Artificial intelligence and machine learning (AI/ML) are tools that you’re hearing a lot about lately. In fact you may already own a device or tool that purports to use AI.
A graphics program called Luminar AI has several AI/ML tools built in. However, you can’t expect it to read your mind as you process photos. While it has some predefined rules, which make it very useful, Luminar AI needs to process several photos to learn what it is you find important in a photo—be it a portrait, landscape or something else.
So while the AI/ML tools we’ll talk about here can help you ferret out bad actors in your IT and OT networks, sometimes a human set of eyes and brain remain the best tools to prevent a potentially disastrous situation from occurring. Case in point: the recent hack of a Florida fresh water utility in Oldsmar. Had it not been for an attentive operator who spotted suspicious activity on his screen and put an end to it, a bad actor might have been able to alter the pH balance of water leaving the utility to customers—not that this would have resulted in any immediate crisis. (See “Remote attacks on process/automation systems can wreak havoc,” FE, Feb. 17, 2021.) [1]
This incident begs the question, how did the hacker get into the process control system in the first place? Well we know it was through a remote desktop program called TeamViewer, used occasionally by the operator’s supervisor to check system status from home. So then the next question: How did the hacker get into the remote desktop program? Human engineering? Sloppy security? Firewall/router issue? What else? There could be any number of reasons—but you can’t necessarily expect even an AI/ML-based machine or system always to cover human mistakes.
According to the Claroty “Biannual ICS Risk & Vulnerability Report: 2H 2020,” there’s plenty of blame to go around in terms of vulnerabilities to industrial control systems (ICSs). Claroty’s researchers found that nearly 72% of vulnerabilities to ICS equipment are exploited through a network attack that is remotely exploitable, and nearly 80% of the vulnerabilities that don’t require user interaction are remotely exploitable. (For more information, see FE’s March 2021 Manufacturing News.)
“Security is as much, if not more, about the people as it is about the tools.”
— Wes Sylvester, global director, Industrial & Consumer Go-To-Market, Cisco Systems
Why aren’t yesterday’s cybersecurity tools always effective?
It’s not always that the tools are seemingly ineffective, especially if they’re not used.
“Established network security tools actually have a great probability of success in guarding and protecting industrial control systems because, like industrial control systems themselves, they are a proven and trusted means of establishing control,” says Wes Sylvester, Cisco Systems global director, Industrial & Consumer Go-To-Market.
“Part of the challenge in protecting internet connection sharing networks is that [manufacturers] don’t always use those network security tools. Cisco is teaching a whole different group of people—who are sometimes outside of IT—how to secure their networks. Security is as much, if not more, about the people as it is about the tools. This is one reason why Cisco has a manufacturing solutions team—people who have worked in the industry, who continue to learn about how it is changing, and bring best practices with them to help manufacturers adapt to changing environments.”
Malware has been overwhelmingly the most frequent tool of choice for malevolent actors when attacking manufacturing systems, says Sylvester. Ransomware specifically is the means of extracting money from victims—hence the motive is largely financial. The malware families used by hackers are largely well known to the IT security community, and thus the means of mitigating their impact is understood. The key is having effective people in place that know how to use those tools to protect the IT/OT environment. In today’s world of interconnected IT/OT systems, this is more important than ever before.
Unfortunately, the efficacy of air gapping (no external LAN connections) OT networks is no longer practical as organizations are increasingly converging their IT and OT environments, whether intentional or not, says Barak Perelman, Tenable vice president, OT security. “This leaves systems exposed and security teams without the proper visibility, security and control necessary to thwart attacks.”
“OT environments are increasingly being targeted because these systems are evolving faster than the OT security that should be implemented,” says Sylvester. “We are seeing more attacks that start on the IT side and move to the OT side, which is often seen in converged IT/OT systems.”
Another common technique is targeting and infecting a seemingly trustworthy third-party operation to gain access through elevated credentials, says Perelman.
While AI/ML techniques may be key to stopping advanced hackers, often the ICS suffers from basic issues, says John Livingston, Verve Industrial CEO. “Many industrial environments today are ‘insecure by design.’ What we mean by that is they do not have the same rigorous security regimes that apply to most IT departments. For instance, many industrial environments have remote access to allow OEM vendors to access the control system for tuning or maintenance. They may not have strong firewall protections separating critical systems from corporate IT systems.”
“For years, we saw insider threats as the biggest threat facing OT security, but for the first time, that’s changing. There’s now an equal concern around external threats, whether from nation-states or ransomware.”
