The Biggest Security Advantage For ICS Networks



By Dan Hoban, CSO at Nuspire

As Industrial IoT (IIoT) and Industry 4.0 saturate the latest news in manufacturing and cybersecurity, there is a large clamoring from security professionals in the manufacturing space screaming “we’re not secure, we’re not ready.” ICS networks are notorious for old, outdated and unpatched systems. Traditionally, ICS systems were not connected and were relatively inaccessible from the internet. The need to patch and update systems was outweighed by the need to keep them stable, and the risk of a breach from the internet was outweighed by the risk of compatibility problems from an upgrade. Industry 4.0 and IIoT changed all of that. Now, ICS systems are becoming more connected, which exposes them to the outside world in exchange for greater efficiency.

Security administrators are now trying to figure out how to overcome this massive hurdle of how to “be secure.” In many ways the deck is stacked against them: systems are old, vulnerable, and have been neglected from a security perspective for decades. Admins don’t have time on their side because remote employees, vendors and enterprise systems need access now. On top of that, there isn’t enough time to catch up and revamp the ICS network before connectivity must happen. With all that said, ICS networks do have one advantage from a security perspective: the predictability of the network itself.

The ICS Difference—Predictability

ICS networks operate in a different fashion from other “corporate” networks, and this is the advantage. Corporate networks have many users, dynamic needs and a myriad of connections, all of which is driven by people. In comparison, ICS networks are driven by machines, meaning that they are generally predictable. Manufacturing IT administrators can and should use this to their advantage.

Employees need access to different systems, different networks, different people and different tools, and these needs change daily. On any given day corporate network users are checking personal email, streaming music, accessing cloud applications and communicating with networks all over the world. In today’s corporate environment, no two days are the same. There is no “normal.” ICS networks, by contrast, have operated under predictable conditions for decades. Machines aren’t streaming media, checking email, installing new applications, or talking to new networks every day. They have a task, and they repeat that task over and over. The activity on an ICS network today is similar to what it was yesterday, and it will most likely be the same tomorrow.

Identify Threats with Ease

How does this benefit manufacturers from a security perspective? Simple: because network functions are predictable, anomalous activity should stand out in the ICS environment. Think of it like this: if every day your boss came into your office at 9:15am and said, “good morning, Joe,” you could expect his visit tomorrow, and the next day, and the next. If one day he showed up at noon, or said “good morning, Donna,” you would pause and wonder why. The same can be said for ICS. Each day the network performs the same actions and makes the same network calls. If something different happens, you need to pause and ask why it is happening. When this activity occurs, it’s crucial that it’s tracked.

A Security Information and Event Management (SIEM) solution can help track this activity and alert you when there is anomalous behavior. A SIEM tool can learn the normal activity and alert on anything new or unusual. When you pair a SIEM tool with a security operations center (SOC), the security experts can watch the SIEM on your behalf, perform the investigations, and help remediate threats that arise on the network.

What to Monitor on the ICS Network

Not sure what type of activity to look for on your ICS network? Here are a few:

  • Bandwidth: Bandwidth usage in an ICS network should be fairly consistent, and spikes should correlate with particular times of day. Look for unusual bandwidth spikes and traffic at unusual times. These can be an indication of compromise or data exfiltration.
  • Source and Destination IPs: ICS nodes do not talk to many hosts, and very few of those are outside their own network. Monitor for new source and destination IPs to and from the network. New connections in and out of the network should be known and documented ahead of time. If there is a new connection, investigate where the connection is coming from and going to – and, more importantly, what it is doing.
  • Protocols: FTP, SNMP and SMTP are unusual in an ICS environment. If they are being used, IT should be aware of it. Alert on any of these protocols and investigate accordingly.
  • Remote connections: Remote connections in today’s ICS environments are becoming more common. However, they are not as varied, nor do they happen as often, as on a normal corporate network. Document remote connections. Monitor these connections and, if possible, use ACLs to control them.
  • Endpoints: ICS shouldn’t be a BYOD environment. The number of endpoints on an ICS network should remain static, and any changes should be well known. If a new endpoint joins the network, make sure to investigate it.
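The baseline-then-alert approach described in the SIEM paragraph and the five monitoring items above can be reduced to a few lines of logic. The following is an added example written for this article, not Nuspire’s tooling or code from any SIEM product: it profiles a week of constructed, steady plant-floor flow records (an HMI and a historian polling a PLC over Modbus/TCP, the historian writing to a SQL server), then runs a new day of traffic through the checks the list names. The address range `10.10.0.0/16`, the port-to-protocol mapping for FTP/SNMP/SMTP, the `spike_factor` threshold and every host address are assumptions chosen for the demonstration; `203.0.113.7` is a documentation-range placeholder standing in for “an outside address.”

```python
"""Baseline-and-alert over constructed ICS flow records (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the plant floor lives in this range; anything outside it is a
# remote connection.
ICS_NET = ipaddress.ip_network("10.10.0.0/16")

# Protocols the article calls out as unusual on an ICS network, keyed by their
# well-known ports (assumption: identified by port, not by payload inspection).
UNUSUAL_PORTS = {21: "FTP", 25: "SMTP", 161: "SNMP"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def build_baseline(flows):
    """Profile known-good traffic: which hosts exist, who talks to whom on
    which protocol, and the mean bytes moved in each hour of the day."""
    hosts, pairs = set(), set()
    per_hour = defaultdict(int)           # (date, hour) -> bytes
    for f in flows:
        hosts.update((f.src, f.dst))
        pairs.add((f.src, f.dst, f.proto, f.dport))
        per_hour[(f.ts.date(), f.ts.hour)] += f.nbytes
    by_hod = defaultdict(list)            # hour of day -> [daily totals]
    for (_, hour), total in per_hour.items():
        by_hod[hour].append(total)
    return {"hosts": hosts, "pairs": pairs,
            "hourly_mean": {h: statistics.mean(v) for h, v in by_hod.items()}}


def detect_anomalies(baseline, flows, spike_factor=2.0):
    """Return (kind, detail, flow) alerts for everything that departs from the
    baseline. spike_factor is an assumed tuning knob: an hour moving more than
    spike_factor x its baseline mean is reported as a bandwidth spike."""
    alerts, seen_new = [], set()
    per_hour = defaultdict(int)
    for f in flows:
        per_hour[(f.ts.date(), f.ts.hour)] += f.nbytes
        for host in (f.src, f.dst):           # endpoint never seen in baseline
            if host not in baseline["hosts"] and host not in seen_new:
                seen_new.add(host)
                alerts.append(("new_endpoint", host, f))
        if f.dport in UNUSUAL_PORTS:          # FTP / SMTP / SNMP on the floor
            alerts.append(("unusual_protocol", UNUSUAL_PORTS[f.dport], f))
        if any(ipaddress.ip_address(h) not in ICS_NET for h in (f.src, f.dst)):
            alerts.append(("remote_connection", f"{f.src}->{f.dst}", f))
        if (f.src, f.dst, f.proto, f.dport) not in baseline["pairs"]:
            alerts.append(("new_pair", f"{f.src}->{f.dst} {f.proto}/{f.dport}", f))
    for (day, hour), total in sorted(per_hour.items()):
        mean = baseline["hourly_mean"].get(hour)
        if mean and total > spike_factor * mean:
            alerts.append(("bandwidth_spike",
                           f"{day} {hour:02d}:00 {total}B vs baseline {mean:.0f}B", None))
    return alerts


BASE_DAY = datetime(2024, 1, 1)  # constructed
KNOWN_PAIRS = [  # constructed plant-floor talkers: (src, dst, proto, dport)
    ("10.10.1.5", "10.10.2.10", "tcp", 502),    # HMI polls PLC over Modbus/TCP
    ("10.10.1.20", "10.10.2.10", "tcp", 502),   # historian polls the same PLC
    ("10.10.1.20", "10.10.1.30", "tcp", 1433),  # historian writes to SQL server
]


def synth_day(day, pairs, nbytes=1500):
    """One day of steady machine traffic: every pair talks once an hour."""
    return [Flow(day + timedelta(hours=h), s, d, p, port, nbytes + (h % 5) * 10)
            for h in range(24) for (s, d, p, port) in pairs]


def run_demo(inject_anomalies=True):
    week = [f for d in range(7)
            for f in synth_day(BASE_DAY + timedelta(days=d), KNOWN_PAIRS)]
    baseline = build_baseline(week)
    today = BASE_DAY + timedelta(days=7)
    flows = synth_day(today, KNOWN_PAIRS)
    if inject_anomalies:  # constructed events of the kinds the article lists
        h = lambda n: today + timedelta(hours=n)
        flows += [Flow(h(3), "10.10.9.99", "10.10.2.10", "tcp", 502, 800),   # unknown box reaches PLC
                  Flow(h(14), "10.10.1.5", "10.10.1.30", "tcp", 21, 40000),  # FTP plus a byte spike
                  Flow(h(2), "10.10.2.10", "203.0.113.7", "tcp", 443, 2000)]  # PLC talks outside
    return detect_anomalies(baseline, flows)


def alert_kinds(alerts):
    """Count alerts by kind, e.g. {'new_endpoint': 2, ...}."""
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail, _ in run_demo():
        print(f"{kind:18} {detail}")
```

Running it prints one line per alert: two new endpoints, three never-before-seen talker pairs, one FTP session, one connection leaving the ICS range, and one hour whose byte count is far above its baseline. The same injected FTP transfer trips both the protocol and the bandwidth checks, which is the kind of correlation a SOC analyst would want a SIEM rule to surface. A clean day produces no alerts at all, which is exactly the property the article is describing: on a machine-driven network the baseline is tight enough that the interesting events are the only ones left.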

ICS network admins may not be able to upgrade and replace systems tomorrow, but network monitoring can start in a few days. Nuspire has helped many manufacturers gain visibility into network operations, identify “normal” activity on the network and provide the necessary resources to respond to unusual network activity. By leveraging the strength of the ICS network (its predictability), manufacturers can achieve better security quickly.