インサイダーの脅威を検知する:OT/ICS サイバーセキュリティの課題
今すぐ登録
A simple way to compare OT and IT is this: IT values data integrity, confidentiality and availability. OT values process uptime, safety and reliability.
IT is ubiquitous in an organization and used by nearly every employee, in every cost center. Therefore, IT security focuses on protecting data from unauthorized access or modification, with an emphasis on role-based access and training users, the weakest link, in safe cybersecurity practices.
OT assets and networks typically manage and control the crown jewels that drive revenue for an organization (or provide essential public services), often autonomously.If OT fails or is attacked, the stakes are higher than with IT, especially for critical infrastructure. Therefore, OT security involves ensuring the safe, reliable operation of physical processes.
The sheer volume and diversity of OT and IoT devices make them harder to manage than IT devices.Moreover, every component in an OT network is part of a larger process in a very distributed environment. If a machine has a problem, immediately you must learn what it depends on and what is depending on it.
Historically, OT networks were “air-gapped” – with no connectivity to the internet or enterpriseIT networks, cyber threats weren’t a concern. Those days are long gone, but too often cybersecurity in OT environments is still an afterthought. Thanks to industrial digitalization, today’s production environments include hundreds of interconnected digital systems that improve efficiency but also introduce new risks. Many OT devices are unmanaged and can’t be patched like IT computers and servers. Where patching is possible, it can’t be automated. With some exceptions, threat detection relies on deep packet inspection and behavior-based anomaly detection techniques specifically designed for OT/ICS environments.
Ransomware attacks make headlines, but day-to-day network or process misconfigurations, operational errors, resource usage spikes and other anomalies are far more likely to threaten OT environments than outside attacks. An anomaly is anything that diverges from baseline performance. That could be unstable process values, incorrect process measurements and misconfigurations that could lead to malfunction.
Data moving through OT assets and processes (such as process values) is only relevant for an instant, and there might be millions of these data points per minute. Therefore, OT cybersecurity focuses less on data exfiltration and more on ensuring that data only moves between authorized devices and is current in every instant.
Most IT has a short lifecycle, with built-in obsolescence. Software is sunsetted or undergoes a major upgrade every few years, and hardware must be frequently replaced. OT generally has a long lifecycle — up to several decades in some cases. Devices such as PLCs are often purpose-built for rugged production environments — and built to last. Many OT devices still rely on legacy technology that is “insecure by design,” with well-documented vulnerabilities that too often remain unpatched. And it can take years for factory authorized and site acceptance testing to occur, so small tweaks are not encouraged.
Some OT systems — and their components — run continuously for years, with short windows for scheduled maintenance. Continuous operations helps ensure safety and reliability, as downtime can lead to critical failures in industrial environments. Patches (if available) and other updates are infrequent and must be scheduled during narrow maintenance windows.
IT uses standard operating systems and communicate using standard protocols. Many OT devices have proprietary operating systems specific to their use. OT systems also use hundreds of protocols to communicate, many of them industry specific and inherently insecure. These protocols are tailored for real-time monitoring and control of physical processes and devices, prioritizing reliability, deterministic response times and resilience over speed and flexibility. Proprietary protocols like Modbus or Profibus that must be carefully analyzed using deep packet inspection (DPI) to identify suspicious or anomalous behavior.IT intrusion detection systems (IDS) and endpoint detection and response systems (EDRs) don't understand industrial protocols so can't detect OT-focused threats. At best they would be ineffective; at worst they could consume too many resources or break something.
On any given day, manufacturers may have dozens of third-party technicians logging in remotely to monitor production and troubleshoot equipment, often using their own remote access tools. Lax use of weak credentials and default passwords leaves companies open to attack via remote code execution.
Especially for unmanned equipment, default passwords may never get changed, making it easy for bad actors to hack them, and multi-factor authentication (MFA) is impractical. Instead, continuous monitoring is used to authenticate devices and ensure the integrity of communication between devices.
