ICS and SCADA Security Secrets and Solutions
Clint Bodungen, Bryan L. Singer, Aaron Shbeeb, Kyle Wilhoit, Stephen Hilt
At a Glance
Part I Setting the Stage: Putting ICS Penetration Testing in Context
1 Introduction to Industrial Control Systems [in]Security
2 ICS Risk Assessment
3 Actionable ICS Threat Intelligence through Threat Modeling
Part II Hacking Industrial Control Systems
4 ICS Hacking (Penetration Testing) Strategies
5 Hacking ICS Protocols
6 Hacking ICS Devices and Applications
7 ICS “Zero-Day” Vulnerability Research
8 ICS Malware
Part III Putting It All Together: Risk Mitigation
9 ICS Security Standards Primer
10 ICS Risk Mitigation Strategies
Part IV Appendixes
A Glossary of Acronyms and Abbreviations
B Glossary of Terminology
C ICS Risk Assessment and Penetration Testing Methodology
Flowcharts
Index
Purchase Now !
Just with Paypal
Just with Paypal
Book Details
Price
|
4.00 USD |
|---|---|
Pages
| 592 p |
File Size
|
12,797 KB |
File Type
|
PDF format |
ISBN
| 978-1-25-958972-0 |
Copyright
| 2017 by McGraw-Hill Education |
Clint Bodungen (Houston, Texas)
Clint Bodungen is a Senior Critical Infrastructure Security Researcher with
Kaspersky Lab. He has more than 20 years of experience in the “cyber” security
industry, specializing in risk assessment, penetration testing, and vulnerability
research. More than half of his 20 years in the industry has been focused
exclusively on industrial control systems. He has been programming and
“hacking” computers since the age of 11 and has been developing applications
and tools for Unix/Linux since the mid-1990s. He began his professional career
serving in the United States Air Force as his unit’s Computer Systems Security
Officer (CSSO) and OPSEC Manager, and holds a degree in Industrial Design
Technology. He found his passion for threat research and systems testing while
working for Symantec and testing their IDS applications. He was introduced to
ICS in 2003 when he was hired by an industrial automation consulting firm to
help a major oil & gas company secure their SCADA system. Since then, Clint
has led ICS risk assessment and penetration testing projects for many of the
country’s top energy organizations, and he continues his efforts in vulnerability
research in collaboration with ICS vendors. He has developed and taught dozens
of ICS security training courses and is a frequent presenter at ICS cybersecurity conferences.
Bryan L. Singer, CISSP, CAP (Montevallo, Alabama)
Bryan Singer is a principal investigator with Kenexis Security Corporation,
specializing primarily in industrial control systems and SCADA security and is
an industry-recognized industrial security expert. He began his professional
career with the U.S. Army as a paratrooper and intelligence analyst. Since then,
Bryan has designed, developed, and implemented large-scale industrial
networks, cybersecurity architectures, and conducted penetration tests and
cybersecurity assessments worldwide across various critical infrastructure fields,
including power, oil & gas, food & beverage, nuclear, automotive, chemical, and
pharmaceutical operations. In 2002, he became the founding chairman of the
ISA-99/62443 standard, which he led until 2012. His areas of technical expertise
are in software development, reverse engineering, forensics, network design,
penetration testing, and conducting cybersecurity vulnerability assessments.
Bryan lives in Montevallo, Alabama, and is a frequent author, speaker, and
contributor to the ICS security field.
Aaron Shbeeb (Houston, Texas)
Aaron Shbeeb became interested in programming and computer security in his
early teenage years. He graduated from The Ohio State University with a
bachelor’s of science degree in computer science engineering. He has worked for
over a decade in programming and/or security jobs and has focused strongly on
secure programming practices. Since 2008, he has worked as a penetration tester
and security researcher focusing on ICS/SCADA systems, both professionally and personally.
Stephen Hilt (Chattanooga, Tennessee)
Stephen Hilt has been in information security and ICS security for over 10 years.
With a bachelor’s degree from Southern Illinois University, he started working
for a large power utility in the United States. There, Stephen gained an extensive
background in security network engineering, incident response, forensics,
assessments, and penetration testing. He then began focusing on ICS
assessments and NERC CIP assessments. With that experience, Stephen then
moved on to working as an ICS security consultant and researcher for one of the
foremost ICS security consulting groups in the world, Digital Bond. In 2014 and
2015, Stephen was acknowledged for having one of the top coolest hacks by
Dark Reading. He has also published numerous ICS-specific Nmap scripts to
identify ICS protocols via native commands. Stephen, as a Trend Micro Sr.
Threat Researcher, continues ICS research and diving into other areas of advanced research.
Kyle Wilhoit (Festus, Missouri)
Kyle Wilhoit is a Sr. Threat Researcher at Trend Micro, where he focuses on
hunting badness on the Internet. Prior to Trend Micro, he was a hunter at
FireEye, focusing on nation-state actors. If Kyle isn’t traveling around the globe,
you can find him in his hometown of St. Louis.
