
Can you entrust your OT/ICS Security to your SOC-as-a-Service?

text: Franco Monti, MSFPartners

For about five years, specialized service providers have offered to take over a company's entire security monitoring as a service. At the beginning only larger companies, sometimes those with international business activities, started to take Security Operations Center (SOC) services on board. In most cases these were threat monitoring and vulnerability management. Threat monitoring was used to identify any incident occurring and to immediately alert the monitored company, with enriched data about what happened and how critical the situation is. For vulnerability management, in most cases off-the-shelf products were used and integrated directly into the SOC service in order to provide detailed information about any security issue caused by unpatched system components or security weaknesses in a customer's infrastructure.


In order to be capable of monitoring a customer, SOC providers usually install a SIEM (Security Information and Event Management) system. The SIEM is a core element of any SOC service: it correlates the millions of events that occur in every company in a single month. These events are correlated inside the SIEM and filtered so that all ongoing malicious activities become visible to the SOC and its customer, usually no more than a few dozen per month. Using the SIEM and further subject matter expertise, SOC organizations map every incident found to a known attack pattern. They provide their customer with detailed information, the criticality of the incident and assistance about what to do next to respond to the incident and how best to recover.

Figure 1 - Traditional IT-centric SOC Model

Traditionally, the service portfolio of large national or international SOC providers has focused on the IT of their customers. Over the last years they have gained significant expertise in how to effectively and efficiently protect an IT environment with office automation, corporate networks, firewalls, proxy servers, clients and servers. By collecting log files from all relevant IT infrastructures, they feed this information into the SIEM for correlation.

When it comes to the protection of manufacturing facilities or of critical infrastructure, such as components of the grid or of power plants in utility companies, the classic SOC mechanism no longer works. In this environment, industry-specific control infrastructure has been established. In the past this was used to isolate it from IT and to separately manage dedicated industrial components. Such an environment is called Industrial Control Systems (ICS) in manufacturing or Operational Technology (OT) in the utility industries. ICS/OT infrastructure consists of control systems (SCADA) that manage industrial controllers (PLCs), which in turn drive industrial equipment such as robots, production line equipment, turbines, water purification plants or gas pipelines. ICS/OT environments are driven by real-time processes. There, it is no longer possible to easily retrieve security log files from the infrastructure without risking interrupting the industrial processes or putting the controllers out of sync. Where industrial controllers stumble because of an unforeseen intervention in the process, the danger of significant industrial damage or accidents rises immediately. This is why special methodology and care need to be applied when monitoring ICS/OT environments against cyber security attacks, and why we consider the establishment of an OT concept as key before any installation of OT monitoring.

Traditional SOC providers have been faced with new requirements to connect ICS/OT infrastructure to their SOC as well, and to correlate events happening in the IT environment with those coming from ICS/OT. Given the attack pattern of many well-known industrial cyber-attacks, this makes perfect sense. However, most SOC providers have not yet gained enough experience in dealing with these classes of industrial events. Therefore, they do not know how best to absorb OT monitoring into their service. The expertise gained from monitoring typical IT environments cannot be used to understand events, incidents and even vulnerabilities coming from an industrial environment. Today's SOC providers' personnel are IT professionals with excellent skills to protect their customers' corporate business IT. When it comes to understanding the dynamics of an industrial process, in many cases their experience is NIL.

The challenge is huge for SOC providers.

In order to understand how to react to an ICS/OT event coming from the OT monitoring, the SOC needs employees who deeply understand industrial processes, networks and all relevant components. Those who understand these events are typically specialized, well-trained industrial engineers who hardly ever change jobs to work for a SOC provider. On the other hand, when the OT monitoring is connected to the SOC service, those ICS/OT engineers in many cases do not recognize any value added by the SOC provider. They argue that they already have full security transparency through the OT monitoring management console in their control centers and act accordingly when an alert arrives.

So, does it then make sense to connect OT monitoring to a SOC, and can you entrust it to keep your ICS/OT safe?

Our experience tells us yes, but… some measures need to be in place to benefit from connecting OT monitoring to a SOC.

First of all, in most industrial environments ICS/OT engineers do not monitor cyber security 7x24x365, due to a lack of resources and the cost involved. In such a constellation, a SOC could already provide a significant increase in protection by monitoring the ICS/OT infrastructure around the clock. If an incident arrives, say during the weekend, a best-effort incident response process could be initiated by the SOC provider, alerting the plant engineers on duty or trying to contact the customer's cyber security officers.

Second, most attacks begin in the IT environment of a company before they touch ICS/OT. Example attacks are Ukraine 1 and 2 on Ukraine's electricity infrastructure, or TRITON, when Safety Instrumented Systems (SIS) were attacked for the first time in history. The usual way in is to gain access to a company by social engineering. Once the attacker lands inside the IT, he or she moves laterally into the ICS/OT network. There, SCADA systems and PLCs are the target equipment the attacker tries to compromise, using either well-known vulnerabilities or zero-day approaches, e.g. to modify the firmware or to add malicious code to a controller. A SOC helps to stop such an attack more quickly by providing correlation not only between its log sources, but also between IT and ICS/OT. This can be critical to stopping an attack as early as possible in the kill-chain.

Third, in our projects we experienced a huge advantage in establishing ICS/OT-specific scenarios which help the security monitoring personnel in the SOC to understand the technical nature of an ICS/OT incident or vulnerability more quickly and more thoroughly. ICS/OT scenarios are linked to the typical use cases every SOC offers to its customers. A classic use case can have one or several scenarios. These have a significant benefit for the plant engineers, as they gain an additional view from the SOC when malicious activities occur.
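The following is an added illustration, not code from the article or from MSFPartners, of the correlation idea described above: the SIEM reduces a stream of events to a few alerts, IT-side precursors (social engineering, remote access, lateral movement) are tied to a later OT-side controller change, and the result is expressed as one ICS/OT scenario under a SOC use case. Event types, host and user names, controller identifiers and timestamps are all hypothetical and constructed for the example; a real SIEM would take these from normalised IT logs and from the OT monitoring console.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    domain: str       # "IT" or "OT"
    actor: str        # user or host that performed the action
    kind: str         # normalised event type from the log source
    target: str = ""  # host or controller acted upon, if any


@dataclass
class Alert:
    ot_event: Event
    linked_it: list
    criticality: str
    stage: str


# Hypothetical IT-side precursor types treated as a possible foothold or
# lateral movement (not a real product's taxonomy).
IT_PRECURSORS = {"phishing_attachment_opened", "vpn_login_new_country", "rdp_to_engineering_ws"}
# Hypothetical OT-side controller changes as reported by the OT monitoring.
OT_ACTIONS = {"plc_program_download", "plc_firmware_write", "sis_mode_change"}


def correlate(events, window=timedelta(hours=6)):
    """Attach IT precursor events to each OT controller change seen within `window`.

    Hop 1 links IT events that touched the OT actor directly (e.g. an RDP session
    onto the engineering workstation that later downloaded a PLC program);
    hop 2 pulls in earlier precursor events by the same user(s) behind hop 1.
    An OT change with no IT precursor is still reported, at lower criticality,
    so the plant engineers can check it against their change schedule.
    """
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for ot in events:
        if ot.domain != "OT" or ot.kind not in OT_ACTIONS:
            continue
        candidates = [
            e for e in events
            if e.domain == "IT" and e.kind in IT_PRECURSORS
            and ot.ts - window <= e.ts <= ot.ts
        ]
        users = {e.actor for e in candidates if ot.actor in (e.actor, e.target)}
        linked = [e for e in candidates if ot.actor in (e.actor, e.target) or e.actor in users]
        if linked:
            alerts.append(Alert(ot, linked, "high",
                                "kill-chain: IT foothold -> lateral movement -> OT action"))
        else:
            alerts.append(Alert(ot, [], "medium",
                                "kill-chain: OT action without IT precursor (verify against change schedule)"))
    return alerts


# Constructed sample events: one month of a real SIEM would hold millions.
T0 = datetime(2024, 1, 15, 8, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=5),  "IT", "j.doe",     "phishing_attachment_opened"),
    Event(T0 + timedelta(minutes=20), "IT", "j.doe",     "vpn_login_new_country"),
    Event(T0 + timedelta(minutes=30), "IT", "m.ray",     "vpn_login_new_country"),  # unrelated user
    Event(T0 + timedelta(minutes=70), "IT", "j.doe",     "rdp_to_engineering_ws", target="eng-ws-01"),
    Event(T0 + timedelta(minutes=90), "OT", "eng-ws-01", "plc_program_download", target="PLC-12"),
    Event(T0 + timedelta(hours=2),    "IT", "a.smith",   "web_request"),  # noise, not a precursor
    Event(T0 + timedelta(hours=6),    "OT", "eng-ws-02", "plc_program_download", target="PLC-07"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.criticality.upper()}] {a.ot_event.kind} on {a.ot_event.target} "
              f"by {a.ot_event.actor} at {a.ot_event.ts:%H:%M} - {a.stage}")
        for e in a.linked_it:
            print(f"    linked IT event {e.ts:%H:%M} {e.actor} {e.kind} {e.target}")
```

Run on the constructed events, the program download to PLC-12 is raised as a single high-criticality alert carrying the three IT events of the same user, while the later download to PLC-07 has no IT precursor in the window and is reported as a medium-criticality change for the plant engineers to verify. The two-hop pivot is what the OT console alone cannot do: it sees the controller change, but not the phishing and VPN anomaly that preceded it on the IT side.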

Figure 2 - SOC Use Cases have one or several ICS/OT scenarios - Example scenario

Finally, it is fair to say that if a SOC provider and its customer work together in establishing the right ICS/OT scenarios, it becomes very beneficial to connect OT monitoring to the SOC and to establish a company-wide security posture covering not only IT but also ICS/OT. At least, that is what we observe every day in real-life projects protecting ICS/OT environments.

It is no use saying, ‘We are doing our best.’ You have got to succeed in doing what is necessary.

– Winston Churchill

Franco Monti is co-owner and co-founder of MSFPartners.com, a Swiss cyber security boutique with offices in Switzerland and Dubai. He can draw on many years of experience in the protection of critical infrastructures (IT & OT/ICS). Over this period, he has accumulated a wealth of expertise in developing cyber security strategies and drawing up complex cyber security programmes. He takes responsibility for Swiss and international projects that focus on setting up security operations centres, introducing incident management and protecting IT and OT infrastructures. Franco graduated in engineering at the Swiss Federal Institute of Technology (ETH) and in business administration at the University of St. Gallen (HSG).

www.msfpartners.com
