
Part # 4 - OT / ICS Asset Discovery, Vulnerabilities & Threat Detection (or OT IDS / AD) Solution Selection & Implementation

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by an individual or an organization / business / entity. The information provided is for education and awareness and is not specific to any business or situation.


This is Part 4, “OT / ICS Asset Discovery, Vulnerabilities & Threat Detection (or OT IDS / AD) Solution Selection & Implementation”, of “The OT Security Dozen”, a 12-part series on building an OT / ICS cybersecurity program, an essential part of establishing an OT/ICS Cyber Security Management System (OT CSMS) or program governance for an industrial operations environment.

Note:

  • OT/ICS cybersecurity awareness is a common theme running through “The OT Security Dozen” series; the aim is to raise awareness of each type of control covered.

  • This is a vendor-neutral perspective: no vendor names are included, and the intent is not to promote any specific product. This is not sponsored content.

"No silver bullet, no 1 tool to install & forget. It’s about discovery, selection, plan, design/architect, implementing an OT IDS/Anomaly detection solution; then establishing and maintaining a program around operating, continuously monitoring & measuring improvements".

M. Yousuf Faisal

This part helps industrial end-user/operator organizations understand the typical challenges and drivers behind selecting, implementing, and maintaining an OT Intrusion Detection (OT IDS) or Anomaly Detection (AD) solution for OT networks, and how such a solution addresses the lack of contextual visibility and situational awareness by identifying assets, traffic flows, vulnerabilities and risks, and by supporting continuous monitoring and incident response activities.

Assumption: an OT/ICS cybersecurity assessment / review has been completed, including asset discovery and a network diagram (ideally, network segmentation between IT & OT networks is also in place; it is not mandatory, but it can lower the cost of the solution implementation). With that, the essential site and technical prerequisites are available to evaluate, select, implement and run an OT IDS / AD solution that enhances the OT/ICS cybersecurity program.

OT Industry Challenge – Lack of Contextual Visibility

Historically, because of IT & OT convergence (yes, this transpired 2+ decades ago), OT/ICS or production control networks have lacked contextual visibility: what is connected to the network and how traffic flows between the assets on it. Growing business demands for efficiency, productivity and connectivity, driven by Industry 4.0 / IIoT digital transformation initiatives, have compounded these visibility challenges further. Until a few years ago, only a handful of solutions existed; they had very limited or no capability to interpret a wide range of industrial protocols or to detect anomalies, and they required a lot of customization and advanced skill sets.

Other challenges associated with OT asset and traffic visibility, true to this day for many manufacturers, include (but are not limited to):

  • No or outdated overall / central OT Asset inventory and network diagrams maintained by the production facility

  • Lack of traffic visibility (or documented data/communications flow) across OT network

  • Project-based OT asset inventories and network diagrams (sometimes covering only part of the production facility, e.g., new production lines), usually outdated, with changes/updates lost for various reasons (diagram provided by the vendor / SI at commissioning time, implementation done several years ago, people/vendor moved on, original copy missing, etc.).

  • Engineering resources are tasked with managing individual production lines, so there is a lack of knowledge and/or ownership for keeping track of changes and updating documents.

Knowing what needs to be protected (asset discovery) and what the risks are (vulnerabilities and threats) is crucial for any IT or OT cybersecurity program; according to almost all international standards and best practices, these are foundational controls that should be put in place.

Market Response – OT IDS/Anomaly Detection Solution(s)

Industry responded initially with point products addressing specific needs: OEM vendor offerings addressing OT asset discovery/inventory challenges, and/or specialized products addressing anomaly detection.

Later, specialized security solutions emerged that, quickly recognizing market demand, bundled both visibility and detection capabilities. Over the last 6 years or so the number of such security vendor solutions has increased dramatically, through niche players entering this space and raising millions in funding, and through traditional global networking or software names either building or acquiring such specialized solutions and integrating them into their product portfolios.

The last 2 years of the pandemic saw accelerated growth in the maturity of these solutions: expanded OT protocol coverage, greater accuracy in asset, vulnerability and anomaly/threat detection, and added capabilities such as IoT, IIoT or IoMT device visibility. These solutions are now available in different form factors: on-prem hardware, software-based solutions, containerized in networking gear, and managed via SaaS-based portals.

The diagram below depicts a few cybersecurity challenges faced by an industrial organization and how OT IDS / AD solution(s) address them across the PREDICT, PREVENT, DETECT and RESPONSE cycle (at a high level):

OT Cybersecurity Challenges & How OT IDS/AD Solution(s) helps address them

OT/ICS Cybersecurity Program & Mapping to Industry Standards

OT/IOT IDS/AD Solution – Example Standards Mappings

Pre-requisites & Things To Consider

There are several key prerequisites for implementing an OT IDS / AD solution for OT environments (e.g., manufacturing). Some important considerations include:

  • Senior leadership support is critical (allocation of funds & resources)

  • Full discovery is done for the sites in scope and site readiness validated

  • Target monitoring scope clearly defined, i.e., coverage for north-south and east-west OT traffic (e.g., OT DMZ, across production lines, warehouse, building management, lab, etc.)

  • Collaboration & coordination between IT & OT teams, with resources identified and a clear RACI and support structure plan

  • Support from OEM vendors, system integrators, or suppliers that run / operate / support production and associated network facilities.

  • Management of collected data, its security and privacy.

OT IDS / Anomaly Detection Solution Comparison & Selection

There are several different OT IDS / AD solutions available in the market with support to provide coverage across IT, OT, IOT, IIOT devices/systems. 

Below is a high-level list of OT IDS / AD solution evaluation and selection criteria (in no particular order). Note: while comparisons are useful, conducting a POC and reviewing the outcome is the best way to select a solution; narrow the field down to the top 2 solutions for the POC.

  • Most critical: alignment with the end user's OT/IoT-specific environment (network architecture, OT protocols in use and their support, and the elements below)

  • Accuracy & Performance (identifying assets, ability to create baselines & Mapping of Network (traffic flows between zones/conduits) and detecting anomalies)

  • Data sources and coverage (IT/OT/IOT/IIOT and protocol coverage)

  • Methods and Techniques (Passive, active probes, config parsing etc.)

  • Scalability and Integration (ease of scaling up/down and integration with existing IT/OT technology stack)

  • Alerting, Reporting & Dashboards (baseline deviations, security/operational alerts, risk reporting, customization of local/global summary/dashboards etc.)

  • Support and Maintenance (technical support, frequency of updates, documentation, training etc.)

  • Costs and ROI (both direct and indirect costs of hardware, licenses, subscriptions, annual maintenance, and services – i.e., implementation, fine tuning, maintaining for both external / internal resources)

  • Optional: mapping to industry standards, e.g., IEC 62443 / NIST CSF / CSC20 (now rebranded as CSC18) and/or the MITRE ATT&CK framework.

Example OT IDS Solution Comparison Scores with Spider Chart

OT IDS / Anomaly Detection – Methods & Techniques

There are a few different methods that OT IDS / AD solution(s) can use, including passive, active, and configuration-file methods. Each has its own characteristics and advantages, and they can be used alone or in combination depending on the goals and objectives defined.

  • PASSIVE discovery = non-intrusive, easy to configure, and real-time.

  • ACTIVE scans / probes = query assets directly and are especially good at finding details about Windows devices that passive discovery will miss.

  • Parse device configuration files = reconstruct an inventory from the devices' configuration files.

  • API integration = discover infrastructure & connected devices through APIs.

OT IDS / AD solution(s) may leverage a combination of statistical analysis, machine learning and artificial intelligence techniques for enhanced detection and alerting capabilities. 
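To make the passive method concrete, here is an added example written for this page; it is not code from the newsletter or from any vendor's product. It builds a handful of Ethernet/IPv4/TCP frames carrying Modbus/TCP requests in memory (so it runs offline, in the spirit of an offline, PCAP-based POC), parses them passively into flow records, learns a baseline of assets and conversations in learning mode, and then reports deviations in alerting mode. Everything in it is an assumption for illustration: Modbus/TCP on port 502 is the only OT protocol considered, and the HMI, PLC and laptop names, IPs and MAC addresses are constructed.

```python
import struct

MODBUS_TCP_PORT = 502  # well-known Modbus/TCP port; assumed to be the only OT protocol here

# Constructed asset identities for the sample network (not real devices)
HMI_IP, HMI_MAC = "10.1.1.10", "00:11:22:33:44:10"
PLC1_IP, PLC1_MAC = "10.1.1.21", "00:11:22:33:44:21"
PLC2_IP, PLC2_MAC = "10.1.1.22", "00:11:22:33:44:22"
LAPTOP_IP, LAPTOP_MAC = "10.1.1.99", "00:11:22:33:44:99"

READ_HOLDING = 3     # Modbus function 3: read holding registers
WRITE_MULTIPLE = 16  # Modbus function 16: write multiple registers


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet + IPv4 + TCP frame (checksums left zero: sample data only)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ipv4 + tcp + payload


def modbus_request(unit, function, body):
    """Modbus/TCP ADU: MBAP header (transaction id, protocol 0, length, unit id) + PDU."""
    pdu = bytes([function]) + body
    return struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Passively extract a flow record from one frame; None for anything not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol number 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]
    record = {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "dst_port": dst_port,
        "function": None,  # Modbus function code when the payload is Modbus/TCP
    }
    if dst_port == MODBUS_TCP_PORT and len(payload) >= 8:
        record["function"] = payload[7]  # first PDU byte after the 7-byte MBAP header
    return record


class Baseline:
    """Learning mode records what is normal; alerting mode reports deviations from it."""

    def __init__(self):
        self.assets = {}            # ip -> mac seen during learning
        self.conversations = set()  # (src_ip, dst_ip, dst_port)
        self.functions = {}         # (src_ip, dst_ip) -> set of Modbus function codes

    def learn(self, frames):
        for r in filter(None, map(parse_frame, frames)):
            self.assets.setdefault(r["src_ip"], r["src_mac"])
            self.assets.setdefault(r["dst_ip"], r["dst_mac"])
            self.conversations.add((r["src_ip"], r["dst_ip"], r["dst_port"]))
            if r["function"] is not None:
                self.functions.setdefault((r["src_ip"], r["dst_ip"]), set()).add(r["function"])

    def alert(self, frames):
        alerts = []
        for r in filter(None, map(parse_frame, frames)):
            for ip, mac in ((r["src_ip"], r["src_mac"]), (r["dst_ip"], r["dst_mac"])):
                if ip not in self.assets:
                    alerts.append(f"NEW_ASSET {ip} ({mac})")
                elif self.assets[ip] != mac:  # same IP, different hardware address
                    alerts.append(f"MAC_CHANGE {ip} {self.assets[ip]} -> {mac}")
            if (r["src_ip"], r["dst_ip"], r["dst_port"]) not in self.conversations:
                alerts.append(f"NEW_CONVERSATION {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']}")
            known = self.functions.get((r["src_ip"], r["dst_ip"]), set())
            if r["function"] is not None and r["function"] not in known:
                alerts.append(f"NEW_MODBUS_FUNCTION {r['function']} {r['src_ip']} -> {r['dst_ip']}")
        return alerts


def sample_learning_frames():
    """Constructed 'normal' traffic: the HMI polls both PLCs with read requests."""
    read = modbus_request(1, READ_HOLDING, struct.pack("!HH", 0, 10))  # start 0, 10 registers
    return [build_frame(HMI_MAC, PLC1_MAC, HMI_IP, PLC1_IP, 49152, MODBUS_TCP_PORT, read),
            build_frame(HMI_MAC, PLC2_MAC, HMI_IP, PLC2_IP, 49153, MODBUS_TCP_PORT, read)]


def sample_alerting_frames():
    """Constructed later traffic: a normal HMI poll, then a write from a host never seen in learning."""
    read = modbus_request(1, READ_HOLDING, struct.pack("!HH", 0, 10))
    write = modbus_request(1, WRITE_MULTIPLE, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01")  # 1 register
    return [build_frame(HMI_MAC, PLC1_MAC, HMI_IP, PLC1_IP, 49154, MODBUS_TCP_PORT, read),
            build_frame(LAPTOP_MAC, PLC1_MAC, LAPTOP_IP, PLC1_IP, 50000, MODBUS_TCP_PORT, write)]


def run_demo():
    """Learn from the baseline traffic, then evaluate the later traffic against it."""
    baseline = Baseline()
    baseline.learn(sample_learning_frames())
    return baseline, baseline.alert(sample_alerting_frames())


if __name__ == "__main__":
    baseline, alerts = run_demo()
    print("assets discovered:", sorted(baseline.assets))
    for a in alerts:
        print("ALERT", a)
```

Running it discovers the three learned assets and raises three alerts for the second phase: an asset never seen during learning, a conversation that was not in the baseline, and a Modbus function code (a write) that the HMI-to-PLC baseline never contained. The one-MAC-per-IP check only holds within a single Layer 2 segment (through a router the MAC seen is the gateway's), which is one reason sensor placement per zone matters when the monitoring scope is defined; the simplification is deliberate here, and a commercial product adds many more protocol dissectors and device fingerprinting on top of the same learn-then-alert idea.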

OT IDS / AD Solution Implementation Types / Scenarios

The following diagram highlights a few examples of on-prem and hybrid implementations in 2-tier or 3-tier architecture models, for a single site and/or a multi-site global deployment:

Example OT IDS/AD Deployment Architecture Types

Define Success Criteria

Define success criteria early in the project lifecycle across the following:

  • Project Execution / Deliverables – across each project stage

  • For solution running in Learning / Monitoring / Training Mode

  • For solution running in Alerting / Audit Mode.

OT IDS / Anomaly Detection – POC & Implementation

The implementation of an OT IDS / AD solution typically involves several steps or stages. Some of the key steps involved in running a POC and/or deploying an OT IDS / AD solution are depicted in the following diagram:

OT IDS POC Options and OT IDS Implementation Project Stages

Note: Two types of POC approach can be adopted, (a) offline POC and (b) online POC. The key difference is that the offline POC is performed in a lab environment using PCAPs, while the online POC is performed on site at a production facility.

OT Cybersecurity Program & Processes

Once implemented, the OT IDS / AD solution becomes one of the main OT log sources, providing comprehensive details of network-based activities / events and generating alerts. Organizations need a plan in place for handling those alerts effectively, which should include:

  • Prioritizing and triaging alerts

  • Investigating and determining the cause of the alert

  • Implementing a response plan

  • Monitoring and evaluating the response

  • Where required, update policies and procedures accordingly.

After implementation, organizations can take several steps to run and improve the OT cybersecurity program, which may include:

  • Developing guidelines to effectively manage and run the solution

  • Regularly reviewing and updating policies and procedures

  • Conducting regular assessments and audits

  • Training and educating the personnel responsible for interacting with the solution

  • Implementing controls and measures to protect the solution itself.

Documenting the Deployment – Solution Design & Implementation (Configs & SOPs)

Document | Document | Document, across the entire project lifecycle. It is critical to understand the importance of documenting the discovery, design/architecture and implementation details, and the standard operating procedures for managing the solution. The following diagram highlights, as an example only (not an exhaustive list), the essential elements to be documented, maintained and kept up to date (create and maintain a single document or a set of documents, based on organizational practices):

Example OT IDS / AD Solution Design & Implementation Document

Knowledge Transfer Overview

After the OT IDS solution has been implemented, ensure there is a hand-over between the implementation team and the operations team that will be running & managing (plus monitoring) the solution. A good way is to arrange a knowledge transfer session between the teams covering the following topics:

  • Brief on Solution Components & Functions

  • Solution Implementation Design / Architecture

  • Brief introduction to basic and advanced functionality

  • Processes and Support for smooth operations.

Note: This is not intended as a training alternative. For product training, look at the OT IDS / AD vendor's own training options.

Recommendations

Avoid common failures in addressing asset visibility needs, solution selection & implementation, and operationalization of the solution by:

  • Ensuring the pre-requisites (mentioned earlier) are addressed with full commitment from executive management

  • Not getting hung up on solution comparisons; go with the tool that meets your requirements and budget (the feature war is for another day: if you are not going to use a certain functionality, why worry about or invest in it?)

  • Not relying solely on the solution (it can produce false positives); validate discovered assets via physical inspection/observation and update/tag corrections in the asset inventory.

  • Ensuring resources are allocated, and building processes around the solution for continuous monitoring and improvement.

Key Takeaways

An OT IDS / AD solution is also a key security control for any OT cybersecurity program, directly or indirectly improving or facilitating the following security processes:

  • Asset Management (identification & inventory)

  • Network Segregation (identify data flows between zones & systems)

  • Vulnerability Management (identification & tracking)

  • Configuration Hygiene (identify configuration weaknesses, insecure protocols)

  • Cybersecurity monitoring (detection and alerting)

  • Incident Response (to security incidents and breaches)

  • Compliance (with applicable regulations, standards, and internal policy).

Next Steps

For your industrial operations, select, design, and implement an OT IDS / AD solution for contextual visibility of the OT network environment. If you are unsure where to start, engaging an expert is your best bet to help you select and implement the right OT IDS / AD solution.

Feel free to reach out or get in touch at info[@]securingthings[dot]com for your OT IDS / AD Implementation project.

Follow @securingthings. It’s a great day to start “Securing:Things”. 

#theotsecuritydozen #otsecuritydozen #securingthings #otsecurity #ot #otcybersecurity #ics #icssecurity #icscybersecurity #otids #otanomalydetection #icssecuritysolutions #isa #icsreferencearchitecture #operationaltechnology #otidsimplementation #iec62443 #criticalinfrastructure #criticalinfrastructureprotection #otsidsolutioncomparison #ottools #criticalinformationinfrastructure #sgcii #securityawareness #OTsecurityawareness #icssecurityawareness #otstrategy #icscybersecurityprogram #otcybersecurityprogram
