In recent years, awareness of the need to secure industrial control systems (ICS) has greatly increased. Since around 2014, many companies have started implementing cyber security solutions to protect their ICS networks from potential cyber incidents. In most companies, however, the implementation of ICS security has been limited to critical and medium-sized assets, such as critical substations, desalination facilities and large-scale production lines. Small assets, such as low-impact electric power sites or unmanned small water pumping stations, are usually left unprotected because of scalability challenges, such as managing hundreds of sites and overloading the corporate network.

In this blog post, I will demonstrate two ways to secure small distributed assets (i.e. assets with less than 20 devices).

Securing ICS networks can be challenging in many respects: which technology to use (e.g. an industrial IDS, an industrial firewall or another control); defining the impact of damage to each asset; mapping the normal operational baseline; and understanding the side effects of each security measure.

As of today, for most operators, their small sites are “blind spots”—the operator has no way to know in real time which devices are operating on those small local networks, and no way to monitor the network traffic at each site. The first step in securing an unmanned remote site, then, is to be able to see what’s going on there. This requires learning the network and creating a network activity baseline. Once the baseline is defined, the operator is able to detect unfamiliar devices or sessions within the network. (A few months ago, I spoke with the security manager at one of Europe’s largest electricity suppliers, who told me that an open session to another country had been running without anyone’s knowledge.) Once the network is stabilized, the operator is able to monitor the network activity using smart tools for detecting network anomalies, and to manage maintenance tasks at remote assets.
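The baseline-then-detect step described above, as an added example that is not part of the original post. It learns which devices and which sessions (source, destination, port, protocol) exist at a small site during a period of known-normal operation, then flags any later flow involving a device not in the baseline, or a session between known devices that was never seen before. The flow records and the 10.20.1.0/24 addressing are constructed for illustration, not captured from a real site.

```python
"""Learn a network activity baseline for a small remote site and flag
unfamiliar devices and sessions against it.

Added illustrative example: the flow records below are constructed,
and the addressing scheme is an assumption, not a real site."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed learning-phase records: an HMI (10.20.1.10) polling two
# Modbus/TCP PLCs (.21, .22) and an engineering workstation (.30)
# syncing time with the site router (.1).
LEARNING_FLOWS = [
    Flow("10.20.1.10", "10.20.1.21", 502, "tcp"),
    Flow("10.20.1.10", "10.20.1.22", 502, "tcp"),
    Flow("10.20.1.10", "10.20.1.21", 502, "tcp"),  # repeat poll, same session
    Flow("10.20.1.30", "10.20.1.1", 123, "udp"),
]


def build_baseline(flows):
    """Return (known_devices, known_sessions).

    A session key is the whole Flow (src, dst, dport, proto); the baseline
    is the set of session keys observed while the site was known to be in
    normal operation."""
    devices = set()
    sessions = set()
    for f in flows:
        devices.update((f.src, f.dst))
        sessions.add(f)
    return devices, sessions


def check_flows(flows, devices, sessions):
    """Compare observed flows with the baseline.

    Returns a list of (reason, flow, new_hosts) alerts. A flow that brings a
    never-seen address into the site is reported as "unknown_device"; a new
    session between two already-known devices is "unknown_session"."""
    alerts = []
    for f in flows:
        new_hosts = sorted(h for h in (f.src, f.dst) if h not in devices)
        if new_hosts:
            alerts.append(("unknown_device", f, new_hosts))
        elif f not in sessions:
            alerts.append(("unknown_session", f, []))
    return alerts


# Constructed monitoring-phase records: a normal poll, an unknown laptop
# polling a PLC, a known PLC opening an outbound session to an address
# outside the site, and the workstation starting SSH to a PLC.
MONITORED_FLOWS = [
    Flow("10.20.1.10", "10.20.1.21", 502, "tcp"),
    Flow("10.20.1.99", "10.20.1.21", 502, "tcp"),
    Flow("10.20.1.22", "203.0.113.7", 443, "tcp"),
    Flow("10.20.1.30", "10.20.1.21", 22, "tcp"),
]


def demo():
    """Learn from LEARNING_FLOWS, then check MONITORED_FLOWS."""
    devices, sessions = build_baseline(LEARNING_FLOWS)
    return check_flows(MONITORED_FLOWS, devices, sessions)


if __name__ == "__main__":
    for reason, flow, hosts in demo():
        print(reason, flow, hosts)
```

The third monitored flow is the kind of finding the anecdote above describes: a device that belongs to the baseline opening a session to an address that does not. Whether that is an error or an intrusion is for the operator to decide, but without a baseline there is nothing to compare against and the session simply runs unnoticed.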

There are two options to monitor small remote assets: implement an Industrial IDS at each site, or implement an Industrial IDS at a central location, which analyzes the traffic sent from remote sites.

Since sending all network traffic from each remote site to a central IDS may heavily load or even overload the company’s network, the main advantage of implementing an industrial IDS at each site is that it avoids that load. This method, however, has two drawbacks: first, you need to manage a huge number of IDSs and their alerts; and second, the cost of each IDS may be prohibitive.

The good news is that the network load can be reduced in systems that use a centrally installed IDS. This is done with smart agents installed at each site. The agents compress each asset’s traffic by filtering out non-industrial traffic before sending it to the central IDS. Basically, the smart agents process the data locally and create optimized data streams for the anomaly detection of the industrial IDS. This architecture allows operators to analyze the traffic and manage the alerts from every site at a central IDS while avoiding network overloads, and at a much lower cost than installing an IDS at each site.
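The site-agent filtering described above, as an added example that is not part of the original post and not any vendor’s agent code. It keeps packets on the registered ports of common industrial protocols (Modbus/TCP 502, S7comm 102, DNP3 20000, EtherNet/IP 44818) for forwarding to the central IDS, and replaces everything else with a byte count per dropped service. The packet summaries are constructed; the `sport`/`dport`/`length` field names are an assumption of this example.

```python
"""Site agent that filters non-industrial traffic before forwarding it to a
central industrial IDS, while keeping a compact record of what was dropped.

Added illustrative example with constructed packet summaries; the port
numbers are the registered ports of the named industrial protocols."""
from collections import Counter

# Registered TCP ports of common industrial protocols.
INDUSTRIAL_PORTS = {
    102: "s7comm",
    502: "modbus_tcp",
    20000: "dnp3",
    44818: "ethernet_ip",
}

# Constructed packet summaries: Modbus request and response between an HMI
# and a PLC, an SSH session and SMB/HTTPS traffic from a workstation, and a
# DNP3 poll to a second controller.
CAPTURED = [
    {"src": "10.20.1.10", "dst": "10.20.1.21", "proto": "tcp", "sport": 50123, "dport": 502, "length": 66},
    {"src": "10.20.1.21", "dst": "10.20.1.10", "proto": "tcp", "sport": 502, "dport": 50123, "length": 77},
    {"src": "10.20.1.30", "dst": "10.20.1.21", "proto": "tcp", "sport": 50200, "dport": 22, "length": 120},
    {"src": "10.20.1.30", "dst": "10.20.1.40", "proto": "tcp", "sport": 50201, "dport": 445, "length": 1460},
    {"src": "10.20.1.30", "dst": "198.51.100.9", "proto": "tcp", "sport": 50202, "dport": 443, "length": 1460},
    {"src": "10.20.1.10", "dst": "10.20.1.23", "proto": "tcp", "sport": 50124, "dport": 20000, "length": 90},
]


def classify(pkt):
    """Return the industrial protocol name if either port is a known
    industrial port (responses carry it as the source port), else None."""
    for port in (pkt["sport"], pkt["dport"]):
        if port in INDUSTRIAL_PORTS:
            return INDUSTRIAL_PORTS[port]
    return None


def agent_filter(packets):
    """Split captured traffic into the packets forwarded to the central IDS
    and a summary of what was filtered out.

    The summary keeps bytes-per-(proto, dport) for dropped traffic so the
    central IDS still learns that, for example, an SSH or SMB session exists
    at the site, even though the packets themselves stay local."""
    forwarded = []
    dropped = Counter()
    bytes_in = bytes_out = 0
    for pkt in packets:
        bytes_in += pkt["length"]
        name = classify(pkt)
        if name:
            forwarded.append(dict(pkt, protocol=name))
            bytes_out += pkt["length"]
        else:
            dropped[(pkt["proto"], pkt["dport"])] += pkt["length"]
    summary = {
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "reduction": round(1 - bytes_out / bytes_in, 2) if bytes_in else 0.0,
        "dropped_bytes_by_service": dict(dropped),
    }
    return forwarded, summary


def run_agent():
    """Apply the filter to the constructed capture."""
    return agent_filter(CAPTURED)


if __name__ == "__main__":
    fwd, summ = run_agent()
    for p in fwd:
        print("forward", p["protocol"], p["src"], "->", p["dst"], p["length"])
    print("summary", summ)
```

Two design points matter here. First, matching on either port is needed because a controller’s reply to the HMI carries the industrial port as its source, not its destination. Second, the per-service byte counts for dropped traffic are what keep the filter from becoming a blind spot of its own: the SSH session to the PLC in the constructed capture is exactly the kind of event the central IDS should still hear about, so the agent reports its existence even though it does not forward the packets.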