About the Contributor and Technical Editor
W. Stuart Bailey (Houston, Texas), CISSP, GICSP, is an IT security
professional with over 17 years of experience in both corporate and industrial
control systems networks. Stuart started his career in healthcare, working for a
large clinic system and Baylor College of Medicine in the Texas Medical Center,
where he held various positions on the networking, server, and security teams.
Stuart then moved on to upstream oil & gas at Noble Energy, where he
established the control systems security program, and he discovered his passion
for industrial control systems security. He currently is on the security team for a
major public utility in Texas. Stuart’s extensive experience includes designing
and conducting onsite security assessments for oil and gas exploration and
production facilities, both onshore and offshore, designing control systems
incident response plans, establishing ICS policies and procedures, establishing
security awareness training, consulting on new ICS projects, and evaluating and
deploying new ICS software and hardware.
About the Series Editor
Joel Scambray is a Principal at Cigital, a leading software security consulting
firm established in 1992. He has helped Fortune 500–class organizations address
information security challenges for over 20 years as a consultant, author, and
speaker; business leader; and entrepreneur. He is widely recognized as co-author
of the Hacking Exposed™ book series, and has worked/consulted for companies
including Microsoft, Foundstone, Amazon, Costco, Softcard, and Ernst & Young.
Table of Contents
Acknowledgments
Introduction
Part I Setting the Stage: Putting ICS Penetration Testing in Context
CASE STUDY, PART 1: Recipe for Disaster
1 Introduction to Industrial Control Systems [In]Security
Cyberphysical Systems: The Rise of the Machines
New Vectors to Old Threats
The Consequences: What Could Happen?
Understanding Realistic Threats and Risks to ICS
Overview of Industrial Control Systems
View
Monitor
Control
Purdue Reference Model for ICS
Types of Common Control Systems, Devices, and
Components
Summary
References for Further Reading
2 ICS Risk Assessment
ICS Risk Assessment Primer
The Elusive ICS “Risk Metric”
Risk Assessment Standards
What Should an ICS Risk Assessment Evaluate and Measure?
ICS Risk Assessment Process Overview
ICS Risk Assessment Process Steps
Stage 1: System Identification & Characterization
Stage 2: Vulnerability Identification & Threat Modeling
Next Steps
Summary
References for Further Reading
3 Actionable ICS Threat Intelligence through Threat Modeling
Threat Information vs. Threat Intelligence
Threat Modeling: Turning ICS Threat Information into
“Actionable” Threat Intelligence
The ICS Kill Chain
The ICS Threat Modeling Process
Information Collection
Summary
References for Further Reading
CASE STUDY, PART 2: The Emergence of a Threat
Part II Hacking Industrial Control Systems
CASE STUDY, PART 3: A Way In
4 ICS Hacking (Penetration Testing) Strategies
The Purpose of a Penetration Test
Black Box, White Box, Gray Box
Special Considerations: ICS Penetration Testing Is Not IT
Penetration Testing
Setting Up a Lab
Sampling “Like” Configured Systems
Virtualization
Equipment
Rules of Engagement
Using Risk Scenarios
ICS Penetration-Testing Strategies
Reconnaissance (“Footprinting”)
External Testing
Pivoting
Thinking Outside of the Network: Asymmetric and
Alternative Attack Vectors
Internal Testing: On the ICS Network
Summary
Resources for Further Reading
5 Hacking ICS Protocols
Modbus
EtherNet/IP
DNP3
Siemens S7comms
BACnet
Other Protocols
Protocol Hacking Countermeasures
Summary
References for Further Reading
6 Hacking ICS Devices and Applications
Exploiting Vulnerabilities in Software
Some Basic Principles
Buffer Overflows
Integer Bugs: Overflows, Underflows, Trunction, and Sign
Mismatches
Pointer Manipulation
Exploiting Format Strings
Directory Traversal
DLL Hijacking
Cross-Site Scripting
Cross-Site Request Forgery (CSRF)
Exploiting Hard-Coded Values
Brute-Force
All Software Has Bugs
Summary
References for Further Reading
7 ICS “Zero-Day” Vulnerability Research
Thinking Like a Hacker
Step 1: Select Target
Step 2: Study the Documentation
Step 3: List and Prioritize Accessible Interfaces
Step 4: Analyze/Test Each Interface
Fuzzing
Static Binary Analysis
Dynamic Binary Analysis
Step 5: Exploit Vulnerabilities
Putting It All Together: MicroLogix Case Study
Research Preparation
Before Diving In
Creating a Custom Firmware
Summary
References for Further Reading
Tools
General References
8 ICS Malware
ICS Malware Primer
Dropper
Rootkits
Viruses
Adware and Spyware
Worms
Trojan Horses
Ransomware
Infection Vectors
Analyzing ICS Malware
Lab Environment
Summary
References for Further Reading
CASE STUDY, PART 4: Foothold
Part III Putting It All Together: Risk Mitigation
CASE STUDY, PART 5: How Will It End?
