Nicolas Coppik, Marco Gärtler, Benedikt Schmidt, Sylvia Maczey, Abdallah Dawoud, Ragnar Schierholz ABB Corporate Research Ladenburg, Germany,
nicolas.coppik@de.abb.com, marco.gaertler@de.abb.com, benedikt.schmidt@de.abb.com,
sylvia.maczey@de.abb.com, abdallah.dawoud@de.abb.com, ragnar.schierholz@de.abb.com
Industrial systems are becoming increasingly connected. This connectivity offers many benefits, such as improved productivity and flexibility, but also increases the attack surface available to malicious actors, giving them more opportunities to exploit flaws and vulnerabilities. At the same time, convergence of OT and IT networks is driving an increase in the complexity of industrial setups, devices and protocols. If these sophisticated, interconnected systems are not secured, they become prime targets for cyber attackers →01. Indeed, in 2021, manufacturing became the most attacked sector amid a growing number of intrusions into OT-connected industries in general [1].
The impact of cyber incursions may include unwelcome disclosure of confidential information, extended production downtime, financial impairment or loss of property or even life. Affected organizations incur additional costs for remediation as well as reputational damage. Moreover, many organizations must meet certain cyber security requirements for regulatory or standards compliance and may be obligated to report any breaches and suffer associated penalties.
To respond to these risks and ensure compliance, proactive cyber security solutions that can monitor and detect threats to complex industrial setups are required. One prominent method used to counter cyber threats is security information and event management (SIEM).
Introduction to SIEM
The term SIEM was introduced by Mark Nicolett and Amrit Williams of Gartner in 2005 [2]. SIEM combines two concepts: Security information management (SIM), which involves the collation of security information at a central location for further analysis, and security event management (SEM), which is the real-time evaluation of event data.
The central idea of SIEM is the monitoring and evaluation of event data from various sources such as applications, network components, servers, or any other event-logging entities to discover patterns of potential security-related irregularities. The results of the monitoring and evaluation process can either be reported on alert-enabled dashboards or directly funneled into a security orchestration automation and response (SOAR) system to trigger automated responses to a threat.
SIEM tools collect event data at a central location and apply security rules to it. The evaluation happens in real time: the rules are applied continuously to find individual events as well as aggregations and correlations of events within given time windows (for example, a number of failed logins from one address within a minute). SIEM tools can be deployed on-premises or consumed as cloud services.
SIEM rules are configurable – for instance, concerning parameters that are specific to the automation system they are applied to, such as user accounts, individual IP addresses or allow-listed external domains to which the system may connect. Safety-critical tags (control-system data points whose manipulation could affect safe operation) are further parameters that contextualize the rules and are specific to each instance of the control system; changes to such tags can be monitored by SIEM tools.
Each commercial SIEM product has its own rule specification, which impedes rule interoperability across vendors. An open-source initiative, Sigma, tries to overcome this barrier by defining a generic, vendor-neutral rule format (YAML files with a logsource section and a detection section of named selections combined by a condition) and offering conversion tools (pySigma and its sigma-cli front end, successors of the original sigmac) that translate generic rules into the query language of different target SIEM products.
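The following is an added example, not code from the ABB article or from the Sigma project: a minimal rule engine in the spirit of the SIEM evaluation described above. It evaluates one single-event rule written as a Python dict that mirrors the structure of a Sigma detection block (named selections with field modifiers, combined by a condition, with a plant-specific allow list of engineering-station addresses), and one time-window aggregation rule of the kind used to correlate events within a given time frame. The event fields, hosts, IP addresses, tag names and thresholds are assumptions, and the sample event stream is constructed; nothing here is parsed from real YAML or real plant logs.

```python
"""Added example, not code from the ABB article: a minimal SIEM-style rule
engine that (a) evaluates a single-event rule written in the structure of a
Sigma rule and (b) applies a time-window aggregation rule, both over a
constructed OT event sample. All names, addresses and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real plant data); "ts" is UTC, ISO 8601.
EVENTS = [
    {"ts": "2023-03-14T08:00:01", "event": "tag_write", "tag": "SIS_TRIP_SP",
     "src_ip": "10.10.1.5", "user": "eng_alice"},   # allow-listed engineering station
    {"ts": "2023-03-14T08:00:07", "event": "auth_failure", "src_ip": "10.10.9.77"},
    {"ts": "2023-03-14T08:00:19", "event": "auth_failure", "src_ip": "10.10.9.77"},
    {"ts": "2023-03-14T08:00:31", "event": "auth_failure", "src_ip": "10.10.9.77"},
    {"ts": "2023-03-14T08:00:40", "event": "tag_write", "tag": "SIS_TRIP_SP",
     "src_ip": "10.10.9.77", "user": "admin"},      # not an engineering station
    {"ts": "2023-03-14T08:03:00", "event": "tag_write", "tag": "FIC101_SP",
     "src_ip": "10.10.9.77", "user": "admin"},      # not a safety-critical tag
]

# Sigma-style rule as the Python equivalent of the YAML `detection` block;
# the `filter` selection carries the plant-specific allow list.
CRITICAL_TAG_WRITE = {
    "title": "Write to safety-critical tag from non-engineering host",
    "detection": {
        "selection": {"event": "tag_write", "tag|startswith": "SIS_"},
        "filter": {"src_ip": ["10.10.1.5", "10.10.1.6"]},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Subset of Sigma value modifiers; an unknown modifier raises KeyError on purpose.
MODIFIERS = {"": lambda a, v: a == v, "contains": lambda a, v: v in a,
             "startswith": lambda a, v: a.startswith(v), "endswith": lambda a, v: a.endswith(v)}

def _field_matches(event, key, expected):
    """One `field|modifier: value` entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(MODIFIERS[modifier](str(event[field]), str(v)) for v in values)

def _selection_matches(event, selection):
    """All entries of one selection map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def _eval_condition(tokens, names):
    """Recursive-descent evaluator for `a and not b or (c)` style conditions."""
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            take()                   # closing parenthesis
            return val
        return names[tok]            # KeyError: condition names an unknown selection
    def term():
        val = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            val = factor() and val   # always consume the operand, then combine
        return val
    def expr():
        val = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            val = term() or val
        return val
    return expr()

def match_rule(event, rule):
    """True when the event satisfies the rule's condition over its selections."""
    det = rule["detection"]
    names = {n: _selection_matches(event, s) for n, s in det.items() if n != "condition"}
    tokens = det["condition"].replace("(", " ( ").replace(")", " ) ").split()
    return _eval_condition(tokens, names)

def run_window_rule(events, event_type, key, threshold, window_s):
    """Alert when >= threshold events of event_type share `key` within window_s seconds."""
    recent, alerts = defaultdict(deque), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != event_type:
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e[key]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):   # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e[key], q[0].isoformat(), ts.isoformat(), len(q)))
            q.clear()                                     # fire once per burst
    return alerts

if __name__ == "__main__":
    for hit in (e for e in EVENTS if match_rule(e, CRITICAL_TAG_WRITE)):
        print(f"[{CRITICAL_TAG_WRITE['level']}] {CRITICAL_TAG_WRITE['title']}: {hit}")
    for src, first, last, n in run_window_rule(EVENTS, "auth_failure", "src_ip", 3, 60):
        print(f"[medium] {n} authentication failures from {src} between {first} and {last}")
```

Run as written, the single-event rule fires once (the write to SIS_TRIP_SP from 10.10.9.77) and the window rule fires once (three failed logins from 10.10.9.77 within 24 seconds). The write from the allow-listed station and the write to the non-safety tag FIC101_SP are deliberately left silent: the allow list and the tag prefix are exactly the plant-specific parameters the text says must be configured per installation, and a real deployment would load them from the asset inventory rather than hard-code them.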
Challenges for SIEM adoption
The benefits of digitalization are driving businesses to rethink OT and IT strategies, enabling previously disconnected systems to connect to enterprise networks and cloud services. Here, SIEM is essential to ensure that security is maintained by detecting malicious activity. Adoption of SIEM in OT environments is, however, still uncommon. One challenge is that lessons learned from classic IT monitoring often do not transfer to OT. Moreover, each OT network is individual and passes through unique operating states that must not be interpreted as attacks. This results in a trade-off between the generality of SIEM rule sets, which favors maintainability, and their customization to the plant, which makes them practical.
A further complicating factor is that the OT umbrella also covers (resource-constrained) embedded devices that do not have monitoring capabilities.
Another obstacle to applying SIEM technology in the OT domain is the potentially high rate of false alarms: OT systems undergo frequent changes in production setups and show recurring, legitimate operator interventions. Maintenance and safety-oriented operator interventions may also look much like attacks (a setpoint change, a mode switch or a firmware update can be either). This complicates general monitoring rules that separate benign from malicious activity; judging such situations is time-consuming and requires both plant familiarity and security knowledge.
Further drivers for employing SIEM
The demand for better cyber security in industrial contexts has increased in the past few years and continues to do so. As well as the negative impacts of a cyber breach mentioned above, demand is also fueled by another significant consideration: emerging standards and laws. These include:
• The German Act on the Federal Office for Information Security (BSI-Gesetz, BSIG). In its current form, the BSIG obliges operators of critical infrastructure, from May 2023, to use attack-detection systems that continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations.
• The IEC 62443 set of security standards, which requires a business entity to have the ability to identify failed and successful cyber security attacks or breaches and the capacity to identify and respond to incidents. A further requirement is the capability to centrally manage a system-wide audit trail and make it available to an analysis instrument such as a SIEM tool.
• The ISO 27001:2013 and ISO 27019:2017 standards, which stipulate the necessity of event logging and assessments of events as well as the extent of the capability to respond to cyber incidents.
ABB’s approach to cyber security
Care and collaboration are part of ABB’s core values, which means ABB helps customers build and maintain safe and secure operations and supports them in meeting best practices and adhering to regulations. ABB also partners with established SIEM tool vendors to supply and build upon market-accepted solutions and ecosystems.
Cyber security at ABB is composed of four connected pillars: cyber security solutions, the services associated with these solutions, cyber security consulting and, underpinning all three, intelligence – i.e., ABB's unique expertise as a market leader in automation technology →02. Bringing cyber security to the customer follows these steps:
• Assessment of the cyber security situation.
• Planning the activities, tools and services needed.
• Implementation of tools and services, including activities such as system hardening, implementation of a security architecture and security training.
• Maintenance – for example, software patches or updates. Here, the ABB Ability™ Cyber Security Workplace™ can ensure that patches against known exploits are installed as soon as they become available. The operator is informed about update progress and told which systems are missing updates [3].
• Ongoing threat monitoring, detection and response.
→03 shows ABB’s risk reduction roadmap. In this process, ABB builds especially on its knowledge of control systems and their deterministic nature. By using the information in the control system, ABB can tailor cyber security to the specific needs of particular industrial facilities.
Ongoing research
Current cyber security offerings are comprehensive and follow established good practices. Nevertheless, there are still open questions and problems to be solved in this field. Two such aspects are actively studied at ABB.
Firstly, there is context and event annotation. As described above, the state of the OT environment can be very “colorful” due to factors such as on-demand adjustments to schedules, interventions by operators to return to the steady state, or maintenance activities. Judging cases without this context can be difficult and time-consuming. Adding annotations to events to contextualize them can simplify handling and facilitate automation that accommodates SIEM rule adjustment.
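As an added example, not code from the ABB article and not ABB's annotation mechanism, the following shows one way to attach operational context to events before a rule scores them, addressing the false-alarm problem described under "Challenges for SIEM adoption" and the context annotation discussed here. It assumes a planned-maintenance schedule with per-work-order authorized users, a controller that reports its own mode changes, and a scoring policy in which context lowers the severity of an expected change but never suppresses the event; the schedule, the mode names, the event fields and the policy are all constructed for illustration.

```python
"""Added example, not code from the ABB article: annotating SIEM events with
operational context (planned maintenance windows and the controller mode in
force at the time) before a rule decides how to score them. The schedule,
modes, event fields and the scoring policy are assumptions for illustration."""

# Constructed maintenance schedule: (start, end, work order, users authorized for it).
# Timestamps are ISO 8601 UTC strings of equal format, so they compare lexically.
MAINTENANCE_WINDOWS = [
    ("2023-03-14T09:00:00", "2023-03-14T11:00:00", "WO-4711", {"tech_bob"}),
]

# Constructed event stream; mode_change events are reported by the controller itself.
EVENTS = [
    {"ts": "2023-03-14T08:30:00", "event": "tag_write", "tag": "SIS_TRIP_SP", "user": "tech_bob"},
    {"ts": "2023-03-14T09:05:00", "event": "mode_change", "mode": "maintenance", "user": "op_carol"},
    {"ts": "2023-03-14T09:10:00", "event": "tag_write", "tag": "SIS_TRIP_SP", "user": "tech_bob"},
    {"ts": "2023-03-14T09:20:00", "event": "tag_write", "tag": "SIS_TRIP_SP", "user": "svc_backup"},
    {"ts": "2023-03-14T10:50:00", "event": "mode_change", "mode": "run", "user": "op_carol"},
    {"ts": "2023-03-14T10:55:00", "event": "tag_write", "tag": "SIS_TRIP_SP", "user": "tech_bob"},
    {"ts": "2023-03-14T12:00:00", "event": "tag_write", "tag": "SIS_TRIP_SP", "user": "tech_bob"},
]

def annotate(events, windows):
    """Attach a `context` dict to every event: the maintenance window active at
    that time (if any), whether the acting user is authorized for it, and the
    controller mode derived from the mode_change events seen so far."""
    mode = "run"                      # assumed state before the first mode_change
    annotated = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mode_change":
            mode = e["mode"]
        win = next((w for w in windows if w[0] <= e["ts"] < w[1]), None)
        context = {"mode": mode,
                   "work_order": win[2] if win else None,
                   "authorized": bool(win and e.get("user") in win[3])}
        annotated.append({**e, "context": context})
    return annotated

def score_safety_tag_write(e):
    """Return (severity, reason) for a safety-tag write, or None for other events.
    Context changes the score but never suppresses the event: a planned,
    authorized change in maintenance mode is logged as info; everything else
    stays visible to the analyst at medium or high."""
    if e["event"] != "tag_write" or not e["tag"].startswith("SIS_"):
        return None
    ctx = e["context"]
    if ctx["work_order"] is None:
        return ("high", "safety tag changed outside any maintenance window")
    if not ctx["authorized"]:
        return ("high", f"user not authorized for {ctx['work_order']}")
    if ctx["mode"] != "maintenance":
        return ("medium", f"within {ctx['work_order']} but controller in {ctx['mode']} mode")
    return ("info", f"planned change under {ctx['work_order']}")

def triage(events, windows):
    """Annotate, then score; returns (ts, user, severity, reason) per safety-tag write."""
    results = []
    for e in annotate(events, windows):
        scored = score_safety_tag_write(e)
        if scored:
            results.append((e["ts"], e["user"], *scored))
    return results

if __name__ == "__main__":
    for ts, user, severity, reason in triage(EVENTS, MAINTENANCE_WINDOWS):
        print(f"{ts} {user:<11} [{severity}] {reason}")
```

Of the five safety-tag writes in the sample, only the one made by the authorized technician while the controller is actually in maintenance mode is downgraded to info; the write by an unauthorized service account inside the window and the writes outside the window stay high, and the write after the controller has returned to run mode, though still inside the window, is flagged at medium. The point of the design is that the annotation adds information for the analyst and for rule adjustment rather than filtering events away, since a maintenance window is also the moment an attacker would choose to hide a change.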
Secondly, devices, down to the smallest sensors, in converging OT/IT networks are becoming more complex and more capable. In the future, it will be important to monitor these devices for security-relevant information and integrate them into a SIEM tool, just like any other asset. This evolution brings several challenges as these devices are usually heavily resource-constrained and embedded and, as is commonly the case with existing devices, not designed to support monitoring functionality. ABB is investigating ways to integrate this type of device into SIEM structures. One potential approach is to deploy monitoring agents directly on the device itself and securely transmit the information they gather to a SIEM tool based on standard protocols, where possible, to ensure interoperability with existing security infrastructure. For legacy devices and heterogeneous environments, ABB is investigating ways to monitor and extract security-relevant information external to the devices, avoiding the need to modify them or the software or protocols they use.
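To make the "standard protocols" point concrete, here is an added example that is not code from the ABB article and not ABB's agent: a device-side agent encodes security events as RFC 5424 syslog messages with structured data, and a collector-side parser turns them back into SIEM-ready fields. RFC 5424 is assumed as the protocol because nearly every SIEM ingests it; the hostname, the SD-ID (using 32473, the private enterprise number reserved for examples), the parameter names and the sample values are constructed. Transport protection (TLS as in RFC 5425) and the agent's actual event collection on the device are outside the snippet.

```python
"""Added example, not code from the ABB article: a device-side agent encoding
security events as RFC 5424 syslog messages with structured data, and the
collector-side parser that turns them back into SIEM-ready fields. Hostname,
SD-ID, parameter names and sample values are constructed for illustration."""
import re

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_LOCAL0 = 16
SD_ID = "secevt@32473"   # 32473 is the private enterprise number reserved for examples

def _sd_escape(value):
    """RFC 5424 section 6.3.3: '"', backslash and ']' must be escaped in PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def format_syslog(hostname, app, msgid, severity, timestamp, params, msg=""):
    """Agent side: build one RFC 5424 message (PROCID is sent as the nil value '-')."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    sd = "[" + SD_ID + "".join(f' {k}="{_sd_escape(v)}"' for k, v in params.items()) + "]"
    line = f"<{pri}>1 {timestamp} {hostname} {app} - {msgid} {sd}"
    return f"{line} {msg}" if msg else line

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                       r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r"\[((?:[^\]\\]|\\.)*)\]")        # '[' ... first unescaped ']'
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')         # name="value with \" escapes"

def parse_syslog(line):
    """Collector side: parse the header, every SD-ELEMENT and the free-text MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    rest, pos, sd = m.group("rest"), 0, {}
    while (elem := SD_ELEMENT_RE.match(rest, pos)):
        sd_id, _, body = elem.group(1).partition(" ")
        sd[sd_id] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM_RE.findall(body)}
        pos = elem.end()
    if pos == 0:                        # no SD-ELEMENT: STRUCTURED-DATA must be '-'
        if not rest.startswith("-"):
            raise ValueError("malformed STRUCTURED-DATA")
        pos = 1
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "msgid": m.group("msgid"),
            "sd": sd, "msg": rest[pos:].lstrip(" ")}

def to_siem_event(parsed):
    """Flatten for ingestion: header fields plus the security SD params, with a
    source_device marker so OT rules can tell agent data from network-derived data."""
    event = {"timestamp": parsed["timestamp"], "host": parsed["host"],
             "severity": parsed["severity"], "event": parsed["msgid"].lower(),
             "source_device": True}
    event.update(parsed["sd"].get(SD_ID, {}))
    return event

if __name__ == "__main__":
    # Constructed sample of what a resource-constrained device agent would emit.
    wire = format_syslog("rtu-07", "secagent", "TAGWRITE", "warning", "2023-03-14T08:00:40Z",
                         {"tag": "SIS_TRIP_SP", "src": "10.10.9.77", "user": "admin",
                          "reason": 'value "12.5" written via [eng] session'})
    print(wire)
    print(to_siem_event(parse_syslog(wire)))
```

Structured data is the part worth getting right: field names survive the trip intact instead of having to be regex-extracted from free text on the collector, and the escaping rules for quotes, backslashes and closing brackets are what keep a crafted parameter value from terminating the element early. On a device with no room for an agent at all, the same message format can be produced by an external probe that observes the device, which is the second approach described in the text.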
These improvements can help obtain much more security-relevant information from industrial installations and annotate it, based on operational context – ultimately supporting ABB customers in making the right cyber security decisions when faced with threats.
References
[1] IBM, "X-Force Threat Intelligence Index 2022." Available: https://www.ibm.com/downloads/cas/ADLMYLAZ. [Accessed March 14, 2023.]
[2] A. Williams and M. Nicolett, "Improve IT security with vulnerability management," Gartner Research, ID G00127481, 2005. Available: https://www.gartner.com/en/documents/480703. [Accessed March 14, 2023.]
[3] K. van Overveld and M. Virostek, "Safe cyber space – ABB Ability™ Cyber Security Workplace™," ABB Review, 02/2023, pp. 112–117.