Read an Excerpt

Industrial Network Security

SYNGRESS

Chapter One

INFORMATION IN THIS CHAPTER:

• Book Overview and Key Learning Points

• Book Audience

• Diagrams and Figures

• The Smart Grid

• How This Book Is Organized

BOOK OVERVIEW AND KEY LEARNING POINTS

This book attempts to define an approach to industrial network security that considers the unique network, protocol, and application characteristics of an industrial control system, while also taking into consideration a variety of common compliance controls.

Although many of the techniques described herein—and much of the general guidance provided by regulatory standards organizations—are built upon common enterprise security methods and reference readily available information security tools, there is little information available about how to implement these methods. This book attempts to rectify this by providing deployment and configuration guidance where possible, and by identifying why security controls should be implemented, where they should implemented, how they should be implemented, and how they should be used.

BOOK AUDIENCE

To adequately discuss industrial network security, the basics of two very different systems need to be understood: the Ethernet and Transmission Control Protocol/ Internet Protocol (TCP/IP) networking communications used ubiquitously in the enterprise, and the SCADA and field bus protocols used to manage and/or operate industrial automated systems.

As a result, this book possesses a bifurcated audience. For the plant operator with an advanced electrical engineering degree and a decade of logic programming for Modbus controllers, the basics of industrial network protocols in Chapter 4 have been presented within the context of security in an attempt to not only provide value to such a reader, but also to get that reader thinking about the subtle implications of cyber security. For the information security analyst with a Certified Information Systems Security Professional (CISSP) certification, basic information security practices have been provided within the new context of an industrial control system.

There is an interesting dichotomy between the two that provides a further challenge. Enterprise security typically strives to secure the users and hosts on a network while at the same time enables the broad range of open communication services required within modern business. Industrial control systems, on the other hand, strive for the efficiency and reliability of a single, often fine-tuned system. Only by giving the necessary consideration to both sides can the true objective be achieved: a secure industrial network that supports reliable operation while also providing business value to the larger enterprise.

To further complicate matters, there is a third audience: the compliance officer who is mandated with meeting certain regulatory standards in order to survive an audit with minimal penalties and/or fines. Compliance continues to drive information security budgets, and therefore the broader scope of industrial networks must also be narrowed on occasion to the energy industries, where (at least in the United States) electrical energy, nuclear energy, oil, and gas are tightly regulated. Compliance controls are discussed in this book solely within the context of implementing cyber security controls. The recommendations given are intended to improve security and should not be interpreted as advice concerning successful compliance management.

DIAGRAMS AND FIGURES

The network diagrams used throughout this book have been intentionally simplified and have been designed to be as generic as possible while adequately representing industrial networks across a very wide range of industrial systems. As a result, the diagrams will undoubtedly differ from real industrial network designs and may exclude details specific to one particular industry while including details that are specific to another. However, they will provide a high-level understanding of the specific industrial network security controls being discussed.

THE SMART GRID

Although the smart grid is of major concern and interest, for the most part it is treated as any other industrial network within this book, with specific considerations being made only when necessary (such as when considering available attack vectors). As a result, there are many security considerations specific to the smart grid that are unfortunately not included. This is partly to maintain focus on the more ubiquitous ICS and SCADA security requirement, partly due to the relative immaturity of smart grid security and partly due to the specialized and complex nature of these systems. Although this means that specific measures for securing synchrophasers, meters, etc. are not provided, the guidance and overall approach to security that is provided herein is certainly applicable to smart grid networks. For more in-depth reading on smart grid network security, consider Securing the Smart Grid: Next Generation Power Grid Security by Tony Flick and Justin Morehouse (ISBN: 978-1-59749-570-7, Syngress).

HOW THIS BOOK IS ORGANIZED

This book is divided into a total of eleven chapters, followed by three appendices guiding the reader where to find additional information and resources about industrial protocols, standards and regulations, and relevant NIST security guidelines. An extensive glossary is also provided to accommodate the wealth of both information security and industrial networking terms and acronyms used throughout the book.

The chapters begin with an introduction to industrial networking, and what a cyber attack against an industrial control systems might represent in terms of potential risks and consequences, followed by details of how industrial networks can be assessed, secured, and monitored in order to obtain the strongest possible security, and conclude with a detailed discussion of various compliance controls, and how those specific controls map back to network security practices.

It is not necessary to read this book cover to cover, in order. The book is intended to offer insight and recommendations that relate to both specific security goals as well as the cyclical nature of the security process. That is, if faced with performing a vulnerability assessment on an industrial control network, begin with Chapter 6; every effort has been made to refer the reader to other relevant chapters where additional knowledge may be necessary.