— Barak Perelman, vice president, OT Security, Tenable
Livingston points out another basic problem. Most OT endpoints are not “managed” as IT endpoints are with regular patching, configuration hardening, and user/access control. As a result, in many cases, the attackers do not need to be very sophisticated to gain access. For instance, as described earlier, during Super Bowl weekend this year, an attacker accessed the water department of Oldsmar, Fla. This “advanced attack” only required the hacker to find an internet-accessible port and leverage TeamViewer to access the control system HMI and change the settings of critical chemicals from 100 ppm to 11,100 ppm. Fortunately, the attacker wasn’t advanced enough to hide his/her actions, but this type of remote access insecurity is present in way too many industrial environments. Frankly, “yesterday’s” network security would be incredibly beneficial as step one in many industrial contexts, says Livingston
Are criminals smarter—or are hacking tools better?
Though hacking tools are quite prevalent, one way bad actors use technology is by sharing their techniques and growing their base, says Cisco’s Sylvester. “It’s less about the tools and more about the quantity of attacks that exist daily because of the ease of sharing in the hacker community. Many open-source tools, exposure to ‘how-to’ and attack infrastructure have brought about the industrialization of criminal intrusions and exploitation.”
How do you go up against this literal tsunami of attacks? “Our approach to protect against these attacks has to be tool driven and easily scaled across the ICS landscape,” says Sylvester. Another one of the gaps Cisco is focused on closing is the lack of discipline, training and head count at the ready to build out defenses and detect intrusions. It’s definitely a “cat-and-mouse” game, where Cisco teaches and trains a workforce to stay ahead of the bad actors who are also sharing their techniques. This is where a solution such as Cisco’s Talos Intelligence Group can play such an important role, helping customers to better understand the threats out there, how to identify and detect vulnerabilities more quickly and how to effectively protect themselves from those threats, adds Sylvester.
Fortunately, many of the same techniques that have proven effective on the IT side of the enterprise can also be applied to OT, says Tenable’s Perelman. Malware, worms and ransomware are all common methods of attack. For hackers, however, launching effective attacks on the OT network is more challenging and involves:
- Spending significant time in performing reconnaissance, gaining “red button functionality” and launching an attack at the time of their choosing
- Deception by using stolen credentials of a valid insider
- Launching attacks on the IT side and migrating to OT (or vice versa); essentially using the weakest link to get into the system and evading detection by operating in the security blind spots
Are criminals smarter… or is it their tools? “Smarter is a tough word to use; ‘more advanced’ certainly,” says Verve Industrial’s Livingston. On one hand, they have to become more advanced to keep up with the defenses in IT.
On the other hand, OT or industrial control systems pose a different reality for the attacker. In most of these environments, the defenses are lower than they would be in the IT world, says Livingston. “The sad reality is that our OT defenses have not kept pace. The advantage has been ‘security by obscurity.’ By this we mean that these systems are not well known by anyone. To learn how control systems truly work—and how to hide your behavior—is not easy. They are monitored regularly by operators with alarms and safety systems designed to stop the process in the event of anomalous behavior. While the true ‘cyber security’ defenses are low…the operational defenses are quite high.”
The fear, however, is that attackers are increasing their focus on OT and, therefore, their knowledge of these systems, says Livingston. One way of measuring this is the number of vulnerabilities that are published each year for ICS systems. In 2020, the number of vulnerabilities disclosed for ICS systems increased by almost 50%, over the previous year, and the criticality of those risks increased by 40-plus percent.
Also important, says Livingston, over two-thirds of these vulnerabilities were discovered by third-party researchers, not the vendors themselves; this is known as a zero-day vulnerability, when the vendor is not aware of the vulnerability nor has it been fixed. This means that hackers are out their researching, too. “If the ‘white [hats]’ are researching,” says Livingston, “we can be sure the ‘black hats’ are as well. As a result, we are in a race… can we add the necessary defenses before the defensive advantage of ‘obscurity’ goes away?”
“The sad reality is that our OT defenses have not kept pace. The advantage has been ‘security by obscurity.’ ”
— John Livingston, CEO, Verve Industrial
Can AI/ML be more effective than straight-ahead network monitoring tools?
AI and ML can be used when large enough sets of data reflecting network and application behaviors are available, says Cisco’s Sylvester. What they may add can vary according to the AI/ML models’ ability to reflect the threats in the monitored space. In cases where the OT intrusion is similar to that found in the traditional IT network, the same AI techniques can be used in-plant.
For more site-unique conditions, the use of pre-existing models and learning sets are developed, and then those models have to “learn,” adds Sylvester. Until those models are properly trained, evaluated and confirmed, traditional analysis will continue to provide the best benefit. For ICS systems, even adding basic “machine awareness” can increase security significantly. For example, the network “knowing” that a security camera should not talk to a drive motor could prevent some very real risks. This is true for both well-intentioned internal errors (e.g., a technician makes a PLC programming error) as well as bad actors.
