By Gregory Hale
Industrial Control System (ICS) monitoring has reached a point where increased visibility has become a more vital tool in the cybersecurity defense arsenal.
Passive monitoring has been de rigueur for manufacturers since its introduction to the sector roughly four years ago. While passive monitoring is good, moving to active monitoring can increase visibility and make it possible to react to an attack much more quickly.
“We always were scared of active monitoring inside the network,” said Andrea Carcano, co-founder and chief product officer of Nozomi Networks, during a talk at Black Hat USA 2019 in Las Vegas, NV, earlier this month. “Technology inside critical infrastructure is not designed for active polling, but what if we had a standard that was designed for doing this?”
The standard Carcano is talking about is IEC 62351, whose Part 7 defines network and system management (NSM) data object models that can be used to monitor the health of networks and systems, to detect possible security intrusions, and to manage the performance and reliability of the information infrastructure.
Threat Surface Growing
As the Industrial Internet of Things (IIoT) tightens its grip on the manufacturing industry, and with IT and OT converging, networks now face new and more numerous threats from outside.
Carcano said today's state-of-the-art smart grids still face technical challenges: they are insecure by design, and they rely on passive network monitoring, which gives limited visibility into asset health.
Carcano said IEC 62351-7 improves security, introduces secure network channels and makes use of network and system management. In addition, he added, Part 7 defines key data objects, uses SNMP-like protocols, increases asset visibility, improves threat detection, and applies to smart grid technologies worldwide.
The standard makes hard-to-detect threat scenarios easier to identify.
To illustrate those scenarios, Carcano, along with Alessandro Di Pinto, Nozomi security research manager, and Younes Dragoni, Nozomi security researcher, showed demonstrations where active monitoring can find answers and provide solutions more quickly than a passive system would.
Di Pinto gave a demonstration of how active monitoring could help discover a physical attack on a hydro dam process.
In the example, Di Pinto said, an attacker, either an insider or someone outside, is able to get in and control the water level. In a physical attack, he said, it is possible to pin down the attacker.
“The attacker gained access to unplug a sensor,” Di Pinto said. “When the attacker unplugs the sensor, the system sends out an alert immediately. We are able to provide the data information on which sensor inside the process was disconnected. They can reply immediately to the specific sensor.”
In another demo, Di Pinto said, an attacker could upload new ladder logic to the RTU. In this case the attacker did not change the process but added malware to exfiltrate data.
“We can detect the malicious attack using the active approach,” he said. “The attacker uploads the malware and the system was able to detect the threats and within seconds an alert goes out saying CPU usage and memory usage was too high.”
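Both demonstrations, and the IEC 62351-7 health objects described earlier, rest on the same idea: a passive sensor only sees packets, while an active poller asks the device for its own state and can name the sensor that went quiet or the RTU whose CPU and memory jumped. The following is an added example written for this article, not code from the talk or from Nozomi Networks. The object names (sensor_link_up, cpu_util_pct, mem_util_pct, program_checksum), the thresholds and the poll results are assumptions for illustration, not identifiers from the standard; the program-checksum check goes beyond the demos by flagging a logic upload directly rather than only through its load footprint.

```python
"""Active RTU health polling in the style of IEC 62351-7 NSM objects.

Added example, not code from the talk or from Nozomi Networks. Object names,
thresholds and poll data are assumptions; a real poller would fetch these
objects over SNMP or another management protocol instead of reading a list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CPU_LIMIT_PCT = 85  # assumed threshold, tune per device class
MEM_LIMIT_PCT = 85  # assumed threshold, tune per device class


@dataclass(frozen=True)
class Alert:
    device: str
    kind: str
    detail: str


class ActiveMonitor:
    """Evaluates each poll against fixed limits and against the previous poll.

    An unplugged sensor simply stops talking, and code added to the RTU shows
    up only as load on the device, so neither leaves a packet for a passive
    sensor to inspect. Polling the RTU's health objects makes both visible
    and identifies the affected component.
    """

    def __init__(self, cpu_limit: int = CPU_LIMIT_PCT, mem_limit: int = MEM_LIMIT_PCT):
        self.cpu_limit = cpu_limit
        self.mem_limit = mem_limit
        self._last: Dict[str, dict] = {}  # last poll seen per device

    def evaluate(self, device: str, poll: dict) -> List[Alert]:
        alerts: List[Alert] = []
        prev = self._last.get(device)

        # Sensor link state: alert once, on the transition to "down", and
        # report which sensor so the operator can respond to that one.
        prev_links = prev.get("sensor_link_up", {}) if prev else {}
        for sensor, up in poll.get("sensor_link_up", {}).items():
            if not up and prev_links.get(sensor, True):
                alerts.append(Alert(device, "sensor_disconnected", sensor))

        # Resource usage: unexpected load is the footprint of extra code
        # running on the RTU (the exfiltration demo).
        cpu = poll.get("cpu_util_pct")
        if cpu is not None and cpu > self.cpu_limit:
            alerts.append(Alert(device, "cpu_high", f"{cpu}% > {self.cpu_limit}%"))
        mem = poll.get("mem_util_pct")
        if mem is not None and mem > self.mem_limit:
            alerts.append(Alert(device, "mem_high", f"{mem}% > {self.mem_limit}%"))

        # Program identity (assumed object): if the device exposes a checksum
        # of its loaded logic, a change between polls flags a logic upload
        # directly rather than only through its side effects.
        if prev is not None and "program_checksum" in poll \
                and poll["program_checksum"] != prev.get("program_checksum"):
            alerts.append(Alert(device, "program_changed",
                                f"{prev.get('program_checksum')} -> {poll['program_checksum']}"))

        self._last[device] = poll
        return alerts


# Constructed poll sequence for one RTU on a hydro-dam process (illustrative):
# poll 1 healthy, poll 2 a level sensor unplugged, poll 3 new logic loaded
# and the RTU under heavy load.
POLLS: List[Tuple[str, dict]] = [
    ("rtu-dam-01", {"sensor_link_up": {"level_sensor_1": True, "level_sensor_2": True},
                    "cpu_util_pct": 22, "mem_util_pct": 41, "program_checksum": "a1b2"}),
    ("rtu-dam-01", {"sensor_link_up": {"level_sensor_1": True, "level_sensor_2": False},
                    "cpu_util_pct": 23, "mem_util_pct": 41, "program_checksum": "a1b2"}),
    ("rtu-dam-01", {"sensor_link_up": {"level_sensor_1": True, "level_sensor_2": False},
                    "cpu_util_pct": 97, "mem_util_pct": 92, "program_checksum": "c3d4"}),
]


def run_demo(polls: List[Tuple[str, dict]] = POLLS) -> List[Alert]:
    """Feeds the constructed polls through one monitor and returns all alerts."""
    monitor = ActiveMonitor()
    alerts: List[Alert] = []
    for device, poll in polls:
        alerts.extend(monitor.evaluate(device, poll))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.device}] {a.kind}: {a.detail}")
```

Keeping the previous poll per device is what lets the monitor alert once on the sensor transition instead of on every cycle, and it is also why the checksum comparison can skip the very first poll, where there is nothing to compare against. In a deployment the poll set should be restricted to read-only health objects so the monitor itself cannot disturb the process, which is the concern L18 describes.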
Growing Into Active Monitoring
While active monitoring of networks has been around for a while, users have been hesitant to employ it, fearing it could adversely affect the system. However, after a few years of passive monitoring, and with the attack surface growing larger, the industry seems poised to move to the next level: active monitoring.
After a series of demonstrations, the researchers showed that, with proper knowledge of the technology and a solid skill set in the people behind the keyboard, it is possible to build a stronger level of defense in depth.