Hunting for malicious code, industrial cybersecurity probes blend into factory networks, from the shop floor to SCADA stations, and increasingly interact with the IT side to provide complete protection.
Once connected to IT (the corporate computer system), industrial processes are more exposed to cyberattacks. The threat is by no means theoretical: several pieces of malware have already infiltrated installations, some of them critical. Examples include Triton, which targeted the Saudi oil company Petro Rabigh in 2017; Industroyer, the cause of a Ukrainian electrical infrastructure failure in 2016; and the infamous Stuxnet, which in 2010 infected Siemens PLCs at a nuclear site in Iran. The consequences are potentially dramatic, and sabotage is the motive behind most attacks.
“In the most serious cases, the attacker may seek to cause physical damage to the industrial installation”, note Vincent Strubel, assistant director of expertise, and Mathieu Feuillet, assistant director of operations at the National Information Systems Security Agency (Anssi). Other motives are espionage, cryptomining, which exploits the computing power of the industrial system, and, more recently, ransom demands.
First benefit: visibility on the industrial network
“In 2013-2014, entrepreneurs took up the subject in Israel, France and the United States, with the same approach: providing visibility and detection on industrial control systems”, reports Laurent Hausermann, technical director of IoT security at Cisco. That was the birth of industrial cybersecurity probes. Among the companies specializing in their design, the most notable are Claroty, CyberX, Nozomi Networks and Sentryo, co-founded by Laurent Hausermann and Thierry Rouquet and sold to Cisco in 2019.
Visibility, the primary benefit of such a device, means obtaining an overview of the machines and programmable logic controllers active on the industrial network (OT, operational technology). Collecting data from the field probes, the monitoring software maps the network environment in hours or days, depending on the length of the industrial cycle. It draws up an inventory of the connected machines in order to identify vulnerabilities: obsolete software versions, missing network segmentation, and so on.
“Knowing the state of the network is essential before going any further on security”, notes Vincent Dély, pre-sales director for Europe, the Middle East and Africa at Nozomi Networks. Certain indicators, revealing the quality of exchanges on the network or the presence of machines that no longer need to be there, also have operational value. The OT network can be cleaned up even before any outside threat is detected.
The probe is the field detective: it plugs into an industrial switch or an intermediate TAP (test access point) box. The number of probes required depends on the number of machines to be monitored, the number of listening points needed to cover the entire network, the network bandwidth and its topology (local or wide-area), and whether the network is spread over several sites.
On a single site, deployment takes only a few hours if the network has been prepared (in particular, mirror ports configured for listening). Production does not need to be interrupted. Once in place, the probe receives a copy of the traffic routed over the industrial network. It is then ready to inspect the communications, looking for anomalies.
Two techniques are used, both inherited from IT cybersecurity. Signature detection applies to malicious code that has already been catalogued. It has the merit of being reliable, and its results are unambiguous. But unknown attacks, or “zero-days”, are likely to slip under the radar. Behavioral analysis, which distinguishes behaviors[…]
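To make the two techniques concrete, here is an added example (not code from the article or from any vendor it names): a toy passive probe in Python that builds an asset inventory from mirrored flow records, then flags signature hits and behavioral deviations from a learned baseline. The hosts, flows, protocol function names and the single signature entry are all constructed for the example.

```python
# Added example (not from the article): a toy passive OT probe. It never sends
# traffic; it only reads flow records copied from a mirror port, builds an
# inventory, and applies signature matching and behavioral baselining.
from collections import defaultdict

# Constructed flows as (src, dst, proto, function) seen during a learning window.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.1.21", "modbus", "read_holding_registers"),
    ("10.0.1.11", "10.0.1.20", "s7comm", "read_var"),
    ("10.0.1.10", "10.0.1.20", "modbus", "write_single_register"),
]
# Constructed live traffic: the baseline plus three new flows.
LIVE_FLOWS = BASELINE_FLOWS + [
    ("10.0.1.99", "10.0.1.20", "modbus", "write_multiple_registers"),  # unknown host
    ("10.0.1.11", "10.0.1.20", "s7comm", "plc_stop"),  # known host, catalogued pattern
    ("10.0.1.10", "10.0.1.21", "modbus", "read_holding_registers"),  # normal
]
# Constructed signature list: (proto, function) -> hypothetical signature id.
SIGNATURES = {("s7comm", "plc_stop"): "EXAMPLE-SIG-PLC-STOP"}

def inventory(flows):
    """Passive asset map: each host and the protocols it was seen speaking."""
    assets = defaultdict(set)
    for src, dst, proto, _ in flows:
        assets[src].add(proto)
        assets[dst].add(proto)
    return {host: sorted(protos) for host, protos in assets.items()}

def learn_baseline(flows):
    """Behavioral baseline: the set of (src, dst, proto, function) tuples observed."""
    return set(flows)

def detect(flows, baseline, signatures):
    """Return alerts. Signature hits are unambiguous; behavioral hits are deviations."""
    known_hosts = {host for flow in baseline for host in flow[:2]}
    alerts = []
    for flow in flows:
        src, dst, proto, func = flow
        if (proto, func) in signatures:
            alerts.append(("signature", signatures[(proto, func)], flow))
        elif src not in known_hosts or dst not in known_hosts:
            alerts.append(("behavior", "new host on OT network", flow))
        elif flow not in baseline:
            alerts.append(("behavior", "new conversation or function", flow))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS), SIGNATURES):
        print(alert)
```

Running it prints one behavioral alert for the unknown host and one signature alert for the catalogued pattern; the baseline traffic itself raises nothing.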