Reinforce industrial control system security with ICS monitoring

Monitoring an industrial control system environment isn't that different from monitoring a traditional IT environment, but there are some considerations to keep in mind.

IT/OT convergence fosters data sharing, enables better decision-making and can lower costs. With operational technology systems no longer separated from IT environments, however, they are susceptible to the same threats IT environments face, creating yet another security dilemma. Due to the benefits, isolating industrial control systems (ICSes) from IT environments is no longer a feasible solution.

Beyond designing ICS architectures with security top of mind, security monitoring is key. Pascal Ackerman, author of Industrial Cybersecurity, Second Edition, published by Packt, calls security monitoring the "second-most effective method to improve the ICS security posture."

Here, Ackerman explains why he takes this stance and discusses the differences between ICS and IT security monitoring, who has responsibility for ICS monitoring and more.

How does ICS monitoring complement the first best method of improving ICS security posture -- designing secure architecture -- in the first place?

Pascal Ackerman: It complements it because you're double-checking your work. You're making sure you're effective and keeping an eye on the prize. You're also making sure you didn't forget anything. As you learn more about your environment and cybersecurity -- and as cybersecurity evolves -- you must monitor, check and assess what you have. You may notice things aren't completely right, or maybe processes implemented used to be best practice and no longer are. Monitoring gives you a chance to reevaluate, rinse and repeat.

Cover image of Industrial Cybersecurity by Pascal AckermanClick to learn more about
'Industrial Cybersecurity' by
Pascal Ackerman, published
by Packt.

What is different about monitoring an ICS environment versus a traditional IT network?

Ackerman: Honestly, there's very little difference in the monitoring. What you're looking at is often the same -- IP addresses, vulnerabilities, exploit attempts and so on. From that perspective, not much changes. It's when you start assessing your environment where things are different between OT and IT.

What are the of the top things to look for when assessing OT?

Ackerman: Make sure you zoom out. I've seen a lot of companies do OT assessments, penetration tests, risk assessments and gap analysis and only concentrate on the OT part. They look at the complete network, the complete production facility or organization and then fully assess only the systems specific to manufacturing. They look at PLCs [programmable logic controllers] and HMIs [human-machine interfaces] that are probably decades old, find issues and challenges, and write up a report. But this doesn't show the real risk behind it. Sure, these things could have vulnerabilities, but if no one can access that network to attack vulnerable devices or exfiltrate data, then are you really at risk?

It's important to take everything into consideration. At my company, we do a lot of ICS assessments and ICS pen tests where we look not only at OT, but also IT. We'll attack and approach the project as an outsider. So, give us your IP address range, and we'll find a way into the enterprise network. From there, we'll get into the industrial network. That's often what we call 'end of game' or 'end of engagement.' Once an attacker gets onto that network, they can compromise anything really easily.

Who is responsible for monitoring OT networks?

Ackerman: Security monitoring is often sent to a security operations center [SOC], so it's usually the IT side. But this means SOC analysts have to now know what industrial threats look like and how to respond to them. They now have extra screens and extra alerts to deal with.

On the OT side, I've noticed engineering teams get excited about ICS monitoring systems. All of a sudden, they see all the assets on the production floor. They can go in and determine why certain assets aren't running properly. OT and engineering teams often start to use the monitoring systems more and more, just for different reasons.

The book describes three components of secure ICS monitoring. Could you explain each?

Ackerman: The three components are passive monitoring, active monitoring and threat hunting.

Passive monitoring is just sitting there and looking at your appliances. Maybe you pick up somebody doing something wrong, or your antivirus detects malware.

Active monitoring is doing vulnerability scanning, making sure all your devices are up to date, looking at configurations and so forth. This is all done with scanners.

Threat hunting is when you make a hypothesis that says, for example, 'We think there's malware on some of our Windows systems in our industrial environment.' You then prove or disprove that hypothesis with a series of tests. You start up items, pull out a list of executables that start up with Windows, start looking around, taking hashes and comparing them to known malicious executables. If there's something there, you've proven your hypothesis.

More on Industrial Cybersecurity

Check out an interview where Ackerman explains the concept of the industrial DMZ.

Read an excerpt from Chapter 17 of Industrial Cybersecurity to learn about the ICS kill chain.

Tell me a little bit about the book. It's a second edition -- what has changed? What do you want readers to get from it?

Ackerman: Even though it's called a second edition, it's more a second volume. About 99% of the material in the second book is brand new.

I wrote it because I wasn't done with my story yet. When I wrote the first book, I was focused on architecture and program development and writing governance decks, so I wrote about that. Over time, I've been more involved in the offensive side -- assessments, monitoring and threat hunting. This book complements the first book.

If readers get anything from the book, it should be: Don't sit back and think you're done now that you've created your program. Make sure it's working the way you intended it to and expect it to. Challenge what you did, go back and review, and continually improve on things.

About the author
Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and more than 20 years of experience in industrial network design and support, information and network security, risk assessments, pen testing, threat hunting and forensics. His passion lies in analyzing new and existing threats to ICS environments, and he fights cyber adversaries both from his home base and while traveling the world with his family as a digital nomad. Ackerman wrote the previous edition of this book and has been a reviewer and technical consultant of many security books.

Dig Deeper on Network security