Industrial control systems (ICSs) have grown increasingly connected to the Internet over the past decade, a trend showing no signs of slowing down. Though the accelerated connectivity of the ICS has helped to optimize automation, it has also exposed new operational risks and cyber threats. As evidenced by the recent appearance of Industroyer/CrashOverride and Triton, we are clearly experiencing a rising tide of targeted attacks on ICSs and operational technology (OT) networks.
To develop a truly comprehensive approach, it’s important for industrial companies to heighten capabilities for real-time visibility and threat detection within their OT environments that complement IT processes and existing cybersecurity infrastructure. As a user seeking world-class operations, continuous improvement and risk management, you must be able to evaluate the best solution for your needs.
The first step in this assessment process involves the recognition that the typical ICS environment is multi-tiered—consisting of various network segments, such as Ethernet TCP/IP, cellular, LAN, serial control and remote/intelligent I/O. The disparate and often proprietary nature of OT networks means that some segments—and the communications between them—cannot be monitored using traditional network and cybersecurity tools.
To address this, leading ICS cybersecurity solutions extend the visibility of IT cybersecurity into OT environments. These solutions generally deploy non-intrusively, observing traffic passively rather than sitting inline, and provide visibility and detection across all corners of complex OT networks. For example, when an engineering workstation sends data to remote terminal units (RTUs), Nozomi Networks’ SCADAguardian distinguishes between the case where the RTU itself is being addressed and the case where the RTU is being used as a gateway to a downstream physical device. In the gateway case, a conventionally secured industrial network is exposed to attackers through that nested node, without network security personnel even being aware that the connection exists.
A hybrid approach to threat detection
New forms of malware are emerging on a weekly basis. This reality requires a multi-faceted approach to threat detection, empowering users to be attentive, responsive and proactive in their ICS cybersecurity posture. To achieve this, the best ICS cybersecurity solutions offer a hybrid approach to cyber threat detection, combining behavior-based anomaly detection with rules-based analysis.
Behavior-based anomaly detection is foundational to any ICS cybersecurity approach. The ability to non-intrusively learn and monitor all traffic within an OT network enables the user to identify would-be cyber threats, with context, that would otherwise go unnoticed by conventional controls such as industrial firewalls and agent-based security information and event management (SIEM) collection.
Achieving a useful level of contextual analysis is what separates behavior-based anomaly detection from conventional cybersecurity. The difference lies in a solution’s ability to correlate many individual anomalies across a geo-distributed, multi-tiered network and test whether they vary together. Thousands of alerts often share a single root cause, so identifying the underlying culprit is critical to fast forensic analysis and remediation.
Using a rich analytics engine and artificial intelligence (AI) techniques, SCADAguardian identifies both process and communication anomalies, including correlations with process data readings and critical state awareness. Examples of detected anomalies include devices added to or modified within the network, irregular commands, and communication changes such as bandwidth and latency variances. This contextual correlation allows SCADAguardian to rapidly organize, aggregate and assess anomalies according to threat category, risk level and location within the network.
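To make the baseline-then-correlate idea concrete, here is an added illustration (not SCADAguardian’s code or algorithms) of the three anomaly classes the paragraph names. It learns the device set, the set of (source, destination, function code) conversations and per-conversation byte statistics from a learning-phase capture, scores new flows against that baseline with a category, risk level and network location, and then groups the resulting anomalies by the host that explains them. The flow records, the asset map and the 3-sigma bandwidth threshold are constructed for the example; a real product would learn the asset inventory from the traffic as well.

```python
"""Passive baseline learning and contextual correlation of OT anomalies.

Added illustration, not SCADAguardian's code. Flow records, the asset map and
the thresholds below are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One observed conversation in a monitoring window (constructed records)."""
    src: str
    dst: str
    func: int       # Modbus function code, e.g. 3 = read holding registers
    nbytes: int     # bytes carried by that conversation in the window


# Constructed asset inventory: address -> (role, segment). A real monitor
# would learn this from the traffic rather than have it hand-written.
ASSETS = {
    "10.1.0.5": ("engineering-workstation", "control-LAN"),
    "10.1.0.9": ("hmi", "control-LAN"),
    "10.2.0.20": ("rtu", "substation-A"),
    "10.2.0.21": ("rtu", "substation-A"),
}
# Write-type Modbus function codes carry more risk than reads.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


class Baseline:
    """Learn what normal looks like from a passive capture, then score new flows."""

    def __init__(self, learning: list[Flow]):
        self.devices = {f.src for f in learning} | {f.dst for f in learning}
        self.conversations = {(f.src, f.dst, f.func) for f in learning}
        sizes = defaultdict(list)
        for f in learning:
            sizes[(f.src, f.dst, f.func)].append(f.nbytes)
        # Per-conversation byte mean and standard deviation for bandwidth checks.
        self.stats = {k: (mean(v), pstdev(v)) for k, v in sizes.items()}

    def score(self, flow: Flow) -> list[dict]:
        """Return anomalies for one flow, each with category, risk and location."""
        out = []
        loc = ASSETS.get(flow.dst, ("unknown", "unknown"))[1]
        for host in (flow.src, flow.dst):
            if host not in self.devices:   # device never seen during learning
                out.append({"category": "new-device", "risk": "high",
                            "location": loc, "cause": host, "flow": flow})
        key = (flow.src, flow.dst, flow.func)
        if key not in self.conversations:  # known hosts, but a new command path
            risk = "high" if flow.func in WRITE_FUNCS else "medium"
            out.append({"category": "new-command", "risk": risk,
                        "location": loc, "cause": flow.src, "flow": flow})
        elif key in self.stats:            # known path, check volume
            mu, sd = self.stats[key]
            if abs(flow.nbytes - mu) > 3 * max(sd, 1.0):
                out.append({"category": "bandwidth", "risk": "low",
                            "location": loc, "cause": flow.src, "flow": flow})
        return out


def correlate(anomalies: list[dict]) -> dict[str, list[dict]]:
    """Group anomalies by the host that explains them (the common root cause)."""
    groups = defaultdict(list)
    for a in anomalies:
        groups[a["cause"]].append(a)
    return dict(groups)


# Constructed learning-phase traffic: workstation polls RTU .20, HMI polls RTU .21,
# and the workstation occasionally writes registers to RTU .20.
LEARNING = ([Flow("10.1.0.5", "10.2.0.20", 3, n) for n in (120, 118, 122, 119)]
            + [Flow("10.1.0.9", "10.2.0.21", 3, n) for n in (80, 82, 79, 81)]
            + [Flow("10.1.0.5", "10.2.0.20", 16, 60)])

# Constructed monitoring-phase traffic.
MONITORED = [
    Flow("10.1.0.5", "10.2.0.20", 3, 121),   # normal
    Flow("10.1.0.9", "10.2.0.21", 3, 400),   # bandwidth spike, 5x the learned size
    Flow("10.1.0.9", "10.2.0.20", 16, 64),   # HMI writing to an RTU it never wrote to
    Flow("10.9.9.9", "10.2.0.21", 3, 50),    # unknown host reading an RTU
    Flow("10.9.9.9", "10.2.0.20", 16, 70),   # unknown host writing to an RTU
]


def analyse(learning=LEARNING, monitored=MONITORED) -> dict[str, list[dict]]:
    """Learn a baseline, score the monitored flows and correlate by root cause."""
    base = Baseline(learning)
    anomalies = [a for f in monitored for a in base.score(f)]
    return correlate(anomalies)


if __name__ == "__main__":
    for cause, items in analyse().items():
        print(cause, [(a["category"], a["risk"], a["location"]) for a in items])
```

Run as-is, the five monitored flows produce six anomalies but only two root causes: the HMI (one bandwidth variance plus one new write path) and the unknown host 10.9.9.9, which accounts for four of the six. That collapse from alerts to causes is what the paragraph means by contextual correlation.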
Rules-based analysis adds a proactive threat-hunting component to an ICS cybersecurity strategy, allowing users to apply deep packet inspection to uncover malware and attack traffic on their network and to respond before an intrusion progresses. Rules-based analysis is a key component of Nozomi Networks’ hybrid threat detection approach, which uses both external rules (such as YARA rules and packet rules) and proprietary rules built into SCADAguardian’s customizable analysis toolkit. Both forms of rules-based analysis are effective for proactive threat hunting.
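The following is an added illustration of what a packet rule and a byte-pattern rule look like when applied to Modbus/TCP traffic; it is not Nozomi Networks’ rule engine or rule syntax. The parser checks the MBAP header, two rules match on function-code semantics taken from the Modbus specification (Diagnostics sub-function 0x0004 forces a device into listen-only mode; Encapsulated Interface Transport with MEI type 0x0E reads device identification), and a third matches a byte pattern in the YARA style. The frames and the byte pattern are constructed, and the pattern is hypothetical rather than a real malware signature.

```python
"""Rules-based inspection of Modbus/TCP frames: packet rules and a byte-pattern rule.

Added illustration, not Nozomi Networks' rule engine or its rule syntax. The frames
below are constructed; the function-code meanings are from the Modbus specification.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Callable


@dataclass
class Modbus:
    """Fields of one Modbus/TCP application data unit (MBAP header + PDU)."""
    transaction: int
    unit: int
    func: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Modbus | None:
    """Parse an MBAP header and PDU; return None on anything malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length < 2 or length != len(frame) - 6:
        return None
    return Modbus(tid, unit, frame[7], frame[8:])


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[Modbus], bool]


def force_listen_only(m: Modbus) -> bool:
    """Function 0x08 (Diagnostics) sub-function 0x0004 puts the device into
    listen-only mode, silencing it on the bus. Legitimate only in maintenance."""
    return (m.func == 0x08 and len(m.data) >= 2
            and struct.unpack("!H", m.data[:2])[0] == 0x0004)


def device_identification(m: Modbus) -> bool:
    """Function 0x2B (Encapsulated Interface Transport) with MEI type 0x0E reads
    vendor, product code and firmware revision: classic reconnaissance."""
    return m.func == 0x2B and len(m.data) >= 1 and m.data[0] == 0x0E


# Constructed byte-pattern rule in the spirit of a YARA string match. The pattern
# is hypothetical and does not correspond to any real malware.
SUSPECT_PATTERN = b"\xde\xad\xbe\xef"


def pattern_in_payload(m: Modbus) -> bool:
    return SUSPECT_PATTERN in m.data


RULES = [
    Rule("modbus-force-listen-only", "critical", force_listen_only),
    Rule("modbus-read-device-id", "medium", device_identification),
    Rule("payload-pattern-hypothetical", "high", pattern_in_payload),
]


def inspect(frames: list[bytes], rules=RULES) -> list[tuple[int, str, str]]:
    """Return (transaction id, rule name, severity) for every rule hit."""
    hits = []
    for frame in frames:
        m = parse_modbus_tcp(frame)
        if m is None:          # malformed frames are dropped, not matched
            continue
        for r in rules:
            if r.match(m):
                hits.append((m.transaction, r.name, r.severity))
    return hits


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame (used only to construct the sample traffic)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic.
SAMPLE = [
    mbap(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A])),     # read 10 holding registers: benign
    mbap(2, 1, bytes([0x08, 0x00, 0x04, 0x00, 0x00])),     # diagnostics: force listen-only mode
    mbap(3, 1, bytes([0x2B, 0x0E, 0x01, 0x00])),           # read device identification
    mbap(4, 1, bytes([0x10, 0x00, 0x10, 0x00, 0x02, 0x04]) + SUSPECT_PATTERN),  # write + pattern
    b"\x00\x05\x00\x01\x00\x02\x01\x03",                    # protocol id 1: rejected by parser
]

if __name__ == "__main__":
    for hit in inspect(SAMPLE):
        print(hit)
```

The two packet rules fire on protocol semantics rather than on a fixed byte string, which is why they keep working when an attacker varies the surrounding payload; the byte-pattern rule is the complementary, cheaper check that YARA-style rules provide.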
An integrated IT/OT cybersecurity posture
A final distinguishing factor in a successful cybersecurity strategy is how well the solution scales and meets the demands of a large, geo-distributed enterprise. To scale, ICS cybersecurity solutions must integrate seamlessly with existing IT-oriented security infrastructure, working with firewalls, SIEMs and other enterprise IT components. They should scale laterally across geo-distributed networks and vertically between the multi-tiered levels of supervisory and operational control.
With these factors in mind, application programming interface (API) openness, protocol support capabilities and product segmentation define the key integration and scalability capabilities of ICS cybersecurity solutions. Here’s what to look for in those three areas:
- An API is a set of defined functions and methods through which one piece of software can be driven by another; it is essentially a software gateway that makes it possible for applications to interact and share data. Not all APIs are equal, so they should be tested during the evaluation phase of ICS cybersecurity solutions. The API dictates how easily and effectively a solution integrates with existing applications and adapts to the future direction of the overall enterprise architecture. For example, the API should be tested to confirm it supports secure bi-directional flows: sharing data with other applications and ingesting data from other sources for real-time analytics, such as the contextual correlations mentioned above, when anomalies are detected.
- A protocol software development kit (SDK) allows for the parsing and analysis of various OT and IT protocols and gives the user the ability to dissect protocols that are proprietary and must remain confidential, including from the ICS cybersecurity solution provider. Nozomi Networks’ protocol SDK allows the user to maintain that confidentiality, as required, while still taking advantage of all the integration capabilities provided by an open API.
- The ICS cybersecurity vendor of choice should support expansion and adaptability to future additions and changes to the enterprise architecture in a cost-effective and secure manner. To evaluate the readiness of an ICS cybersecurity solution provider to adjust and scale, evaluate the sourcing and segmentation of its product offering to determine how much of the complete stack—from hardware to operating system—the company owns and controls. Find out if they segment their solution physically or virtually. Also ask how they can effectively deploy their solution to support various application scenarios that require different bandwidth requirements.
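As an added illustration of what “secure bi-directional flows” means in practice when you test an API during evaluation, the block below normalizes a detector’s alert into CEF (Common Event Format, one widely supported SIEM ingestion format) for the outbound direction, enriches the alert with an indicator pulled from an external feed for the inbound direction, and refuses to ship to an endpoint that is not TLS-protected. The alert record, the indicator list, the vendor/product strings and the endpoint URLs are constructed; nothing here describes Nozomi Networks’ actual API.

```python
"""Alert hand-off from an OT detector to a SIEM, with enrichment from another source.

Added illustration of the bi-directional integration the text asks you to test. The
alert record, indicator list and endpoint URLs are constructed; nothing here
describes Nozomi Networks' real API. CEF is one widely supported SIEM format.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Map the detector's risk levels onto the 0-10 CEF severity scale (constructed mapping).
RISK_TO_CEF = {"low": 3, "medium": 5, "high": 8, "critical": 10}


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and newlines must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(alert: dict, vendor="ExampleVendor", product="OT-Monitor", version="1.0") -> str:
    """Render one anomaly as a single CEF:0 line a SIEM can parse."""
    header = "|".join(escape_header(str(x)) for x in (
        vendor, product, version, alert["category"], alert["name"],
        RISK_TO_CEF[alert["risk"]]))
    ext = {
        "rt": int(alert["time"].timestamp() * 1000),  # receipt time, ms since epoch
        "src": alert["src"],
        "dst": alert["dst"],
        "cs1Label": "segment",
        "cs1": alert["location"],
        "msg": alert["detail"],
    }
    if alert.get("ioc"):
        ext["cs2Label"], ext["cs2"] = "matched_indicator", alert["ioc"]
    extension = " ".join(f"{k}={escape_extension(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def enrich(alert: dict, indicators: set[str]) -> dict:
    """Ingest direction: tag an alert whose peer appears in an external indicator feed."""
    hit = next((ip for ip in (alert["src"], alert["dst"]) if ip in indicators), None)
    return {**alert, "ioc": hit} if hit else alert


def endpoint_is_acceptable(url: str) -> bool:
    """Refuse to ship alerts to an API endpoint that is not TLS protected."""
    u = urlparse(url)
    return u.scheme == "https" and bool(u.netloc)


# Constructed alert as an anomaly engine might emit it.
ALERT = {
    "time": datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    "category": "new-command", "name": "Write to RTU from unknown host",
    "risk": "high", "src": "10.9.9.9", "dst": "10.2.0.20", "location": "substation-A",
    "detail": "fc=16 count=2 | first write from this host",
}
INDICATORS = {"10.9.9.9"}  # constructed content of an external feed


def pipeline(alert=ALERT, indicators=INDICATORS) -> str:
    """Enrich from the inbound feed, then encode for the outbound SIEM flow."""
    return to_cef(enrich(alert, indicators))


if __name__ == "__main__":
    print(pipeline())
```

Note that the pipe inside the message is left alone while the equals signs are escaped: header and extension have different escaping rules, and a SIEM that receives an unescaped `=` in an extension value will silently mis-parse the fields that follow it. This is exactly the kind of edge case worth feeding through a candidate API during evaluation.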
Assessing these future-proofing, total-cost-of-ownership questions will help you select an ICS cybersecurity solution that best fits your current and future requirements.