Description

As industry continues to grow in scale, cyber attacks have increased markedly. Understanding the vulnerabilities of controlled systems, and learning how to defend against the cyber threats that critical infrastructure systems face, is becoming ever more important. Drawing on real-world cases, Industrial Cybersecurity (reprint edition, English) by Pascal Ackerman introduces the methods and security measures needed to protect critical infrastructure systems and helps you quickly identify challenges for which no precedent yet exists.

The book begins with Industrial Control System (ICS) technology, including ICS architecture, communication media and protocols. It then examines the security, and the insecurity, of ICS. After walking through ICS-related attack scenarios, it discusses ICS security issues, including topics such as network segmentation, defense-in-depth strategies and protective solutions.

Beyond worked examples of protecting industrial control systems, the book also covers security assessment, risk management and security program development in detail. It further covers fundamental network security, such as threat detection and access management, and includes discussion of topics related to endpoint hardening, such as monitoring, updating and anti-malware implementation.

About the author

Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and over 15 years of experience in designing, troubleshooting, and securing large-scale industrial control systems and the various types of network technologies they utilize. After more than a decade of hands-on, in-the-field experience, he joined Rockwell Automation in 2015 and is currently employed as Senior Consultant of Industrial Cybersecurity with the Network and Security Services Group. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries.
Table of Contents

Preface

Chapter 1: Industrial Control Systems
  An overview of an Industrial control system
  The view function
  The monitor function
  The control function
  The Industrial control system architecture
  Programmable logic controllers
  Human Machine Interface
  Supervisory Control and Data Acquisition
  Distributed control system
  Safety instrumented system
  The Purdue model for Industrial control systems
  The enterprise zone
  Level 5 - Enterprise network
  Level 4 - Site business planning and logistics
  Industrial Demilitarized Zone
  The manufacturing zone
  Level 3 - Site operations
  Level 2 - Area supervisory control
  Level 1 - Basic control
  Level 0 - Process
  Industrial control system communication media and protocols
  Regular information technology network protocols
  Process automation protocols
  Industrial control system protocols
  Building automation protocols
  Automatic meter reading protocols
  Communication protocols in the enterprise zone
  Communication protocols in the Industrial zone
  Summary

Chapter 2: Insecure by Inheritance
  Industrial control system history
  Modbus and Modbus TCP/IP
  Breaking Modbus
  Using Python and Scapy to communicate over Modbus
  Replaying captured Modbus packets
  PROFINET
  PROFINET packet replay attacks
  S7 communication and the stop CPU vulnerability
  EtherNet/IP and the Common Industrial Protocol
  Shodan: The scariest search engine on the internet
  Common IT protocols found in the ICS
  HTTP
  File Transfer Protocol
  Telnet
  Address Resolution Protocol
  ICMP echo request
  Summary

Chapter 3: Anatomy of an ICS Attack Scenario
  Setting the stage
  The Slumbertown paper mill
  Trouble in paradise
  Building a virtual test network
  Clicking our heels
  What can the attacker do with their access?
  The cyber kill chain
  Phase two of the Slumbertown Mill ICS attack
  Other attack scenarios
  Summary

Chapter 4: Industrial Control System Risk Assessment
  Attacks, objectives, and consequences
  Risk assessments
  A risk assessment example
  Step 1 - Asset identification and system characterization
  Step 2 - Vulnerability identification and threat modeling
  Discovering vulnerabilities
  Threat modeling
  Step 3 - Risk calculation and mitigation
  Summary

Chapter 5: The Purdue Model and a Converged Plantwide Ethernet
  The Purdue Enterprise Reference Architecture
  The Converged Plantwide Enterprise
  The safety zone
  Cell/area zones
  Level 0 - The process
  Level 1 - Basic control
  Level 2 - Area supervisory control
  The manufacturing zone
  Level 3 - Site manufacturing operations and control
  The enterprise zone
  Level 4 - Site business planning and logistics
  Level 5 - Enterprise
  Level 3.5 - The Industrial Demilitarized Zone
  The CPwE industrial network security framework
  Summary

Chapter 6: The Defense-in-depth Model
  ICS security restrictions
  How to go about defending an ICS?
  The ICS is extremely defendable
  The defense-in-depth model
  Physical security
  Network security
  Computer security
  Application security
  Device security
  Policies, procedures, and awareness
  Summary

Chapter 7: Physical ICS Security
  The ICS security bubble analogy
  Segregation exercise
  Down to it - Physical security
  Summary

Chapter 8: ICS Network Security
  Designing network architectures for security
  Network segmentation
  The Enterprise Zone
  The Industrial Zone
  Cell Area Zones
  Level 3 site operations
  The Industrial Demilitarized Zone
  Communication conduits
  Resiliency and redundancy
  Architectural overview
  Firewalls
  Configuring the active-standby pair of firewalls
  Security monitoring and logging
  Netwo