Integrating intrusion detection into OT/ICS frameworks can build network activity visibility, detect potential risks

Building an intrusion detection system tailored for OT/ICS environments can help organizations improve the visibility of network activity and detect potential threats, especially across critical infrastructure installations facing increasing cybersecurity threats such as the Snake malware, the Volt Typhoon intrusions, and the CosmicEnergy OT malware. Such systems need to parse the industrial protocols used across OT (operational technology) networks, such as Modbus, DNP3, and EtherNet/IP, and to flag anomalous behavior that could indicate malware or unauthorized access attempts.

Intrusion detection systems monitor network traffic and analyze data to identify suspicious activity that could indicate a security threat. Deploying intrusion detection technologies within OT and ICS environments presents unique challenges due to real-time requirements, legacy protocols and systems, and specialized network architectures. 

These intrusion detection systems must be compatible with legacy and specialized protocols, and must understand and monitor those protocols closely enough to detect threats. They must deliver real-time threat detection without disrupting operations, and accommodate isolated network segments. Deployments must also minimize false alarms through behavioral baselining, tuning to the site, and, where it helps, machine learning.

By integrating a tailored intrusion detection system that addresses these considerations, OT and ICS organizations can gain improved visibility into network activity, detect threats from outside and inside the network, and respond to mitigate risks before they impact industrial processes and operations.
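The protocol-aware behavioral detection described above, as an added example that is not code from the original article or from any vendor named in it: a minimal Modbus/TCP parser feeding a detector that learns which (master, slave, unit, function) tuples are normal and then alerts on unbaselined writes, reconnaissance queries, and one signature-style rule for the Diagnostics sub-functions that silence a device. The hosts, addresses, and frames are constructed for the example; the function codes and MBAP layout are from the public Modbus specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes from the public Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # the codes that change process state
# Diagnostics (function 8) sub-functions that reset or mute a slave.
DISRUPTIVE_DIAG = {0x0001: "Restart Communications", 0x0004: "Force Listen Only Mode"}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    subfunction: Optional[int]  # only set for function 8
    address: Optional[int]      # starting coil/register for read and write functions


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    subfunction = address = None
    if function == 8 and len(payload) >= 10:
        subfunction = struct.unpack("!H", payload[8:10])[0]
    elif function in (1, 2, 3, 4, 5, 6, 15, 16) and len(payload) >= 10:
        address = struct.unpack("!H", payload[8:10])[0]
    return ModbusRequest(src, dst, tid, unit, function, subfunction, address)


class ModbusDetector:
    """Learned baseline of (master, slave, unit, function) tuples plus signature rules."""

    def __init__(self) -> None:
        self.baseline = set()

    @staticmethod
    def _key(req: ModbusRequest) -> Tuple[str, str, int, int]:
        return (req.src, req.dst, req.unit_id, req.function)

    def learn(self, req: ModbusRequest) -> None:
        self.baseline.add(self._key(req))

    def inspect(self, req: ModbusRequest) -> List[Tuple[str, str]]:
        """Return (severity, message) alerts; an empty list means the request looks normal."""
        alerts: List[Tuple[str, str]] = []
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        peer = f"{req.src} -> {req.dst} unit {req.unit_id}"
        # Signature rule: a Diagnostics sub-function that takes the slave offline.
        if req.function == 8 and req.subfunction in DISRUPTIVE_DIAG:
            alerts.append(("HIGH", f"{peer}: Diagnostics/{DISRUPTIVE_DIAG[req.subfunction]}"))
        if self._key(req) in self.baseline:
            return alerts
        # Behavioral rules: this tuple never appeared during the learning window.
        if req.function in WRITE_FUNCTIONS:
            alerts.append(("HIGH", f"{peer}: unbaselined {name} at address {req.address}"))
        elif req.function == 43:
            alerts.append(("MEDIUM", f"{peer}: device identification query from unbaselined host"))
        elif not alerts:
            alerts.append(("LOW", f"{peer}: unbaselined {name}"))
        return alerts


def mbap_frame(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed sample traffic)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed hosts and traffic; none of this comes from a real capture.
HMI, EWS, ROGUE, PLC = "10.1.1.10", "10.1.1.55", "10.1.1.99", "10.1.2.20"
BASELINE_TRAFFIC = [
    (HMI, PLC, mbap_frame(1, struct.pack("!BHH", 3, 0, 10))),                      # HMI polls registers 0-9
    (HMI, PLC, mbap_frame(1, struct.pack("!BHHB", 16, 100, 1, 2) + b"\x00\x2a")),  # HMI writes a setpoint
]
TEST_TRAFFIC = [
    (HMI, PLC, mbap_frame(1, struct.pack("!BHH", 3, 0, 10), tid=7)),       # normal poll
    (EWS, PLC, mbap_frame(1, struct.pack("!BHH", 5, 12, 0xFF00), tid=8)),  # new master forces coil 12 on
    (ROGUE, PLC, mbap_frame(1, bytes([43, 0x0E, 1, 0]), tid=9)),           # unknown host fingerprints the PLC
    (HMI, PLC, mbap_frame(1, struct.pack("!BHH", 8, 4, 0), tid=10)),       # Force Listen Only: PLC goes mute
]


def run_detector(baseline_traffic, traffic) -> List[Tuple[str, str]]:
    detector = ModbusDetector()
    for src, dst, frame in baseline_traffic:
        detector.learn(parse_modbus_tcp(src, dst, frame))
    findings: List[Tuple[str, str]] = []
    for src, dst, frame in traffic:
        findings.extend(detector.inspect(parse_modbus_tcp(src, dst, frame)))
    return findings


if __name__ == "__main__":
    for severity, message in run_detector(BASELINE_TRAFFIC, TEST_TRAFFIC):
        print(f"[{severity}] {message}")
```

Run against the constructed traffic, the normal HMI poll produces nothing, the engineering workstation's first-ever coil write and the unknown host's device-identification query are flagged, and the Force Listen Only request is caught by the signature rule even though it comes from the trusted HMI. A production sensor would key the baseline on more than the four-tuple (address ranges, polling cadence, values written), but the structure is the same: protocol dissection first, then a site-specific baseline, then a small set of known-bad signatures.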

In addition to intrusion detection systems, organizations must also have a comprehensive intrusion detection strategy that requires people and processes. Regular security audits and employee training help identify vulnerabilities before threats emerge. Establishing standardized response plans and integrating the intrusion detection systems with IT security systems enables effective incident response when issues do arise. 

As new threats develop, these intrusion detection systems and overall organizational security programs must continually evolve to consider people, processes, and technologies together as part of a holistic security program.

Industrial Cyber contacted cybersecurity experts to learn how ICS intrusion detection system vendors and end users adjusted to deal with threats arising from Snake, Volt Typhoon, and CosmicEnergy.

Mark Urban, vice president of product and industry market strategy at Dragos

When new threats emerge, often using already known techniques, intrusion detection systems need to evaluate their coverage quickly so they can adapt alerts for adversaries’ attacks on ICS/OT systems, Mark Urban, vice president of product and industry market strategy at Dragos, told Industrial Cyber. “Understanding the techniques and methods adversaries use is key to developing behavioral detections and updating indicators (hashes); it’s a continuous process to track threat groups and their TTP evolution – as well as to continue to look for new groups.”

Urban also mentioned that in ICS/OT, there are specialized threat groups with industrial-focused TTPs that are very different from IT. “Volt Typhoon and COSMICENERGY might not have gone unnoticed by end users in the case of a compromise, but it is still an opportunity to develop new robust behavioral detection based on recent information,” he added.

Chris Grove, chief security strategist at Nozomi Networks

“In most cases, cybersecurity defenses are funded according to the threats posed to them, the risks to the public, and the impact of not being available,” Chris Grove, director of cybersecurity strategy at Nozomi Networks, told Industrial Cyber. “Most of today’s critical infrastructure can withstand attacks from individual hackers, gangs of criminals, and terrorists. But, most are not funded to withstand a directed nation-state level attack with humans behind the attack instead of automated and easily detected tools, viruses, or worms.” 

Grove added that in the case of advanced persistent threats and their operations that are motivated and resourced enough to ‘live off of the land’ during a hacking incident, very few organizations and tools are equipped to defend against a tier-1 nation-state hacker team. 

“However, there are some things that operators do to increase chances of detecting and mitigating these types of APTs,” according to Grove. “First, by baking cybersecurity into the design of the system from day one, operationalizing the maintenance of the cybersecurity, and having increased visibility into everything happening. Anomaly Detection is particularly useful because signature matching products need an incident before a signature can be crafted, but hackers ‘living off the land’ are likely to cause a lot of network anomalies from their activities.”

Despite the sudden news blitz that occurs once a strike or breach is discovered, these attacks occur over a long period of time, Ilan Barda, founder and CEO at Radiflow, told Industrial Cyber. “Not only does it take time for threat actors to first penetrate and then navigate through a network, but it can also take weeks for other industries to recognize that they are vulnerable once a threat is published and take steps to implement appropriate mitigations.”

Ilan Barda, founder and CEO at Radiflow

Barda pointed out that considering the state of many intrusion detection systems (IDS) today, new intrusions may not be identified or may even be perceived as a false alarm, should they mimic or go around the IDS’s parameters. “Even if the IDS does trip an alarm and it is acknowledged by the CISO, you now know that the threat is already in the system, making it potentially too late to remediate. That’s not to say that IDSs aren’t crucial. They are only a piece in fighting OT cybersecurity threats, alongside continuous assessments, patching, and security mitigations,” he added.

In addition to the deployment of the intrusion detection systems, Barda recommends “staying up to date on threats, identifying how each one applies to a specific network and devices, then taking steps to mitigate the threat early on. From there, teams must simulate the attack across their network, allowing them to see the network impact, and business impact, and identify any threats during ‘peacetime.’”

Intrusion detection systems continuously monitor network traffic within the industrial environment, analyzing communication patterns and identifying anomalous behavior. The executives evaluate the challenges these systems face to address the latest wave of industrial malware.

“Traditional IDS products leverage signatures of known attacks to look for things on the network. Since there are so many possible signatures in the wild, and so many protocols they could occur in, some products specialize in certain areas, like focusing on web-facing HTTP, or industrial protocols,” Grove said. “Traditional IDS products really struggle in OT because they’re not capable of understanding the nuances of industrial control systems, the protocols used, the asset types, configurations, and even if they could, they lack the specialized hardware necessary to deploy on a ship, on a train, in a car factory, or a wastewater plant.” 

He added that specialized ICS cybersecurity products are typically used to solve this challenge.

“Industrial control systems (ICS) and operational technology (OT) environments are different worlds from IT. There are dozens of different system vendors, hundreds of different system types, and many hundreds of proprietary protocols,” Urban said. “Traffic patterns change constantly based on transient conditions. As such, simple anomaly-based detection engines built for less diverse, more predictable IT network traffic are ineffective in the OT world. The result can often be dashboards with an overwhelming number of events, where true threats get lost in the noise – or never detected at all.” 

Urban added that effectively analyzing and detecting threats requires detailed knowledge of industrial systems, their communications, and their commands to effectively identify threat activity. “This requires purpose-built technology to dissect the traffic and system communications, plus the intelligence to create proper detections based on past and emerging threats.”

Barda highlighted that intrusion detection systems are a great tool to identify a threat once it has banged down the door. “The challenge they face is that they are inherently limited to analyzing anomalous behaviors. In the recent discovery of Chinese-backed hackers attacking US infrastructure, actors were able to skirt the IDS by acting as a Windows administrator and using ‘normal’ activities to mask their actions.”

In some cases, Barda added that the IDS only monitors a part of the OT network, making malicious activity appear as normal activity within that zone. “So, it’s important to maximize the coverage of all network segments, IDS included.”

Most often, industrial malware is produced and propagated by state-sponsored actors targeting critical infrastructure. CosmicEnergy, for example, like INDUSTROYER2 before it, is malware designed to cause electric power disruption; both send IEC 60870-5-104 commands to remote terminal units.

The security experts assess how well utilities and critical infrastructure providers are positioned to deal with this nation-state malware threat. They also address whether the size of a company plays a factor in its ability to effectively respond to these threats.

“Utilities, companies, and operators have made great strides in working with authorities to bolster their OT security. However, the increased complexity of the systems they are onboarding is matched by the speedy adaptations made by attackers,” Barda said. “Addressing these challenges demands continuously updating software and monitoring all active vulnerabilities within a network, scanning for new threats and understanding the impact of an attack.”

He added that, of course, this is easier said than done. 

“Larger operators have the resources to build an internal OT security team, collecting and acting on information from threat feeds and insights gained from protecting multiple facilities,” according to Barda. “For smaller companies, this level of protection is only possible by working with an MSSP, outsourcing OT security to leverage their large wealth of capabilities. It is also worth noting that there are efforts by the industry to push for governments to provide up-to-date threat feeds to smaller operators; however, this seems to be stuck.”

The industrial sector has, in the past, under-invested in securing OT assets, especially when compared to IT systems, Urban said. “Some organizations are in good shape, but many are not. Regulations have helped spur action in some segments – NERC CIP for electrical utilities is a good example – but the complexity of regulatory requirements means that too many systems are still not protected adequately.”

“Newer regulations – in oil and gas, transportation, and country-specific regulations – have started to simplify the regulatory goals, creating a faster path to more effective protection,” according to Urban. “Smaller organizations often lack the expertise and financial resources. To address this gap, we established Dragos OT-CERT to provide free tools, education, and services for under-resourced organizations.” 

To better prepare and defend against threats, organizations should start with the SANS Five Critical Controls for effective OT security, Urban suggested. “SANS is a key educator in the space, and that work provides a streamlined set of controls that are more achievable, and align well with many of the newer regulations. The SANS Five Critical Controls address the need for IDS in the OT/ICS environment,” he added.

The executives also examine whether industrial environments are likely to transition from intrusion detection systems to intrusion prevention systems (IPS) soon. They further investigate what is preventing this transition and what needs to happen for it to occur.

Grove said that the cybersecurity product industry has already made that transition, as most of today’s products have integrations with leading firewall and switch vendors and can send a signal to end a session, turn down a switch port, or take other actions. “It’s up to the owner/operators to leverage this capability.” 

But, he added that they have been reluctant due to safety risks, complexities of troubleshooting, and other challenges when automating defenses in an industrial control network. “In IT, it’s easy to say, ‘if this workstation gets infected, shut it off,’ but in an industrial control system where the infected machine is the emergency stop button, we can’t just shut it off, there needs to be a safe shutdown procedure in place.”

“This gap is not surprising, considering how false responses and automatic actions can cause disturbances beyond what site managers will find tolerable,” Barda said. “The bottom line, there are simply too many gaps in OT IPS applications to be fully trusted.”

But, Barda added, that is not to say that “we haven’t seen a shift over time in that direction. What we have seen amongst our customers is that once an IDS is implemented and a baseline is formed, they implement a selective SOAR, fine-tuning which IPS responses are appropriate for various incidents.”

“For example, an abnormal event can close off all connections outside the facility, such as external connections or remote support, allowing for operations to activate a selective firewall instead of shutting down a facility,” according to Barda.

Urban said that for OT, a higher priority is placed on safety, reliability, and continuity of operations which makes active automated policies like IPS less than ideal in industrial environments. “If malware or a vulnerability is detected and a machine in an OT environment was automatically blocked or shut down, the risks for safety, reliability, and continuity increase,” he concluded.
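The selective response the three executives describe, as an added example that is not code from the original article or from any vendor named in it: a small playbook that maps an IDS alert to the most aggressive action that cannot itself disturb the process. Sessions from outside the plant are cut at the perimeter (Barda's example), anything involving an operator station, controller or safety system goes to a human with a safe-shutdown procedure (Grove's emergency-stop case), and only a non-critical in-plant host with a confident high-severity verdict is quarantined automatically. The zone labels, the inventory, the alert stream and the 0.8 confidence threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    ALERT_ONLY = "log and alert; no automatic action"
    BLOCK_EXTERNAL = "drop the session at the perimeter firewall (no effect on the process)"
    ISOLATE_HOST = "disable the source's switch port (host is not process-critical)"
    REQUIRE_APPROVAL = "page the on-shift operator; act only under a safe shutdown procedure"


@dataclass(frozen=True)
class Asset:
    ip: str
    zone: str               # constructed zone labels: "external", "enterprise", "control", "safety"
    process_critical: bool  # True if cutting this host off could disturb the physical process


@dataclass(frozen=True)
class Alert:
    source: str
    target: str
    severity: str     # "HIGH" | "MEDIUM" | "LOW", as reported by the IDS
    confidence: float  # 0.0 to 1.0, the IDS's confidence in its verdict
    category: str


@dataclass(frozen=True)
class Response:
    action: Action
    detail: str


HIGH_CONFIDENCE = 0.8  # assumed tuning threshold; derive it from your own false-positive history


def decide(alert: Alert, inventory: Dict[str, Asset], baseline_established: bool = True) -> Response:
    """Choose the most aggressive response that cannot itself hurt the process."""
    if not baseline_established:
        return Response(Action.ALERT_ONLY, "IDS baseline still forming; automation disabled")
    src: Optional[Asset] = inventory.get(alert.source)
    tgt: Optional[Asset] = inventory.get(alert.target)
    if src is None:
        # An unknown host may be a newly installed instrument; verify physically before acting.
        return Response(Action.ALERT_ONLY, f"{alert.source} is not in the asset inventory")
    # 1. Sessions from outside the plant can be cut without touching the control zone.
    if src.zone in ("external", "enterprise"):
        if alert.severity in ("HIGH", "MEDIUM"):
            return Response(Action.BLOCK_EXTERNAL,
                            f"deny {alert.source} -> {alert.target}; notify remote-support desk")
        return Response(Action.ALERT_ONLY, "low-severity external event; review manually")
    # 2. Never automate against operator stations, controllers or safety systems:
    #    the "infected machine" may be the emergency stop.
    if src.process_critical or src.zone == "safety" or (tgt is not None and tgt.zone == "safety"):
        return Response(Action.REQUIRE_APPROVAL,
                        f"{alert.source} or its target is process-critical; human decision required")
    # 3. A non-critical in-plant host with a confident HIGH verdict can be quarantined.
    if alert.severity == "HIGH" and alert.confidence >= HIGH_CONFIDENCE:
        return Response(Action.ISOLATE_HOST, f"quarantine {alert.source} ({alert.category})")
    return Response(Action.ALERT_ONLY, f"{alert.category} from {alert.source} below automation threshold")


# Constructed inventory and alert stream; none of it describes a real site.
INVENTORY = {
    "203.0.113.5": Asset("203.0.113.5", "external", False),  # remote vendor over VPN
    "10.1.1.10": Asset("10.1.1.10", "control", True),        # operator HMI, also the e-stop
    "10.1.1.55": Asset("10.1.1.55", "control", False),       # engineering workstation
    "10.1.2.20": Asset("10.1.2.20", "control", True),        # PLC
    "10.1.3.1": Asset("10.1.3.1", "safety", True),           # safety instrumented system
}
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "10.1.2.20", "HIGH", 0.9, "unbaselined_write"),
    Alert("10.1.1.10", "10.1.2.20", "HIGH", 0.95, "disruptive_diagnostics"),
    Alert("10.1.1.55", "10.1.2.20", "HIGH", 0.9, "unbaselined_write"),
    Alert("10.1.1.99", "10.1.2.20", "MEDIUM", 0.6, "device_id_scan"),
    Alert("10.1.1.55", "10.1.3.1", "HIGH", 0.9, "unbaselined_read"),
    Alert("10.1.1.55", "10.1.2.20", "MEDIUM", 0.5, "unbaselined_read"),
]


def run_playbook(alerts: List[Alert], inventory: Dict[str, Asset] = INVENTORY) -> List[Response]:
    return [decide(alert, inventory) for alert in alerts]


if __name__ == "__main__":
    for alert, resp in zip(SAMPLE_ALERTS, run_playbook(SAMPLE_ALERTS)):
        print(f"{alert.category:24} {alert.source:>13} -> {alert.target:<10} "
              f"{resp.action.name}: {resp.detail}")
```

The ordering of the rules is the point: the perimeter block comes first because it is safe regardless of what the target is, the process-critical check comes before any quarantine so that an alert about the HMI can never trigger a port shutdown, and nothing is automated at all until the IDS baseline has settled, which is the sequence Barda describes customers following.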
