Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Industrial Cybersecurity
  • Toc
  • feedback
Industrial Cybersecurity

Industrial Cybersecurity

By : Pascal Ackerman
4.6 (12)
close
Industrial Cybersecurity

Industrial Cybersecurity

4.6 (12)
By: Pascal Ackerman

Overview of this book

With Industrial Control Systems (ICS) expanding into traditional IT space and even into the cloud, the attack surface of ICS environments has increased significantly, making it crucial to recognize your ICS vulnerabilities and implement advanced techniques for monitoring and defending against rapidly evolving cyber threats to critical infrastructure. This second edition covers the updated Industrial Demilitarized Zone (IDMZ) architecture and shows you how to implement, verify, and monitor a holistic security program for your ICS environment. You'll begin by learning how to design security-oriented architecture that allows you to implement the tools, techniques, and activities covered in this book effectively and easily. You'll get to grips with the monitoring, tracking, and trending (visualizing) and procedures of ICS cybersecurity risks as well as understand the overall security program and posture/hygiene of the ICS environment. The book then introduces you to threat hunting principles, tools, and techniques to help you identify malicious activity successfully. Finally, you'll work with incident response and incident recovery tools and techniques in an ICS environment. By the end of this book, you'll have gained a solid understanding of industrial cybersecurity monitoring, assessments, incident response activities, as well as threat hunting.
Table of Contents (26 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: ICS Cybersecurity Fundamentals
Section 1: ICS Cybersecurity Fundamentals
Free Chapter
2
Chapter 1: Introduction and Recap of First Edition
Chapter 1: Introduction and Recap of First Edition
Industrial Cybersecurity – second edition
Recap of the first edition
What is an ICS?
Summary
3
Chapter 2: A Modern Look at the Industrial Control System Architecture
Chapter 2: A Modern Look at the Industrial Control System Architecture
Why proper architecture matters
Industrial control system architecture overview
Summary
4
Chapter 3: The Industrial Demilitarized Zone
Chapter 3: The Industrial Demilitarized Zone
The IDMZ
What makes up an IDMZ design?
Example IDMZ broker-service solutions
Summary
5
Chapter 4: Designing the ICS Architecture with Security in Mind
Chapter 4: Designing the ICS Architecture with Security in Mind
Typical industrial network architecture designs
Designing for security
Security monitoring
Summary
6
Section 2:Industrial Cybersecurity – Security Monitoring
Section 2:Industrial Cybersecurity – Security Monitoring
7
Chapter 5: Introduction to Security Monitoring
Chapter 5: Introduction to Security Monitoring
Security incidents
Passive security monitoring
Active security monitoring
Threat-hunting exercises
Security monitoring data collection methods
Putting it all together – introducing SIEM systems
Summary
8
Chapter 6: Passive Security Monitoring
Chapter 6: Passive Security Monitoring
Technical requirements
Passive security monitoring explained
Security Information and Event Management – SIEM
Common passive security monitoring tools
Setting up and configuring Security Onion
Exercise 1 – Setting up and configuring Security Onion
Exercise 2 – Setting up and a configuring a pfSense firewall
Exercise 3 – Setting up, configuring, and using Forescout's eyeInsight (formerly known as SilentDefense)
Summary
9
Chapter 7: Active Security Monitoring
Chapter 7: Active Security Monitoring
Technical requirements
Understanding active security monitoring
Exercise 1 – Scanning network-connected devices
Exercise 2 – Manually inspecting an industrial computer
Summary
10
Chapter 8: Industrial Threat Intelligence
Chapter 8: Industrial Threat Intelligence
Technical requirements
Threat intelligence explained
Using threat information in industrial environments
Acquiring threat information
Creating threat intelligence data out of threat information
Exercise – Adding an AlienVault OTX threat feed to Security Onion
Summary
11
Chapter 9: Visualizing, Correlating, and Alerting
Chapter 9: Visualizing, Correlating, and Alerting
Technical requirements
Holistic cybersecurity monitoring
Exercise 1 – Using Wazuh to add Sysmon logging
Exercise 2 – Using Wazuh to add PowerShell Script Block Logging
Exercise 3 – Adding a Snort IDS to pfSense
Exercise 4 – Sending SilentDefense alerts to Security Onion syslog
Exercise 5 – Creating a pfSense firewall event dashboard in Kibana
