Digitization and external connectivity for industrial assets and production zones is a double-edged sword. While ushering in a new era of operational and business efficiencies, they also open vectors for security problems in environments that have little or no resistance against them.
Until recently, little had been done to cyber-harden industrial machines, ICS networks and emerging IoT devices. A new class of IoT visibility products – including Free and Open Source Software, or FOSS products – has emerged to address these challenges. These tools are now available to perform sorely needed functions such as network-capture analysis, asset inventory, and event correlation for industrial controls equipment, SCADA environments, and connected-sensor networks.
However, there are three critical gaps in IoT cybersecurity and risk management that these early tools fail to address:
- The Analytics Gap. Today’s visibility technologies deliver IoT analytics that are not detailed or granular enough. Cyber-risk and operations teams require analytics that deliver the rich detail required for NG visibility into operational processes.
- The Context Gap. IoT events lack context for interpretation. An ideal way to augment visibility is to feed data through a context engine which incorporates domain-specific intelligence that converts event streams into actionable insights.
- The Skills & Knowledge Gap. There is a severe shortage of skilled IoT cyber resources. The only way to fill this gap is with experts that provide you with the combination of IoT/OT and cyber knowledge needed to proactively defend your organization and fine-tune your operational process models.
What these gaps have in common is that they can be addressed and resolved via domain-specific modeling by expert analysts. Filling the gaps also mandates extensive event monitoring and intelligent risk monitoring/management.
Indeed, according to the ARC Advisory Group, organizations need to develop new integrated strategies and approaches that combine IT and OT security efforts and maximize use of all corporate cybersecurity resources. For these reasons, Insight Cyber augments IoT visibility tools with expert services, automated tools, consulting, and continuous monitoring. Our objective is to enable investments in OT assets and cyber technologies to succeed.
A Lack of Context and Actionability
Visibility technologies for IoT generally have the ability to parse application-level data from industrial network PCAPs. Ideally, this makes it possible to detect and report on status, condition, and command-flow of machines and control systems. As useful as this sounds, it’s not a fundamental improvement over what SCADA systems and historians already provide.
Even with technologies that can track security-relevant events, such as failed logins and firmware updates, there is a lack of context and actionability. For example, a conventional visibility system could report a time-series that gives the reactive power level of IEDs in an electric-power distribution system.
But a cyber-risk manager is more interested in being notified when such power levels are abnormal. He or she needs data that is correlated with network-level anomalies to indicate, for example, if an attack is in progress.
By contrast, an operations manager who expects power-level excursions with unusual demand variations will require a different context. He or she will want to know if these events are instead correlated with equipment failures, control-system problems, or communications faults.
Complicating all this is the need to define precisely which power-level excursions are abnormal. This requires that granular context is integrated into a visibility solution, through rules-based policy, deep learning, or a combination of both. Further, an analytics processor is needed to convert raw data flows into context-aware events.
Visibility technologies typically lack these detailed context parameters and advanced analytics and will therefore produce numerous false positives, and generally less-useful information and events. In turn, more expert-level interpretation is needed to convert the events into actionable insights that can enhance security and operational efficiency.
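The rules-based context engine sketched above, as an added example that is not part of the original page or of any Insight Cyber product: it takes the raw reactive-power time-series a visibility tool would emit, suppresses excursions that fall inside operations' expected demand windows, and routes the remaining excursions to the cyber-risk audience when a network-level anomaly on the same IED falls within a correlation window, otherwise to the operations audience. All device names, nominal bands, schedule windows, readings and network events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PowerSample:
    t: int                # seconds since start of the capture window (constructed)
    ied: str              # hypothetical IED identifier
    reactive_kvar: float  # reactive power as reported by the visibility tool


@dataclass(frozen=True)
class NetEvent:
    t: int
    ied: str
    kind: str             # network-level observation, e.g. "failed_login"


@dataclass(frozen=True)
class ContextEvent:
    t: int
    ied: str
    audience: str         # "cyber" (risk manager) or "ops" (operations manager)
    reason: str


# Domain model supplied by expert analysts (constructed values): the nominal
# reactive-power band per IED in kvar, and time windows in which operations
# expects demand-driven excursions that should not raise an event.
NOMINAL_BAND: Dict[str, Tuple[float, float]] = {
    "IED-feeder-01": (-50.0, 50.0),
    "IED-feeder-02": (-80.0, 80.0),
}
EXPECTED_DEMAND_WINDOWS: List[Tuple[int, int]] = [(3600, 7200)]


def is_excursion(sample: PowerSample) -> bool:
    """Rule 1: a reading outside the IED's nominal band is an excursion."""
    lo, hi = NOMINAL_BAND[sample.ied]
    return not (lo <= sample.reactive_kvar <= hi)


def in_expected_window(t: int) -> bool:
    """Rule 2: excursions inside a scheduled demand window are expected."""
    return any(start <= t <= end for start, end in EXPECTED_DEMAND_WINDOWS)


def correlate(samples: List[PowerSample], net_events: List[NetEvent],
              window_s: int = 300) -> List[ContextEvent]:
    """Convert raw readings into context-aware events for the right audience.

    An unexpected excursion with a network anomaly on the same IED within
    +/- window_s seconds goes to the cyber-risk audience; one with no such
    anomaly goes to operations as a possible equipment/control/comms fault.
    """
    out: List[ContextEvent] = []
    for s in sorted(samples, key=lambda x: x.t):
        if not is_excursion(s) or in_expected_window(s.t):
            continue
        nearby = [e for e in net_events
                  if e.ied == s.ied and abs(e.t - s.t) <= window_s]
        if nearby:
            kinds = ",".join(sorted({e.kind for e in nearby}))
            out.append(ContextEvent(
                s.t, s.ied, "cyber",
                f"excursion {s.reactive_kvar:+.1f} kvar correlated with "
                f"network events: {kinds}"))
        else:
            out.append(ContextEvent(
                s.t, s.ied, "ops",
                f"unexpected excursion {s.reactive_kvar:+.1f} kvar with no "
                f"network anomaly; check equipment, control system, comms"))
    return out


# Constructed input: a reactive-power series and a few network observations.
SAMPLES = [
    PowerSample(0, "IED-feeder-01", 10.0),
    PowerSample(600, "IED-feeder-01", 12.0),
    PowerSample(1200, "IED-feeder-01", 95.0),    # excursion, net anomaly nearby
    PowerSample(1200, "IED-feeder-02", 30.0),    # within band for this IED
    PowerSample(4000, "IED-feeder-01", 120.0),   # excursion inside demand window
    PowerSample(9000, "IED-feeder-01", -70.0),   # excursion, no net anomaly
]
NET_EVENTS = [
    NetEvent(1000, "IED-feeder-01", "failed_login"),
    NetEvent(1100, "IED-feeder-01", "unexpected_writer"),
    NetEvent(9000, "IED-feeder-02", "firmware_update"),  # other IED: no match
]

if __name__ == "__main__":
    for ev in correlate(SAMPLES, NET_EVENTS):
        print(f"t={ev.t:>5} {ev.ied} [{ev.audience}] {ev.reason}")
```

Run as-is it emits two events: the t=1200 excursion for the cyber-risk audience, tagged with the failed login and the unexpected writer seen minutes earlier, and the t=9000 excursion for operations; the t=4000 excursion is silenced by the demand schedule. The band, schedule and correlation window are exactly the "granular context parameters" the text says visibility tools lack; without them every one of the three excursions would surface as an undifferentiated alert.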
Dual Benefit for IT and OT
Investments in IoT visibility should deliver meaningful cybersecurity enhancements. But from an OT manager’s point of view, this often isn’t enough value to justify the needed time and resources – not to mention the operational burden of adding new equipment to OT networks.
Fortunately, if approached properly, NG visibility can also improve business outcomes in OT operations. This dual benefit can make the investment much more attractive to both IT and OT managers.