Enterprise security for IT and ICS or SCADA networks
Written by: Astalmark
Date: Thu, 1 Dec 2011
Stuxnet – stress testing for enterprise security
CONNECTING THE DOTS
The most secure networks today are multi-layered and don’t rely on a single security technology or vendor. They’re often integrated, with a SIEM system aggregating outputs from applications, operating systems and network solutions to ensure easy data correlation and interpretation. This enables security staff to bridge their different technology systems, to see all the activity across the organisation, and gain centralised monitoring perspective.
Modern targeted attacks have shown they can bypass even the best traditional enterprise security systems such as firewalls, Intrusion Detection Systems and other point solutions. Hackers even use multi-vector attacks in different parts of enterprise systems to obscure the identity of the real threat. As a result, better tools are needed, not more of the same. As Ernst & Young has warned: ‘Simply shoring up existing and conventional defenses is not enough’. This is so in any environment, including critical infrastructure and industrial plants.
In enterprise security, as in life, non-compliant or suspicious activity is often the first indicator of planned malicious activity. For this reason, behaviour-based technologies can strengthen the protection offered by rules-only SIEM systems, by detecting and alerting on the abnormal patterns of activity which may be an early warning of misuse.
Behaviour Anomaly Detection (BAD) helps security staff see suspicious events that are often invisible to rules-only SIEMs. By connecting the dots between abnormal and apparently unrelated activities, BAD allows security staff to quickly spot any (i) internal misuse, or (ii) carefully orchestrated attack designed to exploit security blind spots. In ICS systems and other IT environments, these early alerts can make the difference between responding in real time and making a difference, or after the damage is done.
THE TAKE-AWAY
Stuxnet sounded a warning about the vulnerability of the security monitoring and control procedures in organisations using ICS systems. We’ve seen that this new vector or a variant can penetrate the SCADA and control systems that were once thought secure. Moreover, leveraging the Internet’s connectivity for new technologies like smart grids and smart metering for electricity and gas will expose greater areas of vulnerability, and open millions of unsecured end points across the grid for attack. In May 2011, we learned how easily a SIM card in a Tasmanian smart meter trial was hacke
Clearly, ICS (and other) operators should frequently review their security policies and processes, to:
- Undertake a risk assessment of systems, monitoring and control processes across all parts of the enterprise;
- Confirm and monitor the integrity of remote sites and communication links;
- Aggregate IT and ICS event logging for integrated real-time correlation and interpretation;
- Implement technologies and procedures that can extend beyond policy-based compliance monitoring to detect risky and suspicious system activity as it occurs; and
- Adopt a security monitoring and control system that maintains evidential integrity and can adapt to current and future needs.
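The following is an added example, not code from the article or from Tier-3's Huntsman product, showing the two ideas above in working form: aggregating IT and ICS event logs into one stream, scoring each event against a per-host behavioural baseline rather than a fixed rule, and then connecting the dots between an anomalous IT event and an anomalous ICS event on the same host. The log format, host names, users and timestamps are all constructed for the example.

```python
"""Behaviour anomaly detection over aggregated IT and ICS logs (added example).

A per-host baseline of (actions seen, hours active) is built from a training
window. New events are scored by how they deviate from that baseline, and
anomalies from the IT and ICS feeds that share a host inside a short window
are correlated into one alert. All log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: routine activity already merged from both feeds.
# Format (assumed): <iso-timestamp> <feed> <kind> key=value ...
BASELINE = [
    "2011-11-24T09:02:11 it auth host=eng-ws-07 user=jsmith action=login_ok",
    "2011-11-24T09:40:03 ics plc host=eng-ws-07 user=jsmith action=read_tags target=PLC-3",
    "2011-11-25T08:55:47 it auth host=eng-ws-07 user=jsmith action=login_ok",
    "2011-11-25T10:12:30 ics plc host=eng-ws-07 user=jsmith action=read_tags target=PLC-3",
    "2011-11-28T09:10:02 it auth host=eng-ws-07 user=jsmith action=login_ok",
    "2011-11-28T14:05:19 ics plc host=eng-ws-07 user=jsmith action=read_tags target=PLC-3",
    "2011-11-29T09:01:55 it auth host=eng-ws-07 user=jsmith action=login_ok",
    "2011-11-29T11:30:00 ics plc host=eng-ws-07 user=jsmith action=read_tags target=PLC-3",
]

# Constructed events to score: a 2 a.m. login followed two minutes later by a
# setpoint write from the same engineering workstation, then a normal 9 a.m. login.
NEW_EVENTS = [
    "2011-12-01T02:14:05 it auth host=eng-ws-07 user=jsmith action=login_ok",
    "2011-12-01T02:16:40 ics plc host=eng-ws-07 user=jsmith action=write_setpoint target=PLC-3",
    "2011-12-01T09:05:12 it auth host=eng-ws-07 user=jsmith action=login_ok",
]


def parse(line):
    """Normalise one line from either feed into a flat dict (aggregation step)."""
    ts, feed, _kind, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "feed": feed}
    for kv in kvs:
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def build_baseline(lines):
    """Per host: the set of actions seen and the set of hours (0-23) it was active in."""
    actions = defaultdict(set)
    hours = defaultdict(set)
    for ev in map(parse, lines):
        actions[ev["host"]].add(ev["action"])
        hours[ev["host"]].add(ev["ts"].hour)
    return actions, hours


def score(ev, actions, hours, slack=1):
    """Return the reasons an event deviates from baseline; an empty list means normal.

    `slack` widens the known active hours by +/- N hours so that 08:55 against a
    baseline of 09:02 does not raise an alert on its own.
    """
    host = ev["host"]
    if host not in actions:
        return ["host never seen in baseline"]
    reasons = []
    if ev["action"] not in actions[host]:
        reasons.append(f"action {ev['action']} never seen from {host}")
    known = {(h + d) % 24 for h in hours[host] for d in range(-slack, slack + 1)}
    if ev["ts"].hour not in known:
        reasons.append(f"activity at {ev['ts'].hour:02d}h is outside usual hours for {host}")
    return reasons


def detect(new_lines, baseline_lines, window=timedelta(minutes=15)):
    """Score events, then correlate IT and ICS anomalies on the same host within `window`."""
    actions, hours = build_baseline(baseline_lines)
    anomalies = []
    for ev in map(parse, new_lines):
        reasons = score(ev, actions, hours)
        if reasons:
            anomalies.append((ev, reasons))
    # Connecting the dots: an anomalous IT event followed by an anomalous ICS event
    # from the same host is reported as one orchestrated-activity alert.
    alerts = []
    for ev_it, r_it in anomalies:
        for ev_ics, r_ics in anomalies:
            if ev_it["feed"] != "it" or ev_ics["feed"] != "ics":
                continue
            if ev_it["host"] != ev_ics["host"]:
                continue
            if timedelta(0) <= ev_ics["ts"] - ev_it["ts"] <= window:
                alerts.append({"host": ev_it["host"], "it": ev_it["action"],
                               "ics": ev_ics["action"], "reasons": r_it + r_ics})
    return anomalies, alerts


if __name__ == "__main__":
    found, alerts = detect(NEW_EVENTS, BASELINE)
    for ev, reasons in found:
        print(ev["ts"], ev["feed"], ev["host"], ev["action"], "->", "; ".join(reasons))
    for alert in alerts:
        print("ALERT", alert)
```

A rule that only matches `write_setpoint` would fire on every legitimate engineering change; a rule that only matches off-hours logins would fire on every on-call session. Neither event is conclusive alone, which is what makes them blind spots for a rules-only SIEM. The baseline-plus-correlation approach raises one alert only when both deviate from the host's own history and fall inside a short window, and it records the reasons so the alert carries its evidence with it.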
About the Author
Astal Mark writes for Tier-3 that raises your cyber security to the highest level with Huntsman, providing intelligent data protection, threat management and IT security for government, finance and critical infrastructure since 1999.