One of the first lessons taught to healthcare professionals is the importance of reading a patient’s symptoms to form a diagnosis. Spotting a potential problem early enables corrective measures to be taken more quickly thereby yielding better patient outcomes and less “damage”.
Based on my experience in healthcare, I see an interesting parallel that applies to cyber security. It simply makes sense that in the security realm, detecting an infection early will result in less damage thereby yielding a better outcome and enabling the “patient” to resume its normal “life” more quickly. And while all of this is pretty self-evident on paper, many organizations ignore this completely and wait for the “patient” to become deathly ill before dealing with the cyber infection.
Despite the fact that OT networks’ sole purpose is to run the industrial side of the house, including pumps, actuators, robotics, processes and more, securing these environments has been an afterthought until fairly recently. For the longest time, OT networks were isolated and “air gapped” from other parts of the organization. As a result, it was nearly impossible to reach and infect these networks.
All that has changed. The convergence of IT and OT, coupled with the widespread adoption of IoT technology, has expanded the OT attack surface and multiplied exploit vectors practically overnight. Air gapped systems and completely isolated OT networks are now history, leaving OT networks prone to attacks and infections.
Figure 1: OT Network is no longer isolated
In order to address this new reality, many organizations recognize they need to deploy security in their OT network in much the same way as they have in their IT network. Because the infections or attacks differ between IT and OT, the types of security solutions differ between the two as well. In deploying OT security, many organizations have chosen a product that sits and “listens” to what is happening on the network. If any hint of an attack is detected, OT security tools should be able to recognize it and alert on it – right? Wrong.
While many security products do a reasonably good job of listening to network traffic, passively monitoring network activity is too late in the infection chain to limit “damage”! Much like in the healthcare scenario, we need to catch the infection as early as possible, while it is still localized. Detecting indicators of compromise in network traffic is the healthcare equivalent of identifying a biological infection when it is already in the patient’s bloodstream – long after the initial local outbreak started. Once an attack has hit the network, it is already propagating to other areas, making it more complex to address and leaving more damage in its wake.
In order to find problems earlier, it is important to understand that attacks do not generally target networks, but rather the devices on the network. As such, passive network detection should not be relied on exclusively. Active detection that can query devices on the network (in their native protocols) can detect problems earlier, allow for faster intervention and limit damage, rather than waiting for signs to show up in the network’s “bloodstream”. In fact, some devices are dormant and seldom, if ever, communicate on the network, which means an even longer delay in detection and intervention if only passive monitoring is used.
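As an added illustration of the active-versus-passive distinction made above (example code written for this page, not the author's or any vendor's product), here is a small Python model with constructed data: a passive sensor's last-seen times per device, a known-good baseline of device-reported attributes, and an active check that queries each device and reports drift. The device names, firmware versions and checksums are invented; `query_device` stands in for a real protocol read.

```python
from datetime import datetime, timedelta

# Constructed baseline: attributes each controller reported when it was last
# known-good (firmware version and a checksum of its loaded control program).
BASELINE = {
    "plc-pump-01":  {"firmware": "2.4.1", "program_crc": "a1b2c3d4"},
    "plc-valve-07": {"firmware": "3.0.0", "program_crc": "0f0e0d0c"},
    "rtu-spare-02": {"firmware": "1.9.5", "program_crc": "77777777"},  # rarely talks
}

# Constructed live answers, standing in for an active query of each device in
# its native protocol. The dormant RTU's program checksum no longer matches.
LIVE_STATE = {
    "plc-pump-01":  {"firmware": "2.4.1", "program_crc": "a1b2c3d4"},
    "plc-valve-07": {"firmware": "3.0.0", "program_crc": "0f0e0d0c"},
    "rtu-spare-02": {"firmware": "1.9.5", "program_crc": "deadbeef"},
}

def query_device(device_id):
    """Hypothetical active query; returns the device's self-reported attributes."""
    return LIVE_STATE[device_id]

# Constructed passive-sensor record: when each device was last seen on the wire.
NOW = datetime(2019, 6, 1, 12, 0, 0)
LAST_SEEN = {
    "plc-pump-01":  NOW - timedelta(minutes=2),
    "plc-valve-07": NOW - timedelta(minutes=5),
    "rtu-spare-02": NOW - timedelta(days=45),
}

def passive_blind_spots(max_silence=timedelta(days=1)):
    """Devices passive monitoring cannot vouch for: silent longer than max_silence."""
    return sorted(d for d, seen in LAST_SEEN.items() if NOW - seen > max_silence)

def active_findings():
    """Compare each device's live answers with its baseline; return drifted fields
    as {device: {field: (expected, current)}} so an analyst sees exactly what moved."""
    drift = {}
    for device_id, expected in BASELINE.items():
        current = query_device(device_id)
        changed = {k: (expected[k], current.get(k))
                   for k in expected if current.get(k) != expected[k]}
        if changed:
            drift[device_id] = changed
    return drift

if __name__ == "__main__":
    print("no passive evidence for:", passive_blind_spots())
    print("integrity drift:", active_findings())
```

Running it shows the dormant `rtu-spare-02` is exactly the device the passive sensor has no recent evidence for, and the only device whose control program changed; the passive view alone would have nothing to alert on.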
Achieving early diagnosis of OT security infections can only be accomplished by implementing a purpose-built industrial cyber security solution that performs both network monitoring and active device integrity checks. Combining active and passive OT threat monitoring technologies that integrate with existing IT security tools can keep industrial and critical infrastructure organizations healthy and protected against infections lurking in the wild.