Industrial control systems security with Elastic Security and Zeek

NIST defines ICS as information systems that control industrial processes like manufacturing, product handling, production, and distribution. They consist of a combination of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve industrial objectives. These systems run the primary critical infrastructure sectors, such as communication, energy, transportation, chemical industry, and nuclear.

ICS are categorized into different types depending on their mission, scale, and geographical dispersion. The most common type is Supervisory Control and Data Acquisition (SCADA), which controls geographically dispersed assets, such as oil and gas pipelines, electrical power grids, and telecommunication networks. 

ICS are typically a mixture of information technologies (IT) and operational technologies (OT), which are scattered on the different system levels starting from the field networks, to the ICS operation centers, to the corporate networks, and even to the cloud. These technologies generate large data volumes with different formats and structures, which have to be searched, correlated, and visualized promptly across subsystems, processes, assets, regions, plants, and so on, to support the ICS operation and security.

In addition to being the backbone of critical national infrastructure, which makes them a principal target for cyber attacks, ICS can also involve high physical exposure of their assets and networks, which makes their security monitoring and defense much broader and more complex.

Furthermore, ICS security has more specific requirements than enterprise security, which makes the application of common enterprise security mechanisms to an ICS particularly negative on the system functionality and safety. 

For example, the Confidentiality, Integrity, Availability (CIA) triad of IT security is upside down in OT, making the goals of IT and ICS security programs very different. The operational nature of the environments also brings other challenges such as legacy and discontinued software, and the inability to patch or upgrade to fix vulnerabilities immediately. This can leave large systems at risk for months or even years without bespoke security mechanisms that combine both, security and functionality.

Elastic Security can be the basis of such a mechanism to deliver these requirements with high performance, scalability, and exceptional visual experience.

Keeping track of all ICS asset history and accurate status in a global inventory is critical not only for purposes like maintenance, cost management, and environment optimization but also for the system's security. Well-implemented and maintained inventories are key to ICS security programs, since you can’t protect what you don’t know about. Knowing what is on the ICS network, and what should normally be there at any instant, is very important to take action toward any unexpected events.

The ICS inventory should contain all the OT assets with their basic attributes, such as the static information about the manufacturer, model, serial number, etc., as well as the dynamic information, such as the physical location and geo-location, IP and port configuration, alarm settings, software update version and patch status, and so forth.

The inventory should also include metadata that can provide more context about the assets, to be used for maintenance and security such as known deficiencies, possible compatible replacements, known vulnerabilities and exploits, and related threat intelligence. This information reduces the investigation time — especially in ICS field networks, which are usually operated by small teams that may have IT or OT knowledge gaps — and increases response efficiency in emergency cases.

Creating the ICS inventory in Elastic makes it possible to search and find relevant information about the assets we want to secure quickly and at scale and in the same place where security data is being ingested and alerts are triggered. It also enables an exceptional graphical view in Kibana via Maps, Graphs, and Canvas.

It is usually impossible to build and maintain the ICS inventory manually. The more effective method is to use the data flowing to Elastic, particularly the network data, to capture any new assets and update the information of the existing ones. Elastic can transform time-series data into an entity-centric view that helps track each asset and summarizes its configuration — for example, to automatically list a device's open ports and the source and destination IPs it is trying to communicate with. This way, the inventory also automatically stays up to date.

The inventory information can be also automatically enriched with other data from various internal and external sources (e.g., other data indices, external databases, CMDB). Below is a screenshot of an entity-based view of the sample Modbus data. This view summarizes critical information, such as all destination IP addresses and ports that the device communicates with, and the protocol addresses for the Modbus communications. This information is continuously updated by the transform job and can be used to create alerts in case of pattern changes.

Most attacks against the ICS utilize the networks on which they are connected. This makes network security monitoring one of the key aspects of the ICS security programs. However, combining IT and OT technologies and protocols makes this aspect a challenging one.

Enterprise networks are the most common entry points for adversaries targeting the ICS. Elastic supports network packet capture from servers and endpoint machines and provides a long list of integrations for the most common enterprise network technologies like Cisco, Palo Alto Networks, and F5.

