Professional Documents
Culture Documents
ICS410 Poster
ICS410 Poster
ICS410 Poster
NETWORKS
to tackle our common challenges and share working solutions. Major Enforcement Boundary Major Enforcement Boundary Major Enforcement Boundary
PURDUE LEVEL 5: PURDUE LEVEL 4:
Enterprise Networks Business Networks
ICS
LEVEL 3: Control Center A LEVEL 3: Control Center B LEVEL 3: ICS Data Center
Corporate-level services used to support enterprise IT networks for business users at local sites. This level
ICS410: ICS/SCADA Security Essentials scalability supporting individual business units and includes business workstations, local file and print
Enterprise Major Enforcement Boundary Major Enforcement Boundary Major Enforcement Boundary
users. These systems are usually located in corporate servers, local phone systems, enterprise AD replicas,
Global Industrial Cyber Security Professional (GICSP) data centers, and can include servers providing connectivity to enterprise WAN, and possibly local WAN
SANS ICS CURRICULUM
enterprise AD, internal email, CRM systems, HR systems, Internet access. No system that can influence OT
document management systems, backup solutions, and processes should be in this level. Direct Internet access
ICS456: E
ssentials for NERC Critical enterprise SOC. should not extend below this level.
Infrastructure Protection
GIAC Critical Infrastructure Protection (GCIP) PURDUE LEVEL 3: PURDUE LEVEL 2:
Site-Wide Supervisory Local Supervisory
Major Enforcement Boundary
ICS515: ICS Active Defense & Incident Response Monitoring, supervisory, and operational support for
an entire site or region. This level can include master
Monitoring and supervisory control for a single process,
cell, line, or DCS solution. Isolate processes from one SCADA
servers, HMIs, alarm servers, analytic systems, or another, grouping by function, type, or risk. This level
LEVEL 4: Business Network
GIAC Response and Industrial Defense (GRID) WAN
historians if scoped for an entire site or region. Level includes HMIs, alarm servers, process analytic systems,
3 can (and should) be broken into multiple subnets, historians or control room if scoped for a single Major Enforcement Boundary
ICS612: ICS Cyber Security In-Depth grouped by function/role to simplify ACLs. If Active
Directory is needed, use a separate domain with no
process and not the site/region. Systems in this level
can leverage Active Directory in level 3 if needed. ICS DMZ
trust relationships. Use a subnet here for security
Major Enforcement Boundary
LEVEL 2: Local Supervisory LEVEL 2: Local Supervisory LEVEL 2: Local Supervisory LEVEL 2: Local Supervisory
SANS ICS
PLCs, control processors, programmable relays, RTUs, other field instrumentation. It may not be necessary to
and process-specific microcontrollers. Modern ICS distinguish between level 0 and 1.
solutions often obscure the lines between level 0 and 1.
LEVEL 1: Local Controllers LEVEL 1: Local Controllers LEVEL 1: Local Controllers LEVEL 1: Local Controllers
@SANSICS
LEVEL 0: Field Devices LEVEL 0: Field Devices LEVEL 0: Field Devices LEVEL 0: Field Devices
Free and open-source tools for ICS available at Safety Systems
Systems that are engineered for a specific protective function, attempting to prevent worse-case scenarios. Airgap/Enforcement Airgap/Enforcement Airgap/Enforcement Airgap/Enforcement
ControlThings.io This level includes all items identified in Level 0 and 1 with a dedicated purpose for a safety control function
such as acoustic monitoring, liquid chemistry monitoring, vibration monitoring, and emission monitoring. In Safety Systems Safety Systems Safety Systems Safety Systems
Poster was created by Justin Searle with support of the SANS ICS faculty. most safety systems there exists a control function that serves to protect the operation and personnel.
©2020 Justin Searle. All Rights Reserved.
This section is enlarged below
Major Enforcement Boundary between ICS DMZ and Enterprise Networks (business pulls from or pushes to ICS DMZ)
ICS DMZ – Level 3 to 4 ICS DMZ – Level 4 to 3 ICS DMZ – Cloud Access ICS DMZ – Remote Access
Major Enforcement Boundary between Control Networks and ICS DMZ (control pulls from or pushes to ICS DMZ)
Historian, and HMIs (per group/role) (per system) Operations (per vendor or group/role)
OPERATIONS/ICS NETWORKS
Minor Enforcement Boundary between Cell/Lines and Plant Supervisory (ACL on Router/Layer-3 Switch or Firewall)
PROCESS/DCS/CELL/LINE D
PROCESS/DCS/CELL/LINE B
PROCESS/DCS/CELL/LINE A
PROCESS/DCS/CELL/LINE C
Local Supervisory Local Supervisory Local Supervisory Local Supervisory
Information Leakage
modern ICS, providing attackers greater opportunities to capture,
backdoors, and adjustments to tactics as needed. These are campaigns that
block, and inject your traffic
happen over the course of months, and require system owners/operators to be
vigilant, recognizing when something is not right.
Social Engineering
Sensitive information is often placed on company websites and found by
attackers through search-engine queries (google hacking)
Org charts, business partners, vendors, ICS technologies, HR position
postings, engineer bios, and many other company details are often used in ICS Security Goal: ttackers have 20+ years worth of usable exploits since most ICS
A
software and operating systems are infrequently patched and are
the attacks to launch initial attacks involving social engineering
Systems may be directly exposed to the Internet without proper controls,
Ensure the safe, reliable, and secure operation of ICS used past vendor end of life dates
through accident or ignorance, making discovery and compromise trivial environments from procurement to retirement uilt-in host defenses and endpoint protection solutions are not
B
common in ICS, limiting visibility of attacks and compromises
Remote Access
ttackers leverage default usernames, weak passwords, and
A
outdated authentication mechanisms
mbedded devices like DCS controllers, PLCs, RTUs, IEDs and IIoT
E
Most remote access methods, including VPNs, can be identified by Nmap,
devices have few if any defenses
Shodan, and other tools
Supply Chain
Dial-up modems can be discovered with war-dialing, have few access
controls, and are near impossible to prevent denial-of-service attacks
Remote access methods are often implemented as a single step into
the ICS environment, failing at providing a remote access model with ICS infrastructures can be attacked through compromised vendors,
layered defenses contractors, or integrators
VPNs often allow applications and data on external machines to be used ICS hardware and software can be directly breached prior to arriving
inside ICS networks, risking the propagation of malware in the production environment
Physical Security
ICS perimeters can be compromised through existing connectivity between
business machines and ICS systems
Abnormal activity or unexplained errors hysical changes or alterations to ICS devices are often difficult
P
to detect