The Importance of Content and Collaboration in OT and IoT


We sat down with Edward Rhyne, who heads the Cyber-Physical Systems Security team at Securonix, to dig into what he sees as the most important aspects of cybersecurity for OT and IoT. As a former U.S. Department of Energy and Department of Homeland Security Senior Technical Advisor, he shared his knowledge of the sector and how he sees cybersecurity content and collaboration as critical to successfully protecting OT and IoT systems.

Question: Tell us why content matters for SIEM and what makes that content so important?

Ed: Content is the sum of the knowledge, experiences, understanding, and instructions of a SIEM that can be shared across the platform and with customers. All SIEMs collect lots of information and information by itself has value. But it doesn’t really convey a lot of understanding in the true sense of the word. If you think about letters as being data that is randomly scattered or put together, it doesn’t really convey a lot of meaning. When you start stitching those letters together with context, you start building words and then sentences and then paragraphs. Eventually you get to the point where you can actually convey understanding or meaning. 

That’s the real value of content. 

At Securonix we look at the entire picture. Every business has lots of data feeds. OT environments are different as there are third-party alerts that are predictable and can be used to our advantage. With OT you’re controlling a physical process, which is governed by the laws of physics so you can have a predictability that you don’t have on an IT network. Alerts that are set up mean a lot more and you can start stitching those together. Analysts can look for anomalies and behavioral changes and tie those into potential techniques. In such cases you can link those together, correlate them and build a better understanding of what’s really going on in your OT environment.

Question: How does content help harden an organization’s security posture?

Ed: I believe it starts with taking advantage of a federated defense or collective defense approach where you can detect or identify threats earlier and consequently make mitigations faster. If you could detect something and stop it with ever-decreasing impacts earlier in the cycle, you can get to it faster. And the more hardened the environment becomes the better you’ll be able to operate. For OT that can actually affect the bottom line. 

How OT content works

Question: What are the similarities and differences between IT and OT security?

Ed: OT is different from IT. I like to characterize it as the inverse of IT. I tend to think of it as an equation where in IT there are infinite behaviors since everybody’s going to behave differently on their keyboard than anybody else. But we’re all generally doing roughly the same things–email, web, and maybe half a dozen to a dozen protocols we use. So IT is characterized by infinite behaviors and finite protocols, whereas in OT it’s predictable where you’re controlling a process. So the behaviors are finite. You know exactly what you’re expecting and it is predictable. But the protocols for every vendor are going to be different as they have their own protocols or even implementation of a standard. Every asset owner may also have a different way of implementing standards as well.

With the protocols in OT being effectively infinite, and the behaviors being finite, the equation is flipped compared to IT. Understanding these relationships helps when we start to detect and identify threats in OT and there are two sides to this. One is the traditional network and protocol analysis, which is looking just at the communications path. But again, cyber-physical systems are both cyber and physical, so we also have to look at the process control side and the physical side. In these situations we’re going to be coupling anomalies on the operations side as well as the network side.

OT systems under attack

Question: What does the process of detection, investigation, and response look like for OT threats?

Ed: The process of detection, investigation, and response in OT is different from IT. There are fewer specifically industrial control systems (ICS) or OT attacks, but the impacts are larger. It is not as distanced as data being stolen or information being taken, and OT attacks can really hurt people or equipment, which in turn affects a lot of people. When something shuts down or breaks or is destroyed, that’s when the investigation starts.

There’s more and more emphasis being put on network identification and knowing what’s in your environment is critical. We are making a lot of progress and that’s why building that understanding is going to be the key to using the operational data.

The reason is that when attackers get into networks, they’re noisy, they’re doing reconnaissance, they’re mapping networks, they’re gaining access and they’re going to be throwing alerts and alarms. Once they’re in for a while, fewer alerts will be created, and they’re going to know how to traverse the network and how to get to the programmable logic controllers (PLCs) they want. To do this they’re going to need to maintain access and control. The only way to see that they’re maintaining this is to make small perturbations and not make them big enough to trip a control alarm or go out of a control band, but it’s something that they can say, “I did that.” Yes, it is not enough to cause an alarm to make an operator say, “I need to change this,” but it is enough of a signal to allow a threat team to identify and correlate network anomalies to detect the attack.

Question: How could security teams utilize better or be more collaborative to change this process? What would that end result look like?

Ed: Coupling the operations with the security teams, especially the network security teams, is the first step. I’m not expecting the network security folks to become operators or the operators to become network security folks. But knowing that a pump could fail or a valve could fail or act anomalously, not necessarily only based on physical effects, but also on sending a bad signal, is valuable knowledge. For example, if you’ve got something that has a life cycle of five years, but you’re replacing it after two, is it a big deal? Well, if you’ve done preventative maintenance and nothing shut down and broke, it’s probably not a big deal. It’s not an impact on the business. You probably also accounted for it. But you may have just wasted money when it was a perfectly fine piece of equipment that was sent a bad signal and looked like it was going bad.

Question: It makes sense that each group has its expertise that can help build stronger security systems. What do you think is next?

Ed: Collaboration is the future. As technology evolves, adversaries at the forefront are leveraging this new tech. We see evidence of it as we up our game on the defensive side. The attackers get more creative and the more that we can do to share knowledge, such as the content from Securonix Threat Labs, will be a game changer. Threat Labs is set up to conduct threat research, data science, and threat detection. Within that structure there are verticals. OT is a vertical. To be successful we need network and protocol analysts as well as operators who have vast experience in the operations of these systems. Our goal is to get better on the network detection side and up our game on anomaly detection on the physical processes as well.

The reason why collaboration is important at any level is that each group holds important information that the other team needs to create a successful outcome. With our team we’ve got two sides of the same coin. We’ve got the network detection side with network and protocol analysis, and we have the operations side with process control analysis. In operations, you generally have control bands, areas where your processes are behaving normally. There are all sorts of health and welfare sensors, such as vibrations, temperature, and pressure that inform operators that the system is operating correctly. Now within this there are going to be natural deviations when parts wear out or process parameters change. These are physical things that change over time. We can account for that progression and the operator’s knowledge of how long something should work or how something should behave in certain environments is key. That’s because then they can determine if there is a natural process deviation, as opposed to something that’s been giving a bad signal.

If they find a process deviation that doesn’t look right for our job from the SIEM they need to see if there is a communications path to the device that’s anomalous. For example, is it outside the normal operating hours or was there a signal looking at the health and welfare of this, or was the system out of bounds of its current frequency?

Let’s say this pings every hour, but at the half-hour there’s something that traverses the network. Was that a malicious signal or was that just an odd health and welfare signal? It’s our job to try to shine a light on that, so that the owners of the system with the best context can determine whether or not that’s really a threat or inadvertent activity. As we add more sensors to critical infrastructure, there’s more emphasis on visibility and we need to continue building the understanding of all the data we are getting. 

For more on how Securonix protects IoT systems, check out our post “Detect Hidden Attacks Exploiting IoT and Unmanaged Devices With Securonix and Armis.”