How can security teams effectively monitor OT and ICS networks?

Modern industrial operations are complex and dynamic environments that have unique security challenges. Andrew Ginter, VP Industrial Security at Waterfall Security Solutions, talks about the issues associated with creating a robust cybersecurity posture in this domain and introduces Waterfall for IDS, a new type of unidirectional gateway.

monitor OT ICS networks

So Andrew, how are ICS threats and ICS security evolving? What should organizations be worried about?

The latest widespread threat is organized crime planting ransomware like LockerGoga in industrial networks and demanding large ransoms. When ransomware shuts down a plant, the industrial enterprise loses production and may also suffer equipment damage. Some industrial processes are really quite fussy – steel mills for example. If heavy equipment is shut down the wrong way, it may suffer physical damage. The problem with physical consequences, be they lost production, damaged equipment, or worse human casualties or environmental disasters – the problem with physical consequences is that they cannot be “restored from backups.”

In a sense this is not new though, our attackers have been becoming more capable for over a decade. The news is that while we have all been talking the talk about “IT/OT integration” for going on 15 years, we are finally seeing concrete progress on IT/OT security. In the last 18 months we are seeing that IT teams are increasingly responsible for OT security, and large numbers of them are for the first time acting on that responsibility. Enterprise security teams in industrial enterprises are moving in significant numbers to extend the visibility of their SOCs into industrial and operations networks. One concrete outcome of this activity is that we now see security teams buying and deploying a new class of OT IDS sensors.

There are a number of start-ups in this arena, many supported by heavy venture investments – think names like Indegy, Dragos, Nozomy, CyberX and ForeScout/SecurityMatters. These vendors provide technology focused on analyzing OT network traffic and raising alarms when suspicious traffic patterns or attack signatures are detected.

How important is the extension of intrusion detection systems into operations technology?

To industrial enterprises, this is very important. Intrusion detection and security monitoring are the backbone of enterprise security programs. That these enterprises are largely blind to the security status of some of their most important networks has been a major concern. Now that very OT-focussed IDS sensors are becoming widely available, enterprise security teams can address this concern.

There is a problem with this trend though – we see operations teams resisting this change. The root of the problem is that all IDS sensors, OT or not, are “fussy.” These sensors need regular adjustment to tweak machine learning algorithms, reduce false positives, update signatures, update software, and so on. This means SOC security analysts need routine remote access to the sensors.

There are only two ways to provide such remote access – connect IDS sensor management ports to OT networks, or connect management ports to external networks, such as enterprise networks, the Internet or some other external network. Operations objects – legitimately – to both approaches.

If we connect the management port to an OT network, then we need our SOC analysts to be able to log into most of our OT networks all over our enterprise pretty regularly. Operations teams ask us “You want who to get access to all of our plants? To do what? To do it to what on our networks?” Operations networks are sensitive – they control costly, powerful and often dangerous physical processes. One false move on those networks and we have physical consequences – the same consequences that our security systems are supposed to prevent, not contribute to.

If instead we connect the management ports to external networks, operations still push back. Any such connection represents an opportunity to attack the sensor from that external network. A successful attacker can then pivot their attack through the compromised sensor into the OT network. This is because every OT sensor is also connected to an OT SPAN or mirror port. These ports are notorious for providing bi-directional access back into OT switches, even when switch vendor documentation says otherwise.

You are announcing a solution – what is Waterfall for IDS and how does it help?

Waterfall for IDS is a type of unidirectional gateway. The product is deployed between an OT IDS sensor and an OT network mirror port. The product hardware is physically able to send information in only one direction – from the mirror port into the sensor. All cyber attacks are information. It does not matter how capable our attackers are or how sophisticated their malware is – if no information can get from a compromised sensor back into an OT network, then no attacks can get back either.

What this means is that we can deploy our new OT IDS sensors on our enterprise networks where our SOC analysts can log into them and manage them easily, without risk to operations. The Waterfall for IDS hardware physically prevents any attack information from leaking back into our very important operations networks from external sensors. Those sensors though, still get a clean feed of OT network traffic to analyze, so they can alert our central SOCs to any problems that arise on OT networks.

monitor OT ICS networks

How does Waterfall for IDS fit into the existing security infrastructures of industrial enterprises?

With Waterfall for IDS, operations resistance to enterprise security monitoring programs vanishes. Industrial enterprises can monitor their OT networks and manage OT sensors from their central SOC, all without risk to the monitored OT networks. From the perspective of the industrial network, nothing changes – no new hosts to manage, no new remote access connections to authorize, and no SOC analysts to add to security training and awareness programs.

Industrial networks are among the most important networks in industrial enterprises. Monitoring of those networks for security status and attack indications is vital. Waterfall for IDS enables that monitoring without introducing new remote access and attack pivoting vulnerabilities.

OT networks use different applications and protocols than do IT networks – will SOC analysts and SIEMs even understand what to do with OT IDS alerts?

Good question – this is a red herring that confuses a lot of people. The very highest levels of OT networks look a lot like IT networks – Windows hosts everywhere, relational databases, web servers, domain controllers and all the trappings of an IT network. The skills and automation that existing SOC analysts have for managing IT networks and investigating attacks in those networks very much apply to OT networks.

The very lowest levels of OT networks – the levels closest to the physical process – are where we see industrial network protocols, devices and applications that are alien to many enterprise analysts. These protocols are, however, understood by the new class OT IDS sensors and these things are increasingly understood by OT-capable SIEMs. Historically we have not focused on OT capabilities in our SOCs because we did not need to – our SOCs were blind to our OT networks. Today, as operations networks are brought into the fold of enterprise monitoring systems, SIEMs are being updated, SOC analysts are being trained and new OT-knowledgeable security experts are being hired. OT expertise in enterprise SOCs is a consequence of OT network visibility, not a prerequisite for it.

Has Waterfall for IDS been certified? What about compliance?

Waterfall for IDS uses the Waterfall Unidirectional Gateway hardware that is Common Criteria certified to level EAL4+ (high attack potential). This certification means the entire solution is proof against even the most sophisticated cyber attacks and adversaries. Waterfall products are also certified by the French ANSSI authority, Singapore NITES, Israeli NISA and other authorities.

Competing solutions have no such certifications or assurances:

  • Firewalls are software – steal a password and all of the software’s defenses are defeated. Software solutions are generally not able to be certified against high attack potential adversaries.
  • Network switches may claim to have unidirectional SPAN or mirror ports, but vendor documentation in this regard is notoriously unreliable. Even when these ports have some degree of protection, switches enforce unidirectionality in software, so again, steal a password and all such protections can be disabled. No network switch is certified to be unidirectional in the face of high attack potential.
  • Network taps often claim unidirectionality, but we have only the vendor’s claims here – no network tap is Common Criteria certified for unidirectionality.

As to compliance, Waterfall for IDS is recognized by NERC CIP, US DHS and other standards and best practices as enabling the highest degrees of protection for monitored OT networks.

In short, we are at the start of a new era for OT security monitoring. A host of vendors are finally producing credible OT sensors, SIEM vendors are updating their systems to understand OT networks and enterprise security teams are integrating these technologies into their systems, people and processes. The new Waterfall for IDS product supports this evolution and addresses objections from operations by safely feeding OT network information into the new generation of centrally managed OT IDS sensors.

Don't miss