Security and Reliability for ICS Networks

When you think about cyber security, the phrase “it’s all about the data” might spring to mind. We utter sayings like “protect the crown jewels” and “keep sensitive data from prying eyes.” And though it’s true that in many cases cyber security boils down to protecting the data—keeping unauthorized users, processes, and software off our networks and away from the data upon which our businesses run—security practitioners also know that the security triad consists of confidentiality, integrity, and availability. All three elements are central to IT security programs. Yet, if push comes to shove and malware is found on a system, or an attacker is lurking in the network of a tech company, for instance, security’s first response may be, “shut it down!”

This may work OK for IT security when an incident strikes (though it’s not without fallout and irritation from non-security executives), but when we’re talking about OT—operational technology: the hardware and software that monitors and controls how physical devices work—in critical infrastructure, the name of the game is availability. For industries like healthcare, utilities, telecommunications, logistics, and transportation, data loss is bad, but loss of productivity and availability is worse. If a power company is attacked and customer records are lost, that’s bad. But a power outage for millions of customers lasting hours (or days, if the incident is severe enough) is worse. The cyber attack on the Ukrainian power grid, though the outage lasted only about an hour, is a sign of what a suitably motivated attacker can do.

Stuxnet, a cyber attack on an Iranian uranium enrichment plant in 2010, remains the best (or worst, depending on your point of view) example of what can happen when OT systems are attacked. Yet one can also look at how NotPetya took down Maersk, a global container shipping company, for two weeks (at an estimated cost of $300 million), or how the Shadow Brokers’ attack spread to more than 75 countries, causing, for example, operational disruptions at UK hospitals that forced them to turn away patients and reschedule life-saving surgeries.

Operating a converged IT/OT network

The convergence of OT and IT poses serious risks and raises questions about how to operate. Given how commonly operational technology is embedded in organizations’ IT infrastructures today, more threat vectors exist than ever. The consequences of a cyber attack, or even an innocent configuration error, in an OT network affect more than the data, as the examples above demonstrate.

This is the mission against which Indegy, a 5-year-old industrial control systems (ICS) security company, operates. With customers in the public and private sectors, Indegy helps secure industrial networks through asset visibility, vulnerability management, and configuration control. Senior Director of Marketing Michael Rothschild and CMO Joe Scotto explained that the company's Industrial Cybersecurity Control Suite can be deployed as hardware, as a virtual appliance, or even in the cloud via their CIRRUS offering, making the company the first ICS security vendor to offer a cloud-based service. Once installed, Indegy’s sensors probe the network for devices and connections, allowing it to identify and monitor OT as it communicates.

A key to Indegy’s capability lies with its patent for active detection of cyber threats. “Passive monitoring alone cannot provide the visibility into critical systems that our customers need,” said Rothschild. The patent, he said, “requests source code from programmable logic controllers within industrial networks then compares the reported code to a stored, baseline version of the code. If the two sources don’t match, an alert is sent and an operator can take action. To enable active detection, it’s a simple add-on. In addition, the solution can be completely cloud connected, which is especially attractive when deploying additional gear is not practical or feasible, such as in large distributed sites or smaller customer environments.”

Baselining behavior and activity

When running in the customer environment, Indegy looks at traffic from OT, the behavior of the devices, device signatures, and the integrity of the devices themselves, based on firmware models, serial numbers, versions, and patches. The technology also integrates threat intelligence sourced from the National Vulnerability Database (NVD), ICS-CERT, Suricata, and Indegy Labs so that known threats can be quickly identified and alerted upon. In addition, Indegy tracks and monitors changes to installed controllers, providing an audit trail and allowing operators to verify that changes were intended and executed by authorized operators.
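To make the active-detection idea from Rothschild’s description and the change-tracking audit trail above concrete, here is an added example of a controller-logic integrity monitor. It is not Indegy’s code and does not use any real PLC protocol: the controller names, the “logic” byte strings, and the approved-change list are constructed sample data, and the monitor simply compares a SHA-256 digest of whatever logic a controller reports against a stored baseline digest, alerting on drift unless the controller has an approved change window, and recording every check in an audit trail.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample data: project logic captured from each controller while it
# was in a known-good state. Controller names and contents are hypothetical.
BASELINE_LOGIC = {
    "plc-01": b"LD I0.0\nAND I0.1\nST Q0.0\n",
    "plc-02": b"LD I1.0\nST Q1.0\n",
}


def logic_fingerprint(code: bytes) -> str:
    """Keep a digest of the logic rather than the logic itself; digests are cheap to compare."""
    return hashlib.sha256(code).hexdigest()


@dataclass
class AuditEvent:
    controller: str
    kind: str                     # ok | drift | unreachable | unknown_device
    expected: Optional[str]       # baseline digest, if the controller is known
    observed: Optional[str]       # digest of what the controller reported
    authorized: bool              # True for ok, or drift covered by an approved change
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class LogicMonitor:
    def __init__(self, baseline: Dict[str, bytes], approved_changes=()):
        self.baseline = {name: logic_fingerprint(code) for name, code in baseline.items()}
        # Controllers with an approved change window: drift there is re-baselined
        # instead of alerted, but is still written to the audit trail.
        self.approved_changes = set(approved_changes)
        self.audit_trail: List[AuditEvent] = []

    def check(self, controller: str, observed_code: Optional[bytes]) -> AuditEvent:
        expected = self.baseline.get(controller)
        if expected is None:
            # A controller we have no baseline for is the "unknown unknown" case.
            observed = logic_fingerprint(observed_code) if observed_code else None
            ev = AuditEvent(controller, "unknown_device", None, observed, False)
        elif observed_code is None:
            # A controller that stops answering deserves an alert of its own: it
            # may be offline, isolated, or refusing the request.
            ev = AuditEvent(controller, "unreachable", expected, None, False)
        else:
            observed = logic_fingerprint(observed_code)
            if observed == expected:
                ev = AuditEvent(controller, "ok", expected, observed, True)
            else:
                authorized = controller in self.approved_changes
                ev = AuditEvent(controller, "drift", expected, observed, authorized)
                if authorized:
                    self.baseline[controller] = observed       # accept the new logic
                    self.approved_changes.discard(controller)  # window is one-time
        self.audit_trail.append(ev)
        return ev

    def sweep(self, live: Dict[str, bytes]) -> List[AuditEvent]:
        """Check every known controller plus anything newly seen; return events needing action."""
        names = set(self.baseline) | set(live)
        events = [self.check(name, live.get(name)) for name in sorted(names)]
        return [e for e in events if not e.authorized]


if __name__ == "__main__":
    monitor = LogicMonitor(BASELINE_LOGIC, approved_changes={"plc-02"})
    # Constructed "live" poll: plc-01 untouched, plc-02 changed under an approved
    # window, plc-03 never seen before.
    live = {
        "plc-01": BASELINE_LOGIC["plc-01"],
        "plc-02": b"LD I1.0\nAND I1.1\nST Q1.0\n",
        "plc-03": b"LD I2.0\nST Q2.0\n",
    }
    for alert in monitor.sweep(live):
        print(f"ALERT {alert.kind:14s} {alert.controller} at {alert.at}")
    print(f"{len(monitor.audit_trail)} checks recorded in the audit trail")
```

The important design choice is that an approved change is never silent: it still produces a `drift` event in the audit trail, so an operator can later confirm that the change matched a ticket, while an unapproved mismatch or a controller that stops responding surfaces as an alert on the same sweep.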

With the information collected through the above processes, Indegy not only reports on how, when, and with what OT is communicating in a customer environment, but like any good cyber security tool today, it provides a risk assessment that operators can use to track progress over time and triage critical alerts.

Future challenges

The convergence of IT and OT has given cyber security teams greater control over the types of devices running on their networks, how they’re configured, how and when they’re communicating, and whether any problems arise. That said, OT networks introduce their own challenges above and beyond the traditional IT network: OT networks are not necessarily coherent; devices may sit out of band; they can be a messy hodgepodge of technology; and devices can be air-gapped for safety reasons. Further, OT assets don’t look like traditional IT assets from a network perspective, and systems can be outdated, with no patches available.

Indegy’s platform (which integrates with third-party tools such as next-generation firewalls and SIEMs) can tackle several of these issues right now and achieve improved visibility, monitoring, alerting, and reporting of communicating assets in customers’ converged IT/OT environments.

The greater challenge, and the one that keeps ICS operators up at night, is finding the unknown unknowns within a network—the Stuxnet-like signals that could cause physical damage, pose a threat to humans, or prevent the normal operation of critical services. Without active communication, OT devices remain unknown and unmanaged—and highly risky.

Indegy helps detect known and dormant devices, and with its CIRRUS offering, small- and medium-sized ICS players now have a way to manage their environments. If you manage an OT network, large or small, I recommend you evaluate how Indegy can help you sort through the noise and rein in risks from unmanaged, unprotected systems. It’s not hard to imagine that attacks against critical infrastructure will become more prevalent in the future; some skeptics might say it’s likely attackers are inside your networks now. Wouldn't it be better to use a tool like Indegy to find intrusions and events before they impact your operations?