This article was updated on October 1, 2019.
Exploding ICS (industrial control systems) connectivity is revolutionizing industrial automation, but it’s also exposing industrial networks to new operational risks and cyber threats. Highly destructive malware like Industroyer/CrashOverride, which took down parts of Kiev’s power grid, reflect the rising tide of targeted attacks on ICS and OT (operations technology) networks—and the implications of not having an effective ICS cyber security strategy in place.
Real-time ICS visibility and threat detection that compliments existing IT/OT processes and cyber security infrastructure can greatly improve cyber resiliency. New cyber security technologies deliver on this, but how?
Extending Visibility into Complex OT Environments
The typical ICS environment is constructed of heterogenous systems consisting of various networking technologies, such as Ethernet TCP/IP, cellular, LAN, serial control and remote/intelligent I/O. The disparate and often proprietary nature of OT networks means that some segments—and the communications between them—can’t be monitored via traditional IT network and cyber security tools.
To address this, leading ICS cyber security solutions extend the visibility of IT into OT environments. These solutions generally deploy non-intrusively and provide visibility and detection across all corners of complex OT networks.
Take A Hybrid Approach to ICS Threat Detection
With new forms of malware continually emerging, industrial operators should also consider a multi-faceted approach to threat detection—one that is attentive, responsive and proactive. Fortunately, the advanced ICS cyber security solutions available today take a highly-effective hybrid approach that includes both behavior-based anomaly detection and rules-based analysis.
Let’s start with a look at behavior-based anomaly detection. The ability to non-intrusively learn and monitor the behavior of all traffic within an industrial control network allows you to identify would-be cyber threats that would generally go unnoticed using conventional cyber security approaches. Useful contextual analysis based on correlation of many anomalies across a geographically distributed, multi-tiered network separates behavior-based anomaly detection from conventional cyber security. Often, a common root cause can be attributed to thousands of cyber incidents, thus identifying the underlying culprit is crucial to achieving fast forensic analysis and remediation.
Utilizing a rich analytics engine and artificial intelligence (AI) techniques, Nozomi Networks Guardian identifies both process and communication anomalies, including correlations with process data readings and critical state awareness. Examples of detected anomalies include modified or added devices within the network, irregular communications and bandwidth and latency variances. Contextual correlation allows Guardian to rapidly organize, aggregate and assess anomalies according to threat category, risk level and location within the network.
Now, let’s consider rules-based analysis. Proactive threat-hunting driven by rules-based analysis allows you to leverage deep packet inspection to help uncover malware cyberattacks on your network and initiate a response prior to the initial infection phases. This is a key component of Nozomi Networks hybrid threat detection approach, which uses both external rules (such as Yara rules and packet rules) and proprietary rules inherent to Guardian’s unique and customizable analysis toolkit. Both forms of rules-based analysis are effective for identifying malware threats.
The Value of Integrated IT/OT Cyber Security
Another factor in success is how well an ICS cyber security solution scales to meets the needs of a large, distributed industrial organization, whose networks include multiple tiers of supervisory and operational control. For maximum effectiveness, the solution should integrate seamlessly with existing IT and ICS security infrastructure, such as firewalls, SIEMs and user authentication systems.
API (application programming interface) openness, protocol support capabilities and product modularity define the key integration and scalability capabilities of effective ICS cyber security solutions. Here’s what you should consider:
- An open API determines how easily and effectively a solution integrates with existing applications and adapts to the future direction of the overall enterprise architecture. For example, the API’s ability to support secure bi-directional flows of data should be tested to ensure that the selected ICS cyber security solution will support the sharing and ingesting of data from other applications.
- A protocol software development kit (SDK) supports the parsing and analysis of various OT and IT protocols and allows the solution to support protocols that are proprietary and require anonymity. The Nozomi Networks Protocol SDK allows for protocol privacy while providing advanced real-time cyber security monitoring and operational visibility.
- ICS cyber security solutions should support expansion and adapt to future additions and changes to the enterprise architecture in a cost-effective and secure manner. To evaluate their readiness to adjust and scale, examine how much of the complete technology stack—from hardware to operating system—they own and control. Additionally, research the ICS cyber security solutions’ product delivery options, from physical to virtual, to better understand how well they support your various application scenarios that require different bandwidth requirements.
Taking a hybrid approach to ICS threat detection, and integrating your security solution with existing IT/OT infrastructure, leads to a comprehensive ICS cyber security posture that addresses your needs today… and tomorrow.
“The Cost of OT Cyber Security Incidents and How to Reduce Risk”
Read this document to learn:
- How OT cyberattacks cause business disruption
- The cost of high profile cyber security incidents
- How to reduce risk with OT visibility and cyber security technology
- Examples of OT cyber security incidents by industry
- Blog: Defending Against Industroyer with ICS Anomaly Detection
- Data Sheet: Guardian
- Solution Brief: Nozomi Networks
- Blog: Nozomi Networks Selected by FireEye for ICS Depth & Technical Excellence