Heresy … Real-Time, Active Defense In ICS

I was blown away by Colin Parris’s Meet A Digital Twin presentation (see below) at the 2016 Minds + Machines conference, and I tried hard to get him to give this presentation at S4x17 and S4x18. Perhaps it was worth the disappointment and the waiting, because we have Colin and Justin John from GE presenting Digital Ghost, the cybersecurity addition to the Digital Twin, at S4x19. To give you an idea of how important I believe this is, we placed it in the Day 1 keynote block.

To fully understand how a machine should operate, you must know the underlying physics and controls driving it. Embedding this information into a continuously learning model called a Digital Twin provides the ability to understand how a machine should perform under any operating conditions. Digital Twins can be used to understand performance and degradation and to predict failures. This knowledge can also be used to understand whether a machine is being improperly operated due to a cyber threat. We are seeing many, or even most, of the vendors developing a Digital Twin and services around it. The security of the Digital Twin itself can be easily addressed by pushing data from the actual system to the twin through a one-way device.

In their S4x19 keynote, Colin and Justin will introduce the concept GE calls Digital Ghost, which “uses sensors and controls to detect, locate and neutralize threats much like the body responds to viruses.” The key word in that sentence is “neutralize”. The Digital Ghost is actively changing the ICS or process to prevent or limit the impact of the attack or incident. It is real-time, active and automated defense in ICS. Colin and Justin will show how this works and why they believe it is an important step forward in making ICS resilient to cyber attacks and incidents.

The idea of actively changing a process based on cybersecurity analysis is heresy in the ICS community. Even active scanning to understand status with legitimate protocol commands is still considered too risky, but this is changing quickly as the value is easily demonstrated. Heck, back in 2006 passive monitoring was considered heresy, so asset owner acceptance does change.

Vendors that sell both the physical equipment, such as a turbine in GE’s case, and the control system have a big advantage in the Digital Twin and Digital Ghost concept. The vendor knows the entire cyber-physical environment, which will help with identifying incidents and in determining what action can be taken safely. The vendor can also change the design of the physical system to add resilience measures that could be leveraged by the Digital Ghost and its active changes. The ICS vendors are often implicitly trusted and relied on by asset owners. It will likely take longer for an integrated, multi-vendor solution to gain enough confidence from the asset owner to be allowed active defense.

The second issue Digital Ghost raises is the remote operations the asset owner must allow through the cybersecurity perimeter. A one-way device is no longer an option. The typical vendor pitch is a VPN and a strong security policy covering the vendor’s site. However, even with a least-privilege firewall ruleset, what must be allowed through the firewall typically provides everything an attacker would need for complete control of the process. Last week DHS discussed this issue in their Alert on Trusted Network Exploitation. These vendor and third-party services to ICS are high-value targets for adversaries. Why bother attacking one power plant if attacking a vendor service can provide access to hundreds or thousands?

I addressed this issue in an S4x17 session, Securing ICS in an IIoT World … the Simple Solution. Cybersecurity perimeters will need to be smarter, and this can be provided with existing deep packet inspection (DPI) technology. As an asset owner, I might want a vendor to provide some control services remotely, but I don’t want it to be an all-or-nothing decision. I want the vendor to provide me with a list of services and assets that I can select from, and then not allow anything I haven’t selected through the cybersecurity perimeter. To date, vendors are loath to do this. It adds complexity, and it reduces what the vendor can offer and do. It will take an asset owner push, much like the one the adoption of one-way devices required, for this to be considered.
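To make the "smarter perimeter" concrete, here is an added example (not code from the original post, GE, or any DPI product) of the policy logic such a perimeter would apply: the vendor publishes a catalog of the remote services it can perform against named assets, the asset owner selects the subset it is willing to expose, and every decoded remote request is checked against that selection with a default of deny. The asset names, service names, request format and sample requests are all constructed for illustration; a real DPI engine would decode the actual ICS protocol and hand equivalent fields to this kind of check.

```python
"""Toy default-deny allow-list for vendor remote services at an ICS perimeter.

Added example, not from the original post. Asset names, service names and the
'key=value' request format are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Vendor-published catalog: which remote services it offers for which assets.
# (Constructed sample; a real catalog would come from the vendor.)
VENDOR_CATALOG: Dict[str, Set[str]] = {
    "turbine-01": {"read_telemetry", "adjust_setpoint", "firmware_update"},
    "turbine-02": {"read_telemetry", "adjust_setpoint", "firmware_update"},
    "historian": {"read_telemetry"},
}


@dataclass
class PerimeterPolicy:
    """Allow-list of (asset, service) pairs chosen by the asset owner.

    Anything not explicitly selected is denied and recorded for review.
    """
    allowed: Set[Tuple[str, str]] = field(default_factory=set)
    denied_log: List[str] = field(default_factory=list)

    @classmethod
    def from_owner_selection(cls, catalog: Dict[str, Set[str]],
                             selection: Iterable[Tuple[str, str]]) -> "PerimeterPolicy":
        """Build a policy from the owner's picks, rejecting anything the vendor never offered."""
        allowed: Set[Tuple[str, str]] = set()
        for asset, service in selection:
            if service not in catalog.get(asset, set()):
                raise ValueError(f"{service!r} on {asset!r} is not in the vendor catalog")
            allowed.add((asset, service))
        return cls(allowed=allowed)

    def evaluate(self, request: Dict[str, str]) -> bool:
        """Return True only for an exact (asset, service) match; log every denial."""
        key = (request.get("asset", ""), request.get("service", ""))
        if key in self.allowed:
            return True
        self.denied_log.append(
            f"DENY src={request.get('src', '?')} asset={key[0] or '?'} service={key[1] or '?'}"
        )
        return False


def parse_request(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value' line as a DPI engine might hand decoded fields to policy."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token: {token!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def filter_requests(policy: PerimeterPolicy, lines: Iterable[str]):
    """Split decoded request lines into (allowed, denied) lists per the policy."""
    allowed: List[Dict[str, str]] = []
    denied: List[Dict[str, str]] = []
    for line in lines:
        req = parse_request(line)
        (allowed if policy.evaluate(req) else denied).append(req)
    return allowed, denied


# Constructed owner selection: telemetry reads on every asset, setpoint
# adjustment on turbine-01 only, firmware updates nowhere.
OWNER_SELECTION = [
    ("turbine-01", "read_telemetry"),
    ("turbine-02", "read_telemetry"),
    ("historian", "read_telemetry"),
    ("turbine-01", "adjust_setpoint"),
]

# Constructed sample of decoded requests arriving over the vendor VPN.
SAMPLE_REQUESTS = [
    "src=vendor-vpn asset=turbine-01 service=read_telemetry",
    "src=vendor-vpn asset=turbine-01 service=adjust_setpoint",
    "src=vendor-vpn asset=turbine-02 service=adjust_setpoint",  # not selected
    "src=vendor-vpn asset=turbine-01 service=firmware_update",  # never selected
    "src=vendor-vpn asset=turbine-03 service=read_telemetry",   # unknown asset
]


def run_sample():
    """Apply the constructed selection to the constructed requests."""
    policy = PerimeterPolicy.from_owner_selection(VENDOR_CATALOG, OWNER_SELECTION)
    allowed, denied = filter_requests(policy, SAMPLE_REQUESTS)
    return allowed, denied, policy.denied_log


if __name__ == "__main__":
    allowed, denied, log = run_sample()
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for entry in log:
        print(entry)
```

The design point is that the owner never writes free-form rules: the selection can only name (asset, service) pairs the vendor actually published, so a typo or an over-broad "allow the VPN" rule cannot slip in, and a request for an asset or service outside the selection is dropped and logged rather than silently passed because the VPN tunnel itself was permitted.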

Check out Colin’s Digital Twin video below and the Digital Ghost at S4x19. Help create the future of ICS security.