Industrial Control Systems (ICS) include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system configurations such as Programmable Logic Controllers (PLC). They are typically used in industries such as electric, water, oil and natural gas, transportation, chemical, pharmaceutical and manufacturing (e.g., automotive, aerospace). These control systems are vital to the operation of U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. Initially, ICS had little resemblance to traditional information technology (IT) systems, and ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas, and the components themselves were not connected to IT networks or systems. Nowadays, widely available, low-cost IP devices have replaced proprietary solutions, a shift which has increased the possibility of cybersecurity vulnerabilities and incidents. This integration supports new IT capabilities, but it provides significantly less isolation from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments because ICS have characteristics that differ them from traditional information processing systems.
Pillars of an Effective Cybersecurity Program
For the above reasons, there have been developed various ICS cybersecurity frameworks and regulations, such as IEC62443, NERC CIP, NIST SP 800-82 and American Water Works Association Process Control Network Security Guidance. These frameworks cater to best practices, which are the pillars for a strong industrial cybersecurity program. These best practices consist of:
- Identifying what systems need to be protected.
- Separating the systems logically into functional groups.
- Implementing a defense-in-depth strategy for each functional group.
- Controlling access into and between each group.
- Limiting the actions that can be executed within and between these groups.
Why Do We Monitor?
Once you have implemented the above-mentioned foundational security controls, organizations can advance their security posture by implementing continuous monitoring. Gary DiFazio, industrial security expert at Tripwire, says that this step can help organizations answer key questions about their industrial environments, which will thereby help you keep your industrial process running. As he explains in another blog post:
“Just like you have a SCADA to help optimize and control your industrial process, you need a 'SCADA'-like cybersecurity solution to help optimize and control visibility to industrial cybersecurity events and ensure the protective controls you have implemented are operating correctly. This is not a one-and-done activity. This needs to be performed continuously.”
In the words of NIST SP 800-82:
Monitoring, logging, and auditing activities are imperative to understanding the current state of the ICS, validating that the system is operating as intended, and that no policy violations or cyber incidents have hindered the operation of the system. Network security monitoring is valuable to characterize the normal state of the ICS, and can provide indications of compromised systems when signature-based technologies fail. Additionally, strong system monitoring, logging, and auditing is necessary to troubleshoot and perform any necessary forensic analysis of the system.
In addition, NERC CIP 007-6 provides the rationale that “security event monitoring has the purpose of detecting unauthorized access, reconnaissance and other malicious activity, and comprises of the activities involved with the collection, processing, alerting and retention of security-related computer logs. These logs can provide both (1) the detection of an incident and (2) useful evidence in the investigation of an incident. The retention of security-related logs is intended to support post-event data analysis.”
What Do We Monitor?
The first step of information analysis required data collection so as to create a healthy database to assess. Collecting evidence relevant to security requires knowing what to monitor and how to monitor it. Unfortunately, there is a lot of information that could be relevant to cybersecurity because there are unknown threats and instances of exploitation. Information that may not seem relevant today may be relevant tomorrow as new threats arise. The events triggering a real-time alert may change from day to day as system administrators and incident responders better understand the types of events that might be indications of a cybersecurity incident. In addition, the information that is being collected is overwhelming, consisting of millions of events in a single day with even higher rates during the event of an actual cyberattack. It is therefore necessary to assess which events, assets, applications, users and behaviors should be monitored. An additional challenge arises from the segregated nature of properly secured industrial networks. Deploying a single monitoring and information management system across multiple separated zones violates the security goals of those zones and introduces potential risk. The methods used to monitor and collect data must take into consideration the network segregation. Therefore, centralized monitoring and management needs to be overlaid with appropriate security controls and countermeasures. In order to deal with massive volumes of log and event data that can result from monitoring established network zones and the challenges of highly distributed and segregated zones, best practices in information management must be followed. These practices are included in NERC CIP 007-6, and NIST SP 800-82, as well as NIST SP 800-92 and NIST SP 800-137.
Supplement Cyber Monitoring with Data Historians
Although data historians do not monitor cyber related activities, they can be a useful supplement to security monitoring by providing visibility into control system assets that may not be visible to typical network monitoring tools and by providing process efficiency and reliability data that can be useful for further security analysis. The operational data provided by a data historian allow threats that originate in IT environments but target OT systems, such as the case of Stuxnet, to be more easily detected and tracked by security analysts.
How Can Tripwire Help?
Tripwire can help provide visibility and reduce operational risk for the potential impact from industrial cybersecurity events with its log management and configuration hardening solutions. Tripwire Log Center captures and stores log events that are relevant to understanding the industrial network’s cybersecurity state and operations. It would not be unfair to think of the Tripwire Log Center as a “cyber historian” for the industrial network. A cyber historian like Tripwire Log Center performs five services for the industrial network: collection, storage, search, correlation and output. A cyber historian system should focus on the core requirements of collection and correlation but preserve the ability to deliver the log data to other systems—either in its entirety or filtered to specific events. Log management is a best practice that is referenced by many ICS cybersecurity frameworks and regulations. This can prove valuable for discovering if there are any cyber events impacting—or with the potential to impact—the industrial process. Get started today. For more information regarding Tripwire Log Center visit tripwire.com/products/tripwire-log-center/.