Active and passive monitoring key to addressing industrial IoT security challenges

Active and passive monitoring

Cybersecurity company Tripwire recently released a report looking at the security of connected devices in industrial environments. According to the report, 95 percent of security professionals are concerned about the risk associated with the Internet of Things and industrial IoT devices on their network. “The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT environment,” Tim Erlin, vice president of product management and strategy at Tripwire, said in a press release. “In the past, cybersecurity was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what’s in their environment. You can’t protect what you don’t know.”


The report was based on a survey of 312 security professionals who manage the security of IoT and industrial IoT devices across their organization. Ninety-seven percent of those respondents said they have concerns about supply chain security, and 87 percent agree that existing IoT and industrial IoT security guidelines put their supply chain security at risk.

“It’s understandable that managing supply chain risk is top of mind for industrial security teams given the level of attack we have seen this year,” Erlin said. “Large-scale supply chain risk isn’t new, so if anything, this should encourage companies to invest in resources that help maintain a more secure environment.”

According to the report, 99 percent of security professionals report challenges with the security of their IoT and industrial IoT devices. Additionally, more than three-quarters of those surveyed said that connected devices do not easily fit into their existing security approach, and 88 percent said additional resources are necessary to meet their IoT and industrial IoT security needs.

Further, 53 percent of industrial security professionals said they are unable to fully monitor connected systems entering their controlled environment, and 61 percent have limited visibility into changes in security vendors within their supply chain.

“One of the greatest challenges with industrial security is visibility into assets on the network,” says Zane Blomgren, a senior security engineer at Tripwire. “Understanding the totality of devices on the network, those that are misconfigured and ones that may have changed is an essential function of monitoring. Ultimately, you can’t secure what you don’t know.”

Industrial Cyber talked to Blomgren about security challenges in industrial environments and how passive and active monitoring can help address these challenges.

“Active monitoring allows you to communicate directly with your endpoints,” says Blomgren. “You can identify, ask pointed questions of, and talk to an endpoint in its native protocol or language at times that are most optimal for your environment. Active monitoring also makes it less likely that you will miss endpoints and can, in most cases, simplify the deployment of OT technology.”

Conversely, Blomgren says that passive monitoring provides a baseline and is non-intrusive.


“In an industrial setting, things are routinely in motion. Using tools that are not native to regular processes can cause things to lock up or have other adverse interactions, which has implications for production but more importantly, safety. Passive monitoring also allows you to understand conversations between endpoints, what they’re about and when they take place. Through these conversations, security teams can identify anomalies and take the necessary steps to harden systems against vulnerabilities. A good passive monitoring system will also retain a packet capture of anomalous behavior, which can be stored for future forensic and root cause analysis.”

Blomgren says that when it comes to securing industrial environments and industrial IoT devices, both active and passive monitoring are necessary.

“They cover each other’s deficiencies,” Blomgren says. “In a base-level implementation they help reduce or even eliminate blind spots and should be deployed simultaneously where practical. A great solution makes bringing active and passive monitoring together transparent to the end user.”

An organization’s chosen approach to endpoint discovery and anomaly detection will depend on the type of equipment being secured and on how mature the current deployment is. Blomgren says the approach should take into account network segmentation and how mature that segmentation is. He recommends the ISA/IEC 62443 series of standards, which defines the zone-and-conduit model for segmenting control networks and specifies the security capabilities required of control system components.

“There’s not a one size fits all solution but generally, active favors communicating with endpoints and passive is best for anomaly detection and non-intrusive data collection,” Blomgren says. “Ideally, you want to deploy a solution that can do both and more – a technology that can adapt and meet an environment where it’s at today, as well as guide it to where it needs to be tomorrow. A great example of this is to model segmentation through virtual zones.”

Blomgren is an advocate of a hybrid discovery model that passively collects information from traffic already on the network and sends active queries only when necessary. Because it monitors the network continuously and reserves active queries for the cases that need them, this method can give organizations comprehensive information with minimal disruption and little added latency.

“A hybrid solution can often deliver exceptional results. With a hybrid system, instead of going directly to the endpoints which has the potential to disrupt regular operations, intermediate control system components can act as a central point to read project or configuration files at the endpoints,” Blomgren says. “This eliminates direct communication that you’d see in active monitoring and instead, relies on a central point to disseminate information.”
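The following Python example, added here and not code from Tripwire or from the original article, shows the two halves of the model Blomgren describes: a passive monitor that learns a conversation baseline from observed traffic, flags deviations (a new asset, a new conversation, or a new behaviour such as a Modbus write inside a previously read-only conversation) and retains the offending records for later forensics; and a planning step that issues active queries only for assets passive collection could not identify, deferring them outside a maintenance window and routing fragile devices to an intermediate collection point instead. The flow records, addresses, protocol labels and the maintenance-window and do-not-touch lists are all constructed for the example and are not real captured traffic.

```python
"""Passive conversation baseline plus gated active follow-up (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records standing in for what a passive sensor would see.
# Fields: (src, dst, dst_port, protocol, detail). Made up for this example.
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "modbus", "fc=3"),          # HMI reads holding registers from PLC A
    ("10.1.0.10", "10.1.0.21", 502, "modbus", "fc=3"),          # HMI reads from PLC B
    ("10.1.0.11", "10.1.0.20", 44818, "enip", "list_identity"), # engineering station identity poll
    ("10.1.0.10", "10.1.0.20", 502, "modbus", "fc=3"),
]

LIVE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "modbus", "fc=3"),          # normal read
    ("10.1.0.10", "10.1.0.20", 502, "modbus", "fc=16"),         # write multiple registers: never seen on this pair
    ("10.1.0.99", "10.1.0.21", 502, "modbus", "fc=3"),          # unknown host talking to PLC B
    ("10.1.0.11", "10.1.0.20", 44818, "enip", "list_identity"), # normal
]


@dataclass
class PassiveMonitor:
    # (src, dst, port, proto) -> set of protocol-level details seen on that conversation
    baseline: dict = field(default_factory=lambda: defaultdict(set))
    assets: set = field(default_factory=set)
    retained: list = field(default_factory=list)  # anomalous records kept for forensics / root cause

    def learn(self, flows):
        """Build the baseline from traffic observed during a known-good period."""
        for src, dst, port, proto, detail in flows:
            self.assets.update((src, dst))
            self.baseline[(src, dst, port, proto)].add(detail)

    def inspect(self, flows):
        """Compare live traffic with the baseline; return (reason, record) findings."""
        findings = []
        for rec in flows:
            src, dst, port, proto, detail = rec
            key = (src, dst, port, proto)
            if src not in self.assets or dst not in self.assets:
                reason = "new asset"
            elif key not in self.baseline:
                reason = "new conversation"
            elif detail not in self.baseline[key]:
                reason = "new behaviour in known conversation"
            else:
                continue  # matches the baseline, nothing to report
            findings.append((reason, rec))
            self.retained.append(rec)  # keep the evidence, as a capture would
        return findings


def plan_active_queries(monitor, passively_identified, maintenance_window, do_not_touch):
    """Hybrid step: decide per asset whether to 'query', 'defer' or 'skip'.

    Assets already identified from traffic are never polled. Devices on the
    do_not_touch list are skipped so their configuration is read through an
    intermediate component (e.g. an engineering station) rather than directly.
    Everything else is queried only inside the maintenance window.
    """
    plan = []
    for asset in sorted(monitor.assets, key=ipaddress.ip_address):
        if asset in passively_identified:
            continue
        if asset in do_not_touch:
            plan.append((asset, "skip"))
        elif not maintenance_window:
            plan.append((asset, "defer"))
        else:
            plan.append((asset, "query"))
    return plan


if __name__ == "__main__":
    mon = PassiveMonitor()
    mon.learn(BASELINE_FLOWS)
    for reason, rec in mon.inspect(LIVE_FLOWS):
        print(f"{reason}: {rec}")
    # PLC A answered an identity poll passively, so it needs no active query;
    # PLC B is treated as fragile (constructed assumption for the example).
    plan = plan_active_queries(mon, passively_identified={"10.1.0.20"},
                               maintenance_window=False, do_not_touch={"10.1.0.21"})
    for asset, action in plan:
        print(f"{asset}: {action}")
```

Run on the constructed records, the monitor reports the Modbus write on the HMI-to-PLC A conversation and the unknown host addressing PLC B, retains both records, and the planner defers the two unidentified hosts until the maintenance window while never scheduling a direct query to the fragile PLC. The point a practitioner should take from the structure is that the active path is a function of what passive collection has already answered, not a separate sweep.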
