January 19, 2021 Aligning the SOC to Secure IT, OT and IIoT

To understand the major challenges of properly securing OT (OT), we must first identify how it is unlike the traditional IT environments.

By Cynthia Gonzalez, product marketing manager, Exabeam

More than a decade ago, in 2010, the world witnessed the emergence of a malicious computer worm, dubbed Stuxnet, which targets supervisory control and data acquisition (SCADA) systems and would later be widely believed as responsible for substantial damage to and destruction of centrifuges from Iran’s nuclear program. Fast forward to 2014, we saw the emergence of the Sandworm hacker group, responsible for a targeted offensive against Ukraine infrastructure that caused nationwide blackouts, and suspected for the massive NotPetya attack that crashed organizations around the world. Even more recently, we’ve seen threats specifically target Israel’s water system within the past year.

These types of state-sponsored attacks on critical infrastructure are thought to be increasing in incidence and opportunity, and there are technology-specific reasons why. Here, we will examine those reasons, and what can be done to build a stronger offense as a defensive measure to protect mission-critical systems from hackers and other vulnerabilities.

Understanding Operational Technology and Critical Infrastructure

To understand the major challenges of properly securing operational technology (OT), we must first identify how it is unlike the traditional information technology (IT) environment. OT refers to computing systems that are used to manage industrial operations, while IT works with digital information and data.

Operational systems are made up of industrial control systems (ICS) like the network, ICS servers, ICS workstations, routers, switches, as well as process control and automation such as human machine interface (HMI) and SCADA, etc. The ICS are a major segment within the OT sector, typically categorized as mission-critical applications with high-availability requirements and used to monitor and control industrial processes. These could be mine site conveyor belts, manufacturing plants, telecommunications, water and waste control, oil and gas refining, transportation, power consumption on electricity grids and alarms from building information systems.

Unlike IT environments, where a team uses a CIO’s plan and design for the entire ecosystem and builds the network infrastructure to be interconnected with the internet, an industrial environment is built to focus purely on productivity and remain on a closed network system. This fundamental difference is what makes it exceedingly difficult to retrofit a security posture that can protect OT systems.

How Threats Can Be Introduced

As the backbone of modern commercial automation solutions and ICS for critical infrastructure, OT devices and systems must be protected. Initially, OT environments were built with the intent to remain closed. For an attack to occur, an attacker had to be physically inside the OT environment. The Stuxnet worm, introduced earlier, is a prime example—it required someone to use an infected USB flash drive on a network device.

These mature OT systems, effectively running for decades, continue to use legacy technologies. Legacy examples include programmable logic controllers (PLCs) that run industrial electromechanical processes for manufacturing and robotics; open and close valves for water, oil, and gas; or turn circuits on and off to regulate the flow of electricity.

Newer scenarios are increasingly introducing the Internet of Things (IoT) to legacy OT devices. Solutions are being connected to IP networks and the internet to enable a centralized command-and-control, as well as provide remote access. Other purpose-built OT devices – also called Industrial Internet of Things (IIoT) or Industry 4.0—provide native integration with IP networks. This involves the use of smart machines, sensors, big data technologies and machine-to-machine (M2M) communication to gather, analyze and relay data that can detect inefficiencies, as well as process or product defects, to improve production methods and save businesses time and money. Some already common examples are sensors on truck fleets; trains and drones that enable driverless operations; and ‘smart city’ sensors on public infrastructure used to control street lights or change stop light traffic patterns. Here, OT enables unlimited possibilities for more cost efficient and reliable operations. However, by introducing IIoT for remote access, and to help operationalize and monitor these processes, OT environments are dangerously exposed to the global internet. The exposure of a formerly ‘closed environment’ exponentially expands its attack surface, leaving it vulnerable to a catastrophic failure.

Still, there is benefit to IoT within OT environments, so it’s important that organizations can prepare for them. Whether OT devices are smart or not, simple or complex, the shared characteristic of IP connectivity over the global internet means that security solutions must address the nearly universal exposure to the same cyberthreats associated with enterprise IT.

The good news is, there are models for integrating OT device security with enterprise IT security to provide a centralized, organization-wide view to enable rapid detection, investigation, response and mitigation of internet-borne threats.

