This article was updated on December 28, 2022.
Industrial automation cyber security is a growing concern as the use of connected devices and systems in these environments increases. Industrial control systems, such as those used in manufacturing, energy, and transportation, are often critical to the operation of a facility and the safety of its employees. As such, they are a prime target for cyber attacks. In recent years, there have been several high-profile industrial cyberattacks that have disrupted operations and caused significant damage.
In 2017, the NotPetya attack, which targeted Ukrainian industrial facilities, caused widespread damage and is believed to have cost billions of dollars. The 2019 Triton attack, which targeted a petrochemical facility in Saudi Arabia, was aimed at the facility’s safety systems and could have been catastrophic had it not been caught in time. These attacks highlight the importance of industrial automation cyber security in protecting against potential disruptions and dangers.
Real-time industrial control system (ICS) visibility and threat detection that complements existing IT/OT processes and cyber security infrastructure can greatly improve cyber resiliency. Three important elements to incorporate when addressing cyber security challenges in industrial automation are visibility into ICS environments, hybrid threat detection, and seamless IT, OT and IoT integration.
1. Getting Visibility into Complex OT Environments
The typical ICS environment is constructed of heterogeneous systems consisting of various networking technologies, such as Ethernet TCP/IP, cellular, LAN, serial control and remote/intelligent I/O. Today’s industrial automation systems also incorporate unmanaged IoT devices to improve efficiency, perform predictive maintenance and save money. These OT and IoT devices, and the communications between them, can’t be identified and monitored via traditional IT network and cyber security tools.
To address this, today’s leading ICS cyber security solutions extend the visibility of IT into OT environments. These solutions generally deploy non-intrusively and provide visibility and detection across all corners of complex OT networks.
2. Using A Hybrid Approach to ICS Threat Detection
With new forms of malware continually emerging, industrial operators should consider a multi-faceted approach to threat detection: one that is attentive, responsive and proactive. Hybrid threat detection uses behavior-based anomaly detection and rules-based detection to identify malware at all stages of an attack. Incorporating both methods is critical to timely attack detection. We will examine both methods in detail below.
Behavior-Based Anomaly Detection
The ability to non-intrusively learn and monitor the behavior of all traffic within an industrial control network allows you to identify would-be cyber threats that would generally go unnoticed using conventional cyber security approaches. Useful contextual analysis, based on the correlation of many anomalies across a geographically distributed, multi-tiered network, separates behavior-based anomaly detection from conventional cyber security. Thousands of cyber incidents can often be attributed to a single root cause, so identifying that underlying culprit is crucial to fast forensic analysis and remediation.
Rules-Based Analysis
Proactive threat hunting driven by rules-based analysis allows you to leverage deep packet inspection to help uncover malware cyberattacks on your network and initiate a response prior to the initial infection phases. This is a key component of Nozomi Networks’ hybrid threat detection approach, which uses both external rules (such as YARA rules and packet rules) and proprietary rules inherent to Guardian’s unique and customizable analysis toolkit. Both forms of rules-based analysis are effective for identifying malware threats.
Utilizing a rich analytics engine and artificial intelligence (AI) techniques, our solution identifies both process and communication anomalies, including correlations with process data readings and critical state awareness. Examples of detected anomalies include modified or added devices within the network, irregular communications and bandwidth and latency variances. Using our contextual correlation, users can rapidly organize, aggregate and assess anomalies according to threat category, risk level and location within the network.
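The hybrid approach described in this section (a learned communication baseline plus packet rules, with findings correlated so one root cause surfaces instead of thousands of alerts) can be sketched in a few dozen lines. This is an added illustration, not Nozomi Networks or Guardian code; the flow record format, the "control subnet" and the single packet rule are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Flow:            # constructed flow record, e.g. from a passive network sensor
    src: str           # source IP
    dst: str           # destination IP
    proto: str         # e.g. "modbus"
    func: str          # protocol function, e.g. "read_holding" or "write_multiple"
    nbytes: int        # payload bytes in this record

CONTROL_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # assumed engineering/control subnet

# Rules-based part: named predicates over one flow, a stand-in for a packet rule.
RULES = [
    ("modbus write from outside control subnet",
     lambda f: f.proto == "modbus" and f.func.startswith("write")
               and ipaddress.ip_address(f.src) not in CONTROL_SUBNET),
]

class HybridDetector:
    def __init__(self):
        self.devices = set()               # hosts seen during the learning phase
        self.pairs = set()                 # (src, dst, proto, func) tuples seen
        self.volume = defaultdict(list)    # per-pair byte counts for the bandwidth baseline

    def learn(self, flows):
        """Behavior-based part: build the baseline from a learning-phase capture."""
        for f in flows:
            self.devices.update((f.src, f.dst))
            key = (f.src, f.dst, f.proto, f.func)
            self.pairs.add(key)
            self.volume[key].append(f.nbytes)

    def detect(self, f):
        """Return (category, detail) findings for one post-learning flow."""
        findings = [("new_device", h) for h in (f.src, f.dst) if h not in self.devices]
        key = (f.src, f.dst, f.proto, f.func)
        if key not in self.pairs:
            findings.append(("new_communication", key))
        elif f.nbytes > 3 * mean(self.volume[key]):     # crude bandwidth-variance check
            findings.append(("bandwidth_variance", key))
        findings += [("rule_match", name) for name, pred in RULES if pred(f)]
        return findings

def aggregate(findings_per_flow):
    """Contextual correlation stand-in: count identical findings across many flows so a
    single root cause (one new host, one rule) shows up once with a count, not per alert."""
    return Counter(x for findings in findings_per_flow for x in findings)
```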
3. Integrating IT, IoT and OT Cyber Security
Another factor in success is how well an ICS cyber security solution scales to meet the needs of a large, distributed industrial organization whose networks include multiple tiers of supervisory and operational control. For maximum effectiveness, the solution should integrate seamlessly with existing IT and ICS security infrastructure, such as firewalls, SIEMs and user authentication systems.
API (application programming interface) openness, protocol support capabilities and product modularity define the key integration and scalability capabilities of effective ICS cyber security solutions. Here’s what you should consider:
- An open API determines how easily and effectively a solution integrates with existing applications and adapts to the future direction of the overall enterprise architecture. For example, the API’s ability to support secure bi-directional flows of data should be tested to ensure that the selected ICS cyber security solution will support the sharing and ingesting of data from other applications.
- A protocol software development kit (SDK) supports the parsing and analysis of various OT and IT protocols and allows the solution to support protocols that are proprietary and must be kept confidential. Look for an SDK that allows for protocol privacy while providing advanced real-time cyber security monitoring and operational visibility.
- ICS cyber security solutions should support expansion and adapt to future additions and changes to the enterprise architecture in a cost-effective and secure manner. To evaluate their readiness to adjust and scale, examine how much of the complete technology stack, from hardware to operating system, they own and control. Additionally, research the ICS cyber security solutions’ product delivery options, from physical to virtual, to better understand how well they support your various application scenarios and their differing bandwidth requirements.
Getting visibility into industrial control systems, taking a hybrid approach to threat detection and integrating your industrial security solution with existing infrastructure leads to a future-proofed cyber security posture that keeps you protected today and tomorrow.