The Future of OT Security: OT Systems Management
Learn why there's an increasing need for OT security to adopt the core elements of IT Systems & Security Management in the coming years.
For the past five years, marketing efforts from industrial cyber security start-ups and OEM vendors have attempted to convince automation engineers that the only way to address OT security is through passive anomaly detection solutions. As anyone involved in OT/ICS cybersecurity over the past 20 years will tell you, however, you cannot beat the adversary by being passive, as many organizations are now finding out.
Based on Verve’s 25+ years of experience as automation engineers, we believe there is a fundamentally different, more effective, and efficient approach to achieving OT security. For over a dozen years, we have proven that industrial organizations can achieve the same level of protection as their IT systems with techniques leveraging the unique requirements of industrial control systems, without placing critical processes at risk. We call this OT Security Management.
For years, IT teams have secured their networks and endpoints using a range of defense-in-depth models. Fundamental to this is the active management of systems – networking devices, servers, cloud applications or laptops. But in most OT environments, this type of “systems management” often does not exist. Unique characteristics of these operational assets combined with the processes they control make using traditional IT-oriented systems management tools and solutions challenging.
Because of these challenges to industrial security, many companies have turned to passive monitoring tools which offer a promise of visibility and detection with minimal presence on the network/assets. But these solutions lack deep visibility of each asset such as all the users and accounts, password settings, unused software, accurate application patches, etc. They cannot remediate potential risks other than possibly integrating with a firewall ruleset. The user is often left with a limited view and a set of alerts that then need much further analysis and manual tasks to resolve.
The world for automation engineers trying to secure their industrial control systems environments is about to change dramatically. Due to three major driving forces (AIR), boards of directors and the C-suite will push a more comprehensive, IT-level security posture into the OT environment. When that happens, the burden on automation leaders will increase dramatically unless they get out in front of the requirements today. Those three forces are attackers, insurers, and regulators.
This “AIR”-force, so to speak, will drive a dramatic change to security requirements in OT and will increase the need to conduct true OT Systems Security Management. There is a significant need to bridge the gap to find solutions that can enable true security management of industrial control systems.
Industrial organizations must begin now to prepare for this future, which for many is already the present. It is possible with the adoption of OT systems management: the active administration of operational technology. The approach includes three key elements: a 360-degree asset inventory and risk view, OT-safe actionability (automated remediation under local control), and centralized, efficient analysis.
Asset inventory is the foundation of a comprehensive OT Systems Management approach. Each step in security builds off the last, which is why it’s critical to get the foundation of your cyber security program – asset inventory – right the first time. The information needed for effective patching and configuration management relies on the depth and breadth of asset information gathered. If you don’t plan for a comprehensive security program when setting up your asset inventory, it will not be there when you need it. The asset inventory gives you the map on which to build your cyber security journey.
This robust asset inventory should include all IT and OT assets, whether they are OS-based (Windows/Linux/Unix) HMIs or servers, network devices, PLCs, relays, RTUs, or other types of embedded gear. A surface view based on communication through core switches at the top of your segmented network is insufficient.
Furthermore, the inventory should provide a “360-degree” view. This means an analyst can see the make/model/OS, in addition to the application software, users and accounts whether in use or dormant, network firewall and switch rules, password and configuration settings, and status from key protection and recovery tools such as application whitelisting or backups, etc.
Finally, an effective inventory provides the OT context to each asset to understand the criticality for safe operations. This type of 360-degree inventory allows for security practitioners to accurately assess and prioritize appropriate trade-offs and risk remediation activities.
Security is much more than detection. Patching, vulnerability response, user and account management, configuration management, and similar activities are all necessary components of a mature security posture. Today, where these activities are done at all, they rely on many manual process steps and on individual tools that cannot be managed centrally and do not integrate their data into a single risk view. Automating these functions significantly reduces the cost and labor required to manage each of them.
To be clear, when we say “automate”, we do not mean centrally pushing patches or changing configuration settings without process control technicians engaged and aware. Automation should streamline the actions and place control over those actions in the hands of the operators who know their systems best. We call this approach “Think Global, Act Local”.
For efficiency, organizations need to centralize analysis, planning, and risk assessment. But, for operational safety and reliability, they need to enable the local team (who knows their process) to control the action. So the solution automates actions, once those most knowledgeable about the systems have approved it.
Further, the ability to take action beyond assessment shortens time to remediation, because identification, detection, and remediation of endpoints are managed together rather than in separate tools.
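As an added example (not Verve's code, and not the VSC data model), the following Python sketch shows what the two points above look like in practice: a 360-degree inventory record that carries OT criticality alongside patches, accounts, listening ports and protection status; a central analysis that turns those records into one prioritized finding list across sites; and a remediation plan in which proposed actions only execute after the owning site approves them ("Think Global, Act Local"). The asset records, the patch baseline, the flagged port list and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Central analysis over a 360-degree OT asset inventory, with remediation
gated on local approval. Added example, not Verve's code; all asset records,
sites, patch baselines and thresholds below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2021, 3, 1)            # fixed date so the example is deterministic
DORMANT_DAYS = 90                   # assumption: no logon in 90 days => dormant
UNEXPECTED_PORTS = {23, 135, 445}   # assumption: telnet/RPC/SMB listeners are flagged
REQUIRED_KBS = {                    # constructed patch baseline, not a real advisory list
    "Windows 7": {"KB4012212"},
    "Windows Server 2012 R2": {"KB4012213", "KB4499151"},
}


@dataclass
class Asset:
    """One inventory record: make/model/OS plus the '360-degree' detail."""
    name: str
    site: str
    kind: str                       # hmi, server, plc, ...
    os: str
    criticality: int                # OT context: 1 (low) .. 5 (safety-critical)
    installed_kbs: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)    # user -> last logon date
    listening_ports: set = field(default_factory=set)
    backup_ok: bool = True
    whitelisting_on: bool = False


@dataclass
class Finding:
    asset: str
    site: str
    issue: str
    score: int                      # weighted by the asset's OT criticality


def analyze(assets):
    """Central analysis: one prioritized finding list across all sites."""
    findings = []
    for a in assets:
        for kb in sorted(REQUIRED_KBS.get(a.os, set()) - a.installed_kbs):
            findings.append(Finding(a.name, a.site, f"missing patch {kb}", 2 * a.criticality))
        for user, last_logon in a.accounts.items():
            if (TODAY - last_logon).days > DORMANT_DAYS:
                findings.append(Finding(a.name, a.site, f"dormant account {user}", a.criticality + 1))
        for port in sorted(a.listening_ports & UNEXPECTED_PORTS):
            findings.append(Finding(a.name, a.site, f"unexpected listener tcp/{port}", a.criticality))
        if not a.backup_ok:
            findings.append(Finding(a.name, a.site, "no recent backup", 3 * a.criticality))
        if a.kind in ("hmi", "server") and not a.whitelisting_on:
            findings.append(Finding(a.name, a.site, "application whitelisting off", a.criticality))
    # Highest score first; ties broken deterministically by asset, then issue.
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.issue))


class RemediationPlan:
    """Actions are proposed centrally but run only after the owning site approves."""
    def __init__(self):
        self.pending = {}           # (asset, issue) -> owning site
        self.approved = set()
        self.executed = []

    def propose(self, finding):
        self.pending[(finding.asset, finding.issue)] = finding.site

    def approve(self, approver_site, asset, issue):
        key = (asset, issue)
        if self.pending.get(key) != approver_site:
            raise PermissionError(f"{approver_site} does not own {key}")
        self.approved.add(key)

    def execute(self, asset, issue):
        key = (asset, issue)
        if key not in self.approved:
            raise PermissionError(f"{key} has no local approval")
        self.executed.append(key)   # a real tool would push the patch/config here
        return key


def _blocked(action, *args):
    """True if the plan refuses the action; used to show the gates working."""
    try:
        action(*args)
        return False
    except PermissionError:
        return True


# Constructed sample inventory: three assets across two sites.
SAMPLE_ASSETS = [
    Asset("HMI-01", "plant-a", "hmi", "Windows 7", 5, {"KB4012212"},
          {"operator": date(2021, 2, 27), "vendor_svc": date(2020, 6, 1)},
          {3389, 445}, True, False),
    Asset("HIST-01", "plant-a", "server", "Windows Server 2012 R2", 3,
          {"KB4012213"}, {"admin": date(2021, 2, 1)}, {1433}, False, True),
    Asset("PLC-7", "plant-b", "plc", "firmware 20.1", 5, set(), {}, {44818}, False, False),
]


def demo():
    """Run the central analysis, then exercise the local approval gate."""
    findings = analyze(SAMPLE_ASSETS)
    plan = RemediationPlan()
    for f in findings:
        plan.propose(f)
    top, second = findings[0], findings[1]
    wrong_site = _blocked(plan.approve, "plant-a", top.asset, top.issue)  # other site
    plan.approve(top.site, top.asset, top.issue)    # owning site approves
    plan.execute(top.asset, top.issue)
    unapproved = _blocked(plan.execute, second.asset, second.issue)
    return {"findings": [(f.asset, f.issue, f.score) for f in findings],
            "wrong_site_blocked": wrong_site, "unapproved_blocked": unapproved,
            "executed": plan.executed}


if __name__ == "__main__":
    for row in demo()["findings"]:
        print(row)
```

Running the file prints the findings in priority order. The PLC with no recent backup outranks the historian's missing patch purely because of its OT criticality, which is exactly the context a communication-only inventory cannot supply, and neither approval from the wrong site nor execution without approval gets through the plan.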
IT developed silos of security functions and toolsets to address the many requirements of security and systems management, as those requirements grew organically over time and promoted specialization. In OT, the number one barrier to OT security is people (per CSAI’s 2020 survey, available talent is the number one gap).
Therefore, to achieve widespread OT security management despite a significant lack of skilled resources, a solution must scale across globally distributed sites, hundreds of different device types, and sub-segmented networks without requiring additional hardware to manage. That scales analysis and action centrally while keeping operations under local control.
Integrating this functionality with various IT security tools selected by OEM vendors (e.g., different AV approved by each vendor) and corporate ticketing or asset management tools such as ServiceNow lowers cost by leveraging current security investments and causes less disruption to operations. Efficiency requires centralized analysis across the entire range of OT security risks, not a single-point solution.
Over a dozen years ago, Verve introduced the first version of the Verve Security Center, originally targeted to help North American utilities manage the wide range of security and compliance requirements of NERC-CIP. In the intervening years, we enhanced the security platform to address a range of security standards to provide a true security management platform that is both safe for OT as well as delivers significant improvement in labor efficiency.
Verve leverages a combined agent-agentless architecture to gather a rich asset inventory, first by obtaining visibility into the networks and subnets. This is a completely different architecture from any other solution. It requires no SPAN ports or taps and no additional hardware, and it provides deep visibility into segmented OT networks without risk to the OT assets or network performance. The advantage of this architecture is that it delivers the three key elements above: a 360-degree risk view, OT-safe actionability, and centralized, efficient analysis and detection. The depth and breadth of asset profile information are superior to passive listening, WMI calls, or Active Directory queries alone. The data set includes listening ports and services, installed software, patch information, Active Directory policy information, the operational context of the asset, and everything in between.
This asset inventory acts as the foundation for a broad suite of integrated OT security management functions: vulnerability management, patch management, configuration management, user and account management, host intrusion detection, incident response, and more. The integrated database allows for scaled decision-making as well as design, remediation, or response actions.
The approach provides advanced security and addresses the biggest challenge facing industrial companies – labor and talent shortages. By aggregating these data points and automating many phases of remediation tasks, Verve saves up to 70% of the labor required to maintain security requirements in OT.
Verve Industrial leveraged 25 years of ICS engineering experience to build the Verve Security Center (VSC) software platform and our Verve Industrial Protection (VIP) services to deliver a complete OT endpoint management solution to address ongoing complexities.
VSC is the only solution of its kind, built from the ground-up, with Industrial Control Systems in mind. Verve has operated in plants, deployed Emerson, ABB, Rockwell, and many other control systems. We have seen the challenges these systems present and embedded this knowledge into VSC to create a solution that is safe, effective, and efficient for OT.
The challenges to OT security continue to grow. The “AIR”-force of attackers, insurers, and regulators will require organizations to adopt a similar level of active security management in OT as in IT. We have found methods to do just this effectively, efficiently, and safely in OT.