📚 Book Review · IACS UR E26 / E27 · ICS / OT Security · Maritime OT
[BOOK] Industrial Control System Security (3/8)
Chapter 3 Deep Dive: Host Security Fundamentals from an IACS UR E26 / E27 Perspective
⚓ Blue Horizonist · Maritime and Cyber Security Consultant / ISP Consultant
📅 March 15, 2026
Book Information
Industrial Control System Security
Author: Pascal Ackerman · Published: 2019 · Korean Edition: Acon
Principal Industrial Cybersecurity Consultant @ Rockwell Automation (since 2015) · 15+ years in large-scale industrial systems & network security
Once the boundaries are defined (Chapter 2 — Network Architecture), the question becomes: "How do we protect the assets inside those boundaries?" Even with perfect network segmentation, internal compromise cannot be prevented if the Host itself is vulnerable. Chapter 3 answers precisely this question, addressing security controls at the Host level and mapping them directly to IACS UR E26 and E27 requirements.
Book Flow: Chapter 1 Nature of ICS (Operational Characteristics) → Chapter 2 Network Architecture (IDMZ · VLAN · Firewall) → Chapter 3 Host Security (Hardening · Credentials)
Attack Scenarios Occurring at the Host Level: Browser Exploits · SAM Dump · Privilege Escalation · Misuse of Service Accounts
All of these occur at the Host level. Chapter 3 answers: "How does a Host protect itself once an attacker has penetrated the OT network?"
UR E26 / E27 Relevance: Malicious Code Protection · Authorization Enforcement · Account / Identifier / Authenticator Management · Security Configuration Guideline
Chapter 3 — Overall Structure: Host Security Fundamentals
3.1 Host Hardening — Reducing the baseline attack surface
3.2 Allow-list Based Execution Control — Code execution control
3.3 Patch Management — Vulnerability mitigation strategy
3.4 Credential Protection — Preventing privilege escalation
3.1 Host Hardening — Why Does It Come First?
The essence of Host Hardening is: "Reduce the attack surface." This is one of the most fundamental principles in security theory. In OT environments where EDR and antivirus agents are often restricted, hardening becomes the primary line of defense.
What Constitutes an Attack Surface?
Unnecessary services
Open ports
Default accounts
Excessive privileges
Default configuration states
The FileZilla service account example illustrates: "If a service runs with administrator privileges, the entire system becomes exposed to risk."
① Applying the Principle of Least Privilege
· Services should run under restricted accounts rather than Administrator accounts
· Remove unnecessary local administrator privileges
· Do not use Domain Admin accounts on the Engineering Workstation (EWS)
· Disable SMB if it is not required
· Restrict RDP access
· Remove unnecessary browsers
③ Security Configuration Baseline
→ Configuration based on CIS Benchmark
→ Use OT-specific hardened system images — aligns with UR E26 Security Configuration Guideline
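The hardening items above can be checked on an actual Windows EWS or HMI. The script below is an added example, not code from the book or from this post: a read-only audit that reports third-party services running under privileged accounts, domain principals in the local Administrators group, SMB and RDP exposure, and installed browsers. The browser install paths and the "two members at most" threshold for the Administrators group are assumptions for illustration.

```powershell
# Added example (not from the book or this post): read-only hardening audit for
# a Windows EWS/HMI. Run from an elevated PowerShell session; it changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-HostHardeningAudit {
    $findings = New-Object System.Collections.Generic.List[string]
    $systemRoot = [regex]::Escape($env:SystemRoot)

    # 1. Third-party services running as LocalSystem or an Administrator account
    #    (the FileZilla lesson). Windows' own services are skipped to reduce noise.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and
                       $_.PathName -notmatch $systemRoot -and
                       $_.StartName -match 'LocalSystem|Administrator' } |
        ForEach-Object { $findings.Add("Service '$($_.Name)' runs as $($_.StartName): $($_.PathName)") }

    # 2. Local Administrators group: no domain principals on the EWS, and only the
    #    built-in account plus one break-glass account (assumed threshold of 2).
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    foreach ($m in $admins) {
        if ($m.Name -like '*\Domain Admins' -or $m.PrincipalSource -eq 'ActiveDirectory') {
            $findings.Add("Administrators contains domain principal '$($m.Name)'")
        }
    }
    if ($admins.Count -gt 2) { $findings.Add("Administrators has $($admins.Count) members; review against the approved list") }

    # 3. SMB: a running Server service exposes file shares; SMB1 is always a finding.
    if ((Get-Service -Name LanmanServer).Status -eq 'Running') {
        $findings.Add('SMB Server service (LanmanServer) is running; disable it if no share is required')
    }
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings.Add('SMB1 is enabled') }

    # 4. RDP: enabled without Network Level Authentication is the weakest state.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
        $findings.Add('RDP is enabled; restrict it to the jump host or disable it')
        if ((Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -ne 1) {
            $findings.Add('RDP does not require Network Level Authentication')
        }
    }

    # 5. Browsers: default install paths of common browsers (assumed list).
    $browsers = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($b in $browsers) { if (Test-Path $b) { $findings.Add("Browser installed: $b") } }

    return $findings
}

Invoke-HostHardeningAudit | ForEach-Object { Write-Output "[FINDING] $_" }
```

Each finding maps to one of the least-privilege items in the list above; the script deliberately only reports, so that remediation goes through the change process described later in the chapter rather than being applied ad hoc on a running host.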
3.2 Allow-list Based Security — Why Is It Essential in OT?
The key message from the Symantec CSP example: "Only allowed code should be executed." In OT environments, applications are largely fixed and system changes are rare, making allow-listing far more effective than blacklisting.
IT Environment: Users can freely install applications → Blacklist-based security (AV, EDR)
OT Environment: Applications fixed · Changes rare → Allow-list far more effective
Allow-list Technologies: Hash-based execution control · Digital signature verification · Kernel-level code integrity · Secure Boot with TPM
Attacks Prevented: Meterpreter execution · Reverse shell payloads · Malware droppers · Script injection
→ UR E26 test items: Malicious Code Protection and Use Control for Mobile Code. During testing, verify that unauthorized executables are blocked.
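Hash-based and signature-based execution control, and the test step of confirming that an unauthorized executable is blocked, can be exercised with Windows AppLocker. The following is an added example, not code from the book and not Symantec CSP: it builds a publisher-plus-hash allow-list from the fixed OT application folders, evaluates a file outside the list against the policy without enforcing it, and collects the AppLocker block events that serve as test evidence. The vendor folder names, the policy file path and the test file path are placeholders.

```powershell
# Added example (not the book's code, not Symantec CSP): AppLocker allow-list for a
# fixed OT application set, with a non-enforcing verification step.
# Folder names, policy path and test file are placeholders for the real installation.

$allowedDirs  = @("$env:ProgramFiles\VendorHMI", "$env:ProgramFiles\VendorEngineeringTool")  # placeholders
$policyFile   = 'C:\OTSec\allowlist-policy.xml'                                             # placeholder
$unauthorized = 'C:\Users\Public\Downloads\unknown-tool.exe'                                # placeholder

function New-OtAllowListPolicy {
    # Collect publisher and hash information for every executable, DLL and script
    # under the allowed folders. Publisher rules survive vendor updates of signed
    # files; hash rules cover unsigned files and must be regenerated after any change.
    $fileInfo = foreach ($dir in $allowedDirs) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
    }
    $xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
    Set-Content -Path $policyFile -Value $xml -Encoding UTF8
    return $policyFile
}

function Test-OtAllowList {
    param([string[]]$Paths)
    # Evaluates files against the policy without enforcing it. PolicyDecision is
    # Allowed, Denied, or DeniedByDefault (no rule matched, so the implicit deny applies).
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AllowListBlockEvents {
    # Once the policy is applied, AppLocker logs 8004 (blocked) and, in AuditOnly mode,
    # 8003 (would have been blocked). These records are the evidence for the UR E26 test.
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8003, 8004 } |
        Select-Object TimeCreated, Id, Message
}

New-OtAllowListPolicy | Out-Null
Test-OtAllowList -Paths $unauthorized      # expected: DeniedByDefault for the placeholder file
# Enforcement is deliberately not run here: Set-AppLockerPolicy -XmlPolicy $policyFile
# with the Application Identity service (AppIDSvc) running. Start in AuditOnly mode on
# the test bench, review the 8003 events, then switch to Enforce.
Get-AllowListBlockEvents
```

The sequence mirrors the OT reasoning in the section: because the application set is fixed, the policy can be generated once from the known-good installation, and anything not covered by a publisher or hash rule is denied by default.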
3.3 Patch Management — Why Must OT Approach It Differently?
The WSUS example demonstrates not just a configuration approach but a philosophy. The fundamental dilemma: Applying patches risks system downtime; not applying patches exposes vulnerabilities. OT environments typically adopt risk-based patching.
IT Environments ⚡ Patch ASAP
OT Environments 🔍 Patch After Validation
Typical OT Patch Strategy
→ Confirm vendor validation
→ Perform pre-testing in a test bench
→ Apply patches during a maintenance window
→ Prepare a rollback plan
→ Maintain N-1 or N-2 version strategies · Firmware updates require stricter control
UR E26/E27 alignment: Security Functionality Verification · Maintenance & Verification Plan · Secure Development Lifecycle
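The risk-based process above produces two artefacts a host can be checked against: the list of updates that passed vendor validation and test-bench testing, and the requirement that hosts take updates only from the internal WSUS server at the maintenance window. The script below is an added example, not the book's WSUS configuration: it reports approved updates missing from the host, updates installed after the baseline that were never validated, and update-source policy settings that would let patches bypass the process. The KB numbers, baseline date and WSUS URL are placeholders.

```powershell
# Added example (not the book's WSUS setup): patch compliance check for one host.
# Approved KBs, baseline date and WSUS URL are placeholders for your validation records.

$approvedKBs  = @('KB0000001', 'KB0000002')     # placeholder: released after test-bench validation
$baselineDate = Get-Date '2026-01-01'           # placeholder: date of the last validated image
$expectedWsus = 'http://wsus.ot.example:8530'   # placeholder: internal WSUS server

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PatchComplianceReport {
    $hotfixes  = Get-HotFix
    $installed = $hotfixes.HotFixID

    # Approved patches that never reached the host (missed maintenance window)
    $missing = @($approvedKBs | Where-Object { $_ -notin $installed })

    # Patches installed after the baseline that nobody validated (process bypassed)
    $unvalidated = @($hotfixes |
        Where-Object { $_.InstalledOn -gt $baselineDate -and $_.HotFixID -notin $approvedKBs } |
        Select-Object HotFixID, InstalledOn)

    # Update-source policy: only the internal WSUS server, and no automatic install.
    # AUOptions 3 = download and notify; 4 = download and install on schedule.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $policyIssues = @()
    if ((Get-RegValue $au 'UseWUServer') -ne 1 -or (Get-RegValue $wu 'WUServer') -ne $expectedWsus) {
        $policyIssues += "Update source is not the validated WSUS server ($expectedWsus)"
    }
    if ((Get-RegValue $au 'NoAutoUpdate') -ne 1 -and (Get-RegValue $au 'AUOptions') -eq 4) {
        $policyIssues += 'Automatic install is enabled; patches could apply outside the maintenance window'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MissingKBs     = $missing
        UnvalidatedKBs = $unvalidated
        PolicyIssues   = $policyIssues
        Compliant      = ($missing.Count -eq 0) -and ($unvalidated.Count -eq 0) -and ($policyIssues.Count -eq 0)
    }
}

Get-PatchComplianceReport | Format-List
```

Running this after each maintenance window gives the per-host record that the Maintenance & Verification Plan in UR E27 asks for, and a non-empty UnvalidatedKBs list is the signal that something was patched outside the validated path.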
3.4 Credential Protection — Blocking the Critical Phase of an Attack
SAM dump, UAC bypass, and privilege escalation represent critical phases of the attack chain. "The success or failure of an attack often depends on privilege escalation." In OT, administrator privileges on an EWS or HMI can directly translate into the ability to modify PLC logic: Credential compromise = Control over industrial processes.
① Authentication Strength: Password complexity · Account lockout policy · MFA (where possible)
② Credential Storage Protection: LSA Protection · Credential Guard · NTLM restrictions · Prevention of hash reuse
③ Prevention of Privilege Escalation: Strengthened UAC configuration · Separation of local administrator accounts · Minimal privileges for service accounts
UR E26 alignment: Human User Identification & Authentication · Account Management · Identifier / Authenticator Management · Authorization Enforcement
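The three groups of controls above correspond to concrete Windows settings. The script below is an added example, not from the book: it audits a Windows EWS or HMI for account lockout, LSA Protection, Credential Guard, WDigest credential caching, NTLM restrictions and the UAC settings that govern privilege escalation and remote use of local administrator tokens, reporting each deviation from the hardened value.

```powershell
# Added example (not from the book): audit of credential-protection controls on a
# Windows EWS/HMI. Each check compares a registry or system value with the expected
# hardened setting and reports deviations. Run from an elevated session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-CredentialProtectionAudit {
    $findings = New-Object System.Collections.Generic.List[string]
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # ① Authentication strength: account lockout, read from the local policy summary
    $lockout = (net accounts) | Select-String 'Lockout threshold'
    if ($lockout -and $lockout.Line -match 'Never') { $findings.Add('Account lockout threshold is not set') }

    # ② Credential storage: LSA as a protected process (RunAsPPL, 2 = UEFI-locked) keeps
    #    LSASS memory unreadable; Credential Guard isolates NTLM hashes and Kerberos keys;
    #    WDigest must not keep plaintext passwords in memory.
    if ((Get-RegValue $lsa 'RunAsPPL') -notin @(1, 2)) { $findings.Add('LSA Protection (RunAsPPL) is not enabled') }
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg -or 1 -notin @($dg.SecurityServicesRunning)) { $findings.Add('Credential Guard is not running') }
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if ((Get-RegValue $wdigest 'UseLogonCredential') -eq 1) { $findings.Add('WDigest caches plaintext credentials (UseLogonCredential = 1)') }

    #    NTLM restrictions: LmCompatibilityLevel 5 = NTLMv2 only, refuse LM and NTLM;
    #    RestrictSendingNTLMTraffic 2 = deny outgoing NTLM (1 = audit only).
    if ((Get-RegValue $lsa 'LmCompatibilityLevel') -ne 5) { $findings.Add('LmCompatibilityLevel is not 5 (NTLMv2 only)') }
    if ((Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic') -ne 2) { $findings.Add('Outgoing NTLM is not denied') }

    # ③ Privilege escalation: UAC on, administrators always prompted, the built-in
    #    Administrator filtered too, and no remote use of local admin tokens (hash reuse).
    if ((Get-RegValue $uac 'EnableLUA') -ne 1) { $findings.Add('UAC is disabled') }
    if ((Get-RegValue $uac 'ConsentPromptBehaviorAdmin') -eq 0) { $findings.Add('Administrators elevate without any prompt') }
    if ((Get-RegValue $uac 'FilterAdministratorToken') -ne 1) { $findings.Add('Built-in Administrator is exempt from UAC') }
    if ((Get-RegValue $uac 'LocalAccountTokenFilterPolicy') -eq 1) {
        $findings.Add('Remote UAC restrictions disabled; local administrator hashes are usable over the network')
    }

    return $findings
}

Invoke-CredentialProtectionAudit | ForEach-Object { Write-Output "[FINDING] $_" }
```

The findings line up with the attack chain named at the start of this section: RunAsPPL, Credential Guard and WDigest address the SAM/LSASS dump, the NTLM and LocalAccountTokenFilterPolicy checks address hash reuse, and the UAC checks address the privilege escalation step that turns a compromised EWS account into control of the process.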
Chapter 3 — Defense-in-Depth Host Layer Architecture
| Host Security Layer | UR E26 Related Test Item | UR E27 Documentation Element |
|---|---|---|
| 3.1 Host Hardening | Malicious Code Protection | Security Configuration Guideline |
| 3.2 Allow-list Execution | Use Control for Mobile Code | Malicious Code Protection Plan |
| 3.3 Patch Management | Security Functionality Verification | Maintenance & Verification Plan |
| 3.4 Credential Protection | Human User ID & Authentication | Account / Authenticator Management |
When an attacker passes the network boundary (Chapter 2) and reaches a Host, the system reduces the attack surface through Hardening, controls execution through Allow-listing, reduces vulnerabilities through Patch Management, and prevents privilege escalation through Credential Protection. This is the fundamental structure of Host Security Fundamentals.
#ICSsecurity #OTsecurity #HostHardening #CyberResilience #IACS #URE26 #URE27 #MaritimeCyberSecurity #PatchManagement #Maritime40
⚓ Captain Ethan · Maritime 4.0 · AI, Data & Cyber Security
Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together. (👉 Main page: https://shippauljobs.blogspot.com/)