Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/19/2017
10:50 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Siemens' New ICS/SCADA Security Service a Sign of the Times

Major ICS/SCADA vendors are entering the managed security services business with cloud-based offerings for energy and other industrial sectors.

It's been seven years since the game-changer Stuxnet worm was unearthed and thrust the industrial control sector to a new reality where cyberattacks could sabotage even air-gapped physical plant operations.

Siemens, whose whose process control systems were targeted in the attack that ultimately sabotaged centrifuges in the Natanz nuclear facility in Iran, was among the first of the traditional ICS/SCADA vendors in the wake of Stuxnet to step up and build secure software development programs as well as roll out new products with built-in security features.

Now meet the next big thing for Siemens and other major ICS/SCADA equipment vendors: managed security services. Siemens today kicked up a notch its existing network monitoring and security services with the addition of anomaly detection technology from PAS that monitors all brands of industrial and computing equipment – not just its own - on a plant network.

Leo Simonovich, vice president for global cyber security for Siemens, says the newly enhanced managed security service – which includes monitoring, incident response, and management – is just the beginning, with more features on the horizon. The network monitoring capability in Siemens' service that launched earlier this year comes via its partnership with Darktrace.

"We have a vision to bring the best of breed technologies together" for visibility of OT [operational technology] networks, Simonovich says. "That means we have to monitor the network, monitor the control layer, and the assets themselves, like turbines," for example, he says.

"Control-level coverage solves a core problem for customers: they can't protect what they can't see."

It's been a long road for Siemens since Stuxnet. The firm in the wake of Stuxnet Siemens doubled down on patching its older and security flaw-ridden ICS/SCADA systems software and launched an internal CERT, as well as focusing on secure software development. In 2012, Siemens launched a new generation of ICS systems with built-in firewall and virtual private network features, the Simatic CP and Scalance communications processors, as well as a new secure router.

"Unfortunately, we were hit by Stuxnet, and since then our journey has been to more secure products" as well as security service offerings "irrespective of the vendor. That's what our customers are asking of us," Simonovich says.

Some of its counterparts also are expanding into cloud-based security services for ICS/SCADA operations. Rockwell Automation late last week launched new threat detection services that include similar features to what Siemens is now offering: real-time monitoring as well as asset management. The ICS/SCADA vendor built the service with with threat-detection software from startup Claroty.

Schneider Electric offers a cybersecurity protection service that automatically updates Schneider's products as well as third-party operating systems and endpoint security products with patches.

Security experts expect more of these traditional large ICS/SCADA vendors to roll out managed security service offerings, as the industrial sector faces new and more advanced threats that many of these organizations don't have the expertise nor experience to thwart.

Dale Peterson, founder and CEO of ICS firm Digital Bond, has been watching major ICS/SCADA vendors start to build more secure products since Stuxnet's discovery. Cloud services from these vendors could be the next trend, he notes, as these vendors look for new sources of revenue.

OT: Security Newbies

Many industrial, aka operational technology (OT), teams are still new to cybersecurity. "For many of them, OT is the core focus on on operations of that plant. Cybersecurity is not their day-to-day job," Siemens' Simonovich says. That's where Siemens hopes to step in with its managed security services, he says.

Not unlike IT's challenge, staying on top of all of the devices and software configurations and updates in an OT network has made these plant networks more vulnerable to attack.

Human error accounts for 70% of incidents in the OT environment, says Eddie Habibi, founder and CEO of PAS. "These systems are wide open to external attacks as well as internal human error," he says, which ups the ante for better visibility and management of them.

PAS's technology includes asset discovery and inventory, patch management, vulnerability assessment and recovery, and configuration and change management control, he notes, as well as analytics and visualization of all types of vendors' systems.

Proprietary ICS/SCADA systems not only are engineered differently, but often configured specifically for a certain plant environment based on operational performance requirements and other parameters, notes Siemens' Simonovich. "That's been a hard nut to crack," he says. "The network-level [monitoring] doesn't tell you if a PLC is behaving in a particular way to turn on or off a valve, for example," he says. That's something PAS's technology and Siemens' analytics features do via the new security service, he notes.

Meanwhile, anomaly detection vendors and products for the ICS/SCADA realm have exploded over the past year or so, with some 20-plus vendors crowding this space, notes Digital Bond's Peterson, who has tracked them. It's unclear whether industrial operators will go with these third-party vendors or their traditional ICS/SCADA vendors, he says.

"How successful [traditional ICS/SCADA vendors] will be is too early to know," Peterson says.

"Do you pick an ICS vendor or a traditional monitoring vendor, or some new specialized ICS monitoring vendor?" he says. "That's a harder choice" for operators than choosing ICS/SCADA equipment vendors, he says. "A lot of times smaller vendors have more expertise because it's all they do but they don't have access to … who engineered those [ICS/SCADA] products," for example, he says.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
martin.george
50%
50%
martin.george,
User Rank: Apprentice
9/25/2017 | 11:13:23 AM
Serious?
That is really serious news, what can i say 
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...