Professional Documents
Culture Documents
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Industrial Cyber Security For Dummies®, Belden/Tripwire Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030‐5774
www.wiley.com
Copyright © 2017 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written
permission of the Publisher. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011,
fax (201) 748‐6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. Belden and the Belden logo are registered trademarks of Belden, Inc.
Tripwire and the Tripwire logo are registered trademarks of Tripwire, Inc. All other trademarks are
the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product
or vendor mentioned in this book.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department in
the U.S. at 877‐409‐4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub.
For information about licensing the For Dummies brand for products or services, contact Branded
Rights&Licenses@Wiley.com.
ISBN 978-1-119-40357-9 (pbk); ISBN 978‐1‐119‐40359‐3 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments
We’re proud of this book and of the people who worked on it. For details on how to create
a custom For Dummies book for your business or organization, contact info@dummies.
biz or visit www.wiley.com/go/custompub. For details on licensing the For Dummies
brand for products or services, contact BrandedRights&Licenses@Wiley.com.
Some of the people who helped bring this book to market include the following:
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
2 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
When we offer something that can save you time and effort,
we toss this icon in to highlight it.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1
Understanding the
Industrial Cyber Security
Landscape
In This Chapter
▶▶Understanding industrial cyber security and cyber threats
▶▶Introducing control systems
▶▶Considering critical infrastructure
▶▶Determining responsibility
Defining Industrial
Cyber Security
Traditional industrial and critical infrastructure organizations
had no Internet as we know it today. Perimeter defense typi-
cally meant physical security — gates, fences, barriers, and
guards. Control systems and plant networks were specialized,
and built for reliability and automation. Communications were
proprietary, not designed for IP‐based standards like Ethernet
and TCP/IP. Firewall technology didn’t exist and wasn’t seen
as necessary. A demilitarized zone (DMZ) separation between
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
4 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Understanding the Industrial Cyber Security Landscape 5
To better understand cyber threats, consider a real‐world
example. In April 2016, the Michigan Board of Water and Light
(BWL) was infected with a variant of ransomware that was
contained in a malicious attachment an employee inadver-
tently opened. The malware spread quickly and encrypted
files on other computers throughout BWL and ultimately
caused a shutdown of the utility. BWL worked to rid itself
of the infection from its business systems with the help of
authorities and for a total cost of approximately $2.4 million.
Understanding Industrial
Control Systems
Industrial control systems (ICS) are technologies and systems
that monitor and control the actual operation of physical
equipment and plant process automation and production.
ICS are process‐ and event‐driven and run real‐time software
applications or operate devices with embedded software.
These specialized systems exist throughout global industrial
automation and critical infrastructures. Effectively applying
principles of classic IT cyber security to these complex sys-
tems can be difficult or problematic.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
6 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
Understanding Critical
Infrastructure
In addition to ICS, cyber security also must consider critical
infrastructure. In 2013, Presidential Policy Directive/PPD21
designated 16 critical infrastructure sectors “whose assets,
systems, and networks, whether physical or virtual, are
considered so vital to the United States that their disruption
or destruction would have a debilitating effect on security,
national economic security, national public health or safety,
or any combination thereof.” The directive’s goal was “to
advance a national policy to strengthen and maintain secure,
functioning, and resilient critical infrastructure.” U.S. critical
infrastructure sectors include
✓✓Chemical
✓✓Commercial facilities
✓✓Communications
✓✓Critical manufacturing
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 1: Understanding the Industrial Cyber Security Landscape 7
✓✓Dams
✓✓Defense industrial base
✓✓Emergency services
✓✓Energy
✓✓Financial services
✓✓Food and agriculture
✓✓Government facilities
✓✓Healthcare and public health
✓✓Information technology
✓✓Nuclear reactors, materials, and waste
✓✓Sector‐specific agencies
✓✓Transportation systems
✓✓Water and wastewater systems
Assigning Responsibility
So who’s to blame for security breaches? Who’s responsible
for industrial cyber security? The subject has become a bit
blurry. We can call it IT‐OT convergence, or blame it on the
Industrial Internet of Things (IIoT), or use the new label pre-
ferred by some analysts, pervasively connected devices. The
fact is, the line between the IT and OT domains used to be
very clear, but it isn’t any longer.
Purdue Model for Control Hierarchy logical framework. Source: SANS Institute ( www.sans.org/reading‐
room/whitepapers/ICS/secure‐architecture‐industrial‐control‐systems‐36327)
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
10 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
Table 1-2 (continued)
Security Topic Information Technology (IT) Control Systems (ICS)
Patch Easily defined; enterprise‐ Long timeline to successful patch
management wide; remote and installation; OEM‐specific; may
automated “break” ICS functionality; asset
owners required to define accept-
able risk.
