Note: on July 23rd 2019, SCADAguardian was renamed Guardian, and SCADAguardian Advanced was renamed Smart Polling.
When dealing with the difficulties of securing critical infrastructure, it’s sometimes good to take a step back from day-to-day challenges and take a macro view; look at the big picture. Fortinet’s CISO Phil Quade did just that recently in an article originally appearing in CSOonline.com.
I found his key themes both relevant and insightful. Phil indicates that while the news media focuses attention on high profile malware and ransomware attacks, like WannaCry, the bigger threat to critical infrastructure—water, energy and transportation systems—comes from “low and slow” attacks that are hard to detect. And, since a lot of critical infrastructure is owned and operated by the private sector, securing it takes real cooperation between industry and government.
Phil also states that we are on the verge of a security revolution that includes using automation strategies to find and respond to incremental cyber intrusions. Automation is what underpins the Fortinet / Nozomi Networks partnership. Read on to learn more about Phil’s perspective and how our combined solution secures critical infrastructure.
“Low and Slow” Cyberattacks on Critical Infrastructure
When major attacks happen, victims readily see them and can move to counter them. The risks from less than obvious attacks are harder to counter. “Low and slow” attacks – often resulting in indiscernible, incremental changes to the compromised system – worry many security experts. They’re hard to detect before it’s too late and a system is moving towards a critical state. Sophisticated intrusions often work together in subtle ways, yet can disrupt essential services such as water and power.
Cooperation and Automation are Key
In many countries, critical infrastructure is owned and operated by thousands of municipal entities and the security problem is so complex that it’s hard to know where to start. Government can’t solve the problem by itself, and private companies can’t be expected to defend against the cyber military of other nations. An important step is for organizations to cooperate and automatically share threat and vulnerability information within their industries.
Automation is key. As Phil states:
“The best way to find the incremental intrusions and respond in a coordinated and comprehensive fashion is through automation. Human eyes often can’t see the low-and-slow attacks, and we can’t respond fast enough once a breach has been detected.”
The Fortinet / Nozomi Networks partnership is built on cooperation and automation. Nozomi Networks’ SCADAguardian (now Guardian) product uses automated machine learning and artificial intelligence techniques to detect cyber security and process anomalies occurring within the Industrial Control Systems (ICS) of critical infrastructure. When anomalous and/or suspicious behavior is detected, an alarm is generated and sent to security operators and network administrators.
At the same time, SCADAguardian is capable of automatically triggering the right policy in FortiGate firewalls to segment and block the suspicious traffic, all while permitting the unaffected, critical control traffic to continue and keep the plant operating with stability. The combination of advanced anomaly detection, which can identify “low and slow” changes to industrial networks, along with automated feedback and active integration into Fortinet Security Fabric products, goes a long way to improving critical infrastructure cyber security.
