Showing posts with label SANS. Show all posts

Tuesday, November 7, 2017

Resources to Learn About ICS Security

I had an interesting conversation with a colleague yesterday.  He called to ask for some advice on ways to advance his career in the industrial controls security space.  He held a Certified Information Systems Security Professional (CISSP) certificate and a Master's in Information Security.  However, he was frustrated in determining ways to move ahead in ICS security.

As I considered his questions I realized that a person who can advance in the areas of industrial controls security is someone with factory or process plant experience, an understanding of basic controls theory, and a solid understanding of factory/process plant operations and maintenance.  These are fundamental to understanding the causes and effects of ICS security.

CLASSROOM / ONLINE TRAINING

Besides the “floor” experience, an individual interested in ICS security probably needs some formal training on the key aspects of ICS security you don’t learn when studying for your CISSP.  My recommendations include:


  • ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 and 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.




  • SANS ICS 410: ICS/SCADA Security Essentials:  If you take the course, you’ll essentially have the necessary training to pass the SANS GICSP – Global Industrial Cyber Security Professional certification.  The details on the 5-day class are located here.  Of note, you don’t need to take the course but can instead pay to take the test.

  • ISA Cybersecurity Training:  The International Society for Automation (ISA) offers a series of four different classes covering ICS security.  These class titles include:
      ◦ Industrial Networking and Security (TS12)
      ◦ Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C)
      ◦ Using the ANSI/ISA99 Standard to Secure Your Control System (IC32)
      ◦ Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
      ◦ IACS Cybersecurity Design & Implementation (IC34), and
      ◦ IACS Cybersecurity Operations & Maintenance (IC37)
    As I understand, each course has an associated certificate (not certification), which you can receive after you satisfactorily pass a written test.
    Overall, the ISA training has come a long way and should help with understanding practical ICS security.
    You can find out more information regarding the ISA classes here.

READING RECOMMENDATIONS

With regard to reading, I’d highly recommend reading the following documents to establish your baseline knowledge of ICS security.
  • Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 R2:  Even though this is issued by the National Institute of Standards and Technology (NIST) it is a decent “textbook” prepared to give the reader a comprehensive view of ICS and the security issues associated with “operational technology (OT).”  I’d recommend the student read this document before moving ahead to any of the training above.  By the way, this is free.
  • An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity, SANS:  This document is a high-level introduction to industrial controls, control theory, the history of industrial controls and a history of the security issues affecting ICS – including the infamous Stuxnet.  This information will be very helpful to the reader as they progress through the courses above and in their work.  Again, another resource available at no charge.
  • Industrial Network Security, by Eric D. Knapp and Joel Thomas Langill, Syngress Press:  Although a $40 investment, this book offers excellent information on ICS and ICS security you will not normally see in the resources above or in other books written on SCADA security.  Messrs. Knapp and Langill provide excellent, real-world perspective on ICS security.  So, if you’re serious about your ICS security training, I strongly recommend you get this book and read/study it.


I’ve been lucky in my past 45+ years of work where I’ve operated power plants, evaluated various factories, and had a chance to practice “practical ICS security.”  Fortunately, my background has given me the tools to advance in this area but I’ve also taken advantage of the resources above.

### END ###

Thursday, April 3, 2014

A Month-Long View of Industrial Controls Security Training

For the past four weeks I have been immersed in Industrial Controls Systems (ICS) security training.  My journey began on March 12th, when I spent five days in the SANS ICS training in Orlando, followed by about 15 hours of web-based ICS training from ICS-CERT, then two days in Burbank, California attending the ISA training on the ANSI/ISA-62443 Standards.  (By the way, the 62443 standard used to be called the ISA99 standard.)

What I'd like to do is offer a view of these different training options to give you a sense of why some professionals will need this training and how the ICS-CERT training can be especially helpful for managers and supervisors overseeing work on ICS.  Also, I'll let you know about free training that does not require travel or substantial resources.

Why am I Taking These Classes?

Right now my employer -- Securicon -- is focusing on industrial control security and the SANS certification program -- GICSP - discussed later -- may be a key cert to have in the company for future work at some select global energy/oil/gas companies.  Secondly, one vendor we work with has asked us to complete the ISA training on the ISA-62443 standards.  Therefore, I'm the designated player for the company and have been sent to these courses - not that I'm complaining!  I love this stuff and I'm up for another security certification in this domain.

SANS ICS410 ICS/SCADA Security Essentials (~$4,395 + $599 for GICSP test)



This course is offered in a classroom (and now as an online option) by SANS.  I was privileged to be in a class in Orlando with about 57 other students from literally around the globe.  The instructor was Mr. Justin Searle who is by far one of the best IT security instructors I have ever experienced as either a student or co-instructor.

The course runs for five consecutive days with class beginning at 9 AM and ending at 5 PM with breaks and a lunch in between.  The days were broken down into the following:


  • Day 1 - Industrial Control Systems (ICS) Overview
  • Day 2 - ICS Attack Surface
  • Day 3 - Defending ICS Servers and Workstations
  • Day 4 - Defending ICS Networks and Devices
  • Day 5 - ICS Governance and Resources 
Each day some hands-on exercises were included.  

At the end of the training you receive a certificate of completion; however, the true goal for myself and many others is to pass the Global Industrial Controls Security Professional (GICSP) certification from SANS.



The GICSP certification involves a separate test which requires the student to pass with a minimum score of 69%.  I hope to take this test before the end of April.

