francesco sole le donne archiviano Dedicated Probes : a new comer not yet widely accepted

The notion of cherche homme musulman pratiquant probes for detecting intrusion in control systems is now more than 10-years-old (refer to SINARI project for example) and has also been officially requested in the Critical Infrastructure French Law (LPM) for Critical Infrastructure operators in 2016. 

However they are rarely used and this is due to several reasons:

1 – Market maturity

2 – Alert treatment

3 – Products differences and availability. 

Market Maturity

The process of securing an industrial system requires many activities and technical measures which are commonly accepted (IEC 62443 for example) as higher priorities. A risk analysis is a first cornerstone, followed by an architecture segmentation, then the control of remote access, identification / authentication systems; hardening devices, installing EDR, supervising the administrator actions, setting up updates and tracking new vulnerabilities etc. Altogether, it is something still new in the industry and it brings significant changes in the technical culture, with additional obstacles to the projects with respect to usual way of designing, deploying and operating control systems. 

With respect to such a change, the addition of a probe cannot be seen as a must. When most control systems consist of unsupervised networks, with data flows neither monitored nor known except at the top entrance, the traffic analysis that a probe will present is far too advanced. At this point, most operators will be fully satisfied to only monitor the global parameters, such as hosts numbers, IP addresses, services used and traffic volume. 

This is reinforced by the perception that most probes use attack-pattern detections, which is not very different from what a firewall can do. 

Alert treatments

For industrial systems already protected, the question of a probe raises another difficulty, linked to exactly what the probe will deliver, and how it may be inserted in the global cybersecurity posture. Unlike IT systems, the cyber supervision is mostly weak in personal and innovation. To date no SIEM or SOC are interested in coping with industrial specific aspects. 

Seen from an IT current perspective, a probe falls into the category of IDS (Intrusion Detection System). IDS produce syslogs, mainly associated with attack-pattern detection (Bro, Suricata). It is known and processed by the SOC with all the tools of Threat Analysis and delivers a high-level posture. 

For Industrial Systems (OT, Operational Technology), probes are more than that because they often are the only network monitoring system. It means that the network consistency and integrity relies on the probe much more than any other technical system, even though the probes are passive and are limited to devices “talkative” on the network. This is the reason why probes specifically dedicated to industrial systems generate their own network map (DarkTrace, Nozomi, Cypres by Cybelius for example).

The trouble is that this map, which is real-time and where the alerts are reported in addition to the network topology and characteristics, requires a specific HMI, mostly local to the industrial site (even though remote access is possible, the HMI server is local). Who in the organization is responsible of operating the probe HMI, what role is it associated to ? this is at the moment not defined, as it is something in-between SIEM and local network monitoring; with the restrictions of use linked to security devices. 

Even the alerts generated by industrial probes may be unfamiliar objects. Advanced probes do not rely only on attack-pattern research but behavioral analysis. The behavioral analysis is really interesting because attack-pattern can be done by firewalls, and do not cover new or unknown attacks. When your system is critical enough to deserve a probe, then unknown attacks and 0-day exploits are exactly what you want to detect. And this has to be done by behavioral analysis. 

The detection of a suspicious behavior, let it be traffic changes, CPU load, new communication patterns (as CyPRES probe detect them) is not easy to process by a SIEM, because these are not usual objects for automatic treatment. In addition, it is recommended to associate site operators to the alert analysis. For example an equipment failure or a maintenance action may have generated the alert if the probe was not correctly configured. In this case, initiating the alert chain makes little chance. 

Such a coordination between behavioral probes, SIEM for automatic treatment and correlations, and local analysis has never been formalized so far. For an operator willing to install probes, this means a dedicated approach. 

Product differences

Industrial probes fall into the IDS category as already said. However it is more than that, due to its privileged position to offer network supervision. The set of function is not clearly defined in the literature and, as a consequence, each product is different. 

It is worth mentioning an ANSSI Guide “Doctrine de Détection pour les Systèmes Industriels » ref PA-084. The ANSSI has made the effort to list all points and devices where an IDS should be used, based on the Purdue model. In addition, each use case is indicated with pattern detection or behavioral detection. To date it is the only comprehensive guide for industrial probes. It is not a standard and expert views may differ, but it offers a solid ground on the matter. 

The only probe which is “pure” behavioral” is CyPRES from the French company Cybelius. CyPRES uses the industrial system traffic, with a lot of details, as the main indicator. If the traffic is affected on its metrics (several dizains) without a context cause (maintenance mode, operator change, emergency functions…) then CyPRES raises a so-called symptom, which can be processed or not by the connected SIEM. Then a second stage associates the symptoms to create a diagnosis. The two-stages is based on the fact that network characterization, which is more easy to do for industrial systems as they present a lot of regularities, is still not perfect. Small deviations must be detected and recorded as they may be the precursor of real troubles. But only correlated precursors (through a rule engine) lead to a symptom, such as a new machine with specific services and traffic patterns out of normal use, are valid enough to trigger the alert chain. 

This example related to CyPRES is clear enough to see how the manufacturer is addressing the detection algorithm. Claroty, Dragos are different. 

Additionaly, Cybelius is now associated with Sesame IT to integrate CyPRES algorithms in Sesame IT probe called Jizô. Jizô is an IT IDS, ANSSI-qualified, so the CyPRES-Jizô next generation probe will be both pattern and behavioral, and will be applied on both IT and OT systems. This is unique and it shows how different the products are and will be in a near future. 

The massive adoption of probes in the industrial domain is facing several challenges and, out of strong regulation, or a product becoming distributed and adopted at a sufficient scale, the adoption as a “normal” technical measure will take several years. 

Categories: Uncategorized