CIS216 midterm

Modbus

Modbus is the Modicon Bus protocol, used for intercommunication between industrial control assets. Modbus is a flexible master/slave command and control protocol. most wideley deployed ICS protocol de facto standard no authentication or encryption Layer 7 protocol used with very simple devices such as sensors or motors up to 247 devices supported should not be allowed on corporate LAN

AMI

advanced metering infrastructure the smart grid with electricity data travels over this which means the network infrastructure ends at the persons house.

modbus query

tells slave what kind of action to perform.

Project Aurora

A research project that demonstrated how a cyber-attack could result in the explosion of a generator. turned the generator on and off constantly

Red Network

A "red network" typically refers to a trusted network, in contrast to a "black network," which is less secured. When discussing unidirectional communications in critical networks, traffic is typically only allowed outward from the red network to the black network, to allow supervisory data originating from critical assets to be collected and utilized by less secure SCADA systems. In other use cases, such as data integrity and fraud prevention, traffic may only be allowed from the black network into the red network, to prevent access to classified data once they have been stored.

DAM

A Database Activity Monitor (DAM) monitors database transactions, including SQL, DML, and other database commands and queries. A DAM may be network- or host-based. Network-based DAMs monitor database transactions by decoding and interpreting network traffic, while host-based DAMs provide system-level auditing directly from the database server. DAMs can be used for indications of malicious intent (e.g. SQL injection attacks), fraud (e.g. the manipulation of stored data), and/or as a means of logging data access for systems that do not or cannot produce auditable logs.

Modbus TCP

A Modbus variant that operates over TCP/IP.

Modbus RTU

A Modbus variant that uses binary data representation.

Backchannel

A backchannel typically refers to a communications channel that is hidden or operates "in the background" to avoid detection, but is also used in reference to hidden or covert communications occurring back toward the originating sender, that is, malware hidden in the return traffic of a bidirectional communication

Control Center

A control center typically refers to an operations center where a control system is managed. Control centers typically consist of SCADA and HMI systems that provide interaction with industrial/automated processes.

Correlated Event

A correlated event is a larger pattern match consisting of two or more regular logs or events, as detected by an event correlation system. For example, a combination of a network scan event (as reported by a firewall) followed by an injection attempt against an open port (as reported by an IPS) can be correlated together into a larger incident; in this example, an attempted reconnaissance and exploit. Correlated events may be very simple or very complex, and can be used to detect a wide variety of more sophisticated attack indicators.

Data Diode

A data diode is a "one-way" data communication device, often consisting of a physical-layer unidirectional limitation. Using only 1/2 of a fiber optic "transmit/receive" pair would enforce unidirectional communication at the physical layer, while proper configuration of a network firewall could logically enforce unidirectional communication at the network layer.

HMI

A human-machine interface (HMI) is the user interface to the processes of an industrial control system. An HMI effectively translates the communications to and from PLCs, RTUs, and other industrial assets to a human-readable interface, which is used by control systems operators to manage and monitor processes.

Enclave

A logical grouping of assets, systems and/or services that defines and contains one (or more) functional groups. Enclaves represent network "zones" that can be used to isolate certain functions in order to secure them more effectively.

Master Station

A master station is the controlling asset or host involved in an industrial protocol communication session. The master station is typically responsible for timing, synchronization, and command and control aspects of an industrial network protocol.

Unidirectional Gateway

A network gateway device that only allows communication in one direction, such as a Data Diode. See also: Data Diode.

Log Management system

A system or appliance designed to simplify and/or automate the process of log management. See also: Log Management.

Zone

A zone refers to a logical boundary or enclave containing assets of like function and/or criticality, for the purposes of facilitating the security of common systems and services. See also: Enclave. DMZ, Business Network, Manufacturing zone

Stuxnet

An advanced cyber-attack against an industrial control system, consisting of multiple zero-day exploits used for the delivery of malware that then targeted and infected specific industrial controls for the purposes of sabotaging an automated process. Stuxnet is widely regarded as the first cyber-attack to specifically target an industrial control system.

Application Monitor / Application Data Monitor

An application content monitoring system that functions much like an intrusion detection system, only performing deep inspection of a session rather than of a packet, so that application contents can be examined at all layers of the OSI model, from low level protocols through application documents, attachments, and so on. Application Monitoring is useful for examining industrial network protocols for malicious content (malware).

Attack Vector

An attack vector is the direction(s) through which an attack occurs, often referring to specific vulnerabilities that are used by an attacker at any given stage of an attack.

Event

An event is a generic term referring to any datapoint of interest, typically alerts that are generated by security devices, logs produced by systems and applications, alerts produced by network monitors, and so on.

Outstation

An outstation is the DNP3 slave or remote device. The term outstation is also used more generically as a remote SCADA system, typically interconnected with central SCADA systems by a Wide Area Network.

