Cyber-attacks are becoming increasingly common in today’s highly interconnected world. What was once the stuff of fiction novels and movies, is now an everyday reality. Critical infrastructure (CI) industries such as power, oil and gas, dams, mass transit, and water utilities have become major targets. Furthermore, complex geopolitical situations are resulting in rival nations or rogue actors constantly engaging in cyber-warfare. Major service disruptions caused by these attacks can cause severe outages for common citizens, which is a key driver for the attackers, more than a mere monetary payout.
“Critical Infrastructure is the new frontline for cyber warfare. Fortunately, there are sophisticated technologies to detect and mitigate the highly complex attacks that CI industries face“, said Krishna Chaitanya Tata, a senior Operational Technology (OT) cybersecurity architect from IBM. “Industrial Intrusion Detection Systems or IIDS is one such technology. There has been a proliferation of vendors offering these technologies over the past decade. AI and ML are an integral part of the threat detection engines of these tools, for detection, correlation, and mitigation of OT security incidents”
In this article, we will learn from Krishna how AI and ML models are helping in OT cybersecurity and the product suite that is considered integral in securing CI defenses.
Introduction: What is critical infrastructure and why is cybersecurity important?
Critical infrastructure industries often support essential services – water, power, oil and gas, and health care. They are critical pillars in supporting a nation’s economy and social order. The term “critical infrastructure” usually refers to industrial control systems (ICS) that are electromechanical in nature such as programmable logic controllers (PLCs), distributed control systems (DCS), supervisory control and data acquisition (SCADA), relays, and so on. They cover transportation networks, energy grids, signaling systems, and control communication systems.
Cybersecurity for critical infrastructure is extremely vital because it helps protect a nation’s core infrastructure from attack. For decades, the control networks where these devices operated were insulated from the overall corporate network of a company. However, with the proliferation of Internet-of-things (IoT), 5G, and cloud services, regular corporate networks are increasingly commingling with control networks.
This paradigm shift has substantially raised the risk profile of control networks, where they are now susceptible to remote hacking attacks via corporate networks or other ingress points into the control network. A cyberattack on critical infrastructure could cause widespread chaos and loss of life. For example, a cyberattack on a power grid could cause a blackout, while an attack on a water treatment plant could contaminate the water supply.
The landscape of security tools used for defending Critical Infrastructure
The landscape of security tools used for defending CI from cyberattacks has dramatically changed over the past decade. There are vendors in categories that previously did not exist. This is in part due to the high attention from governments across the world to prioritize the security of critical infrastructure industries.
Some of the technologies are discussed below:
- Network Segmentation and micro-segmentation: Products such as Cisco ISE, FortiNAC, Forescout, and others are extremely prevalent in the market today. They not only assist in device access control but also in segmenting networks based on zones and device types. Posture assessments of devices are another area provided by these tools
- Industrial Intrusion Detection Systems (IIDS): These products have become the centerpieces of the defense strategy of all organizations in the CI space. They rely on static rules such as YARA, STIX, and SNORT and heavily on AI and ML-based models for incident detection and response. There are several vendors in this space such as Nozomi Guardian, Forescout eyeSight, Claroty, Microsoft CyberX, and so on
- Secure Remote Access: These products allow role-based access control by limiting access to remote users such as operators, maintenance personnel, vendors, and even employees. Since the Covid pandemic outbreak, having personnel remotely manage end devices such as PLCs has become a necessity. Various products such as TDI ConsoleWorks and Bomgar BeyondTrust are leaders in this space
- OT Firewalls: OT devices such as PLCs, DCS, SCADA, and RTUs operate on a set of protocols completely different from regular IT infrastructure. Protocols such as Modbus, DNP3, Ethernet/IP, and so on are common. Also, a lot of these protocols are serial protocols making it difficult for regular commercial firewalls to detect and block that traffic. OT firewalls and containment tools are becoming extremely popular and helping secure control networks
- Deception/decoy technologies: Simulating real-life attack scenarios is of higher priority in OT networks versus IT networks. The threat vectors are vastly more complex and keep changing regularly. Technologies such as Attivo Botsink, Canary, and so on have become very common and are increasingly being used for deception technologies to train personnel in dealing with real-life attacks.
- SIEM tools: Security Incident and Event Management tools act as aggregators of data from all devices and security tools including IIDS and firewalls. Powerful correlation rules can be created to identify attack patterns. A secure operations center (SOC) addresses events coming out of a SIEM tool. Products such as Splunk, QRADAR, and ArcSight are leaders in this space.
It is also important to note that despite the tremendous progress made for all the technologies listed here, they are defensive mechanisms only. The overall security program and organizational commitment to security are what ultimately determine the success of these tools.
Artificial Intelligence and Machine Learning Models for critical infrastructure
Cybersecurity is still relatively a new field in OT networks, within critical infrastructure. That said, the defense-in-depth (DiD) approach using an onion peel model is still the best way to go. This approach treats security as multiple layers of defense before the attackers can access the core.
Artificial intelligence and machine learning have become extremely prominent in addressing security challenges, specifically within the context of OT. Each of the technologies discussed earlier uses artificial intelligence and machine learning models to some extent. This has proved extremely beneficial in triaging security incidents, and vulnerabilities and in finding the right solutions.
