How Network Detection & Response (NDR) Monitors OT Environments

Architecting the Optimal OT Security Solution Against Hackers, Thanks to Metadata Analysis and DPI

OT security in 2023: critical infrastructure operators face the challenge of integrating vulnerability monitoring, asset management and network security monitoring. At the same time, additional hardware and software require thorough testing. Sometimes, even electromagnetic certifications are necessary before your new appliance can finally be integrated.

The second typical challenge is that patching is, in some industries, still not possible in a timely manner – some of the recent incidents enumerated below prove this pain point: - In March 2023, an Australian Army helicopter crashed due to a failure to apply a software patch. - In June 2022, the Skyguide air traffic control for Switzerland had to cease work for a few hours as a patched server had to be rebooted. Further details on this technical incident can be found here.

These are just two examples of an underlying problem – on one hand, in the OT security space, a certain number of trainings, certifications and personnel are important to keep the operations up and running. On the other hand, regulators have to certify and/or clear your patches and patching strategy. Transferring this to the security industry and products therein, classic hourly updates for your signatures are probably not going to happen, and, depending on your industry, automatic isolation of hosts or automated firewall changes as response tactics are just as difficult to implement. In addition, for instance, power distributors usually work on a location-based, widely distributed network. Therefore, dedicated installation of hardware on every site to get a complete overview of the network is either not possible from a technical point of view or simply too expensive.

Requirements for Network Visibility in an OT SOC

To comprehend requirements in OT security regarding SOC setups, it is imperative to understand that most critical infrastructure providers have their own IT SOC but are currently working on expanding the former into an OT SOC area. As such, hiring and continued education remain the challenges they ever were, only increased by the OT vector. This publication by the European Union Agency for Cybersecurity provides good guidance to OT SOC expansion.

From a technical perspective, most OT SOCs have different requirements – sometimes regarding standards such as ISO 27019 for energy operators and ISO 27799 for medical information security management, extending the classical ISO 27001 scope. The CENELEC TS 50701 extends IEC 62443 specifically for the railway cybersecurity scope.

Solution: Analyzing OT Traffic with Joint DPI and Analytics Architecture

My proposal to this OT security concern is to use XT as a solution to analyze OT traffic with a joint deep packet inspection (DPI) and analytics architecture. Why, you ask? Well, using a DPI sensor in the central operator station to get a full packet capture of critical traffic that passes the operator stations helps to take care of the following threat scenarios:

• Active communication and ongoing infections of PLCs (Programmable Logic Controllers), the spreading of malware between components
• Attacks against devices like PLCs using established protocols and connections

At the same time, based on the threat model, it probably wouldn’t make sense to have hardware sensors at all locations but only the most critical ones. As such, the benefits of combining both solutions are much more feasible.

NDR Detection Use Cases in OT Networks

The following detection use cases, through the use of Network Detection & Response (NDR) serve as examples that were identified in OT security, i.e. the networks, where a pure metadata approach is absolutely sufficient:

• A new (malicious) device is actively connecting to the network
• Active communication and ongoing infections of PLCs/spreading of malware between components
• Port scanning and utilization of enumeration techniques
• Lateral movement between zones by active attackers
• Exfiltration of data (e.g., unauthorized disclosure of confidential engineering data)
• Lack of communication to core components (has to be engineered into the detection algorithms on a case-by-case basis)

To improve detection, the following threats can be covered by utilizing deep packet inspection (DPI) in addition to metadata analysis:

• Attacks against devices using established protocols and connections by utilizing protocol analysis

The following attacks will be hard for both solutions to detect:

• Local attackers modifying specifically crafted PLC code (i.e., timed and logic bombs)
• Purely passive listening on the network (via tap port)

Conclusion

In this article, I highlighted the challenges faced by operators of critical infrastructure in integrating vulnerability monitoring, asset management, and network security monitoring, as well as the difficulties in timely patching and the need for certification and clearance of patches. I also emphasized on the importance of establishing an OT SOC (Security Operations Center) and understanding the specific requirements for network visibility in the OT security space – a very hot topic following the announcement of NIS2.

The proposed solution is to analyze OT traffic using a joint Deep Packet Inspection (DPI) and analytics architecture, particularly using DPI sensors in central operator stations to capture critical traffic and address various threat scenarios such as communication and infections of PLCs (Programmable Logic Controllers) and attacks against devices. I mention the use of metadata analysis with examples of detection use cases in OT networks where a pure metadata approach is sufficient.

However, please note that certain threats, such as local attackers modifying PLC code and passive listening on the network, may be challenging for both the proposed solutions to detect.

Overall, this OT security article suggests leveraging DPI, analytics, and metadata analysis to enhance monitoring and detection capabilities in OT environments, while acknowledging the specific challenges and limitations that may arise in the process. What are your thoughts? I would love to hear about your challenges and potential questions.