Cybersecurity of Industrial Systems

Jean-Marie Flaus is Professor at the University of Grenoble, France, and teaches in several engineering schools. He is an expert on the cybersecurity of industrial systems and conducts research at the G-SCOP laboratory, in collaboration with INERIS and large companies.

• Foreword xiiiIntroduction xixChapter 1. Components of an Industrial Control System 11.1. Introduction 11.1.1. Definition: automated and cyber-physical systems 11.1.2. Definition: Information System (IS) 11.1.3. Definition: industrial IS or ICS 21.1.4. Definition: IT and OT system 41.1.5. Definition: SCADA 41.1.6. Definition: Distributed Control Systems (DCS) 51.1.7. Definition: Industrial Internet of Things (IIOT) 51.1.8. Different types of ICS 61.2. From the birth of the PLC to the SCADA system 61.3. Programmable logic controller (PLC) 81.4. RTU, master terminal unit and intelligent electronic device 121.5. Programmable Automation Controller 131.6. Industrial PC 131.7. Safety instrumented systems 131.8. Human–machine interface (HMI) 151.9. Historians 171.10. Programming and parameter setting stations 171.11. Industrial Internet of Things (IIoT) 181.12. Network equipment 191.12.1. Switch and hub 191.12.2. Router and gateway 201.12.3. Firewall 201.12.4. IoT gateway 201.13. Data processing platform 211.14. Lifecycle of an ICS 22Chapter 2. Architecture and Communication in an Industrial Control System 252.1. Network architecture 252.1.1. Purdue model and CIM model 262.1.2. Architecture of the Industrial Internet of Things 292.2. Different types of communication networks 312.2.1. Topology 312.2.2. Types of networks 332.2.3. Virtual private network 342.2.4. OSI model 342.3. Transport networks 352.3.1. Ethernet 352.3.2. Wi-Fi 362.3.3. The IEEE 802.15.1 (Bluetooth) standard 362.3.4. IEEE 802.15.4 networks 372.3.5. LPWAN networks 382.3.6. Cellular networks 382.4. Internet protocols 392.4.1. The Internet protocol 392.4.2. Transmission Control Protocol 392.4.3. Unified Datagram Protocol (UDP) 422.4.4. Address Resolution Protocol (ARP) 422.4.5. Internet Control Message Protocol (ICMP) 422.4.6. The IPv6 protocol 432.5. Industrial protocols 432.5.1. Introduction 432.5.2. Modbus 452.5.3. Profibus and Profinet 462.5.4. Actuator/sensor interface 472.5.5. Highway Addressable Remote Transducer 482.5.6. DNP3 and IEC 60870 482.5.7. The CAN bus 492.5.8. Ethernet/IP and Common Industrial Protocol (CIP) 492.5.9. OLE for Process Control (OPC) 512.5.10. Other protocols 522.6. IoT protocols 522.6.1. 6LowPAN 532.6.2. Message Queuing Telemetry Transport 532.6.3. CoAP 542.6.4. Other protocols 54Chapter 3. IT Security 573.1. Security objectives 573.1.1. The AIC criteria 573.1.2. The different levels of IT security 613.2. Differences between IT and OT systems 643.2.1. The functionalities 643.2.2. The technology 653.2.3. System lifecycle 663.2.4. Security management 673.2.5. IT/OT convergence 683.2.6. Summary 683.3. Risk components 703.3.1. Asset and impact 703.3.2. Threats 713.3.3. Attacks 713.3.4. Vulnerabilities 723.3.5. Definition of risk 733.3.6. Scenarios and impact 743.3.7. Risk measurement 753.4. Risk analysis and treatment process 773.4.1. Principle 773.4.2. Acceptance of risk 793.4.3. Risk reduction 793.5. Principle of defense in depth 803.6. IT security management 823.7. Risk treatment process 853.8. Governance and security policy for IT systems 863.8.1. Governance 863.8.2. Security policy 873.9. Security management of industrial systems 88Chapter 4. Threats and Attacks to ICS 914.1. General principle of an attack 914.2. Sources of threats 954.3. Attack vectors 984.4. Main categories of malware 994.4.1. Virus/worms 1004.4.2. Trojan horse 1004.4.3. Logical bomb 1014.4.4. Rootkit 1014.4.5. Spyware 1014.4.6. Back doors 1014.4.7. Botnet 1024.4.8. Ransomware 1034.5. Attacks on equipment and applications 1034.5.1. Buffer overflow and integer overflow 1034.5.2. Attack by brute force 1044.5.3. Attack via a zero day flaw 1054.5.4. Side-channel attacks 1054.5.5. Attacks specific to ICS equipment 1064.5.6. Attacks on IIoT systems 1074.6. Site attacks and via websites 1084.7. Network attacks 1094.7.1. Man-in-the-middle 1094.7.2. Denial of service 1104.7.3. Network and port scanning 1114.7.4. Replay attack 1124.8. Physical attacks 1124.9. Attacks using the human factor 1134.9.1. Social engineering 1134.9.2. Internal fraud 1144.10. History of attacks on ICS 1144.11. Some statistics 119Chapter 5. Vulnerabilities of ICS 1215.1. Introduction 1215.2. Generic approach to vulnerability research 1225.3. Attack surface 1245.4. Vulnerabilities of SCADA industrial systems 1265.5. Vulnerabilities of IoT industrial systems 1285.6. Systematic analysis of vulnerabilities 1305.7. Practical tools to analyze technical vulnerability 1365.7.1. Databases and information sources 1375.7.2. Pentest tools 1375.7.3. Search engines 139Chapter 6. Standards, Guides and Regulatory Aspects 1416.1. Introduction 1416.2. ISO 27000 family 1426.3. NIST framework and guides 1446.3.1. NIST Cyber Security Framework 1446.3.2. The guides 1456.4. Distribution and production of electrical energy 1486.4.1. NERC CIP 1486.4.2. IEC 62351 1506.4.3. IEEE 1686 1516.5. Nuclear industry 1516.5.1. The IAEA technical guide 1516.5.2. IEC 62645 1526.6. Transportation 1536.6.1. Vehicles 1536.6.2. Aeronautics 1536.7. Other standards. 