Organizations that run industrial or critical infrastructure face a security challenge unlike any before. Whether the cause is an outside intrusion, an insider or an accidental lapse, OT infrastructure that was once isolated, and assumed secure because of that isolation, is now more exposed than ever. This has produced a new industrial cyber security market with many new vendors and, as an unwanted by-product, a great deal of noise and confusion.
For the past several years, some new entrants with limited OT experience have downplayed the benefits of "active" detection. Active detection matters because it catches changes that never cross the monitored network, for example a technician who plugs directly into a controller's local port and downloads new logic; a passive sensor on the network sees nothing of that. Active querying also goes deeper: it records configuration down to a very granular level, finds code changes, and checks dormant devices that rarely communicate on the network and therefore generate no traffic to observe. Active querying provides a view into the OT environment that passive detection alone cannot.
Some newcomers to the ICS security market have gone further and called active querying "harmful" because it can "destabilize the OT environment". This kind of misinformation confuses the market and does a disservice to companies trying to secure their OT environments. The concern has a real but narrow origin: generic IT scanners and malformed or high-rate traffic have been known to fault fragile controllers. That is not what a properly built active component does. It is possible, and preferable, to query each asset in its own native protocol, using the same read-only requests the vendor's engineering software issues, at a controlled rate and on a schedule the operator sets. Industrial controllers are designed to answer these requests and do so without any of the supposed "dangers". So device querying, or "active detection", is not only preferable from a security perspective; done properly, it is also safe.
Critical Infrastructure Cyber Security:
How to Actively Secure Your Industrial Environment In the New Era of Distrust
What should you look for in active technology? To separate reality from myth, here are a few things to consider:
Query Depth Variance & Configuration – The administrator must control both the depth of each query and its scheduling: which queries run, against which assets, and when. On-demand queries should also be available to validate the details that matter. This yields the most security, power and control when implementing active detection in an OT environment. For example, an administrator should be able to automatically map a controller's physical module connections to show the full configuration and architecture path, and to query across serial links to reach the deepest devices.
Holistic Approach – Active capability should extend beyond basic asset discovery and inventory detail. A holistic approach uses active queries to enrich alerts and to check configurations after a change is detected. This gives the user the most comprehensive and deep understanding of what is going on in the industrial network.
Validation – Gives the administrator a second, automated "set of eyes" on any variance or change, confirming that the change was expected and is not harmful. These validations should include:
- Performing code validation and comparison after observing a code download on the network, so that the logic now on the controller can be compared with the last known-good copy.
- Periodically probing assets to validate that the physical configuration has not changed and that no modules on the PLC backplane have been removed or damaged. This should be fully configurable and available on demand, so that controller state can be verified without interrupting the process.
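To make the native-protocol point concrete, here is an added example (not Indegy's product code) of the kind of read-only query an active component issues and of the baseline comparison behind validation: a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E), a parser for the reply, and a diff of the reply against a stored baseline. The device reply and the baseline values are constructed for the illustration, and the host and port in `query_device` are placeholders.

```python
"""Added example: read-only Modbus/TCP Read Device Identification query
(function 0x2B, MEI type 0x0E) plus a baseline comparison.  Not Indegy code;
the sample reply, baseline values and host/port are constructed."""
import socket
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")
FC_READ_DEVICE_ID = 0x2B
MEI_DEVICE_ID = 0x0E
READ_BASIC = 0x01  # basic objects 0x00-0x02: vendor, product code, revision
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode",
                0x02: "MajorMinorRevision", 0x03: "VendorUrl",
                0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}
# The query tool is only ever allowed to emit read-only function codes.
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x2B}


def build_read_device_id(transaction_id, unit_id=1, read_code=READ_BASIC,
                         object_id=0x00):
    """Well-formed request, the same one an engineering tool would send."""
    pdu = bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, read_code, object_id])
    if pdu[0] not in READ_ONLY_FUNCTIONS:
        raise ValueError("refusing to send a write function code")
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_device_id_response(transaction_id, unit_id, objects,
                             read_code=READ_BASIC):
    """Device side of the exchange; used here to construct a sample reply."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects.items())
    # conformity 0x01 (basic, stream access), more follows 0x00,
    # next object id 0x00, then the object count
    pdu = bytes([FC_READ_DEVICE_ID, MEI_DEVICE_ID, read_code,
                 0x01, 0x00, 0x00, len(objects)]) + body
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(frame, expected_transaction_id):
    """Return {object name: value}; raise on an exception or malformed reply."""
    if len(frame) < MBAP.size:
        raise ValueError("short frame")
    tid, proto, length, _unit = MBAP.unpack_from(frame, 0)
    if tid != expected_transaction_id or proto != 0:
        raise ValueError("reply does not match our request")
    pdu = frame[MBAP.size:MBAP.size + length - 1]
    if len(pdu) != length - 1 or len(pdu) < 2:
        raise ValueError("truncated frame")
    if pdu[0] == FC_READ_DEVICE_ID | 0x80:
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if pdu[0] != FC_READ_DEVICE_ID or pdu[1] != MEI_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification reply")
    # pdu[2] read code, pdu[3] conformity, pdu[4] more follows, pdu[5] next id.
    # A basic read fits in one reply; an extended read that sets more follows
    # to 0xFF needs a follow-up request starting at pdu[5], not done here.
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(oid, "Object%02X" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return objects


def diff_against_baseline(baseline, current):
    """Fields whose value differs from the stored baseline, as (old, new)."""
    return {key: (baseline.get(key), current.get(key))
            for key in sorted(set(baseline) | set(current))
            if baseline.get(key) != current.get(key)}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def query_device(host, port=502, unit_id=1, timeout=2.0):
    """One request, one reply, bounded by a timeout so the device is never
    held open; host and port are placeholders for a real deployment."""
    tid = 0x1234
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(tid, unit_id))
        header = _recv_exact(sock, MBAP.size)
        frame = header + _recv_exact(sock, MBAP.unpack(header)[2] - 1)
    return parse_read_device_id(frame, tid)


if __name__ == "__main__":
    # Constructed exchange: the device now reports firmware V2.4 while the
    # baseline recorded at commissioning time says V2.3.
    baseline = {"VendorName": "ACMEplc", "ProductCode": "X100",
                "MajorMinorRevision": "V2.3"}
    reply = build_device_id_response(0x1234, 1, {0x00: b"ACMEplc",
                                                 0x01: b"X100",
                                                 0x02: b"V2.4"})
    print("changed:", diff_against_baseline(baseline,
                                             parse_read_device_id(reply, 0x1234)))
```

The request is four bytes of PDU and asks the controller for identification it is built to report; the parser refuses anything that is not a matching, well-formed reply, and the tool cannot emit a write function code at all. The same pattern, a baseline captured at commissioning and periodically re-read and diffed, is what the physical-configuration probing above amounts to, whether the change arrived over the network or through a locally connected laptop.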
After years of leading the way in active querying, Indegy has the knowledge and field experience to provide the most robust, safe and deep active component on the market. That experience has produced a mature active component that reaches details no other vendor can offer. The peace of mind Indegy provides to top manufacturing and critical infrastructure companies puts the right security in place to keep these organizations safe from unacceptable threats. And that is no myth.