Industrial control systems (ICS) play a fundamental role in monitoring complex industrial processes and infrastructure. Proper ICS security is critical, as these systems often face malicious threats and cyberattacks. The National Institute of Standards and Technology (NIST) explains the importance of ICS cybersecurity in the NIST Special Publication 800-82, stating:
“ICS cybersecurity programs should always be part of broader ICS safety and reliability programs at both industrial sites and enterprise cybersecurity programs, because cybersecurity is essential to the safe and reliable operation of modern industrial processes. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders.”
Attacks on operational technology (OT) have been on the rise for decades. Here is what you need to know about ICS security and the monitoring of OT networks.
ICS is a major segment of the OT sector and comprises the systems used to monitor and control industrial processes. These systems are mission-critical applications with a high availability (HA) requirement. Most industrial control systems are process control systems managed via programmable logic controllers (PLCs) or a discrete process control system (PDCS) that can use any PLC or other control device.
ICS are usually managed via supervisory control and data acquisition (SCADA) software that provides a user interface (UI) for observation and alarm management. In a nutshell, SCADA systems are industrial control systems that provide supervision and control over processes using devices such as PLCs and remote terminal units (RTUs) in OT networks. The PLCs collect the process data, execute the control logic, and send commands to field devices.
SCADA networks consist of multiple computers, software packages, and devices that perform essential services in critical infrastructure. These systems are used to monitor key processes to ensure the proper provisioning of those critical services.
In the beginning, these kinds of systems were designed for a specific purpose, without considering security or the need to protect against external threats. These systems performed well and sometimes worked for decades without requiring any kind of update. As you can imagine, even though they are reliable and flexible, they lack security.
The Purdue model was adopted from the Purdue Enterprise Reference Architecture (PERA) model by ISA-99 and used as a concept model for ICS network segmentation. It is an industry-adopted reference model that shows the interconnections and interdependencies of all the main components of a typical ICS. This model is a great resource to start the process of figuring out a typical modern ICS architecture:
The levels may change in name, but what occurs at each level does not. If you’re interested in exploring each zone at a more granular level, visit Packt’s blog to see a more in-depth breakdown of the ICS architecture.
ICS has some characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world such as impacting the health and safety of human lives, damaging the environment, causing financial issues and production losses, compromising proprietary information, or hurting the nation’s economy.
ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of the control systems.
A successful attack in an ICS environment may result in the interruption of critical services, redirection of processes, or manipulation of operational data that can have serious consequences. Here are examples of industries in which ICS exist, all of which have an important role in the everyday functions of modern society:
Just imagine a successful attack on a nuclear plant — it’s a scary thought!
SCADA market size exceeded 30 billion dollars in 2019 and will continue to increase in the coming years. According to Global Market Insights, we can attribute this market growth to the increasing adoption of cloud-based SCADA, infrastructural developments in smart cities and transportation, and Industry 4.0 technologies such as Industrial IoT (IIoT) and cloud to enhance efficiency and productivity.
Several concerns become more prevalent as the market continues to grow, such as:
Recognizing those specificities and risks, as well as the tremendous impact they can have on SCADA-based critical infrastructures such as energy grids, water distribution systems, transportation systems, or factory plants, there needs to be a strong investment towards enhancing the security of SCADA systems.
By connecting control systems to a computer network, we are accepting that there are risks of a compromise. Today these networks are going to be either connected to the internet or subject to an increased risk of insider threat. Opening up old control systems to the internet and modern cyber landscape simply increases the threat surface against which an attacker or person with malicious intent could gain a foothold. With newer OT technologies, the risks are still present albeit a little more controlled.
The truth is that there is no going back. The benefits of networked control of modern, or even aging, infrastructure outweigh the potential consequences when weighed against the operational costs of the past, but only if the risks are understood. Here’s a brief breakdown of potential processes and components that may pose security risks in your ICS system:
The National Institute of Standards and Technology developed some guidelines on how to defend against SCADA cyberattacks. Here’s an overview of actions that can be taken based on their report, NIST Special Publication 800-82:
Approaching security in an OT environment might be intimidating; however, LogRhythm has a solution in different approaches such as classic security modeling and passive discovery analysis. Let’s take a deeper dive into each process.
Remembering the Purdue Model, the different zones can be protected using LogRhythm out-of-the-box modules.
The core set of capabilities for LogRhythm includes data collection, parsing (or normalizing) data, and correlating that data to identify suspicious or problematic activity. This processing and enrichment of data enables all forms of data analysis.
Once the data has been ingested and normalized, the SIEM solution correlates events across all the data in aggregate to identify patterns of compromise and alert the end user to suspicious activity.
Here are some methods that help with this approach:
The enterprise zone contains systems on the enterprise network that normally sit at a corporate level and span multiple facilities or plants. Most of those components are usual for the IT department and LogRhythm’s solutions can monitor and detect any threat with out-of-the-box modules.
The Manufacturing Zones: Level 3 – Operation
Ignoring for a second that this layer is part of the ICS environment, we can find several resources that can be monitored in the same way as we do with IT environments.
Using standard techniques, here are ways to monitor the site operations zone:
Firewall:
Engineering Workstation:
Servers:
The other method companies can use, alongside or instead of the previous one, is passive discovery and analysis using an “inside-out” approach. This method can be called “Bridging the Visibility Gap” and it has multiple advantages:
Using LogRhythm AI Engine in combination with LogRhythm NetMon, security teams get the following benefits:
The sophistication and complexity of known cyberattacks, and the number of identified state-affiliated actors, are steadily escalating. Defending against and responding to sophisticated adversaries is a constantly evolving, essential capability.
With LogRhythm NetMon, analysts have full visibility into their OT network in order to analyze traffic and detect abnormal behaviors between the components, such as: IP addresses not on the whitelist, configuration changes sent to the ICS devices, replay attacks, injection attacks, and more.
One of the major features of NetMon is the DPA language, which allows analysts to extract specific bytes out of a packet so you can:
In order to help security analysts detect abnormal behaviors in the ICS environment, LogRhythm NetMon is capable of analyzing and extracting:
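As an added illustration of the two checks just described (source addresses not on the whitelist, and configuration changes sent to ICS devices), the script below extracts protocol bytes from constructed packet payloads and raises alerts. This is not LogRhythm code or NetMon DPA syntax; Modbus/TCP is an assumed protocol for the example, and the addresses and allow list are constructed.

```python
"""Passive ICS traffic check over constructed packets (added example, not NetMon code).
Modbus/TCP is assumed as the protocol carried in the TCP payload."""
import struct
from dataclasses import dataclass

# Constructed whitelist: hosts permitted to talk to the PLC at 10.0.2.10
ALLOWED_SOURCES = {"10.0.2.20", "10.0.2.21"}   # HMI and engineering workstation
# Modbus function codes that change device state (write coil(s) / register(s))
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes  # TCP payload carrying one Modbus/TCP ADU


def parse_modbus(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP ADU, or None if malformed."""
    if len(payload) < 8:
        return None
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id; byte 7 is the function code
    _tid, proto, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def inspect(packets):
    """Return one alert string per packet worth an analyst's attention (empty list if clean)."""
    alerts = []
    for p in packets:
        parsed = parse_modbus(p.payload)
        if parsed is None:
            alerts.append(f"{p.src}->{p.dst}: malformed Modbus frame")
            continue
        unit_id, fc = parsed
        if p.src not in ALLOWED_SOURCES:
            alerts.append(f"{p.src}->{p.dst}: source not on allow list (fc={fc})")
        elif fc in WRITE_FUNCTION_CODES:
            alerts.append(f"{p.src}->{p.dst}: write to unit {unit_id} (fc={fc})")
    return alerts


# Constructed sample traffic: a read from the HMI, a write from the engineering
# workstation, and a read from a host that is not on the whitelist.
SAMPLE = [
    Packet("10.0.2.20", "10.0.2.10", bytes.fromhex("0001000000060103000A0002")),  # fc 3, read registers
    Packet("10.0.2.21", "10.0.2.10", bytes.fromhex("0002000000060106000A0001")),  # fc 6, write register
    Packet("10.0.9.77", "10.0.2.10", bytes.fromhex("0003000000060103000A0002")),  # unknown source
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

Fed the sample traffic, the script reports the write from the engineering workstation and the read from the unlisted host, while the routine HMI read passes silently.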
There is so much more to explore with how LogRhythm can help your security team monitor and secure your OT networks. LogRhythm’s NextGen SIEM Platform delivers comprehensive security analytics, user and entity behavior analytics (UEBA), network traffic analysis (NTA), and security orchestration and automation response (SOAR) within an integrated platform for rapid detection, response, and neutralization of threats.
Learn more about how LogRhythm can strengthen the maturity of your security operation and streamline your ICS security efforts. Schedule a demo with a product expert to discover the solution!