By Peter Lund, Vice President Of Product Management at Industrial Defender
and Chris Duffey, OT/ICS Specialist at Splunk
We hosted a (CS)²AI Online™ seminar on August 18, 2021 that focused on Why Hasn’t SOAR Taken Off in ICS?.
Here is a bit about the event:
Besides the typical reluctance to embrace new technology in the ICS world, security orchestration, automation and response (SOAR) tools haven’t been as widely adopted as they probably should be because of the contextual data deficiency found in most security alerts. To create an appropriate automated response, you need to know exactly which devices are compromised and whether you can/should isolate them, which up until recently has been extremely difficult to do for industrial control systems.
Let’s say you’re alerted that an HMI has a banking Trojan. That’s not great, but not likely something you’d feel compelled to take offline. However, if there was ransomware in an HMI, you have a serious problem. So, what should you do? Well, if you have 7 HMIs, it’s likely fine to just disconnect the infected one to stop the spread, but if that’s your only one, then it’s definitely not ok. This is a prime example of why having access to contextual data about both the threat AND the affected asset is so critical to informing automated security management.
In this seminar, you’ll learn:
• Why security orchestration and automation reduce the risk of operational downtime from a cyberattack
• What type of contextual security information is critical to powering a next-gen program
• How feeding the right ICS asset data into your SIEM + SOAR helps demonstrate ROI across your security ecosystem
As always, we encourage our audience to participate throughout the event by contributing feedback and questions for our speakers. We weren't able to answer all of your questions, so we have asked some of our speakers to answer a few of them. Below, are some answers to a few questions posed during the event.
Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.
*******************
To view the full recording of their talk, please visit https://www.cs2ai.org/sponsored-seminars.
QUESTION:
Is it like SNMP Management/ Sniffer s/w ? Doesn’t interrogate the network devices to get the devices info ? Could it interrogate RTU that talks Modbus or other industrial protocol?RESPONDENT:
Pete
ANSWER:
We have numerous methods of active and passive data collection methods which do include SNMP, network traffic analyis, and interrogating via Modbus.
QUESTION:
How to make sure IDS system wouldn’t flag it as intrusion?
RESPONDENT:
Pete
ANSWER:
The SOAR/SoC team should be working in conjunction with the OT Secuirty team to ensure that the network path and traffic are allowed/whitelisted by the IPS Sensor. A test and check approach is already a good idea, espically if you have a QA/Sandbox enviroment.
QUESTION:
How does an organisation ensure that all devices are registered? Especially with a mobile (e.g. vehicles) or Work-From-Home workforce where things may be vulnerable and diffuse?
RESPONDENT:
Pete
ANSWER:
There are ways to monitor/instrument these types of devices and if for some reason that is not possible - monitoring the ingress point to your company network for all these devices.
QUESTION:
Would IT and OT incident response protocol come into play if a pen test session thats knocked equipment off line...?
RESPONDENT:
Chris
ANSWER:
It would depend on the scenario whether this should be involved. Typically in this use case you would want additional contextual data. For example, maintenance records so you could determine whether a device going off line is expected. In most cases, you would want to detect something like a network scan and if that combined with a device going offline happened, then it might be suspicious. In most use cases, it'll involve someone going "onsite" to fix the device.
QUESTION:
You've mentioned a little about this but I would image integrating SOAR in a live environment is difficult. How much does Sandboxing, Simulation and Virtual help the process work.
RESPONDENT:
Chris
ANSWER:
Implementing SOAR in live environments can be challenging, which is typically why there needs to be some kind of use case development and incident response plans in place first. This gives you a good place to start, but it has typically been validated and so there is minimal impact to operations. Sandboxing, Simulations, or Virtual Process could help during the testing scenario, but in OT environments that may be difficult to perform due to a lack of a true testing environment.
QUESTION:
We're using a tool that focuses on identifying devices by listening to traffic. Do you have any ideas for merging that with the CMDB that the IT guys maintain?
RESPONDENT:
Pete
ANSWER:
Yes, we at Industrial Defender do this for many of our customers. It's as simple as exposing the asset data and relevent changes via a method support by the CMDB. For modern systems its normally an API, older systems usually have file-based import methods.
QUESTION:
How does SOAR address securing physically separate legacy systems?
