ECCouncil ICS-SCADA - ICS/SCADA Cyber Security Exam

The Modbus protocol was developed by Modicon, now a brand of Schneider Electric.

It was originally designed in 1979 for use with its programmable logic controllers (PLCs) in industrial applications.

Modbus is a serial communications protocol that has become a de facto standard communication protocol and is now commonly used to connect industrial electronic devices. The main reasons for its use are its simplicity and the fact that it is open-source, which allows manufacturers to build their own implementations of the standard.

References

"Modbus Protocol Reference Guide," Modicon, Inc., 1979.

"A Guide to the Modbus Protocol," Schneider Electric.

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

The temporal score in CVSS adjusts the base score of a vulnerability based on factors that change over time, such as the availability of exploits or the existence of patches.

The temporal score includes:

Remediation Level

Report Confidence

Attack Vector and User Interaction are part of the base score, not the temporal score, as they describe the fundamental characteristics of the vulnerability and do not typically change over time.

References

Common Vulnerability Scoring System v3.1: Specification Document.

"Understanding CVSS," by FIRST (Forum of Incident Response and Security Teams).

In the context of physical to logical asset protection in network security, several threats can be directed against the network, including:

Elevation of Privileges: Where unauthorized users gain higher-level permissions improperly.

Flood the Switch: Typically involves a DoS attack where the switch is overwhelmed with traffic, preventing normal operations.

Crack the Password: An attack aimed at gaining unauthorized access by breaking through password security. All these threats can potentially compromise the network's security and the safety of its physical and logical assets.References:

CompTIA Security+ Guide to Network Security Fundamentals.

IEC 62443 is an international series of standards on Industrial communication networks and system security, specifically related to Industrial Automation and Control Systems (IACS). Within the IEC 62443 standards, Security Level 3 is defined as protection against deliberate or specialized intrusion. It is designed to safeguard against threats from skilled attackers (cybercriminals or hackers) targeting specific processes or operations within the industrial control system.References:

International Electrotechnical Commission, "IEC 62443 Standards".

A network switch typically operates at Layer 2 of the OSI model, which is the Data Link layer. This layer is responsible for node-to-node data transfer—a function that involves handling data frames between physical devices on the same network or link. The switch uses MAC addresses to forward data to the appropriate destination within the network.References:

Andrew S. Tanenbaum, "Computer Networks".

IEC 62443 defines multiple security levels (SLs) tailored to address different types of threats and attackers in industrial control systems.

Security Level 4 (SL4) is designed to protect against sophisticated attacks by adversaries such as hacktivists or terrorists. SL4 involves threats that are targeted with specific intent against the organization, using advanced skills and means.

This level assumes that the adversary is capable of sustained and focused efforts with significant resources, including state-level actors or well-funded groups, aiming at causing widespread disruption or damage.

References

IEC 62443-3-3: System security requirements and security levels.

"Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems," by Eric Knapp.

Hacktivism refers to the act of hacking, or breaking into computer systems, for a politically or socially motivated purpose. Hacktivists use their skills to promote a cause, influence public opinion, or bring attention to social injustices. The term combines "hacking" and "activism," representing a form of activism that takes place within cyberspace.References:

Dorothy E. Denning, "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy".

TCP flags are used in the header of TCP segments to control the flow of data and to indicate the status of a connection. Valid TCP flags include:

FIN: Finish, used to terminate the connection.

PSH: Push, instructs the receiver to pass the data to the application immediately.

URG: Urgent, indicates that the data contained in the segment should be processed urgently.

RST: Reset, abruptly terminates the connection upon error or other conditions.

SYN: Synchronize, used during the initial handshake to establish a connection.These flags are integral to managing the state and flow of TCP connections.References:

Douglas E. Comer, "Internetworking with TCP/IP Vol.1: Principles, Protocols, and Architecture".

In ICS/SCADA systems, the highest priority typically is Availability, due to the critical nature of the services and infrastructures they support. These systems often control vital processes in industries like energy, water treatment, and manufacturing. Any downtimecan lead to significant disruptions, safety hazards, or economic losses. Thus, ensuring that systems are operational and accessible is a primary security focus in the context of ICS/SCADA security.References:

National Institute of Standards and Technology (NIST), "Guide to Industrial Control Systems (ICS) Security".

In ICS/SCADA systems, the typical priority hierarchy of the IT Security Model components places Availability and Integrity above Confidentiality. This prioritization is due to the critical nature of operational continuity and data accuracy in industrial control systems, where system downtime or incorrect data can lead to significantoperational disruptions or safety issues. Confidentiality, while important, is often considered of lesser priority compared to ensuring systems are operational (Availability) and data is accurate (Integrity).References:

National Institute of Standards and Technology (NIST), "Guide to Industrial Control Systems (ICS) Security".