Recent headlines have been abuzz with ICS experts warning of grid vulnerability to hacking. Digital threat actors have become exceptionally skilled at infiltrating every type of computer network. Industrial Control Systems (ICS) are no different: while these networks were generally thought to be more secure because they did not communicate outside the corporate network or over the internet, attackers have managed to compromise them and steal valuable production data.
Some of the most effective tools in combating this threat are the emerging technologies in Machine Learning and Artificial Intelligence. By combining real-time data monitoring with orchestration and automated response, AI/ML solutions are proving their value when compared to legacy systems and human-intervention driven response times.
Real-World Example: Data Exfiltration from “Air-Tight” ICS/SCADA Network
At the last Black Hat Europe conference, security research firm CyberX demonstrated how data exfiltration was possible from a supposedly air-gapped ICS network. By delivering a payload of specific ladder logic code into Programmable Logic Controllers, the attack was programmed to send out copies of data through encoded radio signals which can be received by AM radios and analyzed by special-purpose software. As the communication channel is outside the TCP/IP stack, there is no encryption to safeguard the data once it’s captured.
How does AI respond to this threat? In this case, Machine Learning can be used to build an algorithm that establishes a “normal” state and then monitors traffic and configurations against it. This baseline can include network traffic, equipment settings, and even the source code of the PLCs. With continuous heartbeat checks, the algorithm can detect when the system deviates from the baseline and immediately alert security staff to the change.
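As an added illustration of the baseline approach just described (example code written for this page, not code from the article or from any vendor it names), a small Python monitor learns PLC program hashes, equipment settings and per-flow traffic volumes during a learning phase, and on each heartbeat flags program or setting changes, flows never seen during learning, and volumes more than three standard deviations from the learned mean. The device names, ladder-logic bytes and byte counts are constructed placeholders.

```python
import hashlib
import statistics
# Constructed placeholders (not real PLC programs): ladder logic as bytes plus equipment settings.
PROGRAM_A = b"LD I0.0\nAND I0.1\nST Q0.0\n"
DEVICES = {
    "plc-1": {"program": PROGRAM_A, "settings": {"cycle_ms": 10, "write_protect": True}},
    "plc-2": {"program": b"LD I0.2\nST Q0.1\n", "settings": {"cycle_ms": 20, "write_protect": True}},
}
# Flow key: (src, dst, protocol); value: bytes seen in one 60 s window during the learning phase.
LEARNING_WINDOWS = [
    {("hmi", "plc-1", "modbus"): 1200, ("hmi", "plc-2", "modbus"): 800},
    {("hmi", "plc-1", "modbus"): 1250, ("hmi", "plc-2", "modbus"): 780},
    {("hmi", "plc-1", "modbus"): 1180, ("hmi", "plc-2", "modbus"): 820},
]

def learn_baseline(devices, windows):
    """Record the 'normal' state: PLC program hashes, settings and per-flow byte samples."""
    flows = {}
    for w in windows:
        for flow, nbytes in w.items():
            flows.setdefault(flow, []).append(nbytes)
    return {"programs": {n: hashlib.sha256(d["program"]).hexdigest() for n, d in devices.items()},
            "settings": {n: dict(d["settings"]) for n, d in devices.items()}, "flows": flows}

def heartbeat_check(baseline, devices, window, z_threshold=3.0):
    """One heartbeat: compare the current state with the baseline, return alert strings."""
    alerts = []
    for name, dev in devices.items():
        if hashlib.sha256(dev["program"]).hexdigest() != baseline["programs"].get(name):
            alerts.append(f"{name}: PLC program differs from baseline")
        for key, value in dev["settings"].items():
            if baseline["settings"].get(name, {}).get(key) != value:
                alerts.append(f"{name}: setting {key} changed to {value!r}")
    for flow, nbytes in window.items():
        samples = baseline["flows"].get(flow)
        if samples is None:  # a conversation the learning phase never saw
            alerts.append(f"{flow}: flow not present in baseline")
            continue
        mean, sd = statistics.mean(samples), statistics.pstdev(samples) or 1.0
        if abs(nbytes - mean) / sd > z_threshold:  # volume far outside the learned range
            alerts.append(f"{flow}: {nbytes} bytes deviates from baseline mean {mean:.0f}")
    return alerts

def run_demo():
    """Constructed 'after' state: plc-1 program edited, write protection off, new outbound flow."""
    tampered = {**DEVICES, "plc-1": {"program": PROGRAM_A + b"LD Q0.0\nST Q0.7\n",
                                     "settings": {"cycle_ms": 10, "write_protect": False}}}
    window = {("hmi", "plc-1", "modbus"): 1210, ("hmi", "plc-2", "modbus"): 800,
              ("plc-1", "unknown-host", "tcp"): 5000}
    return heartbeat_check(learn_baseline(DEVICES, LEARNING_WINDOWS), tampered, window)
```

Calling `run_demo()` returns three alerts: the modified program, the disabled write protection, and the flow that never appeared during learning.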
Another real-world example comes very recently from the ransomware attack on Atlanta’s municipal infrastructure, which involved encrypting city files, locking access to online services, and blocking the city from processing court cases and warrants. This is just the latest in a string of attacks on American cities. Previously, hackers gained access to Dallas’s tornado warning system and set off sirens in the middle of the night. In the case of Atlanta, an AI cybersecurity layer would have been able to spot irregularities in system access and lock down channels before the hackers could manipulate the permissions.
AI and ICS: Adding Value to Existing Systems
Where does AI fit into your existing ICS security program? You already have the ICS equipment sectioned off on its own VLAN(s), firewalled, monitored, and protected by IDS/IPS, SIEMs, and other security tools. Where does it make sense to insert AI/ML into the equation? The biggest advantage of implementing an AI solution is its real-time response and orchestration. AI tools don’t need to wait for security staff to make a decision, and they aren’t limited to the black-and-white picture of firewall rules, which often miss malware traffic flying under the radar by masquerading as “normal” network signals. Machine algorithms can detect abnormal data exchanges and immediately respond to the threat, long before a SOC resource would be alerted. Some AI offerings can even monitor devices that don’t communicate over TCP/IP, creating powerful visibility into non-networked equipment.
A particularly interesting tool to protect industrial control systems is Cyberbit’s ScadaShield, a layered solution to provide full stack ICS detection, visibility, smart analytics, forensics and response. ScadaShield performs continuous monitoring and detection across the entire attack surface for both IT and OT components, and can be combined with SOC automation to trigger workflows that accelerate root cause identification and mitigation.
Large-scale processes operating at critical power generation, electrical transmission, water treatment, and refining sites, as well as major manufacturing plants, are more at risk than ever. The good news is that new developments in Artificial Intelligence and Machine Learning have created new ways to protect these systems.
If you haven’t already done so, this is a good time to consider adding an AI/ML solution to your security perimeter to take your prevention and response times to the next level.