“The first part of my career was helping users to connect things, the second part was helping them disconnect them to make them secure,” said Umair Masud, product manager, security services, Rockwell Automation, to attendees of his session, “Real Time Threat Detection Improves Visibility and Security,” at this week’s Rockwell Automation TechED conference in San Diego. Now he’s showing users how to keep production assets connected despite today’s constant barrage of cyberattacks.
“NIST defines an attack continuum—what to do before an attack, during an attack, and after an attack,” Masud said. Most users have focused on what to do before an attack. “You want defense in depth, with controls, firewalls and stuff on the endpoint. You’ve been asking, ‘How many layers of the onion do I have in place?’” Now we’re starting to look more at what we need to have during an attack, for response and recovery.
In operations technology (OT), visibility is a challenge. Industrial facilities need an inventory of what’s connected in the OT environment. IT tools for this are limited, however, because manufacturing plants usually include non-routable networks, islands of automation, and transient connections like maintenance laptops.
“Our focus today is on a continuous OT inventory, a passive approach that lets us see this attack surface, the areas where you are weak, where they want to hit you,” Masud said. “We can get an understanding of this surface through visibility.”
Doing this gives you “the home-field advantage—you know the terrain,” Masud said. The Secret Service that protects the White House has this advantage. Instead of moats and walls, “It uses eyes on everything, procedures and a fence. If someone jumps the fence, they get tackled on the lawn before they reach the house.”
Claroty offers clarity
Rockwell Automation is among the industrial automation companies that have partnered with Claroty, a provider of threat detection software specific to industrial control networks. Claroty sits on an OT network, collects information and automatically builds a baseline of what’s normal so it can recognize deviations. It improves visibility of all the assets on the network and extends the cyber defense capabilities of the IT environment across the OT attack surface.
“A PLC on an asset is an attack surface,” Masud said. “Its vulnerabilities are published in a known database. If you know that, you know what to look for.”
Users can know the location of every asset, its attributes (type, vendor, model, serial number, etc.), its apps (configuration and software versions), and its communications. “You can know that a particular asset writes to these tags, to those controllers, and everything that deviates from that is abnormal,” Masud said.
Claroty picks up this information from routine network traffic and system identity calls. “Claroty knows how to unpack the packets and where to look. It may take some time—a week or more—for it to discover everything because it doesn’t actively seek information.” If needed, this discovery period can be expedited by actively opening and using components, but it is best not to do that during the baseline period.
Alerts on anomalies, provides insights
When it has seen enough normal traffic and understands the system, Claroty notifies you when it sees something abnormal. A security analyst can use its information about the abnormality to make a specific recommendation based on the known assets and actions, not just a general network traffic alert.
“If you just require authorization, that can be compromised,” said Masud. “With whitelisting, authorized actions can be used for nefarious purposes. A tool like this will see bad things happen even when they’re not malicious.”
Alerts give the source and nature of the event—the user, kind of activity (e.g., upload/download), and details. “It can give you the differences in the ladder logic before and after,” Masud said. “This provides the situational awareness for a real-time response.” These configuration changes can also be logged and summarized.
Claroty’s collection of asset information can also be used to gain insights into vulnerabilities. Users can filter the assets that are subject to a specific threat, and know the assets that interact with them. For example, suppose there are five PLCs that are a concern due to a certain threat vector. What devices, such as Windows boxes, can be used to exploit that vulnerability and need to be patched? Insights can inform whitelisting, security configuration, and firewall configuration.
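The passive baseline-and-deviation approach described above, and the reverse lookup from a set of controllers of concern to the assets that talk to them, as an added illustration in Python. This is not Claroty's or Rockwell Automation's code; the flow records, asset names, tag names, users and the 600-second baseline window are all constructed for the example.

```python
"""Passive OT baseline learning and deviation alerting (added illustration).

Constructed flow records stand in for what a passive collector sees on an
OT network: which asset talked to which controller, what it did, and to
which tag or program. Records inside the baseline window are learned as
normal; anything afterwards that is not in the learned set becomes an
alert carrying source, user, activity and detail. The same records answer
the reverse question from the article: which assets interact with a set of
controllers of concern.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int           # seconds since capture start (constructed clock)
    src: str          # asset that initiated the exchange
    dst: str          # controller it talked to
    action: str       # read, write, upload or download (constructed vocabulary)
    detail: str       # tag name or program identifier
    user: str = ""    # user carried by the protocol, if any


BASELINE_WINDOW = 600  # seconds of traffic treated as "normal" (constructed)
LOGIC_TRANSFERS = {"upload", "download"}

# Constructed sample traffic. The first five records fall inside the
# baseline window; the rest are the "live" period being monitored.
SAMPLE_FLOWS = [
    Flow(10, "HMI-01", "PLC-Line1", "read", "Line1_Speed"),
    Flow(12, "HMI-01", "PLC-Line1", "write", "Line1_Setpoint", "operator"),
    Flow(30, "HMI-01", "PLC-Line2", "read", "Line2_Speed"),
    Flow(120, "EWS-01", "PLC-Line1", "upload", "MainProgram", "engineer"),
    Flow(400, "HMI-01", "PLC-Line1", "write", "Line1_Setpoint", "operator"),
    Flow(700, "HMI-01", "PLC-Line1", "write", "Line1_Setpoint", "operator"),
    Flow(710, "HMI-01", "PLC-Line2", "write", "Line2_Setpoint", "operator"),
    Flow(720, "LAPTOP-77", "PLC-Line1", "download", "MainProgram", "svc_maint"),
    Flow(730, "EWS-01", "PLC-Line1", "upload", "MainProgram", "engineer"),
]


def learn_baseline(flows, window=BASELINE_WINDOW):
    """Return the set of (src, dst, action, detail) tuples seen before `window`."""
    return {(f.src, f.dst, f.action, f.detail) for f in flows if f.ts < window}


def known_assets(baseline):
    """Every asset that appeared, as source or destination, during the baseline."""
    return {s for s, _, _, _ in baseline} | {d for _, d, _, _ in baseline}


def detect(flows, baseline, window=BASELINE_WINDOW):
    """Flag live-period flows that deviate from the learned baseline.

    Each alert names the source, user, kind of activity and detail so an
    analyst can act on the specific asset rather than on a generic network
    alert. Severity is high for unknown assets and for controller logic
    transfers, since either can change what a PLC runs.
    """
    assets = known_assets(baseline)
    alerts = []
    for f in flows:
        if f.ts < window or (f.src, f.dst, f.action, f.detail) in baseline:
            continue
        reasons = []
        if f.src not in assets:
            reasons.append("source asset not seen during baseline")
        if f.action in LOGIC_TRANSFERS:
            reasons.append("controller logic transfer outside baseline")
        if not reasons:
            reasons.append("new communication pattern for a known asset")
        alerts.append({
            "ts": f.ts, "source": f.src, "user": f.user, "activity": f.action,
            "target": f.dst, "detail": f.detail,
            "severity": "high" if f.src not in assets or f.action in LOGIC_TRANSFERS else "medium",
            "reasons": reasons,
        })
    return alerts


def peers_of(flows, controllers):
    """Assets that have talked to any controller in `controllers`.

    Answers the question of which other devices interact with a set of
    PLCs of concern and therefore belong on the patch list.
    """
    peers = defaultdict(set)
    for f in flows:
        if f.dst in controllers:
            peers[f.dst].add(f.src)
    return {c: sorted(s) for c, s in peers.items()}


if __name__ == "__main__":
    base = learn_baseline(SAMPLE_FLOWS)
    for a in detect(SAMPLE_FLOWS, base):
        print(f"t={a['ts']:>4} {a['severity']:<6} {a['source']} ({a['user'] or 'n/a'}) "
              f"{a['activity']} {a['target']}/{a['detail']}: {'; '.join(a['reasons'])}")
    print(peers_of(SAMPLE_FLOWS, {"PLC-Line1"}))
```

In the sample, the HMI's repeated setpoint write at t=700 is silent because the same tuple was learned during the baseline, while the same HMI writing to a second controller's setpoint is flagged as a new pattern, and the previously unseen laptop downloading controller logic is flagged at high severity on two grounds. A real deployment would key the baseline on richer protocol fields and would age it, but the shape of the check is the same.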
Integration expedites actions
Integration with a central log collector and other systems can shorten mean time to respond and recover (MTRR) by providing a means to respond to an alert, context to help evaluate it, and enforcement tools to perform actions.
The computerized maintenance management system (CMMS) can show whether there’s an existing work order, in which case no response may be necessary. Active Directory allows users to look at administrator accounts to see the origin of breach attempts. FactoryTalk alarms and events can show whether the alarm is the result of an operational issue, and application and endpoint logs might show whether antivirus is involved.
“Integration with the perimeter firewall allows immediate action to limit or lock down traffic, and with network access control, you can take a targeted action to kick an asset off the network, such as a maintenance laptop,” Masud said. “You can use Cisco’s Identity Services Engine (ISE) to enforce the actions.”
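The triage workflow sketched in the last three paragraphs, as an added illustration in Python (not code from Claroty, Rockwell Automation or Cisco). A detection alert is enriched with constructed stand-ins for a CMMS work-order list, a set of directory administrator accounts, FactoryTalk-style alarms and endpoint antivirus events, and the function decides whether to close the alert, route it to operations, hand it to an analyst, or contain the source asset through network access control. All record formats, names, identifiers and the 60-second correlation window are assumptions made for the example.

```python
"""Alert triage enriched with CMMS, directory, alarm and endpoint context
(added illustration of an integration workflow; all data is constructed).

A detection alert alone says what changed; the surrounding systems say
whether it was expected. The triage function combines them into a
disposition and a suggested action.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int            # seconds since capture start (constructed clock)
    asset: str         # controller the activity targeted
    source: str        # asset that initiated it
    user: str          # account carried in the protocol, if any
    activity: str      # e.g. write, upload, download


# Constructed context records standing in for CMMS, directory, alarm and
# endpoint-log integrations.
WORK_ORDERS = [
    {"asset": "PLC-Line1", "user": "engineer", "start": 600, "end": 900,
     "id": "WO-EXAMPLE-1"},
]
ADMIN_ACCOUNTS = {"engineer", "svc_maint"}
FT_ALARMS = [
    {"ts": 705, "asset": "PLC-Line2", "text": "Line2 speed below setpoint"},
]
ENDPOINT_EVENTS = [
    {"ts": 715, "host": "LAPTOP-77", "event": "antivirus detection"},
]
CORRELATION_WINDOW = 60  # seconds either side of the alert considered related
LOGIC_TRANSFERS = {"upload", "download"}


def covering_work_order(alert, work_orders):
    """A work order for the same asset and user whose window contains the alert."""
    for wo in work_orders:
        if (wo["asset"] == alert.asset and wo["user"] == alert.user
                and wo["start"] <= alert.ts <= wo["end"]):
            return wo
    return None


def triage(alert, work_orders=WORK_ORDERS, admins=ADMIN_ACCOUNTS,
           ft_alarms=FT_ALARMS, endpoint_events=ENDPOINT_EVENTS):
    """Return a disposition of close, operations, investigate or contain, with context."""
    wo = covering_work_order(alert, work_orders)
    if wo:
        # Planned maintenance: the change was expected, nothing to respond to.
        return {"disposition": "close", "action": "none",
                "context": [f"covered by work order {wo['id']}"]}

    context = []
    av = [e for e in endpoint_events
          if e["host"] == alert.source and abs(e["ts"] - alert.ts) <= CORRELATION_WINDOW]
    if av:
        context.append(f"endpoint event on {alert.source}: {av[0]['event']}")
    if alert.user in admins:
        context.append(f"account {alert.user} is an administrator; review its recent logons")
    related = [a for a in ft_alarms
               if a["asset"] == alert.asset and abs(a["ts"] - alert.ts) <= CORRELATION_WINDOW]
    for a in related:
        context.append(f"process alarm near the event: {a['text']}")

    if av:
        # Endpoint protection fired on the source: isolate it first, analyse later.
        return {"disposition": "contain",
                "action": f"quarantine {alert.source} via network access control",
                "context": context}
    if related and alert.activity not in LOGIC_TRANSFERS:
        # A tag write coinciding with a process alarm is most likely an operator
        # responding to a process upset rather than a security event.
        return {"disposition": "operations",
                "action": "route to operations as a possible process issue",
                "context": context}
    return {"disposition": "investigate",
            "action": "analyst review of the configuration change",
            "context": context}


if __name__ == "__main__":
    for a in [Alert(730, "PLC-Line1", "EWS-01", "engineer", "upload"),
              Alert(710, "PLC-Line2", "HMI-01", "operator", "write"),
              Alert(720, "PLC-Line1", "LAPTOP-77", "svc_maint", "download"),
              Alert(950, "PLC-Line1", "EWS-01", "engineer", "upload")]:
        print(a.ts, triage(a))
```

The ordering of the checks is the point: a matching work order closes the alert outright, an endpoint detection on the source outranks everything else and drives containment, and a process alarm only downgrades the alert when the activity is an ordinary tag write rather than a logic transfer.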