GICSP Encyclopedia v2.0

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Crypto - Merkle-Hellman (Trapdoor) Knapsack

(1978) Unique approach to asymmetric crypto. Broken in 1982 - based on fixed weights.

RF Mesh Networks

(Day 4, Page 128)

TCP Flags (6 bits)

(In order) - Urgent (URG) - Acknowledgement (ACK) - Push (PSH) - Reset (RST) - Synchronize (SYN) - Finish (FIN) (Also two added bits at most significant position of the flags byte that is used for ECN - Explicit Congestion Notification)

WirelessHART Technical Details

- 2.4GHz ISM Band (Same as Wi-Fi but NOT Wi Fi) - Leverages IEEE 802.15.4 for PHY/MAC (Same as Zigbee) - Mesh network for "self-healing" - Channel hopping to allow to work in same area as 2.4GHz protocols

TCP Header Size

- 20 bytes

802.11x WiFi (1997)

- 802.11b = 11 [email protected] - 802.11a = 54 Mbps@ 5 GHz - 802.11g = 22/54 Mbps @ 2.4 GHz - 802.11n = 100+ Mbps @ 5 GHz - Large data packets supported through fragmentation at Layer 2

Zigbee

- 802.15.4 - Low cost cable replacement technology - Close to 100M nodes in 2012 - Honeywell = HVAC systems - Zigbee used for low power consumption and rely on long, multi-year battery life

Zigbee Security

- Accomodate security at MAC(2), Network (3) and Application (7) Layers - Relies on master keys set by mfg, installer or end-user - Generates link keys to encrypt traffic - Encryption Based on AES-CCM (128 bit block cipher) - Security optional - AES may be too resource intensive for lightweight devices (battery life vs security) - KillerBee = python-based framework by Joshua Wright for Zigbee and other 802.15.4 devices

IPSec - Protocols Used

- Authentication Header (AH) - Provides integrity, authentication and non-repudiation - Encapsulating Security Protocol (ESP) - Provides confidentiality/encryption and limited authentication

Bluetooth Security

- Authentication stars with user selecting PIN to authenticate other devices in the Bluetooth PICONET - BD_ADDR (Pronounce Bee Dee Adder) (MAC Address) - PIN+MAC = Security Keys - Some devices use fixed PINs - Sniffing risk when first pair (Day 4, Page 136)

Extensible Authentication Protocol (EAP)

- Authentication support for wireless - Different EAP types suitable for different environments -- considering clients, directory type, hardware

BOOTP/DHCP

- Automatically configures network interfaces and load operating systems via the network when they start up. - UDP Ports 67 and 68

Crypto - Classes of Ciphers

- Block Ciphers (usu in software) (Reusable keys, key management easier) - Stream Ciphers (usu in hardware) (Faster, keys only used once) (RC4 most common)

RTU vs PLC

- Both have array of I/O Connections (digital input, analog input, digital output) - Software/logic for operating on I/O for automation and safety - Different than PLC in some ways: -- Usually only runs simple autonomous programs -- More suitable for large geographical areas -- Differences are decreasing each day

Data Erasure Stages

- CLEARING (overwriting the data media for internal reuse) - PURGING (degaussing or overwriting for removal of equipment) - DESTRUCTION (physically destroying) (Krutz)

Wireless HART Security

- Can be configured with unique join keys for each device - Join key configured manually on field device maintenance port (wirelessly) - Successful encrypted join packet retrieves network key - Join can be restricted by key, manufacturer, and product name/tag - All payloads encrypted with unique session key per device - Rogue devices cannot spoof other devices because of unique keys - Cryptographic-based nonrepudiation to verify data came from the device

Safety - Process Hazard Analysis (PHA) Methods Include

- Checklist - What if? - What if?/Checklist - Hazard and Operability Study (HAZOPS) - Failure Mode and Effects Analysis AFTER the PHA if Team could not reach decision: - Layer of Protection Analysis (LOPA) - Fault Tree Analysis

BCP - Data Processing Continuity Planning Sites

- Cold Site (days to weeks to readiness) - Warm Site (Hours to days to readiness) - Hot Site (Minutes to hours to readiness) - Reciprocal Site - Multiple Data Centers (Minutes to hours to readiness) - Redundant sites (configured just like primary site) - Rolling Hot Sites

hping

- Command line-oriented TCP/IP packet assembler/analyzer - Works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows (Check "h" tab for more)

Cellular Backhauls

- Commonly used as a WAN because of low cost and universal availability - GSM vulnerabilities (vulnerable at PHY/MAC layer) - Private IP offered by some cell companies

UDP

- Connectionless, send and forget - Delivery not confirmed - No sequence numbers - Less protocol overhead (faster) - fewer packets - Smaller header

Physical Security - What ICS Devices Need Physical Protection?

- Controllers to include RTUs and Flow Computers etc. - I/O Found in junction boxes - I/O found on process equipment being sensed or actuated - Perimeter protection and locks - Available ports and diagnostic ports (physical, wireless, infrared)

DNP3

- DNP = Distributed Network Protocol - Mainly used by Electric, Gas and Water utilities - Originally developed by Westronic - Open standard - IEEE 1815-2010 Standard - Up to 65,000 devices per network - Event time stamping - RS232, RS485 -- Can be encapsulated in TCP/IP or backhauled via radio and modem. - Master-slave protocol - but Slave can report without request - Master (HMI, FEP) to Slave (RTU, PLC, IED) communication - Functions include send request, accept response, confirmation, time-outs, error recovery

DNP3

- DNP = Distributed Network Protocol - Mainly used by Electric, Gas and Water utilities - Originally developed by Westronic - Open standard - IEEE 1815-2010 Standard - Up to 65,000 devices per network - Event time stamping - RS232, RS485 -- Can be encapsulated in TCP/IP or backhauled via radio and modem. - Master-slave protocol - but Slave can report without request - Master (HMI, FEP) to Slave (RTU, PLC, IED) communication - Functions include send request, accept response, confirmation, time-outs, error recovery -Support pre-shared keys for authentication.

DNP3 Security Issues

- DNP traffic sent in plaintext - DNP3 connections susceptible to session hijacking, DoS - DNP3 does not provide authentication or authorization natively

DNP3 Security Issues

- DNP traffic sent in plaintext - DNP3 connections susceptible to session hijacking, DoS - DNP3 does not provide authentication or authorization natively Support pre-shared keys for authentication.

UDP Ports

- DNS (53) - Bootp/DHCP (67 and 68) - TFTP (69) - Network Time Protocol (NTP) (123) - NBT (137-139) - SNMP (161 and 162) - Network File Share (Unix) (2049) - Syslog (514) (TCP or UDP)

DNS Security Issues

- DNS responses traditionally NOT cryptographically signed - DNSSEC modify DNS to add support for cryptographically signed responses. (Alternative is DNSCurve) - TSIG (another DNS extension) add support for cryptographic authentication between trusted peers and are commonly used to authorize zone transfer or dynamic update operations.

Physical Security -- Elements to consider

- Deter - Authorization - Detect - Identify - Respond

Security Awareness - Elements of Staff Training & Security Awareness (ISA)

- Develop training program - Provide procedure and facility training - Provide training for support personnel - Validate the training program (ensure personnel understand) - Revise the training program over time - Maintain employee training records (ISA Addressing Risk with CSMS/Security Policy, Organization and Assessment, Staff Training and Security Awareness)

Common Industrial Protocol (CIP)

- Developed by Rockwell Automation - Supported by Open DeviceNet Vendors Assn (ODVA) - Underlying protocol for: -- DeviceNet -- ControlNet -- Ethernet/IP - Designed to allow different networks to be used with a common protocol. - Since it is designed to be media and Data Link independent, it can run over existing TCP/IP networks and does not require safety gateways or specialized routing hardware.

Attacks on Field Components/PLCs

- Disrupting communications - Consume processes and resources - Changing the configuration for accessing the device - Re-boot the device - Modify the programming/set points - Change group settings - Manipulate the firmware (low-level machine code) - Modify applications on device

ICS Wireless Disadvantages

- DoS attacks are easier and "near impossible" to defend against - Network capture is possible regardless of RF frequency used or use of hopping technologies - Attacker has at least a limited ability to communicate on the wireless network (Security defenses should be focused on higher level network protocol because we should assume that most wireless protocols allow at least partial access to the MAC layer) (Day 4, Page 124)

RF Mesh/Microwave/ISM Band

- Don't expect security at PHY/MAC layer - PHY/MAC security not often included with proprietery wireless comms - Give preference to solutions that leverage encryption and authentication in upper layer protocols. - Frequency hopping and licensed RF bands should NOT be considered security defenses

ICS Wireless Advantage

- Drastically reduces costs for time/money due to no wires - Users can access network from anywhere - Mobility and connectivity - Usable in environments where wiring is difficult (e.g., factories, hospitals, assembly lines, etc.) - Temporary networks such as field technician laptops (Day 4, Page 122)

WiFi - Top Security Risks for All Wireless Protocols and Standards

- Eavesdropping - Masquerading - DoS - Rogue APs

Crypto - Stream Cipher

- Encrypts one bit of data at a time - Plaintext length = Ciphertext length (minus headers and checksum) - RC4 is most common (also A5/1, E0) - Very fast, becommin less popular due to management overhead and security concerns

Crypto - Block Cipher

- Encrypts one block of data at a time (Plaintext is padded to next block length) - Block length = key length - AES very common - also DES, 3DES, Blowfish

TCP

- Establishes connection BEFORE data transmission - Delivery confirmed - Packet sequence numbers - More protocol overhead (slower) - More packets for handshakes and ACK - Larger headers for session management

IDS Monitoring Devices

- Firewalls - IDS (e.g., SNORT) - Database Activity Monitors (DAMs) - Application monitors - Network Probes

DNS Look Up Zones

- Forward DNS = I know the Domain Name and want the IP Address - Reverse DNS = I know the IP address and want the Domain Name

Fieldbus

- General name for competing standards such as Profibus (German National Standard), FIP (French National Std), Foundation Field Bus.

Zone

- Grouping of Logical or Physical assets that share common security requirements - Has clear border - Security policy enforced by combination of mechanism at Zone edges and within the zone

HART

- Highway Addressable Remote Transducer Protocol - Serial-based like Modbus used over 4-20ma analog circuits

Wireless Masquerading

- Impersonate an authorized client or access point - Uses "Evil Twin" attack - Attacker changes MAC address

Backup Types

- Incremental Back Up - backs up only those filed modified since the previous backup of any sort. It does remove the archive attribute. - Differential Backup - Backs up all fielss that have been modified since the last FULL backup. It does not remove the archive attribute. - Full backup - Procedure that backs up all files, modified or not, and removes the archive attribute. (Harris)

What Needs to be Protected in an ICS Environment?

- Industrial networks (Upstream) - Fieldbus (Downstream) - Networking Equipment & Communications Bridges - Industrial protocols - Management protocols - RTOS (Real time operating systems)/Firmware - Network cards - System applications - Interfaces (RS-232, Wireless) - Field Devices - Engineering Workstations & Programs/Files - Diagnostic/Calibration Equipment - Remote Access Equipment - Safety/Protection systems (Day 4, Page 160)

TCP Sequence Numbers

- Initial Sequence Number (ISN) - ISN is random / semi-random for security reasons - Increase by 1 for each byte sent - If fills up then rolls over to 0 and continues

Safety Analysis - Parameters

- Inspection/Materials - Electrical - Safety/Loss Prevention - Environmental - Packaged Equipment

File Integrity Monitoring

- Is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and the known, good baseline. - This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. - Other file attributes can also be used to monitor integrity. - Generally, the act of performing file integrity monitoring is automated using internal controls such as an application or process. - Such monitoring can be performed randomly, at a defined polling interval, or in real-time. - EXAMPLE: Monitoring Server OS binaries to detect unapproved changes. - EXAMPLE: Tripwire

Common Industrial Protocol (CIP) -Safety Extension of

- Is the TUV-certified extension to the standard CIP protocol. - It extends the model by adding CIP Safety application layer functionality including integrity and prioritizing.

PLC Programming

- Ladder Logic - Function Block (vendor implementation dependent) - Structured Text (Difficult to troubleshoot) - Instruction List (similar to assembly language - not common in certain geographies) - Sequential Function Chart

Programming, PLC

- Ladder Logic - Function Block (vendor implementation dependent) - Structured Text (Difficult to troubleshoot) - Instruction List (similar to assembly language - not common in certain geographies) - Sequential Function Chart

VSAT Limitations

- Latency (measured in 100's of milliseconds) - Need good line of sight to satellite - Issues with animals, landslides, etc. - RF interference - Degradation of signal due to rain/weather - Lightening strikes cause damage - Signals impacted by extreme solar activity (Day 4, Page 126)

Group Policy Object Order

- Local Machine - Site - Domain - Individual Organizational Units (OUs) - A user or computer object can ONLY belong to a single site and a single domain at any one time.

Physical Security - Procedural Controls

- Log in books - Physical security policy - Physical security requirements signage - Visitor management program

Conduit

- Logical grouping of communications channels connecting 2 or more zones - share common security requirements - A particular type of security zone that groups communications that can be logically organized into a grouping of information flows WITHIN and EXTERNAL to a zone. - Can be trusted or untrusted - Can be physical or logical - No such thing as "subconduits"

Conduit

- Logical grouping of communications channels connecting 2 or more zones - share common security requirements - A particular type of security zone that groups communications that can be logically organized into a grouping of information flows WITHIN and EXTERNAL to a zone. - Can be trusted or untrusted - Can be physical or logical - No such thing as "subconduits" Required to be fully end-to-end secure

Microwave

- Loosely defined between 3GHz and 300GHz - As low as 300MHz - Understand specific frequency offered by vendor

Attack - Results of ICS Attack

- Mal-operating the process - change set points - damage ICS components - damage physical equipment - suppress safety system and protections - cause loss of view - block control - spoof operators - modify or even spoof input to logic

Crypto - Components of non-repudiation?