Chapter 2: About Industrial Networks

In this chapter, there is a brief introduction to industrial networks as they relate to "critical infrastructure," those infrastructures upon which our society, industry, and way of life depend. The dependencies of critical infrastructures upon industrial control systems lead naturally to a discussion of the many standards, regulations, guidance documents, and policies that have been implemented globally to protect these systems. In addition, the chapter introduces the reader to the most basic premises of industrial security.

Of particular note, Chapter 2 also discusses the use of terminology within the book as it relates to the many applications of industrial networks (again, there is also an extensive Glossary included to cover the abundance of new acronyms and terms used in industrial control networks).

Chapter 3: Introduction to Industrial Network Security

Chapter 3 introduces industrial networks in terms of cyber security, by examining the interrelations between "general" networking, industrial networking, and potentially critical infrastructures. Chapter 3 covers the importance of securing industrial networks, discusses the impact of a successful industrial attack, and provides examples of real incidents—including a discussion of the Advanced Persistent Threat and the implications of cyber war.

Chapter 4: Industrial Network Protocols

This chapter focuses on industrial network protocols, including Modbus, DNP3, OPC, ICCP, and others in both their native/original fieldbus form or in modernized TCP/IP or real-time Ethernet implementations. The basics of protocol operation, frame format, and security considerations are provided for each, with security recommendations being made where applicable.

Chapter 5: How Industrial Networks Operate

Industrial networks use specialized protocols because they perform functions that are different than enterprise networks, with different requirements and different security considerations. Chapter 5 discusses control system assets, network architectures, control system operations, and how control processes are managed, with special emphasis on smart grid operations.

Chapter 6: Vulnerability and Risk Assessment

Strong security requires a proper assessment of vulnerabilities and risk, which in turn requires that security analysts think like an attacker. Chapter 6 provides a high-level overview of common attack methodologies, and how industrial networks present a unique attack surface with common attack vectors to many critical areas. Chapter 6 also discusses vulnerability assessment and patch management strategies.

Chapter 7: Establishing Secure Enclaves

A strong "defense in depth" strategy requires the isolation of functional groups into securable "enclaves." Chapter 7 looks at how to separate functional groups and where enclave boundaries should be implemented. Specifics are then provided on how to secure both the perimeter and the interior of enclaves, including common security products, methods, and policies that may be implemented.

Chapter 8: Exception, Anomaly, and Threat Detection

Awareness is the perquisite of action, according to the common definition of situational awareness. In this chapter, several contributing factors to obtaining situational awareness are discussed, including how to use anomaly detection, exception reporting, and information correlation for the purposes of threat and risk detection.

Chapter 9: Monitoring Enclaves

Before situational awareness can be achieved, however, a necessary body of information must be obtained. This chapter includes recommendations of what to monitor, why, and how. Information management strategies—including log and event collection, direct monitoring, and security information and event management (SIEM)—are discussed, including guidance on data collection, retention, and management.

Chapter 10: Standards and Regulations

There are many regulatory compliance standards applicable to industrial network security, and most consist of a wide range of procedural controls that aren't easily resolved using information technology. There are common cyber security controls (with often subtle but importance variations), however, which reinforce the recommendations put forth in this book. Chapter 10 attempts to map those cyber security– related controls from some common standards—including NERC CIP, CFATS, ISO/IEC 27002:2005, NRC RG 5.71, and NIST 800-82—to the security recommendations made within this book, making it easier for security analysts to understand the motivations of compliance officers, while compliance officers are able to see the security concerns behind individual controls.

Chapter 11: Common Pitfalls and Mistakes

Industrial control systems are highly vulnerable, and often with high consequence. In this chapter, some common pitfalls and mistakes are highlighted—including errors of complacency, common misconfigurations, and deployment errors—as by highlighting the pitfalls and mistakes, it is easier to avoid repeating those mistakes.

CONCLUSION

Writing this book has been an education, an experience, and a challenge. In the months of research and writing, several historic moments have occurred concerning Industrial Control Systems security, including the first ICS-targeted cyber weapon, and one of the most sophisticated cyber attacks to date. The growing number of attacks, new evidence of Advanced Persistent Threats, and a wave of new SCADA-and ICS-specific vulnerabilities are just the tip of the proverbial iceberg.

Hopefully, this book will be both informative and enjoyable, and it will facilitate the increasingly urgent need to strengthen the security of our industrial networks and SCADA systems. Even though the attacks themselves will continue to evolve, the methods provided herein should help to prepare against the inevitable advancement of industrial network threat.

(Continues...)

---

Excerpted from Industrial Network Security by Eric Knapp Copyright © 2011 by Elsevier Inc. . Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---