
Looking to Improve Your Industrial Security Strategy? Try Active Monitoring

Proactively querying your industrial assets, through their native protocols, drastically improves the speed at which organizations can detect and mitigate cyber threats.

It sounds obvious and has been said before, but without clear visibility into your industrial control system (ICS) assets and network activity, it's impossible to detect and mitigate threats in a timely manner. So, what's the most effective approach for understanding what's happening in your ICS environment at any given time?

Similar to IT network security dynamics in the late 1990s, managers of ICS networks today have two options for monitoring network activities: active and passive. Passive monitoring has been the traditional approach, but as the number of targeted attacks against ICS networks grows, a more active monitoring approach that accelerates time to detection and mitigation is required.

The best way to get the information you need is to ask

One of my favorite ways to explain the difference between active and passive monitoring is the cocktail party analogy. Let's say you've just started a new job and you're invited to a company party after your first week. You still don’t know most of your fellow workers but you recognize a group of people that you want to know more about.

One way to do it would be to stand at the bar and try to eavesdrop on their conversation while pretending to text on your smartphone. Dumb. You’ll discover a lot by this passive listening approach but you definitely won't get all of your questions answered.

A better and quicker way is to engage directly in a conversation with these people and ask them your specific questions. This is the most effective way to get the information you need (especially if you're in a hurry).

Security monitoring works in a similar fashion. We can passively tap the ICS network for communications between the programmable logic controller (PLC) and other components, but it might take a long time before the nuggets of valuable information we really need show up. For example, a specific controller might be dormant, which means it won't be producing a great deal of traffic. Moreover, certain types of information, such as IP address, firmware version, serial number and updates, don't always appear in network traffic on a regular basis.

Active querying without performance overhead

An active monitoring approach, on the other hand, involves asking a controller for the detailed information – IP and MAC address, firmware version, backplane configuration and more – that passive solutions might otherwise wait a long time to discover (if at all).

An important best practice in active monitoring is to perform queries in the relevant controller's native language (or protocol), which varies slightly depending on the manufacturer. The advantage of using the native protocol, the same one the engineering workstation software uses to manage the PLC, is that it ensures safe communication with zero impact on controller operations and performance.

Controllers are sensitive assets and can easily crash if communicated with in the wrong way (even simple "ping" commands can do it). Using a non-native protocol is like trying to speak to a foreign tourist in your local language – there's a good chance of a misunderstanding, which is why querying a controller with a non-native protocol can tax the controller's resources. If you query the controller in its native language, however, there is no performance hit whatsoever.
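To make the native-protocol query concrete, here is an added example (not Tenable's code and not from the original post) that frames a Modbus/TCP Read Device Identification request and parses the controller's reply into vendor name, product code and firmware revision. Modbus is assumed as the controller's native protocol, since the post names none, and the reply bytes are constructed rather than captured from a device.

```python
import struct

# Modbus/TCP "Read Device Identification" (function 43, MEI type 14). Modbus is
# assumed here as one common native controller protocol; the post names none.
FC_READ_DEVICE_ID = 0x2B
MEI_TYPE_DEVICE_ID = 0x0E
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id: int, unit_id: int = 1) -> bytes:
    """Frame a read-only request for the controller's basic identification."""
    # Read code 0x01 = basic objects, starting at object 0x00. No write function
    # code is ever emitted, so the query cannot change controller state.
    pdu = bytes([FC_READ_DEVICE_ID, MEI_TYPE_DEVICE_ID, 0x01, 0x00])
    # MBAP header: transaction id, protocol id 0, byte count (unit id + PDU), unit id.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame: bytes, expected_tid: int) -> dict:
    """Parse the reply into {object_name: value}; raise ValueError on a malformed
    frame, a transaction id mismatch, or a Modbus exception reply."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus two PDU bytes")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != expected_tid or proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP header inconsistent with frame")
    pdu = frame[7:]
    if pdu[0] == FC_READ_DEVICE_ID | 0x80:
        raise ValueError(f"controller returned Modbus exception code {pdu[1]:#04x}")
    if pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_TYPE_DEVICE_ID or len(pdu) < 7:
        raise ValueError("unexpected function code or MEI type in reply")
    # pdu[2..5] = read code, conformity level, "more follows", next object id.
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("truncated identification object")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        objects[BASIC_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")] = value
        pos += 2 + obj_len
    return objects


# Constructed sample reply (not captured from a real device): transaction 7,
# unit 1, vendor "ACME", product code "PLC-9", firmware revision "1.2".
SAMPLE_REPLY = bytes.fromhex(
    "0007 0000 001A 01  2B 0E 01 01 00 00 03"
    "  00 04 41434D45  01 05 504C432D39  02 03 312E32"
)
```

The parser accepts a frame from either a live query or a packet capture, which is the practical difference between the two approaches: the active query guarantees the reply exists, while a passive tap only sees it if the engineering workstation happens to ask.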

Interestingly, this is the same conversation that dominated the IT world 15 years ago. Passive solutions like virus and intrusion detection were initially preferred over their active counterparts, such as virus protection and intrusion prevention, which were perceived as creating too much of a hit on performance. We know how this played out – when cyberattacks became ubiquitous, everybody moved to an active system.

We can assume that the same scenario will eventually play out on the operational technology (OT) side as well, given the ever more connected nature of the ICS environment and the evolving attack landscape.

The need for faster detection and mitigation

A key advantage of active monitoring is that it enables much faster detection of potential security risks than passive monitoring. In fact, sometimes the only way to discover certain types of information that may indicate a breach is to ask the right question – something that passive monitoring cannot do.

Modern attacks targeting ICS networks, as described in recent reports from the U.S. Cyber Emergency Response Team (CERT), are more sophisticated than ever. The escalating number and frequency of these attacks can be attributed to the fact that controllers are now connected to the outside world. Additionally, the widespread use of “internet of things” (IoT) technologies is blurring the lines between IT and OT networks, increasing the exposure of ICS to cyberattacks. Because these controllers are essential for running the daily operations of critical infrastructure and production facilities, they have become prime targets of government-sponsored strikes and other bad actors.

In this context, active network monitoring is more crucial than ever for protecting ICS assets. Industrial organizations need to detect and validate suspicious activities more quickly and mitigate threats in the shortest possible time frames to avoid harmful downtime or disruptions. The only way to achieve the required level of visibility is to include an active querying component in your ICS security arsenal.

Successful attacks against critical infrastructure in the U.S. and abroad illustrate the need for a different approach to ICS security. Dr. William Murray once said that, "Hackers live by the Pac-Man rule, which is quite simply, 'one cannot cheat at Pac-Man.' The rules are implicit in the game. If it can be done, it is legitimate." Industrial organizations need to recognize this outlook and take a more aggressive and active approach in the face of today's sophisticated threats.

Want to learn more about how proactive monitoring can bolster your ICS security? Check out the Tenable.ot guide to active querying.
