A layered “defense-in-depth” approach to security has been best-practice advice for many years, for both IT networks and ICS networks. Intrusion detection systems (IDS) and security information and event managers (SIEM) are often described as the pinnacle of these layered security architectures. Many organizations have purchased these systems, but few have achieved their project goals. Either the deployments are never completed, or the systems are implemented and then ignored. In both cases the product becomes “shelfware.”
According to the Ponemon Institute’s “Risk & Innovation in Cybersecurity Investments” industry survey, sponsored by Lockheed Martin, 90 percent of respondents said their organization had invested in a security technology that was ultimately discontinued or scrapped before, or soon after, deployment. The reasons ICS IDSs become shelfware are unanticipated costs and the eventual realization that these projects can never achieve their goals. Let’s discuss cost first… All IDSs and their SIEM analysis systems need to be tuned. If the systems are made too sensitive, they generate floods of false alarms and the result is information overload. If the systems are de-sensitized to the point where false alarms are eliminated, they stop detecting real attacks. There is a middle ground that must be found: a certain number of false alarms per day, or per week, is the unavoidable price of intrusion detection that actually detects anything. The problem is that nobody knows which alarms are false until the alarms are investigated. Investigating alarms takes experts who understand control systems, working together with the network technicians who received the alarms, not just the network technicians of an outsourced security service. Costs escalate because control system experts are busy with other work and cannot drop what they are doing a dozen times a week to investigate false alarms without impairing the progress of every other active OT project. Each investigation costs time and effort from experts who are already overburdened.
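The tuning trade-off described above can be made concrete with a small threshold sweep. The following is an added worked example, not code from the original article: the IDS anomaly scores, the ground-truth labels and the per-alarm triage hours are all constructed assumptions chosen so that no threshold separates benign events from attacks cleanly. The “middle ground” it finds is the most sensitive setting whose weekly load on control-system engineers fits a given budget, and it reports what that setting misses.

```python
from dataclasses import dataclass

# Added worked example (not from the original article). The IDS scores,
# the ground-truth labels and the triage-hour figures below are all
# constructed assumptions chosen to illustrate the tuning trade-off.


@dataclass(frozen=True)
class Alert:
    score: int     # anomaly score the IDS assigned (0..100); higher = more suspicious
    attack: bool   # ground truth; in practice unknown until someone investigates


# One constructed week of IDS output: 20 benign events that tripped some rule,
# plus 3 real intrusions. Real attacks do not all score high, and some benign
# traffic scores high, so no threshold separates them cleanly.
BENIGN_SCORES = (5, 8, 12, 15, 18, 22, 25, 28, 31, 35,
                 38, 41, 44, 48, 52, 55, 61, 66, 72, 80)
ATTACK_SCORES = (45, 63, 88)
WEEK = [Alert(s, False) for s in BENIGN_SCORES] + [Alert(s, True) for s in ATTACK_SCORES]

# Assumed triage cost per alarm that fires. Every alarm gets investigated,
# because nobody knows which ones are false until the work is done.
TECH_HOURS_PER_ALARM = 1.0         # network technician in the SOC or MSSP
OT_ENGINEER_HOURS_PER_ALARM = 2.0  # control-system expert pulled off other projects


def evaluate(alerts, threshold):
    """Outcome of running one week of alerts at a given alerting threshold."""
    fired = [a for a in alerts if a.score >= threshold]
    detected = sum(1 for a in fired if a.attack)
    total_attacks = sum(1 for a in alerts if a.attack)
    return {
        "threshold": threshold,
        "fired": len(fired),
        "false_alarms": len(fired) - detected,
        "detected": detected,
        "missed": total_attacks - detected,
        "tech_hours": len(fired) * TECH_HOURS_PER_ALARM,
        "ot_engineer_hours": len(fired) * OT_ENGINEER_HOURS_PER_ALARM,
    }


def sweep(alerts, thresholds=(30, 50, 70, 90)):
    """Evaluate several thresholds (ascending) so the trade-off is visible side by side."""
    return [evaluate(alerts, t) for t in thresholds]


def most_sensitive_affordable(alerts, engineer_budget_hours, thresholds=(30, 50, 70, 90)):
    """Lowest (most sensitive) threshold whose weekly OT-engineer load fits the budget.

    This is the 'middle ground' in practice: it is set by how many investigations
    the control-system experts can absorb, not by what the IDS could detect.
    Returns None if even the least sensitive threshold exceeds the budget.
    """
    for result in sweep(alerts, thresholds):
        if result["ot_engineer_hours"] <= engineer_budget_hours:
            return result
    return None


if __name__ == "__main__":
    for r in sweep(WEEK):
        print(f"threshold>={r['threshold']:>2}: fired={r['fired']:>2} "
              f"false={r['false_alarms']:>2} detected={r['detected']}/3 "
              f"missed={r['missed']} OT engineer hours/week={r['ot_engineer_hours']:>4.1f}")
    for budget in (20, 8):
        r = most_sensitive_affordable(WEEK, budget)
        print(f"budget {budget}h/week -> threshold {r['threshold']}, "
              f"misses {r['missed']} of 3 attacks")
```

With these constructed numbers, catching all three intrusions costs 30 engineer-hours of false-alarm triage per week; an engineer budget of 8 hours per week forces the threshold up to 70, which misses two of the three attacks. The exact figures are assumptions, but the shape of the result is the point of the paragraph above: the threshold an organization can actually run is dictated by investigation capacity, and what it buys with that capacity is measured in missed attacks.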
Costs are a problem, but it is also worth asking whether the new security system meets its goals at all. Even once a potential intrusion is discovered, it takes hours or days to establish that the intrusion is real and then to determine how to remediate it. So how long are we willing to let an enemy control our costly and often dangerous industrial equipment? Days? Hours? Minutes? Investigating and remediating real intrusions takes at least this long, and unauthorized, unqualified intruders are on our control systems the entire time. This is dangerous.
The first goal of a control system security program must be intrusion prevention, not detection. Intrusion detection may be considered the pinnacle of a defense-in-depth program, but intrusion prevention is the mountain. We can't support the pinnacle on thin air – there must be a base. Shelfware is the natural consequence of failing to achieve our most important goal: preventing compromise.
Intrusion detection certainly has its place, especially where the perimeter firewalls are porous by design and built for bidirectional communications. On the corporate IT side, compromised equipment can simply be restored from backup after intruders have “stirred the pot” for days or even weeks. On the OT side, damaged industrial equipment, lost production and human lives cannot be restored from backup. Even the briefest operation of industrial equipment by unauthorized, unqualified intruders is an unacceptable risk.
Unlike in IT, the clear focus and priority of ICS security programs must be intrusion prevention, and prevention begins at the control system network perimeter – the IT/OT network interface.