Detect: Monitoring, identifying, and responding to industrial cyber threats

The first article in this series covered why visibility into industrial environments is challenging yet necessary, highlighting three key questions to ask when evaluating industrial cybersecurity solutions. In my second article, I detailed the actions required to understand, prioritize, and reduce risk so you can proactively protect your industrial environment.

These are essential components to any industry cybersecurity program, but the harsh reality is that even the most advanced protective controls and processes you implement can’t eliminate risk completely. So, being able to detect and respond to potential threats quickly and effectively when they do surface is imperative.

Unfortunately, threat detection is significantly more difficult within industrial networks for the following reasons:

• Incompatibility with IT security tools: The wide range of proprietary, vendor-specific OT protocols used in industrial assets are not always compatible with traditional threat detection tools. Attempting to implement the same 15+ IT security tools within an OT environment is rarely effective and can lead to downtime and an overwhelming barrage of false positives and negatives.
• Size and complexity of OT environments: The intricacy of large-scale, multi-site industrial networks can make it difficult to identify deviations from an accepted baseline. If you don’t know what normal looks like, you can’t discover misconfigurations, traffic overloads, or other issues that pose risks.
• IT-OT convergence: As the digitization of industrial networks increasingly blurs the lines between IT and OT, adversaries can enter through the IT side and remain undetected within the OT environment for months or even years, looking for subtle ways to undermine operations and create havoc. Defenders need a holistic solution that can detect threats across these increasingly interconnected environments.
• Lack of industrial cybersecurity expertise: It’s difficult and costly to find and retain OT security specialists, and many security teams are trained solely to resolve IT-centric incidents. OT-specific knowledge needed to defend industrial environments is lacking.

These challenges make detection and response to known and unknown industrial cyber threats complex. And since every OT environment is different, a one-size-fits-all approach isn’t effective. Whether your company is assessing your existing capability to detect and respond to threats within your OT environment or considering new solutions, these three questions can help guide your evaluation:

1. Which mechanisms are in place to detect the full range of potential threats? Detecting all the different types of threats that can impact OT networks requires multiple approaches. To detect known threats, you need an extensive database of signatures and indicators of compromise. However, that’s just a starting point. For unknown threats, you’ll need several additional detection mechanisms, including the ability to identify deviations in typical communication patterns between assets, zones, and other components of the network. You’ll also need the ability to identify behavior patterns behind IT- and OT-specific intrusion methods to help identify phishing and vulnerability exploitation. In addition, capabilities that monitor operational behaviors, like configuration changes and firmware upgrades, and apply context to the details can point to signs of malicious activity. Lastly, because no two industrial networks are the same, custom rules allow you to tailor threat detection and alerts to the unique needs of your network.
2. Once a threat is detected, how can we use that information to make better risk-mitigation decisions? Without the right capabilities in place, security personnel can be flooded with alerts that may be related to a series of activities from a single adversary. To overcome this challenge, a technology solution that includes relevant context can allow you to quickly understand the big-picture story behind a series of alerts, so you spend less time trying to connect the dots and more time making risk-mitigation decisions and taking action. The ability to prioritize alerts based on potential risk to your business can also help teams determine which actions to take, if any, and when.
3. What can we do to compensate for a lack of OT-specific cybersecurity skills within our team? Even highly experienced security personnel may have limited experience dealing with OT networks, and many security teams are already under-resourced on the IT side to begin with. To overcome this challenge, look for a solution that has OT-specific detection mechanisms built in and automated, so your teams can work efficiently and effectively. Alerts that include response recommendations can help accelerate decision making and response. What’s more, be mindful of how often detection mechanisms and response guidance are updated to ensure your existing team has the tools and insights it needs to keep pace with the latest threats.

Industrial enterprises face unique challenges when it comes to detecting and responding to threats. Fortunately, by knowing the right questions to ask and what’s possible, you can gain the capabilities you need for effective risk mitigation.

Detect is the third of four essential pillars of industrial cybersecurity.

To learn more about how Claroty can enable your business by empowering your team to more effectively monitor, identify, and respond to industrial cyber threats, request a demo.