
ICS CYBERSECURITY

Field
Manual
VOL. 1 - 3

Author:
Dean Parsons
B.SC., GICSP, GRID, CISSP, GSLC, GCIA
Certified SANS Instructor
Critical Infrastructure & ICS Cybersecurity Leader
What to expect from these
ICS security field manuals

If you are new to industrial control system (ICS) security, the SANS ICS Cybersecurity Field Manuals (volumes 1-3) will get you up to speed quickly. They provide long-lasting reference materials, free resources, and a training path in control system security for you and your teams. The three manuals consist of several sections and focus on different aspects of ICS cyber defense.

Copyright © 2023 SANS Institute


Contents

VOLUME 1
Why it’s critical to protect critical infrastructure 2
Differences between IT and ICS security 4
Adapting IT security to protect ICS facilities 6
Safety is #1 in industrial control systems 12
Legacy, modernization, and industrial security 13
ICS cyber threat pool and landscape 14
ICS attack history at a glance 15
Control system engineering assets 17
Control system network levels 23
Epilogue to volume 1 24

VOLUME 2
Introduction to volume 2 26
Sliding scale of cybersecurity 27
Defining network visibility and active ICS defense 28
Establishing an ICS asset inventory 29
Industrial control network protocols 34
Defining network security monitoring for ICS 36
Setup of ICS network security monitoring 42
ICS network security monitoring in practice 45
Compatible tools for ICS network security monitoring 48
The active cyber defense cycle 50
Epilogue to volume 2 52

VOLUME 3
Introduction to volume 3 55
Risk-based ICS vulnerability management 56
ICS patch prioritization: when and how 58
ICS incident response phases and objectives 61
Considerations for ICS incident response 64
ICS incident response specific roles and responsibilities 65
ICS incident response jump bag 66
When to initiate ICS incident response 67
ICS incident response must-haves 69
ICS incident response in practice 70
ICS connectivity: business benefits and cyber risk 71
Prioritize for safety 72
ICS security management choices 73
ICS security leadership pathways 74
The ICS security defender skillset recipe 75
ICS cybersecurity team roles 76
Key ICS management takeaways 78
Epilogue to volume 3 79

The ICS community forum 80


The SANS ICS curriculum 81
110+ industrial control system abbreviations 83

Volume 1
Why it’s critical to protect
critical infrastructure

Many ICSs operate critical infrastructure that underpins our modern society. That infrastructure generates and distributes electricity to heat our homes and businesses, refines crude oil for fuel to run key manufacturing facilities and enable transportation, manufactures foods for global consumption, and treats our drinking water and wastewater. Interacting with control systems is so commonplace we sometimes do not even realize we are doing it. Flipping on a light switch at home or the office, pumping gas into the car, adjusting the thermostat, or pouring water from a tap are all daily activities that rely on industrial control and critical infrastructure systems.

In short, this interconnected, interdependent, and complex mix of both legacy and modern computer systems is responsible for an array of critical processes in the physical world. Unfortunately, adversaries are all too aware of our reliance on these systems and have been increasingly targeting them, which can cause serious safety and environmental impacts. It is therefore imperative that these systems be protected by modern cybersecurity defenses that go beyond traditional information technology (IT) security. More complex critical infrastructure examples include the generation, transmission, and distribution of electric power in a power grid system, critical manufacturing, oil and gas refineries and pipelines, and water and wastewater management systems, among many others.

ICS SECURITY PRO TIP
The National Institute of Standards and Technology defines ICS as systems “...used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.” See csrc.nist.gov/glossary/term/industrial_control_system

The Cybersecurity & Infrastructure Security Agency (CISA) lists 16 sectors deemed as critical infrastructure, as shown in Figure 1.¹

Figure 1. Critical Infrastructure Sectors (diagram; the 16 sectors shown): Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems

ICS systems must perform their tasks to read, write, and change the state of the physical world based on values (referred to as “setpoints”) established by engineering teams to ensure a smooth process that functions within engineering and safety parameters. Examples of “sensing” physical world states in an industrial environment are sensing the temperature in a combustion chamber in a petrochemical plant, the line voltage in a power grid (through digital protection control relays to monitor for trips and protect equipment), the pressure on a gas pipeline or at a pump station, water levels in water utility distribution tanks, and a flow rate of water to be treated in wastewater facilities (to ensure that it is less than the settling velocity of particles in primary clarifier systems). Sensing these related parameters or setpoints can indicate that a state should be changed, at which point operators using Human Machine Interfaces (HMIs) adjust the physical processes by using digital equipment and specialized engineering software.

1 www.cisa.gov/critical-infrastructure-sectors

FIELD MANUAL Vol. 1 3


Differences between
IT and ICS security

A common misconception holds that IT security practices can be directly


applied to ICS environments. While there’s a wealth of knowledge available
to perform solid IT defense, a “copy and paste” of traditional IT security
into an ICS could have problematic or even devastating consequences.
For example, the principles of traditional incident response – Detection &
Identification, Containment, Eradication, Recovery, and Lessons Learned –
are still at play in ICS. However, for each step of the process, the safety and
reliability of operations needs to be considered in order to prioritize human
life and the protection of physical assets.

As stated by the U.S. Department of Homeland Security in a document entitled Developing an Industrial Control Systems Cybersecurity Incident Response Capability: “Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents if prior thought and planning specific to operational ICS is not done.”²

To put it in even starker terms, while cyber incidents in IT environments can lead to undesirable data impacts such as the unavailability of critical business applications, data corruption, and data loss, the impacts in ICS environments range from the loss of visibility or control of a physical process to the manipulation of the physical process by unauthorized users, which can ultimately lead to serious personnel safety risks, injury, or death.

While OT and industrial engineering control system assets are often compared to traditional IT assets, the latter in fact focus on data at rest or data in transit. In contrast, OT and industrial systems monitor and manage data that drives real-time system changes in the real world with physical inputs and controlled physical output actions. It is this primary difference between IT and OT/ICS that drives differing concerns related to security incident response, the environment and safety, cybersecurity controls, engineering support, system design, threat detection, and network architecture, among other critical issues.

ICS SECURITY PRO TIP
The primary differences between IT and ICS/OT security drive different considerations for security incident response, safety, cybersecurity controls, engineering, support, system design, threat detection, and network architecture.

Career Development Opportunity - ICS418
The SANS ICS418: ICS Security Essentials for Managers course covers several main ICS security topics and targets new and existing Operational Technology/Industrial Control Systems (OT/ICSs) security managers and leaders. Management topics covered include ICS security and safety similarities, OT and IT security differences, leveraging the engineering safety culture, building ICS security teams, and navigating IT/OT convergence for board conversations.

Career Development Opportunity - ICS410
The GIAC GICSP certification associated with the SANS ICS410: ICS/SCADA Security Essentials course establishes technical knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.

2 www.cisa.gov/uscert/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf


Adapting IT security to
protect ICS facilities

IT focuses on the world of digital data, while ICS and OT focus on the world of physical safety. Therefore, IT security must be adapted if it is to be used for ICS security. There’s a wealth of knowledge available to perform IT defense, but for OT/ICS, each defensive step needs to consider the safety and reliability of operations to prioritize human life and the protection of physical assets.

Let’s define several common IT security defenses and review how they can be used or adapted to provide effective cyber defenses for ICS facilities while supporting the safety and reliability of operations.

Career Development Opportunity - ICS418
The SANS ICS418: ICS Security Essentials for Managers course empowers new and established ICS security managers from all areas to understand the differences between IT/OT from a business, safety, and cyber risk management perspective.

VULNERABILITY SCANNING
Automating regular vulnerability scans on critical business services in IT is good practice, whereas vulnerability scanning in ICS networks can have unpredictable and undesirable effects on safety. This is largely due to legacy systems that are unable to correctly process the traffic generated by vulnerability scanning applications at a technical level; malformed or unexpected packets can hang or crash a controller.

Active vulnerability scanning in ICS is best performed by testing in development and by using a phased approach that involves engineering and safety teams. Less invasive methods include reviewing passive network captures, asset inventories, configuration files, and firmware versions against threat intelligence and vulnerability advisories to achieve ICS vulnerability assessments.

ENCRYPTION
Confidentiality of network traffic inside an ICS is less of a requirement than it is in traditional IT business networks because the two have largely different risk profiles regarding network traffic sniffing by unauthorized users. Encrypting internal ICS traffic can also cause unintended consequences when dealing with legacy devices, potentially low-bandwidth networks, and many remote sites. In addition, full-packet encryption will significantly devalue network security monitoring (NSM) and ICS active defense, leaving only 5-tuple or IPFIX flow metadata (addresses, ports, protocol) visible to ICS defenders. Secure authentication of control commands sent to engineering devices is improving and is more widely available in modern control networks.

Career Development Opportunity - ICS410

The SANS ICS410: ICS/SCADA Security Essentials course, at a technical level, compares the differences between IT and OT/ICS across cybersecurity, safety, reliability, and support in order to bridge knowledge for IT, OT, and engineering. Students will complete numerous in-class technical labs ranging from programming a fundamental programmable logic controller (PLC) to conducting HMI and investigating attack vectors in OT/ICS.
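The passive assessment path described under Vulnerability Scanning above, as an added example in Python (not code from this manual or from SANS): it compares the firmware versions recorded in an asset inventory against vendor advisories and ranks the matches by exposure and evidence of exploitation, without sending a packet to the control network. The vendor and product names, advisory identifiers, version strings, Purdue levels, remote-access flags and scoring weights are all constructed for illustration.

```python
"""Passive ICS vulnerability assessment from an asset inventory.

Added example; not code from the SANS field manual. Instead of scanning the
control network, it compares firmware versions recorded in an asset inventory
against vendor advisories and ranks the matches. The vendor, product and
advisory identifiers, version strings, Purdue levels and scoring weights are
all constructed for illustration (hypothetical)."""
from dataclasses import dataclass


def parse_version(text):
    """'2.10.3' -> (2, 10, 3); assumes dotted numeric versions so 2.10 > 2.9."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    purdue_level: int      # 0-5; levels 0/1 directly drive the physical process
    remote_access: bool    # reachable through a vendor/remote-access path


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # hypothetical identifier
    vendor: str
    product: str
    fixed_in: str          # versions older than this are affected
    exploited_in_wild: bool


def is_affected(asset, advisory):
    """Vendor/product match and firmware older than the fixed version."""
    return (asset.vendor.lower() == advisory.vendor.lower()
            and asset.product.lower() == advisory.product.lower()
            and parse_version(asset.firmware) < parse_version(advisory.fixed_in))


def priority(asset, advisory):
    """Assumed weights: demonstrated exploitation and exposure raise the score."""
    score = 1
    if advisory.exploited_in_wild:
        score += 3
    if asset.remote_access:
        score += 2
    if asset.purdue_level <= 1:
        score += 2
    return score


def assess(assets, advisories):
    """Return (priority, asset name, advisory id) tuples, highest priority first."""
    findings = [(priority(a, adv), a.name, adv.advisory_id)
                for a in assets for adv in advisories if is_affected(a, adv)]
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed inventory and advisories: not real products or advisories.
INVENTORY = [
    Asset("PLC-01", "ExampleCo", "CtrlLogic", "2.10.3", 1, False),
    Asset("PLC-02", "ExampleCo", "CtrlLogic", "2.8.0", 1, True),
    Asset("HMI-01", "ExampleCo", "ViewStation", "5.2", 2, False),
    Asset("HIST-01", "ExampleCo", "Historian", "9.0", 3, True),
]
ADVISORIES = [
    Advisory("ADV-EX-0001", "ExampleCo", "CtrlLogic", "2.10.0", True),
    Advisory("ADV-EX-0002", "ExampleCo", "ViewStation", "5.3", False),
    Advisory("ADV-EX-0003", "ExampleCo", "Historian", "8.5", False),
]

if __name__ == "__main__":
    for score, asset, adv in assess(INVENTORY, ADVISORIES):
        print("priority %d  %-8s %s" % (score, asset, adv))
```

Versions are compared as integer tuples, so 2.10 ranks above 2.9; a vendor with non-numeric version strings (5.2a, 2.10-SP1) needs a product-specific parser, and an advisory that lists affected ranges rather than a fixed-in version needs both bounds. The weights are a starting point to adjust per site; the point is that nothing here ever touches a controller.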

PATCHING IN INDUSTRIAL ENVIRONMENTS
Patching operating systems and software is an effective security practice that has been commonplace in business networks for decades. There are special circumstances for ICS, where patching may not be feasible or possible within a normally accepted timeframe without impacting safety or increasing the risk to industrial processes. This could be the case with legacy equipment or critical infrastructure systems. However, patching has become more acceptable in ICS environments in recent years given the threat landscape, the availability of patches, patch testing by ICS vendors, and the availability of standards such as the North American Electric Reliability Corporation (NERC) standards for the electricity utility sector. In cases where electricity utilities are following NERC Critical Infrastructure Protection (CIP) standards, patching is clear. Patching is not just nice to have – it is a requirement with strict criteria for identifying, reviewing, and applying patches. In extreme cases when patching is not possible within NERC-CIP specified standards, an electricity utility adhering to NERC-CIP could declare an exceptional circumstance under which the case would have to be justified and formally documented. Compensating controls then could be used to reduce risk in some cases.

Many ICS vendors go to great lengths to verify their software on common operating systems not long after patch notifications are released. This process continues to improve across multiple sectors. Thus, patching is becoming more of a positive and achievable part of active ICS defense and preventative maintenance from which facilities can benefit. Remember, when evaluating patch advisories and vulnerability reports, and to drive risk-based mitigation plans, it is best to follow a strategy of threat = capability of the adversary + intent of the adversary + opportunity for the adversary to have an impact. Patches for vulnerabilities that are applicable to your environment are best applied using a phased, controlled, and safe approach. When patching is not feasible within a normally accepted timeframe, it is common to add additional monitoring or compensating controls.

Career Development Opportunity - ICS410
SANS ICS410: ICS/SCADA Security Essentials walks students through the Purdue levels. Then, using the ICS Network Reference Architecture model, the course builds security enforcement boundaries to illustrate traffic flows and security controls for modern ICS network defenses in depth. See www.sans.org/posters/control-systems-are-a-target/

ENDPOINT SECURITY FOR CONTROL SYSTEM ASSETS
IT antivirus solutions have signature and behavioral/heuristics-based engines for threat detection that commonly require frequent Internet-based updates. Internet egress and ingress filtering for industrial environments offer more protections but may not feasibly allow frequent Internet connectivity. A false positive in IT can disrupt business flow. A false positive in ICS could stop critical systems, which in turn could cause an unsafe physical situation for workers or environmental concerns.

Where industrial control systems are more static than traditional IT environments, using application allowlisting (whitelisting) endpoint protection solutions and allowing only pre-approved applications to execute drastically reduces the potential for malware to run, reduces false positives, supports safety, and removes the need for frequent Internet-based updates.

Antivirus on endpoint devices generally does not currently include protection of, or installation on, engineering assets such as controllers. Rather, endpoint protections are commonly limited to protecting OT assets running traditional operating systems with engineering software installed.

FIREWALLS AND NETWORK SEGMENTATION
The proper use of firewalls is critical in ICS for the same reasons as in IT. Firewalls can be used for containment in incident response and as chokepoints for NSM data collection, segmenting network zones, and securely controlling traffic via access control lists. ICS firewalls should not allow any direct connections to or from the Internet. If remote access is needed for maintenance or support, it should be implemented securely and carefully and in multiple layers, such as multi-factor authentication, extremely strict access control, and additional monitoring/alerting.

An ICS network should generally not accept inbound connectivity. Control networks benefit from deploying network intrusion detection systems (IDSs) that do not drop traffic, rather than running the risk of dropping industrial process or safety commands from false positives, which are more common with intrusion prevention systems.

Figure 2. ICS410 SCADA Reference Model Illustrating Security Boundaries and Assets in Purdue Levels (diagram; recoverable labels):
- Purdue Level 4: Site’s Local Business Network (Non-ICS Networks)
- Major Enforcement Boundary between ICS DMZ and Enterprise Networks (business pulls from or pushes to ICS DMZ)
- ICS DMZ segments: Level 3 to 4; Level 4 to 3; Cloud Access; Remote Access
- Major Enforcement Boundary between Control Networks and ICS DMZ (control pulls from or pushes to ICS DMZ)
- Purdue Level 3, Operations/ICS Networks: Site-Wide Supervisory Master Servers, Historian, Workstations and HMIs (per group/role); Testing/Staging (per system); Cybersecurity Operations; Jump Hosts (per vendor or group/role)
- Minor Enforcement Boundary between Processes and Site-Wide Supervisory (ACL on Router/Layer-3 Switch or Firewall)
- Per Process/DCS/Cell/Line (A, B, C, D): Purdue Level 2 Local Supervisory; Purdue Level 1 Local Controllers; Purdue Level 0 Field Devices; Air gap/Enforcement; Safety Systems

ICS NETWORK SECURITY
You may not realize it or have system visibility to see it, but your organization’s ICS environments are a target for cyber attackers. ICS automation, process control, access control devices, system accounts, and asset information all have tremendous value to attackers.

NETWORK INTRUSION DETECTION AND PREVENTION
All network inspection devices deployed to make decisions on ICS traffic should be able to interpret ICS protocols and commands. As with antivirus solutions on endpoints, false positives and the potential disruption of control system operations can occur in network inspection as well. Thus, an IDS to provide alerts on suspect network traffic on a control network is more suitable than an intrusion prevention system that blocks network traffic. Detection over prevention allows for alerting and logging as well as the ability to actively drive an investigation without security introducing risk to operations. IDSs in any environment will require dedicated resources to frequently fine-tune and test their rules based on changes and sector threat intelligence in order to enable proactive ICS defense and threat hunting. The volume of network traffic in industrial control networks is significantly less than in IT environments, making the detection of malicious activity more manageable.

ICS SECURITY PRO TIP
It is common and advisable for control system designers to segment different control networks from each other. This can be done by using enforcement boundaries to separate the Internet and corporate business networks from control system networks, and by segmenting the control network into levels aligning with a model such as the Purdue network architecture model.
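The enforcement boundaries in Figure 2 and the firewall guidance above, as an added example in Python (not code from this manual or from SANS): a policy function that states which zone may initiate a connection toward which other zone, plus an audit over constructed flow records such as those exported from a firewall log. The zone names, the rule that control-side flows cross only one Purdue level at a time, the MFA remote-access path into a Level 3 jump host and the sample flows are assumptions; a real site would encode its own ACLs.

```python
"""Purdue enforcement-boundary policy check for ICS firewall rules and flows.

Added example; not code from the SANS field manual. It encodes one reading of
the boundaries in the ICS410 reference model: business and control sides each
initiate connections toward the ICS DMZ, nothing crosses the DMZ in one hop,
control networks accept no inbound connections except MFA remote access to a
Level 3 jump host, and there is no direct Internet connectivity to or from
control networks. The zone names, the one-level-hop rule inside the control
network and the sample flows are assumptions to adapt to the site's real ACLs."""

LEVEL = {"LEVEL0": 0, "LEVEL1": 1, "LEVEL2": 2, "LEVEL3": 3}
CONTROL = set(LEVEL)
ZONES = CONTROL | {"ICS_DMZ", "ENTERPRISE", "INTERNET"}


def evaluate(src, dst, service="other", mfa=False):
    """Verdict ('allow'/'deny', reason) for a connection initiated from src toward dst."""
    for zone in (src, dst):
        if zone not in ZONES:
            raise ValueError("unknown zone %r" % zone)
    if src == dst:
        return "allow", "intra-zone traffic"
    if "INTERNET" in (src, dst) and {src, dst} & CONTROL:
        return "deny", "direct Internet connection to or from a control network"
    if src == "INTERNET":
        if dst == "ICS_DMZ" and service == "remote-access" and mfa:
            return "allow", "remote access terminates in the ICS DMZ with MFA"
        return "deny", "Internet may only reach the DMZ remote-access service with MFA"
    if dst == "INTERNET":
        if src == "ENTERPRISE":
            return "allow", "enterprise egress, outside the ICS boundaries"
        return "deny", "no general outbound Internet from the ICS DMZ"
    if src == "ENTERPRISE":
        if dst == "ICS_DMZ":
            return "allow", "business pulls from or pushes to the ICS DMZ"
        return "deny", "enterprise traffic must terminate in the ICS DMZ"
    if src == "ICS_DMZ":
        if dst == "ENTERPRISE":
            return "deny", "business side initiates at the enterprise/DMZ boundary (assumed)"
        if dst == "LEVEL3" and service == "remote-access" and mfa:
            return "allow", "DMZ remote access to a Level 3 jump host with MFA"
        return "deny", "control networks accept no inbound connections from the DMZ"
    # src is a control-network zone
    if dst == "ICS_DMZ":
        if src == "LEVEL3":
            return "allow", "control pulls from or pushes to the ICS DMZ"
        return "deny", "only Level 3 crosses the major boundary to the ICS DMZ"
    if dst == "ENTERPRISE":
        return "deny", "control traffic must terminate in the ICS DMZ"
    if abs(LEVEL[src] - LEVEL[dst]) <= 1:
        return "allow", "adjacent Purdue levels across the minor enforcement boundary"
    return "deny", "control flows cross only one Purdue level at a time (assumed)"


def audit(flows):
    """Return the flows a correctly configured boundary would deny, with reasons."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(*flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records: (initiating zone, destination zone, service[, mfa]).
FLOWS = [
    ("ENTERPRISE", "ICS_DMZ", "historian-replica"),
    ("LEVEL3", "ICS_DMZ", "historian-push"),
    ("ENTERPRISE", "LEVEL2", "hmi-view"),
    ("INTERNET", "LEVEL1", "vendor-maintenance"),
    ("ICS_DMZ", "LEVEL3", "remote-access", True),
    ("ICS_DMZ", "LEVEL3", "remote-access", False),
    ("LEVEL3", "LEVEL1", "engineering-download"),
    ("LEVEL2", "LEVEL1", "control-traffic"),
]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print("DENY %-40s %s" % (flow, reason))
```

Run it over an export of permitted flows, or of proposed rules, to find anything that crosses a major boundary in one hop. The flagged Level 3 to Level 1 engineering download shows why the one-level rule is an assumption to tune rather than a law; any deny returned for a flow that is actually in use is either a misconfiguration or a documented exception that should carry a compensating control.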

COMPARING SECURITY CONTROLS AND ACTIONS

The table below defines just a few common IT security controls and reviews how they can be used or adapted to provide effective cyber defenses for ICS facilities while supporting the safety and reliability of operations.

Security Control: Endpoint Protection
  IT Action: Signatures, heuristics-based detections – quarantine
  ICS Action: Heuristics alerting; allowlisting – alerting, blocking unlearned applications

Security Control: Firewalls
  IT Action: Segment – users, servers
  ICS Action: Segment from enterprise/IT and Internet, align with Purdue levels 0-5

Security Control: Network Intrusion Detection System/Intrusion Protection System
  IT Action: Intrusion prevention system (IPS)
  ICS Action: IDS, behavioral-anomaly detection – alerting

Security Control: Vulnerability Scanning
  IT Action: Regular interval, automated
  ICS Action: Tested in development, passive where possible, run during scheduled maintenance windows

Security Control: Patching
  IT Action: Monthly, streamlined process
  ICS Action: Less frequent, legacy devices, fewer patch windows

Security Control: Security Awareness
  IT Action: Phishing, web, and data protections
  ICS Action: IT security awareness + physical safety, transient devices, architecture, engineering

Security Control: Event Detection
  IT Action: Windows event logs, traditional endpoint protection, URL inspection, etc.
  ICS Action: Remote Terminal Unit (RTU)/PLC changes, ICS protocol abuse, Purdue boundary access detection, remote access by vendors

Security Control: Incident on Asset
  IT Action: Wipe, patch, deploy
  ICS Action: Fight through attack: maintain safety, contain, completely eradicate during next engineering maintenance window

Table 1: IT vs ICS Security Control Actions
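The Event Detection and Network Intrusion Detection rows of Table 1, and the point made above that inspection devices must interpret ICS protocols and commands while alerting rather than blocking, as an added example in Python (not code from this manual or from SANS): a parser for the Modbus/TCP MBAP header and function code that raises an alert, never a drop, when a state-changing write arrives from a source that is not an authorized writer, or when a frame is malformed. The IP addresses, the writer allowlist and the sample frames are constructed for illustration; the MBAP layout and the write function codes are from the public Modbus specification.

```python
"""Alert-only inspection of Modbus/TCP write commands.

Added example; not code from the SANS field manual. It parses the MBAP header
and function code of Modbus/TCP requests and raises alerts (it never drops
traffic) when a write function arrives from a source that is not an authorized
writer, or when a frame is malformed. The IP addresses, the allowlist and the
sample frames are constructed for illustration (hypothetical)."""
import struct

# Modbus function codes that change controller state (public Modbus spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header plus function code; ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:          # length counts from the unit id onward
        raise ValueError("length field %d does not match %d bytes present"
                         % (length, len(payload) - 6))
    return {"tid": tid, "unit": unit, "fc": fc, "data": payload[8:]}


def describe_write(frame):
    """Name the write and its target address (and item count for multi-item writes)."""
    fc, data = frame["fc"], frame["data"]
    name = WRITE_FUNCTIONS[fc]
    if fc == 23 and len(data) >= 6:         # read start/qty precede the write start
        return "%s at address %d" % (name, struct.unpack(">H", data[4:6])[0])
    if len(data) < 2:
        return "%s (truncated data)" % name
    addr = struct.unpack(">H", data[:2])[0]
    if fc in (15, 16) and len(data) >= 4:
        count = struct.unpack(">H", data[2:4])[0]
        return "%s at address %d, %d items" % (name, addr, count)
    return "%s at address %d" % (name, addr)


def inspect(flows, authorized_writers):
    """flows: (src_ip, dst_ip, payload) tuples. Returns alerts; nothing is blocked."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, dst, "malformed Modbus/TCP: %s" % err))
            continue
        if frame["fc"] in WRITE_FUNCTIONS and src not in authorized_writers:
            alerts.append((src, dst, "unauthorized %s on unit %d"
                           % (describe_write(frame), frame["unit"])))
    return alerts


# Constructed sample traffic toward PLC 10.10.1.5 (unit 1); hypothetical addresses.
AUTHORIZED_WRITERS = {"10.10.2.10"}     # the HMI/SCADA server
SAMPLE_FLOWS = [
    # HMI reads 10 holding registers from address 0: normal polling
    ("10.10.2.10", "10.10.1.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # HMI writes setpoint 100 to register 16: authorized writer, no alert
    ("10.10.2.10", "10.10.1.5", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # unknown host forces coil 1 ON: alert
    ("10.10.3.77", "10.10.1.5", bytes.fromhex("0003 0000 0006 01 05 0001 ff00")),
    # unknown host writes two registers starting at 0: alert
    ("10.10.3.77", "10.10.1.5", bytes.fromhex("0004 0000 000b 01 10 0000 0002 04 0001 0002")),
    # length field claims 6 bytes but only 4 follow: malformed, alert
    ("10.10.3.77", "10.10.1.5", bytes.fromhex("0005 0000 0006 01 06 0010")),
]

if __name__ == "__main__":
    for src, dst, message in inspect(SAMPLE_FLOWS, AUTHORIZED_WRITERS):
        print("ALERT %s -> %s: %s" % (src, dst, message))
```

The allowlist is the key tuning input: in a static control network the set of hosts that legitimately write to a given unit is small and knowable from the asset inventory, so a write from anywhere else is worth an analyst’s time even when the command itself looks benign. The same skeleton extends to other function codes (diagnostics, device identification) or to other protocols once a parser exists for them.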


Safety is #1 in industrial
control systems

Unlike IT incidents, ICS incidents can involve the potential loss or damage of physical property or engineering assets, as well as safety risks to people and the environment. Thus, industrial incident response is a joint effort with security incident responders, engineers, operators, network architects, and physical safety teams at facilities.

On-site physical safety is always going to be top of mind, even above cybersecurity. In fact, cybersecurity supports safety. While on-site in a facility, it is critical to follow the lead of the safety team and the physical safety protocols to ensure you and your team remain physically safe. This is usually the first of the organization’s core values. It means wearing personal protective equipment (PPE), and many sites also require all visitors to have completed safety training and show certificates of completion before entering.

Many ICS security programs leverage the physical engineering safety culture in an organization by drawing parallels between physical safety and cyber safety. Through presentations about security awareness, as an example, the programs share industry case studies to illustrate how cyber attacks can severely impact operations and how cybersecurity protects the safety and reliability of engineering operations. It is not uncommon for industrial cybersecurity programs to reword cyber “security” as cyber “safety” in security awareness memos.

ICS SECURITY PRO TIPS
- Cyber-kinetic attacks on control systems or control system components can manifest as direct or indirect physical damage to engineering assets, in turn introducing environmental impacts and possibly causing human injury or death.
- The security mission in IT is to secure data at rest and in transit to support Confidentiality, Integrity, and Availability (CIA). The safety mission in ICS is to enable and secure physics in engineering processes that could, if compromised, render physical conditions unsafe for the environment and people. The mission in ICS is safety, engineering system and command integrity, and cyber-physical operational availability. In control systems, ICS cybersecurity supports the safety and reliability of operations.
Legacy, modernization,
and industrial security

ICSs were not always as connected or as highly automated and complex as they are today. The systems were designed, built, tested, and deployed for a particular purpose, enabling the control system to operate in isolation, and ran on proprietary protocols. This was all done in an isolated network away from other networks, including the outside world of IT business networks and the Internet.

Over the years, advancements in modern network technology and equipment control systems have resulted in a shift from an isolated control environment for ICS to a more connected environment. This has brought about several business benefits such as cost savings, improved efficiency, better safety management, and an improved view and control over engineering processes. However, more external connections also ultimately broke the isolated or “air-gapped” model of the past, rendering industrial control systems less isolated and more exposed to additional cyber risk.

More external connections were enabled for ICS to take advantage of their benefits, including reducing travel costs by allowing external support personnel to access the environment(s) for remote monitoring and control of industrial processes. Today, most control systems use modern TCP/IP network stacks, modern network technologies, and a blend of traditional technology and industrial protocols. However, many legacy systems still exist as part of critical subsystems within control systems. In short, with automation and its benefits also come increased risks.


ICS cyber threat
pool and landscape

With modernization of their systems and increased connectivity to the Internet and business networks, ICSs have inherited IT-related security vulnerabilities in addition to inherent control system vulnerabilities, widening the cyber threat pool.

In general, the threat landscape for ICS is continually increasing. Cyber attackers have skills that go beyond traditional IT intrusions and data exfiltration techniques. They have set their sights on OT and control systems, demonstrating an understanding of ICSs and an alarming ability to develop ICS-capable attack tools to gain access and cause negative effects.

The various threat groups and adversaries and their capabilities to impact an organization are considered a threat pool. The yellow area in Figure 3 represents the number of ICS threat adversary groups capable of conducting ICS-specific attacks with large likely impacts. The blue area represents the number of IT attacks that can impact control systems. As threat groups continue to improve in skill, sophistication, and the targeting of attacks, we will see both the yellow and blue areas grow – in other words, there will be a continuous increase in ICS-specific attacks and in IT attacks that can impact ICSs. And as ICS facilities become more interconnected and reliant on IT, we can expect to see more tools and research designed to impact ICS operations through IT attacks.

Figure 3. The Threat Pool: The Sunny Side Up Egg of Doom (diagram; recoverable labels: inner yellow area “ICS Capable Threat Actor Pool (ICS Specific Attacks)”, outer blue area “IT Attacks That Can Impact ICS”, annotated “Actors, Tools, & Skills Increasing”)
ICS attack history at a glance

There is a general increasing trend in the intent and capabilities of threat actors to cause an impact in ICS environments. Cyber-kinetic attacks on control systems or their components can manifest as direct or indirect physical damage to engineering assets, in turn introducing environmental impacts and causing human injury or death.

Career Development Opportunity - ICS418
The SANS ICS418: ICS Security Essentials for Managers course includes an ICS attack history walkthrough for new and existing ICS/OT security managers with a major focus on lessons learned for improved ICS risk management.

Figure 4. General ICS Risk Timeline 1990–2020 (diagram; risk rises from low to high, left to right):
- 1990-2000 (low risk): Rarely connected; Limited connectivity via modems; Remote control access to non-critical controls; Exposure to some nuisance cyber threats
- 2000-2010: Ethernet mainstream in IT; Viruses surface and grow; Ethernet limited in ICS; Increased ICS remote access; IT/OT convergence; Limited ICS attack interest; Limited ICS controls over Ethernet
- 2010-2020 (high risk): Targeted ICS attacks; Sophisticated, coordinated attacks on safety, infrastructure destruction; Blended multi-stage attacks; Living off the ICS land; Ransomware impacting ICS; ICS cyber warfare


ICS attack history

Since 2010, there have been a number of high-profile, targeted attacks on ICSs ranging from espionage to physical destruction of engineering assets, as shown in Figure 5.

Figure 5. Notable Attacks on Industrial Control Systems since 2010 (diagram; entries as shown):
- Stuxnet (2010) - Destructive Malware: Specific target - Iran Natanz uranium enrichment facility; physical destruction; 0-days; PLC rootkit
- Havex (2014) - Espionage Malware: Living off the land; espionage only; abused OPC (deployed in many ICS sectors)
- BlackEnergy (2015) - Espionage Malware, Human Adversary - Interaction with Control System: Used for access to Ukraine; adversary used HMI to shut down power
- CRASHOVERRIDE (2016) aka Industroyer - Disruptive Malware: Abused native ICS (IEC-104) protocol; scalable ICS-specific framework (more than malware)
- TRISIS aka Triton aka Hatman (2017) - Disruptive Malware - Attack on People and Safety Control Systems: Targeted Safety Instrumented System (SIS)
- EKANS (2020) - Disruptive Malware - Ransomware Targeting ICS Processes: Ransomware with additional functionality to forcibly stop several running programs, including multiple processes related to industrial operations
- PIPEDREAM (2022): A modular ICS attack framework an adversary could leverage to cause disruption, degradation, and possibly destruction of physical ICS assets, with the capability to manipulate a wide variety of ICS engineering software and industrial controllers, attack ubiquitous industrial technologies, and abuse ICS protocols, in nearly any ICS sector

ICS SECURITY PRO TIPS
- Conduct a simple ICS Attack Tree exercise to identify potential attack vectors. This can also help with ICS incident response exercises and pave the way for advanced ICS threat hunting for more mature environments.
- MITRE ATT&CK for ICS is a practical framework to describe the actions an adversary may take while operating inside a control network. It illustrates previously observed ICS attacks and shares knowledge on related attack tactics and techniques, potential mitigations, impacts, the malicious software used, etc. MITRE ATT&CK for ICS can be found at https://attack.mitre.org/techniques/ics/
Control system engineering assets

SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA)

SCADA is a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Its common uses include power transmission and distribution and pipeline systems in industrial environments.

Figure 6. General SCADA System Layout (a control center with HMI, engineering workstations, data historian, control server (SCADA MTU), and communications routers; field sites with PLC, IED, and RTU devices reached over a wide area network by switched telephone, leased line or power line based communications, radio, microwave or cellular, and satellite links)

Career Development Opportunity - ICS410

- ICS410: ICS/SCADA Security Essentials is an introduction to ICS security and SCADA environments. It reviews critical ICS/OT engineering assets, network architecture, and engineering processes, as well as how engineering assets fit and work together, among other critical topics.

- The SANS ICS410: ICS/SCADA Security course includes hands-on labs with a fundamental PLC kit for each student to use in class and take home for continued learning.

FIELD MANUAL Vol. 1 17


PROGRAMMABLE LOGIC CONTROLLERS

PLCs are solid-state devices that hold and run programmed logic instructions for a control process. They are physically wired to various instrumented devices such as sensors and actuators, including sensors that perceive physical states such as temperature, vibration, fluid levels, pressure, humidity, etc., and actuators such as solenoids, burners, compressors, pumps, valves, breakers, etc. For example, the PLC and its input/output modules could sense and communicate to RTUs to physically open or close breakers in a power system, energizing or de-energizing power to a region or city. Controllers are said to “run the plant floor” in control system facilities.

Figure 7. Chassis with PLC and Input/Output Modules

ICS SECURITY PRO TIP

Many ICS components can be placed into logic levels or groupings that align with the Purdue Reference Model but can be further extended with the Network Reference Architecture from the ICS410: ICS/SCADA Security Essentials course to focus even more on security and secure enforcement boundaries.

SENSORS

Sensor devices physically measure a quantity or physical state of something, then convert the measurements into an electrical or optical signal that other engineering devices can interpret and apply logic to in order to help change the state in a control system environment that ultimately affects and changes the physical world. For example, sensors detect physical changes such as temperature, humidity, vibration, sound, pressure, etc.

ACTUATORS

Actuators are mechanical devices and components attached at the end of the industrial process that move and change elements in the physical world. They include but are not limited to valves, solenoids, pumps, agitators, burners, switches, relays, and compressors.

Career Development Opportunity - ICS410

The SANS ICS410: ICS/SCADA Security Essentials course teaches about ICS attack vectors, the attack tree methodology, and the exploitation of fundamental ICS system vulnerabilities, while identifying critical ICS/OT assets.

DATA HISTORIAN

Data historian is the database system for control system process information,
trending data about the process, and other critical information. For example, a data
historian in an electricity generation facility will likely store electricity demand
from industry and residential customers, but also the rate at which power is being
generated, thus revealing data about how to improve the process. As another
example, a pharmaceutical process might store information in the data historian
about the number of different substances needed to create a vaccine and the rate at
which a batch is being produced. A data historian is an asset that may have trusted
connections to both IT and ICS. An adversary could abuse this trusted asset to pivot
from a compromised asset in IT to the control network. In addition, data stored in this
database could be highly sensitive and sought after by adversaries to learn about the
industrial process and/or to steal intellectual property from the database.

Figure 8. A Typical Data Historian Tracking and Storing Process Trending Data
on a City’s Power Grid System


ENGINEERING WORKSTATION
An engineering workstation is usually a laptop or power desktop workstation that
is used with engineering software to view, manage, and program network devices,
PLCs, RTUs, and other field devices at the lower levels of an entire facility operation.
The codes to “run the plant floor” are commonly stored on this device, which usually
has full access to change plant floor programming. From here, an adversary can
reprogram and update controllers in operation.

Figure 9. Typical Engineering Workstation Software Used to Program and Change PLCs


HUMAN MACHINE INTERFACE


An HMI is a graphical interface used to interact with, change, and control the physical
process at a local or remote facility. Operators use the HMI to view and acknowledge
system alarms and safety conditions and to monitor whether production is operating as
expected. HMIs can run on traditional operating systems on OT assets or on embedded
devices closer to the process in a facility such as on touch-screen panels. From an HMI,
an adversary can directly interact with the process and manipulate it.


Figure 10. Typical HMI Used by Engineering Operators to View, Change, and Control Industrial Processes

Control system network levels

Many ICS components can be categorized into the following zones of systems based on levels from the Purdue Reference Architecture.3

Level 5 - Internet, Cloud Services
Level 4 - Enterprise IT Systems
Level 3 - ICS Plant Site SCADA Controls
Level 2 - HMI, Engineering Workstation
Level 1 - Process Control, Field Devices
Level 0 - Sensors, Hardware Actuators

Career Development Opportunity - ICS410

The SANS ICS410: ICS/SCADA Security Essentials course walks students through technical labs that critique and improve ICS network architecture and system designs.

Figure 11. Levels of an ICS Network with Key Components4 (Supervisory Level: redundant control servers, main HMI, data historian, engineering workstation. Field Level: machine HMIs, single loop controllers, programmable logic controllers (PLCs), process controllers, I/O, modems and remote access, fieldbus networks, a motion control network with I/O computer, and field equipment such as pressure and temperature sensors, proximity sensors, photo eyes, servo, AC and DC drives, variable frequency drives, motors, solenoid valves, pressure regulators, and light towers)

3 en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture
4 nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf



Epilogue to volume 1

This volume has shown us that there are different approaches to IT and ICS security, and that’s ok! While some parts of traditional IT security can help guide the community, a direct “copy-paste” of them is not recommended for ICS. Elements of IT security for OT/ICS should be adopted for ICS security where it makes sense, all the while making adjustments as needed and always prioritizing human life, the reliability of operations, and the protection of physical assets.

Given the volume and sophistication of threats to ICS, the IT/OT convergence movement works well for end-to-end security event correlation from IT through to ICS. The convergence of these IT and OT groups should be embraced as part of efforts to achieve an active defense strategy with network security monitoring and active threat hunting. Physical site inspection and face-to-face cyber discussions literally on the plant floor are also very effective at getting everyone involved in recognizing that cyber safety supports the security and reliability of operations.

As we saw in Figure 5, in recent years the world has witnessed a number of specific targeted ICS attacks, including Stuxnet, Havex, BlackEnergy, CRASHOVERRIDE, TRISIS/TRITON (the world’s first publicly disclosed attack on safety instrumented systems), and the most recent ICS scalable attack framework, PIPEDREAM. Attacks against critical infrastructure increasingly impact our daily lives. Through all of the targeted ICS attacks, we must not lose sight that IT-related malware such as ransomware and cryptomining, while not designed to physically damage an ICS, have also caused disruptions and downtime if running in an ICS.

ICS cybersecurity field manual

Volume 2



Introduction to volume 2

The consequences of modern ICS cyber attacks can include but are not limited to widespread power grid blackouts, failure or physical destruction of critical engineering equipment, massive business financial losses, paralysis of smart city emergency infrastructure in large municipalities, human injury or death, and possibly devastating environmental impacts. ICS intrusions will continue to occur and likely increase in their severity and range of consequences across multiple critical infrastructure sectors. However, managing control system cyber risk and effectively applying tactical ICS defenses is achievable!

Volume 2 of the ICS Cybersecurity Field Manual provides insight into the active cyber defense cycle, presents effective ways to establish an ICS asset inventory and obtain network visibility to apply NSM through data collection, network traffic analysis, and network threat detection. It also serves as a resource for budget-constrained ICS security programs to leverage no-cost or low-cost tools as they start their journey to mature efforts to protect control systems and critical infrastructure.

ICS418 ICS Security Leadership Simulation Game - Industrial Cyber42

SANS has extended the Cyber42 Leadership Simulation Game to the ICS418 course as Industrial Cyber42 (https://www.sans.org/blog/cyber42). Students participate in various ICS risk-based and management decision scenarios to protect a control system using their risk management skills. The object of the game is to finish with the highest safety culture score.

Sliding scale of cybersecurity

The Sliding Scale of Cybersecurity can be used to categorize the security maturity,
actions, and investments that build a cybersecurity program.¹ The scale has five
progressive categories: Architecture, Passive Defense, Active Defense, Intelligence, and
Offense. Each category builds on the previous one to make the upcoming categories
stronger. Architecture is a foundational and affordable starting point to which there
is high return on investment and from which all following categories of the scale will
benefit. Each category in the scale is described below.

Figure 1: Sliding Scale of Cybersecurity (Architecture, Passive Defense, Active Defense, Intelligence, Offense)

1. Architecture. The planning, establishment, and maintenance of systems with security and reliability as the priority, including the supply chain, patching, and network architecture.
2. Passive Defense. Systems added to Architecture that do not require consistent human interaction and provide reliable defense or insight into a subset of less-advanced threats.
3. Active Defense. The process of human analysis consistently involved in proactive defense. It involves using ICS-specific tools, monitoring for, actively responding to, and learning from adversaries internal to the control networks.
4. Intelligence. Collecting data, exploiting collected data, and processing it into information, obtaining or adding context, and producing actionable threat intelligence to inform proactive defense.
5. Offense. Partaking in legal countermeasures and self-defense actions against the adversary.

Career Development Opportunity - ICS515

The SANS ICS515: ICS Visibility, Detection, and Response course teaches students all steps of the Active Cyber Defense Cycle through hands-on technical labs and real-world industrial attack scenarios and related lessons learned.

1 For more information, see the SANS White Paper, The Sliding Scale of Cybersecurity, available here: www.sans.org/white-papers/36240/



Defining network visibility and active ICS defense

ICS security managers must support their teams to lead them to success. This means positioning team members and technologies, at a minimum, in an Active Defense position within the Sliding Scale of Cybersecurity. Active cyber defense for control systems involves trained ICS analysts leveraging technology and ICS-specific knowledge and protocols to monitor, respond to, and learn from threats targeting control networks. In parallel, ICS defenders and risk managers must work with engineering teams to define incident response processes, outcomes, and recovery steps, as safety is prioritized above all else.

ICS security managers must map existing technical ICS security controls to the sliding scale. They can start maturing their OT/ICS cybersecurity program with the Architecture and Passive Defense categories, then move to the Active Defense category by documenting a control system asset inventory as a best practice.

Tactical ICS security team members must ensure that the tools deployed in control system environments are “ICS-aware” – that is, they are specifically designed or adapted to suit ICS for both endpoint and network defense. For example, network IDSs must be capable of deep packet inspection and perform complete ICS protocol packet dissection.

Career Development Opportunity - ICS418

The SANS ICS418: ICS Security Essentials for Managers course includes an ICS attack history walkthrough for new and existing ICS/OT security managers, with a focus on lessons learned to improve ICS risk management and reporting to the board.

Establishing an ICS asset inventory

It is difficult to protect a control environment and keep engineering operations resilient without knowing which engineering assets are in production and which assets are deemed critical. An established ICS asset inventory of OT and engineering assets will improve the ICS security program’s vulnerability management, network security monitoring, and incident response scenarios. The common methodologies to establish and maintain an inventory are physical inspection, configuration analysis, active scanning, and passive network traffic analysis. These methods can refine an existing asset inventory or be used to build and maintain an inventory.

Physical Inspection: This involves physically walking through industrial facilities, documenting the hardware seen in racks and network cabinets, inspecting the software and protocols used, and taking other proactive steps. Physical inspection is time-consuming and expensive if it involves traveling to remote sites. Some potential physical risk exists, so PPE will be required at sites.

Configuration Analysis: A review of configuration settings may require access to many control system and network devices. Switch and firewall configurations can reveal IP and MAC address pairings through Address Resolution Protocol (ARP) tables to indicate devices allowed or denied access to the network. Traffic and port information at a quintuple level could reveal general protocols in use. Collection and interpretation of configuration settings from ICS systems, PLCs, RTUs, and intelligent electronic devices (IEDs) can also be used to generate a holistic inventory of hardware, software, and firmware installed on these devices.


Active Scanning: This is intrusive to ICS operations and an unnatural representation of network communications. However, this method of asset identification is very fast and can provide detailed information about devices, services, etc. It should be tested in a development environment prior to scanning any production environment.

Passive Network Traffic Analysis: Nonintrusive to industrial operations, this analysis can provide an accurate representation of natural control system network communications. It can provide a visual network diagram that can be printed and used for engineering troubleshooting and ICS incident response. Where feasible and for best results, it is beneficial (though not always possible) to capture and analyze network traffic during different modes of operation (startup, normal operations, and emergency modes).

Each asset inventory method poses different risks to operations and takes different times to complete. Tactical ICS defenders and engineering staff must work together to weigh the risk versus time and related returns on investment for each method. Methods can be combined based on the ICS security program maturity and budget. For example, performing physical inspection and augmenting it with passive control system network traffic capture and analysis can be highly effective in a maturing program.

Figure 2: Asset Inventory Method Analysis (time to complete plotted against risk to operations for Physical Inspection, Configuration Analysis, Passive Traffic Analysis, and Active Scanning)

We can see several benefits when combining asset inventory methods. In the above example, physical inspection takes advantage of face-to-face security awareness discussions on-site with engineering, safety, and operational teams. This goes a long way when the teams need to perform ICS incident response in the field but rely on engineering staff to help with forensic data acquisition, log collection and/or engineering network changes during containment, or threat eradication, for example. Passive control system network traffic captures are safer and quicker and can create or verify an existing inventory. They provide network data to analyze when performing threat hunting or threat detection exercises.

A PRACTICAL EXAMPLE TO AN ICS ASSET INVENTORY

The steps below are an example of a practical approach to an ICS asset inventory that combines both physical and passive network traffic capture.

1. Start by reviewing any already-created network diagrams and engineering documentation such as “as-built documents.”
2. Use an encrypted laptop with at least a basic spreadsheet application to start cataloging and storing ICS asset information during a physical site walk through, as seen below in Table 1: Sample Asset Inventory Attributes.
3. Augment physical inspection with passive network packet captures on critical
network segments that host critical ICS assets by using either a SPAN or mirrored
port configuration off a fully managed switch or hardware TAP.
4. Ensure field device configurations are backed up during an incident and securely
stored for later comparison to detect whether an unauthorized change occurred
and reload trusted configurations and project files (controller logic), if needed.
5. At a minimum, record attributes from the commonly targeted critical assets such
as data historians, HMIs, PLCs, RTUs, engineering workstations, core network
devices, and active safety instrumented systems.

Table 1: Sample Asset Inventory Attributes

Sample Asset Inventory Attributes


Site location
Facility type
Asset type and ID tag
Asset location room, cabinet, rack
Description of asset function for operations
Impact to operations if assets are unavailable
IP and MAC address
Network protocols used
Model, manufacturer, serial number
Firmware version for controllers and related modules, chassis information
Applications installed on critical assets with versions
Assets deemed critical – data historians, HMIs, primary controllers, control system
network switches
Project files and configuration (last change date, secure storage location, etc.)
Dependencies – systems, networks, other assets, etc.
Primary and secondary contact for asset


Native tools, discovery protocols, and several packet filters on passively collected traffic captures can be used to safely discover host information and engineering system commands to understand normal control operations.

For example, Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 discovery protocol and can be used to identify network assets and their capabilities. Identify LLDP compatible systems, their names, and network capabilities:

tshark -Y lldp -T fields -e lldp.tlv.system.name -e lldp.tlv.system.desc -e lldp.tlv.system_cap -r <ICS-Network_file.pcap> | sort | uniq

The arp command, available in common operating systems, reveals the ARP cache, which shows IP and MAC address pairings. You can find asset IP and MAC addresses from ARP tables:

Linux: arp -an
Windows: arp /a
Switches/Firewalls: show arp

Device network status can reveal connections and their related IP addresses on an asset:

Linux: netstat -an
Windows: netstat /an
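Added example (not code from the field manual): the Python script below parses the text that the arp command prints on Linux (arp -an) and on Windows into IP and MAC pairs, then reconciles them against a small inventory holding a subset of the Table 1 attributes, reporting which addresses are known, which inventoried IPs now answer with a different MAC, and which hosts are not in the inventory at all. All device tags, addresses, and inventory rows are constructed for the demonstration.

```python
"""Reconcile ARP cache output with an ICS asset inventory.

Added example, not code from the field manual. Parses the text that the
arp command prints on Linux (arp -an) and on Windows, extracts IP/MAC
pairs, and checks them against a small inventory keyed on Table 1
attributes. Every address, device tag and inventory row is constructed.
"""
import re
from dataclasses import dataclass

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEX2 = r"[0-9a-fA-F]{2}"
# Linux "arp -an" line: "? (10.10.1.20) at 00:1d:9c:aa:bb:02 [ether] on eth0"
LINUX_ARP = re.compile(rf"\((?P<ip>{IP})\) at (?P<mac>{HEX2}(?::{HEX2}){{5}})")
# Windows arp line: "  10.10.1.20            00-1d-9c-aa-bb-02     dynamic"
WINDOWS_ARP = re.compile(rf"^\s*(?P<ip>{IP})\s+(?P<mac>{HEX2}(?:-{HEX2}){{5}})\s+\w+")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so both OS formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(output: str) -> dict:
    """Return {ip: mac}; header, incomplete and broadcast entries are skipped."""
    pairs = {}
    for line in output.splitlines():
        match = LINUX_ARP.search(line) or WINDOWS_ARP.match(line)
        if not match:
            continue
        mac = normalize_mac(match.group("mac"))
        if mac != BROADCAST:
            pairs[match.group("ip")] = mac
    return pairs


@dataclass(frozen=True)
class Asset:
    """Subset of the Table 1 attributes needed for address reconciliation."""
    tag: str
    asset_type: str
    ip: str
    mac: str
    critical: bool


# Constructed inventory rows (not real devices).
INVENTORY = (
    Asset("HMI-01", "HMI", "10.10.1.10", "00:1d:9c:aa:bb:01", True),
    Asset("PLC-01", "PLC", "10.10.1.20", "00:1d:9c:aa:bb:02", True),
    Asset("EWS-01", "Engineering workstation", "10.10.1.30", "00:1d:9c:aa:bb:03", True),
)


def reconcile(arp_pairs: dict, inventory=INVENTORY) -> dict:
    """Label each ARP entry 'known', 'mac_changed' (inventoried IP, other MAC) or 'unknown'."""
    by_ip = {asset.ip: asset for asset in inventory}
    findings = {}
    for ip, mac in arp_pairs.items():
        asset = by_ip.get(ip)
        if asset is None:
            findings[ip] = "unknown"
        elif asset.mac != mac:
            findings[ip] = "mac_changed"
        else:
            findings[ip] = "known"
    return findings


# Constructed Linux output: two inventoried pairs, one unlisted host, one incomplete entry.
LINUX_SAMPLE = """\
? (10.10.1.10) at 00:1d:9c:aa:bb:01 [ether] on eth0
? (10.10.1.20) at 00:1d:9c:aa:bb:02 [ether] on eth0
? (10.10.1.99) at 3c:5a:b4:00:11:22 [ether] on eth0
? (10.10.1.200) at <incomplete> on eth0
"""

# Constructed Windows output: the PLC-01 address now answers with a different MAC.
WINDOWS_SAMPLE = """\
Interface: 10.10.1.5 --- 0x4
  Internet Address      Physical Address      Type
  10.10.1.10            00-1d-9c-aa-bb-01     dynamic
  10.10.1.20            00-1d-9c-aa-bb-ff     dynamic
  10.10.1.255           ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        print(name, reconcile(parse_arp(sample)))
```

An "unknown" host is a candidate for a physical walk-down or a passive capture review; a "mac_changed" entry on a critical asset is worth a closer look because it can mean a hardware swap that was never recorded, or a device answering for an address it should not own.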


Career Development Opportunity - ICS515


The SANS ICS515: ICS Visibility, Detection, and Response course provides students with an
industrial-grade lab kit, walks them through its operation, and explores attack vectors and
defenses of power generation, transmission, and distribution systems. Students keep the kit
for further learning after the course is finished. The course material applies to all ICS critical
infrastructure sectors.

MAINTAINING AN ICS ASSET INVENTORY

To maintain a long-term inventory, best practice is that it be in an established digital, searchable, scalable, and secure database. Having a formal inventory in such a database, combined with sector-specific threat intelligence, provides a quick view of the risk surface of vulnerable or targeted assets. It also helps with engineering device lifecycle management, that is, system restarts and recovery procedures that can incorporate identifying system dependencies for streamlined restoration.

The asset inventory is incredibly valuable to engineering asset owners and a target of adversaries. The ICS asset inventory can be safeguarded by storing it in a digital database that is secure, searchable, and scalable.

Secure: Use standard data protection and security practices, including authentication and network segmentation, to protect this sensitive data.

Searchable: Index all fields to enable quick searching across inventories for all sites.

Scalable: Ensure that site inventories can be updated or expanded and backed up regularly.

It is important to securely store field device configuration and production logic (project files) for engineering recovery purposes. In addition, these files should be hashed for easy comparison to detect changes in production and known trusted backup files. The files can be used for the restoration of engineering systems to a trusted restore point in recovery actions.

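Added example (not code from the field manual): the Python script below implements the hashing recommendation above. It builds a SHA-256 manifest of a trusted backup directory of project files, builds a second manifest from a freshly exported copy, and reports which files changed, appeared, or disappeared. The directory layout, file names, and file contents are constructed for the demonstration; they are placeholders, not real controller projects.

```python
"""Hash-based change detection for backed-up controller project files.

Added example, not code from the field manual. Builds a SHA-256 manifest
of a trusted backup and compares it with a freshly exported copy, as the
text recommends for detecting unauthorized changes. All paths and file
contents are constructed placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (with '/' separators) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_manifests(trusted: dict, current: dict) -> dict:
    """Which files changed, appeared, or disappeared relative to the trusted backup."""
    return {
        "changed": sorted(f for f in trusted if f in current and trusted[f] != current[f]),
        "added": sorted(f for f in current if f not in trusted),
        "removed": sorted(f for f in trusted if f not in current),
    }


def write_files(root: Path, files: dict) -> None:
    """Create the constructed directory tree for the demonstration."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: one logic file modified, one new file exported, one missing."""
    trusted_files = {
        "PLC-01/main_logic.bin": b"constructed logic export v1\n",
        "PLC-01/config.xml": b"<cfg ip='10.10.1.20' fw='placeholder'/>\n",
        "RTU-07/points.csv": b"tag,address\nbreaker_a,40001\n",
    }
    current_files = dict(trusted_files)
    current_files["PLC-01/main_logic.bin"] = b"constructed logic export v1\nextra rung\n"
    current_files["PLC-01/extra_logic.bin"] = b"constructed logic not in backup\n"
    del current_files["RTU-07/points.csv"]
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as export:
        write_files(Path(backup), trusted_files)
        write_files(Path(export), current_files)
        return compare_manifests(build_manifest(Path(backup)), build_manifest(Path(export)))


if __name__ == "__main__":
    print(demo())
```

In practice the trusted manifest is written once, when the backup is taken, and stored with the same protections as the inventory itself; an empty result from compare_manifests is the evidence that the exported project matches the trusted restore point.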


Industrial control network protocols

ICS security defenders must know and understand the protocols and engineering commands in use at their networks, how they are used, and which ones are used under different facility operating conditions. This requires obtaining and protecting network traffic flow to and from critical devices such as but not limited to, PLCs, HMIs, Open Platform Communications (OPC) servers, data historians, RTUs, and SISs.

Several tools can be used to obtain and analyze commands on the network in the various ICS protocols. To start, a budget-constrained facility can use common tools such as tshark or Wireshark until such time when a more scalable solution can be deployed.

There are many industrial protocols. The following are several tshark and Wireshark filters to concentrate on when analyzing commands in industrial networks to help with engineering troubleshooting as well as security initiatives across multiple ICS sectors.

ModbusTCP
Port: TCP 502
tshark/Wireshark filter “mbtcp”
Application: The TCP version of the serial protocol Modbus is an open industrial protocol standard, the de facto standard, commonly used to communicate with IP-connected field devices to and from HMIs and IEDs across several industrial sectors, including the electricity sector and many others.

Career Development Opportunity - ICS456

The SANS ICS456: Essentials for NERC Critical Infrastructure Protection course addresses the role of the Federal Energy Regulatory Commission (FERC), NERC, and regional entities, provides multiple approaches for identifying and categorizing bulk electric system (BES) Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations.


Building Automation Controls (BACnet)
Port: UDP 47808
tshark/Wireshark filter “bacnet”
Application: The BACnet protocol enables communications for building automation and controls for heating ventilation air conditioning systems.

Open Platform Communications (OPC)
Port: <several>, sometimes TCP 135, DCE/RPC ports
tshark/Wireshark filter “opcua” or “dcerpc”
Application: OPC can be implemented in several ways, so the ports used must be determined per implementation. Observing Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic can help identify if OPC is in use. OPC is used to enable communications from different vendor devices in a vendor-neutral way.

EtherNetIP/CIP
Port: UDP 2222, TCP 44818
tshark/Wireshark filter “enip”
Application: EtherNetIP/CIP is commonly observed in manufacturing facilities on both UDP and TCP. UDP is used for I/O data transfers, while TCP is used for set points to be set or read.

Distributed Network Protocol Version 3 (DNP3)
Port: TCP 20000
tshark/Wireshark filter “dnp3”
Application: Distributed Network Protocol 3 (DNP3) is commonly seen in water and electricity sectors and occasionally in gas pipeline operations. It is used for communications between control centers and field devices such as RTUs or IEDs.

IEC 60870-5-104
Port: TCP 2404, 2405
tshark/Wireshark filter “iec60870_104”
Application: The IEC 60870-5-104 protocol is commonly used in the electricity sector to monitor power systems. It can restart devices and modify set points in the field, such as directly interacting with RTUs.

IEC 61850
Port: 102
tshark/Wireshark filter “goose”
Application: IEC 61850 is a communications protocol commonly used for communications with IEDs at electricity substations.

Career Development Opportunity - ICS515

The SANS ICS515: ICS Visibility, Detection, and Response course leverages native protocols in control networks to help safely identify assets, perform threat detection, and understand threats that may be “living off the land.”



Defining network security monitoring for ICS

NSM is a human-driven, proactive, and repeatable process of collection, detection, and analysis. While not specific to ICS, NSM excels in control system networks because the environment is usually more static and has far fewer users than in traditional information technology environments. ICS NSM is most effective with an established ICS asset inventory and deep knowledge of ICS protocols for proactive threat detection methods that drive industrial incident response to reduce impacts to operations and the safety of people, the environment, and physical engineering devices.

Figure 3: ICS Network Security Monitoring Process (a cycle of Collection, Detection, and Analysis)

ICS NETWORK SECURITY MONITORING – COLLECTION

A properly segmented ICS network following the SCADA reference architecture from the SANS ICS410 course has enforcement boundaries that naturally create chokepoints for network traffic collection.² A properly segmented ICS network also provides control points for containment in industrial incident response. ICS NSM collection should be conducted at levels 0-3 of the Purdue Model for ICS Security at a minimum for full packet captures. This includes the communications to and from the HMIs, PLCs, RTUs, and other intelligent electronic devices. Common network collection points could be on the edge of internal zone industrial firewalls or on core control network switches. Fully managed network switches can be used to passively collect data via SPAN configuration. Alternatively, a dedicated hardware TAP device may also be used for network traffic collection. The two main types of TAP devices for network-based collections are described on the next page.

2 Information on SANS ICS410 is available at www.sans.org/cyber-security-courses/ics-scada-cyber-security-essentials/


5-Tuple Capture: This consists of five attributes in a TCP/IP network connection:

1. Source IP address
2. Destination IP address
3. Source port
4. Destination port
5. Protocol observed

Full-Packet Capture: This includes the 5-tuple data as well as the full-packet payload of network communications. For example, the query and response data used in ModbusTCP has the industrial commands, function codes, and other artifacts available for security defenders and engineering staff to analyze using this approach. Even files transferred across a network will be present in the packet stream. Full-packet capture can consume significantly more storage space than just capturing 5-tuple data, but it has far more value. Full-packet capture can drive proactive threat detection, inform ICS incident response processes and threat analysis, and assist with networking and engineering troubleshooting.

ICS ASPECT – COLLECTION

Collect the 5-tuple data at a minimum at north/south firewalls at the perimeter of the ICS network(s) to help identify malicious remote connections, network pivoting from IT network into the ICS networks through trusted connections, and adversary command and control (C2) connections.

Collect full-packet captures inside the control network from the ICS DMZ down to Level 1 or 0 of the Purdue model as east/west traffic to ensure industrial protocol commands and data streams are captured for analysis, baselining, and threat detection. Beyond security events, ICS NSM, also known as ICS network visibility, can uncover general networking and engineering system misconfigurations or errors which improve overall industrial network efficiency, safety, and resilience.

ICS NETWORK SECURITY MONITORING – DETECTION

Network detection is about discovering potentially malicious and/or abnormal activity. These activities include unusual inbound or outbound connections, network events linked to known indicators of compromise (such as IP addresses), and other network anomalies observed through the NSM collection phase that do not align with what is expected on the network from an engineering perspective.


To start network detection in ICS on a limited budget, facilities can leverage sector-
specific ICS threat intelligence using freely available tools such as tcpreplay, Snort,
Zeek, and Suricata with built-in or added ICS rulesets/dissectors. Known IP addresses
associated with attack campaigns can be used in a search across network 5-tuple or
full-packet captures. The pseudo rules and logic detailed below can be expanded or
changed to suit an organization’s control network, tools deployed, and general setup.

ICS ASPECT – DETECTION


An IDS is preferred for threat detection in ICS environments over an IPS. IDS is also preferred to prioritize safety – that is, to reduce false positive detections that could cause legitimate control commands to be blocked if detected by an IPS and that may cause operational and safety disruptions. The NSM Detection phase is primarily about understanding what is “normal” for the industrial operations to be better at spotting “abnormal” activity. For example, with engineering knowledge and through analysis of normal operations, expected function codes, other operations and elements, and anomalous activity can be discovered. Using these tools and filters is a great start when developing an ICS NSM program.

Pseudo rules and logic:

Replay packet captures against a listening network IDS such as Snort to alert to
known threats:

sudo tcpreplay --intf1=<nic_for_snort> --mbps=topspeed <ICS-Network_file.pcap>

Alert on communications to a PLC that do not come from the HMI ($Modbus_HMI and
$Modbus_PLC are variables defined in the Snort configuration; each rule needs a
unique sid before Snort will load it):

alert tcp !$Modbus_HMI any -> $Modbus_PLC any (msg:"TCP comms to PLC which is not the HMI"; sid:1000001; rev:1;)

Alert on possible recon scan or mapping using ModbusTCP on a network that does not
use it:

alert tcp any any -> any 502 (msg:"Scan or usage of ModbusTCP on network without it"; sid:1000002; rev:1;)

Alert on possible TCP connection to known malicious command and control server:

alert tcp any any -> <evil_C2_ip> any (msg:"Connection attempt to known evil C2 IP address"; sid:1000003; rev:1;)
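The same three pseudo rules expressed as flow-level (5-tuple) detection logic, as an added example that is not code from the field manual: it reads tab-separated records of the kind `tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport` produces, and goes slightly beyond the rules with a top-talker count and a check for internal hosts reaching non-RFC1918 addresses. The HMI/PLC inventory, the C2 indicator, and the flow records are constructed sample values.

```python
"""Flow-level (5-tuple) detection for one ICS network segment (added example)."""
import ipaddress
from collections import Counter

MODBUS_TCP_PORT = 502

# Hypothetical asset inventory for the monitored segment (constructed values).
MODBUS_HMI = {"10.10.1.10"}
MODBUS_PLC = {"10.10.2.20", "10.10.2.21"}
# Placeholder indicator standing in for one from sector-specific threat intel.
KNOWN_C2 = {"203.0.113.7"}
# Internal ranges, matching the RFC1918 set used in the tshark filters below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed tshark-style output: src, dst, sport, dport separated by tabs.
SAMPLE_FLOWS = "\n".join([
    "10.10.1.10\t10.10.2.20\t49152\t502",   # HMI polling PLC: expected
    "10.10.1.10\t10.10.2.21\t49153\t502",   # HMI polling second PLC: expected
    "10.10.1.55\t10.10.2.20\t50000\t502",   # unknown station talking Modbus to a PLC
    "10.10.1.55\t10.10.2.21\t50001\t502",   # same station, second PLC
    "10.10.1.55\t203.0.113.7\t50002\t443",  # unknown station to the C2 indicator
    "10.10.1.10\t10.10.1.1\t\t",            # non-TCP packet: empty ports, skipped
])


def parse_flows(text):
    """Turn tshark field lines into (src, dst, sport, dport) tuples; lines without
    TCP ports (UDP, ARP, ...) are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[2] or not parts[3]:
            continue
        src, dst, sport, dport = parts
        flows.append((src, dst, int(sport), int(dport)))
    return flows


def detect(flows, modbus_expected=True):
    """Return (src, dst, message) alerts mirroring the Snort pseudo rules above.
    Pass modbus_expected=False for a segment that should never carry Modbus/TCP."""
    alerts = []
    for src, dst, _sport, dport in flows:
        if src in KNOWN_C2 or dst in KNOWN_C2:
            alerts.append((src, dst, "Connection attempt to known evil C2 IP address"))
        if dst in MODBUS_PLC and src not in MODBUS_HMI:
            alerts.append((src, dst, "TCP comms to PLC which is not the HMI"))
        if dport == MODBUS_TCP_PORT and not modbus_expected:
            alerts.append((src, dst, "Scan or usage of ModbusTCP on network without it"))
    return alerts


def top_talkers(flows, n=3):
    """Count appearances of each address as source or destination; an address
    conversing with many peers should be validated against the asset inventory."""
    counts = Counter()
    for src, dst, _sport, _dport in flows:
        counts[src] += 1
        counts[dst] += 1
    return counts.most_common(n)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_destinations(flows):
    """Internal source -> non-RFC1918 destination pairs, unusual in a control
    network and worth investigating."""
    pairs = {(src, dst) for src, dst, _s, _d in flows
             if is_internal(src) and not is_internal(dst)}
    return sorted(pairs)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in detect(flows):
        print("ALERT", *alert)
    print("top talkers:", top_talkers(flows))
    print("external:", external_destinations(flows))
```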


ICS NETWORK SECURITY MONITORING – ANALYSIS

A triggered detection rule, such as a match on a malicious IP address from an
ongoing attack campaign, will lead to the NSM Analysis phase. It is important to
know which assets on the network are critical for safety and operations. This makes
it easier to identify anomalous network connections around critical assets to
determine when ICS incident response should be performed. The tshark or Wireshark
filters discussed below can be expanded or changed to suit the hunt for malicious
network activity.

ICS ASPECT – ANALYSIS

ICS environments have far less connectivity to the Internet and use far fewer
encrypted communications than traditional IT environments. ICS attacks can abuse
legitimate engineering software and native industrial control protocols.

Information, assets, protocols, files, and commands from the control network can be
discovered and analyzed by the following tools and filters.

Wireshark:
Wireshark > Statistics > Endpoints

Provides statistics about logical addresses on the network, including the asset IP
and MAC addresses. Displays number of packets, total bytes, bytes received and
transmitted, and attempts to perform DNS name resolution, which can help with asset
identification. Each IP address and associated ports should be recorded and
analyzed to identify all active assets for legitimate operation.

Wireshark:
Wireshark > Statistics > Conversations

Provides statistics about conversations in the traffic between devices, displayed
as IP addresses. Information such as the start, stop, and duration of the
conversations is notable. The devices communicating, protocols in use, and their
communication pattern should be noted. A single device having conversations with
multiple devices could indicate an HMI.

Wireshark:
Wireshark > Statistics > Protocol Hierarchy

Provides statistics about observed protocols on the network. Protocols are
displayed in a tree layout with bar graphs indicating the percent of the protocol
seen in an overall capture. The list should be recorded to determine which
protocols are needed and expected for operations. Legitimate protocols could be
abused in attack scenarios, so it is important to record and analyze protocol
patterns and sources, and to investigate and validate devices sending commands to
field devices.



Wireshark:
Wireshark > Export Objects > <type> > Save

Can be used to extract files from a packet capture. File hashes can be obtained
then searched against threat intelligence or malware databases. Or files can be
executed in an isolated malware analysis sandbox to determine threat behaviors to
develop defensive countermeasures.

Career Development Opportunity - ICS515

The SANS ICS515: ICS Visibility, Detection, and Response course walks through each
phase of the Active Cyber Defense Cycle with in-depth hands-on technical labs to
conduct threat detection in control systems.

General network statistics about logical addresses on the network:

tshark -qz ip_hosts,tree -r <ICS-Network_file.pcap>

Asset names from NetBIOS communications:

tshark -Y nbns -T fields -e nbns.name -r <ICS-Network_file.pcap> | sort | uniq

Asset names from DNS that could be assets performing Internet checks:

tshark -Y 'dns.flags.response eq 0' -T fields -e ip.src -e dns.qry.name -r <ICS-Network_file.pcap> | sort | uniq

Traffic going to external addresses by internal source IP to external IP:

tshark -Y 'not ip.dst in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}' -T fields -e ip.src -e ip.dst -r <ICS-Network_file.pcap> | sort | uniq

Encrypted communications, less common in ICS, which could be covert channels (the
ssl filter was renamed tls in Wireshark 3.0; ssl is still accepted as an alias):

tshark -Y ssl -T fields -e ip.src -e ip.dst -e tcp.port -e _ws.col.Info -r <ICS-Network_file.pcap> | sort | uniq

Protocols in use on the control network:

tshark -T fields -e frame.protocols -r <ICS-Network_file.pcap> | sort | uniq | cut -d : -f 2-20

IP addresses of devices having ModbusTCP conversations:

tshark -Y mbtcp -T fields -e ip.dst -e ip.src -r <ICS-Network_file.pcap> | sort | uniq

All ModbusTCP function codes in use on the control network:

tshark -Y mbtcp -T fields -e _ws.col.Info -r <ICS-Network_file.pcap> | sort | uniq | cut -d ':' -f 5,6 | sort | uniq

All DNP3 function codes in use and IP addresses using them:

tshark -n -Y dnp3 -T fields -e ip.src -e ip.dst -e dnp3.al.func -e _ws.col.Info -r <ICS-Network_file.pcap> | sort | uniq

IP addresses of devices using BACnet and BACnet control commands:

tshark -Y bacnet -T fields -e ip.src -e ip.dst -e bacnet.control -e _ws.col.Info -r <ICS-Network_file.pcap> | sort | uniq

Possible HTTP downloads, including filename and uniform resource identifier (URI):

tshark -n -Y http.request -T fields -e http.request.method -e http.host -e http.request.uri -r <ICS-Network_file.pcap> | sort | uniq

Export data for analysis – HTTP downloads, including filename and URI:

tshark -r <ICS-Network_file.pcap> --export-objects http,<OutputDir>

Export data for analysis – SMB file transfers, including filename and file data:

tshark -r <ICS-Network_file.pcap> --export-objects smb,<OutputDir>

Files transferred via server message block (SMB) with remote hostname, account
name, file(s) accessed (frame 189 is the packet of interest in this example; use
-Y smb2 instead to list every SMB2 frame):

tshark -n -Y 'frame.number == 189' -T fields -e smb2.filename -e smb2.tree -e smb2.acct -e smb2.host -r <ICS-Network_file.pcap>

ICS security defenders must know what is normal in the ICS environment, which
network protocols are expected in different control system states, and what
commands inside ICS protocols can read and change physical outputs in the
field.
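To make the read-versus-write distinction concrete, here is an added example (not code from the field manual) that decodes the MBAP header and function code of Modbus/TCP requests, the same data the mbtcp filters above expose, records the (source, destination, function) baseline, and flags write commands, which change coils and registers in the field, that come from anything other than the expected HMI. The frames, addresses, and writer inventory are constructed samples.

```python
"""Attribute Modbus/TCP read and write requests to their sources (added example)."""
import struct

# Public Modbus function codes that read state versus those that change it.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical inventory: the only station expected to issue write commands.
EXPECTED_WRITERS = {"10.10.1.10"}


def parse_request(frame):
    """Split a Modbus/TCP request into (transaction id, unit id, function, data).
    Raises ValueError for anything that is not a well-formed Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:  # MBAP protocol identifier is always 0 for Modbus
        raise ValueError("MBAP protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match %d bytes present"
                         % (length, len(frame) - 6))
    return trans_id, unit_id, frame[7], frame[8:]


def write_target(func, data):
    """Starting address and number of items a write request touches."""
    start = struct.unpack(">H", data[:2])[0]
    count = struct.unpack(">H", data[2:4])[0] if func in (15, 16) else 1
    return start, count


def audit(requests):
    """requests: iterable of (src_ip, dst_ip, frame bytes) from port 502 traffic.
    Returns (baseline, findings): baseline counts each (src, dst, func) so the
    expected command pattern can be recorded; findings lists writes from
    unexpected sources and malformed frames."""
    baseline = {}
    findings = []
    for src, dst, frame in requests:
        try:
            _trans, unit, func, data = parse_request(frame)
        except ValueError as exc:
            findings.append((src, dst, "malformed Modbus/TCP frame: %s" % exc))
            continue
        key = (src, dst, func)
        baseline[key] = baseline.get(key, 0) + 1
        if func in WRITE_FUNCS and src not in EXPECTED_WRITERS:
            start, count = write_target(func, data)
            findings.append((src, dst, "%s (func %d) to unit %d, address %d x%d from non-HMI source"
                             % (WRITE_FUNCS[func], func, unit, start, count)))
    return baseline, findings


# Constructed sample traffic: each hex string is MBAP header + PDU.
SAMPLE_REQUESTS = [
    # HMI reads 10 holding registers from address 0: expected polling
    ("10.10.1.10", "10.10.2.20", bytes.fromhex("00010000000601030000000A")),
    # HMI switches coil 19 on: expected operator action
    ("10.10.1.10", "10.10.2.20", bytes.fromhex("00020000000601050013FF00")),
    # unknown station writes two holding registers at address 1: must be validated
    ("10.10.1.55", "10.10.2.20", bytes.fromhex("00030000000B01100001000204000A0102")),
    # not Modbus: MBAP protocol id 1 on port 502
    ("10.10.1.99", "10.10.2.20", bytes.fromhex("00040001000601030000000A")),
]


if __name__ == "__main__":
    baseline, findings = audit(SAMPLE_REQUESTS)
    for (src, dst, func), n in sorted(baseline.items()):
        kind = READ_FUNCS.get(func) or WRITE_FUNCS.get(func) or "func %d" % func
        print("%s -> %s  %-24s x%d" % (src, dst, kind, n))
    for finding in findings:
        print("FINDING", *finding)
```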



Setup of ICS network
security monitoring

Two main approaches can be used to ensure NSM collection is established, as follows:

1. Network hardware TAPs
2. Network SPAN configuration

Each approach has pros and cons which should be considered by ICS security and
engineering teams before deployment.

Network TAP: This is a purpose-built hardware device installed in-line in a network
that copies all network traffic. Its installation requires a network outage and
should always be configured to allow traffic to flow through the device in the
event of a failure, otherwise it could impede legitimate control network
communication. TAP installations in industrial control environments are usually
added as a task as part of an engineering maintenance window when operations are
scheduled to be down. Figure 4 shows an example TAP configuration.

Figure 4: TAP Configuration Example


Network SPAN: Also known as port mirroring, a SPAN configuration may be available on
already-deployed fully managed switches in more modern control networks. No network
outage is required to implement a SPAN configuration. SPAN configurations can also
be phased in based on existing network segments and Virtual LAN configurations to
reduce risk during implementation – that is, to ensure that switch CPU and memory
can handle the SPAN configuration and traffic load as it copies inbound and
outbound packets to its configured mirror port. Figure 5 shows an example SPAN
configuration.

Figure 5: SPAN Configuration Example

TAP vs. SPAN: The decision on which method is best to use for NSM collection in ICS
may depend on budget, engineering maintenance schedules, existing technology, and
existing and upgradable network architecture. The pros and cons of a hardware TAP and
SPAN configuration are illustrated in the table on the next page.

Career Development Opportunity - ICS515

The SANS ICS515: ICS Visibility, Detection, and Response course walks through each phase of
the Active Cyber Defense Cycle with in-depth hands-on technical labs to perform ICS network
monitoring and prepare for incident response.


Table 2: TAP and SPAN Pros and Cons

NSM Collection Method: TAP Hardware
  Pros: Capture also includes network errors – malformed packets, etc.
        Dedicated hardware – a TAP is more challenging to compromise than a switch
        SPAN configuration.
  Cons: ICS network outage required.
        Additional hardware required.

NSM Collection Method: SPAN Configuration
  Pros: Deploys on existing fully managed switches using a phased-in approach.
        No ICS network outage required.
  Cons: May miss or drop mirrored packets if the switch is overloaded.
        May not capture network error communications.

SPAN Configuration Example: Commands differ across switch manufacturers. The example
below shows pseudo commands for setting up a SPAN configuration on a fully managed
switch to create a local SPAN session 1 to monitor bi-directional traffic from port 1
to port 2, and to verify that the change is applied. The mirror port is port 2, where
bi-directional traffic is copied, thus creating the network collection needed to
perform effective detection. To be most effective, data should first be collected
from critical segments that see control system traffic and engineering commands
around critical assets. Once a threat is found, it will lead to ICS incident response.

# monitor session 1 source interface gigabitethernet1/1 both
# monitor session 1 destination interface gigabitethernet1/2
# show monitor all

ICS network security
monitoring in practice

ICS Network Security Monitoring Collection Platform

ICS NSM collection should first be implemented in phases around the most critical
and vulnerable ICS/OT assets in the most important IP-connected engineering
networks. Collection should be scaled one network segment at a time. Collected data
should be sifted for indicators of compromise starting with IP addresses.
Sector-specific threat intel can be used to drive searches across an established
inventory database to identify vulnerabilities in targeted assets that could be
flagged for proactive defense changes.

Control network traffic can be collected by purpose-built ICS NSM technology.
Alternatively, the no-cost Linux Security Onion distribution on a laptop with
external storage and built-in tools such as tcpdump or Wireshark can be used to
start ICS NSM collection with a network card in promiscuous mode. For detection and
analysis, Wireshark, which has several built-in packet dissectors for common
industrial protocols, is extremely helpful in determining the assets, protocols in
use, and communication patterns in an industrial environment.

Career Development Opportunity - ICS515

SANS ICS515: ICS Visibility, Detection, and Response is a technical course for ICS
incident response team leaders, ICS/OT and engineering staff, IT security
professionals, and Security Operations Center leaders and analysts. Students execute
every step of the active cyber defense cycle and complete the course with an
ICS-specific challenge on the final day.


Passive ICS Network Traffic Capture Window

Passive control network capture times could be as short as several hours for
point-in-time assessments or threat hunts. This depends on the collection objective,
storage, size of the control environment, and current engineering operating states.
Point-in-time assessment for full-packet captures is commonly between 1 and 24 hours.

Control System Network Capture Considerations

The control system could be in several operational states, which can affect network
collection output. If the system is in a safe-shutdown, maintenance, or emergency
procedure, devices that do not normally communicate will be visible, and the more
active devices may be invisible. The most effective captures will occur during the
industrial process start-up and normal operations.

The NSM collection, detection, and analysis phases should be started and
repeated while the above methods are applied across the three phases to prioritize
the safety and reliability of ICS operations. Deeper engineering knowledge is
required for more specific ICS protection. High confidence indicator of compromise
matches and the discovery of anomalous network patterns will call industrial
incident response steps into action.

STAGE 1: ICS THREAT DETECTION CONCEPTS FOR 5-TUPLE

- Unusual spikes in traffic
- Top talker IP addresses
- Devices talking that should not be
- Matches on known malicious IPs

Figure 6: Stage 1 - ICS Threat Detection Concepts for 5-Tuple


STAGE 2: ICS THREAT DETECTION CONCEPTS FOR FULL-CAPTURE PACKET ANALYSIS

- Are there files moving across the network?
- Signs of unexpected encryption
- Newly registered devices on the network

Figure 7: Stage 2 - ICS Threat Detection Concepts for Full-Capture Packet Analysis

STAGE 3: ICS THREAT DETECTION BASED ON ICS BEHAVIOR

- Abnormal ICS protocols or command patterns
- Unexpected remote access to HMI
- Connection attempts to Internet addresses

Figure 8: Stage 3 - ICS Threat Detection Based on ICS Behavior



Compatible tools for ICS
network security monitoring

Many low-cost or no-cost open-source tools are available to help organizations start
their ICS security program journey and to mature and deploy ICS NSM capabilities.
Specific ICS-trained defenders can leverage several tools that have built-in or
ICS-specific features or plugins – a good place to start when there is a limited
budget.

Security Onion: Open-source Linux platform designed for intrusion detection, network
security monitoring, and event log management and analysis, with many supporting
tools built in.

Snort: IDS with many ICS-specific preprocessors built in to help detect ICS
vulnerabilities and attack traffic in control networks. Newly created ICS plugins
are often available.

Tcpreplay: Command line network tool to play packet capture files (pcap) against a
network interface card. Used in conjunction with Snort, or similar IDS systems, to
sift through network communications for known malicious activity and test custom
ICS network threat signatures.

Wireshark: Graphical user interface packet analysis tool with built-in dissectors
for many common industrial protocols. Also has capabilities to extract file objects
from packet captures.


Tshark: Command line packet analysis tool supporting Wireshark filters with many of
the same capabilities but can be scripted or used in conjunction with other command
line tools such as sort, uniq, awk, sed, grep, strings, etc.

GRASSMARLIN: An open-source network mapping tool created by the National Security
Agency’s Information Assurance Directorate specifically for ICS network packet
captures. Outputs information about devices, control network communications, and
data extracted on the industrial protocols in use. GRASSMARLIN can also output a
primitive network diagram from a live network collection from a TAP or from offline
traffic captured from a SPAN configuration into pcap files.

NetworkMiner: A protocol-aware network tool. A no-cost version is available that can
extract objects from packet captures such as credentials and several file types.

Zeek: A powerful open-source IDS and NSM scripting framework for Linux. It has some
ICS capabilities built in and can be expanded further with additional ICS plugins
from the community. Zeek also has features such as network flow analysis and others.



The active cyber
defense cycle

The repeatable active cyber defense cycle guides a team through proactive monitoring
as a best practice in today’s ICS threat landscape. The cycle has five phases, as
shown in Figure 9.

Figure 9: The Active Cyber Defense Cycle
https://www.sans.org/white-papers/36240/

1. Threat Intelligence Consumption: Cyber threat intel is refined information with
context on cyber threats and threat groups that defenders can leverage to detect,
scope, or prevent the same or similar attacks previously observed.

2. Visibility: Increasing visibility can enhance technical and situational awareness
of control system traffic and security. This means having a formal asset inventory
and at least a passive view of the ICS network, and using technology that can
dissect and properly interpret specific industrial protocols in network traffic
streams.

3. Threat Detection: Detecting threats requires the capability to leverage
technology that sifts through data for malicious signs of attack attempts or
intruder entry.

4. Incident Response: Successful incident response requires being prepared to
execute quick triage and adapt incident response steps specific to control systems
while maintaining safety.

5. Threat and Environment Manipulation: To make the environment less habitable for
threat actors, defenders need to know how to change the threat during the attack or
change the control system. A threat is defined as a malware capability introduced
by a threat actor or as human threat actors using legitimate operational software
or protocols with malicious intent to cause negative impacts.

Career Development Opportunity - ICS515

The SANS ICS515: ICS Visibility, Detection, and Response course and the related GIAC
Response and Industrial Defense (GRID) certification are a must-have for ICS/SCADA/OT
and IT professionals who want to demonstrate their knowledge of active cyber defense
strategies specific to industrial control system networks and environments. It is
common for professionals working or looking to work or consult in these areas to
earn their GRID certification.

NSM excels in control system environments due to the more static nature of ICS
networks compared with IT enterprise networks. The active cyber defense cycle makes
clear the benefits of ICS NSM in today’s threat landscape. It leverages ICS NSM by
increasing knowledge of the control system, collecting data, analyzing data for
threats, and executing ICS-specific incident response. However, the active cyber
defense cycle and ICS NSM – what can be called the “network visibility” of control
environments – are not only about security. They also directly support engineering
tasks such as communication, command, and integration troubleshooting, all of which
support safety for facilities and their workers.

ICS NSM is especially important in the case of adversaries living off the land,
where it is unlikely that antivirus agents, even allowing for allow-listing features
designed specifically for ICS, would detect the abuse of legitimate control system
functions, including the abuse of legitimate ICS/OT network protocols and
engineering software.

Career Development Opportunity - ICS418

The SANS ICS418: ICS Security Essentials for Managers course empowers new and
established ICS security managers from all areas to understand the differences
between IT and ICS/OT, prioritize safety, build and maintain strong relationships,
build teams, and effectively manage ICS/OT cyber risk.



Epilogue to volume 2

Adversaries continue to evolve their attack tradecraft using traditional IT malware
and extending the attack range with knowledge of how to abuse ICS systems. This
“living off the land” attack approach has them abusing native commands and
software. In their wake, adversaries leave serious financial, brand, and operational
impacts, with potential catastrophic consequences for operating environments, the
safety of people, cities, regions, and countries who run and rely on them.

ICS security managers looking to improve ICS risk management and the resilience of
their ICS security program must first establish an official asset inventory with the
methodologies described in this manual. They must then leverage and mature the
program to an active defense position. The objective is to ensure that security
controls are in place specifically for industrial control systems, with ICS network
and engineering device visibility. Security team members must possess the ICS
knowledge required for rapid ICS incident triage and the recovery of engineering
devices to trusted restore points.

Career Development Opportunity - ICS418

The SANS ICS418: ICS Security Essentials for Managers two-day course prepares new
and experienced managers and leaders responsible for ICS/OT security. Students
complete many in-class leadership drills and real-world management-level ICS
security scenarios in an online leadership simulation game across both days.


ICS security defenders looking to improve tactical ICS security must obtain and
continue to grow their knowledge of cybersecurity and engineering operations
(including protocols and commands) while prioritizing safety and administering
modern security tools specifically designed or tuned for ICS environments. A main
focus should be on performing the repeatable steps of the active cyber defense cycle
while leveraging ICS network visibility, packet captures and analysis, and hunting
for threats proactively in the network.

ICS facilities owners and operators will do well to consider these top takeaways to
kick-start or mature their ICS cybersecurity program:

- Continue to prioritize safety as #1
- Embrace ICS and IT security differences
- Establish a secure and searchable ICS asset inventory
- Enable ICS network security monitoring
- Deploy the Active Cyber Defense Cycle for technical teams
- Align priorities against the Sliding Scale of Cyber Security



ICS cybersecurity
field manual

Volume 3

Introduction to volume 3

ICS ATTACKS, CONSEQUENCES, AND RESPONSE

ICS/OT facilities are seeing novel attack methods leading to incidents not commonly
seen in enterprise IT networks. Traditional enterprise IT cyber attacks often focus
on internal IT systems and can include compromise of digital information (including
data deletion), business system configuration changes, business system downtime,
information leakage, or data breaches. Compromises of ICSs are far different. ICS
attacks can affect the safety of people and the environment. ICS incidents can cause
physical changes which lead to catastrophic consequences. Consider, for example, the
potential consequences of a compromised SIS PLC resulting in a failure to monitor
and safely shut down an over-pressurized gas pipeline.

The ICS/OT security environment requires different technical and security
management skills and technologies outside of traditional IT enterprise risk
management and incident response. The mission and risk surfaces alone set ICS/OT
incident response and risk management apart from traditional IT security.

This is why ICS-specific incident response processes and plans must be multi-team
initiatives, created, exercised, and maintained by ICS-specific cyber skilled
defenders. Patching and vulnerability management must also be adapted for ICS
management.



Risk-based ICS
vulnerability management

Many identified ICS vulnerabilities, if exploited, provide adversaries with
capabilities similar to features inherent in control systems. ICS attacks have been
observed where adversaries are “living off the land,” i.e., abusing systems and
industry protocols native in ICS environments to turn the control system against
itself.

Living off the land was first observed in 2014 with the HAVEX¹ malware attack and
more recently with the tailored CRASHOVERRIDE² ICS-specific framework targeting
electric power grids. It is becoming a very common attack trait and will likely be
well into the future.

In the 2021 Oldsmar water treatment facility cyber attack, no software or
engineering equipment vulnerabilities were exploited. Rather, the attacker gained
unauthorized access directly to the HMI from the Internet. The legitimate HMI
application that runs the water treatment facility was used to manipulate water
treatment operations that could have led to severe consequences. Using the HMI, the
attacker increased the level of sodium hydroxide. That is the main ingredient in
drain cleaner, which was changed from 100 parts per million to 11,100 parts per
million. Very dangerous levels that would have been toxic for residents if it
reached their homes. Human engineering operations staff noticed the incident and
restored the processes to normal operations without incident.

1 https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A
2 https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf


The Oldsmar event draws attention to the importance of vulnerability management and
protecting ICSs, starting with their external services and Internet facing access.
Common Open-Source Intelligence (OSINT) ICS exercises could be used to uncover
vulnerabilities from the view of an Internet-based attack.³

Living off the land attacks have evolved even further in 2022 with the discovery of
the PIPEDREAM malware. “PIPEDREAM is a collection of utilities that includes tools
for reconnaissance, manipulation, and disruption of PLCs, as well as tools for
intrusion operations against Windows devices. At the highest level, the PLC-related
components of PIPEDREAM provide the adversary with an interface for manipulating
the targeted devices. Tools in PIPEDREAM can scan for new devices, brute force
passwords and sever connections, and crash the target device.”⁴

Due to the number of legacy devices and software in ICSs, ICS patching is
important, especially as the number of legacy devices and software grows. Yet, there
is more to patching in ICSs than gathering and pushing packages. The best return on
investment is a risk-based approach, considering the ICS risk surface compared to
the IT risk surface.

Career Development Opportunity - ICS456

SANS ICS456: Essentials for NERC Critical Infrastructure Protection course empowers
students with knowledge of the what and how of the version 5/6/7 standards. The
course addresses the role of the FERC, NERC, and Regional Entities, provides
multiple approaches for identifying and categorizing BES Cyber Systems, and helps
asset owners determine the requirements applicable to specific implementations.

3 https://www.sans.org/blog/sans-ics-site-visit-plan/
4 https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf
ICS patch prioritization:
when and how

Patching prioritization in ICSs is different than in IT environments given the
different risk surfaces and attack vectors unique to control system environments.
Changes to an ICS’s hardware, software, and configurations include but are not
limited to device firmware updates, embedded hardware upgrades or replacements,
setpoint changes, instrumentation calibrations, controller logic changes, and of
course patching. However, patching is not solely about mitigating cybersecurity
vulnerabilities. Engineering changes are also driven by system and command integrity
enhancements, safety changes, and process improvement engineering feature sets.

Many ICS vendors release engineering system patches to fix bugs, thereby improving
the stability of equipment and software, system safety, and operational reliability.
ICS defenders should utilize scheduled engineering maintenance windows to push
approved security patches once a subset have been evaluated and selected.

To prioritize ICS patching, ICS defenders should monitor and leverage the data in
vendor security advisories. These advisories provide Common Vulnerability Scoring
System (CVSS) measures which should be used to help assess risk and prioritize
patching. However, CVSS measures are only part of the ICS patching risk assessment
prioritization. If the “big picture” of ICS-specific context and ICS attack vectors
are not considered, patching efforts may cause unnecessary impact and/or
inadequately reduce the risk surface, and unnecessarily impede operations and/or
safety.


ICS defenders should prioritize vulnerability management based on risk and patch a
subset of vulnerabilities during scheduled engineering maintenance windows. Risks
should be prioritized based on the following considerations:

- Having a reliable ICS asset inventory to understand the risk surface to
  operations.
- Knowing which assets in the environment are vulnerable.
- Leveraging sector-specific threat intelligence to understand commonly observed
  tactics and techniques.
- Knowing the architecture and how to place assets in control networks’
  enforcement zones.
- Understanding the potential for an adversary to gain access through existing and
  properly configured firewalls, such as logging into the HMI, engineering
  workstation, or data historian.
- Knowing the criticality of vulnerable assets to engineering operations.
- Placing importance on patching or mitigating vulnerabilities that provide
  attackers remote network access if exploited and if vulnerabilities have
  associated publicly available exploit kits.

ICS defenders must identify and prioritize mitigating vulnerabilities that give
adversaries specific capabilities like:

- Access to the control networks where ICS commands could be injected.
- Unauthorized and/or unrestricted remote access.
- Publicly available exploit kits targeting critical engineering assets.

Career Development Opportunity - ICS410

ICS410: ICS/SCADA Security Essentials provides a foundational set of standardized
skills and knowledge for industrial cybersecurity professionals. This course is
designed to ensure that the workforce involved in supporting and defending
industrial control systems is trained to keep the operational environment safe,
secure, and resilient against current and emerging cyber threats.


A patch decision tree can be used to help prioritize ICS security patches. It is important to
put particular emphasis on the Analyze Risk assessment step. See the following graphic for
an example of the Department of Homeland Security’s control system patch decision tree.

Figure 1: Department of Homeland Security ICS Patch Decision Tree

ICS incident response
phases and objectives

ICS incident response adapts traditional incident response phases to suit engineering
environments, prioritizes safety in every phase, and includes different multi-team
stakeholders. ICS incident response stakeholders include engineering operators,
external control system support vendors, government agencies, physical safety teams,
physical security teams, IT security, ICS security, etc., with direction from the owner/
operators of the ICS facilities.
The objectives for each phase of an ICS-specific incident response⁵ include:

Phase 1: Prepare

Have well-defined, well-communicated roles and responsibilities and trained
ICS-specific security defenders who understand engineering and can investigate
control systems-related cyber events. A cyber-defensible position must be
established as part of a well-tested and regularly updated ICS-specific incident
response plan. Technical ICS security teams must ensure tools and skills are tested
and ready to be deployed. This means they should understand the industrial
protocols used, what normal ICS network communications look like, and possess the
ability to spot abnormalities in the traffic.

Phase 2: Identify and Detect Threat

Deploy ICS-specific network visibility and threat identification techniques. These
techniques are driven by consuming and applying sector-specific threat intelligence
across the ICS Cyber Kill Chain.⁶

Phase 3: Acquire Evidence

Fight through the attack while maintaining safety; acquiring key network
communications, endpoint, and engineering device logs; and making evidence
available for meaningful and timely forensics analysis.

5 https://www.sans.org/cyber-security-courses/ics-visibility-detection-response/
6 https://www.sans.org/white-papers/36297/


Phase 4: ICS Time Critical Analysis
Continue to fight through the attack and maintain safety while conducting time
critical analysis. Traditional IT containment and eradication steps may cause more
damage to safety, engineering, and production than the threats themselves. Care must
be given in this phase to apply deep knowledge of how threats impact control systems
and what a possible response could mean for operations and safety during containment
and eradication.

Phase 5: Contain
Preserve operations through logical or physical changes in the control environment to
further reduce impacts to safety and control systems. ICS Security, Engineers, and
Operator teams fight through the attack, working together where evidence and
intelligence can be shared, and contain the threat with as little disruption to safety
and operations as possible.

Phase 6: Eradicate and Recover
In this phase, the threat or threats are eliminated from the environment(s) when it is
safe to do so according to facility stakeholders and engineering. ICS security must
continue to monitor and actively defend against the incident. Only then can the
response team, in conjunction with applicable stakeholders, begin to restore
engineering systems to their normal operational state and regain full production of
engineering operations at all levels of the Purdue Network Architecture.

Career Development Opportunity - ICS515
In the ICS515: ICS Visibility, Detection, and Response course, students explore
numerous hands-on technical labs and data sets from ICS ranges and equipment with
emulated attacks and real-world malware deployed in the ranges for a highly simulated
experience detecting and responding to control system threats. Students will also
interact with and keep a PLC, a physical kit emulating electric system operations at
the generation, transmission, and distribution level, and a virtual machine set up as
an HMI and engineering workstation.


Phase 7: Lessons Learned
Similar to traditional IT incident response, use this phase to conduct and apply
lessons learned to improve response and restoration efforts for future incidents.

Phase 8: Share Information
Share relevant tactical, strategic, and operational threat intelligence and
cybersecurity lessons learned which might be of use for defense in the larger ICS and
critical infrastructure community.

Figure 2: ICS Incident Response Phases (cycle: Preparation & Planning; Detection &
Identification; Evidence Acquisition; Time Critical Analysis; Containment;
Eradication & Recovery; Lessons Learned; Information Sharing; with safety considered
throughout)



Considerations for ICS
incident response

There is a common misconception where a utility may think they are too small to be
a target of an ICS cyber attack or impactful cyber event. The reality is, however, that
adversaries often target smaller facilities to develop and test attack methodologies
in preparation to attack their ultimate target environment. Small or large, all ICS
environments should have an industrial-grade incident response plan.
In particular, ICS-specific incident response phases must consider all unique aspects
and objectives of industrial control systems, as described below.

Unique Systems
Nontraditional systems with industrial and proprietary setups, forensic logging
capabilities, and protocols.

Reliance on External Vendor Support
External engineering teams may require special secure remote access for engineering
support and may manage and be responsible for restoration copies of PLC logic,
setpoints, IED configurations, etc.

Legacy Systems
Systems and devices that may not be eligible for patching or firmware updates or may
only be available for infrequent updates to internal operating systems, such as during
a scheduled engineering maintenance window.

Non-Traditional Operating Systems
Purpose-built, embedded, and/or proprietary operating systems common to control
environments where many traditional security defenses are not effective or applicable.

Personnel Safety
The most important goal of control systems is not confidentiality, integrity, or
availability, but safety. Only after safety has been addressed does the incident
response team address confidentiality, the integrity to trust operations, and the
availability of engineering devices.

Protecting Physical Assets
Control systems use physical components to change the physical world. A cyber attack
could result in physical damage to engineering assets, environmental impacts, and
safety implications such as injury or death.

ICS incident response specific
roles and responsibilities

Many aspects of incident response need to be coordinated, planned, and regularly
exercised. These incident response tasks are most effectively completed when
subdivided by specific roles, which may include:

Incident Response Director/ICS Security Team Manager
Interfaces with the executive leadership team on an incident’s status, resources,
impacts, and options to maintain safety and operations.

Lead Responder
Guides incident response personnel and quick triage/impact timeline analysis. Advises
the Incident Response Director on available actions to reduce the impact on safety and
operations.

Incident Handlers
Cybersecurity and ICS field and technical personnel who may be required to make
environment and asset changes. They handle evidence acquisition, scope threats and
infections, and undertake analyses, among other tasks.

Fire and Security, Safety, Law Enforcement, Governments
Teams prepared for physical first aid, emergency response, evacuation strategies for
physical site safety, external communications or reporting, intelligence gathering and
sharing, and efforts beyond the site.



ICS incident response jump bag

The objective in industrial environments during a cyber incident is to maintain safety
and operations and fight through the attack. To ensure incident response readiness,
having a jump bag is essential.⁷ Using the tools in the incident response jump bag in
conjunction with knowledge of the affected control systems, and how they are used for
engineering processes, allows an ICS cyber defender to quickly analyze, understand, and
triage threats and impacts. Once the incident is analyzed and understood, the analysis,
which includes response options that minimize loss of control, loss of visibility of ICS,
and ensure safety, is provided to facility owners to choose and implement.
ICS jump bags should be portable (e.g., in rolling, protective cases), available at all
critical sites, and/or deployed with the incident response teams as they conduct on-site
response. Essential ICS incident response jump bag items include:

Laptops with Security Onion, REMnux, SIFT, or RELICS from SANS ICS515
Log, packet analysis, and timeline tools
Hashes of field device logic/configuration files
Baseline images of critical ICS assets
Data acquisition tools – prioritize command-line tools and memory
Network/converter cables (e.g., USB to serial)
Contact list for safety, engineering, integrators, security, and emergency response team
Offline malware analysis tools (static, interactive, automated)
Forensically clean USBs and external drives
Approved digital camera (no photo metadata)
CD-ROM drives and discs
Hardcopy ICS-specific incident response playbooks and network diagrams
PPE for safety
Out-of-band communications (e.g., handheld radios on-site)
Site-specific physical safety training certificates

7 https://youtu.be/ZR4Jy9K0AhI

When to initiate ICS
incident response

Rapid yet thorough analysis of data acquired from critical assets and the ICS network
traffic to and from those assets, combined with knowledge of engineering operations,
will help teams determine when full industrial incident response must be performed.
Use the following event conditions to help determine the potential risk to engineering,
understand where the attack is in the ICS Cyber Kill Chain, and when it is appropriate to
shift to full industrial incident response.

Figure 3: Event Conditions (escalation factors of ICS incident response: malicious
code, unauthorized access detected; loss of visibility of control process; manipulation
of control system operations; loss of process controls; exfiltration of sensitive
industrial system information; physical damage to assets or safety concerns)


Malicious Code, Unauthorized Access Detected
Installation or execution of malicious software. For example, an adversary gaining
physical or logical access to a network, system, or data without authorization, or
introducing a cyber-contaminant that could impact process control views or controls.

Exfiltration of Sensitive Industrial System Information
An ICS cyber incident exfiltrating sensitive control system data could be used to cause
harm. For example, ICS field device ladder logic, control system configuration, or
historian database entries are copied off a network. This is an indication of a
follow-on (non-immediate but potentially imminent) targeted ICS cyber attack.

Loss of Control Process Visibility
An ICS cyber incident affecting the ability to view the state of the physical process.
For example, a power generating facility is unable to view the current system load or
the current power grid operating frequency to maintain 60Hz.

Loss of Process Controls
An ICS cyber incident affecting the ability to change the state of the physical
process. For example, an oil refinery is unable to safely shut down its crude oil
distillation process or maintain pipeline pressure.

Manipulation of Control System Operations
The abuse of internal native system components or protocols such as HMI commands and
ICS protocols such as EthernetIP, ModbusTCP, DNP3, 61850, OPC, etc. For example, DNP3
is used to send unauthenticated “open breaker” commands to RTU field devices to open
electric circuit breakers and cut power.

Physical Damage to Assets or Safety Concerns
An ICS cyber incident affecting the physical properties or integrity of physical
assets, or introducing a potential physical safety impact to plant operators, workers,
and/or on-site visitors, contractors, etc.
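The two event conditions that network security monitoring can surface directly are unbaselined conversations and control commands from hosts that should only poll. The following added example (not from the field manual or SANS) checks constructed monitoring records against a site baseline and maps each hit to the manual's escalation factors; the IP addresses, baseline, and the mapping rules are assumptions, while the DNP3 and Modbus function code values are the standard ones.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List

# DNP3 application-layer function codes (standard values).
DNP3_READ = 1
DNP3_WRITE = 2
DNP3_SELECT = 3
DNP3_OPERATE = 4
DNP3_DIRECT_OPERATE = 5
DNP3_DIRECT_OPERATE_NR = 6
DNP3_COLD_RESTART = 13
DNP3_WARM_RESTART = 14
# Function codes that change device state or availability rather than read it.
DNP3_CONTROL_FCS = {DNP3_WRITE, DNP3_SELECT, DNP3_OPERATE, DNP3_DIRECT_OPERATE,
                    DNP3_DIRECT_OPERATE_NR, DNP3_COLD_RESTART, DNP3_WARM_RESTART}
# Modbus function codes that write coils or registers (standard values).
MODBUS_WRITE_FCS = {5, 6, 15, 16}

# Constructed site baseline (assumption): the documented normal conversations,
# keyed by (source, destination, protocol), as Phase 1 expects defenders to know.
BASELINE = {
    ("10.1.10.5", "10.2.1.20", "dnp3"),    # operator HMI -> substation RTU
    ("10.1.10.5", "10.2.1.21", "modbus"),  # operator HMI -> PLC
    ("10.1.10.9", "10.2.1.20", "dnp3"),    # historian -> RTU, polling only
}
# Only the operator HMI is expected to issue control commands (assumption).
CONTROL_AUTHORIZED = {("10.1.10.5", "10.2.1.20"), ("10.1.10.5", "10.2.1.21")}

# Constructed records in the shape a passive ICS network monitor might export:
# timestamp, source, destination, protocol, application-layer function code.
SAMPLE_EVENTS = """ts,src,dst,proto,fc
2023-05-01T10:00:01,10.1.10.5,10.2.1.20,dnp3,1
2023-05-01T10:00:02,10.1.10.5,10.2.1.20,dnp3,4
2023-05-01T10:00:05,10.1.10.9,10.2.1.20,dnp3,1
2023-05-01T10:01:10,10.1.10.9,10.2.1.20,dnp3,5
2023-05-01T10:02:00,10.1.50.7,10.2.1.21,modbus,3
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    escalation_factor: str
    detail: str


def is_control(proto: str, fc: int) -> bool:
    """True when the function code changes device state rather than reading it."""
    if proto == "dnp3":
        return fc in DNP3_CONTROL_FCS
    if proto == "modbus":
        return fc in MODBUS_WRITE_FCS
    return False


def classify(events_csv: str) -> List[Finding]:
    """Map each anomalous record to one of the manual's escalation factors.
    The mapping rules are this example's own heuristic, not a standard."""
    findings: List[Finding] = []
    for row in csv.DictReader(StringIO(events_csv)):
        src, dst, proto, fc = row["src"], row["dst"], row["proto"], int(row["fc"])
        if is_control(proto, fc) and (src, dst) not in CONTROL_AUTHORIZED:
            # A state-changing command from a host that should only poll is
            # abuse of a native ICS protocol.
            findings.append(Finding(
                row["ts"], src, dst, "Manipulation of control system operations",
                f"{proto} function code {fc} from a host not authorized to control {dst}"))
        elif (src, dst, proto) not in BASELINE:
            # A conversation the site has never documented: treat it as possible
            # unauthorized logical access to the control network.
            findings.append(Finding(
                row["ts"], src, dst, "Malicious code, unauthorized access detected",
                f"unbaselined {proto} conversation (function code {fc})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per escalation factor for the incident director's briefing."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.escalation_factor] = counts.get(f.escalation_factor, 0) + 1
    return counts


def should_escalate(findings: List[Finding]) -> bool:
    """Any confirmed escalation factor is grounds to shift to full ICS incident response."""
    return bool(findings)


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.ts} {f.src}->{f.dst}: {f.escalation_factor} ({f.detail})")
```

A production baseline would also carry the Purdue level and maintenance windows of each host, since an engineering workstation legitimately issues control and restart commands during scheduled work.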

ICS incident response
must-haves

While IT/OT convergence of both technology and workforce poses unique challenges,
it can drive a more realistic ICS threat detection and response process. A converged
incident response plan must consider available cybersecurity defenses in both
environments and work to reduce the impact of attacks through IT into ICS, which is
a common vector adversaries leverage that has been observed time and again. This
more realistic process can provide early warning signs of an attack that could impact or
specifically target the industrial process. Incident response for ICS should consider the
following:

The ICS-Specific incident response plan
Conduct realistic ICS tabletop exercises driven by sector-specific control system
threat intelligence or ICS gaps identified in your cybersecurity program or facility
to ensure your ICS-specific Incident Response Plan meets the needs of an ICS cyber
attack.

ICS-Specific Network Security Monitoring
Ensure “plant floor” network visibility with ICS deep-packet inspection to drive
incident response or proactive threat hunting. Network visibility capabilities should
go beyond simply querying about indicators of compromise and also include capabilities
to assist with analyzing threat tradecraft.

Trained ICS-Specific Security Defenders
Trained ICS cybersecurity personnel must understand the nuances between traditional IT
and ICS security, the ICS mission, safety, the engineering process, and ICS protocols
and active defense procedures.



ICS incident response
in practice

Successful ICS incident response requires a clear understanding of roles,
responsibilities, physical safety, engineering protocols and process, network visibility,
detection, and forensics capabilities. Facilities benefit from a tested, safe, and
defensible cyber position. Consider the following when adapting traditional incident
response steps to suit industrial control environments:

Acquire forensics data from key ICS assets.
Triage quickly to understand the threat via static or automated malware analysis.
Collaborate with engineering staff and senior management.
Determine operational impacts.
Analyze the impact of any reliance on external vendors and IT.
Execute the Safe Cyber Position if applicable.
Present analysis and options (blocking C2 access, running ICS in manual mode, removing
remote access, etc.) to fight through the attack (contain/eradicate).
Contain threats while running operations.
Eradicate when it is safe for operations.
Conduct regularly scheduled ICS incident response tabletop exercises.
Examine the connectivity and isolation of legacy devices.
Develop countermeasures.
Use indicator “hits” to scope the incident and related contamination.
Compare production and baselined configurations to detect tampering in controllers, etc.
Identify and apply lessons learned (e.g., correct gaps in evidence acquisition, deploy
additional ICS network visibility, detection capabilities, and determine whether
threats are malware or human adversaries).
Apply lessons learned to the ICS incident response plan.

Career Development Opportunity - ICS612
ICS612: ICS Cybersecurity In-Depth is an in-classroom lab setup that moves students
through a variety of advanced, technical, hands-on exercises that demonstrate how an
adversary can attack a poorly architected ICS and how defenders can secure and manage
the environment.
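Comparing production and baselined configurations, using the hashes of field device logic and configuration files the jump bag section says to carry, is a check that can be scripted. The following added example (not from the field manual or SANS) hashes acquired controller files against a trusted baseline and, for text setpoint exports, reports exactly which values changed; the file names, the "key = value" export format, and the setpoint values are constructed for illustration.

```python
import hashlib
from typing import Dict, Optional

# Constructed baseline copies (assumption): taken while the devices were
# trusted, e.g. after a maintenance window, and stored offline with the jump bag.
BASELINE_FILES: Dict[str, bytes] = {
    "plc01_setpoints.cfg": (b"# PLC-01 pump station, baseline export\n"
                            b"pressure_high_trip_psi = 950\n"
                            b"pressure_low_alarm_psi = 120\n"
                            b"pump_speed_max_rpm = 1750\n"),
    "plc01_logic.bin": bytes(range(64)),
    "rtu02_logic.bin": b"\xff\xfe\x10\x20\x30",
    "hmi_tags.csv": b"tag,address\nP101_PV,40001\n",
}

# Constructed files acquired from the same devices during the incident: the
# high-pressure trip was raised, an RTU logic image differs, one file is gone
# and one file nobody documented has appeared.
CURRENT_FILES: Dict[str, bytes] = {
    "plc01_setpoints.cfg": (b"# PLC-01 pump station, baseline export\n"
                            b"pressure_high_trip_psi = 1400\n"
                            b"pressure_low_alarm_psi = 120\n"
                            b"pump_speed_max_rpm = 1750\n"),
    "plc01_logic.bin": bytes(range(64)),
    "rtu02_logic.bin": b"\xff\xfe\x10\x20\x31",
    "plc01_logic.bak": b"\x00\x01",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """The hash manifest to keep with the jump bag: file name -> SHA-256."""
    return {name: sha256_hex(data) for name, data in files.items()}


def parse_setpoints(text: str) -> Dict[str, str]:
    """Parse the constructed 'key = value' export; '#' starts a comment."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip()
    return values


def diff_setpoints(before: bytes, after: bytes) -> Optional[Dict[str, tuple]]:
    """Return {key: (old, new)} for changed keys, or None when either side is
    not text (compiled logic, firmware images), where only the hash can speak."""
    try:
        old = parse_setpoints(before.decode("utf-8"))
        new = parse_setpoints(after.decode("utf-8"))
    except UnicodeDecodeError:
        return None
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def compare_to_baseline(baseline_files: Dict[str, bytes],
                        current_files: Dict[str, bytes]) -> dict:
    """Classify every file as unchanged, modified (with the changed setpoints),
    missing from the device, or unexpected (present but never baselined)."""
    manifest = build_manifest(baseline_files)
    report: dict = {"unchanged": [], "modified": {}, "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in current_files:
            report["missing"].append(name)
        elif sha256_hex(current_files[name]) == expected:
            report["unchanged"].append(name)
        else:
            changes = diff_setpoints(baseline_files[name], current_files[name])
            report["modified"][name] = changes if changes is not None else "binary content differs"
    report["unexpected"] = sorted(n for n in current_files if n not in manifest)
    return report


if __name__ == "__main__":
    for section, entries in compare_to_baseline(BASELINE_FILES, CURRENT_FILES).items():
        print(f"{section}: {entries}")
```

A changed setpoint is evidence to hand to engineering, not proof of an attack by itself; the maintenance log decides whether the change was authorized.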

ICS connectivity: business
benefits and cyber risk

Engineering systems include PLCs, RTUs, protection control relays, embedded HMIs,
SISs, distributed control systems (DCSs), solenoids, meters, field bus communications,
sensors, and actuators. For decades, these engineering devices and systems have
operated the critical infrastructure we rely on in isolation. And, while modern
connectivity into ICSs is becoming common and has led to increased data accessibility
across traditional IT and OT environments with several benefits, as detailed in the
below graphic, it also presents greater threats to security.

Figure 4: Benefits of Modern ICS Connectivity

Enabling connectivity to previously isolated engineering environments results in
these environments now being exposed. Recent ICS attacks that take advantage of this
increased ICS connectivity have been created and deployed by adversaries-for-hire and
rogue nation-states which have the means and motivation to disrupt operations and
impact safety. The good news is ICS/OT cybersecurity defense is totally achievable with
an effective team and an ICS security approach to risk management!



Prioritize for safety

Significant risks to safety can occur if prioritizing IT or traditional business
systems over industrial control systems or if the ICS/OT security reporting structure
fails to fully embrace the differences between IT and ICS/OT.

Consider, for instance, a security incident on the IT business email system and a
security incident on the SCADA system of a power grid occurring simultaneously. Which
incident gets priority? What pace and rigor will the organization give to the priority
incident? Specifically, what drives the decision to manage these very different risks?
And what are the related impacts in these different environments? Did the organization
select their focus based on what was most important for the safety of the people,
environment, and organization overall?

Today’s ICS incident response teams must understand the control system processes,
engineering, industrial protocols, safety factors, and ICS-specific cyber threats, and
tailor incident response playbooks and risk management strategies accordingly.

Career Development Opportunity - ICS418
The SANS ICS418: ICS Security Essentials for Managers course includes an ICS attack
history walkthrough for new and existing ICS/OT security managers with a major focus
on lessons learned for improved ICS risk management.

ICS security
management choices

ICS-specific technologies, threat detection methods, and unique incident response
considerations are essential in building and maintaining an effective long-term ICS
program. However, the most critical components of responding to an ICS incident are
the dedicated people specifically trained in ICS incident response.

As managers we get to choose many things about our ICS/OT cybersecurity program. We get
to choose our team, the best technologies, and our processes. What we do not get to
choose is if we are a target. The adversary does that.

Career Development Opportunity - ICS418
ICS418: ICS Security Essentials for Managers. SANS has extended the Cyber42 Leadership
Simulation game (https://www.sans.org/blog/cyber42) to ICS418 as Industrial Cyber42.
Students participate in various ICS risk-based and management level decision scenarios
to protect a control system using their risk management skills where the object of the
game is to finish with the highest safety culture score.



ICS security leadership pathways

Common roles that lead to managing ICS/OT cyber risk include:

Manager asked to "Step Over”
IT Security Manager is assigned the responsibility of ICS cyber risk and must build
and maintain a sustainable ICS security program.

Practitioner in the field asked to "Step Up”
ICS, IT, or engineering team member steps up to an ICS Security Manager position to
build and maintain a sustainable ICS security program.

ICS Manager “In Place”
An existing ICS manager responsible for ICS security practitioner direct reports and
works to build and maintain a sustainable ICS security program.

Figure 5: Leadership Pathways (Manager asked to "Step Over", Manager "In Place", and
Practitioner to Manager "Step Up", all leading to ICS418)

Career Development Opportunity - ICS418
The SANS ICS418: ICS Security Essentials for Managers course empowers new and
established ICS security managers from all areas to understand the differences between
IT and ICS/OT, to prioritize safety, build and maintain strong relationships, build
teams, effectively manage ICS/OT cyber risk, and effectively report to applicable
stakeholders.

The ICS security defender
skillset recipe

Technology and processes (even if automated) do not get us far in the defense area
without a trained and focused workforce. Human defenders—the people, our workforce—
are those who use ICS security technologies, work with engineering, safety, business,
IT security, and other teams. These ICS defenders understand the ICS mission, possible
impacts, and engineering recovery. They understand the industrial process, protocols,
normal vs. abnormal engineering operations network traffic patterns, safety with
context, the commonly targeted assets in control systems, etc. Modern trained ICS
cybersecurity staff understand the nuances between traditional IT and ICS security.

As ICS risk management leaders work to build their ICS security teams, they should
consider the following ICS cybersecurity skillset recipe. For the team to be effective,
team members would do well to have the following skills and experience:

Figure 6: ICS Cybersecurity Skillsets (Traditional IT Cybersecurity; ICS Engineering
Knowledge; Physical, Environmental Safety)

"The only defense against well-funded nation-state attacks on power systems (and
the rest of the critical infrastructure that keeps us and the economy alive and free)
are people with extraordinary cyber talent and skills." - Mike Assante



ICS cybersecurity team roles

As ICS cybersecurity roles and tasks emerge and evolve, ICS managers who are building
their teams should consider staffing for the following roles:

ICS Cybersecurity Analyst
Acquire and manage the necessary resources, including leadership support, financial,
and key security personnel to support the ICS security mission, safety goals, and
objectives to maintain reliability of engineering processes.

ICS Security Architect
Possess knowledge of and the ability to address all aspects of the control system
architecture, best practice security from ICS reference models and network
segmentation such as Purdue, and ICS410 SCADA Reference Architecture⁹ reference models.

ICS Cybersecurity Incident Responder
Detect, analyze, identify, respond to, contain, eradicate, and recover from industrial
cybersecurity incidents. A key part of this role in the event of an incident is working
with engineering teams and a variety of external ICS/OT vendors and/or integrators and
law enforcement in safeguarding the physical control systems, including SISs, to reduce
cyber attack impact and return operations to a trusted restoration point.

ICS Cybersecurity Manager
Possess knowledge of and experience in IT and ICS/OT security, the tools to address
industry pressures to manage cyber risk to prioritize the business as well as the
safety and reliability of operations. ICS cybersecurity managers must build and
maintain business relationships with engineering staff and executive stakeholders to
communicate and reduce cybersecurity risk to engineering operations. This role requires
a firm understanding of the drivers and constraints of cyber-physical environments,
technologies throughout their organizations, ICS/OT security practitioners, and how to
manage the processes.

9 https://www.sans.org/posters/control-systems-are-a-target/


Process Control Engineer


Design, test, troubleshoot, and oversee the implementation of new engineering
processes. In plants with established control systems, engineers may design and
install retrofits to existing systems and troubleshoot engineering hardware, embedded
systems, control system software, and engineering/instrumentation problems in a
manner that also preserves the cybersecurity integrity of the engineering system
signals, sensing, commands, and control environment.
The following graphic details proposed roles and maps them to the SANS courses
most applicable to the role. It is important to note that roles will likely grow and require
additional knowledge.

Figure 7: ICS Role to SANS Course Matrix. Roles: ICS Security Analyst, ICS Security
Architect, ICS Security Incident Responder, ICS Security Manager, Process Control
Engineering. Courses by tier:
FOUNDATIONAL - ICS410: ICS/SCADA Security Essentials (gain foundational skills to
protect critical infrastructure from cyber threats)
MANAGEMENT - ICS418: ICS/SCADA Security Essentials for Managers (manage the people,
processes, and technologies for OT cyber risk programs)
TACTICAL - ICS456: Essentials for NERC Critical Infrastructure Protection (maintain a
defensible compliance program up to NERC CIP standards); ICS515: ICS Visibility,
Detection, and Response (monitor threats, perform incident response, and enhance
network security)
ADVANCED - ICS612: ICS Cybersecurity In-Depth (identify threats in a real-world ICS
environment to protect against adversary attacks)


Key ICS management
takeaways

1. Safety Is No. 1. In control system environments, safety is the top priority.
Cybersecurity and other functions support safe and reliable operations. For example,
tools like IDSs are preferred due to side effects of false positives in IPSs, which
render an unsafe condition that could hurt or kill people.

2. Embrace IT and ICS differences. Understand and embrace the differences between IT
and ICS by prioritizing the ICS business mission to secure and enable physics and
engineering controls that monitor for and make physical changes in the real world that
are safe for people and the environment.

3. ICS/OT asset inventory. A prerequisite for ICS active defense is a formal ICS/OT
asset inventory. The four main methodologies of creating an ICS asset inventory
(physical inspection, configuration analysis, passive traffic analysis, and active
scanning) can be combined for increased accuracy while prioritizing safety.

4. Enable active defense. Ensure the Active Cyber Defense Cycle (ACDC)¹⁰ has a strong
foundation by implementing ICS/OT-specific architecture (align with the Purdue and
SANS ICS410 SCADA Architecture models to start), then implement passive defenses to
prepare for Active Defense on the Sliding Scale of Cybersecurity.¹¹

5. Deploy ACDC specific to ICS. Empower technical ICS security staff to maintain the
human-driven ICS/OT ACDC while leveraging sector-specific ICS/OT threat intelligence.
Staff should be dedicated, ICS/OT-trained security resources who understand the
engineering process well enough to determine if control network activity is anomalous
or malicious in nature.

6. Validate the ICS/OT incident response plan. Validate and gain the benefits of
conducting regularly scheduled, specific ICS/OT incident response plan TTXs and apply
related lessons learned.

10 https://www.sans.org/white-papers/36297/
11 “The Sliding Scale of Cyber Security,” Sept 1, 2015, www.sans.org/white-papers/36240/

Epilogue to volume 3

This volume details an approach for ICS incident response, the skillsets and people
needed to “fight through the attack,” the need for quick analysis and triage with
engineering knowledge, the right ICS tooling, an understanding of the protocols
(engineering device communications), and the unique aspects of engineering and jump
bag equipment.
Most importantly, this volume explains why, even though technologies and plans are
crucial to ICS cyber defense, the human defenders are the most critical piece of the
puzzle. We are reminded that, with the right teams and team leaders, “ICS Defense Is
Doable” and required to protect the critical infrastructure we rely on daily.



The ICS community forum

You are invited to participate in the SANS ICS Community Forum, where ICS
professionals discuss current security events, share tips, ask questions, and connect
with others passionate about securing our critical infrastructure. Don’t miss an
important community event, a great job opportunity, or the latest free resources
authored by the SANS ICS practitioner faculty.
https://ics-community.sans.org/

News and updates: ics.sans.org
Join the SANS ICS Community Forum: ics-community.sans.org/signup
Free and open-source tools for ICS: ControlThings.io
Join the conversation: @SANSICS
Thought leadership: SANS ICS security
Insights and demos: SANS ICS Security

FREE ICS RESOURCES: CHEAT SHEETS, POSTERS, AND MORE!

Introduction to ICS Security
▶ Defining what industrial control systems are, why they are vital, and the unique
challenges of securing them.

The ICS Site Visit Plan
▶ Maximize your efforts to identify critical assets during on-site ICS visits.

ICS418: ICS Security Essentials for Managers: Step Up, Step Over, In Place
▶ This blog describes the newest offering from SANS targeted specifically to managers
involved in keeping industrial control systems safe.

Protect Control Systems and Critical Infrastructure with GRID
▶ GIAC Response and Industrial Defense (GRID) is a must-have certification for
ICS/SCADA/OT professionals.

The Differences between ICS/OT and IT
▶ Guidance on defining the differences between cybersecurity defense methodologies,
security controls, safety, impacts, skill sets, and the security missions for ICS/OT
compared to traditional IT security.

Additional free resources for the ICS/OT community, including webcasts, blogs, white
papers, and more, can be found at:
▶ https://www.sans.org/industrial-control-systems-security/

SANS ICS curriculum

SANS has joined forces with industry leaders and experts to strengthen the
cybersecurity of industrial control systems and operational technology. The initiative
is equipping security professionals and control system engineers with the security
awareness, work-specific knowledge, practitioner resources, and hands-on technical
skills they need to secure automation and control system networks and critical
infrastructure.

ICS410: ICS/SCADA Security Essentials
Provides an understanding of industrial control system components, purposes,
deployments, significant drivers, and constraints. Includes hands-on lab learning
experiences to control system attack surfaces, methods, and tools.
https://www.sans.org/cyber-security-courses/ics-scada-cyber-security-essentials/

ICS515: ICS Visibility, Detection, and Response
Helps deconstruct ICS cyber attacks, leverage an active defense to identify and counter
threats in your ICS, and use incident response procedures to maintain the safety and
reliability of operations.
https://www.sans.org/cyber-security-courses/ics-visibility-detection-response/

Career Development Opportunity - ICS GIAC Certifications
- ICS attackers are honing their skills and plotting their attacks. We can up our
defensive skills to counter them and protect critical infrastructure that supports our
modern way of life.
- ICS GIAC certified professionals have demonstrated they have the skills to help
protect critical infrastructure from a technical and/or strategic level.


ICS456: Essentials for NERC Critical Infrastructure Protection
Empowers students with knowledge of the “what” and the “how” of the NERC CIP
standards. The course provides multiple approaches to identify and categorize BES
cyber systems and help determine the requirements applicable to specific
implementations. It also covers implementation strategies with a balanced practitioner
approach to cybersecurity benefits, as well as regulatory compliance.
https://www.sans.org/cyber-security-courses/essentials-for-nerc-critical-infrastructure-protection/

ICS612: ICS Cybersecurity In-Depth
Provides advanced coverage of security concepts primarily driven by applied learning
with hands-on labs. The in-classroom environment simulates a real-world factory and
the labs move students through a variety of exercises that demonstrate how an attacker
can compromise an ICS environment and how defenders can better secure and manage that
environment.
https://www.sans.org/cyber-security-courses/ics-cyber-security-in-depth/

ICS418: ICS Security Essentials for Managers
Fills the identified gap among leaders working across critical infrastructure and
operational technology environments. The course equips ICS managers with the
experience and tools to address the business and industry pressures to manage cyber
threats and defenses in a way that prioritizes the business as well as the safety and
reliability of ICS operations. ICS leaders will leave the course with a firm
understanding of the drivers and constraints in cyber-physical environments and will
gain a nuanced understanding of how to manage the people, processes, and technologies
across their organizations. ICS418 empowers both new and established ICS security
managers.
https://www.sans.org/cyber-security-courses/ics-security-essentials-managers/

110+ industrial control system abbreviations for easy reference

ACDC - Active Cyber Defense Cycle
ACL - Access Control List
AD - Active Directory
AGC - Automatic Generation Control
AM - Amplitude Modulation
ANSI - American National Standards Institute
AP - Access Point
APT - Advanced Persistent Threat
ARP - Address Resolution Protocol
BACnet - Building Automation and Control Network
BE2 - BlackEnergy2
BE3 - BlackEnergy3
BES - Bulk Electric System
BGAN - Broadband Global Area Network
BLE - Bluetooth Low Energy
BMS - Building Management System
BPF - Berkeley Packet Filter
C&C - Command-and-Control
C2 - Command-and-Control
CANbus - Controlled Area Network Bus
CART - Complete, Accurate, Relevant, and Timely
CI - Critical Infrastructure
CIA - Confidentiality, Integrity, and Availability
CIP - Common Industrial Protocol
CIP - Critical Infrastructure Protection
CISA - Cybersecurity & Infrastructure Security Agency
CSIRT - Computer Security Incident Response Team
CTI - Cyber Threat Intelligence
CVSS - Common Vulnerability Scoring System
DCE - Distributed Computer Environment
DCS - Distributed Control System
DDoS - Distributed Denial-of-Service
DFIR - Digital Forensics and Incident Response
DHCP - Dynamic Host Configuration Protocol
DMZ - Demilitarized Zone
DNP - Distributed Network Protocol
DNP3 - Distributed Network Protocol 3
EEPROM - Electrically Erasable Programmable Read-Only Memory
EMS - Energy Management System
EMT - Electro Magnetic Transmission
ERT - Embedded Device Robustness Testing
ESD - Emergency Shutdown Systems
FAT - Factory Acceptance Test
FERC - Federal Energy Regulatory Commission
FEP - Front-End Processor
FIP - Factory Instrumentation Protocol
FM - Frequency Modulation
GNSS - Global Navigation Satellite Systems
GPO - Group Policy Object
GPS - Global Positioning System
GRID - GIAC Response and Industrial Defense
HART - Highway Addressable Remote Transducer
HAZOP - HAZard and OPerability
HIDS - Host Intrusion Detection System
HMI - Human Machine Interface
HVAC - Heating, Ventilation, and Air Conditioning
I/O - Input/Output
IACS - Industrial Automation and Control Systems
ICCP - Inter-Control Center Communications Protocol
ICS - Industrial Control System
IDS - Intrusion Detection Systems
IED - Intelligent Electronic Device
IIoT - Industrial Internet of Things
IoC - Indicators of Compromise
IPC - Inter Process Communication
IPFIX - IP Flow Information Export
IPS - Intrusion Prevention System
IPv4 - Internet Protocol Version 4
IPv6 - Internet Protocol Version 6
IR - Incident Response
IRP - Incident Response Plan
IRT - Isochronous Real-Time
ISACs - Information Sharing and Analysis Centres
ISC - SANS Internet Storm Center
ISM - Industrial, Scientific, and Medical
IT - Information Technology
LAN - Local Area Network
LAPS - Local Administrator Password Solution
LD - Ladder Diagram (or Ladder Logic)
LDAP - Lightweight Directory Access Protocol
LLDP - Link Layer Discovery Protocol
LoS - Line-of-Sight
LotL - Living-off-the-Land
MAC - Media Access Control
NERC - North American Electric Reliability Corporation
NSM - Network Security Monitoring
NSTB - National SCADA Test Bed Program
NTP - Network Time Protocol
OLE - Object Linking and Embedding
OPC - Open Platform Communications
OSHA - Occupational Safety and Health Administration
OSI - Open Systems Interconnect
OSINT - Open-Source Intelligence
OT - Operational Technology
pcap - Packet Capture Files
PERA - Purdue Enterprise Reference Architecture
PLC - Programmable Logic Controller
PPE - Personal Protective Equipment
PV - Process Value/Variable
RDP - Remote Desktop Protocol
RPC - Remote Procedure Call
RT - Real-Time
RTOS - Real-Time Operating Systems
RTU - Remote Terminal (Telemetry) Unit
SAT - Site Acceptance Test
SCADA - Supervisory Control and Data Acquisition
SIEM - Security Information Event Management
SIF - Safety Instrumented Functions
SIL - Safety Integrity Level
SIS - Safety Instrumented System
SMB - Server Message Block
SPAN - Switched Port Analyzer
ST - Structured Text
STIX - Structured Threat Information eXpression
TAP - Test Access Point
TAXII - Trusted Automated eXchange of Indicator Information
TCP - Transmission Control Protocol
TEM - Threat and Environment Manipulation
TTP - Tactics, Techniques, and Procedures
TTX - Tabletop Exercise
UA - Unified Architecture
UAC - User Account Control
UDP - User Datagram Protocol
URI - Uniform Resource Identifier
VLAN - Virtual Local Area Network
VM - Virtual Machine
VSAT - Very Small Aperture Terminal
WAN - Wide Area Network
WLAN - Wireless Local Area Network
ABOUT THE AUTHOR
Dean Parsons
B.SC., GICSP, GRID, CISSP, GSLC, GCIA

CEO ICS Defense Force Inc. | Certified ICS SANS Instructor


ICS/OT Cyber Defense Leader

Dean is the CEO and Principal Consultant of ICS Defense Force and brings 20+ years of
technical and management experience to the classroom. He has worked in both Information
Technology and Industrial Control System Cyber Defense in critical infrastructure sectors such
as telecommunications; electricity generation, transmission, and distribution; and oil and gas
refineries, storage, and distribution.

Dean is an ambassador for defending industrial systems and an advocate for the safety,
reliability, and cyber protection of critical infrastructure. His mission as an instructor is to
empower each of his students, and he earnestly preaches that “ICS Defense is Do-able!”

Over the course of his career, Dean’s accomplishments include establishing entire ICS
security programs for critical infrastructure sectors, successfully containing and eradicating
malware and ransomware infections in electricity generation and manufacturing control
networks, performing malware analysis triage and ICS digital forensics, building converged
IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric
substations, oil and gas refineries, manufacturing, and telecommunications networks. A SANS
Certified Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response and is co-
author of ICS418: ICS Security Essentials for Managers. Dean is a member of the SANS GIAC
Advisory Board and holds many cybersecurity professional certifications including the GICSP,
GRID, GSLC, and GCIA, as well as the CISSP®. He is a proud native of Newfoundland where he
lives with his family.

ACKNOWLEDGEMENTS
Dean would like to thank the following individuals and teams for their continued support,
for being leaders, mentors, and dear friends in this amazing and necessary community, and
working relentlessly to further the protection of critical infrastructure.

Tim Conway, Rob M. Lee, Jeff Shearer, Mark Bristow, Ted Gutierrez, Mike Assante, Justin Searle,
Lauren Ashy, Lisa Peterson, the entire SANS ICS Team, and Yoda. Thank you for treating me as
family, supporting my efforts, and handing me a blue lightsaber.
