Cyber Defense for Utility ICS using Industrial Process Analysis
Industrial Control System (ICS) experts worldwide are well aware that there is no single cyber-defense measure, no matter how advanced or expensive, which can completely prevent all possible attack scenarios. Deployed measures such as SCADA-aware firewalls and Demilitarized Zones (DMZs) are all effective, but they have technology limitations and an inherent vulnerability because they are themselves software-based. Being aware of these considerations, as well as of typical budget limitations, utility experts realized that enhanced cyber-defense measures must be adapted to existing systems without significant changes that might affect the safety and reliability of ICS operation.
Challenges to Defend ICS
The typical system consists of an MS Windows(TM) based ICS control center, complete with Human Machine Interface (HMI) computers, a Disaster Recovery (DR) computer, a Historical Server (HS) computer, a variety of Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), and Operational Technology (OT) networks combining physical and wireless media.
Most legacy ICS installed worldwide were not built with cyber defense in mind; all efforts were directed at achieving operational reliability and safety. Furthermore, legacy ICS often run on 10- to 15-year-old hardware and software, which creates a challenge when considering a cyber-security upgrade without a major system retrofit. Securing ICS therefore always calls for creative solutions and compensating defense measures to mitigate cyber-attacks.
The recent industry trend is toward Process Behavior Analysis built on Big Data technology.
One may ask why this method delivers more effective cyber protection than other solutions. There are several reasons for that:
Source of Information
Detecting unusual conditions in a control system, whether resulting from a process disruption, a sensor failure, an operator mistake or a cyber-attack, is not an easy task. To achieve accurate detection of undesirable events, the system must learn from a large amount of raw data collected by the ICS servers and historian databases, and perform fast and effective analysis on it.
Cyber-defense measures must be capable of detecting both internally and externally generated attacks, which includes dealing effectively with unknown vulnerabilities. The process deployed by ICS2 utilizes several patented algorithms and is therefore capable of detecting a broad range of attacks targeted at the ICS. Furthermore, this kind of technology also detects operator faults, misconfigurations and malfunctions, and may therefore generate significant cost savings, prevent damage and minimize unplanned outages.
More Effective than Antivirus
Antivirus suppliers typically release a new update (signature) only after detecting a fairly large number of attacks targeting a specific vulnerability. Since the prime goal of an ICS is to assure the safety and reliability of the critical infrastructure, relying on antivirus alone is a problematic approach. Deployment of any new software represents a risk to the safety and reliability of critical infrastructure, so deploying a new antivirus update may take weeks or even months after its release. Process behavior analysis, by contrast, does not rely on published signatures or known vulnerabilities.
Broad coverage of detected anomalies
ICS operation includes a broad range of control programs dealing with communication and processes. ICS-aware firewalls deal mainly with detecting abnormal communication; process behavior analysis detects unusual deviations from normal process behavior. This solution detects a broad range of anomalies while the baseline for detection is constantly adapted through a self-learning process. This makes it highly effective at detecting zero-day attacks, insider attacks and sophisticated hidden attacks on the ICS.
Operation not influencing the ICS process
Deployment of a cyber-defense process that does not interfere with ICS operation and does not overload ICS server processes is a critical, "must-have" requirement. The Industrial Intrusion Detection System (IIDS) collects raw data from the ICS historian through a secured connection. The calculated process data is securely fed into the IIDS to generate specific alarms and, where applicable, to make this information available to the Security Information and Event Management (SIEM) system.
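The three ideas above (learning a baseline from historian data, keeping that baseline self-adapting, and forwarding alarms to a SIEM) can be shown end to end in a small detector. The following is an added example written for this article, not code from the page or from ICS2's product. The tag names (P-101, F-101), the flow/pressure relationship used as a consistency invariant, the historian samples and the CEF vendor/product fields are all constructed assumptions. The example goes slightly beyond the text by adding a cross-tag consistency check, which catches a reading that is individually within its normal range but physically inconsistent with a neighbouring sensor, a pattern typical of a failed or spoofed sensor.

```python
"""Process-behavior anomaly detection over historian samples (added example).

Learns a per-tag statistical baseline from historian rows, keeps learning only
from samples it considers normal, adds a cross-tag consistency invariant, and
renders alerts as CEF lines for a SIEM. Tags, physics and data are constructed.
"""
import math
import random


class TagBaseline:
    """Running mean and standard deviation of one feature (Welford's algorithm)."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stdev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        sd = self.stdev()
        if sd == 0.0:  # a tag that never moved: any change at all is abnormal
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd


class ProcessAnomalyDetector:
    """Scores each historian snapshot {tag: value} against learned baselines.

    invariants: name -> function(snapshot) deriving a value that should stay
    near-constant while the process and its sensors behave as expected.
    """

    def __init__(self, invariants, warmup=100, z_threshold=4.0):
        self.invariants, self.warmup, self.z_threshold = invariants, warmup, z_threshold
        self.baselines, self.samples_seen = {}, 0

    def _features(self, snapshot):
        feats = dict(snapshot)
        for name, derive in self.invariants.items():
            feats[name] = derive(snapshot)
        return feats

    def observe(self, ts, snapshot):
        """Return the list of alerts raised by one snapshot."""
        feats, alerts = self._features(snapshot), []
        if self.samples_seen >= self.warmup:
            for name, value in feats.items():
                baseline = self.baselines.get(name)
                if baseline is None:
                    continue  # tag never seen during learning
                z = baseline.zscore(value)
                if abs(z) >= self.z_threshold:
                    alerts.append({"ts": ts, "tag": name, "value": round(value, 3),
                                   "zscore": round(z, 2) if math.isfinite(z) else "inf",
                                   "kind": "consistency_violation" if name in self.invariants
                                           else "process_deviation"})
        # Self-learning: baselines keep adapting, but only from samples that raised
        # no alert, so a fault or attack cannot teach the detector a new "normal".
        if not alerts:
            for name, value in feats.items():
                self.baselines.setdefault(name, TagBaseline()).update(value)
        self.samples_seen += 1
        return alerts


def to_cef(alert):
    """Render an alert as a CEF line for a SIEM (vendor/product are placeholders)."""
    severity = 9 if alert["kind"] == "consistency_violation" else 6
    return ("CEF:0|ExampleVendor|IIDS|1.0|{k}|{k}|{s}|cs1Label=tag cs1={t} "
            "cs2Label=zscore cs2={z} msg=value {v} at {ts}").format(
                k=alert["kind"], s=severity, t=alert["tag"], z=alert["zscore"],
                v=alert["value"], ts=alert["ts"])


PRESSURE, FLOW, RATIO = "P-101", "F-101", "F-101/sqrt(P-101)"
# Constructed physics: flow through a fixed orifice scales with the square root
# of upstream pressure, so F / sqrt(P) stays near-constant while each tag varies.
INVARIANTS = {RATIO: lambda s: s[FLOW] / math.sqrt(s[PRESSURE])}


def constructed_history(n=150, seed=7):
    """Constructed historian rows (ts, {tag: value}) for a healthy process."""
    rng, rows = random.Random(seed), []
    for i in range(n):
        p = rng.uniform(3.0, 5.0)                            # bar, varies with load
        f = 10.0 * math.sqrt(p) + rng.uniform(-0.05, 0.05)   # m3/h plus sensor noise
        rows.append((f"t{i}", {PRESSURE: round(p, 4), FLOW: round(f, 4)}))
    return rows


def build_trained_detector():
    """Train on the constructed history; return (detector, alerts seen while training)."""
    det, training_alerts = ProcessAnomalyDetector(INVARIANTS, warmup=100), []
    for ts, snap in constructed_history():
        training_alerts.extend(det.observe(ts, snap))
    return det, training_alerts


if __name__ == "__main__":
    det, _ = build_trained_detector()
    for ts, snap in [("t200", {PRESSURE: 4.2, FLOW: 20.49}),   # healthy
                     ("t201", {PRESSURE: 4.0, FLOW: 12.0}),    # flow collapsed
                     ("t202", {PRESSURE: 3.0, FLOW: 22.4})]:   # tags disagree
        for alert in det.observe(ts, snap):
            print(to_cef(alert))
```

The second case trips both the per-tag baseline and the invariant; the third case is the one a per-tag threshold alone would miss, since 3.0 bar and 22.4 m3/h are each inside their learned ranges, and only their combination is impossible for the constructed process. The "learn only from unalarmed samples" rule is what keeps a slow-moving attack or drifting sensor from becoming the baseline; in a real deployment the warm-up length and threshold would be tuned per tag from historian data.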
Data Collection across the ICS
Most ICS installed in utility and manufacturing applications utilize control hardware and operating systems that can be as much as 15 years old. Since this hardware cannot easily be replaced or upgraded (for justified reasons), it is important to deploy complementing/compensating defense measures. The ICS2 solution performs high-quality behavioral anomaly analysis and is equally reliable for defending modern and legacy ICS using a range of RTUs and PLCs that speak industry-standard ICS protocols.
Upgradeable and Expandable Defense
Most ICS serving critical infrastructure are gradually expanded and upgraded as system needs change, so the cyber-defense systems serving them must be upgraded and expanded accordingly. The ICS2 system utilizes a powerful computing platform capable of performing big data analysis on large volumes of data. When the system needs to be extended or upgraded, additional computers can be added, matching the IIDS capability to the new conditions. Furthermore, the anomaly detection process itself is upgradeable and remotely updateable.
Summary and Conclusions
Although no one knows the type of the next cyber-attack on critical infrastructure or when it will take place, we do know that the number and severity of attacks are growing, because today's attackers are funded by hostile states and criminal organizations in order to steal business information and cause outages and damage. The conclusion is that special attention is required and systematic investment needs to be allocated to achieve safe and reliable operation of industrial and utility infrastructure. Consequently, the management of these organizations must act with greater determination and start deploying strong defense solutions, to be "one step ahead of attackers" and prevent cyber-attacks that might harm the wellbeing of citizens.
Industrial process behavior detection is a new technology capable of dealing with a range of malfunctions caused by cyber-incidents, damaged sensors, software flaws and communication problems, and is considered a suitable solution for ICS managing critical infrastructure.