Introduction
Dexcent, with several years of experience in Industrial Control Systems (ICS), has successfully delivered several industrial Cyber Security engagements and solutions, helping our clients improve their Cyber Security posture and resiliency. Dexcent has noted that:
Modernization of OT network traffic insights is key to the OT asset discovery, network monitoring, vulnerability management, and threat detection challenges that are common in the present-day industrial Operational Technology (OT) environment.
Deploying a modern Network Monitoring and Threat Detection solution helps align a business's Cyber Security goals and speeds up decision making, operational support and remediation outcomes.
Consolidating cyber asset and threat monitoring and cyber-OT infrastructure support processes into an Industrial Cyber SOC has many benefits and will enhance your ability to identify, detect, protect, respond, and recover in a much shorter timeframe, potentially with fewer resources.
Introduction to Industrial Cyber Security SOC
In enterprise corporate IT networks and Data Centres, the concept of a Cyber Security Operations Centre (SOC) has been around for many years and has been implemented by most organizations: a single operations centre with consolidated monitoring and response capabilities, centred around a powerful Security Information and Event Management (SIEM) platform and staffed with various levels of security analysts who monitor all of the IT infrastructure and respond to incidents on a 24x7x365 basis.
Some of these centres have matured beyond monitoring and response and include skilled staff who manage daily infrastructure operations, maintenance and support activities. However, in most cases we found that monitoring and response capabilities are typically separated from the daily maintenance and support functions.
In industrial OT network environments, this concept of a centralised SOC is still in the early stages of implementation, or its capabilities exist in a disjointed operations environment. The SIEM-like technology used in IT networks is typically built around the single protocol family used in IT networks, TCP/IP, and focused on the ability of IT equipment to detect and report security events using that same protocol. These SIEM systems are typically not suitable for OT networks because many different cyber processing platforms using different industrial communications protocols exist in OT networks, in addition to traditional IT technology and TCP/IP protocols, which are mostly confined to layers 2 and 3 of the OT network only. However, powerful monitoring solutions for industrial networks that are purpose-built for ICS networks are available on the market today.
This article will focus on how these technologies and other purpose-built technologies in your OT network can be best exploited when consolidated in a single operations centre. Let us first look at the typical industry challenges that OT infrastructure operations face and then at how to approach building the capability to address these challenges.
Industrial Cyber Infrastructure Operational Challenges
The list below gives some insight into the most prominent challenges that most ICS environments face today in their OT infrastructure operations departments.
The need for an up-to-date and dynamically maintained OT assets inventory with meaningful details of those assets (e.g., firmware level, known vulnerabilities, physical location).
Dynamic threat and anomalous network traffic detection in the OT network.
Proactive and reactive monitoring and responding to threat insights or breaches to control systems, specifically down into the lower layers.
Maintenance and support of critical infrastructure components in ICS, where changes, system upgrades, and security patching may be limited to plant maintenance or turnaround cycles only.
Skilled and knowledgeable support staff with the insight to operate in an ICS environment, including the ability to work with both process engineers and ICS automation technology vendors while adhering to regulations and processes.
To address these challenges, we first need a basic understanding of the OT infrastructure environment, and then a plan for building the core capabilities to address them, ideally consolidated into an industrial Cyber Security Operations Centre (SOC).
Free Whitepaper
The concepts and building blocks for a SOC that addresses these challenges are defined in more detail in a free Dexcent White Paper called “Foundational Building Blocks of an Industrial Cyber SOC”, which can be downloaded below.