So how do AI/ML techniques fit in? Verve Industrial’s Livingston likes to use a football analogy. Attackers understand the keys to avoid being observed in a traditionally secured network. For years, they have had to fight against the best defenses in the world. As a result, their offensive skills get better and better. “It is as if your offense had to play against the Chicago Bears 1985 Super Bowl defense every day,” says Livingston. “You will find new ways to do things to fool the defense. This is why we now have the spread offense or the run-pass option. Offenses evolve to find ways to beat the best defenses, etc.”
So, in IT, traditional network and endpoint protections have been in place for years, adds Livingston. “Offenses have learned how to adapt. In OT, many of those traditional defenses aren’t in place…think of the Bears during the 2000s rather than 1985.
“So, how can you use AI/ML to defend something that is not defended well today? You use what is unique about OT to secure OT, and that is the physical process itself,” says Livingtston. Most of these industrial processes are built to operate in particular ways with very specific set points, flows, etc. Where AI/ML can be most useful is in combining the monitoring of these physical processes as well as the network and endpoint behavior to draw linkage between the control system and the physical process behavior to identify when actions on the controls create unwanted results in the process.”
“Certainly, we should deploy network protections… both traditional and more advanced AI/ML network protections,” says Livingston.” But the real power of AI/ML for OT is to combine that with the process data and use the ‘process to protect the process.’”
With all the emphasis on network security, Livingston reminds us not to forget the endpoint. “Our view is that [network security] is too limited of a view. This is really a system security that includes endpoint as well. Too often industrial leaders think ‘we can’t really do anything to protect the endpoints because they are embedded, or the OEM doesn’t allow us to do endpoint protection or patching.’ The reality is that you can…and we have proven it with the Verve Security Center. If you said to IT security people that you can only use “network security,” they would fight a losing battle. If we are to defeat the attackers, OT leaders need to employ both network and endpoint security to get there.”
AI/ML: Hardware, software, services and more
To thwart nefarious hack attacks manufacturers will need—to use football jargon—a playbook that consists of several and varied defensive and offensive measures. So if you ask where AI/ML should be deployed, a good answer might be here, there or anywhere—wherever the need arises. This is where you need expert coaches who’ve seen it all and can anticipate the next hacker offensive tactic. At the same time, you need all your team members on board and in the huddle. Beating hackers and depraved criminal minds won’t happen with a single star quarterback—it takes a team.
“Security is about people, process and technology—in that order,” says Sylvester. “Much of what we focus on is ‘how’ to address customer security challenges instead of a product-first approach. Technologies succeed only when the people can apply them in a proper process.”
“We invest heavily in the creation and deployment of Cisco Validated Designs—a thorough and evolving set of documents which go into great detail on what to do and how to do it,” adds Sylvester. “There are no magic technology shortcuts—you must establish the basics and apply them vigorously. From there you can grow into more sophisticated solutions but without the basics, the foundation will crumble and your defenses with it.”
Typically, says Sylvester, Cisco’s AI/ML based offerings are cloud hosted where a larger variety of training data sets can be applied. On-premise solutions can be provided as well, and some models learned from the cloud can be brought to on-premise deployment. The more unique the environment, however, the less likely it is be reflected in prior “learnings.” Services can be applied to help detect traffic of interest more rapidly but it does suggest that the AI is less artificial and the ML has reduced machine influences.
Perelman’s team provides flexible options that are dependent and recommended, based on each manufacturer’s situation. It’s not likely that any two operations will be the same. So, cybersecurity systems need to be tailored to fit the operation.
“In our view, the right combination is software and services,” says Verve Industrial’s Livingston. “Hardware itself is less critical as much of it can be virtualized today. But when people tell you that software will magically detect everything without humans, they are lying. At a minimum you need to tune the AI/ML to the particular environment. But on an ongoing basis, you need services that understand the OT process. These service personnel will help both build the right signatures, but also ensure that the response to any true threat takes into consideration the operational reality of the industrial process.”
In terms of services, Cisco has network security services for design, deployment and ongoing support. There are also incident response services. It very much depends on where the manufacturer is in its industrial security lifecycle, says Sylvester.
“Our company has been around for nearly 30 years as a control systems integrator,” says Livingston. “This means that we have been helping customers across a range of industries in designing and securing their systems—well before we were a software company. As a result, our team brings this deep process knowledge to the deployment and management of OT security.”
References and links
For a complete list of references and links to this article, scroll to the end of this article and click the “NEXT” button.
For more information:
Cisco Systems, https://www.cisco.com/
Claroty, https://www.claroty.com/
Tenable, www.tenable.com
Verve Industrial, www.verveindustrial.com