International Organization for Standardization (ISO), 211, 214, 387
International Society of Automation, 388
International Standards Association (ISA), 412
International Standards Organization (ISO), 413
Internet control message protocol (ICMP), 228
Internet protocol (IP)
Intrusion detection system (IDS), 13, 353, 405
Intrusion prevention systems (IPS), 13
ISA-62443 security standards, 275
ISA-62443 zone and conduit model, 22
ISO/IEC 27002 standard, 390
IT/OT metrics, analysis of, 332
IT/OT systems correlation, 347, 348
J
Java database connectivity (JDBC), 75
K
Keyboard video mouse (KVM) switching system, 68
Key performance indicator (KPI), 210
L
Layer 2 network segmentation, 105
Layer 4-7 segmentation, 100
Lightweight directory access protocol (LDAP), 334, 363
Liquefied natural gas (LNG), 388
Live host identification, 231
Logical network boundaries, 266
Logical segmentation, 104, 105
Log storage and retention, 382, 383
  write once read many (WORM) drives, use of, 382
M
  social networking, and, 200
Malware infection, dealing with, 203
  disk images, cloning of, 203
  engineer-detected malware, reversing of, 203
  safe and reliable manufacturing process, 203
Malware infections, advanced, 204
Malware, weaponized, 47, 48
Man-in-the-middle (MitM) cyber attacks, 174, 186
Master boot record (MBR), 225
Master terminal unit (MTU), 63
Meter data management system (MDMS), 118
Microsoft active directory, 363
Microsoft baseline security analyzer (MBSA), 249
Modbus Plus (Modbus+), 126, 127
  cisco discovery protocol, 356
  internet control message protocol, 356
  internet group management protocol, 356
  internet protocol version 6, 356
  link layer discovery protocol, 356
  link-layer multicast name resolution, 356
  web services discovery protocol, 356
  windows NetBIOS traffic, 356
Modicon communication bus (Modbus), 122–125
  application layer messaging protocol, 123
  industrial network architecture, within, 128
  modbus protocol transaction, 125
  protocol data units (PDUs), 123
  authentication, lack of, 129
  broadcast suppression, lack of, 129
  message checksum, lack of, 129
  security recommendations, 129
Monitoring user identities, 362
N
National Institute of Standards and Technology (NIST), 214, 387, 392
National Petrochemical and Refiners Association (NPRA), 398
National Security Agency, 397
National Vulnerability Database (NVD), 247
Network attached storage (NAS), 270
Network behavior anomaly detection (NBAD), 326, 365
Network diagrams
Network layer segmentation, 100
Network management systems (NMSs), 75
Networks
  functional groups, definition of, 268
  network segmentation, 266
  access control lists (ACLs), 263
  traffic, analysis of, 113
  application monitors, 290
  industrial protocol filters, 290
  network whitelisting devices, 290
  local control networks, 98
  plant control networks, 98
  supervisory control networks, 98
  identity and access management (IAM), 106
  principle of least route, 106
Network statistics commands, 236
  process identification (PID), 236
Next-generation firewalls (NGFW), 52
  command and control (C2) servers, 49
  remote administration toolkits (RATs), 49
NIST SP 800-82 standard, 392
Nmap scripting engine (NSE), 228
Nonroutable networks, 18, 19
Normalization process, 343
North American Electric Reliability Corporation (NERC), 12, 276, 286, 387
North American Electric Reliability Corporation Critical Infrastructure Protection, 351
North American Reliability Corporation, 411
North American Reliability Corporation Critical Infrastructure Protection (NERC CIP), 411
  reliability standards, 389
  critical infrastructure security, 389
NRC regulation 5.71 standard, 392
Nuclear Regulatory Commission (NRC), 262, 288, 387
O
Object linking and embedding (OLE), 150
Object linking and embedding database (OLEDB), 75
Object linking and embedding (OLE) for process control (OPC), 150–152, 157
  client–server communications, 153
  industrial control system (ICS)-aware intrusion protection system, 157
