Defending Industrial IoT – the truth lies in the data

The power to cripple a nation

SCADA systems tie together power, oil, gas pipelines, water distribution and other decentralized facilities. They control and monitor physical processes, like transmission of electricity, transportation of gas and oil in pipelines, traffic lights, and the list could go on. The security of SCADA systems is crucial — compromising them affects key areas of society. A blackout, for example, can cause enormous financial losses to everyone tied to that grid.

Designed to be open and easy to operate and repair, SCADA systems don’t provide secure environments and can be difficult to harden. Additionally, the recent move from proprietary technologies to open solutions, coupled with increased network connectivity, has made them extremely vulnerable to network-type attacks.

In his book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, author Ted Koppel reveals that a major cyberattack on America’s power grid is not only possible, but likely. Worse still, the U.S. is shockingly unprepared for such a hack, despite ongoing cyber-tensions between the world’s leading powers. Koppel argues that a successful attack would plunge America into the dark ages. Iif the 2015 attack on Ukraine’s power grid is any indication, he’s right.

In 2015, alleged Russian operatives brought leaders of a Ukrainian power plant to their knees. Known as the December 2015 Ukraine power grid cyberattack, the incident is the first known successful cyber-attack on a power grid. Attackers used several methods to compromise the grid, taking SCADA under control and remotely switching substations off. They then disabled IT infrastructure components, destroyed files stored on servers and workstations with the KillDisk malware and deployed a denial-of-service attack on the grid’s call center to deny consumers information on the blackout.

Around the world, cybercriminals are actively targeting critical infrastructures, including healthcare facilities where human lives are at risk every time an attack is deployed. The profits in compromising IoT devices provide criminals with significant motivation. For example, smart electricity meters can be hacked to siphon money. Truly, the possibilities are endless, and the security of the smart world is at grave risk.

Real-time threat detection for networked devices

In recent years, bad actors have honed their skills to penetrate networked infrastructures through vulnerabilities embedded in the very IoT applications we herald as the key to a better future. Because industrial systems are not typical computers and don’t support on-board defenses against cyberattacks, IT administrators need a way to detect potential attacks in real time, before hackers take control. This means industrial IoT applications need a completely different kind of protection.

Network traffic analytics has emerged as a key technology to help protect large infrastructures with disparate systems, as it provides complete threat-related network activity for any device on the network. By focusing on the network behavior of endpoints, network traffic analytics can help security operation centers defend fleets of devices with limited or no built-in security and no endpoint security agent running on it. Network traffic analytics uses a technique called device fingerprinting to keep tabs on every networked device. In this case, a fingerprint is various data points, such as the device’s unique ID, its media access control address or information from network data packet headers.

This lets network traffic analytics solutions take note when a device behaves abnormally, based on what it should and shouldn’t do. When an anomaly is detected, IT admins can choose one of several courses of action to prevent the attack from unfolding, including cutting off all ties to the Internet or secluding the suspiciously behaving endpoint from the rest of the network until a complete analysis is performed.

At the heart of network traffic analytics lies machine learning. Next-generation network traffic analytics solutions use predictive machine learning models that accurately reveal threat activity and suspicious traffic patterns. An ideal network traffic analytics deployment leverages semi-supervised or tunable machine learning. Unlike strictly supervised approaches, a tunable machine learning model does not require only labeled training data, meaning it readily identifies key patterns and trends in the live data flows, without the need for human input. When a threat is detected, IT admins receive a detailed security incident explanation and a suggested course of action, facilitating incident investigation and response.

Legacy or traditional security systems fail in the face of silent threats that creep their way onto networks. Studies show that the cybersecurity skill gap is widening every year. Plus, attackers today are smarter than ever, using malware that changes form to evade pattern-matching algorithms. As the threat landscape evolves in unpredictable ways, a new approach to cyberdefense is urgently needed. Network traffic analytics technology distills the patterns to a set of readily-identifiable scenarios to alert security teams, which guides response efforts faster and more efficiently than ever before.

With the number of connected smart devices on the network multiplying faster and more haphazardly than the predictable growth of traditional fixed and mobile endpoints, there is only one truly effective approach to cover all devices that generate cyber-risk: analyze network data.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.