Mar 19, 2017
Why we don’t use network traffic anomaly detection in OT-BASE

OT-BASE is our strategic software product that helps customers build a reliable and safe IIoT, and ensure that IT/OT convergence is efficient and smooth rather than a culture clash. In many respects, the technology we use in OT-BASE is quite different from the offerings in the crowded market niche of OT network traffic anomaly detection (with companies such as Claroty, Nexdefense, SecurityMatters and Nozomi). This is based on a conscious design decision, which is explained in this post.

What’s wrong with anomaly detection?

If you have studied OT anomaly detection technology like we have (as a matter of fact, we introduced our own, now obsolete, product to the market back in 2006), you are already aware that one of its biggest practical problems is false positives. But that's only the surface. As any OT security expert can tell you, anomaly detection reduces the OT security problem to one tiny aspect: trying to identify cyber attacks in live wire traffic.

Even if that worked with 100% accuracy (it doesn't, for reasons that deserve a blog post of their own), would it be all you have to do as somebody responsible for OT security? Or wouldn't you still want to identify and minimize vulnerable software products and configurations, and infiltration via USB sticks and laptops? Wouldn't you want to reduce your attack surface by hardening systems and protocols rather than putting all your eggs in the anomaly detection basket? And finally, wouldn't you want to introduce cyber security aspects into system design when planning new installations?

Most likely you would, and so do we. That’s why we chose a different approach.

Context beats content

The National Security Agency (NSA) is the global leader in SIGINT. If an organization with virtually unlimited technical capabilities moves away from content analysis of intercepted communications, it should tell you something. Maybe they found a new secret sauce that simply produces better results with less effort? That secret sauce is metadata, or context. It's also what we use in OT-BASE.

Think of OT-BASE as a CMDB on steroids that allows you to analyze complex and hybrid relationships between digital devices, their network associations, installed software, the users who interact with them, geolocation, and physical process characteristics (safety, logistics dependencies etc.). To put it differently, it allows human experts to develop and then analyze a high-fidelity model of their digital OT infrastructure. While this comes with a wealth of tools for automation (software agents, network monitoring gear etc.), the ultimate resource in this game is not some collection of undocumented artificial intelligence algorithms but the human subject matter expert, from both the OT and the IT side. Meanwhile, ICS engineers use the same data set for troubleshooting and system documentation. System designers use it to specify new OT architectures. Project engineers use it to verify conformance with the specs during FAT and SAT. And so on.

A more reliable way to detect cyber attacks

Such a system model also allows you to detect cyber-physical attacks as they unfold. We do this by focusing on the artifacts an attack produces (unauthorized configuration change) rather than trying to identify "bad", malicious packet content as it flies by. This way, we can eliminate false positives, because an unauthorized configuration change is always something that needs to be acted on, whether it was caused by a cyber attack or by a sloppy engineer who didn't bother to follow the configuration change procedure. The one precondition is that the model itself is kept current through that same procedure: a change that is approved but never recorded looks exactly like an unauthorized one.

The other benefit is that, since the context is already in the model, you know the criticality of the event right away AND can start hunting for the same indicators of compromise across all other facilities in your fleet. A workflow for incident management is built into OT-BASE.
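As an added illustration of this approach (example code written for this post, not OT-BASE's own implementation; all asset names, sites and artifact values are constructed), the following Python compares observed device configuration against an asset model, flags every change that has no matching change record, ranks the unauthorized ones by the asset's process criticality, and then sweeps the rest of the fleet for the same artifact, which is the indicator-of-compromise step described above.

```python
"""Configuration-drift detection against an asset model, with a fleet-wide IoC sweep.

Added illustration, not OT-BASE code. The asset model records, per device, the
configuration artifacts an attacker has to leave behind to change behaviour
(firmware version, hash of the control logic). Observed state is compared with
that baseline; differences not covered by an approved change record are
unauthorized. All identifiers and values below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    site: str
    criticality: str   # process context: "safety", "production" or "support"
    baseline: dict     # artifact name -> expected value


@dataclass
class ChangeRecord:
    asset_id: str
    artifact: str
    new_value: str     # value the approved change is supposed to produce


@dataclass
class Finding:
    asset_id: str
    site: str
    criticality: str
    artifact: str
    expected: str
    observed: str
    authorized: bool


def detect_changes(assets, observed, change_records):
    """Diff observed configuration against the baseline of every asset."""
    approved = {(c.asset_id, c.artifact, c.new_value) for c in change_records}
    findings = []
    for a in assets:
        current = observed.get(a.asset_id, {})
        for artifact, expected in a.baseline.items():
            seen = current.get(artifact)
            if seen is None or seen == expected:
                continue  # unchanged, or not collected this cycle
            findings.append(Finding(a.asset_id, a.site, a.criticality, artifact,
                                    expected, seen,
                                    authorized=(a.asset_id, artifact, seen) in approved))
    return findings


def unauthorized(findings):
    """Unauthorized changes only, most critical process context first."""
    order = {"safety": 0, "production": 1, "support": 2}
    return sorted((f for f in findings if not f.authorized),
                  key=lambda f: order.get(f.criticality, 99))


def fleet_matches(observed, artifact, value, exclude=()):
    """IoC sweep: other assets anywhere in the fleet carrying the same artifact value."""
    return sorted(aid for aid, cfg in observed.items()
                  if aid not in exclude and cfg.get(artifact) == value)


# Constructed sample data: two sites, one ticketed firmware upgrade, and one
# unknown control-logic hash that shows up at both sites.
ASSETS = [
    Asset("PLC-A1", "Plant A", "safety",     {"firmware": "2.4.1", "logic_sha256": "aa11"}),
    Asset("PLC-A2", "Plant A", "production", {"firmware": "2.4.1", "logic_sha256": "bb22"}),
    Asset("PLC-B1", "Plant B", "production", {"firmware": "2.4.1", "logic_sha256": "cc33"}),
    Asset("HMI-B1", "Plant B", "support",    {"firmware": "7.0",   "logic_sha256": "dd44"}),
]
OBSERVED = {
    "PLC-A1": {"firmware": "2.4.1", "logic_sha256": "ee55"},  # logic changed, no ticket
    "PLC-A2": {"firmware": "2.5.0", "logic_sha256": "bb22"},  # firmware upgrade, ticketed
    "PLC-B1": {"firmware": "2.4.1", "logic_sha256": "ee55"},  # same unknown logic, other site
    "HMI-B1": {"firmware": "7.0",   "logic_sha256": "dd44"},  # unchanged
}
CHANGES = [ChangeRecord("PLC-A2", "firmware", "2.5.0")]


def run(assets=ASSETS, observed=OBSERVED, changes=CHANGES):
    """Return (asset, criticality, artifact, observed value, other assets with the same artifact)."""
    report = []
    for f in unauthorized(detect_changes(assets, observed, changes)):
        others = fleet_matches(observed, f.artifact, f.observed, exclude={f.asset_id})
        report.append((f.asset_id, f.criticality, f.artifact, f.observed, others))
    return report


if __name__ == "__main__":
    for row in run():
        print(row)
```

The ticketed firmware upgrade on PLC-A2 produces no alert at all, while the unexplained logic hash is reported first for the safety-rated PLC-A1 and immediately tied to PLC-B1 at the other site.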

Beyond the drama

But OT-BASE does much more for you. Let's be honest, cyber attacks against OT are completely overhyped. The recent frenzy of venture capitalists storming into OT security was not driven by strongly increased market demand but by the fact that the IT security market is largely taken. Venture capital is therefore moving from downtown to the suburbs, producing a set of solutions for which few customers believe they have a matching problem.

What IS a quickly growing problem in the real world, and a market opportunity at the same time, is the rapid growth of the IIoT. And that's where OT-BASE comes in again. Ask yourself what an organization needs to do if it plans to extend the number of digital devices on the plant floor by an order of magnitude and, as a consequence, faces a corresponding surge in data traffic. In a nutshell, an organization that bets its competitiveness and prosperity on the reliability of this hyper-complex infrastructure had better have a solid plan for how to CONTROL all significant parts of it (hardware configuration, software configuration, network architecture, users, process and business criticality), beginning in the planning stage. That's what we do in OT-BASE.

To learn more about OT-BASE, ask for our comprehensive brochure and a web demo.