IoT Brings access to everything
Safeguarding the Industrial IoT: Adopting a next-generation approach
By Trevor Daughney, Vice President of Product Marketing, Exabeam
The digitalization of industrial assets is creating a growing awareness of the importance of protecting connected OT environments from cyberattacks that damage production, harm the organization, and expose sensitive data.
As we discovered in the previous article, cyber threats are increasingly being directed at industrial control systems (ICS) with the aim of shutting down production lines or inflicting massive physical damage to equipment.
With threats to industrial networks on the rise, employees responsible for managing and securing IT and OT will need to collaborate closely to pinpoint potential vulnerabilities and prioritize where security gaps need to be closed. In doing so, IT and OT teams gain the deep understanding they need of the inter-relationships between OT environments, business networks and the wider industrial ecosystem itself – which may also incorporate suppliers, vendors and partners.
That’s no easy task when you consider how, until now, IT and OT security issues have largely been addressed in their respective silos. What’s more, the challenge of addressing the security of OT solutions is not an easy one to surmount.
When it comes to protecting industrial control systems, many organizations still employ an approach known as air-gapping, or security by isolation, in a bid to bolster the security of legacy OT systems against cyberattack. However, while effective as a stopgap security measure, air-gapping isn’t an ideal solution for the long term. And it certainly shouldn’t be utilized in isolation. Take the Stuxnet worm attack, for example, which was designed to breach its target environment via an infected USB stick – crossing through any air gap. With malicious computer worms such as this in existence, air-gapping alone is not adequate security.
Aside from the fact that air-gapping systems significantly limits the ability of organizations to leverage the real-time data these systems generate to cut costs, reduce downtime and improve efficiency, many of today’s modern architectures now enable the connection of legacy OT to the internet for the purposes of modern operational command and control. Indeed, 40% of industrial sites have at least one direct connection to the public internet – which puts these OT networks directly in the line of fire when it comes to potential exposure to adversaries and malware.
Unfortunately, many of the security solutions designed for the IT world weren’t custom-built to handle the complexities of today’s connected OT environments. That’s because the IoT devices utilized within OT systems weren’t devised to be integrated with the security monitoring and management tools designed for corporate IT networks.
The implications of this for organizations are profound: they have no visibility of OT network events or assets. And without an enterprise-wide view of all potential risks, vulnerabilities and potential infiltration points, the rapid threat detection and response capabilities of these companies are seriously compromised.
That’s not good news for security teams tasked with protecting IIoT environments from a growing number of threat actors who are targeting the control systems of multiple industries.
Addressing device risks with UEBA
The good news is that efficiently and effectively monitoring OT devices isn’t an impossible task. Typically designed to operate without human action, these devices ‘behave’ in a certain way. For example, they communicate using specific ports, with certain IP addresses and devices, at expected times. These actions can be interpreted as ‘behavior’, and user and entity behavior analytics (UEBA) deployed to increase security-monitoring capabilities; UEBA can in turn be integrated with security information and event management (SIEM) to perform comprehensive infrastructure monitoring in a truly unified manner.
Rather than spending days or weeks using a legacy SIEM system to manually query and pivot each of the hundreds or thousands of logs per second generated by a single OT control point, UEBA makes it faster and easier to uncover indicators of compromise.
Using analytics to model a comprehensive normal behavioral profile of all users and entities across the entire environment, UEBA solutions will identify any activity that is inconsistent with these standard baselines. Packaged analytics can then be applied to these anomalies to discover threats and potential incidents.
In this way, it becomes possible to systematically monitor the voluminous outputs from IIoT devices, alongside IT devices, to find potential security threats. Other activities, such as device logins, can also be monitored.
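To make the baseline-and-anomaly idea above concrete, here is an added example (not code from the article or from Exabeam) of the simplest form of entity behavior modelling for an OT device: learn which peers, services and hours of the day a device normally uses from a learning window of flow records, then flag later records that deviate on any of those dimensions. The log format, the device name `plc-07` and all addresses are constructed for the example; a real deployment would learn from weeks of data and feed the findings into the SIEM rather than printing them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real data): "timestamp device peer:port proto".
# The learning window shows the PLC polling a historian on Modbus (502/tcp) around
# 02:00 and syncing time over NTP (123/udp) around 03:00.
BASELINE_LOGS = """\
2024-03-01T02:00:11 plc-07 10.20.0.5:502 tcp
2024-03-01T02:05:12 plc-07 10.20.0.5:502 tcp
2024-03-01T03:00:09 plc-07 10.20.0.9:123 udp
2024-03-02T02:00:15 plc-07 10.20.0.5:502 tcp
2024-03-02T03:00:04 plc-07 10.20.0.9:123 udp
2024-03-03T02:00:10 plc-07 10.20.0.5:502 tcp
"""

# Constructed records from a later day: one normal poll, one poll at an unusual
# hour, one connection to an external host, one new internal peer and service.
NEW_LOGS = """\
2024-03-04T02:00:13 plc-07 10.20.0.5:502 tcp
2024-03-04T14:22:41 plc-07 10.20.0.5:502 tcp
2024-03-04T14:23:05 plc-07 203.0.113.40:443 tcp
2024-03-04T02:01:00 plc-07 10.20.0.31:445 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def parse(text):
    """Turn log text into (device, peer, port, proto, hour) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, dev, peer, port, proto = m.groups()
        events.append((dev, peer, int(port), proto, datetime.fromisoformat(ts).hour))
    return events


def build_baseline(events):
    """Per device, record the peers, (proto, port) services and active hours seen while learning."""
    baseline = defaultdict(lambda: {"peers": set(), "ports": set(), "hours": set()})
    for dev, peer, port, proto, hour in events:
        baseline[dev]["peers"].add(peer)
        baseline[dev]["ports"].add((proto, port))
        baseline[dev]["hours"].add(hour)
    return baseline


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_events(baseline, events, hour_slack=1):
    """Return [(event, [reasons])] for every event that deviates from its device's baseline."""
    findings = []
    for ev in events:
        dev, peer, port, proto, hour = ev
        profile = baseline.get(dev)
        reasons = []
        if profile is None:
            reasons.append("unknown device")
        else:
            if peer not in profile["peers"]:
                reasons.append(f"new peer {peer}")
            if (proto, port) not in profile["ports"]:
                reasons.append(f"new service {proto}/{port}")
            if not any(_hour_distance(hour, h) <= hour_slack for h in profile["hours"]):
                reasons.append(f"off-hours activity at {hour:02d}:00")
        if reasons:
            findings.append((ev, reasons))
    return findings


def detect(baseline_text, new_text):
    """Learn from baseline_text, then score new_text; the more reasons, the higher the priority."""
    baseline = build_baseline(parse(baseline_text))
    return score_events(baseline, parse(new_text))


if __name__ == "__main__":
    for (dev, peer, port, proto, hour), reasons in detect(BASELINE_LOGS, NEW_LOGS):
        print(f"{dev} -> {peer}:{port}/{proto} @ {hour:02d}:00  [{'; '.join(reasons)}]")
```

Run on the constructed data, the 02:00 Modbus poll produces no finding, the 14:22 poll is flagged only for its timing, the HTTPS connection to an external address is flagged on all three dimensions, and the connection to a never-seen internal peer on a never-seen service is flagged on two. Counting reasons is a crude stand-in for the packaged analytics the article describes, but it already sorts the four records into a sensible triage order; in a SIEM the same per-entity profile would be a stored model and each reason a weighted rule contributing to a risk score.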
As we’ve seen, the limitations of both legacy and modern IIoT, OT and IoT solutions are persistent, but there are steps that companies can take to ensure the integrity of their business operations.
The key here is to avoid a ‘point solution’ approach and instead opt for an integrated solution that combines UEBA with a modern SIEM platform to deliver an enterprise-wide view of IT and OT security. This makes it possible to initiate the all-important centralized monitoring that enables increased detection of threats – including difficult-to-detect techniques like lateral movement.
With this in place, a single SOC team can leverage the SIEM to ingest and analyze data from all the organization’s sources and gain a real-time view on all security – including full visibility of all devices in their OT environments.