Segmentation is an essential compensating control to limit communications and protect devices that can be remediated infrequently if at all. To isolate industrial crown jewels and prevent cyber incidents on IT networks from moving laterally to OT networks, industrial environments make use of secure zones and conduits that control and monitor traffic between segments
Understanding cybersecurity risk, introducing security best practices and creating a culture of awareness in industrial settings are major cultural changes. For example, getting OT engineers to accept cybersecurity risk mitigation as scheduled maintenance requires a shift in thinking. As CISOs embrace enterprise risk management and OT increasingly comes under their authority, this shift must happen.
Despite initial skepticism, OT operators derive many benefits from continuous asset and network monitoring. It collects a wealth of information about the assets and processes it monitors that is useful for detecting important changes, both anomalies from the baseline and cybersecurity threats. Moreover, once continuous monitoring begins, it typically exposes longstanding issues that operators never knew existed.
As soon as the Nozomi Networks platform is installed, network sensors start analyzing the ICS network traffic and builds an interactive visualization of it. Operators and cyber security staff see the industrial network nodes visualized, often for the first time. They quickly perceive aspects of their environment that they weren’t previously aware of, and can easily drill down to find more information.
The addition of safe, non-disruptive endpoint sensors purpose-built for OT assets provides another layer of valuable information.Operators can see not just configuration changes and anomalies but also who’s logged onto a device, what other devices it’s communicating with and what protocols it’s using. Two big wins are visibility into East-West traffic at lower Purdue levels and unauthorized USB connections.
Merged IT/OT security operations centers (SOCs) are where the two cultures really come to a head. They are gaining popularity for obvious reasons such as central CISO oversight, IT/OT convergence, improved response times and, of course, cost savings. Rather than a merged SOC, however, more often what you see is the traditional IT SOC team providing a service to a new customer, the OT business unit. Frequently what plays out is a textbook example of the service provider not understanding their customer. A major knowledge transfer needs to occur but doesn’t.
A simple way to compare OT and IT is this: IT values data integrity, confidentiality and availability. OT values process uptime, safety and reliability.
IT is ubiquitous in an organization and used by nearly every employee, in every cost center. Therefore, IT security focuses on protecting data from unauthorized access or modification, with an emphasis on role-based access and training users, the weakest link, in safe cybersecurity practices.
OT assets and networks typically manage and control the crown jewels that drive revenue for an organization (or provide essential public services), often autonomously.If OT fails or is attacked, the stakes are higher than with IT, especially for critical infrastructure. Therefore, OT security involves ensuring the safe, reliable operation of physical processes.
The sheer volume and diversity of OT and IoT devices make them harder to manage than IT devices.Moreover, every component in an OT network is part of a larger process in a very distributed environment. If a machine has a problem, immediately you must learn what it depends on and what is depending on it.
Historically, OT networks were “air-gapped” – with no connectivity to the internet or enterpriseIT networks, cyber threats weren’t a concern. Those days are long gone, but too often cybersecurity in OT environments is still an afterthought. Thanks to industrial digitalization, today’s production environments include hundreds of interconnected digital systems that improve efficiency but also introduce new risks. Many OT devices are unmanaged and can’t be patched like IT computers and servers. Where patching is possible, it can’t be automated. With some exceptions, threat detection relies on deep packet inspection and behavior-based anomaly detection techniques specifically designed for OT/ICS environments.
Ransomware attacks make headlines, but day-to-day network or process misconfigurations, operational errors, resource usage spikes and other anomalies are far more likely to threaten OT environments than outside attacks. An anomaly is anything that diverges from baseline performance. That could be unstable process values, incorrect process measurements and misconfigurations that could lead to malfunction.
Data moving through OT assets and processes (such as process values) is only relevant for an instant, and there might be millions of these data points per minute. Therefore, OT cybersecurity focuses less on data exfiltration and more on ensuring that data only moves between authorized devices and is current in every instant.
