SANS 2023 ICS Field Manual Vol 1-3 r3-1
Field Manual, Vol. 1 - 3
Author:
Dean Parsons
B.SC., GICSP, GRID, CISSP, GSLC, GCIA
Certified SANS Instructor
Critical Infrastructure & ICS Cybersecurity Leader
Contents

What to expect from these ICS security field manuals

VOLUME 1
Why it’s critical to protect critical infrastructure 2
Differences between IT and ICS security 4
Adapting IT security to protect ICS facilities 6
Safety is #1 in industrial control systems 12
Legacy, modernization, and industrial security 13
ICS cyber threat pool and landscape 14
ICS attack history at a glance 15
Control system engineering assets 17
Control system network levels 23
Epilogue to volume 1 24
VOLUME 2
Introduction to volume 2 26
Sliding scale of cybersecurity 27
Defining network visibility and active ICS defense 28
Establishing an ICS asset inventory 29
Industrial control network protocols 34
Defining network security monitoring for ICS 36
Setup of ICS network security monitoring 42
ICS network security monitoring in practice 45
Compatible tools for ICS network security monitoring 48
The active cyber defense cycle 50
Epilogue to volume 2 52
VOLUME 3
Introduction to volume 3 55
Risk-based ICS vulnerability management 56
ICS patch prioritization: when and how 58
ICS incident response phases and objectives 61
Considerations for ICS incident response 64
ICS incident response specific roles and responsibilities 65
ICS incident response jump bag 66
When to initiate ICS incident response 67
ICS incident response must-haves 69
ICS incident response in practice 70
ICS connectivity: business benefits and cyber risk 71
Prioritize for safety 72
ICS security management choices 73
ICS security leadership pathways 74
The ICS security defender skillset recipe 75
ICS cybersecurity team roles 76
Key ICS management takeaways 78
Epilogue to volume 3 79
Volume 1
Why it’s critical to protect critical infrastructure
1 www.cisa.gov/critical-infrastructure-sectors
2 ICS CYBERSECURITY
[Figure: critical infrastructure sectors, e.g., Chemical, Dams, Financial Services, Information Technology]
Differences between IT and ICS security
2 www.cisa.gov/uscert/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf
Adapting IT security to protect ICS facilities
[...] does not currently include the protection and installation on engineering assets such as controllers. Rather, endpoint protections are commonly limited to protect OT assets running traditional operating systems with engineering software installed.

An ICS network should generally not accept inbound connectivity. Control networks benefit from deploying network intrusion detection systems (IDSs) that do not drop traffic, rather than running the risk of dropping industrial process or safety commands from false positives, which are more common with intrusion prevention systems. [...] drive an investigation without security introducing risk to operations. IDSs in any environment will require dedicated [...] their rules based on changes and sector threat intelligence in order to enable [...]

You may not realize it or have system visibility to see it, but your [...] are a target for cyber attackers. ICS [...] value to attackers. The volume of network traffic in industrial [...]

Figure 2. ICS410 SCADA Reference Model Illustrating Security Boundaries and Assets in Purdue Levels [figure residue: "Minor Enforcement Boundary between Processes and Site-Wide Supervisory (ACL on Router/Layer-3 Switch or Firewall)"; "PROCESS/DCS/CELL/LINE C"]
Legacy, modernization, and industrial security
ICS attack history at a glance
[...] direct or indirect physical damage to engineering assets, in turn introducing environmental impacts and causing human injury or death.

Career Development Opportunity - ICS418: The SANS ICS418: ICS Security Essentials for Managers course includes an ICS attack history walkthrough for new and existing ICS/OT security managers with a major focus on lessons learned for improved ICS risk management.

ICS threat landscape by decade:

1990-2000
• Rarely connected
• Limited connectivity via modems
• Remote control access to non-critical controls
• Exposure to some nuisance cyber threats

2000-2010
• Ethernet mainstream IT
• Viruses surface and grow
• Ethernet limited ICS
• Increased ICS remote access
• IT/OT convergence
• Limited ICS attack interest
• Limited ICS controls over Ethernet

2010-2020
• Targeted ICS attacks
• Sophisticated, coordinated attacks on safety, infrastructure destruction
• Blended multi-stage attacks
• Living off the ICS land
• Ransomware impacting ICS
• ICS cyber warfare
Since 2010, there have been a number of high-profile, targeted attacks on ICSs
ranging from espionage to physical destruction of engineering assets, as shown
in Figure 5.
PIPEDREAM (2022): A modular ICS attack framework an adversary could leverage to cause disruption, degradation, and possibly destruction of physical ICS assets, with the capability to manipulate a wide variety of ICS engineering software, industrial controllers, attack ubiquitous industrial technologies, and abuse ICS protocols, in nearly any ICS sector.

Figure 5. Notable Attacks on Industrial Control Systems since 2010

ICS SECURITY PRO TIPS
- Conduct a simple ICS Attack Tree exercise to identify potential attack vectors. This can also help with ICS incident response exercises and pave the way for advanced ICS threat hunting for more mature environments.
- MITRE ATT&CK for ICS is a practical framework to describe the actions an adversary may take while operating inside a control network. It illustrates previously observed ICS attacks and shares knowledge on related attack tactics and techniques, potential mitigations, impacts, the malicious software used, etc. MITRE ATT&CK can be found at https://attack.mitre.org/techniques/ics/
Control system engineering assets
[...] and applying operational controls over long distances. Its common uses include power transmission and distribution and pipeline systems in industrial environments.

Career Development Opportunity - ICS410: [...] an introduction to ICS security and SCADA environments. It reviews critical ICS/OT engineering assets, network architecture, and engineering processes, as well as how engineering assets fit and work together, among other critical topics.
- The SANS ICS410: ICS/SCADA Security course includes hands-on labs with a fundamental PLC kit for each student to use in class and take home for continued learning.

Figure 6. General SCADA System Layout [figure residue: Control Center (HMI, Engineering Workstations, Data Historian); Wide Area Network (Switched Telephone, Leased Line or Power Line Based Communications; Radio, Microwave or Cellular; Satellite); field site (Modem, PLC); Field Site 2 (WAN Card, IED); Field Site 3 (Satellite Modem, RTU)]
SENSORS
Sensor devices physically measure a quantity or physical state of something, then convert the measurements into an electrical or optical signal that other engineering devices can interpret and apply logic to in order to help change the state in a control system environment that ultimately affects and changes the physical world. For example, sensors detect physical changes such as temperature, humidity, vibration, sound, pressure, etc.

ACTUATORS
Actuators are mechanical devices and components attached at the end of the industrial process that move and change elements in the physical world. They include but are not limited to valves, solenoids, pumps, agitators, burners, switches, relays, and compressors.

DATA HISTORIAN
Data historian is the database system for control system process information,
trending data about the process, and other critical information. For example, a data
historian in an electricity generation facility will likely store electricity demand
from industry and residential customers, but also the rate at which power is being
generated, thus revealing data about how to improve the process. As another
example, a pharmaceutical process might store information in the data historian
about the number of different substances needed to create a vaccine and the rate at
which a batch is being produced. A data historian is an asset that may have trusted
connections to both IT and ICS. An adversary could abuse this trusted asset to pivot
from a compromised asset in IT to the control network. In addition, data stored in this
database could be highly sensitive and sought after by adversaries to learn about the
industrial process and/or to steal intellectual property from the database.
Figure 8. A Typical Data Historian Tracking and Storing Process Trending Data on a City’s Power Grid System
ENGINEERING WORKSTATION
An engineering workstation is usually a laptop or power desktop workstation that
is used with engineering software to view, manage, and program network devices,
PLCs, RTUs, and other field devices at the lower levels of an entire facility operation.
The codes to “run the plant floor” are commonly stored on this device, which usually
has full access to change plant floor programming. From here, an adversary can
reprogram and update controllers in operation.
Figure 9. Typical Engineering Workstation Software Used to Program and Change PLCs
Control system network levels
Many ICS components can be categorized into the following zones of systems based on
levels from the Purdue Reference Architecture. 3
[Figure: Purdue levels. Supervisory Level: Redundant Control Servers, Main HMI, Data Historian, Engineering Workstation. Field Level: Machine HMI, Modem, Single Loop Controller, Modem, Pressure Sensor, Programmable Logic Controller (PLC), Process Controller]
3 en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture
4 nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Epilogue to volume 1

This volume has shown us that there are different approaches to IT and ICS security, and that’s ok! While some parts of traditional IT security can help guide the community, a direct “copy-paste” of them is not recommended for ICS. Elements of IT security for OT/ICS should be adopted for ICS security where it makes sense, all the while making adjustments as needed and always prioritizing human life, the reliability of operations, and the protection of physical assets.

Given the volume and sophistication of threats to ICS, the IT/OT convergence movement works well for end-to-end security event correlation from IT through to ICS. The convergence of these IT and OT groups should be embraced as part of efforts to achieve an active defense strategy with network security monitoring and active threat hunting. Physical site inspection and face-to-face cyber discussions literally on the plant floor are also very effective at getting everyone involved in recognizing that cyber safety supports the security and reliability of operations.

As we saw in Figure 5, in recent years the world has witnessed a number of specific targeted ICS attacks, including Stuxnet, Havex, Blackenergy, CRASHOVERRIDE, the TRISIS/TRITON - the world’s first publicly disclosed attack on safety instrumented systems, and the most recent ICS scalable attack framework, PIPEDREAM. Attacks against critical infrastructure increasingly impact our daily lives. Through all of the targeted ICS attacks, we must not lose sight that IT-related malware such as Ransomware and Cryptomining, while not designed to physically damage an ICS, have also caused disruptions and downtime if running in an ICS.
ICS cybersecurity field manual
Volume 2
Sliding scale of cybersecurity
The Sliding Scale of Cybersecurity can be used to categorize the security maturity,
actions, and investments that build a cybersecurity program.¹ The scale has five
progressive categories: Architecture, Passive Defense, Active Defense, Intelligence, and
Offense. Each category builds on the previous one to make the upcoming categories
stronger. Architecture is a foundational and affordable starting point to which there
is high return on investment and from which all following categories of the scale will
benefit. Each category in the scale is described below.
Architecture | Passive Defense | Active Defense | Intelligence | Offense

ICS security managers must support their teams to lead them to success. This means positioning team members and technologies, at a minimum, in an Active Defense position within the Sliding Scale of Cybersecurity. Active cyber defense for control systems involves trained ICS analysts leveraging technology and ICS-specific knowledge and protocols to monitor, respond to, and learn from threats targeting control networks. In parallel, ICS defenders and risk managers must work with engineering teams to define incident response processes, outcomes, and recovery steps, as safety is prioritized above all else.

ICS security managers must map existing technical ICS security controls to the sliding scale. They can start maturing their OT/ICS cybersecurity program with the Architecture and Passive Defense categories, then move to the Active Defense category by documenting a control system asset inventory as a best practice.

Tactical ICS security team members must ensure that the tools deployed in control system environments are “ICS-aware” – that is, they are specifically designed or adapted to suit ICS for both endpoint and network defense. For example, network IDSs must be capable of deep packet inspection and perform complete ICS protocol packet dissection.
Establishing an ICS asset inventory
Native tools, discovery protocols, and several packet filters on passively collected
traffic captures can be used to safely discover host information and engineering system
commands to understand normal control operations.
For example, Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 discovery
protocol and can be used to identify network assets and their capabilities.
Identify LLDP compatible systems, their names, and network capabilities:
ARP is a tool available in common operating systems to reveal ARP cache to show IP
and MAC address pairings. You can find asset IP and MAC addresses from ARP tables:
Device network status can reveal connections and their related IP addresses on an
asset:
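The ARP cache and device network status commands described above survive on this page only as descriptions, so here is an added example (not from the field manual) of what a defender does with their output: parse ARP cache lines into a host inventory keyed by IP and MAC, parse established connections from network status output, and list the peers a host talks to that never appeared in the ARP cache, i.e., candidates missing from the inventory. The ARP and netstat lines, hostnames and addresses are constructed; the line formats follow Linux and Windows `arp -a` and `netstat -an` output.

```python
"""Build a passive asset inventory from native-tool output (ARP cache and
network status) and flag connections to hosts that are not in the inventory.

Added example, not part of the SANS field manual. The sample ARP and netstat
lines below are constructed for illustration; addresses are RFC 1918 examples."""
import re
from collections import defaultdict

# Constructed sample: Linux `arp -a` style lines plus one Windows `arp -a` style line.
ARP_OUTPUT = """\
? (192.168.10.5) at 00:80:f4:aa:bb:01 [ether] on eth0
hmi-01 (192.168.10.20) at 00:1d:9c:aa:bb:02 [ether] on eth0
? (192.168.10.21) at <incomplete> on eth0
  192.168.10.30          00-0e-8c-aa-bb-03     dynamic
"""

# Constructed sample: `netstat -an` style lines as seen on the HMI host.
NETSTAT_OUTPUT = """\
tcp        0      0 192.168.10.20:49152    192.168.10.5:502       ESTABLISHED
tcp        0      0 192.168.10.20:49153    192.168.10.30:44818    ESTABLISHED
tcp        0      0 192.168.10.20:49154    192.168.10.77:445      ESTABLISHED
tcp        0      0 0.0.0.0:3389           0.0.0.0:*              LISTEN
"""

# Linux form: "name (ip) at mac [ether] on iface"; Windows form: "ip  mac  type".
LINUX_ARP = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>\S+)")
WINDOWS_ARP = re.compile(r"^\s*(?P<ip>[\d.]+)\s+(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})", re.I)
CONN = re.compile(r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>[\d.]+):(?P<port>\d+)\s+ESTABLISHED")


def normalize_mac(mac):
    """Canonical lower-case colon form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return {ip: {"mac": ..., "name": ...}}. Incomplete entries are skipped:
    the host never answered, so the line says nothing about an asset."""
    inventory = {}
    for line in text.splitlines():
        m = LINUX_ARP.match(line) or WINDOWS_ARP.match(line)
        if not m:
            continue
        if m.group("mac").startswith("<"):  # <incomplete>: no reply to the ARP request
            continue
        name = m.groupdict().get("name")
        inventory[m.group("ip")] = {
            "mac": normalize_mac(m.group("mac")),
            "name": None if name in (None, "?") else name,
        }
    return inventory


def parse_connections(text):
    """Return (remote_ip, remote_port) for every established TCP connection."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            conns.append((m.group("remote"), int(m.group("port"))))
    return conns


def unknown_peers(inventory, connections):
    """Remote IPs the host talks to that never appeared in the ARP cache: assets
    missing from the inventory, or off-subnet peers reached through a router."""
    peers = defaultdict(set)
    for ip, port in connections:
        if ip not in inventory:
            peers[ip].add(port)
    return {ip: sorted(ports) for ip, ports in peers.items()}


if __name__ == "__main__":
    inv = parse_arp(ARP_OUTPUT)
    conns = parse_connections(NETSTAT_OUTPUT)
    for ip, info in sorted(inv.items()):
        print(f"{ip:16} {info['mac']}  {info['name'] or '-'}")
    print("peers not in inventory:", unknown_peers(inv, conns))
```

Run the same parsers against output collected from several hosts and merge the dictionaries; a peer that is unknown to every host's ARP cache is the one worth walking down to the plant floor to identify.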
[...] and a target of adversaries. The ICS asset inventory can be safeguarded by [...] production and known trusted backup files. The files can be used for the [...]

There are many industrial [...]

The SANS ICS456: Essentials for NERC [...]
Industrial control network protocols
Defining network security monitoring for ICS
To start network detection in ICS on a limited budget, facilities can leverage sector-
specific ICS threat intelligence using freely available tools such as tcpreplay, Snort,
Zeek, and Suricata with built-in or added ICS rulesets/dissectors. Known IP addresses
associated with attack campaigns can be used in a search across network 5-tuple or
full-packet captures. The pseudo rules and logic detailed below can be expanded or
changed to suit an organization’s control network, tools deployed, and general setup.
Replay packet captures against a listening network IDS such as Snort to alert to known threats. Note that Snort requires straight double quotes around the msg value, that $Modbus_HMI and $Modbus_PLC must be defined with ipvar in the Snort configuration, and that every rule needs a unique sid; the sid/rev values shown are local-range placeholders:

alert tcp !$Modbus_HMI any -> $Modbus_PLC any (msg:"TCP comms to PLC which is not the HMI"; sid:1000001; rev:1;)

Alert on possible recon scan or mapping using ModbusTCP on a network that does not use it:

alert tcp any any -> any 502 (msg:"Scan or usage of ModbusTCP on network without it"; sid:1000002; rev:1;)

Alert on possible TCP connection to known malicious command and control server:

alert tcp any any -> <evil_C2_ip> any (msg:"Connection attempt to known evil C2 IP address"; sid:1000003; rev:1;)
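As an added example (not from the field manual and not Snort itself), the three pseudo rules above expressed as predicates over 5-tuple flow records, so the logic can be checked against exported flows (for instance from Zeek conn.log) before the rules are loaded into an IDS. The host groups, sample flows and the C2 address are constructed; 203.0.113.45 is a documentation-range placeholder. Rule 2 is generalized slightly: it fires on TCP to port 502 toward any host not in the known-PLC set, which is exactly the page's rule when that set is empty, i.e., on a network that does not use Modbus/TCP at all.

```python
"""The three pseudo rules from this section as predicates over 5-tuple flow records.

Added example, not part of the SANS field manual and not Snort: it mirrors what the
rules express so the logic can be checked against exported flows (e.g. from Zeek
conn.log) before deployment. Host groups, sample flows and the C2 address are
constructed; 203.0.113.45 is a documentation-range placeholder."""
from dataclasses import dataclass

# Constructed host groups standing in for the Snort variables $Modbus_HMI and $Modbus_PLC.
MODBUS_HMI = {"192.168.10.20"}
MODBUS_PLC = {"192.168.10.5", "192.168.10.6"}
# Placeholder threat-intel entry; a real list comes from sector-specific ICS intelligence.
KNOWN_C2 = {"203.0.113.45"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def rule_non_hmi_to_plc(f):
    """alert tcp !$Modbus_HMI any -> $Modbus_PLC any"""
    return f.proto == "tcp" and f.dst in MODBUS_PLC and f.src not in MODBUS_HMI


def rule_modbus_where_unexpected(f):
    """alert tcp any any -> any 502, generalized: Modbus/TCP toward anything that is
    not a known Modbus server. With MODBUS_PLC empty this is the page's rule for a
    network that does not use Modbus/TCP at all."""
    return f.proto == "tcp" and f.dport == 502 and f.dst not in MODBUS_PLC


def rule_known_c2(f):
    """alert tcp any any -> <evil_C2_ip> any"""
    return f.proto == "tcp" and f.dst in KNOWN_C2


RULES = [
    ("TCP comms to PLC which is not the HMI", rule_non_hmi_to_plc),
    ("Scan or usage of ModbusTCP on network without it", rule_modbus_where_unexpected),
    ("Connection attempt to known evil C2 IP address", rule_known_c2),
]


def evaluate(flows):
    """Return [(flow, [msg, ...])] for every flow that fired at least one rule.
    One flow can fire several rules, just as it would raise several IDS alerts."""
    alerts = []
    for f in flows:
        hits = [msg for msg, pred in RULES if pred(f)]
        if hits:
            alerts.append((f, hits))
    return alerts


# Constructed sample: normal HMI polling, a non-HMI workstation reaching a PLC,
# the same workstation touching port 502 on a non-PLC host, a connection to the
# placeholder C2 address, and unrelated multicast DNS that matches nothing.
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.10.20", 49152, "192.168.10.5", 502),
    Flow("tcp", "192.168.10.77", 51000, "192.168.10.6", 502),
    Flow("tcp", "192.168.10.77", 51001, "192.168.10.90", 502),
    Flow("tcp", "192.168.10.77", 51002, "203.0.113.45", 443),
    Flow("udp", "192.168.10.20", 5353, "224.0.0.251", 5353),
]

if __name__ == "__main__":
    for flow, hits in evaluate(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {'; '.join(hits)}")
```

Keeping the host groups as data rather than hard-coding addresses into each predicate mirrors the Snort ipvar approach and means the asset inventory built earlier in this volume can feed the rule set directly.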
[...] can be used to extract files from a packet capture. File hashes can be obtained then searched against threat intelligence or malware databases. Or files can be [...]

The SANS ICS515: ICS Visibility, Detection, and Response course walks through each phase of the Active Cyber Defense Cycle with in-depth hands-on technical labs to perform ICS network monitoring and prepare for incident response.

Asset names from DNS that could be assets performing Internet checks:
All ModbusTCP function codes in use on the control network:
Export data for analysis – HTTP downloads, including filename and URI:
Export data for analysis – SMB file transfers, including filename and file data:
Files transferred via server message block (SMB) with remote hostname, account name, file(s) accessed:
ICS security defenders must know what is normal in the ICS environment, which
network protocols are expected in different control system states, and what
commands inside ICS protocols can read and change physical outputs in the
field.
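To make the last point concrete, an added example (not from the field manual) dissects Modbus/TCP frames, lists every function code in use on the wire (the same question the Modbus function code query above answers), and separates the read functions from the write functions that change coils and registers, i.e., physical outputs. The frames are constructed byte strings following the public Modbus/TCP framing; the function code names are those of the Modbus Application Protocol specification.

```python
"""Dissect Modbus/TCP frames to list the function codes in use and flag the ones
that can change physical outputs.

Added example, not part of the SANS field manual. The frames below are constructed
byte strings following Modbus/TCP framing: a 7-byte MBAP header (transaction id,
protocol id, length, unit id) followed by a PDU that starts with the function code."""
import struct
from collections import Counter

# Public Modbus function codes (Modbus Application Protocol Specification).
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
OTHER_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}
FUNCTION_NAMES = {**READ_FUNCTIONS, **WRITE_FUNCTIONS, **OTHER_FUNCTIONS}


def parse_frame(frame):
    """Return a dict describing one Modbus/TCP frame, or None if it is malformed.
    The MBAP length field counts the unit id plus the PDU, so it must equal len(frame) - 6."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    fc = frame[7]
    exception = bool(fc & 0x80)          # error responses set the high bit of the function code
    fc &= 0x7F
    return {
        "tid": tid, "unit": unit, "fc": fc,
        "name": FUNCTION_NAMES.get(fc, f"Unknown/vendor ({fc})"),
        "writes": fc in WRITE_FUNCTIONS,
        "exception": exception,
        "data": frame[8:],
    }


def summarize(frames):
    """Count the function codes in use and collect the frames carrying write commands."""
    in_use = Counter()
    writes = []
    for raw in frames:
        f = parse_frame(raw)
        if f is None:
            continue
        in_use[f["fc"]] += 1
        if f["writes"] and not f["exception"]:
            writes.append(f)
    return in_use, writes


def build(tid, unit, fc, data):
    """Construct a well-formed request frame for the constructed sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: routine polling, one coil write, one register write,
# a device-identification request, an exception response, and a malformed frame.
SAMPLE_FRAMES = [
    build(1, 1, 3, struct.pack("!HH", 0, 10)),                                  # read 10 holding registers
    build(2, 1, 1, struct.pack("!HH", 0, 16)),                                  # read 16 coils
    build(3, 1, 5, struct.pack("!HH", 7, 0xFF00)),                              # force coil 7 ON
    build(4, 1, 16, struct.pack("!HHB", 100, 1, 2) + struct.pack("!H", 1200)),  # write register 100
    build(5, 1, 43, bytes([0x0E, 0x01, 0x00])),                                 # read device identification
    bytes.fromhex("000600000003018302"),                                        # exception 02 to FC 3
    b"\x00\x07\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",                        # protocol id 1: rejected
]

if __name__ == "__main__":
    in_use, writes = summarize(SAMPLE_FRAMES)
    for fc, count in sorted(in_use.items()):
        print(f"FC {fc:2} {FUNCTION_NAMES.get(fc, '?'):34} x{count}")
    for w in writes:
        print(f"WRITE tid={w['tid']} unit={w['unit']} {w['name']} data={w['data'].hex()}")
```

Knowing which codes are normal for a given source and destination pair is what turns this list into a baseline: a write function code from any host other than the HMI or engineering workstation is the kind of event the incident response triggers later in this manual are built around.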
Two main approaches can be used to ensure NSM collection is established, as follows:
Each approach has pros and cons which should be considered by ICS security and
engineering teams before deployment.
Setup of ICS network security monitoring
TAP vs. SPAN: The decision on which method is best to use for NSM collection in ICS
may depend on budget, engineering maintenance schedules, existing technology, and
existing and upgradable network architecture. The pros and cons of a hardware TAP and
SPAN configuration are illustrated in the table on the next page.
The SANS ICS515: ICS Visibility, Detection, and Response course walks through each phase of
the Active Cyber Defense Cycle with in-depth hands-on technical labs to perform ICS network
monitoring and prepare for incident response.
[Table: NSM Collection Method | Pros | Cons (rows not recoverable from the extraction)]
ICS network security monitoring in practice
The NSM collection, detection, and analysis phases should be started and
repeated while the above methods are applied across the three phases to prioritize
the safety and reliability of ICS operations. Deeper engineering knowledge is
required for more specific ICS protection. High confidence indicator of compromise
matches and the discovery of anomalous network patterns will call industrial
incident response steps into action.
Figure 7: Stage 2 - ICS Threat Detection Concepts for Full-Capture Packet Analysis. Detection concepts shown:
• Unusual spikes in traffic
• Top talker IP addresses
• Matches on known malicious IPs
• Signs of unexpected encryption
• Unexpected remote access to HMI
• Connection attempts to Internet addresses
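An added example (not from the field manual) of three of these detection concepts computed over flow records: per-minute byte totals with a spike threshold, top talkers by bytes sent, and destinations outside the site's own address ranges. The flow records and the internal ranges are constructed; the signs-of-encryption and HMI-remote-access checks need payload inspection and are not attempted here.

```python
"""Stage-one ICS NSM detection concepts computed over flow records: traffic
spikes, top talker addresses, and connections toward addresses outside the site.

Added example, not part of the SANS field manual. Each record is a constructed
(timestamp_seconds, src_ip, dst_ip, dst_port, bytes) tuple; in practice the
records would come from Zeek conn.log or a flow exporter fed by the TAP/SPAN."""
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed: the site's own address ranges. Anything else is "outside the plant".
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.50.0.0/16")]

# Constructed records: steady HMI polling of a PLC every minute, then a burst from
# another workstation, including one attempt to reach a non-site (TEST-NET-2) address.
FLOWS = [
    (0,   "192.168.10.20", "192.168.10.5", 502, 300),
    (60,  "192.168.10.20", "192.168.10.5", 502, 310),
    (120, "192.168.10.20", "192.168.10.5", 502, 305),
    (180, "192.168.10.20", "192.168.10.5", 502, 298),
    (240, "192.168.10.77", "192.168.10.5", 502, 200000),
    (245, "192.168.10.77", "192.168.10.6", 502, 200000),
    (250, "192.168.10.77", "198.51.100.8", 443, 1500),
    (300, "192.168.10.20", "192.168.10.5", 502, 302),
]


def bytes_per_interval(flows, interval=60):
    """Total bytes per fixed-width time bucket, keyed by bucket start time."""
    buckets = defaultdict(int)
    for ts, _src, _dst, _port, nbytes in flows:
        buckets[(ts // interval) * interval] += nbytes
    return dict(sorted(buckets.items()))


def spikes(flows, interval=60, sigmas=2.0):
    """Bucket start times whose byte total exceeds mean + sigmas * stdev over all
    buckets. Population stdev is used because the buckets scored are the ones
    observed, not a sample of a larger population. Fewer than two buckets cannot
    show a spike."""
    buckets = bytes_per_interval(flows, interval)
    values = list(buckets.values())
    if len(values) < 2:
        return []
    threshold = mean(values) + sigmas * pstdev(values)
    return [start for start, total in buckets.items() if total > threshold]


def top_talkers(flows, n=3):
    """Source addresses ranked by bytes sent, largest first."""
    totals = Counter()
    for _ts, src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def external_destinations(flows, internal=INTERNAL_NETS):
    """Destination addresses not inside any site range (multicast and loopback are
    ignored). A control network rarely has a legitimate reason to reach anything
    outside its own ranges, so each hit is worth an analyst's look."""
    hits = set()
    for _ts, _src, dst, _port, _nbytes in flows:
        addr = ipaddress.ip_address(dst)
        if addr.is_multicast or addr.is_loopback:
            continue
        if not any(addr in net for net in internal):
            hits.add(dst)
    return sorted(hits)


if __name__ == "__main__":
    print("spike buckets (s):", spikes(FLOWS))
    print("top talkers:", top_talkers(FLOWS))
    print("destinations outside the site:", external_destinations(FLOWS))
```

One caveat on the spike test: with n buckets a single outlier can never score higher than sqrt(n - 1) standard deviations, so a two-sigma threshold needs a window of at least five or six buckets to fire at all; in practice the baseline window is hours or days of the same process state, not the six minutes constructed here.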
Compatible tools for ICS network security monitoring
Epilogue to volume 2
ICS security defenders looking to improve tactical ICS security must obtain and
continue to grow their knowledge of cybersecurity and engineering operations
(including protocols and commands) while prioritizing safety and administering
modern security tools specifically designed or tuned for ICS environments. A main
focus should be on performing the repeatable steps of the active cyber defense cycle
while leveraging ICS network visibility, packet captures and analysis, and hunting for
threats proactively in the network.
ICS facilities owners and operators will do well to consider these top takeaways to
kick-start or mature their ICS cybersecurity program:
Volume 3
Introduction to volume 3
Many identified ICS vulnerabilities, if exploited, provide adversaries with capabilities similar to features inherent in control systems. ICS attacks have been observed where adversaries are “living off the land,” i.e., abusing systems and industry protocols native in ICS environments to turn the control system against itself.

Living off the land was first observed in 2014 with the HAVEX¹ malware attack and more recently with the tailored CRASHOVERRIDE² ICS-specific framework targeting electric power grids. It is becoming a very common attack trait and will likely be well into the future.

[...] to the HMI from the Internet. The legitimate HMI application that runs the water treatment facility was used to manipulate water treatment operations that could have led to severe consequences. Using the HMI, the attacker increased the level of sodium hydroxide. That is the main ingredient in drain cleaner, which was changed from 100 parts per million to 11,100 parts per million. Very dangerous levels that would have been toxic for residents if it reached their homes. Human engineering operations staff noticed the incident and restored the processes to normal operations without incident.
1 https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A
2 https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
Risk-based ICS vulnerability management
Living off the land attacks have evolved even further in 2022 with the discovery of the PIPEDREAM malware. “PIPEDREAM is a collection of utilities that includes tools for reconnaissance, manipulation, and disruption of PLCs, as well as tools for intrusion operations against Windows devices. At the highest level, the PLC-related components of PIPEDREAM provide the adversary with an interface for manipulating the targeted devices. Tools in PIPEDREAM can scan for new devices, brute force passwords and sever connections, and crash the target device.”⁴

[...] multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations.

Due to the number of legacy devices and software in ICSs, ICS patching is important, especially as the number of legacy devices and software grows. Yet, there is more to patching in ICSs than gathering and pushing packages. The best return on investment is a risk-based approach, considering the ICS risk surface compared to the IT risk surface.
3 https://www.sans.org/blog/sans-ics-site-visit-plan/
4 https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf
ICS patch prioritization: when and how
A patch decision tree can be used to help prioritize ICS security patches. It is important to
put particular emphasis on the Analyze Risk assessment step. See the following graphic for
an example of the Department of Homeland Security’s control system patch decision tree.
ICS incident response phases and objectives
ICS incident response adapts traditional incident response phases to suit engineering
environments, prioritizes safety in every phase, and includes different multi-team
stakeholders. ICS incident response stakeholders include engineering operators,
external control system support vendors, government agencies, physical safety teams,
physical security teams, IT security, ICS security, etc., with direction from the owner/
operators of the ICS facilities.
The objectives for each phase of an ICS-specific incident response⁵ include:
5 https://www.sans.org/cyber-security-courses/ics-visibility-detection-response/
6 https://www.sans.org/white-papers/36297/
[Table: ICS incident response phases and objectives; only the row heading “Containment” and the column heading “Considering Safety” survive the extraction]
There is a common misconception where a utility may think they are too small to be
a target of an ICS cyber attack or impactful cyber event. The reality is, however, that
adversaries often target smaller facilities to develop and test attack methodologies
in preparation to attack their ultimate target environment. Small or large, all ICS
environments should have an industrial-grade incident response plan.
In particular, ICS-specific incident response phases must consider all unique aspects
and objectives of industrial control systems, as described below.
ICS incident response specific roles and responsibilities

ICS incident response jump bag
• Laptops with Security Onion, REMnux, SIFT, or RELICS from SANS ICS515
• Forensically clean USBs and external drives
• Log, packet analysis, and timeline tools
• Approved digital camera (no photo metadata)
• Hashes of field device logic/configuration files
• CD-ROM drives and discs
• Baseline images of critical ICS assets
• Hardcopy ICS-specific incident response playbooks and network diagrams
• Data acquisition tools – prioritize command-line tools and memory
• Network/converter cables (e.g., USB to serial)
• PPE for safety
• Out-of-band communications (e.g., handheld radios on-site)
• Contact list for safety, engineering, integrators, security, and emergency response team
• Offline malware analysis tools (static, interactive, automated)
• Site-specific physical safety training certificates
7 https://youtu.be/ZR4Jy9K0AhI
When to initiate ICS incident response
Rapid yet thorough analysis of data acquired from critical assets and the ICS network
traffic to and from those assets, combined with knowledge of engineering operations,
will help teams determine when full industrial incident response must be performed.
Use the following event conditions to help determine the potential risk to engineering,
understand where the attack is in the ICS Cyber Kill Chain, and when it is appropriate to
shift to full industrial incident response.
• Loss of visibility of control process
• Manipulation of control system operations
• Malicious code, unauthorized access detected
• Exfiltration of sensitive industrial system information
• Loss of process controls
• Physical damage to assets or safety concerns
ICS incident response must-haves
While IT/OT convergence of both technology and workforce poses unique challenges,
it can drive a more realistic ICS threat detection and response process. A converged
incident response plan must consider available cybersecurity defenses in both
environments and work to reduce the impact of attacks through IT into ICS, which is
a common vector adversaries leverage that has been observed time and again. This
more realistic process can provide early warning signs of an attack that could impact or
specifically target the industrial process. Incident response for ICS should consider the
following:
ICS connectivity: business benefits and cyber risk
Engineering systems include PLCs, RTUs, protection control relays, embedded HMIs,
SISs, distributed control systems (DCSs), solenoids, meters, field bus communications,
sensors, and actuators. For decades, these engineering devices and systems have
operated the critical infrastructure we rely on in isolation. And, while modern
connectivity into ICSs is becoming common and has led to increased data accessibility
across traditional IT and OT environments with several benefits, as detailed in the
below graphic, it also presents greater threats to security.
Prioritize for safety

Significant risks to safety can occur if prioritizing IT or traditional business systems over industrial control systems or if the ICS/OT security reporting structure fails to fully embrace the differences between IT and ICS/OT.

Consider, for instance, a security incident on the IT business email system and a security incident on the SCADA system of a power grid occurring simultaneously. Which incident gets priority? What pace and rigor will the organization give to the priority incident? Specifically, what drives the decision to manage these very different risks? And what are the related impacts in these different environments?

Did the organization select their focus based on what was most important for the safety of the people, environment, and organization overall? Today’s ICS incident response teams must understand the control system processes, engineering, industrial protocols, safety factors, and ICS-specific cyber threats, and tailor incident response playbooks and risk management strategies accordingly.

Career Development Opportunity - ICS418: The SANS ICS418: ICS Security Essentials for Managers course includes an ICS attack history walkthrough for new and existing ICS/OT security managers with a major focus on lessons learned for improved ICS risk management.
ICS security management choices

[Figure: ICS security management choices; residue shows a manager asked to “Step Over”]
The ICS security defender skillset recipe
Technology and processes (even if automated) do not get us far in the defense area
without a trained and focused workforce. Human defenders—the people, our workforce—
are those who use ICS security technologies, work with engineering, safety, business,
IT security, and other teams. These ICS defenders understand the ICS mission, possible
impacts, and engineering recovery. They understand the industrial process, protocols,
normal vs. abnormal engineering operations network traffic patterns, safety with
context, the commonly targeted assets in control systems, etc. Modern trained ICS
cybersecurity staff understand the nuances between traditional IT and ICS security.
As ICS risk management leaders work to build their ICS security teams, they should
consider the following ICS cybersecurity skillset recipe. For the team to be effective,
team members would do well to have the following skills and experience:
Skillset recipe: ICS Engineering Knowledge + Physical, Environmental Safety + Traditional IT Cybersecurity
"The only defense against well-funded nation-state attacks on power systems (and
the rest of the critical infrastructure that keeps us and the economy alive and free)
are people with extraordinary cyber talent and skills." - Mike Assante
As ICS cybersecurity roles and tasks emerge and evolve, ICS managers who are building
their teams should consider staffing for the following roles:
9 https://www.sans.org/posters/control-systems-are-a-target/
ICS cybersecurity team roles
MANAGEMENT
ICS418: ICS/SCADA Security Essentials for Managers - Manage the people, processes, [...]

TACTICAL
ICS456: Essentials for NERC Critical Infrastructure Protection - Maintain a defensible compliance program up to NERC CIP standards
[...] - Monitor threats, perform incident response, and enhance network security

ADVANCED
ICS612: ICS Cybersecurity In-Depth - Identify threats in a real-world [...]
4. Enable active defense. Ensure the Active Cyber Defense Cycle (ACDC)10
has a strong foundation by implementing ICS/OT-specific architecture
(align with the Purdue and SANS ICS410 SCADA Architecture models to
start), then implement passive defenses to prepare for Active Defense on
the Sliding Scale of Cybersecurity.¹¹
6. Validate the ICS/OT incident response plan. Validate and gain the
benefits of conducting regularly scheduled, specific ICS/OT incident
response plan TTXs and apply related lessons learned.
10 https://www.sans.org/white-papers/36297/
11 “The Sliding Scale of Cyber Security,” Sept 1, 2015, www.sans.org/white-papers/36240/
Epilogue to volume 3
This volume details an approach for ICS incident response, the skillsets and people
needed to “fight through the attack,” the need for quick analysis and triage with
engineering knowledge, the right ICS tooling, an understanding of the protocols
(engineering device communications), and the unique aspects of engineering and jump
bag equipment.
Most importantly, this volume explains why, even though technologies and plans are
crucial to ICS cyber defense, the human defenders are the most critical piece of the
puzzle. We are reminded that, with the right teams and team leaders, “ICS Defense Is
Doable” and required to protect the critical infrastructure we rely on daily.
SANS ICS curriculum
110+ industrial control system abbreviations for easy reference
ABOUT THE AUTHOR
Dean Parsons
B.SC., GICSP, GRID, CISSP, GSLC, GCIA
Dean is the CEO and Principal Consultant of ICS Defense Force and brings 20+ years of
technical and management experience to the classroom. He has worked in both Information
Technology and Industrial Control System Cyber Defense in critical infrastructure sectors such
as telecommunications; electricity generation, transmission, and distribution; and oil and gas
refineries, storage, and distribution.
Dean is an ambassador for defending industrial systems and an advocate for the safety,
reliability, and cyber protection of critical infrastructure. His mission as an instructor is to
empower each of his students, and he earnestly preaches that “ICS Defense is Do-able!”
Over the course of his career, Dean’s accomplishments include establishing entire ICS
security programs for critical infrastructure sectors, successfully containing and eradicating
malware and ransomware infections in electricity generation and manufacturing control
networks, performing malware analysis triage and ICS digital forensics, building converged
IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric
substations, oil and gas refineries, manufacturing, and telecommunications networks. A SANS
Certified Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response and is co-
author of ICS418: ICS Security Essentials for Managers. Dean is a member of the SANS GIAC
Advisory Board and holds many cybersecurity professional certifications including the GICSP,
GRID, GSLC, and GCIA, as well as the CISSP®. He is a proud native of Newfoundland where he
lives with his family.
ACKNOWLEDGEMENTS
Dean would like to thank the following individuals and teams for their continued support,
for being leaders, mentors, and dear friends in this amazing and necessary community, and
working relentlessly to further the protection of critical infrastructure.
Tim Conway, Rob M. Lee, Jeff Shearer, Mark Bristow, Ted Gutierrez, Mike Assante, Justin Searle,
Lauren Ashy, Lisa Peterson, the entire SANS ICS Team, and Yoda. Thank you for treating me as
family, supporting my efforts, and handing me a blue lightsaber.