Industrial Cybersecurity

New Network Monitoring Technology Introduced at Homeland Security Event

Zane Blomgren

I recently had the honor of being invited back for the second time to speak at the semi-annual meeting sponsored by the Industrial Control Systems Joint Working Group (ICSJWG) within the U.S. Department of Homeland Security. I presented some exciting information on new network monitoring technologies, building significantly upon the information I presented last year.

ICSJWG holds an educational meeting in the spring and fall to address key topics in the fast-moving world of cybersecurity. As they describe themselves:


 "The Industrial Control Systems Joint Working Group (ICSJWG), a collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council framework, facilitates information sharing to reduce the risk to the Nation’s industrial control systems.


'The ICSJWG provides a vehicle for communicating and partnering across all Critical Infrastructure (CI) Sectors between federal agencies and departments, as well as private asset owners/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CI by accelerating the design, development, and deployment of secure industrial control systems.”


Cybersecurity picture


To me, this group and the participants and speakers I hear at their meetings are simply among the best of the best when it comes to cybersecurity expertise. You can bet that every second I am not speaking, I am actively listening to what these leading experts have to say and discussing cybersecurity with fellow attendees. I suggest that all readers consider tapping into this incredibly valuable, free resource, which, in addition to this amazing conference, provides webinars, training, information products and more. A good way to start is to go to their website and subscribe to their newsletter. You’ll be among the first to know when the next meeting is announced.


Many ways of monitoring networks against cyber threats

My presentation, “Next-Generation Visibility for Industrial Cyber Risks: Beyond Active vs. Passive Monitoring”, was presented on April 24, 2019 in Kansas City.


As readers know, organizations of all sizes and in all industries are in increasing danger of cyber attacks, by hackers of all kinds, from disgruntled employees to random external attacks to highly targeted commercial or state-sponsored exploits. Even smaller industrial organizations that believe that they have nothing of value to hackers are being proven dead wrong. Fact is, hackers can attack simply for spite, even targeting safety systems, or work to enslave smaller networks as a way of launching widespread attacks on bigger fish.


Of course, monitoring your network is a key proactive step to take to stay ahead of hacking attempts, as well as track other common sources of cyber incidents, such as human error and equipment failures. As operators, you can select one of several methods of collecting network data, and then run the data through sophisticated analytics to help you identify any otherwise unseen threats the network might be experiencing so that you can promptly take the appropriate action.


As I pointed out, there are traditionally two methods of network monitoring that most operators are aware of: passive monitoring and active monitoring. Passive monitoring is basically “eavesdropping” on the network and sampling the information that happens to be passing by at that moment. It is low risk, and can give you a ton of good information, but you miss out on an enormous amount of data from devices that either don’t talk to another device, or don’t happen to be transmitting at that particular time. Active monitoring, which means scanning/polling the network directly for specific answers, is generally more efficient and comprehensive, but can cause adverse interactions with sensitive equipment in the OT environment, such as VFDs and PLCs, and must be used with caution and expertise.


Fortunately, with the increasing demand for network monitoring, there is a lot of innovation in the space, and Belden/Tripwire are proud to be at the forefront. Last fall, I was excited to present to the ICSJWG group the concept of hybrid monitoring, or, as I like to call it, “talking to the thing that talks to the thing.” This technology can get more information than pure passive monitoring because it queries the network, yet is safer than active monitoring because it queries other components that might be on the network and already talking to the endpoints, rather than querying the sensitive endpoints directly.


Introducing Integrated Network Monitoring

To this portfolio of possibilities, I was excited to add the concept of integrated network monitoring, an emerging technology that Belden/Tripwire and its partners are developing. The concept is to put a sensor into the firmware on the switch so that you can begin collecting data as you want, without having to separately reconfigure or impact the switch. Since it’s integrated into the fabric of the network, there is near zero risk and data fidelity is very high, with no interruption or latency. You don’t have to worry about plugging and unplugging devices, or the availability of intermediate points to query (as is necessary with Hybrid monitoring), or even whether there is an extra port available on a network switch! Integrated monitoring will be the wave of the future, and a major leap forward in network monitoring technology.


For proactive, visionary operators, it’s something to keep in mind as you are doing new projects or changing out infrastructure in the near future. I look forward to updating ICSJWG participants (and blog readers) on exciting developments around the emerging integrated monitoring technology. Watch this space, and talk to your Belden/Tripwire representatives to find out the latest.