17 Oct To prevent or to detect… this is the question
Trying to detect threats is a complex task: many considerations come into play, such as software configuration and modelling, evaluation of action indicators and statistical analytics. The result is a complex scenario in which the effectiveness of threat detection depends more on the faults and errors of the hackers than on the ability of the IT department.
But luckily, complex questions sometimes have simple answers. In fact, talking about IoT security, we have already argued in other posts how the determinism of industrial communication can help to design a traffic communication matrix, which is used to let production traffic continue while employing the network nodes to block stray traffic.
This shifts your defence objective from detecting threats to avoiding them. This new approach completely changes the security perspective by creating a planned and measurable defence strategy with a defined security level.
The security level is defined in the planning and implementation phase, and the control of the achieved security level depends only on the system working correctly. If the system is operating properly, the planned level of security is what is achieved regardless of correct or incorrect user actions, which means that user actions must have a negligible effect on the total security of the system, shielding it from operational inefficiencies or deficiencies.
Define the security target
The first step to climb is to define a security level in line with the security requirements. This is one of the most important problems to be faced, the security target: once the objective is clear and measurable, its implementation will be easier. Nowadays there are many security standards to refer to, such as ISA/IEC 62443 and NIST 800-82, to mention the two main ones, but I don't want to go too far, so when talking about a predefined security level we can assume that it is the result of a security assessment that does not necessarily correspond to any predefined level of the IEC 62443 standard.
In fact, the choice of where to set the bar for security is up to you; it can be compliance with a predefined Security Level or just some directives. What needs to be clear is the set of actions, users and mandatory procedures.
What you want to avoid is defining generic objectives more related to technology acquisition than to solving security issues. Try asking yourself: do I need a padlock, or do I need to keep the door closed? Rather than buying security devices, your objective must be to "buy" security, and this means being able not only to reach the security goal you have in mind but to maintain it over time, hopefully with the lowest possible effort.
How to implement it
Once the security target has been defined, planning and implementation come into play; this is the right time to make technological choices. It is straightforward to understand that complex problems such as keeping a system secure can only be solved by paying attention to all the resources, tools and users that are part of it. So beware: the following are some simple but common mistakes to avoid:
- Do not establish any security procedure that cannot be easily maintained. It seems strange, but it is quite common to find operational procedures devoted more to pure formal correctness than to practical utility. It is also easy to find widespread slackness towards incorrect procedures and policies.
- Keep in mind everyone's different goals. It does not matter what is important to you; people are driven by personal goals, so everyone has a different objective to reach. Allow everyone to reach their working goals in a secure way.
- Technology and tools must be wisely dosed: do not hide procedural issues behind the provision of new technology, and do not bury your staff under tools to obsessively command and control everything. Keep your strategy simple. OT operators are your allies in preventing security issues, while the IT department is there to detect malicious activity; it is clear that the two halves of the apple need different technology and tools.
- Check, verify, inspect without being intrusive. Once you have found the way to reach a predefined security level, there cannot be any real protection without the awareness that it is constantly maintained. Security procedures can be effective only if they are maintained. Resilience must be your security mantra.
Detection is good, prevention is better
To conclude, implementing an effective industrial security strategy means creating a security layer on top of your company's current activities.
It must be as effective, clear and understandable as possible for your operators, which means minimizing the impact on the current operating procedures in your company and giving operators as little extra work as possible.
Let's look at the two fundamental parts, detection and prevention, and try to summarize which fits the industrial sector better.
Threat detection is quite effective in a perimeter network in which internal hosts have their own security countermeasures. This is certainly the case for IT networks, which have known boundaries. The network perimeter is generally protected by a firewall, while hosts are protected by their own firewall and antivirus. The defence strategy is to detect threats as they attempt to enter or spread and to use automatic remediation to quarantine them. The effectiveness of this strategy in IT domains comes from the informatic nature of the protected assets: a cyber threat is fought by cyber means, and if a battle is lost, it is better to switch off the compromised resource in order to win the war.
Obviously, threat detection results in automatic resource disconnection and affects business continuity. This is the standard remediation, a bitter but necessary remedy to prevent the threat from propagating to the rest of the network.
But this is not the case for industrial IoT networks; in fact, I have already explained the lack of a defined perimeter as well as the impossibility of protecting internal hosts, due to the obsolescence, heterogeneity and nature of industrial assets. Try installing an antivirus or a firewall on a PLC, if you can. Moreover, a break in business continuity is not acceptable, and leaving the "cyber battlefield" by switching off an industrial asset, affecting business continuity, should not be the goal.
OT needs an alternative strategy devoted to prevention rather than focusing its effort on detection, and this is easily achieved thanks to the deterministic nature of industrial communications.
In fact, it is fairly easy to outline the communications necessary for the correct working of the industrial assets, leaving out the rest of the traffic, which is not needed and can be an issue, conveying danger without bringing any benefit.
Some may argue that mapping communications between industrial assets may be difficult and expensive. This is certainly true if we want a complete mapping of all communications, but that is not the goal. The goal is to define only and exclusively the communications that are functional to factory operations, and, however complex a machine or asset can be, in most cases it has few, well-defined connections.
Of course, there are different operating conditions in which the communication matrix can change, but if you look carefully at the industrial world, you will find more determinism and pragmatism than you think.
But who will be our defenders? Can a firewall do the job correctly and efficiently? Well, I don't think so: you cannot have a single point of defence (remember, there are no clear perimeters), and scattering security black boxes around can seriously affect operational continuity, with the opposite result.
So, take a look at the first line of defence, your industrial network: the switches are what convey the traffic throughout the whole network, so you must be certain that only the traffic used for production is on the wire, and not stray or malicious traffic that is of no use to production.
Software Defined Networking technology has brought into standard switches remarkable forwarding and management functionalities able to cope with the critical objective of industrial IoT security. Edge SDN has exactly this purpose: to create a defence line exploiting the functionality of switches to provide a resilient layer of threat prevention and detection.
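As an added example (not code from the original post or from any product it mentions), here is the communication matrix idea from the paragraphs above written as a flow allow-list: it checks constructed sample flows against the matrix, reports the stray ones an edge switch should drop, and renders the matrix as generic allow rules with a final deny. The hosts, addresses and ports are assumed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of the allowed source(s)
    dst: str      # CIDR of the allowed destination(s)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto and dport == self.dport)


# Constructed communication matrix for one production cell: an HMI and an
# engineering station talk to a PLC, the PLC reports to a historian. Made-up addresses.
MATRIX = [
    Rule("10.10.1.20/32", "10.10.1.10/32", "tcp", 502),    # HMI -> PLC (Modbus/TCP)
    Rule("10.10.1.30/32", "10.10.1.10/32", "tcp", 44818),  # engineering station -> PLC (EtherNet/IP)
    Rule("10.10.1.10/32", "10.10.2.50/32", "tcp", 4840),   # PLC -> historian (OPC UA)
]


def classify(flow, matrix=MATRIX):
    """Return 'allowed' if the (src, dst, proto, dport) flow is in the matrix, else 'stray'."""
    return "allowed" if any(r.matches(*flow) for r in matrix) else "stray"


def stray_flows(flows, matrix=MATRIX):
    """Flows the matrix does not cover: what the switch drops and what is worth alerting on."""
    return [f for f in flows if classify(f, matrix) == "stray"]


def to_acl(matrix=MATRIX):
    """Render the matrix as ordered allow rules followed by a catch-all deny (generic syntax)."""
    lines = [f"permit {r.proto} {r.src} {r.dst} eq {r.dport}" for r in matrix]
    lines.append("deny ip any any")
    return lines


# Constructed sample of observed flows: (src, dst, proto, dport)
OBSERVED = [
    ("10.10.1.20", "10.10.1.10", "tcp", 502),     # normal HMI polling
    ("10.10.1.10", "10.10.2.50", "tcp", 4840),    # normal historian feed
    ("10.10.1.20", "10.10.1.10", "tcp", 44818),   # HMI using the engineering protocol: stray
    ("10.10.1.99", "10.10.1.10", "tcp", 502),     # unknown host speaking Modbus to the PLC: stray
    ("10.10.1.10", "198.51.100.7", "tcp", 443),   # PLC reaching outside the plant: stray
]

if __name__ == "__main__":
    for f in stray_flows(OBSERVED):
        print("STRAY", f)
    print("\n".join(to_acl()))
```

Because production traffic is deterministic, the matrix stays short even for a complex cell, and any flow that falls through to the final deny is both blocked and a ready-made detection signal.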