This is the second of a two-part series of blog posts covering the challenges of securing Industrial IT infrastructures. This part covers:
- The ICS Cybersecurity Maturity Model guides organizations through the process of reducing risk exposure
- Breach Detection is a critical technology that helps detect advanced threats before significant damage is inflicted
- Network Traffic Analysis is an effective solution that leverages network traffic flows to identify threats that might affect the entire spectrum of devices connected to the network
In the first part of this blog post, we looked at the security challenges inherent to the Industrial IoT. The recent cybersecurity bill passed by the US Senate stands as testament that there is no easy, silver bullet solution to the problem. So, what is there to do? We usually see digitization as a one-way street, but it’s not always like that. On June 27, The U.S. Senate passed a cybersecurity bill designed to study ways to replace automated systems with low-tech redundancies to protect the country's electric grid from hackers. In other words, to decrease grid digitization. Why? The risks associated with digitization have surpassed acceptable thresholds.
Not all industries and organizations are exposed to the same level of risk. Risk management is, or at least should be, at the center of every discussion on cybersecurity. And the response to risk – both in terms of procedures and in terms of technologies – should be relative to the level of risk the organization is exposed to. Arc Advisory Group developed a model – the ICS Cybersecurity Maturity Model (Figure) – to help industrial managers understand cybersecurity challenges without having to become experts on the subject.
This step-by-step model is designed to guide the organization through the process of reducing risk exposure, while considering the level of resources required. It starts with securing the devices, and continues with defending them, containing incidents, managing response and anticipating future threats.
Every technology in the ICS Cybersecurity Maturity Model is worth discussing, but I will focus on one that is of critical importance: Breach Detection. Why is Breach Detection so important? All the technologies to the left, from Secure to Contain, focus on prevention. They fight threats early in the attack kill-chain, denying them access to devices and preventing them from executing attacks. Preventive security layers are very important because they dramatically reduce the attack surface and can technically stop almost all attacks (usually above 99.9%).
But some highly sophisticated attacks manage to fly under the radar and avoid all prevention layers. These attacks are the ones we see in the media. They are typically the most destructive ones – either exfiltrating or destroying valuable information, or manipulating critical processes leading to destruction of equipment of other severe consequences.
And this is where Breach Detection solutions coupled with Incident Management and Response play a critical role. These technologies and procedures are built to work together and help security teams detect advanced threats, and even advanced attacks that have managed to pass the prevention layers but still haven’t advanced far enough to do real damage. So, how can we detect an advanced attack unfolding in such a heterogenous and complex IIoT environment? There is no one-size-fits-all answer. Fortunately, we do have options to address risk and reduce exposure.
Let’s take a bird’s eye look at the IIoT architecture diagram. The Purdue model I presented in Part 1 has evolved into a new architecture, with three areas: Edge Computing (contain most of the OT), the Network and the Cloud.
Looking at this diagram we can easily see a common denominator for all the elements in the IIoT environment: the network. IIoT was born out of communication needs and that makes network-based breach detection the most appropriate, and the most effective, option we currently have to detect advanced threats targeting all IIoT devices. Any IIoT device activity translates into a network “trace.” By analyzing patterns of network traffic, malicious activity can be detected.
There are two major approaches to network security: flow analysis and content analysis. Content analysis (also known as deep packet inspection) sounds appealing, for it promises both context and details on the communication. However, it’s complicated and expensive, especially when considering the multitude of proprietary protocols in an IIoT environment. On the other hand, flow analysis only leverages traffic meta-data (source, destination, protocols, packet count, etc.) and focuses on traffic patterns and subtle changes in network communication behavior to detect advanced attacks and compromised endpoints. This is how Network Traffic Analysis (NTA) solutions emerged. NTA is a category of security solution that focuses on network traffic and leverages advanced technologies like Machine Learning (ML) and behavioral analytics to improve detection of advanced threats targeting any network-connected device.
In addition to detecting malicious actions, next-generation NTA solutions like Bitdefender Network Traffic Security Analytics can automatically triage and correlate security events to create a crisp picture of the unfolding threat. This is a very important capability for another element of the ARC model: Incident Investigation and Response. Automated triage of security alerts not only helps security teams save time; it also enables them to stay focused on the security incidents that pose a real threat to the organization.
In a nutshell, NTA provides three key benefits for industrial infrastructure managers:
- Visibility into all devices that generate traffic
- The ability to monitor the behavior of devices to identify advanced threats that passed prevention mechanisms
- Support for incident investigation and response efforts
Is NTA, as a Breach Detection platform, the ultimate solution to keep industrial IoT safe? Will it close all the gaps? It’s hard to answer with a definitive “yes” or “no.” Closing all the gaps requires the complete re-engineering of many industrial systems in use today. And that’s hardly an option. However, NTA is an effective and readily-available solution that can help organizations reduce their exposure to cyber risk and defend critical industrial infrastructures.
If you’d like to learn more about Bitdefender Network Traffic Security Analytics, visit: https://www.bitdefender.com/business/enterprise-products/network-traffic-security-analytics.html