How well do firewalls secure my OT networks?

When discussing industrial cybersecurity requirements, the term “intrusion detection system” is often mentioned. But what exactly does it entail? And what capabilities must it offer in industrial environments?

Author: Uwe Dietzmann, Sales Manager at Rhebo

People love to kill two birds with one stone (well, not literally, of course!). And as much as we ourselves strive for simplicity in OT security, we must keep the world’s complexity – and a company’s complex connections, exposure and interdependencies – in mind.

Just look at what the EU NIS2 Directive requires:

  • determine the internal and external cyber risk,
  • periodically evaluate the deployed security measures (who watches the watchmen?),
  • establish solid vulnerability and patch management,
  • incorporate the cyber risk of your supply chain.

Without an intrusion detection system – that is to say “a network security tool that monitors network traffic and devices for known malicious activity, suspicious activity or security policy violations”[1] – this will become quite a headache. The reason is clear: to comply with the requirements above, one needs a) visibility into devices, systems AND networks, and b) methods to deal with the residual risk that inevitably remains.

“Residual risk?” you might wonder. “I want 100% security!” Spoiler alert: there is no such thing in cybersecurity, and probably never has been. And with growing interconnectivity, interdependencies and loads of legacy technology, the threat landscape just keeps expanding:

  • The majority of industrial systems are equipped with minimal or no security mechanisms. It must be assumed that there is a high number of un(der)reported (zero-day) vulnerabilities, and according to analyses of cyber insurance claims, the exploitation of vulnerabilities ranks first among initial attack vectors.
  • Every OT environment has a legacy system or uses legacy protocols somewhere, whose security gaps can no longer be patched (Fig. 1).
  • Credentials in OT are often very easy to guess.
  • In OT environments, service providers often have extensive authority to configure and maintain devices. Infected maintenance laptops or compromised updates (keyword: supply chain attack or supply chain compromise) can thus easily find their way into the OT.
  • The supply chain is becoming increasingly opaque. Software developers have long relied on third-party libraries and software components. Hardware also often contains individual parts from dozens of upstream suppliers that you yourself have no overview of.
  • IT/OT convergence and the increase in remote access via VPN are bridging the former air gap between manufacturing and the outside world. Edge devices and VPN access in particular are increasingly becoming the target of attackers.
  • Traditional security tools for end devices can only be used to a very limited extent in OT due to limited computing capacities.

Ask yourself: Are firewalls sufficient in these cases? Or a Security Information & Event Management (SIEM) system?

Fig. 1: The most typical security risks in OT networks (taken from Rhebo Industrial Security Assessments in industrial companies and critical infrastructure)

Every tool has its place

The short answer is: no. The slightly longer one: you wouldn’t attempt to build a car with only one screwdriver, would you? The same goes for an effective intrusion detection system. It is a combination of tools that enable the detection of specific threat types at specific locations in your infrastructure.

This multi-level approach is crucial, because perimeter security provided by firewalls alone is no longer sufficient. This is evident from statistics from recent years: the majority of initial attack vectors on companies exploit vulnerabilities and stolen access data. The attacks thus bypass the firewalls. This results in the need to establish another instance—a second line of defense—within the perimeter (Fig. 2).

The firewalls secure the industrial infrastructure as the first line of defense at the network and segment perimeters using pattern recognition against known attack tactics and the most common risks.

A network-based intrusion detection system (NIDS) monitors the inside of the networks. It consists of OT monitoring with anomaly detection, which identifies CVE vulnerabilities on OT systems and detects suspicious activity. It forms the second line of defense by detecting activities within the networks that firewalls are blind to. These malicious activities range from exploited vulnerabilities and network access using stolen credentials, to the introduction of malware via the supply chain (vendor, service provider), to lateral movement by successful intruders and configuration changes.

Fig. 2: OT monitoring with a NIDS provides the homeland security in your OT security strategy

The SIEM, in turn, acts as the mastermind of cybersecurity by intelligently consolidating and evaluating all data sources for cybersecurity alerts. A SIEM is therefore powerless without data sources in the respective areas to be protected. OT monitoring, end device logs, and firewalls are important data sources in this context. Similarly, a SIEM only becomes a useful tool once the network structure has reached a certain size and complexity.

Integrating network monitoring is easy

This may sound overwhelming at first, but it is easier to roll out than you might think. The German NIDS Rhebo Industrial Protector, developed for OT environments, can be integrated into production lines via a switch mirror port or as a software agent without interrupting production. The NIDS continuously and passively reads and analyzes all OT communications without interfering or causing latency. In the first step, a baseline of expected, legitimate traffic is established in collaboration with Rhebo experts. During day-to-day operations, deviations from this baseline are reported in real time as anomalies and documented, including forensic data. This enables cybersecurity teams to monitor their industrial facilities 24/7 and perform in-depth forensic analysis of all security incidents in manufacturing. Being a German company, Rhebo also ensures that sensitive plant data does not leave the site and that digital sovereignty is strengthened.
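To make the baseline-then-deviation idea concrete, here is an added toy example (not Rhebo’s code, and not how Industrial Protector is implemented): a learning phase records which conversations and operations are normal, and the detection phase classifies the deviations the article names (a new host, a known host reaching a new target, a new operation such as a write on a conversation that only ever read). All hosts, ports and operation names are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, operation). The operation
# stands in for the protocol dissection a real OT NIDS performs on the mirror port.
LEARNING_PHASE = [
    ("10.0.1.10", "10.0.2.20", 502, "modbus_read_holding"),
    ("10.0.1.10", "10.0.2.21", 502, "modbus_read_holding"),
    ("10.0.1.11", "10.0.2.20", 102, "s7_read_var"),
]

LIVE_TRAFFIC = [
    ("10.0.1.10", "10.0.2.20", 502, "modbus_read_holding"),    # matches baseline
    ("10.0.1.10", "10.0.2.20", 502, "modbus_write_register"),  # new operation on a known pair
    ("10.0.1.11", "10.0.2.22", 102, "s7_read_var"),            # known host, never-seen target
    ("10.0.9.99", "10.0.2.20", 502, "modbus_read_holding"),    # source host never seen before
]


def learn_baseline(records):
    """Map each (src, dst, port) conversation to the set of operations observed."""
    baseline = defaultdict(set)
    for src, dst, port, op in records:
        baseline[(src, dst, port)].add(op)
    return baseline


def detect_anomalies(baseline, records):
    """Return (record, reason) for every flow that deviates from the learned baseline.

    The reasons map onto the article's threat classes: an unknown host talking to
    OT assets (intruder or infected maintenance laptop), a known host reaching a
    new target (lateral movement), or a new operation such as a write where only
    reads were baselined (configuration change).
    """
    known_hosts = {k[0] for k in baseline} | {k[1] for k in baseline}
    anomalies = []
    for rec in records:
        src, dst, port, op = rec
        key = (src, dst, port)
        if src not in known_hosts:
            anomalies.append((rec, "unknown source host"))
        elif key not in baseline:
            anomalies.append((rec, "known host, new destination/port"))
        elif op not in baseline[key]:
            anomalies.append((rec, "new operation on known conversation"))
    return anomalies


if __name__ == "__main__":
    for rec, reason in detect_anomalies(learn_baseline(LEARNING_PHASE), LIVE_TRAFFIC):
        print(f"ANOMALY {reason}: {rec}")
```

In practice the baseline would also carry timing and value ranges, and each alert would be stored with the captured packets so that the forensic follow-up the article mentions is possible.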


[1] https://www.ibm.com/think/topics/intrusion-detection-system
