Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Endpoint Detection and Response (EDR) Solutions for IT and OT/ICS

Endpoint Detection and Response (EDR) solution, in addition to an essential security controls within an enterprise/IT on endpoints (servers, laptops, desktops), are now becoming also a critical need for securing endpoints within the critical infrastructure Operational Technology (OT) / industrial Control systems ICS environments. This provides adequate protection against growing and sophisticated cyberthreats like Ransomware and other forms of malware or malware-less attacks on the IT, OT/ICS or factory or automation or production control networks (all these terms are used).

However, implementing such EDR solution requires careful planning and execution to avoid any downtime or disruptions both to enterprise applications environment (in IT) and to production operations (in OT/ICS).

Note: EDR solutions are not like Endpoint protection solutions which uses antivirus features, inspection of files for corruption, or analyze for suspicious behavior, against known signatures database, detect, and prevent mostly known attacks. EDR solutions uses (typically cloud based) Machine Learning (ML), Artificial intelligence (AI), behavior analytics and threat intelligence (TI) to detect threats and take the additional step of acting to eradicate threats and neutralize existing attacks by actively blocking and or isolating endpoints.   

Threat Landscape and Business Needs

Ransomware attacks have surged since last few years and 2023 is no exceptions, rather seen a rise in such attacks. We've all seen some significant supply chain disruptions due to global ransomware attacks on small to large enterprise organizations. One (of the many) very recent example is highlighted below:

Businesses wants to minimize the number of endpoint security control solutions deployed for ease of management and for minimizing the impact on performance (especially the number of agents running on any given endpoint) and ultimately the production environment. The typical control requirements from such solutions are (but not limited to):

Note: cloud native/containers and other special purpose endpoint detection and response controls may exists (/need to have) as well - (not included here).

No alt text provided for this image

 

A Critical Telemetry source

EDR solutions are at the heart of, and one of the main, telemetry / log source (critical) as part of any broader XDR/MDR cybersecurity monitoring strategy.

EDR Solution Selection:

Feature comparison

  • Mapping your business requirements both in IT and OT ensures that required telemetry is provided by your selected EDR tool is a required activity. This can be achieved using feature comparison and requirements analysis and or running a Proof of Concept exercise. Industry analyst reports could be another source for understanding products capabilities, strengths/weaknesses and company direction.

IT/OT EDR Project Execution Strategy

For details on executing such complex deployment or implementation projects, both in IT & OT/ICS environments please refer to #SecuringThings whitepaper by M. Yousuf Faisal here.

 

Documentation

Documentation of such implementation is critical, both in terms of guidance for IT users and Plant Users as well as guidance for implementation, back-end operations and maintenance teams (e.g, or plant project engineering team).

 

No alt text provided for this image

 

Relying on EDRs only

EDR solutions are one part of an IT and OT/ICS environments defense-in-depth layered model and not an all protection/detection solutions for all your cybersecurity needs. Solely relying on EDRs will expose your IT and OT environments for potential bypass/tampers and related attacks of such EDR solutions. Few reference examples below:

Lessons Learned (an actual implementation)

Below outlines few key examples of potential outcomes/benefits and Pitfalls/Don'ts from an actual global IT/OT EDR implementation.

No alt text provided for this image

Feel free to reach out or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and or simply information sharing.

Follow or connect with me for future posts, interest, simply discussions:

Muhammad Yousuf Faisal
Muhammad Yousuf Faisal
M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has more than two decades of industry experience in technology and cybersecurity, helping organization across multiple industry sectors worldwide, secure their digital transformation journey. As founder of “Securing Things," currently offering Cybersecurity Advisory and Consulting services, training, and solutions, both IT & OT/ICS/IOT environments. He holds a B.E. Electrical and an Executive MBA degree.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM