As budgets tighten, security teams need a grasp on whether they’re getting full value from the tools protecting their operational technology (OT) and cyber-physical systems (CPS). One of the first steps in making that determination is the generation of usable process data in order to test the efficacy of security tools.
That is easier said than done.
Dan Gunter, CEO and founder of Insane Cyber, presented on the topic at last week’s S4 Conference in Miami, laying out the challenges—and sometimes steep costs—of generating data that’s truly representative of the production environment rather than exclusively relying on a lab environment or emulation.
“It's a big challenge,” Gunter said on this episode of the Nexus Podcast. “Especially with OT, we're in a market where—especially with security companies—we've written detections, we're doing all this great analytic work. Maybe we've generated enough data to prove that it roughly works. But, oftentimes you need more data when you're working on detection.”
Collecting representative OT data is inherently challenging, Gunter said.
“How can folks get more representative data? Obviously, operational and live data is great, but you still often need to emulate that data or generate it out, whether you're testing MITRE ATT&CK techniques or really just testing out rules,” Gunter said.
Data emulation, meanwhile, is helpful to a point, especially with an off-the-shelf PLC or vendor-supplied software. But with complicated industrial processes, emulation is much more challenging because the process is a lot more complex than simple HMI-to-PLC communication.
Gunter shared an example during his talk at S4 using a Schneider Electric PLC running the Modbus protocol; function code 90 is primarily used by Schneider PLCs to define data fields as UMAS (Unified Messaging Application Services). It’s not enough to just identify function code 90 in traffic, Gunter said.
“If you don't parse below, if you don't generate data, you don't get to the stop-PLC, start-PLC command, or some of the other management behaviors: sending firmware, uploading logic,” he said. “All of that sits at that layer below. So again, from a detection perspective, if you're focused on improving your MITRE ATT&CK approach, that's when generating that data is key.”
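The point in Gunter's example is that a rule keyed only on Modbus function code 90 cannot separate a routine engineering query from a stop-PLC or start-PLC command, because those live in the UMAS layer underneath. The script below is an added illustration, not code from the article, Insane Cyber, or Schneider Electric: it generates a handful of constructed Modbus/TCP frames (routine holding-register reads plus UMAS exchanges), then runs a shallow function-code-only detector and a deeper detector that parses the UMAS sub-function byte, so the difference in alert output can be seen on synthetic data. The MBAP/PDU layout is standard Modbus/TCP; the placement of the session byte and sub-function byte inside the function-code-90 payload, and the sub-function table itself, are assumptions for illustration and should be checked against your own decoder before being turned into a production rule.

```python
"""Constructed Modbus/TCP + UMAS frames and two detection passes (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_FC_READ_HOLDING = 0x03
MODBUS_FC_UMAS = 0x5A  # function code 90 decimal, as named in the article

# ASSUMED illustrative UMAS sub-function table: (label, is_management_behaviour).
# Not taken from the article; verify values against your own protocol decoder.
UMAS_SUBFUNCTIONS = {
    0x02: ("read-id", False),
    0x20: ("read-memory-block", False),
    0x30: ("begin-logic-download", True),
    0x40: ("start-plc", True),
    0x41: ("stop-plc", True),
}


def build_modbus_tcp(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    length = 1 + len(pdu)  # length field counts the unit id byte plus the PDU
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + pdu


def build_read_holding(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Routine HMI-style poll: function code 3, start address, register count."""
    pdu = struct.pack(">BHH", MODBUS_FC_READ_HOLDING, start, count)
    return build_modbus_tcp(transaction_id, unit_id, pdu)


def build_umas(transaction_id: int, unit_id: int, session: int, subfunction: int,
               payload: bytes = b"") -> bytes:
    """ASSUMED layout: FC 0x5A, one session/pairing byte, one UMAS sub-function byte, payload."""
    pdu = bytes([MODBUS_FC_UMAS, session, subfunction]) + payload
    return build_modbus_tcp(transaction_id, unit_id, pdu)


@dataclass
class ModbusPdu:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusPdu]:
    """Parse one Modbus/TCP frame; return None on a malformed header or length mismatch."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return ModbusPdu(tid, unit, frame[7], frame[8:])


def detect_by_function_code(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Shallow rule: alert on every frame that carries function code 90."""
    alerts = []
    for frame in frames:
        pdu = parse_modbus_tcp(frame)
        if pdu and pdu.function_code == MODBUS_FC_UMAS:
            alerts.append((pdu.transaction_id, "modbus-fc90"))
    return alerts


def detect_umas_management(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Deeper rule: parse below function code 90 and alert only on management sub-functions."""
    alerts = []
    for frame in frames:
        pdu = parse_modbus_tcp(frame)
        if not pdu or pdu.function_code != MODBUS_FC_UMAS or len(pdu.data) < 2:
            continue
        subfn = pdu.data[1]  # assumed position of the UMAS sub-function byte
        label, is_management = UMAS_SUBFUNCTIONS.get(subfn, (f"umas-0x{subfn:02x}", False))
        if is_management:
            alerts.append((pdu.transaction_id, label))
    return alerts


# Constructed test traffic: routine polling plus a few UMAS exchanges.
SAMPLE_FRAMES = [
    build_read_holding(1, 1, 0, 10),
    build_read_holding(2, 1, 0, 10),
    build_umas(3, 1, 0x00, 0x02),               # read id: benign engineering query
    build_umas(4, 1, 0x00, 0x20, b"\x00\x00"),  # memory block read: also benign
    build_umas(5, 1, 0x01, 0x41),               # stop PLC: management behaviour
    build_umas(6, 1, 0x01, 0x40),               # start PLC: management behaviour
]

if __name__ == "__main__":
    print("FC-only alerts:   ", detect_by_function_code(SAMPLE_FRAMES))
    print("UMAS-parsed alerts:", detect_umas_management(SAMPLE_FRAMES))
```

Run as a script, the shallow pass fires on all four function-code-90 frames, including the two benign queries, while the parsed pass fires only on the stop and start commands. Feeding the same constructed frames through a commercial sensor is the kind of check the article describes: if the product reports only "function code 90", it is not reaching the layer where the management behaviours live.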
Gunter said that there’s a glaring gap when it comes to OT data generation, and a demand for such data to test products and other research.
“There's a big demand we see kind of for that data. There's nothing worse than buying a product and thinking it's going to detect, and then when you start to pull data and throw it through, this should detect and it's not,” Gunter said. “All kinds of vendor claims are tested best through that generated data.”
Gunter says he sees the relationship between OT security and operations within the enterprise as a positive as teams focus on ensuring reliability and availability of assets that keep processes up and running.
“What stands out to me is still the hunger and the desire to push toward that,” Gunter said, something that’s being supplemented by bringing operations folks such as engineers to the table for security discussions.
“What I like hearing is when the OT security teams or the IT security teams have built a great relationship with the ops side and the folks responsible there,” Gunter said. “Both stick out to me and it's also one where I'm excited as we step into new ways of doing detections.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.