By Dan Hoban, CSO at Nuspire
As Industrial IoT (IIoT) and Industry 4.0 saturate the latest news in manufacturing and cybersecurity, security professionals in the manufacturing space are loudly warning, “we’re not secure, we’re not ready.” ICS networks are notorious for old, outdated and unpatched systems. Traditionally, ICS systems were not connected and were relatively inaccessible from the internet. The need to patch and update systems was outweighed by the need to keep systems stable, and the risk of a breach from the internet was outweighed by the risk of compatibility issues from the upgrade. Industry 4.0 and IIoT changed all of that. Now, ICS systems are becoming more connected, making them available to the outside world for greater efficiency.
Security administrators are now trying to figure out how to overcome the massive hurdle of how to “be secure.” In many ways the deck is stacked against them—systems are old, vulnerable, and have been neglected from a security perspective for decades. Admins don’t have time on their side because remote employees, vendors and enterprise systems need access now. On top of that, there isn’t enough time to catch up and revamp the ICS network before connectivity must happen. With all that said, ICS networks do have one advantage from a security perspective: the predictability of the network itself.
The ICS Difference—Predictability
ICS networks operate in a different fashion from other “corporate” networks, and this is the advantage. Corporate networks have many users, dynamic needs and a myriad of connections, all of which are driven by people. In comparison, ICS networks are driven by machines, meaning that they are generally predictable. Manufacturing IT administrators can and should use this to their advantage.
Employees need access to different systems, different networks, different people and different tools. And these needs are changing daily. On any given day corporate network users are checking personal email, streaming music, accessing cloud applications and communicating with networks all over the world. In today’s corporate environment, no two days are the same. There is no “normal.” ICS networks have operated under predictable conditions for decades. Machines aren’t streaming media, checking email, installing new applications, or talking to new networks every day. They have a task, and they repeat that task over and over. The network activity on an ICS network is similar to what it was yesterday and it will most likely be the same activity tomorrow.
Identify Threats with Ease
How does this benefit manufacturers from a security perspective? Simple: because of the predictability of network functions, anomalous activity should stand out in the ICS environment. Think of it like this: if every day your boss came into your office at 9:15am and said, “good morning, Joe,” you could expect his visit tomorrow, and the next day, and the next. If one day he showed up at noon, or said “good morning, Donna,” you would pause and wonder why. The same can be said for ICS. Each day the network performs the same actions and makes the same network calls. If something different happens, you need to pause and ask yourself why that is happening. When this activity occurs, it’s crucial that it’s tracked.
A Security Information and Event Management (SIEM) solution can help track this activity and alert you when there is anomalous behavior. A SIEM tool can monitor normal activity and alert on anything new or unusual. When you pair a SIEM tool with the help of a security operations center (SOC), the security experts can watch the SIEM on your behalf, perform the investigations, and help remediate threats that arise on the network.
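The baseline-then-alert idea described above, as an added example that is not from the original article or from any Nuspire product: it learns which flows occur and at what hours, then flags a known flow at a new hour (the boss arriving at noon) and a flow to a new peer (“good morning, Donna”). The log format, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: ISO time, source, destination, dest port, protocol.
# 502/tcp is Modbus TCP and 44818/tcp is EtherNet/IP; all addresses are made up.
BASELINE_LOG = """\
2024-03-04T09:15:02 10.10.1.20 10.10.2.5 502 tcp
2024-03-04T09:15:04 10.10.1.21 10.10.2.5 502 tcp
2024-03-04T10:00:00 10.10.1.30 10.10.2.9 44818 tcp
2024-03-05T09:15:01 10.10.1.20 10.10.2.5 502 tcp
2024-03-05T09:15:03 10.10.1.21 10.10.2.5 502 tcp
2024-03-05T10:00:00 10.10.1.30 10.10.2.9 44818 tcp
"""

TODAY_LOG = """\
2024-03-06T09:15:02 10.10.1.20 10.10.2.5 502 tcp
2024-03-06T12:00:07 10.10.1.21 10.10.2.5 502 tcp
2024-03-06T10:00:00 10.10.1.30 10.10.2.9 44818 tcp
2024-03-06T10:02:11 10.10.1.30 203.0.113.7 443 tcp
"""

def parse(log):
    """Yield (hour, flow_key) for each record in the log text."""
    for line in log.strip().splitlines():
        ts, src, dst, port, proto = line.split()
        yield datetime.fromisoformat(ts).hour, (src, dst, int(port), proto)

def learn_baseline(log):
    """Map each flow seen in the learning window to the hours it occurred."""
    baseline = defaultdict(set)
    for hour, key in parse(log):
        baseline[key].add(hour)
    return dict(baseline)

def detect(baseline, log):
    """Return (reason, hour, flow_key) for every record that deviates."""
    alerts = []
    for hour, key in parse(log):
        if key not in baseline:
            alerts.append(("new_flow", hour, key))       # never-seen peer or port
        elif hour not in baseline[key]:
            alerts.append(("unusual_hour", hour, key))   # known flow, new time of day
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_LOG), TODAY_LOG):
        print(alert)
```

On a corporate network this exact-match approach would drown in alerts; it is workable here only because machine-driven traffic repeats from day to day.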
What to Monitor on the ICS Network
Not sure what type of activity to look for on your ICS network? Here are a few:
ICS network admins may not be able to upgrade and replace systems tomorrow, but network monitoring can start in a few days. Nuspire has helped many manufacturers gain visibility into network operations, identify “normal” activity on the network and provide the necessary resources to respond to unusual network activity. By leveraging the strength of the ICS network (predictability), better security can be achieved quickly.