Editor's Choice


Industrial control system ­cybersecurity

July 2018 Editor's Choice

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, and environment hardening. In this month’s article, we will look at how to start monitoring industrial control system networks, in what is called network security monitoring (NSM). NSM is not confined to security monitoring though, as most system owners’ state, the best return on investment for a NSM tool is often through finding incorrectly configured ICS devices and gaining a more in-depth understanding as to how the ICS assets communicate.

The benefits of NSM tools in the ICS environment

NSM deployments are not very common in ICS environments, but we are starting to see an increase in the number of customers implementing these solutions as their systems become more digitised, driven by the IIoT and Industry 4.0. Owners and operators are slowly starting to see the benefit of deploying such a system to help them gain more insight and visibility into their ICS networks. The golden rule of cybersecurity is that you cannot protect what you cannot see, and NSM helps you to ‘see’ your networks, thus enabling you to build stronger cybersecurity controls.

The NSM tool will enable you to collect, analyse, and correlate data across your ICS network(s), which will help to not only detect potential security risks, but also to identify network connectivity issues and configuration problems. NSM tools do present some challenges though, but that is an entire article on its own. These challenges are extremely well documented online and need to be investigated and, more importantly, understood before implementing any NSM tool. I would, however, like to highlight two of the main challenges that I often come across, these being: the massive amount of data that is collected by the monitoring tools; and the amount of time required to correlate and disseminate this data, to turn it into intelligent actionable information.

Now that I’ve told you about NSM tools, you’re probably starting to ask: “Well where do we start? And what do I need to begin monitoring?”

Both are valid questions. If you bring on too many information sources you and your team will be inundated with information, bring on too few, and you will leave areas of your network potentially exposed. The most effective way to implement NSM is to bring on segment by segment, or zone by zone. If you have already implemented the Purdue Model (PERA), the hard work of segmenting into zones is mostly completed. If you have not yet adopted this architecture, look for current established zones, like your perimeter, the engineering workstations, etc, and start collecting the data from those sources. This data will then be ingested into the NSM solution, and intelligence will be built and tweaked over time, to provide actionable reports. This process can then be repeated for each new segment/zone that is added to the NSM solution.

Recommendations

There are a few very good NSM solutions that are available commercially, which have the ability to ingest specific ICS data. These solutions also come with great support options from the respective vendors and partners. There are also quite a few options for open source solutions, specific to control systems, which are well documented online: including Security Onion, BroIDS, OSSEC and Snort, to name a few. These were initially developed for IT systems, but they have since evolved to include support for ICS networks.

However, there is no ‘one solution that fits all’. What we have found works very effectively is a combination of the tools mentioned above, and some others. One of the better guides I have read in this regard is from The Spanish Security and Industry CERT, certsi_, which has published a fantastic research piece on not only NSM, but also intrusion prevention/detection (IPS/IDS) https://tinyurl.com/y95roj4b. I strongly recommend that you download this guide and share it with your team.

Conclusion

In closing, whilst there are a number of NSM tools available, it is strongly recommended to combine these with industry best practices, for effective monitoring of an ICS network infrastructure. There are quite a few practitioners/vendors out there who claim that a SIEM (security information and event management) is the same as network monitoring, but it is not. Be careful and do your homework – there are only a limited number of vendors whose products are proven to work in an ICS environment.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, tommy@nclose.com





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Loop Signatures 1: Introduction to the Loop Problem Signatures series
May 2020, Michael Brown Control Engineering , Editor's Choice
Over the years I have had many requests to write a book giving more detailed explanations of some of the problems I have encountered in my work on practical loop optimisation. I am by nature and inclination ...

Read more...
Loop Signatures 2: The two classes of processes.
July 2020, Michael Brown Control Engineering , Editor's Choice
This article will discuss the two classes of processes called self-regulating and integrating (or ramping) processes. This subject is absolutely vital to regulatory control, but strangely is seldom taught ...

Read more...
From the editor's desk: The virtual business assistant
May 2020, Technews Publishing (SA Instrumentation & Control) , Editor's Choice
Have you ever wished someone would automate the daily grind of routine tasks and set you free to focus on the more engaging aspects of your job?

Read more...
From the editor's desk: The virtual business assistant
June 2020, Technews Publishing (SA Instrumentation & Control) , Editor's Choice
Enter robotic process automation (RPA), a disruptive workplace technology that uses software “robots” to mimic many of the repetitive interactions human beings have with their computers. It performs such ...

Read more...
Case History 172: Interesting controls in a copper extraction plant.
June 2020, Michael Brown Control Engineering , Editor's Choice
In my 30 years devoted to optimising controls in industrial process plants in many countries, I thought that I had seen all the possible process dynamics that one would encounter. Imagine my surprise ...

Read more...
The emergence of a new future in the energy sector
April 2020 , Editor's Choice
Adaptively complex and persistent challenges in Africa are driving the need for a new future in the energy sector. Lack of access to energy, (more than 600 million people in Africa with no access to energy) ...

Read more...
Case History 171: Instability in a metallurgical plant
March 2020, Michael Brown Control Engineering , Editor's Choice
I have written several articles about the unique problems I have encountered, specifically in the mining processing industry. This article is about some experiences in a mining operation where recently ...

Read more...
Case History 170
January 2020 , Editor's Choice
As mentioned in earlier articles, the integral (or I term) in the controller is a brilliant thing. It is an extremely elegant and simple solution for eliminating offset in control. However, like everything ...

Read more...
Case History 169: Tuning a very difficult temperature control loop
November 2019 , Editor's Choice
As I have mentioned in previous articles, Greg McMillan, one of the world’s top control experts, has said that he finds temperature control loops generally the worst optimised processes as most people ...

Read more...
Beyond Capex and Opex
November 2019 , Editor's Choice
How do we finance IT? We identify a need, we test the waters with a PoC (proof of concept), then we get the green light after we prove the value. We know roughly how much it will cost by looking at the ...

Read more...