Industrial control systems are fundamental to all industrial processes, from power generation to water treatment and manufacturing. ICS refers to the collection of devices that govern a process to ensure its safe and effective execution. These devices include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control systems like Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC).
A malfunction in any of these systems or the network in which they operate could result in the failure of the entire industrial process, with severe economic and public safety repercussions. Incorrect power distribution in an electrical transmission network, for instance, could impact the availability of electricity to residences, offices, and hospitals, among others. Similarly, a defective component that regulates the amount of chemical substances in a pharmaceutical manufacturing process could result in the manufacture of entire batches of dangerous compounds.
Initially, ICS had little resemblance to traditional information technology (IT) systems, and ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas, and the components themselves were not connected to IT networks or systems. Nowadays, widely available, low-cost IP devices have replaced proprietary solutions, a shift which has increased the possibility of cybersecurity vulnerabilities and incidents.
To streamline operations, corporations rely heavily on third parties such as contractors and suppliers. In all circumstances, connectivity increases productivity but introduces a new dimension of hazards, making the security of ICS networks essential. The shift in how industrial networks are managed and maintained makes it imperative for enterprises to monitor their infrastructure not only for cyberattacks but also for system abuse by third parties.
Why Do We Monitor?
By establishing a comprehensive monitoring architecture for the ICS network, organizations can mitigate these hazards and lower the risk to the production environment. With an effective monitoring infrastructure in place, organizations are not only able to discover problems at an earlier stage, but they can also reduce repercussions before significant damage is incurred and recover more rapidly from any type of incident.
Several industry recommendations, guidelines, and standards recognize the significance of monitoring ICS networks, among them the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards in the United States, the NIS Directive from the European Union, and America's Water Infrastructure Act (AWIA). These standards strive to prevent or mitigate the effects of well-known security incidents such as Stuxnet, WannaCry, TRITON, NotPetya, LockerGoga, and Ryuk.
In the words of NIST SP 800-82:
Monitoring, logging, and auditing activities are imperative to understanding the current state of the ICS, validating that the system is operating as intended, and that no policy violations or cyber incidents have hindered the operation of the system. Network security monitoring is valuable to characterize the normal state of the ICS, and can provide indications of compromised systems when signature-based technologies fail. Additionally, strong system monitoring, logging, and auditing is necessary to troubleshoot and perform any necessary forensic analysis of the system.
What Do We Monitor?
Before establishing any monitoring infrastructure or even adopting a particular solution, however, enterprises should evaluate their network and devices' exposure to risks and threats. During the assessment phase, a company must identify its most valuable assets and their vulnerabilities, as well as the threats and sources of those threats. An organization's threat sources may be external, such as foreign intelligence agencies, cyber-terrorists, and hacktivists, or internal, such as poorly trained or dissatisfied personnel, contractors, and vendors.
To successfully analyze risk, it is necessary to determine the potential impact and likelihood of any threat to an asset or network. The optimal course of action is to analyze high-impact threats and calculate the cost and effort necessary to recover production.
An additional challenge arises from the segregated nature of properly secured industrial networks. Deploying a single monitoring and information management system across multiple separated zones violates the security goals of those zones and introduces potential risk. The methods used to monitor and collect data must take into consideration network segregation. Therefore, centralized monitoring and management must be overlaid with appropriate security controls and countermeasures.
To manage the huge amounts of log and event data that monitoring network zones can produce, and the issues of widely distributed and segregated zones, information management best practices must be followed. NERC CIP 007-6 and NIST SP 800-82, as well as NIST SP 800-92 and NIST SP 800-137, describe these practices.
Supplement Cyber Monitoring with Data Historians
Although data historians do not monitor cyber-related activities, they can be a useful supplement to security monitoring by providing visibility into control system assets that may not be visible to typical network monitoring tools and by providing process efficiency and reliability data that can be useful for further security analysis. The operational data provided by a data historian makes it easier for security analysts to discover and trace threats that start in IT environments yet target OT systems, such as Stuxnet.
How Can Tripwire Help?
Tripwire can help provide visibility into, and reduce the operational risk from, industrial cybersecurity events with its log management and configuration hardening solutions. Tripwire Log Center captures and stores log events that are relevant to understanding the industrial network’s cybersecurity state and operations. It would not be unfair to think of Tripwire Log Center as a “cyber historian” for the industrial network.
A cyber historian like Tripwire Log Center performs five services for the industrial network: collection, storage, search, correlation and output. A cyber historian system should focus on the core requirements of collection and correlation but preserve the ability to deliver the log data to other systems—either in its entirety or filtered to specific events.
Log management is a best practice that is referenced by many ICS cybersecurity frameworks and regulations. This can prove valuable for discovering if there are any cyber events impacting—or with the potential to impact—the industrial process.
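The following is an added example, not Tripwire's code or any product's logic, showing the kind of correlation the two preceding sections describe: setpoint writes exported from a data historian are matched against authentication events collected from the ICS zone, and a write is flagged when its source host is not in the asset inventory, when no successful logon on that host precedes it within a short window, or when the value lies outside engineering limits. The historian records, log lines, approved host list, and limit table are all constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (not from the article): a historian export of
# setpoint writes (timestamp, tag, value, writing host) and syslog-style
# authentication events from the ICS zone.
HISTORIAN = [
    ("2024-03-01T08:00:05", "PUMP1.SETPOINT", 50.0, "hmi01"),
    ("2024-03-01T08:30:12", "PUMP1.SETPOINT", 52.0, "hmi01"),
    ("2024-03-01T09:15:40", "PUMP1.SETPOINT", 95.0, "eng02"),
    ("2024-03-01T10:02:00", "PUMP1.SETPOINT", 51.0, "10.0.5.77"),
]
SECLOG = [
    "2024-03-01T07:59:50 hmi01 AUTH_OK user=operator1",
    "2024-03-01T08:29:58 hmi01 AUTH_OK user=operator1",
    "2024-03-01T09:15:30 eng02 AUTH_FAIL user=admin",
    "2024-03-01T09:15:35 eng02 AUTH_OK user=admin",
]
APPROVED_HOSTS = {"hmi01", "eng02"}             # hypothetical asset inventory
SAFE_RANGE = {"PUMP1.SETPOINT": (40.0, 60.0)}   # hypothetical engineering limits

def parse_seclog(lines):
    """Parse 'timestamp host EVENT key=value' lines into dicts."""
    events = []
    for line in lines:
        ts, host, kind, *rest = line.split()
        user = rest[0].split("=", 1)[1] if rest else None
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "user": user})
    return events

def correlate(historian, seclog, window=timedelta(minutes=1)):
    """Return one finding per setpoint write that comes from an unknown host,
    lacks a supporting logon on that host, or lands outside engineering limits."""
    auth_ok = [e for e in parse_seclog(seclog) if e["kind"] == "AUTH_OK"]
    findings = []
    for ts, tag, value, host in historian:
        when = datetime.fromisoformat(ts)
        reasons = []
        if host not in APPROVED_HOSTS:
            reasons.append("write from host not in inventory")
        if not any(e["host"] == host and when - window <= e["ts"] <= when for e in auth_ok):
            reasons.append("no successful logon on writing host within window")
        lo, hi = SAFE_RANGE.get(tag, (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            reasons.append(f"value {value} outside engineering limits {lo}-{hi}")
        if reasons:
            findings.append({"ts": ts, "tag": tag, "host": host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in correlate(HISTORIAN, SECLOG):
        print(f["ts"], f["tag"], f["host"], "; ".join(f["reasons"]))
```

On the sample data, the two routine operator writes from hmi01 produce no finding, the out-of-range write from eng02 is flagged on value alone, and the write from the unlisted address is flagged twice.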
See how Tripwire Log Center simplifies log collection while enhancing your security and compliance posture. Get started today.