An Integrated SOC (or “iSOC”) is one that simultaneously collects and correlates security-relevant events from both IT and OT environments. If you’re one of the many industrial-company CISOs who are looking to manage cyber-risk in OT/production environments, you’ve already started thinking about iSOCs.
Let’s take a look at the state of the art.
Correlation with OT
Most midsized and large organizations have one or more Security Operations Centers, or SOCs, to stay on top of security problems in their computer networks. When it comes to running SOCs, most CISOs and their teams do a very good job indeed. So it seems natural to extend today’s SOC to cover security and risk management for OT networks.
Wouldn’t it be great to combine events from IT systems and correlate them with events from OT systems? Neither side alone tells the whole story: an alert on an engineering workstation is a desk-side triage item, and a configuration write to a controller is routine engineering work, but the same host doing both within a few minutes is a different matter. Correlating the two widens what the SOC can see, and makes the metrics you report on business outcomes broader and more accurate.
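As an added illustration of the kind of cross-domain correlation described above (example code written for this page, not code from the original post or from any particular SOC product): the snippet below joins a constructed stream of IT events (VPN login, EDR alert) and OT events (PLC register write, controller mode change) on the originating host, and flags sensitive OT actions that were preceded by an IT precursor on the same host inside a time window. Event field names, event kinds, host names and the sample records are all assumptions; real sources would need their own normalizers feeding this shape.

```python
"""Time-windowed correlation of IT and OT events, keyed on the originating host.

Added illustration, not from the original post. All event shapes, field
names and sample records below are constructed assumptions; real IT and OT
sources (EDR, VPN concentrator, PLC/protocol monitor) need their own
normalizers to produce Event records like these.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time, already normalized to UTC
    domain: str       # "IT" or "OT"
    host: str         # asset that originated the activity (the join key)
    kind: str         # normalized event type
    detail: str       # free-text summary


# Constructed sample stream. The engineering workstation is the pivot: it
# lives in IT (gets EDR and VPN telemetry) but also talks to PLCs in OT.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 5, 1, 58), "IT", "eng-ws-07", "vpn_login",
          "account svc_maint logged in from unfamiliar country"),
    Event(datetime(2024, 3, 5, 2, 3), "IT", "eng-ws-07", "edr_alert",
          "credential-dumping tool execution blocked"),
    Event(datetime(2024, 3, 5, 2, 11), "OT", "eng-ws-07", "plc_write",
          "Modbus write to PLC-12 holding register 40001 (setpoint)"),
    Event(datetime(2024, 3, 5, 2, 12), "OT", "eng-ws-07", "plc_mode_change",
          "PLC-12 switched RUN -> PROGRAM"),
    Event(datetime(2024, 3, 5, 9, 30), "OT", "eng-ws-02", "plc_write",
          "Modbus write to PLC-03 holding register 40010 (setpoint)"),
    Event(datetime(2024, 3, 5, 15, 0), "IT", "eng-ws-02", "edr_alert",
          "suspicious PowerShell command line"),
]

# Which OT actions are worth escalating, and which IT events count as a
# precursor. Both sets are assumptions for the example.
SENSITIVE_OT = {"plc_write", "plc_mode_change", "firmware_update"}
IT_PRECURSORS = {"edr_alert", "vpn_login"}


@dataclass(frozen=True)
class Finding:
    host: str
    ot_event: Event
    precursors: tuple   # IT events on the same host inside the window
    severity: str


def correlate(events, window=timedelta(minutes=30)):
    """Flag sensitive OT actions preceded by IT precursors on the same host.

    Only IT events that occur at or before the OT event, and no earlier than
    `window` before it, count. Input order does not matter; events are sorted
    by timestamp first.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in ordered:
        if ev.domain != "OT" or ev.kind not in SENSITIVE_OT:
            continue
        lo = ev.ts - window
        precursors = tuple(
            p for p in ordered
            if p.domain == "IT" and p.host == ev.host
            and p.kind in IT_PRECURSORS and lo <= p.ts <= ev.ts
        )
        if not precursors:
            continue
        # An actual endpoint detection on the pivot host escalates further
        # than an anomalous login alone.
        severity = "high" if any(p.kind == "edr_alert" for p in precursors) else "medium"
        findings.append(Finding(ev.host, ev, precursors, severity))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.ot_event.detail} "
              f"after {len(f.precursors)} IT precursor(s)")
```

On the constructed data, the two OT actions from eng-ws-07 are flagged as high because an EDR detection on that same workstation preceded them within the window, while the write from eng-ws-02 is not flagged: its only IT alert came hours later, and a precursor that follows the OT action is not a precursor. The join key here is the host; in a real plant the same logic would usually be keyed on the asset inventory's identifier rather than a hostname, since the IT and OT sources rarely name the same machine the same way.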
It’s becoming a reality. Here’s how it’s coming together.
As today’s OT systems integrate ever more tightly with IT, the boundary between them is fading and blurring. “Digitization” is a huge part of this. The basic concept is extremely simple: machines and control systems have extensive and detailed physical state, which has traditionally been captured in SCADA systems.
While this is good and effective, how much more effective would it be to capture and correlate all of this state data across an entire industrial or infrastructure footprint? At the margin, this means adding little bits of compute and storage capability to production machines and control systems, and connecting them together using Ethernet, which combines high bandwidth with cost-effective manageability.
New Apertures for Attack
And therein lies the security problem. Digitizing industrial production and infrastructure management introduces all the security problems endemic to IT environments, from hyper-complex OS stacks to broken device drivers to data-level attacks and malware.
The trouble is compounded by the traditional lack of security culture in process automation. Process-automation teams have rarely needed one before, because their plant networks always had restricted connectivity to the outside world.
And it’s far worse than that because of the risk profile. Impacts from equipment misbehavior in OT are off-the-charts high, in terms of business risk, compliance costs, and crucially, safety of workers and the public. Those are the stakes in OT cyber risk management.
An iSOC is the ideal starting point for corralling the issue. We’re trending in the right direction.
But – and you knew there was a but – there are challenges. OT is a complex world of production systems, facilities management and other infrastructure where you find the machines and the automated control systems that make and deliver your company’s products and services. Automated machines talk to each other, just like people and computers do. In our next blog, we’ll look at how the iSOC will help address these challenges.