EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT

An Insight Cyber White Paper

Copyright Insight Cyber 2018. All rights reserved.
The Need for Expert Monitoring

Digitization and external connectivity for industrial assets and production zones are a double-edged sword. While ushering in a new era of operational and business efficiencies, they also open vectors for security problems in environments that have little or no resistance against them. Until recently, little had been done to cyber-harden industrial machines, ICS networks and emerging IoT devices.

A new class of IoT visibility products, including Free and Open Source Software (FOSS) products, has emerged to address these challenges. These tools are now available to perform sorely needed functions such as network-capture analysis, asset inventory, and event correlation for industrial controls equipment, SCADA environments, and connected-sensor networks.

However, there are three critical gaps in IoT cybersecurity and risk management that these early tools fail to address: Analytics, Context, and Skills & Knowledge. What these gaps have in common is that they can be addressed and resolved via customer domain-specific modeling by expert analysts. Filling the gaps also mandates extensive event monitoring and intelligent risk monitoring/management. Indeed, according to the ARC Advisory Group, organizations need to develop new integrated strategies and approaches that combine IT and OT security efforts and maximize use of all corporate cybersecurity resources.

For these reasons, Insight Cyber augments IoT visibility tools with expert services, automated tools, consulting, and continuous monitoring. Our objective is to enable investments in OT assets and cyber technologies to succeed.

Augmenting Tools with Experts

Insight Cyber collects, correlates, and analyzes data from across the IoT environment using advanced automated tools. To complement this capability, our experienced expert teams work with IT and OT organizations to interpret the results and provide continuous monitoring, incident response and risk management. The combination of our automated tools with expert intelligence is delivered as a continuous, scalable subscription service.

One of the key advantages of combining tools and people is the ability to provide context. One of the critical gaps of visibility tools is that the IoT events they generate lack context for interpretation. Insight Cyber filters data through the Insight Cyber Context Engine, which incorporates customer domain-specific intelligence and converts both network and operational process event streams into actionable insights.
We have developed five generations of a proprietary context definition tool. This tool applies complex logic to dynamic data elements from network metadata, network data content, operational process data (e.g., SCADA, telemetry, historian) and general-purpose input/output data (when available), and provides a deeply detailed filter over raw data flows to generate raw event streams.

As shown in Figure 1, the Insight Cyber Industry Model, our unique context capability interprets analytic results in terms of actual process parameters. We not only inspect network data at a granular level, but we also look at process data to help organizations understand what should be happening. This capability requires a service rather than a product because every organization's processes and business rules are different. The Insight service looks at the actual process data in context rather than just looking for violations of security signatures.

Figure 1. The Insight Cyber Industry Model.

Cyber and operational teams face a critical skills and knowledge gap in managing risk for production assets. This makes it challenging to extend standard IT risk-management methodology to ICS, OT, and the industrial IoT. Our IoT security operations and risk experts dynamically augment the OT organization's data collection and analysis.

Why OT Requires Experts

Overall risk is a mathematical function of threat, vulnerability, and impact, integrated over a footprint of critical assets. In both IT and OT risk management, threats are often taken as near constant. In IT, the key business outcome is improved security, and methodologies focus on mitigating vulnerabilities. In OT, however, all of these factors are different. For instance, event correlation works differently in IT and OT. In fact, events themselves are different. After all, machines are not the same as computers. In OT, the key business outcome is to assure safe operation and high availability. This dictates a focus on managing impacts rather than vulnerabilities. In addition, the standard vulnerability-management techniques (rotating passwords, patching systems, etc.) are not as effective in OT, where machines rather than computers provide the core business processes.

Fortunately, the focus on continuous monitoring and visibility in OT allows the examination of different data sets. To be effective, this requires expert development of customer domain-specific context or process modeling. Monitoring and incident response for OT require data collection and analytics that are based on customer domain-specific context. In this respect, IoT differs from IT, where a wide range of standard analytic approaches are available. This necessitates a service-based approach that works with the organization to develop the context and tune the analytics. When done properly, the resulting events are easy to integrate with existing enterprise SIEM/NOC/SOC solutions, and can even be correlated with IT event streams and Internet-based threat intel.

The experts at Insight Cyber have knowledge of these industrial processes. You must have experts talking to your experts to figure out what the actionable events are. They are specific to your domain, your organization, and a different situation every day.

