
Best Practice Recommendations to Create the Best Operational Technology Rule Set

Tenable leverages industrial control systems (ICS) security expertise to secure your converged IT/OT environments.

While operational technology (OT) is not a new target, many experts say 2019 is the year of industrial cybersecurity. 

A confluence of factors has put OT networks online and made them more susceptible to cyberattacks. 

In fact, industrial control system (ICS) networks often lack the kinds of security controls that IT networks have used for more than two decades. Moreover, the “set it and forget it” mantra in OT networks leaves obsolete and unsupported Windows versions and other legacy software in place, making them far easier for attackers to exploit.

For example, attackers launched Shamoon, a disk-wiping malware, against specific oil and energy companies. It targeted old Windows systems of a kind that IT networks had secured many months, if not years, earlier. 

Many consider this attack more destructive than anything the industry had previously seen, and it directly affected the ICS environment. 

Without addressing threats targeting the OT network, any manufacturing facility, industrial operation or critical infrastructure can be ground zero for a devastating attack.

OT attackers work through the same stages as attackers in IT environments: reconnaissance, mapping, weaponization, installation and execution. 

In many cases, the first two stages take longer than the attack itself. This is typical because it takes time to find a vulnerability to exploit, and attackers are careful not to trigger alarms with heavy probing.

Rule set curation

The ICS threat landscape includes network scans and port probing on the reconnaissance side, and denial of service, malware, ransomware and ICS-specific attacks on the attack side. 

When tasked with creating rule sets optimized for ICS environments, security experts must balance two goals: writing rules good enough to catch probing and reconnaissance even when it is spread over extended periods of time, while keeping both false positives and false negatives to a minimum.

Building these types of rule sets requires vast knowledge and expertise, both on the security and OT infrastructure side, so you can alert on relevant threats to your network. 

Rules are created and collected from many sources. They are tested and implemented into ICS security products and solutions to provide necessary protection for the new security realities that exist in OT environments today. 

To ensure the network is protected from new developments and campaigns that are constantly evolving, you must keep rules updated. Each environment is different, so part of the art is fine-tuning rule sets for each specific environment to find every attempted attack while still conducting business as usual.

Tenable’s unique ICS rule set

To create and deploy these sophisticated rule sets, Tenable leverages the power of the community, combined with ICS security expertise. Through our threat detection engine, we provide customers with a unique ICS rule set to protect them from the ever-growing threats. We update this rule set frequently to keep up-to-date with new threats as they emerge and evolve.

Using rules groups

Below are four primary rules groups worth exploring: 

  1. Malware and ransomware: Over the years, attackers have hit ICS environments with many variants of malware and ransomware. They use these methods to collect data, wipe out files, execute additional attack stages and propagate to other devices and assets. This rules group alerts on a wide range of command-and-control (C2) communications, suspicious domain name system (DNS) requests, indicators of compromise, malware propagation, file encryption requests and file lockdowns. Examples of threats detected by this rule set include Locky, Cerber, Delf, VPNFilter, Gh0st and Emotet, among many others.
  2. Exploits and attacks: Detecting attacks and exploits is challenging. The attacks and exploits rules group emphasizes properties unique to attacks aimed at ICS environments, including known exploits, suspicious SSL certificates, malicious traffic to and from servers, malformed payloads, phishing attacks and more. Detection should address the widest possible range of attacks, including but not limited to Heartbleed, EternalBlue, EternalRomance, Spectre, reverse shell attacks and Metasploit-based attacks, among others.
  3. ICS attacks: ICS attacks are unique in the equipment they attack, how they propagate and the complexity of their detection. This unique and curated rules group detects ICS-specific attacks using multiple sensors and indicators of compromise to detect attacks as early as possible — including Stuxnet, BlackEnergy, Shamoon, Havex, Industroyer, as well as potentially dangerous traffic in the ICS environment, based on attack groups that operate and attack ICS environments.
  4. Scans and denial of service: This rules group detects hundreds of different types of network scans that can indicate pre-attack reconnaissance. A wide range of tools can generate these scans and collect data from different devices to lay the foundation for the next stage of an attack. This rules group also protects against Denial of Service (DoS) attacks, which can have a massive effect on your network and operational processes, including downtime and loss of production. Detections include Nmap scans, operating system probing, RDP and VNC scans and a large range of denial of service and buffer overflow traffic and behavior.

Integrating these capabilities and rules into your security program can take threat detection to the next level by broadening the range of threats you can detect and by delivering near real-time updates to protect your organization from ongoing attacks. 

With the range of threats growing and evolving so quickly, it is essential that ICS security vendors contribute to and leverage the power of the security community. More eyes catch more threats, and that rising tide of protection benefits every participating industrial organization facing industrial cybersecurity threats.
