Addressing asset anxiety: listening to and learning from critical systems (Guest blog by Atkins)
Industrial Control Systems (ICS), commonly known as Operational Technology (OT), are a combination of hardware and software used to operate physical industrial processes. A typical OT estate could be made up of many different elements: from distributed control systems (DCS) and remote telemetry units (RTU); to human machine interfaces and smart instruments. Failures of OT systems can lead to production delays, disruption of essential services – and could potentially cause safety incidents that result in fatalities.
With OT equipment supplied by various vendors, and often including unsupported legacy kit, operators of industrial sites face a major challenge: not knowing exactly what assets they have and how they are being managed. This means they are unable to maintain a detailed asset register to track asset vulnerabilities, and identify upgrade requirements and dependencies to help them reduce their risk of OT failure.
The solution? OT-specific asset discovery software, which can automatically gather this information by ‘listening in’ on network traffic. These asset discovery solutions not only gather asset data; they can also provide real-time cyber security monitoring through anomaly detection[1]. By passively (or actively) listening to network traffic over time, the normal behaviour of the network is learnt and a baseline formed. Any deviation from this baseline is then reported as an anomaly, while threat feeds are used to identify and report vulnerabilities affecting the discovered assets.
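The passive discovery and baselining process described above, written out as an added example (not code from the original post or from any vendor product). It assumes constructed Modbus/TCP flow records of the form (source IP, destination IP, port, function code), learns an asset register and a baseline from a learning window, grades live deviations, and shows the tuning step by which an engineer folds a confirmed false positive back into the baseline.

```python
from collections import defaultdict

# Constructed sample flows (not a real capture): (src IP, dst IP, dst TCP port, Modbus function code).
LEARNING_FLOWS = [
    ("10.0.1.10", "10.0.1.50", 502, 3),   # HMI reads holding registers on PLC A
    ("10.0.1.10", "10.0.1.51", 502, 3),   # HMI reads PLC B
    ("10.0.1.20", "10.0.1.50", 502, 3),   # historian reads PLC A
    ("10.0.1.10", "10.0.1.50", 502, 16),  # HMI writes setpoints to PLC A
]
LIVE_FLOWS = [
    ("10.0.1.10", "10.0.1.50", 502, 3),     # baseline traffic
    ("10.0.1.20", "10.0.1.50", 502, 16),    # historian starts writing
    ("10.0.1.99", "10.0.1.51", 502, 3),     # never-seen address polls PLC B
    ("10.0.1.10", "10.0.1.50", 44818, 0),   # known pair, new port
]

def build_asset_register(flows):
    """Passive discovery: every address seen becomes an asset with its roles/ports."""
    register = defaultdict(set)
    for src, dst, port, _ in flows:
        register[src].add(("client", port))
        register[dst].add(("server", port))
    return dict(register)

def learn_baseline(flows):
    """Baseline = every (src, dst, port, function) tuple seen while learning."""
    return set(flows)

def detect_anomalies(flows, baseline, register):
    """Report live flows absent from the baseline, graded by how far they deviate."""
    pairs = {(s, d) for s, d, _, _ in baseline}
    ports = {(s, d, p) for s, d, p, _ in baseline}
    alerts = []
    for flow in flows:
        if flow in baseline:
            continue
        src, dst, port, _ = flow
        if src not in register or dst not in register:
            kind = "new_asset"          # unknown device on the network
        elif (src, dst) not in pairs:
            kind = "new_conversation"   # known devices that never talked before
        elif (src, dst, port) not in ports:
            kind = "new_port"           # known pair using a new protocol/port
        else:
            kind = "new_function"       # same conversation, new operation
        alerts.append((kind, flow))
    return alerts

def accept_as_normal(baseline, flow):
    """Tuning: an engineer confirms a flagged flow is legitimate; it joins the baseline."""
    baseline.add(flow)
```

The grading order matters for triage: an unknown asset deserves attention before a known pair issuing a new function code, and each reviewed false positive tightens the baseline rather than being silenced.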
An asset discovery and anomaly detection solution can provide immense value to an organisation seeking to boost its OT asset management and cyber security strength. So, how can an organisation ensure it gets best value from its solution? To ensure they procure the best-fit solution for their organisation, businesses must first define the problems they face, and fully understand how each system could deliver their requirements.
A waste-to-energy plant, for example, which has its OT infrastructure physically contained within one installation, with physical and remote access to its environment strictly controlled by the operator, may need an asset discovery solution to develop a current asset register. Anomaly detection, as a secondary requirement, could be implemented at a later stage. A water distribution pipeline, in contrast, has its OT infrastructure spread across a vast geography: a central supervisory control and data acquisition (SCADA) system interfaces with hundreds of pumping stations over cellular data and radio links. Such an operator may already have a detailed asset register. But while physical and remote access to its central SCADA may be strictly controlled by the operator, access to the pumping stations may not be adequately managed. Anomaly detection would be the primary requirement here, as an additional security layer for this organisation. Asset discovery could also be used to enhance the existing asset register.
Choosing the right solution
Defining and understanding the problem is the first step, but before procuring the solution, a complete lifecycle approach must be considered, and the following questions asked.
- What is the Operational Technology (OT) environment?
Asset discovery products provide varying levels of detail. Some products are better at identifying assets from a particular vendor. Organisations should consider which product is best suited to their unique OT asset environment, conducting onsite trials to test product performance.
- What resourcing is available?
Whilst implementation can be carried out by a vendor, or its partners, significant effort is still required from the organisation’s internal resources. A site engineer who understands the OT network would need to be heavily involved during the procurement and implementation processes. Even greater involvement would be expected post implementation, to identify the ‘false positives’ generated when the product is first installed, and to fine-tune it to understand the network’s normal behaviour. Does the control system engineer, who also has to ensure control and safety systems are operational, have capacity to support this, or is an OT Cyber Engineer needed?
- Who will monitor the data?
A large amount of data (alerts, notifications, etc.) is generated once the product is live. Continuous monitoring can be outsourced, or achieved by integration with a Security Information and Event Management (SIEM) system, if one is available internally. Some OT vendors also offer monitoring services, potentially combined with existing maintenance and support contracts, which deliver the added advantage of using qualified OT professionals.
Looking forward to the future
The asset discovery and anomaly detection marketplace is ever-changing, with smaller companies entering the market and then being acquired by more established vendors. It is important for operators to consider the vendor’s road map, and whether it aligns with their own strategy. Factors such as data residency, local support and future offerings should be considered within procurement strategies.
Vendors continue to develop new and innovative offerings, including features such as secure remote access, digital twins, and incident response playbooks; and there has already been a shift from a product-oriented offering, to a complete solution offering that includes service and support. To ‘future proof’ their solutions, organisations need to ensure the future needs of their users are considered before any procurement takes place.
[1] https://www.snclavalin.com/en/beyond-engineering/anomaly-detection-for-critical-national-infrastructure-is-there-a-perfect-cyber-solution