ICS-ISAC Panel: A Few Thoughts On Situational Awareness

Thanks to all who were able to join us this week at the ICS-ISAC panel discussing the organization’s Situational Awareness Reference Architecture (SARA). If you missed the live event, you can still catch the recording of the session linked here or viewable below.

The session was chock-full of good discussions, but I wanted to expand on a few of the points made around situational awareness. Rest assured that this will be an important topic going forward.

First, what is the scope of the situational awareness we are talking about here? It could mean different things depending on the nature of the discussion. A Human Machine Interface (HMI) operator for instance may think of situational awareness more in terms of how different operational data or alarms could be visualized more effectively.

To be clear, in the context of ICS cybersecurity, I am talking about visibility into the nature of the control network traffic. Some of the primary parameters include the applications, users, allowed content, threats (known and unknown), sources, destinations, websites and temporal factors.

Segmentation following approaches such as those prescribed by ISA99/IEC62443 is crucial to ensure there are sufficient and meaningful points of inspection between different security zones. The concept of zero trust also needs to be considered here. Many security incidents occur within the operational technology (OT) environment, often by accident, rather than only at the perimeter. Therefore, asset owners must have as much awareness at the core of the operational environment as they do at the perimeter.

Finally, given the geographic distribution of ICS installations which often include several control centers and dozens if not hundreds of remote stations, the visibility must include as many interconnected facilities with critical cyber assets as possible. Some of our manufacturing ICS customers, for example, have facilities and assets throughout the world.

Advanced Threats Target ICS

Why do we need this kind of detailed visibility? Well, it is pretty clear that advanced threats targeting ICS cleverly use a combination of attack vectors and techniques to carry out their specific agendas within and outside of an organization’s boundaries.

At the front end, they often utilize social engineering tactics such as spear phishing via email or social media applications, and even techniques as crude as leaving infected USB sticks in the target organization’s parking lot as bait for unsuspecting employees. Once the basic package is in place, the advanced threat stealthily uses common applications and file types to carry out its work, whether that is to exploit vulnerabilities in applications used in the operational network, pivot among the OT assets, characterize industrial processes, or establish the command and control infrastructure.

Stuxnet, for example, used applications such as Notepad and RPC, and file types including .LNK and .PRF, to exploit Windows and Siemens Simatic software and eventually disrupt the uranium enrichment operations of the Natanz facility. To curtail advanced threats, one must have the ability not only to see these different vectors but also to understand their relationship. Otherwise the individual incidents may seem like isolated nuisance events rather than components of a cleverly orchestrated attack.

The benefits of increased situational awareness go beyond securing against malicious incidents that could compromise availability and/or safety. Detailed visibility into traffic also ensures the OT is being used only for valid business purposes and not in ways that could impact availability, even if just by accident.

For example, at one European energy company, we found eMule (P2P file sharing) and Wuala (cloud storage) running on a PCN server and a PLC during one of our application and risk assessments, where we plug our appliance into the asset owner’s OT network. These applications are risky, especially in control network environments, as they could reduce the bandwidth available to operational data or critical programming commands and introduce malware.

Did these applications really have valid business uses? In this case, the answer is no, and fortunately the nature of the application use was not malicious. Still, it should not have been there, and with this information the asset owner could take corrective actions as required. Interestingly enough, in one of our Oil & Gas SCADA deployments, a peer-to-peer file sharing application did have a valid business use! I’ll save the discussion of application control for another time, but in short, its use was safely enabled with our App-ID and User-ID technologies.
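As an added illustration (not code from this post or from Palo Alto Networks), here is a small Python policy check over constructed application-aware traffic logs: it flags applications that are not on the control network's allowlist (the eMule and Wuala case above), zone pairs that segmentation does not permit, and cross-zone engineering access outside a maintenance window, covering the application, user, source, destination and temporal parameters listed earlier. The log format, zone names, allowlists and maintenance hours are all assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample of application-aware traffic logs (hypothetical format,
# not real firewall output). Zone names PCN/Corporate/Internet are assumed.
SAMPLE_LOG = """timestamp,src_zone,dst_zone,src,dst,app,user
2014-03-10T02:14:00,PCN,Internet,10.20.1.15,203.0.113.7,emule,svc-hmi
2014-03-10T02:15:00,PCN,Internet,10.20.1.15,198.51.100.9,wuala,svc-hmi
2014-03-10T09:00:00,PCN,PCN,10.20.1.15,10.20.1.40,modbus,operator1
2014-03-10T22:30:00,Corporate,PCN,10.1.5.22,10.20.1.40,ssh,engineer2
2014-03-10T10:05:00,Corporate,PCN,10.1.5.22,10.20.1.40,ssh,engineer2
"""

# Assumed policy: applications each source zone may originate, zone pairs that
# segmentation permits, and the hours in which engineering access to the PCN
# is expected (the temporal factor).
ALLOWED_APPS = {"PCN": {"modbus", "s7comm", "ssh"},
                "Corporate": {"ssh", "web-browsing"}}
ALLOWED_ZONE_PAIRS = {("PCN", "PCN"), ("Corporate", "PCN")}
MAINTENANCE_HOURS = range(8, 18)  # 08:00 to 17:59


def evaluate(log_text):
    """Return one (timestamp, src, app, user, reasons) tuple per flagged flow."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        pair = (row["src_zone"], row["dst_zone"])
        reasons = []
        if pair not in ALLOWED_ZONE_PAIRS:
            reasons.append("zone pair not permitted")
        if row["app"] not in ALLOWED_APPS.get(row["src_zone"], set()):
            reasons.append("application not on allowlist for source zone")
        entering_pcn = row["dst_zone"] == "PCN" and row["src_zone"] != "PCN"
        if entering_pcn and ts.hour not in MAINTENANCE_HOURS:
            reasons.append("cross-zone access outside maintenance window")
        if reasons:
            findings.append((row["timestamp"], row["src"], row["app"],
                             row["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, app, user, reasons in evaluate(SAMPLE_LOG):
        print(f"{ts} {src} {app} ({user}): {'; '.join(reasons)}")
```

Flagged flows are the starting point for the "does this have a valid business use" question asked above; a permitted answer becomes an allowlist entry rather than a silent exception.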

Situational awareness is a fundamental component of a complete defense-in-depth security strategy for industrial control systems. Enforcing a least privilege access model and applying a lifecycle approach to threat prevention are the other key elements.

We’ll be talking more about these pieces in future blog installments. But if you are interested in learning more now, feel free to access our SCADA/ICS webinar, which discusses in more detail how Palo Alto Networks helps with securing SCADA and Industrial Control Systems.

Below is a replay of the ICS-ISAC session: