Professional Documents
Culture Documents
SANS 2023 ICS Field Manual Vol3 v3
SANS 2023 ICS Field Manual Vol3 v3
SANS 2023 ICS Field Manual Vol3 v3
D
ICS C y b
EL
FI UAL
M AN Vol.
3
Author:
Dean Parsons
B.SC., GICSP, GRID, CISSP,
GSLC, GCIA
Certified SANS Instructor |
CEO ICS Defense Force Inc. &
ICS Cybersecurity Leader
Contents
ICS incident response in practice 19 system security for you and your teams. The three manuals
consist of several sections and focus on different aspects of
ICS connectivity: business benefits and cyber risk 20
ICS cyber defense.
Prioritize for safety 21
ICS security management choices 22
ICS security leadership pathways 23
The ICS security defender skillset recipe 24
ICS cybersecurity team roles 25
Key ICS management takeaways 27
Epilogue to Volume 3 28
The ICS community forum 29
The SANS ICS curriculum 30
1 https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A
2 https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
ICS incident response adapts traditional incident response phases to suit engineering Traditional IT containment and so according to facility stakeholders
environments, prioritizes safety in every phase, and includes different multi-team eradication steps may cause more and engineering. ICS security must
stakeholders. ICS incident response stakeholders include engineering operators, damage to safety, engineering, continue to monitor and actively
external control system support vendors, government agencies, physical safety teams, and production than the threats defend against the incident. Only then
physical security teams, IT security, ICS security, etc., with direction from the owner/ themselves. Care must be given in this can the response team, in conjunction
operators of the ICS facilities. phase to apply deep knowledge of with applicable stakeholders, begin to
how threats impact control systems restore engineering systems to their
The objectives for each phase of an ICS-specific incident response⁵ include:
and what a possible response could normal operational state and regain full
mean for operations and safety during production of engineering operations
Phase 1: Prepare Phase 2: Identify and containment and eradication. at all levels of the Purdue Network
Have well-defined, well- Detect Threat Architecture.
Phase 5: Contain
communicated roles and Deploy ICS-specific network
Preserve operations through
responsibilities and trained ICS-specific visibility and threat identification
logical or physical changes
security defenders who understand techniques. These techniques are driven
in the control environment to further
engineering and can investigate control by consuming and applying sector-
reduce impacts to safety and control Career Development
systems-related cyber events. A cyber- specific threat intelligence across the
systems. ICS Security, Engineers, and Opportunity - ICS515
defensible position must be established ICS Cyber Kill Chain.⁶
Operator teams fight through the attack,
as part of a well-tested and regularly In the ICS515: ICS Visibility, Detection,
Phase 3: Acquire working together where evidence and
updated ICS-specific incident response and Response course, students explore
Evidence intelligence can be shared, and contain
plan. Technical ICS security teams numerous hands-on technical labs and
Fight through the attack the threat with as little disruption to
must ensure tools and skills are tested data sets from ICS ranges and equipment
while maintaining safety; acquiring key safety and operations as possible.
and ready to be deployed. This means with emulated attacks and real-world
network communications, endpoint, and
they should understand the industrial malware deployed in the ranges for a
engineering device logs; and making
protocols used, what normal ICS highly simulated experience detecting
evidence available for meaningful and
network communications look like, and and responding to control system
timely forensics analysis.
possess the ability to spot abnormalities threats. Students will also interact
in the traffic. with and keep a PLC, a physical kit
emulating electric system operations
at the generation, transmission, and
distribution level, and a virtual machine
set up as an HMI and engineering
5 https://www.sans.org/cyber-security-courses/ics-visibility-detection-response/
6 https://www.sans.org/white-papers/36297/ workstation (EWS).
Phase 7: Lessons
Learned
Phase 8: Share
Information Considerations for ICS
Similar to traditional IT
incident response, use this phase to
Share relevant tactical,
strategic, and operational threat
incident response
conduct and apply lessons learned intelligence and cybersecurity lessons
to improve response and restoration learned which might be of use for There is a common misconception where a utility may think they are too small to be
efforts for future incidents. defense in the larger ICS and critical a target of an ICS cyber attack or impactful cyber event. The reality is, however, that
infrastructure community. adversaries often target smaller facilities to develop and test attack methodologies
in preparation to attack their ultimate target environment. Small or large, all ICS
environments should have an industrial-grade incident response plan.
