IC37 IEC62443 Flashcards
Scope
Determine the parameters of what is included in the assessment and how it is performed.
Scope includes:
- Identify requirements
- Specify devices
- Select collection method
- Document
Key Components of Scope
- System description
- Asset inventory
- Criticality assessment
- System architecture design
- Documented data flow
- Network diagram
Cybersecurity Vulnerability Assessment
Defines, identifies, and classifies the security vulnerabilities in an industrial control system and its related network infrastructure.
Cybersecurity Vulnerability Assessment is:
- A critical step in evaluating cyber risk
- An evaluation of the IACS design, implementation, configuration, operation and management
- A determination of the adequacy of security measures, identifying security deficiencies
Benefits of Cybersecurity Risk Assessment
- Determine which plants/processes need to be addressed and in what order.
- Definition of threats, vulnerabilities, and consequences so they can be mitigated (this is very time consuming).
- Design and apply countermeasures to reduce risk.
- Prioritize mitigation activities and resources.
- Evaluate countermeasure effectiveness versus cost and complexity.
Cyber Risk Assessment Process
- Identify the system under consideration (SUC).
- Conduct a high-level cyber risk assessment.
- Partition the SUC into zones and conduits.
- Perform a detailed cybersecurity risk assessment for each zone and conduit.
- Document security requirements, assumptions and constraints.
For each zone and conduit you will need to run
IEC 62443-3-3
Detailed risk assessment process (this is section 5 of the detailed risk assessment, just an FYI); this includes:
- Identify threats
- Identify vulnerabilities
- Determine consequences and impact
- Determine likelihood
- Calculate unmitigated cyber risk
- Determine security level target
- Consider existing countermeasures
- Reevaluate likelihood and impact
- Calculate residual risk
- Confirm all risk is mitigated or below tolerable risk
- Document the results
You need documentation to prove what you did.
Documents in general should be:
- Revised
- Amended
- Reviewed
- Approved
Review for the Design Chapter
Remember the 4 Ts of managing risk:
- Tolerate - risk the organization is willing to take.
- Transfer - insurance.
- Terminate - block the risk.
- Treat - reduce the likelihood.
Five Ds of treating risk:
- Deter
- Detect
- Delay
- Deny
- Defeat
Remember firewalls:
Block unauthorized access. Network and host firewalls.
IDS are either
NIDS or HIDS, and detect using:
- Pre-defined rules/signatures
- Anomaly/behavior
Remote access
Huge operational benefits.
High risk.
With ease come huge operational benefits and high risk.
Monitoring and Management
Identify the components of an asset inventory.
Identify system hardening.
Asset Inventory
Maintain a list or database of all IACS and SCADA hardware - physical and virtual.
Asset inventory is done through:
- Documentation and site survey. This could take a long time if the company has been around for a long time.
- Tools can also be used.
If you use automation tools, ensure that they:
- Don't impact system availability or integrity
- Don't introduce security vulnerabilities
Hardware includes all
servers, computers, workstations, smart phones, PLC, DCS, VFD, RTU, etc., and serial routable devices.
You will need to have a record of:
- Asset ID
- Device type
- Function
- Network interfaces
- Network addresses
- Manufacturer
- Model
- Serial number
- Operating system and version
- Firmware version
- Physical location
- Notes
- Device system name
All VM details need to be documented - do not forget about this.
- All software: applications, databases, firmware, operating system, patch process.
Anything with Ethernet or serial communication, including routable serial: Modbus, serial, Profibus.
Asset inventory for software is also important. This should include:
- Operating systems
- Applications
- Databases
- Firmware
Asset inventory tools are either:
NETWORK MANAGEMENT TOOLS
SOFTWARE ASSET MANAGEMENT (SAM) TOOLS
CONFIGURATION MANAGEMENT TOOLS
Network management tools:
- SolarWinds, OpenNMS, Siemens SNM, Moxa
Software asset management (SAM) tools:
- IT Asset Tool, Microsoft System Center
Configuration management tools:
- Rockwell AssetCentre
- PAS Integrity
- MDT AutoSave
System Hardening
The process of securing a system by reducing its attack surface. This includes:
- Remove unnecessary software
- Remove unnecessary user accounts
- Enforce strong access control (multifactor authentication is important)
- Disable or remove services (this is important)
- Install security patches (patches are also important)
Which devices can be hardened?
