Real-time Security Event Discovery
Critical Infrastructure security is of paramount importance in protecting systems and services that are essential to society and the economy: power and water distribution networks, transport and communications grids. The real-world, high-profile consequences of a cyber-attack could include service disruption, environmental damage, financial loss and personal injury on a large scale. Alongside this, there is the often mammoth task of managing a large number of customers, handling data relating to usage, payments and connection status, as well as dealing with geographically diverse legacy systems.
If you sit within, or lead a security team working in these sectors you know that your operations must be high performing, resilient and secure. A strong cyber security posture is fundamental to your operation.
Legislation and Government recommendations
There is considerable pressure on critical infrastructure operators from advisory groups and national governments – for example through the Centre for the Protection of National Infrastructure (CPNI) in the UK, the Australian Government’s Critical Infrastructure Centre (CIC) and the North American Electric Reliability Corporation (NERC) in the US.
Australian Energy Sector Cyber Security Framework (AESCSF)
The Australian Energy Sector Cyber Security Framework (AESCSF) was developed in 2018 through collaboration with industry and government stakeholders, including the Australian Energy Market Operator (AEMO), Australian Cyber Security Centre (ACSC), Critical Infrastructure Centre (CIC), and the Cyber Security Industry Working Group (CSIWG). Based on the US Department of Energy’s ES-C2M2 cyber security capability model, it has been developed and tailored for the Australian energy sector. Its purpose is to enable the assessment of cyber security capability and maturity of Australian energy market participants. You can discover more by downloading Huntsman Security’s guide here.
NIS Directive (EU) 2016/1148
New legislation includes EU Directive 2016/1148 on the security of network and information systems (NIS) which took effect across Europe and in the UK in May 2018. This Directive places requirements on providers of essential services in a number of critical national infrastructure sectors and aims to enhance the security and resilience of networks and IT systems across the EU.
UK Government – High Level Security Principles
The 14 high level security principles proposed by the UK government to meet the security requirements of the NIS Directive include an effective security monitoring strategy and proactive security event discovery. Operators of essential services in the UK are currently encouraged to start analysing their systems and existing security measures to identify control gaps and plan any necessary remediation.
North America – Cybersecurity Capability Maturity Model (ES-C2M2)
The C2M2 is a voluntary public-private partnership program, the development of which is not associated with any compliance requirements. The C2M2 model was identified, organised, and documented by US energy sector subject matter experts from both public and private organisations. The C2M2 is designed to measure both the sophistication and sustainability of a cyber security program. You can discover more by downloading Huntsman Security’s guide here.
How to protect your critical infrastructure
First things first, check that your organisation’s chosen mitigation strategies have been properly implemented, have the correct level of coverage and are operating effectively – at a maturity level that fits with your risk tolerance. In a dynamic environment with constantly changing threats, what is cyber resilient one day may be vulnerable the next. It is important that your security team and senior management have visibility of the business’s current exposure to enable appropriate remediation and informed decision making.
Proactive monitoring & Event Discovery
The UK Government’s National Cyber Security Centre guidance includes two key cyber security principles, Security Monitoring and Proactive Security Event Discovery. Whether your organisation is a UK, Australian or American operator of Critical Infrastructure, these principles are absolutely critical in defending your enterprise:
C.1 Security Monitoring
The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the on-going effectiveness of protective security measures.
C.2 Proactive Security Event Discovery
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployed).
Within the networks and systems supporting the delivery of your essential services there are some key areas to consider:
- Industrial Control Systems
- Building Management Systems
- Networks & IT Systems
Industrial Control Systems
Industrial Control Systems (ICS) are widely used in the Industrial and Power sectors such as Energy, Water, Manufacturing and Pharmaceuticals. They include:
- Programmable Logic Controller (PLC)
- Supervisory Control and Data Acquisition (SCADA)
- Distributed Control Systems (DCS)
There are particular challenges to securing these control systems and the networks on which they are hosted, due to significant differences in their purpose and operation. Tackling these challenges effectively requires high-level visibility of the control system’s infrastructure. Having current, relevant information about the status of the infrastructure and its operation allows risks to be properly identified and effectively managed. SCADA monitoring solutions provide the required level of monitoring.
Building Management Systems
Building Management Systems (BMS), also known as Building Automation Systems, are a type of Control System used to control and monitor the mechanical and electrical equipment in most modern buildings, such as ventilation, lighting, power, fire and security systems. They are common to all business sectors; however, they are particularly crucial in an industrial production environment, where a continuous supply of these services is essential to business continuity and the health and safety of staff.
Network and IT Services
The security and resilience of your networks and IT systems is important. There will be occasions when networks and IT systems are affected by factors relating to personnel and physical security. Protecting personal and sensitive customer information has never been more important, as strict regulations such as the EU GDPR demonstrate.
UEBA – the importance of anomaly detection
Proactive security event discovery involves identifying insiders who may, knowingly or unknowingly, misuse legitimate access to commit a malicious act or damage their employer. It also includes being alert to patterns of network activity, system behaviour or the presence of systems, flows or applications that are not part of the normal operating model.
According to Verizon’s 2020 Data Breach Investigations Report, 30% of data breaches are caused by insiders. Enterprise-wide security monitoring capabilities that include UEBA (User and Entity Behaviour Analytics) to identify insider precursors and behaviour anomalies are essential.
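Both principle C.2 above (detecting activity that evades signature-based controls) and the UEBA paragraph describe the same defensive idea: learn what the normal operating model looks like for each user and entity, then flag what departs from it. The following added example, written for this page and not part of Huntsman Security’s product or code, shows that idea in miniature. It builds a per-user baseline (usual source hosts, target systems, action types and working hours) from a constructed training window of access-log lines, then scores a second window against that baseline with no signature at all. The log format, host names and user names are all invented for the example.

```python
"""Baseline-and-deviation anomaly detection over constructed access-log lines.

Added example (not vendor code). Log format is hypothetical:
    <ISO timestamp> <user> <source host> <target system> <action>
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: what "normal" looked like for two users.
BASELINE_LOG = """\
2024-03-04T08:12:05 alice ws-eng-01 historian-db read
2024-03-04T09:40:11 alice ws-eng-01 historian-db read
2024-03-05T08:55:42 alice ws-eng-01 plc-config-portal read
2024-03-05T14:03:27 alice ws-eng-01 historian-db read
2024-03-04T07:30:00 bob ops-console-2 scada-hmi view
2024-03-04T15:45:12 bob ops-console-2 scada-hmi view
2024-03-05T07:41:39 bob ops-console-2 scada-hmi view
2024-03-05T16:02:50 bob ops-console-2 bms-controller view
"""

# Constructed detection window: two routine events, two deviations, one unknown user.
DETECTION_LOG = """\
2024-03-06T08:20:14 alice ws-eng-01 historian-db read
2024-03-06T23:17:45 alice vpn-pool-17 plc-config-portal write
2024-03-06T08:05:33 bob ops-console-2 scada-hmi view
2024-03-06T12:30:00 bob ops-console-2 hr-payroll read
2024-03-06T03:12:09 carol ws-eng-01 historian-db read
"""


def parse(log_text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, target, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "target": target, "action": action})
    return events


def build_baseline(events):
    """Per-user sets of observed hosts, targets, actions and active hours."""
    baseline = defaultdict(lambda: {"src": set(), "target": set(),
                                    "actions": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["src"].add(e["src"])
        b["target"].add(e["target"])
        b["actions"].add(e["action"])
        b["hours"].add(e["ts"].hour)
    return baseline


def score(event, baseline, hour_slack=1):
    """Return the list of reasons an event deviates from its user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]   # first sighting: cannot judge, so surface it
    reasons = []
    if event["src"] not in b["src"]:
        reasons.append("new source host")
    if event["target"] not in b["target"]:
        reasons.append("new target system")
    if event["action"] not in b["actions"]:
        reasons.append("new action type")
    # Usual hours = observed working window widened by hour_slack on each side.
    lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
    if not lo <= event["ts"].hour <= hi:
        reasons.append("outside usual hours")
    return reasons


def find_anomalies(baseline_text, detection_text):
    """Score every event in the detection window; keep only those with reasons."""
    baseline = build_baseline(parse(baseline_text))
    findings = []
    for e in parse(detection_text):
        reasons = score(e, baseline)
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, why in find_anomalies(BASELINE_LOG, DETECTION_LOG):
        print(f"{when} {user}: {', '.join(why)}")
```

The routine events for alice and bob produce no findings, while the late-night write from an unfamiliar VPN address, the first-ever read of a payroll system, and a user with no baseline at all are each surfaced with the specific deviation that triggered them. In production the baseline would be learned over a longer window and the reasons weighted rather than simply listed, but the structure is the same: the detection depends on the entity's own history, not on a known-bad signature.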
How Huntsman Security technology can help
Huntsman Security’s Next Gen SIEM is proven in meeting the high security, real-time visibility and assurance requirements of critical infrastructure. Protective security monitoring and proactive security event discovery are what we do.
Our customers manage complex network structures, deal with extremely high data volumes and monitor a wide variety of data types and sources. Next Gen SIEM’s suitability for these highly critical environments is proven and acknowledged in The Forrester Wave™ 2018 for Security Analytics platforms. Huntsman Security’s Next Gen SIEM provides:
- Volume and Speed: Effective, real-time collection from a range of standard and bespoke data sources – including specific systems that support ICS, SCADA and other related technologies;
- Anomaly Detection: Visibility of anomalous activity within the network, operating system and application layers;
- Visibility: Business and technical dashboards to deliver ‘at a glance’ security and compliance status for operators, technicians as well as senior management;
- Management of multiple environments: Data separation capabilities allow different security domains or operational environments to co-exist within the same monitoring solution;
- Inbuilt compliance standards support: to track how you are performing against major government, national and international standards e.g. Australia’s ACSC Essential 8, EU GDPR, PCI-DSS, ISO 27001.
Security Control Measurement
Huntsman Security’s Essential 8 monitoring tools systematically measure the effectiveness of your security controls against the Australian Cyber Security Centre’s ACSC Essential Eight Framework: eight key controls found by the Australian Signals Directorate (ASD) to mitigate 85% of targeted cyber attacks. The Essential 8 Auditor executes an immediate audit of your environment, whereas the Essential 8 Scorecard provides a continuous monitoring capability that alerts system users to any change in status.