Debunking the Most Dangerous Myth in Industrial Security
Active monitoring is not only safe and reliable – it's the only way to capture a full view of every connected asset across your industrial network.
Organizations in industrial and critical infrastructure sectors face a security challenge unlike anything before. Whether the cause is a traditional hack, an insider threat or an accidental security lapse, operational technology (OT) infrastructure that was once isolated and considered fully secured is now more exposed than ever. This inflection point has given rise to a new wave of industrial cybersecurity initiatives, along with many new security vendors (and much noise and confusion).
Why passive detection is no longer enough
For the past several years, new entrants with limited experience have downplayed the benefits of “active” detection. Active detection matters because it detects threats that never cross the network, such as a technician who physically connects to a controller. Active querying also digs deeper: it can track configurations down to an extremely granular level, find code changes, and check dormant devices that do not regularly communicate on the network. Active threat hunting provides a crucial view into the OT environment that passive detection alone cannot.
Some of the newbies to the industrial control system (ICS) security market have even claimed that active querying is harmful because it can “destabilize” the OT environment. This kind of misinformation confuses the market and ultimately does a disservice to organizations looking to properly secure their OT environments. It is in fact possible, and preferable, to query each asset without affecting the network by speaking to devices in their native protocol. Industrial controllers expect these types of queries and are well suited to answering them without any of the supposed “dangers.” So device querying (or “active detection”) is not only preferable from a security perspective; done properly, it is also completely safe.
What should you look for when it comes to active technology?
To separate the myths from reality, here are a few things to consider when launching your own active monitoring effort.
Query depth variance and configuration
Administrators must be able to set both the depth of each query and its configuration, so that they decide which queries run, and when. They should also have the option to run on-demand queries to validate the details that matter to them. This gives the most security, power and control when implementing active detection in an OT environment. For example, an administrator should be able to automatically map a controller’s physical module connections to show the full path of configurations and architectures, and to query across serial networks to reach the deepest devices.
Holistic approach
Administrators can extend active querying beyond basic asset discovery and detail gathering. A holistic approach uses it to enrich alerts and to check configurations after changes are detected, giving the user the most comprehensive and deep understanding of what is happening on the industrial network.
Validation
Active querying also gives the administrator an additional security check. When a variance or change is observed, it provides a second, virtual “set of eyes” that can verify the change is expected and not harmful. These validations should include:
- Performing code validation and comparison after observing a code download in the network.
- Periodically probing assets to validate that the physical configuration has not changed and no modules on the programmable logic controller (PLC) backplane were physically removed or damaged.
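The two validations above as a worked example, added here and not part of this article or of Tenable's product: a stored per-asset baseline (firmware, backplane module inventory, control program) is compared against a fresh active read-back, either when passive monitoring reports a code download to a controller or on a scheduled sweep. The device transport is abstracted behind `query_fn`; the `Snapshot` and `Finding` shapes, the asset names and the device data are constructed for the example, and a real deployment would replace `fake_query` with a read-only query in the controller's native protocol.

```python
"""Baseline validation for PLC assets (added example, not Tenable's code).

`query_fn(asset_id)` stands in for a read-only query in the controller's native
protocol; here it serves constructed sample data so the script runs offline."""
import hashlib
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Snapshot:
    """Result of one active query of a controller (hypothetical shape)."""
    firmware: str
    modules: tuple   # backplane inventory in slot order: ((slot, module_type), ...)
    program: bytes   # control logic as read back from the device

@dataclass
class Finding:
    asset_id: str
    kind: str        # "code-changed", "module-removed", "module-added", ...
    detail: str
    expected: bool = False   # True when the change matches an approved program hash

def program_hash(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()

def compare(asset_id: str, baseline: Snapshot, current: Snapshot,
            approved_hashes: frozenset = frozenset()) -> list:
    """Diff a fresh snapshot against the stored baseline and report every deviation."""
    findings = []
    if current.firmware != baseline.firmware:
        findings.append(Finding(asset_id, "firmware-changed",
                                f"{baseline.firmware} -> {current.firmware}"))
    base_slots, cur_slots = dict(baseline.modules), dict(current.modules)
    for slot, mtype in base_slots.items():
        if slot not in cur_slots:
            findings.append(Finding(asset_id, "module-removed", f"slot {slot}: {mtype} missing"))
        elif cur_slots[slot] != mtype:
            findings.append(Finding(asset_id, "module-replaced",
                                    f"slot {slot}: {mtype} -> {cur_slots[slot]}"))
    for slot, mtype in cur_slots.items():
        if slot not in base_slots:
            findings.append(Finding(asset_id, "module-added", f"slot {slot}: {mtype}"))
    if current.program != baseline.program:
        digest = program_hash(current.program)
        findings.append(Finding(asset_id, "code-changed", f"sha256 {digest[:16]}",
                                expected=digest in approved_hashes))
    return findings

def validate(asset_id: str, baselines: dict, query_fn: Callable[[str], Snapshot],
             approved_hashes: frozenset = frozenset()) -> list:
    """Run one on-demand active check of a single asset against its baseline."""
    return compare(asset_id, baselines[asset_id], query_fn(asset_id), approved_hashes)

def on_passive_event(event: dict, baselines: dict, query_fn, approved_hashes=frozenset()) -> list:
    """Passive monitoring saw a code download; confirm it with an active read-back."""
    if event.get("type") != "code-download":
        return []
    return validate(event["dst"], baselines, query_fn, approved_hashes)

def periodic_probe(baselines: dict, query_fn, approved_hashes=frozenset()) -> list:
    """Scheduled sweep of every baselined asset (run inside the agreed query window)."""
    findings = []
    for asset_id in baselines:
        findings.extend(validate(asset_id, baselines, query_fn, approved_hashes))
    return findings

# --- constructed sample data ---------------------------------------------------
BASELINES = {
    "plc-line-1": Snapshot("v20.11", ((0, "CPU"), (1, "DI16"), (2, "DO16")),
                           b"LD I:0/0\nOTE O:0/0\n"),
    "plc-line-2": Snapshot("v20.11", ((0, "CPU"), (1, "AI8")), b"LD I:0/1\nOTE O:0/1\n"),
}
LIVE = {   # what the (simulated) devices answer right now
    "plc-line-1": Snapshot("v20.11", ((0, "CPU"), (1, "DI16")),          # slot 2 gone
                           b"LD I:0/0\nOTE O:0/0\nOTE O:0/5\n"),          # extra rung
    "plc-line-2": BASELINES["plc-line-2"],                                # unchanged
}
def fake_query(asset_id: str) -> Snapshot:
    return LIVE[asset_id]

def run_demo() -> dict:
    """Return finding kinds per trigger; a real deployment would raise alerts instead."""
    event = {"type": "code-download", "src": "eng-ws-7", "dst": "plc-line-1"}
    triggered = on_passive_event(event, BASELINES, fake_query)
    sweep = periodic_probe(BASELINES, fake_query)
    return {"triggered": sorted(f.kind for f in triggered),
            "sweep": sorted(f.kind for f in sweep),
            "unexpected": sorted(f.kind for f in sweep if not f.expected)}

if __name__ == "__main__":
    for trigger, kinds in run_demo().items():
        print(f"{trigger}: {kinds}")
```

The `approved_hashes` set is where a change-management record plugs in: a code download whose read-back hash matches an approved program is reported as expected, while any other program, a missing backplane module or a swapped module type is an unexpected finding to investigate. The query depth and schedule discussed earlier apply to `periodic_probe`, which is the place to enforce which assets are swept and in which window.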
After years of leading the way and gaining experience in the active querying field, Tenable has the knowledge and battlefield experience to provide the most robust, safe and deep active component on the market. The peace of mind Tenable gives top manufacturing and critical infrastructure companies comes from activating the right security to keep them safe from unacceptable threats. And that is no myth.
To learn more about the industrial security benefits of proactive monitoring, check out the Tenable.ot guide to active querying.