- Message signing (Digital signature = encrypted hash value of message) - Hashing Function

WiFi Networks - protecting

- Migrate from WEP > WPA > WPA2 - Use Strong Authentication mechanism like PEAP (Protected Extensible Authentication Protocol) or TTLS (Tunnelled Transport Layer Security) - Mutual authentication to mitigate MITM and masquerading attacks - Always require mutual authentication - Audit network installations for consistency in deployment and config - Delete default admin passwords, community strings, or HTTP-enabled config pages - Educate users on how to spot suspect activity on WiFi network

ITU Defined ISM Bands

- Most common in US is 915MHz Band (902-928 MHz) - Second most common in US is 433.92MHz - Most common band in Europe for proprietary traffic is 859 MHz

WirelessHART (IEC 62591) - Security enabled wireless version of HART

- Multi-vendor wireless standard (2007) - Designed for process field device networks - Wireless Industrial Technology Konsortium (WiTECK) (37 members) - 50-80% market share in wireless ICS

IDS

- Network Based IDS (NIDS) - Host Based IDS (HIDS) - Signature Based - Anomaly Based

Bluetooth (1998)

- No line of sight requirement - Supports data, voice, content-centric applications with Bluetooth Profiles - Up to 7 simultaneous connections

Disruptions - Types of

- Nondisaster - device malfunction - Disaster - entire facility unusable for a day - Catastrophe - destroys facility altogether (Harris)

OPC Specifications

- OPC Data Access (OPC DA) (OPC Classic) - OPC Alarms & Events - OPC Batch - OPC Data Exchange (OPC DX?) -OPC Historical Data Access (Historians) - OPC Security - OPC XML-DA - OPC UA - Unified Architecture

OPC Security Concerns

- OPC Servers can be a bridge for an attacker from one system to another - OPC's use of DCOM and RPC make it highly vulnerable to attack - Subject to the same vulnerabilities as OLE - OPC is rooted in the Windows OS and susceptible to attack thru exploitation of any vulnerability in the Windows OS - Because OPC is supported on Windows, many basic host security concerns apply - Possible to create rogue OPC server and use for DoS, info theft or inject of malicious code

OPC

- Object Linking and Embedding (OLE) for Process Control - 1996 by Industrial Automation Task Force - Based on MSFT DCOM, OLE, COM technologies - OPC Foundation (https://opcfoundation.org)

Unauthorized Access

- Occurs when user, legimate or unauthorized, accesses a resource that the user is not permitted to use. (FIPS 191) - Viewing private accounts, messages, files or resources when one has not been given permission from the owner to do so. Viewing confidential information without permission or qualifications can result in legal action. (Business Dictionary)

TCP Uses

- Offers flow control to handle network congestion - Allows for transmission of larger amounts of data per packet - Guaranteed delivery of transmitted data is more important than speed - Offers better protection agains spoofing attacks - Common TCP-based Protocols: FTP Data (20), FTP (Control (21)), SSH (22), Telnet (23), DNS (53), HTTP (80), HTTPS (443)

WiFi - Rogue Access Points

- Often installed with default settings and no security - Permits full access to a network for unauthorized user - Contributes to unauthorized info disclosure

Profibus

- Open standard defined by German DIN 19245 - Based on Token bus/floating master system - Three types of Profibus - FMS, DP, PA - FMS = Fieldbus Message Specification (general data acquisition) - DP = where fast communication is needed - PA = intrinsically safe devices - Supports RS-485 and IEC 1158-2 intrisically safe

Modbus

- Open standard/Royalty Free - 1979 by Modicon (Now Schneider) - Most widely used protocol (>7M nodes) - Modbus org since 2004 (www.modbus.org) - Serial - MODBUS ASCII - that operates on RS232, RS485, - - Ethernet (Modbus TCP) (Port 502) - Master-Slave Protocol -- Master polls each slave -- Slaves do not communicate with other Slaves -- Communicate to Master -- ONLY on request -- Modbus Encapsulation at Application Layer - Up to 247 Devices per network - Broadcast by sending a request to Address 0 (all Slaves listen and respond)

Crypto - Message Digest Properties

- Original message cannot be recreated from the message digest - Finding a message that produces a particular digest shouldn't be computationally feasible. - No two messages should produce the same message digest (i.e., collision) - The message digest should be calculated by using the entire contents of the original message - (Dummies)

Hotfix

- Originally, the term was used to describe a kind of fix that could be applied without stopping or restarting a service or system. - Microsoft usually uses the term to refer to a small update addressing a very specific issue.

Means of sanitizing media

- Overwrite (Orange Book = formatted 7 times before discard or reuse) (Krutz) - Degaussing - Destruction / Shredding

PING

- Packet Internet Groper - Determine if destination host is alive - Determine latency between two locations -- <10 ms = local LAN; 200 - 300 ms (or more) is WAN/Internet - Determine rate of packet loss - Some Security Concerns - Some Sites Block ICMP -- Covert data channel -- DoS attack -- Used to map a network

Group Policy Manages

- Password Policy - Lockout Policy - NTFS Permissions - User Rights - Event Logs - Registry Settings - IPSec Settings - Kerberos Policies - Audit Policies - Security Options - e.g., Auth protocols - Startup options and permissions on services

WiFi - Rogue Access Point Mitigation

- Perform rogue AP detection (e.g., Kismet with Wireshark) - Use mutual authentication wireless protocols like PEAP (Protected Extensible Authentication Protocol) or TTLS (Tunnelled Transport Layer Security) - Deploy 802.1x on wired network - Deploy wireless IDS - Deploy strong wireless LAN

Crypto - Where can encryption happen?

- Physical layer which is link encryption, or at the Application Layer which is end-to-end encryption.

ISO27001 Process Approach

- Plan - Do - Check - Act (aka PDCA)

Modbus TCP Port

- Port 502 - Encapsulation done at Application Layer

Safety Analysis - Team Members

- Process Engineering - Operations - Maintenance/Reliability - Instrumentation

802.11i

- Provides strong encryption, replay protection, integrity protection

Wireless DoS Attacks

- RF jamming techniqes/tools - Wireless technologies NOT using frequency hopping less susceptible -- but not impervious -- e.g., Bluetooth based on frequency hopping/spread spectrum - 802.11 spec does not include per packet authentication mechanism - Flaws in wi-fi card firmware

TCP - Receipt of Data

- Receiver puts byte's sequence number into field, increments by 1, sets ACK flag, sends back to sender. - The Acknowledgement number does NOT specify the last byte received...rather, it specifies the sequence number of the next byte the receiver expects. - If receiver acknowledges byte 100, it is implicitly acknowledgedging all preceeding bytes. - If some packets arrive out of order, the higher seq numbers are put "on hold" until all lower seq number bytes arrive. - If missing bytes never arrive, the sender times out waiting for them to be acknowledged and eventually sends them again starting after the last byte for which it received an ACK.

Field Controllers

- Responsible for collecting and processing I/O - Send process data to HMI - Send process commands from HMI to field controllers - Essentially embedded micro-processor devices - Have microprocessor and internal memory but no hard drive - Types of field controllers = RTU, IED, PLC

Ethernet/IP

- Rockwell Automation - Part of "Common Industrial Protocol" - Implicit Messaging - UDP - Port 2222 - Explicit Messaging - TCP - Port 44818

VPN Security Protocols

- SSL (most common) - IPSec - SSL/TLS - DTLS - Datagram Transport Layer Security - MPPE - Microsoft Point to Point Encryption - SSTP - Secure Socket Tunneling Protocol - MPVPN - Multipath VPN - SSH - Secure Shell

VSAT - Very Small Aperture Terminal

- Satellite - Industrial uses include: Well control and data acquisition, pipeline SCADA, electrical SCADA (T&D, AMI), wind farms, maritime applications (oil platforms, drilling ships, etc) - Provides voice and video applications - Uses Time Division Multiple Access. - Operates in several frequency ranges: C-Band (4-8 GHz), Ku-Band (12-18 GHz), Ka-Band (26.5-40 GHz) -- some overlap with WiMax. (Day 4, Page 126) - Configure for AC or DC power

Physical Security - Active Technical Controls

- Security Guards at access point - Door locks (special keys, man traps, biometrics, card readers) - Centralized guard staff monitoring multiple access points

DHCP Snooping (Switch-based)

- Security feature that acts like a firewall between untrusted hosts and trusted DHCP servers

Zone Characteristics

- Security policies - Asset Inventory (Physical, Logical, S/W, data) - Access Requirements and Controls - Threats & Vulnerabilities - Consequences of Security Breach - Authorized Technology - Change Management Process

Conduit Characteristics

- Security policies - Asset Inventory (Physical, Logical, S/W, data) - Access Requirements and Controls - Threats & Vulnerabilities - Consequences of Security Breach - Authorized Technology - Change Management Process *** Connected Zones (Distinguish between Conduit and Zone)

Traceroute

- Shows path a packet took to reach its destination - Can tell route's external router and therefore used to map network - A normal traceroute lists all routers - General Rule: All hosts on same network must go through the same external router and, potentially, the same F/W

Profibus

- Siemens - Operates via RS485 via twisted pair cabling, fiber optics or wireless - Profibus DP (Factory Automation) - Master Slave like Modbus - Profibus FMS (Multiple Masters, peer-to-peer) - Profibus PA (Process Automation) - for intrinsically safe apps

Wireless Eavesdropping

- Signal can be picked up for >300 feet - Use antennas (Pringles chip can) -- extend from 600 feet to several miles

Digital Protective Relay (DPR)

- Single Purpose - Microcontroller - Detects Faults in system - Reports to RTU - Example: Schweitzer Relays - Example of Intelligent End Device (IED)

Time - NTP Clock Strata

- Stratum 0 = Directly connected to Atomic Clock = Reference Clock, Not Available to the Public - Stratum 1 = Primary Time Servers - Only Strata 0 to 15 are valid - Stratum 16 = unsynchronized device

Crypto - Encrpytion Cipher Types

- Substitution (change a character or bit for another) - Transposition (scrambles characters or bits) (Harris)

BCP - Off-Site Storage Factors to Consider

- Survivability of off-site storage facility - Distance from off-site to data center/airports/alternate sites - Close enough that media retrieval doesn't take too long - Far enough away to not be caught in same disaster - Electronic vaulting - Remote Journaling (only moving the journal or transaction logs to offsite/not the actual files)

VLAN Hopping

- Switch spoofing - Double tagging (to avoid - do not put any hosts on VLAN1)

Crypto - Algorithm Types

- Symmetric (DES, 3DES, IDEA, Blowfish, Twofish, AES (Rijndael Block Cipher)) - Asymmetric (RSA, Elliptic Curve (ECC), Diffie-Hellman, El Gamal, DSS)

Crypto - Effective Cryptosystem Includes:

- The encryption and decription process is efficient for all possible keys within the cryptosystem's keyspace. - The cryptosystem is easy to use. - The strength of the cryptosystem depends on the secrecy of the keys, rather than the secrecy of the algorithm.

PKI - Rules for Keys and Key Management

- The key length should be long enough to provide the necessary level of protection. - Keys should be stored and transmitted by secure means. - Keys should be extremely random and use the full spectrum of the keyspace. - The key's lifetime should correspond with the sensitivity of the data it is protecting (more sensitive data = shorter key lifetime) - The more the key is used the shorter its lifetime should be - Keys should be backed up or escrowed in case of emergencies - Keys should be properly destroyed at end of life. (Harris)

IPSec Modes

- Transport Mode (Only data encrypted) - Tunnel Mode (entire packet encrypted) (Dummies)

DNS

- UDP Port 53

900 mHz (33 cm band)

- UHF Radio Spectrum - 902 MHz to 928 MHz - Unique to ITU Region 2 (Americas, Greenland, Pacific Islands) - One of newest radio bands - Propagation dependent upon line of sight (put repeaters on top of large hills) - Excellent building penetration (small wavelength)

WiFi - Wireless DoS Attack Mitigation

- Understand impact of a DoS attack against environment - Prepare response strategy - especially for attack against production network - Wireless IDS possible but not widely avail

Security Awareness Core Topic

- Understanding and complying with security policies and procedures

Socket

- Unique pair of ports - Source IP and Source Port connected to Dest IP and Dest Port

OPC-Aware Firewalls

- Use deep packet inspection - Validates OPC connection request message - Momentarily opens TCP Port specified by sender

Wireless Eavesdropping Mitigation

- Use strong encryption and authentication in lowest layer of protocol possible (at PHY/MAC if avail) - Use TKIP for WPA - prefer to use WPA2 (AES) - Encrypt at multiple layers - low and high - Design wireless network with minimal coverage area - Audit network with packet sniffer (Kismet, Wireshark)

VLAN

- Virtual Local Area Network (VLAN) - Partitions a Layer 2 Network into multiple distinct segments - Protocol IEEE 802.1Q (tag)

Software Installation Controls

- Whitelisting - all s/w is checked against a list approved by the org - Checksums - all s/w is checked to ensure code has not changed - Certificate - only s/w with signed certificates from trusted vendor is used - Path or domain - only s/w within a directory or domain can be installed - File extension - s/w with certain file extensions such as .bat cannot be installed

WiFi Protected Access (WPA) (2003)

- WiFi Alliance = interoperability testing for 802.11 h/w vendors, consumers - Uses TKIP (Temporal Key Integrity Protocol) - WPA2 (Preferred) - Vast improvement over WEP, requires Access Point and NIC replacement (AES-CCMP)

ISA100.11a (IEC 62734)

- Wireless Standard developed by ISA - Competes with WirelessHART - Uses 6LoWPAN to gain benefits of IPv6 - Used 802.15.4 and Direct Sequence Spread Spectrum (DSSS) for PHY layer - Uses Time Division Multiple Access (TDMA) and meshing topology for MAC layer - Removed requirement for secuirty keys - Offers support for asymmetric join methods and Over the Air device configuration

OPC Classic

- aka OPC DA, OPC DCOM - Dynamically assigns TCP Ports (Firewall problem) - Don't know in advance the ports - Can't define Firewall rules

ICCP

- client server communication - Transfers originate with request from Control Center to another Control Center that owns and manages data (Client - Server) - Cleartext protocol

DNS Cache Poisoning

- data is distributed to caching resolvers under the pretense of being an authoritative origin server, thereby polluting the data store with potentially false information and long expiration times (time-to-live). - subsequently, legitimate application requests may be redirected to network hosts operated with malicious intent.

TCP - Transmission Control Protocol

- most commonly used transport protocol today - Connection-oriented communications - Guaranteed packet delivery (additional overhead to track packet delivery) - Protocols based on TCP: HTTP, FTP, POP3

Configuration Management Column Headers

- part/model # - serial number - owner - custodian - tag # - location - description - notes

What can Firmware modifications do?

- perform unknown functions - lock out authorized persons - disable features - impact the program - physically alter the functions of the ports

Vulnerabilities of Controllers & Field Devices

- physical access - network access - remote access

ICS and TCP/IP Stack

- turn off IPv6 - Disable protocols not in use - Analyze network traffic to discover misconfigured devices - From Network Enforcement zones, deny unnecessary traffic and protocols.