For more details on the GICSP and the class please go to these links:  GICSP, ICS410, SANS ICS Security.

ISA - Using the ANSI/ISA-62443 Standards to Secure Your Control System (~$1,510)



I just finished this course on April 2nd in Burbank, CA.  The class is a two-day event and this recent course was taught by Mr. John Cusimano -- again, another very good and knowledgeable instructor.  The class size was very conducive to open dialogue with the instructor and other students.

The focus of these two days was on the following key topics:

Day 1:
  • Introduction to Control Systems Security and ISA/IEC62443 Standards
  • Terminology, Concepts, Models and Metrics
  • Networking Basics (Do you know your OSI Model??)
  • Network Security Basics
Day 2:
  • Creating an ICS Security Management Program
  • Designing/Validating Secure Systems
  • Developing Secure Products and Systems
And like the SANS course, some hands-on exercises were included using tools such as Wireshark and the command line (e.g., netstat -a).

Upon completion of this course you are eligible to take a proctored test called the ISA99 Exam.  Passing this test will give you the ISA99 certificate from ISA that demonstrates your knowledge and capabilities with the ISA standards used to secure industrial control systems.

For more information you can go to the ISA Cybersecurity site.

I hope to take this test before the end of April.

ICS-CERT Online Training -- Excellent Resource! (Free)



Finally, for my "spare time" between the SANS and ISA training I've been working on two courses offered at no charge by the US Department of Homeland Security ICS-CERT organization.

The two courses are both web-based and only require that you register with the Training Portal.

The first class I took was 100W - Operational Security (OPSEC) for Control Systems.  This is a one-hour on-line class that is focused on ways to protect your industrial control systems by being cautious about releasing network information outside the company or to those who don't have a need to know.  The course also addresses phishing attacks, etc.  You get a certificate "...suitable for framing..." at the end of the course.

The second course -- which I highly recommend to executives, managers, supervisors and engineers interested in learning more about ICS security -- was 210W - Cybersecurity for Industrial Control Systems.  This course was excellent and took about 15-20 hours to complete.  

There are 10 separate modules that are listed below:
  • Differences in Deployments of ICS
  • Influence of Common IT Components on ICS
  • Common ICS Components
  • Cybersecurity within IT and ICS Domains
  • Cybersecurity Risk
  • Current Trends (Threats)
  • Current Trends (Vulnerabilities)
  • Determining the Impacts of a Cybersecurity Incident
  • Attack Methodologies in IT and ICS
  • Mapping IT Defense-in-Depth Security Solutions for ICS (longest but best module!)
Again, this training does not require any money but only requires your time to take the modules (which you can stagger over time).

Conclusion

ICS security continues to get focus from the industry and government.  That is why SANS, ISA and ICS-CERT are continuing to bring in training modules for a broad range of players from journeymen electricians to utility executives.  Take advantage of the training -- at least the free classes -- so you better understand how to best defend your Industrial Control systems.

###





Thursday, February 6, 2014

Industrial Control Security -- More Awareness Needed

I am an active reader of various blogs, e-magazines, websites, etc. regarding industrial control system (ICS) security.  This week I came across a rather disturbing survey that indicates more work is needed in the ICS security domain to raise awareness of the availability of useful ICS security resources.

This week I was looking at Control Engineering e-magazine and noted that they had a survey on ICS security.  The question posed was:

Do you follow cyber security resources to check for security vulnerabilities in the devices in your industrial networks, such as PLCs, RTUs, Ethernet switches, HMIs, DCSs, etc.?

The poll result is shown in the graphic below and you can add your own vote at Link.




What disturbs me about the poll results is the majority of those responding to this unscientific survey have "...no idea such a resource was available."  This tells me that the ICS security community needs to do more work publicizing its resources in order to help the field engineers make their ICS systems more secure.

So, to help in this regard, here are some resources you will find extremely useful in helping to better understand the current ICS security vulnerabilities and how to better defend your ICS networks:

Excellent "Textbooks" and Desk References:

Excellent Resources on ICS Security Vulnerabilities, Protective Actions

** ICS-CERT encourages U.S. asset owners and operators to join the Control Systems compartment of the US-CERT secure portal. Send your name, e-mail address, and company affiliation to ics-cert@hq.dhs.gov.

What Else?

There are many other resources that include vendor notifications and alerts as well as other resources from standards organizations such as ISA but the above list of links is an excellent starting point for you to gather references and subscribe to data feeds from ICS-CERT.

Overall, though, it is our job in the Security Community to help everyone realize what resources exist in the world to provide guidance on securing critical infrastructure and industrial control systems.

###

Friday, January 10, 2014

SANS White Paper -- Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites

Our friend Mike Assante -- formerly of Idaho National Labs/National SCADA Test Bed, NERC, and now with SANS -- has coauthored an interesting and informative white paper on responses to physical breaches of unmanned critical infrastructure sites. The cover is shown below.



The whitepaper can be located at: http://tinyurl.com/ldfnzxq

One of the most interesting graphics in the paper (Appendix A, Page 12) is a collection of photos showing the ways/means of the miscreants to tap into the systems with such tools as keystroke loggers, etc.  The page is shown below to whet your appetite for this paper.


Nicely done and "attaboys" to Mike Assante, Scott D. Swartz and the SANS ICS team!

Also, my good friend Andy Bochman wrote about this at his Smart Grid Security Blog.  Thanks, Andy!!

####################