So, yeah, I think I'll start off by talking about some of the definitions, because I've got a lot of acronyms. But we live in an acronym-laden world, so that's probably no surprise. Then I want to dive into some of the methods and technologies that can be used to help protect ICS environments, industrial control systems.
And then wrap it up in about five minutes here. So: OT, operational technology; industrial control systems; critical infrastructure systems; and Internet of Things. I thought it'd be good to start with a Venn diagram. They're always fun to look at, and this is a good way to show where the overlaps are.
OT, operational technology, is kind of the broadest category we have here, and it contains both ICS and CIS, industrial control systems and critical infrastructure systems.
Some of the kinds of machines and assets that are used can be common between these different types of environments, including SCADA nodes, the supervisory control nodes, human-machine interfaces, programmable logic controller nodes, sensors, and then increasingly we see the use of IoT sensors, generally lower-cost sensors that can work on IP networks, and they can be used in these different kinds of environments.
Critical infrastructure is more, well, critical infrastructure: utilities and things like that.
ICS is generally more on the commercial side. I've got a list of how they break down here. We'll go into that a bit more on this slide.
So for critical infrastructure, think of smart cities, transportation, also power generation and distribution, utilities, water treatment facilities, things that are often operated at a municipal or state level. And that's sort of different from what we think of for industrial controls, which are often manufacturing and warehouse kinds of applications.
Some automatic slide movement I wasn't expecting.
And then on the IoT side, these sensors can be in common between different kinds of environments like agriculture, temperature sensors; automotive, including connected car use cases; fleet management for trucks and ships and planes; retail environments. And then medical. Medical IoT is an up-and-coming and fast-growing area as well.
And this can cover not only clinic and hospital equipment, things like MRIs and CAT scanners, but also portable medical devices, sensors that patients might carry home and wear, patient carts in hospitals, different kinds of equipment, anything that can have an IP address and report back to some sort of medical management solution. So you see that the range of services here is quite wide.
So now that we've covered the definitions, let's look at all the different kinds of tools and technologies that can be used to help secure these disparate environments. First up, we need to figure out, well, what do you need for security at a very high level, conceptually? You need to be able to inventory the machines or the equipment that you have, and provide access controls.
And we've talked about zero trust a number of times over the last couple of days, and it's a concept that works equally well here. Security operations center monitoring: monitoring all the things that go on in the ICS environment, integrating that potentially with enterprise IT, or running that separately and having dedicated SOCs for industrial control environments.
Once detections are made, then you need to be able to respond to them, and there are different kinds of tools that can handle the response side. And then also deception.
And we'll drill down into these in a bit here. First up, inventory. You can't protect it if you don't know that it exists. You can't emphasize enough how important it is to really know what's in your environment.
There are a couple of major ways of doing this. You can have passive inventory systems that listen over the air or on the wire for communications and then figure out, well, what are these machines, what are the sources of this communication, what are they doing? And there are active methods, which are periodic querying. You may set up a node on different subnets and query all the addresses in that subnet to be able to figure out what the machines in there are and what they're doing.
To do this, you need a protocol-level understanding. The protocols that are in use in ICS environments may include some of the same protocols that are used in enterprise IT, but there are also a lot of specialty protocols in industrial control, and being able to understand what that traffic is is a paramount thing. And then lastly, we have automation.
I mean, you can't just do a one-time inventory. Machines get added to environments and taken away from environments all the time, so it's good to be able to regularly carry out an asset inventory.
Next up, access control. Like I said, this kind of aligns with zero trust. This is also sort of derived, I think, from the XACML reference architecture for access control, where you need to look at four major categories of attributes that can be evaluated against runtime policies. First up is the user. Where is the user located?
You may have a special LDAP or Active Directory instance that is for your ICS environment, or you may run that out of enterprise IT, depending on company policy and regulations. Then you need to take into account what action they are trying to do. Are they simply trying to read data? Are they trying to update firmware? Actions need to be tied to policies based on privileges that users are assigned.
The resource itself: what machine or what application inside the ICS environment are they trying to access? And then lastly, the context.
This can include information about the device from which that request originates, the IP address, so you can do geofencing, understanding the geolocation; and then even the device posture of the machine trying to make the request: is that machine itself up to date with patches, and is it part of your managed environment? And then date and time. Many industrial control environments have specific times where maintenance is allowed or not, and the rest of the time certain actions should not be allowed to be taken.
I like this graphic.
It's adapted from the NIST zero trust architecture. I like how it separates out the data plane and the control plane. Again, this kind of looks like the old XACML reference architecture: policy enforcement points and policy decision points. The enforcement point lives in the data plane; all the rest of it sort of lives in the control plane.
Security policy defined by an enterprise can be input by a policy administrator and then executed in the policy engine, which is the policy decision point, and that lives outside of the policy enforcement point. This mediates requests from the subject, taking into account all those attributes that I just mentioned. These can be fed by continuous diagnostics and monitoring systems. They need to be designed with industrial compliance in mind, particularly on the critical infrastructure side.
