Make Industrial Cyber Resilience Your Goal

By Sid Snitkin

Category: ARC Report Abstract

Operational continuity is critical for industrial and infrastructure organizations. Disruptions to normal operations are costly and jeopardize safety, compliance, and company reputation. Reliable equipment and control systems are necessary, but not sufficient. Organizations also need to address cyber resilience to limit the impact of unanticipated failures on key performance indicators for operations.

Reliability has long been a key goal in the design of industrial plants and infrastructure systems. These efforts eliminate many potential problems, but are not foolproof. Some failure scenarios will be overlooked and protective measures will be limited, particularly when facilities include legacy equipment. Cyber attackers will likewise find ways to overcome even the best defensive measures.

Smart organizations recognize these residual risks and invest equally in measures to ensure that operations are resilient. This includes management practices and technology that enables early detection of unexpected failures and rapid recovery.

Industrial organizations employ a variety of practices that minimize the impact of unexpected mechanical equipment failures. Periodic inspections are used to detect failing components. Vibration sensors are used for early detection of problems in rotating equipment, like turbines and generators. Early detection enables staff to coordinate repair outages with customers and prepare parts and resources to minimize the downtime.

Such techniques do not work for digital systems. Digital systems’ failures are random and lack advance indicators. This situation frustrates engineers and plant managers, as digital technology is increasingly being employed in control and other plant systems. As a result, it’s becoming increasingly important to have visibility into the health of digital assets. Companies also need a way to promptly detect latent malware and sophisticated cyberattacks that evade detection by firewalls and anti-virus software.

Cybersecurity technology for anomalous network message detection can provide an answer to this dilemma and thus enhance industrial cyber resilience. These solutions monitor network traffic within control systems to quickly detect and identify abnormal activity, whether a cyber-attack or digital system failure, to speed remediation.

What Is Industrial Cyber Resilience?
Resilience is the capability to quickly identify and recover from problems. Techniques like network segmentation, functional isolation, and redundancy are used to build basic resilience into control systems. But these measures only protect networks and operations from certain failure scenarios. Other problems, like misconfigurations, programming mistakes, and poor operations and management practices, can still undermine the operation and security of control systems.

Anomalous network message detection solutions help companies address these gaps. They alert operators and maintenance personnel to erroneous and undesired system behavior, thereby increasing the control system cyber resilience. In addition, they provide needed context to help operators diagnose and resolve problems.

ARC research indicates that anomalous network message detection solutions with enhanced capabilities for industrial cyber resilience are already helping plant staff detect a wide range of control system problems before they can impact operational performance. These include:

  • Failures of non-operating, backup processors

  • Failures of intermittently used controllers

  • Error states and malfunctions of key controllers

  • Inadvertent configuration and programming errors

  • Inappropriate operational requests (invalid setpoints, etc.)

  • Latent malware communicating with command and control sites and other control system elements

Anomalous message detection solutions are also valuable in situations where control system problems immediately disrupt operations. They provide information to minimize the time needed to identify the cause of the failure, whether it is a mistake or malicious cyberattack, and quickly restore operations.

Industrial Cyber Resilience Benefits Many Stakeholders
The benefits of industrial cyber resilience are broad-based and address key concerns of stakeholders across industrial organizations, including plant managers, plant engineers, chief information officers (CIOs) and information technology (IT) managers, and chief information security officers (CISOs).

Plant Managers are directly responsible for the safety, costs, and revenues of their facilities. They understand how deviations in normal operations increase the likelihood of safety incidents. They are also keenly aware of the costs and customer issues that arise when operations are not immediately restored. While they appreciate that control system failures will occur, they are rightfully frustrated when restoration is delayed by complications in understanding the source of problems. The benefits they receive from reduced outages and outage durations are clear and significant. Industrial cyber resilience provides this through its ability to anticipate cyber failures, reduce downtime risks, enable predictive maintenance, increase productivity, and reduce the costs for problem mitigation.

Plant Engineers are responsible for control system reliability. They work with vendors to ensure that as many system failures as possible are anticipated, appropriate protections are incorporated, and adequate spares and support are readily on hand to keep systems operating. They have a vested interest in ensuring that unanticipated failures are promptly addressed before they cause accidents or disrupt operations, and that repair time and effort are minimized. Industrial cyber resilience directly supports these goals through early indicators of problems and threats, minimized troubleshooting effort and resolution time, enhanced reliability and availability of control systems, etc.

CIOs/IT Managers are often responsible for control system servers, workstations, and networking equipment. Their interests in system reliability align with those of the plant engineers. Likewise, they are concerned about operational disruptions being caused by networking failures and misconfiguration. These managers receive significant benefit through identification of misconfigured equipment and network services, validation of network changes and maintenance operations, quick identification of network failures, etc.

CISOs are responsible for cybersecurity across the organization. They also have primary responsibility for managing the organization’s risks and compliance. However, their typically limited understanding of control systems frustrates efforts to assess overall security posture. Constraints on control system defenses and updates are also a major concern. The additional layer of defense provided by industrial cyber resilience helps reduce these risks and alleviate many associated concerns. Industrial cyber resilience provides CISOs with visibility into what is happening behind OT firewalls, support for compliance, reduced exposure to cyber threats, detection of cyber-compromises, etc.

What Makes an Effective Industrial Cyber Resilience Solution?
Effective anomalous network message detection is fundamental for an effective industrial cyber resilience program. But many solutions in this category lack the essential features that companies need to rapidly detect, identify, and recover from unanticipated control system failures.

Advanced, next-generation firewalls may have the capability for deep packet inspection of messages, but they operate in-line and only look for malware based upon signatures and other indicators. Also, their goal is to block malware, not advise users of anomalous messages. These solutions are valuable for use at facility perimeters, but are rarely used within control systems to monitor internal messages. The risks of disrupting control system timing or blocking critical control messages far outweigh the potential benefits of detecting malware that may originate within control system devices.

The features of anomalous network message detection solutions for industrial facilities are distinctly different from those of next-generation firewalls. These solutions are specifically designed for use within industrial control systems. While they can detect malicious software that evades perimeter firewalls, they more importantly monitor all messages that flow between internal control system devices and alert on any anomalous behavior. They connect passively to control networks through SPAN or mirror ports and collect information without actively polling devices. These industrial solutions are also different from solutions that look for anomalous messages in conventional IT systems. In fact, they are mostly built from the ground up with industrial control system threats and requirements in mind.

While industrial anomalous message detection solutions share a common focus, they vary in features and capabilities. To maximize the industrial cyber resilience benefits from an investment in this kind of technology, users should look for a solution that provides the following kinds of support:

  • Ability to parse the specific industrial control system protocols used within the organization’s facilities

  • Automatic development of control system cyber asset inventories and network maps

  • Automatic learning of baselines of “normal” communication patterns and message content

  • Libraries of known ICS-cyber threats and anomalous system activities and behaviors for a responsive, reliable detection with a low rate of false positives

  • Context-rich alerts that enable people to quickly identify the source of problems and appropriate remediation actions

  • A user-friendly dashboard with visual analysis of network flows and commands, both real-time and historical, and capability for users to track and monitor communications

  • Ability to proactively search the network for emerging threats and to prevent the spread of existing ones (threat hunting)

  • Capability to continuously record and store network traffic and support efficient analysis of this data in threat hunting and problem analysis

  • Ability to specify custom controls and company policies regarding device interactions, user actions, etc.
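To make the feature list concrete, and to tie it back to the failure types listed earlier (invalid setpoints, unexpected controller communication, latent malware calling out to external hosts), here is a small added example of how passive baseline learning, policy checks, and context-rich alerting fit together. It is illustrative code written for this abstract, not code from the ARC report or from any vendor's product. The message fields (`src`, `dst`, `proto`, `func`, `reg`, `value`), the host names, the register numbers, and the sample records are all constructed; a real solution would derive them by decoding the specific ICS protocols captured from a SPAN or mirror port.

```python
"""Passive baseline learning and anomaly alerting over decoded ICS message metadata.

Added example for illustration only. All hosts, registers, values and the
field layout are constructed; they are not taken from any real deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Msg:
    """Metadata of one decoded control-network message (no raw payload kept)."""
    src: str
    dst: str
    proto: str                      # e.g. "modbus" (constructed label)
    func: str                       # e.g. "read_holding", "write_single"
    reg: Optional[int] = None       # register/address the operation targets
    value: Optional[float] = None   # value written, for write operations

    @property
    def flow(self) -> Tuple[str, str, str, str]:
        # A flow is "who talks to whom, with which protocol and operation".
        return (self.src, self.dst, self.proto, self.func)


@dataclass
class Baseline:
    """What 'normal' looked like during the learning window."""
    hosts: Set[str] = field(default_factory=set)
    flows: Set[Tuple[str, str, str, str]] = field(default_factory=set)
    # (dst, reg) -> (min, max) of values written during learning
    write_ranges: Dict[Tuple[str, int], Tuple[float, float]] = field(default_factory=dict)


def learn(messages: List[Msg]) -> Baseline:
    """Build the baseline from a capture taken while the plant ran normally."""
    b = Baseline()
    for m in messages:
        b.hosts.update((m.src, m.dst))
        b.flows.add(m.flow)
        if m.func.startswith("write") and m.reg is not None and m.value is not None:
            lo, hi = b.write_ranges.get((m.dst, m.reg), (m.value, m.value))
            b.write_ranges[(m.dst, m.reg)] = (min(lo, m.value), max(hi, m.value))
    return b


def detect(baseline: Baseline, messages: List[Msg],
           limits: Optional[Dict[Tuple[str, int], Tuple[float, float]]] = None) -> List[dict]:
    """Return one context-rich alert per deviation from baseline or operator policy.

    `limits` is the operator-specified policy: allowed setpoint range per (dst, reg).
    Policy is checked before the learned range so a violation of an explicit
    engineering limit is reported as such rather than as a statistical oddity.
    """
    limits = limits or {}
    alerts: List[dict] = []
    for m in messages:
        if m.src not in baseline.hosts or m.dst not in baseline.hosts:
            # A device never seen in the learning window: could be a new
            # engineering laptop, or a controller reaching an external address.
            alerts.append({"kind": "unknown_host", "msg": m,
                           "detail": f"{m.src} -> {m.dst} involves a host not in baseline"})
            continue
        if m.flow not in baseline.flows:
            # Known devices, but a conversation (protocol/operation) never seen before.
            alerts.append({"kind": "new_flow", "msg": m,
                           "detail": f"first {m.proto} {m.func} from {m.src} to {m.dst}"})
        if m.func.startswith("write") and m.reg is not None and m.value is not None:
            key = (m.dst, m.reg)
            if key in limits and not (limits[key][0] <= m.value <= limits[key][1]):
                alerts.append({"kind": "policy_violation", "msg": m,
                               "detail": f"setpoint {m.value} outside policy {limits[key]} for {key}"})
                continue
            if key in baseline.write_ranges:
                lo, hi = baseline.write_ranges[key]
                if not lo <= m.value <= hi:
                    alerts.append({"kind": "out_of_baseline_range", "msg": m,
                                   "detail": f"setpoint {m.value} outside learned range {(lo, hi)} for {key}"})
    return alerts


# Constructed learning-window capture: an HMI and a historian talking to two PLCs.
LEARNING_WINDOW = [
    Msg("hmi-01", "plc-01", "modbus", "read_holding", 100),
    Msg("hmi-01", "plc-01", "modbus", "write_single", 40001, 72.0),
    Msg("hmi-01", "plc-01", "modbus", "write_single", 40001, 75.0),
    Msg("hist-01", "plc-01", "modbus", "read_holding", 100),
    Msg("hmi-01", "plc-02", "modbus", "read_holding", 200),
]

# Constructed operator policy: engineering limits for one setpoint register.
SETPOINT_LIMITS = {("plc-01", 40001): (60.0, 90.0)}

# Constructed later traffic containing the failure types the report lists.
SUSPECT = [
    Msg("hmi-01", "plc-01", "modbus", "write_single", 40001, 74.0),   # normal
    Msg("hmi-01", "plc-01", "modbus", "write_single", 40001, 250.0),  # invalid setpoint
    Msg("hmi-01", "plc-01", "modbus", "write_single", 40001, 88.0),   # legal but unusual
    Msg("eng-07", "plc-01", "modbus", "write_single", 40001, 73.0),   # unknown host writing
    Msg("hmi-01", "plc-02", "modbus", "write_single", 200, 1.0),      # never-seen operation
    Msg("plc-02", "203.0.113.9", "tcp", "connect"),                   # controller calling out
]


def run_demo() -> List[dict]:
    """Learn from the quiet period, then check the later traffic."""
    return detect(learn(LEARNING_WINDOW), SUSPECT, SETPOINT_LIMITS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['kind']}] {a['detail']}")
```

The learning window and the suspect traffic are both constructed so the example runs offline. Note the ordering decision in `detect`: a message from an unknown host stops evaluation at the first alert, because any further judgement about its flows or values would be built on a baseline that does not cover it; the operator needs to establish what the device is before anything else.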

Recommendations
The financial, safety, and compliance risks of disruptions in industrial operations are too large to ignore. While control systems are designed to be reliable, unanticipated failures will still occur. Given today’s challenging cyber environment, the likelihood of such events is increasing. Every industrial organization needs to ensure that it is doing all it can to minimize the potential impact of these kinds of events. Technologies and practices that facilitate rapid detection and repair are essential to ensure that systems are resilient to problems.

ARC research shows that anomalous message detection solutions that support industrial cyber resilience are already helping many companies mitigate their risks of operational disruptions. The benefits that these solutions provide generally outweigh the cost, especially when all affected stakeholders are considered. Implementing such a solution should be on the radar of every industrial organization.

ARC Advisory Group clients can view the complete report at the ARC Client Portal on Office 365 or Box.com, or at the New Client Portal on this website.

If you would like to buy this report or obtain information about how to become a client, please contact us.

Keywords: Cybersecurity, Anomaly & Breach Detection, Operational Continuity, ARC Advisory Group.