WiFi Masquerade Mitigation

- use 802.1x (not very practical) - Use mutual authentication protocols like PEAP (Protected Extensible Authentication Protocol) or TTLS (Tunnelled Transport Layer Security) - Use SSL/TLS for passing sensitive info to web apps (e.g., HTTPS) - Educate users on dangers of clicking YES to digital certificate warnings - Attack tool = AirSnarf

RAID Level Descriptions

0 = Striping 1 = Mirroring 2 = Hamming Code Parity 3 = Byte Level Parity 4 = Block Level Parity 5 = Interleave Parity 7 = Single Virtual Disk

UDP Packet

04 89 00 35 00 2C AB B4 00 01 01 00 00 01 00 00 00 00 00 00 04 70 6F 70 64 02 69 78 06 6E 65 74 63 6F 6D 03 63 6F 6D 00 00 01 00 01

PKI - Four Basic Components

1) Certification Authority (CA) 2) Registration Authority - verify certificate contents for CA 3) Repository - distributes certificates 4) Archive - Long term storage of archived info from CA

PKI - 7 Key Management Issues

1) Key generation 2) Key distribution 3) Key installation 4) Key storage 5) Key change 6) Key control 7) Key disposal

CIP-007-1

1. Acceptance of Risk and tech feasibility 2. Test procedures 3. Mal soft prevent 4. Security status monitoring 5. disposal, redeploy 6. Cyber vulnerability assess 7. Doc review and maint

SDLC - NIST Software Development Lifecycle (SDLC)

1. Initiation 2. Development/Acquisition 3. Implementation/assessment 4. Operation/Maintenance 5. Disposal

Patch Management Program Recommendations (IT)

1. Inventory of all IT / OT assets. 2. Create patch and vulnerability group 3. Continuously monitor for vulnerabilities, remediations and threats 4. Prioritize patch application an use phased deployments as appropriate 5. Test patches before deployment 6. Deploy enterprise-wide automation patching solutions 7. Create a remediation database 8. Use auto updating applications as appropraite 9. Verify that vulnerabilities have been remediated. 10. Train staff on vulnerability monitoring and remediation techniques

OSI Model

1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application (Please Do Not Throw Sausage Pizza Away)

Incident Handling Process

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned

Incident Handling

1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6 Lesions Learned (May optionally add Wait and See step). Steps from DOE (Department of energy)

Software - Verifying Remediation

1. Verify that files or config settings the remediation was intended to correct have been changed as stated in the vendor's documentation. 2. Scan the host with a vulnerability scanner that is capable of detecting known vulnerabilities. 3. Verify whether the recommended patches were installed properly by reviewing patch logs 4. Employ exploit procedures or code and attempt to exploit the vulnerability (i.e., perform a penetration test)

Data link connector identifier

10 bit address identifier in a Frame Relay network (MAC Address equip in IP) . OSI Layer 2

Biometrics -- Acceptable Throughput Rate

10 per minute

Private Network Addressing

10.0.0.0 -> 10.255.255.255, 172.16.0.0 -> 172.32.255.255, 192.168.0.0 -> 192.168.255.255

Loopback Addresses

127.0.0.0 -> 127.0.0.8

TCP Connections

3 way handshake - SYN - SYN-ACK - ACK

IP Address

32 bit address(4 bytes) identifier id used to determine address and set by user. OSI Layer 3

Microwave Networks

3Ghz to 300Ghz Point to point

Recommended Computer Room Relative Humidity

40% - 60%

MAC Address

48 bit hexadecimal identifier set by manufacturer, first 12 hex values contain a vendor id code and is used on OSI Layer 2

TCP Packet

7E 21 45 00 00 4B 57 49 40 00 FA 06 85 77 C7 B6 78 0E CE D6 95 50 00 6E 04 9F 74 5B EE A2 59 9A 00 0E 50 18 24 00 E3 2A 00 00 2B 4F 4B 20 50 61 73 73 77 6F 72 64 20 72 65 71 75 69 72 65 64 20 66 6F 72 20 61 6C 65 78 75 72 2E 0D 0A 67 B2 7E

WiFi - WEP Security Issues

= wired equivalent privacy - Based on pre-shared secret common to all stations in same wireless network - Spec never included rotation of shared secret - Not easy to change shared secrets - Recover WEP key after collecting millions of packets - Tools used: WEPCrack, AirSnort, dwepcrack (Written for Linux or BSD systems) - New fast tools: wnet/reinj, WEPWedgie (<1hour)

Historian

A Control System Server that is a Target rich environment. Application authentication attacks, SQL injection attacks

Rogue DSL

A Digital Subscriber Line (DSL) modem installed on a corporate network in order to bypass firewalls and other security measures.

Network Interface Card (NIC)

A MAC address is uniquely allocated to this.

Safety - HAZOP - Hazard Operations - Hazard and Operability Study

A Qualitative Technique. Is a structured and systematic examination of a planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation. This technique was initially developed to analyze chemical process systems but has later been extended to other types of systems and also to complex operations and to use software to record deviation and consequence.

Redundant Control Server

A backup to the control server that maintains the current state of the control server at all times.

Data Historian

A centralized database supporting data analysis using statistical process control techniques.

Steady State

A characteristic of a condition, such as value, rate, periodicity, or amplitude, exhibiting only negligible change over an arbitrarily long period of time.

Network Interface Card (NIC)

A circuit board or card that is installed in a computer so that it can be connected to a network.

Control Loop

A combination of field devices and control functions arranged so that a control variable is compared to a set point and returns to the process in the form of a manipulated variable.

Certification

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Trojan Horse

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Worm

A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

Application Server

A computer responsible for hosting applications to user workstations.

Router

A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.

Workstation

A computer used for tasks such as programming, engineering, and design.

Remote Terminal Unit (RTU)

A computer with radio interfacing used in remote situations where communications via wire is unavailable. Usually used to communicate with remote field equipment. PLCs with radio communication capabilities are also used in place of RTUs.

Separation of Duties

A concept that ensures no single individual has complete authority and control of a critical system or process. (Dummies)

Buffer Overflow

A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Resource Starvation

A condition where a computer process cannot be supported by available computer resources. Resource starvation can occur due to the lack of computer resources or the existence of multiple processes that are competing for the same computer resources.

Single Loop Controller

A controller that controls a very small process or a critical process.

Point-to-Point Protocol (PPP)

A data link protocol used to establish a direct connection between two nodes for connection authentication, transmission encryption, and compression.

Light Tower

A device containing a series of indicator lights and an embedded controller used to indicate the state of a process based on an input signal.

Alarm

A device or function that signals the existence of an abnormal condition by making an audible or visible discrete change, or both, so as to attract attention to that condition.

Controller

A device or program that operates automatically to regulate a controlled variable.

Industrial Control System (ICS)

A device or set of devices that managed commands directs or regulates the behaviour or other devices or system, bridges cyber to physical, a device that can influence the real world

Protocol Analyzer

A device or software application that enables the user to analyze the performance of network data so as to ensure that the network and its associated hardware/software are operating within network specifications.

Wireless Device

A device that can connect to a manufacturing system via radio or infrared waves to typically collect/monitor data, but also in cases to modify control set points.

Printer

A device that converts digital data to human-readable text on a paper medium.

Sensor

A device that produces a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow)

Pressure Regulator

A device used to control the pressure of a gas or liquid.

Modem

A device used to convert serial digital data from a transmitting terminal to a signal suitable for transmission over a telephone channel to reconvert the transmitted signal to serial digital data for the receiving terminal.

Fieldbus

A digital, serial, multi-drop, two-way data bus or communication path or link between low-level industrial field equipment such as sensors, transducers, actuators, local controllers, and even control room devices. Use of fieldbus technologies eliminates the need of point-to-point wiring between the controller and each device. A protocol is used to define messages over the fieldbus network with each message identifying a particular sensor on the network.

User Datagram Protocol (UDP)

A fast and efficient protocol without the overhead of error checking. Perfect for real-time data, multimedia, VOIP

Input/Output (I/O)

A general term for the equipment that is used to communicate with a computer as well as the data involved in the communications.

Supervisory Control and Data Acquisition (SCADA)

A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.

Distributed Plant

A geographically distributed factory that is accessible through the Internet by an enterprise.

Local Area Network (LAN)

A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network. Machine Controller A control system/motion network that electronically synchronizes drives within a machine system instead of relying on synchronization via mechanical linkage.

Trapdoor (aka Backdoor)

A hidden entry point into a system or application that is usually triggered by a certain command or keyboard sequence. (Harris)

Virus

A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Photo Eye

A light sensitive sensor utilizing photoelectric control that converts a light signal into an electrical signal, ultimately producing a binary signal based on an interruption of a light beam.

Access Control List (ACL)

A list of Access Control Entries (ACE) that identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. two types: a discretionary access control list (DACL) and a system access control list (SACL) .

Fiber Distributed Data Interface (FDDI)

A logical network architecture similar to a Token Ring, except two rings are used for redundancy. Data on the two rings travel in opposite directions. Only one ring is used a time, the other ring is only used at a time as the other ring is for redundancy. Often the physical network architecture is also a ring rather than a star.

Attack - Social Engineering

A low tech attack method that employs techniques such as dumpster diving and shoulder surfing. (Dummies) A practice of obtaining confidential information by manipulation of legitimate users (ISA)

Control Algorithm

A mathematical representation of the control action to be performed.

Access Control List (ACL)

A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources.

Role Based Access Control (RBAC)

A method of implementing discretionary access controls in which access decisions are based on group membership, according to organization or functional roles.

Local Group Policy (LGP)

A more basic version of a Group Policy for standalone, nondomain machines for applying environmental changes.

Nondeterministic

A network attribute that does not guarantee new data will arrive within a predefined timeframe, and typically has a frame size that varies. Example: IEEE 802 standard Ethernet

Deterministic

A network attribute that guarantees new data will arrive within a predefined interval and a predictable packet size. Ex. Asynchronous Transfer Modules (ATM)

Address Resolution Protocol (ARP)

A network protocol used to determine a MAC address based on the IP Address.

Reverse Address Resolution Protocol (RARP)

A network protocol used to determine an IP address based on the MAC Address.

Remote Authentication Dial In User Service (RADIUS)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service. Credentials are sent to a Remote Access Server (RAS) using link-layer.

Proximity Sensor

A non-contact sensor with the ability to detect the presence of a target within a specified range.

IPSec - What is Security Association (SA) in IPSec

A one-way connection. You need a minimum of two for two-way communications. (Dummies)

Patch

A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Patches are often called "fixes."

Unauthorized Access

A person gains logical or physical access without permission to a network, system, application, data, or other resource.

Wide Area Network (WAN)

A physical or logical network that provides data communications to a larger number of independent users than are usually served by a local area network (LAN) and that is usually spread over a larger geographic area than that of a LAN.

Actuator

A pneumatic, hydraulic, or electrically powered device that supplies force and motion so as to position a valve's closure member at or between the open or closed position.

Least Privilege

A principle requiring that a subject is granted only the minimum privilges necessary to perform an assigned task. (Dummies)

Data Manipulation

A process of altering register data so as to change output status, without altering the ladder program. (www.toolingu.com)

Baseline

A process that identifies a consistent basis for an organization's security architecture, taking into account system-specific parameters, such as different operating systems. (Dummies) A minimum level of security necessary throughout the organization (CISA)

Batch Process

A process that leads to the production of finite quantities of material by subjecting quantities of input materials to an ordered set of processing activities over a finite time using one or more pieces of equipment.

Continuous Process

A process that operates on the basis of continuous flow, as opposed to batch, intermittent, or sequenced operations.

Key Logger

A program designed to record which keys are pressed on a computer keyboard used to obtain passwords or encryption keys and thus bypass other security measures.

Process Controller

A proprietary computer system, typically rack-mounted, that processes sensor input, executes control algorithms, and computes actuator outputs.

SQL Server

A relational database management system developed by Microsoft whose primary function is to store and retrieve data.

Database

A repository of information that usually holds plantwide information including process data, recipes, personnel data, and financial data.

Virtual Private Network (VPN)

A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.

Router Flapping

A router that transmits routing updates alternately advertising a destination network first via one route, then via a different route.

Intrusion Detection System (IDS)

A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Temperature Sensor

A sensor system that produces an electrical signal related to its temperature and, as a consequence, senses the temperature of its surrounding medium.

Pressure Sensor

A sensor system that produces an electrical signal related to the pressure acting on it by its surrounding medium. [28] Pressure sensors can also use differential pressure to obtain level and flow measurements.

DMZ

A separation between two trust zones in the ISA-99/Perdue architecture

Domain Controller

A server responsible for managing domain information, such as login identification and passwords.

Control Server

A server that hosts the supervisory control system, typically a commercially available application for DCS or SCADA system.

Nonrepudiation

A service that ensures that the sender cannot later falsely deny sending a message and the receiver cannot deny receiving the message. (Harris)

Group Policy Objects (GPOs)

A set of Windows environment configurations that is transmitted to a machine using Active Directory

Object Linking and Embedding (OLE) for Process Control (OPC)

A set of open standards developed to promote interoperability between disparate field devices, automation/control, and business systems.

Standard

A set of requirements or framework that provides guidance on what must be done to support the policy. Differs amongst BU. Specific for business use.

Protocol

A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems.

Baseline Configuration

A set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. Used as a basis for future builds, releases, and/or changes. (NIST)

Programmable Logic Controller (PLC)

A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.

Protocol Stack

A specific set of protocols for communications on a network. Example: Communicating with a web page requires Ethernet,TCP/IP, HTTP, or HTTPS

System Access Control Lists (SACLs)

A specific type of Access Control List (ACL) that enables administrators to log attempts to access a secured object like NTFS files, printers and registry entries.

Discretionary Access Control List (DACL)

A specific type of Access Control List (ACL) that identifies the trustees that are allowed or denied access to a securable object.

Extensible Markup Language (XML)

A specification for a generic syntax to mark data with simple, human-readable tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations.

Simple Network Management Protocol (SNMP)

A standard TCP/IP protocol for network management. Network administrators use SNMP to monitor and map network availability, performance, and error rates. To work with SNMP, network devices utilize a distributed data store called the Management Information Base (MIB). All SNMP-compliant devices contain a MIB which supplies the pertinent attributes of a device. Some attributes are fixed or "hard-coded" in the MIB, while others are dynamic values calculated by agent software running on the device.

Procedure

A step by step process to accomplish the end goal. If Standards are documents identifying what needs to be done then procedures are the How they are done.

Password

A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

Field Site

A subsystem that is identified by physical, geographical, or logical segmentation within the ICS. A field site may contain RTUs, PLCs, actuators, sensors, HMIs, and associated communications.

Control System

A system in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include SCADA, DCS, PLCs and other types of industrial measurement and control systems.

SCADA

A system operating with coded signals over communication channels so as to provide control of remote equipment (using typically one communication channel per remote station).

Intrusion Prevention System (IPS)

A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.

Enterprise Resource Planning (ERP) System

A system that integrates enterprise-wide information including human resources, financials, manufacturing, and distribution as well as connects the organization to its customers and suppliers.

