However, for most ICS and automation system operators, baselining and tracking expected behavior is difficult, and requires lots of time and specialized expertise. Additionally, not all applications and operating systems are easy to configure in order to log the data required to accurately detect anomalous behavior. Although asset owners can benefit from having logging and monitoring capabilities in their ICS-process specific applications, most often, these capabilities are geared solely to making improvements in process performance. By refocusing their use of these systems to include detection of anomalous – and therefore suspicious – network activity, ICS owners can significantly improve the security posture of their systems.
5. Collection, Analysis, and Workflow Lifecycle Integration – Many organizations stop at the collection step and then label their security and compliance efforts a success. The fact is that data collection is really just the first step. To be truly successful, an organization must collect, analyze, and then act on the security and compliance data it gathers from its ICS environment. By continually iterating over and acting upon the data, an organization can track and improve its security and compliance efforts over time.
For example, consider an organization that logs failed logons. If no analysis is performed on the failed logon events, the organization will not know if the failures are malicious or if the events are failed logons from a service that is configured to use an expired password.
Another example, from a compliance perspective, is when an organization logs events to meet a compliance requirement. How will the organization know when log data collection fails or if there is a gap in the collection? Without tracking the dates, times and failures of log collection, the organization leaves itself vulnerable to a compliance deficiency.
The scope and pace of technological change now occurring or coming soon to many ICS environments present new risks to automation systems professionals. But as is always the case with change, risks are accompanied by opportunities. Old approaches to ICS system design and security are becoming increasingly ineffective in the face of major technology trends and business changes that are now impacting operators. Forward-thinking professionals must find effective ways to overcome these new security and operations challenges.
The first step is recognizing that in many areas of ICS security, what worked in the past likely won’t work in the future. Teams must explore new options and develop effective business cases for investing the next-generation ICS security technologies. By embracing the changes that are taking place in the industry, and adopting new solutions to address them, ICS professionals will be able to mitigate risks and capitalize on the terrific opportunities that lie ahead.