According to the 2016 Cyber Security Intelligence Index performed by IBM’s X Force Research, manufacturing has moved up in the ranks to become the third most hacked industry second only to health care and information and communications.
Businesses of these types, including those that produce textiles, pharmaceuticals, electronics and automobiles (the most highly targeted), have drawn the attention of cyber criminals en masse lately. It's primarily because of the valuable intellectual property thieves want to get their hands on. In fact, over $400B of intellectual property has been lost already because of cybercrime targeting manufacturing companies.
In spite of drawing a high level of attention from cybercriminals, the manufacturing industry still faces some very particular challenges distinct to this industry that keep production companies from staying ahead of the curve. In many ways cyber security for the manufacturing industry is lagging so far behind in keeping businesses safe that even long-known attacks such as Heartbleed and Shellshock have recently affected critical infrastructure. Even common spear-phishing techniques and SQL injection attacks expose vulnerabilities that leave open doors to cyber crime.
There are quite a few challenges facing manufacturing businesses that relegate them to late adopters of best cyber security practices. Many companies are employing older applications and programs that still rely on unsupported operating systems and remain susceptible to attack, because upgrading them could potentially disrupt critical infrastructure, or because they cannot be upgraded at all due to their interaction with reliable, expensive machinery. A lack of industry compliance standards has further escalated the problem for manufacturing companies, since such standards would ensure best practices are observed and encourage companies to adopt better Incident Response (IR) protocols and technology.
Compounding the problem is the fact that many manufacturing facilities do not rely on a strictly pure IT environment to support their critical infrastructure. It's a mix of both cyber and physical components that are not easy to simply triage and reboot when an attack is detected. Managers that have production deadlines to meet are often reluctant to allow the IT department to shut down machinery and wait while an incident response team looks into an attack. Physical safety also becomes a factor, since machinery cannot be stopped on a dime without following a complete procedure to protect workers and their environment.
Production environments also rely heavily on Programmable Logic Controllers (PLCs) that cannot be treated like a traditional desktop with an OS. This means that even though they are network controlled and operated, they will not be reimaged or monitored the same way corporate workstations are, and they are thus prime targets for a cyber attack.
In spite of some of the inherent challenges manufacturing companies face in the fight against cyber crime, security monitoring on Industrial Control Systems (ICS) or supervisory control and data acquisition (SCADA) as well as incident reporting can be implemented to give managers of physical machinery and IT infrastructure an advantage in protection. It requires proactive implementation of solutions that can make a huge difference in getting in front of attacks that can render ICS/SCADA useless or can affect public works like energy or utilities.
Incident Response (IR) requires a distinct strategy for manufacturing companies but can and should thrive in an environment that has all the complexities and challenges that come with ICS/SCADA and PLCs. It involves a well-crafted IR playbook, proper network monitoring, and easy intake of incidents to boost time to recovery from an attack.
Good IR techniques must be developed that employees are clear about and can follow, so that they avoid attacks and know how to spot potential or realized breaches. An attack that goes undetected and unreported by production managers can still allow control systems to work for a time but will wreak havoc at the worst possible moment when the attack finally surfaces. By developing and instituting IR playbooks that all teams can understand and adhere to, manufacturing companies can put themselves at a better advantage to ward off and respond to attacks.
IR plans need to come from the top down and must include:
To keep ICS/SCADA safe from cyber attacks, incidents need to be quickly identified and escalated to the proper individuals who can begin evidence collection, analysis, and remediation with as little interruption as possible. This requires quick and efficient intake and response. Enabling employees to report suspicious activity to the proper security channels is paramount when attempting to keep ICS/SCADA environments safe. That’s why a good web intake system built around a security information and event management (SIEM) platform is important for these environments. A case requestor can specify keyword requirements, and any non-standard data sources that make it easier for responders to quickly automate workflows and remediate threats.
Finally, network flow controls and monitoring are critical to protecting ICS/SCADA. PLCs do not run traditional operating systems that can be monitored the same way corporate workstations are. But if key personnel are highly familiar with network activity and are trained to spot anomalies, they can be on the lookout for anything out of the ordinary. These employees also need to be equipped with tools that allow them to spot system failures, information theft and loss, DDoS attacks, third party breaches, rogue employees, and malware that could affect critical infrastructure. With the right incident response software these alerts and workflows can be automated and keep ICS/SCADA safe from cyber attacks.
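The two preceding points, flow monitoring for PLCs that cannot be monitored like workstations and fast intake of the resulting incidents with keywords for escalation, can be combined in a small allowlist-based monitor. The following is an added example, not code from the original post or from D3; the hosts, ports, baseline and flow records are all constructed sample values.

```python
# Added example: allowlist-based flow monitoring for an ICS segment, turning
# anomalous flows toward PLCs into intake cases an IR playbook can escalate.
# All addresses, ports and log lines are constructed sample values.
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed baseline: the only flows that should ever reach the PLCs
# (engineering workstation and HMI talking Modbus/TCP on port 502).
PLCS = {"10.10.1.20", "10.10.1.21"}
ALLOWED = {
    ("10.10.0.5", "10.10.1.20", 502),   # engineering workstation -> PLC-A
    ("10.10.0.5", "10.10.1.21", 502),   # engineering workstation -> PLC-B
    ("10.10.0.9", "10.10.1.20", 502),   # HMI -> PLC-A
    ("10.10.0.9", "10.10.1.21", 502),   # HMI -> PLC-B
}

def parse_flow(line):
    """Parse a constructed flow-log line of the form 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)

def classify(flow):
    """Return a reason string if the flow is anomalous for the PLCs, else None."""
    if flow.dst not in PLCS:
        return None                       # only traffic toward PLCs is in scope
    if (flow.src, flow.dst, flow.dport) in ALLOWED:
        return None                       # matches the known-good baseline
    if flow.src.startswith("10.10.0."):   # known OT host using an unexpected service
        return "unexpected port %d from known OT host %s" % (flow.dport, flow.src)
    return "new host %s talking to PLC %s" % (flow.src, flow.dst)

def build_cases(lines):
    """Convert anomalous flows into intake cases with keywords for escalation."""
    cases = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            cases.append({"ts": flow.ts, "asset": flow.dst, "source": flow.src,
                          "keywords": ["ICS", "PLC", "network-anomaly"],
                          "summary": reason, "escalate_to": "OT incident responder"})
    return cases

SAMPLE_LOG = [  # constructed flow records: two normal, two anomalous, one out of scope
    "2024-05-01T08:00:01 10.10.0.5 10.10.1.20 502 tcp",
    "2024-05-01T08:00:03 10.10.0.9 10.10.1.21 502 tcp",
    "2024-05-01T08:00:07 10.10.0.5 10.10.1.21 22 tcp",
    "2024-05-01T08:00:09 192.168.50.44 10.10.1.20 502 tcp",
    "2024-05-01T08:00:11 10.10.0.9 10.10.0.5 445 tcp",
]

if __name__ == "__main__":
    for case in build_cases(SAMPLE_LOG):
        print(case["ts"], case["asset"], "-", case["summary"])
```

In a real deployment the baseline would be learned from a known-good capture window and the cases would be posted to the SIEM or incident intake system rather than printed.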