Rising focus on threat response, anomalous behavior to address ICS threat detection within organizations

Organizations increasingly find that they must safeguard their critical infrastructure installations against cyber threats and attacks while also extending their ICS threat detection mechanisms. Beyond maintaining an accurate understanding of the relevant cyber threats, they need to carry out rigorous security testing and threat detection and response on a regular basis, and to surface anomalous behavior as early as possible so that appropriate countermeasures can be rolled out.

Cyber threat intelligence (CTI) for the OT (operational technology) environment relies heavily on context to detect, describe, and mitigate threats, because threats differ across industry verticals. That context is shaped by the defense-in-depth (DiD) posture of a given installation, the components used in it, and the systems that make up its IT and OT infrastructures. The same context also informs how an organization measures ICS (industrial control system) visibility, detection, and response, all of which are paramount for the industrial automation and process control systems that run on OT networks.

Threat intelligence provides technical and policy recommendations customized for, and based on, the context of the threat. It covers detective guidance to help identify breaches in an environment, policy guidance to secure against potential disruption, detailed threat behavior, data collection suggestions to support effective detection, and threat scope and impact details that support risk-based strategic decision-making. Threat detection approaches can be summarized as configuration-based, modeling (anomaly-based), indicator-based, and behavioral analytics.

Indicators of compromise (IOCs) are technical pieces of information used to enable threat detection, typically IP addresses, domain names, file names, and file hashes; Security Information and Event Management (SIEM) tools match them against collected logs and raise alerts for the security operations center. Threat behavior analytics, by contrast, identify system or user actions that indicate suspicious or malicious activity and draw on contextual knowledge of the environment. Behavioral analytics can lower the total cost of ownership by improving the ratio of true positives to false positives, which remains a challenge for current machine-learning and anomaly-based approaches.
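As an added illustration of the two detection styles described above (this is not code from any of the organizations quoted in this article), the following Python runs an exact indicator match and a behavior rule side by side over a few constructed OT log lines. The indicator values, host addresses, approved-writer list and the `key=value` log format are all hypothetical.

```python
"""Indicator-of-compromise matching next to a behavior-analytic rule.

Added example run over constructed OT log lines; the indicator values,
hosts and log format are all hypothetical.
"""
import re

# Constructed indicators: an address from the TEST-NET-3 documentation range
# and a made-up MD5. A real SIEM would load these from a threat feed export.
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {"9e107d9d372bb6826bd81d3542a419d6"}

# Behavior rule inputs: Modbus/TCP function codes that change PLC state, and
# the (assumed) engineering workstation permitted to issue them.
MODBUS_WRITE_CODES = {5, 6, 15, 16}
APPROVED_WRITERS = {"10.10.1.20"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed 'key=value ...' record into a dict."""
    fields = dict(_KV.findall(line))
    if "func" in fields:
        fields["func"] = int(fields["func"])
    return fields


def match_iocs(ev):
    """Indicator detection: exact match against known-bad atoms only."""
    hits = []
    if ev.get("src") in IOC_IPS or ev.get("dst") in IOC_IPS:
        hits.append("ioc:ip")
    if ev.get("hash") in IOC_HASHES:
        hits.append("ioc:hash")
    return hits


def behavior_alerts(ev):
    """Behavior detection: a state-changing Modbus write from any host that
    is not an approved engineering workstation, whether or not the host is
    on an indicator list."""
    if (ev.get("proto") == "modbus"
            and ev.get("func") in MODBUS_WRITE_CODES
            and ev.get("src") not in APPROVED_WRITERS):
        return ["behavior:unapproved-plc-write"]
    return []


def detect(lines):
    """Return (line_number, reason) pairs for every line that alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        for reason in match_iocs(ev) + behavior_alerts(ev):
            alerts.append((n, reason))
    return alerts


# Constructed sample log: a normal read and write from the engineering
# workstation, a write from an unknown host, an inbound connection from an
# indicator IP, and a file transfer whose hash is on the indicator list.
SAMPLE_LOG = [
    "src=10.10.1.20 dst=10.10.2.5 proto=modbus func=3",
    "src=10.10.1.20 dst=10.10.2.5 proto=modbus func=16",
    "src=10.10.3.77 dst=10.10.2.5 proto=modbus func=6",
    "src=203.0.113.45 dst=10.10.1.20 proto=tcp",
    "src=10.10.1.20 dst=10.10.1.30 proto=smb hash=9e107d9d372bb6826bd81d3542a419d6",
]

if __name__ == "__main__":
    for n, reason in detect(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The third line is the one worth noticing: the writing host appears on no indicator list, so only the behavior rule catches it, while the indicator matches on lines four and five need the feed to already know those atoms.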

Threat intelligence data must be complete, accurate, relevant, and timely. Analysis of such data can be used to scrutinize information, harden cyber defenses, and improve the ways an organization anticipates, prevents, detects, and responds to cyber-attacks. Together these components give critical infrastructure environments sufficient detail to enable a proper response: with the right information, ICS threat detection helps the organization zero in on relevant threats and carry out the necessary mitigation measures. Such data must also be produced and made available quickly enough that it can be acted upon while it still makes a difference.

Industrial Cyber reached out to industry experts to determine how the critical infrastructure sector approaches ICS threat detection in the evolving threat landscape. The experts also look into how a threat is determined, how its impact on the organization is assessed, and how appropriate action to mitigate the threat is decided in both the near and mid term.

Critical infrastructure organizations view ICS threats as any unmitigated cyber vulnerability that can disrupt, damage, or destroy an asset, Rob Nolan, expert associate partner at McKinsey & Co., told Industrial Cyber. “When assessing impact, an organization could examine if the threat can be solved through hygiene (i.e., patching), the level of access required to reach the vulnerable system/device/software (e.g., is it remotely accessible, or secure behind several firewalls with isolated access?), etc., then begin the process of immediate remediation.” 

Rob Nolan, expert associate partner at McKinsey & Co.

Nolan said that the near term could either be to patch and/or disable remote connectivity. “Mid-term (assuming near-term action has been taken), begin the process of performing cyber crisis response drills with relevant teams for ICS, including tabletop exercises, defining roles and responsibilities, awareness of cyber threats, and building common footing between operators and cyber practitioners, in addition to deploying ICS-specific threat monitoring and intrusion detection solutions,” he adds.

Ben Miller, vice president of services at Dragos

“It’s important to understand that ‘Critical Infrastructure’ is an umbrella term made of many industries that are deemed critical to society and national security,” Ben Miller, vice president of services at Dragos, pointed out to Industrial Cyber. “It’s important to understand each industry has its challenges and really its own evolving landscape. The advantage of collaborating across critical infrastructure industries is that their equipment and systems used often span many, so a lesson learned in one industry can be adopted into another.”

For instance, in 2017, an ICS-focused malware strain was written to attack a safety system and was used to disrupt an oil refinery overseas, according to Miller. “This disruption luckily didn’t lead to a human safety event, though it’s very possible. The safety system that was attacked in this scenario is used across many verticals including electric, water, chemical, and other sectors. While such attacks are slowly increasing over time, they do give asset owners scenarios to plan and design around,” he adds.

“Determining what is a threat can vary slightly between organizations as one activity may be common for one, yet suspicious for another,” Ilan Barda, founder and CEO at Radiflow, told Industrial Cyber. When it comes to detection for the critical infrastructure sector, threats are detected by implementing cybersecurity tools on the OT network – most of which are some sort of IDS and/or firewall. The alerts from these tools flow directly into a Security Operations Center (SOC), where the analyst should correlate them with the recent threat information feeds, he adds.

Ilan Barda, founder and CEO at Radiflow

Barda said that there are two ways to approach proper threat detection, response, and mitigation. “The tactical approach involves an all-hands-in approach where teams rely on playbooks and manual prioritization. From there, teams can conduct short-term mitigation (shut down access, limit operation, etc.) and/or long-term mitigations (ex: implementing multi-factor authentication on remote access),” he adds. 

The second technique is a holistic approach that will see a company rely on a trusted cybersecurity partner/consultant to audit their network and identify threats without bringing operations to a halt, according to Barda. “This should be preferably done on a periodic basis and not as a one-time exercise as the threat landscape always evolves. Being separate approaches, they can still both be used simultaneously, providing critical protection and ensuring nothing falls through the cracks,” he adds.

Given the prevailing threat landscape, it is imperative to analyze the strategic steps and tactical actions that the critical infrastructure sector must adopt when it comes to tackling ICS threat detection across cyber-physical systems. 

“Strategically, the first step is to ensure the team accountable for cybersecurity understands the processes within the ICS environment,” Nolan said. Mapping critical processes back to physical systems creates an immediate picture of operations and what operational integrity looks like, while also creating the opportunity to establish proper security boundaries between operational environments (ICS) and the enterprise network. Tactically, begin the process of deploying ICS-specific threat monitoring solutions, he adds.

Miller said that historically, most asset owners do not start their security programs within their most critical industrial environments and move outward, but the opposite. “They start at the enterprise and then extend outward, in many cases the security programs actually stop before getting into the industrial environments. This is backward to what most people expect, but the industry is making improvements,” he adds. 

“The first step is understanding what is occurring within industrial environments through ICS specific security controls that understand industrial equipment, protocols, and how they communicate,” according to Miller. “It’s key to understand what is normal or expected to quickly assess if an activity is potentially malicious. You can only do that by proactively deploying these tools ahead of an attack.” 

More strategically, business owners often do not understand the risks that are unique to ICS security – it’s often not about data loss but instead human safety and business disruption, Miller said. “Building this understanding with key officers such as general counsel, risk committees, and board members, is critical to building the business case and alignment that’s needed to tackle these big challenges,” he adds.

“There are a number of both strategic and tactical approaches that organizations must take to tackle ICS threat detection on cyber-physical systems,” Barda said.

Addressing the strategic approach needs, Barda suggests that organizations begin by building an OT cybersecurity program in all facilities, form an alliance within the enterprise – have stakeholders become more involved in building out their cybersecurity program. “This will allow for the planning of a cross-organization remediation effort to identify and respond to any attacks. Ultimately, it’s a matter of if and not when. Having stakeholders involved keeps them prepared to remediate any attack,” he adds.

“Once a long-term plan is in place, secure a multi-year budget,” Barda said. He also said that organizations must “choose strategic partners who can help along the way with knowledge in OT/ infrastructure and experience in protecting operations without introducing bottlenecks. Map business-side priorities. Choose the company’s champion, and conduct a successful pilot program.”

Moving over to the tactical approach, Barda cited risk assessment to understand the current cybersecurity posture at critical sites and within critical machinery, maintain a high level of visibility and produce a mitigation prioritization plan, produce an initial detection and first response plan, and analyze which assets are most critical to the company’s bottom line. “Consider how you would evaluate if a new threat is relevant to your facilities: Do you need to take action? Are new controls and processes needed?” he queries.

Connected environments increasingly need mechanisms that assist with ICS threat detection across critical infrastructure. For example, machine learning algorithms that automatically learn the process dynamics and control strategies of a plant can give an organization a foundation on which to build and structure its cybersecurity posture with such tools and techniques.

“Machine learning and computational intelligence play a critical role in differentiating between an operational integrity event and a cybersecurity anomaly (e.g., the device moves away from its expected behavior, anomalous state),” Nolan said. “Models improve with proper supervision, tuning, and retraining,” he adds.
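Miller's point above about first learning what is normal, and Nolan's point that models need supervision, tuning and retraining, can be shown concretely. The following added Python (not code from Dragos, McKinsey or Radiflow) builds a baseline of Modbus conversations from a training window that operators have confirmed as normal, scores later events against it with a severity tied to whether the event would change controller state, and lets an analyst accept a flagged event so it stops alerting. The addresses, function codes and the `key=value` log format are constructed.

```python
"""Learn what is normal on an OT segment, then score later traffic against it.

Added example, not a vendor tool: the hosts, function codes and the
'key=value' log format are constructed.
"""
import re
from collections import Counter

_KV = re.compile(r"(\w+)=(\S+)")
# Modbus function codes that change controller state.
WRITE_CODES = {5, 6, 15, 16}


def parse_line(line):
    """Parse one constructed 'key=value ...' record into a dict."""
    ev = dict(_KV.findall(line))
    if "func" in ev:
        ev["func"] = int(ev["func"])
    return ev


def conversation(ev):
    """The tuple treated as one kind of conversation."""
    return (ev["src"], ev["dst"], ev["proto"], ev.get("func"))


def build_baseline(lines):
    """Count every conversation seen during a window operators confirmed as normal."""
    baseline = Counter()
    for line in lines:
        baseline[conversation(parse_line(line))] += 1
    return baseline


def score(baseline, line):
    """Return (severity, reason) for one event.

    'none' : the identical conversation was in the baseline
    'high' : source host never seen, or a host's first state-changing
             write to this device
    'low'  : known host, new but non-writing conversation
    """
    ev = parse_line(line)
    if conversation(ev) in baseline:
        return ("none", "seen-in-baseline")
    known_hosts = {h for src, dst, _, _ in baseline for h in (src, dst)}
    if ev["src"] not in known_hosts:
        return ("high", "unknown-source-host")
    if ev.get("func") in WRITE_CODES:
        wrote_before = any(s == ev["src"] and d == ev["dst"] and f in WRITE_CODES
                           for s, d, _, f in baseline)
        if not wrote_before:
            return ("high", "first-write-to-this-device")
    return ("low", "new-conversation-for-known-host")


def accept(baseline, line):
    """Operator feedback: the flagged event is expected; fold it into the baseline."""
    baseline[conversation(parse_line(line))] += 1


# Constructed training window: engineering workstation 10.10.1.20 reads and
# writes PLC 10.10.2.5; HMI 10.10.1.21 only polls both PLCs. Repeated to
# resemble the many polls a real window would contain.
TRAINING = [
    "src=10.10.1.20 dst=10.10.2.5 proto=modbus func=3",
    "src=10.10.1.20 dst=10.10.2.5 proto=modbus func=16",
    "src=10.10.1.21 dst=10.10.2.5 proto=modbus func=3",
    "src=10.10.1.21 dst=10.10.2.6 proto=modbus func=3",
] * 50

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for line in [
        "src=10.10.1.21 dst=10.10.2.5 proto=modbus func=3",   # normal poll
        "src=10.10.1.21 dst=10.10.2.6 proto=modbus func=4",   # new read code
        "src=10.10.1.21 dst=10.10.2.5 proto=modbus func=6",   # HMI starts writing
        "src=10.10.1.20 dst=10.10.2.6 proto=modbus func=16",  # EWS writes to new PLC
        "src=10.10.9.9 dst=10.10.2.5 proto=modbus func=3",    # unknown host
    ]:
        print(score(base, line), line)
```

The severity split is the tuning Nolan refers to: a known HMI issuing a new read function code is a low-priority deviation an analyst may simply accept, whereas the same HMI issuing its first write, or an engineering workstation writing to a controller it never touched before, is the kind of operational change that is a cybersecurity anomaly until proven otherwise.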

Barda said that any mechanism designed to assist with ICS threat detection requires an ongoing awareness of popular threats that are impacting similar facilities. These include having a cyber analyst perform both manual and automatic queries and who preferably relies on AI models to analyze the relevance of new feeds.

“What they find can then be played out using machine learning patterns to understand each attack’s impact on relevant zones,” according to Barda. “An example of this is understanding how ‘Attack A’ may be an inconvenience for Facility #1, but the same attack would result in a failure in Facility #2. This same capability will help cybersecurity teams minimize time to detection (TTD) and time to response (TTR), should an attack occur.”

Barda also cited a real-world instance of how this mechanism would be implemented with SOC alert prioritization and handling, based on a prior risk assessment.

For example, there are software tools available that can conduct a full multi-facility risk assessment to determine which zones receive the highest prioritization, according to Barda. “This can be based on discovered vulnerabilities or understanding which facility has the greatest business impact should it be taken offline due to an attack. Once this is understood, teams can conduct an OT-BAS in a virtual environment to properly mitigate against potential vulnerabilities. From there, they can use machine learning technology to establish a network traffic baseline and activate alert correlations with the IT security controllers,” he adds.

Beyond the guidance in NIST SP 800-82, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has partnered with Idaho National Laboratory and energy companies on a research initiative to enhance energy sector detection of anomalous behavior in OT networks that could indicate malicious cyber activity.

Asked about the processes that other critical infrastructure sectors have in place and that are serving their purpose, Nolan said “we’ve seen many different CI sectors leverage similar technologies and processes when addressing cybersecurity within their operational technology networks (e.g., manufacturing, mining, high technology to name a few).”

“Currently the NIST 800-82 guidance is over 300 pages yet the section on threat detection in OT is only 7 pages,” Dragos’ Miller said. “The community needs OT-specific threat detection tools and they need to be in place prior to an incident.”

Miller said stronger guidance on threat detection and response within OT/ICS is needed, and that CESER is in a great position to offer it. “This wouldn’t just be applicable for the energy sector but for any organization that owns and operates industrial environments.”

Barda said that in the past when attacks on OT facilities and infrastructure were less common, companies protected their assets to meet the minimal government requirement. “Today, they are doing so out of a business need that will allow the organization to continue meeting market demand in the face of an attack. To protect both modern and legacy systems, companies have no choice but to invest in scanning and understanding each endpoint’s vulnerabilities. However, since patching can’t be done frequently on OT assets, there needs to be a risk-based approach to prioritizing the vulnerabilities and determining the ideal mitigation techniques,” he adds.
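The risk-based prioritization that Nolan describes earlier (is the issue patchable, how much access is needed to reach it) and that Barda describes here and in his earlier remarks (which zone hurts the business most when it goes down, patching rarely being possible) can be written down as a small scoring model. The following added Python is an illustration rather than any standard's or vendor's formula; the zones, findings, exposure and impact weights, and the mitigation wording are all constructed.

```python
"""Risk-based prioritization of OT findings when patching is rarely possible.

Added example: the zones, findings, weights and recommendations are
constructed for illustration and are not any standard's formula.
"""
from dataclasses import dataclass

# How reachable the vulnerable asset is (constructed weights).
EXPOSURE = {"internet": 1.0, "enterprise": 0.6, "ot-only": 0.3, "isolated": 0.1}

# Business impact of an outage in each zone, 0..1 (constructed; in practice
# this comes from the risk assessment of which sites hurt the bottom line).
ZONE_IMPACT = {"refinery-sis": 1.0, "boiler-control": 0.8, "packaging": 0.3}


@dataclass(frozen=True)
class Finding:
    zone: str
    asset: str
    issue: str
    severity: float      # 0..10, e.g. a CVSS base score
    exposure: str        # key into EXPOSURE
    patchable: bool      # vendor fix exists AND the asset can be taken down for it
    remote_access: bool  # reachable over a remote-access path


def risk_score(f):
    """Technical severity scaled by reachability and by what an outage costs."""
    return round(f.severity * EXPOSURE[f.exposure] * ZONE_IMPACT[f.zone], 2)


def recommend(f):
    """Near-term mitigation: patch if you can, otherwise cut the access path."""
    if f.patchable:
        return "patch at next maintenance window"
    actions = []
    if f.remote_access:
        actions.append("disable or gate remote access (MFA, jump host)")
    if f.exposure in ("internet", "enterprise"):
        actions.append("move behind the OT firewall, restrict to engineering VLAN")
    if not actions:
        actions.append("monitor with ICS-aware IDS and accept residual risk")
    return "; ".join(actions)


def prioritize(findings):
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings.
FINDINGS = [
    Finding("packaging", "line HMI", "outdated embedded web server",
            7.5, "internet", patchable=True, remote_access=False),
    Finding("refinery-sis", "safety controller",
            "engineering protocol accepts unauthenticated logic download",
            9.0, "ot-only", patchable=False, remote_access=True),
    Finding("boiler-control", "PLC", "authentication bypass in management service",
            8.0, "enterprise", patchable=False, remote_access=True),
    Finding("packaging", "historian", "weak service account password",
            5.0, "ot-only", patchable=True, remote_access=False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):5.2f}  {f.zone:15} {f.asset:18} -> {recommend(f)}")
```

The ordering is the point: the internet-facing packaging HMI has a higher raw severity than the safety controller, but once business impact and reachability are folded in it drops below both unpatchable controllers, and for those the near-term answer is to remove the remote-access path rather than wait for a patch window.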

For some industries, this may be more straightforward than others, Barda highlighted. “One example is rail networks which are bringing together the monitoring of individual systems by understanding what is best for the technology being used – one tool for securing the power and facility systems and another for the rail signaling systems. What’s important is they are bringing alerts into one centralized platform, so they can see what is happening across their full network in one place,” he adds.

“Water infrastructure systems, on the other hand, demand public-private cooperation but lack the funding needed to increase their landscape awareness,” according to Barda. “For them, the focus is on value, implementing impactful systems where they matter most while still going beyond the basic regulation and compliance requirements. This can probably be best implemented by MSSPs that are focused on this niche market. Ultimately, it’s about protecting key assets using the resources that an organization has available,” he concluded.
