Visibility and asset management have to be the cornerstone of modern Operational Technology (OT) security architecture and digital transformation. To secure Industrial Control Systems (ICS) and reap the productivity benefits of IT-OT convergence, the industrial cyber security program must be recognized as a cross-functional lifecycle and journey. IT and OT must work together for either team to be successful, and we must move beyond addressing cybersecurity alone to also address process-centric and protocol-level operational issues. Garland Technology recently spoke with James Cabe, Senior Channel Architect at CyberX, about this topic.
How is OT/IoT security different from IT security?
IT and OT are very different worlds with very different responsibilities. Fundamentally, IT secures data and manages the flow of digital information. An intentional or unintentional cyber threat could result in the loss of intellectual property, corporate financials, and employee or customer information – and the ripple effect can be costly, ranging from $200K to $4M per incident.
In contrast, OT and ICS deal with machines and execute control processes that are used to operate and/or automate industrial processes. A cyber threat could have devastating physical consequences to critical infrastructure and services, employees, human life and safety, and the environment.
How do we translate OT “Safety” into Cyber Security?
In my opinion, OT engineers have a completely different “language” and you may find yourself translating what is meant by “security.” One of the biggest misunderstandings we see between IT and OT is the tendency of CIS/CISOs to view OT through the lens of standards, regulations, or best practices, and focus on IT security practices that do not translate into ICS. This can lead to friction, sometimes a chasm between IT and OT that is needless and unhelpful. OT environments and OT systems must be viewed as processes and people with their own requirements. Great lengths need to be taken to learn and gain an understanding of their language, the mission of the industrial environment, and the different systems, risks, and cyber threats they face.
Visibility and asset management have to be the cornerstone of modern OT security architecture and digital transformation. How do we get beyond addressing cybersecurity alone and also address process-centric and protocol-level operational issues?
To begin with, malware is not a factor in this world like it is in the IT world. OT system protocols do not really allow for the corruption. Fabric security is definitely a requirement, but operational intelligence is equally important in order to know what risks are associated with the industrial control system. As digital transformation and Industry 4.0 unlock new levels of productivity and efficiency, they are also driving the deployment of new IIoT devices and increased connectivity between IT and OT networks. Because these devices don’t support agents — and are often unmanaged, unpatched or misconfigured — they can easily be compromised by adversaries. As a result, boards and management teams are increasingly concerned about the expanding attack surface and risk of costly downtime, safety incidents, and theft of sensitive intellectual property.
Assisted by the Garland Visibility Architecture Platform, CyberX provides full visibility into your IoT devices and their risk posture without requiring agents or impacting network performance.
How do visibility products such as Garland Technology solutions augment the CyberX Solution?
Deployment of the Garland Technology TAP ensures 100% of the ICS traffic is delivered to the CyberX platform. CyberX is able to analyze the traffic in order to protect complex logistical enterprises by detecting cyber threats in specific localized vulnerabilities. The solution eliminates dropped packets from oversubscribed and low prioritization SPAN ports, ensuring optimal CyberX platform performance and operation for ICS network security. This multi-layered strategy addresses complex challenges across Internet connection sharing vulnerabilities. By providing complete network visibility and access to process and leverage data, IT and OT teams can drive better decisions for scalable production and increased efficiency to unify security monitoring and governance across your enterprise.
How has the CyberX platform been designed to meet the OT world?
CyberX was founded by nation-state defenders for critical infrastructure. They understood from the beginning that OT was a different attack surface with different requirements that didn’t fit easily or neatly in the IT security framework. To understand the actual payload of the infrastructure and applications that the platform needed to protect required deep packet inspection. CyberX is IoT/OT-aware with embedded knowledge of IoT and ICS protocols, devices, vulnerabilities, and behaviors. Machine learning and patented M2M behavioral analytics are used in CyberX’s five detection engines. These engines do not stop at anomaly and malware detection, but also go further into understanding the operations, protocols, and policies in ICS environments. The engines were pre-trained to make them an “Expert System,” not just a tool that accepts baselines alone. That means the platform can start delivering value within 5-10 minutes of deployment. That truly sets the CyberX platform apart and our partners like Garland Technology assist us to make that deployment and speed to business value even quicker.
What makes the CyberX platform better and different?
CyberX provides the most widely-deployed industrial cybersecurity platform to continuously reduce IIoT and ICS risk. The CyberX platform delivers continuous ICS threat monitoring and asset discovery, combining a deeply embedded understanding of industrial protocols, devices, and applications with ICS-specific behavioral anomaly detection, threat intelligence, risk analytics, and automated threat modeling. The fact is, CyberX is the only company that addresses all four requirements of Gartner’s Adaptive Security Architecture. In addition, CyberX can be deployed with either a virtual machine or an appliance-based system that can be deployed and start providing business value in less than an hour. Another benefit our customers enjoy is the ability to expose attack vectors and correlate an attack timeline to lower the MTTR of an incident.
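The passive asset discovery and baseline-driven behavioral detection described in the two answers above, as an added example that is not CyberX's or Garland's code: the flow records and host addresses are constructed, and ICS protocols are identified only by their standard TCP ports (a simplification of the deep packet inspection the answer describes).

```python
"""Passive OT asset inventory plus baseline deviation alerts (added example, not
vendor code). Flow records are constructed; ports are the standard ICS ports."""
from collections import defaultdict

ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records (src_ip, dst_ip, dst_port) as a TAP-fed sensor sees them.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502),    # HMI polling a PLC over Modbus
    ("10.1.1.10", "10.1.2.21", 102),    # HMI talking to an S7 PLC
    ("10.1.1.11", "10.1.2.20", 502),    # engineering workstation -> PLC
]
LIVE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502),    # known conversation, in baseline
    ("10.1.1.99", "10.1.2.20", 502),    # never-seen host polling the PLC
    ("10.1.1.11", "10.1.2.21", 102),    # known hosts, new conversation
    ("10.1.1.10", "10.1.2.20", 20000),  # known pair, new protocol
]

def build_inventory(flows):
    """Asset inventory: ip -> set of ICS protocols it speaks (client or server)."""
    inventory = defaultdict(set)
    for src, dst, port in flows:
        proto = ICS_PORTS.get(port)
        if proto:
            inventory[src].add(proto)
            inventory[dst].add(proto)
    return dict(inventory)

def learn_baseline(flows):
    """Baseline = set of (src, dst, protocol) conversations seen while learning."""
    return {(s, d, ICS_PORTS[p]) for s, d, p in flows if p in ICS_PORTS}

def detect_deviations(flows, baseline):
    """Classify each off-baseline ICS conversation, in flow order:
    unknown-asset (new host), new-protocol (known pair), or new-conversation."""
    known_hosts = {h for conv in baseline for h in conv[:2]}
    alerts = []
    for src, dst, port in flows:
        proto = ICS_PORTS.get(port)
        if not proto or (src, dst, proto) in baseline:
            continue
        if src not in known_hosts or dst not in known_hosts:
            alerts.append(("unknown-asset", src, dst, proto))
        elif any(b[0] == src and b[1] == dst for b in baseline):
            alerts.append(("new-protocol", src, dst, proto))
        else:
            alerts.append(("new-conversation", src, dst, proto))
    return alerts
```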
What is the impact of not having complete wire visibility?
The escalating attack frequency, combined with an increasingly sophisticated threat landscape, highlights the need to make critical IC systems more resilient to cyber threats. Arguably the most important aspect for securing your Industrial environment is network visibility. Putting expensive security and monitoring appliances in place and investing in employee training won’t help defend the network if the network isn’t designed with visibility in mind. Like traditional network security, packets are delivered to out-of-band solutions by either Network TAPs or SPAN, which can then be coupled with Network packet brokers (NPBs) to aggregate and groom packet data for out-of-band solutions.
When critical infrastructures are involved, companies can’t afford blind spots, dropped packets, traffic bottlenecks, or network downtime. Deploying network TAPs throughout the industrial framework ensures uptime and eliminates the packet delivery issues that SPAN/mirror ports sometimes introduce.
Cybercriminals are constantly searching for vulnerabilities and IoT devices open up a whole new world to hackers and cyber thieves. What are some of the emerging trends you are seeing in OT/IoT security?
Emergence is a tough topic to handle, especially in security, because it is the unknown-unknowns that provide the scariest scenarios for many companies and CISOs. Sadly, this should be the last of their focus. It is the known-unknowns and known-knowns that companies usually find themselves embroiled in. Ransomware and highly automated malware frameworks have started to incorporate ICS attacks by enumerating OT-specific protocols and software and then shutting them down. This is a stage 1 style attack that we saw at the beginning of worms. Malware like the Slammer worm and the I.Love.You virus did just that for organizations. We saw that recently with some automotive manufacturers. So sadly, this is just the beginning. There are plenty of attacks that can do these things without malware at all. Three simple scripting languages can enable a fully “Live off the Land” attack on ICS environments. This can be extremely hard to defend against. It is time to create a new type of Defense in Depth -- one that incorporates enforcement, adaptation, and behavior-based detection rather than simply cobbling defenses together.