“There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked.”
I heard these chilling words a couple of years ago at an IoT conference. The implication is that there may be bugs inside a company’s network that are lying low, collecting vital information and waiting for an opportune time to attack.
While much of the cybersecurity attention is focused on preventing unwanted entry, companies also need to scrub the inside of their networks to make sure they’re free of latent malicious threats that entered before the firewall was strong enough to withstand attack. To help with this effort, Rockwell Automation has introduced threat-detection services to monitor the insides of the control system for the presence of unwanted intruders.
The threat-detection effort rounds out the standard security system that provides a secure perimeter around the network. “We provide defensive capabilities across the attack continuum: before, during, and after,” Umair Masud, consulting services portfolio manager at Rockwell Automation, told Design News. “We’ve focused on the before side with firewall security. What we’re doing with threat detection is adding the capability of building a baseline of what’s normal and then detecting when something is outside of that normal.”
Scrubbing the Inside of the Network
In building firewalls, Rockwell partners with Cisco Systems. For threat detection, Rockwell brought in another partner. “We are utilizing technology from Claroty. They have software that enables detection capabilities,” said Masud. “We combine their services with our industrial expertise, our ability to implement, and our understanding of how to deploy monitoring services.”
After it’s implemented, the detection technology scans the network to determine what’s healthy traffic and what’s anomalous. “Once the software is installed in the environment, it goes into learning mode and passively listens to the traffic and documents the traffic flows – it learns the baseline,” said Masud. “This is the process of scrubbing and validation. You need to be able to understand how things are supposed to run in order to scrub that baseline.”
The process of developing the baseline is conducted in a manner that has no effect on network traffic. Once the baseline is in place, the company needs to develop a plan of action for when something untoward occurs. “When we have the baseline, we are able to make recommendations to the customer on how to deal with any anomalies or events that may be potentially malicious or may be causing harm to the environment,” said Masud.
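As an added illustration of the learning-mode-then-detect workflow described above (example code written for this article, not Rockwell’s or Claroty’s software), the script below records flow tuples during a learning phase, flags rarely seen flows for human validation, and then reports any monitored flow that falls outside the validated baseline. The addresses, ports and protocol labels are constructed sample values.

```python
from collections import Counter

# Constructed flow records as (src, dst, dst_port, protocol). A real sensor
# would build these passively from a SPAN/mirror port, not from a list.
LEARNING_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 44818, "ENIP"),   # HMI -> PLC (EtherNet/IP)
    ("10.0.1.10", "10.0.1.20", 44818, "ENIP"),
    ("10.0.1.11", "10.0.1.20", 502, "Modbus"),   # engineering station -> PLC
    ("10.0.1.20", "10.0.1.50", 123, "NTP"),      # PLC -> time server
]
MONITORED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 44818, "ENIP"),   # matches the baseline
    ("10.0.1.99", "10.0.1.20", 502, "Modbus"),   # host never seen in learning
    ("10.0.1.11", "10.0.1.20", 22, "SSH"),       # known host, unseen service
]

def learn_baseline(flows):
    """Learning mode: count how often each flow tuple was observed."""
    return Counter(flows)

def scrub_baseline(counts, min_count=2):
    """Validation: split flows into trusted (seen often) and needs-review (rare)."""
    trusted = {f for f, n in counts.items() if n >= min_count}
    review = sorted(f for f, n in counts.items() if n < min_count)
    return trusted, review

def detect_anomalies(baseline, flows):
    """Monitoring: report flows outside the validated baseline with a reason."""
    known_hosts = {f[0] for f in baseline} | {f[1] for f in baseline}
    alerts = []
    for flow in flows:
        if flow in baseline:
            continue
        src, dst, _port, _proto = flow
        if src not in known_hosts or dst not in known_hosts:
            alerts.append((flow, "unknown host"))
        else:
            alerts.append((flow, "new service between known hosts"))
    return alerts

def run_demo():
    trusted, review = scrub_baseline(learn_baseline(LEARNING_FLOWS))
    # Assumption for the demo: the plant team confirms the rare flows are legitimate.
    baseline = trusted | set(review)
    return review, detect_anomalies(baseline, MONITORED_FLOWS)

if __name__ == "__main__":
    review, alerts = run_demo()
    print("flows needing validation:", review)
    print("alerts:", alerts)
```

The two alert reasons map to different response paths: an unknown host is a candidate for isolation, while a new service between known hosts usually warrants a change-control check before anything is blocked.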
Removing Unwanted Visitors Without Shutting Down
While detection is one portion of the service, another part involves developing an alert system and a plan for action. “We utilize Claroty’s technology to announce issues on the network, and then we respond,” said Masud. “We create an incident response plan. There is a set of five actions we can take without disrupting the availability of the network’s process.”
When an anomaly is detected, the actions that follow are designed to avoid the disruption of plant operations if at all possible. “The selections of courses you can take are wide, including shutting things