OT Security today and in the future: How to secure KRITIS?

The topic of IT security – or more precisely, reports of successful cyber attacks on government agencies and companies – now makes it onto the front pages of newspapers and news portals every day. Nowadays, attackers (or groups of attackers) are motivated, well networked and have commercial or even political interests in spying on their target company, blackmailing it and thus causing it financial or reputational damage.

On the other hand, many companies are struggling to achieve and maintain an IT security level that is appropriate for the current situation. High IT security budgets are often beyond the financial means of the company, and there is often a lack of time and personnel resources.

OT security – i.e. the protection of operational technology, production facilities, industrial plants or infrastructure facilities – is still in the shadows. This is surprising, because an OT attack usually first has to overcome IT security in order to gain access to the OT. However, if insufficient IT security solutions are implemented at this point, the attackers can go about their business unhindered and cause immense damage to the attacked company. In addition to the resulting malfunctions of the OT, in the worst case scenario there is a risk to life and limb or the environment.

Despite the vulnerability and major risks that can materialize when their OT is attacked, organizations are often unable to detect potential threats in a timely manner or to consistently monitor suspicious traffic on these devices. In the worst case, there are no controls in place at all to manage the security and risks that IoT (Internet of Things) brings to an enterprise. And the integration of IoT with artificial intelligence, machine learning, automated processes and the cloud is still in its infancy.

Never change a running system?

“Never change a running system” – this paradigm has long been attributed to IT – misleadingly! In the age of digitalization, not only should IT strategies and infrastructures be regularly and critically scrutinized with regard to IT security, but fundamental system decisions in organizations should also be put to the test.

In terms of IT and OT, this means: Despite some possible overlap – e.g., same operating systems, infrastructure components, network components – there are fundamental aspects in OT that need to be considered and factored into strategic decisions:

  • Safety First – an OT system must run safely and stably, because in the worst case, malfunctions can endanger life and limb.
  • Another focus should be on not allowing any interruptions in the control operation, since shutting down and starting up the system usually involves a great deal of effort.
  • Old hardware is often in use, with operating systems some of which are no longer supported.
  • Often, there are many components and devices but few personnel to look after them.
  • Systems from non-IT, often medium-sized, manufacturers are still very common.
  • Standardized sensors and controllers are often used.
  • Different protocols are often used compared to IT (e.g. ICCP, Modbus, DNP3, etc.).
  • Rough operating environments may prevail in industrial plants.

Create 3 important basic requirements!

OT Security is not a quick win – OT Security is complex and tedious. After all, it involves bringing systems from two worlds into contact with each other – systems that have been in operation for decades in some cases and that are poorly documented.

A step-by-step approach provides orientation:

Step 1: Inventory of systems and overview of potential targets

This involves taking inventory of assets, i.e., researching what the OT system landscape looks like and how it is integrated – what needs to be protected in terms of data, software, systems, devices and processes. This first step is critical to success because it means leaving no blind spots that an attacker could exploit.

Step 2: Risk analysis

The inventory and its vulnerability analysis, combined with possible or necessary patches to the OT system, provide information for a risk analysis. In some cases, for example, it may be safer to work with an older version of the system without patches and mitigate a potential security issue by specifically monitoring the risk. Accepting and mitigating a risk may be safer than crashing the system by making changes whose complexity and dependencies cannot be predicted in their entirety. For risk analysis, the MITRE ATT&CK Framework for ICS (Industrial Control Systems) provides good guidance by supporting a structured assessment and inventory.

Step 3: Central logging

Cyberattacks – or even just a malfunction of a system or component – leave their traces in log files. The central collection of log files is the basic prerequisite for analysis and alerting, and possibly even automated containment of an attack. For efficient and fast analysis, it is crucial that the log data of the various – sometimes very old – subsystems are stored in a normalized format, since the use of high-performance analysis methods and machine learning requires “clean” data (see also the TechTalk article “Layered Analytics: This cybersecurity approach is giving hackers a headache”).

OT Security at Work

Once the appropriate foundations have been laid, the real OT security work can begin: ongoing analysis to detect and defend against attacks in good time. Two methods that have already proven themselves in IT security are used here: real-time correlation and user and entity behavior analytics (“UEBA”), i.e. the use of unsupervised machine learning to detect deviations from normal system operation.

Real-time correlation analyzes existing log data using defined correlation rules. The decisive factor for effectiveness is the performance of the analysis – the faster attacks are detected, the faster the response and the lower the damage. Reducing detection time and reaction time is the key objective here. To ensure that the relevant spectrum of possible attacks is covered, the MITRE ATT&CK framework for ICS already mentioned above is a useful tool for including possible attack vectors in the security analysis in a structured manner.

Unlike Realtime Correlation, UEBA relies on first observing how normal operations and interactions within the OT landscape proceed in order to form a baseline. The baseline is a representation – statistically determined – of the OT system, the behavior and the interaction of the components with each other during normal operation. The baseline is later important for detecting deviations from normal operation. Two advantages are decisive here: First, the system learns independently and can therefore also react to attacks that are not yet stored in correlation rules. Second, attacks on OT systems also involve system interactions that are not problematic in themselves, but whose timing and/or frequency are detected as a deviation from the baseline.

UEBA is a relatively new topic in IT security, which many companies are only now tackling – as the next evolutionary step after real-time analysis. For OT security, the opposite order is recommended. OT systems are designed to repeat activities, production or process steps. It is, so to speak, in the nature of machines to always do the same thing, and anomalies, i.e. deviations from the baseline, are thus easier to find. Furthermore, UEBA does not require the establishment of correlation rules. The basic prerequisite for UEBA – based on machine learning – is cleaned data, because without cleaned data any data analysis will fail.
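As an added illustration (not code from this article or from the ArcSight products it mentions), the following Python sketch shows the two ideas above in miniature: log lines from two differently formatted OT sources are normalized into one record shape, and a per-device frequency baseline is learned from a quiet period so that a burst of otherwise legitimate write commands is flagged as a deviation. The log formats, device names, sample data and threshold are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Constructed sample (not real logs): a Modbus gateway logs syslog-style lines, a legacy
# PLC logs semicolon-separated lines. In the baseline period each device issues 2 write
# commands per minute; in the last minute plc07 issues 20: same commands, wrong frequency.
def build_sample():
    lines = []
    for minute in range(11):
        ts = f"2024-03-01T08:{minute:02d}"
        for i in range(20 if minute == 10 else 2):
            lines.append(f"{ts}:{i:02d}Z;plc07;WRITE_COIL")
        for i in range(2):
            lines.append(f"{ts}:{i + 30:02d}Z gw01 modbus: fc=6 unit=12")
    return lines

SYSLOG_RE = re.compile(r"^(\S+) (\S+) modbus: fc=(\d+) unit=(\d+)$")
WRITE_ACTIONS = {"fc5", "fc6", "fc15", "fc16", "write_coil", "write_register"}

def normalize(line):
    """Map either source format onto one record: (minute, device, action)."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, fc, unit = m.groups()
        return ts[:16], f"{host}/unit{unit}", f"fc{fc}"
    parts = line.split(";")
    if len(parts) == 3:
        ts, plc, event = parts
        return ts[:16], plc, event.lower()
    return None  # unknown format: drop it rather than guess

def writes_per_minute(lines):
    """Normalized records -> {device: {minute: number of write commands}}."""
    counts = defaultdict(Counter)
    for minute, device, action in filter(None, map(normalize, lines)):
        if action in WRITE_ACTIONS:
            counts[device][minute] += 1
    return counts

def baseline_and_alerts(counts, baseline_minutes, z=3.0):
    """Learn mean/stddev per device over the baseline minutes; flag later minutes
    whose write count is more than z standard deviations above the mean."""
    alerts = []
    for device, per_min in counts.items():
        base = [per_min.get(m, 0) for m in baseline_minutes]
        mu, sigma = mean(base), max(pstdev(base), 0.5)  # floor: machines repeat exactly
        for minute, n in sorted(per_min.items()):
            if minute not in baseline_minutes and n > mu + z * sigma:
                alerts.append((device, minute, n, round(mu, 1)))
    return alerts
```

The standard-deviation floor matters in OT: a device that repeats itself exactly has a baseline spread of zero, and without the floor any single extra command would alert.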


Solutions for OT Security Monitoring

Detecting cyberattacks in real time requires security software backed by strong security analytics. ArcSight, for example, has the connectors needed to connect OT systems – this applies to both cutting-edge log sources and aged subsystems. What all connectors have in common is that they bring the data to a uniform format as a basis for further analysis. This is the basic requirement for efficient data analysis.

Log data is stored in a log database with built-in analytics – the advantage is obvious: Forensics as well as real-time correlation and machine learning can be performed on a common, consistent database.

By using machine learning, a solution such as ArcSight Intelligence enables the detection of deviations from the baseline – i.e. from regular operation – and thus the securing of your OT after only a few days of independent learning. Targeted analysis of attack vectors on your OT can be done with ArcSight Detect; this is where the tactics and methods documented in the MITRE ATT&CK for ICS framework are applied.

Customers who do not have, or do not want to create, the capacity to manage OT security monitoring on their own have the option to rely on a SaaS solution or to have their OT security provided as a managed service.


Asset Inventory is the foundation for OT Security. Clean raw data as input for automated analysis is a prerequisite for efficient application of correlation rules and, above all, unsupervised machine learning, so that deviations from normal operation are detected – even if they are hidden behind seemingly normal system interactions.

UEBA is the shortcut on the path to quickly detecting cyberattacks on OT because it does not require the definition of correlation rules.

ArcSight, for example, as a potential security software, brings the necessary technology and methodologies to consolidate, cleanse and analyze the underlying log data in an automated manner so that organizations can effectively protect their OT.

Looking ahead

At this point, the OT system would be protected against cyberattacks. But now that the data is available in a consistent, cleansed and normalized form, it stands to reason that it could be used for other purposes, such as predictive maintenance – or for overall system optimization. After all, not every incident is an indication of a cyber attack; some are early or late indications of component failure.

Would you like to learn more about our solutions for your OT Security? We look forward to hearing from you!

Felix Gutjahr • Author

Cyber Defense Consultant

Since May 2020, Felix has been part of the SECUINFRA team and has already taken over the support of several of our customers in the ArcSight area after a short time. There, he supports the operation and expansion of the SIEM environment, as well as the use case development.

Marcel Röhrl • Author

Portfolio Sales Specialist - NextGen Security Operations

Specialist in the Security Operations portfolio of Micro Focus Cyberres. Has been in IT for over 20 years, with stints in Big Data Analytics, Project Management and Cybersecurity.