Evolving Technologies Create Problems

As technologies evolve, and OT embraces IIoT with connectivity to the internet, one problem that has emerged is that the staff overseeing OT is likely different from the staff handling IT processes. When OT is outsourced, or has IIoT devices deployed over a wide geography, IT may be fundamentally blind to those devices, without authority over the information needed to manage security from a single or centralized view. It is no wonder, then, that OT systems are often overlooked in essential security practices like creating a disaster recovery plan or monitoring for suspicious activity. Additionally, OT devices often have vulnerability issues baked into their design, and with multiple staff managing them on a day-to-day basis, the devices are prone to neglect, with no one explicitly tasked to apply security patches regularly. These factors create an environment that is ripe for malicious attackers who troll on weakness.

It is clear that siloed security efforts for OT and IT is not an effective strategy. There must be a comprehensive view of all risks, with an integrated capability for threat detection and response across all types of connected technology—whether from OT environments, IT or IIoT. Legacy OT devices will often have no integrated capability for security management, and surprisingly, this can even be true for some newer IIoT devices. This means that organizations using both old and new OT must overcome these differences to determine an appropriate path for stronger OT security.

Finding a Functional Security Solution

Detecting an attack on IIoT and OT requires baseline security monitoring of all devices in the OT system. However, monitoring these devices is a specialized task and requires expertise in OT protocols. Organizations without OT protocol expertise can use a third-party device monitoring solution, and these solutions frequently integrate with external sources for analytics and response automation, such as a modern SIEM management platform, providing a consolidated view across IIoT, IT and OT device types.

It is possible that native security monitoring is baked into newer IoT and IIoT devices, allowing them to automatically transfer and receive security data with a central OT monitoring solution. However, this is unlikely with legacy OT devices due to limited memory or processing capability. In these scenarios, gathering event data will be more challenging.

One solution is to automate periodic device polling with scripts to get around lack of security software on legacy OT devices. Another is to monitor the devices by network activity. Network traffic analysis is interesting because OT devices typically operate without human action. They are pure machines, so understanding ‘behavior’ in an attack chain requires a different approach from traditional security tools that monitor IT activity based on direct human actions. To accomplish this, entity analytics can be applied to OT device activity, used by modern enterprise IT security solutions to detect and remediate advanced threats that are unable to be addressed by legacy solutions.

User and entity behavior analytics (UEBA) solutions use operational data from many sources, along with machine learning and behavior analysis to define a baseline for ‘normal’ behavior on an enterprise network. Entities may include IT assets such as hosts, applications, network traffic and data repositories – and virtually any IIoT or OT device. As an example, if OT devices for an oil and gas valve controller system are usually accessed from designated operators using specific computers at a precise location, an entity analytics system can instantly detect an abnormal attempt to access those OT devices.

Anomalous activity triggers an alert to security operations center (SOC) analysts who use data for investigation and remediation of threats. This illustrates the benefits of integrating entity analytics capabilities with a modern SIEM platform to construct an enterprise-wide view of all IT, OT and network security, for a single SOC team. For every incident, timelines are created, where events and associated risk reasons are correlated with contextual data. These provide analysts with normal and abnormal behaviors for users and devices, be they IT, OT or IIoT, and make it easy for SOC analysts to pinpoint anomalies and mitigate incidents. The single view on enterprise-wide security helps the SOC to ensure that security event detection and response is applied exactly as needed, wherever it is required.

Using Intelligence to Prevent Catastrophic Destruction

Around the world, we are seeing a growing number of attacks to OT environments that can shut down or disrupt critical infrastructure. The fact is malicious attackers often look for the easiest way to accomplish their task – to be blunt, they aim to be as lazy as possible. The prize, especially as a nation state actor, is to shut something down or gain intelligence. There are no extra points for crazy techniques, so why would they bother attacking Windows or iPhones, when IIoT devices are already vulnerable, and the OT networks they are connected to are worth billions of dollars? If the infrastructure is mission-critical, and disrupting it can effectively shut down a country, that is a rich target to a hacker.

The U.S. government acknowledges that IoT security is a global challenge, and as such, is moving forward with measures to combat these threats as well, by passing the IoT Cybersecurity Improvement Act (H.R. 1668). This bill, which is highly likely to soon be signed into law, is a significant step forward to advocating for implementation of coordinated vulnerability disclosure.

Many major OT attacks originate from exploited vulnerabilities of IoT devices connected to IT systems, before pivoting to OT systems. Unfortunately, organizations treat IIoT and OT security differently than IT security, and in doing so fail to build a cohesive security strategy, leaving IIoT and OT vulnerable to attacks. Instead, organizations should merge the OT and IT security operations and extend IT security practices to OT environments, including IIoT devices. This approach, as illustrated here, can also help organizations to continuously improve security using analytics against attacks that exploit vulnerabilities in IT systems and then move laterally to attack OT systems.

Subscribe to Industry Today