CXO Insight Middle East

Situational awareness more important than traditional security in OT and ICS

by CXO Staff
August 29, 2022
in Opinions

The current state of security for operational technology and industrial control systems is turning a corner. In today’s real-life scenarios, there has been an increase in related cyber incidents. In one week in May 2022, the Cybersecurity and Infrastructure Security Agency in the U.S. released 27 Industrial Control Systems Advisories.

The growing number of attack patterns has revealed three pitfalls in operational and industrial systems:

  • Companies are reacting to security incidents, rather than investing in reducing severity
  • The threat of sophisticated, nation-state level attacks narrows focus to threat hunting at the expense of other indicators
  • Data science in theory is useful for security, but in practice does not solve challenges in operational and industrial systems

Industrial and operational technologies encompass a wide range of machines and configurations: pumps, compressors, valves, turbines, and similar equipment; interface computers and workstations; programmable logic controllers; and diagnostics, safety, metering, and monitoring and control systems that enable or report the status of variables, processes, and operations.

A single programmable logic controller can be designed and produced by several different vendors, can be configured using different programming languages, and can enable communications over hundreds of different protocols.

Even when simplified, any programmable logic controller from an average of 10 major vendors, utilising any of the top 5 most common programming languages and one or more of the 12 most common communications protocols, has at least 600 (10 × 5 × 12) possible operational configurations. This example demonstrates how quickly standardising the technologies and products to establish their attack scenarios becomes an enormous task.

We need to build a deterministic nature of purpose-built systems in operational technology and industrial control systems, customised for each and every operation. This approach ensures no two attacks on operational and control systems are ever the same.

This is the next step in building security systems for operational technology and industrial control systems environments. The purpose-built systems and subsystems need to be translated into purpose-built systems for security.

In security, we continue to amass knowledge in the form of indicators of compromise. Unfortunately, attacks on operational and industrial systems do not provide the volume of telemetry data needed to adequately derive threat actor objectives and help identify novel attacks ahead of time.

Indicators of compromise do not capture indicators for misconfigurations, malfunctions, or accidental changes that go undetected. These limitations are only captured by monitoring actual processes and operations.

Most of the security companies doing intrusion detection in this space focus on network traffic capture and security monitoring that evaluates and scans for known threat activity. There are limitations to this type of collection, rule application, and analysis for operational and industrial systems.

Since there are no cut-and-paste tactics, techniques, and procedures from incidents in operational and industrial systems, the only way to secure operations is to include plausibility checks for the systems in play.

Security is relative to the functioning of the entire process or critical operation worth securing. Systemwide frameworks for understanding risk and threat scenarios are a must for this field. A systemwide framework examines the largest-scale dynamics, and the inherent systemic risk of the Internet. This approach is necessary to secure operational and industrial systems and explore the full range of potential intrusions, espionage, attacks, disruptions, and accidents.

The more efficient we become at asset intelligence, process variable detections and plausibility checks for real-world outcomes, the better we will be able to augment threat intelligence. It is more efficient to spend resources in building intuition and bolstering situational awareness, rather than incident response capabilities.

The next wave of building intuition into monitoring for operational and industrial systems security is behavioural analytics that cover communications traffic and process variables simultaneously.
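As an added illustration (not code from the article or from any vendor product), the sketch below runs a plausibility check on process variables and correlates controller state changes with write commands seen on the network. The tank model, tag and host names, tolerance, time window and sample data are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:              # one poll of the process (constructed data model)
    t: int                 # seconds
    inflow: float          # litres/second
    outflow: float         # litres/second
    volume: float          # litres in the tank, from the level sensor
    pump_on: bool          # pump state reported by the controller

@dataclass
class Write:               # one write command observed in network traffic
    t: int
    source: str
    tag: str

def check(samples, writes, known_sources, tol=5.0, window=10):
    """Return (time, finding) pairs for implausible or unexplained behaviour."""
    findings = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        # Mass balance: the volume change must match net flow over the interval.
        expected = prev.volume + (prev.inflow - prev.outflow) * dt
        if abs(cur.volume - expected) > tol:
            findings.append((cur.t, "implausible_volume"))
        # A pump state change should be explained by a recent write command.
        if cur.pump_on != prev.pump_on:
            near = [w for w in writes
                    if w.tag == "pump" and 0 <= cur.t - w.t <= window]
            if not near:
                findings.append((cur.t, "state_change_without_command"))
            elif any(w.source not in known_sources for w in near):
                findings.append((cur.t, "command_from_unknown_source"))
    return findings

# Constructed sample data: hypothetical tank, hosts and values.
SAMPLES = [
    Sample(0, 2.0, 1.0, 1000.0, True),
    Sample(10, 2.0, 1.0, 1010.0, True),
    Sample(20, 0.0, 1.0, 1020.0, False),  # pump stopped by a known workstation
    Sample(30, 0.0, 1.0, 1010.0, False),
    Sample(40, 0.0, 1.0, 1040.0, False),  # level rises with no inflow
    Sample(50, 2.0, 1.0, 1030.0, True),   # pump starts, no command seen
    Sample(60, 0.0, 1.0, 1040.0, False),  # pump stopped by an unlisted host
]
WRITES = [Write(18, "eng-ws-01", "pump"), Write(57, "unknown-host", "pump")]

if __name__ == "__main__":
    for t, finding in check(SAMPLES, WRITES, {"eng-ws-01"}):
        print(t, finding)
```

None of the three findings depends on a known indicator of compromise: the first would also catch a failed sensor, and the second a malfunction or accidental change.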

With an "assume a breach has happened" mentality, the focus for security products must be on reducing the severity of potential impacts, not on responding to worst-case scenarios after they unfold. Building intuition into security for purpose-built operations requires customising detections and prevention methods. That is the way forward.
