Blogs

Understanding the challenges for full network cybersecurity

Given its increasing reliance on connected products, production, and enterprises, the manufacturing industry is particularly vulnerable to cyber risks. In a survey conducted earlier this year, nearly half of the executives surveyed said that they lack confidence that they are protected from external threats, and it is increasingly important for organisations to assess their risk profile and preparedness in the event of a breach or cyberattack, says Stefan Turi, business development lead at Industrial Networks & Security Services.

Over the past year alone we have seen companies of all types and sizes, irrespective of industry or sector, fall victim to a cyberattack. While previously, digital sectors such as eCommerce companies were the first on the radar of criminals, this has now shifted towards industrial targets. That concern is reinforced by IBM Security‘s annual X-Force Threat Intelligence Index that listed manufacturing as the most targeted sector for cyberattacks in 2021. While phishing was the most common cause of cyberattacks in general in the past year, IBM Security X-Force observed a 33% increase in attacks caused by vulnerability exploitation of unpatched software, a point of entry that ransomware actors relied on more than any other to conduct their attacks in 2021, representing the cause of 44% of ransomware attacks.

What, when and where of assets

When we talk about the need to get visible operations technology (OT) networks it is about understanding how an OT environment is built. It will traditionally comprise of Ethernet connected devices, and non-native detectable devices such as drives, and motion controllers. Some of these can be inventoried automatically while others will need to be inventoried manually with a plant walkthrough.

The main question then for companies is what assets do we have on site? Once they have answered that, what is installed? This is important for companies that have a flexible production system where all the installed equipment is not always active or in use. Once that has been established it is all about location. For companies operating in sectors such as water and wastewater or oil and gas they may have widely distributed networks with assets in remote locations.

A question of who?

Then we need to enrich the data we are gathering to meet the customer needs. So, what do I mean with that? We need to think about who is looking at the data, whether it is for lifecycle information or from a vulnerability perspective. The lifecycle information is important to the OT department where they need to understand if an asset installed in the plant is obsolete, discontinued, and what spares are on hand. On the other hand, when the IT organisation look at the same data, it is from the vulnerability perspective.

We need to understand whether this specific combination of information can be linked to an open vulnerability. They need the serial number, the model number, the vendor, the MAC address, the IP address, the firmware version, and to understand if this combination could lead to an open vulnerability that has already been published. These are so called Common Vulnerabilities and Exposures (CVE), which is a database of publicly disclosed information security issues.

However, it is not just different divisions that are looking at this same data from a different perspective, but it could be hosted in different systems. The IT organisation could host this data in an asset management system such as ServiceNow. Do they want to give the OT organisation access to this database, or would they prefer to build a specific one for the OT space? What we often see is that companies are building up so called configuration management databases (CMDB) for the OT team. A CMDB is a database used by an organisation to store information about hardware and software assets. It is useful to break down configuration items into logical layers. it is specific asset management for the OT area.

Data collection

Asset visibility transparency is also an important factor to consider in the cybersecurity landscape.  A network will include internet connected devices and non-internet connected devices all within a heterogeneous landscape that could be over a large area. Within this network topology it is important to establish how to connect to sniff the traffic actively or passively for dangers.

The focus here is on the network switches. When connecting passively to a system, there needs to be a specific feature in those switches to allow mirroring. Port Mirroring also known as SPAN (Switch Port Analyser), are designated ports on a network appliance (switch), that are programmed to send a copy of network packets seen on one port (or an entire VLAN) to another port, where the packets can be analysed. You need to be able to configure and manage these switches to passively sniff the traffic that is collected through that switch and the methodology behind that is deep packet inspection.

It is also possible to adopt an active approach so that the device connected to the network is an active member of the network and is actively configured so a query in a subnet can obtain information on which devices and assets are in this subnet. They are reacting then on a specific protocol and giving the information about motor numbers, serial numbers, versions of the firmware, and vendor. This reduces the labour burden, because it replaces the need for a worker to travel to each asset and complete the details on a spreadsheet or mobile device.

To avoid this we leverage different tools to ensure that the information is collected automatically, and this can be achieved by asset management software. Rockwell Automation customers may have Factory Talk asset centre installed. While customers from other vendors may have other products. We need to consider global customers with different applications, so it makes sense to conduct some pre-site readiness tests to know what applications they are using. Those various applications supply configuration files that can be parsed into our solutions. From an asset inventory perspective, it is easier to get the information out of the configuration files directly, rather than connecting to a switch, configuring this actively or passively, or sending a worker around the network.

Validating the data

However, the data is collected, either automatically or physically, it still needs to be validated to ensure that it represents 100% on the inventory on my network. Companies must set up an enterprise-wide programme to mitigate the labour burden of ensuring full coverage in the future. if 60, 70 or 80% of the data can be gathered automatically, then there must be a scaling effort by implementing solutions like Claroty’s OT visibility and threat detection software that will reduce the price customers are paying for managed service in the future.

To have a satisfactory programme around data collection is a mixture of deploying services and deploying a framework that needs to be implemented. It is around how Rockwell Automation enrich the data we are gathering.

By that I mean that with our collection methods it will not give us the information that perhaps OT would like to see for things such as end of life obsolescence information or discontinued information. This information is not automatically being collected. What is required is to add some databases and enrich the data with information the customer needs at that point. This additional data needs to be translated and pre-configured to be hosted in a database such as ServiceNow or the CMDB. With this data you can create a dashboard that will show the complete status of a specific plant.

A partnership approach

To meet the increasing threats that companies face Rockwell Automation can call on its domain expertise, digital insights at global scale and our partners solution to keep networks secure. Our world class partners that help us cover OT equipment include companies such as Cisco, Dell, Claroty, Crowdstrike and Dragos. Together we can provide the most comprehensive ICS cybersecurity available on the market.

The author is Stefan Turi, business development lead at Industrial Networks & Security Services.

Comment on this article below or via Twitter @IoTGN