Any configurable device can be hardened, such as operating systems, databases, applications, managed switches, routers, firewalls, modems, PLC, IED, VFD.
Operating system hardening - where to go? OS HARDENING, very IMPORTANT:
- NIST SP 800-123
- Microsoft Security Guides
- CIS Security Benchmarks
- DISA STIGs
- Automation suppliers
REMEMBER: 800-123 IS OS HARDENING
Basic steps to secure an operating system (OS):
- Patch and update the OS
- Remove or disable services, applications and network protocols
- Configure access controls
- Configure OS user authentication
- Install and configure additional security controls
- Test the security of the OS
List of unnecessary software:
- Games
- Unused device drivers
- Messaging services
- Unused internet services
- Software compilers
- Unused protocols
Device Hardening Guidance (DEVICE HARDENING = 800-82)
- NIST SP 800-82
- Always look for vendor guidance.
HARDENING DEVICES INCLUDE:
- PLCs
- Motors and drives
- I/O
- HMI
- Sensors
- IEDs
- Flow computers
Hardening of devices includes:
- Disable program changes
- Install vendor firmware updates
- Compare file hashes
- Shut down unused network interfaces
- Change default passwords
- Enable logging
- Disable unused protocols
- Restrict remote access
- Protect with ICS
- Disable services not used
Network Hardening
Guidance: NSA, Cisco, NIST, SANS, security configuration checklists.
Three functional planes of a network:
- Management - IOS - SSH, SNMP
- Control - EIGRP, BGP, OSPF
- Data - the actual data
Network hardening best practices:
- Install firmware updates
- Compare file hashes
- Shut down unused physical interfaces
- Enable configuration access control
- Change and encrypt passwords
- Use SNMPv3
- Restrict remote management
- Use secure protocols
- Shut down unused services
- Enable logging
ACCESS CONTROL
Policies, procedures and technical controls that govern the use of system resources.
Access control ensures the system is only accessible to authorized users, programs, processes and other systems.
ACCESS CONTROL ENFORCES the following:
- Separation of duties
- Least privilege
- System notification
- Previous login
- Concurrent sessions
- Session locking
- Unsuccessful login attempts
- Session termination
Access control involves:
- Establishing
- Activating
- Modifying
- Reviewing
- Disabling
- Removing accounts
Access control best practices:
- Develop an access control policy to establish appropriate logical and physical rules
- Segregate data with high sensitivity
- Employ multifactor authentication - make use of centralized identity
- Use organizational units
Always use multifactor authentication:
- Something you know
- Something you have
- Something you are
Remote access
Technology made it so easy.
A VPN appliance is a network device enhanced with security features known as secure socket layer (SSL).
A VPN is a network using public telecommunication infrastructure, such as the internet, to provide remote networks or computers with secure access to another network.
VPN security employs:
- IPsec (Internet Protocol Security)
- SSL/TLS (Transport Layer Security)
- DTLS (Datagram Transport Layer Security)
- MPPE (Microsoft Point-to-Point Encryption)
- SSTP (Secure Socket Tunneling Protocol)
- MPVPN
- SSH
Firewall evolution into all-inclusive security products (NGFW):
- Firewall
- VPN
- Content filtering
- Load balancing
- Antispam
- Data
Types of VPNs:
- Site-to-site VPN
- VPN gateway
VPN best practices:
- Require the use of corporate-owned laptops
- Provide remote access users with a secure bootable image
- No VPN split tunneling should be allowed
- Change the TCP port to something else
- Monitor and log all remote access sessions
- Encrypt all communications
- Configure modems for maximum security
- Restrict remote connections to specific machines
Secure Remote Access Examples
- Read-only access
- One-way reporting
- Limited data exchange
- Employee and vendor remote maintenance and troubleshooting
- Full remote operations
Antimalware Management
Malware-related incidents are the number one cause of cyber-related production losses and upsets in process control systems.
Viruses can impact control systems. Use a mixed deployment.
All major PLC and DCS vendors support firewalls.