There are particular regulations that govern what can and can't happen in those kinds of environments.
Then there's threat intelligence. There are companies that specialize in curated threat intelligence for industrial control systems. There are very specific kinds of attacks that can show up in ICS environments, and it's good to have up-to-date threat intelligence for that activity. Logs and SIEM: all these nodes generate information which needs to be processed by a SIEM, whether that's within the ICS network or outside in the enterprise.
And then of course identity management and credential management for the access control piece. A lot of the machines in an ICS environment probably have certificate-based identities and machine identities. And monitoring. Looking at monitoring, nodes in ICS environments generate a lot of data, but maybe on the good side, a lot of this data is very consistent.
Traffic inside the environment typically follows norms, and it's a little bit easier to spot deviations from that.
So dedicated ICS security can often be vendor-specific. Let's say you're running a factory and you're using a lot of equipment from a given manufacturer. Sometimes they will aggregate telemetry for operational management; this can be how well everything is working. But that same information can be used for security analysis.
And if possible, either you set up a dedicated SIEM and SOAR within the industrial control environment, or in some cases it may be possible to integrate that with your enterprise SIEM and SOAR. SOAR here is security orchestration, automation and response. This can allow actions to be taken, including enterprise-wide investigations and certain types of automated responses.
But on the flip side, there are some high-security environments that, maybe by regulation, depending on location, or just by security policy, say that you can't have any communication from the outside into the ICS environment. If you want to get information out, say using syslog to a SIEM solution, it has to go through a one-way firewall. So there are different requirements depending on the nature of the industry as well as company policies.
Next up is detection.
Detection, like I said: these systems generate a lot of data, and a lot of it's highly consistent, but you still need detection systems that can use machine learning detection algorithms to sift through these massive data sets. Some examples of things that you might look for on the ICS side would be PLCs that suddenly exit from their run mode; any attempt to change firmware on any of the devices; then, kind of like enterprise environments, login errors and protocol errors.
A protocol error, in a highly consistent environment, might indicate an attacker that doesn't really fully understand the protocol and is poking around to figure out how to do something malicious; and any atypical network traffic on your ICS subnets.
So I want to talk a little bit about network detection and response for ICS. Network detection and response tools have been around for five or ten years.
It's kind of similar conceptually to what endpoint detection and response does, but it's at the network layer, and sometimes it's the last place you can look for signs of malicious activity. These devices are usually appliances or virtual appliances. They plug in inline in the network or off SPAN ports on switches and routers. Sometimes they can be offline, where the telemetry is just sent to a log telemetry processing node. These are designed to detect both north-south intrusions as well as lateral movement and reconnaissance.
Some of the things, the tactics that we see in MITRE ATT&CK, and many of the NDR tools; we just did a report on that within the last year.
The NDR tools understand OT and ICS protocols.
And again, I'll show a few of those in a minute, but they can be significantly different from what's in enterprise IT environments. These have threat hunting tools that allow you to proactively look for threats in an ICS network. They can find evidence of malicious behavior when it may not be found by endpoint detection, because a lot of ICS environments can't run endpoint security tools, and the manufacturers control the actual devices that are on an ICS network, and it may not be possible to install your company's particular approved EPDR solution.
And then they allow for automated responses such as node isolation and blocking traffic. Drilling down on NDR a little bit more, this is like next-generation intrusion detection and prevention. They use machine learning, as I said: unsupervised machine learning looks at all the data looking for anomalies. Once an anomaly is discovered, then the supervised ML detection algorithms examine and classify it to figure out what kind of threat that is.
It's best if these detection models are trained live on the data in a customer environment, so that it's more effective; it understands the data that's resident in your own environment and not just provided by the ... The goal of it is to get actionable intelligence out so that your security teams can know what to do when something is discovered that may be amiss.
So I've been talking about the differences in OT, ICS and IIoT protocols.
I won't read through this list entirely, but you can see here some of the common ones. In conducting research on both network detection and response and distributed deception platforms, which I'll talk about in a minute, many of those tools actually understand these protocols and more. There are a lot of different kinds of protocols that can be in use in these environments, depending on what kind of industry you're in. So again, understanding what the protocol is, what's normal and what's not, can help you identify, prevent and stop attacks.
So kind of wrapping up on NDR: they can support OT and ICS environments, some of them; check out the research. We can show you which vendors provide tools that cover these different protocols and different kinds of environments. Some of them can look at traffic without having to decrypt it, which I think is really useful.
There are methods here, and I won't get into too much detail, but there are methods that allow them to essentially look at the TCP headers and figure out whether or not the traffic might be malicious, so that you don't have to set up a security tool that requires decryption, which in itself can be a risk. They use machine learning, they use that ICS-specific cyber threat intelligence, they have enterprise consoles that can sit in your ICS SOC, for example, or an enterprise SOC if you have that integrated, and APIs for connecting to SIEM.
And then lastly, playbooks for being able to take automated actions like automated incident investigation, forensic analysis, and then being able to block traffic, as I was saying a few minutes ago. XDR is kind of like the next generation, I think, of where NDR and EPDR, endpoint protection, detection and response, will go. But XDR has a little ways to go yet in getting there.