Critical Infrastructure

Any infrastructure whose disruption could have severe impact on a nation or society. In the United States, Critical Infrastructures are defined by the Homeland Security Presidential Directive Seven as: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Critical Manufacturing; Dams; Defense Industrial Base; Drinking Water and Water Treatment Systems; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials, and Waste; Postal and Shipping; Public Health and Healthcare; Telecommunications; and Transportation Systems.

auditd

Auditd is the auditing component of the Linux Auditing System, responsible for writing audit events to disk. The Linux Auditing System is a useful tool for monitoring file access and file integrity in Linux systems.

HSPD-7

Critical Infrastructure Identification, Prioritization, and Protection replaced by PPD21

DPI

Deep-Packet Inspection The process of inspecting a network packet all the way to the application layer (Layer 7) of the OSI model. That is, past datalink, network or session headers to inspect all the way into the payload of the packet. Deep-packet inspection is used by most intrusion detection and prevention systems (IDS/IPS), newer firewalls, and other security devices.

DCS

Distributed Control System An industrial control system deployed and controlled in a distributed manner, such that various distributed control systems or processes are controlled individually. See also: Industrial Control System.

ESP

Electronic Security Perimeter An Electronic Security Perimeter (ESP) refers to the demarcation point between a secured enclave, such as a control system, and a less trusted network, such as a business network. The ESP typically includes those devices that secure that demarcation point, including firewalls, IDS, IPS, industrial protocol filters, application monitors, and similar devices.

Enumeration

Enumeration is the process of identifying valid identities of devices and users in a network; typically as an initial step in a network attack process. Enumeration allows an attacker to identify valid systems and/or accounts that can then be targeted for exploitation or compromise.

EtherNet/IP

EtherNet/IP is a real-time Ethernet protocol supporting the Common Industrial Protocol (CIP), for use in industrial control systems.

Function Code

Function Codes refer to various numeric identifiers used within industrial network protocols for command and control purposes. For example, a function code may represent a request from a Master device to a Slave device(s), such as a request to read a register value, to write a register value, or to restart the device.

IAM

Identity Access Management Identity access management refers to the process of managing user identities and user accounts, as well as related user access and authentication activities within a network, and a category of products designed to centralize and automate those functions.

IACS

Industrial Automation Control System. See Industrial Control System.

ICS

Industrial Control System An industrial control system (ICS) refers to the systems, devices, networks, and controls used to operate and/or automate an industrial process. See also: Distributed Control System.

IED

Intelligent Electronic Device An intelligent electronic device (IED) has a microprocessor and is able to communicate, digitally using fieldbus, real-time Ethernet, or other industrial protocols. hardened for the environment it is located in. (high voltage areas) supports a specific function (substation automation)

ICCP

Inter-Control Center Protocol The Inter-Control Center Protocol (ICCP) is a real-time industrial network protocol designed for wide-area intercommunication between two or more control centers. ICCP is an internationally recognized standard published by the International Electrotechnical Commission (IEC) as IEC 60870-6. ICCP is also referred to as the Telecontrol Application Service Element-2 or TASE.2.

IEC

International Electrotechnical Commission The International Electrotechnical Commission (IEC) is an international standards organization that develops standards for the purposes of consensus and conformity among international technology developers, vendors, and users.

IDS

Intrusion Detection System. Intrusion detection systems perform deep-packet inspection and pattern matching to compare network packets against known "signatures" of malware or other malicious activity in order to detect a possible network intrusion. IDS operates passively by monitoring networks either in-line or on a tap or span port, and providing security alerts or events to a network operator.

IPS

Intrusion Prevention System. Intrusion protection systems perform the same detection functions of an IDS, with the added capability to block traffic. Traffic can typically be blocked by dropping the offending packet(s), or by forcing a reset of the offending TCP/IP session. IPS works in-line, and therefore may introduce latency.

NAC

Network Access Control Network Access Control (NAC) provides measures of controlling access to the network, using technologies, such as 802.1X (port network access control), to require authentication for a network port to be enabled, or other access control methods.

NERC

North American Electric Reliability Corporation The North American Electric Reliability Corporation is an organization that develops and enforces reliability standards for and monitors the activities of the bulk electric power grid in North America.

NRC

Nuclear Regulatory Commission The United States Nuclear Regulatory Commission (NRC) is a five-member Presidentially appointed commission responsible for the safe use of radioactive materials including but not limited to nuclear energy, nuclear fuels, radioactive waste management, and the medical use of radioactive materials.

OSSIM

OSSIM is an Open Source Security Information Management project, whose source code is distributed under GNU General Public License GPL-2 by AlienVault.

Profibus

Profibus is an industrial fieldbus protocol defined by IEC standard 61158/IEC 61784-1.

Profinet

Profinet is an implementation of Profibus designed to operate in real time over Ethernet.

NIST 800-53

Publication that recommends security controls for federal info systems and organizations except those designed for national security.

RTU

Remote Terminal Unit remote communication capabilities with programmable logic for the control of processes in remote locations. communicates via modem, cellular, radio or wave technology monitors parameters and transmits data.

RBPS

Risk Based Performance Standards are recommendations for meeting the security controls required by the Chemical Facility Anti-Terrorism Standard (CFATS), written by DHS.

SERCOS III

SERCOS III is the latest version of the Serial Realtime Communications System, a real-time Ethernet implementation of the popular SERCOS fieldbus protocols.