Exercise 6 – Creating a breach detection dashboard in Kibana
Summary
12
Section 3:Industrial Cybersecurity – Threat Hunting
Section 3:Industrial Cybersecurity – Threat Hunting
13
Chapter 10: Threat Hunting
Chapter 10: Threat Hunting
What is threat hunting?
Threat hunting in ICS environments
What is needed to perform threat hunting exercises?
Threat hunting is about uncovering threats
Correlating events and alerts for threat hunting purposes
Summary
14
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Chapter 11: Threat Hunt Scenario 1 – Malware Beaconing
Forming the malware beaconing threat hunting hypothesis
Detection of beaconing behavior in the ICS environment
Investigating/forensics of suspicious endpoints
Using indicators of compromise to uncover additional suspect systems
Summary
15
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
chevron up
Chapter 12: Threat Hunt Scenario 2 – Finding Malware and Unwanted Applications
Technical requirements
Forming the malicious or unwanted applications threat hunting hypothesis
Detection of malicious or unwanted applications in the ICS environment
Investigation and forensics of suspicious endpoints
Using discovered indicators of compromise to search the environment for additional suspect systems
Summary
16
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Chapter 13: Threat Hunt Scenario 3 – Suspicious External Connections
Forming the suspicious external connections threat hunting hypothesis
Ingress network connections
Summary
17
Section 4:Industrial Cybersecurity – Security Assessments and Intel
Section 4:Industrial Cybersecurity – Security Assessments and Intel
18
Chapter 14: Different Types of Cybersecurity Assessments
Chapter 14: Different Types of Cybersecurity Assessments
Understanding the types of cybersecurity assessments
Risk assessments
Red team exercises
Blue team exercises
Penetration testing
How do ICS/OT security assessments differ from IT?
Summary
19
Chapter 15: Industrial Control System Risk Assessments
Chapter 15: Industrial Control System Risk Assessments
20
Chapter 16: Red Team/Blue Team Exercises
Chapter 16: Red Team/Blue Team Exercises
Red Team versus Blue Team versus pentesting
Red Team/Blue Team example exercise, attacking Company Z
Summary
21
Chapter 17: Penetration Testing ICS Environments
Chapter 17: Penetration Testing ICS Environments
Practical view of penetration testing
Why ICS environments are easy targets for attackers
Typical risks to an ICS environment
Modeling pentests around the ICS Kill Chain
Pentesting results allow us to prioritize cybersecurity efforts
Pentesting industrial environments requires caution
Exercise – performing an ICS-centric penetration test
Summary
22
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
Section 5:Industrial Cybersecurity – Incident Response for the ICS Environment
23
Chapter 18: Incident Response for the ICS Environment
Chapter 18: Incident Response for the ICS Environment
What is an incident?
What is incident response?
Incident response processes
Incident response procedures
Example incident report form
Summary
24
Chapter 19: Lab Setup
Chapter 19: Lab Setup
Discussing the lab architecture
Details about the enterprise environment lab setup
Details about the industrial environment – lab setup
How to simulate (Chinese) attackers
Discussing the role of lab firewalls
How to install the malware for the lab environment
Configuring packet capturing for passive security tools
Summary
Why subscribe?
25
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Detection of malicious or unwanted applications in the ICS environment

So, how do we go about finding malicious or unwanted code in our environment? Typically, the answer would be to find what is running right now and compare the findings against a known good state, a baseline. To give you an example of this method, we will now run a comparison between a baseline file and a current snapshot for Workstation12 in the lab. If you recall from Chapter 7, Active Security Monitoring, in the Assets scan section, we discovered an unusual open port (12345) on that workstation.

Comparing system snapshots to find artifacts

In Chapter 7, Active Security Monitoring, Exercise 2 – Manual inspection of industrial computers, we saw how we can pull system state snapshots from our end devices using msinfo32.exe and netstat. The following example shows how if we had a known good baseline copy of these snapshots, we could compare them against a current, freshly pulled snapshot. A convenient...

End of Section 4
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete