New Security Technologies for New IoT Threats

Knowing how to assess the ability of cybersecurity technologies to handle the ever-changing threat landscape facing industry is critical to making the right technology decisions.


Industrial control systems (ICSs) have become increasingly connected to the Internet over the past decade—a trend showing no signs of slowing down. Though accelerated connectivity of the ICS has helped to optimize automation, it has also exposed new operational risks and cyber threats. As evidenced by the recent appearance of Industroyer/CrashOverride and Triton, we are clearly experiencing a rising tide of targeted attacks on ICSs and operations technology (OT) networks.

To develop a truly comprehensive approach, it’s important for industrial companies to heighten capabilities for real-time visibility and threat detection within their OT environments that complement IT processes and existing cybersecurity infrastructure. As a user seeking world-class operations, continuous improvement and risk management, you must be able to evaluate the best solution for your needs.

The first step in this assessment process involves the recognition that the typical ICS environment is multi-tiered—consisting of various network segments, such as Ethernet TCP/IP, cellular, LAN, serial control and remote/intelligent I/O. The disparate and often proprietary nature of OT networks means that some segments—and the communications between them—cannot be monitored using traditional network and cybersecurity tools.

To address this, leading ICS cybersecurity solutions extend the visibility of IT cybersecurity into OT environments. These solutions generally deploy non-intrusively and provide visibility and detection across all corners of complex OT networks. For example, when an engineering workstation sends data to remote terminal units (RTUs), Nozomi Networks’ SCADAguardian discerns whether the RTU is being communicated with directly or is being used as a gateway to a physical device. In this direct communication circumstance, a conventionally secured industrial network would be exposed to attackers through a nested node without the network security personnel being aware that these connections even exist.
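As an added illustration of the direct-versus-gateway distinction described above (example code written for this article, not SCADAguardian's method), the following passive parser inspects Modbus/TCP request headers and records which serial unit addresses are reached through each RTU. It assumes the Modbus/TCP convention that unit id 0xFF (or 0x00) addresses the TCP endpoint itself while any other unit id is forwarded to a device behind it; the frames and addresses are constructed.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP MBAP header: transaction id (2), protocol id (2, always 0),
# length (2, bytes that follow), unit id (1). Treating 0xFF/0x00 as "the RTU
# itself" and anything else as a forwarded serial slave is an assumption.
MBAP = struct.Struct(">HHHB")
DIRECT_UNIT_IDS = {0x00, 0xFF}

@dataclass(frozen=True)
class Observation:
    client: str
    server: str
    unit_id: int
    function: int
    target: str   # "direct" (the RTU) or "nested" (a device behind it)

def classify_modbus_request(client, server, payload):
    """Parse one Modbus/TCP ADU and say whether it addresses the RTU itself
    or a nested device reached through the RTU's serial side."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0:
        raise ValueError("not Modbus protocol id 0")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = payload[7]
    target = "direct" if unit in DIRECT_UNIT_IDS else "nested"
    return Observation(client, server, unit, function, target)

def nested_nodes(flows):
    """Inventory of serial unit ids seen behind each RTU: the nested nodes
    that an IP-address-based firewall policy never sees."""
    inventory = {}
    for client, server, payload in flows:
        obs = classify_modbus_request(client, server, payload)
        if obs.target == "nested":
            inventory.setdefault(server, set()).add(obs.unit_id)
    return inventory

# Constructed sample frames (not captured traffic): a read of holding
# registers (0x03) sent to the RTU itself, the same read to slave 1 behind
# it, and a write single register (0x06) to slave 5 behind it.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("000100000006ff0300000002")),
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("000200000006010300000002")),
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("00030000000605060000ff00")),
]

if __name__ == "__main__":
    print(nested_nodes(SAMPLE_FLOWS))
```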

A hybrid approach to threat detection

New forms of malware are emerging on a weekly basis. This reality requires a multi-faceted approach to threat detection, empowering users to be attentive, responsive and proactive in their ICS cybersecurity posture. To achieve this, the best choice of ICS cybersecurity solutions offers a hybrid approach to cyber threat detection, comprising both behavior-based anomaly detection and rules-based analysis.

Behavior-based anomaly detection is foundational to any ICS cybersecurity approach. The ability to non-intrusively learn and monitor all traffic within an OT network enables the user to identify would-be cyber threats, with context, that would otherwise go unnoticed using conventional active cybersecurity approaches, such as industrial firewalls and agent-based security information and event management (SIEM) systems.

Achieving a useful level of contextual analysis is what distinguishes behavior-based anomaly detection from conventional cybersecurity. The difference depends on the solution’s ability to support correlation and covariance testing of many anomalies across geographically distributed, multi-tiered networks. Often, a single common root cause can be attributed to thousands of network events, so understanding the underlying culprit is essential to enabling rapid forensic analysis and remediation.

Utilizing a rich analytics engine and artificial intelligence (AI) techniques, SCADAguardian identifies both process and communication anomalies, including correlations with process data readings and critical state awareness. Examples of anomalies detected include modified and/or added devices within the network, or irregular commands and communications like bandwidth and latency variances. This concept of contextual correlation allows SCADAguardian to rapidly organize, aggregate and assess anomalies according to threat category, risk level and location within the network.
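To make the contextual-correlation idea concrete, here is an added example (written for this article, not SCADAguardian's analytics engine) that rolls individual anomaly events into incidents keyed on the suspected culprit asset within a time window, then ranks them by risk and shows the segments each one touched. The event records, field names and severity scale are constructed.

```python
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed anomaly events (not real alerts): a device appears on the
# control segment, then issues irregular commands and disturbs latency on
# the I/O segment; an unrelated bandwidth blip occurs at another plant.
EVENTS = [
    {"ts": 100, "site": "plant-A", "segment": "L2-ctrl", "asset": "10.0.2.77",
     "category": "new_device", "severity": "medium"},
    {"ts": 105, "site": "plant-A", "segment": "L2-ctrl", "asset": "10.0.2.77",
     "category": "irregular_command", "severity": "high"},
    {"ts": 106, "site": "plant-A", "segment": "L1-io", "asset": "10.0.2.77",
     "category": "latency_variance", "severity": "low"},
    {"ts": 900, "site": "plant-B", "segment": "L2-ctrl", "asset": "10.9.2.3",
     "category": "bandwidth_variance", "severity": "low"},
]

def correlate(events, window=300):
    """Group anomalies that share a site and asset and fall within `window`
    seconds of each other into one incident; risk is the highest severity
    seen, location is the set of segments involved."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for inc in incidents:
            same_culprit = (inc["site"], inc["culprit"]) == (ev["site"], ev["asset"])
            if same_culprit and ev["ts"] - inc["last_ts"] <= window:
                break
        else:
            inc = {"site": ev["site"], "culprit": ev["asset"], "first_ts": ev["ts"],
                   "last_ts": ev["ts"], "segments": set(), "categories": {},
                   "risk": 0, "events": 0}
            incidents.append(inc)
        inc["last_ts"] = ev["ts"]
        inc["segments"].add(ev["segment"])
        inc["categories"][ev["category"]] = inc["categories"].get(ev["category"], 0) + 1
        inc["risk"] = max(inc["risk"], SEVERITY[ev["severity"]])
        inc["events"] += 1
    # Highest risk first, then the incident with the most supporting events.
    return sorted(incidents, key=lambda i: (-i["risk"], -i["events"]))

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["site"], inc["culprit"], inc["risk"], sorted(inc["segments"]), inc["categories"])
```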

Rules-based analysis provides the proactive threat-hunting component of an ICS cybersecurity strategy and posture, enabling users to leverage deep packet inspection to help uncover malware and cyber attacks on their network and to initiate a response ahead of the initial infection stage. Rules-based analysis is a key component of Nozomi Networks’ hybrid threat detection approach, which uses external rules (such as YARA rules and packet rules) as well as proprietary rules inherent to SCADAguardian’s unique and customizable analytics toolkit. Both forms of rules-based analysis are effective for proactive threat hunting.

An integrated IT/OT cybersecurity posture

A final discerning factor to define successful cybersecurity strategies is how well the solution scales and meets the demands of a large, geo-distributed enterprise. For scalability, ICS cybersecurity solutions must integrate seamlessly with existing IT-oriented security infrastructure, working with firewalls, SIEMs and other enterprise IT components. ICS cybersecurity solutions should scale laterally across geo-distributed networks and vertically between multi-tiered levels of supervisory and operational control.

With these factors in mind, application programming interface (API) openness, protocol support capabilities and product segmentation define the key integration and scalability features of an ICS cybersecurity solution. Here is what to look for in these three areas:

  • An API is a set of defined functions and methods for interfacing with the underlying operating system; it is essentially a software gateway that makes it possible for applications to interact and share data. Not all APIs are equal, and they should be tested in the evaluation phase of ICS cybersecurity solutions. The API will dictate how easily and effectively a solution integrates with existing applications and adapts to the future direction of the overall enterprise architecture. For example, the API should be tested to support secure bi-directional flows that will allow sharing data with other applications and ingesting data from other sources for valuable real-time analytics, such as the aforementioned contextual correlations, when anomalies are detected.
  • A protocol software development kit (SDK) allows parsing and analysis of various OT and IT protocols, and enables users to dissect proprietary protocols and protocols that must remain confidential, including from the ICS cybersecurity solution provider itself. Nozomi Networks’ protocol SDK allows users to maintain that confidentiality as needed while still leveraging all the integration capabilities provided by the open API.
  • The ICS cybersecurity vendor of choice should support expansion and adaptability to future additions and changes to the enterprise architecture in a cost-effective and secure manner. To evaluate the readiness of an ICS cybersecurity solution provider to adjust and scale, evaluate the sourcing and segmentation of its product offering to determine how much of the complete stack—from hardware to operating system—the company owns and controls. Find out if they segment their solution physically or virtually. Also ask how they can effectively deploy their solution to support various application scenarios that require different bandwidth requirements.

Assessing these future-proofing, total-cost-of-ownership questions will help you select an ICS cybersecurity solution that best fits your current and future requirements.
