Note: on July 23rd 2019, SCADAguardian was renamed Guardian, and SCADAguardian Advanced was renamed Smart Polling.
Recently, Nozomi Networks sponsored the SANS Institute to survey hundreds of ICS practitioners and cyber security stakeholders across vertical industries including energy, manufacturing, and oil and gas. The survey turns the respondents' input into actionable intelligence that can be used for resource allocation and for prioritizing protective measures.
Among the many questions asked in the 2017 SANS ICS Survey, respondents were asked to identify the threats that concern them the most. This article discusses the top three threat vectors and how Nozomi Networks’ SCADAguardian defends and mitigates against them.
Top ICS Cyber Security Threat Vectors
Overall, 44% of respondents identified “adding devices that can’t protect themselves to the network” among the top three perceived threats to their ICS. This was followed by internal incidents spurred by accidental actions and external state-funded attacks.
It is noteworthy that 22% of survey respondents named "external threats from hacktivists and state-funded attacks" as their single top concern. Furthermore, 35% of respondents identified extortion (including ransomware) as a top threat, placing it fourth among threat vectors and almost doubling its share from 2016. This dramatic change in threat perception reflects the rise and impact of ransomware attacks like WannaCry and Petya.
To address the top threats, organizations with ICS networks realize they need a multi-tiered approach to industrial security. Conventional investments in firewalls and SIEMs (Security Information and Event Management tools) are no longer enough. A comprehensive cyber security strategy today needs to include investments in detection, response and predictive capabilities. In fact, 23% of respondents rank industrial intrusion detection as the number one technology they hope to deploy in the next 18 months.
Let’s take a look at the top three threat vectors, and how a real-time cyber security and operational visibility solution like SCADAguardian protects against ever-changing cyber threats.
Threat #1: Unsecure New Devices and “Things”
The concern ICS practitioners have about unsecured new devices being added to their networks is certainly a legitimate one. As operational technology (OT) becomes more connected through new intelligent devices, industrial systems are exposed to the kinds of attacks IT teams are used to seeing, but with far more severe consequences.
The implications of a system failure, whether due to a malfunction or a cyberattack, can include massive loss of uptime or even harm to people. Adding new devices to industrial networks may deliver operational intelligence and new efficiencies, but those devices must be secured. The common situation of ICS practitioners not knowing every endpoint in a sprawling industrial network is no longer acceptable.
SCADAguardian tackles this threat by quickly and automatically learning the entire network, identifying every asset and its traits, such as vendor, model number, physical location, protocol, risk level and IP address. Rapid identification of new devices and "things", together with alerts that notify operators about them, ensures that assets do not go unnoticed or untracked. An accurate asset inventory is always available, and measures can be taken immediately to secure any new node.
Furthermore, SCADAguardian's vulnerability assessment capability rapidly examines the potential risk that discovered devices pose. It matches discovered devices against the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST) and categorizes the vulnerabilities found according to the Common Vulnerability Scoring System (CVSS). This allows operators to identify threats and take remediation actions in line with the NIST framework, which is particularly noteworthy given that over 48% of SANS ICS survey respondents map their standards to the NIST framework.
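To make the matching-and-scoring step concrete, here is an added example (not Nozomi Networks code) of what a tool does once it has a discovered asset inventory: it compares each asset's vendor, model and firmware against a vulnerability feed, buckets each hit using the CVSS v3 qualitative rating bands that NVD publishes, and orders assets for remediation by their worst finding. The inventory and the advisory records are constructed for the example, the advisory identifiers are placeholders rather than real CVE IDs, and "fixed_in" is a simplified stand-in for NVD's affected-version data.

```python
"""Match a discovered asset inventory against a vulnerability feed and
bucket the results by CVSS v3 severity.

Added example, not SCADAguardian code. Assets and advisories below are
constructed; "EXAMPLE-..." identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    product: str
    firmware: str
    protocol: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str      # first firmware version that is NOT affected (simplification)
    cvss_v3: float
    summary: str


# Constructed inventory, as a passive discovery pass would report it.
ASSETS = [
    Asset("10.10.1.10", "ExampleVendor", "PLC-100", "2.3.0", "modbus"),
    Asset("10.10.1.11", "ExampleVendor", "PLC-100", "2.5.0", "modbus"),
    Asset("10.10.1.20", "OtherVendor", "HMI-7", "1.0.2", "opc-da"),
    Asset("10.10.1.30", "OtherVendor", "RTU-2", "4.1.0", "dnp3"),
]

# Constructed advisory feed (placeholder IDs).
ADVISORIES = [
    Advisory("EXAMPLE-2017-0001", "ExampleVendor", "PLC-100", "2.4.0", 9.8,
             "unauthenticated firmware upload"),
    Advisory("EXAMPLE-2017-0002", "ExampleVendor", "PLC-100", "2.6.0", 5.3,
             "information disclosure over the management port"),
    Advisory("EXAMPLE-2017-0003", "OtherVendor", "HMI-7", "1.1.0", 7.5,
             "denial of service via malformed packet"),
]


def version_tuple(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands as used by NVD."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def match_advisories(assets, advisories):
    """{asset_ip: [(advisory_id, cvss, severity), ...]} with worst finding first."""
    findings = {}
    for asset in assets:
        hits = []
        for adv in advisories:
            same_model = (adv.vendor.lower() == asset.vendor.lower()
                          and adv.product.lower() == asset.product.lower())
            if same_model and version_tuple(asset.firmware) < version_tuple(adv.fixed_in):
                hits.append((adv.advisory_id, adv.cvss_v3, cvss_severity(adv.cvss_v3)))
        hits.sort(key=lambda hit: hit[1], reverse=True)
        findings[asset.ip] = hits
    return findings


def prioritize(findings):
    """Assets ordered by their worst finding (highest CVSS first); clean assets score 0.0."""
    worst = {ip: (hits[0][1] if hits else 0.0) for ip, hits in findings.items()}
    return sorted(worst.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    results = match_advisories(ASSETS, ADVISORIES)
    for ip, score in prioritize(results):
        print(ip, score, [f"{aid} ({sev})" for aid, _, sev in results[ip]])
```

Two things a real deployment adds on top of this: NVD expresses affected versions as CPE match ranges rather than a single "fixed in" value, and the asset's risk level should also weigh where it sits in the process, not just its CVSS score.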
Threat #2: Accidental Internal Threats
The perceived threat from internal staff is one that ICS networks will face as long as humans are involved in industrial operations. Advances in automation have limited the opportunities for human error to affect ICS networks at Layers 1 and 2, but actions taken through SCADA and other OT management platforms still give insiders the ability to negatively impact any ICS.
A core capability of SCADAguardian is its ability to learn an industrial system and establish baselines for communications and process variables. It then uses anomaly detection to flag any change in network communication or configuration, device performance or process performance. Whether a change is the result of a new device or an accidental internal action, it is quickly brought to the ICS practitioner's attention through alerts and analysis tools.
A capability that helps with remedying unintentional errors is SCADAguardian's TimeMachine feature. It allows the state of the industrial network to be compared across multiple moments in time, helping identify the changes that led to anomalous behavior. It is a useful operations management tool for mitigating and remediating internal threats to ICS networks across a broad set of use cases.
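The two capabilities just described, learning a baseline and then comparing the network at two points in time, reduce to set operations over what was observed. The following added example (my own illustration, not SCADAguardian code) learns a communication baseline from a constructed set of flows, flags flows a later window that the baseline never saw, diffs two captures the way a point-in-time comparison would, and applies the same idea to process variables by learning a per-tag value envelope. Flow triples, tag names and values are all constructed; the 10% margin on the process envelope is an assumption.

```python
"""Communication and process baselines, plus a point-in-time comparison.

Added example, not SCADAguardian code. A flow is a (src_ip, dst_ip,
protocol) triple; the baseline is the set of triples seen during a
learning window. compare_snapshots() diffs two captures the way a
"what changed between T1 and T2" view would; learn_ranges() and
out_of_range() apply the same idea to process values.
"""
from collections import Counter

# Constructed learning-window flows: engineering station, HMI and
# historian talking to a PLC, and the HMI reading an OPC DA server.
LEARNING = [
    ("10.10.2.5", "10.10.1.10", "modbus"),   # engineering station -> PLC
    ("10.10.2.5", "10.10.1.10", "modbus"),
    ("10.10.2.6", "10.10.1.10", "modbus"),   # HMI -> PLC
    ("10.10.2.7", "10.10.1.10", "modbus"),   # historian -> PLC
    ("10.10.2.6", "10.10.1.20", "opc-da"),   # HMI -> OPC server
]

# Constructed later window: an unknown laptop reaches the PLC, the
# engineering station opens SSH to it for the first time, and the
# historian has gone quiet.
LATER = [
    ("10.10.2.5", "10.10.1.10", "modbus"),
    ("10.10.2.6", "10.10.1.10", "modbus"),
    ("10.10.2.6", "10.10.1.20", "opc-da"),
    ("10.10.2.99", "10.10.1.10", "modbus"),  # unknown host
    ("10.10.2.99", "10.10.1.10", "modbus"),
    ("10.10.2.5", "10.10.1.10", "ssh"),      # new protocol on a known pair
]

# Constructed process samples (tag -> values) for the two windows.
TAGS_LEARN = {"tank1_level_pct": [40.0, 42.5, 45.0, 41.0],
              "pump1_rpm": [1480.0, 1500.0, 1495.0]}
TAGS_LATER = {"tank1_level_pct": [44.0, 61.0],
              "pump1_rpm": [1490.0],
              "valve9_pos": [100.0]}          # tag never seen in learning


def learn_baseline(flows):
    """The set of (src, dst, protocol) triples observed during learning."""
    return set(flows)


def hosts_in(flows):
    """Every address that appears as a source or a destination."""
    return {src for src, _, _ in flows} | {dst for _, dst, _ in flows}


def detect_anomalies(baseline, flows):
    """Triples absent from the baseline, counted by how often each occurred."""
    return Counter(flow for flow in flows if flow not in baseline)


def compare_snapshots(before, after):
    """Diff two captures: flows and hosts that appeared or disappeared."""
    return {
        "added_flows": sorted(set(after) - set(before)),
        "removed_flows": sorted(set(before) - set(after)),
        "new_hosts": sorted(hosts_in(after) - hosts_in(before)),
        "missing_hosts": sorted(hosts_in(before) - hosts_in(after)),
    }


def learn_ranges(samples, margin=0.0):
    """Per-tag (low, high) envelope from learning values, widened by `margin` x span."""
    ranges = {}
    for tag, values in samples.items():
        low, high = min(values), max(values)
        pad = (high - low) * margin
        ranges[tag] = (low - pad, high + pad)
    return ranges


def out_of_range(ranges, samples):
    """(tag, value) pairs outside the learned envelope; unknown tags count as anomalies."""
    hits = []
    for tag, values in samples.items():
        if tag not in ranges:
            hits.extend((tag, value) for value in values)
            continue
        low, high = ranges[tag]
        hits.extend((tag, value) for value in values if not low <= value <= high)
    return hits


if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    print("unexpected flows:", dict(detect_anomalies(base, LATER)))
    print("snapshot diff:", compare_snapshots(LEARNING, LATER))
    print("process anomalies:", out_of_range(learn_ranges(TAGS_LEARN, 0.1), TAGS_LATER))
```

Note that the "removed" side of the diff matters as much as the "added" side in an ICS: a historian that stops polling, or a PLC that stops answering, is often the first visible symptom of an accidental change.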
Threat #3: Combating Hacktivism and Malware
Nation-state threats in the form of malware attacks are understandably a high concern. Sophisticated malware that targets ICS has been a dominant topic in the news lately. Increasingly, attackers are targeting critical infrastructure such as transportation systems and power grids, threatening national security and economic stability on a global scale. The recent WannaCry attack alone is expected to cause damages exceeding USD 4 billion.
The good news is that technology exists today that provides substantial assistance in identifying and mitigating targeted malware attacks. For example, SCADAguardian uses a multi-layered approach of anomaly detection and rule analysis to detect threats, greatly facilitating harm reduction.
Anomaly detection identifies early warning signs, such as a device on an ICS network trying to connect to a public IP address. It can also detect changes in standard communication behavior, such as the way Industroyer / CrashOverride used OPC DA to scan for and discover devices on a network. Finally, once it detects that an attack is under way, integration with a firewall such as Fortinet's FortiGate can automatically trigger rules that block the attack.
In terms of rules, SCADAguardian ships with embedded YARA rules, a continually expanding library of signatures used to rapidly identify files associated with known threats. The product also offers Assertions: custom rules that detect specific data and events indicating a change in device behavior. Assertions let operators be as proactive as possible when analyzing and hunting for potential malware or hacktivist activity.
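The three network-side checks above (an OT device reaching an outside address, one host sweeping many peers the way an OPC DA discovery does, and an operator-written assertion) are straightforward to express over flow records. Here is an added example, my own illustration rather than SCADAguardian's detection engine, run over constructed flow records. The internal address ranges, the choice of TCP 135 (the RPC endpoint mapper that DCOM, and therefore OPC DA, uses) as the sweep indicator, the five-host/60-second threshold, and the "only the engineering station writes to the PLC" policy are all assumptions for the example; 203.0.113.5 is a documentation address standing in for an Internet host. File-based YARA matching is a separate mechanism and is not shown here.

```python
"""Rule-based detections over OT flow records.

Added example, not SCADAguardian code. Flow records are constructed:
ts (seconds), src, dst, dport, proto, and an optional Modbus function
code. Three checks: an internal host talking to an address outside the
configured internal ranges, a host enumerating many peers on the DCOM
endpoint-mapper port, and operator-written assertions.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(net) for net in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DCOM_EPMAP_PORT = 135                  # RPC endpoint mapper used by OPC DA / DCOM
MODBUS_WRITE_FCS = {5, 6, 15, 16}      # write coil/register, write multiple coils/registers
ENGINEERING_STATION = "10.10.2.5"      # the only host allowed to write to PLCs (assumption)
OPC_CLIENTS = {"10.10.2.6"}            # hosts expected to speak DCOM (assumption)

# Constructed flows: normal HMI/engineering traffic, a PLC reaching out to
# the Internet, a legitimate OPC client, an unknown host sweeping the
# control subnet on TCP 135, then that same host writing to the PLC.
FLOWS = [
    {"ts": 0,  "src": "10.10.2.5",  "dst": "10.10.1.10",  "dport": 502, "proto": "modbus", "fc": 16},
    {"ts": 5,  "src": "10.10.2.6",  "dst": "10.10.1.10",  "dport": 502, "proto": "modbus", "fc": 3},
    {"ts": 9,  "src": "10.10.1.10", "dst": "203.0.113.5", "dport": 443, "proto": "tls"},
    {"ts": 12, "src": "10.10.2.6",  "dst": "10.10.1.20",  "dport": 135, "proto": "dcom"},
    {"ts": 20, "src": "10.10.2.9",  "dst": "10.10.1.21",  "dport": 135, "proto": "dcom"},
    {"ts": 22, "src": "10.10.2.9",  "dst": "10.10.1.22",  "dport": 135, "proto": "dcom"},
    {"ts": 24, "src": "10.10.2.9",  "dst": "10.10.1.23",  "dport": 135, "proto": "dcom"},
    {"ts": 26, "src": "10.10.2.9",  "dst": "10.10.1.24",  "dport": 135, "proto": "dcom"},
    {"ts": 28, "src": "10.10.2.9",  "dst": "10.10.1.25",  "dport": 135, "proto": "dcom"},
    {"ts": 30, "src": "10.10.2.9",  "dst": "10.10.1.26",  "dport": 135, "proto": "dcom"},
    {"ts": 90, "src": "10.10.2.9",  "dst": "10.10.1.10",  "dport": 502, "proto": "modbus", "fc": 6},
]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_destinations(flows):
    """(src, dst) for every flow where an internal host reaches a non-internal address."""
    return [(f["src"], f["dst"]) for f in flows
            if is_internal(f["src"]) and not is_internal(f["dst"])]


def discovery_sweeps(flows, port=DCOM_EPMAP_PORT, min_hosts=5, window=60):
    """Sources that contacted >= min_hosts distinct peers on `port` within `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = []
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):          # slide a window from each event
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best >= min_hosts:
            hits.append((src, best))
    return hits


# Assertions: (name, predicate that is True when the flow VIOLATES the rule).
ASSERTIONS = [
    ("modbus-write-from-unauthorized-host",
     lambda f: f["proto"] == "modbus" and f.get("fc") in MODBUS_WRITE_FCS
               and f["src"] != ENGINEERING_STATION),
    ("dcom-from-non-opc-client",
     lambda f: f["dport"] == DCOM_EPMAP_PORT and f["src"] not in OPC_CLIENTS),
]


def evaluate_assertions(flows, assertions=ASSERTIONS):
    """(assertion name, offending flow) for every flow that violates an assertion."""
    return [(name, f) for f in flows for name, violated in assertions if violated(f)]


if __name__ == "__main__":
    print("external:", external_destinations(FLOWS))
    print("sweeps:", discovery_sweeps(FLOWS))
    for name, flow in evaluate_assertions(FLOWS):
        print(name, flow["ts"], flow["src"], "->", flow["dst"])
```

The point of the assertion layer is that the sweep heuristic needs tuning (a legitimate OPC browser can touch several servers), whereas "only one host may write to a PLC" is a statement of intended operation that an operator can write down and that fires with no learning period at all.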
Tackle the Top ICS Threat Vectors with SCADAguardian
The 2017 SANS Survey has highlighted what today's ICS practitioners and business leaders view as the dominant threats to ICS infrastructure. With the proliferation of connected devices, ongoing risk from internal threats, and the rise of cyberattacks on critical infrastructure, a multi-layered defense approach to security and reliability is needed.
One layer recommended in SANS’ 2017 report, is that ICS environments be “monitored in real time for process and security anomalies to enhance visibility and improve asset control.” If you’re looking to improve intrusion detection, network security monitoring, anomaly detection, asset tracking or vulnerability management, I encourage you to consider SCADAguardian. It’s a comprehensive platform that delivers real-time cyber security and operational visibility.
Securing Industrial Control Systems – 2017
This report covers:
- State of ICS security in 2017
- Levels of perceived threat
- Top threat vectors
- Security technologies planned for adoption
- Security budget levels
- SANS recommendations