Blog

Solving Scalability and Visibility Challenges for ICS Cybersecurity Stakeholders

Thomas Nuth | May 29, 2019

The digitalization of industrial automation and critical infrastructure systems has changed the job description for cybersecurity and operations stakeholders in nearly every industrial vertical. These stakeholders are still struggling to meet the demands of today’s evolving threat landscape and growing device networks, and their job isn’t going to get much easier.

According to Forrester’s recent landscape overview report of 21 ICS cybersecurity vendors, the demand for ICS cybersecurity solutions is only set to rise due to the growing prevalence of state-sponsored cyberattacks, more OT-specific malware, and the general reality that many OT environments have too many legacy devices that are highly vulnerable. 1

Below are a few of the challenges OT cybersecurity stakeholders face on a daily basis, and steps they should be taking to solve them.

New Devices. New Problems.
New devices are connecting to ICS networks almost daily. The ability to understand what these devices are and how they are communicating is critical to provide a starting point for analysts to combat the next generation of cyber adversaries. Attackers are evolving and using more complex attack methods, including the ability to execute from previews, shut off antivirus systems, escalate privileges, and even disable logs to hinder threat intelligence. 2

All these new devices, coupled with the advanced techniques that adversaries are using to hide in plain sight, make complete OT network visibility a necessity. Threat hunters must also evolve and shift their focus to tactics, techniques, and procedures (TTP), instead of IoCs alone.

Reducing MTTR
Say these words with me: “Reduce mean time to resolution (MTTR).”

For the average operations person or SOC, the MTTR is critical, but many ICS cybersecurity solutions don’t quite solve the MTTR problem. The main thing to keep in mind is that most leading ICS cybersecurity solutions are passive. Without an ability to at least offer an active solution and automate policy enforcement, an ICS cybersecurity solution will merely tell you that there’s a problem, but it won’t help you fix it, regardless of what they claim.

When choosing cybersecurity solutions for ICS networks, stakeholders must ensure that the technology offers a selective active component to provide deeper context into an issue and help orchestrate remediation and recovery efforts.

The SOC Silo
SOC analysts only have access to a portion of their companies’ data due to the high cost of analysis and storage. Workflows are still rules-based or manual, leading to a reactive approach to threat intelligence instead of a proactive, efficient SOC. These factors are keeping many SOCs out of the modern age of security, and therefore exposing entire organizations to risk. Considering that downtime affects the entire organization, this challenge is a shared one for the CSO, CISO and local operations teams alike.

Both IT and OT cybersecurity stakeholders need to scale and delegate visibility and actions throughout the organization. After all, what the SOC needs to see isn’t necessarily what the CISO needs to see, so the intelligent delegation and management of information over a multisite, geo-distributed deployment needs to be flexible enough to customize operational functions.

OT asset owners know that cybersecurity is important – that ship has sailed. But what now? How can they solve the mounting scalability and visibility challenges facing modern ICS networks? Investing in great technology to increase visibility and threat detection is only half the battle. The other key design attribute that any SOC, CSO or CISO must consider when selecting an ICS cybersecurity solution is scalability.

Can the solution easily rollout in both greenfield and brownfield deployment scenarios? Can the solution traverse the IT-OT domains? Can my SOC integrate this with their existing cybersecurity infrastructure? The answer always needs to be “yes”.

With the release of SilentDefense 4.0, Forescout now offers monitoring and control capabilities for multi-network and geo-distributed enterprise deployment scenarios with the new Enterprise Command Center (ECC). This allows SOCs and/or CISOs to rapidly discern if there are cyber or operational threats, where these threats are located, and how to remediate them via a centralized dashboard view.

The ECC is an ideal tool for corporate and group IT SOCs to have a unified, high-level view of the status of the entire OT infrastructure and facilitates deployments in large, complex organizations with multiple chains of responsibility for the management of the security information.

With the ECC, both IT and OT users can enhance their security posture with rich asset data and robust threat intelligence from a fleet management perspective.

Some key use cases and functional benefits include:

  • Global oversight across multiple, geo-distributed network sites
  • Cross-site investigation to compare behaviors of different regions from a single location
  • Reduction of the mean time to respond (MTTR) through real-time awareness and context
  • The ability to switch between regions, networks and sites to increase productivity
  • Better understanding of threats due to contextual analysis

Ultimately, the ECC can help to reduce downtime and revenue loss while enhancing communication between executive leaders and those in the field.

To learn more about how the ECC helps solve ICS scalability and visibility challenges, read the solution brief.

Forescout Solution Brief SilentDefense-4

1 New Tech: Industrial Control Systems (ICS) Security Solutions, Q1 2019; Forrester’s Landscape Overview Of 21 Providers; by Merritt Maxim and Joseph Blankenship; February 28, 2019 | Updated: March 5, 2019

2 Key Pillars of the Modern SOC; SC Magazine; by Julian Waits