RESPONDENT:
Chris
ANSWER:
How much can be done in a legacy environment will often depend on what is possible with OS, equipment interfaces, etc. A good example is the logging of USB devices is much easier and verbose in newer OS'es. Making sure you have some way to get that data in and make it usuable is typically the larger challenge as not all products may support older operating systems and equipment. What you automate may only be limited to information gathering to help an analyst make a decision faster.
QUESTION:
In distributed environments (pipelines, water treatment, power distribution) the bandwidth to the facility may be very limited. In some cases older equipment may have limited communication throughput capacity before device operability starts to be affected. What "levers" are available to be able to control traffic?
ANSWER:
This question was answered during the seminar. Please watch the recording to learn more..
QUESTION:
Any best practise and expierence that you can share on implementing SOAR on legacy systems?
RESPONDENT:
Chris
ANSWER:
There are several best practices: 1) Make sure you can actually gather data from those systems, 2) Have well-defined use cases that you know on those legacy systems, and 3) Try to leverage existing tools or scripts you may have. Gathering data from legacy systems is often a challenge, but teams will usually have existing scripts to handle problems beforehand. For example, one customer had a service from a legacy system that would simply stop logging which was the only indication there was a problem (service would continue running). The customer has already deployed a script that would run when this even occured, but it was very ad-hoc and cludgey and they were never sure whether it succeeded. Running this same kind of action in Phantom allowed them to get feedback from the script so they could validate the script succeeded and then perform an additional step to make sure the service was actually functioning correctly. In this case, it made an after-hours call out only necessary if things did not restart appropriately.
QUESTION:
Is it safe to say that the 'safety' concern with SOAR has to do more 'what' you automate vs. whether or not you deploy a SOAR solution at all? In other words, the implementation dictates the safety 'risk' more than the technology itself?
RESPONDENT:
Chris
ANSWER:
Yes, in most cases it depends on what is the potential impact or effect of the action that SOAR platform takes. One exception though would be a SOAR workflow could not be properly implemented and then cause an issue. For example, say a second action should only occur if the first succeeded and this was never validated which then resulted in a second command causing a problem. However, validating that an automation won't impact safety should be part of building workflows and playbooks in the SOAR solution.
QUESTION:
Can there be a problem where the IOT is vendor provided on a proprietatary basis insofar as they may "drag their feet" on providing some of the asset inventory information because they consider that their proprietary business information?
RESPONDENT:
Pete
ANSWER:
Yes, this is a scenario that can happen when dealing with an OEM. Don't be afraid to push back, as the equipment owner and operator you are the one that is resposbile for the risks related to not knowing your asset's inventory and vulnerability posture. We have helped customers through these types of conversations, often ending in mutal benefits of all parties.
QUESTION:
Are procurement contracts now including provisions that third-party vendors be required to participate actively in their customers/ SOAR efforts?
ANSWER:
This question was answered during the seminar. Please watch the recording to learn more.
QUESTION:
Isn't it a problem to start with SOAR given Chris said you need to know everything on the network and Paul said often that ppl had retired and left systems running on the network nobody understands... seems it'd be difficult to get started?
RESPONDENT:
Chris
ANSWER:
This partly depends on the purpose of the SOAR. In most cases, SOAR is implemented with known scenarios and use cases; hence you need to know what systems you want to use SOAR on. Using SOAR on an unknown asset or system could be risky and affect safety and operations. However, many platforms like Splunk might be able to do some detection of unknown systems so you can at least identify their presence (especially if they are networked). In almost all the deployments I have been involved with, we found systems and interfaces that were not properly documented. So making sure you know about an asset's characteristics should be considered when implementing the workflow and be adjusted based on that information. For example, your SOAR platform could do something as simple as create a ticket about an unknown asset and then not perform any additional actions.
QUESTION:
For the asset owners currently using SOAR, can we get an idea of what industries they are in (e.g. electric utilites or O&G) and what they are throwing into Splunk currently?RESPONDENT:
Chris
ANSWER:
Personally I have seen SOAR most often deployed in Power Utility and Oil and Gas industries. I think those industries have been high profile and a heavy focus in the past (either regulation or in the media) so their security practices tend to be more mature, and as a result, they are looking at how to extend their capabilities. Manufacturing has a heavy interest but I would say are generally less mature.
QUESTION:
Please pardon my rather mundane question, but coming from an academician's perspective, do you foresee a time at which we might transfer/transition this concept to home-based IoT (security automation) applicability?
ANSWER:
This question was answered during the seminar. Please watch the recording to learn more..