Eric Knapp's book Industrial Network Security shipped this month and is also available for the Kindle. It is a tough book to review because the quality and accuracy was very uneven. As compared to other ICS Security books available today, grading on a curve, it deserves 4 stars out of a possible 5. However, it would only rate 2 stars if there was a high quality book on applying technical and administrative IT security to control systems. Unfortunately that book has not yet been written.
The highlights of this book are Chapter 8: Exception, Anomaly and Threat Detection and Chapter 9: Monitoring Enclaves. Not surprising since Eric works for SIEM vendor NitroSecurity (fd: NitroSecurity advertises on digitalbond.com). He covers in detail detection and monitoring for general networks and then with specific ICS examples. For example, Figure 9.12 shows a SIEM dashboard monitoring PI activity such as PI Trust Granted, PI Point Deletion and PI Point Alteration. I'll be rereading these chapters, and they would be helpful for a control system engineer trying to learn security.
Unfortunately I cannot recommend this book for an IT security professional who wants to learn about control systems. There is a lot of important information and good advice, but they would also be misled in important and numerous ways. The two most egregious examples are:
1. The author spends a lot of time on enclaves, his term for security zones. He follows that basics of the Purdue model, but his use of the SCADA DMZ is troubling. It is likely that an IT Security professional reading this would think that pipeline, water canal or transmission SCADA servers and workstations should go in a SCADA DMZ and be directly accessible from the corporate network through a perimeter security device. This does not reflect what is going on in actual ICS, what you would want if you were developing an ICS security architecture, nor the recommendations in the standards and guidelines today. It is missing important, real world discussions of control centers, plant floors, SCADA field sites, and DMZ's between control centers and business networks.
2. When defining components in an ICS the author has all of the HMI's communicating directly with the PLC's; he is missing the SCADA or Realtime Server that is common, especially in larger, critical infrastructure control systems. This is one of the most important servers to secure and it is not even mentioned.
There are enough other instances that were either wrong or not characterized as well as they should be that an IT Security Professional would be led down the wrong path by reading this book because they don't have the experience to know what is accurate.
There are gems in this book where I wrote YES in the margin, the reader just has to sift through the earth to find them. However, at 341-pages there is a lot of earth here and a control system engineer would learn from reading this book. It clearly is better than the Techno Security book because it does speak directly to ICS and a lot more detailed than the ISA/Teumim book with the same title that is 200 pages shorter and with a big font.
My reading recommendation is to start with Chapter 5, then Chapter 4, followed by Chapters 7, 8, and 9. Some other reading suggestions:
- The Tips that are broken out are some of the best and most concise info in the book.
- Also excellent are the tables that pull out the key requirements from various NIST, NISCC, ISA and other standards and guideline documents. The author then adds context and information on meeting the requirements. The tables are dense with info, but are worth reading.
- Skip the frustrating Chapters 2 and 3. The title of the chapters does not reflect what is in the chapter. For example, Chapter 3: Introduction to Industrial Network Security is mostly about APT and Cyber War, and even there the APT discussion is wrong. Chapter 2: About Industrial Networks is actually covered better in Chapter 5 -- just go straight to Chapter 5. I blame the editor for allowing Chapters 2 and 3, and hopefully not too many readers will lose interest before getting to the much better content.
- Smart Grid is discussed in a cursory way that is just a distraction. But again this is mostly in the earlier chapters that you should skip. (Note: this book continues the annoying trend in the US of saying smart grid but really meaning AMI rather than the diversity of projects under the smart grid umbrella.)
- Chapter 7: Establishing Secure Enclaves should be read just as background for the excellent Chapters 8 and 9. The author makes creating security zones unnecessarily complex, and even states that 5 different security zone levels is likely to be insufficient. I would have also preferred some priorities of zones. For example, first to segment the control systems from untrusted networks such as the business network -- and mediate the minimal required communication through a DMZ. Next to segment SCADA field sites from the control center and other field sites, ...
- Securing remote access is not covered in detail in this book. This is a significant omission given that almost every ICS requires for emergency remote access and vendor support.
As I wrote in the beginning, this was a tough book to review with all its highlights and lowlights. Salute the authors serious and substantial effort to produce a book of this size and detail, focus on Chapters 8 and 9, and hope for an improved second edition.
And we still await the definitive book on applying security technical and administrative controls to ICS.