This paper presents a modern challenge in defending an industrial system: using situational awareness to detect whether an attack is under way against the environment and to understand it.
Manufacturers have had to deal with sabotage since the dawn of the industrial revolution, and now with the realities of the modern-day work environment as well. A changing cast of threats, technologies, and human factors compounds the forensics problem. Discovering and unwinding a potential incident can take weeks, if not months, of deep inspection by threat-hunting experts and plant engineers.
One solution is to wait until vendors’ product lines provide data sources that support forensic reconstruction. This is beginning to occur now; for example, audit logs are increasingly included in embedded devices such as PLCs where they did not exist before. Unfortunately, industrial environments have a life cycle of 15 or 30 years, so the benefits won’t be apparent for years or decades. Traditional security technologies such as firewalls, remote access solutions and managed environments, such as Microsoft Active Directory, are also becoming more widely accepted as good practices integrated by asset owners and vendors. This technology is essential and necessary, but it is not sufficient to tell the entire story of an attack: its impact on operations.
Another answer, addressed here, is to find novel data sources from which to evaluate and develop forensic timelines. There is a common phrase in cybersecurity for how an attacker operates: “living off the land.” It describes the practice of relying on the native functionality of the operating systems and software already present in a victim environment, rather than bringing tools along. Living off the land gives the attacker the advantage of not raising alarms or suspicions, because the hosts are used rather than abused. This evasion is vital if the attacker will be accessing the environment for weeks or months. Secondly, using the native functionality of a system such as Linux or Microsoft Windows is a transferable skill set: it applies to many, if not all, potential victim environments and is more approachable than a custom malicious software implant, which requires investment and can be mitigated across the world as soon as researchers or the security community identify it.
Defenders can also live off the land, with similar benefits. It lowers the investment required to be able to detect and repel an attack, while lowering the training threshold for the technology. For industrial environments, living off the land can tell a more accurate and complete story from the host, network, device and process perspectives, all by using the capabilities the industrial environment already has rather than extending them.
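As an added example that is not part of the paper, the Python below merges constructed records from the four vantage points named above (a Windows logon event, a firewall log, a PLC audit log entry and a historian sample) into one forensic timeline and flags a PLC program download that follows a remote logon. The log formats, field names, hosts and values are all assumed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, one per native data source; none are real.
WINDOWS_EVENTS = [  # host: Security log on an engineering workstation
    "2023-05-01T02:14:03Z EventID=4624 LogonType=10 User=eng-ws\\svc_hmi Source=10.0.5.20",
]
FIREWALL_LOGS = [  # network: plant DMZ firewall
    "2023-05-01T02:13:50Z ALLOW 10.0.5.20:51234 -> 10.0.10.15:3389 TCP",
]
PLC_AUDIT = [  # device: audit log from the controller itself
    "2023-05-01T02:21:40Z PLC-7 user=svc_hmi action=PROGRAM_DOWNLOAD result=OK",
]
HISTORIAN = [  # process: setpoint change recorded by the historian
    "2023-05-01T02:22:05Z tag=TANK1_LEVEL_SP value=95.0 prev=70.0",
]


def parse_iso(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamp every sample line starts with."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, lines):
    """Turn raw lines into (timestamp, source, text) tuples so sources can be merged."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        events.append((parse_iso(ts), source, rest))
    return events


def build_timeline():
    """Merge all four perspectives into one chronologically ordered timeline."""
    events = (normalize("host", WINDOWS_EVENTS) + normalize("network", FIREWALL_LOGS)
              + normalize("device", PLC_AUDIT) + normalize("process", HISTORIAN))
    return sorted(events)


def flag_download_after_remote_logon(timeline, window=timedelta(minutes=15)):
    """Return PLC program downloads that occur within `window` after a remote
    interactive logon (LogonType=10); an engineer then judges whether it was authorized."""
    logons = [t for t, src, txt in timeline if src == "host" and "LogonType=10" in txt]
    findings = []
    for t, src, txt in timeline:
        if src == "device" and "PROGRAM_DOWNLOAD" in txt:
            if any(lt <= t <= lt + window for lt in logons):
                findings.append((t, txt))
    return findings
```

The timeline alone already shows the sequence firewall allow, workstation logon, controller download, setpoint change, which is the operational impact the paper argues traditional tooling leaves untold.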