Always recommend using mixed solutions:
- Antivirus scanning at the control system firewall
- Automatic updating for non-critical systems or systems with approved update schemes
- Manual scheduled updates for more difficult systems
Whitelisting
BENEFITS:
- Smaller and more efficient
- Does not require signature updates
- Can ensure critical files are approved
- Zero-day protection
ISSUES:
- Agnostic to malware
- Can block software updates
Blacklisting
BENEFITS:
- Can define malicious software behavior
ISSUES:
- The number of known bad signatures is large and growing
- Requires frequent updates
- False positives can block critical files
- No protection against zero-day attacks
Whitelisting means
allow known good.
Blacklisting means
block known bad.
Anti-Virus Management
Application Control
- Identify entitlement, privilege, or access-based approval.
- Protect memory so applications in memory cannot be changed.
Change Control
- Extend application control to include file integrity monitoring for non-executables.
ALWAYS KEEP systems up to date because it is critical to protection.
Patching
- Patches should be analyzed for each device.
- Installed and verified on a test system.
- A backup should be done before a patch is installed.
- Document all changes.
PATCH MANAGEMENT LIFECYCLE - it is a continuous process:
- Information gathering
- Monitoring and evaluation
- Patch testing
- Patch deployment
- Verification and reporting
Patch Management Best Practices
- Establish and maintain an inventory of all updatable electronic devices.
- Determine a regular schedule and what is available.
- Test deployment of patches in a manner that reflects the production environment.
- Schedule qualified patches for installation at the next available opportunity.
- Update records at planned intervals.
- Periodically identify security vulnerabilities.
- Implement patches or equivalent countermeasures.
PLC Backup and Configuration Management (BACKUP AND RECOVERY)
- Restoration time - how much time is required; is redundancy required?
- Backup interval - how often the backup should run.
- Backup management - how many duplicates are required in case of damage.
- Media storage - keep media and license keys in a safe area.
- Responsible party - which department is responsible.
- Review and update plan - review and update the BCP when the system changes.
System backup best practices
- Check for redundancy: real time? near real time?
- Data center: hot, warm, cold?
- Point-in-time snapshots: automated or manual?
- Maintain version control.
- Automate the backup.
- Protect backups.
System backup types?
Redundant systems:
= Physical or virtual
= PCs
= Hardware/software
= Network
Point-in-time snapshots:
= PC code, apps, images, partitions, files, and config
= PLC code, apps, and config
= Databases
= Network device config
Backup and Recovery best practices
- Establish backup and restore policies.
- Document procedures and ensure they are repeatable.
- All devices with configuration should be backed up.
- Backups are performed automatically on a staggered schedule.
- Onsite and offsite storage of backups.
- Periodic testing of backups.
- Periodic testing of restores.
Change Management
The objective of change management is to minimize RISK to safety and downtime by ensuring that requests for change are:
- Recorded
- Evaluated
- Authorized
- Prioritized
- Planned
- Tested
- Implemented
- Documented
- Reviewed
in a controlled and consistent manner.
Remember that vulnerability and patch management must also follow the same change management process.
ISA 62443-2-1 section 4.3 and 4.3.2
Typical IACS changes that require management of change:
- Changes to equipment and systems on the ICS architecture diagram
- Changes of IT equipment and other services
- Any changes
Change requests contain the information required for assessing the goals, cost and risk associated with the change:
- Description of the change
- Benefit of applying the change
- Cost and risk of not applying the change
- Cost associated with the change
- Risk assessment of the change
- Priority of the change
Change in industrial facilities and processes is
critical to safety.
Remember that change has to be done by a MULTI-DISCIPLINARY TEAM.
Change Management priority examples
- IMMEDIATE - Life is at risk, significant loss of revenue - immediate action is required.
- HIGH - Severely affecting safety systems or impacting the ability to produce.
- MEDIUM - No severe impact, but things will need to be fixed prior to the next schedule.
- LOW - Changes can be taken care of in the next schedule.
Information and Document Management Best Practices
- A lifecycle document management process should be developed.
- Information classification is required.
- Control system information, such as design information.
Physical security
Protection of personnel, hardware, programs, networks and data from physical circumstances and events.
Asset inventory tools are:
- Network management tools
- Software asset management tools, known as SAM
- Configuration management tools
The three functional planes of a network are:
- Management
- Control
- Data
System Hardening
System hardening is the process of securing a system by reducing its attack surface.
Access Control
The policies, procedures and technical controls that govern the use of system resources to ensure the system can be accessed only by authorized users, programs and other systems.
Detection tools
What does security monitoring and detection entail?
