Energy and manufacturing companies have spent years investing in bringing controls safely into their operational environments. The most mature programs try to build a sustainable policy for their industrial environments by combining a NIST framework approach with a more specific automation policy like ISA 99/IEC 62443. The intent is to augment traditional detective controls including antivirus prevention, network segmentation, two-factor authentication, and remote access. But one of the remaining challenges is how to implement security monitoring, a critical capability now that industrial environments can no longer be assumed to be isolated from the outside world. In this column I’ll address the key factors to consider when building a strategy for gaining threat visibility in operations technology (OT) environments, and best practices for implementation.
Start with Your Attack Surfaces
First, understand the existing relationship and the tools shared between your IT and OT organizations. If your organization has matured to the point where you have built trust with the plant side, you are managing the firewalls, and you have defined a single point of accountability for security at each site, you stand a strong chance of success. Understand what tools your plant team is already using. I remember talking to a major utility that did not know their generation control systems came with a SIEM, even though they had never activated it to connect. Assess your asset inventory — is it manual, left over from your control system architecture diagrams, or do you have a baseline configuration management database that you can automate for vulnerability discovery?
Secondly, consider the totality of what needs monitoring. If you have clearly defined segmentation and established zones and conduits across your industrial network, you have an excellent chance of identifying violations within traffic flowing across these zones. Showing a plant that they have a programmable logic controller (PLC) in a safety-instrumented system talking to an outbound network is a great example of policy violation that should never occur. By combining robust asset inventory with monitoring, you can quickly show misconfigured devices, new traffic patterns, and port scanning on ICS devices — all of which are quick wins to demonstrate effectiveness.
Next, consider the ideal security architecture for that environment. Traditional monitoring products (e.g., SIEM, IPS) can be prohibitively expensive and very challenging to deploy across multiple plants. Stacking up point products for securing industrial environments won’t provide the necessary visibility and will create solution sprawl. Every additional security product introduced will require testing and certification from automation vendors to support the network environment and understand it from the protocol level. Furthermore, with limited access to the automation vendor’s network, your options for monitoring traffic off of a span port will be limited.
A common process will need to be defined to allow the IT security operations center (SOC) and process control network (PCN) teams to rapidly collect information from the plants, visualize the traffic, and provide meaningful analysis back to the plants. Given the nature of an OT environment, you will need to monitor classic IT protocols like Server Message Block (SMB) and fully understand the interface between your Windows-based control system assets and your embedded devices like PLCs. This traffic usually passes through OPC connections or through your historian vendor, both of which will need to be monitored. Furthermore, a strategy is needed for monitoring the major OT-specific protocols so that traffic is properly recognized and attacks can be understood at the protocol level for the main open industrial protocols. This can be difficult because automation vendors have used a myriad of protocols. To help you navigate, establish a “Top 10” or an 80/20 rule covering the top industrial protocols like OPC, Ethernet/IP and Modbus/TCP alongside your IT-based protocols.
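As an added example, not code from this column or from ProtectWise, the following Python script applies the zone-and-conduit checks described above (a safety-system PLC talking outbound, traffic outside any defined conduit, port scanning against an ICS host) to a handful of constructed flow records, labelling each finding with the industrial or IT protocol implied by its well-known port, in the spirit of the “Top 10” protocol list. The zone CIDRs, the conduit whitelist, the port-to-protocol table and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed IEC 62443-style zone model; CIDRs are illustrative, not a real plant.
ZONES = {
    "SIS":  ipaddress.ip_network("10.10.1.0/24"),   # safety-instrumented system PLCs
    "BPCS": ipaddress.ip_network("10.10.2.0/24"),   # basic process control / HMIs
    "DMZ":  ipaddress.ip_network("10.20.0.0/24"),   # historian and OPC UA gateway
}
# Whitelisted conduits as (src_zone, dst_zone, dst_port); any other flow is a finding.
CONDUITS = {
    ("BPCS", "SIS", 502),     # Modbus/TCP reads from the control network into the SIS
    ("BPCS", "BPCS", 44818),  # Ethernet/IP between controllers and HMIs
    ("DMZ", "BPCS", 4840),    # OPC UA collector in the DMZ polling the control network
}
# Well-known ports for the "Top 10" style protocol labelling (assumed mapping).
PROTOCOLS = {502: "Modbus/TCP", 44818: "Ethernet/IP", 4840: "OPC UA", 445: "SMB"}
SCAN_THRESHOLD = 5  # distinct destination ports from one source to one ICS host

def zone_of(ip):
    """Map an address to its zone name, or EXTERNAL if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def check_flows(flows):
    """Return findings for (src_ip, dst_ip, dst_port) flow records."""
    findings = []
    ports_seen = defaultdict(set)  # (src, dst) -> ports touched on an in-zone host
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        proto = PROTOCOLS.get(dport, f"tcp/{dport}")
        if dz != "EXTERNAL":
            ports_seen[(src, dst)].add(dport)
        if sz == "SIS" and dz == "EXTERNAL":      # policy says this must never occur
            findings.append(("sis_outbound", src, dst, proto))
        elif (sz, dz, dport) not in CONDUITS:     # new or misconfigured traffic pattern
            findings.append(("undefined_conduit", src, dst, proto))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("port_scan", src, dst, f"{len(ports)} ports"))
    return findings

# Constructed sample flows: normal polling, an SIS PLC reaching the internet,
# SMB into the safety zone, and a port sweep of the same safety PLC.
SAMPLE_FLOWS = [("10.10.2.10", "10.10.1.5", 502), ("10.20.0.7", "10.10.2.10", 4840),
                ("10.10.1.5", "198.51.100.9", 443), ("10.10.2.33", "10.10.1.5", 445)]
SAMPLE_FLOWS += [("10.10.2.33", "10.10.1.5", p) for p in (21, 22, 23, 80, 102)]
```

Running `check_flows(SAMPLE_FLOWS)` yields one `sis_outbound` finding, six `undefined_conduit` findings (the SMB connection plus the five swept ports) and one `port_scan` finding, while the two whitelisted polling flows produce nothing.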
Finally, keep in mind that industrial threats execute over long periods of time before they deliver the industrial-specific payload. Take BlackEnergy3, for example: adversaries used the malware to gain control of corporate networks, pivoted into SCADA networks and disconnected substations from the grid, leaving 225,000 customers without power for over six hours. As SANS pointed out, “The strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multi-stage, multi-site attack.”
Move to the Cloud
To effectively anticipate and defend against advanced threats specifically designed to compromise OT environments, explore solutions that manage more than real-time information by retaining network traffic for long periods of time for analyzing anomalies and understanding protocols. Doing this economically is made possible by the cloud, where full-fidelity network traffic can be stored and continuously replayed against the latest threat intel to find past exploits of newly discovered vulnerabilities.
The cloud is also the key to supporting the collaborative requirements for monitoring upstream operations. Cloud-delivered security is minimally invasive at the plant level, which is appealing to the operations teams whose key priorities are uninterrupted operations and safety of the plants. The cloud will also facilitate monitoring trusted partners’ access to ICS environments to ensure they’re not inadvertently introducing threats.
The Future: Apply the Power of Data Visualization
Geologists use seismic mapping to discover oil in the subsurface through visualizing massive quantities of data. At Chevron, 3-D imaging covers thousands of miles and extends 10 miles into the earth, revealing a multilayered deep-earth panorama. By recording multiple 3-D surveys over time, they’re able to create a timeline of activity — 4-D information.
But when it comes to security, oil and gas companies still rely on one-dimensional technology that presents a myopic, single-point-in-time analysis. What if it were possible to visualize OT security environments and deal with complex threats in the same manner as geophysical imaging, with complete immersive visibility into a timeline of network traffic?
An immersive presentation layer enables intuitive interaction with petabytes of security data. A complex, dispersed operational environment is transformed into a virtual cityscape that can be easily explored and investigated, like a beat cop who uses 4-D awareness while patrolling to identify people or objects that are familiar, questionable or clearly dangerous. In an immersive security environment, graphics serve as a language that provides unprecedented situational awareness, enabling faster incident response and intuitive anomaly detection as the user is completely involved in the flow of relevant data.
Building a sustainable ICS security program begins with asset inventory and a clear understanding of the tools in place in your plant environments. A common process for collaboration between IT SOC and PCN teams is also foundational; through this process you can also define a strategy for mitigating the complexities of monitoring OT-specific protocols. An architecture that provides full visibility and detection of events across IT and OT environments will take your program to the next level: leverage a cloud-delivered security solution that delivers real-time threat detection even at the most remote sites and lets you replay network traffic to discover the previously unknown. In a landscape where complex threats with very specific missions execute over long periods of time, you’ll have a distinct advantage.
A highly regarded leader in the ICS and IIoT security field, David Hatchell leads the Industrial Security practice at ProtectWise. He has spent the past decade building and leading critical infrastructure and industrial security practices for global technology companies, including Belden where he led acquisition integration efforts and defined go-to-market strategies that led to relationships with key energy and utility companies. Prior to that David led the global expansion of an ICS/IIoT/Critical Infrastructure practice for McAfee. www.protectwise.com