For the OT part of the network, Elastic integrates with network detection frameworks like Zeek, which currently supports the majority of ICS protocols including Modbus, DNP3, Ethernet/IP, S7comm, MQTT, and more. Zeek also provides the Spicy Framework, which simplifies and accelerates the generation of customer parsers for other protocols that are not currently supported. 

Zeek unobtrusively observes network traffic, which makes it fit the requirement of OT networks not to disrupt control data flow. It uses this traffic to generate compact, high-fidelity, and richly annotated metadata that shows sessions and protocol transactions in a curated and logical way.

Ingestion of this metadata on Elastic allows for better analysis and correlation with the enterprise network data to enable better threat detection and incident response.The below screenshots show the Zeek metadata generated from an ICS packet capture containing multiple control protocols like Modbus, DNP3, Ethernet-IP, and other IT protocols.

At the ICS endpoints level, an endpoint detection and response (EDR) solution should replace the traditional anti-malware solutions for multiple reasons: 

• The majority of ICS endpoints do not have internet access, particularly on the field networks, which require them to have an active solution that works efficiently offline. 
• There is no reliable signature database for ICS malware. Even with the available signatures, the ICS assets remain unprotected against zero-day attacks, particularly for aged or discontinued platforms or software.
• ICS patch management can be very delicate for production servers. First, vulnerability scans are usually so infrequent because they can disrupt the industrial operation during the process. Also, if the vendors are still maintaining the software (which might not be the case for 10–15 year environments), patching the discovered vulnerabilities can cause operational errors and adversely affect the system's operation. 

Elastic provides Elastic Defend, an Endpoint Security solution, which can work offline to maintain deeper visibility on the endpoint level, thereby providing detection and prevention capability for known and unknown threats. Elastic Defend includes ransomware protection, memory threat prevention, malicious behavior prevention, attack surface reduction protection, and more. This EDR solution also streamlines centralized response actions, such as isolating infected endpoints to prevent damage from spreading across the ICS network and suspension and killing of processes, among others. 

The Elastic Agent also provides the capacity to run on-demand and scheduled OSquery on hosts. The OSquery integration can also run on-demand YARA scans using the YARA table. This is beneficial in the case of new ICS threats or campaigns where the threat signatures can be available early in the threat intelligence feeds.

Anomaly detection with machine learning (ML) is a very efficient detection strategy for ICS threats. This is because the behaviors of these systems are steady and consistent over time. This simplifies the creation of accurate and reliable baselines for the different processes, assets, users, and more to detect any anomalies with high confidence.  Elastic ML provides both supervised and unsupervised techniques to create customized jobs fitting the exact system needs. These jobs can take into account scheduled events like regular maintenance to ensure that the ML model runs with higher fidelity and focuses more on unexpected events.

Creating these jobs in Elastic also allows system operators to quickly identify or predict risky situations by examining abnormal behaviors in their systems, even if no alarms are triggered by the field assets themselves. This makes it possible to overcome situations where attackers attempt to prevent safety functions from engaging and operators attempt to respond to failures using response function inhibition techniques.

Machine learning also plays an important role in detecting ICS malware variants given the lack of reliable signature databases.

Threat intelligence can provide knowledge about how an ICS could be compromised, who can target it, and why and how. It can also provide context, detections, and mitigations, the information that plays a timely vital role in protecting the systems and preventing the disruptions or incidents that security threats may cause.

In 2020, MITRE released the ICS ATT&CK matrix, a focused matrix that introduced ICS-specific adversary TTPs. It presents a joint between enterprise techniques and ICS techniques, helping to bridge the gap between IT and OT security within an ICS environment. The matrix provides information about the data to collect and from which sources to create efficient detections and mitigations. This matrix can be used in integration with other internal and external threat feeds to embody global intelligence and increase the maturity of the ICS security program.

Elastic Security integrates with many threat intelligence data sources, which allows for:

• Enrichment of the ICS inventory with the threat intelligence data
• Creation of indicator match detection rules mapped with MITRE techniques
• Analysis of the MITRE techniques coverage across both the matrices for Enterprise and ICS to make an overall assessment
• Use of the threat intel information for threat hunting in the ICS environment 

The figure below is an example of the overall solution architecture with network and endpoint security and integrated threat-intelligence illustrated on a typical oil and gas SCADA system.