It's not that the tools are ineffective; often they are simply not used.
“Established network security tools actually have a great probability of success in guarding and protecting industrial control systems because, like industrial control systems themselves, they are a proven and trusted means of establishing control,” says Wes Sylvester, global director, Industrial & Consumer Go-To-Market, Cisco Systems.
“Part of the challenge in protecting ICS networks is that [manufacturers] don’t always use those network security tools. Cisco is teaching a whole different group of people—who are sometimes outside of IT—how to secure their networks. Security is as much, if not more, about the people as it is about the tools. This is one reason why Cisco has a manufacturing solutions team—people who have worked in the industry, who continue to learn about how it is changing, and bring best practices with them to help manufacturers adapt to changing environments.”
Malware has been overwhelmingly the most frequent tool of choice for malevolent actors when attacking manufacturing systems, says Sylvester. Ransomware specifically is the means of extracting money from victims—hence the motive is largely financial. The malware families used by hackers are largely well known to the IT security community, and thus the means of mitigating their impact is understood. The key is having effective people in place that know how to use those tools to protect the IT/OT environment. In today’s world of interconnected IT/OT systems, this is more important than ever before.
“For years, we saw insider threats as the biggest threat facing OT security, but for the first time, that’s changing. There’s now an equal concern around external threats, whether from nation-states or ransomware.”
Though hacking tools are quite prevalent, one way bad actors use technology is by sharing their techniques and growing their base, says Cisco’s Sylvester. “It’s less about the tools and more about the quantity of attacks that exist daily because of the ease of sharing in the hacker community. Many open-source tools, exposure to ‘how-to’ and attack infrastructure have brought about the industrialization of criminal intrusions and exploitation.”
How do you go up against this literal tsunami of attacks? “Our approach to protect against these attacks has to be tool driven and easily scaled across the ICS landscape,” says Sylvester. Another one of the gaps Cisco is focused on closing is the lack of discipline, training and head count at the ready to build out defenses and detect intrusions. It’s definitely a “cat-and-mouse” game, where Cisco teaches and trains a workforce to stay ahead of the bad actors who are also sharing their techniques. This is where a solution such as Cisco’s Talos Intelligence Group can play such an important role, helping customers to better understand the threats out there, how to identify and detect vulnerabilities more quickly and how to effectively protect themselves from those threats, adds Sylvester.
“The sad reality is that our OT defenses have not kept pace. The advantage has been ‘security by obscurity.’”
AI and ML can be used when large enough sets of data reflecting network and application behaviors are available, says Cisco’s Sylvester. What they may add can vary according to the AI/ML models’ ability to reflect the threats in the monitored space. In cases where the OT intrusion is similar to that found in the traditional IT network, the same AI techniques can be used in-plant.
For more site-unique conditions, the use of pre-existing models and learning sets are developed, and then those models have to “learn,” adds Sylvester. Until those models are properly trained, evaluated and confirmed, traditional analysis will continue to provide the best benefit. For ICS systems, even adding basic “machine awareness” can increase security significantly. For example, the network “knowing” that a security camera should not talk to a drive motor could prevent some very real risks. This is true for both well-intentioned internal errors (e.g., a technician makes a PLC programming error) as well as bad actors.
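A toy version of that "machine awareness" check, added here as an example and not Cisco's or the article's own code: a role-based allow-list evaluated over constructed flow records, where the asset inventory, the roles and the ports (Modbus/TCP 502, RTSP 554) are all assumptions.

```python
# Hypothetical asset inventory (IP -> role); constructed sample data.
ASSETS = {
    "10.0.1.10": "hmi",
    "10.0.1.20": "plc",
    "10.0.1.30": "drive",
    "10.0.2.40": "camera",
    "10.0.2.50": "nvr",
}

# Expected conversations as (source_role, dest_role, dest_port).
# Anything not listed is flagged: the network "knows" who may talk to whom.
ALLOWED = {
    ("hmi", "plc", 502),     # Modbus/TCP from the HMI to the PLC
    ("plc", "drive", 502),   # PLC commanding the drive
    ("camera", "nvr", 554),  # RTSP stream from the camera to the recorder
}

def parse_flow(line):
    """Parse a constructed flow record 'src dst dport' into a tuple."""
    src, dst, dport = line.split()
    return src, dst, int(dport)

def evaluate(flow):
    """Return (verdict, reason). Unknown assets alert rather than silently pass."""
    src, dst, dport = flow
    src_role, dst_role = ASSETS.get(src), ASSETS.get(dst)
    if src_role is None or dst_role is None:
        return "alert", f"unknown asset in {src}->{dst}:{dport}"
    if (src_role, dst_role, dport) in ALLOWED:
        return "allow", f"{src_role}->{dst_role}:{dport} is expected"
    return "alert", f"{src_role}->{dst_role}:{dport} violates policy"

def audit(lines):
    """Evaluate each flow record; returns a list of (verdict, reason)."""
    return [evaluate(parse_flow(line)) for line in lines]

# Constructed sample flows; the third is the camera talking Modbus to the
# drive motor, the case the text describes.
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.1.20 502",
    "10.0.2.40 10.0.2.50 554",
    "10.0.2.40 10.0.1.30 502",
    "10.0.9.99 10.0.1.20 502",
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {line:26} {reason}")
```

The same rule catches the well-intentioned mistake the text mentions (a mis-addressed PLC program) and a compromised camera alike, because it judges the conversation, not the intent.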
So how do AI/ML techniques fit in? Verve Industrial’s Livingston likes to use a football analogy. Attackers understand the keys to avoid being observed in a traditionally secured network. For years, they have had to fight against the best defenses in the world. As a result, their offensive skills get better and better. “It is as if your offense had to play against the Chicago Bears 1985 Super Bowl defense every day,” says Livingston. “You will find new ways to do things to fool the defense. This is why we now have the spread offense or the run-pass option. Offenses evolve to find ways to beat the best defenses, etc.”
So, in IT, traditional network and endpoint protections have been in place for years, adds Livingston. “Offenses have learned how to adapt. In OT, many of those traditional defenses aren’t in place… think of the Bears during the 2000s rather than 1985.”
To thwart nefarious hack attacks manufacturers will need—to use football jargon—a playbook that consists of several and varied defensive and offensive measures. So if you ask where AI/ML should be deployed, a good answer might be here, there or anywhere—wherever the need arises. This is where you need expert coaches who’ve seen it all and can anticipate the next hacker offensive tactic. At the same time, you need all your team members on board and in the huddle. Beating hackers and depraved criminal minds won’t happen with a single star quarterback—it takes a team.
“Security is about people, process and technology—in that order,” says Sylvester. “Much of what we focus on is ‘how’ to address customer security challenges instead of a product-first approach. Technologies succeed only when the people can apply them in a proper process.”
“We invest heavily in the creation and deployment of Cisco Validated Designs—a thorough and evolving set of documents which go into great detail on what to do and how to do it,” adds Sylvester. “There are no magic technology shortcuts—you must establish the basics and apply them vigorously. From there you can grow into more sophisticated solutions but without the basics, the foundation will crumble and your defenses with it.”
Typically, says Sylvester, Cisco’s AI/ML-based offerings are cloud hosted, where a larger variety of training data sets can be applied. On-premise solutions can be provided as well, and some models learned in the cloud can be brought to on-premise deployments. The more unique the environment, however, the less likely it is to be reflected in prior “learnings.” Services can be applied to help detect traffic of interest more rapidly, but that does suggest the AI is less artificial and the ML has less machine influence than the labels imply.
Perelman’s team provides flexible options, recommended according to each manufacturer’s situation. It’s not likely that any two operations will be the same, so cybersecurity systems need to be tailored to fit the operation.
“In our view, the right combination is software and services,” says Verve Industrial’s Livingston. “Hardware itself is less critical as much of it can be virtualized today. But when people tell you that software will magically detect everything without humans, they are lying. At a minimum you need to tune the AI/ML to the particular environment. But on an ongoing basis, you need services that understand the OT process. These service personnel will help both build the right signatures, but also ensure that the response to any true threat takes into consideration the operational reality of the industrial process.”
In terms of services, Cisco has network security services for design, deployment and ongoing support. There are also incident response services. It very much depends on where the manufacturer is in its industrial security lifecycle, says Sylvester.
“Our company has been around for nearly 30 years as a control systems integrator,” says Livingston. “This means that we have been helping customers across a range of industries in designing and securing their systems—well before we were a software company. As a result, our team brings this deep process knowledge to the deployment and management of OT security.”