Automation is nothing new
Automation is sometimes thought of as a 21st century concept. Certainly in the context of artificial intelligence or machine learning, automation or automatons have touched our imaginations as something that the future holds for us, and that something is either to be revered or feared. In reality automation, or the effort to make processes automatic, has been around at least since Henry Ford first popularized the assembly line, and arguably pre-dates even the industrial revolution itself. One of the earliest recorded automated processes was a clock invented in the 3rd century BCE by Ctesibius, in which a float regulator (similar to what the standard toilet uses today) was used to report time based on the tide.
One of the aspects of automation that sometimes sparks our collective imagination — both in terms of fear and hope — is the concept of machines talking to other machines. Such communication, perhaps contrary to the popular imagination, has been around for decades. Energy companies, pharmaceuticals, chemical manufacturers, oil and gas refineries, nuclear plants — all of these sectors, collectively referred to as “critical and industrial infrastructure”, rely on “Operational Technology” networks that are made up of sensors, PLCs, DCUs, HMIs, and engineering workstations that communicate with each other. Machines talk to machines in order to automate processes — and that is not necessarily a bad thing in and of itself.
Security automation — especially in OT and IoT environments — is relatively new
The challenge is that many if not all of these “OT” or, increasingly “IoT” devices can’t be monitored by endpoint agents, and thus, monitoring them for threats or keeping an up-to-date inventory of them is more complicated than it is for traditional IT endpoints. Automation is necessary in order to pull inventory for every device type and get as much information about that device as possible. In an industrial control system or any environment where disruption can result in not only loss of profits but even major safety or environmental incidents, the assets must be monitored with the least possible amount of intrusion.
The necessity of this kind of automation was top of mind in a recent conversation I had with an agrosciences company. The risk tolerance for the “seed business” is zero, because so many chemicals are mixed within the plant — meaning that an OT security incident could be not only extremely costly, but dangerous. I was surprised to hear the details of how much impact a cybersecurity incident could cause — along with the resulting corporate liability concerns — and that this company took security as seriously as some nuclear plants that I had talked to.
If you need to take security this seriously, then you need automation. Maintaining a high standard of IoT/OT safety and security is impossible without automation.
Think through, for example, the process of device inventory. First of all, it’s critical that your device inventory is continuously up to date as new devices enter or leave the network. Think of the damage that a random laptop joining the OT network, undetected, could do — this device introduces a portal through which malware and attackers could cause crippling damage to the OT environment, or worse, to the people that work there. Unfortunately, we see this scenario quite frequently, in which employees or outside contractors bring new devices into the OT environment — against policies but, too often, these unauthorized devices go undetected. You need to automate this device discovery because manual inventory is too prone to human error, too slow, and frankly, too unwieldy.
There are also hundreds of other ways that device changes could go undetected and put your environment at risk, especially as digitization and Industry 4.0 initiatives introduce increased internet connectivity into OT environments. Automation is critical when it comes to understanding how devices communicate in these complex environments, understanding device changes like firmware/version changes, and making sure that you’re proactively addressing vulnerabilities impacting your “crown jewel” assets. For example, if a device is discovered to be vulnerable because it is missing a patch, the owner of the asset needs to understand what patch is missing and needs to be able to prioritize which devices need which patches and in which order.
The next important step in automating the security of automated processes is not only to discover these devices and device details, but monitor changes in their behavior — such as changes in internet connectivity, programming changes to PLCs (which are even more alarming if they take place at abnormal times, such as outside of business hours), unusual PLC behavior (such as a PLC having more reads than it used to), or protocol violations indicating attempts to misuse the protocol. Detecting these changes in behavior allows you to find threats more quickly and accurately so you can stop the adversary before they cause material impact to your firm. And while theoretically you could hire enough people to manually monitor device inventory, firmware changes, and security logs, this kind of advanced analysis would not be practical in terms of the time, effort, and money it would cost to do so.
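As an added illustration of the behavioural monitoring described above (this is example code written for this page, not CyberX's product logic), the script below runs a few simple detections over a constructed two-day OT event log: devices that talk on the network but are missing from the approved inventory, firmware that differs from the inventory baseline, PLC programming changes outside business hours, a PLC receiving far more reads than it did the day before, and protocol violations. All addresses, firmware strings, the business-hours window and the events themselves are constructed for the example.

```python
"""Added example: behavioural-change detection over constructed OT events.

Every asset address, firmware string and event below is constructed for
illustration; none of it comes from a real network or any vendor product.
"""
from collections import Counter
from datetime import datetime, time

# Constructed approved-asset inventory: address -> expected attributes.
APPROVED_ASSETS = {
    "10.0.5.10": {"type": "PLC", "firmware": "2.1.0"},
    "10.0.5.11": {"type": "HMI", "firmware": "4.0.2"},
    "10.0.5.20": {"type": "EWS", "firmware": "1.0.0"},
}

# Window in which PLC programming changes are expected (constructed policy).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def ev(ts, src, dst, op, detail=""):
    """Build one constructed event record."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "op": op, "detail": detail}


# Constructed two-day event log. Day 1 is the baseline; day 2 contains the
# kinds of change the text describes.
EVENTS = (
    # Day 1: the HMI polls the PLC four times, a programming change lands
    # in business hours, and the PLC reports its expected firmware.
    [ev(f"2024-03-04T{8 + i:02d}:00:00", "10.0.5.11", "10.0.5.10", "read") for i in range(4)]
    + [ev("2024-03-04T10:30:00", "10.0.5.20", "10.0.5.10", "program_download", "logic v17"),
       ev("2024-03-04T12:00:00", "10.0.5.10", None, "inventory", "firmware=2.1.0")]
    # Day 2: off-hours programming, an unapproved device, a read spike,
    # a protocol violation, and a firmware change on the PLC.
    + [ev("2024-03-05T02:15:00", "10.0.5.20", "10.0.5.10", "program_download", "logic v18"),
       ev("2024-03-05T08:40:00", "10.0.5.99", "10.0.5.10", "read")]
    + [ev(f"2024-03-05T{9 + i:02d}:00:00", "10.0.5.11", "10.0.5.10", "read") for i in range(9)]
    + [ev("2024-03-05T09:05:00", "10.0.5.99", "10.0.5.10", "protocol_violation", "illegal function code"),
       ev("2024-03-05T12:00:00", "10.0.5.10", None, "inventory", "firmware=2.2.0")]
)


def unknown_devices(events, approved=APPROVED_ASSETS):
    """Addresses that communicated on the network but are not in the inventory."""
    seen = {e["src"] for e in events} | {e["dst"] for e in events if e["dst"]}
    return sorted(seen - set(approved))


def firmware_changes(events, approved=APPROVED_ASSETS):
    """(address, expected, reported) for inventory reports that differ from the baseline."""
    changes = []
    for e in events:
        if e["op"] == "inventory" and e["src"] in approved:
            reported = e["detail"].split("=", 1)[1]
            expected = approved[e["src"]]["firmware"]
            if reported != expected:
                changes.append((e["src"], expected, reported))
    return changes


def offhours_programming(events, start=BUSINESS_START, end=BUSINESS_END):
    """PLC programming changes that fall outside the expected window."""
    return [e for e in events if e["op"] == "program_download" and not (start <= e["ts"].time() < end)]


def read_spikes(events, baseline_day, current_day, factor=2.0):
    """Targets whose read count on current_day exceeds factor x their count on baseline_day."""
    def reads_on(day):
        return Counter(e["dst"] for e in events if e["op"] == "read" and e["ts"].date() == day)
    base, cur = reads_on(baseline_day), reads_on(current_day)
    return [(dst, base[dst], n) for dst, n in cur.items() if n > factor * base[dst]]


def protocol_violations(events):
    """Events the constructed sensor has already classified as protocol misuse."""
    return [e for e in events if e["op"] == "protocol_violation"]


def analyze(events=EVENTS):
    """Run every detection; the first day in the log is the baseline, the last is current."""
    days = sorted({e["ts"].date() for e in events})
    return {
        "unknown_devices": unknown_devices(events),
        "firmware_changes": firmware_changes(events),
        "offhours_programming": [(e["ts"].isoformat(), e["src"], e["dst"]) for e in offhours_programming(events)],
        "read_spikes": read_spikes(events, days[0], days[-1]),
        "protocol_violations": [(e["ts"].isoformat(), e["src"], e["detail"]) for e in protocol_violations(events)],
    }


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(f"{name}: {findings}")
```

The read-spike check uses a per-day count against the previous day; in practice the baseline would be learned over a longer window and per device, but the structure is the same: compare observed behaviour to what the inventory and history say is normal, and surface every deviation as a finding for a human to triage.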
Though the concept of security automation in OT and IoT environments is new, it is already a necessity
The value of automation goes beyond asset inventory and threat detection though. Think about the sheer number of attack vectors in the modern enterprise. If you look at just 300 devices that can only interact with each other, that already results in over 90,000 possible threat vectors — and that’s for a small environment. If a human being were to address all of these threat vectors manually, even if it took just one minute per potential attack vector, it would take them the better part of a year.
While automation has endless potential, its value in asset discovery, vulnerability management, and threat detection alone makes it indispensable to today’s organizations. Doing this effectively with manpower alone is impossible in today’s complex environments.
If you’re trying to incorporate more automation into your IoT/OT security environment, IoT/OT-aware security technology can help. You can read about how CyberX tackles asset management, threat detection, and vulnerability management here. Or contact us directly to schedule a demo that helps you determine how best to automate threat detection, vulnerability management, and asset discovery in your environment.