Technology Two to three years; multiple Ten to twenty years; usually same
support vendors; ubiquitous vendor over time; product end‐of‐
lifetime upgrades life creates new security concerns
Testing and Use modern methods; Tune testing to the system; modern
audit methods systems usually resilient methods can be inappropriate;
and robust to handle equipment may be susceptible to
assessment methods failure during testing
Change Regular and scheduled; Strategic scheduling; nontrivial
management aligned with minimum‐use process because of the impact on
periods production
Asset Common and performed Performed only when obligated;
classification annually; results drive accurate inventories uncommon
expenditure for nonvital assets, disconnect
between asset value and appropri-
ate countermeasures
Incident Easily developed and Focused on system resumption
response and deployed; some regulatory activities; forensics procedures
forensics requirements; embedded in immature (beyond event re‐
technology creation); requires good IT/ICS
relationships
Physical and Can range from poor (office Usually excellent for critical areas;
environmental systems) to excellent (criti- maturity varies for site facilities
security cal IT operations systems) based on criticality and culture
Secure Integral part of the Historically not an integral part of
systems development process the development process; vendors
development are maturing but at slower rate
than IT; core/flagship ICS solutions
difficult to retrofit with security
Security Definitive regulatory over- Specific regulatory guidance
compliance sight depending on sector depending on sector (and not all
(and not all sectors) sectors)
Source: U.S. Department of Homeland Security National Cybersecurity and Communications
Integration Center (NCCIC) and Industrial Control Systems Cyber Emergency Response Team
(ICS‐CERT), Recommended Practice: Improving Industrial Cyber Security with Defense In‐Depth
Strategies (September 2016).
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2
Understanding an Industrial
Cyber Attack
In This Chapter
▶▶Understanding how cyber attacks happen
▶▶Considering a real‐world industrial incident
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 2: Understanding an Industrial Cyber Attack 13
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
14 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
It’s easy to believe “it could never happen to us.” But as you
review the basic security control mechanisms that were weak
or not present, you may not realize similar risks are likely
present in your own environment. Maybe it wouldn’t be a
stretch to catch your OT engineers or contractors charging
their phones or tablets on your PLC or human‐machine inter-
face USB ports, or allowing a contractor or family member
wireless access from the hidden router in the back room.
Most security practitioners recommend taking a risk‐based
approach to evaluating your site through a third‐party cyber
security assessment.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 3
Using Defensive Strategies
to Secure ICS
In This Chapter
▶▶Understanding the importance of an ICS security risk assessment
▶▶Seeing why defense‐in‐depth layers are necessary
▶▶Considering five critical industrial security controls to give you an
85 percent risk reduction
▶▶Finding the right cyber security partner
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
16 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
Applying Defense‐in‐Depth
Strategies
Defense‐in‐depth is a term that comes from historic military
engagements where defensive layers were strategically placed
as barriers to halt or impede adversaries. The defenses
slowed the attackers’ advance, and gave the defenders time
to deploy countermeasures. Applying the same strategy to
industrial cyber security delivers the capability to detect and
respond to the intrusion in a way that limits the impact.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 3: Using Defensive Strategies to Secure ICS 17
The Department of Homeland Security has a list of defense‐
in‐depth strategy elements to consider for your environment.
You can find the detailed descriptions at https://ics‐cert.
us‐cert.gov/sites/default/files/recommended_
practices/NCCIC_ICS‐CERT_Defense_in_Depth_2016_
S508C.pdf.
✓✓U.S. Department of Defense
✓✓National Security Agency (NSA)
✓✓SANS Institute
✓✓Center for Internet Security (CIS)
✓✓U.S. State Department
✓✓Center for Strategic and International Studies (CSIS)
✓✓United Kingdom’s Centre for the Protection of National
Infrastructure (CPNI)
✓✓Idaho National Lab (home of the National SCADA testbed
for the U.S. Department of Energy)
✓✓Members of the Central Intelligence Agency (CIA) and an
illustrious and informed international consortium
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
18 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
Although the top 20 controls are important, the top five con-
trols are generally considered to be vital and are also compo-
nents of nearly all other standards given their foundational
nature. The top five CIS Critical Security Controls (CSC) are
The CIS Controls are cumulative. Ideally, you would start with
#1, then go to #2 and so on, up to #20 if applicable. However,
another aspect of this framework is its flexibility. Many organi-
zations begin with the control that they know they need first.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 3: Using Defensive Strategies to Secure ICS 19
The full CIS document is available for download at https://
www.cisecurity.org/critical‐controls/Library.
cfm. You may notice its IT and enterprise roots, but many of
the controls are applicable to industrial networks, endpoints,
and control systems. And remember, CIS calls these the Top
Five — the truly foundational short list that can deliver an
85 percent risk reduction for most organizations.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
20 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Chapter 4
Ten Ways to Improve Your
Industrial Cyber Security
In This Chapter
▶▶Ten important things to remember
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
22 Industrial Cyber Security For Dummies, Belden/Tripwire Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.