Editor's Choice

Industrial control system ­cybersecurity

July 2018 Editor's Choice

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, and environment hardening. In this month’s article, we will look at how to start monitoring industrial control system networks, in what is called network security monitoring (NSM). NSM is not confined to security monitoring though, as most system owners’ state, the best return on investment for a NSM tool is often through finding incorrectly configured ICS devices and gaining a more in-depth understanding as to how the ICS assets communicate.

The benefits of NSM tools in the ICS environment

NSM deployments are not very common in ICS environments, but we are starting to see an increase in the number of customers implementing these solutions as their systems become more digitised, driven by the IIoT and Industry 4.0. Owners and operators are slowly starting to see the benefit of deploying such a system to help them gain more insight and visibility into their ICS networks. The golden rule of cybersecurity is that you cannot protect what you cannot see, and NSM helps you to ‘see’ your networks, thus enabling you to build stronger cybersecurity controls.

The NSM tool will enable you to collect, analyse, and correlate data across your ICS network(s), which will help to not only detect potential security risks, but also to identify network connectivity issues and configuration problems. NSM tools do present some challenges though, but that is an entire article on its own. These challenges are extremely well documented online and need to be investigated and, more importantly, understood before implementing any NSM tool. I would, however, like to highlight two of the main challenges that I often come across, these being: the massive amount of data that is collected by the monitoring tools; and the amount of time required to correlate and disseminate this data, to turn it into intelligent actionable information.

Now that I’ve told you about NSM tools, you’re probably starting to ask: “Well where do we start? And what do I need to begin monitoring?”

Both are valid questions. If you bring on too many information sources you and your team will be inundated with information, bring on too few, and you will leave areas of your network potentially exposed. The most effective way to implement NSM is to bring on segment by segment, or zone by zone. If you have already implemented the Purdue Model (PERA), the hard work of segmenting into zones is mostly completed. If you have not yet adopted this architecture, look for current established zones, like your perimeter, the engineering workstations, etc, and start collecting the data from those sources. This data will then be ingested into the NSM solution, and intelligence will be built and tweaked over time, to provide actionable reports. This process can then be repeated for each new segment/zone that is added to the NSM solution.


There are a few very good NSM solutions that are available commercially, which have the ability to ingest specific ICS data. These solutions also come with great support options from the respective vendors and partners. There are also quite a few options for open source solutions, specific to control systems, which are well documented online: including Security Onion, BroIDS, OSSEC and Snort, to name a few. These were initially developed for IT systems, but they have since evolved to include support for ICS networks.

However, there is no ‘one solution that fits all’. What we have found works very effectively is a combination of the tools mentioned above, and some others. One of the better guides I have read in this regard is from The Spanish Security and Industry CERT, certsi_, which has published a fantastic research piece on not only NSM, but also intrusion prevention/detection (IPS/IDS) https://tinyurl.com/y95roj4b. I strongly recommend that you download this guide and share it with your team.


In closing, whilst there are a number of NSM tools available, it is strongly recommended to combine these with industry best practices, for effective monitoring of an ICS network infrastructure. There are quite a few practitioners/vendors out there who claim that a SIEM (security information and event management) is the same as network monitoring, but it is not. Be careful and do your homework – there are only a limited number of vendors whose products are proven to work in an ICS environment.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, tommy@nclose.com


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Nick Denbow’s European report: Trends in plant monitoring
March 2019 , Editor's Choice
Early last year, the interest from many large automation and sensor suppliers focused on condition monitoring, for example, using wireless communications to monitor the condition of the motors and bearings ...

Now might be the time to have a talk with your IT service provider
March 2019, Absolute Perspectives , Editor's Choice, IT in Manufacturing
The Gartner hype cycle provides a simple graphic representation of how emerging technologies are adopted in the market. The principle is quite simple: a new technology (such as augmented reality) will ...

Nick Denbow’s European report: Will UK industry pull out of the Brexit torpor?
February 2019 , Editor's Choice
Whether the UK – whoever is in charge – decides in March to remain in the EU, drop out, or make a negotiated partial exit, the last year has been disastrous for UK industrial investment in instrumentation ...

New toolkits for innovation
January 2019, Absolute Perspectives , Editor's Choice
Why you might want to bypass the DCS and scada systems.

Emerging technologies pose a pressing governance challenge
December 2018 , Editor's Choice
As the year draws to a close, multiple factors compel the continuation of the Industry 4.0 theme and its challenges, particularly those related to governance. Many readers of this column, as well as social ...

Nick Denbow’s European report: Condition monitoring resurrected yet again as sensors get smarter
December 2018 , Editor's Choice
Back in the mists of time, that is, in the sixties, the engineers in charge of the gas turbines used to generate electricity in power stations, and others monitoring helicopter gearboxes, used sensors ...

First rack-mounted switches that comply with the IEC 61850-3 Edition 2 Class 2 Standard
November 2018, RJ Connect , Editor's Choice
In today’s industrial processing environment, industrial Ethernet has become a de-facto standard to connect to the company’s PLCs in manufacturing, IEDs in substations and cameras for CCTV, in harsh environments. All of these demand ruggedised networking switches to ensure stable communications to the company’s scada, ERP and MES software. Often, industrial networking products are installed in and around the production areas where they are subjected to high temperatures, vibrations and electrical noise from VSDs and motors.

Nick Denbow's European report: Japan reopens nuclear power plants while progress is slow elsewhere
November 2018 , Editor's Choice
The Fukushima nuclear power plant accident occurred back in March 2011. Following that disaster, Japan ordered the close-down of all the nuclear generating plants in the country – there were 42 of them, ...

The Digitalisation Productivity Bonus
October 2018, Siemens Digital Industries , Editor's Choice
Siemens researches the value of digitalisation to manufacturers.

How adding services to products could start your journey towards an Industry 4.0 solution
October 2018, Absolute Perspectives , Editor's Choice, IT in Manufacturing
For manufacturers, digital transformation involves understanding a range of new technologies and applying these to both create new business and to improve the current operation. Industry 4.0 provides ...