Safety Instrumented System (SIS)

A system that is composed of sensors, logic solvers, and final control elements whose purpose is to take the process to a safe state when predetermined conditions are violated. Other terms commonly used include emergency shutdown system (ESS), safety shutdown system (SSD), and safety interlock system (SIS).

Manufacturing Execution System (MES)

A system that uses network computing to automate production control and process automation. By downloading recipes and work schedules and uploading production results, a MES bridges the gap between business and plant-floor or process-control systems.

Supervisory Control

A term that is used to imply that the output of a controller or computer program is used as input to other controllers.

Account expiration

A time limit that is applied to the life of an account, so that it can be used only for a predetermined period of time. (MSFT)

Attack - Man-in-the-Middle (MITM)

A type of attack in which an attacker intercepts messages between two parties and forwards a modified version of the orginal message. (Dummies)

Variable Frequency Drive (VFD)

A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.

DC Servo Drive

A type of drive that works specifically with servo motors. It transmits commands to the motor and receives feedback from the servo motor resolver or encoder.

Discrete Process

A type of process where a specified quantity of material moves as a unit (part or group of parts) between work stations and each unit maintains its unique identity.

ATM Cell

A unit of data transported over an Asynchronous Transfer Modules (ATM) Network, is of a constant size (53 bytes, 48 contain the payload) to facilitate Quality of Service (QoS)

Solenoid Valve

A valve actuated by an electric coil. A solenoid valve typically has two states: open and closed.

Asynchronous Transfer Modules (ATM)

A very high speed, relatively expensive alternative and seldom used method for sending signals over a wire. Connection-oriented, Deterministic, uses a fixed frame size of 53 bytes (unlike Ethernet). Typically used to interconnect networks over large distances that require a high-speed backbone.

Disaster Recovery Plan (DRP)

A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

Backup Solutions

ARCServe, Backup Exec and NetBackup, Ultabac, EMC Networker, Backup Express, CommVault Archive, OmniBack II, Data Protector

Man-in-the-Middle Attacks

ARP Spoofing to insure traffic passes through their machine and can be intercepted or manipulated

Remote Desktop Services Application Virtualization

Ability to host individual application on an RDP server. To an end user the application will appear to be running locally but is actually running on and patched by a remote server.

ACL

Access Control List

Remote Access

Access by users (or information systems) communicating external to an information system security perimeter.

Mandatory Access Control (MAC)

Access model based on security clearance of subject and classification attributes of object. Type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

IPv4

Accommodates 4.2 billion unique 32-bit addresses

Binary Disk Image Solutions

Acronis and Symantec Ghost

Devices

Actuate things in order to process Stuff

SQL Injection

Adding escape characters to input fields in order to execute undesired SQL commands

ARP

Address Resolution Protocol

Wired WAN Technology

All examples of this technology Dedicated Lines, Frame Relays, MPLS, ISDN, DSL, Cable Modems

RF Mesh Networks

Allow each participating device (or node) to route data to other devices. Commonly used in wireless networks where there are: - Large number of devices - Devices have problems all seeing a central access point - A more flexible, "self-healing" network is preferred - Latency is less of a concern.

User Account

Allows a user to authenticate to system services and be granted authorization to access them; however, authentication does not imply authorization.

AC

Alternating Current

AGA

American Gas Association

API

American Petroleum Institute

Permanent Virtual Circuit (PVC)

An Asynchronous Transfer Modules (ATM) shared communications channel (circuit) that is configured in advance, Usually manually.

Switched Virtual Circuit (SVC)

An Asynchronous Transfer Modules (ATM) shared communications channel (circuit) that is configured in automatically on the fly using a signaling protocol.

LDAP - Lightweight Directory Access Protocol

An Internet Protocol (IP) and data storage model that supports authentication and directory functions. It is a remote access authentication protocol. Vendors = Microsoft Active Directory, CA eTrust Directory, Apache Directory Server, Novell eDirectory, IBM SecureWay and Tivoli Directory Server, Sun Directlry Server. OpenLDAP and tinyldap open source versions.

Servo Valve

An actuated valve whose position is controlled using a servo actuator.

Configuration Item (CI)

An aggregation of Information System components that is designated for configuration management and treated as a single entity in the configuration management process.

Protected Enclaves

An approach to defence-in-depth that involves segmenting your network using multiple VPNs, VLAN segmentation, switches, or firewalls to separate out networks. Reducing the exposure of a system can greatly reduce risk. Restricting access to critical segments.

Uniform Protection

An approach to defence-in-depth that treats all systems as equally important. Most common approach taken. Firewall, VPN, antivirus, patching etc.

Information Centric

An approach to defence-in-depth that you identify critical assets and provide layered protection. Network -> Host -> Application -> Information. Thoroughly checking the data leaving your network.

Attack - Directory Traversal

An attack aimed at extracting information from a web application's directory.

Attack - Denial of Service (DoS)

An attack on a system or network with the intention of making the system or network unavailable for use. (Dummies) In the context of ICS, can refer to loss of process function, not just loss of data communictions. (ISA)

Attack

An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.

Social Engineering

An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.

Relays

An electrically operated switch. Complicated to configure cumbersome and expensive

Relay

An electromechanical device that completes or interrupts an electrical circuit by physically moving conductive contacts. The resultant motion can be coupled to another mechanism such as a valve or breaker.

Insider

An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.

Control Center

An equipment structure or group of structures from which a process is measured, controlled, and/or monitored.

Valve

An in-line device in a fluid-flow system that can interrupt flow, regulate the rate of flow, or divert flow to another branch of the system.

Set Point

An input variable that sets the desired value of the controlled variable. This variable may be manually set, automatically set, or programmed.

Read Only Domain Controllers (RODCs)

An installation of a Domain Controller in a remote branch location where there are no trusted IT personnel to maintain it.

Operating System

An integrated collection of service routines for supervising the sequencing of programs by a computer. An operating system may perform the functions of input/output control, resource scheduling, and data management. It provides application programs with the fundamental commands for controlling the computer.

Firewall

An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional.

Lightweight Directory Access Protocol (LDAP)

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network

Enterprise

An organization that coordinates the operation of one or more processing sites.

Disturbance

An undesired change in a variable being applied to a system that tends to adversely affect the value of a controlled variable.

Backdoor

An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.

Maintenance

Any act that either prevents the failure or malfunction of equipment or restores its operating capability.

Threat

Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Intelligent Electronic Device (IED)

Any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers).

Modbus TCP Encapsulation

Application Layer Port 502

Authentication Bypass

Application fails to properly authenticate a user

Mobile Devices / BYOD

Application should be fully understood

BitLocker

Apply encryption on Drive, USB flash drives and SD card and allows decryption key to live on a smart card. Added in Windows 7.

Guideline

Approaches and practices to achieve the items identified in Standards. Provides methods for supporting what needs to be done. Meant to be best practice document, but not mandatory. Can change regularly

Crypt0 - RSA

Asymmetric key algorithm based on factoring prime numbers.

Elevation of Privilege (EoP)

Attack method that exploits software / service privileges to gain additional priviledges in a system

Shamoon

Attack on Saudi Aramco used for cyber espionage, once completed it destroyed the machines boot sector. wiped the network.

Birthday Attack

Attack on hashing functions through brute force. The attacker tries to find two messages with the same hashing value.

Physical Attacks

Attack vector that trumps logical, leverage remote device physical access to gain access to other devices on a network

Firmware Attacks

Attack vector that uses computer chips that can be analyze for keys, find vulnerabilities, re-upload malicious code to device

Fragmentation Attacks

Attack which breaks malicious code execution across multiple IP packets which makes it difficult for IDS systems to detect. Other attacks will split packets and provide illogical and contradictory offsets which can cause a router to crash or enter an abnormal state. Another form of this attack will send thousands of initial fragments but never the rest and cause the IP stack buffer to overflow.

Active Directory (AD)

Authenticates and authorizes all users on a Windows domain network. Assigns security policies and installs or updates software.

AIC

Availability, Integrity, Confidentiality

Interface Identification

Based on the MAC address of the IPv6 NIC device. Last 64 bits (8 bytes)

Internet Protocol (IP)

Basis for all communication on the Internet. Core routing protocol that performs transmission of packets and defines addressing scheme. Relies on Upper layer protocols to handle guaranteed delivery, sequencing etc. OSI Layer 3

Patch Management

Bigfix, Shavlik, GFI ...

Change Control Board (CCB)

Board that ensures changes to policy are made within control parameters as part of configuration management process.

Physical Incidents

Break-ins unauthorized access to cyber assets

IP Tables

Built in Linux stateful firewall with NAT capability

BCP

Business Continuity Plan

Level 4

Business Unit or Site Specific Network (Plant network) in ISA-99/Perdue Architecture - Local site enterprise data

PCAP

Can capture data if it is transmitted in clear text or if control over system sending/receiving traffic

Wireless

Cellular, Mesh, Licensed Radio (330mhz-512mhz), Unlicensed (902mhz-928mhz), Microwave, Satellite uplink

CPU

Central Processing Unit

Multi-station Access Unit (MAU)

Central device in a Token Ring network which passes the Token from device to device serially in order and in a one-way direction.

CPNI

Centre for the Protection of National Infrastructure

VSAT Security Challenges

Challenges: - Disturbance of Line of Sight Alignment - Weather - Extreme Solar - Relies upon power source - link jamming/interception - lightning (Day 4, Page 127)

Configuration Auditing

Check that: - Change was recorded correctly and work matched the Request for Change (RFC) - Change had appropriate risk level - Configuration items updated appropriately - Documentation updated (CISCO)

CIDX

Chemical Industry Data Exchange

CIH Virus

Chernobyl Virus - deletes data on April 26th each year

wecutil.exe

Command line tool to manage the Windows Event Collector Utility.

SECEDIT

Command line version of Security Configuration and Analysis (SCA) tool. Compare a system against a template and produce a log file. Security Policy Verification.

OSI PI

Commercial Historian software. Most popular historian on the market today.

COTS

Commercial Off-the-Shelf

Metasploit Meterpreter

Common Buffer Overflow payload that provides a shell and diagnostic information

CVE

Common Vulnerabilities and Exposures

Cyber Attack Indications

Comms bogged down, unexplained connections, comms links loss, inexplicable behavior of control systems, new items

Front End Processing (FEP)

Communicates to multiple RTUS using multiple languages provides a single Modbus interface for all devices

ICCP (Inter-Control Center Communications

Communication between electrical operators (ISOs) or utilities. No auth, No encryption. IEC 60870-6 / TASE.2

CSE

Communications Security Establishment

Inter-Control Center Communications Protocol (ICCP)

Communications technology that provides status information between control systems typically owned by different parties.

CSRC

Computer Security Resource Center

CIA

Confidentiality, Integrity, Availability

syslog.conf

Configuration file used by Linux system logger daemon. Selectors (Facility,Log Level) on left and Actions on right.

Group Policy Objects (GPOs)

Configuration scripts stored in Active Directory (AD). Processed in the following order 1. Local 2. Site 3. Domain 4. Organizational Unit (OU)

Subnet ID

Configured according to the IPv6 needs of an organization. Middle 16 bits (2 bytes). For flat IPv6 networks this can usually be 0000 (aka ::)

Safety Instrumented System (SIS)

Consists of an engineered set of hardware and software controls which are especially used on critical process systems where life safety, environmental or finanacial damange can occur.

Cryptosystem

Consists of the algorithm (cipher) and cryptovariable (key), as well as all the possible plaintexts and ciphertexts produced by the cipher and key.

Windows XP Mitigation

Consult ICS vendors. Modernize hardware if possible. Update OS to final patch levels. System hardening. Additional Controls. Develop Testing capability. Virtualization.

CSSC

Control System Security Center

Information Leakage

Control Systems on Internet, Port Scan, Google Search Hacks, SHODAN searches

Level 1

Control devices in the ISA-99/Perdue architecture - PLC/Controllers, Tag lists mappings, set points, firmware, system applications, memory with data tables, logic/instructions, point information, device configurations

Crypto - Encryption

Conversion of plaintext to ciphertext through the use of a cryptographic algroithm. (FIPS 185)

Virtual LAN (VLAN)

Creates separation of a network using software in the Switch rather than hardware (additional physical switches). Can segment a network regardless of the network port used on a switch. Help to control the visibility of systems on a network.

Google Hacking

Creative searches in google to find exposed systems

CIP

Critical Infrastructure Protection

CMVP

Cryptographic Module Validation Program

Encryption

Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption", which is a transformation that restores encrypted data to its original state.

Cryptography vs Cryptanalysis

Cryptography = Science of encrypting and decrypting written communications. Cryptanalysis = process of trying to decrypt encrypted data WITHOUT the key or breaking the encryption.

Policy Governance

Culture of compliance, Compliance Controls, Policies must be reviewed and updated

CRPA

Cyber Risk Preparedness Assessments - put on but ES-ISCA

Discretionary Access Control

DAC is an acronym for

Procurement Language Tool Kit

DHS - Designed to for asking technology companies security questions when purchasing equipment

DHS CSET

DHS Cyber Security Evaluation Tool (CSET) accessing control systems and it systems

Entropy

Data pattern used to find encryption keys. Asymmetric keys have high levels of this.

Historians

Data warehouse for ICS

Geographic Information System (GIS)

Database containing Global Positioning System (GPS) information and maps or charts of assets.

DMZ

Demilitarized Zone

DoS

Denial of Service

DOE

Department of Energy

DHS

Department of Homeland Security

ICS-CERT

Department of Homeland Security (DHS) NCCIC Industrial Control Systems Cyber Emergency Response Team

Setpoints

Desired process output that a control system will aim to reach.

Malware Capabilities

Destroy data, leak info, backdoor access, etc. etc.

Cyber Risk Preparedness Assessments (CRPA)

Detect Cyber Attacks, Prevent Cyber Attacks, Respond to Cyber Attacks, Managed Electronic Systems, Communicate and Coordinate, Communicate and coordinate with local and federal authorities.

INL Developed Sophia

Detect good vs bad vs unknown traffic on ICS networks

Ping

Determine if destination is online, determine latency of destination, determine rate of packet loss

Physical Security Elements

Deterrence, Delay, Authorization, Detection and ID, Response

Remote Diagnostics

Diagnostics activities conducted by individuals communicating external to an information system security perimeter.

Bandolier

Digital Bond Nessus compliance plugins for ICS specific components

Portelage

Digital Bonds project based on OSI PI that correlates security events using PI Advanced Computing Engine (ACE)

DPR (Digital Protective Relay)

Digital Protective Relay - Microcontroller measuring voltages and currents

DRP

Disaster Recovery Plan

Stuxnet

Discovered June 2010, Targeted Iran's nuclear facilities, several zero day exploits, usb keys, impacted data integrity of devices

Physical Security Threats

Disgruntled Employees, Thieves, Espionage, Terrorism

Traceroute

Displays the path a packet took to its destination. Can be used to map a network. Uses a combination of TTL and ICMP replies to map out a network route.

DCOM

Distributed Component Object Model

DCS

Distributed Control System(s)

DETL

Distributed Energy Technology Laboratory

DNP

Distributed Network Protocol

IPv6 Addressing

Divided into 3 portions Network Prefix (48bits) - defines organization, Subnet ID (16bits) - Internal to organization, Interface ID (64bits) - Defined by MAC Address

ISA-99 (Perdue Architecture)

Division of ICS network into 5 Levels

Business Impact Analysis (BIA)

Documents what a the disruptive event might have on a corporation

Crypto - End-to-End Encryption

Does not encrypt the header and trailers and therefore does not need to be decrypted at each hop.

Problem with proprietary protocols

Does not mean they are inherently less secure -- only that they pose a security unknown.

DNS

Domain Name System

Organizational Unit (OU)

Domain controller group

File Replication Service (FRS)

Domains master replicate scripts to each other using FRS

EPRI

Electric Power Research Institute

ISA-12

Electrical Equipment for Hazardous Locations

ES-ISAC

Electrical sector Information Sharing and Analysis Center

Central Access Policies (CAP)

Enable organizations to centrally deploy and manage authorization policies that include conditional expressions that use user groups, user claims, device claims, and resource properties.

Crypto - Link Encryption

Encrypts the entire packet including headers and trailers and has to be decrypted at each hop.

EMS

Energy Management System

Domain Name System Security Extensions (DNSSEC)

Enhanced security specifications for Domain Name System (DNS) provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Level 5

Enterprise Business Network in ISA-99/Perdue architecture - Enterprise business data

ERP

Enterprise Resource Planning

Monolithic Kernel

Entire OS working in Kernel space, high level interface, lots of software over hardware.

Field Device

Equipment that is connected to the field side on an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and associated communications.

Crypto - Work Factor

Estimated time, effort, and resources necessary to break a cryptosystem.

Industrial Ethernet

Ethernet with rugged connectors and temp ranges / TCP/IP more common today

Extended Unique Identifier (EUI)

Expanded 64 bit version of the 48-bit MAC address used at the end of an IPv6 address. First 3 octets of MAC, constant FF:FE, last 3 bytes of the MAC

CANVAS

Exploit tool kit framework

xinetd

Extended internet services daemon performs security checks before key network services are started on demand. Fend of DOS and port scans.

EAP

Extensible Authentication Protocol

XML

Extensible Markup Language

Closing a TCP Session

FIN - ACK - FIN - ACK or abrupt closure: RST/ACK

File Transfer Protocol (FTP)

FTP is an Internet standard for transferring files over the Internet. FTP programs and utilities are used to upload and download Web pages, graphics, and other files between local media and a remote server which allows FTP access.

Server Manager

Feature that groups Windows Server components into modular roles and features which can be easily added and removed using a GUI. Important for removing superfluous services.

FERC

Federal Energy Regulatory Commission - Electrical Sales and Distribution and natural gas and pipelines

FIPS

Federal Information Processing Standards

FISMA

Federal Information Security Management Act

FTP

File Transfer Protocol

Reasons to Attack ICS

Financial, Corporate espionage, Terrorism, Nation State, Hacktivist, Education, Misguided ethical hacking

Non-directed Worm

Find their way into ICS systems by chance and high infection rates / Leading cause of incidents in ICS environments

Network Prefix

First 48 bits (6 bytes) of Ipv6 addresses, Address portion that is allocated to organizations that need to address IPv6 clients.

Network Identifier (NET_ID)

First part of an IP Address

Duqu

First varient found of Stuxnet with cyber espionage payload

Guest Account

For users who don't have a permanent account on your computer or domain. It allows people to use your computer without having access to personal files. Per MSFT cannot install software or hardware, change settings, or create a password. (MSFT)

Security Plan

Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.

Project Shine

Found ICS devices in 2012 - 1 Million internet connected devices

NMAP

Free Port Scanner: sudo nmap -p- -A 192.168.1.20

Group Policy -- Application

GPOs are Automatically Applied: - At boot up - At login - 90 - 120 Minutes

Human Machine Interface (HMI)

GUI for process / model diagram / Displays alerts and alarms

GPS

Global Positioning System

Physical and Safety Control

Govern people, processes and technologies to attain safety and security

GAO

Government Accountability Office

TCP -- Closing a TCP Session

Graceful Closure 1. Send FIN to other machine 2. Respond with ACK 3. Respond with FIN 4. Send ACK Abrupt Closure (aka "aborting a connection") 1. RST send

CIS Hardening Guide

Group of worlds Security experts got together to create a guide for securing Windows, Linux, IOS, VMware etc. and published it for free.

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Physical Security Controls

Guns and Gates / Procedural Logs, policy, signage, visitor management

UNIX

HP-UX, AIX are this OS

Remote Code Execution

Hacking technique that takes advantage of exposed Remote Procedure Call (RPC) services

Bus Snooping

Hacking technique that uses Chip-off capture of data in motion.

EEPROM Hacking

Hacking technique that uses Data dumping from EEPROMs

Hyper-V

Hardware accelerated operating system virtualization feature built into Server 2008 and higher.

HVAC

Heating, Ventilation, and Air Conditioning

Domain Name System (DNS)

Hierarchical distributed naming system for computers, services, or any resource connected to a network. Associates Domain names to IPs.

Cable Modems

High speed offering from cable companies can be installed on existing cable networks and provides a low cost internet access.

Digital Subscriber Line (DSL)

High speed offering from telephone companies can be installed on existing phone networks and provides a low cost internet access.

Policy

High-level corporate supported document that details business goals and objectives. Applies to EVERYONE. Nonperformance results in disciplinary action. Goal orientated. Supported by Standards, Guidelines and Procedures.

ICS Databases

Historians, wide use of excel, GIS Servers, Memory databases, Alarm Databases, Security Databases, Project Databases with SCADA/DCS application

HSPD

Homeland Security Presidential Directive

HMI

Human-Machine Interface

HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

Sensor Networks

I/O Racks Distributed. Insure proper process conditions

Mainframes

IBM System Z, DEC are this type of system

Defence in Depth

ICS Security posture which creates multiple levels of protective layers.

IEC Standards

IEC 15408 Common Criteria IEC 60870 ICCP IEC 61508 Safety Std - SIL IEC 61511 SIS for Process Ind IEC 62351 DNP3 IEC 62591 Wireless HART

Threats to ICS

INTERNAL (Employee) - Inappropriate behavior - Disgruntled employee - Accidental EXTERNAL OPPORTUNISTIC (NON-DIRECTED) - Script Kiddies - Recreational Hackers - Virus writers EXTERNAL DELIBERATE (DIRECTED) - Criminal groups - Activists - Terrorists - Nation State (ISA 99 Student Notebook page 53)

Class B Networks

IP Class that has a Network Identifier (NET_ID) of 16 bits

Class C Networks

IP Class that has a Network Identifier (NET_ID) of 24 bits.

Class A Networks

IP Class that has a Network Identifier (NET_ID) of 8 bits

Time To Live (TTL)

IP header that tells how many hops a packet is allowed to take before reaching its destination. At the last hop the Router may send an ICMP Destination Unreachable packet back. Guards against routing loops

Strict Source Routing

IP protocol header option that allows sender to specify the exact route a packet should take to its destination.

Loose Source Routing

IP protocol header option that allows the specification of a list of routers a packet should pass through, but it may also pass through other routers if required.

2002::

IPv6 Network Prefix for IPv6-to-IPv4 gateway networks

2001::

IPv6 Network Prefix for large ISP inter-domain routing

fe80::

IPv6 Network Prefix for local networks

ff00::

IPv6 Network Prefix for multicast traffic

INL

Idaho National Laboratory

Wireless DoS

Identify frequencies used, generate noise to take down channels

Crypto - What does SSL/TLS do?

Implements Confidentiality, Integrity and Authentication ABOVE the Transport Layer.

Distributed Control System (DCS)

In a control system, refers to control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit.

Manipulated Variable

In a process that is intended to regulate some condition, a quantity or a condition that the control alters to initiate a change in the value of the regulated condition.

Least Privilege Principle

In information security, computer science, and other fields, this principle requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Hot Wash

Incident response exercise after Acton lesions learned

Exercise Narrative

Incident response exercise backstory

Inject

Incident response exercise event delivered to the players

GridEx

Incident response exercise focused on Electrical Grid for Bulk Power Systems. Open for all NERC registered entities

Real Time

Incident response exercise inject time delta that corresponds to actual time line

Master Facilitator

Incident response exercise lead planner

Master Scenario Event List (MSEL)

Incident response exercise matrix that outlines entire exercise

White Cell

Incident response exercise player that role plays

Moves

Incident response exercise series or collection of injects (events)

Table Top Exercise (TTX)

Incident response exercise that does not involve live systems or hands on activities

Service Pack

Includes multiple, tested fixes and addressed a wide variety of OS bugs.

Security Audit

Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.

IAONA

Industrial Automation Open Networking Association

ICS

Industrial Control System(s)

ISID

Industrial Security Incident Database

Boot Record Infector

Infects boot record of computer so that it is loaded into memory on computer startup

Access Control Models

Information Flow Non Interference Confidentiality of Stored Information - Bell-LaPadula (Mandatory Access Control) - Access Matrix (Read, Write or Execute or R/W/X) - Take-Grant (Rights = Create, Revoke, Take and Grant Integrity of Stored Information - Biba Integrity Model (Bell-LaPadula upside down) - Clark-Wilson

IT

Information Technology

ITL

Information Technology Laboratory

Diagnostics

Information concerning known failure modes and their characteristics. Such information can be used in troubleshooting and failure analysis to help pinpoint the cause of a failure and help define suitable corrective measures.

Clear Text

Information that is not encrypted.

I/O

Input/Output

Buffer Overflows

Insertion of malicious code into memory by overrunning buffers outside of their assigned memory space.

Crypto - Key Clustering

Instance when two different keys generate the same ciphertext from the same plaintext. (Harris)

I3P

Institute for Information Infrastructure Protection

IEEE

Institute of Electrical and Electronics Engineers

Maltego

Intelligence gathering and analysis platform

IED

Intelligent Electronic Device

IED (Intelligent End Device)

Intelligent End Device - DPR is an example of an IED

CIGRE

International Council on Large Electric Systems

IEC

International Electrotechnical Commission

ISO

International Organization for Standardization

ICMP

Internet Control Message Protocol

IETF

Internet Engineering Task Force

IGMP

Internet Group Management Protocol

IP

Internet Protocol

IPsec

Internet Protocol Security

Inetd

Internet Services Daemon

IDS

Intrusion Detection System

IPS

Intrusion Prevention System

Discretionary Access Control (DAC)

Is an access policy determined by the owner of a file (or other resource). The owner decides who's allowed access to a file and what privileges they have.

Service Account

Is an account that a service on your computer uses to run under and access resources. This should not be a user's personal account. Can also be an account that is used for a scheduled task (e.g., batch job account) or an account that is used in a script that is run outside of a specific user's context. (Ref GIAC White Paper)

RTPS - Real Time Publish Subscribe

Is the interoperability protocol used to allow multi-vendor Data Distribution Service (DDS) implementations to communicate

Denial Of Service (DOS)

Jamming a device with traffic - Bandwidth Exhaustion, System Resources, Network Medium interface, Interference wireless

Physical Attack Tools

Keystroke recorders, Trojans, USB keyboard emulators (rubber ducky) wired / Video loggers / wireless, USB Keys moving across air gaps

Early Launch Anti-Malware (ELAM)

Launched first by the kernel before any third-party software, and is therefore able to detect malware in the boot process and prevent it from initializing. Anti-root kit.

Token Ring

Layer 2 protocol developed by IBM in the 70s as a logical ring topology where systems communicate in a only one direction with their neighbors using a special frame called a Token.

Cross Site Request Forgery (CSRF)

Link that appears to link to a legitimate site but has hidden code that redirects you to a malicious site

/etc/inetd.conf

Linux configuration file that connects inetd service names to server names. Ex: telnet stram tcp nowait root /usr/sbin/tcpd in.telnetd

/etc/services

Linux configuration file that connects port numbers and protocols. Ex: telnet 23/tcp

/etc/inittab

Linux configuration file that specifies processes that start at boot and stop at shutdown

syslogd

Linux daemon responsible for accepting incoming log entries and dealing with them based on a set of rules found in /etc/syslog.conf

inetd

Linux daemon responsible for starting network services on demand when there is a request for that resource. /etc/inetd.conf /etc/services

syslog

Linux logger records major events that take place often found in /var/log/messages

Access Control List (ACL)

List of subjects (including groups, machines, processes*) that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete and create. (Harris) (*NIST)

LAN

Local Area Network

Caligula Virus

Located Pretty Good Privacy (PGP) private key file sent to FTP site. Maintained a trail of infected users and study relationships

Physical Attack Indications

Locks do not work with key, unauthorized vehicles, un-reconciled door or cabinet alarms, damage

Microkernel

Low-level interface over hardware, minimum software to provide control over hardware.

Social Engineering

Lying. Manipulating humans using logic and emotion to do what you want. If they knew your true intent they would not help you.

Crypto - MD5 Weakness

MD5 weak but there is little opportunity for an attacker to generate a matching MD5 has for an arbitrary file; however, if an attacker can influence the initial file content (M) then it is possible for them to create a second file (M') that will produce an identical MD5 hash. (Day 4, Page 181)

Mandatory Access Model

MLS Enforces the Mandatory Access Model used in Labeled Security Protection Profile (LSPP) env. constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target

SCA Snap-in

MMC Snap-in for configuration and analysis of security. Applying an auditing a local computers templates (does not work over network, as that is what Group Policy is for)

Cyber Investigation

Maintain Evidence, Report to owners, be cautious who you tell, plan for minimizing impact, consider regulation, detailed exam

Communication Integrity

Maintaining and assuring accuracy and consistency of data over entire life cycle.

Remote Maintenance

Maintenance activities conducted by individuals communicating external to an information system security perimeter.

Frequency Hopping

Makes wireless packet capture and demodulation much more difficult, but still possible.

AUDITPOL.exe

Managed audit policies from the command line. Use /get /category:* to list all audit policy sub categories

MIB

Management Information Base, used for SNMP

Kernel

Manages the hardware and executing processes, includes file system, low-level network protocol support, memory and process management.

Heirarchical Storage Management (HSM)

Manages the storage and recovery of files, which are copied to storage media devices that vary in speed and cost. The faster media holds the data that is accessed more often and seldom used files are stored on slower devices.

MES

Manufacturing Execution System

Wide Area Communications

Many ICS are geographical disparate. Offshore rigs, electrical systems, pipelines

MTU

Master Terminal Unit (also Master Telemetry Unit)

Phase Measurement Units (PMU)

Measures the electrical waves on an electrical grid using Time Sync

Network Access Control (NAC)

Mechanism for preventing systems from connecting to trusted networks. Allows computers plugged into a network to be placed in a separate Virtual LAN (VLAN) if their software is out of date and needs to be patched or poses a potential security risk to a trusted network.

MAC

Media Access Control

Biometrics

Metrics related to human characteristics and traits used for user authentication. Added to Control Panel in Windows 7

Routing and Remote Access Service (RRAS)

Microsoft Server software for routing and remote access service capabilities of the operating system, to function as a network router and VPN.

Domain Controller (DC)

Microsoft Server that responds to security authentication requests (logging in, checking permissions, etc.) to a number of computer resources with the use of a single username and password combination.

Internet Information Server (IIS)

Microsoft Server that responds to web application requests, FTP and serves web pages.

Network Load Balancing (NLB)

Microsoft implementation of clustering and load balancing that is intended to provide high availability and high reliability, as well as high scalability

Microsoft System Center Operations Manager (MOM)

Microsoft product that watches over your servers by continuously extracting and storing their event logs and looking for patterns in the data.

Encrypting File System (EFS)

Microsoft windows feature that encrypts file systems using a bulk symmetric key known as the File Encryption Key (FEK)

ModbusPal

Modbus Simulation Tool

mbtget

Modbus Spoofing Tool

ICS Network Protocols

Modbus: TCP/502, OPC UA TCP/4840, EtherCAT UDP/34980, EtherNet/IP TCP/44818 UDP/2222 UDP44818, FL-net UDP/55000 - UDP 55003, Foundation Fieldbus HSE TCP/1089-1091, UDP/1089-1091, PROFINET TCP/34962 to 34964, UDP/34962 to 34964, BACNet/IP UDP/47808, LONTalk UDP/1628, Fox TCP/1911, DNP3 TCP/20000 UDP/20000, ICCP TCP/102

Safety Instrumented Systems (SIS)

Monitoring or remediate any situation which may impact plant or personnel safety. Relief valve, ESD.

File integrity monitoring - Best Practice

Monitoring server OS binaries to detect unapproved changes

Server Core

Most basic installation of Windows Server with every optional resource removed.

IP Header

Most have a length of 20 bytes, but can be longer if options are applied.

Ethernet

Most popular layer 2 protocol used in LANs. Sends data using Frames

PKI - x.509 v3

Most popular public key certificate.

Multi Level Security (MLS)

Multi Level Security - Sensitivity Level Number

Multi-Category Security (MCS)

Multi-Category Security - Category Number 0 - 1024 in Fedora

Data Concentrator

Multiport device for concentrating and redistributing I/O data in SCADA

NERC CIP-003-3

NERC Security Management Controls - requires cyber security policy, availably policy, annual review, senior leadership responsible, policy exceptions documented

NERC EOP-008-1

NERC standard that Each applicable entity must have an operating plan that addresses loss of primary control center, must have backup control center, must transition in under 2 hours, must be operating both sides consistently, must be independent of primary facility

NERC CIP-002-3

NERC standard that Requires entities to develop,, document and annually perform risk bases assessment methodology (RBAM). Must consider 7 assets classifications. R1.2.1 - R1.2.7 . These asset classifications are used though CIP-003 to CIP-009

NERC CIP-008-3

NERC standard that contains requirements for organizations to develop and implement an Incident Response Plan

ICMP - Internet Control Message Protocol

NETWORK Layer protocol == PEER of IP. Datagram-based like IP, UDP Purposes 1. Report errors and troubleshooting (Destination host unreachable, Fragmentation needed and DF flag set) 2. To provide network information (Ping) Tied to version of IP -- ICMPv6 == IPv6

Media Sanitation

NIST SP 800-88, Guidelines for Media Sanitization, divides media sanitization into four categories: -- disposal, -- clearing, -- purging and -- destroying. It further suggests that the system owner: -- categorize the information, -- assess the nature of the medium on which it is recorded, -- assess the risk to confidentiality, and -- determine the future plans for the media. Then, decide on the appropriate sanitization process. The selected process should be assessed as to cost, environmental impact, etc., and a decision made that best mitigates the risk to confidentiality and best satisfies other constraints imposed on the process.

Port Scanning

NMap port scanning is most accurate for finding running services, can cause failures in control networks

Windows CE

NOT a stripped down version of windows, Visual Studio Development, includes Internet Explorer

NCSD

National Cyber Security Division

NISCC

National Infrastructure Security Coordination Centre

NIST

National Institute of Standards and Technology

ICS Vulnerabilities Databases

National SCADA Test Bed (NSTB), DHS Control System Security Program (CCSP), Common Weakness Enumeration (CWE), NIST, CVE

NSTB

National SCADA Testbed

VSAT Security Solutions & Architectures

Need to understand entire communication path to address security challenges - Use of VLAN/Virtual Private Networks - Support encryption of data (SSL, SSH, PGP AES-256) (Many VSAT service providers rely upon bulk encryption of channels (e.g., DES 56-bit) - Frequency hopping - Tunnel Mode IPSec - AV, Firewalls can be implemented at endpoints (Day 4, Page 127)

NAT

Network Address Translation

NetBios

Network Basic Input/output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol.

NFS

Network File System

NIC

Network Interface Card

Bridge

Network device that connects two desperate networks and tracks network addresses segments traffic and breaks up collision domain.

Switch

Network device that provides micro-segmentation, each port on the device receives traffic from a unique host using a MAC address (operates on OSI Layer 2). Intelligent network device reduces collisions. A combination of a Hub and a Bridge. Connects physical network segments that reside on the same logical network.

WAN Aggregation

Network device that provides the ability to aggregate multiple WAN data links and provide redundancy amounts ISPs

Hub

Network device that replicates traffic on all ports, minimal intelligence and security

Internetwork Packet Exchange (IPX)

Network layer protocol derived from Xerox Network Systems' IDP, It may act as a transport layer protocol as well, was very popular through the late 1980s into the mid-1990s because it was used by the Novell NetWare network operating system. Because of Novell Netware popularity became a prominent internetworking protocol.

Router

Network perimeter device that interconnects logical networks. Internet is built on these devices. Operates on OSI layer 3 by looking at the IP addresses and forwarding packets.

Field Area Network (FAN)

Network term for a layer that communicates with field devices in small geographic area. Also known as a Neighborhood Area Network (NAN)

Local Area Network (LAN)

Network term for a relatively small area such as a single office or building. control centers where trusted users access your network

Wide Area Network (WAN)

Network term for layer that covers a significantly large area.

Dynamic Host Configuration Protocol (DHCP)

Networking protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses.

Safety - Layers of Protection Analysis (LOPA)

Newest methodolgy for hazard evaluation and risk assessment. The methodolgy lies between the Qualitative end of the scale and Quantitative end. (www.oshrisk.org)

WSUS - Windows Server Update Services

Next version of automatic updates for internal use. Built into Windows Server 2003. Previously called Software Update Services (SUS) and Windows Update Services (WUS) but now obsolete. (Day 3, Page 56-57)

NERC

North American Electric Reliability Council

NERC

North American Energy Reliability Corporation - Energy Policy Act 2005 - Improve reliability of the Grid enforceable standards

NERC-CIP

North American Reliability Standards mandatory and enforceable. Mandates encryption, vulnerability assessment, etc

OPC

OLE for Process Control

Application Layer

OSI Layer interacts with the application to determine the network services required. Layer 7. Ex. SSH, NFS, SNMP, Telnet, HTTP, FTP

Transport Layer

OSI Layer that ensures data reliability on the network and handles sequencing of packet transmission. Layer 4. Ex. TCP, SPX, UDP.

Network Layer

OSI Layer that handles network address schemes and connects multiple network segments. Describes how network segments find and communicate with each other. Layer 3. Ex. IP and ICMP, AppleTalk DDP, IPX.

Session Layer

OSI Layer that handles the establishment and maintenance of connections between systems. Insure the connection is in sync with both sides. full-duplex, half-duplex, or simplex operation. Layer 5. Ex. Remote Procedure Calls (RPCs), NFS, NetBios names, SQL.

Physical Layer

OSI Layer that handles the transmission across wres, fiber, radio waves between hardware connections. Layer 1. Ex. RJ45, RS232

Presentation Layer

OSI Layer that makes the data sent from one machine useful to another machine. This layer formats, compresses and encrypts data to be sent across a network. Layer 6. Ex. Encryption, Compression, ASCII, EBCDIC, TIFF, GIF, PICT, JPEG, MPEG, MIDI

Data Link Layer

OSI Layer that translates the electrical, light, radio wave signals to packets and data streams. Layer 2. Ex. Ethernet IEEE 802.3/802.2, PP, FDDI, ATM, IEEE 802.5/ 802.2, HDLC, Frame Relay

OLE

Object Linking and Embedding

OSHA

Occupational Health and Safety

Collision

Occurs on a network when multiple nodes send information simultaneously.

Fault Tolerant

Of a system, having the built-in capability to provide continued, correct execution of its assigned function in the presence of a hardware and/or software fault.

OMB

Office of Management and Budget

American Gas Association (AGA)

Oil and Gas Energy Sector industry to help self-organization and self-regulation Cyber Security Task Group

Crypto - Trapdoor Function

One-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information (NIST) (Asymmetric algorithms could fit with the public and private keys)

OSI

Open Systems Interconnection

MODBUS

Open device protocol, Serial and Ethernet, Master-Slave, up to 247 devices

Metasploit

Open source exploit tool framework. Written in PERL. Works on windows and Linux

SNORT

Open source network intrusion detection / prevention tool

OS

Operating System

ICS Data

Operations Data, Personnel Data, Security sensitive data, project files, schemas, logic instructions, device configurations, settings, programming, Setpoints, Alarm points, Calibration data, Lab Data, Process data, simple time-ordered logs and trend data, Firmware, System software, Model Diagrams, P&IDs

Level 3

Operations Support DMZ in the ISA-99/Perdue architecture - Operator logs, replication of process historians, maintenance logs for critical processes

Data Classification

Part of Information Lifecycle Management (ILM) process can be defined as a tool for categorization of data to enable/help organization to determine (amongst other things) what data should stay private and what should be publicly available.

Zed Attack Proxy

Password Fuzzing Tool

Registration Authority (RA)

Performs certificate registration duties. RA cannot issue certificates but can act as middleman between user and CA.

Mandatory Access Control (MAC)

Permissions to objects are managed centrally by an administrator. Is an access policy determined by the system, rather than by the owner. Organizations use this in multilevel systems that process highly sensitive data such as classified govt or military. Examples: 1) Rule-based, 2) Lattice Model

PDA

Personal Digital Assistant

PIN

Personal Identification Number

PIV

Personal Identity Verification

Real-Time

Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results of the computation can be used to guide the physical process.

Critical Infrastructure

Physical and electronic devices, communications enable infrastructure, consequences public safety, economic, and defense

Electric Generation

Plants connected to switch yards which contain transmission scads systems. Dispatched from balancing authorities using AGCS

Pivot Point

Point in network which you can be used to access deeper levels of security. Used to pass through a DMZ

PPP

Point-to-Point Protocol

Verifying Policy Compliance

Policy's are documents for rule sets

Contingency Analysis

Potentially harmful events, thresholds or configurations are identified so actions can be taken. Trip breakers, valves, alarms

get-wmiobject

PowerShell command can interface with Windows Management Instrumentation (WMI) just like WMIC.exe.

get-eventlog

PowerShell command to lists local event logs and their config setup. get-eventlog -list

get-process

PowerShell command to return a list of running processes. Can use with | format-list *

Virus Definitions

Predefined signatures for known malware used by antivirus detection algorithms. Vulnerability Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Security Motto

Prevention is ideal, detection is a must

PCSF

Process Control System Forum

OPC (OLE for Process Control)

Process communication technology based on OLE, is old Microsoft technology. Consolidate data. Unpredictable port usage over network.

Configuration Control

Process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation.

Authorization

Process for determining what someone has access to.

Authentication

Process for proving who you are with: Something you know, something you have, something you are, some place you are

Configuration Control

Process of controlling modifications to hardware, firmware, software and documentation to protect the information system against improper modification prior to, during, and after system implementation. (NIST)

Data Classification

Process of selecting one of two primary levels for data, cleared for public release and private information.

Application White Listing

Process where cryptographically signed binaries are verified before execution and applications are checked against lists of applications that can and cannot run. Does not prevent shell code from being inserted into running process.

init

Processes started automatically after Linux kernel finishes loading. Configured using /etc/inittab

PLC

Programmable Logic Controller

PID

Proportional - Integral - Derivative

PP

Protection Profile

Remote Desktop Protocol (RDP)

Protocol for graphically controlling Windows machines remotely. 3389/TCP 3389/UDP

IPSec

Protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session

Network Address Translation (NAT)

Protocol that maps Private network addresses to public internet addresses.

Transmission Control Protocol (TCP)

Protocol that provides guaranteed packet delivery, error checking, most commonly used protocol today. FTP Data 20, FTP 21, SSH 22, Telnet 23, DNS 53, HTTP 80, HTTPS 443

Carrier Sense Multiple Access (CSMA)

Protocol used by EtherNet to listen for existing traffic and wait until the line is clear before sending data in order to avoid Collisions. (Layer 2)

DMZ

Provides a series of function specific zones where services and data can be shared between the zones. Added between levels of trust.

IPv6

Provides authentication of end points, encryption built into protocol, QoS built into protocol, Accommodates 340 undecillion addresses unique 128-bit addresses

Centralized Logging

Provides protection against the destruction and modification of log files. Easy to search and scan log files from a single location.

Business Zone

Purdue 4 and 5 Levels

Operations Zone

Purdue Levels 3,2,1,0

Well Written Policy

Purpose, Related docs, Cancellation or expiration, Background, Scope, Policy Statement, Responsibility, Action

RFC 826

RFC number describing Address Resolution Protocol (ARP)

Linux Package Management

RPM, YUM, Apt-get etc.

VxWorks

RTOS Isolated Memory Space, often left with debug tools still installed. Windriver

QNX

RTOS microkernel runs on MIPS, PowerPC, ARM,x86 owned by blackberry

Historians

Real-time database logs or archives real-time data to a allow business users to view trends

Personal Area Network (PAN)

Recent network term used for a type of ad-hoc network (usually wireless) used to communicate to one or more devices in a short range (10m or less). Bluetooth and ZigBee are both examples of this network type.

