Radiflow

Ilan Barda | Inka Krischke

Protection for OT environments

Only those who are one step ahead of attackers in OT production environments can fend off increasingly sophisticated attacks. This requires a systematic assessment of risks and their management - with the help of an automated platform, for example.

© Radiflow

Industrial production is undergoing a digital transformation: ever more physical devices are being networked at every level of the plant. This makes the benefits of M2M communication and machine learning available, but it also turns networked production into a highly critical environment. A cyberattack can bring entire plants to a standstill, as the study 'Cybersecurity Level in OT' by tech consult shows: of the 26% of industrial companies whose production infrastructure was attacked in the last twelve months, 57% suffered an immediate interruption of production. The costs are enormous, and where hazardous substances are produced, an OT cyberattack can not only cause financial loss but also damage the environment and endanger human life.

Dangerous functional gaps

How much visibility into OT networks matters for cyber security is shown by the example of a global producer of specialty chemicals with sites in many countries. Its production lines are networked across the company, with dozens of plants running different system types and topologies. The existing cyber security system had covered the IT networks well, but applied to the OT networks it revealed dangerous functional gaps: it could not process the industrial network protocols, and it lacked complete coverage of, and visibility into, all systems at each location.


Globally active companies with distributed locations need a powerful visualization of their OT infrastructure.

© Radiflow

To detect attacks on its distributed OT networks early, the company defined its requirements: the cybersecurity system should continuously monitor all OT assets, detect threats and anomalies and actively alert on them, track logic changes on all industrial controllers, and forward OT cyber alerts to the 'Security Information and Event Management' system (SIEM). Radiflow, a company specializing in the cyber security of critical industrial business processes, addressed these requirements with its Industrial Threat Detection System (iSID) software. iSID can be deployed at a central location, where one instance detects threats at any number of remote sites, or locally at each individual site; a combination of both deployment models is also possible.

In the case of the specialty chemicals manufacturer, an iSID unit was installed locally in each production plant. Since each plant comprises several subnets, each subnet was also equipped with an 'iSAP Smart Collector', which delivers a mirrored copy of all TCP/IP traffic on that subnet to the iSID. The Smart Collectors receive all LAN traffic from the local switch, filter it, compress it to avoid congesting the network, and forward it over VPN tunnels to the central iSID. From the collected TCP/IP traffic, iSID also builds and visualizes a model of the network topology that contains all systems, ports and protocols with their complete properties and maps them to the corresponding business processes.

Monitoring network traffic

iSID is a passive system: it injects no traffic into the network and therefore has no effect on network traffic or performance. It captures traffic, usually via port mirroring (a SPAN port on the switch), and from the captured traffic identifies the systems, the connections between them and the network topology. Being passive also means it sees only the traffic that reaches the mirror port and cannot block anything itself; its output is detection and alerting.

Industrial production lines are controlled by Industrial Control Systems (ICS). iSID is designed for these ICS networks and performs deep packet inspection on SCADA protocols to obtain more detailed data than connection metadata alone provides. It continuously monitors network traffic for anomalies and signatures of malicious activity and reports them to the customer's Security Operations Center (SOC), which can then immediately take the necessary protective measures. The central platform ICEN (Monitoring and Management of Distributed Networks) can oversee several iSID systems and is therefore well suited to larger industrial companies.
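To make the passive approach concrete, here is an added illustrative example in Python. It is not Radiflow's code, and iSID's internals are not described in this article. A learning phase builds a baseline of hosts and connections from constructed "mirrored" packet records; the monitoring phase then flags new assets, new connections and, via a minimal Modbus/TCP deep packet inspection, write function codes sent to a controller from a host that is not an engineering station (the kind of logic change the requirements above ask to track). The addresses, the engineering-station allowlist and the Modbus frames are constructed sample input, and Modbus is used as one representative SCADA protocol.

```python
"""Added illustrative example of passive OT monitoring (not Radiflow code).
A learning phase builds a baseline of hosts and connections from mirrored
traffic; the monitoring phase flags deviations and controller writes.
All packet records below are constructed sample input."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MODBUS_PORT = 502
# Standard Modbus function codes that change state on the controller.
MODBUS_WRITE_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen on the mirror (SPAN) port: addresses plus payload."""
    src: str
    dst: str
    dport: int
    payload: bytes

def modbus_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame for sample input: MBAP header (transaction id,
    protocol id 0, length = unit id + PDU, unit id) followed by the PDU."""
    length = (len(pdu) + 1).to_bytes(2, "big")
    return tid.to_bytes(2, "big") + b"\x00\x00" + length + bytes([unit]) + pdu

def modbus_function_code(payload: bytes) -> Optional[int]:
    """Minimal DPI: validate the 7-byte MBAP header and return the PDU function code."""
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]

class PassiveMonitor:
    def __init__(self, engineering_stations: Set[str]):
        self.hosts: Set[str] = set()
        self.flows: Set[Tuple[str, str, int]] = set()      # (src, dst, dport)
        self.engineering_stations = engineering_stations   # hosts allowed to write to PLCs
        self.learning = True                               # baseline phase: record, do not alert

    def observe(self, pkt: Packet) -> List[str]:
        alerts: List[str] = []
        flow = (pkt.src, pkt.dst, pkt.dport)
        if not self.learning:
            for host in (pkt.src, pkt.dst):
                if host not in self.hosts:
                    alerts.append(f"new asset {host}")
            if flow not in self.flows:
                alerts.append(f"new connection {pkt.src} -> {pkt.dst}:{pkt.dport}")
        self.hosts.update((pkt.src, pkt.dst))
        self.flows.add(flow)
        # Controller writes are checked in both phases: a write from a host that is
        # not an engineering station is suspicious even while the baseline is learned.
        if pkt.dport == MODBUS_PORT:
            code = modbus_function_code(pkt.payload)
            if code in MODBUS_WRITE_CODES and pkt.src not in self.engineering_stations:
                alerts.append(f"controller write ({MODBUS_WRITE_CODES[code]}) to {pkt.dst} "
                              f"from unauthorized {pkt.src}")
        return alerts

    def topology(self) -> Dict[str, Set[Tuple[str, int]]]:
        """Adjacency list host -> {(peer, port)}: the data a topology view is drawn from."""
        topo: Dict[str, Set[Tuple[str, int]]] = {}
        for src, dst, dport in self.flows:
            topo.setdefault(src, set()).add((dst, dport))
        return topo

# Constructed sample traffic. 10.1.1.10 = HMI, 10.1.1.20 = engineering station,
# 10.1.1.50/51 = PLCs, 10.1.1.99 = host never seen during learning.
READ_REGS = b"\x03\x00\x00\x00\x0a"   # Read Holding Registers, start 0, quantity 10
BASELINE = [
    Packet("10.1.1.10", "10.1.1.50", MODBUS_PORT, modbus_frame(1, 1, READ_REGS)),
    Packet("10.1.1.20", "10.1.1.50", MODBUS_PORT, modbus_frame(2, 1, b"\x06\x00\x10\x00\xff")),
    Packet("10.1.1.10", "10.1.1.51", MODBUS_PORT, modbus_frame(3, 1, READ_REGS)),
]
MONITORING = [
    Packet("10.1.1.10", "10.1.1.50", MODBUS_PORT, modbus_frame(4, 1, READ_REGS)),  # normal poll
    Packet("10.1.1.99", "10.1.1.50", MODBUS_PORT,
           modbus_frame(5, 1, b"\x10\x00\x00\x00\x01\x02\x00\x01")),               # rogue write
    Packet("10.1.1.10", "10.1.1.50", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),             # HMI -> PLC over SSH
]

def run_demo() -> Tuple[PassiveMonitor, List[str]]:
    monitor = PassiveMonitor(engineering_stations={"10.1.1.20"})
    for pkt in BASELINE:
        monitor.observe(pkt)
    monitor.learning = False
    alerts: List[str] = []
    for pkt in MONITORING:
        alerts.extend(monitor.observe(pkt))
    return monitor, alerts

if __name__ == "__main__":
    for line in run_demo()[1]:
        print("ALERT:", line)
```

Running the demo yields four alerts for the monitoring traffic: a new asset, its new connection to the PLC, the Modbus write it sends, and the HMI's unexpected SSH connection to the controller. The engineering station's write during learning raises nothing because it is on the allowlist; a real deployment would also have to handle the learning window carefully, since anything seen then becomes "normal".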

Data-driven decisions instead of guesswork

Companies that recognize threats and report them to their SIEM before any damage occurs already have a good basis for protecting their OT infrastructure. But they also have to cope with future threats, so they should optimize their security architecture to stay one step ahead of attackers.

An effective OT security system provides industrial operators with complete network visualization and key insights to mitigate risk.

© Radiflow

This is achieved by prioritizing the security measures to be implemented while taking into account budget constraints and the limited downtime that production can tolerate. The McKinsey report 'Risk-based approach to cybersecurity' states: "The most advanced institutions are moving from a 'maturity-based' to a 'risk-based' approach to cyber risk management." In risk-based network protection, activities are driven by threat intelligence and focus on two factors: first, the attackers and attack techniques that actually threaten the network, and second, the most critical business units. The risk of the network is the sum, over all business units, of the probability of a successful attack on that unit multiplied by the impact such an attack would have (financial loss or other damage). The goal is a continuously updated risk assessment and a prioritized list of measures that makes OT security spending cost-efficient and avoids irrelevant or excessive expenditure. The budget is optimized by simulating attacks on the automated network and prioritizing the most effective defensive measures.
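As an added worked example (not CIARA's algorithm, which the article does not disclose), the following Python computes the risk described above as the sum over business units of attack probability times impact, and then builds a prioritized roadmap of controls under a budget by greedily picking the control with the largest risk reduction per euro, recomputing after each pick because reductions on the same unit interact. The business units, probabilities, impacts, controls and costs are constructed illustrative figures; in practice the probabilities would come from threat intelligence and attack-scenario simulation.

```python
"""Added worked example of risk-based prioritization (illustrative; not CIARA's
algorithm). Risk = sum over business units of attack probability x impact.
Controls cut the attack probability of the units they protect; a greedy
search picks the best risk reduction per euro within the budget.
All figures are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class BusinessUnit:
    name: str
    attack_probability: float  # annual probability of a successful attack (threat intel / simulation)
    impact_eur: float          # loss if the attack succeeds: downtime, damage, liability

@dataclass(frozen=True)
class Control:
    name: str
    cost_eur: float
    effectiveness: Dict[str, float]  # unit name -> fraction by which the control cuts attack probability

def unit_risk(unit: BusinessUnit, applied: List[Control]) -> float:
    """Expected annual loss for one unit after the applied controls."""
    p = unit.attack_probability
    for control in applied:
        p *= 1.0 - control.effectiveness.get(unit.name, 0.0)
    return p * unit.impact_eur

def total_risk(units: List[BusinessUnit], applied: List[Control]) -> float:
    return sum(unit_risk(u, applied) for u in units)

def prioritize(units: List[BusinessUnit], controls: List[Control],
               budget_eur: float, tolerable_risk_eur: float = 0.0):
    """Greedy roadmap: repeatedly apply the affordable control with the highest
    risk reduction per euro, recomputing after each pick because reductions
    interact multiplicatively. Stops when the budget is exhausted, no control
    still reduces risk, or residual risk is within the tolerable level.
    Returns (roadmap of (control, risk reduction), residual risk, spend)."""
    applied: List[Control] = []
    remaining = list(controls)
    roadmap: List[Tuple[str, float]] = []
    spent = 0.0
    while remaining and total_risk(units, applied) > tolerable_risk_eur:
        current = total_risk(units, applied)
        best = None
        for control in remaining:
            if spent + control.cost_eur > budget_eur:
                continue
            reduction = current - total_risk(units, applied + [control])
            ratio = reduction / control.cost_eur
            if best is None or ratio > best[0]:
                best = (ratio, control, reduction)
        if best is None or best[2] <= 0:
            break
        _, control, reduction = best
        applied.append(control)
        remaining.remove(control)
        spent += control.cost_eur
        roadmap.append((control.name, round(reduction, 2)))
    return roadmap, total_risk(units, applied), spent

# Constructed sample data for a chemicals site (not real figures).
UNITS = [
    BusinessUnit("reactor_line", 0.30, 2_000_000),
    BusinessUnit("packaging", 0.40, 200_000),
    BusinessUnit("utilities", 0.20, 500_000),
]
CONTROLS = [
    Control("network_segmentation", 120_000, {"reactor_line": 0.5, "utilities": 0.4, "packaging": 0.2}),
    Control("hmi_hardening", 40_000, {"packaging": 0.5, "reactor_line": 0.1}),
    Control("anomaly_monitoring", 80_000, {"reactor_line": 0.25, "packaging": 0.25, "utilities": 0.25}),
    Control("remote_access_mfa", 15_000, {"utilities": 0.5, "reactor_line": 0.2}),
]

def run_demo(budget_eur: float = 200_000, tolerable_risk_eur: float = 0.0):
    return prioritize(UNITS, CONTROLS, budget_eur, tolerable_risk_eur)

if __name__ == "__main__":
    print(f"baseline risk: {total_risk(UNITS, []):,.0f} EUR")
    roadmap, residual, spent = run_demo()
    for step, (name, reduction) in enumerate(roadmap, 1):
        print(f"{step}. {name}: -{reduction:,.0f} EUR expected loss")
    print(f"residual risk {residual:,.0f} EUR for {spent:,.0f} EUR spent")
```

With the sample data the baseline risk is 780,000 EUR. The cheap MFA control comes first because it cuts the most risk per euro, segmentation second, HMI hardening third, and anomaly monitoring is left out because it no longer fits the remaining budget, leaving 278,000 EUR of residual risk for 175,000 EUR spent. Passing a tolerable risk level stops the roadmap earlier once that level is reached. Greedy selection is a reasonable first approximation; an exact knapsack or a simulation over many attack paths can change the order when controls overlap heavily.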

Threat situation requires a holistic approach

The current threat situation requires a holistic approach to securing industrial processes. It must do more than simply alert on cyber attacks. CISOs should integrate network security more deeply into long-term planning and day-to-day operations. To do this, they need to monitor and assess their risk position and their unique threat landscape accurately, based on reliable data.

Ilan Barda is the founder and CEO of Radiflow in Tel Aviv, Israel.

© Radiflow

Platform solutions specializing in OT networks combine the threat level of each individual device and business unit with the impact an attack on that business unit would have. Algorithms simulate tens of thousands of attack scenarios to calculate the network risk accurately. Radiflow's IEC 62443-compliant 'Cyber Industrial Automated Risk Analysis Platform' (CIARA), for example, uses this to produce an easy-to-follow roadmap for the highest level of security per euro spent. Automatic optimization ensures that the security requirements of each business unit are met while respecting the risk level the company considers tolerable.