In particular, ICS-specific incident response phases must consider all unique aspects
Preparation & Planning
Containment
confidentiality, the integrity to trust
Legacy Systems
Considering Safety operations, and the availability of
Systems and devices that may not be
engineering devices.
eligible for patching or firmware updates
Figure 2: ICS Incident Response Phases or may only be available for infrequent Protecting Physical Assets
updates to internal operating systems, Control systems use physical
such as during a scheduled engineering components to change the physical
maintenance window. world. A cyber attack could result in
physical damage to engineering assets,
environmental impacts, and safety
implications such as injury or death.
timeline analysis. Advises the Teams prepared for physical Baseline images of critical ICS assets
Hardcopy ICS-specific incident
Incident Response Director on first aid, emergency response, response playbooks and Data acquisition tools – prioritize
available actions to reduce the evacuation strategies for network diagrams command-line tools and memory
impact on safety and operations. physical site safety, external
Network/converter Personal protective
communications or reporting, cables, (e.g., USB to serial) equipment (PPE) for safety
intelligence gathering and sharing,
and efforts beyond the site. Out-of-band communications,
Contact list for safety, engineering, (e.g., handheld radios on-site)
integrators, security, and emergency
response team
Offline malware Site-specific physical
analysis tools safety training certificates
(static, interactive,
automated)
7 https://youtu.be/ZR4Jy9K0AhI
Rapid yet thorough analysis of data acquired from critical assets and the ICS network gaining physical or logical access to crude oil distillation process or maintain
traffic to and from those assets, combined with knowledge of engineering operations, a network, system, or data without pipeline pressure.
will help teams determine when full industrial incident response must be performed. authorization, or introducing a cyber-
Manipulation of Control System
contaminant that could impact process
Use the following event conditions to help determine the potential risk to engineering, Operations
control views or controls.
understand where the attack is in the ICS Cyber Kill Chain, and when it is appropriate to The abuse of internal native system
shift to full industrial incident response. Exfiltration of Sensitive components or protocols such as HMI
Industrial System Information commands and ICS protocols such as
An ICS cyber incident exfiltrating EthernetIP, ModbusTCP, DNP3, 61850,
sensitive control system data could be OPC, etc. For example, DNP3 is used to
Manipulation used to cause harm. For example, ICS send unauthenticated “open breaker”
Loss of of control
Malicious code, field device ladder logic, control system commands to remote terminal unit (RTU)
visibility system
unauthorized configuration, or historian database field devices to open electric circuit
of control operations
access detected
process entries are copied off a network. This breakers and cut power.
is an indication of a follow-on (non-
Physical Damage to Assets or
immediate but potentially imminent)
Safety Concerns
targeted ICS cyber attack.
An ICS cyber incident affecting the
Loss of Control Process physical properties or integrity of
Escalation factors of ICS Visibility physical assets, or introducing a
Incident Response An ICS cyber incident affecting potential physical safety impact to
the ability to view the state of the plant operators, workers, and/or on-site
physical process. For example, a power visitors, contractors, etc.
generating facility is unable to view
the current system load or the current
Loss of power grid operating frequency to
Exfiltration process Physical damage
of sensitive maintain 60Hz.
controls to assets or
industrial safety concerns
system
information
While IT/OT convergence of both technology and workforce poses unique challenges, Successful ICS incident response requires a clear understanding of roles,
it can drive a more realistic ICS threat detection and response process. A converged responsibilities, physical safety, engineering protocols and process, network visibility,
incident response plan must consider available cybersecurity defenses in both detection, and forensics capabilities. Facilities benefit from a tested, safe, and
defensible cyber position. Consider the following when adapting traditional incident
environments and work to reduce the impact of attacks through IT into ICS, which is
response steps to suit industrial control environments:
a common vector adversaries leverage that has been observed time and again. This
more realistic process can provide early warning signs of an attack that could impact or Acquire forensics data from key ICS Examine the connectivity and
specifically target the industrial process. Incident response for ICS should consider the assets. isolation of legacy devices.
following: Triage quickly to understand the Develop countermeasures.
threat via static or automated Use indicator “hits” to scope
malware analysis. incident and related contamination.
The ICS-Specific Incident Response Plan
Collaborate with engineering staff Compare production and baselined
Conduct realistic ICS tabletop exercises driven by sector-specific control system
and senior management. configurations to detect tampering
threat intelligence or ICS gaps identified in your cybersecurity program or facility
Determine operational impacts. in controllers, etc.
to ensure your ICS-specific incident response plan meets the needs of an ICS cyber
Analyze the impact of any reliance Identify and apply lessons learned
attack.
on external vendors and IT. (e.g., correct gaps in evidence
Execute the Safe Cyber Position⁸ if acquisition, deploy additional
ICS-Specific Network Security Monitoring ICS network visibility, detection
applicable.
Ensure “plant floor” network visibility with ICS deep-packet inspection to drive capabilities, and determine whether
Present analysis and options
incident response or proactive threat hunting. Network visibility capabilities should threats are malware or human
(blocking C2 access, running ICS in
go beyond simply querying about indicators of compromise and also include adversaries).
manual mode, removing remote
capabilities to assist with analyzing threat tradecraft. access, etc.) to fight through the Apply lessons learned to the ICS
attack (contain/eradicate). incident response plan.
