Navigating challenges, technologies, collaborative strategies in industrial threat hunting for critical infrastructure

The landscape of industrial threat hunting has undergone significant evolution in recent years, driven by a confluence of technological advancements and escalating cyber threats. Industrial environments face unique challenges in threat detection and mitigation compared to other sectors, primarily due to the critical nature of infrastructure, legacy systems, and complex interconnected networks. The emergence of the Internet of Things (IoT) has further amplified these complexities, creating a vast attack surface.

Key technologies employed in industrial threat hunting include advanced analytics, machine learning, and anomaly detection, contributing to enhanced cybersecurity resilience. Proactive threat hunting plays a crucial role in industrial cybersecurity, distinguishing itself from reactive approaches by actively seeking out potential threats before they manifest. However, striking a balance between continuous monitoring and minimizing disruptions caused by false positives remains a challenge for industrial organizations.

Addressing the shortage of skilled professionals in threat hunting involves implementing training programs and leveraging automation tools. Effective strategies include collaboration and information sharing within the industrial cybersecurity community to stay ahead of evolving threats, fostering a collective defense against increasingly sophisticated adversaries. Overall, the evolution of industrial threat hunting necessitates a holistic and collaborative approach to safeguard critical infrastructure and systems.

Exploring evolution of industrial threat hunting

Industrial Cyber reached out to industry experts to evaluate how the landscape of industrial threat hunting has evolved in recent years, and what factors have contributed to this change. They also look into the specific challenges industrial environments face in threat detection and mitigation, compared to other sectors, when it comes to threat hunting.

Nathan Brubaker, Mandiant head of emerging threat and analytics at Google Cloud

Nathan Brubaker, Mandiant head of emerging threat and analytics at Google Cloud told Industrial Cyber that industrial threat hunting is still relatively new compared to threat hunting in traditional IT environments. “In recent years, it has experienced significant development due to the increased connectivity of industrial systems, the increasing sophistication of attacks targeting OT, and the increased recognition of risks.”

Brubaker said that when it comes to threat hunting, industrial environments pose several challenges compared to traditional IT environments. For instance, “there are operational constraints to consider so that threat-hunting procedures do not interfere with critical industrial processes. It is also common for OT environments to lack full system and network visibility, since many OT systems have limited logging capabilities and because many organizations have deployed only limited detection technology.” 

He added that industrial threat hunting also requires specialized knowledge, but specialists with expertise in IT security, OT security, and threat hunting are scarce.

Karl Scheuerman, senior director of threat hunting at Dragos

Industrial systems are increasingly interconnected with IT networks and the Internet and they employ more remote operations and monitoring, Karl Scheuerman, senior director of threat hunting at Dragos, told Industrial Cyber. “They’ve also moved towards more homogenous infrastructure using common software packages, network protocols, and facility designs. These shifts have expanded the attack surface, making previously isolated OT environments more vulnerable to cyber threats, and have exposed OT environments to new types of vulnerabilities and attack vectors. It is also easier for adversaries to create attacks that are repeatable across sites and industries,” he added.

“Cyber threats targeting OT environments have also become more sophisticated. Threat groups dedicated to executing cyber attacks on OT, specifically designed malware, and ransomware attacks impacting industrial operations have become more prevalent,” according to Scheuerman. “Geopolitical conflicts have driven an increase in state-sponsored cyber attacks targeting critical infrastructure with very specific objectives in mind, such as espionage or sabotaging operations. These advanced threats require a different, more advanced approach to threat hunting and response.”

Fortunately, Scheuerman added, in response to the increasing number of cyber attacks against OT, governments and regulatory bodies have granted more funding and implemented stricter cybersecurity standards for critical infrastructure, leading to a greater focus on proactive threat hunting and incident response capabilities.

“The development of new cybersecurity technologies specifically designed for industrial systems has enhanced the ability of organizations to detect and respond to threats in real-time,” according to Scheuerman. “The increase in awareness of OT cybersecurity risks and improved information sharing between industries, governments, and cybersecurity researchers has led to better preparedness and more effective threat hunting strategies.”

Role of essential technologies in industrial threat hunting

The executives discuss the essential technologies used in industrial threat hunting and their role in strengthening cybersecurity resilience. They also explore the challenges posed by interconnected industrial systems and the Internet of Things (IoT) in the context of threat hunting.

Organizations can employ several technologies for industrial threat hunting, such as network monitoring tools, endpoint detection and response (EDR) tools, security information and event management (SIEM) tools, and threat intelligence platforms, Brubaker said. “There are a lot of different products organizations can choose to use, some of which have been specifically developed for OT environments and others that were originally designed for traditional IT environments but that have now been adapted for use in OT environments.” 

He added that these tools contribute to cybersecurity resilience by providing increased visibility and contextual information.

Brubaker also identified that interconnected industrial systems and IoT devices can amplify the complexities of threat hunting by potentially expanding an organization’s attack surface and introducing a greater diversity of devices and protocols.

“The technologies used for threat hunting in IT environments are generally the same as what is used in OT with one exception – industrial environments require specialized security solutions designed for industrial control systems and SCADA systems,” Scheuerman said. “These tools understand the unique protocols and configurations of industrial systems and can detect anomalies specific to these environments.”

Proactive vs Reactive: Navigating landscape in industrial cybersecurity

The experts also provide insights into the significance of proactive threat hunting in industrial cybersecurity and its distinctions from reactive approaches. They further examine how industrial organizations manage the trade-off between continuous monitoring and the potential disruptions caused by false positives in threat detection.

Brubaker revealed that reactive approaches to threat hunting typically focus on responding to alerts or incidents after they occur. “While this is essential, the approach is limited by its dependence on existing knowledge of attacks. Proactive approaches to threat hunting assume that adversaries may have already penetrated defenses and seek to actively uncover those hidden threats using hypothesis-driven investigations and indicators of compromise (IOCs).”

He added that while maintaining continuous monitoring is crucial in industrial environments, organizations need to address false positives to avoid alert fatigue. “This can be accomplished by fine-tuning detection technologies and leveraging threat intelligence to understand the latest tactics and likely attack vectors to help focus on genuine threats.”

Proactive approaches continually and consistently seek out threats before they trigger alerts that rely on traditional security technologies, Scheuerman pointed out. “These proactive and continuous hunts aim for uncovering unknown and hidden adversaries before they are able to achieve their objectives and cause negative impacts.”

Due to the expertise required, proactive threat hunting is more resource-intensive, requiring specialized skills, according to Scheuerman. “Reactive approaches, in contrast, respond to threats after an incident has occurred, deal with known indicators and techniques, and often follow more established procedures.”

Scheuerman added that regularly updating and adjusting behaviorally focused hunting queries to the unique characteristics of OT environments, and integrating contextual information that can be used to correlate data from other sources, can help reduce false positives and thus maintain efficiency and efficacy.
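One way to put that point into practice, as an added example that is not from the article or from Dragos: a behaviour-focused hunt over constructed OT telemetry that uses asset-inventory and change-window context to separate leads worth an analyst's time from activity that is already explained. Host addresses, PLC names, action names and window data are all assumed.

```python
from dataclasses import dataclass

# Constructed context (assumed, not from the article): engineering hosts
# authorised to change each PLC, and approved change windows for outside parties.
AUTHORIZED_WRITERS = {"plc-01": {"10.0.1.10"}, "plc-02": {"10.0.1.10"}}
CHANGE_WINDOWS = [  # (plc, start_ts, end_ts, approved_host)
    ("plc-02", 1_000, 2_000, "10.0.9.50"),
]
# Actions that alter process state; reads are intentionally not hunted here.
STATE_CHANGING = {"write", "firmware_update", "stop_cpu"}


@dataclass(frozen=True)
class Event:
    ts: int       # epoch seconds
    src: str      # source host address
    plc: str      # target controller
    action: str   # decoded command category from a passive OT monitor


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    Event(900, "10.0.1.10", "plc-01", "write"),             # authorised engineer
    Event(1_500, "10.0.9.50", "plc-02", "firmware_update"), # vendor, inside window
    Event(2_500, "10.0.9.50", "plc-02", "write"),           # same vendor, window closed
    Event(3_000, "10.0.1.77", "plc-01", "read"),            # read: out of scope
    Event(3_100, "10.0.1.77", "plc-01", "stop_cpu"),        # unknown host stops CPU
]


def in_change_window(ev, windows):
    """True when ev falls inside an approved window for that PLC and host."""
    return any(p == ev.plc and s <= ev.ts <= e and h == ev.src
               for p, s, e, h in windows)


def hunt_state_changes(events, authorized=AUTHORIZED_WRITERS, windows=CHANGE_WINDOWS):
    """Behaviour-based hunt: state-changing commands from non-authorised hosts.

    Returns (leads, suppressed). Leads need analyst review; suppressed events
    were explained by a change window and are kept for audit, not alerting.
    """
    leads, suppressed = [], []
    for ev in events:
        if ev.action not in STATE_CHANGING:
            continue
        if ev.src in authorized.get(ev.plc, set()):
            continue
        if in_change_window(ev, windows):
            suppressed.append((ev, "approved change window"))
        else:
            leads.append(ev)
    return leads, suppressed
```

Running it on the sample leaves two leads: the vendor host writing after its window closed, and an unknown host issuing a CPU stop.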

Strategies for tackling the skills shortage across industrial environments

The executives address how industrial organizations are addressing the shortage of skilled professionals in threat hunting, and what strategies are proving effective. They also discuss the importance of collaboration and information sharing within the industrial cybersecurity community to address evolving threats. 

Brubaker highlighted that the gap between the demand for skilled threat hunters in industrial environments and the available talent is a major challenge. “Organizations are addressing this by upskilling existing cyber security and OT staff members, leveraging managed security services providers (MSSPs) with OT expertise, and by leveraging security tools and automation to offset dependencies on skilled professionals.” 

He further pointed out that collaboration is vital in the face of evolving threats in industrial cyber security. “By sharing information, we can expand the threat awareness in the industrial cyber security community and leverage collective expertise.”

“Hunting for threats in OT environments requires specific knowledge of how OT systems operate and how cyber adversaries operate within them,” Scheuerman said. “Most organizations are looking first to their IT-focused cybersecurity personnel to hunt for threats with OT objectives in IT networks before they can pivot to OT. But that is not going to be enough, and for organizations looking to hire, there is no way of getting around a limited number of skilled professionals.” 

Scheuerman also pointed out that what “we’re seeing is that this helps our customers ramp up their security operations much faster, they’re able to get the skills they need, and with reach back into an entire ecosystem of OT cybersecurity professionals. This type of partnership provides substantial peace of mind.”
