Increased connectivity in the industrial internet of things (IIoT) has brought a corresponding increase in cyberattacks on industrial infrastructure. This has created a need for more security practices to help mitigate risk across industrial networks and devices. One option is a security operations center (SOC).
At McCormick Place in Chicago, Rockwell Automation held its annual Automation Fair from November 16-17. This is where many of Rockwell's partners come to demonstrate their products and hold educational sessions on various subjects. Several of these sessions covered different aspects of industrial cybersecurity.
One such session, presented by Quade Nettles, cybersecurity product manager at Rockwell Automation, was entitled “How a managed SOC can transform your operations and help mitigate risk.”
A SOC is a dedicated function that monitors a company's network, works to prevent cyberattacks and responds to threats and incidents when they occur. Rockwell Automation has released a new service that lets a business use Rockwell as its managed SOC and cybersecurity hotline.
Cybersecurity risk is more prominent than ever
Nettles spent the first part of his presentation discussing an overview of the past decade of cyberattacks to paint a picture of not only the growing frequency of cyberattacks, but the wide variety of attack types.
According to Nettles, one of the most common attack vectors threat actors take advantage of is misconfigured software and hardware. An example is a business assuming it is protected by security features built into its products when it is not, simply because no one knew those features had to be switched on.
The other major attack vectors are as follows:
- Insider/malicious acts by an employee
- Weak passwords
- Compromised user credentials
- Software and hardware vulnerabilities
Even though such attacks are now routine, there are still ways to mitigate the risk.
Indicators of compromise
According to Nettles, there are several indicators of a compromised system: unusual user activity, unusual network behavior, suspicious registry changes and Domain Name System (DNS) request irregularities.
Unusual user activity is exactly what it sounds like: a "user" doing things in a system that are out of the ordinary. Indicators include logins at unusual times, multiple authentication failures and logins from unusual locations.
Unusual network behavior is the same idea applied to connections and communications. According to Nettles, indicators include unexpected outbound connections from an internal system and communication on non-standard ports.
Suspicious changes to the Windows registry can be a sign that a threat actor is gaining or keeping access to a control system. Indicators include altered registry keys and new registry keys created by unknown applications.
Irregular DNS requests can indicate that a threat actor is using DNS to communicate with control systems from anywhere in the world. Indicators include DNS requests to an external host, DNS traffic during irregular hours and an abnormal volume of DNS queries, according to Nettles.
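To make the indicators above concrete, here is a small triage script that runs each of them over constructed authentication, network-flow and DNS records. It is an added example, not code from the article, the session or any Rockwell product; the record layout, the shift hours, the address ranges, the "expected" ports, the DNS baseline and all sample data are assumptions chosen for illustration.

```python
"""Triage constructed OT log records against the indicators of compromise
discussed in the session. Added example: thresholds, record layout and sample
data below are assumptions, not real plant data or a vendor's detection logic."""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

SHIFT_START, SHIFT_END = 6, 18            # assumed operator shift (local hours)
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed plant address space
SANCTIONED_RESOLVER = "10.0.0.53"         # assumed: the only resolver hosts should use
DNS_BASELINE_PER_HOUR = 50                # assumed per-host baseline query rate
FAILED_LOGIN_THRESHOLD = 5                # assumed failures per user before alerting
KNOWN_LOCATIONS = {"control-room", "plant-floor"}
EXPECTED_PORTS = {502, 44818}             # Modbus/TCP and EtherNet/IP, assumed normal here

# Constructed sample records (not real data).
AUTH = [  # (timestamp, user, result, location)
    ("2024-03-04T09:05:00", "operator1", "success", "control-room"),
    ("2024-03-04T23:41:00", "operator1", "success", "vpn-remote"),   # off-hours, odd location
] + [("2024-03-04T23:3%d:00" % i, "engineer", "fail", "control-room") for i in range(6)]

FLOWS = [  # (timestamp, src, dst, dst_port)
    ("2024-03-04T09:06:00", "10.1.1.20", "10.1.2.5", 44818),     # HMI -> PLC, expected
    ("2024-03-04T09:07:00", "10.1.1.20", "10.1.2.6", 502),       # expected
    ("2024-03-04T23:42:00", "10.1.1.20", "203.0.113.9", 8443),   # outbound, odd port
    ("2024-03-04T10:00:00", "10.1.2.5", "10.1.1.20", 4444),      # internal but odd port
]

DNS = [  # (timestamp, src, resolver, queried name)
    ("2024-03-04T09:06:30", "10.1.1.20", "10.0.0.53", "update.vendor.example"),
    ("2024-03-04T23:42:10", "10.1.1.20", "198.51.100.2", "c2.example"),  # external resolver
] + [("2024-03-04T03:%02d:%02d" % (i // 60, i % 60), "10.1.2.5", "10.0.0.53",
      f"{i:04x}.tunnel.example") for i in range(80)]                   # query flood


def off_hours(ts: str) -> bool:
    """True when the event falls outside the assumed operator shift."""
    hour = datetime.fromisoformat(ts).hour
    return not (SHIFT_START <= hour < SHIFT_END)


def auth_indicators(events):
    """Unusual user activity: off-hours logins, failure bursts, unknown locations."""
    hits, failures = [], Counter()
    for ts, user, result, location in events:
        if result == "fail":
            failures[user] += 1
        if result == "success" and off_hours(ts):
            hits.append(("off-hours login", user))
        if location not in KNOWN_LOCATIONS:
            hits.append(("login from unusual location", f"{user}@{location}"))
    hits += [("multiple authentication failures", u)
             for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]
    return hits


def flow_indicators(flows):
    """Unusual network behavior: internal hosts reaching out, non-standard ports."""
    hits = []
    for ts, src, dst, port in flows:
        if ip_address(src) in INTERNAL_NET and ip_address(dst) not in INTERNAL_NET:
            hits.append(("outbound connection from internal system", f"{src}->{dst}:{port}"))
        if port not in EXPECTED_PORTS:
            hits.append(("communication on non-standard port", f"{src}->{dst}:{port}"))
    return hits


def dns_indicators(queries):
    """DNS irregularities: external resolvers, off-hours lookups, query floods."""
    hits, per_host_hour, off_hour_hosts = [], Counter(), set()
    for ts, src, resolver, name in queries:
        if resolver != SANCTIONED_RESOLVER:
            hits.append(("DNS request to external host", f"{src}->{resolver} {name}"))
        if off_hours(ts):
            off_hour_hosts.add(src)
        per_host_hour[(src, ts[:13])] += 1   # bucket queries by host and hour
    hits += [("DNS query during irregular hours", src) for src in sorted(off_hour_hosts)]
    hits += [("abnormal DNS query volume", f"{src}: {n} queries in hour {hour}")
             for (src, hour), n in per_host_hour.items() if n > DNS_BASELINE_PER_HOUR]
    return hits


def triage(auth, flows, dns):
    """Group every indicator by type; a SOC would correlate and score these."""
    report = defaultdict(list)
    for name, detail in auth_indicators(auth) + flow_indicators(flows) + dns_indicators(dns):
        report[name].append(detail)
    return dict(report)


if __name__ == "__main__":
    for indicator, details in triage(AUTH, FLOWS, DNS).items():
        print(f"{indicator}: {details}")
```

Each function returns findings rather than printing them so the output can feed a ticketing or alerting pipeline. In practice the baselines (shift hours, expected ports, per-host DNS rate) should be learned from the plant's own traffic rather than hard-coded, and the registry indicators from the session would come from a host-based agent rather than from network logs.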
With so many known indicators of compromise, it’s crucial to choose the right cybersecurity product(s) to fit the needs of your business or plant.
Choosing cybersecurity products to protect your plant
Nettles laid out several steps for choosing the correct cybersecurity products. They are as follows:
- Determine needs: Identifying needs based on business goals and risks.
- Determine budget: Allocating money to each of the chosen goals and risks.
- Design portfolio: Determining which products offer the most value for you.
- Pick technology: Choosing the products that give you the best capabilities for the price.
- Rebalance as necessary: Making adjustments based on the threat landscape and innovations.
Following these steps helps ensure businesses are headed in the right direction with their cybersecurity practices.
Common detection technologies
When protecting OT systems and networks, several common detection technologies are available to businesses, according to Nettles: endpoint protection, threat detection, next-generation firewalls, secure remote access and USB security.
Endpoint protection aims to stop harmful code before it causes damage, and can restrict endpoints to running only pre-approved software (application allowlisting).
Threat detection establishes a baseline of normal data flows, alerts on deviations from that baseline and inspects industrial protocols.
Next-generation firewalls provide intrusion detection, application visibility, malware protection, analytics and URL filtering.
Secure remote access funnels all remote connections to network assets through a single controlled pathway, lets staff observe user activity in real time and allows a session to be terminated if it looks suspicious.
USB security scans all USB devices for harmful content and can restrict use to pre-approved devices only.
We live in a world where security is becoming more and more important. By following Nettles' advice, businesses and plants can take one more step toward protecting their operations and mitigating cyber risk.