The digitalisation of industrial assets is driving a growing awareness of the importance of protecting connected OT environments from cyberattacks that damage production, plant and assets – and expose sensitive data, says Trevor Daughney, vice president of product marketing at Exabeam
As we discovered in the previous article, cyber threats are increasingly being directed at industrial control systems (ICS) with the aim of shutting down production lines or inflicting massive physical damage to equipment.
With threats to industrial networks on the rise, employees responsible for managing and securing IT and OT will need to collaborate closely to pinpoint potential vulnerabilities and prioritise where security gaps need to be closed. In doing so, IT and OT teams gain the deep understanding they need of the inter-relationships between OT environments, business networks and the wider industrial ecosystem itself – which may also incorporate suppliers, vendors and partners.
That’s no easy task when you consider how, until now, IT and OT security issues have largely been addressed in their respective silos. What’s more, the challenge of addressing the security of OT solutions is not an easy one to surmount.
Air-gapped systems are not a viable solution
When it comes to protecting industrial control systems, many organisations still employ an approach known as air-gapping, or security by isolation, in a bid to bolster the security of legacy OT systems against cyberattack. However, while effective as a stop-gap security measure, air-gapping isn’t an ideal solution for the long term. And it certainly shouldn’t be utilised in isolation. Take the Stuxnet worm attack, for example, which was designed to breach its target environment via an infected USB stick – crossing through any air gap. With malicious computer worms such as this in existence, air-gapping alone is not adequate security.
Air-gapping also significantly limits an organisation’s ability to leverage the real-time data these systems generate to cut costs, reduce downtime and improve efficiency. Meanwhile, many of today’s modern architectures now connect legacy OT to the internet for the purposes of modern operational command and control. Indeed, 40% of industrial sites have at least one direct connection to the public internet – which puts these OT networks directly in the line of fire when it comes to potential exposure to adversaries and malware.
Getting to grips with complexity
Unfortunately, many of the security solutions designed for the IT world weren’t custom-built to handle the complexities of today’s connected OT environments. That’s because the IIoT devices utilised within OT systems weren’t devised to be integrated with the security monitoring and management tools designed for corporate IT networks.
The implications of this for organisations are profound: they have no visibility of OT network events or assets. And without an enterprise-wide view of all potential risks, vulnerabilities and potential infiltration points, the rapid threat detection and response capabilities of these companies are seriously compromised.
That’s not good news for security teams tasked with protecting IIoT environments from a growing number of threat actors who are targeting the control systems of multiple industries.
Addressing device risks with UEBA
The good news is that monitoring OT devices efficiently and effectively isn’t an impossible task. Typically designed to operate without human action, these devices ‘behave’ in a predictable way: for example, they communicate over specific ports, with particular IP addresses and devices, at expected times. These actions can be interpreted as ‘behaviour’, and user and entity behaviour analytics (UEBA) deployed to extend security monitoring; integrated with security information and event management (SIEM), this enables comprehensive infrastructure monitoring in a truly unified manner.
Rather than spending days or weeks using a legacy SIEM system to manually query and pivot each of the hundreds or thousands of logs per second generated by a single OT control point, UEBA makes it faster and easier to uncover indicators of compromise.
Using analytics to model a comprehensive profile of normal behaviour for all users and entities across the entire environment, UEBA solutions identify any activity that is inconsistent with these baselines. Packaged analytics can then be applied to those anomalies to surface threats and potential incidents.
In this way, it becomes possible to systematically monitor the voluminous outputs from IIoT devices, alongside IT devices, to find potential security threats. Other activities, such as device logins, can also be monitored.
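As an added illustration of the baselining idea above (example code, not Exabeam’s product), the following profiles each OT device by the peers, ports and hours of day it normally uses, then flags later events that fall outside that profile. Device names, addresses and log lines are constructed for the example.

```python
"""Added example (not Exabeam's code): profile each OT device by the (peer,
port) pairs it talks to and the hours it is active, then flag later events
that fall outside that profile. All log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed training window: timestamp,device,peer_ip,dst_port
BASELINE_LOG = """\
2024-03-01T06:02:10,plc-07,10.20.1.5,502
2024-03-01T14:30:00,plc-07,10.20.1.9,44818
2024-03-02T06:01:58,plc-07,10.20.1.5,502
2024-03-02T14:31:12,plc-07,10.20.1.9,44818
2024-03-01T08:00:00,hmi-02,10.20.1.5,502
2024-03-02T08:00:04,hmi-02,10.20.1.5,502
"""

# Constructed observation window to score against the baseline.
NEW_LOG = """\
2024-03-03T06:02:07,plc-07,10.20.1.5,502
2024-03-03T02:15:40,plc-07,10.20.1.5,502
2024-03-03T08:00:01,hmi-02,10.20.1.5,502
2024-03-03T08:03:19,hmi-02,203.0.113.7,445
2024-03-03T09:00:00,rtu-11,10.20.1.5,502
"""

def parse(log):
    """Yield (device, peer_ip, port, hour) from CSV-style flow lines."""
    for line in log.splitlines():
        ts, device, peer, port = line.split(",")
        yield device, peer, int(port), datetime.fromisoformat(ts).hour

def build_baseline(log):
    """Per device: the (peer, port) pairs and hours of day seen as normal."""
    profile = defaultdict(lambda: {"peers": set(), "hours": set()})
    for device, peer, port, hour in parse(log):
        profile[device]["peers"].add((peer, port))
        profile[device]["hours"].add(hour)
    return dict(profile)

def score(log, profile):
    """Return (device, reason) for every event outside its device's profile."""
    findings = []
    for device, peer, port, hour in parse(log):
        if device not in profile:
            findings.append((device, "unknown device"))
        elif (peer, port) not in profile[device]["peers"]:
            findings.append((device, f"new peer {peer}:{port}"))
        elif hour not in profile[device]["hours"]:
            findings.append((device, f"active at unusual hour {hour:02d}"))
    return findings
```

In practice the baseline would be learned over a longer window and the findings forwarded to the SIEM as alerts for correlation with IT-side events.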
Taking an integrated approach to security
As we’ve seen, the security limitations of both legacy and modern IIoT, OT and IoT solutions are persistent, but there are steps that companies can take to ensure the integrity of their business operations.
The key here is to avoid a ‘point solution’ approach and instead opt for an integrated solution that combines UEBA with a modern SIEM platform to deliver an enterprise-wide view of IT and OT security. This makes it possible to establish the all-important centralised monitoring that improves the detection of threats – including difficult-to-detect techniques like lateral movement.
With this in place, a single SOC team can leverage the SIEM to ingest and analyse data from all the organisation’s sources and gain a real-time view on all security – including full visibility of all devices in their OT environments.
The author is Trevor Daughney, vice president of Product Marketing at Exabeam