1546.7.1. National Information Security Standards 1546.7.2. Operating safety standards 1546.8. ANSSI’s approach 1556.9. Good practices for securing industrial Internet of Things equipment 1596.9.1. Trust base (root of trust) 1606.9.2. Identity management (endpoint identity) 1616.9.3. Secure boot 1616.9.4. Cryptographic services 1616.9.5. Secure communications 1626.9.6. Equipment configuration and management 1626.9.7. Activity dashboard and event management by a SIEM 1626.10. Legislative and regulatory aspects 163Chapter 7. The Approach Proposed by Standard 62443 1677.1. Presentation 1677.2. IACS lifecycle and security stakeholders 1697.3. Structure of the IEC 62443 standard 1707.4. General idea of the proposed approach 1727.5. Basics of the standard 1747.5.1. Fundamental requirements 1747.5.2. Security Levels (SL) 1777.5.3. Zones and conduits 1807.5.4. Maturity level 1827.5.5. Protection level 1837.6. Risk analysis 1847.6.1. General approach 1857.6.2. Detailed risk analysis 1867.6.3. Determination of SL-T 1877.6.4. Countermeasures 1887.7. Security management 1897.8. Assessment of the level of protection 1907.9. Implementation of the IEC 62443 standard 1917.9.1. Certification 1917.9.2. Service providers and integrators 1927.9.3. IACS Operators 192Chapter 8. Functional Safety and Cybersecurity 1938.1. Introduction 1938.1.1. Components of operational safety 1938.1.2. SIS and SIL levels 1988.2. IEC 61508 standard and its derivatives 2008.3. Alignment of safety and security 2038.4. Risk analysis methods used in operational safety 2048.4.1. Preliminary hazard analysis 2048.4.2. Failure Mode and Effects Analysis 2058.4.3. HAZOP 2078.4.4. Layer Of Protection Analysis 2088.4.5. Fault trees and bowtie diagrams 210Chapter 9. Risk Assessment Methods 2139.1. Introduction 2139.2. General principle of a risk analysis 2149.2.1. General information 2149.2.2. Setting the context 2179.2.3. Risk identification 2189.2.4. Estimation of the level of risk 2199.2.5. Risk assessment and treatment 2199.2.6. Tailor-made approach and ICS 2219.3. EBIOS method 2219.3.1. Workshop 1: framing and security base 2229.3.2. Workshop 2: sources of risk 2269.3.3. Workshop 3: study of strategic scenarios 2279.3.4. Workshop 4: study of operational scenarios 2299.3.5. Workshop 5: risk treatment 2309.3.6. Implementation for ICS 2339.4. Attack trees 2349.5. Cyber PHA and cyber HAZOP 2369.5.1. Principle 2369.5.2. Cyber PHA 2399.5.3. Cyber HAZOP 2439.6. Bowtie cyber diagram 2459.7. Risk analysis of IIoT systems 246Chapter 10. Methods and Tools to Secure ICS 24910.1. Identification of assets 24910.2. Architecture security 25310.2.1. Presentation 25310.2.2. Secure architecture 25410.2.3. Partitioning into zones 25510.3. Firewall 25710.4. Data diode 26010.5. Intrusion detection system 26110.5.1. Principle of operation 26110.5.2. Detection methods 26410.5.3. Intrusion detection based on a process model 26710.6. Security incident and event monitoring 26810.7. Secure element 270Chapter 11. Implementation of the ICS Cybersecurity Management Approach 27311.1. Introduction 27311.1.1. Organization of the process 27311.1.2. Technical, human and organizational aspects 27511.1.3. Different levels of implementation and maturity 27511.2. Simplified process 27611.3. Detailed approach 27711.4. Inventory of assets 27911.4.1. Mapping 27911.4.2. Documentation management 27911.5. Risk assessment 28011.6. Governance and ISMS 28111.6.1. Governance of the ICS and its enviroment 28111.6.2. ISMS for ICS 28111.7. Definition of the security policy and procedures 28211.8. Securing human aspects 28311.9. Physical security 28411.10. Network security 28511.11. Securing exchanges by removable media 28511.12. Securing machines 28511.12.1. Securing workstations and servers 28511.12.2. Securing engineering stations 28611.12.3. Securing PLCs 28611.12.4. Securing IIoT equipment 28711.12.5. Securing network equipment 28711.12.6. Antivirus 28711.13. Data security and configuration 28811.14. Securing logical accesses 28911.15. Securing supplier and service provider interactions 29011.16. Incident detection 29111.16.1. Logging and alerts 29111.16.2. Intrusion detection system 29111.16.3. Centralization of events (SIEM) 29111.17. Security monitoring 29111.17.1. Updating mapping and documentation 29111.17.2. Security patch management 29111.17.3. Audit of the facility 29211.18. Incident handling 29211.19. Recovery 29311.19.1. Backup 29311.19.2. Business continuity plan 29411.20. Cybersecurity and lifecycle 294Appendix 1 295Appendix 2 303Appendix 3 309Appendix 4 329Appendix 5 355Appendix 6 361List of acronyms and abbreviations 363References 367Index 377