Securing industrial control systems (“ICS”) against cyber attacks is a very difficult challenge. ICS networks connect thousands of devices, often decades old and ranging from simple sensors to sophisticated SCADA servers. The range of operating systems, protocols, and chipsets dwarfs the range seen in IT systems, which are fairly consolidated by comparison. This complexity increases the ICS attack surface and makes traditional security approaches either infeasible or incomplete. And while ICS networks are exposed to classic IT threats like denial-of-service attacks, the past five years have seen new threats like Stuxnet and Dragonfly that target ICS first. Industrial control systems run much of the critical infrastructure supporting modern life, and vulnerabilities in these systems mean vulnerabilities in our power grid, manufacturing plants, and water treatment centers, among others.
At Symantec, we have been working on this problem for years. We have put together a suite of solutions that identify and authenticate devices, lock down ICS endpoints and ensure the software running on them hasn’t been tampered with. This month we launched Anomaly Detection for ICS, which is security analytics built from the ground up for the ICS space.
Anomaly Detection for ICS deploys at the network level and passively monitors traffic in order to learn the system and create a model of expected behavior. Anomaly Detection for ICS then automatically looks for anomalous behavior relative to that learned model, without the user creating any rules or policies. Proprietary machine learning algorithms help Anomaly Detection for ICS perform deep packet inspection of any industrial protocol and look for subtle, correlated anomalies across the system. This approach to ICS security monitors legacy and simple devices that can’t be directly locked down, and it can detect zero-day attacks because it does not rely on signatures.
There is no silver bullet product to solve ICS security, but the best solution is a defense in depth approach that protects up and down the stack. With the launch of Anomaly Detection for ICS, Symantec adds network monitoring to its existing solutions in authentication, endpoint, application, cloud, and data center security for industrial systems.
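The learn-then-detect approach described above, reduced to its core: a passive observer records who talks to whom on an ICS network, which Modbus unit/function combinations each pair uses, and how busy each pair gets, then flags any later request that falls outside that learned model. This is an added illustration, not Symantec's product code; the hosts, Modbus function codes in use, and traffic samples are constructed for the example.

```python
from collections import defaultdict, Counter

# Constructed learning-phase traffic: (second, src, dst, unit_id, function_code).
# Modbus function 0x03 = Read Holding Registers, 0x10 = Write Multiple Registers.
BASELINE = (
    [(t, "10.0.1.10", "10.0.1.50", 1, 0x03) for t in range(0, 60, 2)]    # HMI polls PLC A every 2 s
    + [(t, "10.0.1.10", "10.0.1.51", 1, 0x03) for t in range(0, 60, 2)]  # HMI polls PLC B every 2 s
    + [(t, "10.0.1.11", "10.0.1.50", 1, 0x10) for t in range(0, 60, 10)]  # engineering station writes every 10 s
)

def learn(records, window=10):
    # Model = per (src, dst) pair: the (unit, function) combos seen, and the
    # busiest request count in any `window`-second bucket. No rules written by hand.
    allowed, buckets, rate = defaultdict(set), Counter(), defaultdict(int)
    for t, src, dst, unit, fc in records:
        allowed[(src, dst)].add((unit, fc))
        buckets[(src, dst, t // window)] += 1
    for (src, dst, _), n in buckets.items():
        rate[(src, dst)] = max(rate[(src, dst)], n)
    return {"allowed": dict(allowed), "rate": dict(rate), "window": window}

def detect(model, records):
    # Flag each request that deviates: unseen talker pair, unseen unit/function
    # on a known pair, or more requests per window than the baseline ever showed.
    findings, seen, w = [], Counter(), model["window"]
    for rec in records:
        t, src, dst, unit, fc = rec
        pair = (src, dst)
        if pair not in model["allowed"]:
            findings.append((rec, "new talker pair"))
            continue
        if (unit, fc) not in model["allowed"][pair]:
            findings.append((rec, f"new unit/function 0x{fc:02x} on known pair"))
        seen[(src, dst, t // w)] += 1
        if seen[(src, dst, t // w)] > model["rate"][pair]:
            findings.append((rec, "request rate above learned ceiling"))
    return findings

# Constructed monitoring-phase traffic: normal HMI polling plus three deviations.
MONITORED = sorted(
    [(t, "10.0.1.10", "10.0.1.50", 1, 0x03) for t in range(100, 120, 2)]
    + [(t, "10.0.1.10", "10.0.1.51", 1, 0x03) for t in range(110, 117)]  # 7 polls in 7 s vs 5 per 10 s learned
    + [(103, "10.0.1.99", "10.0.1.50", 1, 0x03),   # unknown host queries PLC A
       (121, "10.0.1.10", "10.0.1.50", 1, 0x10)]   # HMI issues a write it never sent before
)

if __name__ == "__main__":
    for rec, why in detect(learn(BASELINE), MONITORED):
        print(rec, "->", why)
```

Note that a rate-only deviation is reported per offending request, so the learning window must be long enough to cover every legitimate polling cycle or routine maintenance traffic will be flagged as well.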
Machine Learning is a great feature to finally have in the products. It does require a lot of exclusions from what I have seen so far, as it is based on behavior.
It seems very exciting, yet it is just Symantec getting the basics right. The idea seems to be so simple, which makes it genuine and reliable. However, with the rapid change in ICS systems due to improved manufacturing and control processes, the question arises as to how much administrative overhead is needed to keep up.
So I wonder if the ICS in Iran could have been protected from Stuxnet with 'Anomaly Detection for ICS'? Still, it's a big gap for many companies. And it's good to see this challenging area being targeted by Symantec.
The most important aspect of analytics in the context of IT security today is user behavior analytics. Based on what has been reported, many of the recent and largest breaches, including Anthem and Sony Pictures, can be attributed to the theft of insider credentials, particularly those of privileged users. So understanding what behavior is normal for users and being able to identify behavior that is abnormal is a critical component of finding threats.
In IT security, we have relied heavily on static rules to detect threats based on known attack patterns. But if the steady revelation of new victims is any indication, that approach has long ago reached its limits. The recent development of the democratization of Machine Learning is an indication that it’s time to consider adding it to our security arsenal.
Machine learning reduces the need to hire additional data analysts and brings insights to the right decision makers at the right time. Nearly half of all IT security professionals believe there are skills gaps within their organization. By automating the process of recognizing valuable patterns in security data, businesses can focus on making better business and hiring decisions with data that is readily available to them. Machine learning is ideal for small and medium sized businesses as it is a cost effective way to keep security data controlled, and it eliminates the need to hire additional team members for data analysis.
In compliance, there are plenty of opportunities for missteps. Businesses must cope with staying up to date with complex regulations, time consumed by ongoing compliance monitoring and data gathering and the risks of potential errors or omissions. Clearly, streamlining compliance reporting can be a very smart business investment. The question is how to make it happen – how to move from ad hoc to more automated and auditable systems.
Technology moves swiftly. Nowhere is that more accurate than in the current state of machine learning. One merely has to look at the variety of ubiquitous technological experiences they undergo each day to find a myriad of machine learning applications at their core. Take, for example, the task of online shopping. Almost every large online storefront will recommend items you may want to purchase. In addition, these current technologies are being improved daily, with these improvements being fuelled by greater data analytics, reduction in the cost of computation, and advancements in the state of the art of machine learning research.
How does this integrate with Security Analytics for protecting ICS? I know several of the new features of SA were designed for addressing ICS security concerns.
Security Analytics now supports SCADA Protocol Analysis and delivers the power of Blue Coat Security Analytics to industrial control environments. Security Analytics monitors Modbus and DNP3 protocols that are common in networks that control operations at nuclear facilities, water treatment plants, power plants, oil refineries, manufacturing facilities, and numerous other industries. Use of Indicators, Rules (notifications) and Anomaly Detection is possible on indexed SCADA attributes.
Security Analytics now supports Anomaly Detection, which performs statistical analysis on your captured data and alerts you on anomalous behavior. When you pivot from the alert to the new Anomaly Investigation view, you can see when the anomaly occurred, how often, and which other endpoints were involved.
Thanks for all the comments. While I have responded individually to many of you, I also want to address some of the questions in the posts above here for everyone's benefit:
1. Airgapped systems: Airgapped systems don't affect the product. The product does not depend on any signatures being downloaded to it. The product is deployed within the subnet or network, with the ability to view the alerts on a central console. It just learns the behaviour of the network automatically once it is deployed.
2. Traditional devices (PCs, servers, mobile devices): Yes, the product can detect any device, since we also see traditional devices like servers and mobiles on the industrial side. But the product is meant to be deployed on the industrial/ICS network and not on the enterprise IT network.
3. Replacement of IT staff: I think the best systems use a combination of machine intelligence + human intelligence. In that sense this product will augment the IT staff, letting them focus their efforts and go deeper into a narrower set of issues that the product will identify. Also, a lot of emphasis has been put on minimizing false positives to give the operator the confidence that an alert is really an alert.
4. If you have any specific questions about the product, please send us an email at DL-IOT-Contact@symantec.com.
Thanks
Shankar
Not yet.
Is there any integration with DLP?
Airgapped systems don't affect the product. The product does not depend on any signatures being downloaded to it. It is deployed within the network or subnet. It just learns the behaviour of the network automatically once it is deployed.
It doesn't integrate as yet. But over time we will do it.
:). It will provide IT staff with the tools to better analyse and cover more ground. In my opinion the best systems are a combination of machine intelligence + human intelligence. It will allow the IT staff to focus and dig deeper on certain specific issues raised.
Yes, it works on all kinds of devices, though the intention is to deploy it on the industrial network side and not on the generic enterprise IT side (though we understand there could be traditional devices like servers, desktops and Macs on the enterprise IT side as well).
Hi
Airgapped systems don't affect the product. The product does not depend on any signatures being downloaded to it. It just learns the behaviour of the network automatically once it is deployed.
Yes. That's the intention. Plus, this has been purpose built for industrial systems, allowing a level of granularity that is otherwise not possible.
These legacy systems that have no planned sunset must be protected just as much as newer systems. Symantec adds network monitoring to its existing solutions in authentication and endpoint security. It helps us make sure that everything is monitored properly.
Behaviour learning is a great tool, and Symantec has put a feather in its cap with this technology. The detail is how efficient it can be on industrial equipment. In the case of Stuxnet, these are not very dynamic machines; they do not receive updates, and in the long run this can be a problem and in other cases an advantage. We will have to see how this idea can be developed.
I think it should be the vendor's responsibility that security is properly integrated into their product. It's good to see Symantec already do this to protect vulnerable devices. I can't say that I've ever heard of ICS before; it does sound good though.
I would be interested in knowing how Symantec implements these systems in an environment that is traditionally airgapped.
Machine learning is scary; it could put us all out of a job. I've never actually heard of ICS before; however, the Anomaly Detection sounds impressive! Great article as always.
Anomaly detection for industrial products sounds great. I'd love to see it in action and whether you would have to pick lots of holes in the product to actually make the system work.
Pretty impressive, sounds awesome.
This article reminded me of the Stuxnet detection and prevention video presented by Symantec a few years ago. I thought it was an amazing one, and I'm glad to see Symantec continue to improve security in industrial control systems. Securing ICS is a difficult task: the product not only has to protect the critical system, but also cannot create any other issues.
Anomaly Detection for ICS sounds like a great idea.
Symantec again is not sitting back but taking an active approach to combat threats.
WOW...!!! Anomaly Detection for ICS by Symantec.
I couldn't be more impressed.
This is like SDCS for ICS. Amazing.
Does this integrate with any other software?
Yes, Symantec adds network monitoring to its existing solutions in authentication, endpoint, application, cloud, and data center security for industrial systems.
I've never heard of ICS before. I imagine that securing industrial control systems is incredibly hard! Thanks for enlightening me to this aspect of security.
One could wonder if, the more software Symantec develops that relates to machine learning, they could be trying to put us IT staff out of a job! ;-)
But seriously, it does help us to ensure everything is properly monitored and caught before it gets worse or reaches our internal network. Basically, it's a 'software tool' to help keep us on our toes! :D
@Symantec you have managed to impress me again!
I'm still learning about the ICS product suite, but as I do work for an industrial company, we need to look into using this product. By having another product in the suite that learns the system and watches for anomalous behavior, you guys have another award winning product!
I would be interested in knowing how Symantec implements these systems in an environment that is traditionally airgapped. From what's being suggested in the blog post, it sits within the network, learns what the current state is and monitors deviations from that? There's no need for a connection outside of the local network due to the nature of what's being monitored.
Great Article @Symantec.
I like the sound of the Anomaly Detection product. These legacy systems that don't have any sundown planned need to be protected just as much as newer systems. The problem is that a lot of these systems don't have any documentation or any application owners who still know how they all work in order to protect them. These new products can now get a baseline of what's going on in order to detect these anomalies.
Appreciate the product development for this.
And Symantec continues to impress. Ultimately, it should be the vendor's responsibility that security is properly baked into their product(s), but we all know that is not the case. It's wonderful to see Symantec taking the lead on this and proactively defending these vulnerable devices.