Editor's Choice


Industrial control system ­cybersecurity

July 2018 Editor's Choice

In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, and environment hardening. In this month’s article, we will look at how to start monitoring industrial control system networks, in what is called network security monitoring (NSM). NSM is not confined to security monitoring though, as most system owners’ state, the best return on investment for a NSM tool is often through finding incorrectly configured ICS devices and gaining a more in-depth understanding as to how the ICS assets communicate.

The benefits of NSM tools in the ICS environment

NSM deployments are not very common in ICS environments, but we are starting to see an increase in the number of customers implementing these solutions as their systems become more digitised, driven by the IIoT and Industry 4.0. Owners and operators are slowly starting to see the benefit of deploying such a system to help them gain more insight and visibility into their ICS networks. The golden rule of cybersecurity is that you cannot protect what you cannot see, and NSM helps you to ‘see’ your networks, thus enabling you to build stronger cybersecurity controls.

The NSM tool will enable you to collect, analyse, and correlate data across your ICS network(s), which will help to not only detect potential security risks, but also to identify network connectivity issues and configuration problems. NSM tools do present some challenges though, but that is an entire article on its own. These challenges are extremely well documented online and need to be investigated and, more importantly, understood before implementing any NSM tool. I would, however, like to highlight two of the main challenges that I often come across, these being: the massive amount of data that is collected by the monitoring tools; and the amount of time required to correlate and disseminate this data, to turn it into intelligent actionable information.

Now that I’ve told you about NSM tools, you’re probably starting to ask: “Well where do we start? And what do I need to begin monitoring?”

Both are valid questions. If you bring on too many information sources you and your team will be inundated with information, bring on too few, and you will leave areas of your network potentially exposed. The most effective way to implement NSM is to bring on segment by segment, or zone by zone. If you have already implemented the Purdue Model (PERA), the hard work of segmenting into zones is mostly completed. If you have not yet adopted this architecture, look for current established zones, like your perimeter, the engineering workstations, etc, and start collecting the data from those sources. This data will then be ingested into the NSM solution, and intelligence will be built and tweaked over time, to provide actionable reports. This process can then be repeated for each new segment/zone that is added to the NSM solution.

Recommendations

There are a few very good NSM solutions that are available commercially, which have the ability to ingest specific ICS data. These solutions also come with great support options from the respective vendors and partners. There are also quite a few options for open source solutions, specific to control systems, which are well documented online: including Security Onion, BroIDS, OSSEC and Snort, to name a few. These were initially developed for IT systems, but they have since evolved to include support for ICS networks.

However, there is no ‘one solution that fits all’. What we have found works very effectively is a combination of the tools mentioned above, and some others. One of the better guides I have read in this regard is from The Spanish Security and Industry CERT, certsi_, which has published a fantastic research piece on not only NSM, but also intrusion prevention/detection (IPS/IDS) https://tinyurl.com/y95roj4b. I strongly recommend that you download this guide and share it with your team.

Conclusion

In closing, whilst there are a number of NSM tools available, it is strongly recommended to combine these with industry best practices, for effective monitoring of an ICS network infrastructure. There are quite a few practitioners/vendors out there who claim that a SIEM (security information and event management) is the same as network monitoring, but it is not. Be careful and do your homework – there are only a limited number of vendors whose products are proven to work in an ICS environment.

Tommy Thompson

Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).

For further information contact Tommy Thompson, +27 (0)11 463 0096, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Harnessing industrial AI agents for reliable automation
Editor's Choice IT in Manufacturing
The excitement around generative AI (GenAI) has been undeniable, promising wide-ranging changes across industries. However, for those of us in the world of industrial control and automation, the realities of implementing these powerful technologies are a little more nuanced.

Read more...
Futureproof your industrial network security with OT-centric cyber security
RJ Connect Editor's Choice
To achieve digital transformation, industrial operators must first address the daunting task of merging their information technology (IT) and operational technology (OT) infrastructure. In this article, we focus on the importance of strong OT network security and provide some tips on how to strengthen cybersecurity for industrial operations.

Read more...
The symbiotic relationship between OEMs and SIs
Schneider Electric South Africa Editor's Choice System Integration & Control Systems Design
While businesses tend to turn directly to original equipment manufacturers OEMs or vendors when embarking on IT projects, the role of the SI as a key facilitator and partner cannot be overstated.

Read more...
Case History 196: Unstable condensate level control.
Michael Brown Control Engineering Editor's Choice Level Measurement & Control
The operators in a petrochemical refinery were having great trouble in trying to stabilise the condensate level in a vessel, and this was adversely affecting other loops downstream. Several unsuccessful attempts had been made to retune the controller.

Read more...
Big themes for 2025
Editor's Choice News
2024 was a year of unprecedented innovation and global upheaval. As we look ahead, Amy Webb, CEO of the Future Today Institute asks which technologies will reshape our world in 2025?

Read more...
Loop signature: Tuning part 4 processes
Michael Brown Control Engineering Editor's Choice Fieldbus & Industrial Networking
The purpose of this particular article is to try and give those unfortunate enough to have to use SWAG (scientific wild ass guess) tuning a bit of an idea of how to go about it, and even more importantly some understanding of a couple of basic principles.

Read more...
EtherCAT and PC-based control elevate next-generation laser cutting machine
Beckhoff Automation Editor's Choice
Cincinnati Incorporated has been building sheet metal processing equipment for 125 years. Since the switch to PC-based control, the only limits to development have been physical.

Read more...
Ensure seamless integration and reliable performance with CANbus solutions
RJ Connect Editor's Choice Fieldbus & Industrial Networking
Modern industrial applications require robust and effective communication. The CANbus product range guarantees smooth integration and data transfers throughout systems.

Read more...
Connecting every transport node
RJ Connect Editor's Choice Data Acquisition & Telemetry
Stockholm's bus system strategically links urban mainline, suburban mainline, non-mainline routes, community service buses and night buses. To acquire and process data from multiple sources and analyse onboard information on their moving buses, Transdev sought a dependable and powerful onboard computer. It teamed up with CatAB, Moxa’s local representative, known for delivering top-notch industrial data communication boards and equipment since 1988.

Read more...
Local range of planetary units
SEW-EURODRIVE Editor's Choice Motion Control & Drives
As SEW-EURODRIVE South Africa actively extends its offerings to customers, the SEW PPK and SEW P2.e industrial gearbox ranges are good examples of solutions that are well suited to the local business environment.

Read more...