GICSP Encyclopedia v2.0
Crypto - Merkle-Hellman (Trapdoor) Knapsack
(1978) Early asymmetric (public-key) scheme built on the subset-sum (knapsack) problem, with a superincreasing sequence as the trapdoor. Broken by Shamir in 1982 - the fixed public weights leak the trapdoor structure.
RF Mesh Networks
(Day 4, Page 128)
TCP Flags (6 bits)
(In order, most to least significant bit) - Urgent (URG) - Acknowledgement (ACK) - Push (PSH) - Reset (RST) - Synchronize (SYN) - Finish (FIN) (Two further bits above URG in the flags byte are used for ECN - Explicit Congestion Notification: CWR and ECE)
WirelessHART Technical Details
- 2.4GHz ISM Band (Same as Wi-Fi but NOT Wi Fi) - Leverages IEEE 802.15.4 for PHY/MAC (Same as Zigbee) - Mesh network for "self-healing" - Channel hopping to allow to work in same area as 2.4GHz protocols
TCP Header Size
- 20 bytes minimum (no options) - The Data Offset field gives the real header length in 32-bit words, so with options the header can reach 60 bytes
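A parser for the fixed TCP header ties the two cards above together: the flags byte decoded in the order listed, the ECN bits above it, and the Data Offset field turned into a header length. This is an added example, not course material; the two segments are constructed in the code (a plain SYN to port 502 and an ECN-setup SYN carrying a 4-byte MSS option), not captured traffic.

```python
"""Parse the fixed 20-byte TCP header and decode its flags byte.

Added example for study; the segments below are constructed, not captured.
"""
import struct

# Flag bits of the flags byte (byte 13 of the header, 0-indexed), MSB to LSB.
# The two ECN bits (CWR, ECE) sit above URG; NS lives in the low bit of byte 12.
FLAG_NAMES = (
    (0x80, "CWR"), (0x40, "ECE"),
    (0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
    (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
)

TCP_MIN_HEADER = 20


def parse_tcp_header(segment: bytes) -> dict:
    """Return the fixed header fields plus decoded flag names, options and payload."""
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src, dst, seq, ack, off_ns, flags, window, csum, urg) = struct.unpack(
        "!HHIIBBHHH", segment[:TCP_MIN_HEADER])
    header_len = (off_ns >> 4) * 4          # Data Offset counts 32-bit words
    if header_len < TCP_MIN_HEADER or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "ns": bool(off_ns & 0x01),
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": segment[TCP_MIN_HEADER:header_len],
        "payload": segment[header_len:],
    }


# Constructed SYN to Modbus/TCP (port 502): no options, Data Offset 5 (20 bytes).
SYN_TO_502 = struct.pack("!HHIIBBHHH", 49152, 502, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

# Constructed ECN-setup SYN (CWR+ECE+SYN) with a 4-byte MSS option: Data Offset 6 (24 bytes).
ECN_SYN_WITH_MSS = struct.pack("!HHIIBBHHH", 49153, 80, 7, 0, 6 << 4, 0xC2, 8192, 0, 0) \
    + bytes([0x02, 0x04, 0x05, 0xB4])      # option kind 2 (MSS), length 4, MSS = 1460

if __name__ == "__main__":
    for seg in (SYN_TO_502, ECN_SYN_WITH_MSS):
        h = parse_tcp_header(seg)
        print(h["dst_port"], h["header_len"], h["flags"])
```

The length check matters in practice: a Data Offset smaller than 5 or larger than the segment is how malformed segments trip naive parsers, so the function rejects both rather than slicing blindly.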
802.11x WiFi (1997)
- 802.11b = 11 Mbps @ 2.4 GHz - 802.11a = 54 Mbps @ 5 GHz - 802.11g = 54 Mbps @ 2.4 GHz - 802.11n = 100+ Mbps @ 2.4 and/or 5 GHz - Large data packets supported through fragmentation at Layer 2
Zigbee
- 802.15.4 - Low cost cable replacement technology - Close to 100M nodes in 2012 - Honeywell = HVAC systems - Zigbee used for low power consumption and rely on long, multi-year battery life
Zigbee Security
- Accommodates security at the MAC (2), Network (3) and Application (7) layers - Relies on master keys set by manufacturer, installer or end user - Generates link keys to encrypt traffic - Encryption based on AES-CCM (128-bit block cipher) - Security optional - AES may be too resource intensive for lightweight devices (battery life vs security) - KillerBee = Python-based framework by Joshua Wright for attacking Zigbee and other 802.15.4 devices
IPSec - Protocols Used
- Authentication Header (AH) - Provides integrity, data-origin authentication and anti-replay protection for the whole packet; no confidentiality - Encapsulating Security Payload (ESP) - Provides confidentiality/encryption plus optional integrity and authentication of the payload
Bluetooth Security
- Authentication starts with the user selecting a PIN to authenticate other devices in the Bluetooth piconet - BD_ADDR (pronounced "Bee Dee Adder") is the device MAC address - Link keys are derived from the PIN and the BD_ADDRs - Some devices use fixed PINs - Sniffing risk during initial pairing (Day 4, Page 136)
Extensible Authentication Protocol (EAP)
- Authentication support for wireless - Different EAP types suitable for different environments -- considering clients, directory type, hardware
BOOTP/DHCP
- Automatically configures network interfaces and can load operating systems over the network at boot - UDP ports 67 (server) and 68 (client)
Crypto - Classes of Ciphers
- Block ciphers (usually software) (keys reusable, key management easier) - Stream ciphers (usually hardware) (faster; a key/keystream must never be reused) (RC4 most common, now deprecated)
RTU vs PLC
- Both have an array of I/O connections (digital input, analog input, digital output) - Software/logic operating on the I/O for automation and safety - RTU differs from a PLC in some ways: -- Usually runs only simple autonomous programs -- More suitable for large geographical areas (remote telemetry) -- Differences are decreasing each day
Data Erasure Stages
- CLEARING (overwriting the data media for internal reuse) - PURGING (degaussing or overwriting for removal of equipment) - DESTRUCTION (physically destroying) (Krutz)
Wireless HART Security
- Can be configured with unique join keys for each device - Join key configured manually on field device maintenance port (wirelessly) - Successful encrypted join packet retrieves network key - Join can be restricted by key, manufacturer, and product name/tag - All payloads encrypted with unique session key per device - Rogue devices cannot spoof other devices because of unique keys - Cryptographic-based nonrepudiation to verify data came from the device
Safety - Process Hazard Analysis (PHA) Methods Include
- Checklist - What if? - What if?/Checklist - Hazard and Operability Study (HAZOP) - Failure Mode and Effects Analysis (FMEA) - Used AFTER the PHA if the team could not reach a decision: -- Layer of Protection Analysis (LOPA) -- Fault Tree Analysis (FTA)
BCP - Data Processing Continuity Planning Sites
- Cold Site (days to weeks to readiness) - Warm Site (Hours to days to readiness) - Hot Site (Minutes to hours to readiness) - Reciprocal Site - Multiple Data Centers (Minutes to hours to readiness) - Redundant sites (configured just like primary site) - Rolling Hot Sites
hping
- Command-line oriented TCP/IP packet assembler/analyzer - Works on Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X and Windows (check the "h" tab for more)
Cellular Backhauls
- Commonly used as a WAN because of low cost and universal availability - GSM vulnerabilities (vulnerable at PHY/MAC layer) - Private IP offered by some cell companies
UDP
- Connectionless, send and forget - Delivery not confirmed - No sequence numbers - Less protocol overhead (faster) - fewer packets - Smaller header
Physical Security - What ICS Devices Need Physical Protection?
- Controllers to include RTUs and Flow Computers etc. - I/O Found in junction boxes - I/O found on process equipment being sensed or actuated - Perimeter protection and locks - Available ports and diagnostic ports (physical, wireless, infrared)
DNP3
- DNP = Distributed Network Protocol - Mainly used by electric, gas and water utilities - Originally developed by Westronic - Open standard - IEEE 1815-2010 - 16-bit addressing, up to ~65,000 devices per network - Event time stamping - RS-232, RS-485 -- Can be encapsulated in TCP/IP or backhauled via radio and modem - Master-slave protocol, but a slave (outstation) can report without a request (unsolicited responses) - Master (HMI, FEP) to slave (RTU, PLC, IED) communication - Functions include send request, accept response, confirmation, time-outs, error recovery - The optional DNP3 Secure Authentication extension supports pre-shared keys for authentication
DNP3 Security Issues
- DNP3 traffic sent in plaintext - DNP3 connections susceptible to session hijacking and DoS - DNP3 does not provide authentication or authorization natively - The optional DNP3 Secure Authentication extension (IEEE 1815-2012) adds message authentication based on pre-shared keys; it does not add confidentiality
UDP Ports
- DNS (53) - BOOTP/DHCP (67 and 68) - TFTP (69) - Network Time Protocol (NTP) (123) - NetBIOS over TCP/IP (NBT) (137-139) - SNMP (161 and 162) - Syslog (514) (UDP, or TCP) - NFS - Network File System (Unix) (2049)
DNS Security Issues
- DNS responses traditionally NOT cryptographically signed - DNSSEC modifies DNS to add support for cryptographically signed responses (DNSCurve is an alternative) - TSIG (another DNS extension) adds cryptographic authentication between trusted peers and is commonly used to authorize zone transfers or dynamic updates
Physical Security -- Elements to consider
- Deter - Authorization - Detect - Identify - Respond
Security Awareness - Elements of Staff Training & Security Awareness (ISA)
- Develop training program - Provide procedure and facility training - Provide training for support personnel - Validate the training program (ensure personnel understand) - Revise the training program over time - Maintain employee training records (ISA Addressing Risk with CSMS/Security Policy, Organization and Assessment, Staff Training and Security Awareness)
Common Industrial Protocol (CIP)
- Developed by Rockwell Automation - Supported by the Open DeviceNet Vendors Association (ODVA) - Underlying protocol for: -- DeviceNet -- ControlNet -- EtherNet/IP - Designed to allow different networks to be used with a common protocol - Because it is media and data-link independent, it can run over existing TCP/IP networks and does not require safety gateways or specialized routing hardware
Attacks on Field Components/PLCs
- Disrupting communications - Consume processes and resources - Changing the configuration for accessing the device - Re-boot the device - Modify the programming/set points - Change group settings - Manipulate the firmware (low-level machine code) - Modify applications on device
ICS Wireless Disadvantages
- DoS attacks are easier and "near impossible" to defend against - Network capture is possible regardless of RF frequency used or use of hopping technologies - Attacker has at least a limited ability to communicate on the wireless network (Security defenses should be focused on higher level network protocol because we should assume that most wireless protocols allow at least partial access to the MAC layer) (Day 4, Page 124)
RF Mesh/Microwave/ISM Band
- Don't expect security at the PHY/MAC layer - PHY/MAC security is not often included with proprietary wireless comms - Give preference to solutions that leverage encryption and authentication in upper-layer protocols - Frequency hopping and licensed RF bands should NOT be considered security defenses
ICS Wireless Advantage
- Drastically reduces costs for time/money due to no wires - Users can access network from anywhere - Mobility and connectivity - Usable in environments where wiring is difficult (e.g., factories, hospitals, assembly lines, etc.) - Temporary networks such as field technician laptops (Day 4, Page 122)
WiFi - Top Security Risks for All Wireless Protocols and Standards
- Eavesdropping - Masquerading - DoS - Rogue APs
Crypto - Stream Cipher
- Encrypts one bit (or byte) of data at a time - Plaintext length = ciphertext length (excluding headers and checksums) - RC4 most common (also A5/1, E0) - Very fast; becoming less popular due to key-management overhead and security concerns
Crypto - Block Cipher
- Encrypts one block of data at a time (plaintext is padded to the next block boundary) - Block length is fixed by the cipher and is independent of key length (AES: 128-bit block with 128/192/256-bit keys; DES: 64-bit block, 56-bit key) - AES very common - also DES, 3DES, Blowfish
TCP
- Establishes connection BEFORE data transmission - Delivery confirmed - Packet sequence numbers - More protocol overhead (slower) - More packets for handshakes and ACK - Larger headers for session management
IDS Monitoring Devices
- Firewalls - IDS (e.g., SNORT) - Database Activity Monitors (DAMs) - Application monitors - Network Probes
DNS Look Up Zones
- Forward DNS = I know the Domain Name and want the IP Address - Reverse DNS = I know the IP address and want the Domain Name
Fieldbus
- General name for competing standards such as Profibus (German National Standard), FIP (French National Std), Foundation Field Bus.
Zone
- Grouping of Logical or Physical assets that share common security requirements - Has clear border - Security policy enforced by combination of mechanism at Zone edges and within the zone
HART
- Highway Addressable Remote Transducer Protocol - Serial digital protocol (like Modbus) whose FSK signal is superimposed on the 4-20 mA analog loop
Wireless Masquerading
- Impersonate an authorized client or access point - Uses "Evil Twin" attack - Attacker changes MAC address
Backup Types
- Incremental backup - backs up only those files modified since the previous backup of any kind. It does remove the archive attribute. - Differential backup - backs up all files modified since the last FULL backup. It does not remove the archive attribute. - Full backup - backs up all files, modified or not, and removes the archive attribute. (Harris)
What Needs to be Protected in an ICS Environment?
- Industrial networks (Upstream) - Fieldbus (Downstream) - Networking Equipment & Communications Bridges - Industrial protocols - Management protocols - RTOS (Real time operating systems)/Firmware - Network cards - System applications - Interfaces (RS-232, Wireless) - Field Devices - Engineering Workstations & Programs/Files - Diagnostic/Calibration Equipment - Remote Access Equipment - Safety/Protection systems (Day 4, Page 160)
TCP Sequence Numbers
- Initial Sequence Number (ISN) - ISN is random / semi-random for security reasons (predictable ISNs enable blind spoofing and session hijacking) - Increases by 1 for each byte sent - 32-bit field; when it fills up it rolls over to 0 and continues
Safety Analysis - Parameters
- Inspection/Materials - Electrical - Safety/Loss Prevention - Environmental - Packaged Equipment
File Integrity Monitoring
- Is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and the known, good baseline. - This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. - Other file attributes can also be used to monitor integrity. - Generally, the act of performing file integrity monitoring is automated using internal controls such as an application or process. - Such monitoring can be performed randomly, at a defined polling interval, or in real-time. - EXAMPLE: Monitoring Server OS binaries to detect unapproved changes. - EXAMPLE: Tripwire
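The monitor described above, as an added example (not the course's or Tripwire's code): it hashes a tree of files into a baseline, then reports what changed on a later pass. The "binaries" are small constructed files written to a temporary directory so it runs offline; a real deployment would store the baseline signed and off-host, which the in-memory JSON round-trip only stands in for.

```python
"""Minimal file-integrity monitor: baseline SHA-256 digests, then diff a later scan.

Added example; the files are created in a temporary directory so it runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file's contents, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mode": oct(st.st_mode & 0o777)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift: modified (digest or mode changed), added, removed."""
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"]
                      or baseline[k]["mode"] != current[k]["mode"])
    return {
        "modified": modified,
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Create a fake 'bin' tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd")   # constructed stand-in
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Baselines belong in a signed, off-host store; the JSON round-trip stands in for it here.
        stored = json.loads(json.dumps(baseline))
        # Simulated tampering: trojaned binary, dropped tool, deleted file.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF trojaned sshd")
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped tool")
        (root / "bin" / "ls").unlink()
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing content rather than trusting mtime is the point: an attacker who can write a binary can also reset its timestamp, but cannot make a different file produce the same SHA-256.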
Common Industrial Protocol (CIP) -Safety Extension of
- Is the TUV-certified extension to the standard CIP protocol. - It extends the model by adding CIP Safety application layer functionality including integrity and prioritizing.
PLC Programming
- The five IEC 61131-3 languages: - Ladder Logic - Function Block (vendor implementation dependent) - Structured Text (difficult to troubleshoot) - Instruction List (similar to assembly language; not common in certain geographies) - Sequential Function Chart
VSAT Limitations
- Latency (measured in hundreds of milliseconds) - Need good line of sight to the satellite - Issues with animals, landslides, etc. - RF interference - Degradation of signal due to rain/weather - Lightning strikes cause damage - Signals impacted by extreme solar activity (Day 4, Page 126)
Group Policy Object Order
- Local Machine - Site - Domain - Individual Organizational Units (OUs) - A user or computer object can ONLY belong to a single site and a single domain at any one time.
Physical Security - Procedural Controls
- Log in books - Physical security policy - Physical security requirements signage - Visitor management program
Conduit
- Logical grouping of communications channels connecting 2 or more zones - share common security requirements - A particular type of security zone that groups communications that can be logically organized into a grouping of information flows WITHIN and EXTERNAL to a zone. - Can be trusted or untrusted - Can be physical or logical - No such thing as "subconduits"
Microwave
- Loosely defined between 3GHz and 300GHz - As low as 300MHz - Understand specific frequency offered by vendor
Attack - Results of ICS Attack
- Mal-operating the process - change set points - damage ICS components - damage physical equipment - suppress safety system and protections - cause loss of view - block control - spoof operators - modify or even spoof input to logic
Crypto - Components of non-repudiation?
- Message signing (digital signature = hash of the message encrypted with the signer's private key, verified with the signer's public key) - Hashing function - Relies on the private key being held only by the signer
WiFi Networks - protecting
- Migrate from WEP > WPA > WPA2 - Use a strong authentication mechanism like PEAP (Protected Extensible Authentication Protocol) or EAP-TTLS (Tunneled Transport Layer Security) - Always require mutual authentication to mitigate MITM and masquerading attacks - Audit network installations for consistency in deployment and configuration - Change default admin passwords and SNMP community strings; disable HTTP-enabled config pages - Educate users on how to spot suspect activity on the WiFi network
ITU Defined ISM Bands
- Most common in the US is the 915 MHz band (902-928 MHz) - Second most common in the US is 433.92 MHz - Most common band in Europe for proprietary traffic is 868 MHz
WirelessHART (IEC 62591) - Security enabled wireless version of HART
- Multi-vendor wireless standard (2007) - Designed for process field device networks - Wireless Industrial Technology Konsortium (WiTECK) (37 members) - 50-80% market share in wireless ICS
IDS
- Network Based IDS (NIDS) - Host Based IDS (HIDS) - Signature Based - Anomaly Based
Bluetooth (1998)
- No line of sight requirement - Supports data, voice, content-centric applications with Bluetooth Profiles - Up to 7 simultaneous connections
Disruptions - Types of
- Nondisaster - device malfunction - Disaster - entire facility unusable for a day - Catastrophe - destroys facility altogether (Harris)
OPC Specifications
- OPC Data Access (OPC DA) (OPC Classic) - OPC Alarms & Events - OPC Batch - OPC Data eXchange (OPC DX) - OPC Historical Data Access (historians) - OPC Security - OPC XML-DA - OPC UA - Unified Architecture
OPC Security Concerns
- OPC Servers can be a bridge for an attacker from one system to another - OPC's use of DCOM and RPC make it highly vulnerable to attack - Subject to the same vulnerabilities as OLE - OPC is rooted in the Windows OS and susceptible to attack thru exploitation of any vulnerability in the Windows OS - Because OPC is supported on Windows, many basic host security concerns apply - Possible to create rogue OPC server and use for DoS, info theft or inject of malicious code
OPC
- Object Linking and Embedding (OLE) for Process Control - 1996 by Industrial Automation Task Force - Based on MSFT DCOM, OLE, COM technologies - OPC Foundation (https://opcfoundation.org)
Unauthorized Access
- Occurs when a user, legitimate or not, accesses a resource that the user is not permitted to use. (FIPS 191) - Viewing private accounts, messages, files or resources without permission from the owner. Viewing confidential information without permission or qualifications can result in legal action. (Business Dictionary)
TCP Uses
- Offers flow control to handle network congestion - Allows transmission of larger amounts of data per packet - Used when guaranteed delivery is more important than speed - Offers better protection against spoofing attacks (three-way handshake plus sequence numbers) - Common TCP-based protocols: FTP Data (20), FTP Control (21), SSH (22), Telnet (23), DNS (53), HTTP (80), HTTPS (443)
WiFi - Rogue Access Points
- Often installed with default settings and no security - Permits full access to a network for unauthorized user - Contributes to unauthorized info disclosure
Profibus
- Open standard defined by German DIN 19245 - Based on a token bus/floating master system - Three types of Profibus - FMS, DP, PA - FMS = Fieldbus Message Specification (general data acquisition) - DP = where fast communication is needed - PA = intrinsically safe devices - Supports RS-485 and IEC 1158-2 (intrinsically safe) physical layers
Modbus
- Open standard/royalty free - 1979 by Modicon (now Schneider) - Most widely used protocol (>7M nodes) - Modbus Organization since 2004 (www.modbus.org) - Serial - Modbus RTU and Modbus ASCII over RS-232/RS-485 - Ethernet - Modbus TCP (port 502) - Master-slave protocol -- Master polls each slave -- Slaves do not communicate with other slaves -- Slaves communicate with the master ONLY on request -- Modbus encapsulated at the application layer - Up to 247 devices per serial network (addresses 1-247) - Broadcast by sending a request to address 0 (all slaves act on it, but none responds)
Crypto - Message Digest Properties
- Original message cannot be recreated from the message digest - Finding a message that produces a particular digest shouldn't be computationally feasible. - No two messages should produce the same message digest (i.e., collision) - The message digest should be calculated by using the entire contents of the original message - (Dummies)
Hotfix
- Originally, the term was used to describe a kind of fix that could be applied without stopping or restarting a service or system. - Microsoft usually uses the term to refer to a small update addressing a very specific issue.
Means of sanitizing media
- Overwrite (Orange Book = formatted 7 times before discard or reuse) (Krutz) - Degaussing - Destruction / Shredding
PING
- Packet Internet Groper - Determine if destination host is alive - Determine latency between two locations -- <10 ms = local LAN; 200 - 300 ms (or more) is WAN/Internet - Determine rate of packet loss - Some Security Concerns - Some Sites Block ICMP -- Covert data channel -- DoS attack -- Used to map a network
Group Policy Manages
- Password Policy - Lockout Policy - NTFS Permissions - User Rights - Event Logs - Registry Settings - IPSec Settings - Kerberos Policies - Audit Policies - Security Options - e.g., Auth protocols - Startup options and permissions on services
WiFi - Rogue Access Point Mitigation
- Perform rogue AP detection (e.g., Kismet with Wireshark) - Use mutual-authentication wireless protocols like PEAP (Protected Extensible Authentication Protocol) or EAP-TTLS (Tunneled Transport Layer Security) - Deploy 802.1X on the wired network so an unauthorized AP cannot get a switch port - Deploy wireless IDS - Deploy strong wireless LAN security (WPA2 with authenticated clients)
Crypto - Where can encryption happen?
- At the data link layer, which is link encryption (hop by hop; headers are encrypted too but traffic is exposed at each intermediate node), or at the application layer, which is end-to-end encryption (payload protected all the way; headers stay in the clear).
ISO27001 Process Approach
- Plan - Do - Check - Act (aka PDCA)
Modbus TCP Port
- TCP port 502 - Encapsulation done at the application layer: a 7-byte MBAP header (transaction ID, protocol ID 0, length, unit ID) replaces the serial address and CRC, with no authentication field anywhere in the frame
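Worked example for the two Modbus cards above, added here and not taken from the course or from modbus.org: it builds Modbus/TCP request frames (MBAP header plus PDU), parses outstation responses including the exception form, and validates the length field before trusting anything else. Nothing is sent on the wire; the two responses are constructed in the code. The security point is visible in the bytes: there is no place in the frame for credentials, so anyone who can reach port 502 can issue a Write Single Register (function code 6) that the device will honor.

```python
"""Build and parse Modbus/TCP frames (MBAP header + PDU).

Added example: frames are constructed in code, nothing is sent on the wire.
"""
import struct

MODBUS_TCP_PORT = 502
PROTOCOL_ID_MODBUS = 0
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (0), length (unit id + PDU bytes), unit id."""
    return struct.pack("!HHHB", transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """FC 3 request; the spec caps a single read at 125 registers."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return mbap(tid, unit, struct.pack("!BHH", FC_READ_HOLDING_REGISTERS, start, count))


def write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """FC 6 request: note there is no authentication field to fill in."""
    return mbap(tid, unit, struct.pack("!BHH", FC_WRITE_SINGLE_REGISTER, address, value))


def parse_frame(frame: bytes) -> dict:
    """Split an ADU into header fields and PDU; reject inconsistent lengths before decoding."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != PROTOCOL_ID_MODBUS:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    pdu = frame[7:]
    fc = pdu[0]
    out = {"transaction_id": tid, "unit_id": unit, "function_code": fc & 0x7F,
           "exception": None, "registers": None}
    if fc & 0x80:                       # exception response: high bit set, one exception-code byte
        if len(pdu) < 2:
            raise ValueError("exception response without exception code")
        out["exception"] = EXCEPTION_NAMES.get(pdu[1], f"code {pdu[1]}")
    elif fc == FC_READ_HOLDING_REGISTERS:
        if len(pdu) < 2:
            raise ValueError("truncated read response")
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match register data")
        out["registers"] = list(struct.unpack(f"!{byte_count // 2}H", pdu[2:]))
    return out


# Constructed outstation replies: two registers (1200, 45), then an exception to a write.
RESPONSE_READ = mbap(1, 1, bytes([FC_READ_HOLDING_REGISTERS, 4]) + struct.pack("!HH", 1200, 45))
RESPONSE_EXCEPTION = mbap(2, 1, bytes([FC_WRITE_SINGLE_REGISTER | 0x80, 2]))

if __name__ == "__main__":
    print(read_holding_registers(1, 1, 0, 2).hex())
    print(write_single_register(7, 1, 10, 500).hex())
    print(parse_frame(RESPONSE_READ))
    print(parse_frame(RESPONSE_EXCEPTION))
```

The transaction ID is the only thing that pairs a response to a request, and it is neither secret nor authenticated, which is why the "session hijacking" concern from the DNP3 card applies just as well here.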
Safety Analysis - Team Members
- Process Engineering - Operations - Maintenance/Reliability - Instrumentation
802.11i
- Provides strong encryption (AES-CCMP), replay protection and integrity protection - The basis of WPA2
Wireless DoS Attacks
- RF jamming techniques/tools - Wireless technologies that use frequency hopping are less susceptible -- but not impervious -- e.g., Bluetooth, based on frequency-hopping spread spectrum - 802.11 spec does not include a per-packet authentication mechanism (management frames such as deauth can be forged) - Flaws in wi-fi card firmware
TCP - Receipt of Data
- Receiver takes the sequence number of the last in-order byte received, adds 1, puts it in the acknowledgement field, sets the ACK flag and sends it back to the sender. - The acknowledgement number does NOT specify the last byte received; it specifies the sequence number of the next byte the receiver expects. - If the receiver acknowledges byte 100, it is implicitly acknowledging all preceding bytes. - If some segments arrive out of order, the higher sequence numbers are put "on hold" until all lower sequence number bytes arrive. - If missing bytes never arrive, the sender times out waiting for them to be acknowledged and eventually retransmits starting after the last byte for which it received an ACK.
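The receiver-side behavior on the two TCP cards above (cumulative ACK, out-of-order hold, 32-bit rollover) as an added example, not course code. Segments are constructed (seq, data) pairs rather than real packets, and the receiver only models sequence-space bookkeeping: no window, no checksums, no flags.

```python
"""Receiver-side TCP reassembly: cumulative ACK, out-of-order hold, 32-bit wrap.

Added example (not from the course); segments are constructed (seq, data) pairs.
"""

SEQ_MOD = 1 << 32


def seq_lt(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence space (serial-number arithmetic)."""
    return a != b and ((b - a) % SEQ_MOD) < (SEQ_MOD >> 1)


class Receiver:
    def __init__(self, isn: int):
        self.rcv_nxt = (isn + 1) % SEQ_MOD   # the peer's SYN consumes one sequence number
        self.held = {}                        # seq -> data, waiting for the gap below to close
        self.delivered = bytearray()          # in-order bytes handed to the application

    def segment(self, seq: int, data: bytes) -> int:
        """Accept a segment and return the ACK number to send (= next byte expected)."""
        if seq_lt(seq, self.rcv_nxt):
            # Full or partial retransmission: drop the bytes we already have, keep the rest.
            overlap = (self.rcv_nxt - seq) % SEQ_MOD
            if overlap >= len(data):
                return self.rcv_nxt
            data, seq = data[overlap:], self.rcv_nxt
        self.held[seq] = data
        # Deliver everything contiguous from rcv_nxt; the ACK then covers all earlier bytes.
        while self.rcv_nxt in self.held:
            chunk = self.held.pop(self.rcv_nxt)
            self.delivered += chunk
            self.rcv_nxt = (self.rcv_nxt + len(chunk)) % SEQ_MOD
        return self.rcv_nxt


def demo_out_of_order() -> tuple:
    """Bytes 1..9 arrive as three segments with the middle one late; ACK stalls at 4 until it lands."""
    r = Receiver(isn=0)
    acks = [r.segment(1, b"abc"), r.segment(7, b"ghi"), r.segment(4, b"def")]
    return acks, bytes(r.delivered)


def demo_wraparound() -> tuple:
    """A segment straddling 2**32 - 1 rolls the ACK number over to a small value."""
    r = Receiver(isn=SEQ_MOD - 4)            # rcv_nxt = 2**32 - 3
    ack = r.segment(SEQ_MOD - 3, b"wxyz")    # covers 2**32-3 .. 2**32, i.e. wraps through 0
    return ack, bytes(r.delivered)


if __name__ == "__main__":
    print(demo_out_of_order())   # ([4, 4, 10], b'abcdefghi')
    print(demo_wraparound())     # (1, b'wxyz')
```

The repeated ACK of 4 in the first demo is exactly the duplicate-ACK signal a sender uses to detect loss; the second demo shows why comparisons must be done modulo 2**32 rather than with plain `<`, or the rollover would look like a segment from the distant past.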
Field Controllers
- Responsible for collecting and processing I/O - Send process data to the HMI - Receive process commands from the HMI and drive the field devices - Essentially embedded microprocessor devices - Have a microprocessor and internal memory but no hard drive - Types of field controllers = RTU, IED, PLC
Ethernet/IP
- Rockwell Automation - Part of the "Common Industrial Protocol" family (CIP over Ethernet; written EtherNet/IP) - Implicit messaging (real-time I/O) - UDP - port 2222 - Explicit messaging (request/response) - TCP - port 44818
VPN Security Protocols
- SSL/TLS (most common) - IPSec - DTLS - Datagram Transport Layer Security - MPPE - Microsoft Point-to-Point Encryption - SSTP - Secure Socket Tunneling Protocol - MPVPN - Multipath VPN - SSH - Secure Shell
VSAT - Very Small Aperture Terminal
- Satellite - Industrial uses include: Well control and data acquisition, pipeline SCADA, electrical SCADA (T&D, AMI), wind farms, maritime applications (oil platforms, drilling ships, etc) - Provides voice and video applications - Uses Time Division Multiple Access. - Operates in several frequency ranges: C-Band (4-8 GHz), Ku-Band (12-18 GHz), Ka-Band (26.5-40 GHz) -- some overlap with WiMax. (Day 4, Page 126) - Configure for AC or DC power
Physical Security - Active Technical Controls
- Security Guards at access point - Door locks (special keys, man traps, biometrics, card readers) - Centralized guard staff monitoring multiple access points
DHCP Snooping (Switch-based)
- Security feature that acts like a firewall between untrusted hosts and trusted DHCP servers
Zone Characteristics
- Security policies - Asset Inventory (Physical, Logical, S/W, data) - Access Requirements and Controls - Threats & Vulnerabilities - Consequences of Security Breach - Authorized Technology - Change Management Process
Conduit Characteristics
- Security policies - Asset Inventory (Physical, Logical, S/W, data) - Access Requirements and Controls - Threats & Vulnerabilities - Consequences of Security Breach - Authorized Technology - Change Management Process *** Connected Zones (Distinguish between Conduit and Zone)
Traceroute
- Shows path a packet took to reach its destination - Can tell route's external router and therefore used to map network - A normal traceroute lists all routers - General Rule: All hosts on same network must go through the same external router and, potentially, the same F/W
Profibus
- Siemens - Operates via RS485 via twisted pair cabling, fiber optics or wireless - Profibus DP (Factory Automation) - Master Slave like Modbus - Profibus FMS (Multiple Masters, peer-to-peer) - Profibus PA (Process Automation) - for intrinsically safe apps
Wireless Eavesdropping
- Signal can be picked up from more than 300 feet away - Directional antennas (even a Pringles can) extend that from about 600 feet to several miles
Digital Protective Relay (DPR)
- Single Purpose - Microcontroller - Detects Faults in system - Reports to RTU - Example: Schweitzer Relays - Example of Intelligent End Device (IED)
Time - NTP Clock Strata
- Stratum 0 = reference clocks (atomic, GPS) attached directly to a server; not reachable over the network - Stratum 1 = primary time servers (directly attached to stratum 0) - Only strata 0 to 15 are valid - Stratum 16 = unsynchronized device
Crypto - Encryption Cipher Types
- Substitution (replaces a character or bit with another) - Transposition (scrambles the order of characters or bits) (Harris)
BCP - Off-Site Storage Factors to Consider
- Survivability of off-site storage facility - Distance from off-site to data center/airports/alternate sites - Close enough that media retrieval doesn't take too long - Far enough away to not be caught in same disaster - Electronic vaulting - Remote Journaling (only moving the journal or transaction logs to offsite/not the actual files)
VLAN Hopping
- Switch spoofing (attacker negotiates a trunk link via DTP) - Double tagging (to avoid: do not put any hosts on VLAN 1, set the native VLAN of trunk ports to an unused VLAN, and disable auto-trunking on access ports)
Crypto - Algorithm Types
- Symmetric (DES, 3DES, IDEA, Blowfish, Twofish, AES (Rijndael Block Cipher)) - Asymmetric (RSA, Elliptic Curve (ECC), Diffie-Hellman, El Gamal, DSS)
Crypto - Effective Cryptosystem Includes:
- The encryption and decryption process is efficient for all possible keys within the cryptosystem's keyspace. - The cryptosystem is easy to use. - The strength of the cryptosystem depends on the secrecy of the keys, rather than the secrecy of the algorithm.
PKI - Rules for Keys and Key Management
- The key length should be long enough to provide the necessary level of protection. - Keys should be stored and transmitted by secure means. - Keys should be extremely random and use the full spectrum of the keyspace. - The key's lifetime should correspond with the sensitivity of the data it is protecting (more sensitive data = shorter key lifetime) - The more the key is used the shorter its lifetime should be - Keys should be backed up or escrowed in case of emergencies - Keys should be properly destroyed at end of life. (Harris)
IPSec Modes
- Transport Mode (only the payload is protected; the original IP header is kept) - Tunnel Mode (the entire original packet is encapsulated and protected behind a new IP header) (Dummies)
DNS
- UDP port 53 (TCP 53 for zone transfers and responses too large for UDP)
900 mHz (33 cm band)
- UHF radio spectrum - 902 MHz to 928 MHz - Unique to ITU Region 2 (Americas, Greenland, Pacific Islands) - One of the newest radio bands - Propagation dependent upon line of sight (put repeaters on top of large hills) - Better building penetration than 2.4 GHz (longer wavelength)
WiFi - Wireless DoS Attack Mitigation
- Understand impact of a DoS attack against environment - Prepare response strategy - especially for attack against production network - Wireless IDS possible but not widely avail
Security Awareness Core Topic
- Understanding and complying with security policies and procedures
Socket
- Unique pair of ports - Source IP and Source Port connected to Dest IP and Dest Port
OPC-Aware Firewalls
- Use deep packet inspection - Validates OPC connection request message - Momentarily opens TCP Port specified by sender
Wireless Eavesdropping Mitigation
- Use strong encryption and authentication in lowest layer of protocol possible (at PHY/MAC if avail) - Use TKIP for WPA - prefer to use WPA2 (AES) - Encrypt at multiple layers - low and high - Design wireless network with minimal coverage area - Audit network with packet sniffer (Kismet, Wireshark)
VLAN
- Virtual Local Area Network (VLAN) - Partitions a Layer 2 Network into multiple distinct segments - Protocol IEEE 802.1Q (tag)
Software Installation Controls
- Whitelisting - all s/w is checked against a list approved by the org - Checksums - all s/w is checked to ensure code has not changed - Certificate - only s/w with signed certificates from trusted vendor is used - Path or domain - only s/w within a directory or domain can be installed - File extension - s/w with certain file extensions such as .bat cannot be installed
WiFi Protected Access (WPA) (2003)
- WiFi Alliance = interoperability testing for 802.11 h/w vendors, consumers - Uses TKIP (Temporal Key Integrity Protocol) - WPA2 (Preferred) - Vast improvement over WEP, requires Access Point and NIC replacement (AES-CCMP)
ISA100.11a (IEC 62734)
- Wireless standard developed by ISA - Competes with WirelessHART - Uses 6LoWPAN to gain the benefits of IPv6 - Uses 802.15.4 and Direct Sequence Spread Spectrum (DSSS) for the PHY layer - Uses Time Division Multiple Access (TDMA) and a mesh topology for the MAC layer - Removed the requirement for security keys - Offers support for asymmetric join methods and over-the-air device configuration
OPC Classic
- aka OPC DA, OPC DCOM - Dynamically assigns TCP Ports (Firewall problem) - Don't know in advance the ports - Can't define Firewall rules
ICCP
- Inter-Control Center Communications Protocol (IEC 60870-6 / TASE.2) - Client-server communication - Transfers originate with a request from one control center to another control center that owns and manages the data (client - server) - Cleartext protocol
DNS Cache Poisoning
- data is distributed to caching resolvers under the pretense of being an authoritative origin server, thereby polluting the data store with potentially false information and long expiration times (time-to-live). - subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent.
TCP - Transmission Control Protocol
- most commonly used transport protocol today - Connection-oriented communications - Guaranteed packet delivery (additional overhead to track packet delivery) - Protocols based on TCP: HTTP, FTP, POP3
Configuration Management Column Headers
- part/model # - serial number - owner - custodian - tag # - location - description - notes
What can Firmware modifications do?
- perform unknown functions - lock out authorized persons - disable features - impact the program - physically alter the functions of the ports
Vulnerabilities of Controllers & Field Devices
- physical access - network access - remote access
ICS and TCP/IP Stack
- turn off IPv6 - Disable protocols not in use - Analyze network traffic to discover misconfigured devices - From Network Enforcement zones, deny unnecessary traffic and protocols.
WiFi Masquerade Mitigation
- use 802.1x (not very practical) - Use mutual authentication protocols like PEAP (Protected Extensible Authentication Protocol) or TTLS (Tunnelled Transport Layer Security) - Use SSL/TLS for passing sensitive info to web apps (e.g., HTTPS) - Educate users on dangers of clicking YES to digital certificate warnings - Attack tool = AirSnarf
RAID Level Descriptions
0 = Striping (no redundancy) 1 = Mirroring 2 = Hamming Code Parity 3 = Byte-Level Parity (dedicated parity disk) 4 = Block-Level Parity (dedicated parity disk) 5 = Block-Level Striping with Distributed (Interleaved) Parity 7 = Single Virtual Disk (proprietary)
UDP Packet
04 89 00 35 00 2C AB B4 00 01 01 00 00 01 00 00 00 00 00 00 04 70 6F 70 64 02 69 78 06 6E 65 74 63 6F 6D 03 63 6F 6D 00 00 01 00 01
PKI - Four Basic Components
1) Certification Authority (CA) 2) Registration Authority - verify certificate contents for CA 3) Repository - distributes certificates 4) Archive - Long term storage of archived info from CA
PKI - 7 Key Management Issues
1) Key generation 2) Key distribution 3) Key installation 4) Key storage 5) Key change 6) Key control 7) Key disposal
CIP-007-1
1. Acceptance of risk / technical feasibility exceptions 2. Test procedures 3. Malicious software prevention 4. Security status monitoring 5. Disposal or redeployment 6. Cyber vulnerability assessment 7. Documentation review and maintenance
SDLC - NIST Software Development Lifecycle (SDLC)
1. Initiation 2. Development/Acquisition 3. Implementation/assessment 4. Operation/Maintenance 5. Disposal
Patch Management Program Recommendations (IT)
1. Inventory of all IT / OT assets. 2. Create a patch and vulnerability group 3. Continuously monitor for vulnerabilities, remediations and threats 4. Prioritize patch application and use phased deployments as appropriate 5. Test patches before deployment 6. Deploy enterprise-wide automated patching solutions 7. Create a remediation database 8. Use auto-updating applications as appropriate 9. Verify that vulnerabilities have been remediated. 10. Train staff on vulnerability monitoring and remediation techniques
OSI Model
1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application (Please Do Not Throw Sausage Pizza Away)
Incident Handling Process
1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned
Incident Handling
1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons Learned (may optionally add a Wait and See step). Steps from DOE (Department of Energy)
Software - Verifying Remediation
1. Verify that files or config settings the remediation was intended to correct have been changed as stated in the vendor's documentation. 2. Scan the host with a vulnerability scanner that is capable of detecting known vulnerabilities. 3. Verify whether the recommended patches were installed properly by reviewing patch logs 4. Employ exploit procedures or code and attempt to exploit the vulnerability (i.e., perform a penetration test)
Data link connector identifier
10-bit address identifier in a Frame Relay network (the Frame Relay equivalent of a MAC address). OSI Layer 2
Biometrics -- Acceptable Throughput Rate
10 per minute
Private Network Addressing
10.0.0.0 -> 10.255.255.255 (10/8), 172.16.0.0 -> 172.31.255.255 (172.16/12), 192.168.0.0 -> 192.168.255.255 (192.168/16) (RFC 1918)
Loopback Addresses
127.0.0.0 -> 127.255.255.255 (the whole 127/8 block); 127.0.0.1 is the address normally used
TCP Connections
3 way handshake - SYN - SYN-ACK - ACK
IP Address
32-bit (4-byte) logical address, assigned by the administrator or DHCP rather than fixed by the manufacturer. OSI Layer 3
Microwave Networks
3 GHz to 300 GHz, point-to-point (line-of-sight) links
Recommended Computer Room Relative Humidity
40% - 60%
MAC Address
48-bit identifier (12 hex digits) assigned by the manufacturer; the first 6 hex digits (24 bits) are the vendor's OUI (Organizationally Unique Identifier). Used at OSI Layer 2
TCP Packet
7E 21 45 00 00 4B 57 49 40 00 FA 06 85 77 C7 B6 78 0E CE D6 95 50 00 6E 04 9F 74 5B EE A2 59 9A 00 0E 50 18 24 00 E3 2A 00 00 2B 4F 4B 20 50 61 73 73 77 6F 72 64 20 72 65 71 75 69 72 65 64 20 66 6F 72 20 61 6C 65 78 75 72 2E 0D 0A 67 B2 7E
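Both raw dumps on this page (the UDP Packet card above and the TCP Packet card here) are worth decoding by hand, so here is an added example that does it in code; it is not part of the original notes. The hex bytes are copied from the two cards, and the framing is this example's reading of them: a UDP header followed by a DNS query, and a PPP-framed IPv4/TCP segment (0x7E flag bytes, compressed protocol byte 0x21 = IPv4, a trailing 16-bit FCS that is stripped rather than verified). The IP header checksum and the TCP checksum (which covers a pseudo-header) are recomputed, which is the kind of sanity check a forensic analyst wants before trusting a capture.

```python
"""Decode the page's UDP Packet (DNS query) and TCP Packet (PPP/IPv4/TCP, POP3 banner) dumps.
Added example, not from the original page."""
import struct

UDP_HEX = ("04 89 00 35 00 2C AB B4 00 01 01 00 00 01 00 00 00 00 00 00 04 70 6F 70 64 "
           "02 69 78 06 6E 65 74 63 6F 6D 03 63 6F 6D 00 00 01 00 01")
TCP_HEX = ("7E 21 45 00 00 4B 57 49 40 00 FA 06 85 77 C7 B6 78 0E CE D6 95 50 00 6E 04 9F "
           "74 5B EE A2 59 9A 00 0E 50 18 24 00 E3 2A 00 00 2B 4F 4B 20 50 61 73 73 77 6F "
           "72 64 20 72 65 71 75 69 72 65 64 20 66 6F 72 20 61 6C 65 78 75 72 2E 0D 0A 67 B2 7E")

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum of 16-bit words; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(data):
    """Data that includes its own checksum field sums to 0xFFFF when intact."""
    return ones_complement_sum(data) == 0xFFFF


def parse_dns_name(msg, off):
    """Read length-prefixed DNS labels at off; return (dotted name, offset past the root label)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointer: not expected in a plain query
            raise ValueError("compressed name at offset %d" % (off - 1))
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_udp_dns(hexdump):
    """UDP header followed by a DNS message (the UDP Packet card)."""
    data = bytes.fromhex(hexdump)
    sport, dport, length, _cksum = struct.unpack("!HHHH", data[:8])
    if length != len(data):  # a length field that disagrees with the capture is suspicious
        raise ValueError("UDP length %d but %d bytes present" % (length, len(data)))
    dns = data[8:]
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", dns[:12])
    qname, off = parse_dns_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"src_port": sport, "dst_port": dport, "udp_length": length, "txid": txid,
            "is_response": bool(flags & 0x8000), "recursion_desired": bool(flags & 0x0100),
            "qdcount": qdcount, "qname": qname, "qtype": qtype, "qclass": qclass}


def parse_ppp_ip_tcp(hexdump):
    """PPP (HDLC-like) frame: 7E flag, compressed protocol byte 0x21 (= 0x0021, IPv4),
    IPv4 datagram, 16-bit FCS, 7E flag. The FCS is stripped, not verified, here."""
    data = bytes.fromhex(hexdump)
    if data[0] != 0x7E or data[-1] != 0x7E or data[1] != 0x21:
        raise ValueError("not a PPP frame carrying IPv4")
    ip = data[2:-3]
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _hcksum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or total_len != len(ip) or proto != 6:
        raise ValueError("expected IPv4/TCP with a total length matching the frame")
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, _cksum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    # The TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "ip_id": ident, "ttl": ttl, "ip_checksum_ok": checksum_ok(ip[:ihl]),
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": window, "tcp_checksum_ok": checksum_ok(pseudo + tcp),
            "payload": tcp[data_off:].decode("ascii", "replace")}


if __name__ == "__main__":
    for k, v in parse_udp_dns(UDP_HEX).items():
        print("UDP/DNS  ", k, v)
    for k, v in parse_ppp_ip_tcp(TCP_HEX).items():
        print("PPP/IP/TCP", k, repr(v))
```

Run stand-alone, the UDP dump decodes as a DNS query (port 1161 to 53) for popd.ix.netcom.com, type A, class IN, and the TCP dump as a segment from port 110 (POP3) with PSH and ACK set whose payload is the server banner "+OK Password required for alexur." in clear text; both the IP and TCP checksums verify. The cleartext POP3 exchange, username included, is exactly the kind of traffic the WEP and MITM cards on this page are about.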
WiFi - WEP Security Issues
= Wired Equivalent Privacy - Based on a pre-shared secret common to all stations in the same wireless network - Spec never included rotation of the shared secret - Not easy to change shared secrets - WEP key can be recovered after collecting millions of packets - Tools used: WEPCrack, AirSnort, dwepcrack (written for Linux or BSD systems) - Newer fast tools: wnet/reinj, WEPWedgie (<1 hour)
Historian
A control system server and a target-rich environment: application authentication attacks, SQL injection attacks
Rogue DSL
A Digital Subscriber Line (DSL) modem installed on a corporate network in order to bypass firewalls and other security measures.
Network Interface Card (NIC)
A MAC address is uniquely allocated to this.
Safety - HAZOP - Hazard and Operability Study
A qualitative technique. A structured and systematic examination of a planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation. Initially developed to analyze chemical process systems, it has since been extended to other types of systems and to complex operations, and commonly uses software to record each deviation and its consequence.
Redundant Control Server
A backup to the control server that maintains the current state of the control server at all times.
Data Historian
A centralized database supporting data analysis using statistical process control techniques.
Steady State
A characteristic of a condition, such as value, rate, periodicity, or amplitude, exhibiting only negligible change over an arbitrarily long period of time.
Network Interface Card (NIC)
A circuit board or card that is installed in a computer so that it can be connected to a network.
Control Loop
A combination of field devices and control functions arranged so that a control variable is compared to a set point and returns to the process in the form of a manipulated variable.
Certification
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Worm
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
Application Server
A computer responsible for hosting applications to user workstations.
Router
A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.
Workstation
A computer used for tasks such as programming, engineering, and design.
Remote Terminal Unit (RTU)
A computer with radio interfacing used in remote situations where communications via wire are unavailable. Usually used to communicate with remote field equipment. PLCs with radio communication capabilities are also used in place of RTUs.
Separation of Duties
A concept that ensures no single individual has complete authority and control of a critical system or process. (Dummies)
Buffer Overflow
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Resource Starvation
A condition where a computer process cannot be supported by available computer resources. Resource starvation can occur due to the lack of computer resources or the existence of multiple processes that are competing for the same computer resources.
Single Loop Controller
A controller that controls a very small process or a critical process.
Point-to-Point Protocol (PPP)
A data link protocol used to establish a direct connection between two nodes for connection authentication, transmission encryption, and compression.
Light Tower
A device containing a series of indicator lights and an embedded controller used to indicate the state of a process based on an input signal.
Alarm
A device or function that signals the existence of an abnormal condition by making an audible or visible discrete change, or both, so as to attract attention to that condition.
Controller
A device or program that operates automatically to regulate a controlled variable.
Industrial Control System (ICS)
A device or set of devices that manages, commands, directs or regulates the behaviour of other devices or systems; bridges the cyber and physical worlds, i.e., a device that can influence the real world.
Protocol Analyzer
A device or software application that enables the user to analyze the performance of network data so as to ensure that the network and its associated hardware/software are operating within network specifications.
Wireless Device
A device that can connect to a manufacturing system via radio or infrared waves to typically collect/monitor data, but also in cases to modify control set points.
Printer
A device that converts digital data to human-readable text on a paper medium.
Sensor
A device that produces a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow)
Pressure Regulator
A device used to control the pressure of a gas or liquid.
Modem
A device used to convert serial digital data from a transmitting terminal to a signal suitable for transmission over a telephone channel to reconvert the transmitted signal to serial digital data for the receiving terminal.
Fieldbus
A digital, serial, multi-drop, two-way data bus or communication path or link between low-level industrial field equipment such as sensors, transducers, actuators, local controllers, and even control room devices. Use of fieldbus technologies eliminates the need of point-to-point wiring between the controller and each device. A protocol is used to define messages over the fieldbus network with each message identifying a particular sensor on the network.
User Datagram Protocol (UDP)
A fast, connectionless protocol with minimal overhead: no handshake, no retransmission or ordering, and only an optional checksum. Suited to real-time data, multimedia, VoIP.
Input/Output (I/O)
A general term for the equipment that is used to communicate with a computer as well as the data involved in the communications.
Supervisory Control and Data Acquisition (SCADA)
A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.
Distributed Plant
A geographically distributed factory that is accessible through the Internet by an enterprise.
Local Area Network (LAN)
A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.
Machine Controller
A control system/motion network that electronically synchronizes drives within a machine system instead of relying on synchronization via mechanical linkage.
Trapdoor (aka Backdoor)
A hidden entry point into a system or application that is usually triggered by a certain command or keyboard sequence. (Harris)
Virus
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Photo Eye
A light sensitive sensor utilizing photoelectric control that converts a light signal into an electrical signal, ultimately producing a binary signal based on an interruption of a light beam.
Access Control List (ACL)
A list of Access Control Entries (ACE) that identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. two types: a discretionary access control list (DACL) and a system access control list (SACL) .
Fiber Distributed Data Interface (FDDI)
A logical network architecture similar to a Token Ring, except two rings are used for redundancy. Data on the two rings travel in opposite directions. Only one ring carries data at a time; the second is held in reserve for redundancy. Often the physical network architecture is also a ring rather than a star.
Attack - Social Engineering
A low tech attack method that employs techniques such as dumpster diving and shoulder surfing. (Dummies) A practice of obtaining confidential information by manipulation of legitimate users (ISA)
Control Algorithm
A mathematical representation of the control action to be performed.
Access Control List (ACL)
A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources.
Role Based Access Control (RBAC)
A method of access control (generally classed as non-discretionary) in which access decisions are based on group membership, according to organizational or functional roles.
Local Group Policy (LGP)
A more basic version of a Group Policy for standalone, nondomain machines for applying environmental changes.
Nondeterministic
A network attribute that does not guarantee new data will arrive within a predefined timeframe, and typically has a frame size that varies. Example: IEEE 802 standard Ethernet
Deterministic
A network attribute that guarantees new data will arrive within a predefined interval and with a predictable packet size. Ex. Asynchronous Transfer Mode (ATM)
Address Resolution Protocol (ARP)
A network protocol used to determine a MAC address based on the IP Address.
Reverse Address Resolution Protocol (RARP)
A network protocol used to determine an IP address based on the MAC Address.
Remote Authentication Dial In User Service (RADIUS)
A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect to and use a network service. Credentials are sent to a Remote Access Server (RAS) over a link-layer protocol (e.g., PPP); the RAS then forwards them to the RADIUS server.
Proximity Sensor
A non-contact sensor with the ability to detect the presence of a target within a specified range.
IPSec - What is Security Association (SA) in IPSec
A one-way connection. You need a minimum of two for two-way communications. (Dummies)
Patch
A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Patches are often called "fixes."
Unauthorized Access
A person gains logical or physical access without permission to a network, system, application, data, or other resource.
Wide Area Network (WAN)
A physical or logical network that provides data communications to a larger number of independent users than are usually served by a local area network (LAN) and that is usually spread over a larger geographic area than that of a LAN.
Actuator
A pneumatic, hydraulic, or electrically powered device that supplies force and motion so as to position a valve's closure member at or between the open or closed position.
Least Privilege
A principle requiring that a subject is granted only the minimum privileges necessary to perform an assigned task. (Dummies)
Data Manipulation
A process of altering register data so as to change output status, without altering the ladder program. (www.toolingu.com)
Baseline
A process that identifies a consistent basis for an organization's security architecture, taking into account system-specific parameters, such as different operating systems. (Dummies) A minimum level of security necessary throughout the organization (CISA)
Batch Process
A process that leads to the production of finite quantities of material by subjecting quantities of input materials to an ordered set of processing activities over a finite time using one or more pieces of equipment.
Continuous Process
A process that operates on the basis of continuous flow, as opposed to batch, intermittent, or sequenced operations.
Key Logger
A program designed to record which keys are pressed on a computer keyboard used to obtain passwords or encryption keys and thus bypass other security measures.
Process Controller
A proprietary computer system, typically rack-mounted, that processes sensor input, executes control algorithms, and computes actuator outputs.
SQL Server
A relational database management system developed by Microsoft whose primary function is to store and retrieve data.
Database
A repository of information that usually holds plantwide information including process data, recipes, personnel data, and financial data.
Virtual Private Network (VPN)
A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
Router Flapping
A router that transmits routing updates alternately advertising a destination network first via one route, then via a different route.
Intrusion Detection System (IDS)
A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Temperature Sensor
A sensor system that produces an electrical signal related to its temperature and, as a consequence, senses the temperature of its surrounding medium.
Pressure Sensor
A sensor system that produces an electrical signal related to the pressure acting on it by its surrounding medium. Pressure sensors can also use differential pressure to obtain level and flow measurements.
DMZ
A separation between two trust zones in the ISA-99/Purdue architecture
Domain Controller
A server responsible for managing domain information, such as login identification and passwords.
Control Server
A server that hosts the supervisory control system, typically a commercially available application for DCS or SCADA system.
Nonrepudiation
A service that ensures that the sender cannot later falsely deny sending a message and the receiver cannot deny receiving the message. (Harris)
Group Policy Objects (GPOs)
A set of Windows environment configurations that is transmitted to a machine using Active Directory
Object Linking and Embedding (OLE) for Process Control (OPC)
A set of open standards developed to promote interoperability between disparate field devices, automation/control, and business systems.
Standard
A set of requirements or a framework that provides guidance on what must be done to support the policy. May differ between business units; specific to a business use.
Protocol
A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems.
Baseline Configuration
A set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. Used as a basis for future builds, releases, and/or changes. (NIST)
Programmable Logic Controller (PLC)
A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.
Protocol Stack
A specific set of protocols for communications on a network. Example: Communicating with a web page requires Ethernet,TCP/IP, HTTP, or HTTPS
System Access Control Lists (SACLs)
A specific type of Access Control List (ACL) that enables administrators to log attempts to access a secured object like NTFS files, printers and registry entries.
Discretionary Access Control List (DACL)
A specific type of Access Control List (ACL) that identifies the trustees that are allowed or denied access to a securable object.
Extensible Markup Language (XML)
A specification for a generic syntax to mark data with simple, human-readable tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations.
Simple Network Management Protocol (SNMP)
A standard TCP/IP protocol for network management. Network administrators use SNMP to monitor and map network availability, performance, and error rates. To work with SNMP, network devices utilize a distributed data store called the Management Information Base (MIB). All SNMP-compliant devices contain a MIB which supplies the pertinent attributes of a device. Some attributes are fixed or "hard-coded" in the MIB, while others are dynamic values calculated by agent software running on the device.
Procedure
A step by step process to accomplish the end goal. If Standards are documents identifying what needs to be done then procedures are the How they are done.
Password
A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
Field Site
A subsystem that is identified by physical, geographical, or logical segmentation within the ICS. A field site may contain RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
Control System
A system in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include SCADA, DCS, PLCs and other types of industrial measurement and control systems.
SCADA
A system operating with coded signals over communication channels so as to provide control of remote equipment (using typically one communication channel per remote station).
Intrusion Prevention System (IPS)
A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
Enterprise Resource Planning (ERP) System
A system that integrates enterprise-wide information including human resources, financials, manufacturing, and distribution as well as connects the organization to its customers and suppliers.
Safety Instrumented System (SIS)
A system that is composed of sensors, logic solvers, and final control elements whose purpose is to take the process to a safe state when predetermined conditions are violated. Other terms commonly used include emergency shutdown system (ESS), safety shutdown system (SSD), and safety interlock system (SIS).
Manufacturing Execution System (MES)
A system that uses network computing to automate production control and process automation. By downloading recipes and work schedules and uploading production results, a MES bridges the gap between business and plant-floor or process-control systems.
Supervisory Control
A term that is used to imply that the output of a controller or computer program is used as input to other controllers.
Account expiration
A time limit that is applied to the life of an account, so that it can be used only for a predetermined period of time. (MSFT)
Attack - Man-in-the-Middle (MITM)
A type of attack in which an attacker intercepts messages between two parties and forwards a modified version of the original message. (Dummies)
Variable Frequency Drive (VFD)
A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.
DC Servo Drive
A type of drive that works specifically with servo motors. It transmits commands to the motor and receives feedback from the servo motor resolver or encoder.
Discrete Process
A type of process where a specified quantity of material moves as a unit (part or group of parts) between work stations and each unit maintains its unique identity.
ATM Cell
A unit of data transported over an Asynchronous Transfer Mode (ATM) network; it is of a constant size (53 bytes, of which 48 carry the payload) to facilitate Quality of Service (QoS)
Solenoid Valve
A valve actuated by an electric coil. A solenoid valve typically has two states: open and closed.
Asynchronous Transfer Modules (ATM)
A very high speed, relatively expensive alternative and seldom used method for sending signals over a wire. Connection-oriented, deterministic, uses a fixed cell size of 53 bytes (unlike Ethernet's variable frames). Typically used to interconnect networks over large distances that require a high-speed backbone.
Disaster Recovery Plan (DRP)
A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.
Backup Solutions
ARCserve, Backup Exec, NetBackup, UltraBac, EMC NetWorker, Backup Express, CommVault, OmniBack II, Data Protector
Man-in-the-Middle Attacks
ARP spoofing (poisoning) is used to ensure traffic between two hosts passes through the attacker's machine, where it can be intercepted or manipulated
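Because ARP has no authentication, any host can answer for any IP, which is what makes the MITM set-up above work; the defensive counterpart is to watch ARP replies for an IP whose MAC suddenly changes. The following is an added example, not part of the original notes: it builds two constructed Ethernet/ARP frames (a genuine gateway reply, then an attacker claiming the gateway's IP; all MACs and IPs are made up) and runs them through a small arpwatch-style tracker.

```python
"""ARP-poisoning detection from raw Ethernet/ARP frames. Added example, not from the page;
every frame, IP and MAC below is constructed test data."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame + ARP reply, as a host (or an attacker) would put it on the wire."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype Ethernet, ptype IPv4
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_P_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(eth_src),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatcher:
    """Remembers the first MAC seen claiming each IP and alerts when a later reply disagrees."""

    def __init__(self):
        self.table = {}  # sender IP -> MAC first seen claiming it

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        # An Ethernet source that differs from the ARP sender address is a classic forgery tell.
        if arp["eth_src"] != arp["sender_mac"]:
            alerts.append("frame from %s carries ARP sender %s" % (arp["eth_src"], arp["sender_mac"]))
        if arp["op"] == ARP_REPLY:
            known = self.table.setdefault(arp["sender_ip"], arp["sender_mac"])
            if known != arp["sender_mac"]:
                alerts.append("%s changed from %s to %s (possible ARP poisoning)"
                              % (arp["sender_ip"], known, arp["sender_mac"]))
        return alerts


# Constructed scenario: the real gateway answers the victim, then an attacker claims the gateway's IP.
GATEWAY_IP, VICTIM_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
GATEWAY_MAC = bytes.fromhex("001122334455")
VICTIM_MAC = bytes.fromhex("00aabbccddee")
ATTACKER_MAC = bytes.fromhex("deadbeef0001")
LEGIT_REPLY = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
SPOOFED_REPLY = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)


def run_scenario():
    """Feed both replies to a fresh watcher; returns (alerts for the real reply, alerts for the spoof)."""
    watcher = ArpWatcher()
    return watcher.observe(LEGIT_REPLY), watcher.observe(SPOOFED_REPLY)


if __name__ == "__main__":
    for alerts in run_scenario():
        print(alerts or "no alert")
```

The first reply is learned silently; the second triggers an alert because 192.168.1.1 is now being claimed by a different MAC. A real deployment would seed the table from a known-good inventory rather than trusting the first reply seen, and would also treat gratuitous replies nobody asked for as suspicious.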
Remote Desktop Services Application Virtualization
Ability to host an individual application on an RDP server. To the end user the application appears to be running locally but is actually running on, and patched on, a remote server.
ACL
Access Control List
Remote Access
Access by users (or information systems) communicating external to an information system security perimeter.
Mandatory Access Control (MAC)
Access model based on security clearance of subject and classification attributes of object. Type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.
IPv4
32-bit addresses, giving roughly 4.3 billion (2^32 = 4,294,967,296) unique values
Binary Disk Image Solutions
Acronis and Symantec Ghost
Devices
Field devices that sense and actuate the physical process (sensors, actuators, valves, drives)
SQL Injection
Injecting quote/escape characters and SQL syntax into input fields so that the application executes attacker-chosen SQL commands
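The mechanism, as an added example that is not part of the original notes: a login query built by string concatenation lets a quote in the input close the literal and the remainder run as SQL, while the same input passed as a bound parameter is just data. The in-memory sqlite3 table and its two accounts are constructed for the example (passwords are stored in clear only to keep the demo short).

```python
"""SQL injection: string-built query versus parameterised query. Added example, not from the page."""
import sqlite3


def make_db():
    """In-memory user table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("operator", "s3cret", "operator"), ("admin", "hunter2", "admin")])
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Returns (rows returned with an injected password, rows when the same input is parameterised)."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into (... AND password='') OR '1'='1'
    return login_vulnerable(conn, "nobody", payload), login_safe(conn, "nobody", payload)


if __name__ == "__main__":
    injected, safe = demo()
    print("vulnerable query returned:", injected)
    print("parameterised query returned:", safe)
```

Two payload shapes are worth knowing: `' OR '1'='1` in the password field returns every row because the injected OR binds after the AND, and `admin' --` in the username field comments out the password check entirely. Note the fix is parameterisation, not hand-written escaping.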
ARP
Address Resolution Protocol
Wired WAN Technology
All examples of this technology: dedicated (leased) lines, Frame Relay, MPLS, ISDN, DSL, cable modems
RF Mesh Networks
Allow each participating device (or node) to route data to other devices. Commonly used in wireless networks where there are: - Large number of devices - Devices have problems all seeing a central access point - A more flexible, "self-healing" network is preferred - Latency is less of a concern.
User Account
Allows a user to authenticate to system services and be granted authorization to access them; however, authentication does not imply authorization.
AC
Alternating Current
AGA
American Gas Association
API
American Petroleum Institute
Permanent Virtual Circuit (PVC)
An Asynchronous Transfer Mode (ATM) shared communications channel (circuit) that is configured in advance, usually manually.
Switched Virtual Circuit (SVC)
An Asynchronous Transfer Mode (ATM) shared communications channel (circuit) that is set up automatically, on the fly, using a signaling protocol.
LDAP - Lightweight Directory Access Protocol
An Internet Protocol (IP) directory access protocol and data model that supports authentication (via the LDAP bind operation) and directory functions; commonly used as the authentication back end for remote access. Vendors = Microsoft Active Directory, CA eTrust Directory, Apache Directory Server, Novell eDirectory, IBM SecureWay and Tivoli Directory Server, Sun Directory Server. OpenLDAP and tinyldap are open source versions.
Servo Valve
An actuated valve whose position is controlled using a servo actuator.
Configuration Item (CI)
An aggregation of Information System components that is designated for configuration management and treated as a single entity in the configuration management process.
Protected Enclaves
An approach to defence-in-depth that involves segmenting your network using multiple VPNs, VLAN segmentation, switches, or firewalls to separate out networks. Reducing the exposure of a system can greatly reduce risk. Restricting access to critical segments.
Uniform Protection
An approach to defence-in-depth that treats all systems as equally important. Most common approach taken. Firewall, VPN, antivirus, patching etc.
Information Centric
An approach to defence-in-depth that you identify critical assets and provide layered protection. Network -> Host -> Application -> Information. Thoroughly checking the data leaving your network.
Attack - Directory Traversal
An attack that supplies "../" sequences (or their encoded equivalents) in a path parameter so that a web application reads files outside the directory it was meant to serve from.
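How the traversal works and how to block it, as an added example that is not part of the original notes. The document root `/srv/app/public` is hypothetical. The vulnerable resolver simply joins the request path onto the root; the hardened one percent-decodes once (as a web server would), rejects NUL bytes, canonicalises with realpath and refuses any result that is not under the root. It does not cover Windows backslash separators or double-encoding, which a production filter must also handle.

```python
"""Directory traversal: unsafe path join beside a canonicalise-and-check version.
Added example, not from the page; WEB_ROOT is a hypothetical document root."""
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"  # hypothetical document root


def resolve_vulnerable(request_path):
    """Trusts the request path: '../' walks out of WEB_ROOT and an absolute path replaces it entirely."""
    return os.path.normpath(os.path.join(WEB_ROOT, request_path))


def resolve_safe(request_path):
    """Percent-decode once, pin the path under WEB_ROOT, and refuse anything that escapes it."""
    decoded = unquote(request_path)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based runtimes
        raise ValueError("NUL byte in path")
    root = os.path.realpath(WEB_ROOT)
    # lstrip('/') stops os.path.join from discarding the root on an absolute request path
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath on both sides so symlinks cannot be used to fake a prefix match
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes document root: %r" % request_path)
    return candidate


def is_allowed(request_path):
    """True if resolve_safe accepts the path, False if it rejects it."""
    try:
        resolve_safe(request_path)
    except (PermissionError, ValueError):
        return False
    return True


if __name__ == "__main__":
    for p in ("reports/daily.txt", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print("%-40r vulnerable -> %-30s safe -> %s" % (p, resolve_vulnerable(p), is_allowed(p)))
```

The same request `../../../etc/passwd` resolves to `/etc/passwd` through the vulnerable function and is rejected by the safe one, as is its percent-encoded form; an absolute `/etc/passwd` replaces the root outright in the vulnerable version but is served from inside the root by the safe one.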
Attack - Denial of Service (DoS)
An attack on a system or network with the intention of making the system or network unavailable for use. (Dummies) In the context of ICS, can refer to loss of process function, not just loss of data communictions. (ISA)
Attack
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.
Social Engineering
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
Relays
An electrically operated switch. Relay-based control logic is complicated to configure, cumbersome and expensive
Relay
An electromechanical device that completes or interrupts an electrical circuit by physically moving conductive contacts. The resultant motion can be coupled to another mechanism such as a valve or breaker.
Insider
An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
Control Center
An equipment structure or group of structures from which a process is measured, controlled, and/or monitored.
Valve
An in-line device in a fluid-flow system that can interrupt flow, regulate the rate of flow, or divert flow to another branch of the system.
Set Point
An input variable that sets the desired value of the controlled variable. This variable may be manually set, automatically set, or programmed.
Read Only Domain Controllers (RODCs)
An installation of a Domain Controller in a remote branch location where there are no trusted IT personnel to maintain it.
Operating System
An integrated collection of service routines for supervising the sequencing of programs by a computer. An operating system may perform the functions of input/output control, resource scheduling, and data management. It provides application programs with the fundamental commands for controlling the computer.
Firewall
An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional.
Lightweight Directory Access Protocol (LDAP)
An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network
Enterprise
An organization that coordinates the operation of one or more processing sites.
Disturbance
An undesired change in a variable being applied to a system that tends to adversely affect the value of a controlled variable.
Backdoor
An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
Maintenance
Any act that either prevents the failure or malfunction of equipment or restores its operating capability.
Threat
Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Intelligent Electronic Device (IED)
Any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers).
Modbus TCP Encapsulation
Modbus PDUs carried over TCP port 502, each prefixed with a 7-byte MBAP header (transaction ID, protocol ID, length, unit ID). The protocol itself has no authentication or encryption: any host that can reach port 502 can read and write registers.
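The encapsulation described above, as an added example written for this page (not code from the original or from any Modbus library): it builds a Read Holding Registers (FC 03) request with a correct MBAP header and parses a normal reply and an exception reply. The sample reply bytes are constructed for the example, not captured from a device.

```python
import struct

MODBUS_TCP_PORT = 502            # registered Modbus/TCP port
PROTOCOL_ID_MODBUS = 0           # MBAP protocol identifier is always 0 for Modbus
FC_READ_HOLDING_REGISTERS = 0x03
EXCEPTION_FLAG = 0x80            # set in the function code of an error reply


def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2), length (2), unit id (1).
    The length field counts the unit id byte plus every PDU byte. Nothing in
    the frame authenticates the sender: any host that can reach port 502 can
    issue reads (and, with FC 06/16, writes).
    """
    if not 1 <= count <= 125:
        raise ValueError("Modbus allows 1..125 holding registers per read")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS,
                       len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(data):
    """Split a Modbus/TCP ADU into MBAP fields and PDU, checking the length field."""
    if len(data) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != PROTOCOL_ID_MODBUS:
        raise ValueError(f"unexpected protocol id {pid}")
    pdu = data[7:]
    if length != len(pdu) + 1:
        raise ValueError(f"MBAP length {length} != unit id + PDU ({len(pdu) + 1})")
    return {"transaction_id": tid, "unit_id": uid, "function": pdu[0], "pdu": pdu}


def parse_read_registers_response(data):
    """Decode a FC 03 reply, or the exception reply the device sends instead."""
    adu = parse_adu(data)
    pdu = adu["pdu"]
    if pdu[0] & EXCEPTION_FLAG:
        # Exception reply: function | 0x80, then a one-byte exception code
        # (e.g. 0x02 = illegal data address).
        return {**adu, "function": pdu[0] & 0x7F, "exception": pdu[1]}
    if pdu[0] != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"not a FC 03 reply: {pdu[0]:#x}")
    byte_count = pdu[1]
    if byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    regs = struct.unpack(f">{byte_count // 2}H", pdu[2:])
    return {**adu, "registers": list(regs)}


# Constructed sample frames (not captured from a real device): a FC 03 reply
# carrying two registers, and an exception reply for an illegal address.
SAMPLE_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 0102 0304".replace(" ", ""))
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02".replace(" ", ""))

if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 0, 2).hex())
    print(parse_read_registers_response(SAMPLE_REPLY))
    print(parse_read_registers_response(SAMPLE_EXCEPTION))
```

The length check in parse_adu is the one a firewall or IDS should also perform: a frame whose MBAP length disagrees with the bytes on the wire is either a broken stack or an attempt to confuse inspection.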
Authentication Bypass
Application fails to properly authenticate a user
Mobile Devices / BYOD
Application should be fully understood
BitLocker
Full-volume encryption for system drives, data drives, USB flash drives and SD cards; keys can be protected by the TPM, a PIN, a USB startup key or (for data drives) a smart card. Added in Windows Vista; BitLocker To Go for removable drives was added in Windows 7.
Guideline
Approaches and practices to achieve the items identified in Standards. Provides methods for supporting what needs to be done. Meant to be best practice document, but not mandatory. Can change regularly
Crypto - RSA
Asymmetric key algorithm whose security rests on the difficulty of factoring the product of two large primes.
Elevation of Privilege (EoP)
Attack method that exploits a flaw in software or a service running with higher privileges to gain additional privileges on a system.
Shamoon
2012 wiper attack on Saudi Aramco. The malware collected and reported information, then overwrote files and the master boot record, leaving tens of thousands of workstations unbootable and the network wiped.
Birthday Attack
Attack on hash functions through brute force, exploiting the birthday paradox: finding any two messages with the same hash value takes on the order of 2^(n/2) attempts for an n-bit hash, far fewer than the 2^n needed to match one specific hash.
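The birthday search described above, as an added example (not code from the original page): it truncates SHA-256 to 32 bits to stand in for a short hash and collects digests until one repeats, which happens after roughly 2^16 attempts rather than the 2^32 a preimage search would need. The messages are constructed for the example.

```python
import hashlib
import itertools
import math


def truncated_hash(msg, bits):
    """First `bits` bits of SHA-256 as an int. Truncation stands in for a short
    or weak hash; the search cost depends only on the output size, not on the
    internals of the function."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_bound(bits):
    """Expected number of random inputs before the first collision,
    sqrt(pi/2 * 2^bits), i.e. on the order of 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits, prefix=b"msg-"):
    """Birthday search: hash distinct messages, remembering each digest, until
    one repeats. Returns (msg_a, msg_b, attempts). A preimage search against
    one target digest would need about 2^bits attempts instead."""
    seen = {}
    for i in itertools.count():
        msg = prefix + i.to_bytes(8, "big")   # constructed, all distinct
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    bits = 32
    a, b, n = find_collision(bits)
    print(f"{bits}-bit collision after {n} hashes (expected ~{birthday_bound(bits):.0f}, "
          f"preimage search would need ~{2 ** bits})")
    print(a, b, hex(truncated_hash(a, bits)))
```

This is why hash output size is chosen for collision resistance (a 128-bit hash offers only about 64 bits of work against a birthday attack) and why attacks that let the adversary choose both messages are so much cheaper than attacks against a fixed document.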
Physical Attacks
Attack vector that trumps logical controls: physical access to one remote device (a field cabinet, RTU or unattended workstation) is leveraged to reach other devices on the same network.
Firmware Attacks
Attack vector in which a device's firmware or memory chips are extracted and analysed to recover keys and find vulnerabilities, after which modified (malicious) code is re-uploaded to the device.
Fragmentation Attacks
Attacks that split a malicious payload across multiple IP fragments so that an IDS inspecting packets individually never sees the whole payload. Other variants send fragments with overlapping or contradictory offsets, which can crash a router or host IP stack or leave it in an abnormal state. Another form sends thousands of initial fragments and never the rest, exhausting the IP stack's reassembly buffers.
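The three abuses above, as detection logic in an added example (not code from the original page): fragments are grouped by IP ID and checked for overlapping offsets, a first fragment too small to carry a transport header (so port-based filtering cannot see the ports), holes, and datagrams that never complete. The fragment lists are constructed for the example, not taken from a capture.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    """The IP header fields that matter for reassembly."""
    ip_id: int      # Identification: ties fragments of one datagram together
    offset: int     # Fragment Offset, in 8-byte units as carried in the header
    length: int     # payload bytes in this fragment
    more: bool      # MF flag: True on every fragment except the last


def analyze_fragments(fragments, min_first_bytes=20):
    """Group fragments by IP ID and flag reassembly abuses.

    Returns a sorted list of (ip_id, finding) where finding is one of:
      overlap     - two fragments claim the same byte range (contradictory offsets)
      tiny-first  - first fragment too short to hold a full transport header
      gap         - a final fragment arrived but bytes are missing
      incomplete  - no final fragment (MF=0) ever arrived
      bad-length  - non-final fragment whose length is not a multiple of 8
    """
    by_id = {}
    for f in fragments:
        by_id.setdefault(f.ip_id, []).append(f)

    findings = set()
    for ip_id, group in by_id.items():
        has_last = any(not f.more for f in group)
        spans = sorted((f.offset * 8, f.offset * 8 + f.length) for f in group)
        if spans[0][0] > 0 and has_last:
            findings.add((ip_id, "gap"))          # first fragment never seen
        for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
            if start_b < end_a:
                findings.add((ip_id, "overlap"))
            elif start_b > end_a and has_last:
                findings.add((ip_id, "gap"))
        for f in group:
            if f.more and f.length % 8:
                findings.add((ip_id, "bad-length"))
            if f.offset == 0 and f.more and f.length < min_first_bytes:
                findings.add((ip_id, "tiny-first"))
        if not has_last:
            findings.add((ip_id, "incomplete"))
    return sorted(findings)


# Constructed fragment lists (not from a capture): one clean datagram, one with
# overlapping offsets, one with a hole, and a flood of first fragments with no tail.
SAMPLE = [
    Fragment(1, 0, 1480, True), Fragment(1, 185, 100, False),    # clean: 1480/8 = 185
    Fragment(2, 0, 1480, True), Fragment(2, 100, 1480, False),   # 800..2280 overlaps 0..1480
    Fragment(4, 0, 1480, True), Fragment(4, 200, 40, False),     # bytes 1480..1600 missing
] + [Fragment(1000 + i, 0, 8, True) for i in range(50)]          # 50 tiny initial fragments

if __name__ == "__main__":
    for ip_id, finding in analyze_fragments(SAMPLE):
        print(ip_id, finding)
```

A real reassembly engine must also bound how long and how much memory it holds incomplete datagrams; the "incomplete" count here is exactly the number that would otherwise accumulate until the buffer is exhausted.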
Active Directory (AD)
Authenticates and authorizes all users on a Windows domain network. Assigns security policies and installs or updates software.
AIC
Availability, Integrity, Confidentiality
Interface Identifier (IPv6)
Last 64 bits (8 bytes) of an IPv6 address. Historically derived from the MAC address of the NIC (modified EUI-64); random or stable-privacy identifiers are now common because a MAC-derived identifier exposes the vendor and allows a host to be tracked across networks.
Internet Protocol (IP)
Basis for all communication on the Internet. Core routing protocol that performs transmission of packets and defines addressing scheme. Relies on Upper layer protocols to handle guaranteed delivery, sequencing etc. OSI Layer 3
Patch Management
Bigfix, Shavlik, GFI ...
Change Control Board (CCB)
Board that ensures changes to policy are made within control parameters as part of configuration management process.
Physical Incidents
Break-ins unauthorized access to cyber assets
iptables
Built-in Linux stateful packet filter (user-space front end to netfilter) with NAT capability.
BCP
Business Continuity Plan
Level 4
Business Unit or Site-Specific Network (plant network) in the ISA-99/Purdue architecture - local site enterprise data
PCAP
Packet capture. The captured payload can be read when traffic is transmitted in clear text, or when the capturing party controls the system sending or receiving it (and therefore holds the session keys).
Wireless
Cellular, Mesh, Licensed Radio (330mhz-512mhz), Unlicensed (902mhz-928mhz), Microwave, Satellite uplink
CPU
Central Processing Unit
Multi-station Access Unit (MAU)
Central device in a Token Ring network which passes the Token from device to device serially in order and in a one-way direction.
CPNI
Centre for the Protection of National Infrastructure
VSAT Security Challenges
Challenges: - Disturbance of line-of-sight alignment - Weather - Extreme solar activity - Reliance on a power source at the remote site - Link jamming/interception - Lightning (Day 4, Page 127)
Configuration Auditing
Check that: - Change was recorded correctly and work matched the Request for Change (RFC) - Change had appropriate risk level - Configuration items updated appropriately - Documentation updated (CISCO)
CIDX
Chemical Industry Data Exchange
CIH Virus
Chernobyl virus (1998) - payload triggers on April 26th each year, overwriting the start of the hard disk and attempting to flash the BIOS
wecutil.exe
Command line tool to manage the Windows Event Collector Utility.
SECEDIT
Command line version of Security Configuration and Analysis (SCA) tool. Compare a system against a template and produce a log file. Security Policy Verification.
OSI PI
Commercial Historian software. Most popular historian on the market today.
COTS
Commercial Off-the-Shelf
Metasploit Meterpreter
Metasploit's in-memory post-exploitation payload, commonly delivered by buffer overflow and other exploits. Provides a shell, file system and process access, and diagnostic information about the compromised host.
CVE
Common Vulnerabilities and Exposures
Cyber Attack Indications
Comms bogged down, unexplained connections, comms links loss, inexplicable behavior of control systems, new items
Front End Processing (FEP)
Communicates with multiple RTUs using multiple protocols and presents a single Modbus interface for all devices to the master
ICCP (Inter-Control Center Communications Protocol)
Communication between electrical operators (ISOs) or utilities. IEC 60870-6 / TASE.2, carried over MMS on TCP port 102. No authentication and no encryption by default (the IEC 62351 security extensions add them).
CSE
Communications Security Establishment
Inter-Control Center Communications Protocol (ICCP)
Communications technology that provides status information between control systems typically owned by different parties.
CSRC
Computer Security Resource Center
CIA
Confidentiality, Integrity, Availability
syslog.conf
Configuration file used by Linux system logger daemon. Selectors (Facility,Log Level) on left and Actions on right.
Group Policy Objects (GPOs)
Configuration scripts stored in Active Directory (AD). Processed in the following order 1. Local 2. Site 3. Domain 4. Organizational Unit (OU)
Subnet ID
Configured according to the IPv6 needs of an organization. Middle 16 bits (2 bytes). For flat IPv6 networks this can usually be 0000 (aka ::)
Safety Instrumented System (SIS)
Consists of an engineered set of hardware and software controls used on critical process systems where loss of life, environmental damage or financial loss can occur.
Cryptosystem
Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.
Windows XP Mitigation
Consult ICS vendors. Modernize hardware if possible. Update OS to final patch levels. System hardening. Additional Controls. Develop Testing capability. Virtualization.
CSSC
Control System Security Center
Information Leakage
Control Systems on Internet, Port Scan, Google Search Hacks, SHODAN searches
Level 1
Control devices in the ISA-99/Purdue architecture - PLCs/controllers, tag list mappings, set points, firmware, system applications, memory with data tables, logic/instructions, point information, device configurations
Crypto - Encryption
Conversion of plaintext to ciphertext through the use of a cryptographic algorithm. (FIPS 185)
Virtual LAN (VLAN)
Creates separation of a network using software in the Switch rather than hardware (additional physical switches). Can segment a network regardless of the network port used on a switch. Help to control the visibility of systems on a network.
Google Hacking
Creative searches in google to find exposed systems
CIP
Critical Infrastructure Protection
CMVP
Cryptographic Module Validation Program
Encryption
Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption", which is a transformation that restores encrypted data to its original state.
Cryptography vs Cryptanalysis
Cryptography = Science of encrypting and decrypting written communications. Cryptanalysis = process of trying to decrypt encrypted data WITHOUT the key or breaking the encryption.
Policy Governance
Culture of compliance, Compliance Controls, Policies must be reviewed and updated
CRPA
Cyber Risk Preparedness Assessments - run by the ES-ISAC
Discretionary Access Control
DAC is an acronym for
Procurement Language Tool Kit
DHS - Designed for asking technology vendors security questions when purchasing equipment
DHS CSET
DHS Cyber Security Evaluation Tool (CSET) for assessing control systems and IT systems against a chosen set of standards
Entropy
Measure of the randomness or unpredictability of data. Cryptographic keys and ciphertext have high entropy, which is why scanning memory or a disk image for high-entropy regions is a practical way to locate encryption keys.
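Key-finding by entropy, as an added example written for this page (not code from the original): a sliding window measures Shannon entropy across an image and merges the windows that score high into regions. The image is constructed inline, low-entropy text and zero padding with a 64-byte pseudo-random "key" embedded at a known offset, so the scan can be checked against where the key really is.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for constant data, up to 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(buf, window=64, step=16, threshold=5.2):
    """Slide a window over buf and merge windows whose entropy exceeds the
    threshold into (start, end, max_entropy) regions. In a memory or firmware
    image these regions are where keys, nonces and ciphertext live; text, code
    and padding score well below. A 64-byte window cannot exceed 6.0 bits, so
    the threshold is relative to the window size, not to 8.0."""
    regions = []
    for off in range(0, len(buf) - window + 1, step):
        h = shannon_entropy(buf[off:off + window])
        if h < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end, max(regions[-1][2], h))
        else:
            regions.append((off, end, h))
    return regions


# Constructed image (not a real dump): low-entropy text and zero padding with a
# 64-byte pseudo-random "key" embedded at KEY_OFFSET.
_rng = random.Random(2024)
KEY_OFFSET = 256
KEY_LEN = 64
SAMPLE_KEY = bytes(_rng.getrandbits(8) for _ in range(KEY_LEN))
_text = (b"plc-01 reading ok\n" * 32)[:KEY_OFFSET]
SAMPLE_IMAGE = _text + SAMPLE_KEY + _text + bytes(128)

if __name__ == "__main__":
    for start, end, h in find_high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy region {start}-{end} ({h:.2f} bits/byte); "
              f"key actually at {KEY_OFFSET}-{KEY_OFFSET + KEY_LEN}")
```

The reported region is slightly wider than the key because windows that straddle its edges still score high; a second pass with a smaller window, or a check for known key-schedule structure, narrows it. Compressed data scores high as well, which is the main source of false positives on real images.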
Historians
Data warehouse for ICS
Geographic Information System (GIS)
Database containing Global Positioning System (GPS) information and maps or charts of assets.
DMZ
Demilitarized Zone
DoS
Denial of Service
DOE
Department of Energy
DHS
Department of Homeland Security
ICS-CERT
Department of Homeland Security (DHS) NCCIC Industrial Control Systems Cyber Emergency Response Team
Setpoints
Desired process output that a control system will aim to reach.
Malware Capabilities
Destroy data, leak info, backdoor access, etc. etc.
Cyber Risk Preparedness Assessments (CRPA)
Detect cyber attacks, prevent cyber attacks, respond to cyber attacks, manage electronic systems, communicate and coordinate with local and federal authorities.
INL Developed Sophia
Detect good vs bad vs unknown traffic on ICS networks
Ping
Determine if destination is online, determine latency of destination, determine rate of packet loss
Physical Security Elements
Deterrence, Delay, Authorization, Detection and ID, Response
Remote Diagnostics
Diagnostics activities conducted by individuals communicating external to an information system security perimeter.
Bandolier
Digital Bond Nessus compliance plugins for ICS specific components
Portaledge
Digital Bond project based on OSI PI that correlates security events using the PI Advanced Computing Engine (ACE)
DPR (Digital Protective Relay)
Digital Protective Relay - Microcontroller measuring voltages and currents
DRP
Disaster Recovery Plan
Stuxnet
Discovered June 2010. Targeted Iran's uranium enrichment facilities, used several zero-day exploits, spread via USB keys, and modified PLC logic while reporting normal values to operators, compromising the integrity of the devices' data.
Physical Security Threats
Disgruntled Employees, Thieves, Espionage, Terrorism
Traceroute
Displays the path a packet took to its destination. Sends probes with increasing TTL values and uses the ICMP Time Exceeded replies from each hop to map out the network route; can be used to map a network.
DCOM
Distributed Component Object Model
DCS
Distributed Control System(s)
DETL
Distributed Energy Technology Laboratory
DNP
Distributed Network Protocol
IPv6 Addressing
Divided into 3 portions: Network Prefix (48 bits) - identifies the organisation; Subnet ID (16 bits) - internal to the organisation; Interface ID (64 bits) - traditionally derived from the MAC address (modified EUI-64), or randomly generated
ISA-99 (Perdue Architecture)
Division of ICS network into 5 Levels
Business Impact Analysis (BIA)
Documents the effect a disruptive event would have on a corporation, which processes are most critical, and how long each can be unavailable
Crypto - End-to-End Encryption
Does not encrypt the header and trailers and therefore does not need to be decrypted at each hop.
Problem with proprietary protocols
Does not mean they are inherently less secure -- only that they pose a security unknown.
DNS
Domain Name System
Organizational Unit (OU)
Container within an Active Directory domain used to group users, computers and other objects so that Group Policy and delegated administration can be applied to them
File Replication Service (FRS)
Domain controllers replicate SYSVOL contents (logon scripts and Group Policy templates) to each other using FRS; replaced by DFS Replication (DFS-R) in newer domains
EPRI
Electric Power Research Institute
ISA-12
Electrical Equipment for Hazardous Locations
ES-ISAC
Electrical sector Information Sharing and Analysis Center
Central Access Policies (CAP)
Enable organizations to centrally deploy and manage authorization policies that include conditional expressions that use user groups, user claims, device claims, and resource properties.
Crypto - Link Encryption
Encrypts the entire packet including headers and trailers and has to be decrypted at each hop.
EMS
Energy Management System
Domain Name System Security Extensions (DNSSEC)
Enhanced security specifications for Domain Name System (DNS) provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Level 5
Enterprise Business Network in the ISA-99/Purdue architecture - enterprise business data
ERP
Enterprise Resource Planning
Monolithic Kernel
Entire OS (file systems, drivers, network stack) runs in kernel space as one privileged image; offers a high-level interface to applications, with a large amount of software running with hardware-level privilege.
Field Device
Equipment that is connected to the field side on an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
Crypto - Work Factor
Estimated time, effort, and resources necessary to break a cryptosystem.
Industrial Ethernet
Ethernet with rugged connectors and temp ranges / TCP/IP more common today
Extended Unique Identifier (EUI)
Expanded 64-bit version of the 48-bit MAC address used as the interface ID at the end of an IPv6 address: first 3 octets of the MAC, the constant FF:FE, then the last 3 octets of the MAC, with the universal/local bit (0x02 of the first octet) flipped (modified EUI-64).
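The IPv6 address layout and the EUI-64 expansion described in the two entries above, as one added example (not code from the original page): it derives the modified EUI-64 from a MAC, combines it with a /64 prefix the way SLAAC does, splits an address into its 48/16/64-bit portions, and recovers the MAC from an EUI-64-based address, which is exactly why such addresses leak the NIC vendor and allow tracking. The MAC and prefixes are constructed examples.

```python
import ipaddress


def mac_to_modified_eui64(mac):
    """Expand a 48-bit MAC to the 64-bit modified EUI-64 interface identifier
    (RFC 4291 Appendix A): first three octets, 0xFFFE, last three octets, then
    flip the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Combine a /64 (global prefix + subnet ID) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers fill exactly 64 bits")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_to_mac(address):
    """Recover the MAC from an EUI-64-derived address, or None if the 0xFFFE
    marker is absent (privacy extension or manually assigned identifier)."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[:3] + b[5:])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)


def split_address(address):
    """Return the three portions as hex: 48-bit prefix, 16-bit subnet ID, 64-bit interface ID."""
    raw = ipaddress.IPv6Address(address).packed.hex()
    return raw[:12], raw[12:16], raw[16:]


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"             # constructed example MAC
    addr = slaac_address("2001:db8:1:2::/64", mac)
    print(addr, split_address(addr), eui64_to_mac(addr))
    print(slaac_address("fe80::/64", mac))
```

eui64_to_mac returning a value from an address seen in logs or scans tells you the host's hardware address and OUI (vendor) from across the Internet; hosts that use RFC 4941 privacy extensions or RFC 7217 stable-privacy identifiers return None.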
CANVAS
Commercial exploit framework from Immunity, comparable to Metasploit and Core Impact
xinetd
Extended internet services daemon; performs access-control checks (source address, time of day, connection rate limits) before starting network services on demand. Helps fend off DoS attacks and port scans.
EAP
Extensible Authentication Protocol
XML
Extensible Markup Language
Closing a TCP Session
FIN - ACK - FIN - ACK or abrupt closure: RST/ACK
File Transfer Protocol (FTP)
FTP is an Internet standard for transferring files between a local machine and a remote server that allows FTP access. Credentials and file contents are sent in clear text, so anyone on the path can capture them; prefer SFTP or FTPS.
Server Manager
Feature that groups Windows Server components into modular roles and features which can be easily added and removed using a GUI. Important for removing superfluous services.
FERC
Federal Energy Regulatory Commission - Electrical Sales and Distribution and natural gas and pipelines
FIPS
Federal Information Processing Standards
FISMA
Federal Information Security Management Act
FTP
File Transfer Protocol
Reasons to Attack ICS
Financial, Corporate espionage, Terrorism, Nation State, Hacktivist, Education, Misguided ethical hacking
Non-directed Worm
Find their way into ICS systems by chance and high infection rates / Leading cause of incidents in ICS environments
Network Prefix
First 48 bits (6 bytes) of an IPv6 address; the address portion allocated to an organisation that needs to address IPv6 clients.
Network Identifier (NET_ID)
First part of an IP Address
Duqu
Malware discovered in 2011 that shares code with Stuxnet; carries a cyber espionage (information-gathering) payload rather than a sabotage payload
Guest Account
For users who don't have a permanent account on your computer or domain. It allows people to use your computer without having access to personal files. Per MSFT cannot install software or hardware, change settings, or create a password. (MSFT)
Security Plan
Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
Project Shine
Found ICS devices in 2012 - 1 Million internet connected devices
NMAP
Free port scanner. Example: sudo nmap -p- -A 192.168.1.20 (-p- scans all 65535 TCP ports; -A adds OS detection, version detection, default scripts and traceroute). Aggressive scans can hang or crash fragile control devices; test against a lab system first.
Group Policy -- Application
GPOs are automatically applied: - At boot (computer settings) - At login (user settings) - In the background every 90 minutes plus a random offset of up to 30 minutes (every 5 minutes on domain controllers)
Human Machine Interface (HMI)
GUI for process / model diagram / Displays alerts and alarms
GPS
Global Positioning System
Physical and Safety Control
Govern people, processes and technologies to attain safety and security
GAO
Government Accountability Office
TCP -- Closing a TCP Session
Graceful Closure 1. Send FIN to other machine 2. Respond with ACK 3. Respond with FIN 4. Send ACK Abrupt Closure (aka "aborting a connection") 1. RST send
CIS Hardening Guide
A group of the world's security experts got together to create benchmarks for securing Windows, Linux, IOS, VMware etc. and publish them for free.
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Physical Security Controls
Guns and Gates / Procedural Logs, policy, signage, visitor management
UNIX
HP-UX, AIX are this OS
Remote Code Execution
Attacker runs code of their choosing on a remote system over the network, without prior access. Exposed Remote Procedure Call (RPC) and DCOM services have been common vectors on Windows hosts.
Bus Snooping
Hardware attack that captures data in motion on a circuit board bus (SPI, I2C, memory or debug bus) with a probe or logic analyser; contrasts with chip-off, which removes the chip to dump data at rest.
EEPROM Hacking
Hacking technique that uses Data dumping from EEPROMs
Hyper-V
Hardware accelerated operating system virtualization feature built into Server 2008 and higher.
HVAC
Heating, Ventilation, and Air Conditioning
Domain Name System (DNS)
Hierarchical distributed naming system for computers, services, or any resource connected to a network. Associates Domain names to IPs.
Cable Modems
High speed offering from cable companies can be installed on existing cable networks and provides a low cost internet access.
Digital Subscriber Line (DSL)
High speed offering from telephone companies can be installed on existing phone networks and provides a low cost internet access.
Policy
High-level corporate supported document that details business goals and objectives. Applies to EVERYONE. Nonperformance results in disciplinary action. Goal orientated. Supported by Standards, Guidelines and Procedures.
ICS Databases
Historians, wide use of excel, GIS Servers, Memory databases, Alarm Databases, Security Databases, Project Databases with SCADA/DCS application
HSPD
Homeland Security Presidential Directive
HMI
Human-Machine Interface
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
Sensor Networks
Distributed I/O racks. Ensure proper process conditions
Mainframes
IBM System Z, DEC are this type of system
Defence in Depth
ICS Security posture which creates multiple levels of protective layers.
IEC Standards
- ISO/IEC 15408 - Common Criteria
- IEC 60870-6 - ICCP (TASE.2)
- IEC 61508 - Functional safety standard, Safety Integrity Levels (SIL)
- IEC 61511 - Safety Instrumented Systems for the process industry
- IEC 62351 - Security for power system communications (IEC 60870-5, IEC 61850, and DNP3 in Part 5)
- IEC 62591 - WirelessHART
Threats to ICS
INTERNAL (Employee): - Inappropriate behaviour - Disgruntled employee - Accidental
EXTERNAL OPPORTUNISTIC (NON-DIRECTED): - Script kiddies - Recreational hackers - Virus writers
EXTERNAL DELIBERATE (DIRECTED): - Criminal groups - Activists - Terrorists - Nation states
(ISA 99 Student Notebook page 53)
Class B Networks
IP Class that has a Network Identifier (NET_ID) of 16 bits
Class C Networks
IP Class that has a Network Identifier (NET_ID) of 24 bits.
Class A Networks
IP Class that has a Network Identifier (NET_ID) of 8 bits
Time To Live (TTL)
IP header field that limits how many hops a packet may take. Each router decrements it; the router that decrements it to zero discards the packet and may send an ICMP Time Exceeded message back to the source. Guards against routing loops.
Strict Source Routing
IP protocol header option that allows sender to specify the exact route a packet should take to its destination.
Loose Source Routing
IP protocol header option that allows the specification of a list of routers a packet should pass through, but it may also pass through other routers if required.
2002::
IPv6 Network Prefix (2002::/16) for 6to4 IPv6-over-IPv4 gateway networks
2001::
IPv6 Network Prefix (2001::/16) within the global unicast range allocated by IANA to the regional registries and large ISPs
fe80::
IPv6 Network Prefix (fe80::/10) for link-local addresses, valid only on the local link and never routed
ff00::
IPv6 Network Prefix (ff00::/8) for multicast traffic
INL
Idaho National Laboratory
Wireless DoS
Identify frequencies used, generate noise to take down channels
Crypto - What does SSL/TLS do?
Implements Confidentiality, Integrity and Authentication ABOVE the Transport Layer.
Distributed Control System (DCS)
In a control system, refers to control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit.
Manipulated Variable
In a process that is intended to regulate some condition, a quantity or a condition that the control alters to initiate a change in the value of the regulated condition.
Least Privilege Principle
In information security, computer science, and other fields, this principle requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
Hot Wash
Incident response exercise after-action discussion, held immediately afterwards to capture lessons learned while they are fresh
Exercise Narrative
Incident response exercise backstory
Inject
Incident response exercise event delivered to the players
GridEx
Incident response exercise focused on Electrical Grid for Bulk Power Systems. Open for all NERC registered entities
Real Time
Incident response exercise inject time delta that corresponds to actual time line
Master Facilitator
Incident response exercise lead planner
Master Scenario Event List (MSEL)
Incident response exercise matrix that outlines entire exercise
White Cell
Incident response exercise participants who role-play outside parties (vendors, authorities, media) and control the flow of the exercise
Moves
Incident response exercise series or collection of injects (events)
Table Top Exercise (TTX)
Incident response exercise that does not involve live systems or hands on activities
Service Pack
Includes multiple, tested fixes and addressed a wide variety of OS bugs.
Security Audit
Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
IAONA
Industrial Automation Open Networking Association
ICS
Industrial Control System(s)
ISID
Industrial Security Incident Database
Boot Record Infector
Infects boot record of computer so that it is loaded into memory on computer startup
Access Control Models
Information Flow / Non-Interference
Confidentiality of stored information: - Bell-LaPadula (Mandatory Access Control) - Access Matrix (Read, Write, Execute: R/W/X) - Take-Grant (rights = Create, Revoke, Take and Grant)
Integrity of stored information: - Biba Integrity Model (Bell-LaPadula upside down) - Clark-Wilson
IT
Information Technology
ITL
Information Technology Laboratory
Diagnostics
Information concerning known failure modes and their characteristics. Such information can be used in troubleshooting and failure analysis to help pinpoint the cause of a failure and help define suitable corrective measures.
Clear Text
Information that is not encrypted.
I/O
Input/Output
Buffer Overflows
Writing more data into a fixed-size buffer than it can hold, so that the excess overwrites adjacent memory (return addresses, function pointers, other variables) and lets attacker-supplied code or control flow execute.
Crypto - Key Clustering
Instance when two different keys generate the same ciphertext from the same plaintext. (Harris)
I3P
Institute for Information Infrastructure Protection
IEEE
Institute of Electrical and Electronics Engineers
Maltego
Intelligence gathering and analysis platform
IED
Intelligent Electronic Device
IED (Intelligent Electronic Device)
Also written Intelligent End Device in some course material. A digital protective relay (DPR) is an example of an IED.
CIGRE
International Council on Large Electric Systems
IEC
International Electrotechnical Commission
ISO
International Organization for Standardization
ICMP
Internet Control Message Protocol
IETF
Internet Engineering Task Force
IGMP
Internet Group Management Protocol
IP
Internet Protocol
IPsec
Internet Protocol Security
Inetd
Internet Services Daemon
IDS
Intrusion Detection System
IPS
Intrusion Prevention System
Discretionary Access Control (DAC)
Is an access policy determined by the owner of a file (or other resource). The owner decides who's allowed access to a file and what privileges they have.
Service Account
Is an account that a service on your computer uses to run under and access resources. This should not be a user's personal account. Can also be an account that is used for a scheduled task (e.g., batch job account) or an account that is used in a script that is run outside of a specific user's context. (Ref GIAC White Paper)
RTPS - Real Time Publish Subscribe
Is the interoperability protocol used to allow multi-vendor Data Distribution Service (DDS) implementations to communicate
Denial Of Service (DOS)
Jamming a device with traffic - Bandwidth Exhaustion, System Resources, Network Medium interface, Interference wireless
Physical Attack Tools
Keystroke recorders, Trojans, USB keyboard emulators (rubber ducky) wired / Video loggers / wireless, USB Keys moving across air gaps
Early Launch Anti-Malware (ELAM)
Launched first by the kernel before any third-party software, and is therefore able to detect malware in the boot process and prevent it from initializing. Anti-root kit.
Token Ring
Layer 2 protocol developed by IBM in the 70s as a logical ring topology where systems communicate in a only one direction with their neighbors using a special frame called a Token.
Cross Site Request Forgery (CSRF)
Attack in which a victim's browser, already authenticated to a target site (session cookie present), is made by a page or link on another site to submit a request the victim did not intend, such as a form POST that changes a setting. The target site receives a request carrying valid credentials and cannot tell it was forged. Defended with unpredictable per-session tokens in forms and SameSite cookies.
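The synchronizer-token defence mentioned above, as an added example (not code from the original page): a token bound to the session by HMAC is issued into the site's own forms, and a hypothetical state-changing handler rejects any POST that arrives without it, which is what a cross-site forged request looks like. The handler, request dictionaries and session IDs are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to bind tokens to sessions (assumed to be stored
# outside the code in a real deployment).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Synchronizer token: random nonce plus HMAC(key, session_id || nonce).
    The token is embedded in the site's own forms; a page on another origin
    cannot read it, so a forged request cannot include it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, key=SERVER_KEY):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_setpoint_change(request, session_id):
    """Hypothetical state-changing handler (e.g. an HMI web form). The browser
    attaches the session cookie automatically even to a cross-site request, so
    the cookie alone proves nothing about who built the request; the token does.
    Returns an HTTP status code."""
    if request.get("method") != "POST":
        return 405
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return 403
    return 200


if __name__ == "__main__":
    sess = "session-abc"
    token = issue_csrf_token(sess)
    forged = {"method": "POST", "form": {"setpoint": "999"}}    # what a cross-site form submits
    genuine = {"method": "POST", "form": {"setpoint": "999", "csrf_token": token}}
    print(handle_setpoint_change(forged, sess), handle_setpoint_change(genuine, sess))
```

Binding the MAC to the session ID is what stops an attacker from using a token issued to their own session against someone else's; verifying with compare_digest avoids leaking the expected value through timing.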
/etc/inetd.conf
Linux configuration file that maps inetd service names to the server programs that handle them. Ex: telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
/etc/services
Linux configuration file that connects port numbers and protocols. Ex: telnet 23/tcp
/etc/inittab
Linux configuration file that specifies processes that start at boot and stop at shutdown
syslogd
Linux daemon responsible for accepting incoming log entries and dealing with them based on a set of rules found in /etc/syslog.conf
inetd
Linux daemon responsible for starting network services on demand when there is a request for that resource. /etc/inetd.conf /etc/services
syslog
Linux logger records major events that take place often found in /var/log/messages
Access Control List (ACL)
List of subjects (including groups, machines, processes*) that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete and create. (Harris) (*NIST)
LAN
Local Area Network
Caligula Virus
Located Pretty Good Privacy (PGP) private key file sent to FTP site. Maintained a trail of infected users and study relationships
Physical Attack Indications
Locks do not work with key, unauthorized vehicles, un-reconciled door or cabinet alarms, damage
Microkernel
Minimal kernel providing only low-level control over hardware (scheduling, memory, inter-process communication); other OS services run as user-space processes, keeping the privileged code small.
Social Engineering
Lying. Manipulating humans using logic and emotion to do what you want. If they knew your true intent they would not help you.
Crypto - MD5 Weakness
MD5 is cryptographically broken, but there is still little opportunity for an attacker to produce a file matching the MD5 hash of an arbitrary existing file (a second-preimage attack); however, if an attacker can influence the initial file content (M), they can create a second file (M') that produces an identical MD5 hash (a collision attack). This matters when the attacker supplies the original, e.g. firmware or software submitted for signing. (Day 4, Page 181)
Mandatory Access Model
Access control in which the system, not the resource owner, decides access from labels (sensitivity levels and categories) assigned to subjects and objects; a subject cannot change its own labels. Multi Level Security (MLS) enforces this model in Labeled Security Protection Profile (LSPP) environments, constraining a subject's ability to access or operate on an object.
SCA Snap-in
MMC snap-in for security configuration and analysis. Applies and audits templates on the local computer only (it does not work over the network; that is what Group Policy is for).
Cyber Investigation
Maintain Evidence, Report to owners, be cautious who you tell, plan for minimizing impact, consider regulation, detailed exam
Communication Integrity
Maintaining and assuring accuracy and consistency of data over entire life cycle.
Remote Maintenance
Maintenance activities conducted by individuals communicating external to an information system security perimeter.
Frequency Hopping
Makes wireless packet capture and demodulation much more difficult, but still possible.
AUDITPOL.exe
Managed audit policies from the command line. Use /get /category:* to list all audit policy sub categories
MIB
Management Information Base, used for SNMP
Kernel
Manages the hardware and executing processes, includes file system, low-level network protocol support, memory and process management.
Hierarchical Storage Management (HSM)
Manages the storage and recovery of files, which are copied to storage media devices that vary in speed and cost. The faster media holds the data that is accessed more often and seldom used files are stored on slower devices.
MES
Manufacturing Execution System
Wide Area Communications
Many ICS are geographically dispersed: offshore rigs, electrical systems, pipelines
MTU
Master Terminal Unit (also Master Telemetry Unit)
Phasor Measurement Units (PMU)
Measure the electrical waveforms on an electrical grid, time-synchronised (typically via GPS) so that measurements from different locations can be compared
Network Access Control (NAC)
Mechanism for controlling which systems may connect to a trusted network. Computers plugged into the network can be placed in a separate quarantine VLAN if their software is out of date and needs patching or otherwise poses a risk to the trusted network.
MAC
Media Access Control
Biometrics
Metrics related to human characteristics and traits used for user authentication. Added to Control Panel in Windows 7
Routing and Remote Access Service (RRAS)
Microsoft Server software for routing and remote access service capabilities of the operating system, to function as a network router and VPN.
Domain Controller (DC)
Microsoft Server that responds to security authentication requests (logging in, checking permissions, etc.) to a number of computer resources with the use of a single username and password combination.
Internet Information Server (IIS)
Microsoft Server that responds to web application requests, FTP and serves web pages.
Network Load Balancing (NLB)
Microsoft implementation of clustering and load balancing that is intended to provide high availability and high reliability, as well as high scalability
Microsoft Operations Manager (MOM), now System Center Operations Manager (SCOM)
Microsoft product that watches over your servers by continuously collecting and storing their event logs and looking for patterns in the data.
Encrypting File System (EFS)
Microsoft windows feature that encrypts file systems using a bulk symmetric key known as the File Encryption Key (FEK)
ModbusPal
Modbus Simulation Tool
mbtget
Perl command-line Modbus/TCP client that reads and writes coils and registers; because Modbus has no authentication it can be used to inject (spoof) writes to a device
ICS Network Protocols
Default ports:
- Modbus: TCP/502
- OPC UA: TCP/4840
- EtherCAT: UDP/34980
- EtherNet/IP: TCP/44818, UDP/44818, UDP/2222 (implicit I/O)
- FL-net: UDP/55000-55003
- Foundation Fieldbus HSE: TCP/1089-1091, UDP/1089-1091
- PROFINET: TCP/34962-34964, UDP/34962-34964
- BACnet/IP: UDP/47808
- LonTalk: UDP/1628
- Fox (Niagara): TCP/1911
- DNP3: TCP/20000, UDP/20000
- ICCP: TCP/102
Safety Instrumented Systems (SIS)
Monitoring or remediate any situation which may impact plant or personnel safety. Relief valve, ESD.
File integrity monitoring - Best Practice
Monitoring server OS binaries to detect unapproved changes
Server Core
Most basic installation of Windows Server with every optional resource removed.
IP Header
Most have a length of 20 bytes, but can be longer if options are applied.
Ethernet
Most popular layer 2 protocol used in LANs. Sends data using Frames
PKI - x.509 v3
X.509 v3 is the most widely used public key certificate format.
Multi Level Security (MLS)
Multi Level Security - Sensitivity Level Number
Multi-Category Security (MCS)
Multi-Category Security - Category Number 0 - 1024 in Fedora
Data Concentrator
Multiport device for concentrating and redistributing I/O data in SCADA
NERC CIP-003-3
NERC Security Management Controls - requires a cyber security policy that is readily available to personnel, annual review, a senior manager with overall responsibility, and documented policy exceptions
NERC EOP-008-1
NERC standard that Each applicable entity must have an operating plan that addresses loss of primary control center, must have backup control center, must transition in under 2 hours, must be operating both sides consistently, must be independent of primary facility
NERC CIP-002-3
NERC standard that requires entities to develop, document and annually apply a risk-based assessment methodology (RBAM) to identify Critical Assets. Must consider 7 asset types (R1.2.1 - R1.2.7). The resulting Critical Asset and Critical Cyber Asset lists are used throughout CIP-003 to CIP-009.
NERC CIP-008-3
NERC standard that contains requirements for organizations to develop and implement an Incident Response Plan
ICMP - Internet Control Message Protocol
Network layer protocol, a peer of IP (carried inside IP but at the same layer). Datagram-based like IP and UDP. Purposes: 1. Report errors for troubleshooting (Destination Host Unreachable; Fragmentation Needed and DF flag set). 2. Provide network information (Ping). Tied to the IP version: ICMPv6 goes with IPv6.
Media Sanitation
NIST SP 800-88, Guidelines for Media Sanitization, divides media sanitization into four categories: -- disposal, -- clearing, -- purging and -- destroying. It further suggests that the system owner: -- categorize the information, -- assess the nature of the medium on which it is recorded, -- assess the risk to confidentiality, and -- determine the future plans for the media. Then, decide on the appropriate sanitization process. The selected process should be assessed as to cost, environmental impact, etc., and a decision made that best mitigates the risk to confidentiality and best satisfies other constraints imposed on the process.
Port Scanning
Nmap port scanning is the most accurate way to find running services, but active probing can crash or stall devices on control networks; test in a lab or maintenance window first.
Windows CE
NOT a stripped-down version of desktop Windows but a separate embedded OS; applications are built with Visual Studio; includes Internet Explorer
NCSD
National Cyber Security Division
NISCC
National Infrastructure Security Coordination Centre
NIST
National Institute of Standards and Technology
ICS Vulnerabilities Databases
National SCADA Test Bed (NSTB), DHS Control Systems Security Program (CSSP), Common Weakness Enumeration (CWE), NIST, CVE
NSTB
National SCADA Testbed
VSAT Security Solutions & Architectures
Need to understand the entire communication path to address security challenges - Use of VLANs / Virtual Private Networks - Support encryption of data (SSL, SSH, PGP, AES-256); many VSAT service providers rely on bulk encryption of channels (e.g., 56-bit DES, which is brute-forceable and should not be relied on) - Frequency hopping - Tunnel mode IPsec - AV and firewalls can be implemented at endpoints (Day 4, Page 127)
NAT
Network Address Translation
NetBIOS
Network Basic Input/Output System. Provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly an API, not a networking protocol; it is carried over TCP/IP (NetBT) or other transports.
NFS
Network File System
NIC
Network Interface Card
Bridge
Network device that connects two disparate network segments, tracks MAC addresses, segments traffic and breaks up collision domains.
Switch
Network device that provides micro-segmentation: it learns the MAC address on each port and forwards frames only to the port of the destination host (OSI Layer 2), so collisions are reduced. Functionally a combination of a hub and a bridge; connects physical network segments that reside on the same logical network.
WAN Aggregation
Network device that aggregates multiple WAN data links and provides redundancy among ISPs
Hub
Network device that replicates traffic on all ports, minimal intelligence and security
Internetwork Packet Exchange (IPX)
Network layer protocol derived from Xerox Network Systems' IDP; it may act as a transport layer protocol as well. Very popular from the late 1980s into the mid-1990s because it was used by the Novell NetWare network operating system, whose popularity made IPX a prominent internetworking protocol.
Router
Network perimeter device that interconnects logical networks. Internet is built on these devices. Operates on OSI layer 3 by looking at the IP addresses and forwarding packets.
Field Area Network (FAN)
Network term for a layer that communicates with field devices in small geographic area. Also known as a Neighborhood Area Network (NAN)
Local Area Network (LAN)
Network term for a relatively small area such as a single office or building, e.g., a control center where trusted users access the network
Wide Area Network (WAN)
Network term for layer that covers a significantly large area.
Dynamic Host Configuration Protocol (DHCP)
Networking protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses.
Safety - Layers of Protection Analysis (LOPA)
Newest methodology for hazard evaluation and risk assessment. It lies between the qualitative and quantitative ends of the scale. (www.oshrisk.org)
WSUS - Windows Server Update Services
Microsoft's server for distributing updates to internal Windows hosts; runs on Windows Server 2003 and later. Successor to Software Update Services (SUS), briefly renamed Windows Update Services (WUS); both earlier names are obsolete. (Day 3, Page 56-57)
NERC
North American Electric Reliability Council (original name; reorganized as the North American Electric Reliability Corporation in 2006)
NERC
North American Electric Reliability Corporation - Energy Policy Act of 2005 - Improves reliability of the grid through enforceable standards
NERC-CIP
NERC Critical Infrastructure Protection standards (CIP-002 through CIP-009): mandatory and enforceable for the bulk electric system. Mandate controls such as critical asset identification, security management, electronic security perimeters, systems security management, incident response and recovery planning.
OPC
OLE for Process Control
Application Layer
OSI Layer interacts with the application to determine the network services required. Layer 7. Ex. SSH, NFS, SNMP, Telnet, HTTP, FTP
Transport Layer
OSI Layer that ensures data reliability on the network and handles sequencing of packet transmission. Layer 4. Ex. TCP, SPX, UDP.
Network Layer
OSI Layer that handles network address schemes and connects multiple network segments. Describes how network segments find and communicate with each other. Layer 3. Ex. IP and ICMP, AppleTalk DDP, IPX.
Session Layer
OSI Layer that handles the establishment and maintenance of connections between systems and ensures the connection stays in sync on both sides; full-duplex, half-duplex, or simplex operation. Layer 5. Ex. Remote Procedure Calls (RPCs), NFS, NetBIOS names, SQL.
Physical Layer
OSI Layer that handles the transmission across wires, fiber and radio waves between hardware connections. Layer 1. Ex. RJ45, RS-232
Presentation Layer
OSI Layer that makes the data sent from one machine useful to another machine. This layer formats, compresses and encrypts data to be sent across a network. Layer 6. Ex. Encryption, Compression, ASCII, EBCDIC, TIFF, GIF, PICT, JPEG, MPEG, MIDI
Data Link Layer
OSI Layer that translates the electrical, light or radio signals into frames and data streams. Layer 2. Ex. Ethernet IEEE 802.3/802.2, PPP, FDDI, ATM, IEEE 802.5/802.2, HDLC, Frame Relay
OLE
Object Linking and Embedding
OSHA
Occupational Safety and Health Administration
Collision
Occurs on a network when multiple nodes send information simultaneously.
Fault Tolerant
Of a system, having the built-in capability to provide continued, correct execution of its assigned function in the presence of a hardware and/or software fault.
OMB
Office of Management and Budget
American Gas Association (AGA)
Oil and gas sector industry association; its Cyber Security Task Group supports industry self-organization and self-regulation
Crypto - Trapdoor Function
One-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information (NIST) (Asymmetric algorithms could fit with the public and private keys)
OSI
Open Systems Interconnection
MODBUS
Open device protocol, serial (RTU/ASCII) and Ethernet (Modbus TCP), master-slave; unit IDs 1-247 address up to 247 slave devices. The protocol has no built-in authentication or encryption, so any host that can reach a slave can read and write its registers.
Metasploit
Open source exploit framework. Originally written in Perl, rewritten in Ruby from version 3. Works on Windows and Linux
SNORT
Open source network intrusion detection / prevention tool
OS
Operating System
ICS Data
Operations Data, Personnel Data, Security sensitive data, project files, schemas, logic instructions, device configurations, settings, programming, Setpoints, Alarm points, Calibration data, Lab Data, Process data, simple time-ordered logs and trend data, Firmware, System software, Model Diagrams, P&IDs
Level 3
Operations Support DMZ in the ISA-99/Purdue architecture - operator logs, replication of process historians, maintenance logs for critical processes
Data Classification
Part of the Information Lifecycle Management (ILM) process; a tool for categorizing data so the organization can determine (among other things) what must stay private and what may be made public.
Zed Attack Proxy
OWASP web application intercepting proxy and scanner; includes a fuzzer that can be pointed at login forms and other parameters
Registration Authority (RA)
Performs certificate registration duties. RA cannot issue certificates but can act as middleman between user and CA.
Mandatory Access Control (MAC)
Permissions to objects are managed centrally by an administrator. Is an access policy determined by the system, rather than by the owner. Organizations use this in multilevel systems that process highly sensitive data such as classified govt or military. Examples: 1) Rule-based, 2) Lattice Model
PDA
Personal Digital Assistant
PIN
Personal Identification Number
PIV
Personal Identity Verification
Real-Time
Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results of the computation can be used to guide the physical process.
Critical Infrastructure
Physical and electronic assets and the communications that enable infrastructure; their loss has consequences for public safety, the economy and national defense
Electric Generation
Plants connected to switchyards that contain transmission SCADA systems. Dispatched by balancing authorities using Automatic Generation Control (AGC)
Pivot Point
Compromised host used as a foothold to reach deeper, more trusted network segments, e.g., to pass through a DMZ
PPP
Point-to-Point Protocol
Verifying Policy Compliance
Policies are the documents that define the rule sets; compliance is verified by comparing the actual configuration against them (e.g., with the SCA snap-in or secedit)
Contingency Analysis
Potentially harmful events, thresholds or configurations are identified so actions can be taken. Trip breakers, valves, alarms
get-wmiobject
PowerShell cmdlet that interfaces with Windows Management Instrumentation (WMI), like WMIC.exe.
get-eventlog
PowerShell cmdlet that lists local event logs and their configuration: get-eventlog -list
get-process
PowerShell command to return a list of running processes. Can use with | format-list *
Virus Definitions
Predefined signatures for known malware used by antivirus detection algorithms.
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Security Motto
Prevention is ideal, detection is a must
PCSF
Process Control System Forum
OPC (OLE for Process Control)
Process communication technology based on OLE/DCOM, an old Microsoft technology. Consolidates data from many devices. DCOM allocates ports dynamically, so port usage over the network is unpredictable and hard to firewall.
Authorization
Process for determining what someone has access to.
Authentication
Process for proving who you are with: Something you know, something you have, something you are, some place you are
Configuration Control
Process of controlling modifications to hardware, firmware, software and documentation to protect the information system against improper modification prior to, during, and after system implementation. (NIST)
Data Classification
Process of selecting one of two primary levels for data, cleared for public release and private information.
Application White Listing
Process where cryptographically signed binaries are verified before execution and applications are checked against lists of programs that may and may not run. Does not prevent shellcode from being injected into an already running, allowed process.
init
Processes started automatically after the Linux kernel finishes loading. Configured in /etc/inittab (SysV init; newer distributions use systemd instead)
PLC
Programmable Logic Controller
PID
Proportional - Integral - Derivative
PP
Protection Profile
Remote Desktop Protocol (RDP)
Protocol for graphically controlling Windows machines remotely. 3389/TCP 3389/UDP
IPSec
Protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session
Network Address Translation (NAT)
Technique that maps private network addresses to public Internet addresses.
Transmission Control Protocol (TCP)
Connection-oriented protocol that provides reliable, in-order delivery with error checking; the most commonly used transport protocol today. FTP Data 20, FTP 21, SSH 22, Telnet 23, DNS 53, HTTP 80, HTTPS 443
Carrier Sense Multiple Access (CSMA)
Medium access method used by Ethernet (CSMA/CD): listen for existing traffic and wait until the line is clear before sending, to avoid collisions. (Layer 2)
DMZ
Provides a series of function specific zones where services and data can be shared between the zones. Added between levels of trust.
IPv6
Built-in support for IPsec (end-point authentication and encryption) and QoS fields in the header; 128-bit addresses give roughly 340 undecillion (2^128) unique addresses
Centralized Logging
Provides protection against the destruction and modification of log files. Easy to search and scan log files from a single location.
Business Zone
Purdue 4 and 5 Levels
Operations Zone
Purdue Levels 3,2,1,0
Well Written Policy
Purpose, Related docs, Cancellation or expiration, Background, Scope, Policy Statement, Responsibility, Action
RFC 826
RFC number describing Address Resolution Protocol (ARP)
Linux Package Management
rpm, yum, apt-get, etc.
VxWorks
RTOS from Wind River; isolated memory space; often shipped with debug tools still installed
QNX
Microkernel RTOS that runs on MIPS, PowerPC, ARM and x86; owned by BlackBerry
Historians
Real-time database that logs or archives real-time process data to allow business users to view trends
Personal Area Network (PAN)
Recent network term used for a type of ad-hoc network (usually wireless) used to communicate to one or more devices in a short range (10m or less). Bluetooth and ZigBee are both examples of this network type.
Linux Logs with SYSLOG
Record major events that take place often found in /var/log/messages
RPO
Recovery Point Objective
RTO
Recovery Time Objective
Linux
Red Hat, Novell SUSE, Debian and Ubuntu are distributions of this OS
Distributed Control System (DCS)
A control system for a process plant or industrial process in which control elements are not only in a central location but are distributed throughout the system, each sub-system controlled by one or more controllers, so intelligence is spread across the sections of the plant. Follows a hierarchical control philosophy with functions spread across the levels. A computerized control system used to automate processes in many industries.
RMA
Reliability, Maintainability, and Availability
RADIUS
Remote Authentication Dial In User Service
RPC
Remote Procedure Call
RTU
Remote Terminal Unit (also Remote Telemetry Unit)
Unified Extensible Firmware Interface (UEFI)
Replacement for BIOS as the software interface between OS and hardware. Secure Boot (used by Windows) uses PKI signatures to validate boot loaders and firmware drivers before they run.
Internet Control Message Protocol (ICMP)
Reports errors for troubleshooting (Destination Host Unreachable, Fragmentation Needed) and provides network information (Ping). Differs between IPv4 (ICMP) and IPv6 (ICMPv6). OSI Layer 3.
Bastille
Reports on how secure your installation is and provides the step by step process for hardening it.
RFC
Request for Comments
R&D
Research and Development
Health, Safety and Environmental (HSE)
Responsibility for protecting the health and safety of workers and surrounding community and maintaining high environmental stewardship. (ISA)
NERC CIP-007
Requires responsible entities to define methods, processes and procedures for securing systems determined to be Critical Cyber Assets, and non-critical assets within electronic security perimeters. Password management, account management, no shared accounts, authorization; passwords of minimum length 6 with alphabetic, numeric and special characters, changed annually or more often depending on risk
Application Sandboxing
Restricts a running process to certain operating system operations.
Crypto - Collision
Results when two different messages produce the same digest. (Dummies)
INF Security Templates
Reusable security settings (.inf files) that can be applied with: secedit /configure /db secedit.sdb /cfg <template.inf>
Qualitative Risk Assessment
Risk Assessment approach that is easy to calculate but whose results are more subjective; typically categorized as low, medium or high.
Quantitative Risk Assessment
Risk Assessment approach that is a valuable business decision support tool, based on metrics such as dollars
Validation Authority (VA)
Third party that provides certificate validity (revocation status) information on behalf of the Certificate Authority (CA), e.g., via CRLs or OCSP. Part of PKI
Certificate Authority (CA)
Role is to digitally sign and publish the public key bound to a given user. Part of PKI
Registration Authority (RA)
Role that ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation. Part of PKI
RBAC
Role-Based Access Control
Real Time Operating System (RTOS)
Runs on an embedded device for scheduled processing of inputs. (usually round robin)
Cyber City
SANS training environment that provides a working model city power system that can be attacked and taken down.
NetWars
SANS online challenge that provides a digital security battleground.
Scan Time
SCADA (1 sec to 1 min), DCS (0.05 sec to 1 sec), PCS (1ms to 1 sec), SIS (2ms to 1 sec)
GLEG
SCADA+ exploit pack from GLEG, sold as a plug-in for the Immunity CANVAS exploitation framework
Application Sandboxing
SELinux, AppArmor, GRSecurity are examples of this type of application for Linux
Crypto - NIST-approved Hashing Functions
SHA-1 (with caveats: disallowed for new digital signatures, acceptable for HMAC), SHA-2 (SHA-224, -256, -384, -512); SHA-3 was added in FIPS 202 (2015)
SQL Injection
SQLi: injecting SQL syntax through user input that is concatenated into a query string, e.g., to bypass authentication by commenting out the password check. Defense: parameterized queries, never string concatenation.
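The authentication bypass described above, shown against an in-memory SQLite database together with the parameterized fix. This is an added example written for this glossary, not course material; the users table, passwords and payloads are constructed here.

```python
"""SQL injection authentication bypass and its parameterized fix.

Added example for this glossary (not course code). The users table and
credentials are constructed for demonstration only.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("operator", hashlib.sha256(b"operator-pass").hexdigest(), "operator"),
            ("engineer", hashlib.sha256(b"eng-pass").hexdigest(), "engineer"),
        ],
    )
    return conn


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example dependency-free; real systems should use a
    # slow password KDF (bcrypt, scrypt, Argon2, PBKDF2).
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting: the attacker controls SQL syntax."""
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Bound parameters: the driver sends values separately from SQL text."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()


# Payloads: the SQL comment marker "--" discards the rest of the query,
# so the pw_hash condition never runs.
BYPASS_ANY_USER = "' OR 1=1 --"
BYPASS_ENGINEER = "engineer' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_ENGINEER, "wrong-password"))
    print("safe:      ", login_safe(db, BYPASS_ENGINEER, "wrong-password"))
    print("safe, real:", login_safe(db, "engineer", "eng-pass"))
```

Note that the classic `' OR '1'='1` payload does not bypass this particular query, because `AND` binds tighter than `OR` and the hash comparison still has to hold; the comment-based payload removes the password clause entirely.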
SIS
Safety Instrumented System
SSEP
Safety and support mechanism, emergency preparedness, and support systems in NRC
SNL
Sandia National Laboratories
Login/Logoff
Group Policy scripts that run with the logging-on user's privileges (startup/shutdown scripts, by contrast, run as SYSTEM)
Host Identifier (HOST_ID)
Host portion of an IP address: the bits not covered by the network mask
Crypto - Session Key
Secret key used to encrypt messages between two users (Harris)
SCP
Secure Copy
SFTP
SSH File Transfer Protocol (file transfer over an SSH session; often expanded as Secure File Transfer Protocol)
SSH
Secure Shell
SSL
Secure Sockets Layer
SC
Security Category
SCA Snap-in
Security Configuration and Analysis MMC snap-in: applies a security template and compares a computer's configuration against a template. Used for security policy verification.
Audit Policy Change
Security event log type used to monitor changes to audit policies and user right assignments
Audit Object Access
Security event log type which is used to monitor access to the NTFS file system, registry keys and printers
Windows Server 2008
Security features added in this Windows version: Component modularization, Server Core, Read-only domain controllers, Network Access Protection (NAP), Secure Socket Tunneling Protocol (SSTP), RDP virtualization; R2: DNSSEC, AppLocker, DirectAccess, AD Recycle Bin, Enhanced Audit Policy Control
Windows Server 2003
Security features added in this Windows version: Enhanced DFS, ADFS, ADAM, Domain Controller, RRAS, DNA, RADIUS, NLB, Clustering
Windows Server 2012
Security features added in this Windows version: Multiple password policies per domain, Virtualized DCs, PowerShell History viewer, Secure Boot, BitLocker Enhanced, Early Launch Anti-Malware (ELAM), Data Classification, Central Access Policies, Kerberos armoring and easy config
Windows 8
Security features added in this Windows version: Pin/Picture authentication, Windows Defender AV, IE10 Smartscreen, System Recovery enhancements, PKI based secure boot using UEFI
Security Policy
Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions "what" and "why" without dealing with "how." Policies are normally stated in terms that are technology-independent.
Master Terminal Unit (MTU)
See SCADA Server.
SHODAN
Sentient Hyper Optimized Data Access Network - Indexes service banners and service headers
DirectAccess
Server 2008 R2 feature that lets Windows 7 clients send IPsec-protected IPv6 packets to the corporate LAN over the Internet while remaining connected to the rest of the Internet
SSID
Service Set Identifier
Distributed File System (DFS)
Set of Windows client and server services to organize many distributed Server Message Block (SMB) file shares into a distributed file system.
Crypto - Encryption Algorithm
Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key. (NIST)
PROFIBUS
Siemens Fieldbus. PROFIBUS DP (Factory) PROFIBUS FMS (Multi-Master, Peer-to-Peer) PROFIBUS PA
NERC CIP-009-3
Similar to EOP-008-1 but applies to identified Critical Cyber Assets: recovery plans for the assets, clear roles and responsibilities, recovery plans exercised annually, full change control with changes communicated within 30 calendar days, asset-level backup and restore procedures, and annual testing of backup media
Attack - Session Hijacking
Similar to Man in the Middle Attack, except that the attacker impersonates the intended recipient instead of modifying messages in transit. (Dummies)
SMTP
Simple Mail Transfer Protocol
SNMP
Simple Network Management Protocol
Digital Signature (aka Open Message Format)
Simple way to verify the authenticity (and integrity) of a message. Instead of encrypting the message with the intended receiver's public key, the sender encrypts it with his own private key (in practice, a hash of the message is signed). The sender's public key properly decrypts it, authenticating the originator. (Open message because anyone with the public key can read it; it provides no confidentiality.)
System Size
Small DCS (1 or 2 controllers, hundreds of I/O) Large DCS (7+ controllers, thousands of I/O)
Mike Davis Worm
Smart meter worm demonstrated by Mike Davis (IOActive) in a lab environment in 2009, spreading meter to meter over the RF mesh
Blended Attacks
Social Engineering based on daily routines, complacency and natural tendency to not look beyond obvious.
Malware
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).
Antivirus Tools
Software products and technology used to detect malicious code, prevent it from infecting a system, and remove malicious code that has infected the system.
Spyware
Software that is secretly or surreptitiously installed onto an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
SP
Special Publication
Facilities
Syslog selector field identifying the subsystem that produced a message (kern, user, mail, daemon, auth, authpriv, cron, local0-local7, etc.)
Log Aggregators
Splunk, Kiwi, Snare, WinSyslog, ArcSight, LogRhythm
Conficker
Spread using the MS08-067 Server service RPC vulnerability; hit several energy companies
Configuration (of a system or device)
Step in system design; for example, selecting functional units, assigning their locations, and defining their interconnections.
SQL
Structured Query Language
Flame
Cyber-espionage malware discovered in 2012 that shares code with Stuxnet; highly modular, spreads readily and is extremely hard to remove
Level 2
Supervisory Control LAN in the ISA-99/Purdue architecture - Engineering workstation: project files/schemas, logic, loop configurations, control algorithms, device configuration data, set points, device firmware and system applications; Alarm Server, Historian, OPC Server, HMI, communications gateway devices
SCADA
Supervisory Control and Data Acquisition
Database Security
Susceptible to SQL Injection attacks, Web based attacks, weak authentication, default passwords
Kerberos
Symmetric key authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model, it provides mutual authentication and protects against eavesdropping and replay attacks.
Alternating Current Drive
Synonymous with Variable Frequency Drive (VFD).
Actions
Syslog message output handling. Used to specify a file, printer, terminal, First In First Out file or remote host.
Levels
Syslog selector based on the priorities, most to least severe: Emerg (or Panic), Alert, Crit, Err, Warning, Notice, Info, Debug; None (match nothing), * (match all). A level in a selector matches that priority and every more severe one.
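The three syslog cards above (Facilities, Actions, Levels) describe how a message's PRI value is split into facility and severity and how a selector like `auth.warning` routes it to an action. The following decoder and router is an added example written for this glossary, not course code; the log lines, selectors and action targets are constructed, and facility names 12-15 follow RFC 5424.

```python
"""Decode syslog <PRI> into facility/severity and route with syslog.conf-style
selectors. Added example (not course code); sample messages are constructed."""
import re

# Facility codes 0-23 (RFC 5424 names); PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity 0 is most severe; syslog selectors match a level and everything above it.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message: str) -> dict:
    """Split '<PRI>body' into facility, severity and the remaining text."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "body": m.group(2),
    }


def selector_matches(selector: str, decoded: dict) -> bool:
    """Evaluate 'facility.level' with classic syslog.conf semantics."""
    facility, level = selector.split(".")
    level = LEVEL_ALIASES.get(level, level)
    if facility != "*" and facility != decoded["facility"]:
        return False
    if level == "none":
        return False
    if level == "*":
        return True
    return decoded["severity_num"] <= SEVERITIES.index(level)


def route(rules, messages) -> dict:
    """Apply (selector, action) rules; a message can be delivered to several actions."""
    delivered = {}
    for raw in messages:
        decoded = decode_pri(raw)
        for selector, action in rules:
            if selector_matches(selector, decoded):
                delivered.setdefault(action, []).append(decoded["body"])
    return delivered


# Constructed rules: a local file, a remote collector (@host) and the catch-all.
RULES = [
    ("auth.warning", "/var/log/secure"),
    ("authpriv.*", "/var/log/secure"),
    ("*.emerg", "@10.0.0.10"),
    ("*.info", "/var/log/messages"),
]

# Constructed messages: <38>=auth.info, <34>=auth.crit, <0>=kern.emerg, <85>=authpriv.notice
SAMPLE_MESSAGES = [
    "<38>Jan  5 10:00:01 hmi01 sshd[1203]: Accepted password for operator from 10.1.1.5",
    "<34>Jan  5 10:00:07 hmi01 sshd[1207]: Failed password for root from 10.1.1.99",
    "<0>Jan  5 10:01:00 plc-gw kernel: panic - not syncing",
    "<85>Jan  5 10:01:30 hmi01 su: pam_unix(su:session): session opened for user root",
]

if __name__ == "__main__":
    for action, bodies in route(RULES, SAMPLE_MESSAGES).items():
        print(action, len(bodies), "message(s)")
```

The `@10.0.0.10` action is the centralized-logging case from this glossary: the kernel panic is copied off-host before an attacker can edit the local file.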
Security Event Log and Audit Policies
System Audit Policies Managed from Advanced audit Policy Configuration GUI, with Group Policy and AUDITPOL.exe
SPP-ICS
System Protection Profile for Industrial Control Systems
Reference Monitor
System component that enforces access controls on an object.
Default Account
System login account predefined in a manufactured system to permit initial access when system is first put into service. (pciscanner)
Transmission Control Protocol (TCP)
TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
ICCP
TCP/102 Inter-Control Center Communications Protocol
Foundation Fieldbus HSE
TCP/1089 to 1091, UDP/1089 to 1091 (Fieldbus Foundation; used by Emerson)
File Transfer Protocol
TCP/20 data TCP/21 FTP
DNP3
TCP/20000, UDP/20000 energy sector
PROFINET
TCP/34962 to 34964, UDP/34962 to 34964 Siemens
EtherNet/IP
TCP/44818, UDP/2222, UDP/44818 Rockwell Automation
OPC UA Discovery Server
TCP/4840
Modbus TCP
TCP/502
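The MODBUS and Modbus TCP cards above describe a master-slave protocol with unit IDs up to 247, carried on TCP/502 with no authentication. The decoder below, added here as an example and not part of the course material, parses the 7-byte MBAP header and the PDU, validates the length and unit ID fields, and flags write function codes the way a detection rule for unexpected register writes would. All frames are constructed by hand, not captured traffic.

```python
"""Modbus/TCP frame decoder with a write-function alert.

Added example for this glossary, not course code. Sample frames are
constructed by hand. Layout per the public Modbus application protocol spec:
MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1),
followed by the PDU = function code (1) | data.
"""
import struct
from typing import List, Optional

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes) -> dict:
    """Decode MBAP header + PDU, rejecting frames whose fields disagree."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # 'length' counts the unit id and the PDU, so the frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    # 0 is broadcast, 1-247 are slave addresses, 255 is the usual Modbus/TCP default.
    if unit_id > 247 and unit_id != 255:
        raise ValueError(f"unit id {unit_id} outside the 0-247 slave address range")
    pdu = frame[7:]
    function_code = pdu[0]
    is_exception = bool(function_code & 0x80)  # exception responses set the high bit
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code & 0x7F,
        "function": FUNCTION_NAMES.get(function_code & 0x7F, "unknown/vendor"),
        "is_exception": is_exception,
        "exception_code": pdu[1] if is_exception and len(pdu) > 1 else None,
        "data": pdu[1:],
    }


def describe_write(parsed: dict) -> Optional[str]:
    """Return a description for write requests (FC 5, 6, 15, 16), else None."""
    if parsed["is_exception"]:
        return None
    fc, data = parsed["function_code"], parsed["data"]
    if fc not in (5, 6, 15, 16):
        return None
    if len(data) < 4:
        raise ValueError(f"FC{fc} request data too short")
    address, value_or_count = struct.unpack(">HH", data[:4])
    if fc in (5, 6):
        return f"FC{fc} {parsed['function']} addr={address} value=0x{value_or_count:04X}"
    return f"FC{fc} {parsed['function']} addr={address} count={value_or_count}"


def alert_on_writes(frames: List[bytes]) -> List[str]:
    """Flag every write request, e.g. from a host that should only be reading."""
    alerts = []
    for frame in frames:
        parsed = parse_mbap(frame)
        desc = describe_write(parsed)
        if desc:
            alerts.append(f"unit {parsed['unit_id']}: {desc}")
    return alerts


# Constructed frames (not captured): read 10 holding registers from address 0,
# write 3000 to register 16, write two registers starting at 100, and an
# exception response (Illegal Data Address) to a Read Holding Registers request.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0BB8")
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0064 0002 04 0001 0002")
EXCEPTION_RESP = bytes.fromhex("0001 0000 0003 01 83 02")
SAMPLE_FRAMES = [READ_HOLDING, WRITE_SINGLE, WRITE_MULTI, EXCEPTION_RESP]

if __name__ == "__main__":
    for alert in alert_on_writes(SAMPLE_FRAMES):
        print(alert)
```

The length cross-check matters in practice: stacks that trust the MBAP length field without comparing it to the bytes actually received are a common source of crashes during scanning, which is one reason the Port Scanning card warns about control networks.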
OPC UA XML
TCP/80 TCP/443
Attack - Spoofing
Technique used to forge TCP/IP packet information or email header information. In network attacks it is used to gain access to systems by impersonating the IP address of a trusted host. In email the sender address is forged to trick a user into opening or responding to a message. (Dummies)
ICCP aka
Telecontrol Application Service Element 2 (TASE.2)
ISA
International Society of Automation (formerly the Instrumentation, Systems, and Automation Society)
Integral
The PID value that is proportional to both the magnitude of the error and the duration of the error. In a PID controller, it is the sum of the instantaneous error over time and gives the accumulated offset that should have been corrected previously. The accumulated error is then multiplied by the integral gain (K_i) and added to the controller output.
Proportional
The PID value that produces an output value that is proportional to the current error value. The proportional response can be adjusted by multiplying the error by a constant Kp, called the proportional gain constant.
Access Reconciliation
The action of making accounts consistent. A process used to compare two sets of records to ensure the data are in agreement and are accurate.
Collision Detection (CD)
The capability of a layer 2 network protocol to know when two network nodes send data simultaneously, creating unreadable data.
Fuzzy Logic
The degrees of truth, Truth Value between 0 and 1 for various factors. Values used to determine final operation
SCADA Server
The device that acts as the master in a SCADA system.
Port
The entry or exit point from a computer for connecting communications or peripheral devices.
PowerShell
The future of command-line administration on Windows. Slated to replace CMD.exe
Human-Machine Interface (HMI)
The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software.
Protocol
The language rules that dictate how computers communicate on a network: standardize format, specify ordering, enable third-party communications.
Risk
The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Motion Control Network
The network supporting the control applications that move parts in industrial settings, including sequencing, speed control, point-to-point control, and incremental motion.
Accreditation
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Denial of Service (DoS)
The prevention of authorized access to a system resource or the delaying of system operations and functions.
Risk Assessment
The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
Risk Management
The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
Identification
The act of a user, process or device claiming an identity (e.g., presenting a username or certificate) as a prerequisite for access; verifying that claim is authentication.
Crypto - Keyspace
The range of all possible values for a key in a cryptosystem. The larger the keyspace, and the more uniformly random the keys drawn from it, the harder brute-force search becomes.
Authorization
The right or a permission that is granted to a system entity to access a system resource.
Operational Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Management Controls
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security.
Internet
The single interconnected world-wide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
Public Key Infrastructure (PKI)
The software and procedures needed to support digital certificates. Includes Certificate Authority (CA), Validation Authority (VA), Registration Authority (RA)
Pneumatics
The technique of using gases for power transmission.
Jitter
The time or phase difference between the data signal and the ideal clock.
Cycle Time
The time, usually expressed in seconds, for a controller to complete one control loop: sensor signals are read into memory, control algorithms are executed, and the corresponding control signals are transmitted to actuators that change the process, resulting in new sensor signals.
Statistical Process Control (SPC)
The use of statistical techniques to control the quality of a product or process.
Controlled Variable
The variable that the control system attempts to keep at the set point value. The set point may be constant or variable.
MLS/MCS
Multi-Level Security / Multi-Category Security. In Fedora's SELinux these two fields of a security context control Sensitivity Level:Category, e.g. s0:c0.c10 (sensitivity s0 with categories c0 through c10).
Derivative
This PID term is calculated by determining the slope of the error over time (its rate of change) and multiplying that rate by the derivative gain Kd. The magnitude of the derivative term's contribution to the overall control action is set by that gain.
Wireless Attacks
Wireless is a shared medium, so it behaves like a hub: every station within range can see the traffic, which makes data capture easy, and jamming or deauthentication frames make denial of service (DoS) easy.
Policy
Must be written using SMART (Specific, Measurable, Achievable, Realistic, Time-based) and the 5 Ws (who, what, when, where, why).
Tripwire
Software product that is an example of intrusion detection through integrity checking. Creates a secure baseline database of file and directory attributes (hashes, permissions, sizes, timestamps) and reports changes against it.
Control Network
Those networks of an enterprise typically connected to equipment that controls physical processes and that is time or safety critical. The control network can be subdivided into zones, and there can be multiple separate control networks within one enterprise and site.
Time Sync
Time stamping in RTUs / GPS / NTP Network Time Protocol
NRC
Title 10 of the Code of Federal Regulations, 10 CFR 73.54: Protection of digital computer and communication systems and networks (the cyber security rule for nuclear power plant licensees).
Integrity Checkers
Tools like Tripwire that detect intrusions through file and folder modifications by comparing current attributes against a trusted baseline.
Physical Topology
Topology of how a network is actually connected, how the data flows via wires and wireless (AKA OSI Layer 1)
Logical Topology
Topology of the rules which a network uses for sending data. The process a protocol follows to send data regardless of the media. (AKA OSI Layer 2) Example: A Token ring
TCP
Transmission Control Protocol
TCP/IP
Transmission Control Protocol/Internet Protocol
Broadcast
Transmission to all devices in a network without any acknowledgment by the receivers.
Crypto - HMAC Hashing
Transmitter creates a hash over the message combined with a secret key known only to the transmitter and the recipient. An attacker who does not know the key cannot compute a valid tag for a modified message, so HMAC provides message integrity and origin authentication (a defense against tampering by a man-in-the-middle). Any cryptographic hash function (MD5, SHA-1, SHA-256, ...) can be used as the underlying hash in the HMAC construction. (Day 4, Page 180)
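The construction described above, as an added example that is not part of the course material: HMAC built by hand from the RFC 2104 definition (inner hash keyed with ipad, outer hash keyed with opad) so that any hash function can be dropped in, cross-checked against Python's standard library, and verified with a constant-time compare. The key and messages are constructed samples, not values from the page.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hashfunc=hashlib.sha256) -> bytes:
    """HMAC as defined in RFC 2104: H((K xor opad) || H((K xor ipad) || message)).

    Any cryptographic hash with a known block size slots in as hashfunc, which is
    the sense in which "any hash function can be used" for HMAC.
    """
    block_size = hashfunc().block_size        # 64 bytes for SHA-256 and SHA-1
    if len(key) > block_size:
        key = hashfunc(key).digest()          # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")      # short keys are zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfunc(ipad + message).digest()
    return hashfunc(opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so response timing does
    not leak how many leading bytes of a forged tag were correct."""
    return hmac.compare_digest(hmac_manual(key, message), tag)


def demo() -> dict:
    # Constructed sample: a master station and an RTU share this key out of band.
    key = b"shared-secret-between-master-and-rtu"
    message = b"WRITE REG 40001 VALUE 42"
    tag = hmac_manual(key, message)
    return {
        "matches_stdlib": tag == hmac.new(key, message, hashlib.sha256).digest(),
        "genuine_accepted": verify_tag(key, message, tag),
        # a man-in-the-middle edits the value but cannot recompute the tag
        "tampered_rejected": not verify_tag(key, b"WRITE REG 40001 VALUE 99", tag),
        # knowing the hash function is not enough without the key
        "wrong_key_rejected": not verify_tag(b"guess", message, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The first assertion below is RFC 4231 test case 1 (key of twenty 0x0b bytes, message "Hi There"); a correct HMAC-SHA256 implementation must reproduce it exactly.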
TLS
Transport Layer Security
Phishing
Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites).
TFTP
Trivial File Transfer Protocol
Layer 2 Tunneling Protocol (L2TP)
Tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It provides no confidentiality by itself and is normally run over IPsec (L2TP/IPsec). It has its origins primarily in two older tunneling protocols for point-to-point communication: Cisco's Layer 2 Forwarding Protocol (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).
ICMP - Common Types and Codes
Type 0 = Echo Reply* (Ping response) Type 3 = Destination Unreachable - Code 0: Network Unreachable - Code 1: Host Unreachable - Code 3: Port Unreachable - Code 9: Destination Network Administratively Prohibited (e.g. F/W) Type 5 = Redirect (an attacker on the local segment can use it to steer traffic through their host; hosts should ignore redirects) Type 8 = Echo Request* (Ping request) Type 11 = Time Exceeded - Code 0: TTL Expired in Transit (what traceroute relies on) - Code 1: Fragment Reassembly Time Exceeded
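The types and codes listed above, as an added example that is not part of the course material: a small Python builder and parser for the 8-byte ICMP header, including the RFC 1071 one's-complement checksum so a captured message can be validated (a valid packet sums to zero). Packets are constructed inline; the type/code table covers only the entries on the page.

```python
import struct

# Type -> (name, {code: name}); only the types and codes from the glossary entry.
ICMP_TYPES = {
    0: ("Echo Reply", {0: "Echo Reply"}),
    3: ("Destination Unreachable", {
        0: "Network Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
        9: "Destination Network Administratively Prohibited"}),
    5: ("Redirect", {0: "Redirect for Network", 1: "Redirect for Host"}),
    8: ("Echo Request", {0: "Echo Request"}),
    11: ("Time Exceeded", {0: "TTL Expired in Transit",
                           1: "Fragment Reassembly Time Exceeded"}),
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest_of_header: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Type, code, checksum, 4 bytes of rest-of-header, optional payload."""
    body = struct.pack("!BBH", itype, code, 0) + rest_of_header + payload
    return struct.pack("!BBH", itype, code, icmp_checksum(body)) + rest_of_header + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, code, _csum = struct.unpack("!BBH", packet[:4])
    name, codes = ICMP_TYPES.get(itype, ("Unknown", {}))
    out = {"type": itype, "code": code, "name": name,
           "code_name": codes.get(code, "Unknown"),
           # summing the whole packet, checksum field included, yields 0 when intact
           "checksum_ok": icmp_checksum(packet) == 0}
    if itype in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", packet[4:8])
    elif itype in (3, 5, 11):
        # error messages quote the offending IP header plus 8 bytes of its payload
        out["quoted"] = packet[8:]
    return out


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 7, b"ping-data")))
    print(parse_icmp(build_icmp(3, 9)))
```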
NTP
UDP/123
NBT
UDP/137 (NetBIOS Name Service), UDP/138 (Datagram Service), TCP/139 (Session Service)
SNMP
UDP/161 UDP/162
LonTalk
UDP/1628 (Config Server UDP/1629) Building Automation Systems
Network File System NFS
UDP/2049 file sharing for unix networks
EtherCAT
UDP/34980
BACnet/IP
UDP/47808 Building Automation Systems
SYSLOG
UDP/514
Domain Name Service (DNS)
UDP/53
FL-net
UDP/55000 to 55003 Anybus Japanese JEMA
Bootp
UDP/67 (Bootstrap Protocol, predecessor of DHCP; server side)
DHCP
UDP/68 (client side; the DHCP server listens on UDP/67, clients on UDP/68)
Trivial File Transfer Protocol (TFTP)
UDP/69 Transfer files from one device to another without authentication
CFATS
US Chemical Facility Anti-Terrorism Standards - DHS comprehensive federal security regulations for high-risk chemical facilities
Nuclear Regulatory Commission (NRC)
US Regulatory Commission that handles the security and safeguards for civilian nuclear facilities and materials
Transportation Security Administration (TSA)
US agency (under DHS) in charge of pipeline security.
Wi-Spy
USB spectrum analyzer, Analyze all bands of 802.11, find rogue devices.
Internet Assigned Numbers Authority (IANA)
Ultimate authority for assigning IP addresses on the Internet.
UPS
Uninterruptible Power Supply
US-CERT
United States Computer Emergency Readiness Team; the 24/7 operational arm of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC)
USB
Universal Serial Bus
chroot
Unix feature that changes a process's apparent root directory so it can only see and access files under that directory; used to isolate a daemon to a particular directory tree. Not a security boundary against a process running as root inside the jail, which can break out.
df
Unix command to see free space on all mounted partitions
/etc/inittab
Unix configuration file that contains instructions on which program scripts to run at init based on their Run Levels
Run Condition Directory
Unix directories, one per run level (usually named rc#.d, e.g. rc3.d), each containing symbolic links (S## to start, K## to stop) to the scripts in init.d
/etc
Unix file path that contains system configuration files
/etc/fstab
Unix file that configures disk partitions
/var
Unix folder path containing variable data: log files, spools and queues (mail, print, cron), caches
/usr
Unix folder path containing primary OS files; originally intended to contain larger executables and libraries. Shareable and mounted READ ONLY where possible
/dev
Unix folder path containing system device files (character and block special files)
/bin
Unix folder path originally intended to contain small essential executables needed at boot
/home
Unix folder path that contains user home directories
/
Unix folder path to the root directory
Run Levels
Unix init selects which set of scripts to run based on these
chkrootkit
Unix malware detection tool that looks for rootkits,sniffers, deleted logs, Trojans, kernel modules
cron
Unix scheduling daemon
Database Security Basics
Use DBAs, Separation of duties, Patching, Monitor and audit, audit logins, strong authentication, security testing, certificate management. Do not reuse certificates for both client and server connections.
SIEM - Security Information and Event Management System
Used for centralized logging from various systems and devices on a network (e.g., Syslog from Linux)
Engineering Workstation
Used for making changes to ICS, also Operator Workstation
Subnet Mask
Bit mask applied to an IP address to separate the network portion (NET_ID) from the host portion; the number of masked bits defines the subnet size (e.g. 255.255.255.0 = /24). Under CIDR this replaced the original class-based (A/B/C) division.
UDP
User Datagram Protocol
Siemens Simatic WinCC
Username = WinCCAdmin Password = 2WSXcder
Modbus Spoofing
Using a tool such as mbtget (a Perl Modbus/TCP client) to read and write coils and registers. Because Modbus has no authentication, any host that can reach TCP/502 on the PLC can send writes that the PLC treats as legitimate.
Port Scanning
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Local File Inclusions (LFI)
Using a seemingly harmless local file request (e.g. a page=... parameter that the server includes from disk) with path traversal (../) to read sensitive files such as /etc/shadow or application source.
Remote File Inclusion (RFI)
Using a seemingly harmless file include parameter to make the server fetch and execute a file from an attacker-controlled remote location (e.g. http://attacker/shell.txt), typically yielding remote code execution.
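The two include flaws above, as an added example that is not from the course material: a vulnerable include path builder kept exactly as an application would naively write it, next to a hardened version that rejects URL schemes (RFI), null bytes, and any resolved path that escapes the include directory (LFI). The base directory /var/www/pages and the request strings are constructed for illustration.

```python
import os
from urllib.parse import urlparse


def include_vulnerable(base_dir: str, requested: str) -> str:
    """'Before' form: the user-supplied name is joined straight onto the base path.
    ../ sequences walk out of base_dir, and an absolute path replaces it entirely."""
    return os.path.join(base_dir, requested)


def include_hardened(base_dir: str, requested: str) -> str:
    """Resolve the candidate and refuse anything that is remote or leaves base_dir."""
    if "\x00" in requested:
        raise ValueError("null byte in path")          # classic truncation trick
    if urlparse(requested).scheme:                     # http://, ftp://, php:// ...
        raise ValueError("remote or stream includes are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ../ and symlinks, so compare the final locations
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the include directory")
    return target


def classify(base_dir: str, requested: str) -> str:
    """Return what the hardened check would do with a request."""
    try:
        include_hardened(base_dir, requested)
        return "allowed"
    except ValueError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    base = "/var/www/pages"   # constructed include directory
    for req in ("about.html", "../../../etc/shadow", "/etc/shadow",
                "http://attacker.example/shell.txt"):
        print(req, "->", include_vulnerable(base, req), "|", classify(base, req))
```

Note that os.path.join discards the base directory when the second argument is absolute, which is why the vulnerable form returns /etc/shadow unchanged; the hardened form never trusts the joined string and instead compares resolved paths.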
DNP3
Distributed Network Protocol 3. Used by electric and water utilities; originally developed by Westronic (1993); standardized as IEEE Std 1815-2012. 16-bit addressing (about 65,000 devices), event time stamping, runs over serial or Ethernet (TCP/20000).
winrm.vbs
VB script used to manage Windows Remote Management (WinRM) settings from the command line (e.g. winrm quickconfig). Windows Event Forwarding to a collector rides on WinRM; the collector itself is managed with wecutil.exe.
802.1Q
VLAN tagging protocol (TAGS)
Secure Socket Tunneling Protocol (SSTP)
Microsoft VPN tunnel that transports PPP traffic through an SSL/TLS channel over TCP port 443, which lets it pass firewalls and proxies easily. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The server side is Windows; clients exist for Windows, Linux and BSD. Often grouped with OpenVPN as an "SSL VPN".
Digital I/O
Value communicated by simple On-or-Off signals. Relays, Switches, and device Status.
Analog I/O
Value communicated by varying Voltage or Current. Measure Temperature, Pressure, Flow, Speed
Field Device
Valves, Solenoids, Pumps, Agitator, Burners and Compressors. I/O
VFD
Variable Frequency Drive
Auditing and Forensics
Verify policy compliance, vulnerability scanning, gather ongoing operational data, create a baseline snapshot, change detection and analysis
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
VLAN
Virtual Local Area Network
VPN
Virtual Private Network
Melissa Virus
Virus launched around March 26, 1999; a mass-mailing Word macro virus that e-mailed an infected document to the first 50 Outlook contacts. As it is not a standalone program, it is not a worm. Could leak Word documents, since it infected other documents the user opened.
Malware
Viruses, Trojans, backdoors, bots, worms
UCSniff
VoIP and IP Video Security Assessment Tool - Inject audio / video into VOIP
Nessus
Vulnerability scanner and config scanner for windows, Linux and VM
Frame Relay
WAN interconnection based on packet switching (breaking data into packets each traveling individually) shared by multiple companies
Dedicated Line
WAN interconnection of two remote sites using a dedicated Point-to-point network typically leased from a provider. Ex. T1, T4, E1 or E3
Multiprotocol Label Switches (MPLS)
WAN technology that supports IP traffic (IPv4, IPv6, VoIP, etc.) and provides a unified data carrying service spanning OSI layer 2 and layer 3 (AKA layer 2.5). Seen as a replacement for Asynchronous Transfer Mode (ATM) and Frame Relay as it supports modern protocols.
Microsoft System Center
WSUS on steroids, more complex, more resource usage, not free like WSUS
Attack Appropriate Response
Walk down site, consider cyber related, what can I access from here, can I impact equipment, escalate with evidence
Vulnerabilities
Weaknesses in a system; the gateways through which threats can manifest
SHODAN
Web service that indexes Internet-facing devices by their service banners; search by vendor and model (or other banner strings) and it shows the IP addresses where they can be reached
Windows Server Update Service
What does the acronym WSUS stand for?
Building Management System (BMS)
What does the acronym BMS stand for (also known as BAS, Building Automation System)?
Critical Digital Asset (CDA)
What does the acronym CDA stand for?
Energy Management System (EMS)
What does the acronym EMS stand for?
Human Machine Interface (HMI)
What does the acronym HMI stand for?
International Atomic Energy Agency (IAEA)
What does the acronym IAEA stand for?
Manufacturing Execution Systems (MES)
What does the acronym MES stand for?
National SCADA Test Bed
What does the acronym NSTB stand for?
Process Control System (PCS)
What does the acronym PCS stand for?
Supervisory Control And Data Acquisition (SCADA)
What does the acronym SCADA stand for?
Fragmentation
When an IP packet is larger than the MTU of the next link and is split into smaller pieces. IPv4 routers fragment in transit unless the Don't Fragment bit is set; in IPv6 only the sender fragments. Overlapping or tiny fragments are a long-standing IDS-evasion technique.
WAN
Wide Area Network
Secure Boot
UEFI firmware feature (required for Windows 8 certification) that uses Public Key Infrastructure (PKI) signatures to verify each boot component before it runs, to prevent malware (bootkits) from infecting the boot process.
Active Directory Application Mode (ADAM)
Windows Active Directory mode for Lightweight Directory Access Protocol (LDAP) based services, promotes interoperability with *nix systems.
Active Directory Federation Services (ADFS)
Windows Active Directory service that allows single sign-on across company boundaries
Security Template
Windows INF file that can contain: Password Policy, Lockout Policy, Kerberos Policy, Audit Policy, User Rights, Event Log Settings, NTFS, Services, Registry
Windows Management Instrumentation Console (WMIC)
Windows Management command line tool swiss army knife
Network Access Protection (NAP)
Windows Server 2008 (and higher) feature used to enforce client health policies before allowing them to access a network.
Windows End of Lifes (EoLs)
Windows XP = April 8, 2014; Windows XP Pro for Embedded Systems / XP Embedded = January 12, 2016
gpupdate
Windows command to force a Group Policy update
Security Templates
Windows editor for Microsoft Management Console (MMC) for modifying reusable security INF files.
Group Policy
Windows feature that controls configuration of the working environment for user accounts. Can be managed centrally using Active Directory.
User Account Control (UAC)
Windows feature that reduces the number of tasks that can run as local administrator. Designed to warn users when an application requests elevated rights.
Data Execution Prevention (DEP)
Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks.
Remote Procedure Call (RPC)
Mechanism that lets a program execute a procedure on a remote host as if it were local; the Windows implementation (MSRPC) underlies many services, including DCOM.
Distributed Component Object Model (DCOM)
Windows protocol for allowing distributed communication between programs on a network. Extensive use of MSRPC.
AppLocker
Windows software restriction (whitelisting) feature. Can import and export configs, audit configs, apply rules based on Group Policy.
Modulation
Wireless data is encoded on wireless signal carriers through this process.
IEC 62591
WirelessHART
Cross Site Scripting (XSS)
Injecting attacker-controlled script into a page that other users' browsers render, so it runs with that site's origin: steal session cookies and private data, alter the page (DOM) or browser behaviour, or relay the JavaScript to other users' sessions (stored XSS).
Zed Attack Proxy (ZAP)
OWASP intercepting proxy and web application scanner; includes a fuzzer for parameters, headers and login forms (password fuzzing)
Proportional Integral Derivative (PID)
a control loop feedback mechanism (controller) widely used in industrial control systems. Calculates an error value as the difference between a measured process variable and a desired setpoint.
PLC
a digital computer used for automation of typically industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures
Attack Surface
a list of system inputs that an attacker can use to attempt to compromise a system
Attack Tree
a logical way to string multiple attacks together to accomplish some greater attack goal
Process Hazard Analysis (PHA)
a set of organized and systematic assessments of the potential hazards associated with an industrial process
ISO27001 Emphasizes Importance In:
a) Understanding an organization's infosec requirements and the need to establish policy and objectives for infosec b) Implementing and operating controls to manage an organization's infosec risks in the context of the organization's overall business risks. c) Monitoring and reviewing the performance and effectiveness of the InfoSec Management System (ISMS) d) Continual improvement based on objective measurement
Control Loops
calculating and controlling an environment or process based on feedback.
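The PID controller and control loop described above (and the Derivative entry earlier), as an added example that is not part of the course material: one PID step with the three terms computed from the error, then the loop run against a constructed first-order process (a tank whose level rises with the controller output and drains in proportion to its level) with an actuator clamp. The gains and process constants are assumptions chosen to settle within the simulated window. Note that nothing in the loop authenticates the setpoint: whatever value lands in that variable is what the process is driven to.

```python
def pid_step(state: dict, measurement: float, setpoint: float,
             kp: float, ki: float, kd: float, dt: float):
    """One PID evaluation. Returns (controller output, updated state).

    error      = setpoint - process variable
    P term     = kp * error
    I term     = ki * accumulated error over time
    D term     = kd * slope of the error (its rate of change)
    """
    error = setpoint - measurement
    integral = state["integral"] + error * dt
    derivative = (error - state["prev_error"]) / dt
    output = kp * error + ki * integral + kd * derivative
    return output, {"integral": integral, "prev_error": error}


def simulate(setpoint: float = 50.0, kp: float = 2.0, ki: float = 1.0,
             kd: float = 0.5, dt: float = 0.1, steps: int = 400) -> float:
    """Run the closed loop against a constructed process and return the final level.

    Process model (assumption): d(level)/dt = output - 0.5 * level, so holding the
    level at 50 needs a steady output of 25, which only the integral term supplies.
    """
    level = 0.0
    # seeding prev_error with the initial error avoids a derivative kick on step 1
    state = {"integral": 0.0, "prev_error": setpoint - level}
    for _ in range(steps):
        output, state = pid_step(state, level, setpoint, kp, ki, kd, dt)
        output = max(0.0, min(100.0, output))   # actuator limits, e.g. a 0-100 % valve
        level += dt * (output - 0.5 * level)    # plant responds, new measurement
    return level


if __name__ == "__main__":
    print("final level:", round(simulate(), 3))
```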
Windows Push Scripts with Group Policy
can distribute scripts to run on Startup, Shutdown, Logon and Logoff
Communications Gateways
data acquisition, storage, transmission, and protocol conversion in ICS. RS232 or RS485 to TCP/IP
RTP - Real Time Transport Protocol
defines a standardized packet format for delivering audio and video over IP networks
Project Files
details of control system architectures, configs, logic and parameters
Operational Historians
different than Enterprise historians as they are typically used by engineers on the plant floor rather than by the business process.
WIFI kill
Android tool that disconnects everyone on the wireless network except you by disassociating every other MAC address from the network
Facility Requirements
driven by life and limb, physical security
Runtime Library
Exposes and integrates disparate ICS technologies with each other through APIs; used to customize and interconnect systems
Discretionary Access Control (DAC)
governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. Most commonly used access control model in operating systems today.
Session Hijacking
Taking over another user's session by obtaining or predicting the session ID (cookie). Works when IDs are sequential or otherwise guessable rather than long random values, when they are sent in the clear, or when they are not rotated at login. Takes advantage of weak session management.
Access Control Entries (ACE)
identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. A list of this object type creates the Access Control List (ACL)
Alarms
informs operator of an abnormal event or condition. Visible or audible. Call to action for operator
Layers of Protection Analysis (LOPA)
is a powerful analytical tool for assessing the adequacy of protection layers used to mitigate process risk. Builds upon well-known process hazards analysis techniques, applying semi-quantitative measures to the evaluation of the frequency of potential incidents and the probability of failure of the protection layers. IEC 61511
DNS - Reverse Lookup
is a query of the DNS for domain names when the IP address is known.
Safety - Process Hazard Analysis (PHA) (aka Process Hazard Evaluation)
is a set of organized and systematic assessments of the potential hazards associated with an industrial process. Provides information to assist managers and employees in making decisions for improving safety and reducing the consequences of unwanted or unplanned releases of hazardous chemicals. (Wiki)
Role Based Access Control (RBAC)
is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC).
Linux # mount -o remount,nosuid /tmp
mount = mount a file system; -o = options; remount = remount an already mounted file system with new options; nosuid = do not honor set-user-ID or set-group-ID bits on executables there. Translation: programs under /tmp run with the permissions of the user who executed them, never with the file owner's.
NCCIC
national cybersecurity and communications integration center
Modbus Vulnerabilities
No authentication or encryption; any host that can reach the PLC can read or modify Modbus values (coils, registers) from anywhere on the network; widely deployed. Mitigate with segmentation and a protocol-aware firewall that only permits writes from the intended master.
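The Modbus/TCP frame referred to in the Modbus Spoofing and Modbus Vulnerabilities entries, as an added example that is not part of the course material: a builder for Write Single Register (function 06) and Read Holding Registers (function 03) requests, and a parser that also decodes exception responses. Seeing the whole frame makes the point concrete: a 7-byte MBAP header plus a function code and operands, with no field anywhere for a credential or integrity tag. Transaction and unit IDs, addresses and values are constructed samples.

```python
import struct

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers", 0x05: "Write Single Coil",
    0x06: "Write Single Register", 0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, remaining length, unit id) + PDU."""
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    return build_adu(transaction_id, unit_id, struct.pack("!BHH", 0x06, address, value))


def read_holding_registers(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    return build_adu(transaction_id, unit_id, struct.pack("!BHH", 0x03, start, count))


def parse_adu(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    out = {"transaction_id": tid, "unit_id": uid, "function_code": fc}
    if fc & 0x80:                                   # exception: original fc with high bit set
        out["exception"] = EXCEPTION_CODES.get(data[0], "Unknown")
        out["function"] = FUNCTION_NAMES.get(fc & 0x7F, "Unknown")
        return out
    out["function"] = FUNCTION_NAMES.get(fc, "Unknown")
    if fc == 0x06:                                  # request and response share one layout
        out["address"], out["value"] = struct.unpack("!HH", data[:4])
    elif fc == 0x03 and len(data) == 4:             # request: start address, quantity
        out["start"], out["count"] = struct.unpack("!HH", data)
    elif fc == 0x03:                                # response: byte count, then registers
        n = data[0]
        out["registers"] = list(struct.unpack("!%dH" % (n // 2), data[1:1 + n]))
    return out


def is_write(frame: bytes) -> bool:
    """What a protocol-aware firewall or IDS rule keys on: any write function code."""
    return parse_adu(frame)["function_code"] in WRITE_FUNCTIONS


if __name__ == "__main__":
    req = write_single_register(1, 1, 0x0010, 0x1234)   # constructed sample request
    print(req.hex(), parse_adu(req), "write:", is_write(req))
```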
nodev
Mount option in Unix that does not interpret character or block special (device) files on that file system. Used on file systems other than /dev to prevent unauthorized device access through a planted device node
nosuid
option in Unix ignores the set-UID and set-GID bits on executables
Ladder Logic
originally a written method to document the design and construction of relay racks as used in manufacturing and process control
ro
read only option causes the Unix operating system to prevent writes or updates
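The nosuid, nodev and ro mount options above, and the remount command two entries earlier, as an added example that is not part of the course material: an audit that parses /proc/mounts-style text, reports which hardening options each mount point is missing, and produces the remount command to fix it. The expected options per mount point and the sample mount table are constructed assumptions (the /usr read-only expectation follows the /usr entry on this page).

```python
# Expected hardening options per mount point (assumption for this example).
REQUIRED = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/home": {"nosuid", "nodev"},
    "/var": {"nosuid", "nodev"},
    "/usr": {"ro"},
}

# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /usr ext4 rw,relatime 0 0
"""


def parse_proc_mounts(text: str) -> dict:
    """Map mount point -> set of options. /proc/mounts escapes spaces as \\040."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")
        mounts[mountpoint] = set(parts[3].split(","))
    return mounts


def audit(text: str, required: dict = REQUIRED) -> dict:
    """Return {mount point: list of missing options} for every non-compliant mount."""
    mounts = parse_proc_mounts(text)
    findings = {}
    for mountpoint, needed in required.items():
        if mountpoint not in mounts:
            findings[mountpoint] = ["not a separate mount"]
            continue
        missing = sorted(needed - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings


def remount_command(mountpoint: str, missing: list) -> str:
    """The fix, in the form shown on the page: mount -o remount,<opts> <mountpoint>."""
    return "mount -o remount,%s %s" % (",".join(missing), mountpoint)


if __name__ == "__main__":
    for mp, missing in audit(SAMPLE_PROC_MOUNTS).items():
        print(mp, "missing", missing, "->", remount_command(mp, missing))
```

Remounting with ro or noexec on a live system can break running software (package managers under /usr, installers that unpack to /tmp); test the remount on a bench host before adding it to /etc/fstab.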
Microsoft PowerShell
Microsoft's object-based shell and scripting language, intended to replace cmd.exe; often compared with bash, but it passes .NET objects rather than text through the pipeline
Hazard and operability study (HAZOP)
A structured and systematic examination of a planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation; it is carried out by a suitably experienced multi-disciplinary team during a set of meetings
Risk Based Assessment Methodology (RBAM)
The determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculating two components of risk (R): the magnitude of the potential loss (L) and the probability (p) that the loss will occur. Acceptable risk is a risk that is understood and tolerated, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expected loss
Startup/Shutdown
Group Policy startup and shutdown scripts run as Local System; logon and logoff scripts run in the user's context
Spear Phishing
sending a highly focused attack to a select number of targets
Phishing
sending an attack to a large number of individuals
Attack Model
series of diagrams and or descriptions of how attackers can attack a system
Integrated Services for Digital Network (ISDN)
set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network.
Open System Interconnection (OSI)
Seven layers that network protocols can work on: Physical, Data Link, Network, Transport, Session, Presentation, Application (layers 1 to 7)
Quantitative Risk Analysis (QRA)
software and methodologies give quantitative estimates of risks, given the parameters defining them. They are used in the financial sector, the chemical process industry, and other areas.
Fuzzing Network Protocols
Sending a wide variety of malformed or unexpected traffic to test an application's ability to handle it. Used by attackers and pen testers for enumeration, targeting vulnerabilities and finding crashes such as buffer overflows. PLC and RTU protocol stacks are often fragile under fuzzing, so test on a bench system, never on production.
Quality of Service (QoS)
the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. Manage the delay, jitter, bandwidth, and packet loss parameters on a network
With mandatory access control
this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.
Safety
training and certification, PPE, corporate culture
Virtual Channel Identifier (VCI)
Used to identify a virtual channel within a virtual path between two Asynchronous Transfer Mode (ATM) endpoints; can be reused after the connection is terminated.
Virtual Path Identifiers (VPI)
Used to label a collection of Asynchronous Transfer Mode (ATM) virtual channels (a virtual path), which helps with connection management.