It's been seven years since the game-changer Stuxnet worm was unearthed and thrust the industrial control sector to a new reality where cyberattacks could sabotage even air-gapped physical plant operations.
Siemens, whose whose process control systems were targeted in the attack that ultimately sabotaged centrifuges in the Natanz nuclear facility in Iran, was among the first of the traditional ICS/SCADA vendors in the wake of Stuxnet to step up and build secure software development programs as well as roll out new products with built-in security features.
Now meet the next big thing for Siemens and other major ICS/SCADA equipment vendors: managed security services. Siemens today kicked up a notch its existing network monitoring and security services with the addition of anomaly detection technology from PAS that monitors all brands of industrial and computing equipment – not just its own - on a plant network.
Leo Simonovich, vice president for global cyber security for Siemens, says the newly enhanced managed security service – which includes monitoring, incident response, and management – is just the beginning, with more features on the horizon. The network monitoring capability in Siemens' service that launched earlier this year comes via its partnership with Darktrace.
"We have a vision to bring the best of breed technologies together" for visibility of OT [operational technology] networks, Simonovich says. "That means we have to monitor the network, monitor the control layer, and the assets themselves, like turbines," for example, he says.
"Control-level coverage solves a core problem for customers: they can't protect what they can't see."
It's been a long road for Siemens since Stuxnet. The firm in the wake of Stuxnet Siemens doubled down on patching its older and security flaw-ridden ICS/SCADA systems software and launched an internal CERT, as well as focusing on secure software development. In 2012, Siemens launched a new generation of ICS systems with built-in firewall and virtual private network features, the Simatic CP and Scalance communications processors, as well as a new secure router.
"Unfortunately, we were hit by Stuxnet, and since then our journey has been to more secure products" as well as security service offerings "irrespective of the vendor. That's what our customers are asking of us," Simonovich says.
Some of its counterparts also are expanding into cloud-based security services for ICS/SCADA operations. Rockwell Automation late last week launched new threat detection services that include similar features to what Siemens is now offering: real-time monitoring as well as asset management. The ICS/SCADA vendor built the service with with threat-detection software from startup Claroty.
Schneider Electric offers a cybersecurity protection service that automatically updates Schneider's products as well as third-party operating systems and endpoint security products with patches.
Security experts expect more of these traditional large ICS/SCADA vendors to roll out managed security service offerings, as the industrial sector faces new and more advanced threats that many of these organizations don't have the expertise nor experience to thwart.
Dale Peterson, founder and CEO of ICS firm Digital Bond, has been watching major ICS/SCADA vendors start to build more secure products since Stuxnet's discovery. Cloud services from these vendors could be the next trend, he notes, as these vendors look for new sources of revenue.
OT: Security Newbies
Many industrial, aka operational technology (OT), teams are still new to cybersecurity. "For many of them, OT is the core focus on on operations of that plant. Cybersecurity is not their day-to-day job," Siemens' Simonovich says. That's where Siemens hopes to step in with its managed security services, he says.
Not unlike IT's challenge, staying on top of all of the devices and software configurations and updates in an OT network has made these plant networks more vulnerable to attack.
Human error accounts for 70% of incidents in the OT environment, says Eddie Habibi, founder and CEO of PAS. "These systems are wide open to external attacks as well as internal human error," he says, which ups the ante for better visibility and management of them.
PAS's technology includes asset discovery and inventory, patch management, vulnerability assessment and recovery, and configuration and change management control, he notes, as well as analytics and visualization of all types of vendors' systems.
Proprietary ICS/SCADA systems not only are engineered differently, but often configured specifically for a certain plant environment based on operational performance requirements and other parameters, notes Siemens' Simonovich. "That's been a hard nut to crack," he says. "The network-level [monitoring] doesn't tell you if a PLC is behaving in a particular way to turn on or off a valve, for example," he says. That's something PAS's technology and Siemens' analytics features do via the new security service, he notes.
Meanwhile, anomaly detection vendors and products for the ICS/SCADA realm have exploded over the past year or so, with some 20-plus vendors crowding this space, notes Digital Bond's Peterson, who has tracked them. It's unclear whether industrial operators will go with these third-party vendors or their traditional ICS/SCADA vendors, he says.
"How successful [traditional ICS/SCADA vendors] will be is too early to know," Peterson says.
"Do you pick an ICS vendor or a traditional monitoring vendor, or some new specialized ICS monitoring vendor?" he says. "That's a harder choice" for operators than choosing ICS/SCADA equipment vendors, he says. "A lot of times smaller vendors have more expertise because it's all they do but they don't have access to … who engineered those [ICS/SCADA] products," for example, he says.
- Stuxnet Five Years Later: Did We Learn The Right Lesson?
- Stuxnet, The Prequel: Earlier Version Of Cyberweapon Discovered
- Anatomy Of A 'Cyber-Physical' Attack
- Stuxnet's Earlier Version Much More Powerful And Dangerous, New Analysis Finds
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.