Introduction
Operational Technology (OT) networks carry a growing number of technology infrastructures, each handling one or more industrial processes. The cost and complexity of managing this growing estate is driving industrial sectors to digitize and automate their processes at an increasingly rapid rate.
Process automation applications for industrial control systems are designed and purpose-built for specific industries, for example oil and gas, energy production and power distribution, mining, water processing and distribution, manufacturing, traffic control systems, and facility management.
While connected systems deliver added value and improved productivity, they also increase cyber security risk. Many attacks on OT systems appear to target older devices running unpatched operating systems (OS) and software. Malware and other attacks designed specifically for OT systems are on the rise, with Industrial Control Systems (ICS) increasingly being targeted. All of this is happening against a backdrop of growing concern about cyber threats among organizations and world leaders.
What is needed are solutions that accelerate digital transformation by providing network visibility, threat detection and operational insight into this environment.
OT Networking Challenges and Solutions
Given the rise of cyber risk to the OT environment and the steady stream of newly discovered vulnerabilities and threats, business and asset owners need to address these issues urgently. They have to assess the risk to critical assets and the potential damage from attacks against ICS infrastructure: loss of production, loss of life, environmental damage or reputational harm, any of which can cause serious or unrecoverable harm to the organization.
Network Monitoring and Anomaly Detection (NMAD) tools help here. To mitigate the threat posed by cybercriminals, these tools need to perform several major tasks, described below. Many OT systems also use a wide range of industrial protocols that some NMAD tools do not understand, so asset owners end up combining several tools from different vendors to cover the gaps, which adds complexity.
The following top five NMAD challenges provide an overview of the most critical and common challenges in OT networking environments.
1. Asset Visibility
In any cyber security program, keeping assets current (software and firmware levels, security configurations) is difficult, time-consuming and requires experienced technical staff. Most OT environments face the same challenges: a large number of devices from multiple vendors; assets that are added and changed frequently; no way to detect new devices; and unknown devices on the network that the owner does not know exist and that attract cybercriminals. Security and network professionals will never be able to defend systems completely against sophisticated cyberattacks, but visibility into these threats helps to minimize security risk.
Hence a complete, accurate, consistently formatted and centralized asset inventory is key to an effective OT network. An NMAD solution should automatically track all OT assets and immediately visualize the network's communication flows in context, revealing who "talks" to whom. Automatic asset discovery with network visualization keeps the inventory up to date, which enhances cyber resilience and saves time, because every communicating device is identified automatically.
It should also provide extensive node information, including name, type, serial number, firmware version and components, and present risk information such as security and reliability alerts, missing patches and known vulnerabilities. The ability to extend or customize the asset repository with additional information such as owner, location, backup status and endpoint security posture is desirable. Together these give instant awareness of all OT network devices and their activity patterns.
Key network data such as traffic throughput, TCP connections, traffic flows (who talks to whom), transmission errors and protocols in use should also be presented, since this data is what builds an understanding of normal operations. Intuitive dashboards and reports should let the user explore macro views and drill down into detailed information on endpoints and connections, filter views by subnet, type, role, zone or topology, and group discovered assets visually in lists and detailed single-asset views.
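The passive discovery described above, as an added example that is not part of the original article or of any vendor's product: it builds an asset inventory and a who-talks-to-whom map purely from flow summaries a mirror-port sensor would produce, infers a coarse role from the ICS server ports a host answers on, and flags hosts outside every defined zone. The flow records, the zone map and the port-to-protocol table are constructed for the example; a real sensor would decode the protocol payload rather than trust the port alone.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed flow summaries as a passive sensor on a SPAN/mirror port would
# produce them: (src_ip, dst_ip, dst_port, transport, bytes). Addresses are made up.
SAMPLE_FLOWS = [
    ("10.10.1.10",  "10.10.2.20", 502,   "tcp", 4200),  # HMI -> PLC, Modbus/TCP
    ("10.10.1.10",  "10.10.2.21", 502,   "tcp", 3900),  # HMI -> second PLC
    ("10.10.1.11",  "10.10.2.20", 44818, "tcp", 8800),  # engineering workstation -> PLC, EtherNet/IP
    ("10.10.1.12",  "10.10.2.22", 20000, "tcp", 2200),  # DNP3 master -> RTU
    ("10.10.1.10",  "10.10.0.5",  53,    "udp", 300),   # HMI -> DNS
    ("192.168.7.9", "10.10.2.20", 502,   "tcp", 120),   # host from an unknown subnet -> PLC
]

# Well-known ICS server ports, used here to infer roles from traffic alone.
# Assumption: port-based inference is enough for the example; a real NMAD sensor
# decodes the protocol payload to confirm it.
ICS_PORTS = {
    102: "s7comm", 502: "modbus-tcp", 4840: "opc-ua",
    20000: "dnp3", 44818: "ethernet-ip", 47808: "bacnet",
}

# Hypothetical zone map an asset owner would maintain for their own site.
ZONES = {
    "10.10.0.0/24": "infrastructure",
    "10.10.1.0/24": "supervisory",
    "10.10.2.0/24": "control",
}


@dataclass
class Asset:
    ip: str
    zone: str
    served: set = field(default_factory=set)   # protocols this host answers on
    used: set = field(default_factory=set)     # protocols this host initiates
    peers: set = field(default_factory=set)
    bytes_total: int = 0

    @property
    def role(self) -> str:
        """A host that answers on an ICS port is a field device; a host that only
        initiates ICS traffic is a supervisory client; anything else is 'other'."""
        ics = set(ICS_PORTS.values())
        if self.served & ics:
            return "field-device"
        if self.used & ics:
            return "supervisory-client"
        return "other"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"


def build_inventory(flows):
    """Passively build the inventory: every IP seen on the wire becomes an asset."""
    assets = {}

    def get(ip):
        return assets.setdefault(ip, Asset(ip=ip, zone=zone_of(ip)))

    for src, dst, dport, transport, nbytes in flows:
        proto = ICS_PORTS.get(dport, f"{transport}/{dport}")
        s, d = get(src), get(dst)
        s.used.add(proto)
        d.served.add(proto)
        s.peers.add(dst)
        d.peers.add(src)
        s.bytes_total += nbytes
        d.bytes_total += nbytes
    return assets


def conversations(flows):
    """Who talks to whom, per protocol, with flow counts (the edges of the network map)."""
    return Counter((src, dst, ICS_PORTS.get(dport, f"{t}/{dport}"))
                   for src, dst, dport, t, _ in flows)


def filter_assets(assets, zone=None, role=None):
    """Filter the inventory by zone and/or inferred role, as a dashboard view would."""
    return sorted(
        a.ip for a in assets.values()
        if (zone is None or a.zone == zone) and (role is None or a.role == role)
    )


def unknown_assets(assets):
    """Devices outside every defined zone: the unknown devices the text warns about."""
    return filter_assets(assets, zone="unknown")


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip in sorted(inv):
        a = inv[ip]
        print(f"{ip:13} zone={a.zone:14} role={a.role:18} peers={len(a.peers)} bytes={a.bytes_total}")
    print("unknown:", unknown_assets(inv))
```

Run as a script it prints one row per discovered host; the host from 192.168.7.9 comes out with zone "unknown" even though it is speaking Modbus to a PLC, which is exactly the kind of device an inventory built from purchase records would never list.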
2. Detection of Anomalies and Suspicious Activity
Most OT networks today face sophisticated cyberattacks because they cannot detect and block unauthorized access to devices or activity outside the normal operating parameters. Zero-day attacks are especially hard to handle: the potential impact of exploitation is large, and finding and tracking every instance of a vulnerable library is tedious. If a threat agent gets into the OT network, for instance through a zero-day exploit, it may attack the OT assets directly or through a subsequent attack. Many anti-virus and email security products cannot detect these attacks, leaving the adversary free to gather information silently and cause damage.
An NMAD solution should quickly detect and disrupt threats and anomalous behaviour in a multi-vendor OT operations environment. It should provide anomaly-based detection, which can catch zero-day attacks that no signature describes, and profile each OT asset so that deviations from the learned baseline of its behaviour are detected and alerted on.
Furthermore, the solution should be able to use and combine network traffic and packet matching rules, payload and data content matching that triggers on signatures of known malicious behaviour, and custom rules written by the customer's operations team for their own specific use cases and scenarios.
Early indicators of attack or compromise (IOCs) are crucial in the OT environment. The tool should categorize detected alerts by threat severity or risk rating and aggregate related alerts into a single incident. Detection of malicious and anomalous activity should cover, but not be limited to, protocol misuse, malware communication, tunneling attempts, and intrusion and hacking attempts from desktops, laptops, mobile devices and similar endpoints.
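The two detection styles and the alert handling described in this section, as an added example that is not part of the original article: a baseline is learned from a window of decoded OT messages, signature rules fire on specific message content (here, a control write from a host that is not an engineering workstation), anomaly checks fire on any message outside the baseline with a severity that depends on how far it deviates (unknown host, unknown conversation, or merely a new function code), and related alerts are aggregated by source host into incidents. The message format, the baseline and live traffic, the rules and the engineering-host list are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Obs:
    """One decoded OT message as a passive sensor would summarise it (constructed shape)."""
    src: str
    dst: str
    protocol: str   # e.g. "modbus", "dnp3"
    function: str   # decoded function, e.g. "read_holding_registers"


@dataclass
class Alert:
    severity: str
    kind: str
    obs: Obs
    detail: str


# Hosts permitted to issue control writes. Hypothetical: in practice this comes
# from the role field of the asset inventory rather than a hard-coded set.
ENGINEERING_HOSTS = {"10.10.1.11"}

# Signature-style rules: (severity, name, predicate over one observation).
SIGNATURE_RULES = [
    ("high", "control-write-from-non-engineering-host",
     lambda o: o.protocol == "modbus" and o.function.startswith("write")
     and o.src not in ENGINEERING_HOSTS),
    ("high", "plc-stop-command",
     lambda o: o.function in {"stop_plc", "cpu_stop"}),
]


def learn_baseline(observations):
    """Allow-list of (src, dst, protocol, function) tuples seen in a learning window."""
    return frozenset((o.src, o.dst, o.protocol, o.function) for o in observations)


def detect(observations, baseline):
    """Run signature rules first, then anomaly checks against the learned baseline."""
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    known_hosts = {h for pair in known_pairs for h in pair}
    alerts = []
    for o in observations:
        for sev, name, pred in SIGNATURE_RULES:
            if pred(o):
                alerts.append(Alert(sev, name, o, f"{o.src} sent {o.function} to {o.dst}"))
        if (o.src, o.dst, o.protocol, o.function) in baseline:
            continue                                   # normal, learned behaviour
        if o.src not in known_hosts:
            alerts.append(Alert("high", "new-host", o, f"{o.src} never seen in baseline"))
        elif (o.src, o.dst) not in known_pairs:
            alerts.append(Alert("medium", "new-conversation", o, f"{o.src} -> {o.dst} never seen"))
        else:
            alerts.append(Alert("low", "new-function", o, f"{o.function} is new for {o.src} -> {o.dst}"))
    return alerts


def aggregate(alerts):
    """Group alerts by source host into incidents; incident severity is the highest alert severity."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.obs.src].append(a)
    return {
        src: {"severity": max(als, key=lambda a: SEVERITY_RANK[a.severity]).severity,
              "alerts": als}
        for src, als in by_src.items()
    }


# Constructed learning-window traffic: HMI reads, engineering workstation writes, DNP3 polls.
BASELINE_TRAFFIC = [
    Obs("10.10.1.10", "10.10.2.20", "modbus", "read_holding_registers"),
    Obs("10.10.1.10", "10.10.2.21", "modbus", "read_holding_registers"),
    Obs("10.10.1.11", "10.10.2.20", "modbus", "write_single_register"),
    Obs("10.10.1.12", "10.10.2.22", "dnp3", "read"),
]

# Constructed live traffic: a normal read, an HMI that starts writing, an unknown
# host, and a known host talking to a PLC it never talked to before.
LIVE_TRAFFIC = [
    Obs("10.10.1.10", "10.10.2.20", "modbus", "read_holding_registers"),
    Obs("10.10.1.10", "10.10.2.20", "modbus", "write_single_register"),
    Obs("192.168.7.9", "10.10.2.20", "modbus", "read_coils"),
    Obs("192.168.7.9", "10.10.2.20", "modbus", "write_multiple_registers"),
    Obs("10.10.1.12", "10.10.2.20", "modbus", "read_holding_registers"),
]


def run_example():
    return aggregate(detect(LIVE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC)))


if __name__ == "__main__":
    for src, inc in run_example().items():
        print(f"incident src={src} severity={inc['severity']}")
        for a in inc["alerts"]:
            print(f"  [{a.severity}] {a.kind}: {a.detail}")
```

Note that the HMI's write produces two alerts of different origin (a signature hit and a baseline deviation) that land in one incident, and that the unknown host is reported at high severity even for a plain read: in an OT baseline, a new talker is itself the indicator, whatever it sends.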
3. Centralized Monitoring System
The OT network environment is normally made up of devices and applications from multiple vendors. These are usually administered and monitored individually, often from different systems at different locations. Most OT networks have no centralized security management platform spanning their diverse infrastructure components, so each vendor's systems are managed separately.
An NMAD solution should deliver a platform that supports most, if not all, of the vendor systems and applications used in the OT network, so that cyber security risks and threats can be monitored and administered from a single pane of glass. It should provide centralized OT network security management no matter how large or distributed the customer's processing infrastructure is, domestically or globally.
The solution should provide one management console that monitors all network segments, local and remote, delivering aggregated summaries with drill-down to site-level detail and powerful query capabilities so that questions can be resolved quickly.
It should deliver instant awareness of OT networks and their activity patterns, capturing key data such as traffic throughput, TCP connections and the protocols used between zones, which in turn accelerates incident response and troubleshooting.
4. Vulnerability Management
There are many examples of malware, ransomware and other attacks that have caused financial, operational and reputational damage across industries. Threat scenarios include executable files and applications carrying malicious code, and insider misuse of privileges resulting in data leakage, malware infection, and system or process disruption. Asset owners often cannot easily detect unpatched devices or establish the patch status of all IT/OT devices, because automated scanning tools are not permitted on production infrastructure for fear of disruption. Without deep network insight into every level of the OT network it is very difficult to gain visibility into security vulnerabilities and potential points of entry.
An NMAD solution should provide a vulnerability assessment capability that automatically identifies devices with known vulnerabilities and their severity levels, with an easy way to visualize, find and drill down on asset and vulnerability information. Known vulnerabilities should be clearly visible, and users should be notified when a system installed on the monitored network is affected by a known issue. Vulnerability data should be synchronized from the National Vulnerability Database (NVD) and other sources, and matched to assets on updatable fields such as vendor, product and firmware version.
The NMAD solution should present published vulnerability data for the systems and devices that exist in the OT network, and this information shall be gathered non-intrusively, without active network scans of the devices.
Detection of zero-day and other attacks remains paramount. The NMAD solution should also detect attacks and attempts that are not tied to a published vulnerability, such as zero-day exploitation, brute-force attacks, information theft and application scanning.
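The non-intrusive matching described above, as an added example that is not part of the original article: the vendor, product and firmware version already held in the passively built inventory are compared against vulnerability records shaped like an NVD CPE match entry (a `cpe:2.3` criteria string plus the optional `versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding` and `versionEndExcluding` range fields), and no packet is ever sent to a device. The inventory, the feed, the vendor and product names and the `EXAMPLE-` identifiers are all constructed placeholders, not real devices or CVEs; the assumption that firmware CPEs name the product as `<model>_firmware` is made explicit in the code.

```python
import re

# Constructed inventory as passive discovery would report it. Vendor and product
# names are placeholders, not real devices.
INVENTORY = [
    {"ip": "10.10.2.20", "vendor": "examplevendor", "product": "plc-1000", "version": "2.3.1"},
    {"ip": "10.10.2.21", "vendor": "examplevendor", "product": "plc-1000", "version": "2.4.0"},
    {"ip": "10.10.2.22", "vendor": "examplevendor", "product": "rtu-50",   "version": "1.2"},
    {"ip": "10.10.1.10", "vendor": "examplevendor", "product": "hmi-view", "version": "7.0.3"},
]

# Constructed vulnerability records in the shape of an NVD CPE match entry:
# a cpe:2.3 criteria string plus optional version range fields. The IDs are
# placeholders, not real CVE identifiers.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "cvss": 9.8,
     "criteria": "cpe:2.3:o:examplevendor:plc-1000_firmware:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"},
    {"id": "EXAMPLE-0002", "cvss": 7.5,
     "criteria": "cpe:2.3:o:examplevendor:rtu-50_firmware:1.2:*:*:*:*:*:*:*"},
    {"id": "EXAMPLE-0003", "cvss": 5.3,
     "criteria": "cpe:2.3:o:examplevendor:plc-1000_firmware:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "1.9.9"},
]


def vtuple(version: str):
    """Turn '2.3.1' or '1.2b' into a comparable tuple of integers."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def cpe_fields(criteria: str):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (vendor, product, version)."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def in_range(version: str, rec: dict) -> bool:
    """Apply the NVD-style range fields; an absent bound is open."""
    v = vtuple(version)
    if "versionStartIncluding" in rec and v < vtuple(rec["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in rec and v <= vtuple(rec["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > vtuple(rec["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in rec and v >= vtuple(rec["versionEndExcluding"]):
        return False
    return True


def affects(asset: dict, rec: dict) -> bool:
    vendor, product, exact = cpe_fields(rec["criteria"])
    # Assumption: firmware CPEs name the product as '<model>_firmware'; strip the
    # suffix so it matches the model name the inventory reports.
    if product.endswith("_firmware"):
        product = product[: -len("_firmware")]
    if vendor != asset["vendor"] or product != asset["product"]:
        return False
    if exact != "*":                       # exact version pinned in the CPE itself
        return vtuple(exact) == vtuple(asset["version"])
    return in_range(asset["version"], rec)


def match_vulnerabilities(inventory, feed):
    """Passive matching: inventory fields against the feed, no packets sent to any device."""
    findings = []
    for asset in inventory:
        for rec in feed:
            if affects(asset, rec):
                findings.append({"ip": asset["ip"], "id": rec["id"], "cvss": rec["cvss"]})
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in match_vulnerabilities(INVENTORY, VULN_FEED):
        print(f"{f['ip']}  {f['id']}  CVSS {f['cvss']}")
```

The two PLCs differ only in firmware version, and the one on 2.4.0 correctly drops out because `versionEndExcluding` is exclusive; getting these boundary semantics right is what separates a useful passive vulnerability view from a noisy one.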
5. Common IT/OT Platform
The major issue in deploying a solution across IT and OT networks is the lack of a common compliance driver across all network segments. Hundreds of protocols need to interoperate across and within these mixed environments, and there is limited support for integrating the OT network with Security Information and Event Management (SIEM) systems, which typically live in the IT network.
What is needed is a solution that provides a unified security integration and monitoring platform across OT, IIoT and IT networks. It should integrate easily and quickly with IT asset management, ticketing, identity management and SIEM systems, so that data and security processes are streamlined across all business network systems and the existing infrastructure works better and more effectively. Built-in integrations with asset, ticketing and identity management systems and SIEMs make it easy to harmonize security data for a cohesive response.
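The SIEM hand-off this section calls for, as an added example that is not part of the original article or of any product: an OT incident is serialized as a Common Event Format (CEF) line, which most SIEMs ingest over syslog, with the escaping rules the format requires (backslash and pipe in the header; backslash, equals sign and newline in the extension), and a parser is included so the sender can check what the SIEM will actually see. The vendor and product strings, the severity mapping onto the CEF 0 to 10 scale and the sample incident are assumptions made for the example.

```python
import re

# Map the alert severities used in this article to the CEF 0-10 scale (assumption).
SEVERITY_TO_CEF = {"low": 3, "medium": 6, "high": 9}


def _escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and newlines must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r\n", "\n").replace("\n", "\\n"))


def to_cef(signature_id, name, severity, extension,
           vendor="ExampleNMAD", product="OT Sensor", version="1.0"):
    """Format one incident as a CEF:0 line ready to be forwarded over syslog to a SIEM."""
    header = "|".join(_escape_header(str(v)) for v in
                      ("CEF:0", vendor, product, version, signature_id, name, SEVERITY_TO_CEF[severity]))
    ext = " ".join(f"{k}={_escape_extension(str(v))}" for k, v in extension.items())
    return f"{header}|{ext}"


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append("\n" if value[i + 1] == "n" else value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> dict:
    """Parse a CEF line back, honouring escapes, to verify what the SIEM will see."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:       # seven header fields end at the 7th pipe
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF line")
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    result = dict(zip(keys, fields))
    # Extension: split on spaces that are followed by 'key='; values may contain spaces.
    for token in re.split(r" (?=\w+=)", line[i:]):
        if token:
            key, _, val = token.partition("=")
            result[key] = _unescape(val)
    return result


# Constructed incident, as an anomaly detector would emit it, deliberately
# containing a pipe in the name and an equals sign in the message.
SAMPLE_INCIDENT = {
    "signature_id": "new-host",
    "name": "Unknown host | Modbus write to PLC",
    "severity": "high",
    "extension": {"src": "192.168.7.9", "dst": "10.10.2.20", "dpt": 502, "proto": "TCP",
                  "msg": "function=write_multiple_registers not in baseline",
                  "cs1Label": "zone", "cs1": "control"},
}


def sample_line() -> str:
    return to_cef(SAMPLE_INCIDENT["signature_id"], SAMPLE_INCIDENT["name"],
                  SAMPLE_INCIDENT["severity"], SAMPLE_INCIDENT["extension"])


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print(parse_cef(line))
```

The `src`, `dst`, `dpt`, `proto` and `msg` keys are standard CEF extension keys, and `cs1`/`cs1Label` is the customary way to carry a site-specific field such as the OT zone; using them rather than free-form names is what lets an IT SIEM correlate OT incidents with the rest of its data without custom parsers.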
Conclusion
Dexcent, with several years of experience in Industrial Control Systems (ICS) and a number of successfully delivered industrial cyber security solutions, has found that modernizing OT network traffic insight is key to addressing the asset discovery, network monitoring, vulnerability management and threat detection challenges common in today's industrial Operational Technology (OT) environment. Deploying a modern NMAD solution also helps align a business's cyber security goals, speeds up processes and supports better decision making.
Ask an Expert
WANT TO LEARN MORE ABOUT the “Top Five Challenges and Solutions of Network Monitoring and Anomaly Detection (NMAD)”, or do you need a solution that will provide network visibility and operational insight?
COMPLETE OUR CONTACT FORM and one of our “OT” experts will contact you shortly. Feel free to contact us at [email protected], or call us directly at (780) 482 – 4100.
About Dexcent
Founded in 2006, Dexcent Inc. is an engineering consulting and industrial automation company that provides a range of specialized solutions for clients in a variety of industries throughout the world. Our professionals have modernized IT and OT engineering methodologies into comprehensive solutions, specializing in information analytics, cyber security, infrastructure, and control systems engineering. As such, we pride ourselves on truly transforming industrial operations to optimize business performance and deliver bottom-line results.