Most IT has a short lifecycle, with built-in obsolescence. Software is sunsetted or undergoes a major upgrade every few years, and hardware must be frequently replaced. OT generally has a long lifecycle — up to several decades in some cases. Devices such as PLCs are often purpose-built for rugged production environments — and built to last. Many OT devices still rely on legacy technology that is “insecure by design,” with well-documented vulnerabilities that too often remain unpatched. And it can take years for factory authorized and site acceptance testing to occur, so small tweaks are not encouraged.
Some OT systems — and their components — run continuously for years, with short windows for scheduled maintenance. Continuous operations helps ensure safety and reliability, as downtime can lead to critical failures in industrial environments. Patches (if available) and other updates are infrequent and must be scheduled during narrow maintenance windows.
IT uses standard operating systems and communicate using standard protocols. Many OT devices have proprietary operating systems specific to their use. OT systems also use hundreds of protocols to communicate, many of them industry specific and inherently insecure. These protocols are tailored for real-time monitoring and control of physical processes and devices, prioritizing reliability, deterministic response times and resilience over speed and flexibility. Proprietary protocols like Modbus or Profibus that must be carefully analyzed using deep packet inspection (DPI) to identify suspicious or anomalous behavior.IT intrusion detection systems (IDS) and endpoint detection and response systems (EDRs) don't understand industrial protocols so can't detect OT-focused threats. At best they would be ineffective; at worst they could consume too many resources or break something.
On any given day, manufacturers may have dozens of third-party technicians logging in remotely to monitor production and troubleshoot equipment, often using their own remote access tools. Lax use of weak credentials and default passwords leaves companies open to attack via remote code execution.
Especially for unmanned equipment, default passwords may never get changed, making it easy for bad actors to hack them, and multi-factor authentication (MFA) is impractical. Instead, continuous monitoring is used to authenticate devices and ensure the integrity of communication between devices.
Segmentation is an essential compensating control to limit communications and protect devices that can be remediated infrequently if at all. To isolate industrial crown jewels and prevent cyber incidents on IT networks from moving laterally to OT networks, industrial environments make use of secure zones and conduits that control and monitor traffic between segments
Understanding cybersecurity risk, introducing security best practices and creating a culture of awareness in industrial settings are major cultural changes. For example, getting OT engineers to accept cybersecurity risk mitigation as scheduled maintenance requires a shift in thinking. As CISOs embrace enterprise risk management and OT increasingly comes under their authority, this shift must happen.
Despite initial skepticism, OT operators derive many benefits from continuous asset and network monitoring. It collects a wealth of information about the assets and processes it monitors that is useful for detecting important changes, both anomalies from the baseline and cybersecurity threats. Moreover, once continuous monitoring begins, it typically exposes longstanding issues that operators never knew existed.
As soon as the Nozomi Networks platform is installed, network sensors start analyzing the ICS network traffic and builds an interactive visualization of it. Operators and cyber security staff see the industrial network nodes visualized, often for the first time. They quickly perceive aspects of their environment that they weren’t previously aware of, and can easily drill down to find more information.
The addition of safe, non-disruptive endpoint sensors purpose-built for OT assets provides another layer of valuable information.Operators can see not just configuration changes and anomalies but also who’s logged onto a device, what other devices it’s communicating with and what protocols it’s using. Two big wins are visibility into East-West traffic at lower Purdue levels and unauthorized USB connections.
Merged IT/OT security operations centers (SOCs) are where the two cultures really come to a head. They are gaining popularity for obvious reasons such as central CISO oversight, IT/OT convergence, improved response times and, of course, cost savings. Rather than a merged SOC, however, more often what you see is the traditional IT SOC team providing a service to a new customer, the OT business unit. Frequently what plays out is a textbook example of the service provider not understanding their customer. A major knowledge transfer needs to occur but doesn’t.
