Industrial Control Systems Security and
Resiliency Practice and Theory Craig Rieger
Advances in Information Security 75
Craig Rieger
Indrajit Ray
Quanyan Zhu
Michael A. Haney Editors
Industrial Control Systems Security and Resiliency
Practice and Theory
Advances in Information Security
Volume 75
Series editor
Sushil Jajodia, George Mason University, Fairfax, VA, USA
More information about this series at http://www.springer.com/series/5576
Editors
Craig Rieger
Critical Infrastructure Security
and Resilience
Idaho National Laboratory
Idaho Falls, ID, USA
Indrajit Ray
Department of Computer Science
Colorado State University
Fort Collins, CO, USA
Quanyan Zhu
Department of Electrical and Computer
Engineering
Tandon School of Engineering
New York University
Brooklyn, NY, USA
Michael A. Haney
Department of Computer Science
University of Idaho
Idaho Falls, ID, USA
ISSN 1568-2633
Advances in Information Security
ISBN 978-3-030-18213-7 ISBN 978-3-030-18214-4 (eBook)
https://doi.org/10.1007/978-3-030-18214-4
© Springer Nature Switzerland AG 2019
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
While cybersecurity has been a consideration of information technologies (IT) for
years, only since the last decade has an increase in concern for the security and
resulting safety of our industrial control systems (ICS) been observed. Through
standards and governmental agency guidance, the resources have been provided to
better enable the asset owners to orchestrate better security architectures with current
security technologies. Security vendors have advanced their product offerings to
improve defenses against the evolving threat, and within the ICS community, ICS
vendors have taken an active role to provide resources to the end users that enable
consistent application and maintenance of cybersecurity. However, the threats that
are specifically targeting ICS and the critical infrastructures we depend on are
becoming more evident, as recognized by the HAVEX malware and others since
then. Even with a consistent, risk-based application of security, an international
challenge exists to evolve and transform the system architectures and technologies to
be more resilient to cyber-threats.
As the desire to automate and achieve the efficiencies of labor and operation has
grown, so has the investment in control systems that allow for integrating different
operations, facilities, utilities, and infrastructures. Although significant strides have
been made in making ICS secure, increasing the connectivity of systems with
commodity IT devices and significant human interaction of ICS systems during its
operation regularly introduces newer threats to these systems resulting in ICS
security defenses always playing catch-up. To address this threat in the near-term
solutions, the layers of protection that include those that are physically oriented, such
as mechanically interlocking devices that have no cyber-connectivity, can reduce the
risk associated with compromise of critical systems. However, as control systems
evolve toward greater autonomy, reducing/changing the role of the human, the need
to consider resilience becomes more profound. Autonomous systems can react
quickly to anomalous conditions, ensuring we have power even if a transformer
fails. However, it can also cause a quick escalation to a cascading fault if the
autonomy has been corrupted by cyber-attack or unrecognized failure.
The next generation of control systems should have a better understanding of
threat versus quality-of-service trade-offs. Reasoned by such trade-offs, the
next-generation control systems should be designed to be resilient by nature. Such
resilient ICS design requires one to be proactive in understanding and reasoning
about the relationships and dependencies between the various ICS components,
evolving threats to them, and the effects of these threats on the mission goals of
the ICS system. As such, the ability to not only detect but correlate the impact on the
ability to achieve minimum normalcy is a necessary attribute. Enabling the human in
the loop will be necessary throughout, ensuring their ability to adapt to anomalous
conditions that the control system cannot. Threat-resilient architectures will provide
a holistic feedback and data-driven security solution that integrates a real-time
cyber-physical risk assessment, proactive and adaptive defense mechanism, and
decentralized reconfigurable resilient control design. The risk assessment evaluates
the real-time risks at the cyber and physical components of the system that can
provide reliable information for defense and control systems to respond.
Autonomous proactive defense mechanisms, such as deception and moving target
defenses, are pivotal to strategically adapt to adversarial behaviors, create
information asymmetry to deter the attacks, reduce attacker’s advantage, and mitigate the
losses. The resilient control design is the last mile protection for the industrial control
systems. A resilient controller can reconfigure the physical layer control laws that
can steer the control system away from the damages through quick detection, failure
localization, and fast response in a distributed fashion. The integrated design of risk
measure and learning, autonomous defense, and resilient controls plays an important
role in improving the resiliency of the system holistically. Resilience measures
provide quantitative metrics to guide the design process to achieve desirable
system-level performance. Multidimensional metrics, such as response time and
loss of performance, at both cyber and physical layers of the ICS are important
indicators and need to be part of the design goals of the next-generation
architectures.
In this edited volume, we hope to provide different perspectives for achieving
near- and long-term resilience, including technologies of the future. Therefore, what
follows is a synopsis of the current challenges that will need to be addressed in future
control systems designs. Current automation environments are the result of organic
interconnection of control systems and the inability to recognize and prevent
resulting, unrecognized faults. Addressing near-term resilience in this context
requires an understanding of the consequence and efficient use of resources to
address. In moving toward inherent resilience, adaptive and agile distributed
frameworks for recognizing and responding to threat are necessary. Benign human error as
the result of data overload and lack of information is an ongoing issue, and for the
malicious human, current perimeter protections are insufficient and not designed to
adapt rapidly to attacks in order to prevent compromise. The development of
autonomous defenses that use the attackers’ humanness against them is an imperative.
Finally, current control systems have multiple performance goals, but without
the necessary identification and prioritization can lead to undesirable response from
both the human operation and the automation design. Enabling the success of the
operator requires integration of visualizations, such that the various roles of
cyber-defender or process operator can maintain the same context, for the former an
understanding of what is important in the process and the latter how cyber-assets
are affecting the physical operation.
Idaho Falls, ID, USA Craig Rieger
Contents

Part I Current and New Practice
Current Standards for Cyber-Hygiene in Industrial Control System Environments
Ken Modeste
Consequence-Based Resilient Architectures
Curtis St. Michel and Sarah Freeman

Part II Cyber-Modeling, Detection, and Forensics
Cyber-Physical Anomaly Detection for Power Grid with Machine Learning
Pengyuan Wang and Manimaran Govindarasu
Toward the Science of Industrial Control Systems Security and Resiliency
Mohammad Ashiqur Rahman and Ehab Al-Shaer
Toward Cyber-Resiliency Metrics for Action Recommendations Against Lateral Movement Attacks
Pin-Yu Chen, Sutanay Choudhury, Luke Rodriguez, Alfred O. Hero, and Indrajit Ray

Part III Proactive Defense Mechanism Design
Moving Target, Deception, and Other Adaptive Defenses
Benjamin Blakely, William Horsthemke, Alec Poczatec, Lovie Nowak, and Nathaniel Evans
Beyond Mirages: Deception in ICS—Lessons Learned from Traditional Networks
Nate Soule and Partha Pal
Moving Target Defense to Improve Industrial Control System Resiliency
Adrian R. Chavez
Proactive Defense Through Deception
Massimiliano Albanese and Sushil Jajodia
Next-Generation Architecture and Autonomous Cyber-Defense
Carol Smidts, Xiaoxu Diao, and Pavan Kumar Vaddi

Part IV Human System Interface
Fault Understanding, Navigation, and Control Interface: A Visualization System for Cyber-Resilient Operations for Advanced Nuclear Power Plants
Christopher Poresky, Roger Lew, Thomas A. Ulrich, and Ronald L. Boring

Part V Metrics
Resilient Control System Metrics
Timothy R. McJunkin and Craig Rieger

Part I
Current and New Practice
Current Standards for Cyber-Hygiene
in Industrial Control System Environments
Ken Modeste
Abstract Industrial control systems (ICS) have historically been closed systems
reliant on serial connectivity that was exclusive to these networks. The potential for
cybersecurity incidents associated with these closed systems required physical
access to the facilities and hence was considered low risk in most circumstances.
Introduction
Industrial control systems (ICS) have historically been closed systems reliant on
serial connectivity that was exclusive to these networks. The potential for
cybersecurity incidents associated with these closed systems required physical access to the
facilities and hence was considered low risk in most circumstances.
However, as technology has rapidly adapted to a newer world of connectivity,
the Internet of things (IoT), and cloud systems, and with the potential for ICS
connectivity to information technology (IT) systems and the general trend toward IoT, these
systems have been migrating to open systems that are connected via Ethernet or
wireless to the rest of the commercial-use networks in facilities. As such, these open
networks are now being connected to the Internet for a multitude of innovative and
new capabilities, driving some areas such as:
(a) Remote maintenance and diagnostics of facility equipment
(b) Data collection and analytics
(c) Cloud service capabilities
(d) Smart systems with aggregation of sensor data for business analytics
Vendors, system installers, operators, and facility owners now have newer
capabilities that promote economic value and technology upgrades that align with
twenty-first-century opportunities and competitiveness. The traditional and managed
concepts of safety that covered hazards like fire, electric shock, or personal harm now
have additional risks with this new connectivity to other commercial and enterprise
systems and the Internet. These new risks to safety can now be classified as
disruption of businesses; additional risks to new safety concerns like privacy,
exfiltration of data, remote control, and modification of equipment outside of their
intended use; and ultimately use of ICS equipment and systems for unplanned
nefarious purposes.

K. Modeste (*)
Underwriters Laboratories, Northbrook, IL, USA
e-mail: Ken.Modeste@ul.com
© Springer Nature Switzerland AG 2019
C. Rieger et al. (eds.), Industrial Control Systems Security and Resiliency, Advances in Information Security 75, https://doi.org/10.1007/978-3-030-18214-4_1

Incorporating new cyber-technologies, methods, and processes in the design,
development, installation, support, and use of ICS equipment requires
standardization to support the industry in applying best practices that are economically feasible,
relevant, and capable of assessing and managing these risks. Understanding the
relevant standards and specifications available that can be applied to the ICS industry
can support all stakeholders in continuing to apply new and innovative technologies
that address connectivity and IoT opportunities while effectively managing the
associated risk.
Ways to Address Cyber-Hygiene
Consider cyber-hygiene similarly to our own personal bodies and health hygiene
practices. As personal hygiene revolves around activities that individuals incorporate
into their regular practices, cyber-hygiene does the same. What are the best practices
that organizations can deploy to continue to maintain the organization’s cyber-well-
being or improve upon it?
These best practices can involve the following common solution areas:
1. Design specifications and standards
   These standards and specifications help manufacturers by providing guidance
   in how to implement cybersecurity controls in products, components, and
   systems in aligned industries. These design standards may also apply to specific
   technologies that implement good cyber-capabilities (i.e., cryptography, software
   updates, etc.).
2. Test and performance standards
   These standards provide capabilities to evaluate and assess cybersecurity
   capabilities in products, components, and systems. Typically, they are used by
   trusted third parties to evaluate, assess, or audit cybersecurity practices, or can be
   used to assess a design standard.
3. Product development team processes
   Frameworks that define the process used to build products from their inception
   to their eventual decommissioning. These processes incorporate cybersecurity
   features from the beginning to ensure a vendor’s cybersecurity objectives are
   built into the development process.
4. Organization and process standards
   Audit criteria for assessing an organization’s overall cybersecurity practices.
   Vendors, system installers, and building owners have standard operating
   procedures that cover their business practices.
5. Personnel training
   These standards provide the criteria for a person to be evaluated for their
   qualifications to support cybersecurity capabilities in the ICS space.
6. General
   These standards and specifications typically will define technologies and
   provide general system descriptions and overall technical guidance on how
   particular technologies operate.
Standards
North American Electric Reliability Corporation Critical
Infrastructure Protection (NERC CIP)
One of the better-known sets of standards is the NERC CIP [1] series of standards for
physical security and cybersecurity. These standards provide minimum security
requirements for bulk power generation in the USA, Canada, and parts of Mexico.
These standards were adopted in 2006 and are defined in Table 1.
The NERC standards provide for a comprehensive cybersecurity framework.
These standards are considered typical in an audit process to confirm that the policies
and procedures in place can provide a minimum level of security for BES. There are
also some associated security best practices that can be located at
https://www.eisac.com/resources/documents.
ISA/IEC 62443
ISA99 is the name of the Industrial Automation and Control System (IACS) Security
Committee of the ISA [2]. This committee developed the series of ISA 62443 standards
and technical reports. The intended audience for this series of standards and
technical reports is asset owners, system operators and integrators, and ICS
manufacturers. It is intended to provide guidance that an asset owner can use as procurement
criteria for its supply chain and for system operators to follow. These standards are now
being reviewed and published as IEC 62443 in conjunction with IEC Technical
Committee 65 Working Group 10 (IEC TC65/WG 10) as international standards.
They fall into four categories, as defined in Table 2 for IEC publications.
These standards are well known in the factory automation space and are seeing
some traction in the oil and gas market. They are designed specifically to ensure an
asset owner can define cybersecurity objectives for its automation facility with a
defined cybersecurity maturity level; manufacturers can then design to those
requirements to meet the security level prescribed at the maturity level. System installers,
integrators, and service providers can then be trained on the established objectives of
the asset owner and the implementation knowledge of the components to meet those
objectives.

[1] https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[2] ISA, International Society of Automation (http://www.isa.org/)

Underwriters Laboratories (UL) 2900
These standards were developed to provide testing criteria for product components
and systems. The UL 2900 series focuses on the best cybersecurity practices that are
used in assessing devices and components when addressing the software and
firmware. They fall into three categories as defined in Table 3 for the ANSI/CAN/
UL publications.
The UL 2900 series of standards is designed to provide testing criteria to
evaluate and assess manufacturers’ devices, components, and ICS. Its target
audience is asset owners, who can use it as procurement requirements that ICS
manufacturers must meet through third-party testing and certification, and ICS
manufacturers, who can use it on their own supply chain.
Table 1 NERC CIP standards

| Standard | Type | Description |
|---|---|---|
| CIP-002 | Design specifications and standards | Bulk Energy System (BES) Cyber-System Categorization. Provides criteria for the inventory of device and software assets of a BES that can adversely impact the reliability of the BES via a regular risk assessment methodology |
| CIP-003 | Organization and process standards | Policies for security management controls to prevent compromise of the BES |
| CIP-004 | Personnel training | Security awareness and training for personnel operating and managing BES |
| CIP-005 | Design specifications and standards | Electronic security perimeter controls for a BES |
| CIP-006 | Design specifications and standards | Physical security controls for a BES |
| CIP-007 | Design specifications and standards | System security management of BES, which defines the security controls of the system, how to assess those controls, and continuous vulnerability management |
| CIP-008 | Organization and process standards | Incident response and planning policies for a BES |
| CIP-009 | Organization and process standards | Recovery plans for a BES in the event of a shutdown, failure of controls, or a cyber-event |
| CIP-010 | Organization and process standards | Configuration change management policies for a BES |
| CIP-011 | Organization and process standards | Policies and procedures for information protection of a BES |

Table 2 IEC publications

| Standard | Type | Description |
|---|---|---|
| Part 1 | | Series of the standards covers general terms, glossary items, and ICS life cycle and use cases |
| 62443-1-1 | General | Defines terminology, concepts, and models for IACS typically used in factory automation. This section also defines seven functional requirements in securing an IACS, which are: (a) Identification and authentication control; (b) Use control; (c) System integrity; (d) Data confidentiality; (e) Restricted data flow; (f) Timely response to events; (g) Resource availability |
| Part 2 | | Series of the standards covers policies and procedures for an asset owner or system operator |
| 62443-2-1 | Organization and process standards | Industrial communication networks: network and system security. Part 2-1: establishing an industrial automation and control system security program. This standard provides guidance for application of a cybersecurity management system for IACS systems and is based on ISO/IEC 17799 information technology – security techniques – code of practice for information security management and ISO/IEC 27001 standards information technology – security techniques – information security management systems: requirements that describe a cybersecurity management system for business/information technology systems |
| 62443-2-3 | Organization and process standards | Technical report for patch management of an IACS system |
| 62443-2-4 | Organization and process standards | Security program requirements for IACS service providers. This standard introduces the four maturity levels of an organization. These security levels are based on the maturity levels found in Capability Maturity Model Integration (CMMI) [a] for services called CMMI-SVC. The levels are used throughout the series of the standard as they define for an asset owner where an expectation of capabilities and risk management exists |
| Part 3 | | Series of the standards covers policies and procedures for a system operator, installer, and integrator |
| 62443-3-1 | General | Industrial communication networks – network and system security – Part 3-1: security technologies for industrial automation and control systems. This defines the typical technologies that would exist to promote security in an IACS |
| 62443-3-3 | Design specifications and standards | Industrial communication networks – network and system security – Part 3-3: system security requirements and security levels. Taking the seven functional requirements in 62443-1-1, this standard defines four security level requirements for each of the functional requirements from one to four with increasing levels of security based on the risk of exposure to the IACS based on an attacker’s capabilities and means |
| Part 4 | | Series of the standards covers policies and procedures for a manufacturer of IACS components |
| 62443-4-1 | Organization and process standards | Secure product development life cycle requirements. These requirements provide criteria for a manufacturer of IACS components to follow when designing and building the IACS component. They are aligned with industry best practices around secure development life cycles (SDL) |
| 62443-4-2 | Design specifications and standards | Technical security requirements for IACS components. To specify security capabilities that enable a component to be integrated into a system environment at a given security level. An ICS component shall be designed for relevant requirements of this standard per the security level where the ICS component is intended to be installed |

[a] https://cmmiinstitute.com/

Table 3 UL standards

| Standard | Type | Description |
|---|---|---|
| Part 1 | | Series of the standards covers the general requirements to assess any product, device, component, or system when addressing the software and firmware risks |
| UL 2900-1 | Test and performance standards | Software cybersecurity for network-connectable products. Part 1: general requirements. These requirements provide testing criteria for any device that contains software or firmware |
| Part 2 | | Series of the standards covers industry-specific requirements |
| UL 2900-2-2 | Test and performance standards | Software cybersecurity for network-connectable products. Part 2-2: particular requirements for ICS. These requirements provide testing criteria for any ICS, devices, or components that contain software or firmware |

National Institute for Standards and Publications (NIST)
Special Publications
The National Institute for Standards and Publications (NIST) [3] of the US government
produces many specifications to provide guidance and best practices for use in
critical infrastructure. These are referenced widely throughout the industry; they
range from an overall description of ICS and how to implement security to the
specifics needed to define robust cybersecurity practices, and are defined
in Table 4.
Table 4 NIST standards

| Standard | Type | Description |
|---|---|---|
| SP 800-53 | Organization and process standards | Security and privacy controls for federal information systems and organizations. They provide guidelines for selecting and specifying security controls for organizations and information systems. The IEC 62443 and UL 2900 security controls typically follow this popular guidance document |
| SP 800-53A | Test and performance standards | Guide for assessing security controls in information systems. They provide assessment criteria for SP 800-53 |
| SP 800-82 | General | Guide to ICS security. Provides guidance for securing ICS, supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions |
| SP 800-94 | General | Guide to intrusion detection and prevention systems. This can be used by a system installer or operator to provide guidance on how to configure and set up intrusion detection and prevention systems |
| SP 800-87 | General | Establishing wireless robust security networks. Provides good guidance on setup and configuration of wireless networks following the IEEE 802.11i-based wireless local area networks (LANs) |
| NIST cybersecurity framework | Organization and process standards | Framework for improving critical infrastructure cybersecurity. Provides capabilities for organizational assessments of critical infrastructure assets. The model is based on five major tenets: identify, protect, detect, respond, and recover |
| NIST IR 7176 | Test and performance standards | Protection profile for ICS |

[3] https://csrc.nist.gov/publications/sp

Department of Homeland Security (DHS) and Department
of Energy (DOE) Publications
The US Department of Energy (DOE) produced a capability maturity model
through the Cybersecurity Capability Maturity Model (C2M2) program [4]. C2M2
focused on the implementation and management of cybersecurity practices
associated with the operation and use of information technology and operational
technology assets and the environments in which they operate. The goal of these maturity
models was to provide clarity, in general and for certain sectors like electricity and
oil and gas, so that asset owners and system operators can determine a baseline of where
their current cybersecurity practices are and develop goals for cybersecurity
objectives in the future.
The US Department of Homeland Security (DHS) and its Industrial Control
System Cyber Emergency Response Team (ICS-CERT) [5] continually work to
address challenges and risks within ICS regarding cybersecurity. The Common
Criteria for Information Technology Security Evaluation is a program mutually
recognized by 28 countries worldwide that uses the technical standard ISO 15408,
information technology – security techniques – evaluation criteria for IT security, as
a foundation for developing security requirements for a particular system or device.
The evaluation criteria are developed in associated protection profiles. NIST
produced a NIST Interagency Report (IR) called NIST IR 7176, which provides a
protection profile that documents security requirements associated with ICS.
DHS also produces several documents and specifications that educate the
industry on best practices, ongoing risk mitigation techniques, and general good hygiene
for the industry, which are defined in Table 5.
Smart Grid Publications
Several standards focus on helping manufacturers design equipment
specifically for the smart grid. These standards typically address specific
types of equipment and their use, or communication protocols in the smart grid and
how to build security requirements into the protocol. They are listed in Table 6.
⁴ https://www.energy.gov/oe/cybersecurity-critical-energy-infrastructure/cybersecurity-capability-maturity-model-c2m2-program
⁵ https://ics-cert.us-cert.gov/Standards-and-References
10 K. Modeste
French Network and Information Security Agency (ANSSI)
The French government, through its security agency, ANSSI,⁶ has been producing
standards and specifications for critical infrastructure to subject all new critical ICSs
to an approval process, thus ensuring that their cybersecurity level is acceptable
given the current threat status and its potential developments. Some of those
produced recently, which are becoming commonplace in new deployments in France,
are shown in Table 7.
Table 5 DHS documents
| Standard | Type | Description |
|---|---|---|
| ES-C2M2 | Organization and process standards | Electricity Subsector Cybersecurity Capability Maturity Model. This specification covers a common set of industry acceptable best cybersecurity practices that cover the electricity subsector |
| ONG-C2M2 | Organization and process standards | Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model. This specification covers a common set of industry acceptable best cybersecurity practices that cover the oil and gas subsector |
| Control system catalog | Organization and process standards | Catalog of Control Systems Security: Recommendations for Standards Developers. It specifies a catalog of security controls applicable to ICS from different standards, specifications, and other industry publications |
| Control system cybersecurity | Organization and process standards | Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. Provides a good overview of deploying defense in depth for an ICS |
| Procurement language | Organization and process standards | Cybersecurity Procurement Language for Control Systems. Provides security principles for ICS when considering designing and acquiring ICS |
| CNSSI-1253R2 | Organization and process standards | Security Categorization and Control Selection for National Security Systems. This document uses NIST SP 800-53 and establishes the processes for categorizing facilities and the information they process and for appropriately selecting security controls from NIST SP 800-53 |
| CNSSI-1253 | Organization and process standards | Security control overlays for ICS. Specifications of security controls and supporting guidance used to complement the security control baselines and parameter values in the supplemental guidance in NIST SP 800-53 |
⁶ https://www.ssi.gouv.fr/publications/
Bundesamt für Sicherheit in der Informationstechnik (BSI)
The German Federal Office for Information Security (BSI) has been developing
standards and best practices around Industry 4.0 and the cybersecurity principles
necessary for the German economy. The German government recently launched a
cybersecurity implementation plan for critical infrastructure called KRITIS,⁷
primarily intended to focus on securing the country’s networked information
infrastructure while keeping it productive and economically competitive. KRITIS is
Germany’s contribution to the European Program for Critical Infrastructure
Protection (EPCIP). Some of these specifications can be seen in Table 8.
The Industrial Internet of Things Consortium⁸ has developed several technical
documents to help instruct industry on the risks and challenges in having IoT and
ICS. They have published an Industrial Internet of Things Security Framework,
which provides some of the general understanding of how the industrial Internet
would technically be deployed and some of the main elements needed to ensure the
security of such a deployment.
Table 6 Smart grid publications
| Standard | Type | Description |
|---|---|---|
| IEEE 1686 | Design specifications and standards | Substation Intelligent Electronic Devices (IEDs) Cybersecurity Capabilities. Covers applying security controls to IEDs regarding the access, operation, configuration, firmware revision, and data retrieval |
| IEEE C37.240 | Design specifications and standards | Cybersecurity Requirements for Substation Automation, Protection, and Control Systems. Covers security controls implemented at the substation that factors in risk levels associated with the business practice and the cost associated with the technical control |
| NISTIR 7628 | Organization and process standards | Guidelines for Smart Grid Cybersecurity. Provides best practices for an asset owner deploying smart grid technology to consider security implications |
Table 7 ANSSI standards
| Standard | Type | Description |
|---|---|---|
| Cybersecurity for ICS | Organization and process standards | Classification method and key measures. Provides a mechanism to classify ICS based on acceptable risk and how to measure the classes defined |
| Cybersecurity for ICS | Organization and process standards | Detailed measures. Provides technical and organizational criteria needed for cybersecurity for new ICS systems that fall under industry 4.0ᵃ |
ᵃ Industry 4.0 is a European focus of industrial Internet of things where ICS systems are integrated to external systems via the Internet
⁷ https://www.kritis.bund.de/SubSites/Kritis/EN/strategy/strategy_node.html
⁸ http://www.iiconsortium.org
Personnel Training
Ensuring that the personnel who design, build, manufacture, install, service, and operate
critical infrastructure systems are qualified supports the general cyber-hygiene of an
overall system. Qualified personnel who have capabilities to support the cyber-objectives
of an installation drive overall competency. Some of those certified specifications are
shown in Table 9.
Table 8 BSI specifications
| Standard | Type | Description |
|---|---|---|
| ICS Security Compendium | General | ICS Security Compendium. This is a great reference document that outlines the security in ICS procedures and the relevant standards globally that can support |
| CIP Implementation Plan | General | CIP Implementation Plan of the National Plan for Information Infrastructure Protection. Provides a national plan for securing the national information technology infrastructure based on prevention, preparedness, and sustainability |
| Baseline protection concept | Organization and process standards | Protection of Critical Infrastructures: Baseline Protection Concept. Provides facilities based in Germany with guidelines for the internal cybersecurity of the facility |
Table 9 Personnel training specifications
| Standard | Type | Description |
|---|---|---|
| CompTIA | Personnel training | CompTIAᵃ has several certifications with criteria for qualification around general cybersecurity, cloud systems, and security testing |
| EC-Council | Personnel training | EC-Councilᵇ has several training and certification programs with popularity around the ethical hacker courses |
| GIAC | Personnel training | GIACᶜ has several standard technology certification programs and specific criteria for ICS personnel |
| ISACA | Personnel training | ISACAᵈ focuses on training personnel for specific cybersecurity roles within an organization |
| (ISC)² | Personnel training | (ISC)²ᵉ qualifies different roles in cybersecurity and the required credentials |
ᵃ https://certification.comptia.org/certifications
ᵇ https://www.eccouncil.org/programs/
ᶜ https://www.giac.org/
ᵈ http://www.isaca.org/Certification/Pages/default.aspx
ᵉ https://www.isc2.org/Certifications
Summary
This chapter provided a list of cybersecurity standards and specifications, which can
help in developing a good way to determine cyber-hygiene in critical infrastructure
systems. However, one singular standard or specification cannot provide a truly
holistic view of the cyber-capabilities of a facility’s implementation of systems and
services. A combination of several “types” of standards would provide the best
avenue to ensure that an organization is using the best capabilities readily available.
One of the first steps to help an asset owner determine this is to understand the
nature of some of the cybersecurity and critical infrastructure risks. Several
“general” standards can provide great insight for someone who is attempting to
understand the landscape of a system. NIST SP 800-82 and the Industrial Internet Security
Framework are both good places to start for a good overview of control systems
and what is typically done to secure them.
The asset owner would then need to assess the current state of his/her system by
using some of the identified “organization and process standards.” These standards,
like the NIST Cybersecurity Framework, DOE’s Capability Maturity Model, or
ANSSI’s cybersecurity for ICS, can provide an overall assessment of the current
state of his/her system. Included in that is the need to examine the relevant staff
charged with maintaining those systems and ensure they have the relevant credentials
to execute on cybersecurity-related activities. Using some of the “personnel
training” standards to assist candidates of the asset owner’s technical staff to increase
their knowledge can help as well. Cybersecurity professionals can either learn on the
job or be trained beforehand. Understanding the current state and capabilities of
one’s current staff will provide an asset owner with a good understanding of where
his/her organization currently is.
The next step is to use some of the identified “organization and process standards”
to build a scalable plan to help identify a target or desirable state of the facility’s
completed cybersecurity capabilities. A capability maturity model can help set up
target capabilities and create a plan to get there. Using some of the “test and
performance standards,” in combination with the “organization and process
standards,” can provide asset owners with a way to measure how good the current
facility is. NIST SP 800-53A, combined with IEC 62443-2-4 (which takes much of
its input from NIST SP 800-53A), can evaluate the current state. This is what the
NERC CIP standards in the bulk energy sector focus on by providing the criteria
needed to perform an assessment of what an organization has built into its
infrastructure to meet cybersecurity requirements. Using procurement guidance to begin
building procurement requirements for the supply chain of the facility would be
another great step by informing system operators, installers, and maintenance teams
of control systems, integrated technology systems, etc., of what is expected of them.
The qualifications in installing and servicing equipment to make sure they meet a
manufacturer’s stated specifications are crucial in meeting cybersecurity needs.
Procurement language can also be driven into the entire supply chain of the
infrastructure. “Design specifications and standards” and “test and performance
standards” can then be used to document what criteria are needed for equipment and
services and how those systems will be assessed. The design standards will provide
technical criteria that must be met for a device, component, or system to be acquired,
and the test standards can provide compliance criteria to evaluate and assess those
capabilities. In this regard, the 62443-3-3, 62443-4-2, and DHS cybersecurity
control documents can provide information to the supply chain of the technical
security controls that are needed. UL 2900 can be used to evaluate and assess the
supply chain’s devices, components, and systems, so a procurer can expect a trusted
third party to perform assessments and provide a certified and qualified supply chain.
Manufacturers of the supply chain can then apply these “design specifications and
standards” and “test and performance standards” to build the products to be used in
the installation. Manufacturers in the supply chain can also apply “product
development team processes” standards to ensure security is considered when building
those products. These standards would focus on driving some of the best practices
developed by leading organizations in delivering quality products and systems
designed with cybersecurity risks in mind for the impacted product in certain
implementations and factor in mitigation and control capabilities to minimize
those risks. Manufacturers can even apply the same “organization and process
standards” to their organizations as well to robustly build a team that can address
security risks both inside the organization and for the processes used to build
products for the industry. Ultimately, the manufacturer can apply the “personnel
training” standards to qualify their technical resources in building their products, by
pushing them through their own supply chains.
As has been demonstrated, asset owners can use an amalgam of these standards
and specifications to provide robust capabilities for their systems. Most of these
standards align with common best practices for systems in critical infrastructure
globally, and are recognized by industry and cybersecurity professionals. Once
maturity levels are defined, and plans are made to attain a certain level, the
right standards, specifications, and guidance documents will align with an asset
owner’s cybersecurity plans.
Consequence-Based Resilient Architectures
Curtis St. Michel and Sarah Freeman
Abstract As described in Lee et al., cyber-attackers conducted a coordinated,
multifaceted operation against three distribution companies on 23 December 2015,
resulting in a customer outage of nearly 4 hours. The significance in this event does
not originate from the infiltration of the electric sector; on the contrary, Gorman,
Toppa, Perlroth, Dearden, and Borger indicate they have been compromised before
and will continue to be compromised in the future. Nor was this event significant
because it harkened the arrival of some previously unknown, sophisticated industrial
control system (ICS) malware, as Karnouskos, Fidler and Matrosov et al. argued was
the case with Stuxnet. Rather, the significance of the December 2015 event stems
from the means by which the attackers interfaced with and, ultimately, used the
energy system design to their advantage.
The Challenges of Security by Design
As described in Lee et al. [1], cyber-attackers conducted a coordinated, multifaceted
operation against three distribution companies on 23 December 2015, resulting in a
customer outage of nearly 4 hours. The significance in this event does not originate
from the infiltration of the electric sector; on the contrary, Gorman [2], Toppa [3],
Perlroth [4], Dearden [5], and Borger [6] indicate they have been compromised
before and will continue to be compromised in the future. Nor was this event
significant because it harkened the arrival of some previously unknown,
sophisticated industrial control system (ICS) malware, as Karnouskos [7], Fidler [8] and
Matrosov et al. [9] argued was the case with Stuxnet. Rather, the significance of the
December 2015 event stems from the means by which the attackers interfaced with
and, ultimately, used the energy system design to their advantage.
Engineering controls are the result of countless hours of analysis, during which
design engineers validate the safety, reliability, and functionality of a designed
system. One prevalent method for validation is failure mode and effects analysis
(FMEA), a systematic approach for proactively identifying where and how a system
might fail, as well as any potential resulting impact. FMEA and its variants, such as
failure mode, effects, and criticality analysis (FMECA) and multi-attribute failure
mode analysis (MAFMA) [10], are linked in their failure to properly consider
cyber-events and their potential impact to reliability and, ultimately, the resiliency of a
designed system.
C. St. Michel (*) · S. Freeman (*)
Control Systems Cybersecurity Analyst, Idaho National Laboratory, Idaho Falls, ID, USA
e-mail: Curtis.StMichel@inl.gov; Sarah.Freeman@inl.gov
© Springer Nature Switzerland AG 2019
C. Rieger et al. (eds.), Industrial Control Systems Security and Resiliency, Advances
in Information Security 75, https://doi.org/10.1007/978-3-030-18214-4_2
As additional digital components have been introduced into traditionally analog
systems, the risk associated with equipment failure shifts. This is due in part to a
change in the device controls themselves, as well as the possibility for additional
malicious activity directed against this equipment. For example, cyber-attacks can be
multiplied by employing attacks that rely both on the visibility of digital sensors and
data aggregators and on the manipulation of the engineering control algorithms
themselves [11]. Although these changes in technology can provide a wealth of
data management opportunities and improved efficiency, this shift has also posed a
challenge for individuals and organizations tasked with securing this equipment.
The shift toward an increased reliance on digital technology harkens the arrival of
a new reality in which these systems and technology can be used for increasingly
sophisticated cyber-attacks. Events against electric grids worldwide since 2015
highlight the distinct difference between targeted and untargeted cyber-attacks and the
failure of perimeter cyber-defense to combat directed attacks. Today traditional
cyber-hygiene and best practices, although important, are no longer sufficient to
stop targeted cyber-attacks. At the same time, traditional FMEA and its variants must
evolve to address both adversary capability and consumer demand for technology so
that reliability, safety, and resiliency of these critical engineered systems continue.
The Vulnerability Mitigation Cycle
Vulnerability assessments are a requirement for North American Electric Reliability
Corporation (NERC) Critical Infrastructure Protection (CIP) compliance and are
intended to limit the possibility of a cyber-attack against the bulk electric system
(BES); numerous guides have been written, and research has been conducted to
optimize these activities, most notably by Sandia National Laboratories [12]; Ten
et al. [13]; and Ralston et al. [14]. This technique is fundamentally limited to known
vulnerabilities or the zero-day vulnerabilities that may be found by a cybersecurity
researcher as part of that assessment, however. Additionally, organizations and
vendors frequently also employ a vulnerability/mitigation strategy that involves
the application of patches as new vulnerabilities become known. The fundamental
result of this system is one in which the individual vulnerabilities that are identified
and mitigated focus primarily on known adversary capabilities and exploits.
Therefore, a proactive vulnerability management strategy becomes inherently reactive.
Unfortunately, given the speed at which new vulnerabilities are identified, orga-
nizations face an uphill battle in securing their operational technology (OT) space.
Vulnerabilities with some of the greatest potential for weaponization, zero days, are
so named due to the fact that they are vulnerabilities in systems that were otherwise
unknown, with no patching available at the time of their discovery. In 2013, the
number of zero-day (0-day) vulnerabilities discovered doubled from the previous
year to 23. Between 2014 and 2015, there was a 125% increase in the number of
vulnerabilities to 52, leading Symantec [15] to theorize that zero days have been
“professionalized,” a critical tool for state-sponsored activity. Security is also
complicated by the white phase of the zero-day life cycle, when a patch has been released
but in many cases has not yet been applied. Dacier et al. [16] noted a five times
increase in the malicious use of zero-day vulnerabilities, after they had been
disclosed, highlighting the continued risk posed to organizations even later in the
vulnerability life cycle. This finding is shared by Ablon and Bogart [17], a recent
review that evaluated more than 200 zero days over 14 years (2002–2016), which
found that the “life expectancy” following discovery of a zero-day
vulnerability averaged 6.9 years. In 25% of these cases, life expectancy for these
vulnerabilities averaged more than 9.5 years. Within the ICS/Supervisory Control and Data
Acquisition (SCADA) space, where patches occur far less frequently, it is possible
that life expectancy is even higher.
In general, OT is patched far less frequently than its information technology
(IT) cousin. Tom et al. [18] note that legacy systems are typically patched late, if
patched at all, in part due to “. . .their service age, proprietary nature, perceived
obsolescence, or simply because the patches are unavailable.” The result is that
vulnerabilities, zero days or not, can be used to exploit OT for several years and,
given the rate at which new vulnerabilities emerge and the lack of infinite resources
to devote to cybersecurity, complete mitigation through patching cannot be
expected.
How, then, can organizations protect themselves from the inevitable stream of
vulnerabilities? The best approach may be not to focus on the vulnerabilities, but to
introduce resiliency into the technical designs themselves, through methods of
consequence-based analysis.
Consequence-Driven Cyber-Informed Engineering
Introduced by St. Michel et al. [19], Consequence-driven Cyber-informed Engineering
(CCE) is one method to address the organizational risk posed by increasingly
sophisticated cyber-attacks. Rather than focus solely on the vulnerability mitigation
cycle, CCE prioritizes cybersecurity response capabilities based on impact and,
ultimately, the potential severity of a cyber-attack. In this way, CCE addresses the
most significant threat to an organization’s critical functions and services in a
resource-constrained environment.
The motivation for the development of CCE stemmed in part from the development
of increasingly sophisticated adversary capabilities and the corresponding
challenges associated with the vulnerability mitigation cycle. CCE also originated
from the increasingly prevalent (if not pessimistic) view that perfect (or even near
perfect) cybersecurity protection is a mirage and something that cannot be
realistically achieved [20]. If this view is to be adopted, then any organization is limited in
its ability to develop suitable responses to the threat of cyber-attack. In many cases,
the challenge of securing critical systems, processes, and procedures from a
sophisticated, targeted, state-sponsored cyber-attack exceeds the capabilities of the
organization.
The problem of security is compounded by the increasingly varied cyber-
boundaries of an organization. An electric utility, for example, expects to exchange
some amount of operational information with other utilities, especially those whose
infrastructure they interface with or with whom they conduct electricity market
transactions.
The cyber-boundary has also shifted through the adoption of emerging technology.
In late March–early April 2018, three US pipeline companies experienced
communications system disruptions after a third-party provider experienced a
cyber-attack [21]. The affected system existed on the boundary of the organizations,
and although it did assist with operational activity – by providing communications
support to the pipeline customers and their purchases – it did not fundamentally
inhibit the delivery of product. Operationally, transactions were able to continue,
albeit at a slower pace. Still, the event highlights cybersecurity challenges.
Traditional definitions and boundaries of the electronic perimeter have become obfuscated
by technology intended to improve or streamline operational activity.
If perfect or near perfect cybersecurity is not a possibility, how can organizations
respond to the potential risk of a cyber-attack? One idea gaining additional traction is
the concept of cyber-insurance, a risk management approach in which the individual or
organization provides an insurance premium to transfer the risk to an insurance
company [20]. In the event of a cyber-attack, the cost of the event would be distributed
among the collective pool of individuals and organizations purchasing insurance. The
market for cyber-insurance continues to grow; Romanosky et al. [22] note that with less
than $1 billion in premiums in 2012, estimates are as high as $20 billion by 2020. Still,
several barriers to an effective cyber-insurance market persist. For example, in spite of
the growth, the cost associated with a cyber-event greatly outweighs the cyber-
insurance market with estimated global costs of $445 billion a year [23].
Another issue for insurance companies is how to underwrite and define the risk
they are willing to absorb and the cyber-incidents they are willing to cover. Related
questions include how to quantify an organization’s protection or exposure and what
cybersecurity components, exactly, are the responsibility of a single organization?
What degree of protection is a reasonable expectation?
To develop a healthy insurance market, insurance companies must deem the
market space profitable; that is, the profit gained from underwriting risk cannot be
eclipsed by the financial loss of an actual cyber-attack. Boundaries must limit what is
within the responsibility of an organization and the insurer and what is beyond both
of them. Within that gap area, the federal government must step in as the insurer of
last resort, belaying some of the risk. Without federal government participation, the
cyber-insurance market cannot expand to meet the safety needs.
Without a flourishing cyber-insurance market, organizations must adopt alternative
strategies to mitigate the risk associated with cyber-attacks. CCE aims to fill that
gap by providing a scalable cybersecurity framework that can be employed by an
individual, organization, or government and customized based on their own risk
tolerance.
The “Future” Analysis Problem and Consequence Prioritization
As noted previously, one of the primary challenges in developing secure cyber-
systems stems in part from the speed at which adversary capabilities evolve.
Organizations are caught in a constant cycle of vulnerability identification and
mitigation based on the latest vendor advisories and threat reports. The main issue
with this approach, however, is that organizations maintain a reactive posture,
responding and mitigating vulnerabilities only after they have been identified. As
many have noted, it is difficult to make predictions, especially about the future.
This view is echoed by Colbaugh and Glass [24], who note that the “fundamental
issues associated with the dynamics and predictability of the coevolutionary ‘arms
race’ between attackers and defenders has yet to be resolved.” Although academic
efforts have aimed to provide clarity on the means of prediction related to the
potential exploitation of a specific vulnerability [24, 25], these pieces are limited
in their tendency to assume a correlation between current adversary activity and
future capability, or that existing vulnerability scoring systems correlate to the cyber-
risk posed to an organization (i.e., the likelihood that a vulnerability will be
exploited). In reality, there is a complex system that dictates whether a specific
vulnerability will be targeted, one that is based on a variety of factors including
existing capability, funding, motivation (e.g., desired end effect), and state-sponsor
interest. From an organization’s perspective, the challenge to identifying the most
significant risk is vast.
In spite of the challenges associated with determining the risk of a cyber-attack,
organizations need a method to prioritize resources within a resource-constrained
environment. Organizations cannot expect to eliminate the risk (eliminate all of the
vulnerabilities); they must therefore identify the means to persist in spite of the risk.
Risk is often defined within the context of the equation:
Risk = Probability × Impact
Given this definition, it is possible to describe risk in terms of the potential impact
or consequence. If constant probability is assumed, then there is a proportional
relationship between risk and impact. Even without an assumption of a constant
for probability, the potential impact of an event can still yield significant risk. CCE
works within this construct to identify the most significant cyber-events (those with
THE LAST FIGHT IN THE COLISEUM
THE SHEPHERD GIRL OF NANTERRE
LEO THE SLAVE
THE BATTLE OF THE BLACKWATER
GUZMAN EL BUENO
FAITHFUL TILL DEATH
WHAT IS BETTER THAN SLAYING A DRAGON
THE KEYS OF CALAIS
THE BATTLE OF SEMPACH
THE CONSTANT PRINCE
THE CARNIVAL OF PERTH
THE CROWN OF ST. STEPHEN
GEORGE THE TRILLER
SIR THOMAS MORE'S DAUGHTER
UNDER IVAN THE TERRIBLE
FORT ST. ELMO
THE VOLUNTARY CONVICT
THE HOUSEWIVES OF LOWENBURG
FATHERS AND SONS
THE SOLDIERS IN THE SNOW
GUNPOWDER PERILS
HEROES OF THE PLAGUE
THE SECOND OF SEPTEMBER
THE VENDEANS
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade
Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.
Let us accompany you on the journey of exploring knowledge and
personal growth!
textbookfull.com


Industrial Control Systems Security and Resiliency Practice and Theory Craig Rieger

  • 4. Advances in Information Security 75. Craig Rieger • Indrajit Ray • Quanyan Zhu • Michael A. Haney, Editors. Industrial Control Systems Security and Resiliency Practice and Theory
  • 5. Advances in Information Security Volume 75 Series editor Sushil Jajodia, George Mason University, Fairfax, VA, USA
  • 6. More information about this series at http://www.springer.com/series/5576
  • 7. Craig Rieger • Indrajit Ray • Quanyan Zhu • Michael A. Haney Editors Industrial Control Systems Security and Resiliency Practice and Theory
  • 8. Editors
      Craig Rieger, Critical Infrastructure Security and Resilience, Idaho National Laboratory, Idaho Falls, ID, USA
      Indrajit Ray, Department of Computer Science, Colorado State University, Fort Collins, CO, USA
      Quanyan Zhu, Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, Brooklyn, NY, USA
      Michael A. Haney, Department of Computer Science, University of Idaho, Idaho Falls, ID, USA

      ISSN 1568-2633
      Advances in Information Security
      ISBN 978-3-030-18213-7
      ISBN 978-3-030-18214-4 (eBook)
      https://doi.org/10.1007/978-3-030-18214-4
      © Springer Nature Switzerland AG 2019

      This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

      This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
  • 9. Preface

      While cybersecurity has been a consideration of information technologies (IT) for years, only since the last decade has an increase in concern for the security and resulting safety of our industrial control systems (ICS) been observed. Through standards and governmental agency guidance, the resources have been provided to better enable the asset owners to orchestrate better security architectures with current security technologies. Security vendors have advanced their product offerings to improve defenses against the evolving threat, and within the ICS community, ICS vendors have taken an active role to provide resources to the end users that enable consistent application and maintenance of cybersecurity. However, the threats that are specifically targeting ICS and the critical infrastructures we depend on are becoming more evident, as recognized by the HAVEX malware and others since then. Even with a consistent, risk-based application of security, an international challenge exists to evolve and transform the system architectures and technologies to be more resilient to cyber-threats. As the desire to automate and achieve the efficiencies of labor and operation has grown, so has the investment in control systems that allow for integrating different operations, facilities, utilities, and infrastructures. Although significant strides have been made in making ICS secure, increasing the connectivity of systems with commodity IT devices and significant human interaction of ICS systems during its operation regularly introduces newer threats to these systems resulting in ICS security defenses always playing catch-up. To address this threat in the near-term solutions, the layers of protection that include those that are physically oriented, such as mechanically interlocking devices that have no cyber-connectivity, can reduce the risk associated with compromise of critical systems.

      However, as control systems evolve toward greater autonomy, reducing/changing the role of the human, the need to consider resilience becomes more profound. Autonomous systems can react quickly to anomalous conditions, ensuring we have power even if a transformer fails. However, it can also cause a quick escalation to a cascading fault if the autonomy has been corrupted by cyber-attack or unrecognized failure.
  • 10. The next generation of control systems should have a better understanding of threat versus quality-of-service trade-offs. Reasoned by such trade-offs, the next-generation control systems should be designed to be resilient by nature. Such resilient ICS design requires one to be proactive in understanding and reasoning about the relationships and dependencies between the various ICS components, evolving threats to them, and the effects of these threats on the mission goals of the ICS system. As such, the ability to not only detect but correlate the impact on the ability to achieve minimum normalcy is a necessary attribute. Enabling the human in the loop will be necessary throughout, ensuring their ability to adapt to anomalous conditions that the control system cannot. Threat-resilient architectures will provide a holistic feedback and data-driven security solution that integrates a real-time cyber-physical risk assessment, proactive and adaptive defense mechanism, and decentralized reconfigurable resilient control design. The risk assessment evaluates the real-time risks at the cyber and physical components of the system that can provide reliable information for defense and control systems to respond. Autonomous proactive defense mechanisms, such as deception and moving target defenses, are pivotal to strategically adapt to adversarial behaviors, create information asymmetry to deter the attacks, reduce attacker’s advantage, and mitigate the losses. The resilient control design is the last mile protection for the industrial control systems. A resilient controller can reconfigure the physical layer control laws that can steer the control system away from the damages through quick detection, failure localization, and fast response in a distributed fashion. The integrated design of risk measure and learning, autonomous defense, and resilient controls plays an important role in improving the resiliency of the system holistically.

      Resilience measures provide quantitative metrics to guide the design process to achieve desirable system-level performance. Multidimensional metrics, such as response time and loss of performance, at both cyber and physical layers of the ICS are important indicators and need to be part of the design goals of the next-generation architectures. In this edited volume, we hope to provide different perspectives for achieving near- and long-term resilience, including technologies of the future. Therefore, what follows is a synopsis of the current challenges that will need to be addressed in future control systems designs. Current automation environments are the result of organic interconnection of control systems and the inability to recognize and prevent resulting, unrecognized faults. Addressing near-term resilience in this context requires an understanding of the consequence and efficient use of resources to address. In moving toward inherent resilience, adaptive and agile distributed frameworks for recognizing and responding to threat are necessary. Benign human error as the result of data overload and lack of information is an ongoing issue, and for the malicious human, current perimeter protections are insufficient and not designed to adapt rapidly to attacks in order to prevent compromise. The development of autonomous defenses that use the attackers’ humanness against them is an imperative. Finally, current control systems have multiple performance goals, but without the necessary identification and prioritization can lead to undesirable response from both the human operation and the automation design. Enabling the success of the
  • 11. operator requires integration of visualizations, such that the various roles of cyber-defender or process operator can maintain the same context, for the former an understanding of what is important in the process and the latter how cyber-assets are affecting the physical operation.

      Idaho Falls, ID, USA
      Craig Rieger
  • 12. Contents

      Part I Current and New Practice
        Current Standards for Cyber-Hygiene in Industrial Control System Environments (Ken Modeste)
        Consequence-Based Resilient Architectures (Curtis St. Michel and Sarah Freeman)

      Part II Cyber-Modeling, Detection, and Forensics
        Cyber-Physical Anomaly Detection for Power Grid with Machine Learning (Pengyuan Wang and Manimaran Govindarasu)
        Toward the Science of Industrial Control Systems Security and Resiliency (Mohammad Ashiqur Rahman and Ehab Al-Shaer)
        Toward Cyber-Resiliency Metrics for Action Recommendations Against Lateral Movement Attacks (Pin-Yu Chen, Sutanay Choudhury, Luke Rodriguez, Alfred O. Hero, and Indrajit Ray)

      Part III Proactive Defense Mechanism Design
        Moving Target, Deception, and Other Adaptive Defenses (Benjamin Blakely, William Horsthemke, Alec Poczatec, Lovie Nowak, and Nathaniel Evans)
        Beyond Mirages: Deception in ICS—Lessons Learned from Traditional Networks (Nate Soule and Partha Pal)
  • 13.   Moving Target Defense to Improve Industrial Control System Resiliency (Adrian R. Chavez)
        Proactive Defense Through Deception (Massimiliano Albanese and Sushil Jajodia)
        Next-Generation Architecture and Autonomous Cyber-Defense (Carol Smidts, Xiaoxu Diao, and Pavan Kumar Vaddi)

      Part IV Human System Interface
        Fault Understanding, Navigation, and Control Interface: A Visualization System for Cyber-Resilient Operations for Advanced Nuclear Power Plants (Christopher Poresky, Roger Lew, Thomas A. Ulrich, and Ronald L. Boring)

      Part V Metrics
        Resilient Control System Metrics (Timothy R. McJunkin and Craig Rieger)
  • 14. Part I Current and New Practice
  • 15. Current Standards for Cyber-Hygiene in Industrial Control System Environments

      Ken Modeste (Underwriters Laboratories, Northbrook, IL, USA; e-mail: Ken.Modeste@ul.com)
      © Springer Nature Switzerland AG 2019. C. Rieger et al. (eds.), Industrial Control Systems Security and Resiliency, Advances in Information Security 75, https://doi.org/10.1007/978-3-030-18214-4_1

      Abstract

      Industrial control systems (ICS) have historically been closed systems reliant on serial connectivity that was exclusive to these networks. The potential for cybersecurity incidents associated with these closed systems required physical access to the facilities and hence was considered low risk in most circumstances.

      Introduction

      Industrial control systems (ICS) have historically been closed systems reliant on serial connectivity that was exclusive to these networks. The potential for cybersecurity incidents associated with these closed systems required physical access to the facilities and hence was considered low risk in most circumstances.

      However, as technology has rapidly adapted to a newer world of connectivity, the Internet of things (IoT), and cloud systems, and with the potential for ICS connectivity to information technology (IT) systems and the general trend toward IoT, these systems have been migrating to open systems that are connected via Ethernet or wireless to the rest of the commercial use networks in facilities. As such, these open networks are now being connected to the Internet for a multitude of innovative and new capabilities, driving some areas such as:
      (a) Remote maintenance and diagnostics of facility equipment
      (b) Data collection and analytics
      (c) Cloud service capabilities
      (d) Smart systems with aggregation of sensor data for business analytics

      Vendors, system installers, operators, and facility owners now have newer capabilities that promote economic value and technology upgrades that align with twenty-first-century opportunities and competitiveness. The traditional and managed concepts of safety that covered hazards like fire, electric shock, or person harm now
  • 16. have additional risks with this new connectivity to other commercial and enterprise systems and the Internet. These new risks to safety can now be classified with disruption of businesses; additional risks to new safety concerns like privacy, exfiltration of data, remote control, and modification of equipment outside of their intended use; and ultimately use of ICS equipment and systems for unplanned nefarious purposes.

      Incorporating new cyber-technologies, methods, and processes in the design, development, installation, support, and use of ICS equipment requires standardization to support the industry in applying best practices that are economically feasible, relevant, and capable of assessing and managing these risks. Understanding the relevant standards and specifications available that can be applied to the ICS industry can support all stakeholders in continuing to apply new and innovative technologies that address connectivity and IoT opportunities while effectively managing the associated risk.

      Ways to Address Cyber-Hygiene

      Consider cyber-hygiene similarly to our own personal bodies and health hygiene practices. As personal hygiene revolves around activities that individuals incorporate into their regular practices, cyber-hygiene does the same. What are the best practices that organizations can deploy to continue to maintain the organization’s cyber-well-being or improve upon it? These best practices can involve the following common solution areas:

      1. Design specifications and standards
         These standards and specifications help manufacturers by providing guidance in how to implement cybersecurity controls in products, components, and systems in aligned industries. These design standards may also apply to specific technologies that implement good cyber-capabilities (i.e., cryptography, software updates, etc.).
      2. Test and performance standards
         These standards provide capabilities to evaluate and assess cybersecurity capabilities in products, components, and systems. Typically, they are used by trusted third parties to evaluate, assess, or audit cybersecurity practices, or can be used to assess a design standard.
      3. Product development team processes
         Frameworks that define the process used to build products from their inception to their eventual decommissioning. These processes incorporate cybersecurity features from the beginning to ensure a vendor’s cybersecurity objectives are built into the development process.
      4. Organization and process standards
         Audit criteria for assessing an organization’s overall cybersecurity practices. Vendors, system installers, and building owners have standard operating procedures that cover their business practices.
  • 17. 5. Personnel training
         These standards provide the criteria for a person to be evaluated for their qualifications to support cybersecurity capabilities in the ICS space.
      6. General
         These standards and specifications typically will define technologies and provide general system descriptions and overall technical guidance on how particular technologies operate.

      Standards

      North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

      Among the more well-known standards is the NERC CIP (https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx) series of standards for physical security and cybersecurity. These standards provide minimum security requirements for bulk power generation in the USA, Canada, and parts of Mexico. These standards were adopted in 2006 and are defined in Table 1. The NERC standards provide for a comprehensive cybersecurity framework. These standards are considered typical in an audit process to confirm that the policies and procedures in place can provide a minimum level of security for BES. There are also some associated security best practices that can be located at https://www.eisac.com/resources/documents.

      ISA/IEC 62443

      ISA99 is the name of the Industrial Automation and Control System (IACS) Security Committee of the ISA (International Society of Automation, http://www.isa.org/). This committee developed the series of ISA 62443 standards and technical reports. The intended audience for this series of standards and technical reports are asset owners, system operators and integrators, and ICS manufacturers. It is intended to provide guidance that an asset owner can use as procurement criteria for its supply chain and system operators to follow. These standards are now being reviewed and published as IEC 62443 in conjunction with IEC Technical Committee 65 Working Group 10 (IEC TC68/WG 10) as international standards. They fall into four categories, as defined in Table 2 for IEC publications. These standards are well known in the factory automation space and are seeing some traction in the oil and gas market. They are designed specifically to ensure an asset owner can define cybersecurity objectives for its automation facility with a
  • 18. defined cybersecurity maturity level; manufacturers can then design to those requirements to meet the security level prescribed at the maturity level. System installers, integrators, and service providers can then be trained on the established objectives of the asset owner and the implementation knowledge of the components to meet those objectives.

      Underwriters Laboratories (UL) 2900

      These standards were developed to provide testing criteria for product components and systems. The UL 2900 series focuses on the best cybersecurity practices that are used in assessing devices and components when addressing the software and firmware. They fall into three categories as defined in Table 3 for the ANSI/CAN/UL publications. The UL 2900 series of standards are designed to provide testing criteria to evaluate and assess manufacturer’s devices, components, and ICS. Its targeted audience are asset owners to use as procurement requirements for ICS manufacturers to meet for third-party testing and certification and for ICS manufacturers to use on their supply chain.

      Table 1 NERC CIP standards

      | Standard | Type | Description |
      |---|---|---|
      | CIP-002 | Design specifications and standards | Bulk Energy System (BES) Cyber-System Categorization. Provides criteria for the inventory of device and software assets of a BES that can adversely impact the reliability of the BES via a regular risk assessment methodology |
      | CIP-003 | Organization and process standards | Policies for security management controls to prevent compromise of the BES |
      | CIP-004 | Personnel training | Security awareness and training for personnel operating and managing BES |
      | CIP-005 | Design specifications and standards | Electronic security perimeter controls for a BES |
      | CIP-006 | Design specifications and standards | Physical security controls for a BES |
      | CIP-007 | Design specifications and standards | System security management of BES, which defines the security controls of the system, how to assess those controls, and continuous vulnerability management |
      | CIP-008 | Organization and process standards | Incident response and planning policies for a BES |
      | CIP-009 | Organization and process standards | Recovery plans for a BES in the event of a shutdown, failure of controls, or a cyber-event |
      | CIP-010 | Organization and process standards | Configuration change management policies for a BES |
      | CIP-011 | Organization and process standards | Policies and procedures for information protection of a BES |
Table 2 IEC publications

| Standard | Type | Description |
|---|---|---|
| Part 1: series of the standards covers general terms, glossary items, and ICS life cycle and use cases | | |
| 62443-1-1 | General | Defines terminology, concepts, and models for IACS typically used in factory automation. This section also defines seven functional requirements in securing an IACS, which are: (a) Identification and authentication control; (b) Use control; (c) System integrity; (d) Data confidentiality; (e) Restricted data flow; (f) Timely response to events; (g) Resource availability |
| Part 2: series of the standards covers policies and procedures for an asset owner or system operator | | |
| 62443-2-1 | Organization and process standards | Industrial communication networks: network and system security. Part 2-1: establishing an industrial automation and control system security program. This standard provides guidance for application of a cybersecurity management system for IACS systems and is based on ISO/IEC 17799 information technology – security techniques – code of practice for information security management and ISO/IEC 27001 standards information technology – security techniques – information security management systems: requirements that describe a cybersecurity management system for business/information technology systems |
| 62443-2-3 | Organization and process standards | Technical report for patch management of an IACS system |
| 62443-2-4 | Organization and process standards | Security program requirements for IACS service providers. This standard introduces the four maturity levels of an organization. These security levels are based on the maturity levels found in Capability Maturity Model Integration (CMMI)ᵃ for services called CMMI-SVC. The levels are used throughout the series of the standard as they define for an asset owner where an expectation of capabilities and risk management exists |
| Part 3: series of the standards covers policies and procedures for a system operator, installer, and integrator | | |
| 62443-3-1 | General | Industrial communication networks – network and system security – Part 3-1: security technologies for industrial automation and control systems. This defines the typical technologies that would exist to promote security in an IACS |
| 62443-3-3 | Design specifications and standards | Industrial communication networks – network and system security – Part 3-3: system security requirements and security levels. Taking the seven functional requirements in 62443-1-1, this standard defines four security level requirements for each of the functional requirements from one to four with increasing levels of security based on the risk of exposure to the IACS based on an attacker’s capabilities and means |
| Part 4: series of the standards covers policies and procedures for a manufacturer of IACS components | | |
| 62443-4-1 | Organization and process standards | Secure product development life cycle requirements. These requirements provide criteria for a manufacturer of IACS components to follow when designing and building the IACS component. They are aligned with industry best practices around secure development life cycles (SDL) |
| 62443-4-2 | Design specifications and standards | Technical security requirements for IACS components. To specify security capabilities that enable a component to be integrated into a system environment at a given security level. An ICS component shall be designed for relevant requirements of this standard per the security level where the ICS component is intended to be installed |

ᵃ https://cmmiinstitute.com/

Table 3 UL standards

| Standard | Type | Description |
|---|---|---|
| Part 1: series of the standards covers the general requirements to assess any product, device, component, or system when addressing the software and firmware risks | | |
| UL 2900-1 | Test and performance standards | Software cybersecurity for network-connectable products. Part 1: general requirements. These requirements provide testing criteria for any device that contains software or firmware |
| Part 2: series of the standards covers industry-specific requirements | | |
| UL 2900-2-2 | Test and performance standards | Software cybersecurity for network-connectable products. Part 2-2: particular requirements for ICS. These requirements provide testing criteria for any ICS, devices, or components that contain software or firmware |
National Institute for Standards and Publications (NIST) Special Publications

The National Institute for Standards and Publications (NIST)³ of the US government produces many specifications to provide guidance and best practices for use in critical infrastructure. These are referenced fairly prolifically throughout the industry and range from an overall description of ICS and how to implement security to the specifics needed to define robust cybersecurity practices; they are defined in Table 4.

Table 4 NIST standards

| Standard | Type | Description |
|---|---|---|
| SP 800-53 | Organization and process standards | Security and privacy controls for federal information systems and organizations. They provide guidelines for selecting and specifying security controls for organizations and information systems. The IEC 62443 and UL 2900 security controls typically follow this popular guidance document |
| SP 800-53A | Test and performance standards | Guide for assessing security controls in information systems. They provide assessment criteria for SP 800-53 |
| SP 800-82 | General | Guide to ICS security. Provides guidance for securing ICS, supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions |
| SP 800-94 | General | Guide to intrusion detection and prevention systems. This can be used by a system installer or operator to provide guidance on how to configure and set up intrusion detection and prevention systems |
| SP 800-87 | General | Establishing wireless robust security networks. Provides good guidance on setup and configuration of wireless networks following the IEEE 802.11i-based wireless local area networks (LANs) |
| NIST cybersecurity framework | Organization and process standards | Framework for improving critical infrastructure cybersecurity. Provides capabilities for organizational assessments of critical infrastructure assets. The model is based on five major tenets: identify, protect, detect, respond, and recover |
| NIST IR 7176 | Test and performance standards | Protection profile for ICS |

³ https://csrc.nist.gov/publications/sp
Department of Homeland Security (DHS) and Department of Energy (DOE) Publications

The US Department of Energy (DOE) produced a capability maturity model through the Cybersecurity Capability Maturity Model (C2M2) program.⁴ C2M2 focused on the implementation and management of cybersecurity practices associated with the operation and use of information technology and operational technology assets and the environments in which they operate. The goal of these maturity models was to provide clarity, in general and for certain sectors like electricity and oil and gas, so that asset owners and system operators can determine a baseline of where their current cybersecurity practices are and develop goals for cybersecurity objectives in the future.

The US Department of Homeland Security (DHS) and its Industrial Control System Cyber Emergency Response Team (ICS-CERT)⁵ continually work to address challenges and risks within ICS regarding cybersecurity.

The Common Criteria for Information Technology Security Evaluation is a program mutually recognized by 28 countries worldwide that uses the technical standard ISO 15408 information technology – security techniques – evaluation criteria for IT security as a foundation for developing security requirements for a particular system or device. The evaluation criteria are developed in associated protection profiles. NIST produced a NIST Interagency Report (IR) called NIST IR 7176, which provides a protection profile that documents security requirements associated with ICS.

DHS also produces several documents and specifications that educate the industry on best practices, ongoing risk mitigation techniques, and general good hygiene for the industry, which are defined in Table 5.

Smart Grid Publications

There are several standards that focus on helping manufacturers design equipment specific to the smart grid space. These standards are typically focused on specific types of equipment and their use, or communication protocols in the smart grid, and how to deliver security requirements into the protocol. They are defined in Table 6.

⁴ https://www.energy.gov/oe/cybersecurity-critical-energy-infrastructure/cybersecurity-capability-maturity-model-c2m2-program
⁵ https://ics-cert.us-cert.gov/Standards-and-References
French Network and Information Security Agency (ANSSI)

The French government, through its security agency, ANSSI,⁶ has been producing standards and specifications for critical infrastructure to subject all new critical ICSs to an approval process, thus ensuring that their cybersecurity level is acceptable given the current threat status and its potential developments. Some of those produced recently, which are becoming commonplace in new deployments in France, are shown in Table 7.

Table 5 DHS documents

| Standard | Type | Description |
|---|---|---|
| ES-C2M2 | Organization and process standards | Electricity Subsector Cybersecurity Capability Maturity Model. This specification covers a common set of industry acceptable best cybersecurity practices that cover the electricity subsector |
| ONG-C2M2 | Organization and process standards | Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model. This specification covers a common set of industry acceptable best cybersecurity practices that cover the oil and gas subsector |
| Control system catalog | Organization and process standards | Catalog of Control Systems Security: Recommendations for Standards Developers. It specifies a catalog of security controls applicable to ICS from different standards, specifications, and other industry publications |
| Control system cybersecurity | Organization and process standards | Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. Provides a good overview of deploying defense in depth for an ICS |
| Procurement language | Organization and process standards | Cybersecurity Procurement Language for Control Systems. Provides security principles for ICS when considering designing and acquiring ICS |
| CNSSI-1253R2 | Organization and process standards | Security Categorization and Control Selection for National Security Systems. This document uses NIST SP 800-53 and establishes the processes for categorizing facilities and the information they process and for appropriately selecting security controls from NIST SP 800-53 |
| CNSSI-1253 | Organization and process standards | Security control overlays for ICS. Specifications of security controls and supporting guidance used to complement the security control baselines and parameter values in the supplemental guidance in NIST SP 800-53 |

⁶ https://www.ssi.gouv.fr/publications/
Bundesamt für Sicherheit in der Informationstechnik (BSI)

The German Federal Office for Information Security (BSI) has been developing standards and best practices around industry 4.0 and cybersecurity principles necessary for the German economy. The German government recently launched a cybersecurity implementation plan for critical infrastructure called KRITIS,⁷ primarily intended to focus on securing the country’s networked information infrastructure while making it still productive and economically competitive. KRITIS is Germany’s contribution to the European Program for Critical Infrastructure Protection (EPCIP). Some of these specifications can be seen in Table 8.

The industrial Internet of Things Consortium⁸ has developed several technical documents to help instruct industry on the risks and challenges in having IoT and ICS. They have published an Industrial Internet of Things Security Framework, which provides some of the general understanding of how the industrial Internet would technically be deployed and some of the main elements needed to ensure the security of such a deployment.

Table 6 Smart grid publications

| Standard | Type | Description |
|---|---|---|
| IEEE 1686 | Design specifications and standards | Substation Intelligent Electronic Devices (IEDs) Cybersecurity Capabilities. Covers applying security controls to IEDs regarding the access, operation, configuration, firmware revision, and data retrieval |
| IEEE C37.240 | Design specifications and standards | Cybersecurity Requirements for Substation Automation, Protection, and Control Systems. Covers security controls implemented at the substation that factors in risk levels associated with the business practice and the cost associated with the technical control |
| NISTIR 7628 | Organization and process standards | Guidelines for Smart Grid Cybersecurity. Provides best practices for an asset owner deploying smart grid technology to consider security implications |

Table 7 ANSSI standards

| Standard | Type | Description |
|---|---|---|
| Cybersecurity for ICS | Organization and process standards | Classification method and key measures. Provides a mechanism to classify ICS based on acceptable risk and how to measure the classes defined |
| Cybersecurity for ICS | Organization and process standards | Detailed measures. Provides technical and organizational criteria needed for cybersecurity for new ICS systems that fall under industry 4.0ᵃ |

ᵃ Industry 4.0 is a European focus of industrial Internet of things where ICS systems are integrated to external systems via the Internet

⁷ https://www.kritis.bund.de/SubSites/Kritis/EN/strategy/strategy_node.html
⁸ http://www.iiconsortium.org

Personnel Training

Ensuring the personnel that design, build, manufacture, install, service, and operate critical infrastructure systems supports the general cyber-hygiene of an overall system. Qualified personnel who have capabilities to support the cyber-objectives of an installation drive overall competency. Some of those certified specifications are shown in Table 9.

Table 8 BSI specifications

| Standard | Type | Description |
|---|---|---|
| ICS Security Compendium | General | ICS Security Compendium. This is a great reference document that outlines the security in ICS procedures and the relevant standards globally that can support |
| CIP Implementation Plan | General | CIP Implementation Plan of the National Plan for Information Infrastructure Protection. Provides a national plan for securing the national information technology infrastructure based on prevention, preparedness, and sustainability |
| Baseline protection concept | Organization and process standards | Protection of Critical Infrastructures: Baseline Protection Concept. Provides facilities based in Germany with guidelines for the internal cybersecurity of the facility |

Table 9 Personnel training specifications

| Standard | Type | Description |
|---|---|---|
| CompTIA | Personnel training | CompTIAᵃ has several certifications with criteria for qualification around general cybersecurity, cloud systems, and security testing |
| EC-Council | Personnel training | EC-Councilᵇ has several training and certification programs with popularity around the ethical hacker courses |
| GIAC | Personnel training | GIACᶜ has several standard technology certification programs and specific criteria for ICS personnel |
| ISACA | Personnel training | ISACAᵈ focuses on training personnel for specific cybersecurity roles within an organization |
| (ISC)² | Personnel training | (ISC)²ᵉ qualifies different roles in cybersecurity and the required credentials |

ᵃ https://certification.comptia.org/certifications
ᵇ https://www.eccouncil.org/programs/
ᶜ https://www.giac.org/
ᵈ http://www.isaca.org/Certification/Pages/default.aspx
ᵉ https://www.isc2.org/Certifications
Summary

This chapter provided a list of cybersecurity standards and specifications, which can help in developing a good way to determine cyber-hygiene in critical infrastructure systems. However, one singular standard or specification cannot provide a truly holistic view of the cyber-capabilities of a facility’s implementation of systems and services. A combination of several “types” of standards would provide the best avenue to ensure that an organization is using the best capabilities readily available.

One of the first steps to help an asset owner determine this is to understand the nature of some of the cybersecurity and critical infrastructure risks. Several “general” standards can provide great insight for someone who is attempting to understand the landscape of a system. NIST SP 800-82 and the Industrial Internet Security Framework are both good places to start to get a good declaration on control systems and what is typically done to secure them.

The asset owner would then need to assess the current state of his/her system by using some of the identified “organization and process standards.” These standards, like the NIST Cybersecurity Framework, DOE’s Capability Maturity Model, or ANSSI’s cybersecurity for ICS, can provide an overall assessment of the current state of his/her system. Included in that is the need to examine the relevant staff charged with maintaining those systems and ensure they have the relevant credentials to execute on cybersecurity-related activities. Using some of the “personnel training” standards to assist candidates of the asset owner’s technical staff to increase their knowledge can help as well. Cybersecurity professionals can either learn on the job or be trained beforehand. Understanding the current state and capabilities of one’s current staff will provide an asset owner with a good understanding of where his/her organization currently is.
The next step is to use some of the identified “organization and process standards” to build a scalable plan to help identify a target or desirable state of the facility’s completed cybersecurity capabilities. A capability maturity model can help set up target capabilities and create a plan to get there. Using some of the “test and performance standards,” in combination with the “organization and process standards,” can provide asset owners with a way to measure how good the current facility is. NIST SP 800-53A, combined with IEC 62443-2-4 (which takes much of its input from NIST SP 800-53A), can evaluate the current state. This is what the NERC CIP standards in the bulk energy sector focus on by providing the criteria needed to perform an assessment of what an organization has built into its infrastructure to meet cybersecurity requirements.

Using procurement guidance to begin building procurement requirements for the supply chain of the facility would be another great step by informing system operators, installers, and maintenance teams of control systems, integrated technology systems, etc., of what is expected of them. The qualifications in installing and servicing equipment to make sure they meet a manufacturer’s stated specifications are crucial in meeting cybersecurity needs. Procurement language can also be driven into the entire supply chain of the infrastructure. “Design specifications and standards” and “test and performance standards” can then be used to document what criteria are needed for equipment and services and how those systems will be assessed. The design standards will provide technical criteria that must be met for a device, component, or system to be acquired, and the test standards can provide compliance criteria to evaluate and assess those capabilities. In this regard, the 62443-3-3, 62443-4-2, and DHS cybersecurity control documents can provide information to the supply chain of the technical security controls that are needed. UL 2900 can be used to evaluate and assess the supply chain’s devices, components, and systems, so a procurer can expect a trusted third party to perform assessments and provide a certified and qualified supply chain.

Manufacturers of the supply chain can then apply these “design specifications and standards” and “test and performance standards” to build the products to be used in the installation. Manufacturers in the supply chain can also apply “product development team processes” standards to ensure security is considered when building those products. These standards would focus on driving some of the best practices developed by leading organizations in delivering quality products and systems designed with cybersecurity risks in mind for the impacted product in certain implementations and factor in mitigation and control capabilities to minimize those risks. Manufacturers can even apply the same “organization and process standards” to their organizations as well to robustly build a team that can address security risks both inside the organization and for the processes used to build products for the industry. Ultimately, the manufacturer can apply the “personnel training” standards to qualify their technical resources in building their products, by pushing them through their own supply chains.
As has been demonstrated, asset owners can use an amalgam of these standards and specifications to provide robust capabilities for their systems. Most of these standards align with common best practices for systems in critical infrastructure globally, and are recognized by industry and cybersecurity professionals. Once maturity levels are defined, and plans are made to ascertain a certain level, the right standards, specifications, and guidance documents will align with an asset owner’s cybersecurity plans.
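The summary's supply-chain step, in which 62443-3-3 and 62443-4-2 tell suppliers which security level each of the seven functional requirements must reach, can be checked per requirement rather than as one headline number. The sketch below is an added example, not taken from the chapter or from the standards; the zone and component names, all level values, and the use of 0 for "no capability claimed" are constructed assumptions.

```python
from dataclasses import dataclass

# The seven functional requirements listed for IEC 62443-1-1 in Table 2.
FUNCTIONAL_REQUIREMENTS = (
    "Identification and authentication control",
    "Use control",
    "System integrity",
    "Data confidentiality",
    "Restricted data flow",
    "Timely response to events",
    "Resource availability",
)
MAX_LEVEL = 4  # security levels run from one to four per requirement


@dataclass(frozen=True)
class LevelVector:
    """One security level per functional requirement, in the order above."""
    name: str
    levels: tuple

    def __post_init__(self):
        if len(self.levels) != len(FUNCTIONAL_REQUIREMENTS):
            raise ValueError(f"{self.name}: need {len(FUNCTIONAL_REQUIREMENTS)} levels")
        for level in self.levels:
            # Assumption: 0 means "no capability claimed" for that requirement.
            if type(level) is not int or not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{self.name}: level {level!r} outside 0..{MAX_LEVEL}")


def gaps(target, capability):
    """Return {requirement: (required, offered)} for every shortfall."""
    return {
        fr: (need, have)
        for fr, need, have in zip(FUNCTIONAL_REQUIREMENTS, target.levels, capability.levels)
        if have < need
    }


def meets(target, capability):
    """A component fits the zone only if no requirement falls short."""
    return not gaps(target, capability)


def naive_meets(target, capability):
    """The mistake to avoid: comparing a single headline level."""
    return max(capability.levels) >= max(target.levels)


def procurement_report(target, candidates):
    """Rank candidates by total shortfall; fully compliant ones come first."""
    rows = []
    for cand in candidates:
        shortfall = gaps(target, cand)
        total = sum(need - have for need, have in shortfall.values())
        rows.append((total, cand.name, shortfall))
    rows.sort(key=lambda row: (row[0], row[1]))
    return [(name, "meets target" if not sf else "gap", sf) for _, name, sf in rows]


# Constructed sample data: a target for one zone and three candidate components.
ZONE = LevelVector("substation control zone", (3, 3, 3, 2, 3, 2, 3))
RTU_A = LevelVector("RTU-A", (3, 3, 3, 2, 3, 2, 3))
GATEWAY_B = LevelVector("Gateway-B", (4, 4, 4, 4, 1, 1, 4))
PLC_C = LevelVector("PLC-C", (2, 3, 3, 2, 3, 2, 3))

if __name__ == "__main__":
    for name, verdict, shortfall in procurement_report(ZONE, [GATEWAY_B, RTU_A, PLC_C]):
        print(f"{name}: {verdict}")
        for fr, (need, have) in shortfall.items():
            print(f"  {fr}: requires {need}, offers {have}")
```

Gateway-B claims level 4 on five requirements and passes the headline comparison, yet it falls short on restricted data flow and timely response to events, which is the case a per-requirement check exists to catch.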
Consequence-Based Resilient Architectures

Curtis St. Michel and Sarah Freeman

Abstract

As described in Lee et al., cyber-attackers conducted a coordinated, multifaceted operation against three distribution companies on 23 December 2015, resulting in a customer outage of nearly 4 hours. The significance in this event does not originate from the infiltration of the electric sector; on the contrary, Gorman, Toppa, Perlroth, Dearden, and Borger indicate they have been compromised before and will continue to be compromised in the future. Nor was this event significant because it harkened the arrival of some previously unknown, sophisticated industrial control system (ICS) malware, as Karnouskos, Fidler and Matrosov et al. argued was the case with Stuxnet. Rather, the significance of the December 2015 event stems from the means by which the attackers interfaced with and, ultimately, used the energy system design to their advantage.

The Challenges of Security by Design

As described in Lee et al. [1], cyber-attackers conducted a coordinated, multifaceted operation against three distribution companies on 23 December 2015, resulting in a customer outage of nearly 4 hours. The significance in this event does not originate from the infiltration of the electric sector; on the contrary, Gorman [2], Toppa [3], Perlroth [4], Dearden [5], and Borger [6] indicate they have been compromised before and will continue to be compromised in the future. Nor was this event significant because it harkened the arrival of some previously unknown, sophisticated industrial control system (ICS) malware, as Karnouskos [7], Fidler [8] and Matrosov et al. [9] argued was the case with Stuxnet. Rather, the significance of the December 2015 event stems from the means by which the attackers interfaced with and, ultimately, used the energy system design to their advantage.
C. St. Michel (*) · S. Freeman (*)
Control Systems Cybersecurity Analyst, Idaho National Laboratory, Idaho Falls, ID, USA
e-mail: Curtis.StMichel@inl.gov; Sarah.Freeman@inl.gov
© Springer Nature Switzerland AG 2019
C. Rieger et al. (eds.), Industrial Control Systems Security and Resiliency, Advances in Information Security 75, https://doi.org/10.1007/978-3-030-18214-4_2

Engineering controls are the result of countless hours of analysis, during which design engineers validate the safety, reliability, and functionality of a designed system. One prevalent method for validation is failure mode and effects analysis (FMEA), a systematic approach for proactively identifying where and how a system might fail, as well as any potential resulting impact. FMEA and its variants, such as failure mode, effects, and criticality analysis (FMECA) and multi-attribute failure mode analysis (MAFMA) [10], are linked in their failure to properly consider cyber-events and their potential impact to reliability and, ultimately, the resiliency of a designed system.

As additional digital components have been introduced into traditionally analog systems, the risk associated with equipment failure shifts. This is due in part to a change in the device controls themselves, as well as the possibility for additional malicious activity directed against this equipment. For example, cyber-attacks can be multiplied by employing attacks that rely on both the visibility of digital sensors and data aggregators and the manipulation of the engineering control algorithms themselves [11]. Although these changes in technology can provide a wealth of data management opportunities and improved efficiency, this shift has also posed a challenge for individuals and organizations tasked with securing this equipment.

The shift toward an increased reliance on digital technology harkens the arrival of a new reality in which these systems and technology can be used for increasingly sophisticated cyber-attacks. Events against electric grids worldwide since 2015 highlight the distinct difference in targeted and untargeted cyber-attacks and the failure of perimeter cyber-defense to combat directed attacks. Today traditional cyber-hygiene and best practices, although important, are no longer sufficient to stop targeted cyber-attacks.
At the same time, traditional FMEA and its variants must evolve to address both adversary capability and consumer demand for technology so that reliability, safety, and resiliency of these critical engineered systems continue.

The Vulnerability Mitigation Cycle

Vulnerability assessments are a requirement for North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance and are intended to limit the possibility of a cyber-attack against the bulk electric system (BES); numerous guides have been written, and research has been conducted to optimize these activities, most notably by Sandia National Laboratories [12]; Ten et al. [13]; and Ralston et al. [14]. This technique is fundamentally limited to known vulnerabilities or the zero-day vulnerabilities that may be found by a cybersecurity researcher as part of that assessment, however. Additionally, organizations and vendors frequently also employ a vulnerability/mitigation strategy that involves the application of patches as new vulnerabilities become known. The fundamental result of this system is one in which the individual vulnerabilities that are identified and mitigated focus primarily on known adversary capabilities and exploits. Therefore, a proactive vulnerability management strategy becomes inherently reactive.

Unfortunately, given the speed at which new vulnerabilities are identified, organizations face an uphill battle in securing their operational technology (OT) space.
Vulnerabilities with some of the greatest potential for weaponization, zero days, are so named due to the fact that they are vulnerabilities in systems that were otherwise unknown, with no patching available at the time of their discovery. In 2013, the number of zero-day (0-day) vulnerabilities discovered doubled from the previous year to 23. Between 2014 and 2015, there was a 125% increase in the number of vulnerabilities to 52, leading Symantec [15] to theorize that zero days have been “professionalized,” a critical tool for state-sponsored activity. Security is also complicated by the white phase of the zero-day life cycle, when a patch has been released but in many cases has not yet been applied. Dacier et al. [16] noted a five times increase in the malicious use of zero-day vulnerabilities, after they had been disclosed, highlighting the continued risk posed to organizations even later in the vulnerability life cycle. This finding is shared by Ablon and Bogart [17], a recent review that evaluated more than 200 zero days over 14 years (2002–2016), which found that the average “life expectancy” following discovery of a zero-day vulnerability averaged 6.9 years. In 25% of these cases, life expectancy for these vulnerabilities averaged more than 9.5 years. Within the ICS/Supervisory Control and Data Acquisition (SCADA) space, where patches occur far less frequently, it is possible that life expectancy is even higher.

In general, OT is patched far less frequently than its information technology (IT) cousin. Tom et al. [18] note that legacy systems are typically patched late, if patched at all, in part due to “...their service age, proprietary nature, perceived obsolescence, or simply because the patches are unavailable.” The result is that vulnerabilities, zero days or not, can be used to exploit OT for several years and, given the rate at which new vulnerabilities emerge and the lack of infinite resources to devote to cybersecurity, complete mitigation through patching cannot be expected.

How, then, can organizations protect themselves from the inevitable stream of vulnerabilities? The best approach may be not to focus on the vulnerabilities, but to introduce resiliency into the technical designs themselves, through methods of consequence-based analysis.

Consequence-Driven Cyber-Informed Engineering

Introduced by St. Michel et al. [19], Consequence-driven Cyber-informed Engineering (CCE) is one method to address the organizational risk posed by increasingly sophisticated cyber-attacks. Rather than focus solely on the vulnerability mitigation cycle, CCE prioritizes cybersecurity response capabilities based on impact and, ultimately, the potential severity of a cyber-attack. In this way, CCE addresses the most significant threat to an organization’s critical functions and services in a resource-constrained environment.

The motivation for the development of CCE stemmed in part from the development of increasingly sophisticated adversary capabilities and the corresponding challenges associated with the vulnerability mitigation cycle. CCE also originated from the increasingly prevalent (if not pessimistic) view that perfect (or even near perfect) cybersecurity protection is a mirage and something that cannot be realistically achieved [20]. If this view is to be adopted, then any organization is limited in its ability to develop suitable responses to the threat of cyber-attack. In many cases, the challenge of securing critical systems, processes, and procedures from a sophisticated, targeted, state-sponsored cyber-attack exceeds the capabilities of the organization.

The problem of security is compounded by the increasingly varied cyber-boundaries of an organization. An electric utility, for example, expects to exchange some amount of operational information with other utilities, especially those whose infrastructure they interface with or with whom they conduct electricity market transactions.

The cyber-boundary has also shifted through the adoption of emerging technology. In late March–early April 2018, three US pipeline companies experienced communications system disruptions after a third-party provider experienced a cyber-attack [21]. The affected system existed on the boundary of the organizations, and although it did assist with operational activity – by providing communications support to the pipeline customers and their purchases – it did not fundamentally inhibit the delivery of product. Operationally, transactions were able to continue, albeit at a slower pace. Still, the event highlights cybersecurity challenges. Traditional definitions and boundaries of the electronic perimeter have become obfuscated by technology intended to improve or streamline operational activity.

If perfect or near perfect cybersecurity is not a possibility, how can organizations respond to the potential risk of a cyber-attack?
One idea gaining additional traction is the concept of cyber-insurance, a risk management approach in which the individual or organization provides an insurance premium to transfer the risk to an insurance company [20]. In the event of a cyber-attack, the cost of the event would be distributed among the collective pool of individuals and organizations purchasing insurance. The market for cyber-insurance continues to grow; Romanosky et al. [22] note that with less than $1 billion in premiums in 2012, estimates are as high as $20 billion by 2020. Still, several barriers to an effective cyber-insurance market persist. For example, in spite of the growth, the cost associated with a cyber-event greatly outweighs the cyber-insurance market, with estimated global costs of $445 billion a year [23]. Another issue for insurance companies is how to underwrite and define the risk they are willing to absorb and the cyber-incidents they are willing to cover. Related questions include how to quantify an organization’s protection or exposure and what cybersecurity components, exactly, are the responsibility of a single organization? What degree of protection is a reasonable expectation?

To develop a healthy insurance market, insurance companies must deem the market space profitable; that is, the profit gained from underwriting risk cannot be eclipsed by the financial loss of an actual cyber-attack. Boundaries must limit what is within the responsibility of an organization and the insurer and what is beyond both of them. Within that gap area, the federal government must step in as the insurer of last resort, belaying some of the risk. Without federal government participation, the cyber-insurance market cannot expand to meet the safety needs.
Without a flourishing cyber-insurance market, organizations must adopt alternative strategies to mitigate the risk associated with cyber-attacks. CCE aims to fill that gap by providing a scalable cybersecurity framework that can be employed by an individual, organization, or government and customized based on their own risk tolerance.

The “Future” Analysis Problem and Consequence Prioritization

As noted previously, one of the primary challenges in developing secure cyber-systems stems in part from the speed at which adversary capabilities evolve. Organizations are caught in a constant cycle of vulnerability identification and mitigation based on the latest vendor advisories and threat reports. The main issue with this approach, however, is that organizations maintain a reactive posture, responding and mitigating vulnerabilities only after they have been identified.

As many have noted, it is difficult to make predictions, especially about the future. This view is echoed by Colbaugh and Glass [24], who note that the “fundamental issues associated with the dynamics and predictability of the coevolutionary ‘arms race’ between attackers and defenders has yet to be resolved.” Although academic efforts have aimed to provide clarity on the means of prediction related to the potential exploitation of a specific vulnerability [24, 25], these pieces are limited in their tendency to assume a correlation between current adversary activity and future capability, or that existing vulnerability scoring systems correlate to the cyber-risk posed to an organization (i.e., the likelihood that a vulnerability will be exploited). In reality, there is a complex system that dictates whether a specific vulnerability will be targeted, one that is based on a variety of factors including existing capability, funding, motivation (e.g., desired end effect), and state-sponsor interest. From an organization’s perspective, the challenge of identifying the most significant risk is vast.
In spite of the challenges associated with determining the risk of a cyber-attack, organizations need a method to prioritize resources within a resource-constrained environment. Organizations cannot expect to eliminate the risk (eliminate all of the vulnerabilities); they must therefore identify the means to persist in spite of the risk. Risk is often defined within the context of the equation:

Risk = Probability × Impact

Given this definition, it is possible to describe risk in terms of the potential impact or consequence. If constant probability is assumed, then there is a proportional relationship between risk and impact. Even without an assumption of a constant for probability, the potential impact of an event can still yield significant risk. CCE works within this construct to identify the most significant cyber-events (those with