
Tenable Blog


Best Practice Recommendations to Create the Best Operational Technology Rule Set

Tenable leverages industrial control systems (ICS) security expertise to secure your converged IT/OT environments.

While operational technology (OT) is not a new target, many experts say 2019 is the year of industrial cybersecurity. 

A confluence of factors has put OT networks online and made them more susceptible to cyberattacks. 

In fact, industrial control system (ICS) networks often lack the kinds of security controls that IT networks have used for more than two decades. Moreover, the "set it and forget it" mantra of OT networks leaves obsolete and unsupported Windows versions (and more) in place, making them far easier for attackers to exploit.

For example, attackers launched Shamoon, a weaponized virus, against specific oil and energy companies. It targeted an old Windows kernel flaw that IT networks had secured many months, if not years, before.

Many claim this attack was more destructive than the industry previously saw and directly impacted the ICS environment. 

Without addressing threats targeting the OT network, any manufacturing facility, industrial operation or critical infrastructure can be ground zero for a devastating attack.

OT attackers move through the same stages they use in IT environments, including reconnaissance, mapping, weaponization, installation and execution.

In many cases, the first two stages may occur over a period longer than the attack itself. This is typical because it takes time to find a vulnerability to exploit and attackers are careful not to trigger alarms by engaging in heavy probing.

Rule set curation

The ICS threat landscape may include scans and port knocking on the reconnaissance side and denial of service, malware, ransomware and special ICS targeting on the attack side. 

When tasked with creating rule sets optimized for ICS environments, security experts must consider some key areas. They must balance quality rules that catch probing and reconnaissance, even when it is spread over extended periods of time, against the need to avoid generating false positives or false negatives.

Building these types of rule sets requires vast knowledge and expertise, both on the security and OT infrastructure side, so you can alert on relevant threats to your network. 

Rules are created and collected from many sources. They are tested and implemented into ICS security products and solutions to provide necessary protection for the new security realities that exist in OT environments today. 

To ensure the network is protected from new developments and campaigns that are constantly evolving, you must keep rules updated. Each environment is different, so part of the art is fine-tuning rule sets for each specific environment to find every attempted attack while still conducting business as usual.

Tenable’s unique ICS rule set

To create and deploy these sophisticated rule sets, Tenable leverages the power of the community, combined with ICS security expertise. Through our threat detection engine, we provide customers with a unique ICS rule set to protect them from the ever-growing threats. We update this rule set frequently to keep up-to-date with new threats as they emerge and evolve.

Using rules groups

Below are four primary rules groups worth exploring: 

  1. Malware and ransomware: Over the years, attackers have hit ICS environments with many variants of malware and ransomware. They use these methods to collect data, wipe out files, execute additional attack stages and continue to propagate to other devices and assets. This rules group alerts on a wide range of command-and-control (CnC) communications, suspicious domain name system (DNS) requests, indicators of compromise, propagation of malware, file encryption requests and file lockdowns. Examples of threats detected by this rule set include: Locky, Cerber, Delf, VPNFilter, Gh0st and Emotet, among many others.
  2. Exploits and attacks: Detecting attacks and exploits is challenging. The attacks and exploits rules group emphasizes unique properties of attacks aimed at ICS environments, including known exploits, suspicious SSL certificates, malicious traffic to and from servers, corrupt payloads, phishing attacks and more. Detection should address the widest range of attacks, including but not limited to: Heartbleed, EternalBlue, EternalRomance, Spectre, reverse shell attacks and Metasploit-based attacks, among others.
  3. ICS attacks: ICS attacks are unique in the equipment they attack, how they propagate and the complexity of their detection. This unique and curated rules group detects ICS-specific attacks using multiple sensors and indicators of compromise to detect attacks as early as possible — including Stuxnet, BlackEnergy, Shamoon, Havex, Industroyer, as well as potentially dangerous traffic in the ICS environment, based on attack groups that operate and attack ICS environments.
  4. Scans and denial of service: This rules group detects hundreds of different types of network scans that can indicate pre-attack reconnaissance. A wide range of tools can generate these scans and then collect data from different devices to lay the foundation for the next stage of an attack. This rules group also protects from Denial of Service (DoS) attacks. Such attacks can have a massive effect on your network and your operational processes, including downtime and loss of production. These include the detection of NMAP scans, operating systems probing, RDP and VNC scans and a large range of denial of service and buffer overflow traffic and behavior.
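As an added illustration of the balance described above (catching slow reconnaissance that is spread over hours without flooding operators with false positives), the sketch below flags a source that touches many distinct target ports within a long sliding window while suppressing an allowlisted, authorised asset-discovery scanner. This is example code, not part of Tenable's rule set; every host, port and timestamp is constructed.

```python
from collections import defaultdict

WINDOW = 6 * 3600   # six-hour sliding window: long enough to catch slow, low-rate probing
THRESHOLD = 8       # distinct (host, port) targets from one source before alerting
ALLOWLIST = {"10.0.0.2"}  # constructed: authorised discovery scanner, suppressed to avoid false positives


def build_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port, timestamp_seconds)."""
    flows = []
    # Benign: an HMI polls the same PLC Modbus port every 30 s for six hours (many flows, one target).
    for i in range(720):
        flows.append(("10.0.0.5", "10.0.1.10", 502, 30 * i))
    # Authorised scanner sweeps 20 ports quickly; it is allowlisted so it must not alert.
    for p in range(20):
        flows.append(("10.0.0.2", "10.0.1.10", 1 + p, 100 + p))
    # Slow probe: one new ICS-relevant port on the PLC every 20 minutes (10 ports over ~3 hours).
    for i, port in enumerate([21, 22, 23, 80, 102, 443, 502, 1911, 4840, 44818]):
        flows.append(("10.0.0.99", "10.0.1.10", port, 1200 * i))
    return flows


def detect_slow_scans(flows, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Alert once per source that reaches >= threshold distinct targets inside the window."""
    history = defaultdict(list)  # src -> [(timestamp, (dst, port)), ...] within the window
    alerted, alerts = set(), []
    for src, dst, port, ts in sorted(flows, key=lambda f: f[3]):
        if src in allowlist:
            continue
        events = history[src]
        events.append((ts, (dst, port)))
        while events and ts - events[0][0] > window:   # expire events older than the window
            events.pop(0)
        distinct = {target for _, target in events}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "distinct_targets": len(distinct),
                           "first_seen": events[0][0], "last_seen": ts})
    return alerts


FLOWS = build_flows()

if __name__ == "__main__":
    for alert in detect_slow_scans(FLOWS):
        print("possible reconnaissance:", alert)
```

Shrinking the window to under an hour makes the same probe invisible, which is the trade-off the text describes: rules tuned only for fast scans miss patient attackers.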

Integrating these capabilities and rules into your security program can take threat detection to the next level by widening the range of threats you can detect and delivering near real-time updates that protect your organization from ongoing attacks.

With the range of threats growing and evolving so quickly, it is essential that ICS security vendors contribute to and leverage the power of the security community. More eyes catch more threats, and that rising tide of protection lifts every participating industrial organization against industrial cybersecurity threats.
