ARC Forum: 4 Key Criteria for ICS Cyber Security Anomaly Detection

This article was updated on October 10, 2019.

At the recent ARC Forum in Orlando, the automation community, 800 strong, met to discuss pressing issues for the future. Cyber security was at the top of the list of topics, with a full track led by ARC’s lead industrial security analyst, Sid Snitkin.

At a panel session, a group of experts gathered to talk about one of the most important new tools in the fight to keep control systems secure. The new tool is real-time anomaly and breach detection for industrial control networks. Let’s look at the four critical capabilities ARC identified for these products, and how Nozomi Networks’ technology addresses them.

1. Key Capability: Ensure Cyber Security and Operational Benefits

The ROI from deploying an anomaly and breach detection product comes from both cyber security protection and operational benefits that, together, make automation systems more reliable.

To demonstrate how our Guardian product delivers value in both areas, I obtained the following two examples from our systems engineering group.

First, regarding cyber security protection, let’s imagine that the laptop of a malicious maintenance worker is connected to a substation network and introduces targeted malware to the process network. The intruder publishes spoofed Layer 2 GOOSE (IEC 61850) packets to the protection devices on that network. The receiving IEDs cannot tell them from valid packets sent by the trusted publisher and act on them. In this scenario:

  • The connection of the laptop to the network is immediately detected by Guardian.
  • The GOOSE packet injection is identified with stateful analysis of the counters coming from the IEDs.
  • A high-level incident alert is immediately sent to the appropriate operators and SOC staff.
  • Staff execute the incident response plan utilizing network diagrams, asset inventories and process information available from Guardian.
  • Post incident, Guardian ICS incident replay and archiving capabilities (“Time Machine” feature) accelerate forensic analysis.

Transient (nomad) laptops are one of the most significant risks to OT networks, and this example shows how Guardian would help rapidly contain the damage from an intentional cyberattack.
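To make the second bullet concrete, here is an added example (not Nozomi Networks’ code) of the stateful counter check a monitor can run on GOOSE traffic. Every GOOSE publication carries a state number (stNum), incremented once per data-set change, and a sequence number (sqNum), reset on a change and incremented on each retransmission. The publisher MAC, rogue MAC, control block name and counter values below are constructed for the demo, and decoding of the Ethernet/ASN.1 frame into these fields is assumed to have happened already.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GooseFrame:
    """Fields a monitor would decode from one GOOSE PDU (values here are constructed)."""
    src_mac: str    # Ethernet source address of the publisher
    gocb_ref: str   # GOOSE control block reference (gocbRef)
    st_num: int     # increments once per data-set change
    sq_num: int     # resets on a change, then increments per retransmission


@dataclass
class PublisherState:
    src_mac: str
    st_num: int
    sq_num: int


Alert = Tuple[str, str, int]   # (severity, rule, index of the offending frame)


class GooseCounterTracker:
    """Tracks stNum/sqNum per gocbRef and flags frames that break the counter rules."""

    def __init__(self) -> None:
        self.state: Dict[str, PublisherState] = {}

    def observe(self, idx: int, f: GooseFrame) -> List[Alert]:
        alerts: List[Alert] = []
        prev = self.state.get(f.gocb_ref)
        if prev is None:
            # First sighting of this control block: learn the publisher and its counters.
            self.state[f.gocb_ref] = PublisherState(f.src_mac, f.st_num, f.sq_num)
            return alerts
        if f.src_mac != prev.src_mac:
            # Same control block, different source: a second publisher (e.g. a laptop).
            alerts.append(("high", "publisher_mac_changed", idx))
        if f.st_num < prev.st_num:
            alerts.append(("high", "stnum_regression", idx))      # replay or spoof
        elif f.st_num == prev.st_num:
            if f.sq_num <= prev.sq_num:
                alerts.append(("high", "sqnum_regression", idx))  # replay or spoof
            elif f.sq_num != prev.sq_num + 1:
                alerts.append(("low", "sqnum_gap", idx))          # usually capture loss
        elif f.st_num == prev.st_num + 1:
            # Some stacks restart sqNum at 1 rather than 0 after a state change.
            if f.sq_num not in (0, 1):
                alerts.append(("medium", "sqnum_not_reset", idx))
        else:
            alerts.append(("medium", "stnum_jump", idx))          # missed changes or spoof
        if not any(sev == "high" for sev, _, _ in alerts):
            # Advance the baseline only on frames that fit the trusted stream, so the
            # legitimate publisher's next frame is not judged against a spoofer's counters.
            self.state[f.gocb_ref] = PublisherState(prev.src_mac, f.st_num, f.sq_num)
        return alerts


def analyze(frames: List[GooseFrame]) -> List[Alert]:
    tracker = GooseCounterTracker()
    out: List[Alert] = []
    for i, f in enumerate(frames):
        out.extend(tracker.observe(i, f))
    return out


IED = "00:11:22:33:44:55"       # constructed publisher MAC
LAPTOP = "de:ad:be:ef:00:01"    # constructed rogue MAC
GCB = "SUB1IED1/LLN0$GO$gcb01"  # constructed control block reference


def sample_frames() -> List[GooseFrame]:
    """Constructed capture: a healthy stream, an injected 'trip', then a replayed frame."""
    return [
        GooseFrame(IED, GCB, 5, 10),
        GooseFrame(IED, GCB, 5, 11),
        GooseFrame(IED, GCB, 5, 12),
        GooseFrame(LAPTOP, GCB, 6, 0),   # index 3: spoofed state change from the laptop
        GooseFrame(IED, GCB, 5, 13),     # the legitimate stream continues untouched
        GooseFrame(IED, GCB, 4, 3),      # index 5: an old frame replayed with the IED's MAC
    ]


if __name__ == "__main__":
    for sev, rule, idx in analyze(sample_frames()):
        print(f"[{sev}] frame {idx}: {rule}")
```

The counters alone would not catch the laptop's frame, since stNum 6 with sqNum 0 is exactly what a real state change looks like; it is the pairing of the control block with a new source address that exposes it. Conversely, the replayed frame comes from the right address and is caught purely by the counter regression, which is why both checks are needed.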

Second, regarding operational benefits, let’s imagine that there are irregularities in the interactions between a substation RTU and a control center SCADA. The inspection and troubleshooting tools available with the SCADA are cumbersome to set up and are not necessarily enabled. Important information such as trace logs may not be available, and when logs are available they tend to differ between vendors, making them hard to interpret.

In this scenario, Guardian evaluated IEC 60870-5-104 communications using a multidimensional approach that considered both network connections and the process state. By counting the IEC 60870-5-104 ASDUs with Cause of Transmission = Spontaneous and grouping them by RTU, it discovered that three RTUs were generating flapping alarm states related to their own power status. The customer replaced the power supply of the affected RTUs and the problem was solved.

This advance notice of failing equipment contributed to operational continuity and allowed for less costly preventive maintenance. Going forward, an organization could use the diagnostic query within Guardian’s monitoring dashboard to avoid unscheduled maintenance and keep all RTUs in good operating condition.
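As an added example (not Guardian’s implementation), the following script shows what the analysis above amounts to at the protocol level: it parses IEC 60870-5-104 I-format APDUs, keeps only ASDUs whose Cause of Transmission is Spontaneous (COT 3), counts them per RTU common address and flags single-point objects that keep toggling. The APDUs, common addresses and information object addresses are constructed, and only type M_SP_NA_1 with one object per ASDU is handled.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

COT_SPONTANEOUS = 3      # IEC 60870-5-101/-104 cause of transmission "spontaneous"
COT_INTERROGATED = 20    # reply to a station interrogation (must not be counted)
M_SP_NA_1 = 1            # single-point information without time tag


def build_apdu(ca: int, ioa: int, spi: int, cot: int = COT_SPONTANEOUS,
               ns: int = 0, nr: int = 0) -> bytes:
    """Constructed I-format APDU carrying one M_SP_NA_1 object (demo input, not a capture)."""
    # ASDU header: type id, VSQ (one object, SQ=0), COT (cause + originator addr), CA (2 bytes)
    asdu = struct.pack("<BBBBH", M_SP_NA_1, 1, cot, 0, ca)
    asdu += ioa.to_bytes(3, "little") + bytes([spi & 1])    # IOA (3 bytes), SIQ (SPI in bit 0)
    control = struct.pack("<HH", ns << 1, nr << 1)           # I-format control field: N(S), N(R)
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


def parse_apdu(buf: bytes) -> Dict[str, int]:
    """Decode the fields the analysis needs; rejects S/U frames and unsupported ASDUs."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] != len(buf) - 2:
        raise ValueError("malformed APDU framing")
    if buf[2] & 0x01:
        raise ValueError("S- or U-format frame carries no ASDU")
    type_id, vsq, cot, _oa, ca = struct.unpack_from("<BBBBH", buf, 6)
    if type_id != M_SP_NA_1 or vsq != 1 or len(buf) != 16:
        raise ValueError("demo parser handles one M_SP_NA_1 object per ASDU")
    ioa = int.from_bytes(buf[12:15], "little")
    siq = buf[15]
    return {"type": type_id, "cot": cot & 0x3F, "ca": ca, "ioa": ioa,
            "spi": siq & 0x01, "quality": siq & 0xF0}


def spontaneous_report(apdus: List[bytes], flap_threshold: int = 4
                       ) -> Tuple[Dict[int, int], List[Tuple[int, int]]]:
    """Count spontaneous ASDUs per RTU (common address) and list flapping points.

    A point is reported as flapping when its value toggles at least flap_threshold
    times within the analysed batch; choosing the batch (e.g. the last hour of
    traffic) is the caller's job."""
    per_rtu: Counter = Counter()
    toggles: Counter = Counter()
    last_value: Dict[Tuple[int, int], int] = {}
    for raw in apdus:
        m = parse_apdu(raw)
        if m["cot"] != COT_SPONTANEOUS:
            continue
        per_rtu[m["ca"]] += 1
        point = (m["ca"], m["ioa"])
        if point in last_value and last_value[point] != m["spi"]:
            toggles[point] += 1
        last_value[point] = m["spi"]
    flapping = sorted(p for p, n in toggles.items() if n >= flap_threshold)
    return dict(per_rtu), flapping


def sample_stream() -> List[bytes]:
    """Constructed traffic from two RTUs; addresses and points are invented for the demo."""
    stream = []
    # RTU 1001: "power supply fault" point 2001 bouncing between alarm and normal
    for i, spi in enumerate([1, 0, 1, 0, 1, 0]):
        stream.append(build_apdu(1001, 2001, spi, ns=i))
    # RTU 1002: one genuine breaker position change on point 3001 ...
    stream.append(build_apdu(1002, 3001, 0))
    stream.append(build_apdu(1002, 3001, 1))
    # ... and an interrogation reply, which is not spontaneous and must not count
    stream.append(build_apdu(1002, 3002, 1, cot=COT_INTERROGATED))
    return stream


if __name__ == "__main__":
    per_rtu, flapping = spontaneous_report(sample_stream())
    print("spontaneous ASDUs per RTU:", per_rtu)
    print("flapping points (CA, IOA):", flapping)
```

Grouping by common address is what turns a pile of events into "these RTUs are noisy"; the per-point toggle count then separates a genuine state change (one transition) from a power supply that is dropping in and out. Interrogation replies and cyclic reports carry other COT values and are deliberately excluded so they do not inflate the count.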

2. Key Capability: No Impact on Control System Operation

Security visibility tools have long been used in the IT world, but such tools are not suited to the high availability requirements of industrial control networks. IT tools typically rely on active scanning, which can disrupt network communication and threaten smooth process operations, risking production and even safety. Some IT security solutions must be deployed in-band or in-line, which requires downtime and may increase operational risk.

Guardian is a completely passive, listen-only solution that poses no risk to industrial systems. Available in a variety of hardware-based and virtual appliance models, it connects to network devices via SPAN or mirror ports and installs non-intrusively, with no network downtime or disruption.

3. Key Capability: Provide Context-Based Alerts with Minimal False Positives

A challenge with anomaly and breach detection tools is that they can generate false positives and overwhelm people with too many alerts. If too much information is provided, efficient assessment and appropriate, timely, action by operators is unlikely.

Guardian addresses these concerns by building an accurate internal representation of the physical process, identifying all its phases and the correlation between network devices, process variables and phases. Once this representation is baselined, the product creates detailed profiles of the expected behavior of every device at each stage of the process. Because the profiles are specific to the monitored system, deviations from them are rarely false positives, and the alert volume stays low.

An important measure our engineers and SI partners also practice with customers is verifying the Virtual Image (Guardian’s internal representation of the system) and the baselines it establishes together with the system’s operators and security experts. Pre-existing anomalies can be incorporated into the baseline or cleaned up, which further reduces false positives.

Finally, Guardian analyzes alerts and consolidates them into context-aware incidents. Incidents can also be shown in customizable dashboards configured for key roles in the organization, and their visual presentation facilitates appropriate action.
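The baseline-then-detect workflow described in this and the two preceding paragraphs, as an added example that is not Guardian’s code: a learning phase records every (source, destination, protocol, function) conversation seen, an operator review removes pre-existing anomalies from the learned set, detection flags anything outside the set, and alerts from one source within a time window are consolidated into a single incident. The hosts, protocols, function names and timestamps are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One conversation as a passive sensor would summarise it (fields constructed)."""
    t: float        # seconds since start of capture
    src: str
    dst: str
    proto: str      # e.g. "modbus", "ssh"
    func: str       # protocol function, e.g. "read_holding_regs"


Key = Tuple[str, str, str, str]


def flow_key(f: Flow) -> Key:
    return (f.src, f.dst, f.proto, f.func)


class Baseline:
    """Set of conversations learned during a quiet period, then reviewed by operators."""

    def __init__(self) -> None:
        self.allowed: Set[Key] = set()

    def learn(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.allowed.add(flow_key(f))

    def review(self, reject: Set[Key]) -> None:
        # Operator review: conversations that were present during learning but are
        # not wanted (pre-existing anomalies) are removed so they alert from now on.
        self.allowed -= reject

    def detect(self, flows: Iterable[Flow]) -> List[Tuple[float, Key]]:
        return [(f.t, flow_key(f)) for f in flows if flow_key(f) not in self.allowed]


def consolidate(alerts: List[Tuple[float, Key]], window: float = 60.0) -> List[Dict]:
    """Merge alerts from the same source host within `window` seconds into one incident."""
    by_src: Dict[str, List[Tuple[float, Key]]] = defaultdict(list)
    for t, k in sorted(alerts):
        by_src[k[0]].append((t, k))
    incidents: List[Dict] = []
    for src, items in by_src.items():
        current = None
        for t, k in items:
            if current is None or t - current["last"] > window:
                current = {"source": src, "first": t, "last": t, "alerts": []}
                incidents.append(current)
            current["last"] = t
            current["alerts"].append(k)
    return sorted(incidents, key=lambda inc: inc["first"])


PLC = "10.1.2.20"   # constructed addresses throughout

LEARNING = [
    Flow(0.0, "10.1.1.10", PLC, "modbus", "read_holding_regs"),    # HMI polling
    Flow(1.0, "10.1.1.10", PLC, "modbus", "read_holding_regs"),
    Flow(5.0, "10.1.1.50", PLC, "modbus", "write_single_coil"),    # engineering workstation
    Flow(9.0, "10.1.1.77", PLC, "ssh", "session"),                 # forgotten contractor access
]
PRE_EXISTING = {("10.1.1.77", PLC, "ssh", "session")}              # rejected during review

MONITORED = [
    Flow(100.0, "10.1.1.10", PLC, "modbus", "read_holding_regs"),  # normal, no alert
    Flow(1000.0, "10.1.3.99", PLC, "modbus", "read_device_id"),    # unknown laptop starts probing
    Flow(1005.0, "10.1.3.99", PLC, "modbus", "write_single_coil"),
    Flow(1010.0, "10.1.3.99", PLC, "ssh", "session"),
    Flow(2000.0, "10.1.1.77", PLC, "ssh", "session"),              # contractor access reappears
]


def run(review: bool = True) -> List[Dict]:
    baseline = Baseline()
    baseline.learn(LEARNING)
    if review:
        baseline.review(PRE_EXISTING)
    return consolidate(baseline.detect(MONITORED))


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['source']}: {len(inc['alerts'])} alert(s) between "
              f"t={inc['first']} and t={inc['last']}")
```

Running with `review=False` shows why the review step matters: the contractor's SSH session was present during learning, so without it the baseline silently accepts it and the second incident never appears. The consolidation step turns the laptop's three separate alerts into one incident with a first-seen and last-seen time, which is the unit an operator can act on.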

4. Key Capability: Integration with Cyber Security Management Solutions

Security solutions are not effective if they don’t integrate with the rest of an organization’s security infrastructure.

Nozomi Networks’ products are designed to provide ICS intrusion detection and passive OT monitoring, integrated with other technologies such as SIEMs, user authentication directories and active security systems. For example, Guardian integrates with both Fortinet’s and Check Point’s security suites for granular, active enforcement of user-defined policies.

Practical Advice: Test Drive the Solution

There was a final piece of practical advice offered by the panel: to know which solution will work best for your plant or operation, test drive it in your environment. Nozomi Networks offers Proof of Concept pilots; just contact us to arrange a demo and set up your own test drive. We extend our thanks to Sid Snitkin and the other panelists for the interesting discussion at the ARC Forum and hope to continue the conversation next year!