Securing Substations and Power Grids with ICS Anomaly Detection

This article was updated on October 10, 2019.

One of the findings of the recent SANS report “Securing Industrial Control Systems – 2017” is that the number one technology industrial organizations are looking to implement over the next 18 months is intrusion detection. Up until recently, detecting anomalies that might be caused by a cyberattack has been “mission impossible.”

That’s because industrial networks typically include equipment from a wide assortment of vendors, run thousands of real-time processes and generate huge volumes of data. Analyzing and monitoring this data to detect anomalies that might be caused by a cyberattack is beyond the resources and capabilities of most industrial operations or security teams.

Furthermore, IT security tools that do the same job just don’t work for industrial systems: they are too complex, they introduce too much risk to reliability, and they do not support the wide range of protocols and technologies used in OT.

The good news is that a new generation of ICS cyber security tools is available for industrial intrusion detection. This article describes how our product, Guardian, does it and gives an example of how it would detect and counter a cyberattack on a regional control center of an electric power utility.

How ICS Anomaly Detection Detects Intruders and Cyber Risks

One of the most important advances in computer science in the last decade has been the rapid development of artificial intelligence (AI) and machine learning techniques. This technology uses algorithms that iteratively learn from data rather than requiring direct programming instructions for each decision or result generated. Breakthrough applications that use it include IBM’s Watson for cancer diagnosis, Google’s self-driving cars, and Amazon’s voice recognition home assistant, Alexa.

In the realm of industrial cyber security, as the risks from malware attacks and from connecting more and more devices to networks increase, machine learning and AI “become a force-multiplier for supplementing scarce cyber security operations talent.”

A good implementation of AI for ICS security requires not just the technology, however, but the insight and structure that our industrial security experts provide to make it effective. This knowledge is built on both the academic and standards work that our founders have done in the areas of critical infrastructure security and artificial intelligence, and on the real-world experience our team has gained through large-scale deployments.

Once configured, our algorithms rapidly analyze the huge volumes of network communication and process variable data that are extremely difficult to evaluate any other way. This analysis is used to model the ICS (its assets, the communications between them and the process variables they exchange) and to derive process and security profiles specific to it. Once these baselines are established, high-speed behavioral analytics continuously compare live traffic and process data against them.

The result is the rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities. This information can be used to prevent, contain or mitigate cyber threats or process incidents before significant damage can occur. The data analysis itself is also invaluable in reducing troubleshooting and remediation efforts.

Sounds interesting? Great, let’s look at how this capability would work if a malicious entity conducts a cyberattack on a regional control center of an electricity supplier.

Detecting / Countering a Cyberattack on a Regional Control Center

Imagine that a threat actor conducts a cyberattack on a regional control center and gains access to its LAN. From inside the LAN, the attacker has visibility of hundreds of bay control units and can possibly control them, threatening or causing a power outage.

Guardian’s ICS anomaly detection would detect the threat, provide cyber resiliency, and accelerate forensics.

Here’s how:

  • Guardian had previously modeled the industrial network including its components, connections and topology. Its advanced learning capabilities then developed baseline process and security profiles specific to the substations and power grid in question.
  • Once the profiles were established, the system automatically switched into protection mode (a capability we call Dynamic Learning), without operator action. This shortens the length of time without monitoring for anomalies and avoids human errors involved with determining when to switch from learning to protection modes.
  • When a threat actor accessed the regional control center LAN, Guardian rapidly identified the suspicious activity: a host, connection or command to the bay control units that did not match the learned profiles.
  • A high-severity incident would be immediately raised to the appropriate operators and SOC staff.
  • Staff would then execute the incident response plan, taking actions that prevent, contain or mitigate process disruption or information theft. When doing so, they would utilize the network diagrams, asset inventories and process information available from Guardian’s various modules.
  • ICS incident replay using point-in-time system snapshots (a feature we call TimeMachine), and querying capabilities, would be used to accelerate forensic analysis post incident. (These capabilities are also helpful for proactive threat hunting.)
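To make the learning-to-protection sequence above concrete, here is an added example that is not Guardian’s code and does not reflect Nozomi Networks’ actual algorithms. It is a minimal passive detector over constructed flow records: it learns a baseline of who talks to whom, over which protocol and with which IEC 60870-5-104 ASDU type, switches itself from learning to protection mode once the baseline has stopped growing for a fixed number of records (a stand-in for the Dynamic Learning idea, with a stabilization rule that is purely an assumption), and then ranks deviations by whether the source host is new and whether the message is a control command. All addresses, the `FlowDetector` class, the severity scheme and the traffic are made up for illustration.

```python
"""Added example: learned communication baseline with automatic switch to
protection mode. Not Guardian code; hosts, records and rules are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# IEC 60870-5-104 ASDU type IDs that carry commands in the control direction
# (standard values: single, double and regulating step commands).
CONTROL_ASDU = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1"}

# Constructed addresses for the example; not from any real deployment.
HMI = "10.1.0.10"
BAYS = ["10.1.1.%d" % i for i in range(1, 6)]   # five bay control units
ATTACKER = "10.1.0.99"


@dataclass
class FlowDetector:
    """Learns a (src, dst, proto, asdu_type) baseline, then alerts on deviations."""
    stable_records: int = 20          # quiet records before learning -> protection
    baseline: set = field(default_factory=set)
    counts: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)
    mode: str = "learning"
    _quiet: int = 0                   # consecutive records already in the baseline

    def observe(self, rec):
        key = (rec["src"], rec["dst"], rec["proto"], rec["type"])
        self.counts[key] += 1
        if self.mode == "learning":
            if key in self.baseline:
                self._quiet += 1
                # Assumed stabilization rule: flip to protection without an
                # operator once nothing new has appeared for stable_records records.
                if self._quiet >= self.stable_records:
                    self.mode = "protection"
            else:
                self.baseline.add(key)
                self._quiet = 0
            return None
        if key in self.baseline:
            return None
        alert = self._classify(rec)
        self.alerts.append(alert)
        return alert

    def _classify(self, rec):
        known_src = any(k[0] == rec["src"] for k in self.baseline)
        control = rec["proto"] == "iec104" and rec["type"] in CONTROL_ASDU
        if control and not known_src:
            sev, why = "high", "control command from a host never seen during learning"
        elif control:
            sev, why = "medium", "control command on a src/dst pair not in the baseline"
        elif not known_src:
            sev, why = "medium", "new host on the network"
        else:
            sev, why = "low", "new flow between known hosts"
        return {"severity": sev, "reason": why, **rec}


def polling_round():
    """One constructed SCADA polling cycle: HMI interrogates each bay, bays reply."""
    out = []
    for bay in BAYS:
        out.append({"src": HMI, "dst": bay, "proto": "iec104", "type": 100})  # C_IC_NA_1
        out.append({"src": bay, "dst": HMI, "proto": "iec104", "type": 1})    # M_SP_NA_1
    return out


def simulate():
    """Four clean polling rounds, then an intruder and an unusual operator action."""
    det = FlowDetector(stable_records=20)
    for rec in polling_round() * 4:
        det.observe(rec)                  # protection mode is reached in round 3
    # Intruder on the control-center LAN sends a single command to bay 3.
    det.observe({"src": ATTACKER, "dst": BAYS[2], "proto": "iec104", "type": 45})
    # The HMI commands a bay it has only ever polled: anomalous, but a known host.
    det.observe({"src": HMI, "dst": BAYS[2], "proto": "iec104", "type": 45})
    return det


if __name__ == "__main__":
    d = simulate()
    print("mode:", d.mode, "| baseline flows:", len(d.baseline))
    for a in d.alerts:
        print(a["severity"].upper(), a["src"], "->", a["dst"],
              CONTROL_ASDU.get(a["type"], a["type"]), "|", a["reason"])
```

Two caveats a practitioner should keep in mind with any baseline-driven approach. First, whatever is on the wire during the learning window becomes the baseline, so an intruder already present during learning is whitelisted; the learned profile should be reviewed against the asset inventory before trusting protection mode. Second, this toy only models communication patterns; the process variable profiling the article describes (value ranges and timing of the measurements the bays report) is a separate baseline that this example does not attempt.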

In addition to detecting intruders using anomaly detection, Guardian also uses YARA rules and custom rules to identify known threats. You can read about that in our blog post on the Industroyer malware.

ICS Anomaly Detection – An Easy to Deploy Solution that Delivers Value Today

If the recent wave of ICS cyberattacks and malware disclosures has your organization wanting to deploy intrusion detection, I hope this article helps you understand how next-generation solutions can help. In the case of Guardian, its ICS “smarts” are under the hood. Deployment requires only a SPAN or mirror port on a switch, so Guardian receives a copy of the traffic without sitting in the path of any control communication, and its dashboards and network visualization tools immediately start providing useful, actionable information.

Furthermore, Guardian’s capabilities extend beyond intrusion detection to include network security monitoring, process variable anomaly detection, asset tracking and vulnerability management functionality, making it a comprehensive platform for real-time cyber security and operational visibility.

For more details on how our solution improves cyber security for substations and power grids, plus eight more anomaly detection use cases, don’t miss the white paper available below.