Operational technology (OT) is the backbone of automation, manufacturing systems and other utilities, communication systems, building automation, physical security systems, vehicle controls, and more. Despite the criticality of these industries, the security measures in place on OT products are often weak or non-existent.
Traditionally, most of the OT assets were isolated, meaning they were physically not connected to any central network therefore the security was always bult on perimeter security i.e., there will minimal check at the entry level but once you are in these network you can just walk around the network with no security checks similar to like walking into an airport where they will check you at gate with you ID but once you there then you can take anything in your bags and take any flights no security checks.
However, with time the interconnectivity between IT and OT to improve operational efficiencies has led these assets have appeared to come online. With introduction of advance IOT sensors, edge commuting, IIOT devices and IT/OT convergence it introduced potential risk into this estate. OT is now directly exposed to outside risks via remote sensors to retrieve data, Wi–Fi enabled controllers, and USB devices to update software etc.
Underestimating the Risk
Critical infrastructure is a is not only a lucrative target for bad actors, but it is also a prime target for nation state sponsored cyberattacks. A major gas pipeline, multiple government agencies, a Florida water supply facility, several hospitals, and the world’s largest meat producing plant are all evidence of the surge in OT attacks. And a 2021 Gartner® report states, “by 2025, attackers will weaponize operational technology environments to harm or kill humans”
Ransomware attacks against IT systems, as demonstrated against NEW Cooperative, Colonial Pipeline, and JBS Foods, must be taken into consideration because they can cross over to systems that manage OT, or force the shutdown of critical processes and services. Maintaining and storing backups offline will enable quicker data restoration when needed and help resume operations
xDR
The “X” in XDR stands for extended, but it really represents any data source, because it’s not efficient or effective to look at individual components of an environment in isolation. XDR has evolved from EDR. EDR utilised EPP agents and sent telemetry to with a data repository. The data was analysed with any suspicious behaviour or activity alerted to SOC. XDR still operates in a similar way with some fundamental differences.
As with EDR, telemetry is extracted from EPP agents, but this is sent into a vendor cloud data-lake. In addition, telemetry from networks, cloud and security tooling (where compatible) is also sent into the vendors cloud data-lake. XDR brings a proactive approach to threat detection and response. XDR delivers visibility across all data types while applying analytics and automation.
The 3 key main features are- visibility, response, and detection.
Visibility |
Visibility of the assets across the complete estate ·Analysis of internal and external traffic: External and insider threat ·Complete 360-degree view of all the assets within the network either via TCP/UDP or via physical discovery ·Integrated threat intelligence: Intelligence from global network to identify subsequent attack ·Vulnerability assessment to scan systems and identify environments most vulnerable to attack and apply this telemetry to alert severity levels ·Asset management for the detection of rogue/shadow device discovery |
Response |
Time is of the essence and a SOC agent/team needs to quickly triage and investigate these threats. ·Correlation and grouping of related alerts and telemetry data o Reduce alerts o Prioritise alerts o Build a timeline of the attack and stitch together activity logs from network, endpoints, and cloud environments o Sequence events to determine the root case ·Swift investigation into incidents with instant access to all forensic artifacts, events, and threat intelligence in one location ·Manual and automated threat hunting ·Coordinated response: Effective remediation and policy enforcement. Automated responses with machine learning and ability for analyst to take response action through the XDR Response capabilities 1. Automated root cause analysis 2. Visualisation of the chain of execution 3. Timeline analysis 4. Querying for indicators of compromise (IOCs) and behaviours 5. Easily pivot between views with granular filtering and sorting of query results 6. Automatic aggregation of relevant Internet Protocol (IP) or hash information, including threat intelligence, events, and related incidents in a single view to simplify investigations and block access to malicious IP addresses or domains 7. Remote ability to view, suspend, or terminate running processes or download binaries 8. Automated stitching of security alerts, such as firewall alerts, to endpoint data 9. Noise cancellation and removal of non-significant binaries and dynamic-link libraries (DLLs) from chain 10. Integration with security orchestration, automation, and response (SOAR) and security information and event management (SIEM) solutions 11. Incident scoring allowing ranking and prioritization of high-risk incidents to zero in on the most critical threats; creating incident scores based on alert attributes, including the users or hosts in an alert 12. Quarantining malicious files and removing them from their working directories 13. Swiftly finding and deleting files across your organization in real time by indexing endpoint files |
Detection |
At each stage of the attack cycle (Reconnaissance, Weaponization, Exploitation, Installation, Command and Control, Lateral Movement). Use of machine learning to discover unique characteristics between normal and unusual activity. This fuels advanced analytics, profiling, and behavioral threat detection ·Targeted attacks: Cross data analytics to profile user behavior and pinpoint anomalous behavior ·Malicious Insiders: Use trusted credentials to steal RMG data without detection. XDR looks for anomalies in user behavior and activity to present a 360 view with a clear risk score ·Inadvertent risk: Well-meaning employees can inadvertently expose organizations to undue risk through abuse and misuse ·Compromised endpoints: Via malware and XDR brings security together across networks, cloud and endpoints for suspicious traffic and malware ·Customizable threat detection: Aligned to RMG Crown Jewels and different user groups ·Machine learning-based detection: Detection adapts to known environments to deploy advanced analytical techniques to detect abnormal or suspicious activity across all telemetry Detect attacker techniques through MITRE ATT&CK evaluations and tagging these to alerts and detection rules |
APPROACH for OT
When looking to implement xDR in ICS/OT we need to watch out for the following points (these should be answered) so that it’s covered in the design and the solution must support majority of these, i.e:
- Will there be a vulnerability scanning/Continuous Monitoring.? (Regular Malware scanning and incident response?)
- Scanning, identification, handling and reporting for A/V, Malware, Ransomware.
- OT agent / sensor compatible with the organisation with ICS devices?
- Threat intelligence and threat hunting for OT areas.
- Process flow, RACI, SOC to SOC hand over for events (what type of events, when)
- SOC to SOC services.
- The use of tools, for instance could the MSSP provide managed service for OT tooling.
- Host-based agents can impact the performance of the OT device because of the resources they consume from the host. Internal engineering/manufacturing process will get impacted if the performance is reduced.
- Provides Asset device info, Network Visibility and Protocol visibility to network managers to monitor and prevent cyber threats proactively with central management capability
- Legacy OS support.
References
Gartner, “Reduce Risk to Human Life by Implementing this OT Security Control Framework”, Wam Voster, June 17, 2021.
CISA, Cybersecurity Incident & Vulnerability Response Playbooks, https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf