Passive network monitoring is the standard for asset inventory as well as threat and anomaly detection in industrial environments, largely because of their sensitive nature and criticality. This is compounded by heavy reliance on legacy systems with insecure, proprietary protocols that active scanning could potentially exploit. OT systems often comprise critical infrastructure, controlling processes that can impact safety, security and delivery of essential services. Passive monitoring allows for visibility without any interference, whereas active scanning and probing techniques, common in IT environments, can be disruptive, potentially leading to operational failures or safety hazards.
Passive industrial network monitoring tools work by being connected to a SPAN or mirror port of a switch or router and observing network communications. The Nozomi Guardian security sensor passively observes local network traffic to provide comprehensive OT and IoT asset visibility and monitoring without using any agents or interrogation to identify devices. It continuously monitors activity to discover new assets communicating on the network, provide network visualizations for troubleshooting and research, identify critical vulnerabilities, and detect cybersecurity threats and operational issues.
Specifically, Guardian sensors use passive deep-packet inspection to automatically discover, in real time, the industrial network including its components, connections and topology. Its advanced learning capability then builds profiles specific to each ICS and uses behavioral analytics to monitor for anomalous, suspicious and malicious activity. The result is the rapid detection of cyberattacks and critical process anomalies.
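The two passages above describe the passive pattern in general terms: traffic copied from a SPAN port is decoded, every talking host becomes an inventory entry, and a learned per-asset profile is later used to flag anything outside it. The following is an added example (not Nozomi code, and not how Guardian implements its learning) that shows the shape of that logic on constructed flow records; the `Flow` fields, the `PassiveMonitor` class and the sample IP addresses are all assumptions made for the illustration. It generalises slightly beyond the text by profiling three things per asset: who it talks to, on which protocol, and which protocol function it uses.

```python
"""Passive asset discovery and behavioural baselining over mirrored traffic.

Added example, not vendor code. Input is the kind of record a DPI stage would
emit for each observed request: who talked to whom, on which port/protocol,
and which protocol-level function was used.
"""
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: float
    src: str      # client address
    dst: str      # server address
    dport: int    # destination port, e.g. 502 for Modbus/TCP
    proto: str    # decoded application protocol, e.g. "modbus", "s7comm"
    func: str     # protocol-specific function, e.g. "read_holding_registers"


@dataclass
class AssetProfile:
    first_seen: float
    last_seen: float
    roles: set = field(default_factory=set)   # "client" and/or "server"
    peers: set = field(default_factory=set)   # (dst, dport, proto) this asset talks to
    funcs: set = field(default_factory=set)   # (proto, func) this asset issues


class PassiveMonitor:
    """Learning mode fills profiles; detection mode reports deviations."""

    def __init__(self) -> None:
        self.assets: dict[str, AssetProfile] = {}
        self.learning = True

    def _touch(self, ip: str, ts: float, role: str) -> AssetProfile:
        prof = self.assets.get(ip)
        if prof is None:                      # first time this host is seen
            prof = AssetProfile(first_seen=ts, last_seen=ts)
            self.assets[ip] = prof
        prof.last_seen = ts
        prof.roles.add(role)
        return prof

    def observe(self, f: Flow) -> list[tuple[str, str]]:
        """Return (alert_kind, detail) tuples; empty while learning."""
        alerts: list[tuple[str, str]] = []
        new_src, new_dst = f.src not in self.assets, f.dst not in self.assets
        src = self._touch(f.src, f.ts, "client")
        self._touch(f.dst, f.ts, "server")
        peer = (f.dst, f.dport, f.proto)
        fn = (f.proto, f.func)
        if self.learning:                     # baseline phase: record, never alert
            src.peers.add(peer)
            src.funcs.add(fn)
            return alerts
        for ip, is_new in ((f.src, new_src), (f.dst, new_dst)):
            if is_new:
                alerts.append(("new_asset", ip))
        if peer not in src.peers:             # known host, unseen communication path
            alerts.append(("new_peer", f"{f.src} -> {f.dst}:{f.dport}/{f.proto}"))
        if fn not in src.funcs:               # e.g. a host that only ever read starts writing
            alerts.append(("new_function", f"{f.src} {f.proto}.{f.func}"))
        return alerts


# Constructed sample traffic (assumed addresses): an HMI and an engineering
# workstation talking to one PLC during the learning window.
BASELINE = [
    Flow(1.0, "10.0.1.10", "10.0.1.20", 502, "modbus", "read_holding_registers"),
    Flow(2.0, "10.0.1.10", "10.0.1.20", 502, "modbus", "read_holding_registers"),
    Flow(3.0, "10.0.1.11", "10.0.1.20", 102, "s7comm", "read_var"),
]
# Constructed live traffic: one normal read, then three deviations.
LIVE = [
    Flow(10.0, "10.0.1.10", "10.0.1.20", 502, "modbus", "read_holding_registers"),
    Flow(11.0, "10.0.1.10", "10.0.1.20", 502, "modbus", "write_single_register"),
    Flow(12.0, "10.0.1.99", "10.0.1.20", 502, "modbus", "read_holding_registers"),
    Flow(13.0, "10.0.1.11", "10.0.1.21", 502, "modbus", "read_holding_registers"),
]


def run_demo() -> tuple[PassiveMonitor, list[tuple[str, str]]]:
    mon = PassiveMonitor()
    for f in BASELINE:
        mon.observe(f)
    mon.learning = False
    alerts: list[tuple[str, str]] = []
    for f in LIVE:
        alerts.extend(mon.observe(f))
    return mon, alerts


if __name__ == "__main__":
    monitor, found = run_demo()
    print(f"inventory: {sorted(monitor.assets)}")
    for kind, detail in found:
        print(f"{kind:13s} {detail}")
```

The first live flow produces nothing, which is the point of a baseline: normal polling stays silent. The write from the HMI is the classic "known host, new function" case that North-South monitoring alone would miss when both hosts sit in the same zone.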
Remote collectors are another form of passive monitoring designed to cover hard-to-reach and unmanned locations. These small, low-resource sensors work in conjunction with network sensors to capture data from wilderness, offshore and other remote and distributed locations (such as an electrical substation or smaller plant within a larger campus) where a network sensor isn’t cost efficient or practical. The Nozomi Networks Remote Collector captures, deduplicates, compresses and encrypts this traffic before sending it to an associated Guardian sensor for processing.
Wireless sensors are another form of passive monitoring that should be leveraged in industrial environments, where wireless technology is now common. It’s difficult to detect wireless-specific threats such as brute-force attacks, spoofing and bluejacking, and even more difficult to determine the location of the devices performing the attacks.
In addition to WiFi and Bluetooth, process control networks rely on specialized wireless protocols designed to facilitate reliable communication between sensors and controllers with low power consumption. These protocols play a crucial role in collecting, concatenating and transmitting data that enables both system operation and surveillance. For example, the IEEE 802.15.4 standard is used in smart buildings for real-time monitoring of HVAC and lighting systems and in farming for wireless irrigation system control to optimize crop yields.
The Guardian Air sensor is the industry’s first wireless security sensor purpose-built for OT and IoT environments, providing visibility into wireless assets, which until now were only detected once connected to a wired network. It continuously monitors wireless spectrum technologies operating from 800 MHz to 5895 MHz (WiFi, Bluetooth, IEEE 802.15.4, LoRaWAN, Z-Wave, cellular and drones) and detects and locates threats through triangulation to enable faster response.
Network sensors are cyber workhorses. But there will always be dozens of scenarios where adding a network sensor isn’t feasible or additional details are needed to understand and troubleshoot your environment. Today’s industrial environments can safely rely on a combination of passive network, remote collection and wireless monitoring as well as active polling and endpoint security techniques. The Nozomi Networks platform offers this full spectrum of methods to provide continuous visibility into all your assets and their risk levels, even when they aren’t actively communicating.
Active querying is an agentless, non-invasive technique that can be used to gather detailed information not available from passive sensors for specific assets of interest, including embedded OT/IoT devices. Referred to as Smart Polling in the Nozomi Networks platform, it interrogates devices based on knowledge of their protocols, leveraging special messages and instructions to return useful information without affecting device stability.
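What makes active querying "non-invasive" is that it uses the protocol's own read-only identification request, and that it is only sent to assets the passive side has already confirmed, at a controlled rate. The following is an added example (not Nozomi code, and not how Smart Polling is implemented) built around the standard Modbus/TCP Read Device Identification request (function code 0x2B, MEI type 0x0E), which asks a device for its vendor name, product code and revision. The `PollPolicy` class, the `poll_device` helper and the constructed device reply are assumptions made for the illustration; no network is touched, the response bytes are fabricated inline.

```python
"""Protocol-aware, read-only device identification with a polling guard.

Added example, not vendor code. Builds a standard Modbus/TCP Read Device
Identification request and parses the reply; the reply here is constructed,
a real sensor would exchange these bytes over TCP port 502.
"""
import struct

READ_DEVICE_ID = 0x2B          # Modbus "Encapsulated Interface Transport"
MEI_DEVICE_ID = 0x0E           # MEI type: Read Device Identification
BASIC_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def build_device_id_request(transaction_id: int, unit_id: int = 1) -> bytes:
    """MBAP header + PDU asking for the 'basic' identification objects from id 0."""
    pdu = bytes([READ_DEVICE_ID, MEI_DEVICE_ID, 0x01, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_device_id_response(frame: bytes, expected_tid: int) -> dict[str, str]:
    """Validate the MBAP header, reject exceptions, and decode the object list."""
    tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != expected_tid or proto_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed or mismatched MBAP header")
    pdu = frame[7:]
    if pdu[0] == READ_DEVICE_ID | 0x80:           # exception response
        raise ValueError(f"device returned Modbus exception code {pdu[1]:#04x}")
    if pdu[0] != READ_DEVICE_ID or pdu[1] != MEI_DEVICE_ID:
        raise ValueError("unexpected function code or MEI type")
    # pdu[2..5]: ReadDevId code, conformity level, more-follows, next object id
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        objects[BASIC_OBJECTS.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


class PollPolicy:
    """Guard: only poll assets already discovered passively, at most once per interval."""

    def __init__(self, known_assets: set[str], min_interval_s: float) -> None:
        self.known = known_assets
        self.min_interval = min_interval_s
        self.last_polled: dict[str, float] = {}

    def may_poll(self, ip: str, now: float) -> bool:
        if ip not in self.known:
            return False
        last = self.last_polled.get(ip)
        if last is not None and now - last < self.min_interval:
            return False
        self.last_polled[ip] = now
        return True


def _constructed_response(tid: int) -> bytes:
    """Fabricated reply from an imaginary PLC (constructed sample data)."""
    values = [b"ExampleVendor", b"PLC-100", b"v1.2"]
    objs = b"".join(bytes([i, len(v)]) + v for i, v in enumerate(values))
    # ReadDevId code 0x01, conformity 0x01 (basic), no more follows, next id 0, 3 objects
    pdu = bytes([READ_DEVICE_ID, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(values)]) + objs
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu


def poll_device(ip: str, policy: PollPolicy, now: float, tid: int = 1):
    """Return the parsed identification, or None when policy forbids the poll."""
    if not policy.may_poll(ip, now):
        return None
    request = build_device_id_request(tid)          # would be sent to ip:502
    response = _constructed_response(tid)           # stands in for the device's reply
    assert len(request) == 11
    return parse_device_id_response(response, tid)


if __name__ == "__main__":
    policy = PollPolicy(known_assets={"10.0.1.20"}, min_interval_s=3600.0)
    print(poll_device("10.0.1.20", policy, now=0.0))
    print(poll_device("10.0.1.20", policy, now=10.0))   # suppressed by rate limit
    print(poll_device("10.0.1.99", policy, now=0.0))    # never seen passively, refused
```

Two design points carry the "without affecting device stability" claim: the request is a single identification read rather than a port scan or register sweep, and the policy refuses both unknown addresses and repeat polls inside the interval, so a misconfiguration cannot turn the poller into a flood.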
Smart Polling can be used to:
In IT security, endpoint agents are ubiquitous for anti-virus protection and patching. Unfortunately, negative experiences deploying IT-focused agents on OT devices have led to scarce adoption of much-needed endpoint monitoring. Traditional ICS network monitoring solutions monitor North-South traffic between Purdue levels or firewalls, but East-West communications between devices within a zone, especially at lower Purdue levels, have long been a blind spot. Moreover, endpoint monitoring is the only way to correlate user activity and events as they happen.
In OT, malicious attacks involving credential theft and other malicious behavior certainly occur, but many threats involve inadvertent mistakes by employees or authorized third-party technicians who come and go, often remotely. Without endpoint security, there’s no way to know who’s plugging in when and what they’re doing until their commands have been executed on the network. That’s too late.
Released in 2023, Nozomi Arc is a safe, non-disruptive security agent purpose-built for the unique high availability requirements of OT endpoints. For example, it does not operate at the kernel level of the host operating system, will never reboot your machines and is very light on system resources.