The physical separation between IT and OT communication networks (operational technology) is no longer a modern security concept in view of smart factories, predictive maintenance and Industry 4.0. The consequence of networked environments is that attackers are increasingly finding a way into the ever more complex industrial production and process control environments. In office networks, all connections can be interrupted for a short time in the event of an attack in order to fend off the attacker. This is not possible in OT networks, as the availability of the systems is the most important thing here. This is why a different protection strategy is now gaining acceptance: The zero-trust principle 'never trust, always verify' is gaining in importance. Where previously the rule was "I can trust whoever is in my network", in future the rule must be "I don't trust anyone" (Zero Trust Network Access, ZTNA). This is particularly important for older production facilities (brownfield), which are becoming increasingly networked. Five principles are helpful here:

• It is no longer just the central access to the network that needs to be protected. Special attention must also be paid to the target systems and the individual network assets. To achieve this, all activities in the network must be monitored and logged. In essence, it is all about prevention and early detection.
• Transparency in the network must be improved: Which assets are in the network and which have a higher need for protection? It needs to be clarified who is allowed to talk to whom and who is allowed to do what.
• The minimum principle must apply to identities, roles and rights. Only what is necessary is permitted.
• Only specific services may be permitted for communication and not entire systems or even networks.
• A fast and adaptable protection strategy is required.

These principles further increase the demands on the administration of the OT network. Because OT operators are already overburdened with the necessary rules for the network, services and assets, intelligent support is required.

Holistic, intelligent threat management

In a zero trust strategy, it is no longer enough to analyze anomalies in the data stream with intrusion detection (IDS) and intrusion prevention systems (IPS). For example, if any network component sends a control command to a centrifuge, there is nothing conspicuous in the data stream itself and therefore nothing is detected. The system does not check whether this network component is allowed to send such a signal or whether this behavior is unusual. Attackers can therefore take over system components in the network without this being noticed immediately. It is therefore becoming more essential to detect and contain attacks at an early stage. This is possible by monitoring the behavior patterns of all network devices (assets) and assigning them to defined rules. To do this, it must be known at all times who is communicating with whom and which connections are permitted. In addition, different security zones help to set up a higher protection status for particularly sensitive data and systems.

The increased need for monitoring and regulation will no longer be manageable with conventional manual measures in the future. Even today, OT network operators are barely able to cope with the multitude of tasks and requirements. They also often lack the experience and time to acquire the necessary knowledge. The solution lies in intelligent systems that support OT operators and IT administrators in their tasks. Using data analytics and threat intelligence, such tools take over many manual tasks, automate activities and supplement existing firewall solutions. Genua's cognitix Threat Defender is an example of what these tools can achieve. It allows automated network monitoring to be set up and network traffic from all devices in the network segment to be analyzed using anomaly detection. The Threat Defender shows the development of traffic in real time and provides information about the applications causing it. Network analysis, intrusion detection, asset tracking and a dynamic policy engine are combined in one system.

Segment the network by function

Figure 2: The screenshot shows a section of a set of rules in 'cognitix Threat Defender'. Summarized in self-contained policies, rules that build on each other ensure order in the network.

© Genoa

With the help of an expert system and intelligent heuristics, the Threat Defender models the behavior in the network and assigns it to certain behavior patterns. Rules can then be defined by the OT operator. Once all network devices have been recorded and the behavior patterns of these as-sets are monitored, the operator can mark and tag the devices according to functions and tasks. This enables dynamic and transparent segmentation of the network and no longer just at the transition to another network segment. By tagging network components, the operator can define their security properties individually. How a device is allowed to communicate with other participants in the same network or other networks is now decided on the basis of its function and behavior. The operator can use appropriate rules to define the behavior of the network components in order to prevent unwanted communication.

It is also relevant for an OT network that the behavior of the devices can change depending on the operating status of the system. Rules can therefore include specific definitions for faults, remote maintenance access or maintenance measures. If a new unknown communication is detected by the system, it is initially suspicious and triggers an alarm. The new communication can now be automatically throttled or completely interrupted, while all known and permitted processes continue to run unchanged. Throttling an unknown communication is a particularly good way of slowing down the attack and gaining time to evaluate the communication.

Mastering the chaos in the network

The assumption that OT networks are static and practically not subject to change is no longer valid. The example of the automotive industry shows that production facilities are being adapted more and more dynamically. External services from the cloud are increasingly being integrated for monitoring and surveillance, while more and more sensors and the integration of IoT devices are further increasing the complexity of OT networks. At the same time, the requirements for network availability and performance are increasing. If OT networks change dynamically, it will be even more difficult for OT operators to keep track of and understand them in future. They will need additional support in analyzing ever larger volumes of data, evaluating alerts and selecting suitable measures. Added to this is the requirement to keep the network structure and firewall rules up to date in the face of dynamic changes.

Advanced AI (artificial intelligence) and ML (machine learning) methods can also be used to control the chaos in the network in the long term. In the Wintermute research project (see box), AI and ML-supported methods will address three key problems in the future:

• Situation assessment - classifying system behavior and providing feedback on anomalies,
• policy definition - individual rule creation,
• the enforcement of security in complex networks.

Usability in particular is becoming increasingly important, as the aim is to better understand highly networked systems in order to simplify risk analysis and risk management as well as usability. The aim is to support the OT operator in defining suitable rules and security policies. AI should also help them to deal with dynamic changes in the network more easily. The research team of the Wintermute project is not aiming for an automated system for network security, but rather to create technologies that serve as support for the administrator. The main approaches within the research project are described below.