Artificial intelligence (AI) and machine learning (ML) have been increasingly used as product marketing buzzwords. Nevertheless, I feel certain that AI is an integral part of how we approach cybersecurity in the future, with particular applications for securing manufacturing environments.
See John’s earlier article on Securing the Industrial Internet of Things.
Machine learning is a functional subset of AI. Given large data sets and expert training, machine learning can help to identify cybersecurity threats in the same way your GPS app can identify the best route home during rush hour. In the cases where ML has proven its ability to accurately distinguish known and unknown threats across the stages of the kill chain, it can help you to detect and respond to threats faster and better. ML can provide meaningful insights and even actionable information to cybersecurity analysts, to aid in incident triage and reduce the impact of incidents on your organization.
The manufacturing floor in a factory is often filled with special-purpose equipment, legacy systems and Industrial Internet of Things (IIoT) devices. Automation is leveraged for moving parts down the production line. Robots cut metal, assemble parts and spray paint. As opposed to the office environment, which is more likely to follow IT standards for the configuration of computers, printers and applications, the manufacturing environment is usually less well understood and less easily managed, due to the variety of systems in use.
In the manufacturing environment, specialized IIoT devices may communicate using special, non-IT protocols. Compared to office computers, they will often lack security controls, management tooling and the ability to be patched. If they can be patched, it may require local access. These devices may not have unique passwords, or they may require that passwords be changed manually with special equipment. Often, a factory will not have a detailed inventory of all manufacturing assets.
In addition to the variety and manageability of manufacturing systems, they may sometimes have special requirements. They may require unauthenticated Internet access, or require support by external vendors. They may run software which requires older and sometimes unsupported OS versions. They may be specialized or embedded systems, without the ability to run requisite desktop security software. They may be turned off for months at a time, or they may reboot every time a piece of equipment is turned on and have no persistent memory. Another factory consideration is often the agreed-upon rules for wage employees using manufacturing systems and software. Production line computers may be forced to use shared passwords or rely on auto-logon.
The factory environment can be quite different from the office environment. However, a manufacturing company cannot afford for its production line to go down. It needs to manage the environment and still prevent viruses, attacks and misconfigurations which could stop production. Of course, the CISO needs to protect the entire large, complex enterprise network, of which the factory is just a subset.
There are two ways to do this. The first is to segment the network, to allow legitimate traffic to flow, but to isolate systems so a specialized or legacy system that is attacked will not affect other factory or corporate systems. When you are dealing with a large, legacy network (with perhaps many other factories around the world), that is easier said than done.
You may be able to implement policies (often manually configured) and IP segmentation to reduce the risk of abuse (e.g. malicious USB devices, downloads from the Internet). Full network segmentation with firewalls is probably untenable, so another approach relying on the ability to monitor, detect and respond may be the most effective. This relies on the ability to collect network data, establish what normal traffic looks like, and detect inappropriate or malicious behavior and misconfigurations. Visibility into existing data sources, such as NetFlow, proxy and DNS logs, can be used to identify attacks that would otherwise fly under the radar or be lost in the noise.
Anomaly detection alone can be very noisy, and potentially devastating threats could still fly under the radar. The best way to deal with a diverse environment and unique, unexpected traffic seems to be to additionally leverage machine learning to look for the specific East-West traffic indicative of malicious actors, viruses and misconfigurations which could bring your production line to a grinding halt. Along with automation and orchestration, the impact can be minimized and the extent of an attack presented to analysts, so that affected systems can be quarantined and recovered more quickly.
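The baseline-and-deviation step described above, as an added illustration that is not code from the original article: it learns which internal (East-West) peer and port pairs each factory host normally talks to from NetFlow-style records, then flags new internal pairs and a host that suddenly fans out to several new internal peers. The flow records, the 10.20.0.0/16 factory range and the fan-out threshold are constructed assumptions; an ML model would refine this scoring, not replace the baseline.

```python
import ipaddress
from collections import defaultdict

# Assumed factory address range; anything inside it is "East-West" when both ends are internal.
FACTORY_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed NetFlow-style records (src, dst, dst_port) standing in for a learning window.
BASELINE = [
    ("10.20.1.10", "10.20.1.50", 502),     # HMI -> PLC over Modbus/TCP
    ("10.20.1.10", "10.20.1.51", 502),
    ("10.20.1.20", "10.20.1.50", 44818),   # engineering station -> PLC over EtherNet/IP
    ("10.20.1.10", "10.20.9.5", 53),       # HMI -> factory DNS resolver
    ("10.20.1.20", "203.0.113.7", 443),    # vendor support session, North-South
] * 3

# Constructed flows from a later window; the PLC at .50 now reaches three peers over SMB.
NEW = [
    ("10.20.1.10", "10.20.1.50", 502),
    ("10.20.1.50", "10.20.1.51", 445),
    ("10.20.1.50", "10.20.1.52", 445),
    ("10.20.1.50", "10.20.1.53", 445),
    ("10.20.1.20", "203.0.113.7", 443),
]

def is_east_west(src, dst):
    """True when both endpoints sit inside the factory range."""
    return ipaddress.ip_address(src) in FACTORY_NET and ipaddress.ip_address(dst) in FACTORY_NET

def build_baseline(flows):
    """Per source host, the set of (dst, port) pairs observed during the learning window."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[src].add((dst, port))
    return seen

def score_flows(baseline, flows, fanout_threshold=3):
    """Alert on East-West flows to (dst, port) pairs never seen for that source, and
    raise a higher-severity alert when one host reaches >= fanout_threshold new peers."""
    alerts = []
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        if not is_east_west(src, dst):
            continue  # North-South traffic is out of scope for this check
        if (dst, port) not in baseline.get(src, set()):
            alerts.append(("new_east_west_pair", src, dst, port))
            new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append(("lateral_fanout", src, len(peers), None))
    return alerts
```

Running `score_flows(build_baseline(BASELINE), NEW)` yields three new-pair alerts for the PLC plus one fan-out alert, while the same call over `BASELINE` itself yields nothing.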
This solution needs to be scalable, across factories and across the large and complex enterprise network. The ability to aggregate and analyze network data across silos is therefore a much more scalable and affordable solution than purchasing and deploying additional hardware.
While there is no doubt that many CISOs will roll their eyes when they hear certain buzzwords, the manufacturing environment is unique and would benefit from an AI solution to monitor logs and traffic, and uncover malicious activity which might otherwise be lost in the noise. When you are not able to simply segment and isolate systems, the ability to intelligently monitor their communications and provide detailed, actionable information to security analysts seems the best approach to securing the manufacturing environment.