In this week’s Whiteboard Wednesday, Scott King, Senior Director for Security Advisory Services at Rapid7, walks us through the basics of security monitoring in industrial control systems (ICSs), and how they’re different from security monitoring in traditional IT environments. It starts with three factors: CnC, if your machines are communicating to the internet (they shouldn’t be), and associated vulnerabilities.
Curious how to enlist our experts? Learn more about Rapid7 services.
Hi, my name is Scott King. I work for Rapid7. I head up our Strategic Advisory Consulting business.Show more Show less
One of the questions that we get from many of our customers in the Industrial Control Systems space is how they should be thinking about security monitoring. Unlike traditional IT environments, monitoring an Industrial Control System that works is much more static, largely because there is less dynamic user behavior inside of the ICS environment, whereas an IT environment has a lot of unpredictability in regard to interacting with email, interacting with websites, and other types of business functions and tasks that employees and users will have within the environment.
In an ICS environment, which you see, for the most part is machine to machine based behavior. Understanding that machine to machine base behavior is the trick. It is the number one key in understanding within your ICS systems. Whether you work in a manufacturing industry, you work in an energy industry, oil, natural gas, or even the amusement industry, and interestingly enough; the alcohol industry uses a tremendous number of ICS systems. Monitoring those environments and looking specifically at those types of communications coming from an ICS device; what kind of command and control communications are happening, when those communications are happening, and when they're not happening. Those are all very important things to be looking for, because if you're able to identify and recognize patterns outside of the norm, that's usually going to be an indication that something bad is occurring that you want to look at and explore further.
What you don't often see in Industrial Control System networks is direct communication to the Internet. While it does happen, it is rare. So those types of communications should not be occurring. That would also be an anomaly. When you're thinking about vulnerabilities in Industrial Control Systems Networks, unlike in a traditional IT environment where the first course of action is to remediate or mitigate through compensate or control of vulnerability that you discover; most ICS systems are in-operations and can't be taken down outside of normal maintenance windows, which sometimes occur only once or maybe once a year or maybe once every other year.
So in those environments, you are primarily relying upon air gap networks, one-way data controls, as well as the protection and the monitoring of those systems. So as you're formulating your strategy, as you're thinking through what's most important to monitor within your ICS environment; think anomaly based, and that's going to save you a lot of time and a lot of headache from trying to implement traditional IT based monitoring approaches that just will not work in those environments.
Well, that's it for this week's Whiteboard Wednesday. We'll talk to you next time.