RadarServices, Europe's leading technology company in the field of Detection & Response, and CSPi, provider of advanced managed security products, Ethernet-based security products, and IT technology security services, launch the new RadarServices portfolio for industrial security at this year's Hannover Messe.

The demand for industrial cybersecurity is very strong: in 2017, many production plants ground to a halt as a result of cyber attacks. Since then, the security of production plants has taken on a new meaning. RadarServices is showcasing its new and comprehensive cyber security solution in this field at the Hannover Messe trade fair for industrial technology, in Hall 6, Stand C16. Together with its partner CSPi Germany, the experts will be the central contact point in the specially created industrial security zone at the world's leading industry trade fair, which takes place from 23 to 27 April 2018.

Industrial security: the major challenges

Acute threat level

In 2017, the world was turned upside down. Damage running into billions was caused by a number of cyber attacks. For the first time, global market leaders and global logistics giants were made aware of security flaws in their systems and of the vulnerability of their operational technology (OT). NotPetya and Petya, WannaCry and Industroyer malware showed that no industry is immune to serious attacks.

The elimination of known IT security flaws should be standard practice in companies – but this is often not the case. Processes between IT security and IT operations do not always run smoothly. No checks are made on whether and when patches are applied. And then it happens: the malware spreads throughout the world within minutes, business processes are brought to a standstill and overnight, companies find themselves the focus of international media coverage. All of a sudden, “urgent help” is needed on an unprecedented scale.

Patching industrial control software is made more complicated because the systems have to run 24/7 and cannot be restarted. Installing updates: impossible! The outcome: seriously outdated control software.

OT in the shadow of IT – who is responsible for OT security?

In recent years, major corporations have come to realise the importance of a Chief Information Security Officer with the role becoming defined and established. Things are different in OT: there are hardly any companies where the security officer role even exists. IT and OT security are also developing at quite different speeds. There are numerous solutions and services for IT, but the number of OT suppliers worldwide can be counted on one hand. Plus: OT and IT run in parallel. This means that they have different processes, standards and priorities. Security systems in OT primarily protect processes and avoid critical incidents, or ensure standby emergency power in the context of physical security.

IT teams tend to have less experience of industrial systems, some of which date back several decades. IT had little influence in OT for many years; it was only the advent of "Industry 4.0" that brought the breakthrough. Automation processes in OT were hurried along by applying IT developments and links with IT. OT and IT are now closely interconnected, communicate constantly with one another and their working processes are seamlessly intertwined. Plant operators monitor and control remotely, embedded systems communicate independently with one another, cloud planning systems calculate job steps and machine scheduling, and maintenance personnel gain access and make changes to configurations from all over the world. And security? It is lagging behind.

Risk scenarios in the complex world of OT

There are many gateways for attackers to exploit. Three examples illustrate the diverse opportunities available to an attacker:

Attackers introduce malicious programs and completely block production and logistics. Production and utilisation data are inspected, application and system data manipulated. In the worst-case scenario, a crippled or misdirected machine causes physical damage to its surroundings.

Commands are given to industrial robots by embedded systems, which are usually connected to a PLC. The control components are connected to the Internet. An attacker can therefore read out the application and system data, inject data packets and subsequently sabotage anything from production lines and connected systems to the whole of the company IT.

Attackers use and influence human behaviour via social engineering, in order to access data, bypass protective measures or install malicious code on people’s computers. This is how they achieve their aim of staying on, undisturbed, in the company network and even reaching the production network.

Safeguarding OT: these are the tasks

Establish structures, standardise strategies

IT and OT connectivity keeps expanding. The same principle applies to IT and OT security: IT and OT strategies and structures must be standardised and processes must be harmonised.

Separated responsibilities must be eliminated and data silos broken down. Attackers engage in months of preparation and remain in the network. Their gradual scanning and penetration of a network and all its components leaves traces behind, which attract attention if IT and OT security is monitored continuously. Attackers are then stopped before they reach their target, in this case the control systems of the production plants.

Sharing an IT and OT analysis platform, result processing and reporting to all stakeholders in the company, including security teams, operations and company management, will simplify the process appreciably.

Establishing an OT early warning system

Attacks cannot be prevented. The more a company focuses on promptly detecting actual IT risks instead of repulsing “imaginary” dangers, the more efficiently and purposefully it uses its resources and the more it limits the damage in the event of an attack.

This approach requires continuous OT security monitoring and structured processes. The requisite technology includes OT risk detection modules for analysing network traffic (industrial network & behaviour analysis), analysing log data (industrial system log collection & analysis) and analysing vulnerabilities in selected areas (selective vulnerability management & assessment). The findings from these risk detection modules must be correlated within each module and cross-correlated between modules by an advanced correlation engine. Comprehensive correlation of the findings is also one of the requirements for detecting the suspicious behaviour of hidden or as yet unknown forms of attack. The findings must subsequently be analysed, assessed and prioritised by experts.

Gaining access to expert know-how

Machine learning is also a significant trend in IT and OT security. But as things stand at present, it is not yet possible to replace the analytical skills of human beings. Security-relevant information that is collected by automated means has to be analysed, assessed and prioritised by experts. This is the basis for initiating the correct countermeasures. The automated components of the risk analysis software also have to be continuously developed using the latest information and insights, and the policies and rules within the risk detection modules and the advanced correlation engine have to be adapted accordingly.

Expert know-how is one side of the coin. Insights into the security situation must also be presented centrally and in the form of detailed and comprehensible reports and statistics on a daily basis, both for internal security teams and for company management. The information must focus on crucial events, so that remediation can concentrate fully on what is actually important. In urgent cases, alerts must be triggered in all the right places.

The latest development from RadarServices: converged IT and OT security

An integrated approach must be taken to establishing IT and OT security. RadarServices provides companies with all the technologies for risk detection and the correlation and presentation of findings – for IT and OT security individually, as well as jointly. If requested by the customer, the requisite expert services are also provided in the context of managed security services.

The main focus is always on prompt risk detection. This is the basis for the correct countermeasures.

The portfolio includes:

  • IT risk detection modules
    • Security Information & Event Management (SIEM): creating an alert in the event of security issues or potential risks through the collection, analysis and correlation of logs from various sources.
    • Network-based Intrusion Detection (NIDS): high-performance analysis of the network traffic is used for signature- and behaviour-based detection of dangerous malware, anomalies and other network traffic risks.
    • Vulnerability Management and Assessment (VAS): a 360-degree overview of potential security flaws in operating systems and application software, and the monitoring for anomalies of all data flows on the network.
    • Advanced Cyber Threat Detection (for Email and Web, ATD): the deployment of next-generation sandbox technologies to detect “advanced malware” in emails and web downloads.
    • Host-based Intrusion Detection System (HIDS): the collection, analysis and correlation of server and client logs as well as rapid alerting when attacks, misuse or errors are detected.
    • Software Compliance (SOCO): automated monitoring of adherence to compliance regulations and the immediate reporting of breaches to minimise compliance risks.
  • OT risk detection modules
    • Industrial network & behaviour analysis: Identifying protocols and applications in network traffic, analysing extracted data and visualising anomalies to create clarity regarding the ongoing situation. The DPI (deep packet inspection) solution R&S®PACE 2 classifies and decodes the data streams down to the content layer. Authorised protocols are thus also checked for hidden attacks. Security problems originating from infected machines, incorrect configuration or potential cyber attacks are detected.
    • Industrial system log collection & analysis: Collection, analysis and the correlation of logs from different sources in the OT environment, for warning when there are security problems or potential risks.
    • Selective vulnerability management & assessment: Vulnerability scans (vulnerability management and assessment, VAS) are run in selected areas and environments. Scanning does not cause any data availability or integrity problems.
  • Advanced Correlation Engine
    • Correlation within a module as well as cross-correlation of information from various modules results in superior detection of risks and security flaws and a rich view of enterprise activity.
  • Risk & Security Intelligence Team
    • The Risk & Security Intelligence Team analyses, consolidates and assesses all data delivered by the automated monitoring and detection modules to form superior risk and security information. False positives and false negatives are eliminated.
  • Risk & Security Cockpit
    • The Risk & Security Cockpit is the central source for risk and security information. Customised and easy to understand reports and statistics are available on the push of a button.
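A worked illustration of the correlation step described above (findings from the three OT risk detection modules correlated per asset, so that assets with corroborating evidence from several modules are prioritised for expert review and alerting), as an added example and not the RadarServices correlation engine: the module names follow the page's OT modules, while the asset ids, findings, scores, weights and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample findings from the three OT modules named on the page:
# "network" (industrial network & behaviour analysis), "log" (industrial system
# log collection & analysis) and "vas" (selective vulnerability assessment).
# Asset ids, details and scores are invented for illustration.
FINDINGS = [
    {"module": "network", "asset": "plc-07", "detail": "unexpected write command from engineering workstation", "score": 5},
    {"module": "network", "asset": "hmi-02", "detail": "previously unseen protocol on the cell network", "score": 2},
    {"module": "log", "asset": "plc-07", "detail": "configuration change outside maintenance window", "score": 4},
    {"module": "vas", "asset": "plc-07", "detail": "firmware version with known weaknesses", "score": 3},
    {"module": "vas", "asset": "hist-01", "detail": "default credentials still active", "score": 4},
    {"module": "log", "asset": "hist-01", "detail": "30 failed logins in five minutes", "score": 3},
]

# Assumption: a scan finding on its own is weaker evidence than observed behaviour,
# so vulnerability findings are weighted lower than network or log observations.
WEIGHTS = {"network": 1.0, "log": 1.0, "vas": 0.5}


def correlate(findings):
    """Group findings by asset. Priority grows with the weighted scores and
    doubles for every additional module that independently reports the asset,
    which is the cross-module corroboration the text calls cross-correlation."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f["asset"]].append(f)
    results = []
    for asset, fs in by_asset.items():
        modules = {f["module"] for f in fs}
        base = sum(WEIGHTS[f["module"]] * f["score"] for f in fs)
        priority = base * (2 ** (len(modules) - 1))
        results.append({"asset": asset, "modules": sorted(modules),
                        "findings": len(fs), "priority": priority})
    return sorted(results, key=lambda r: r["priority"], reverse=True)


def triage(results, alert_at=20.0, review_at=5.0):
    """Map each asset's priority to an action: immediate alert, queue for expert
    review, or log only. Thresholds are constructed for this example."""
    actions = {}
    for r in results:
        if r["priority"] >= alert_at:
            actions[r["asset"]] = "alert"
        elif r["priority"] >= review_at:
            actions[r["asset"]] = "review"
        else:
            actions[r["asset"]] = "log"
    return actions
```

With the sample data, plc-07 is reported by all three modules and is the only asset that triggers an alert, whereas the same findings taken module by module would each remain a medium-severity event.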