Continuous Risk Assessment and Monitoring

Figure 2. Insight Cyber experts augment automated tools to generate actionable insights.
As shown in Figure 2, IoT risk management doesn't end with static surveys and assessments. Once the organization obtains the data from SCADA, historians, telemetry and sensors, the three gaps still have to be filled. To constantly monitor the environment, organizations need:

- Automatic data feeds from their IIoT/IoT environments to populate their risk models and convert data into actionable events (which fills the Analytics Gap).
- Dynamic risk models that are custom built for their enterprise and tailored to how they manage their mission-critical industrial processes (which fills the Context Gap).
- Continuous monitoring of the resulting dynamic models by experts who can respond to incidents (which fills the Skills & Knowledge Gap).

Insight Cyber experts have expertise in time-dependent machine learning/deep learning. This helps to drive anomaly detection and continuous asset management in raw event streams from across very large enterprise footprints. We convert raw event streams into actionable information, reducing noise, and we generate edge-deployable models.

Insight Cyber tools help protect organizational investment in IoT assets. Our advanced continuous data collection tools provide deeply granular views of process and SCADA data and advanced visibility that easily detects security and production issues. The combination of dynamic risk scoring and expert analysis enables informed management of the organization's IoT investments. Insight Cyber services extend an organization's existing knowledge base with aggregated results, timely reporting and expert analysis. The table in Figure 3 shows the business and technical benefits of Insight Cyber services.

Business benefits:
- Maximum uptime of IoT processes, increasing productivity and eliminating lost revenue
- Proactive defense of the IoT production environment
- Generation of actionable events
- Reduced costs stemming from problem remediation and process inefficiencies
- Standards and regulatory compliance
- Continuous assessment and scoring of IoT risks

Technical benefits:
- Augmented technical staff
- Reduced cyber exposure and improved operational efficiencies
- Semantic analysis of IoT protocols and correlation of continuous network metadata, telemetry, SCADA, Syslog and historian data
- Generation of complex rules to apply to network flows (process modeling)
- Deployable models and actionable events via customer domain-specific Deep Learning analytics

Figure 3. Business and technical benefits of Insight Cyber services.
Engaging with Industry Cyber Experts

Insight Cyber services contain a full range of cyber management and incident-response capabilities designed specifically for industrial operations in enterprises. Our Deep-Learning models incorporate deep process know-how from our team of experts. This enables us to pinpoint cyber issues affecting specific process zones and equipment. Uniquely, it also discovers possible operational problems using the same analytics. This provides IoT organizations with the broadest and most actionable analysis of SCADA and process data available in the market.

Insight Cyber's service is an always-on subscription service. It starts with an easy initial consultation by our experts. We then custom-tailor a continuous data-collection, monitoring, event management and incident response program for the organization's needs and budget. We leverage the organization's existing tools and technologies and fill in areas where they may have gaps. Our experts are on call to tell you what's important in your production networks and what's not, today and every day.

Unfortunately, hiring, training and retaining SMEs in industrial cybersecurity is perhaps the toughest challenge of all, even for the most sophisticated enterprises. Insight Cyber services fill this Skills & Knowledge Gap with expert interpretation, consulting, and incident response. Depending on their needs, organizations can scale from periodic automated reports, to expert consultations and integration with their own SIEM solution, all the way to 24/7/365 event monitoring and incident response.

We know how tough it can be to manage cyber and operational risk for your critical assets. We help you fill the trust gap and validate the claims of your OT product vendors through people with extensive industry credibility. Our experts were among the early pioneers in industrial cybersecurity, so the Insight Cyber service isn't just an extension of standard IT security. Rather, it was designed from the ground up to address the distinctive security, performance and safety requirements of converged IT/OT environments. We are changing the way people think about risk management, from something you do on a questionnaire twice a year to something that is continuously monitored.
About Insight Cyber Group

Insight Cyber Group provides a portfolio of services that deliver continuous, real-time cyber risk management and improved operational efficiencies for industrial IoT assets. Our services combine advanced visibility and expert analytics with proprietary automated tools. Insight Cyber supports the entire lifecycle of risk monitoring and incident response capabilities required by today's industrial enterprises.

We are a unique team of practitioners with decades of experience in both cybersecurity and industrial process management. Our technology stack incorporates best-of-breed and best-practice concepts, integrated with event correlation, risk scoring and continuous monitoring delivered as a subscription service. For CISOs, we offer a reduction of cyber risk, one of the most expensive problems in corporate America. For OT managers, we improve operational efficiencies.