Proactively querying your industrial assets, through their native protocols, drastically improves the speed at which organizations can detect and mitigate cyber threats.
It sounds obvious and has been said before, but without clear visibility into your industrial control system (ICS) assets and network activity, it's impossible to detect and mitigate threats in a timely manner. So, what's the most effective approach for understanding what's happening in your ICS environment at any given time?
Similar to IT network security dynamics in the late 1990s, managers of ICS networks today have two options for monitoring network activities: active and passive. Passive monitoring has been the traditional approach, but as the number of targeted attacks against ICS networks grows, a more active monitoring approach that accelerates time to detection and mitigation is required.
The best way to get the information you need is to ask
One of my favorite ways to explain the difference between active and passive monitoring is the cocktail party analogy. Let's say you've just started a new job and you're invited to a company party after your first week. You still don’t know most of your fellow workers but you recognize a group of people that you want to know more about.
One way to do it would be to stand at the bar and try to eavesdrop on their conversation while pretending to text on your smartphone. Dumb. You’ll discover a lot by this passive listening approach but you definitely won't get all of your questions answered.
A better and quicker way is to engage directly in a conversation with these people and ask them your specific questions. This is the most effective way to get the information you need (especially if you're in a hurry).
Security monitoring works in a similar fashion. You can passively tap the ICS network for communications between the programmable logic controller (PLC) and other components, but it might take a long time before you come across the nuggets of valuable information you really need. For example, a specific controller might be dormant, which means it won't be producing a great deal of traffic. Moreover, certain types of information, such as IP address, firmware version, serial number and updates, don't always appear in network traffic on a regular basis.
Active querying without performance overhead
An active monitoring approach, on the other hand, involves asking a controller for the detailed information – IP and MAC address, firmware version, backplane configuration and more – that passive solutions might otherwise wait a long time to discover (if at all).
An important best practice in active monitoring is to perform queries in the relevant controller's native language (or protocol), which varies slightly depending on the manufacturer. The advantage of using native protocols, the same ones engineering workstation software uses to manage PLCs, is that they ensure safe communication with zero impact on controller operations and performance.
Controllers are sensitive assets and can easily crash if communicated with in the wrong way (e.g., even a simple "ping"). Using a non-native protocol is like trying to speak to a foreign tourist in your local language – there's a good chance of a misunderstanding. This is why querying a controller using a non-native protocol can be taxing on the controller's resources. However, the truth is that if you use the controller's native language for querying, there is no performance hit whatsoever.
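As an added example (not code from the original post or from Tenable), here is one native-protocol asset query of the kind described above. It assumes EtherNet/IP (ENIP) ListIdentity, the standard discovery request CIP-based controllers answer with their Identity Object; the page names no specific protocol, and the sample reply bytes are constructed, not captured.

```python
import socket
import struct

# Assumed protocol: EtherNet/IP ListIdentity on UDP/44818 (the page names none).
ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
IDENTITY_ITEM = 0x000C
HEADER_FMT = "<HHII8sI"  # command, length, session, status, context, options

def build_list_identity_request() -> bytes:
    """A ListIdentity request is just the 24-byte encapsulation header."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)

def parse_list_identity_response(data: bytes) -> dict:
    """Decode the inventory fields (IP, firmware, serial, ...) a controller returns."""
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = data[24:24 + length]
    (count,) = struct.unpack_from("<H", body, 0)
    item_type, _item_len = struct.unpack_from("<HH", body, 2)
    if count < 1 or item_type != IDENTITY_ITEM:
        raise ValueError("reply carries no Identity item")
    # Encapsulation version, then a 16-byte sockaddr_in in network byte order.
    (_ver,) = struct.unpack_from("<H", body, 6)
    _family, port, addr = struct.unpack_from(">HHI", body, 8)
    # CIP Identity attributes follow the 8 zero bytes of sin_zero (offset 24).
    (vendor, dev_type, product, rev_major, rev_minor, dev_status,
     serial, name_len) = struct.unpack_from("<HHHBBHIB", body, 24)
    name = body[39:39 + name_len].decode("ascii", "replace")
    state = body[39 + name_len]
    return {
        "ip": socket.inet_ntoa(addr.to_bytes(4, "big")), "port": port,
        "vendor_id": vendor, "device_type": dev_type, "product_code": product,
        "firmware": f"{rev_major}.{rev_minor}", "status": dev_status,
        "serial": f"{serial:08x}", "product_name": name, "state": state,
    }

def query_identity(host: str, timeout: float = 2.0) -> dict:
    """Ask one controller directly, in its own protocol, and decode the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)

# Constructed sample reply (not a capture): 192.168.1.10, firmware 20.11,
# serial 00c0ffee, product name "DEMO-PLC/A", state 3.
SAMPLE_REPLY = bytes.fromhex(
    "63003200" + "00" * 20 +                        # header: cmd 0x63, length 50
    "0100" "0c00" "2c00" "0100"                     # 1 item, type 0x0C, len 44, ver 1
    "0002" "af12" "c0a8010a" + "00" * 8 +           # sockaddr_in: AF_INET, 44818, IP
    "0100" "0e00" "5900" "140b" "3000" "eeffc000"   # vendor, type, code, rev, status, serial
    "0a" "44454d4f2d504c432f41" "03"                # name length, name, state
)
```

Compare the decoded firmware and serial against your asset baseline: a change in either is exactly the kind of fact that passive capture may never surface for a dormant controller.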
Interestingly, this is the same conversation that dominated the IT world 15 years ago. Passive solutions like virus and intrusion detection were initially preferred over their active counterparts, such as virus protection and intrusion prevention, which were perceived as creating too much of a hit on performance. We know how this played out – when cyberattacks became ubiquitous, everybody moved to an active system.
We can assume that the same scenario will eventually play out on the operational technology (OT) side as well, given the ever more connected nature of the ICS environment and the evolving attack landscape.
The need for faster detection and mitigation
A key advantage of active monitoring is that it enables much faster detection of potential security risks than passive monitoring. In fact, sometimes the only way to discover certain types of information that may indicate a breach is to ask the right question – something that passive monitoring cannot do.
Modern attacks targeting ICS networks, as described in recent reports from the U.S. Cyber Emergency Response Team (CERT), are more sophisticated than ever. The escalating number and frequency of these attacks can be attributed to the fact that controllers are now connected to the outside world. Additionally, the widespread use of “internet of things” (IoT) technologies is blurring the lines between IT and OT networks, increasing the exposure of ICS to cyberattacks. Because these controllers are essential for running the daily operations of critical infrastructure and production facilities, they have become prime targets of government-sponsored strikes and other bad actors.
In this context, active network monitoring is more crucial than ever for protecting ICS assets. Industrial organizations need to detect and validate suspicious activities more quickly and mitigate threats in the shortest possible time frames to avoid harmful downtime or disruptions. The only way to achieve the required level of visibility is to include an active querying component in your ICS security arsenal.
Successful attacks against critical infrastructure in the U.S. and abroad illustrate the need for a different approach to ICS security. Dr. William Murray once said that, “Hackers live by the Pac-Man rule which is quite simply, ‘one cannot cheat at Pac-Man.’ The rules are implicit in the game. If it can be done, it is legitimate.” Industrial organizations need to recognize this outlook and take a more aggressive and active approach in the face of today's sophisticated threats.
Want to learn more about how proactive monitoring can bolster your ICS security? Check out the Tenable.ot guide to active querying.