There are XDR vendors today. They're coming from an EPDR endpoint background or a network background. But there are a lot of different technologies that are sort of rolling into XDR, and these too can be useful in an industrial control environment.
Deception. I think deception tools are really interesting, especially for OT and ICS. These are distributed deception platforms.
You may think, oh, these are just old honeypots; they can be quite difficult to deploy and manage, and what kind of useful information can you get from something like that? But deception platforms have evolved quite a bit, and I think they can be very sophisticated. They're very useful for ICS for a number of reasons, which I'll get into here.
They can provide realistic emulations not only of enterprise IT assets, but in many cases they can be programmed to look like devices in industrial control settings. They're designed to draw attackers into the DDP and away from your real assets. This allows you to discover attacks faster and understand exactly what the attacker was trying to do.
You have traps and lures; this is the terminology that's used in DDPs for servers and specific resources that are designed to get the attention of attackers and see what they do with it.
This gives you an idea of how they might try to conduct an actual attack. Anything that happens in a DDP, if it's logically separate from your enterprise or production networks, you can almost be assured that it's an attacker. And I think active deception can be a real complement to active and passive monitoring on the network and endpoint side as well.
So specifically on the traps and lures, again, these are the terms for the entities within the deception environment that are designed to get the attacker's attention. They can look like real ICS assets. They can look like PLCs, human-machine interfaces, different kinds of sensors and actuators. And many, especially on the DDP side, even more so than the network detection and response side, understand OT and ICS protocols. And this is because they are trying to actively be in that market, to protect critical infrastructure and industrial control environments.
They also understand IT environments, common protocols, so they can be used for both enterprise IT as well as OT. And since the events that happen inside a DDP are specific to that organization, I think it can be considered very high-fidelity threat intelligence.
In fact, we're told that often organizations that are running these will see TTPs, tactics, techniques and procedures, that happen only in that deception environment and that may not be known elsewhere. There are a couple of different ways that DDP systems can be deployed. They can be deployed in parallel with your production environment, so that they're both logically and physically separate.
This is probably a really good way to do it if you have the time and money to set it up this way, for full separation.
But we also increasingly see organizations that deploy this mixed in. So it'll be on the production network; the DDP, the platform, will manage which machines are deceptive and keep traffic away from the real assets.
And then also there's a newer deployment method that some of the vendors in this space use, which is to use agents that live in the production network, and when an attacker or anybody tries to make contact with them, they immediately do an SDM projection to the vendor's cloud, where they then run assets that look like assets in a customer environment. This is generally cheaper, more cost-effective and faster to set up. It does require running some agents on machines in the production network to do that.
One of the concerns I had when I heard about it was, what's the latency? Is it slow enough that an attacker would figure out this isn't real? But the claim is that no, this is very real-time, very fast, and this is a way of catching attackers in the act.
So to wrap up: OT is really different from IT. We may run some of the same kinds of devices, we may run similar operating systems and applications.
But that in many cases is where the similarities end. There are greater dependencies on the device manufacturers on the OT or ICS side, and on the support organizations. Many organizations will contract with a vendor; the vendor has a support team that essentially comes in and manages all the systems in an industrial control environment, and the customer really doesn't have to do that much. In some cases there could be less frequent updates for things like operating systems and applications. There may be fewer built-in security tools.
Obviously most ICS environments are production in nature, so downtime can be hours to minutes a year, even, so the maintenance windows are shorter and further between. They're very different in most cases from an enterprise IT environment; they're specialized, they run different protocols, as I've said, and many may not be allowed to add security software like endpoint agents directly on those machines. You can't run antivirus on some of the machines in an OT/ICS network. And then regulations govern what can and can't happen there.
So in the interest of time, I'll just say the IT tools, as I've detailed above, can help secure these environments. There are OT- and ICS-specific security platforms; we published a report on that back this summer. But then there are also things here from the IT world that can be adapted to work in the ICS world. And with that, I'll wrap up here; I'm at the bottom of the hour. So, are there any questions?
Thank you very much, John. There are no questions from the audience, but there's one question from me.
You mentioned on one slide with these distributed deception platforms that they are a great tool also for creating detailed intelligence. Are such reports already available, so that people can understand, independent of their actual OT infrastructure, what attackers do, where they come from and what their aim is? Is there already documented evidence?
Yes, there are. There are threat intelligence companies that are dedicated to the industrial controls and critical infrastructure side, and they often publish reports about what they see in these environments.
On our side, we do have Leadership Compasses that cover distributed deception platforms. We can tell you what the different vendors can do for those environments. We also have reports on network detection and response, endpoint protection, detection and response, and many of the other tools that we've talked about here.
Great, thanks. So thank you very much for your time, for getting up early to talk to us, and I'm looking forward to seeing you in person next time at EIC, maybe.
Yes, definitely.
Okay, thank you very much. Bye-bye, John.
Thank you. Bye.