OT system implementation plan

Design OT network monitoring sites

1. Verify architecture in the executive documentation
2. Plan and select key segments to monitor

Installation of probes in the right sites

The installation of the probes should ensure traffic monitoring appropriate to the scale of the risk. The “traditional” location of the probe in IT networks directly behind the firewall ensures monitoring only against external intrusion and external threats. In order to fully protect the network, we must also (or above all) monitor whole network traffic in each single subnet to which physical unauthorized access is possible.

„In order to obtain the highest possible accuracy and reliability in the detection of anomalies, it is important that the location of industrial network’s monitoring is as close as possible to the communicating devices.”

Such special protection is most important in the case of industrial networks, where the monitoring of traffic at the lowest level (individual sensors and actuators) allows to prevent and / or minimize the impact on the production process (i.e. the company’s critical infrastructure). In order to obtain the highest possible accuracy and reliability in the detection of anomalies, it is important that the location of industrial network’s monitoring is as close as possible to the communicating devices. Data on traffic model in each OT network segment should be collected. Thanks to this, it would be possible to observe changes for all objects on the given site, including in particular the appearance of a new device, any new communication between devices or its change.

In fact, the number of network segments in industrial networks is very large and users tend to monitor closely only critical parts of the networks. The remaining segments remain without full control and can only be minimally supervised through their communication with the already monitored network segments. The decision on the choice of network monitoring scope should be made jointly by all process owners in cooperation with those responsible for security in the organization.

Not only Ethernet

Often, industrial networks have not only the Ethernet layer, but also older communication buses such as RS or CAN. It is possible to install in these networks an unauthorized device equipped with an LTE modem, which can be used to fully take control over communication of devices in this network. Therefore, it is recommended to cover those devices with monitoring and traffic analysis too. PThe above architecture of the monitoring method enables the view of the entire OT infrastructure deployment, along with the analysis and detection of anomalies. Among other things, it will allow detection of the appearance of a new unauthorized device connected to the subnetwork, also in a situation where it does not communicate with devices in other parts of the infrastructure, but only with a small group of elements within its own subnetwork. An example of such an anomaly may be a connection of a foreign device through which an attack on the infrastructure, e.g. “man in the middle” type, can be carried out.

This brings the need to start a monitoring in many locations (network segments), thanks to which the collected information allows for a precise indication of a potential root cause of a problem incl. the direction from which the attack took place.

Select a system with an appropriate anomaly detection methodology:
1. Behavioral methods
2. Rule methods
3. Hybrid methods

Behavioral analysis vs. rules and signatures

The traditional approach to the problem of detecting anomalies in the industrial networks’ traffic uses packet analysis to discover events that violate a predefined set of rules or comply with the pattern of dangerous behavior (signatures).

In the first case, we can distinguish three types of rules: anomalous (e.g. momentary changes in the number of packets), threshold (e.g. the number of events in the network that exceeds a given limit) and behavioral (e.g. unexpected sudden communication of the e-mail server with many clients).

In the second case mentioned above, the system works by comparing the contents of the packages with the signatures in the database of known threats. The disadvantage of both of the described solutions is the need to know the characteristics of the threat before its occurrence. If a new type of threat appears, it will not be detected. The solution for automatic detection of unknown anomalies needs to use machine learning methods to map the reference network architecture (including: network traffic) and then report any deviations from the trained model.

Thanks to the awareness of the working environment, such a system is able to react to any deviations from the norm in network traffic without the need to manually define traffic rules, synchronize the database of threats, or extensive knowledge of the system by the system user.

“Building models closely matched to the characteristics of the protected network covers a significant part of the spectrum of possible threats”

Behavioral methods in detecting threats have an advantage over signature and rule-based methods due to the fact that the monitoring system can be completely „cut off” from the outside world – there is no need to update rules and signatures. Building models closely matched to the characteristics of the protected network covers a significant part of the spectrum of possible threats, complementing a much smaller and already known area of threats detected by rule and signature-based methods.

Eliminating false-positive alarms

As described above the main advantage of the behavioral analysis is the ability to detect unknown threats and unknown types of attacks (Zero Day Attacks). This allows for increased control over communication in industrial networks, and any deviation from normal behavior is detected. The disadvantage of such a solution is the appearance of false alarms, resulting from the detection of harmless deviations in the correct operation of the network, however, the use of several behavioral models allows to eliminate false-positive alarms.

Signature-based detection allows you to track down known threats quickly, provided they are precisely defined and as such it is an accurate prediction system, but remains helpless against more sophisticated attacks. In the era of the cyber armaments race, responsiveness remains key, so systems that can adapt to detect new threats have a significant advantage over signature-based systems.

In practice, it is best to implement hybrid solutions using rule and signature methods, as well as methods based on machine learning. This will allow you to quickly detect known attacks and draw attention to the anomalous behavior of the monitored system in case of zero-day attacks.

Monitor, audit, manage assets and vulnerabilities,
discover threats and classify as a incidents

Integrate system with SIEM, UEBA lub SOAR