SIEM

Security Information and Event Management Security information and event management (SIEM) combines security information management (SIM or log management) with security event management (SEM) to provide a common centralized system for managing network threats and all associated information and context.

Set Points

Set points are defined values signifying a target metric against which programmable logic can operate. For example, a set point may define a high temperature range, or the optimum pressure of a container, and so on. By comparing set points against sensory input, automated controls can be established. For example, if the temperate in a furnace reaches the set point for the maximum temperature ceiling, reduce the flow of fuel to the burner.

SCADA

Supervisory Control And Data Acquisition Supervisory Control and Data Acquisition (SCADA) refers to the systems and networks that communicate with industrial control systems to provide data to operators for supervisory purposes, as well as control capabilities for process management.

Situational Awareness

Situational Awareness is a term used by the National Institute of Standards and Technology (NIST) and others to indicate a desired state of awareness within a network in order to identify and respond to network-based attacks. The term is a derivative of the military command and control process of perceiving a threat, comprehending it, making a decision and taking an action in order to maintain the security of the environment. Situational Awareness in network security can be obtained through network and security monitoring (perception), alert notifications (comprehension), security threat analysis (decision making), and remediation (taking action).

TASE.1

Telecontrol Application Service Element-1 The initial communication standard used by the ICCP protocol. Superseded by Telecontrol Application Service Element-2.

TASE.2

Telecontrol Application Service Element-2 The Telecontrol Application Service Element-2 standard or TASE.2 refers to the ICCP protocol. See also: Inter Control Center Protocol.

APT

The Advanced Persistent Threat (APT) refers to a class of cyber threat designed to infiltrate a network, remain persistent through evasion and propagation techniques. APTs are typically used to establish and maintain an external command and control channel through which the attacker can continuously exfiltrate data usually governments do this.

CFATS

The Chemical Facility Anti-Terrorism Standard, established by the US Department of Homeland Security to protect the manufacture, storage, and distribution of potentially hazardous chemicals.

NIST

The National Institute of Standards and Technology. NIST is a nonregulatory federal agency within the United States Department of Commerce, whose mission is to promote innovation through the advancement of science, technology, and standards. NIST provides numerous research documents and recommendations (the "Special Publication 800 series") around information technology security.

NERC CIP

The North American Electric Reliability Corporation reliability standard for Critical Infrastructure Protection.

NEI

The Nuclear Energy Institute is an organization dedicated to and governed by the United States nuclear utility companies.

Attack Surface

The attack surface of a system or asset refers to the collectively exposed portions of that system or asset. A large attack surface means that there are many exposed areas that an attack could target, while a small attack surface means that the target is relatively unexposed.

finger

The finger command is a network tool that provides detailed information about a user.

Technical Feasibility/Technical Feasibility Exception (TFE)

The term "Technical Feasibility" is used in the NERC CIP reliability standard and other compliance controls to indicate where a required control can be reasonably implemented. Where the implementation of a required control is not technically feasible, a Technical Feasibility Exception can be documented. In most cases, a TFE must detail how a compensating control is used in place of the control deemed to not be feasible.

Compensating Controls

The term "compensating controls" is typically used within regulatory standards or guidelines to indicate when an alternative method than those specifically addressed by the standard or guideline is used.

supervisory workstation

collects information from assets presents data for read only actions can be HMI, dashboard etc. be aware of where it is implemented

PPD-21

defines 16 critical control sectors areas that can impact the nation some sectors aren't ICS though (banks)

network segmentation

dividing larger networks into smaller networks devices can intercommunicate default to open

Blacklisting

everything allowed except for what is blocked. don't use this in ICS networks

Whitelists

everything blocked except for what is allowed

weaponized malware

high level of sophistication motive intent

cyberwarfare

high level of sophistication and consequence ultimate goal is destruction over profit

ICS protocol examples

modbus CIP ICCP - inter control center protocol DNP3 - distributed network protocol OPC - object linking and embedding process control

network segregation

no shared equipment and no communcation. air gap. data diodes can help achieve this vlans on separate switches software data diodes prevent inter-vlan communication

modbus response

normal; echo of the function of query data is collected by the slave if something wrong exception code will be sent

ICS network vulnerabilities

often running older systems that haven't been updated in a while susceptible to DoS attacks automation

ICS Protocols

originally RS-232 or RS-485 (serial) connection evolved to run over ethernet using TCP/IP works with only specific equipment in mind verifies data integrity and/or security highly susceptible to DoS

Vulnerability Assessment

port scan to find vulnerable services / open ports

securing ICS networks

segregation and segmentation defense in depth strategy access control monitoring activity IDS/IPS

Data Historian

software program that records and retrieves production/process data by time. Information stored in database that can efficiently store data with minimal disk space / fast retrieval can be proprietary, 3rd party or open source.

modbus vulnerability

susceptible to MITM and replay attacks

PLC

used to automate functions relies on an application to function generates outputs based on inputs designed for efficiency sequential function charts to program them (ladder logic)

vlan vulnerabilities

vlan hopping flood attack ARP poisoning