Industrial control system cybersecurity
July 2018, This Week's Editor's Pick
In the last three articles on cybersecurity in ICS environments, we have covered risk assessments, asset discovery and vulnerability management, and environment hardening. In this month’s article, we will look at how to start monitoring industrial control system networks, in what is called network security monitoring (NSM). NSM is not confined to security monitoring though: as most system owners state, the best return on investment for an NSM tool often comes from finding incorrectly configured ICS devices and gaining a more in-depth understanding of how the ICS assets communicate.
The benefits of NSM tools in the ICS environment
NSM deployments are not very common in ICS environments, but we are starting to see an increase in the number of customers implementing these solutions as their systems become more digitised, driven by the IIoT and Industry 4.0. Owners and operators are slowly starting to see the benefit of deploying such a system to help them gain more insight and visibility into their ICS networks. The golden rule of cybersecurity is that you cannot protect what you cannot see, and NSM helps you to ‘see’ your networks, thus enabling you to build stronger cybersecurity controls.
An NSM tool will enable you to collect, analyse and correlate data across your ICS network(s), which helps not only to detect potential security risks, but also to identify network connectivity issues and configuration problems. NSM tools do present some challenges, but that is an entire article on its own. These challenges are extremely well documented online and need to be investigated and, more importantly, understood before implementing any NSM tool. I would, however, like to highlight two of the main challenges that I often come across: the massive amount of data that is collected by the monitoring tools, and the amount of time required to correlate and disseminate this data in order to turn it into actionable information.
Now that I’ve told you about NSM tools, you’re probably starting to ask: “Well where do we start? And what do I need to begin monitoring?”
Both are valid questions. If you bring on too many information sources, you and your team will be inundated with information; bring on too few, and you will leave areas of your network potentially exposed. The most effective way to implement NSM is to bring sources on segment by segment, or zone by zone. If you have already implemented the Purdue Model (PERA), the hard work of segmenting into zones is mostly completed. If you have not yet adopted this architecture, look for currently established zones, such as your perimeter, the engineering workstations, etc, and start collecting the data from those sources. This data is then ingested into the NSM solution, and the intelligence built on it is tweaked over time to provide actionable reports. This process can then be repeated for each new segment/zone that is added to the NSM solution.
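The zone-by-zone onboarding described above, as an added illustration that is not from the original article: passive flow records are checked against a Purdue-style zone map and the conduits the design permits, building an asset inventory for the zones onboarded so far and flagging conversations the design does not allow. The zone ranges, conduit policy and flow records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed Purdue-style zones; the address ranges are placeholders, not a real plant.
ZONES = {
    "L1-control": ipaddress.ip_network("10.1.1.0/24"),      # PLCs, RTUs
    "L2-supervisory": ipaddress.ip_network("10.1.2.0/24"),  # HMIs, engineering workstations
    "L3-operations": ipaddress.ip_network("10.1.3.0/24"),   # historian, site servers
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
}
# Constructed conduit policy: (source zone, destination zone, destination port) the design permits.
CONDUITS = {
    ("L2-supervisory", "L1-control", 502),      # HMI polling PLCs over Modbus/TCP
    ("L2-supervisory", "L3-operations", 1433),  # SCADA server writing to the historian database
}
# Constructed flows (source, destination, destination port), as one would extract from a Bro/Zeek conn log.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.1.5", 502),       # HMI polling a PLC: permitted conduit
    ("10.1.2.10", "10.1.1.6", 502),
    ("10.1.2.10", "10.1.3.20", 1433),     # SCADA server to historian: permitted conduit
    ("10.10.4.7", "10.1.1.5", 502),       # enterprise host talking straight to a PLC: not permitted
    ("10.1.1.9", "192.0.2.50", 80),       # PLC talking to a host outside every defined zone
    ("10.1.2.11", "10.1.1.5", 44818),     # workstation to PLC on a port the policy does not list
]

def zone_of(ip):
    """Return the zone containing ip, or None if it lies outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def analyse(flows, monitored):
    """Onboard only the zones in `monitored`: build a per-zone inventory of hosts and the
    ports they serve, and flag cross-zone conversations the conduit policy does not allow."""
    inventory = defaultdict(lambda: defaultdict(set))
    violations, unknown = [], set()
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz not in monitored and dz not in monitored:
            continue                          # neither end is in an onboarded zone yet
        if sz in monitored:
            inventory[sz].setdefault(src, set())  # register the host even if it serves nothing
        if dz in monitored:
            inventory[dz][dst].add(dport)         # port this host answers on
        for ip, z in ((src, sz), (dst, dz)):
            if z is None:
                unknown.add(ip)               # peer outside every zone: investigate
        if sz != dz and (sz, dz, dport) not in CONDUITS:
            violations.append((src, sz, dst, dz, dport))
    return {"inventory": inventory, "violations": violations, "unknown_hosts": unknown}
```

Onboarding only L1-control already surfaces all three unexpected conversations; adding the other zones later extends the inventory without changing the findings.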
There are a few very good NSM solutions available commercially which have the ability to ingest specific ICS data. These solutions also come with great support options from the respective vendors and partners. There are also quite a few open source options with support for control systems, which are well documented online, including Security Onion, Bro IDS, OSSEC and Snort, to name a few. These were initially developed for IT systems, but they have since evolved to include support for ICS networks.
However, there is no ‘one solution that fits all’. What we have found works very effectively is a combination of the tools mentioned above, and some others. One of the better guides I have read in this regard is from The Spanish Security and Industry CERT, certsi_, which has published a fantastic research piece on not only NSM, but also intrusion prevention/detection (IPS/IDS) https://tinyurl.com/y95roj4b. I strongly recommend that you download this guide and share it with your team.
In closing, whilst there are a number of NSM tools available, it is strongly recommended to combine these with industry best practices, for effective monitoring of an ICS network infrastructure. There are quite a few practitioners/vendors out there who claim that a SIEM (security information and event management) is the same as network monitoring, but it is not. Be careful and do your homework – there are only a limited number of vendors whose products are proven to work in an ICS environment.
Tommy Thompson is a passionate cybersecurity professional with some 15 years’ experience. Starting as a firewall engineer in 2001, Thompson has assisted a variety of companies in numerous roles with their cybersecurity problems. He holds a BComm degree in Information Management from Oxford Brookes University (UK) and he is certified by PECB (Canada), as a Scada Security Professional (CSSP).
For further information contact Tommy Thompson, +27 (0)11 463 0096, firstname.lastname@example.org