Borja Pérez, country manager of Stormshield Iberia.
Cyberattacks against operational infrastructures are increasingly sophisticated. Sequenced in different stages, they become aggressive and difficult to detect for different protection systems. Thus, and although most organizations claim to be aware of cyber risks and their consequences (loss or theft of data, production interruptions, etc.), they often they are in greater danger than they suspect.
With the appearance in the last years of the Industrial Internet of Things (IIoT), cyberattacks are now directed against companies in sectors vital to society (aeronautics, nuclear energy, electricity or health), and although, in some cases, these actors know where the weaknesses of their systems lie, they don’t have the means to replace the applications and / or the equipment in question. This is common in operational (OT) and mission critical networks, as in the health or industrial sector, that use applications supported only by outdated operating systems, which makes them a target for cybercriminals, who have been exploiting these vulnerabilities for years.
“The industrial sector must move forward in order to provide a real response to the challenges associated with network security”
In view of this reality, and in accordance with the increasing hyperconnectivity of industrial networks, marked by IT / TO convergence or the use of Edge / Cloud Computing, there is no doubt that the industrial sector must advance in order to give a real response to the challenges associated with network security and guarantee the availability and integrity of its systems
A proactive response: DPI
Given the increase in cyberattacks directed against OT infrastructures, some industrial organizations and experts in the field have published good practice guides for the proper management of control systems. Among others, they mention the need to segment the network, control access, acquire reinforced systems, implement antivirus and IPS-type intrusion prevention engines.
A Intrusion Prevention System (IPS) is an active protection tool that allows to identify and block possible malicious flows on the network. Its main function is to monitor network packets and their content in real time to apply predefined rules based on the attack detected and the intended target.
“IPS systems identify and block possible malicious flows on the network”
IPS systems are installed online on the network that protect, and analyze network packets, initially to verify protocol compliance and monitor commands. They then search for network packets that contain a set of data matching the signature of known malware to block attack attempts. Some IPS systems are even capable of identifying abnormal behaviorIn addition to analyzing the information in great detail, hence the frequently used term “Deep Packet Inspection (DPI)”, which allows to reinforce the security level of the operational infrastructure to reduce the commitment of network assets.
What IPS solution to use?
Given that some malicious programs can evolve, as has been demonstrated in recent years, it is advisable to use an IPS solution that is capable of:
• Protect and control proprietary OT protocols with signature customization
• Actively monitor the network and ensure data integrity and availability
• Reduce false positives, through the analysis of specific protocols
• Protect against unknown attacks thanks to the detection of new abnormal behaviors and / or attack variants
• Prioritize Stateful DPI, to perform contextual analysis to better identify the context in question
• Ensure operational continuity in the event of malfunction: on-board safety function (bypass mode)
• Maximize team productivity. An all-in-one IPS solution that is easy to deploy and easy to use will not increase network latency. Similarly, a clear graphical interface will improve IPS integration and management by providing more visibility into the systems to be protected.