Cyber Security For Corporate and Industrial Control Systems
The business of cyber security has changed dramatically in the past few years, presenting a significant challenge to
management teams across all industries and business domains. Organizations today are in a unique position to quantifiably
outpace threats and manage them to minimize organizational impact, whether that be reputational, financial or physical.
We see an increasing trend toward IT security teams taking on more accountability and responsibility for securing OT
systems, which require different specialist skills and working practices. This cultural and technical convergence will be a
steep learning curve that has to be climbed.
Now open to the same attack vectors used in the majority of cyber-attacks, ICS devices are inherently much less secure but
their compromise can lead to enormous physical damage and danger to human lives. Ever since the Stuxnet malware was
widely reported in 2010, threats to industrial systems have grown rapidly in both number and capability. This was made
clear in the 2014 compromise of a German steel mill that caused massive damage to a blast furnace. Ongoing malware
campaigns such as Energetic Bear are actively acquiring critical data about control systems, while quietly maintaining
persistent access. Existing defenses such as firewalls have repeatedly proven inadequate on their own, especially against
insiders who may already have privileged access.
Darktrace's Industrial Immune System is a fundamental innovation that views data from an ICS network in real time
and establishes an evolving baseline for what is normal for operators, workstations and automated systems within that
environment. Advanced Bayesian mathematics and cutting-edge machine learning detect abnormal behavior and flag
it for investigation, and are capable of discovering previously unknown attacks as they emerge. Total prevention of all cyber
compromises is not a realistic goal but, if identified early enough, threats can be mitigated before they become a full-
blown crisis. Darktrace's technology can be deployed across both IT and OT environments to provide full coverage of an
organization.
Enabling Modern Industry

Industrial Control Systems (ICS) are at the heart of modern industry, monitoring and controlling complex processes and equipment. Many businesses are wholly underpinned by the reliable functioning of this Operational Technology (OT), such as automated production lines at car manufacturing plants. For organizations that form part of the National Critical Infrastructure, the consequences of unplanned outages are far-reaching, as they are responsible for maintaining utilities such as power, heating and clean water for huge numbers of households and places of work. In many industrial processes, the reliability of an ICS has a direct and immediate impact on the safety of human lives.

ICS and SCADA

ICS is an umbrella term covering many historically different types of control system, such as SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems). Also known as IACS (Industrial Automation and Control Systems), they are a form of Operational Technology. In practice, media publications often use SCADA interchangeably with ICS.

Corporate Information Technology (IT) systems and Industrial Control Systems have different objectives, even when operating within the same organization. While IT and OT often speak different languages, cyber-attacks across both environments have continued to evolve to become more targeted and destructive. When it comes to ICS, reliability is the primary concern, as attackers aim to disrupt the critical services customers rely upon.

IT and OT systems are converging, driven primarily by economic pressures resulting from globalization and intensifying competition, along with the benefits and eventual competitive advantages that stem from the integration of these disciplines. These benefits include:

Cost reduction by applying similar technology, standards and governance principles for IT and OT, including remote management
Risk reduction through jointly addressing safety issues, leading to an integrated approach that provides enhanced security against cyber intrusions from outside the company and to central cyber-security governance within the company
Enhanced performance through cost and time saving, which allows for the smooth transition of newly-developed products into existing manufacturing operations, reducing time to market
Business optimization using data transferred between IT and OT environments

The breakdown of this cultural divide between OT and IT staff will often require CISOs to manage across teams that historically have different approaches to cyber security. During this convergence, the assurance of long-term reliability and safety requires CISOs to reshape enterprise security practices. The merging of specialized OT systems with IT technologies and endpoints will require CISOs to assume responsibility for OT cyber security without specialized OT skills, or in matrix-based organizational environments, thereby exposing new technology and change-management risks. This gap in skill sets as IT and OT systems converge will generate new cyber security problems as attacks become more focused and sophisticated. A strategic and unified approach to cyber security will inevitably benefit organizations, allowing them to operate in a more reliable and efficient manner.

Industrial Control Systems face numerous cyber-security threat vectors with varying degrees of potential loss, ranging from non-compliance to disruption of operations, which could result in destruction of property and, unfortunately, potential loss of human life.

Examples of potential ICS-related threats include:

Advanced Persistent Threats (APTs)
Unintended spillover of corporate network compromises
Disruption of voice & data network services
Coordinated physical & cyber-attack
Insider sabotage
Hacktivist attacks
Supply chain disruption or compromise
Catastrophic human error
Distributed Denial of Service (DDoS)

The cost of remediating a compromised system is significantly higher than the cost of detecting a cyber threat early, not only in time and money, but also in safety and reputation. Legacy approaches have fallen short, as evidenced by cyber-attacks ranging from the infamous Stuxnet to the recent German steel mill compromise. What if the Saudi Aramco attack had been aimed at critical infrastructure instead of business workstations?
ICS Cyber Security Issues

Historically, industrial control environments were air-gapped: physically isolated from corporate networks and the internet. However, computer viruses and other forms of cyber-attack such as Stuxnet [1] and agent.btz [2] have been known to bridge the gap by exploiting security holes related to the handling of removable media, or simple human error. While security is an upside of having a seemingly closed or isolated system, the downside includes limited or no access to enterprise decision-making data, and the inability to allow control engineers to monitor systems from other networks. Additionally, ICS often tie together decentralized facilities such as power, oil & gas pipelines, water distribution and wastewater collection systems, among many others, where the network is hard to physically secure.

ICS, whilst effectively designed to be interoperable and resilient, are not necessarily secure. With the increasing number of connections between ICS, corporate networks and the internet, combined with the move from proprietary technologies to more standardized and open solutions, they are becoming more susceptible to the kind of network attacks that are found more commonly in IT environments.

Cyber-security researchers are particularly concerned about the systemic lack of authentication in the design, deployment and operation of some existing ICS networks, and about the belief that they are completely secure simply because they are physically secure. It has become clear that any possible connection to the internet can be exploited, even if it is not direct. ICS-specific protocols and proprietary interfaces are now well documented and easily exploited. The use of a VPN (Virtual Private Network) is also not sufficient protection for ICS users, as this can be trivially bypassed with physical access to network switches and never provides end-to-end coverage. ICS vendors are increasingly urging CISOs to converge their approaches to IT and OT cyber security, with an equal level of caution and depth in defense strategy.

Challenges Facing Industry

Industry faces a growing challenge in dealing with cyber threats, both external and internal. There are an increasing number of threat actors with both the motivation and capability to compromise industrial control networks and devices. The consequences of compromise range from damaging to catastrophic, from immediate physical harm to long-term industrial espionage.

Control engineers historically have not had to worry about cyber threats coming through corporate IT systems, while IT security staff have had little to do with the fundamental differences in control systems or the physical equipment that those systems manage. ICS devices are inherently insecure, and extremely difficult to update with even the rudimentary protections that are possible.

"Darktrace adds another level of sophistication to our defense systems, and had already identified threats with the potential to disrupt our networks."
Martin Sloan, Group Head of Security, Drax

A New Approach: Darktrace and the Immune System

Utilities, OT-centric industries and other national infrastructure organizations are challenged with rethinking cyber security across all technologies to deliver continuous insight that provides early warning of both indiscriminate and targeted compromises, supported by mechanisms that can manage incidents before they become a business crisis. Total prevention of compromise at any cost is untenable; however, detection and response to prevent a crisis from developing is an achievable cyber security goal in an IT/OT environment.

Darktrace's Industrial Immune System for ICS is a fundamental innovation that implements a real-time immune system for operational technologies and enables a fundamental shift in the approach to cyber defense. Based on groundbreaking advances in Bayesian probability theory and powered by cutting-edge machine learning, Darktrace analyzes data and creates a unique behavioral understanding of self for each user and device within the network and, like a biological immune system, it detects threats that cannot be defined in advance by identifying even subtle shifts in expected behavior. People and devices all behave in a unique way that necessarily differs from their peers to varying degrees. However, their behaviors are significantly more predictable when compared to their own historical behaviors and patterns of change.

attributed to this; the Davis-Besse nuclear power station (Ohio, USA), where safety systems were crippled by the Slammer worm [5], the Browns Ferry nuclear power station (Alabama, USA) being manually scrammed as a result of a drastic increase in network traffic [3], and the Hatch nuclear power station (Georgia, USA) due to a faulty software update on a business network machine that communicated with the control network [6].
If an environment is infected in this manner, only its unique behavior, once installed on the ICS network, could be used to detect Havex's presence.

A survey published in April 2014 by the SANS Institute [12] reported a significant increase in the number of identified or reported breaches of control systems over just the previous twelve months. Respondents also noted that their ability to protect these systems had not improved within the same period. This is a chilling indictment of the challenges facing the OT cyber-security efforts of organizations today.

Darktrace Technology

New vulnerabilities are emerging at a pace that is difficult to keep up with, and looking only for published historical attack types is an unsuitable approach for operationally important environments. Darktrace does not require a priori assumptions about environments or threats, and can therefore detect the "unknown unknown" threats that are as yet unidentified, either because they are novel or because they have been tailored to a particular defender.

The Darktrace architecture continues to adapt and self-learn throughout its entire deployment. Its understanding is constantly being revised and refined in light of new evidence as it ingests and analyzes new information: the more data it sees, the more it learns. This adaptation means that no new or customized threat has the ability to hide from Darktrace. Whenever an abnormal change in behavior takes place within the environment, the Industrial Immune System identifies deviations from the learned pattern of life and alerts the organization to the possible threat. Changes that are not real threats are incorporated into Darktrace's evolving understanding of normality.

The advanced mathematics inside Darktrace make it uniquely capable of highlighting significant potential threats without burying them beneath many misguided, insignificant or repeating alerts. Far more than a set of simple rules applied to network traffic, it can correlate many subtle indicators separated by location or time into strong evidence of a real emerging threat, meaning that security analysts are not flooded with false positives.

Passive Observation

Connecting new devices into a corporate network is straightforward and routine, with little attached risk. The same is not true of industrial networks, where for many applications even the slightest interruption in service could be damaging. This is why larger and more critical networks are left as untouched as possible between planned outages.

The Darktrace appliance runs on a server that is connected completely passively to an ICS network, receiving copies of as much communication traffic as possible. It does not interfere with the operation of the control network in any way, flagging anomalies for investigation but not attempting to influence the situation. The appliance receives copies of raw network data using the built-in port mirroring or spanning capabilities of network switches, or using fail-safe taps, sometimes via an aggregator to bring together numerous connections in one location.

ICS networks are deliberately segregated into Trust Levels as defined by the ISA-95/Purdue reference model [13], depending on how much each device on the network is trusted to behave as expected. Darktrace can be connected at Level 2 (supervisory control), Level 3 (data servers) and Level 4 (IT networks) to provide defense in depth. It also extends cyber-security coverage down into Level 1 (field devices).

A highly flexible, distributed architecture allows Darktrace to securely cover multiple Trust Levels and the wide variety of network topologies within and between them. Examples include wholly separate appliances for each Trust Level, or multiple appliances within a widely distributed single Trust Level with a master appliance providing a single interface. If required, a network (data) diode can guarantee that the channel carrying data from one Trust Level up to a single appliance covering both levels cannot be used to communicate in the other direction.
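The two ideas described above, a per-device "pattern of life" learned from passively mirrored traffic and a deviation score that an analyst can either act on or fold back into normality, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Darktrace's software and does not claim to reproduce its mathematics. The flow-record fields, the scoring weights, the Purdue level assignments and all of the sample flows are constructed assumptions.

```python
"""Toy "pattern of life" detector over passively captured ICS flow records.

Added example, not Darktrace code. It assumes a sensor fed from a SPAN port or
tap has already reduced packets to (src, dst, protocol, action) flow records;
the level map, weights and sample flows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# ISA-95 / Purdue level of each known host in the constructed network (assumption).
LEVEL = {
    "plc-01": 1, "plc-02": 1,        # Level 1: field devices
    "hmi-01": 2, "eng-ws-01": 2,     # Level 2: supervisory control
    "historian": 3,                  # Level 3: site operations / data servers
    "erp-01": 4, "corp-fs": 4,       # Level 4: enterprise IT
}

# Modbus actions that change PLC state; unexpected writes to field devices weigh more.
MODBUS_WRITES = {"write_single_coil", "write_multiple_coils",
                 "write_single_register", "write_multiple_registers"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # e.g. "modbus", "opc", "smb", "https"
    func: str    # protocol-specific action, e.g. a Modbus function code name


def learn_baseline(flows):
    """Per-source 'self': the set of (dst, proto, func) tuples seen while learning."""
    base = defaultdict(set)
    for f in flows:
        base[f.src].add((f.dst, f.proto, f.func))
    return base


def assimilate(base, flow):
    """Analyst confirmed this deviation is a planned change: fold it into normal."""
    base[flow.src].add((flow.dst, flow.proto, flow.func))


def score(base, flow):
    """Return (score, reasons). 0 means the flow matches learned behaviour."""
    reasons, total = [], 0
    seen = base.get(flow.src)
    if seen is None:
        reasons.append("unknown source device"); total += 3
    elif (flow.dst, flow.proto, flow.func) not in seen:
        if flow.dst not in {d for d, _, _ in seen}:
            reasons.append(f"new peer {flow.dst}"); total += 2
        if flow.proto not in {p for _, p, _ in seen}:
            reasons.append(f"new protocol {flow.proto}"); total += 2
        elif flow.func not in {fn for _, p, fn in seen if p == flow.proto}:
            reasons.append(f"new {flow.proto} action {flow.func}"); total += 1
            if flow.proto == "modbus" and flow.func in MODBUS_WRITES and LEVEL.get(flow.dst) == 1:
                reasons.append("write to a Level 1 device"); total += 2
        if not reasons:  # known peer and known action, just never combined before
            reasons.append(f"{flow.proto} {flow.func} never sent to {flow.dst}"); total += 1
    # Traffic that jumps more than one Purdue level bypasses the expected segmentation.
    ls, ld = LEVEL.get(flow.src), LEVEL.get(flow.dst)
    if ls is not None and ld is not None and abs(ls - ld) > 1:
        reasons.append(f"Level {ls} talking directly to Level {ld}"); total += 3
    return total, reasons


# Constructed learning-phase flows (assumed captured from a SPAN port during a quiet week).
LEARNING_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", "read_holding_registers"),
    Flow("hmi-01", "plc-02", "modbus", "read_holding_registers"),
    Flow("hmi-01", "plc-01", "modbus", "write_single_coil"),
    Flow("eng-ws-01", "plc-01", "modbus", "read_holding_registers"),
    Flow("historian", "hmi-01", "opc", "read_tags"),
    Flow("erp-01", "historian", "https", "GET"),
    Flow("corp-fs", "erp-01", "smb", "read"),
]

# Constructed flows seen after learning; each exercises a different deviation.
NEW_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", "read_holding_registers"),       # routine
    Flow("eng-ws-01", "plc-01", "modbus", "write_multiple_registers"),  # insider or tooling change
    Flow("erp-01", "plc-02", "modbus", "write_single_coil"),            # IT host reaching a PLC
    Flow("laptop-77", "plc-01", "modbus", "read_holding_registers"),    # unvetted contractor device
    Flow("hmi-01", "plc-02", "modbus", "write_single_coil"),            # known action, new target
]


def triage(learning=LEARNING_FLOWS, new=NEW_FLOWS):
    """Learn, then score each new flow; returns [(flow, score, reasons)] highest first."""
    base = learn_baseline(learning)
    results = [(f, *score(base, f)) for f in new]
    return sorted(results, key=lambda r: -r[1])


if __name__ == "__main__":
    for f, s, why in triage():
        print(f"{s:>2}  {f.src:>10} -> {f.dst:<10} {f.proto}/{f.func:<24} {'; '.join(why)}")
```

Run stand-alone, the enterprise host writing a coil on a PLC scores highest because three independent signals (new peer, new protocol, Level 4 to Level 1) stack, while the engineering workstation's first-ever write and the unknown laptop tie below it. Calling assimilate() on a flow an analyst has confirmed as a planned change drops its score to zero on the next sighting, which is the "changes that are not real threats are incorporated into normality" step in prose form. A production sensor would weight by frequency and time of day rather than bare set membership, and would learn from a much longer window than a week.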
Darktrace Proof of Value

Darktrace's Proof of Value (POV) allows organizations to experience first-hand its Industrial Immune System's ability to detect previously unseen threats and anomalous behaviors within a customer's own environment. Along with the POV, Darktrace provides access to its Threat Visualizer (below) for use during the POV, as well as weekly Threat Intelligence Reports produced by its team of cyber security specialists. Some organizations prefer to trial Darktrace on their corporate IT systems to confirm its passive and secure operation before engaging installation into ICS networks.

Visibility Into Industrial Control Systems

Architectures of ICS and their operational networks are often documented to a standard that exceeds corporate equivalents, but these long-lived environments are complicated and will typically have undergone many changes by multiple individuals over their lifetime. Knowing and understanding what is genuinely happening inside the environment can be a real challenge. Darktrace addresses this challenge by observing, analyzing and capturing communications along with their associated metadata.

In addition to its core identification of anomalous activity and possible compromise, Darktrace's Threat Visualizer interface uniquely displays all this rich information in an intuitive 3D dashboard that allows the operator to get a true and real-time overview of what is happening. This can be used to investigate whether the control system's real behavior matches its intended design.
Insider Threat
The threat from trusted insiders is an important consideration for OT environments. Over the long lifecycles
involved with the building and utilization of infrastructure and manufacturing equipment, a large number of
different individuals, including both permanent staff and short-term contracted specialists, will usually have
interacted with control systems. Many of them will have had privileges that allow them to modify configurations
or the underlying software and hardware.
Vetting and training staff can reduce but not eliminate the risk of insider incidents from occurring. These
incidents can be unintentional due to a mistake or intended short-cut that puts something important at risk, or
a deliberate act by a disaffected or ideologically motivated individual. The increased access and organizational
familiarity that insiders have means their malicious actions can be very well targeted and effective at disrupting
operations. They also have a greater ability to interfere with monitoring or masquerade as others, making their
activities harder to identify and attribute.
Insider risk is a serious challenge often underestimated in breadth. When supply chains or contractors are
involved, it becomes impossible to draw a neat line between inside and outside. We need to trust people in
our extended organizations with the access and privilege that they require to do their jobs, but we also need
mechanisms to identify when something is going wrong and needs to be corrected.
Traditional network border defenses such as firewalls perform an important function in a complete cyber-
security solution, but insiders are a key example of their limitations. Insiders do not have to pass through
border defenses to accomplish most of their potential goals, meaning that those defenses have no chance at
all to prevent or identify their actions [14].
Given the complexity and the variety of people and processes that make up an organization, any monitoring
approach needs to start from a complete understanding of what is normal for the unique environment. Only
then can it have the insight to identify subtle patterns and correlated action over time that can be the only
early signs of emerging issues, and allow them to be handled before they become major crises.
Conclusion
Businesses face many challenges as we move into an era of ever increasing connectivity and standards of communication.
Those trying to secure industrial control systems as well as corporate networks face additional and substantially different
problems, as the devices involved are far less secure than their corporate counterparts.
There is public evidence of growing motivation and capability of threat actors towards control systems, a trend likely to
continue and brought into sharp focus by the 2014 cyber sabotage of a German steel mill. This attack used state-of-
the-art methods to reach the control system of a target with little political or ideological significance, a combination not
previously observed.
De-risking the OT environment is a perpetual challenge requiring new technologies that will deliver continuous insight
and provide early warning of both indiscriminate and targeted compromises. Total prevention of compromise seems
effectively impossible for the foreseeable future, but prevention of crises is an achievable goal across both corporate IT
and operational technology environments.
A new approach that can manage incidents across corporate IT and OT before they become an operational crisis is
required. With Darktrace's self-learning immune system, organizations are able to detect and respond to emerging
threats in real time. Advanced behavioral analysis mathematics can detect even previously unseen, novel or tailored
attacks, regardless of whether they originate in the corporate IT or OT domains or traverse between them.
Resources
These additional resources, available from our website, complement the information in this white paper.
About Darktrace

Winner of the Queen's Award for Enterprise in Innovation 2016, Darktrace is one of the world's leading cyber threat defense companies. Its Enterprise Immune System technology detects and responds to previously unidentified threats, powered by machine learning and mathematics developed by specialists from the University of Cambridge. Without using rules or signatures, Darktrace is uniquely capable of understanding the pattern of life of every device, user and network within an organization, and defends against evolving threats that bypass all other systems. Some of the world's largest corporations rely on Darktrace's self-learning technology in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation. Darktrace is headquartered in Cambridge, UK and San Francisco, with 20 global offices including Auckland, Johannesburg, Lima, London, Milan, Mumbai, Paris, Seoul, Singapore, Sydney, Tokyo, Toronto and Washington D.C.

Contact Us

US: +1 (415) 243 3940
Europe: +44 (0) 1223 324 114
APAC: +65 6248 4516
Email: [email protected]
www.darktrace.com
ICS-001r4en Darktrace Copyright 2015 Darktrace Limited. All rights reserved. Darktrace is a registered trademark of Darktrace Limited. Enterprise Immune System, and Threat
Visualizer are unregistered trademarks of Darktrace Limited. Other trademarks included herein are the property of their respective owners.