A new generation of connected Industrial IoT (IIoT) devices is helping businesses leverage the power of the internet for smarter operational technology (OT). Programmable logic controllers (PLCs) are widely used to control industrial electromechanical processes for manufacturing and robotics, and they are increasingly online. In cities, connected OT solutions are leveraged to increase efficiency and productivity across a number of critical services.
These urban OT solutions, along with connected transportation and infrastructure technologies, also ensure organizations keep pace with society’s increasingly mobile cultural and economic landscape. As such, OT solutions featuring IIoT devices have become the backbone of modern commercial automation solutions, business operations and critical infrastructure.
But the quick ascent of these devices has also left them—and the businesses they are designed to aid—vulnerable. In fact, a 2019 study by the Ponemon Institute found that the OT involved in running critical utilities like water and electricity is increasingly targeted with cyberattacks that can cause “severe” damage.
Historically, control systems had specific functions and were often not connected to other systems, making attacks less likely and more difficult. But companies are now adding sensors and embedded devices to control networks, monitor operations and boost efficiency, and those systems are increasingly connected to corporate IT systems to facilitate the transfer of data.
Problems then arise because network monitoring and other security practices are not in place, or not mandated, to manage security on these devices. Stuxnet, for example, was developed to target centrifuges, devices at nuclear power plants that are designed to isolate isotopes of uranium. Stuxnet is a worm that includes safeguards to avoid detection by certain security measures, and it was designed to seek out centrifuges and reprogram them to repeat cycles that would cause the centrifuges to disintegrate.
IIoT devices also often have native integration with IP networks. This ability streamlines operational tasks – but it also means that everything connected has now become increasingly vulnerable. Like standard IT devices, they remain vulnerable “soft targets” for global cyber threats.
But it isn’t just IIoT devices being exploited within OT systems: Windows computers and networks are also under attack. Historically, cyberattacks targeted the IT assets that enable business operations, like computers and mobile devices, for data theft. However, newer attacks against the IT devices that sit inside an OT system, like the machines, networks and systems that transmit or distribute power, can hijack the control systems that operate critical infrastructure, causing physical damage and widespread outages.
Organizations with IIoT and IT devices within their OT systems need to evaluate exposure and maximize their ability to quickly detect and investigate anomalies as well as their ability to respond to and mitigate attacks. However, providing device security can be challenging, specifically since IIoT and IT devices are inherently different.
IIoT devices also aren’t designed to integrate with security management tools. Understanding the limitations and opportunities of device risk is essential to help increase a company’s long-term viability.
Challenges of OT Solution Security
As with any problem, challenges addressed in silos become harder to overcome. Yet, traditionally, OT and IT security have been handled in their respective silos rather than with a holistic approach.
For example, air-gapping is a common technique deployed to try to increase the security of legacy OT systems, providing limited assurances of operational integrity and control. While techniques such as air-gapping provide a stop-gap security measure, various architectures allow connecting legacy OT to the internet for modern operational command and control. Specifically, 40% of industrial sites have at least one direct connection to the public internet, increasing their vulnerability.
Connected OT solutions carry intrinsic security challenges, challenges that could be significantly damaging for companies. Moreover, devices within OT systems lack an integrated capability for security management. Without an enterprise view of risks, companies lack an important enterprise capability for rapid threat detection and appropriate response.
But efficiently and effectively monitoring devices is not a lost hope. Devices in OT environments typically operate without human action and are modeled to ‘behave’ in a certain way. This programming means the algorithms can be reinterpreted as ‘behavior,’ and user entity behavior analytics (UEBA) can be deployed to increase security monitoring capabilities and SIEM integration.
How Behavioral Analytics Address Device Risks
Legacy threat detection solutions were not devised for connected OT systems and the age of big data. They required security teams to pour hours into maintaining static correlation rules and to identify new threats as they arose. Investigation proved similarly painful, requiring querying and pivoting amongst security and IT systems until analysts gathered enough evidence to manually create a timeline of events. Once analysts figured out what happened, they could contain and respond to the incident.
The challenge here is that each OT control point generates hundreds, if not thousands of logs per second, making it difficult to detect an adversary in the network.
UEBA provides a different approach by using analytics to build standard profiles and behaviors of users and entities across time and across peer groups. Activity that deviates from these baselines is presented as suspicious, and packaged analytics applied to these anomalies can help discover threats and potential incidents. UEBA solutions build baselines for user and entity profiles to identify normal activity, and they offer a way to systematically monitor the voluminous outputs from IIoT devices, along with IT devices, for potential security threats.
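The following is an added example, not code from the original article or from any UEBA product: a minimal, self-contained baseline-and-score routine of the kind the paragraph above describes. It learns, per entity, which operations a device performs and its peak event rate per minute, plus which operations its peer group performs, then scores later events against that profile. The log format, the IP addresses, the peer-group assignments and the operation names are all constructed for the example and are not any vendor's schema.

```python
"""Added example: a tiny UEBA-style baseline for OT devices.

All log lines below are constructed sample data. Format (an assumption
for this example): ISO timestamp,entity,operation,target
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed learning-window log: two HMIs polling two PLCs.
BASELINE_LOG = """\
2024-01-10T08:00:01,10.20.0.5,read_holding_registers,10.20.0.50
2024-01-10T08:00:02,10.20.0.5,read_holding_registers,10.20.0.50
2024-01-10T08:00:31,10.20.0.5,read_coils,10.20.0.50
2024-01-10T08:01:03,10.20.0.5,read_holding_registers,10.20.0.50
2024-01-10T08:00:05,10.20.0.6,read_holding_registers,10.20.0.51
2024-01-10T08:00:40,10.20.0.6,write_single_register,10.20.0.51
2024-01-10T08:01:10,10.20.0.6,read_holding_registers,10.20.0.51
"""

# Constructed events to score: a new op per entity, an unknown entity, and a burst.
NEW_LOG = """\
2024-01-11T08:00:01,10.20.0.5,read_holding_registers,10.20.0.50
2024-01-11T08:00:02,10.20.0.5,write_single_register,10.20.0.50
2024-01-11T08:00:03,10.20.0.6,write_multiple_coils,10.20.0.51
2024-01-11T08:00:04,10.20.0.9,read_holding_registers,10.20.0.50
""" + "".join(
    f"2024-01-11T08:02:{i:02d},10.20.0.6,read_holding_registers,10.20.0.51\n"
    for i in range(10)
)

# Constructed peer groups: the role each entity plays (assumption for the example).
PEER_GROUP = {"10.20.0.5": "hmi", "10.20.0.6": "hmi"}


def parse(log_text):
    """Turn the constructed CSV-like text into (datetime, entity, op, target) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, entity, op, target = line.split(",")
        events.append((datetime.fromisoformat(ts), entity, op, target))
    return events


def build_baseline(events):
    """Learn per-entity operation sets, per-entity peak events/minute, and per-group op sets."""
    ops = defaultdict(set)
    per_minute = defaultdict(Counter)
    group_ops = defaultdict(set)
    for ts, entity, op, _target in events:
        ops[entity].add(op)
        per_minute[entity][ts.strftime("%Y-%m-%dT%H:%M")] += 1
        group_ops[PEER_GROUP.get(entity, "unknown")].add(op)
    peak = {entity: max(counts.values()) for entity, counts in per_minute.items()}
    return {"ops": dict(ops), "peak_per_minute": peak, "group_ops": dict(group_ops)}


def score_events(baseline, events, rate_factor=3):
    """Return (entity, reason, detail) findings for events that deviate from the baseline."""
    findings = []
    per_minute = defaultdict(Counter)
    for ts, entity, op, _target in events:
        known_ops = baseline["ops"].get(entity)
        if known_ops is None:
            findings.append((entity, "unknown_entity", op))
            continue
        if op not in known_ops:
            group = PEER_GROUP.get(entity, "unknown")
            seen_by_peers = op in baseline["group_ops"].get(group, set())
            reason = ("novel_operation_for_entity" if seen_by_peers
                      else "novel_operation_for_peer_group")
            findings.append((entity, reason, op))
        minute = ts.strftime("%Y-%m-%dT%H:%M")
        per_minute[entity][minute] += 1
        # Alert once per minute, the moment the count passes rate_factor x the learned peak.
        if per_minute[entity][minute] == baseline["peak_per_minute"][entity] * rate_factor + 1:
            findings.append((entity, "rate_spike", minute))
    return findings


def run_demo():
    """Build the baseline from the constructed learning log and score the constructed new log."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score_events(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The peer-group check is what separates a mildly interesting finding (an HMI issuing a write that its peers routinely issue) from a more serious one (an operation no device in that role has ever performed), which is the kind of prioritisation the paragraph attributes to packaged analytics over raw anomalies.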
IT and OT Security Integrated with a Modern SIEM
As previously discussed, the limitations of both legacy and modern IIoT/OT/IoT solutions are inherent and persistent. But there are ways around them. If companies want to ensure the security and integrity of their business operations, they should avoid a “point solution” approach and opt for an integrated solution that combines UEBA and a modern SIEM platform to achieve an enterprise-wide view of IT and OT security. Centralizing monitoring in this way can lead to increased detection of threats, including difficult-to-detect techniques like lateral movement. The SIEM can ingest and analyze data from all of the organization’s sources, allowing one SOC team to have a real-time view of all security events and visibility across all devices in their OT environments.
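As an added illustration of the cross-source correlation the paragraph above argues for (this is example code, not the article's and not any SIEM vendor's), the block below joins a constructed corporate IT logon stream with a constructed OT command stream. A PLC write from an engineering station is normal on its own; the detection fires when the SIEM can trace a chain of recent remote-interactive logons onto that station from the IT network by an account that is not an expected OT operator. Hostnames, IPs, user names, the allow-lists and the simplified logon fields are all assumptions made for the example.

```python
"""Added example: correlating IT logon events with OT write commands in one place.

Both event streams are constructed sample data with simplified fields
(an assumption for this example, not a vendor schema).
"""
from datetime import datetime, timedelta

# Constructed Windows-style logon events: (ts, logon_type, user, src_ip, dst_host)
# logon_type 10 = remote interactive, 3 = network.
IT_LOGONS = [
    ("2024-01-11T09:10:00", 10, "svc_backup", "10.1.0.40", "10.1.0.23"),
    ("2024-01-11T09:11:30", 3, "jdoe", "10.1.0.23", "10.20.0.6"),
    ("2024-01-11T09:12:10", 10, "svc_backup", "10.1.0.23", "10.20.0.6"),
]

# Constructed OT events: (ts, src_ip, operation, plc)
OT_EVENTS = [
    ("2024-01-11T09:13:05", "10.20.0.6", "write_single_register", "10.20.0.51"),
    ("2024-01-11T09:13:06", "10.20.0.5", "read_holding_registers", "10.20.0.50"),
]

# Constructed allow-lists: hosts expected to write to PLCs and accounts expected to operate them.
ENGINEERING_STATIONS = {"10.20.0.6"}
OT_OPERATORS = {"jdoe"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def remote_logons_onto(host, before, window, logons):
    """Remote-interactive logons onto `host` in the `window` ending at `before`."""
    return [
        logon for logon in logons
        if logon[4] == host and logon[1] == 10
        and before - window <= parse_ts(logon[0]) <= before
    ]


def trace_chain(host, at, logons, window=timedelta(minutes=15), max_hops=4):
    """Walk backwards from `host` through recent non-operator remote logons.

    Returns the hops found, most recent first; an empty list means no chain.
    """
    chain = []
    current, cutoff = host, at
    for _ in range(max_hops):
        hops = [
            logon for logon in remote_logons_onto(current, cutoff, window, logons)
            if logon[2] not in OT_OPERATORS
        ]
        if not hops:
            break
        hop = max(hops, key=lambda logon: logon[0])  # most recent logon wins
        chain.append(hop)
        current, cutoff = hop[3], parse_ts(hop[0])  # continue from the logon's source
    return chain


def detect(ot_events, logons):
    """Flag PLC writes from unexpected hosts, or from expected hosts reached via an IT logon chain."""
    alerts = []
    for ts, src, op, plc in ot_events:
        if not op.startswith("write"):
            continue
        chain = trace_chain(src, parse_ts(ts), logons)
        if src not in ENGINEERING_STATIONS or chain:
            alerts.append({
                "plc": plc,
                "src": src,
                "op": op,
                "chain": [(logon[2], logon[3], logon[4]) for logon in chain],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(OT_EVENTS, IT_LOGONS):
        print(alert)
```

Neither stream would raise this on its own: the OT side sees a permitted station writing a register, and the IT side sees two ordinary remote logons. Only with both in one SIEM can the analyst see the write as the last step of a path that began on a corporate host, which is the "real-time view on all security" the article is asking for.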