With new cybersecurity risks and threats emerging that seek to steal intellectual property or disrupt, damage or destroy critical infrastructure, the importance of network security monitoring of industrial control systems (ICS) cannot be overstated. While the convergence of technologies and the expanded connectivity of devices, systems and business operations provide tangible value, they also make systems more complex and more susceptible to network-based activity that can negatively affect the integrity, confidentiality and safety of manufacturing cyber-physical systems, platforms and facilities.
According to the 2016 BDO Manufacturing RiskFactor Report, 97 percent of manufacturers are facing competitive pressures this year to do more with less and keep up with advancing technologies such as the Industrial Internet of Things (IIoT). To combat these pressures, organizations in the manufacturing industry are increasingly adding technologies to their environment to improve productivity and reduce costs. This convergence of modern information technology (IT) into operational technology (OT) has resulted in significant cybersecurity risks. Fortunately, these risks are becoming more realized by industry professionals as cyber incidents increase in volume and complexity. In fact, according to BDO’s report, 92 percent of manufacturers cite cybersecurity as a top concern in their SEC disclosures this year, a 44 percent increase since 2013.
Over the past few years, ICS network security monitoring has emerged as one of the most comprehensive security safeguards for all critical infrastructure industries. Beyond helping to identify and stop cybersecurity threats, ICS network monitoring also gives owners and operators greater visibility into the performance of their mission-critical devices and equipment.
Below are the top 5 reasons why the manufacturing industry must invest in ICS network monitoring technology:
1. Real-Time Visibility into Network Communications – As mass connectivity has encroached on once-isolated, legacy ICS, the weak security of these systems has emerged as a credible threat to national security. Putting safety first now requires organizations to recognize the risks associated with operations and the many variables that can affect daily workflows and tasks. The most dangerous risks arise from unauthorized and anomalous communications on the ICS network, whether they result from malicious behavior or from human error. To establish a strong security posture, manufacturers can turn to network security monitoring for real-time visibility into every device communicating on their ICS networks, to understand that behavior, and to remediate as necessary.
2. Maintain Accurate Inventory of Dynamic Devices – Because of connected infrastructure, industrial networks have more devices communicating than ever before. Unfortunately, legacy ICS lack the basic tracking, training and logging functionality inherent to IT networks, so maintaining an accurate inventory of all the equipment connected to and communicating on an ICS network is extremely difficult and time consuming. Organizational risk is amplified as a result, because real-time situational awareness of network architecture and communications is non-existent or insufficient. In addition, today’s legacy systems have evolved into dynamic systems that are always online and in a constant state of flux. With network security monitoring, manufacturers can maintain a holistic view of all interactions, ensuring that changes and anomalies on critical ICS networks are discovered immediately. This real-time visualization helps assure availability and system integrity while limiting risk, reducing liabilities and enhancing the safety, security and productivity of mission-critical assets.
3. Mitigate Malicious Behavior Early – Small, seemingly innocuous back-office attacks, such as the one at Bowman Avenue Dam just outside New York City, should not be minimized, because they can be symptomatic of something more impactful to come. Even minor breaches can serve as early warning signs of unauthorized reconnaissance or attempts at data collection, and they can also serve as initial entry points into networks, providing a beachhead for eventually gaining access to even more critical networks and systems. Thanks to the Bowman Avenue Dam's solid engineering practices, the intrusion did not have downstream effects. However, the indictment does charge that the hackers were able to "access information about the dam's operations, including its water level, temperature and the sluice gate." Had network monitoring not caught the attack early, the attackers could have gained additional levels of access and caused significant financial and physical damage.
4. Detect Deviances with Situational Awareness – Cybersecurity is not the only benefit of network monitoring for manufacturing. According to a presentation developed for the SANS Institute, situational awareness attained through network monitoring is also important in helping detect deviances in key processes. With network monitoring, control engineers can identify poorly performing equipment as well as devices that have, or are in the process of, going offline. In addition, network monitoring helps deduce the most efficient processes for troubleshooting and determine whether or not other types of remediation, like downtime for maintenance, are required. If downtime is required, then network monitoring can help mitigate the risks introduced when a system is taken offline for planned maintenance or installation.
5. Identify Source & Intent of Unusual Activity – Of the 245 unique ICS incidents reported by ICS-CERT in 2014, an estimated 70-80 percent were the result of human error. While human error can take many forms, the two most common are a misconfiguration introduced during downtime and an employee falling victim to a phishing campaign. Network monitoring empowers control engineers to quickly identify the source and intent of unusual activity and to determine whether it is the result of criminal activity or human error. This matters because remediation tactics differ dramatically depending on whether an organization is under attack or an internal mistake needs to be resolved. In the end, being able to rule out external threats can save valuable time, money and resources, and ultimately allows a return to maximum productivity and efficiency in a shorter amount of time.
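As an added example of what items 1 and 2 describe (this is not code from the article or from NexDefense), the passive baseline below learns an asset inventory and the set of host-to-host conversations from flow records captured during a learning window, then flags unknown devices and new conversations in later traffic; all addresses, ports and flows are constructed sample data.

```python
# Added example, not the article's or NexDefense's code: a passive-monitoring
# baseline that learns which hosts converse on which ports, then flags new
# devices and new conversations. Addresses and flows are constructed samples.

PORT_LABELS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3", 22: "SSH"}

# Constructed learning-window flows as (src, dst, dst_port): an HMI and an
# engineering workstation (EWS) polling two PLCs.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502),    # HMI -> PLC1, Modbus
    ("10.0.1.10", "10.0.2.21", 502),    # HMI -> PLC2, Modbus
    ("10.0.1.11", "10.0.2.20", 44818),  # EWS -> PLC1, EtherNet/IP
]

# Constructed later traffic to evaluate against the baseline.
NEW_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502),    # routine HMI poll, expected
    ("10.0.1.11", "10.0.2.21", 502),    # EWS polls PLC2: new client, known service
    ("10.0.1.99", "10.0.2.20", 502),    # unknown host speaking Modbus to PLC1
    ("10.0.1.10", "10.0.2.20", 22),     # HMI opens SSH to PLC1: new service
]

def build_baseline(flows):
    """Learn the asset inventory and the set of observed conversations."""
    inventory = {}  # host -> set of services it was seen using or serving
    conversations = set()
    for src, dst, port in flows:
        label = PORT_LABELS.get(port, f"tcp/{port}")
        inventory.setdefault(src, set()).add(f"client:{label}")
        inventory.setdefault(dst, set()).add(f"server:{label}")
        conversations.add((src, dst, port))
    return inventory, conversations

def evaluate(flows, inventory, conversations):
    """Return (severity, message) findings for flows not seen in the baseline."""
    findings = []
    for src, dst, port in flows:
        label = PORT_LABELS.get(port, f"tcp/{port}")
        if src not in inventory:
            findings.append(("high", f"new device {src} -> {dst} {label}"))
        elif (src, dst, port) not in conversations:
            if f"server:{label}" in inventory.get(dst, set()):
                sev = "medium"  # dst already serves this protocol; new client
            else:
                sev = "high"    # dst never served this protocol before
            findings.append((sev, f"new conversation {src} -> {dst} {label}"))
    return findings

FINDINGS = evaluate(NEW_FLOWS, *build_baseline(BASELINE_FLOWS))
```

The routine HMI poll produces no finding, while the other three flows are reported with a severity that depends on whether the destination already served that protocol in the baseline.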
Manufacturers, whatever their mission and objectives, must be proactive and vigilant in safeguarding their ICS networks from the cyber risks introduced by maintaining a connected infrastructure. Network monitoring is the best place to begin.
Preston Futrell is an executive at NexDefense.