DHS advises monitoring, modeling and Malcolm for cybersecurity

Nov. 14, 2020
The U.S. Dept. of Homeland Security's Cybersecurity and Infrastructure Security Agency assesses vulnerabilities and hunts for cyber-threats

Just as cybersecurity projects get easier when management buy-in is gained and a team is drafted, many users and their companies are getting increasingly sophisticated assessment and mitigation services from government agencies, such as the U.S. Dept. of Homeland Security's Cybersecurity and Infrastructure Security Agency.

"We're seeing an increase in interconnections between ICSs and IT/core systems, and more visible links to third-party applications, too, such as managed service providers and customer portals. Some of this is because more ICSs are modernizing or replacing legacy equipment, which allows them to improve their cybersecurity, but it's also risky if they simply add commercial off-the-shelf (COTS) software and solutions that increase their vulnerabilities," says Jonathan Homer, branch chief in the ICS Threat Hunting division at CISA. "Of course, COVID-19 is causing most industries to work more via telepresence, but ICS users and facilities haven't had to shift as quickly, so the pandemic hasn't yet added as much attack surface, vulnerabilities or threats as elsewhere. In the next three to five years, we'll likely see more remote access related to ICSs, which will impact the Validated Architecture Design Reviews (VADR) we do."

Homer reports that CISA performs two main services. First, it assesses and evaluates cybersecurity posture and risk for users, applications, facilities and organizations, and makes recommendations to them when it finds vulnerabilities. Second, it hunts for threat actors hiding in systems. "It's still important to segment networks and limit their functions to essential tasks. However, in the current environment, additional mitigations should include monitoring network traffic, and modeling expected behaviors and data flows on hosts, such as logic files on a PLC or data on a workstation or historian," explains Homer. "Fortunately, ICSs usually generate predictable traffic, which makes it easier for their organizations, process engineers and maintenance staff to put together a golden snapshot of their operations. This blueprint model can indicate if a performance change is an acceptable adjustment or if it might be a threat, but it must be documented and updated to be useful."
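The "golden snapshot" idea above, as an added example that is not CISA's, Malcolm's or the article's own code: a known-good set of ICS conversations is recorded as a baseline, later flows are compared against it, and a reviewed change can be accepted so the baseline stays current. All hosts, addresses and flow records are constructed for illustration.

```python
# Added example (not from CISA, Malcolm or the article): build a "golden snapshot"
# of expected ICS flows from a known-good capture summary and flag later flows
# that fall outside it. Flow records are constructed (src, dst, protocol,
# function) tuples, the kind of summary a passive network monitor exports.
from collections import defaultdict

# Constructed known-good baseline: the HMI polls two PLCs over Modbus and
# writes to PLC1 only; the historian reads from the HMI over OPC UA.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.22", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.21", "modbus", "write_single_register"),
    ("10.0.3.5", "10.0.1.10", "opcua", "read"),
]

def build_snapshot(flows):
    """Map each (src, dst, protocol) conversation to its expected functions."""
    snapshot = defaultdict(set)
    for src, dst, proto, func in flows:
        snapshot[(src, dst, proto)].add(func)
    return snapshot

def classify_flow(snapshot, flow):
    """'expected', 'new_function' (known peers, unseen op) or 'new_peer'."""
    src, dst, proto, func = flow
    key = (src, dst, proto)
    if key not in snapshot:
        return "new_peer"
    if func not in snapshot[key]:
        return "new_function"
    return "expected"

def find_deviations(snapshot, observed):
    """Return (flow, verdict) for every observed flow outside the snapshot."""
    verdicts = [(f, classify_flow(snapshot, f)) for f in observed]
    return [(f, v) for f, v in verdicts if v != "expected"]

def accept_change(snapshot, flow):
    """Record a reviewed, approved change so the snapshot stays current."""
    src, dst, proto, func = flow
    snapshot[(src, dst, proto)].add(func)

# Constructed later observation: a normal poll, an HMI write to PLC2 (known
# peers, never-seen function) and the historian writing straight to PLC1.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.22", "modbus", "write_single_register"),
    ("10.0.3.5", "10.0.2.21", "modbus", "write_single_register"),
]

if __name__ == "__main__":
    for flow, verdict in find_deviations(build_snapshot(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(verdict, flow)
```

A verdict of "new_function" or "new_peer" is a prompt for review, not proof of an intrusion; once engineers confirm a change is legitimate, `accept_change` records it so the documented baseline is the one the monitor actually compares against.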

Homer adds that network monitoring and data modeling can gain context and value if they are accompanied by an understanding of the facility's critical equipment. These assets are more likely to be targeted by intrusions and attacks, especially when they're running COTS operating systems that are more prone to infection by ransomware or other malicious software. 

"Just like process safety, cybersecurity has to use a risk-based strategy, and prioritize its responses because it's not possible to mitigate everything," says Homer. "The first CISA solution for this is Cybersecurity Evaluation Tool (CSET) software that helps users take a systematic approach to understanding their networks and devices, and decide where and how to protect them. Our more recent solution is open-source Malcolm network traffic analysis software, which gathers logs from devices to analyze their data, and solve problems proactively, so users don't have to react to incidents."

However, as useful as these software tools are, Homer concludes that no one can solve their cybersecurity challenges alone, so it's crucial to talk to and get help from coworkers, and share cybersecurity know-how with others. "CISA also recently started an ICS working group, which discusses emerging cybersecurity issues, so participants can be a force multiplier together," he says. "If we share knowledge, we can learn about patterns in other industries, and what other threat actors are doing. This can be a huge help because it's easy for intruders to change direction and target other command/control centers, but it's much harder for them to change their behavior and the ways they conduct attacks. Consequently, when one group learns to defend against a pattern or behavior, it's much more effective if they alert others and share it because the attacker will have a harder time pivoting to other users in the larger community and industry."

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control.