The hallmark of this year’s attack on the Ukrainian power grid was the extensive reconnaissance the attackers performed on their target’s control networks, knowledge they then used to maximize system disruption. Situational awareness, incident response and recovery all depend on an accurate understanding of control system inventories, including normal process behavior. The Ukrainian attack has led our community to a key question: do we know our industrial control networks as well as our adversaries do?
Despite the emergence of technologies that monitor data flows on industrial control networks, ICS operators consistently cite the lack of a real-time view of control system topology, devices, and behavior as a fundamental obstacle to securing their operations. Historically, gathering and maintaining this information has proven labor intensive and disruptive to production, because it has relied on manual audits or active scanning of devices that tolerate unexpected traffic poorly.
Dr. Carcano’s talk will explore case studies in which emerging technology and process-centric analytics have enabled more automated, passive methods of inventory collection, network monitoring, and characterization of normal process behavior in industrial control systems. These technologies have allowed operators to baseline normal operational processes and measure network loading. Dr. Carcano will discuss the operational and safety benefits of automated inventory technologies, such as improved visibility into misconfigurations and early detection of zero-day attacks, device failures, and other anomalies. While improving operability, these technologies also hold the promise of faster detection of adversaries’ reconnaissance activities and improved recovery times.
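As an added illustration of the passive inventory and baselining approach the abstract describes (example code written for this page, not Dr. Carcano’s or any vendor’s tooling), the Python below parses Modbus/TCP request frames observed on the wire, learns which masters poll which slaves and unit IDs with which function codes, and then flags deviations from that baseline: a known master issuing a function it never used during learning, an unknown host issuing requests or writes, and a single host probing several unit IDs, which is what reconnaissance of a Modbus segment tends to look like. The hosts, frames, poll counts and enumeration threshold are all constructed for the example; the MBAP framing and function codes follow the public Modbus specification.

```python
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass

# Modbus function codes used below (values from the public Modbus spec).
FC_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 6: "Write Single Register",
            16: "Write Multiple Registers", 43: "Encapsulated Interface (Read Device ID)"}
WRITE_FCS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusReq:
    """One observed request: who asked whom, which unit ID, which function code."""
    src: str
    dst: str
    unit: int
    fc: int


def parse_modbus_tcp(src, dst, payload):
    """Parse a Modbus/TCP request (7-byte MBAP header + PDU). Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID must be 0; MBAP length counts unit ID + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusReq(src, dst, unit, payload[7])


def mbap(unit, pdu, tid=1):
    """Build a Modbus/TCP frame; used only to construct the sample traffic below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(packets):
    """Passive inventory: count each (master, slave, unit, function code) seen during learning."""
    seen = Counter()
    for src, dst, payload in packets:
        req = parse_modbus_tcp(src, dst, payload)
        if req is not None:
            seen[req] += 1
    return seen


def summarize_inventory(baseline):
    """Per (master, slave, unit): the function codes in use and the request volume."""
    summary = defaultdict(lambda: {"function_codes": set(), "requests": 0})
    for req, n in baseline.items():
        entry = summary[(req.src, req.dst, req.unit)]
        entry["function_codes"].add(req.fc)
        entry["requests"] += n
    return {k: {"function_codes": sorted(v["function_codes"]), "requests": v["requests"]}
            for k, v in summary.items()}


def detect(baseline, packets, enum_threshold=3):
    """Return a Counter of (alert_kind, src, dst, detail) for traffic that departs from the baseline."""
    masters = {req.src for req in baseline}
    alerts = Counter()
    units_probed = defaultdict(set)
    for src, dst, payload in packets:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            alerts[("malformed", src, dst, None)] += 1
            continue
        units_probed[(src, dst)].add(req.unit)
        if req.src not in masters:
            kind = "write_from_unknown_master" if req.fc in WRITE_FCS else "unknown_master"
            alerts[(kind, src, dst, req.fc)] += 1
        elif req not in baseline:
            alerts[("new_function", src, dst, req.fc)] += 1
    # One host touching many unit IDs behind the same gateway is a classic enumeration pattern.
    for (src, dst), units in units_probed.items():
        if len(units) >= enum_threshold:
            alerts[("unit_enumeration", src, dst, len(units))] += 1
    return alerts


# Constructed sample traffic: an HMI polling a PLC, then a rogue host appearing.
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.99"
READ_HR = mbap(1, bytes([3]) + struct.pack(">HH", 0, 10))     # FC3: 10 holding registers at 0
READ_COILS = mbap(1, bytes([1]) + struct.pack(">HH", 0, 16))  # FC1: 16 coils at 0
BASELINE_TRAFFIC = [(HMI, PLC, READ_HR)] * 50 + [(HMI, PLC, READ_COILS)] * 10

LIVE_TRAFFIC = [(HMI, PLC, READ_HR)] * 20 + [
    # the HMI starts writing registers, something it never did during learning
    (HMI, PLC, mbap(1, bytes([16]) + struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    # an unknown host reads device identification from several unit IDs
    *[(ROGUE, PLC, mbap(u, bytes([43, 14, 1, 0]))) for u in (1, 2, 3, 4)],
    # and then writes a single register
    (ROGUE, PLC, mbap(1, bytes([6]) + struct.pack(">HH", 0, 0))),
]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_TRAFFIC)
    for key, entry in summarize_inventory(baseline).items():
        print("inventory", key, [FC_NAMES.get(fc, fc) for fc in entry["function_codes"]], entry["requests"])
    for alert, n in detect(baseline, LIVE_TRAFFIC).items():
        print("alert", n, alert)
```

The learning phase never sends a packet, which is the point of the passive approach: the inventory and the per-master function-code profile fall out of traffic the process is already generating. In practice the frames would come from a SPAN port or tap rather than an inline list, the baseline would be persisted and aged, and the enumeration threshold tuned per site, but the detection logic stays the same.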