Industrial cyber defense – A new era
In this article we discuss how primarily IT-focused cybersecurity capabilities can be adapted to build an efficient industrial (OT, Operational Technology) cybersecurity framework.
It is important to highlight that one of the areas most in need of improvement is cybersecurity incident management: capable experts assessing suspicious events quickly, efficiently and professionally, then taking appropriate measures to avert the danger or minimize the damage.
As a first step, it’s worth clarifying why we need OT cyber defense.
The answer is fairly simple: today, cybersecurity is more important than ever. The number of cyber-attacks is growing continuously, and both the attacks we have averted and the rising number of successful incidents against our customers show that attacks are becoming more sophisticated and, as a consequence, more significant and more harmful. They no longer target only IT systems, but SCADA/ICS, IoT and IIoT environments as well, which are connected to the “office” network at an increasing number of points. There is therefore a burning need for appropriate incident management practices in these areas too, with special attention to detection and response capabilities.
This raises further questions:
- Is it necessary or appropriate to look at IT and OT incident management from different aspects?
- Are there existing supports (frameworks) we can lean on?
In order to answer the above questions, we should next think about why using frameworks is worthwhile. Luckily, it’s not only industrial processes that possess well-designed, long-time proven frameworks, but industrial information security as well. By using these frameworks, we can spare plenty of effort and unnecessary work – in other words, we don’t have to reinvent the wheel.
Frameworks provide a structure and supporting reference points which we can use when designing a development roadmap or a desired operational model.
Below is a non-exhaustive figure depicting the potentially most important frameworks.
Why are IT frameworks also suitable for use in industrial environments, and why do they map onto one another relatively easily? The reason is that, from an incident management perspective, these environments share several similarities:
- The threats are very similar. In both cases there is an attacker with malicious intent, the appropriate skills and a given opportunity who poses a danger to the IT or OT environment. The attacker is capable of using the weaknesses or vulnerabilities of people, processes or technology to compromise the organization’s systems.
- Defense measures (controls) should be applied at the level of the people, the processes and the technology.
- In both cases, similar multi-level Defense-in-Depth should be implemented.
Incident management in cybersecurity
In a traditional organizational IT environment, cyber defense incident management includes developing, maintaining and improving early detection and quick response capabilities. To minimize harmful impact on the business, we must place equal emphasis on the People, Processes and Technology layers.
- To enable detection and response capabilities, modern technology that can monitor industrial network protocols must be integrated into the cyber defense architecture.
- It’s necessary to define the main incident management processes and align them with IT and non-IT processes.
- The cyber defense incident management team must possess the appropriate skills, knowledge and authorizations.
IT and OT incident management share many similarities. Naturally, they share the same objective: detecting and managing incidents as early as possible. Attack processes are also very similar, and the primary steps of the incident management process are the same:
- Making sure that the monitoring system is continuously operational (Continuous Monitoring)
- Applying a system of rules that allows us to detect attacks (Detection)
- Categorizing threats based on their type and criticality and responding accordingly (Triage)
- Isolating suspicious devices and resources until the assessment is complete (Containment)
- Analyzing the impact, extent and attack method (Analysis)
- Removing harmful codes and fixing the affected systems (Eradication & Remediation)
- Assessing the lessons learned and incorporating them into the operations (Reporting & Enhancement)
In many cases the cybersecurity team cannot itself perform specific steps in the process, but it must still coordinate them and manage internal communication.
In an industrial environment, different technologies and approaches often have to be used, and there may be differences in the processes and the areas involved as well, but the fundamental steps must remain the same. What’s more, as digitalization becomes more widespread, the similarity increases with it.
Since there is so much similarity, one could assume that we could simply copy proven IT incident management processes and technologies into an OT environment. However, the situation is not so easy unfortunately, as there’s a difference in focus and requirements.
In an ideal world, confidentiality, integrity and availability might receive equal attention. In practice, IT environments treat data confidentiality as the top priority (to prevent unauthorized access) and availability as the lowest. In an OT environment the order is reversed: availability comes first, and confidentiality is only a tertiary concern.
NIST SP 800-82, one of the standards featured in the first figure, makes recommendations on securing industrial control systems (ICS) and also outlines the differences between the requirements. For example, during the ‘Containment’ step of the incident management process (the incident response chain), isolating the affected system elements poses a serious challenge because of the availability requirements. Similarly, the tight operational schedule of industrial systems makes it difficult to plan and execute changes (such as updates) in the system.
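As an added example (not code from the article or from SOCWISE), the following Python script shows how the Detection, Triage and Containment steps listed above look when written down as rules, and how the availability-first priority of OT changes the containment recommendation. The asset inventory, IP addresses, host names, rule weights and the event lines are constructed for illustration; the only external fact used is that Modbus function codes 6 and 16 are register writes.

```python
"""Rule-based detection, triage and containment advice over OT network events.

Added example with constructed data: the assets, addresses, event lines and
rule weights below are invented for illustration, not taken from any real plant.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory. 'criticality' drives triage; 'availability_critical'
# marks assets that must not simply be pulled off the network during containment.
ASSETS = {
    "10.10.1.5":  {"name": "PLC-SIS-01",  "zone": "OT", "criticality": 5, "availability_critical": True},
    "10.10.1.6":  {"name": "PLC-LINE-02", "zone": "OT", "criticality": 4, "availability_critical": True},
    "10.10.1.20": {"name": "HMI-01",      "zone": "OT", "criticality": 3, "availability_critical": True},
    "10.10.1.30": {"name": "ENG-WS-01",   "zone": "OT", "criticality": 2, "availability_critical": False},
    "10.20.5.44": {"name": "FIN-LAPTOP",  "zone": "IT", "criticality": 1, "availability_critical": False},
}

WRITE_ALLOWLIST = {"10.10.1.30"}   # only the engineering workstation may write to PLCs
MODBUS_WRITE_FC = {6, 16}          # Modbus Write Single Register / Write Multiple Registers

# Constructed monitor export: "<timestamp> <src> <dst> <proto> <port> <modbus_fc|->"
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 10.10.1.30 10.10.1.6 modbus 502 16
2024-05-01T08:00:05 10.10.1.20 10.10.1.6 modbus 502 3
2024-05-01T08:01:10 10.20.5.44 10.10.1.5 modbus 502 6
2024-05-01T08:01:12 10.20.5.44 10.10.1.20 tcp 3389 -
2024-05-01T08:02:00 10.10.1.30 10.10.1.5 modbus 502 3
"""


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    port: int
    fc: Optional[int]


@dataclass
class Alert:
    rule: str
    severity: str
    event: Event
    containment: str


def parse_events(text: str) -> List[Event]:
    """Parse the whitespace-separated export above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, fc = line.split()
        events.append(Event(ts, src, dst, proto, int(port), None if fc == "-" else int(fc)))
    return events


def zone(ip: str) -> str:
    return ASSETS.get(ip, {}).get("zone", "UNKNOWN")


# Detection: each rule is (name, weight, predicate). Weight feeds triage.
def is_unauthorized_plc_write(e: Event) -> bool:
    return (e.proto == "modbus" and e.fc in MODBUS_WRITE_FC
            and zone(e.dst) == "OT" and e.src not in WRITE_ALLOWLIST)


def is_it_to_ot_crossing(e: Event) -> bool:
    return zone(e.src) == "IT" and zone(e.dst) == "OT"


RULES = [
    ("unauthorized_plc_write", 3, is_unauthorized_plc_write),
    ("it_to_ot_crossing", 2, is_it_to_ot_crossing),
]


def triage(rule_weight: int, dst_ip: str) -> str:
    """Severity = rule weight + criticality of the targeted asset (constructed thresholds)."""
    score = rule_weight + ASSETS.get(dst_ip, {}).get("criticality", 1)
    if score >= 7:
        return "critical"
    if score >= 5:
        return "high"
    return "medium"


def containment_action(e: Event) -> str:
    """OT-aware containment: isolate the source if it is not availability-critical,
    otherwise block the flow at the zone firewall; never take a critical OT asset offline."""
    src, dst = ASSETS.get(e.src, {}), ASSETS.get(e.dst, {})
    actions = []
    if not src.get("availability_critical", False):
        actions.append(f"isolate source host {src.get('name', e.src)} from the network")
    else:
        actions.append(f"block flow {e.src}->{e.dst}:{e.port} at the zone firewall")
    if dst.get("availability_critical", False):
        actions.append(f"keep {dst['name']} online; coordinate with plant operations before any change")
    return "; ".join(actions)


def run(text: str = SAMPLE_EVENTS) -> List[Alert]:
    """Continuous monitoring loop in miniature: detect, triage and recommend containment."""
    alerts = []
    for e in parse_events(text):
        for name, weight, predicate in RULES:
            if predicate(e):
                alerts.append(Alert(name, triage(weight, e.dst), e, containment_action(e)))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"[{a.severity}] {a.rule}: {a.event.src} -> {a.event.dst} | {a.containment}")
```

On the constructed events, the authorized engineering-workstation write and the HMI reads produce nothing, while the IT laptop writing to the safety PLC raises two alerts rated critical; in every case the recommendation is to isolate the IT source host and to keep the OT asset online, which is the practical meaning of the availability-first priority described above.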
In conclusion, it is definitely recommended to build on the available frameworks, while keeping the differences in priorities in mind. What we need to do is choose the framework that suits us best, review the traditional cybersecurity incident management processes and technological elements one by one, and align them with the special requirements of OT systems.
Get an idea from SOCWISE to build or develop your SOC!