Detect and prevent - Nixu participated in SANS Institute’s ICS Security Summit

Kalle Luukkainen

September 30, 2015 at 10:30

In addition to building layers of protection, cyber security for the Industrial Internet requires situational awareness. 

The US-based independent, internationally recognized SANS Institute organized the Industrial Control System (ICS) security summit in Amsterdam at the end of September. The event brought together industrial automation system security experts, authority representatives and field researchers to participate in the training courses, listen to presentations, and discuss their experiences. 

The organizers invited 20 speakers to participate, including experts from National Grid, Shell, Aramcon, MSB (the Swedish Civil Contingencies Agency), Thales Group and Mandiant. 

Jarkko Holappa from Nixu delivered a speech on Nixu’s ways of developing cyber security-related situational awareness for industrial systems. With improved situational awareness you can gain an up-to-date view of what is happening in the industrial system. 

It is not enough to protect industrial systems with traditional information security solutions that prevent attacks; alongside those solutions, the capability to detect a successful attack on the system and to react to it is needed. Otherwise, the attack will only be detected when the system freezes, or when the production process fails to function as desired. Without sufficient ability to detect the attack, it might take months, or even years, before the attacker's malware is noticed.

Towards situational awareness

Because the industrial control systems are more and more interconnected with the IT systems, the capability to detect successful attacks requires close cooperation with the operator, the system vendor and a cyber security specialist. System-level knowledge is essential in order to build effective situational awareness.

As automation systems are typically multi-vendor environments, monitoring can be used for improved service quality control across the different systems. Monitoring also provides information for an audit trail, which supports problem solving in these environments.

Industrial systems need to be protected in all phases of their life cycle. However, as perfect cyber defenses do not exist and near-perfect protection comes at a very high cost, generally the most cost-effective solution is to invest both in good defenses and in building cyber security situational awareness at the same time. 

What’s new?

In an automation environment, the most important capability is to be able to detect new and surprising system anomalies, unplanned system changes or, for example, outgoing traffic connections to the Internet. The static nature of industrial systems makes it easier to detect anomalies. 

On the other hand, the proprietary protocols of industrial systems create their own challenges and require close cooperation with the system provider. The real-time constraints of automation systems must also be taken into account. Active network scanning is not possible in an automation environment, so monitoring must happen passively. Examples of passive methods are mirroring traffic to a separate system, or tracking vulnerabilities against the asset database.
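The passive approach described above, as an added example that is not Nixu's or SANS's code: flow records taken from a mirror port during a known-good period are learned as a baseline, and later records are compared against it, so that flows the static plant network has never shown (and in particular connections leaving the plant address range) are flagged without sending a single packet into the automation network. The CSV layout, the hosts, the ports and the 10.20.0.0/16 plant range are all constructed for the example.

```python
"""Passive flow comparison for a static ICS network (added example, not
Nixu's or SANS's code). Assumes flow records exported from a mirror port as
CSV: timestamp,src_ip,dst_ip,dst_port,proto. Addresses and ports are
constructed; 10.20.0.0/16 is the assumed plant range."""
import csv
import io
import ipaddress

PLANT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address range

# Constructed baseline: HMI polls two PLCs over Modbus/TCP (502), the
# historian pulls from the HMI, the engineering station uses EtherNet/IP.
BASELINE_CSV = """timestamp,src_ip,dst_ip,dst_port,proto
2015-09-01T08:00:00,10.20.1.10,10.20.2.1,502,tcp
2015-09-01T08:00:01,10.20.1.10,10.20.2.2,502,tcp
2015-09-01T08:00:02,10.20.1.20,10.20.1.10,5450,tcp
2015-09-01T08:00:03,10.20.1.30,10.20.2.1,44818,tcp
"""

# Constructed observation window: two known flows plus two anomalies.
OBSERVED_CSV = """timestamp,src_ip,dst_ip,dst_port,proto
2015-09-28T14:00:00,10.20.1.10,10.20.2.1,502,tcp
2015-09-28T14:00:05,10.20.1.30,10.20.2.1,44818,tcp
2015-09-28T14:00:09,10.20.1.20,198.51.100.7,443,tcp
2015-09-28T14:00:12,10.20.1.30,10.20.2.2,23,tcp
"""

def flow_key(row):
    """A flow is identified by who talks to whom, on which service."""
    return (row["src_ip"], row["dst_ip"], int(row["dst_port"]), row["proto"])

def learn_baseline(csv_text):
    """Learn the set of flows seen during a known-good period."""
    return {flow_key(r) for r in csv.DictReader(io.StringIO(csv_text))}

def find_anomalies(csv_text, baseline):
    """Return (timestamp, kind, flow) for every flow not in the baseline.
    Destinations outside the plant range are singled out, since a static
    OT network should not be opening connections towards the Internet."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = flow_key(row)
        if key in baseline:
            continue  # known-good traffic; passive monitoring stays quiet
        dst = ipaddress.ip_address(row["dst_ip"])
        kind = "outbound_external" if dst not in PLANT_NET else "new_flow"
        findings.append((row["timestamp"], kind, key))
    return findings
```

In practice the baseline must be refreshed with the system vendor whenever a planned change is made; otherwise every legitimate modification shows up as a new flow.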