Linux Logs with SYSLOG

Record major events that take place often found in /var/log/messages

RPO

Recovery Point Objective

RTO

Recovery Time Objective

Linux

Red Hat, Novel Suse, Debian or Ubuntu are this OS

Distributed Control System (DCS)

Refers to a control system of a process plant and industrial process wherein control elements are not only located in central location (like the brain) but are also distributed throughout the system with each component sub-system controlled by one or more controllers so the intelligence is distributed across the sections of the plant. Follows hierarchy in its control philosophy with various function spread across . Is a computerized control system used to automate processes in various industries.

RMA

Reliability, Maintainability, and Availability

RADIUS

Remote Authentication Dial In User Service

RPC

Remote Procedure Call

RTU

Remote Terminal Unit (also Remote Telemetry Unit)

RTU

Remote Terminal Unit / Remote Telemetry Unit

Unified Extensible Firmware Interface (UEFI)

Replacement for BIOS as the software interface between OS and Hardware. Secure Boot with windows uses PKI to validate firmware image.

Internet Control Message Protocol (ICMP)

Reports errors for troubleshooting Destination Host Unreachable, Fragmentation needed and to provide network information: Ping. Differs in IPv4 and IPv6. OSI Layer 3.

Bastille

Reports on how secure your installation is and provides the step by step process for hardening it.

RFC

Request for Comments

R&D

Research and Development

Health, Safety and Environmental (HSE)

Responsibility for protecting the health and safety of workers and surrounding community and maintaining high environmental stewardship. (ISA)

NERC CIP-007

Responsible entities to define methods processes and procedures for securing systems determined to be Critical Cyber Assets and non critical assets with electronic security perimeters. Password mgmt., Account mgmt., no shared accounts, authorization, Password Min length of 6, Alpha, numeric and special characters, changed annually or more depending on risk factors

Application Sandboxing

Restricts a running process to certain operating system operations.

Crypto - Collision

Results when two messages produce the same digest or when a message produces the same digest as a different message. (Dummies)

INF Security Templates

Reusable security settings that can be applied using the command Secedit /configure /db secedit.sdb /cfg

Qualitative Risk Assessment

Risk Assessment approach, Easy to calculate by results more subjective, typically categorized as low medium or high.

Quantities Risk Assessment

Risk Assessment approach, valuable business decision support tool based on metrics such as dollars

Validation Authority (VA)

Role as a third-party can provide this information on behalf of Certificate Authority (CA). Part of PKI

Certificate Authority (CA)

Role is to digitally sign and publish the public key bound to a given user. Part of PKI

Registration Authority (RA)

Role that ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation. Part of PKI

RBAC

Role-Based Access Control

Real Time Operating System (RTOS)

Runs on an embedded device for scheduled processing of inputs. (usually round robin)

Cyber City

SANS course the provides a working model city power system that can be attacked and taken down.

NetWars

SANS online course that provide a digital security battle ground.

Scan Time

SCADA (1 sec to 1 min), DCS (0.05 sec to 1 sec), PCS (1ms to 1 sec), SIS (2ms to 1 sec)

GLEG

SCADA+ Pack from GLEG plugin for Metasploit

Application Sandboxing

SELinux, AppArmor, GRSecurity are examples of this type of application for Linux

Crypto - NIST-approved Hashing Functions

SHA1 (some caveats/constraints) SHA2 (SHA-224, -256, -384, -512)

SQL Injection

SQLi Bypass authentication using SQL injection

SIS

Safety Instrumented System

SSEP

Safety and support mechanism, emergency preparedness, and support systems in NRC

SNL

Sandia National Laboratories

Login/Logoff

Scripts Run as User

Host Identifier (HOST_ID)

Second part of an IP Address

Crypto - Session Key

Secret key used to encrypt messages between two users (Harris)

SCP

Secure Copy

SFTP

Secure File Transfer Protocol

SSH

Secure Shell

SSL

Secure Sockets Layer

SC

Security Category

SCA Snap-in

Security Configuration and Analysis can apply a security template and compare a computers configuration against a security template. Security Policy Verification.

Audit Policy Change

Security event log type used to monitor changes to audit policies and user right assignments

Audit Object Access

Security event log type which is used to monitor access to the NTFS file system, registry keys and printers

Windows Server 2008

Security features added in this Windows version: Component modularization, Server Core, Read-only domain controllers, Network Access Protection (NAP), Secure Socket Tunneling Protocol (SSTP), RDP Virtualization, R2: DNSSEC, AppLocker, DirectAccess, AD Recycling Bin, Enhanced Audit Policy Control

Windows Server 2003

Security features added in this Windows version: Enhanced DFS, ADFS, ADAM, Domain Controller, RRAS, DNA, RADIUS, NLB, Clustering

Windows Server 2012

Security features added in this Windows version: Multiple password policies per domain, Virtualized DCs, PowerShell History viewer, Secure Boot, BitLocker Enhanced, Early Launch Anti-Malware (ELAM), Data Classification, Central Access Policies, Kerberos armoring and easy config

Windows 8

Security features added in this Windows version: Pin/Picture authentication, Windows Defender AV, IE10 Smartscreen, System Recovery enhancements, PKI based secure boot using UEFI

Security Policy

Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions "what" and "why" without dealing with "how." Policies are normally stated in terms that are technology-independent.

Master Terminal Unit (MTU)

See SCADA Server.

SHODAN

Sentient Hyper Optimized Data Access Network - Indexes service banners and service headers

DirectAccess

Server 2008 feature that allows Windows 7 clients to IPSec IPV6 Packets to corporate LAN over internet and connect to the rest of the Internet simultaneously

SSID

Service Set Identifier

Distributed File System (DFS)

Set of Windows client and server services to organize many distributed Server Message Block (SMB) file shares into a distributed file system.

Crypto - Encryption Algorithm

Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key. (NIST)

PROFIBUS

Siemens Fieldbus. PROFIBUS DP (Factory) PROFIBUS FMS (Multi-Master, Peer-to-Peer) PROFIBUS PA

NER CIP-009-3

Similar to EOP-008-01 but applies to certain identified critical cyber assets, Recover plans for assets, clear roles and responsibilities, Exercise recovery plans annually, Full change control and change awareness within 30 calendar days, Asset level backup procedures, asset level restore procedures, requirements for testing backup media annually

Attack - Session Hijacking

Similar to Man in the Middle Attack, except that the attacker impersonates the intended recipient instead of modifying messages in transit. (Dummies)

SMTP

Simple Mail Transfer Protocol

SNMP

Simple Network Management Protocol

Digital Signature (aka Open Message Format)

Simple way to verify the authenticity (and integrity) of a message. Instead of encrypting a message with the intended receiver's public key, the sender encrypts it with his own private key. The sender's public key properly decrypts the message, authenticating the originator of the message. (Open message because anyone with the Public Key can decrypt.)

System Size

Small DCS (1 or 2 controllers, hundreds of I/O) Large DCS (7+ controllers, thousands of I/O)

Mike Davis Worm

Smart meter worm in lab environment

Blended Attacks

Social Engineering based on daily routines, complacency and natural tendency to not look beyond obvious.

Malware

Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).

Antivirus Tools

Software products and technology used to detect malicious code, prevent it from infecting a system, and remove malicious code that has infected the system.

Spyware

Software that is secretly or surreptitiously installed onto an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

SP

Special Publication

Facilities

Specifies how the messages are produced in a Linux syslog file.

Log Aggregators

Splunk, Kiwi, Snare, WinSyslog, ArcSight, LogRythm

Conflicter

Spread using MS-086 DCOM/RPC vulnerability / hit several energy companies

Configuration (of a system or device)

Step in system design; for example, selecting functional units, assigning their locations, and defining their interconnections.

SQL

Structured Query Language

Flame

Stuxnet second varient found but Highly infectious extremely hard to remove. Used for cyber espionage

Level 2

Supervisor Control LAN in the ISA-99/Perdue architecture -Engineering workstation: Project files/schemas, Logic, Loop configurations, Control Algorithms, Device configuration data, Set points, Device firmware and system applications, Alarm Server, Historian, OPC Server,HMI, Communications Gateway devices

SCADA

Supervisory Control and Data Acquisition

Database Security

Susceptible to SQL Injection attacks, Web based attacks, weak authentication, default passwords

Kerberos

Symmetric key authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model, it provides mutual authentication and protects against eavesdropping and replay attacks.

Alternating Current Drive

Synonymous with Variable Frequency Drive (VFD).

Actions

Syslog message output handling. Used to specify a file, printer, terminal, First In First Out file or remote host.

Levels

Syslog selector based on the priorities: Emerg or Panic, Alert, Crit, Err, Warning, Notice, Info, Debug, None, * - ALL

Security Event Log and Audit Policies

System Audit Policies Managed from Advanced audit Policy Configuration GUI, with Group Policy and AUDITPOL.exe

SPP-ICS

System Protection Profile for Industrial Control Systems

Reference Monitor

System component that enforces access controls on an object.

Default Account

System login account predefined in a manufactured system to permit initial access when system is first put into service. (pciscanner)

Transmission Control Protocol (TCP)

TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

ICCP

TCP/102 Control Center Communications Protocol

Foundation Fieldbus HSE

TCP/1089 to 1091, UDP/1098 to 1091 Emerson

File Transfer Protocol

TCP/20 data TCP/21 FTP

DNP3

TCP/20000, UDP/20000 energy sector

PROFINET

TCP/34962 to 34964, UDP/34962 to 34964 Siemens

EtherNet/IP

TCP/44818, UDP/2222, UDP/44818 Rockwell Automation

OPC UA Discovery Server

TCP/4840

Modbus TCP

TCP/502

OPC UA XML

TCP/80 TCP/443

Attack - Spoofing

Technique used to forge TCP/IP packet information or email header information. In network attacks it is used to gain access to systems by impersonating the IP address of a trusted host. In email the sender address is forged to trick an email users into opening or responding to an email. (Dummies)

ICCP aka

Telecontrol Application Service Element 2 (TASE.2)

ISA

The Instrumentation Systems and Automation Society

Integral

The PID value that is proportional to both the magnitude of the error and the duration of the error. In a PID controller, it is the sum of the instantaneous error over time and gives the accumulated offset that should have been corrected previously. The accumulated error is then multiplied by the integral gain (K_i) and added to the controller output.

Proportional

The PID value that produces an output value that is proportional to the current error value. The proportional response can be adjusted by multiplying the error by a constant Kp, called the proportional gain constant.

Access Reconciliation

The action of making accounts consistent. A process used to compare two sets of records to ensure the data are in agreement and are accurate.

Collision Detection (CD)

The capability of a layer 2 network protocol to know when two network nodes send data simultaneously, creating unreadable data.

Fuzzy Logic

The degrees of truth, Truth Value between 0 and 1 for various factors. Values used to determine final operation

SCADA Server

The device that acts as the master in a SCADA system.

Port

The entry or exit point from a computer for connecting communications or peripheral devices.

PowerShell

The future of command-line administration on Windows. Slated to replace CMD.exe

Human-Machine Interface (HMI)

The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software.

Protocol

The language rules that dictate how computer communicate on a network. Standardize format, specify ordering, enable 3rd party communications.

Risk

The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Motion Control Network

The network supporting the control applications that move parts in industrial settings, including sequencing, speed control, point-to-point control, and incremental motion.

Accreditation

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Denial of Service (DoS)

The prevention of authorized access to a system resource or the delaying of system operations and functions.

Risk Assessment

The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.

Risk Management

The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.

Identification

The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.

Crypto - Keyspace

The range of all possible values for a key in a cryptosystem. The larger it is and the full use of it allows more random keys to be created thus bringing higher security.

Authorization

The right or a permission that is granted to a system entity to access a system resource.

Operational Controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).

Technical Controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Management Controls

The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security.

Internet

The single interconnected world-wide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

Public Key Infrastructure (PKI)

The software and procedures needed to support digital certificates. Includes Certificate Authority (CA), Validation Authority (VA), Registration Authority (RA)

Pneumatics

The technique of using gases for power transmission.

Jitter

The time or phase difference between the data signal and the ideal clock.

Cycle Time

The time, usually expressed in seconds, for a controller to complete one control loop where sensor signals are read into memory, control algorithms are executed, and corresponding control signals are transmitted to actuators that create changes the process resulting in new sensor signals.

Statistical Process Control (SPC)

The use of statistical techniques to control the quality of a product or process.

Controlled Variable

The variable that the control system attempts to keep at the set point value. The set point may be constant or variable.

MLS/MCS

These two acronyms are used in Fedora for controling: Sensitivity Level : Category ex: s0:c0.c10

Derivative

This PID value in the process error is calculated by determining the slope of the error over time and multiplying this rate of change by the derivative gain Kd. The magnitude of the contribution of the derivative term to the overall control action is termed the gain.

Wireless Attacks

This attack vector makes DOS = easy. is a hub, data capture easy.

Policy

This must be written using: SMART - S:pecific M:easureable A:chievable R:ealistic T:ime-Based - and the 5 Ws

Tripwire

This software product is an example of intrusion detection through integrity checking, Creates secure database of file and directory attributes.

Control Network

Those networks of an enterprise typically connected to equipment that controls physical processes and that is time or safety critical. The control network can be subdivided into zones, and there can be multiple separate control networks within one enterprise and site.

Time Sync

Time stamping in RTUs / GPS / NTP Network Time Protocol

NRC

Title 10 of the Code of Federal Regulation - 10 CFR 73.54 - Protection of digital computer and communication systems

Integrity Checkers

Tools like TripWire that are used to detect intrusions through file and folder modifications.

Physical Topology

Topology of how a network is actually connected, how the data flows via wires and wireless (AKA OSI Layer 1)

Logical Topology

Topology of the rules which a network uses for sending data. The process a protocol follows to send data regardless of the media. (AKA OSI Layer 2) Example: A Token ring

TCP

Transmission Control Protocol

TCP/IP

Transmission Control Protocol/Internet Protocol

Broadcast

Transmission to all devices in a network without any acknowledgment by the receivers.

Crypto - HMAC Hashing

Transmitter creates a hash with the assistance of a secret value known to the transmitter and the recipient. Attacker does not know secret so they cannot create a valid hash. (Defense against MITM attack) Any hashing function can also be used as an HMAC hash. (Day 4, Page 180)

TLS

Transport Layer Security

Phishing

Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites).

TFTP

Trivial File Transfer Protocol

Layer 2 Tunneling Protocol (L2TP)

Tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. has its origins primarily in two older tunneling protocols for point-to-point communication: Cisco's Layer 2 Forwarding Protocol (L2F) and Microsoft's[2] Point-to-Point Tunneling Protocol (PPTP).

