Network Monitoring: Keeping an Eye on IIoT

Wednesday, July 27, 2016 @ 04:07 PM gHale


By Gregory Hale
Every industry has its price point for an unplanned shutdown where some may be in the thousands of dollars per hour to others being in the millions of dollars per hour.

Any kind of unplanned shutdown whether it is accidental or malicious is expensive, and add on top of that with an attack surface about to get that much larger with the adopting of the Industrial Internet of Things (IIoT), it means security professionals and the executive suite will need to get on the same page.

RELATED STORIES
Network Monitoring Partnership
Network Monitoring Tool Updated
HUG: Threats Hike, but there are Solutions
The Wireless Edge
ICS Components Still Connected to Internet

That is why one of the latest trends moving through the manufacturing automation sector right now is network monitoring.

The idea of increased network visibility only makes sense with more sensors bringing in more data and more connections coming from multiple locations. IIoT adoption is going to happen sooner or later because the benefits far outweigh the negatives. Manufacturers want the business to become more productive, easier to manage and more cost-effective to operate. In addition, IIoT will allow moving ancient legacy systems into a more modern era to take advantage of all things new technology and connectivity bring to the table.

The negative, though, means the manufacturer could be a cyber security sitting duck if they don’t see – and understand – what is coming at them.

“The OT side is babes in the woods with the network of things,” said Frank Williams, chief executive at Statseeker. “With all the different devices connected to the network and the network becoming connected to the enterprise, the network today is another piece of technology.”

Williams pointed out currently, numbers of sensors at typical process plants cluster around 40,000 sensors. IIoT will increase those numbers to something over 250,000 sensors per plant. Each of those sensors will produce near real-time data at an update rate of four times a minute, or 250 milliseconds per datum. That means each sensor will produce over 5,000 data points per day. That’s 1.44 billion data points per plant, per day. Each of those sensors needs to end up monitored and diagnostically checked for proper operation as part of the network.

Business Enabler
“We are starting to see what could happen if you connect your industrial environment to different areas on the Internet,” said Yoni Shohet, co-founder and chief executive at SCADAfence. “Take the example of the German nuclear plant in April, where they didn’t have a direct or constant connection to the outside world, they just connected once in a while, and still malware was able to penetrate into the control systems. There is definitely a need to monitor inside all industries.

“We talk to customers and they are surprised at what they have on their networks and they quickly understand they need to monitor their facilities worldwide because they don’t really know what is running on their networks. They don’t have any real time or up to date information on the assets running inside their network.”

Having that information at your fingertips can prove to be valuable as not only a way to prevent any kind of attack, but also providing data to analyze where it could act as an enabler of new activities, new technologies and new capabilities within the industrial environment.

“More companies are seeing cyber security as an enabler for new business opportunities and new technology capabilities in the industrial environment and not as a threat to the productivity of the production,” Shohet said. “Companies must understand that to truly adopt it or else they will not invest budget in a productivity solution.

IT-OT Working Together
Network monitoring has been thriving very well in the IT environment for years and it is now time the OT side can learn from their security brothers and sisters in IT.

“Manufacturers need to learn networking topology,” Williams said. “They can learn it from the IT folks.”

For a secure manufacturing enterprise in the IIoT environment, IT and OT will have to work together.

“We are seeing in general the trend of the IT-OT convergence; we are starting to see tools used in both environments in order to have some kind of a standard and similar platforms in order to integrate cyber security organization-wise and not technology-wise in the existing organizational processes. It is only natural,” Shohet said.

“I think the general, if the IT and OT teams are communicating properly, it could exist. If they are not communicating properly, they probably won’t be installing cyber security at all because the OT personnel are skeptical of it. The only way sometimes to install cyber security at all is to combine the expertise from the IT side and the expertise from the OT side in order to employ both the roles in securing industrial networks. The OT people provide their expertise in process and automation in the industrial environment. The IT people will provide their expertise cyber security and the networking and the infrastructure and the Ethernet infrastructure.”

Visibility is key when it comes to IIoT, but the monitoring tool at that point becomes much more.

“It is not even about network visibility at that point,” said Johnnie Konstantas, who heads Gigamon’s security solutions marketing and business development. “It is about intelligent traffic forwarding. Once you have sensors in the thousands and tens of thousands in an industrial controls environment you are looking at a deluge of data. It is one thing to be retrieving packets from the network that represents communications between large machines and other large machines. It is quite another thing to have sensors 24 x 7 sending you data and trying to understand whether you have someone who is riding on that communication with bad intent. In other words, if one of those sensors has become a lever for an attack. What do you do then? You have an enormous mismatch between the amount of traffic you have to sift through and what security instruments can handle and ingest in order to analyze.”

That is when a network monitoring tool can analyze traffic either on the IT side or the OT side and ensure the operator knows what is good and what could be suspect.

“Hackers don’t ask permission before they take control,” said Eric Knapp, chief cybersecurity engineer at Honeywell Process Solutions (HPS) at the 2016 Honeywell Users Group Americas conference in San Antonio, TX. “Cyber attacks happen all the time. We need to understand how attacks work to protect (users’) networks.”