Anomaly detection in industrial networks. Compliance with IEC62443 to minimize cybersecurity risks.
Industrial automation is present in all types of industries, infrastructures, and buildings (the OT world). As in any company that uses computing systems, these systems are not immune to cyberattacks.
In recent decades, there has been a shift from proprietary systems, rigid systems that hardly communicated with each other, to systems composed of multiple devices that interact with each other. To measure quality, performance, and analyze improvement options, other satellite systems have been integrated into the process, which study possible improvements and, at the same time, evolve the processes. The way to implement these ecosystems and their communications has been strongly based on IT technologies, such as TCP/IP communications, the use of virtualized infrastructures, and the use of conventional operating systems such as Windows or Linux.
All this has generated a boom in computing applied to industry, but it has also brought in a series of vulnerabilities inherent in these technologies, which increase the risk. Added to those vulnerabilities is the fact that industrial control systems are normally insecure: they have a life cycle of decades and a low rate of updates.
These devices are usually built and designed to provide reliability and robustness rather than to be secure, typically running operating systems and communication protocols without any protection, which exposes them to almost any network attack. In short, new technologies and their modern risks are combined with devices that were never designed to implement security features.
Requirements to Calculate Risks Objectively with CIARA
Normally, the CISO (Chief Information Security Officer) is in charge of defining the information security governance and therefore identifying and managing the risks. Calculating a risk objectively is not an easy task and requires at least:
- An updated inventory of assets.
- Understand the status of these assets.
- Identify vulnerabilities of the assets.
- Identify threats, old and new.
To help the CISO calculate risk objectively, at Becolve Digital we have CIARA, a solution that automates the examination of hundreds of security countermeasures and the simulation of hundreds of possible threats, all run against a digital image of the network obtained from the real physical infrastructure.
CIARA Features
Automatically manages the following data:
- Assets, protocols, messages, IP addresses, MAC addresses, firmware versions, criticality, zones, conduits, etc.
- Potential vulnerabilities of the assets present in the network (CVEs).
- Simulation of attacks based on MITRE ATT&CK for ICS and Radiflow's own.
- Analysis of network behavior and the appearance (or disappearance) of network communications.
- Knowledge of current threats in the area/sector based on MITRE ATT&CK.
- Detection of changes in industrial equipment.
With all this data, CIARA is able to simulate how effective the implemented cybersecurity controls are against known attacks and the threats currently occurring, and thus to evaluate in a few minutes, on the basis of objective data, the level of risk to which the network is really exposed.
Based on the result of the evaluation, CIARA will propose a series of actions to mitigate the risk and will offer different criteria to balance the proposals between protection, compliance with standards and budget.
Depending on these criteria, CIARA automatically prioritizes the security requirements (SR) to be implemented with the aim of maximizing the ROI in cybersecurity. Currently, some of the optimization criteria included are:
- Zone Impact: What is the economic impact if a zone fails?
- Tolerable risk: Which zone has the least tolerance to risk?
- Compliance gap: Which zones have the greatest discrepancy between the measures implemented and what the standards dictate?
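To make the three criteria concrete, here is an added example (not CIARA's own algorithm, and not code from Radiflow or Becolve Digital) that ranks IEC 62443 zones from a constructed inventory: each zone carries its economic impact, its tolerable risk, the security requirements (SRs) its target security level demands versus those implemented, and its assets with criticality and CVE counts. The scaling constant, the risk formula and the sample zones are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """One IEC 62443 zone with the inputs the three criteria need (constructed)."""
    name: str
    impact_eur: float        # economic loss if the zone fails (zone impact)
    tolerable_risk: float    # highest acceptable risk score, 0..1 (tolerable risk)
    required_srs: frozenset  # IEC 62443-3-3 SRs demanded at the zone's target SL
    implemented_srs: frozenset
    assets: list = field(default_factory=list)  # (asset, criticality 1..5, cve_count)

def compliance_gap(z: Zone) -> float:
    """Share of required SRs not implemented (0.0 = fully compliant)."""
    if not z.required_srs:
        return 0.0
    return len(z.required_srs - z.implemented_srs) / len(z.required_srs)

def exposure(z: Zone) -> float:
    """Likelihood proxy: criticality-weighted CVE count, scaled (assumed /25) and capped at 1."""
    return min(1.0, sum(crit * cves for _, crit, cves in z.assets) / 25.0)

def zone_risk(z: Zone) -> float:
    """Risk score in 0..1: how exposed the zone is, scaled by its control gap."""
    return exposure(z) * compliance_gap(z)

def prioritize(zones):
    """Rank zones by risk above tolerance weighted by zone impact; list missing SRs."""
    ranked = []
    for z in zones:
        excess = max(0.0, zone_risk(z) - z.tolerable_risk)
        ranked.append((round(excess * z.impact_eur, 2), z.name,
                       sorted(z.required_srs - z.implemented_srs)))
    return sorted(ranked, reverse=True)

# Constructed sample inventory; SR numbers follow IEC 62443-3-3 naming.
ZONES = [
    Zone("Safety PLC cell", 500_000, 0.10,
         frozenset({"SR 1.1", "SR 1.2", "SR 2.1", "SR 3.1", "SR 5.1"}),
         frozenset({"SR 1.1", "SR 5.1"}),
         [("PLC-1", 5, 3), ("HMI-1", 3, 2)]),
    Zone("Engineering LAN", 50_000, 0.30,
         frozenset({"SR 1.1", "SR 2.1", "SR 3.1"}),
         frozenset({"SR 1.1", "SR 2.1"}),
         [("EWS-1", 2, 4)]),
]

if __name__ == "__main__":
    for score, name, missing in prioritize(ZONES):
        print(f"{name:20s} priority={score:>10.2f} missing={missing}")
```

The PLC cell exceeds its tolerable risk and is ranked first with the SRs it lacks, while the engineering LAN stays within tolerance and gets priority 0; a zone's budget weighting can be changed by editing only its impact or tolerance figures.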