  industrial network architecture, within, 154
  legacy authentication services, 156
  OPC server integrity, 156
  security recommendations, 156
On-site control system engineer, 212
Open database connectivity (ODBC), 75
Open information security foundation (OISF), 298
Open source intelligence (OSINT), 46
Open source security information management (OSSIM), 370, 377
Open-source security testing methodology manual (OSSTMM), 398
Open source vulnerability database (OSVDB), 53
Open-source vulnerability database (OSVDB), 247
Operational technology (OT), 352
P
  security conduit establishment, 317
  vulnerability management, 316, 318
Patch management strategy, 303
PDF. See Portable document format (PDF)
Penetration testing tools
Penetration testing utilities, 44
Physical-layer controls, 104
Physical layer segmentation, 100
Physical-layer separation, 104
Physical segmentation, 104
Physical separation of systems, 104
Plant level control processes, 268, 270
Plant safety design, protection layers, 79
Port’s VLAN ID (PVID), 96
Predeployment testing, 319
Principle of least privilege, 107, 261
Principle of least route, 107, 261
  integrated control systems, 319
Process control system (PCS), 14, 26, 78
Process fieldbus (PROFIBUS), 139
  fieldbus message specification (FMS), 139
  security recommendations, 141
Process hazard analysis (PHA), 210
Production information management, 73
PROFIBUS isochronous real time (IRT), 146
  security recommendations, 147
Programmable logic controllers (PLCs), 59, 98, 352
  operational flow diagram, 63
  sequential function charts (SFC), 62
Programmable logic relays (PLRs), 59
Protocol anomaly detection, 305
Protocol data units (PDU), 337
Protocol monitoring, in industrial networks, 305
  application data monitors, 305
  industrial security devices, 305, 306
  secure crossing zenwall access control module, 305
  tofino security appliance, 305
Protocols, device uses in industrial networks, 274, 275
Purdue reference model, 45
Purpose-built network, 107
Q
Quality function deployment (QFD), 256
Quality of service (QoS), 112
  event correlation editor, 378, 379
  user activity filtration, 378
R
Real-life vulnerabilities
Regulatory compliance standards
  CFATS
  CIP
  ISA 62443
  ISO/IEC 27002:2005
  NERC
  NIST 800-53
  NIST 800-82
  NRC RG 5.71
Regulatory guide (RG), 412
Relational database management system (RDBMS), 68
Reliability standards, 388
  application layer firewalls, 272
  end-point policy enforcement, 272
  external conduit zones, 272
  industrial control systems (ICS), and, 108
  point-to-point authorization, 272
  trusted conduit zones, 272
Remote access servers (RAS), 272
Remote access toolkit (RAT), 190
Remote administration toolkits (RATs), 49
Remote procedure calls (RPC), 85
Repository for industrial security incidents (RISI), 45
Repository of industrial security incidents (RISI), 53
Risk assessment
Risk assessment methodologies, 215, 216
Risk-based performance standards (RBPS), 389
  metric 8.2.1 standard, 389
Risk-based performance standards (RBPSs), 412
Risk classification and ranking, 253
  estimation strategies, 254
  operational security, 213
  security flaws identification, 211
  vulnerabilities identification, 211
ROC800L liquid hydrocarbon remote controller, 65
Role-based access control (RBAC), 273
Routable networks, 18, 19
Rule-less detection systems, 304
S
  principle of least privilege, 115
  probability of failure on demand (PFD), 114
  safety integrity level (SIL), 114
Safety integrity level (SIL), 275
Secure development lifecycle (SDLC), 395
Secure distributed network protocol 3 (DNP3), 133–135
Security
  assessment
  device configurations, 288
  information management, 376
  achieved security level, 276
  capability security level, 276
  foundation requirements (FR), 276
  requirement enhancements (RE), 276
  system requirements (SR), 276
  target security level, 276
  vulnerability assessments, 218
  physical access to assets, 264
  communication assets assigning, 278
  security conduits documentation, 279
