3. Detect: Three Main Functions
Per the Framework:
● Detect Anomalies and Events (in a timely fashion)
● Continuous Monitoring (threats are always there)
● Maintain Processes and Procedures (exploits are always changing)
These need to be done at different levels:
● Different types of attacks and detection methods are needed at different levels
● Requires cross-functional Team approach
Defense in Depth
4. Detect: What to Detect?
Similarities with IT/OT Systems:
● Malware installed or being executed
● Multiple failed attempts to login
● Unusual traffic patterns or user activity
● Attempts to cross segmented network boundaries
Differences for OT Systems:
● Attacks use much less data
● Attacks use small commands to do big (and BAD) things
Need To Know The System Specifications and Requirements
5. Detect: Continuous Monitoring
Automated Tools:
● Keep everything up to date
● Ensure configuration is correct
● Use the right tool for the right job
Automanual Tools:
● Audit log inspection
● Verification of Process Results
Security Detection Also Helps to Verify Operations
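The checks named on the "What to Detect" and "Continuous Monitoring" slides can be run as plain log inspection. The script below is an added example, not material from the original slides: it parses a constructed batch of log lines and raises an alert for repeated failed logins, for a flow that crosses the IT/OT boundary, for a small OT command whose value falls outside the device's engineering envelope, and for a telemetry reading that does not match the last command issued from inside the OT zone (the "verification of process results" item). The log format, the subnet-to-segment map, the device name and the safe range are all assumptions made for the illustration.

```python
"""Added example (not from the original slides): detection logic over a
constructed batch of OT/IT log lines. Log format, segment map, device name,
safe range and thresholds are assumptions for the illustration."""
import re
from collections import Counter

# Constructed sample log lines (assumed format: "<ts> <event> key=value ...").
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth result=fail user=operator src=10.1.2.50
2024-05-01T08:00:04 auth result=fail user=operator src=10.1.2.50
2024-05-01T08:00:07 auth result=fail user=operator src=10.1.2.50
2024-05-01T08:00:09 auth result=fail user=operator src=10.1.2.50
2024-05-01T08:00:12 auth result=ok user=operator src=10.1.2.50
2024-05-01T08:01:00 flow src=10.1.2.50 dst=10.9.0.7 proto=modbus
2024-05-01T08:01:30 flow src=10.9.0.3 dst=10.9.0.7 proto=modbus
2024-05-01T08:02:00 cmd device=chiller-1 register=setpoint value=4.0 src=10.9.0.3
2024-05-01T08:02:05 cmd device=chiller-1 register=setpoint value=48.0 src=10.1.2.50
2024-05-01T08:05:00 telemetry device=chiller-1 register=setpoint value=48.0
"""

# Assumed segment map: which subnets belong to the IT and OT zones.
SEGMENTS = {"10.1.": "IT", "10.9.": "OT"}
# Assumed safe operating envelope per (device, register), from the system spec.
SAFE_RANGE = {("chiller-1", "setpoint"): (2.0, 12.0)}
FAILED_LOGIN_THRESHOLD = 3

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one log line into a dict of fields plus ts and event."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, event=event)
    return fields


def segment_of(ip):
    """Map an address to its network segment using the assumed prefix table."""
    for prefix, name in SEGMENTS.items():
        if ip.startswith(prefix):
            return name
    return "unknown"


def detect(log_text):
    """Return a list of (rule, detail) alerts for the given log text."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []

    # 1. Multiple failed login attempts (same check for IT and OT).
    fails = Counter((e["user"], e["src"]) for e in events
                    if e["event"] == "auth" and e["result"] == "fail")
    for (user, src), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_logins", f"{n} failures for {user} from {src}"))

    # 2. Traffic that crosses a segmented network boundary.
    for e in events:
        if e["event"] == "flow" and segment_of(e["src"]) != segment_of(e["dst"]):
            alerts.append(("cross_segment", f"{e['src']} -> {e['dst']} {e['proto']}"))

    # 3. OT-specific: a small command with a big effect. The packet is tiny, so
    #    the check is against the process specification, not the data volume.
    for e in events:
        if e["event"] == "cmd":
            key = (e["device"], e["register"])
            lo, hi = SAFE_RANGE.get(key, (float("-inf"), float("inf")))
            val = float(e["value"])
            if not lo <= val <= hi:
                alerts.append(("unsafe_command",
                               f"{key[0]} {key[1]}={val} outside [{lo}, {hi}] from {e['src']}"))

    # 4. Verification of process results: the value the device reports must
    #    match the last command that originated inside the OT zone.
    last_ot_cmd = {}
    for e in events:
        if e["event"] == "cmd" and segment_of(e["src"]) == "OT":
            last_ot_cmd[(e["device"], e["register"])] = float(e["value"])
    for e in events:
        if e["event"] == "telemetry":
            key = (e["device"], e["register"])
            expected = last_ot_cmd.get(key)
            if expected is not None and float(e["value"]) != expected:
                alerts.append(("process_mismatch",
                               f"{key[0]} {key[1]} reads {e['value']}, last OT command was {expected}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

On the constructed input the script raises four alerts, one per rule. The third and fourth rules are the ones that have no IT analogue: a single short setpoint write is the whole attack, so the detection has to come from knowing the system's specification (the safe range) and from comparing what the process actually reports against what an authorized controller last commanded.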
6. Detect: Maintaining Security
● On-Going Commissioning
● Additions & Changes to the System Require Security Reviews
● Continual Training
7. Detect: Questions
● Experience involving IT & OT together?
● Experience with other types of attacks/exploits?
● Experience with on-going commissioning or analytics?
● What logged items are helpful?
● Aware of Automated Tools?