Enabling Visibility and Monitoring for ICS Networks: Fortifying cybersecurity and streamlining operations

12 February, 2026

Operational Technology (OT) and Industrial Control Systems (ICS) play a critical role in modern industrial processes, from manufacturing to critical infrastructure management. But as cyber risks grow and operational environments modernize, ensuring the security and efficiency of these networks is paramount.

This article explores the importance of enabling network traffic visibility and monitoring in ICS environments and outlines different strategies to achieve it.

Understanding the ICS landscape

Operational Technology (OT) encompasses a wide range of systems and devices used to control industrial processes, including Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), and Programmable Logic Controllers (PLCs). Industrial Control Systems specifically manage and automate critical industrial processes such as power generation, manufacturing, and transportation. These technologies form the backbone of essential infrastructure sectors for any country.

Challenges and weaknesses

The inherent challenges of ICS environments include their long lifecycles, reliance on proprietary protocols, and often outdated or unpatched software and hardware components. These characteristics make them attractive targets for cyberattacks.

Example: BlackEnergy malware: On December 23, 2015, this malware remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers.

Figure 1: BlackEnergy attack flow mapping diagram

The crucial role of real-time visibility

Real-time network traffic visibility is the ability to collect, review, and monitor data from every facet of an ICS environment continuously. This data encompasses information from sensors, controllers, actuators, and other industrial components. It allows plant operators and cybersecurity professionals to gain comprehensive insights into the state of security of the network and its components at any given moment, as well as checking for misconfigurations and helping troubleshoot non-security issues at the same time.

Use Case: In a smart grid scenario, real-time visibility empowers grid operators to monitor voltage levels, identify grid congestion, and predict potential failures. By continuously analysing data from sensors and substations, they can take proactive measures, such as rerouting power flows or remotely controlling equipment, to ensure reliable and efficient electricity distribution.

Continuous monitoring for security

Intrusion detection and prevention systems are very important when it comes to safeguarding ICS environments. These systems perform automated or semi-automated analysis of network traffic, looking for patterns indicative of cyberattacks or unauthorized access attempts. They can be tailored to recognize specific threats, including malware, Denial-of-Service (DoS) attacks, and Command and Control (C2) communication.

Behavioral analytics in OT

Behavioral analytics, powered by machine learning algorithms, play a pivotal role in identifying subtle anomalies that might go unnoticed with traditional security measures. For instance, in a chemical processing plant, these systems can learn the typical behavior of various components and raise alarms when deviations occur, such as unexpected temperature fluctuations in a reactor.
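The reactor example above can be made concrete with a small learned-baseline detector. The following Python is an added example, not code from the original article or any vendor product: it learns the normal mean and spread of one process tag from a window of readings an operator judged normal, then scores each new reading on distance from that baseline and on rate of change between consecutive samples. The readings, the 85-degree setpoint and the alarm thresholds are constructed for the example.

```python
"""Added example (not code from the original article): a learned-baseline
detector for a single process tag such as a reactor temperature. A baseline
(mean and standard deviation) is learned from a window of readings judged
normal, then each new reading is scored on distance from the baseline
(z-score) and on rate of change from the previous sample. Readings and
thresholds are constructed for this example."""
import statistics


class BaselineDetector:
    def __init__(self, z_limit=3.0, max_step=2.0):
        self.z_limit = z_limit      # alarm when |z| exceeds this
        self.max_step = max_step    # alarm when |delta| between samples exceeds this
        self.mean = None
        self.stdev = None
        self.last = None

    def learn(self, readings):
        """Learn the baseline from readings that an operator judged normal.
        The baseline is fixed afterwards: anomalous readings are never folded
        back in, so a slow drift cannot teach the detector that it is normal."""
        if len(readings) < 2:
            raise ValueError("need at least two readings to learn a baseline")
        self.mean = statistics.fmean(readings)
        self.stdev = statistics.stdev(readings)
        self.last = readings[-1]

    def score(self, value):
        """Return the list of alarm kinds raised by one new reading."""
        if self.mean is None:
            raise RuntimeError("learn() must be called first")
        alarms = []
        if self.stdev > 0:
            z = (value - self.mean) / self.stdev
        else:   # constant baseline: any change at all is a deviation
            z = 0.0 if value == self.mean else float("inf")
        if abs(z) > self.z_limit:
            alarms.append("deviation")
        if abs(value - self.last) > self.max_step:
            alarms.append("rate-of-change")
        self.last = value
        return alarms


def run(detector, readings):
    """Score a sequence of readings, returning (value, alarms) pairs."""
    return [(v, detector.score(v)) for v in readings]


# Constructed training window: a reactor holding steady around 85.0 degrees.
NORMAL_READINGS = [85.0, 85.2, 84.9, 85.1, 85.0, 84.8, 85.2, 85.1, 84.9, 85.0]
# Constructed live readings: steady, then a slow excursion, then a sudden jump.
LIVE_READINGS = [85.1, 86.0, 89.0]

if __name__ == "__main__":
    det = BaselineDetector()
    det.learn(NORMAL_READINGS)
    for value, alarms in run(det, LIVE_READINGS):
        print(f"{value:6.1f}  {', '.join(alarms) or 'ok'}")
```

The two checks catch different failure modes: the z-score flags a slow excursion that never moves fast, while the rate-of-change check flags a sudden step even from a value that is still near the baseline. Keeping the baseline fixed after learning is deliberate; a detector that keeps re-learning from live data can be walked away from the true normal.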

Strategies for enabling ICS visibility and monitoring

Network segmentation in ICS environments isn’t just about dividing a network into isolated segments and conduits as established under the Purdue architecture and the IEC 62443 standard; it should be treated as a holistic approach to security. It includes defining access controls, segmenting based on function and criticality, implementing stringent firewall rules, and adding security appliances.

Figure 2: Purdue Enterprise Reference Architecture (PERA) Model

A purpose-built ICS approach to segmentation

A purpose-built segmentation approach, with a monitoring security appliance placed at each ICS segmentation point, can monitor the ICS environment, remove all unauthorised traffic, alert on anomalous traffic, and let authorised traffic pass, giving greater visibility and control at every segmentation point.

Example: If Process A has a local HMI, the operator can set it up so that the HMI can only talk with Process A’s PLC, safety system, and RTU. Additionally, with the ICS monitoring security appliance, an operator can clearly define and approve authorized traffic between the HMI and the PLC, safety system, and RTU.
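To make the allow-list idea concrete, here is an added Python example (not code from the original article or from any vendor appliance) that models the conduits between Process A's HMI and its PLC, safety system and RTU, and classifies constructed connection records as allow, alert or drop, mirroring the remove / alert / pass behaviour described above. The addresses, asset names and port assignments are assumptions made for the example.

```python
"""Added example (not code from the original article or any vendor product):
an allow-list of authorised conduits for Process A, evaluated against
connection records seen at the segmentation point. Each record is classified
as ALLOW (authorised conversation), ALERT (authorised endpoints but an
unexpected protocol) or DROP (no conduit defined). Addresses, names and port
assignments are constructed for this example."""
from dataclasses import dataclass
from collections import Counter

# Constructed asset map for Process A.
ASSETS = {
    "10.10.1.10": "HMI-A",
    "10.10.1.20": "PLC-A",
    "10.10.1.30": "SIS-A",   # safety instrumented system
    "10.10.1.40": "RTU-A",
}

# Authorised conduits, keyed by (initiator, responder). Records are
# connection-level, so the HMI is the initiator; a controller initiating a
# session towards the HMI is not an authorised conduit here.
# 502 is the registered Modbus/TCP port, 20000 the registered DNP3 port.
CONDUITS = {
    ("HMI-A", "PLC-A"): {("tcp", 502)},
    ("HMI-A", "SIS-A"): {("tcp", 502)},
    ("HMI-A", "RTU-A"): {("tcp", 20000)},
}


@dataclass(frozen=True)
class Flow:
    src: str        # initiator address
    dst: str        # responder address
    proto: str
    dst_port: int


def classify(flow):
    """Return (verdict, reason) for one connection record."""
    src_name = ASSETS.get(flow.src)
    dst_name = ASSETS.get(flow.dst)
    if src_name is None or dst_name is None:
        unknown = flow.src if src_name is None else flow.dst
        return "DROP", f"unknown endpoint {unknown}"
    allowed = CONDUITS.get((src_name, dst_name))
    if allowed is None:
        return "DROP", f"no conduit {src_name}->{dst_name}"
    service = f"{flow.proto}/{flow.dst_port}"
    if (flow.proto, flow.dst_port) in allowed:
        return "ALLOW", f"{src_name}->{dst_name} {service}"
    # Same endpoints as an authorised conduit but not the expected protocol:
    # send it to the alerting path rather than silently dropping it.
    return "ALERT", f"{src_name}->{dst_name} unexpected {service}"


def summarize(flows):
    """Count verdicts over a batch of records."""
    return Counter(classify(f)[0] for f in flows)


# Constructed records: three normal conversations, one unexpected protocol on
# an authorised conduit, one unknown host and one controller-initiated session.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 502),
    Flow("10.10.1.10", "10.10.1.30", "tcp", 502),
    Flow("10.10.1.10", "10.10.1.40", "tcp", 20000),
    Flow("10.10.1.10", "10.10.1.20", "tcp", 22),
    Flow("10.10.1.99", "10.10.1.20", "tcp", 502),
    Flow("10.10.1.20", "10.10.1.10", "tcp", 502),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = classify(f)
        print(f"{verdict:5} {f.src}->{f.dst} {f.proto}/{f.dst_port}: {reason}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

The distinction between DROP and ALERT matters operationally: an unknown host or an undefined conduit is blocked outright, while an unexpected protocol between two endpoints that are otherwise allowed to talk is the kind of change an operator wants to see, since it may be a misconfiguration rather than an attack.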

Figure 3: A purpose-built approach to ICS environment segmentation

Enhancing visibility with SIEM and NSM platforms

Let’s take an example of a water treatment plant responsible for providing clean water to a major city. This facility relies on numerous OT systems to control pumps, valves, chemical dosing, and water quality monitoring. The criticality of an uninterrupted water supply and the inherent vulnerabilities of OT systems require robust cybersecurity measures to protect this facility and its systems.

Architecture implementation

Security information and event management (SIEM)

  • Selection: The water treatment plant selects a SIEM solution tailored for ICS environments, known for its scalability, real-time monitoring capabilities, and compatibility with industry standards such as IEC 62443.
  • Deployment: The SIEM is deployed as a central monitoring and analysis platform within the plant's network (Level 4 of the Purdue model). It collects log data and security events from various OT devices, sensors, and network components.
  • Log collection: Connectors are installed on OT devices (Level 1 and Level 2) to collect telemetry data, logs, and security events. These devices include PLCs, SCADA systems, HMIs (Human Machine Interfaces), and network switches.
  • Correlation and analysis: The SIEM system correlates the collected data, using predefined rules and behavioral analytics to detect anomalies and potential security incidents. It classifies events based on severity levels.
  • Alerting and reporting: When a security incident is detected, the SIEM generates real-time alerts, notifying designated security personnel. Additionally, it generates detailed reports for incident investigation and compliance purposes.

Network Security and Monitoring (NSM) appliance

  • Purpose: The water treatment facility plans to choose an NSM appliance specifically designed for industrial network security monitoring. NSM provides deep packet inspection and threat detection capabilities, in this case focused on the unique needs of ICS environments.
  • Deployment: The NSM appliance should be strategically deployed at critical points in the ICS environment.
    • A good option is to deploy an OT-aware sensor with the capability of performing the deep packet inspection that supports and covers a broader range of OT protocols.
    • SPAN traffic is collected from the network switches at Levels 3, 2 or 1 (Purdue model) to get maximum benefit, since these are good choke points where OT devices such as PLCs and RTUs send data and most protocols communicate with HMIs.
  • Passive scanning: Analyses traffic continuously, enabling it to not only pinpoint any changes in the OT environment, but also automatically update the asset inventory to reflect those changes in real-time.
    • Active scanning in OT/ICS environments is generally considered risky because it can disrupt sensitive industrial processes. However, when implemented by trusted vendors in a thoroughly tested environment, it can provide significant benefits by enriching visibility and improving asset inventory accuracy. Well-known vendors such as Dragos, Industrial Defender, and others offer active scanning capabilities designed for OT networks. These solutions, when used cautiously, can help plants identify unmanaged assets, detect vulnerabilities, and validate configurations, ultimately strengthening security posture. Active scanning should only be performed under controlled conditions and with vendors that have proven expertise in OT/ICS environments to minimize operational risk.
  • Traffic analysis: The appliance shall continuously analyze network traffic, examining packets for known and unknown threats. It identifies and profiles assets within the network, creating an inventory of OT devices.
  • Asset discovery: The appliance detects and profiles various devices, such as PLCs, RTUs, and industrial sensors. It creates a comprehensive asset inventory of the ICS environment, providing insights into device behavior and communication patterns.
  • Threat detection: Many NSM appliances incorporate the use of threat intelligence and behavioral analytics to detect anomalies and suspicious activities.
  • Integration with SIEM: The NSM appliance integrates seamlessly with SIEM solutions. It sends alerts and event data to the SIEM for centralized monitoring and analysis, enhancing the plant's overall security posture.
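The passive scanning, asset discovery and SIEM integration bullets above describe one pipeline: observe traffic, derive an inventory, notice what changed, and hand the change to the SIEM as a classified event. The following Python is an added example (not code from the original article or from any NSM or SIEM vendor) of that pipeline over constructed connection records mirrored from a SPAN port. The role inference from Modbus/TCP and DNP3 ports, the severity table and all addresses are assumptions made for the example.

```python
"""Added example (not code from the original article or any NSM vendor):
passive asset discovery from connection records mirrored off a SPAN port.
Roles are inferred from behaviour (a host answering on Modbus/TCP 502 or
DNP3 20000 is a controller, a host opening such sessions is a client), the
resulting inventory is diffed against the previously known one, and each
change becomes a SIEM-style JSON event with a severity. Flow records,
addresses and severities are constructed for this example."""
import json

# Registered ports for two common control protocols (assumption: the site
# uses the defaults).
CONTROLLER_PORTS = {502: "modbus-tcp", 20000: "dnp3"}

# Severity per inventory change (assumption: tuned per site). A brand-new
# talker on the control network ranks highest.
SEVERITY = {
    "new-asset": "high",
    "new-service": "medium",
    "new-role": "medium",
    "new-peer": "low",
}


def discover(flows):
    """Build {ip: {"roles", "services", "peers"}} from connection records.
    Every record carries src (initiator), dst (responder) and dst_port."""
    inventory = {}

    def node(ip):
        return inventory.setdefault(ip, {"roles": set(), "services": set(), "peers": set()})

    for f in flows:
        src, dst = node(f["src"]), node(f["dst"])
        dst["services"].add(f["dst_port"])
        if f["dst_port"] in CONTROLLER_PORTS:
            dst["roles"].add("controller")
            src["roles"].add("client")
        src["peers"].add(f["dst"])
        dst["peers"].add(f["src"])
    return inventory


def event(kind, ip, detail):
    return {"event": kind, "asset": ip, "detail": detail, "severity": SEVERITY[kind]}


def diff(known, current):
    """Emit one event per change between the known and the current inventory."""
    events = []
    for ip, cur in current.items():
        old = known.get(ip)
        if old is None:
            events.append(event("new-asset", ip, sorted(cur["roles"])))
            continue
        for key, kind in (("services", "new-service"), ("roles", "new-role"), ("peers", "new-peer")):
            for item in sorted(cur[key] - old[key]):
                events.append(event(kind, ip, item))
    return events


def to_siem_lines(events):
    """One JSON object per line, the shape most SIEM log collectors accept."""
    return [json.dumps(e, sort_keys=True) for e in events]


# Constructed records. Known: the HMI polls its PLC over Modbus and its RTU
# over DNP3. Current: the same, plus an unknown host polling the PLC and an
# unexpected SSH session from the HMI to the PLC.
KNOWN_FLOWS = [
    {"src": "10.10.1.10", "dst": "10.10.1.20", "dst_port": 502},
    {"src": "10.10.1.10", "dst": "10.10.1.40", "dst_port": 20000},
]
CURRENT_FLOWS = KNOWN_FLOWS + [
    {"src": "10.10.1.99", "dst": "10.10.1.20", "dst_port": 502},
    {"src": "10.10.1.10", "dst": "10.10.1.20", "dst_port": 22},
]

if __name__ == "__main__":
    changes = diff(discover(KNOWN_FLOWS), discover(CURRENT_FLOWS))
    for line in to_siem_lines(changes):
        print(line)
```

Run against the constructed records, the diff yields three events: a new service on the PLC, a new peer of the PLC, and a new asset, each carrying the severity the SIEM will use to rank it. Because everything is derived from mirrored traffic, no packet is ever sent to a controller, which is the point of preferring passive discovery in the bullets above.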

Benefits of a unified ICS visibility architecture

The combined SIEM and NSM solution offers real-time monitoring and detection of cyber threats, ensuring rapid response to potential incidents. In addition, it also offers the following benefits:

  • Full asset visibility: The appliance provides comprehensive asset visibility, helping operators track the status and behavior of critical OT devices.
  • Better compliance: The SIEM solution assists in meeting regulatory requirements, such as those outlined in IEC 62443, while the NSM appliance contributes to network monitoring and threat detection, crucial for compliance.
  • Faster and more accurate incident response: The SIEM's alerting and reporting capabilities, coupled with the network-level insights from the NSM appliance, enable efficient incident response and focused forensic analysis.
  • Holistic OT/ICS security: This architecture ensures a holistic approach to OT/ICS cybersecurity, encompassing both network-level monitoring and comprehensive host-level log analysis.

Security and monitoring scenario illustration 

In this scenario (Figure 4), the SIEM solution (in this case EXABEAM) and the NSM appliances work together to secure the water treatment plant's OT network. This architecture not only enhances security but also gives the plant a security and monitoring architecture from which it can respond effectively to cyber threats.

Figure 4: Architecture implementation to enable visibility and monitoring on ICS environment

Conclusion

This blog describes practical approaches for enabling visibility and monitoring in ICS environments. CPX would like to emphasize that these practices are not optional: they are imperative to ensure the security, efficiency, and compliance of critical infrastructure networks. As organisations navigate the ever-evolving landscape of cyber threats and technological advances, the integration of robust monitoring solutions remains essential to the resilience of our vital systems.

The article aims to serve as a resource for business owners, industry professionals, and cybersecurity experts, offering actionable strategies, real-world examples, and a vision of the future of ICS environment management.
