No rationalization: we see very regularly how companies (through their security staff) go shopping and rush to spend. This is typically pushed by business pressure, market inertia, a lack of knowledge and skill, and opportunistic suppliers, all before a sound risk assessment has been performed.
The cause of this error is that they are implementing cyber asset-centric security: protect the cyber asset as the most important thing. This approach may be valid in the field of Information Security (IT); in the field of industrial security, however, it is incorrect and insufficient.
Many companies are implementing IDS-type solutions for monitoring, intrusion detection, and anomaly detection in industrial systems, generating an excess of security alerts, and only then analyzing all the events. This is typically done on typical IT criteria, without first understanding what should actually be monitored, what the priorities are, and how to respond to each cyber event. There is no visibility of the potential consequences, which are what should really drive decisions.
Put a little simplistically, in IT, cyber assets are prioritized so as to protect them from people (man-made threats). At the plant level we seek to protect people from cyber assets, when those assets fail or are compromised, whatever the source of the threat. Wrongly, all event analysis is done after the tools are deployed.
Understand plant systems, threats, threat actions, consequences, impacts and risks, in order to invest … before … wrongly spending … jumping into monitoring systems that alarm everyone, without a prioritized, rational and meaningful incident and response plan to protect what really matters.
The correct approach for the industrial plant is to know how different events can affect (or not) the plant, and, based on that knowledge, to define what should be monitored and how to respond. This is called “Understanding Risk.” Before any events are generated on information-security criteria, the identified risks are mitigated through sound technical rationales. Only then is the monitoring system designed, the alerts defined (without false positives), and a response plan created with immediate and precise preventive actions.
All event analysis must be performed in advance of the implementation of the tools. In this way, the excess of false positives is avoided and, for each alert, you already have a concrete response before the tool is implemented, without wasting time. We call this “Alerts Rationalization”.
To achieve this goal, it is essential to start from the beginning. In plant safety, we analyze the behavior of events first and then monitor what really matters, without false positives. In the industrial plant, we must evaluate the risk, mitigate it by modifying the design of the systems, and then monitor what makes sense, so that we can respond efficiently and effectively, without delays.
Put another way: understand plant risks, then invest in systems, for a rational and meaningful incident response solution that protects what really matters.
Conceptual design and detailed design are of fundamental importance, to implement solutions with adequate technical rationales and thus avoid creating a false sense of security. The answer to this problem is: rationalization.
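To make "Alerts Rationalization" concrete, here is an added illustration (not code from the original article or from any product it mentions) of the ordering described above: the consequence, impact and response for each plant asset are decided during the risk assessment, and the monitoring logic then raises only events that map to a known consequence and a pre-agreed response, ranked by plant impact rather than by the IDS's own severity score. The asset names, event types and IDS records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: the outcome of the risk assessment for a hypothetical plant.
# Each monitored asset carries its worst credible consequence, a plant impact score
# (1-5) and the response agreed BEFORE any monitoring tool is deployed.
ASSETS = {
    "plc-boiler-01": {"consequence": "loss of burner management interlock", "impact": 5,
                      "response": "fail to manual burner control; isolate PLC segment; call shift supervisor"},
    "eng-ws-03": {"consequence": "unauthorized logic download path", "impact": 4,
                  "response": "block PLC writes at the zone firewall; verify logic checksums"},
    "hmi-packaging": {"consequence": "line stoppage", "impact": 2,
                      "response": "switch to redundant HMI; open maintenance ticket"},
}

# Threat actions the assessment judged able to produce those consequences. Any other
# event type was rationalized away: it has no defined plant consequence.
RELEVANT_EVENT_TYPES = {"modbus_write_coil", "new_device", "firmware_change"}

@dataclass
class Alert:
    event_type: str
    asset: str
    impact: int
    consequence: str
    response: str

def rationalize(ids_events):
    """Turn raw IDS events into actionable alerts, ranked by plant impact.

    An event becomes an alert only when it hits an assessed asset AND is a relevant
    threat action; the IDS 'severity' field is deliberately ignored, because it
    reflects IT criteria, not the consequence for the plant."""
    alerts = []
    for ev in ids_events:
        asset = ASSETS.get(ev.get("asset"))
        if asset is None or ev.get("type") not in RELEVANT_EVENT_TYPES:
            continue  # no consequence defined for this event: noise, not an alert
        alerts.append(Alert(ev["type"], ev["asset"], asset["impact"],
                            asset["consequence"], asset["response"]))
    return sorted(alerts, key=lambda a: a.impact, reverse=True)

# Constructed IDS output: note the "high" severity port scan on an unassessed host,
# which a tool-first deployment would have paged someone about.
SAMPLE_EVENTS = [
    {"type": "port_scan", "asset": "printer-lobby", "severity": "high"},
    {"type": "new_device", "asset": "hmi-packaging", "severity": "low"},
    {"type": "modbus_write_coil", "asset": "plc-boiler-01", "severity": "medium"},
    {"type": "dns_query", "asset": "eng-ws-03", "severity": "high"},
]
```

Running `rationalize(SAMPLE_EVENTS)` yields two alerts, the boiler PLC write first, each already carrying its response; the two "high" severity events never become alerts because the assessment assigned them no plant consequence.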