Network Monitoring—Passive, Active or Both
I recently had the pleasure of addressing the Industrial Control Systems Joint Working Group (ICSJWG) within the U.S. Department of Homeland Security. They invited us to discuss the importance of monitoring industrial networks for comprehensive visibility, as well as present some views on how best to do so. I think that many OT professionals outside of that room—or anyone concerned with industrial cyber security—would also find some value in the topic, so I’d like to offer up a bit of the flavor of that discussion.
There is little doubt that the need for OT operators to adapt to stronger cyber security postures is getting increasingly urgent. Yet, there are a lot of myths and misconceptions that could very well hinder many operators from taking the appropriate actions. For example, many presume that “cyber events” equate to “hackers.” In fact, the vast majority of cyber events—events that impact the efficacy of the production line—come from sources such as human error or equipment failure, and, if they are nefarious in nature, they are more likely to come from a disgruntled employee than from an outside hacker. Some practices that are good for visibility into human error and equipment failure are also the same best practices that can be used to spot malicious behavior.
Another misconception is that smaller industrial operations are immune from catching the attention of hackers. In reality, nothing could be further from the truth—the organizations with less expertise, fewer investigatory personnel and fewer overall resources are actually far more attractive to hackers, whether it be for practice or to “enslave” their equipment and use it for more widespread exploits. You cannot control if you are a target for malicious behavior.
I compare the situation to responding to a hurricane. It’s definitely coming, as we have radar to see it coming, but are we prepared. So we can choose to learn as much about its trajectory, location, speed and so on and take the proper precautions to mitigate and minimize its impact, or we can let it make a surprise hit and then shake our fists at the skies like ancient peoples did. I suggest the former. Can we see cyber events coming?
Getting the information needed to stay ahead of potential cyber events means monitoring the network and gathering reams of data which, when handled correctly, will then be
- Run through sophisticated analytics
- Translated into practical actionable information
It All Starts with Data
As noted, getting the raw data is step one. Traditionally, there have been two main ways of doing that—passive monitoring, which means basically “eavesdropping” on the network and sampling the information that happens to be passing by, or active monitoring, which means scanning/polling the network directly for specific answers. Active monitoring, obviously, can be more efficient and comprehensive, while passive monitoring leaves us with some good information, but in many cases not all the information needed in the appropriate depth or in a timely manner.
The problem is, active monitoring has had an unfortunate history amongst OT professionals. Early on, IT professionals took some active monitoring methods used in the office environment and tried to use them wholesale on the more sensitive OT networks. The result—some devices malfunctioned and caused costly stoppages on the production line. Even today “scanning” has become a word that can leave many OT professionals quaking with fear.
Passive AND Active...AND Hybrid
Fortunately, there is a way to get many of the benefits of active monitoring without some of the potential risks. It’s called hybrid monitoring, or, more descriptively, “talking to the thing that talks to the thing.” That is, rather than talking directly to the sensitive endpoints, devices such as a PLC or VFD which could bristle under the query and malfunction, instead talk to some piece of control hardware that might already be on the network for reasons other than security and is already playing nice with the end points. Often used examples include Rockwell Software FactoryTalk AssetCentre, MDT Autosave and Kepware KepServerEX.
That said, it is also important to note that a complete monitoring solution in a complex industrial automation environment doesn’t need to be 100% passive or 100% active or even 100% hybrid. In fact, the most effective monitoring solution is often made up of a combination of tools with the most effective one operating at each point to generate the best combination of comprehensive visibility and network reliability. There is no “one size fits all” method or even combination of methods.
Further, know that these solutions are often a flexible process and not “one and done.” For example, if you’ve opted for a passive approach it is quite possible to modify it with other active or hybrid tools as time goes on to “evolve” the most effective combination monitoring system. So don’t worry about getting “stuck”—it’s most important that you do something, even if you modify it later.
We’ve seen a lot of success with this combination approach. In fact, Tripwire is one of the few industrial cyber security firms who can offer all different types of solutions—active, passive and hybrid alike, so you never have to worry about getting a less than best-fit solution for any network point. Solutions are even vendor agnostic, so the often diverse brand mix of OT equipment is never an issue. If you’d like to discuss your specifics, we’d welcome a dialog at your convenience.