Detecting abnormal activity:
- Network intrusion detection
- Host intrusion detection
- Monitoring logs
- Periodic testing and auditing
Detection techniques?
- Signature - against a blacklist
- Behavior - against known behavior
- Anomaly - against known good (whitelist)
Differences:
- Best solution for zero-day exploits is BEHAVIOR.
- Best solution for known exploits is SIGNATURE.
- Best solution for insider threats? ANOMALY.
Anomaly detection includes:
- Data hoarding
- Geographic location
- Time versus data
- Service traffic
- Host data loss
User Observation for Abnormal System Behavior
Anything that can trigger changes, such as:
- CPU usage
- Blocked protocols
- Patch changes
- System shutdown
- Locked-out accounts
- Logs and cleared logs
Capabilities of host intrusion detection systems are:
- Log analysis
- Policy enforcement
- Event correlation
- Alerting
- Rootkit detection
- Integrity checking
LIDS are
log-based intrusion detection systems.
LIDS is normally part of the SIEM.
All intrusion detection systems need the following:
Testing / auditing / adjustment as part of the CSMS.
- Testing should be established by policy.
- Audit by a third-party tester.
- Adjust based on new threats.
IMPORTANT
This chapter will be talking about:
- Incident response lifecycle
- Aspects of incident response planning
- Incident management
- Incident prevention
- Four phases of forensics
- Three Cs of incident analysis
Incident response lifecycle includes?
1- PLANNING
2- INCIDENT PREVENTION
3- DETECTION
4- CONTAINMENT
5- REMEDIATION
6- RECOVERY AND RESTORATION
7- POST-INCIDENT ANALYSIS AND FORENSICS
1- PHASE ONE IS PLANNING
In this phase we assemble the CYBER SECURITY INCIDENT RESPONSE TEAM (CSIRT); the team consists of engineers and managers.
In this phase we need to have clear written operating procedures and a response checklist.
2- INCIDENT PREVENTION techniques:
- IACS asset management
- System hardening
- Access control
- Remote access
- Malware prevention
- System backups
- Change management
- Information and documentation
- Physical security
And you will need vendor interaction.
Incident Analysis 3 Cs
- Calm - don't panic.
- Cool - intense discussion.
- Collected - list and think critically.
INCIDENT MANAGEMENT includes:
- Detection
- Response tools
- Categorization
- Containment
- Remediation
- Recovery and restoration
Important
3- INCIDENT DETECTION
How to detect the incident:
- Automated detection tools
- Reporting
- Detection by observing traffic, CPU usage
4- INCIDENT CONTAINMENT
How to contain an incident:
- Isolate the system?
- Remove the affected device?
- Remove?
- Protect?
This should be documented.
5- REMEDIATION
- Fix the source of the problem
- Close unauthorized paths
- Remove malware
- etc.
In this phase you may want to work with the asset owner and data owner.
6- RECOVERY AND RESTORATION
- Establish contingency plans
- Patch and maintain all backup systems
- Verify failover systems
- Establish a plan to run segments in isolation
- Test backups
- Establish and run acceptance tests
This also includes defining procedures to provide for the tests and declare the IACS fully operational.
7- Once you are done there is another phase called POST-INCIDENT ANALYSIS AND FORENSICS
The idea of this phase is to gain an understanding of how it happened and why.
The forensic process is as follows: CEAR
- Collection
- Examination
- Analysis
- Reporting
1- Collection phase
- Time is important
- Secure sensitive data
- Preserve the scene
- Protect the evidence
2- Examination
- Establish a checklist
- Identify the key people and personnel
- Identify normal and abnormal operation
- Identify requirements
- Identify remote access
- Identify any protections
- Conduct interviews; operations personnel can give you a lot of insight
3- Analysis
- Use a packet analyzer, network analyzer, and packet sniffer
- Check cabling and wiring as well!
- Know how to identify any alarms: HMI alarm view alarms
- Windows event logs can also be configured
4- Reporting
- Preserve forensic data
- Keep detailed notes and reports; don't rely on memory
- Detected computers
INCIDENT RESPONSE PLANNING INCLUDES:
- Overview, goals and objectives
- Incident description
- Incident detection
- Incident notification
- Incident analysis
- Response actions
- Communication
- Forensics
Incident response plan includes:
- Incident analysis
- Incident description
- Forensics