Intrusion detection in the ICS environment


There are many network traffic analysis tools out there but how many of them understand industrial protocols like Modbus, Profibus or DNP3? More importantly, how effective are these solutions in the industrial control systems environment?

In this post I would like to share a quick summary of security vendors in this domain.

Please note that this space moves quickly so the list may not be up-to-date by the time you are reading this. That being said, I hope it provides a high-level overview of vendors and capabilities in this space.


Global Industrial Cyber Security Professional (GICSP)

I’ve recently passed my GICSP exam. This certification is designed to bridge together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.

This unique vendor-neutral, practitioner-focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.

GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.

Here are some useful links for those of you who are interested in sitting the exam:

Exam FAQ


Certification Handbook

Delivering a Seminar at the London Metropolitan University


I was invited to give a talk on industrial systems security at the London Metropolitan University.

The seminar was intended for academic staff to discuss current problems in this field. We managed to cover a broad range of issues regarding embedded devices and network and IT infrastructure in general.

The professors shared their perspective on this subject. This resulted in the identification of several research opportunities in this area.


Presenting on Industrial Control Systems Security at the University of Westminster


I delivered a seminar to a group of students at the University of Westminster on industrial control systems security. We discussed the history of these systems, current developments and research opportunities in this area. There was some debate around the hypothesis that these systems weren’t designed to be secure, and the trade-offs between confidentiality, integrity and availability helped the participants to better understand modern challenges. Practical recommendations were given pertaining to the areas of risk management, disaster recovery, and resilience.

I also facilitated a workshop, where I divided the audience into several groups representing various stakeholders within the company: shareholders, process engineers, and security managers. This helped to drive further discussion regarding different points of view, priorities, and the complexity of communication.

Security in the Energy Sector


Another successful event organised by NextSec and hosted by KPMG.

Great speakers and fantastic networking opportunities for junior security professionals.

I feel very proud to be a NextSec committee member.

An Introduction to Industrial Control Systems Security Part III: Auditing the Environment

Sometimes following the general advice outlined in the Overview of Protection Strategies is not enough to ensure the security of a system, and one may choose to perform a penetration test.

Security assessments of this highly sensitive environment should be conducted with extreme care. They require not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and their vulnerabilities.


In the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:

  • Modicon Momentum PLC
  • Rockwell Automation MicroLogix 1100 PLC
  • Siemens S7 1200 PLC
  • Small embedded RTU device

The original SCADA protocols (vendor-specific protocols include Modbus RTU, DF1, Conitel, and Profibus) were serial-based, with the master station initiating the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.

To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.


If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
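As an added example (not part of the original post, and not code from Modscan32, Wireshark or the simulator), the decoder below shows what a tool has to understand before it can read register data or spot misuse on a Modbus/TCP link: it parses the MBAP header and the PDU of the common read and write function codes, and applies one simple detection rule, raising an alert when a write request comes from a host that is not on the allowlist of master stations. The allowlist, IP addresses and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int            # base code, with the 0x80 exception bit cleared
    is_exception: bool
    exception_code: Optional[int] = None
    start_address: Optional[int] = None
    quantity: Optional[int] = None
    values: List[int] = field(default_factory=list)


def parse_modbus_tcp(payload: bytes, is_request: bool) -> ModbusFrame:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    fc, data = payload[7], payload[8:]
    if fc & 0x80:                         # exception response: base code | 0x80, then exception code
        return ModbusFrame(tid, uid, fc & 0x7F, True,
                           exception_code=data[0] if data else None)
    start = qty = None
    values: List[int] = []
    if fc in (1, 2, 3, 4):
        if is_request:
            start, qty = struct.unpack(">HH", data[:4])
        else:
            count, body = data[0], data[1:1 + data[0]]
            if fc in (3, 4):              # 16-bit registers, big-endian
                values = list(struct.unpack(">%dH" % (count // 2), body))
            else:                         # coils/inputs arrive as packed bits; keep the raw bytes
                values = list(body)
    elif fc in (5, 6):                    # request and response both carry address + value
        start, value = struct.unpack(">HH", data[:4])
        qty, values = 1, [value]
    elif fc in (15, 16):
        start, qty = struct.unpack(">HH", data[:4])
        if is_request:
            count, body = data[4], data[5:5 + data[4]]
            values = list(struct.unpack(">%dH" % (count // 2), body)) if fc == 16 else list(body)
    else:
        raise ValueError(f"unsupported function code {fc}")
    return ModbusFrame(tid, uid, fc, False, start_address=start, quantity=qty, values=values)


# Constructed allowlist: the only station permitted to issue write requests.
ALLOWED_MASTERS = {"10.0.1.10"}


def check_frame(src_ip: str, direction: str, raw: bytes,
                allowed_masters=ALLOWED_MASTERS) -> Tuple[ModbusFrame, List[str]]:
    """Decode a frame and return it together with any alerts it raises."""
    frame = parse_modbus_tcp(raw, direction == "request")
    name = FUNCTION_NAMES.get(frame.function_code, f"FC{frame.function_code}")
    alerts = []
    if direction == "request" and frame.function_code in WRITE_FUNCTIONS \
            and src_ip not in allowed_masters:
        alerts.append(f"{name} to unit {frame.unit_id} address {frame.start_address} "
                      f"from non-allowlisted host {src_ip}")
    if frame.is_exception:
        # Exceptions are normal in small numbers; a burst from one master is worth a look.
        alerts.append(f"exception code {frame.exception_code} in reply to {name} "
                      f"(transaction {frame.transaction_id})")
    return frame, alerts


def analyse(traffic, allowed_masters=ALLOWED_MASTERS) -> List[str]:
    """Run the detection rule over (source IP, direction, raw ADU) tuples."""
    alerts: List[str] = []
    for src_ip, direction, raw in traffic:
        alerts.extend(check_frame(src_ip, direction, raw, allowed_masters)[1])
    return alerts


# Constructed sample frames (not a real capture): (source IP, direction, raw ADU)
SAMPLE_TRAFFIC = [
    ("10.0.1.10", "request",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # read 10 regs
    ("10.0.2.5",  "response", bytes.fromhex("0001 0000 0017 01 03 14") + bytes(range(20))),
    ("10.0.1.99", "request",  bytes.fromhex("0002 0000 0006 01 06 0010 1234")),   # write reg 16
    ("10.0.2.5",  "response", bytes.fromhex("0002 0000 0003 01 86 02")),          # illegal address
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_TRAFFIC):
        print("ALERT:", line)
```

The same structure is what an industrial-aware IDS keeps per flow; in practice the allowlist would be learned from the engineering documentation or a baseline capture, and the alert would carry the MBAP transaction id so the request and its response can be paired.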


An Introduction to Industrial Control Systems Security Part II: An Overview of Protection Strategies

Initially, since most ICS components were physically located in secured areas and were not connected to IT systems or networks, local threats were the only security concern. As merging ICS and IT networks has become increasingly prevalent, the former have become significantly less isolated from the outside world, thus requiring security measures to protect them from external and remote threats.

Additionally, the implementation of wireless networking makes the ICS vulnerable to physically proximate adversaries who do not have direct access to the equipment. The endless list of possible adversaries or threats to an ICS might include discontented employees, hostile governments, malicious intruders, terrorist groups, natural disasters, accidents, complexities as well as accidental or malicious actions by insiders. Therefore, the security objectives for any ICS must follow the priority of availability, integrity and confidentiality, in that order.

An ICS may face the following possible scenarios:

  • A modification to the ICS software or configuration settings, or ICS software infection with malware.
  • ICS operation disruption due to delayed or blocked traffic through the ICS network.
  • Interference with the operation of safety systems, which could endanger human life.
  • Unauthorised changes to commands, instructions, or alarm thresholds, which could disable, damage or shut down equipment, create environmental impacts and risk human life.
  • Inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions.

An ICS implementation should include the following main security objectives:

  • Physical access restrictions to the ICS network and devices. A combination of card readers, locks, and/or security guards could be used as physical access controls to protect the ICS’s components from functionality disruptions.
  • Individual ICS component protection from exploitation. Security patches should be deployed as quickly as possible, after they have been tested under field conditions. All unused ports and services should be disabled, ICS user privileges should be restricted to only those that are required for each individual role, audit trails should be tracked and monitored, and security controls such as antivirus software and file integrity checking software should be used whenever it is technically feasible to prevent, detect, deter and mitigate malware.
  • Logical access restrictions to the ICS network and network activity. In order to prevent information flow from travelling directly between the ICS and the corporate networks, a demilitarized zone (DMZ) network architecture with firewalls can be used, along with separate authentication mechanisms and credentials for the ICS and corporate network users. Additionally, a network topology with multiple layers can be implemented, keeping the ICS’s most critical communications in the most reliable and secure layer.
  • Maintenance of functionality during adverse conditions. In order to do so, the ICS must be designed so that each critical component has a redundant counterpart. If and when a component fails, it should do so in a way that avoids generating unnecessary traffic on the ICS and other networks and does not trigger a cascading event or other problems elsewhere.
  • System restoration after an incident. Because incidents are inevitable, it is essential to have an incident response program. The mark of an effective security plan is how quickly a system can be restored after an incident has disrupted it. It is thus vital for a cross-functional cyber security team from various domains to share their experience and knowledge and to work together in evaluating and reducing the possible risk to the ICS. This team must at the very least include a member of the company’s IT staff, a control system operator, a control engineer, a network and system security expert, a member of the management staff, and a member of the physical security department. Additionally, for consistency, this cyber security team must consult with the control system vendor and system integrator. They should report to the organisation’s CIO/CSO or the site management, who must take full responsibility and assume complete accountability for the ICS’s cyber security. An effective ICS cyber security program must focus on a “defense-in-depth” strategy, which layers the security mechanisms to minimise the impact of a failure in any one of them.


CSSP recommended defence-in-depth architecture (NIST 800-82)

A defense-in-depth strategy in any typical ICS therefore requires:

  • Physical access restrictions to the ICS network and devices.
  • Modern technology, such as smart cards, for Personal Identity Verification (PIV).
  • The application of an ICS layered network topology, with the most critical communications occurring in the most reliable and secure layer.
  • The implementation of a DMZ network architecture to prevent traffic between the ICS and corporate networks.
  • The establishment of a logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks).
  • The implementation of separate authentication mechanisms and credentials for users of the corporate network and the ICS network.
  • The application of role-based access control and the configuration of each individual role based on the principle of least privilege, which means restricting ICS user privileges to those required for each job.
  • The employment of security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
  • The implementation of security techniques such as cryptographic hashes and/or encryption to ICS data storage and communications where appropriate.
  • The rapid deployment of security patches after testing all patches under field conditions before installation on the ICS.
  • The disablement of unused ports and services on ICS devices, after testing to avoid impacting ICS operation.
  • Tracking and monitoring audit trails on critical areas of the ICS.
  • Ensuring that critical components are redundant and are on redundant networks.
  • The design of critical systems for graceful degradation (fault tolerance) to prevent catastrophic cascading events.
  • Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
  • The development of security policies, procedures, training and educational material that are specifically applicable to the ICS.
  • Taking into account the ICS security policies and procedures following the Homeland Security Advisory System Threat Level, and employing progressively amplified security measures as the Threat Level increases.

Guide to Industrial Control Systems (ICS) Security by NIST