It sounds obvious and has been said before, but without clear visibility into your ICS assets and the various communications occurring on the network, it's impossible to detect and mitigate threats in a timely manner. So what's the most effective approach for understanding what's happening in your ICS environment at any given time?
Similar to IT network security dynamics in the late 1990s, managers of ICS networks today have two options for monitoring network activity: active and passive. Passive monitoring has been the traditional approach, but as the number of targeted attacks against ICS networks grows, a more active monitoring approach is required to accelerate time-to-detection and mitigation.
The best way to get the information you need is to ask
One of my favorite ways to explain the difference between active and passive monitoring is the cocktail party analogy. Let's say you've just started a new job and you're invited to a company party after your first week. You still don’t know most of your fellow workers but you recognize a group of people that you want to know more about.
One way to do it would be to stand at the bar and try to eavesdrop on their conversation while pretending to text on your smartphone. Dumb. You’ll discover a lot by this passive listening approach but you definitely won't get all of your questions answered.
A better and quicker way is to engage directly in a conversation with these people and ask them the specific questions that you want answered. This is the most effective way to get the information you need (especially if you're in a hurry).
Security monitoring works in a similar fashion: you can passively tap the ICS network for communications between the PLC and other components, but it might take a very long time before the nuggets of valuable information you really need cross the wire. For example, a specific controller might be dormant, which means it won't be producing a great deal of traffic. Moreover, certain types of information, such as IP address, firmware version, serial number, and updates, don’t always appear in network traffic on a regular basis.
Active Querying without Performance Overhead
An active monitoring approach, on the other hand, involves asking a controller directly for the detailed information (IP and MAC address, firmware version, backplane configuration and more) that passive solutions might otherwise have to wait a long time to discover, if at all.
An important best practice in active monitoring is to perform queries in the relevant controller's native language (protocol), which varies slightly from manufacturer to manufacturer. The advantage of using native protocols, the same ones that engineering workstation software uses to manage PLCs, is that they ensure safe communication with zero impact on controller operations and performance.
Controllers are sensitive assets and can easily crash if communicated with in the wrong way (e.g., even simple "ping" commands). Using a non-native protocol is like trying to speak to a foreign tourist in your local language: there's a good chance of a misunderstanding. This is why querying a controller using a non-native protocol can be taxing on the controller's resources. If, however, you use the controller's native language for querying, there is no performance hit whatsoever.
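As an added illustration of what a native-protocol query looks like (this is example code written for this page, not the article author's or any vendor's product code), the block below builds and decodes a Modbus/TCP "Read Device Identification" exchange, function code 43 with MEI type 14 as defined in the Modbus application protocol specification. It is exactly the kind of question an active component asks to learn vendor, product code and firmware revision, attributes that, as noted above, rarely show up in passively captured traffic. The controller response and the exception frame are constructed byte strings for illustration; no device is contacted, and the vendor and product names are fictional.

```python
"""
Added example (not from the original article): encoding a Modbus/TCP
"Read Device Identification" request (function 0x2B, MEI type 0x0E) and
decoding the controller's reply into named fields.  All frames below are
constructed for illustration; nothing is sent on a network.
"""
import struct

FC_READ_DEVICE_ID = 0x2B   # Encapsulated Interface Transport function code
MEI_DEVICE_ID = 0x0E       # MEI type: Read Device Identification
READ_BASIC = 0x01          # Basic identification: vendor, product code, revision

# Object ids defined by the Modbus application protocol specification.
OBJECT_NAMES = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_device_id_request(transaction_id: int, unit_id: int,
                            read_code: int = READ_BASIC, object_id: int = 0x00) -> bytes:
    """Return a Modbus/TCP ADU (MBAP header + PDU) asking for device identification."""
    pdu = bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, read_code, object_id])
    # MBAP header: transaction id, protocol id (0 = Modbus),
    # length of what follows (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_device_id_response(adu: bytes) -> dict:
    """Decode a device identification response into a dict of named fields.

    Raises ValueError on a malformed frame or on a Modbus exception response,
    so a caller can log the failure instead of recording bad inventory data.
    """
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    pdu = adu[7:]
    function = pdu[0]
    if function == (FC_READ_DEVICE_ID | 0x80):
        # Exception response: function code with the high bit set, then exception code.
        raise ValueError(f"Modbus exception 0x{pdu[1]:02x}")
    if function != FC_READ_DEVICE_ID or len(pdu) < 7 or pdu[1] != MEI_DEVICE_ID:
        raise ValueError("not a device identification response")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    result = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "read_code": read_code,
        "conformity_level": conformity,
        "more_follows": more_follows == 0xFF,   # 0xFF means a further request is needed
        "next_object_id": next_object,
        "objects": {},
    }
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"Object_{obj_id:02x}")
        result["objects"][name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return result


# Constructed reply from a fictional controller to a basic identification query:
# read code 1, conformity level 1, no more follows, next object 0, three objects.
_SAMPLE_PDU = (
    bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, READ_BASIC, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, len(b"ExampleVendor")]) + b"ExampleVendor"
    + bytes([0x01, len(b"EX-PLC-100")]) + b"EX-PLC-100"
    + bytes([0x02, len(b"v2.4.1")]) + b"v2.4.1"
)
SAMPLE_RESPONSE = struct.pack(">HHHB", 1, 0, len(_SAMPLE_PDU) + 1, 0x01) + _SAMPLE_PDU

# Constructed exception reply (illegal function, code 0x01) from a device that
# does not implement device identification.
SAMPLE_EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 0x01) + bytes([FC_READ_DEVICE_ID | 0x80, 0x01])

if __name__ == "__main__":
    print("request :", build_device_id_request(1, 1).hex())
    print("decoded :", parse_device_id_response(SAMPLE_RESPONSE)["objects"])
    try:
        parse_device_id_response(SAMPLE_EXCEPTION)
    except ValueError as err:
        print("exception:", err)
```

The request is 12 bytes and the reply carries the firmware revision string directly, which is why a single query can resolve an attribute that passive capture may never see from a dormant controller. In practice the caller would also honour `more_follows`, re-issuing the request with `next_object_id` until the device reports that the list is complete.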
Interestingly, this is the same conversation that dominated the IT world 15 years ago. Passive solutions, like virus detection and intrusion detection, were initially preferred over their active counterparts (virus protection and intrusion prevention), which were perceived as creating too much of a hit on performance. We know how this played out – when cyber attacks became ubiquitous, everybody moved to an active system.
We can assume that the same scenario will eventually play out on the OT side as well, given the ever more connected nature of the ICS environment and the evolving attack landscape.
The Need for Faster Detection and Mitigation
A key advantage of active monitoring is that it enables much faster detection of potential security risks than passive monitoring. In fact, sometimes the only way to discover certain types of information that may indicate a breach is to ask the right question - something that passive monitoring cannot do.
Modern attacks targeting ICS networks, as described in the recently updated US CERT report, are more sophisticated than ever. The escalating number and frequency of these attacks can be attributed to the fact that controllers are now connected to the outside world. Additionally, the widespread use of IoT technologies is blurring the lines between IT and OT networks, increasing the exposure of ICS networks to cyber attacks. Because these controllers are essential for running the daily operations of critical infrastructure and production facilities, they have become prime targets of government-sponsored and other bad actors.
In this context, active network monitoring is more crucial than ever for protecting ICS assets. Industrial organizations need to detect and validate suspicious activities faster, and mitigate them in the shortest possible timeframes, to avoid harmful downtime or disruptions. The only way to achieve the required level of visibility is to include an active querying component in your ICS security arsenal.
Successful attacks against critical infrastructure in the US and abroad illustrate the need for a different approach to ICS security. Dr. William Murray once said that, “Hackers live by the Pac-Man Rule which is quite simply, ‘one cannot cheat at Pac-Man. The rules are implicit in the game. If it can be done, it is legitimate.’” Industrial organizations need to recognize this and take a more aggressive and active approach in the face of today's sophisticated threats.