  technology, allowing of, 278
  vulnerabilities evaluation, 279
  anomaly detection systems, 111
  attack vectors, minimizing of, 110
  demilitarized zone (DMZ) security, 110
  network-based security control, deployment of, 110
  principle of least privilege, 110
  secured application server, 110
  security information and event management systems (SIEMs), 110
Security device event exchange protocol (SDEE), 369
Security information and event management systems (SIEMs), 75, 288, 326
Security policy development, 288
  vulnerabilities, discovering of, 216
Security vulnerability assessment (SVA), 398
Segregation methodologies, 97
Sequential function charts (SFC), 62
SERCOS. See Serial real-time communications system (SERCOS)
Serial real-time communications system III (SERCOS III), 149
  security recommendations, 150
Service level agreements (SLA), 216
Shallow packet inspection, 291
Shamoon, components of, 195
Situational awareness
Skywiper, modules in, 195, 196
  deployment, components of, 80
  expanding attack surfaces, 117
  security recommendations, 164
Social engineering toolkit (SET), 198, 201
  sites, industrial networks, 200
Software development lifecycle (SDL), 254
Standards and practices committee 99 (SP99), 392
Statistical process control (SPC), 73, 327
Statistical quality control (SQC), 73, 327
Storage area networks (SAN), 270
Structured query language (SQL), 377
  lessons learned from, 193, 194
Supervisory control and data acquisition (SCADA)
Supervisory controls, 268, 269
  human–machine interface (HMI), 268
Supervisory workstation, 67
  control system components
  human–machine interfaces (HMIs), 59
  intelligent electronic device (IED), 59
  programmable logic controllers (PLCs), 59
  remote terminal units (RTUs), 59, 63
  field components
System availability management, 317
System characterization, 223
  business information management, 74
  production information management, 73
T
TASE.2. See Inter-control center communications protocol (TASE.2)
Telecontrol application service element (TASE), 158
Testing and assessment methodology establishment, 219
Theoretical assessment tests, 220
  online versus offline, 221, 223
  white box versus black box, 222, 223
  local privileges elevation, 340
  persistent access, creating of, 340
  track covering leaving indicators, 340
Threat identification, 241, 242
  system characterization, 241
Tofino industrial security appliance, 355
Tofino security appliance, 305
Trading communications, 271
  Inter-control center communication protocol (ICCP), 271
Triangle microworks communication protocol test harness, 165
Trojanized ICS software, 313
Type of service (ToS), 112, 314
U
Unified compliance framework (UCF), 396
Unified threat management (UTM), 290
United States Department of Homeland Security (DHS), 412
United States Nuclear Regulatory Commission (NRC), 411
US Department of Homeland Security (DHS), 43, 220, 222
V
Variable frequency drives (VFD), 191
Variable-length subnet masking (VLSM), 287
  ethernet packet header, 267
  dynamic trunking protocol (DTP), 102
Vulnerability assessments, 218
Vulnerability identification, 246, 247
  man-in-the-middle (MitM) attacks, 246
Vulnerability management, 316, 318
Vulnerability prioritization, 251
Vulnerability scanners, 246
Vulnerability scanning, 246
  aggressiveness control, 249
W
Waterfall security, protocol support, 308, 310
Weaponized industrial cyber threats, 190
Wide area connectivity, 115
Wide area network (WAN), 115
Windows Management Instrumentation Command-line (WMIC), 236
Windows event collector, 356
Windows File Protection (WFP), 358
Windows management instrumentation (WMI), 236, 356
Wireless access point (WAP), 283
Wireless industrial networking, 108
Wireless mesh topologies, 94
  industrial control systems (ICS) architectures, and, 108
  technologies
X
Z
  demilitarized zone (DMZ), 286
Zones
  based on protocol use, 275
  demilitarized zone (DMZ), 23
Zone segmentation, 86, 97
  industrial control systems (ICS), and, 86