Editor's Choice

Industrial control system ­cybersecurity

July 2018 Editor's Choice

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, and environment hardening. In this month’s article, we will look at how to start monitoring industrial control system networks, in what is called network security monitoring (NSM). NSM is not confined to security monitoring though, as most system owners’ state, the best return on investment for a NSM tool is often through finding incorrectly configured ICS devices and gaining a more in-depth understanding as to how the ICS assets communicate.

The benefits of NSM tools in the ICS environment

NSM deployments are not very common in ICS environments, but we are starting to see an increase in the number of customers implementing these solutions as their systems become more digitised, driven by the IIoT and Industry 4.0. Owners and operators are slowly starting to see the benefit of deploying such a system to help them gain more insight and visibility into their ICS networks. The golden rule of cybersecurity is that you cannot protect what you cannot see, and NSM helps you to ‘see’ your networks, thus enabling you to build stronger cybersecurity controls.

The NSM tool will enable you to collect, analyse, and correlate data across your ICS network(s), which will help to not only detect potential security risks, but also to identify network connectivity issues and configuration problems. NSM tools do present some challenges though, but that is an entire article on its own. These challenges are extremely well documented online and need to be investigated and, more importantly, understood before implementing any NSM tool. I would, however, like to highlight two of the main challenges that I often come across, these being: the massive amount of data that is collected by the monitoring tools; and the amount of time required to correlate and disseminate this data, to turn it into intelligent actionable information.

Now that I’ve told you about NSM tools, you’re probably starting to ask: “Well where do we start? And what do I need to begin monitoring?”

Both are valid questions. If you bring on too many information sources you and your team will be inundated with information, bring on too few, and you will leave areas of your network potentially exposed. The most effective way to implement NSM is to bring on segment by segment, or zone by zone. If you have already implemented the Purdue Model (PERA), the hard work of segmenting into zones is mostly completed. If you have not yet adopted this architecture, look for current established zones, like your perimeter, the engineering workstations, etc, and start collecting the data from those sources. This data will then be ingested into the NSM solution, and intelligence will be built and tweaked over time, to provide actionable reports. This process can then be repeated for each new segment/zone that is added to the NSM solution.


There are a few very good NSM solutions that are available commercially, which have the ability to ingest specific ICS data. These solutions also come with great support options from the respective vendors and partners. There are also quite a few options for open source solutions, specific to control systems, which are well documented online: including Security Onion, BroIDS, OSSEC and Snort, to name a few. These were initially developed for IT systems, but they have since evolved to include support for ICS networks.

However, there is no ‘one solution that fits all’. What we have found works very effectively is a combination of the tools mentioned above, and some others. One of the better guides I have read in this regard is from The Spanish Security and Industry CERT, certsi_, which has published a fantastic research piece on not only NSM, but also intrusion prevention/detection (IPS/IDS) https://tinyurl.com/y95roj4b. I strongly recommend that you download this guide and share it with your team.


In closing, whilst there are a number of NSM tools available, it is strongly recommended to combine these with industry best practices, for effective monitoring of an ICS network infrastructure. There are quite a few practitioners/vendors out there who claim that a SIEM (security information and event management) is the same as network monitoring, but it is not. Be careful and do your homework – there are only a limited number of vendors whose products are proven to work in an ICS environment.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, tommy@nclose.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Loop Signatures 10: Digital controllers – Part 2: Testing controller operation
Michael Brown Control Engineering Editor's Choice
There is a commonly held belief in control circles that all PID controllers are similar and relatively simple. This is a dangerous fallacy.

A review of the 2021 MESA Africa conference
MESA Africa NPC Editor's Choice
The overarching lesson from this year’s conference: yes, we have problems now and solutions are on the table, but we need collective action!

Cybersecurity for operational technology: Part 5: Cybersecurity threats to critical information infrastructure.
Editor's Choice
CII describes infrastructure that is essential to the functioning of a country’s society and economy(2). Local examples include energy (Eskom), government (SARS, judiciary), police and defence (SAPS, ...

The ultimate control valve
Valve & Automation Valves, Actuators & Pump Control Editor's Choice
Zwick has designed its TRI-SHARK range of Triple Eccentric Valves to be used in control or throttling applications as well as for pure on/off functionality.

From the editor's desk: 2022 must be the year SA gets its vaccination act together
Technews Publishing (SA Instrumentation & Control) Editor's Choice News
This is his last "From the editor's desk" that Steven Meyer wrote before his death in early January 2022.

What to do when fragmented systems get too complex
Absolute Perspectives Editor's Choice
With proper planning, a strategic approach, careful vendor selection and a systematic project methodology, you can successfully upgrade to a future-proof ICT infrastructure that supports ongoing digital transformation.

Case History 180: Fuel gas pressure control problem
Michael Brown Control Engineering Editor's Choice
The problem with the pressure control was that it seemed to work intermittently and seldom got to setpoint, resulting in large and unacceptable variance on the control.

Cybersecurity for operational technology: Part 4: Practical recommendations to reduce cybersecurity risks for OT systems
Wolfpack Information Risk Editor's Choice
It is essential that IT professionals are able to clearly articulate cybersecurity risks to management.

Loop Signatures 9: Digital controllers – Part 1: Introduction to the simple PID controller
Michael Brown Control Engineering Editor's Choice
There is a commonly held belief in control circles that all PID controllers are similar and relatively simple. This is a dangerous fallacy.

Totally Integrated Automation – added value in three dimensions
Siemens South Africa Editor's Choice System Integration & Control Systems Design
Discover everything that’s in TIA, the leading automation concept from Siemens, and how it all works together to create a unique product for machine builders and industrial enterprises.