9 ICS Security Standards Primer
Compliance vs. Security
Common ICS Cybersecurity Standards
NIST SP 800-82
ISA/IEC 62443 (formerly ISA-99)
NERC CIP
API 1164
CFATS
NRC Regulations 5.71
General Cybersecurity Standards
NIST Cybersecurity Framework
ISO/IEC 27002:2013
Summary
References for Further Reading
10 ICS Risk Mitigation Strategies
Addressing Risk
Special ICS Risk Factors
Confidentiality, Integrity, and Availability (CIA)
Defense-in-Depth
Safety
General ICS Risk Mitigation Considerations
ICS Network Considerations
ICS Host-Based Considerations
ICS Physical Access Considerations
Exploits, Threats, and Vulnerabilities
Eliminating Exploits
Eliminating Threats
Eliminating Vulnerabilities
Additional ICS Risk Mitigation Considerations
System Integration Issues
Compliance vs. Security
Insurance
Honeypots
The Risk Mitigation Process
Integrating the Risk Assessment Steps
Integrating the Risk Scenarios
Performing a Cost-Benefit Analysis
Establishing the Risk Mitigation Strategy
Summary
References for Further Reading
Part IV Appendixes
A Glossary of Acronyms and Abbreviations
B Glossary of Terminology
C ICS Risk Assessment and Penetration Testing Methodology
Flowcharts
Bookscreen
Introduction
Hacking Exposed™—Industrial Strength Make no mistake about it, this book follows in the same spirit as the rest of the Hacking Exposed™ series. Whether you call it penetration testing (aka
pentesting), ethical hacking, or red team testing, this book explores
cybersecurity (as the subject has come to be known, like it or not) from an
offensive perspective. In this edition, however, we are examining industrial
control system (ICS) cybersecurity, or in-security as the case may be.
What This Book Is and What This Book Isn’t
Whether it’s being used as a guide to ICS penetration testing or for offline threat
modeling, this book aims to arm readers with the type of “offensive” knowledge
that the bad guys already possess, so readers’ risk management efforts are more
accurate and cost-effective. We use the term management here because
mitigating the risk might not always be the best choice. In some instances, the
optimal (or only) solution may be to just reduce, accept, or transfer the risk.
Pentesting is often required by several industrial security standards and
should be a part of every risk management program, but our intent here is not to
provide “compliance” guidance related to specific ICS cybersecurity standards.
This book is also not meant to serve as an inclusive guide to ICS risk
mitigation/management techniques. As already mentioned, several publications
have been written from those perspectives, so there is no need to replicate those
guides yet again. Instead, the mitigation techniques and countermeasures we will
discuss are specifically related to the attacks and strategies mentioned in this book.
We will discuss many of the technical details and exploitation techniques of
several ICS vulnerabilities with publicly disclosed CVEs and ICS-CERT
advisories. However, before ICS vendors and other members of the industrial
communities begin to get too upset, we should mention that we will not be
disclosing any zero-day (undisclosed) vulnerabilities or exploits. Everything
discussed in this book can already be found in the public domain in some form
or another. What we will be doing is dissecting and examining several of these
CVEs and ICS-CERT advisories in further detail in order to demonstrate how to
perform pentesting, vulnerability research, and threat modeling as specifically
applied to ICS devices, applications, and environments.
This book is also not meant to be a comprehensive introduction to ICS or
general pentesting. We will provide supporting information where we feel it is
functionally necessary and contextually appropriate, however, or point you in the
right direction in the event you do need supplemental instruction or information.
For example, a portion of the reader base might not have a working knowledge
of ICS environments, so we do provide a high-level baseline introduction to ICS
at a depth that supports the rest of the context of this book. (Those who already
have a solid understanding of ICS will probably want to skip that information.)
Similarly, there may also be a portion of readers who are not familiar with the
fundamentals of penetration testing. There are a plethora of resources already
available on various traditional pentesting disciplines all the way from
introductory to advanced (such as the other Hacking Exposed™ titles).
Our overall goal is to focus on the ICS-specific details related to the topics
covered throughout this book. Rest assured; for those who are seeking further
details and guidance that are outside the scope of this book, we will provide
information, links, and references for further reading where appropriate.
Who Should Read This Book
This book should serve as a valuable resource to a variety of audiences
interested in ICS cybersecurity, but it is ultimately intended for those who are
interested in the technical details surrounding ICS-specific vulnerabilities,
threats/threat modeling, and pentesting techniques. This group could include
• Penetration testers tasked with ICS-specific pentesting projects or looking to add ICS pentesting techniques to their skillset
• Cybersecurity analysts tasked with monitoring ICS networks
• ICS cybersecurity threat intelligence analysts
• Vulnerability researchers embarking on ICS-related devices and applications
• Cybersecurity product developers working on products that will apply to ICS devices, applications, and networks
• ICS vendors
• General cybersecurity enthusiasts and aspiring penetration testers looking to add ICS penetration testing to their skillset Other groups who this book will appeal to are
• ICS asset owners and managers who are responsible for hiring a team to
conduct a pentest on their systems
• ICS asset owners and managers in charge of an ICS security team
Although this group may not need to know all of the technical details of ICS
pentesting, they should have a general understanding of ICS cybersecurity
threats and pentesting techniques.