Trained ICS-Specific Security Defenders Contain threats while running
Trained ICS cybersecurity personnel must understand the nuances between operations. Career Development
traditional IT and ICS security, the ICS mission, safety, the engineering process, and Eradicate when it is safe for Opportunity - ICS612
ICS protocols and active defense procedures. operations. ICS612: ICS Cybersecurity In-Depth is an in-
Engineering systems include PLCs, RTUs, protection control relays, embedded HMIs,
SISs, distributed control systems (DCSs), solenoids, meters, field bus communications,
sensors, and actuators. For decades, these engineering devices and systems have
operated the critical infrastructure we rely on in isolation. And, while modern
connectivity into ICSs is becoming common and has led to increased data accessibility Prioritize for safety
across traditional IT and OT environments with several benefits, as detailed in the below
graphic, it also presents greater threats to security.
Significant risks to safety can occur if Did the organization select their
proritizing IT or traditional business focus based on what was most
systems over industrial control systems important for the safety of the people,
or if the ICS/OT security reporting environment, and organization overall?
structure fails to fully embrace the Today’s ICS incident response teams
differences between IT and ICS/OT. must understand the control system
processes, engineering, industrial
Consider, for instance, a security
protocols, safety factors, and ICS-
incident on the IT business email
Figure 4: Benefits of Modern ICS Connectivity specific cyber threats, and tailor
system and a security incident on the
incident response playbooks and risk
supervisory control and data acquisition
Enabling connectivity to previously isolated engineering environments results in management strategies accordingly.
(SCADA) system of a power grid
these environments now being exposed. Recent ICS attacks that take advantage of this occurring simultaneously. Which incident
increased ICS connectivity have been created and deployed by adversaries-for-hire and gets priority? What pace and rigor will
rogue nation-states which have the means and motivation to disrupt operations and the organization give to the priority
impact safety. The good news is, ICS/OT cybersecurity defense is totally achievable with
Career Development
incident? Specifically, what drives the
Opportunity - ICS418
an effective team and an ICS security approach to risk management! decision to manage these very different
risks? And, what are the related impacts The SANS ICS418: ICS Security Essentials
for Managers course includes an ICS
in these different environments?
attack history walkthrough for new and
existing ICS/OT security managers with
a major focus on lessons learned for
improved ICS risk management.
Technology and processes (even if automated) do not get us far in the defense As ICS cybersecurity roles and tasks emerge and evolve, ICS managers who are building
area without a trained and focused workforce. Human defenders—the people, our their teams should consider staffing for the following roles:
workforce—are those who use ICS security technologies, work with engineering, safety,
business, IT security, and other teams. These ICS defenders understand the ICS mission, Unique Systems OT vendors and/or integrators and
possible impacts, and engineering recovery. They understand the industrial process, ICS Cybersecurity Analyst law enforcement in safeguarding the
protocols, normal vs. abnormal engineering operations network traffic patterns, safety Acquire and manage the necessary physical control systems, including
with context, the commonly targeted assets in control systems, etc. Modern trained ICS resources, including leadership support, SISs, to reduce cyber attack impact
financial, and key security personnel and return operations to a trusted
cybersecurity staff understand the nuances between traditional IT and ICS security.
to support the ICS security mission, restoration point.
As ICS risk management leaders work to build their ICS security teams, they should safety goals, and objectives to maintain
ICS Cybersecurity Manager
consider the following ICS cybersecurity skillset recipe. For the team to be effective, reliability of engineering processes.
Possess knowledge of and experience
team members would do well to have the following skills and experience:
ICS Security Architect in IT and ICS/OT security, the tools to
Traditional IT
ICS Physical, Possess knowledge of and the ability address industry pressures to manage
Engineering Environmental
Cybersecurity
Knowledge Safety to address all aspects of the control cyber risk to prioritize the business
system architecture, best practice as well as the safety and reliability
Traditional IT Cybersecurity
security from ICS reference models of operations. ICS Cybersecurity
and network segmentation such as Managers must build and maintain
Purdue, and ICS410 SCADA Reference business relationships with engineering
ICS Engineering Knowledge
Architecture⁹ reference models. staff and executive stakeholders to
communicate and reduce cybersecurity
ICS Cybersecurity Incident
Physical, Environmental Safety Responder
risk to engineering operations. This role
requires a firm understanding of the
Detect, analyze, identify, respond to,
drivers and constraints of cyber-physical
contain, eradicate, and recover from
environments, technologies throughout
industrial cybersecurity incidents. A
Figure 6: ICS Cybersecurity Skillsets their organizations, ICS/OT security
key part of this role in the event of an
practitioners, and how to manage the
incident is working with engineering
processes.
teams and a variety of external ICS/
"The only defense against well-funded nation-state attacks on power systems
(and the rest of the critical infrastructure that keeps us and the economy alive
and free) are people with extraordinary cyber talent and skills." - Mike Assante
9 https://www.sans.org/posters/control-systems-are-a-target/
Maintain a defensible 5. Deploy ACDC specific to ICS. Empower technical ICS security staff to maintain
compliance program up to
NERC CIP standards the human-driven ICS/OT ACDC while leveraging sector-specific ICS/OT threat
intelligence. Staff should be dedicated, ICS/OT-trained security resources
ICS Visibility, Detection, and
Response who understand the engineering process well enough to determine if control
ICS515