What is threat hunting?
Threat hunting refers to the processes and methodologies used to proactively identify threats in your network. Threat hunters search for signs of a breach or compromise (indicators of compromise) that point to the presence of a threat.
In the case of industrial control systems (ICS) and operational technology (OT), hackers can deploy multiple techniques to hide their tracks and footprints and cross the digital divide between various systems to launch sophisticated attacks against ICS. While threat hunting in traditional systems is well established and follows a predictable path, in the case of ICS there are many challenges to overcome to make threat hunting more effective.
While MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework has been commonly used to identify tactics, techniques, and procedures (TTP) used by a hacker, the use of this framework for detecting threats related to ICS has not been a smooth affair. This is primarily due to the diverging nature of OT networks and controls, as well as the lack of the visibility that IT network managers take for granted.
Further, traditional threat hunting practices are designed for IT, and they cannot be extrapolated to cover OT and ICS without missing sophisticated actors and threats that may just sneak in.
ICS threat hunting challenges
In ICS, threat hunting should necessarily consider unique assets, logging facilities, devices, embedded firmware, and control systems that communicate using traditional protocols. Further, a cyber adversary in an ICS environment would use a range of varied tactics (significantly different from those of an adversary targeting IT) for targeting ICS and OT. These include tactics to degrade defenses, further network persistence, manipulate controls, and damage assets.
- ICS threat hunting can turn into a complicated exercise due to a lack of information at various levels (inventory, patch status, operational dynamics, etc.).
The primary security layer when it comes to ICS threat hunting should cover anti-breach solutions (across network and endpoints), network-level security, tamper detection, and port analysis. The secondary layer is where the ICS focus comes in. Programmable Logic Controllers (PLCs) or Remote Terminal Units (RTUs) and other control and coordination instruments and gear should receive specific attention, as these could bear the brunt of a cyberattack.
Data collected from these sources should be used to devise a comprehensive threat hunting policy and execution game plan. A cybersecurity posture can be called robust when the infrastructure is protected by a dynamic mechanism that responds to threats as they emerge. This includes active and passive defenses, an inventory of ICS assets, patch logs, real-time security monitoring, event logging, and cross-facility coverage.
- Critical facilities and infrastructure (especially in manufacturing, oil and gas, and utility plants) linked to health and safety systems should get additional attention, as their failure could turn into a catastrophic event.
ICS threat hunters should have extensive knowledge of all OT systems, protocols, and security practices. Over the years, different facilities within the same organization separated by geography could have evolved different practices to secure their premises. Threat hunting should consider such variations and constantly evolve to cover new and dynamic threats.
- OT and ICS protocol coverage for threat hunting is a non-negotiable requirement.
Finally, ICS threat hunting needs to constantly evolve in line with the changing OT threat landscape in cyberspace. Episodes like the attacks on the Ukrainian power grid and on water treatment plants in Florida and San Francisco have clearly shown that hackers are aware of the gaps in OT and ICS cybersecurity and will stop at nothing to exploit these gaps.