IC34M Module 7 v3

This document outlines the content of IC34M Module Seven, focusing on Intrusion Detection Systems (IDS), system hardening, and best practices for securing various systems and devices. It emphasizes the importance of reducing attack surfaces through system hardening techniques and provides guidance on securing operating systems, industrial automation devices, and network components. Additionally, it includes resources for further guidance and assessment questions to evaluate understanding of the material.

Uploaded by shadowz

IC34M Module Seven v3

©2023 ISA

Notes:

After completing this module, you should be able to:

• Describe an Intrusion Detection System (IDS)

• Define Network Intrusion Detection System

• Define Host Intrusion Detection System

• Explain the differences between Network and Host Intrusion Detection Systems

• Describe IDS best practices

Notes:

In this module, we will discuss the need for System Hardening to increase defenses and
reduce possible attacks.

Notes:

You may be asking, what is system hardening?


System hardening is the process of securing a system by reducing its attack surface, that is, reducing the available vectors of attack. It includes:
• Removal of unnecessary software
• Removal of unnecessary user accounts
• Strong access controls (e.g., multifactor authentication)
• Disabling or removal of unnecessary services
• Installation of security patches

All of these things together are part of a defense-in-depth approach to system hardening.

Notes:

So, what types of systems or devices can be hardened?


Nearly anything that is configurable! This includes:
• Operating Systems
• Databases
• Applications
• Managed Switches
• Routers and Firewalls
• Communication Gateways
• Modems
• Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs)
• Intelligent Electronic Devices (IEDs)
• Variable Frequency Drives (VFDs)

As a general rule, if it is configurable there are some hardening steps you can take. Let’s
take a closer look at some of these.

Notes:

While not the most glamorous part of a cybersecurity analyst's job, OS hardening is very
important and necessary to keep the attack surface down. Where can you turn for guidance
on OS hardening?
• The National Institute of Standards and Technology (NIST) has Special Publication 800-123, the "Guide to General Server Security".
• Microsoft has numerous guides.
• The Center for Internet Security (CIS) has Security Benchmarks.
• The Defense Information Systems Agency (DISA) has the "Security Technical Implementation Guides", known as STIGs and often referred to by their acronyms as DISA STIGs. A good portion is open to the public, but some require a government ID card.

There are additional security guides from automation suppliers, including Yokogawa, Emerson, Honeywell, Siemens and others.

Notes:

When it comes to securing the system, what are the steps that you take?
Here is a list of some of the most common steps to securing an OS.
• Keep the OS current on all patches and updates.
• Review, remove or disable any unnecessary services, applications, and network protocols. Microsoft OSs come with games, like Solitaire, which may seem fun but are unnecessary on a work machine. Make sure only needed applications and services are enabled. You may want to review your permissions and "lock down" the ability to install or enable these as well.
• This leads to the next step: configure access controls appropriately. Remember to practice least privilege when it comes to user accounts.
• Also configure the OS's user authentication to ensure only authorized users can access the system.
• Install and configure additional security controls.
• Be sure to test the security of the OS to ensure all the configurations are set appropriately.

Here is a good list of unnecessary software and services.
• Games
• Unused device drivers for hardware, such as printers
• Messaging services
• Servers or clients for unused Internet or remote access services
• Software compilers (except on non-production development machines)
• Unused protocols and services
• Unused administrative utilities, diagnostics, network management and system management functions. When users have problems, admins have many tools they use to resolve them; be sure to clean up and uninstall any utilities after the problems are resolved.
• Test and sample programs or scripts
• Unused productivity suites and word processing utilities
• Unlicensed tools and shareware; these can be a liability as well as a security concern.
• Universal Plug and Play services
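The OS hardening steps and the unnecessary-software list above, turned into a small audit. This is an added example, not part of the ISA module; the account, shadow and service data are constructed, and the host role and its service allowlist are assumptions.

```python
# Constructed sample data in /etc/passwd and /etc/shadow layout.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
contractor:x:1001:1001::/home/contractor:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
backup:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
contractor::19650:0:99999:7:::
"""
# Constructed output of `systemctl list-unit-files --state=enabled` (names only).
ENABLED_SERVICES = ["ssh.service", "telnet.socket", "cups.service",
                    "rsyslog.service", "avahi-daemon.service"]
# Services this host role (assumed here: an HMI server) actually needs.
ALLOWED_SERVICES = {"ssh.service", "rsyslog.service"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

def audit_accounts(passwd_text, shadow_text):
    """Return least-privilege findings for the account database."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            shadow[name] = pw
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if shadow.get(name) == "":
            findings.append(f"{name}: empty password field, login needs no password")
        # Service accounts should never have an interactive shell.
        if uid < 1000 and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: system account with interactive shell {shell}")
    return findings

def audit_services(enabled, allowed):
    """Return enabled services that are not on the allowlist for this host role."""
    return sorted(set(enabled) - set(allowed))
```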

Notes:

It is extremely difficult and time-consuming to try to manage all the group policy object
settings by hand. There are many tools out there to automate that management, including Active
Directory and the Microsoft Windows Security Compliance Manager. The Defense Information
Systems Agency (DISA) has technical implementation guides that can help in automating
these processes. When you click on the security option and export, there are over 100
settings, so changing the configuration on each device is time-consuming if done manually.

Notes:

Material covered in lab demonstrations is not included on the certificate exam.

Notes:

The Center for Internet Security has configuration benchmarks, which are recommended
controls used for hardening devices, applications, and networks. They were defined through
a consensus of hundreds of security professionals in government, business, and academia.
A number of free benchmarks are available as PDFs, and even more are available to members in
machine-readable XML format for integration into systems. Many enterprises use these
as the de facto standard for IT configuration best practices. There are others out there, but
this one seems to have gained the most presence.

You can find more at cisecurity.org, including a list of benchmarks for Microsoft and
Linux operating systems.

The benchmarks for Windows 11 and over 25 vendor products can be downloaded. Again,
see CIS’s website for more information.

The Windows 11 Benchmark has prescriptive guidance for establishing a secure configuration
posture. It details approximately 250 recommended settings for local group policies. For
each policy, there is a description, rationale, audit, remediation, impact, default value,
and references.

Notes:

Now that you understand more about System Hardening, let’s take a look at device
hardening.

Industrial Automation and Control Systems (IACS) consist of a large number of non-Windows
devices (i.e., endpoints). These devices are typically cyber-physical devices, as they actually
control the physical process. These devices can be networked and run embedded operating
systems. Some examples you are likely familiar with are:
• PLCs
• Motors & Drives
• I/O
• HMIs
• Sensors & Analyzers
• IEDs
• and Flow Computers

Notes:

Just like with Operating System Guidance, you want to know where to turn for guidance on
IACS Devices.

NIST publishes the Guide to Industrial Control System (ICS) Security.

Always look to the vendor for specific guidance, such as with the Rockwell controllers listed
here.

Independent test reports are also available from Achilles and ISASecure for products; these
describe the type of security the products are required to meet.

Notes:

Material covered in lab demonstrations is not included on the certificate exam.

Notes:

We have covered Operating System Hardening and Device Hardening, now let’s discuss
Network Hardening.

To provide a solid defense-in-depth strategy, it is not sufficient to just look at the endpoints;
you need to consider the network that ties all the devices together. This means hardening
network components such as:
• switches
• routers
• firewalls
• gateways
• access points
• and IDS sensors

This example references a Cisco device, but the same applies to any device. There are three
integral components of a telecommunications architecture. Think of these three planes as
different areas of operations. Each plane carries a different type of traffic and is conceptually
(and often in reality) an overlay network: a logical network that runs independently of the
others, although it is supported by the same underlying infrastructure.

Click each plane to learn more about it.

Notes:

There are many network hardening guidance resources including NSA, Cisco, SANS Institute, and NIST. It is best to
start with the vendor and go on from there. Look at the best practices to help determine what you require.

Best Practices (Slide Layer)

The best practices for network devices should look familiar; there are commonalities to all
the best practices.
• Install all firmware updates.
• Compare the file hash to the manufacturer's published hash.
• Shut down unused physical interfaces and network devices.
• Enable and configure access control on switch ports.
• Change and encrypt passwords (e.g., use enable secret on Cisco devices).
• Enable logging. Be sure to collect the logs (e.g., via syslog) and review them regularly.
• Shut down all unneeded services.
• Use secure protocols for remote management. Be sure to disable Telnet, as it is not secure; clients such as PuTTY offer a secure alternative. Use SSHv2 and use HTTPS when available.
• Restrict remote management to specific, well-protected computers.
• Use SNMPv3 with encryption enabled.
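The network-device best practices above, checked against a device configuration. This is an added example, not part of the ISA module or any vendor tool; the Cisco IOS-style running-config is constructed with deliberate weaknesses, and the line patterns it looks for are the assumptions.

```python
import re

# Constructed sample running-config with several weaknesses on purpose.
RUNNING_CONFIG = """\
hostname plant-sw01
enable password Cisco123
ip http server
snmp-server community public RO
logging host 10.0.0.5
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet1/0/12
 description spare
interface GigabitEthernet1/0/13
 shutdown
"""

# (finding text, pattern that must be present, pattern that must be absent)
CHECKS = [
    ("Telnet allowed on VTY lines; use transport input ssh", None, r"^\s*transport input .*telnet"),
    ("SSH version 2 not enforced (ip ssh version 2)", r"^ip ssh version 2$", None),
    ("enable password used instead of enable secret", r"^enable secret ", r"^enable password "),
    ("Plaintext HTTP management enabled; use ip http secure-server", None, r"^ip http server$"),
    ("SNMP v1/v2c community string configured; use SNMPv3", None, r"^snmp-server community "),
    ("No syslog collector configured (logging host)", r"^logging host ", None),
]

def open_interfaces(config):
    """Return interfaces whose stanza has no 'shutdown' line, for the reviewer to confirm."""
    open_ifaces, current, is_shut = [], None, False
    for line in config.splitlines() + ["end"]:
        if not line.startswith(" "):            # start of a new top-level stanza
            if current and not is_shut:
                open_ifaces.append(current)
            current, is_shut = None, False
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
        elif current and line.strip() == "shutdown":
            is_shut = True
    return open_ifaces

def audit_config(config):
    """Return the list of best-practice findings for one device config."""
    findings = []
    for text, must_have, must_not in CHECKS:
        missing = must_have and not re.search(must_have, config, re.M)
        present = must_not and re.search(must_not, config, re.M)
        if missing or present:
            findings.append(text)
    for iface in open_interfaces(config):
        findings.append(f"{iface} is not shut down; confirm it is in use")
    return findings
```

The interface check only lists ports that are not administratively down; compare the list against the port inventory rather than shutting ports down blindly.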

Notes:

After completing this module, you should be able to:


• Identify the 7 Foundational Requirements (FR) from ISA-62443-3-3 and their associated technologies.
• Identify the component classifications in ISA-62443-4-2.
• Explain the relationship between ISA-62443-3-3, ISA-62443-4-1, and ISA-62443-4-2.
• Use SL-T to find ISA/IEC 62443-3-3 System Requirements (SR) and Requirement Enhancements (RE).

3. Review

3.1 Course Review

Assessment Questions:

1. What are the CIS Benchmarks?

2. What is system hardening?

3. Can you achieve sufficient security by hardening endpoints?

4. How can IACS devices be hardened?

5. Name five network device hardening best practices.

4.8 End of Module 7
