“There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked.”
I heard these chilling words a couple of years ago at an IoT conference. The implication is that there may be bugs inside a company’s network that are lying low, collecting vital information and waiting for an opportune time to attack.
While much of the cybersecurity attention is focused on preventing unwanted entry, companies also need to scrub the inside of their networks to make sure they’re free of latent malicious threats that entered before the firewall was strong enough to withstand attack. To help with this effort, Rockwell Automation has introduced threat-detection services to monitor the insides of the control system for the presence of unwanted intruders.
The threat-detection effort rounds out the standard security system that provides a safe perimeter around the network. “We provide defensive capabilities across the attack continuum: before, during and after,” Umair Masud, consulting services portfolio manager at Rockwell Automation, told Design News. “We’ve focused on the before side with firewall security. What we’re doing with threat detection is adding the capability of building a baseline of what’s normal and then detecting when something is outside of that normal.”
Scrubbing the Inside of the Network
In building firewalls, Rockwell partners with Cisco Systems. For threat detection, Rockwell brought in another partner. “We are utilizing technology from Claroty. They have software that enables detection capabilities,” said Masud. “We combine their services with our industrial expertise, our ability to implement, and our understanding of how to deploy monitoring services.”
After it’s implemented, the detection technology scans the network to determine what’s healthy traffic and what’s anomalous. “Once the software is installed in the environment, it goes into learning mode and passively listens to the traffic and documents the traffic flows – it learns the baseline,” said Masud. “This is the process of scrubbing and validation. You need to be able to understand how things are supposed to run in order to scrub that baseline.”
The process of developing the baseline is conducted in a manner that has no effect on network traffic. Once the baseline is in place, the company needs to develop a plan of action for when something untoward occurs. “When we have the baseline, we are able to make recommendations to the customer on how to deal with any anomalies or events that may be potentially malicious or may be causing harm to the environment,” said Masud.
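The learn-then-detect approach described above, as an added illustration that is not Claroty’s or Rockwell’s code: a passive flow baseline is built from observed (source, destination, protocol) records, and later flows are classified against it rather than blocked. Host names, ports and flow records are constructed placeholders, not from the article.

```python
from collections import defaultdict

# Constructed sample flow records: (source, destination, protocol/port).
# Hosts and ports are illustrative placeholders, not taken from the article.
LEARNING_FLOWS = [
    ("hmi-01", "plc-01", "modbus/502"),
    ("hmi-01", "plc-02", "modbus/502"),
    ("eng-ws", "plc-01", "enip/44818"),
    ("historian", "plc-01", "modbus/502"),
    ("historian", "plc-02", "modbus/502"),
]

LIVE_FLOWS = [
    ("hmi-01", "plc-01", "modbus/502"),    # seen during learning: normal
    ("laptop-7", "plc-02", "modbus/502"),  # a host never seen on the network
    ("eng-ws", "plc-01", "ssh/22"),        # known pair, never-seen protocol
    ("eng-ws", "plc-02", "enip/44818"),    # known host, new destination
]


class FlowBaseline:
    """Passive baseline: only reads flow records, never touches the traffic."""

    def __init__(self):
        self.flows = set()                 # exact (src, dst, proto) tuples
        self.pairs = defaultdict(set)      # (src, dst) -> protocols observed
        self.sources = set()               # every host seen talking

    def learn(self, records):
        # Learning mode: record what "normal" looks like, flag nothing.
        for src, dst, proto in records:
            self.flows.add((src, dst, proto))
            self.pairs[(src, dst)].add(proto)
            self.sources.add(src)

    def classify(self, flow):
        # Detection mode: order matters, most specific match first.
        src, dst, proto = flow
        if flow in self.flows:
            return "baseline"
        if (src, dst) in self.pairs:
            return "new-protocol"      # e.g. SSH from a host that only spoke ENIP
        if src in self.sources:
            return "new-destination"   # known host reaching a device it never did
        return "new-talker"            # host absent from the whole baseline

    def detect(self, records):
        # Returns only the deviations, for the response plan to act on.
        return [(f, self.classify(f)) for f in records if f not in self.flows]
```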
Removing Unwanted Visitors Without Shutting Down
While detection is one portion of the service, another part involves developing an alert system and a plan for action. “We utilize Claroty’s technology to announce issues on the network, and then we respond,” said Masud. “We create an incident response plan. There is a set of five actions we can take without disrupting the availability of the network’s process.”
When an anomaly is detected, the actions that follow are designed to avoid the disruption of plant operations if at all possible. “The selection of courses you can take is wide, including shutting things down. When you’re trying to contain something malicious in the control system, you need to manage things with finesse,” said Masud. “You can’t just shut down the PLC or switches. You have to understand the control system in order to take a viable approach. The last thing you want is to face an intrusion without a plan.”
Keeping Everyone in the Mix
While the control team runs the network, the IT and security teams also need to be involved in overcoming any malicious bug found hiding on the network. “When we talk about the effective way to respond, the key point is to make sure we’re engaging the right people with the right information so we can help them take the right action,” said Masud. “We include IT and any security resources to make sure they have the right information and they can see the alerts so we can make sure the facility takes the right action.”
The threat-detection service includes the development of a plan of action once a threat is identified. “A lot of this requires preparation on the front end so the procedures are defined and agreed upon, so we know who to talk to and how the communication opens and what data needs to be recovered,” said Masud.
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
Image courtesy of Rockwell Automation.