Modern security solutions use analytics also to monitor industrial systems within the industrial IoT. IoT solutions have not only conquered our homes in recent years, but smart devices are also being used more and more frequently in the industry. The industrial IoT (IIoT) offers companies various possibilities, and the use cases extend across all sectors. The most common scenarios for IIoT include predictive maintenance, intelligent measurement technology, asset management, and fleet management.
Since 5G promises even higher reliability and speed than previous generations of mobile communications, networked devices, machines, and systems will offer even more options in the future. The IIoT can thus be used increasingly mobile and extended to regions that have hitherto been poorly connected.
With this expansion of the industrial networks into the least accessible corner, the attack surface for companies also increases. Because every network is only as secure as the weakest link in the chain. Unsurprisingly, cyber threats are increasingly targeting industrial control systems (ICS). Suppose these attacks on industrial plants are flourishing. In that case, they could release sensitive data and cause massive physical damage to machines and bring the entire production of manufacturing companies to a standstill. To prevent the risk that attackers from all parts of the world can sabotage via the Internet, companies are well-advised to attach great importance to securing their IIoT environments.
Table of Contents
IT And OT Need To Work Together
Traditionally, the IT and operational technology (OT) teams work side by side without significant contact points. To find potential weak points, close security gaps, and thus ward off the increasing threats to industrial networks, the employees responsible for the management and security of IT and OT now have to work closely together. In this way, the teams understand the interrelationships between IT and OT environments, corporate networks, and the broader industrial ecosystem, which can also include suppliers, vendors, and partners.
Considering the complexity of the security of OT solutions per se and the fact that security issues in IT and OT have so far been primarily resolved independently of one another, this new collaboration between these teams is no easy task. When working together, outdated approaches to securing OT devices must also be tested, such as the previously widespread ones.
Air-Gapping: Holey Protection
Because when it comes to protecting industrial control systems, many organizations have historically used what is known as air gapping or security through isolation. Computers isolated by air gapping have no network interfaces, neither wired nor wireless. To move data between the outside world and the air-gapping system, it is necessary to write data to a physical medium, such as a USB stick, and move it between computers physically.
Air gapping is indeed a security measure that excludes many attack scenarios. Still, firstly it prevents the advantages of digitization (for example, a proactive message from a machine that it needs a spare part) – and secondly, it offers the only safeguarding measure that is by no means absolute protection: The Stuxnet worm, for example, was designed in such a way that it penetrated its target environment via an infected USB stick.
In addition to security that can be compromised, the approach restricts organizations: Anyone who carries data through production halls in sneakers can only use technologies such as big data, artificial intelligence, and predictive maintenance to a minimal extent. So it’s no wonder that the trend is more towards networking older, previously isolated OT systems in modern architectures. Given the long service life of industrial systems, this requires a lot of finesse anyway. By their very nature, these systems are challenging to integrate into traditional IT environments. And together with the technical hurdle of integration, you have to deal with attack scenarios in detail to close possible gateways for attackers.
OT Systems Go Beyond The Scope Of Current IT Security
There are fundamental problems in securing OT environments with traditional IT security solutions: On the one hand, many solutions are based on having access to the devices and, for example, installing a software client on the operating system. With older industrial machines, this often fails because the operating system is missing or out of date or a closed, proprietary system. On the other hand, IT security solutions want to protect OT devices from the outside – a kind of digital air gapping that only allows concrete tunnels for communication. None of the approaches have been developed for the diversity of networked OTs. The devices used were not intended to integrate the security monitoring and management tools designed for corporate IT networks.
This problem has profound implications for organizations as they have a blind spot in their networks in OT systems. Without a comprehensive overview of all potential risks, weak points, and potential infiltration points in a network, the rapid detection of threats and the ability to react is not possible. The way out of this dilemma is, to put it simply, through precise observation. But how exactly do new security technologies manage to protect IIoT devices adequately?
UEBA: Check The Behavior
OT devices are usually designed to carry out the individual work steps without human intervention and behave in a certain way in a relatively predictable pattern. This also applies to the interfaces to the network. For example, they communicate with specific IP addresses and devices over specific ports at expected times. A single OT device can generate thousands of log data per second. Ultimately, the main thing is to use the existing logs to analyze the behavior of the device. SIEM solutions (Security Information and Event Management) can collect this log data and make it accessible to monitor devices and forensics.
Older SIEM solutions still lacked the necessary technology to analyze a large amount of log data. IT security employees would often have to spend days manually working through difficult-to-understand data to uncover compromise indicators. The latest generation of SIEM solutions also relies on a highly automated behavior analysis to analyze traditional endpoints and user accounts. This “User Entity Behavior Analytics” (UEBA) also dramatically simplifies the monitoring of the security of IIoT devices. By using analytics to model a comprehensive average behavioral profile of all users and entities, a UEBA solution can identify any activity that deviates from the baseline. Thanks to a modern SIEM, the OT devices’ communications logs can be used for comprehensive and uniform protection of even these difficult-to-monitor systems.
Security Down To The Last Corner
Conclusion: The hurdles to secure networked OT with a comprehensive security strategy are unquestionably high. To ensure IIoT environments in a meaningful way, OT and IT teams have to come together, avoid the pitfalls of outdated, punctual approaches such as air gaps, and ultimately find an integrated solution that guarantees the company’s integrity down to the last nook and cranny. SOC teams can use the latest generation of advanced SIEM solutions to monitor a wide variety of OT solutions in real-time. With behavioral analyzes, these create full transparency for all users and entities in the network company-wide. In this way, threats can also be detected quickly and reliably on all IIoT devices in the network, including lateral movements that are otherwise difficult to detect and zero-day exploits.
