The digitalisation of industrial assets is driving a growing awareness of the importance of protecting connected OT environments from cyberattacks that damage production, plant and assets – and expose sensitive data, says Trevor Daughney, vice president of product marketing at Exabeam
As we discovered in the previous article, cyber threats are increasingly being directed at industrial control systems (ICS) with the aim of shutting down production lines or inflicting massive physical damage to equipment.
With threats to industrial networks on the rise, employees responsible for managing and securing IT and OT will need to collaborate closely to pinpoint potential vulnerabilities and prioritise where security gaps need to be closed. In doing so, IT and OT teams gain the deep understanding they need of the inter-relationships between OT environments, business networks and the wider industrial ecosystem itself – which may also incorporate suppliers, vendors and partners.
That’s no easy task when you consider that, until now, IT and OT security issues have largely been addressed in their respective silos. What’s more, securing OT solutions is a difficult challenge in its own right.
Air-gapped systems are not a viable solution
When it comes to protecting industrial control systems, many organisations still employ an approach known as air-gapping, or security by isolation, in a bid to bolster the security of legacy OT systems against cyberattack. However, while effective as a stop-gap security measure, air-gapping isn’t an ideal solution for the long term. And it certainly shouldn’t be utilised in isolation. Take the Stuxnet worm attack, for example, which was designed to breach its target environment via an infected USB stick – crossing through any air gap. With malicious computer worms such as this in existence, air-gapping alone is not adequate security.
Aside from the fact that air-gapping systems significantly limits organisations’ ability to leverage the real-time data these systems generate to cut costs, reduce downtime and improve efficiency, many of today’s architectures now connect legacy OT to the internet for the purposes of modern operational command and control. Indeed, 40% of industrial sites have at least one direct connection to the public internet – which puts these OT networks directly in the line of fire for adversaries and malware.
Getting to grips with complexity
Unfortunately, many of the security solutions designed for the IT world weren’t custom-built to handle the complexities of today’s connected OT environments. That’s because the IIoT devices utilised within OT systems weren’t devised to be integrated with the security monitoring and management tools designed for corporate IT networks.
The implications of this for organisations are profound: they have no visibility of OT network events or assets. And without an enterprise-wide view of all potential risks, vulnerabilities and potential infiltration points, the rapid threat detection and response capabilities of these companies are seriously compromised.
That’s not good news for security teams tasked with protecting IIoT environments from a growing number of threat actors who are targeting the control systems of multiple industries.
Addressing device risks with UEBA
The good news is that efficiently and effectively monitoring OT devices isn’t an impossible task. Typically designed to operate without human action, these devices ‘behave’ in a predictable way: for example, they communicate using specific ports, with certain IP addresses and devices, at expected times. These actions can be interpreted as ‘behaviour’, and user and entity behaviour analytics (UEBA) can be deployed to extend security monitoring capabilities; integrated with security information and event management (SIEM), this allows comprehensive infrastructure monitoring in a truly unified manner.
Rather than spending days or weeks using a legacy SIEM system to manually query and pivot through each of the hundreds or thousands of logs per second generated by a single OT control point, UEBA makes it faster and easier to uncover indicators of compromise.
Using analytics to model a comprehensive normal behavioural profile of all users and entities across the entire environment, UEBA solutions will identify any activity that is inconsistent with these standard baselines. Packaged analytics can then be applied to these anomalies to discover threats and potential incidents.
In this way, it becomes possible to systematically monitor the voluminous outputs from IIoT devices, alongside IT devices, to find potential security threats. Other activities, such as device logins, can also be monitored.
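The baselining described above, worked through as an added example (this is illustrative code written for this article, not Exabeam’s product logic): a per-device profile of normal peers, ports, active hours and login accounts is learned from a training window, and new events are scored against it. The log format, device names, addresses and indicator weights are all constructed for the example.

```python
"""Baseline-and-deviate scoring for OT device telemetry (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    device: str
    kind: str          # "flow" or "login"
    attrs: dict        # remaining key=value fields from the line


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format:
    '<ISO timestamp> <device> <kind> key=value key=value ...'."""
    ts, device, kind, *kvs = line.split()
    attrs = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), device, kind, attrs)


@dataclass
class Baseline:
    peers: set = field(default_factory=set)   # (dst, port) pairs seen
    hours: set = field(default_factory=set)   # hours of day with activity
    users: set = field(default_factory=set)   # accounts that logged in


def build_baselines(lines):
    """Learn a per-device profile of 'normal' from a training window."""
    baselines = defaultdict(Baseline)
    for ev in map(parse_line, lines):
        b = baselines[ev.device]
        b.hours.add(ev.ts.hour)
        if ev.kind == "flow":
            b.peers.add((ev.attrs["dst"], ev.attrs["port"]))
        elif ev.kind == "login":
            b.users.add(ev.attrs["user"])
    return dict(baselines)


# Hypothetical indicator weights; a real UEBA engine derives these statistically.
WEIGHTS = {"unknown_device": 5, "new_peer": 3, "new_port": 2,
           "off_hours": 1, "new_user": 4}


def score_event(ev, baselines):
    """Return (score, reasons) for one event against its device's baseline."""
    b = baselines.get(ev.device)
    if b is None:
        return WEIGHTS["unknown_device"], ["unknown_device"]
    reasons = []
    if ev.ts.hour not in b.hours:
        reasons.append("off_hours")
    if ev.kind == "flow":
        peer = (ev.attrs["dst"], ev.attrs["port"])
        if peer not in b.peers:
            reasons.append("new_peer")
            if ev.attrs["port"] not in {port for _, port in b.peers}:
                reasons.append("new_port")   # stacks on top of new_peer
    elif ev.kind == "login" and ev.attrs["user"] not in b.users:
        reasons.append("new_user")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(lines, baselines, threshold=3):
    """Score a stream of lines; return (device, time, score, reasons) at/above threshold."""
    alerts = []
    for ev in map(parse_line, lines):
        score, reasons = score_event(ev, baselines)
        if score >= threshold:
            alerts.append((ev.device, ev.ts.isoformat(), score, reasons))
    return alerts


# Constructed training window: a PLC polled by an HMI over Modbus/TCP (502)
# during the day shift, one operator login, and a historian with two peers.
BASELINE_LINES = [
    "2024-03-04T08:00:12 plc-07 flow dst=10.20.1.5 port=502",
    "2024-03-04T09:00:12 plc-07 flow dst=10.20.1.5 port=502",
    "2024-03-04T10:00:13 plc-07 flow dst=10.20.1.5 port=502",
    "2024-03-04T10:05:00 plc-07 login user=operator",
    "2024-03-04T08:30:00 hist-01 flow dst=10.20.1.5 port=502",
    "2024-03-04T08:30:00 hist-01 flow dst=10.20.2.9 port=443",
]

# Constructed detection window: one normal poll, then deviations.
NEW_LINES = [
    "2024-03-05T09:00:10 plc-07 flow dst=10.20.1.5 port=502",
    "2024-03-05T02:14:33 plc-07 flow dst=203.0.113.7 port=4444",
    "2024-03-05T02:15:01 plc-07 login user=admin",
    "2024-03-05T08:45:00 hist-01 flow dst=10.20.1.5 port=443",
]

if __name__ == "__main__":
    for alert in detect(NEW_LINES, build_baselines(BASELINE_LINES)):
        print(alert)
```

The point of the stacked reasons is the one the article makes about packaged analytics on top of anomalies: a single new port or an off-hours poll may be benign, but a PLC reaching a never-seen address on a never-seen port at 02:14, followed a minute later by a login from an account that has never touched it, accumulates a score that a SOC analyst would want surfaced without hand-querying the raw flow logs.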
Taking an integrated approach to security
As we’ve seen, the limitations of both legacy and modern IIoT, OT and IoT solutions are persistent, but there are steps that companies can take to ensure the integrity of their business operations.
The key here is to avoid a ‘point solution’ approach and instead opt for an integrated solution that combines UEBA with a modern SIEM platform to deliver an enterprise-wide view of IT and OT security. This makes it possible to put in place the all-important centralised monitoring that improves detection of threats – including difficult-to-detect techniques like lateral movement.
With this in place, a single SOC team can leverage the SIEM to ingest and analyse data from all the organisation’s sources and gain a real-time view on all security – including full visibility of all devices in their OT environments.
The author is Trevor Daughney, vice president of Product Marketing at Exabeam