The most common example of the use of artificial intelligence models is within intrusion detection systems (IIDS), where AI and ML models are used for the creation of a correlated incident from a list of seemingly unrelated security events. AI/ML models will take several seemingly unrelated events occurring on different devices and use modeling to correlate them into various threat scenarios. The scenarios are then ranked based on their likelihood and impact. The most probable scenarios or incidents can then be focused on by security analysts and engineers. For example, an SMB vulnerability might exist on a windows machine, that talks to a PLC that has been accessed at an odd hour using escalated privileges and has been shut down. PLC shutdown could result in catastrophic consequences such as explosions or loss of life if done unintentionally or as part of the sabotage.
SIEM tools use AI/ML models and user-behavior analytics (UBA) as well and take it one step further. Since SIEM tools have data feeding into them from multiple sources, such as IIDS tools and firewalls; they can correlate further to create actionable incidents for an entire network or a network zone.
Deception and decoy technologies have been extensively using artificial intelligence and machine learning as well. These tools have built-in models that take data from several different sources and simulate various threat vectors that security analysts can review, learn from them, and create action plans based on them. The complexity of a threat vector or attack scenario that the decoy tools create is directly based on the complexity of the AI algorithms running them. A likely scenario could be that existing malware in the corporate network is able to get into the control networks via an existing firewall rule, use escalation of privileges via rootkits and then cause SCADA systems to malfunction.
General overview of the Current State of Critical Infrastructure Security
Critical infrastructure security is currently a hot topic of discussion among government officials, private sector executives, and cybersecurity professionals. This is because the current state of critical infrastructure security is not adequate to protect against increasingly sophisticated cyber threats. In fact, a recent report by the National Institute of Standards and Technology (NIST) found that most businesses are not well prepared to defend themselves against cyber attacks.
This lack of preparedness is due in part to the fact that many organizations do not have a clear understanding of their cybersecurity risks. They also do not have sufficient resources or personnel dedicated to addressing these risks. As a result, they are unable to properly assess and manage their vulnerabilities.
In addition, many critical infrastructure systems are outdated and do not meet current security standards. For example, many industrial control systems were designed without cybersecurity in mind and are therefore particularly vulnerable to attack. Furthermore, these systems are often interconnected, which can amplify the effects of an attack.
The good news is that there has been an increase in awareness of the importance of critical infrastructure security in recent years. The bad news is that this awareness has not yet translated into actionable steps taken by most organizations. There is still much work to be done to improve the current state of critical infrastructure security.
The Need for Improved Cybersecurity
The need for improved cybersecurity has been stressed extensively in this article. While there are many steps that need to be taken to improve cybersecurity for critical infrastructure, according to Krishna some of the most important are:
- Strengthening perimeter security: This includes both physical and cyber security measures to prevent unauthorized access to critical infrastructure facilities.
- Improving detection and response capabilities: This means having the ability to quickly detect when an attack is taking place and then mount an effective response. AI/ML plays a major role in this as has been discussed in this article.
- Developing better intelligence: This will help agencies identify potential threats and take steps to mitigate them before they can cause harm.
- Enhancing international cooperation: Given the global nature of the threat, it is essential that countries work together to share information and best practices.
- Increasing funding for cybersecurity: This is essential to develop the necessary tools and capabilities to protect our critical infrastructure from increasingly sophisticated cyber-attacks.
Summary: How Artificial Intelligence and Machine Learning are bolstering defenses
As discussed above, AI and ML models are providing stellar help in bolstering the detection and response capabilities of the various tools used within OT cybersecurity. Tremendous research is going into AI/ML models for detecting and stopping security incidents.
The traditional approach of using signature-based detection such as YARA, STIX, or SNORT rules is no longer enough to detect security threats as the attacks themselves are getting increasingly complex. A common feature of the attacks these days is to have dormant malware or trojans within the control networks that stay dormant for extended periods of time and pass the information on to a command and control (CoC) center outside the victim’s networks and premises. Once sufficient information has been passed along, they “detonate” or run their scripts to cause the intended damage. These types of malware leave little to no signatures and generally don’t cause major changes in the resources used. Therefore, it is notoriously difficult to detect them using traditional signature-based methods. AI/ML models use behavioral analytics and heuristics to detect nuanced changes that can help detect them.
Similarly, malware such as ransomware is impossible to detect based on signature or traditional methods alone. AI/ML models and their applicability to various technologies are the only methods by which they can be detected within control networks. There are numerous examples of malware in recent times such as Triton, colonial pipeline hack, etc. where the detection has been heavily reliant on AI/ML models.
In conclusion, cyber security for critical infrastructure will soon be indispensable. With each passing day, it becomes more and more important to devote resources to protecting these infrastructures from malicious attackers and hackers who want to cause chaos in our interconnected world. As technology continues to evolve and create new threats every day, it’s up to us as individuals and organizations alike to do all we can to protect ourselves from potential cybersecurity vulnerabilities. And finally, artificial intelligence and machine learning will be invaluable in protecting critical infrastructure from cyber-attacks.
The post How AI and Machine Learning Help in Cybersecurity for Critical Infrastructure appeared first on Datafloq.