ICMP - Common Types and Codes

Type 0 = Echo Reply* (Ping response) Type 3 = Destination Unreachable - Code 0: Network Unreachable - Code 1: Host Unreachable - Code 3: Port Unreachable - Code 9: Destination Network Administratively Prohibited (e.g. F/W) Type 5 = Redirect (Can be used by attacker to redirect traffic) Type 8 = Echo Request* (Ping request) Type 11 = Time Exceeded - Code 0: TTL Expired in transit - Code 1: TTL Expired during reassembly

NTP

UDP/123

NBT

UDP/137-UDP/139

SNMP

UDP/161 UDP/162

LonTalk

UDP/1628 (Config Server UDP/1629) Building Automation Systems

Network File System NFS

UDP/2049 file sharing for unix networks

EtherCAT

UDP/34980

BACnet/IP

UDP/47808 Building Automation Systems

SYSLOG

UDP/514

Domain Name Service (DNS)

UDP/53

FL-net

UDP/55000 to 55003 Anybus Japanese JEMA

Bootp

UDP/67

DHCP

UDP/68

Trivial File Transfer Protocol (TFTP)

UDP/69 Transfer files from one device to another without authentication

CFATS

US Chemical Facility Anti-Terrorism Standards - DHS comprehensive federal security regulations for high-risk chemical facilities

Nuclear Regulatory Commission (NRC)

US Regulatory Commission that handles the security and safeguards for civilian nuclear facilities and materials

Transport Safety Administration (TSA)

US Safety Administration in charge of Pipeline Security. Physical, Data Link, Network, Transport, Session, Presentation, Application

Wi-Spy

USB spectrum analyzer, Analyze all bands of 802.11, find rogue devices.

Internet Assigned Numbers Authority (IANA)

Ultimate authority for assigning IP addresses on the Internet.

UPS

Uninterruptible Power Supply

US-CERT

United States Computer Emergency Readiness Team

US-CERT

United States Computer Emergency Readiness Team - 24/7 arm of the Department of Homeland security national cybersecurity and communications integration center (NCCIC)

USB

Universal Serial Bus

chroot

Unix application feature that only allows the program to access resources within its executing folder.

chroot

Unix application feature that only allows the program to access resources within its executing folder. Isolate themselves to particular directory.

df

Unix command to see free space on all mounted partitions

/etc/inittab

Unix configuration file that contains instructions on which program scripts to run at init based on their Run Levels

Run Condition Directory

Unix directory that contains a directory for each run level (usually names rc#.d). Each directory contain linked scripts

/etc.

Unix file path that contains configuration files

/etc/fstab

Unix file that configures disk partitions

/var

Unix folder path containing log files, ques and disk memory

/usr

Unix folder path containing primary OS files. READ ONLY

/dev

Unix folder path containing system device related files

/usr

Unix folder path originally intended to contain containing larger executables

/bin

Unix folder path originally intended to contain containing small executables

/home

Unix folder path that contains user home directories

/

Unix folder path to root director

Run Levels

Unix init selects which set of scripts to run based on these

chkrootkit

Unix malware detection tool that looks for rootkits,sniffers, deleted logs, Trojans, kernel modules

cron

Unix scheduling daemon

Database Security Basics

Use DBAs, Separation of duties, Patching, Monitor and audit, audit logins, strong authentication, security testing, certificate management. Do not reuse certificates for both client and server connections.

SIEM - Security Information and Event Management System

Used for centralized logging from various systems and devices on a network (e.g., Syslog from Linux)

Engineering Workstation

Used for making changes to ICS, also Operator Workstation

Subnet Mask

Used to determine the network class based on the length of the unmasked NET_ID.

UDP

User Datagram Protocol

Siemens Simatic WinCC

Username = WinCCAdmin Password = 2WSXcder

Modbus Spoofing

Using MBTGET to spoof Modbus signals

Port Scanning

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

Local File Inclusions (LFI)

Using a seemly harmless local file request to gain access to sensitive data (etc/shadows)

Remote File Inclusion (RFI)

Using a seemly harmless remote file request to gain access to sensitive data (etc/shadows)

DNP3

Utilities. Westronic. IEEE standard 1815-2012. 65,000 devices, Event Time Stamping, Serial or Ethernet

winrn.vbs

VB Script used to manage Windows Event Collector settings from the command line.

802.1Q

VLAN tagging protocol (TAGS)

Secure Socket Tunneling Protocol (SSTP)

VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. Available for Linux, BSD, and Windows. Use of Port 443 allows it to easily pass through firewalls. AKA SSL VPN (similar to OpenVPN)

Digital I/O

Value communicated by simple On-or-Off signals. Relays, Switches, and device Status.

Analog I/O

Value communicated by varying Voltage or Current. Measure Temperature, Pressure, Flow, Speed

Field Device

Valves, Solenoids, Pumps, Agitator, Burners and Compressors. I/O

VFD

Variable Frequency Drive

Auditing and Forensics

Verify Policy compliance, Vulner scanning, Gather ongoing operational data, create baseline snapshot, change detection and analysis

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

VLAN

Virtual Local Area Network

VPN

Virtual Private Network

Melissa Virus

Virus launched around March 26, 1999, is a mass-mailing macro virus. As it is not a standalone program, it is not a worm. Leaking word documents.

Malware

Virus, Trojans, Backdoors, Bots, Worms -

UCSniff

VoIP and IP Video Security Assessment Tool - Inject audio / video into VOIP

Nessus

Vulnerability scanner and config scanner for windows, Linux and VM

Frame Relay

WAN interconnection based on packet switching (breaking data into packets each traveling individually) shared by multiple companies

Dedicated Line

WAN interconnection of two remote sites using a dedicated Point-to-point network typically leased from a provider. Ex. T1, T4, E1 or E3

Multiprotocol Label Switches (MPLS)

WAN technology that supports imp traffic (IPv6, VOIP, etc.) and provides a unified data carrying service (both OSI layer 2 and layer 3. AKA layer 2.5). Seen as a replacement for Asynchronous Transfer Modules (ATM) and Frame Relay as it supports modern protocols.

Microsoft System Center

WSUS on steroids, more complex, more resource usage, not free like WSUS

Attack Appropriate Response

Walk down site, consider cyber related, what can I access from here, can I impact equipment, escalate with evidence

Vulnerabilities

Weaknesses in a system. Gateways in which threats can manifested

SHODAN

Webservice that allows you to put in Vendor and Model and will show you IP addresses of where they can be reached

Windows Server Update Service

What does the Acroyn WSUS stand for?

Building Management System (BMS)

What does the acronym BMS stand for also know as BAS?

Critical Digital Asset (CDA)

What does the acronym CDA stand for?

Energy Management System (EMS)

What does the acronym EMS stand for?

Human Machine Interface (HMI)

What does the acronym HMI stand for?

International Atomic Energy Agency (IAEA)

What does the acronym IAEA stand for?

Manufacturing Execution Systems (MES)

What does the acronym MES stand for?

National SCADA Test Bed

What does the acronym NSTB stand for?

Process Control System (PCS)

What does the acronym PCS stand for?

Supervisory Control And Data Acquisition (SCADA)

What does the acronym SCADA stand for?

Fragmentation

When an IP protocol router encounters a packet that is too large to send along and needs to split it up into smaller pieces.

WAN

Wide Area Network

Secure Boot

Windows 8 feature that leverages Unified Extensible Firmware Interface (UEFI) and Public Key Infrastructure (PKI) to prevent malware from infecting boot process.

Active Directory Application Mode (ADAM)

Windows Active Directory mode for Lightweight Directory Access Protocol (LDAP) based services, promotes interoperability with *nix systems.

Active Directory Federation Services (ADFS)

Windows Active Directory service that allows single sign-on across company boundaries

Security Template

Windows INF file that can contain: Password Policy, Lockout Policy, Kerberos Policy, Audit Policy, User Rights, Event Log Settings, NTFS, Services, Registry

Windows Management Instrumentation Console (WMIC)

Windows Management command line tool swiss army knife

Network Access Protection (NAP)

Windows Server 2008 (and higher) feature used to enforce client health policies before allowing them to access a network.

Windows End of Lifes (EoLs)

Windows XP = April 2013, Windows XP Pro for Embedded = Jan 12 2016,

gpupdate

Windows command to force a Group Policy update

Security Templates

Windows editor for Microsoft Management Console (MMC) for modifying reusable security INF files.

Group Policy

Windows feature that controls configuration of the working environment for user accounts. Can be managed centrally using Active Directory.

User Account Control (UAC)

Windows feature that reduces the number of tasks that can run as local administrator. Designed to warn users when an application requests elevated rights.

Data Execution Prevention (DEP)

Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks.

Remote Procedure Call (RPC)

Windows features that allows remote execution of commands.

Distributed Component Object Model (DCOM)

Windows protocol for allowing distributed communication between programs on a network. Extensive use of MSRPC.

AppLocker

Windows software restriction (whitelisting) feature. Can import and export configs, audit configs, apply rules based on Group Policy.

Modulation

Wireless data is encoded on wireless signal carriers through this process.

IEC 62591

WirelessHART

Cross Site Scripting (XSS)

Wrap a website in malicious code in order to intercept private data, change users browser settings, passing JavaScript to other browser sessions

Password Fuzzing Tool

Zed Attack Proxy

Proportional Integral Derivative (PID)

a control loop feedback mechanism (controller) widely used in industrial control systems. Calculates an error value as the difference between a measured process variable and a desired setpoint.

PLC

a digital computer used for automation of typically industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures

Attack Surface

a list of system inputs that an attacker can use to attempt to compromise a system

Attack Tree

a logical way to string multiple attacks together to accomplish some greater attack goal

Process Hazard Analysis (PHA)

a set of organized and systematic assessments of the potential hazards associated with an industrial process

ISO27001 Emphasizes Importance In:

a) Understanding an organization's infosec requirements and the need to establish policy and objectives for infosec b) Implementing and operating controls to manage an organization's infosec risks in the context of the organization's overall business risks. c) Monitoring and reviewing the performance and effectiveness of the InfoSec Management System (ISMS) d) Continual improvement based on objective measurement

Control Loops

calculating and controlling an environment or process based on feedback.

Windows Push Scripts with Group Policy

can distribute scripts to run on Startup, Shutdown, Logon and Logoff

Communications Gateways

data acquisition, storage, transmission, and protocol conversion in ICS. RS232 or RS485 to TCP/IP

RTP - Real Time Transport Protocol

defines a standardized packet format for delivering audio and video over IP networks

Project Files

details of control system architectures, configs, logic and parameters

Operational Historians

different than Enterprise historians as they are typically used by engineers on the plant floor rather than by the business process.

WIFI kill

disconnects everyone from the net work except for you, disassociated every MAC address except for yours

Facility Requirements

driven by life and limb, physical security

Runtime Library

expose and integrate disparate ices technologies with each other. Customize and interconnect system. APIs

Discretionary Access Control (DAC)

governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. Most commonly used access control model in operating systems today.

Session Hijacking

hijack session using cookie session id if session is sequential and not hashed. Takes advantage of Weak Session Management

Access Control Entries (ACE)

identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. A list of this object type creates the Access Control List (ACL)

Alarms

informs operator of an abnormal event or condition. Visible or audible. Call to action for operator

Layers of Protection Analysis (LOPA)

is a powerful analytical tool for assessing the adequacy of protection layers used to mitigate process risk. Builds upon well-known process hazards analysis techniques, applying semi-quantitative measures to the evaluation of the frequency of potential incidents and the probability of failure of the protection layers. IEC 61511

DNS - Reverse Lookup

is a query of the DNS for domain names when the IP address is known.

Safety - Process Hazard Analysis (PHA) (aka Process Hazard Evaluation)

is a set of organized and systematic assessments of the potential hazards associated with an industrial process. Provides information to assist managers and employees in making decisions for improving safety and reducing the consequences of unwanted or unplanned releases of hazardous chemicals. (Wiki)

Role Based Access Control (RBAC)

is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC).

Linux # mount -o remount,nosuid /tmp

mount = mount a file mount -o = options remount = attempt to remount an already mounted file system nosuid = Do not allow set-user-identifier or set-group-identifier bits to take effect Translate: Requires programs run with the permissions of the user that executed the program.

NCCIC

national cybersecurity and communications integration center

Modbus Vulnerabilities

no authentication or encryption, easy to modify Modbus values from anywhere, widely deployed

nodev

option in Unix ignores special device files. Used in areas outside /dev folder to prevent unauthorized system device access

nosuid

option in Unix ignores the set-UID and set-GID bits on executables

Ladder Logic

originally a written method to document the design and construction of relay racks as used in manufacturing and process control

ro

read only option causes the Unix operating system to prevent writes or updates

Microsoft PowerShell

replace cmd.exe, designed to be better than BASH

Hazard and operability study (HAZOP)

s a structured and systematic examination of a planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation; it is carried out by a suitably experienced multi-disciplinary team during a set of meetings

Risk Based Assessment Methodology (RBAM)

s the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur. Acceptable risk is a risk that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss

Startup/Shutdown

scripts Run as System

Spear Phishing

sending a highly focused attack to a select number of targets

Phishing

sending an attack to a large number of individuals

Attack Model

series of diagrams and or descriptions of how attackers can attack a system

Integrated Services for Digital Network (ISDN)

set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network.

Open System Interconnection (OSI)

seven layers that network protocols can work on. Physical, Data, Network, Transport, Session, Presentation, Application

Quantitative Risk Analysis (QRA)

software and methodologies give quantitative estimates of risks, given the parameters defining them. They are used in the financial sector, the chemical process industry, and other areas.

Fuzzing Network Protocols

testing an applications ability to handle a variety of traffic. Attackers and Pen testers. Enumeration, Target Vulners, Buffer overflows

Quality of Service (QoS)

the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. Manage the delay, jitter, bandwidth, and packet loss parameters on a network

With mandatory access control

this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.

Safety

training and certification, PPE, corporate culture

Virtual Channel Identifier (VCI)

used to identify a path between two Asynchronous Transfer Modules (ATMs) and can be reused later after the connection is terminated.

Virtual Path Identifiers (VPI)

used to label a collection of Asynchronous Transmission Module (ATM) connections which help with connection management.


Set pelajaran terkait

Activity and Exercise Ch 44 Activity, Test Your Knowledge, Review questions & NCLEX from quizlet

View Set

mission statement vs vision statement

View Set

TBUS 400 CH 9 Ethics, Corp Social Responsibility, Environmental Sustainability, and Strategy

View Set

Module - 4 Substance exposure in pregnancy

View Set

Foodservice Management Definitions and Tables

View Set