How to Perform Non-Destructive OT Security Assessments with Digital Image-Based APT Breach Simulations

Cyber security threats on OT networks have become increasingly prevalent and dangerous by the day. The coinciding transition to Industry 4.0 and the digitization of industrial operations calls for a new approach to securing industrial networks.

To meet the challenge, Radiflow introduces CIARA OT-BAS, a digital image-based automatic APT breach and attack simulation. OT-BAS is a data-based, non-intrusive method of performing OT security assessments for assessing OT network threats and prioritizing their corresponding mitigation measures, toward optimizing and maximizing the user’s cyber-security ROI.

TI (Threat Intelligence)-based risk assessment

Industrial network risk is defined broadly as the probability/likelihood of a debilitating cyber-attack times the impact (financial or other) of the attack. Risk scoring is a useful method for decision makers to benchmark their network security vis-à-vis similar organizations, and to weigh different mitigation options.

[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]

Radiflow’s methodology of assessing OT risks and determining the most effective mitigation controllers is supported by hard data: threat intelligence for assessing attackers’ capabilities and tactics, knowledge of network & device vulnerabilities, and knowledge of the efficacy of installed mitigation controllers.

Using attack simulations to assess risk, and the inherent problem with different simulation methods

Various breach and attack simulation tools are used to assess the likelihood and effect of cyberattacks, including auto-pen tests, IT-BAS and VA Scanning, just to name a few. And while these methods differ in terms of their level of intrusiveness, i.e. the potential damage to the network as a result of the simulation itself.

Radiflow CIARA’s OT-BAS: Using the digital network as preferred simulation test-beds

Digital network images (twins) are self-learned network models that include devices & device properties, device-specific vulnerabilities, connections and ports, communication protocols and any other network characteristics. Radiflow’s iSID (iSID uses mirrored streams of all network data over a representative period to self-learn the network, and uses the resulting model for threat detection and alerting).

Digital network images are also deterministic: As the properties of industrial networks remain constant unless a change is made to the network, the digital image can be used as an accurate representation of the network for prolonged periods of time, enough for running a thorough breach simulation. This makes CIARA digital image-based BAS a preferable option to other simulation methods, as it poses no danger whatsoever to the network, while producing accurate results.

Digital image-based BAS also allows for flexibility to perform both unmitigated (i.e. not accounting for mitigation measures) and mitigated breach simulations, to test the effectiveness of mitigation controls.

Radiflow’s OT-BAS algorithm is embedded in the CIARA risk assessment and management platform. CIARA is fully IEC62443-compliant and is able to exceed the fundamental requirement of IEC 62443 with additional threat types not included in the standard, such as Supply Chain attacks.