Cybersecurity Metrics: The Path To OT Security Maturity

A persistent gap exists between awareness and action regarding investment in OT/ICS cyber defenses.

In 2023, the cybersecurity challenges in the Operational Technology (OT) and Industrial Control Systems (ICS) landscape reached unprecedented levels. Ransomware, increasingly prevalent through new Ransomware-as-a-Service (RaaS) models, became a widespread and costly headache. While some might argue this exaggerates the risk, the growing demand for defenses is not overstated. 2024 continues to be a year full of formidable hurdles, marked by significant increases in both threats to OT systems and the countermeasures implemented by governments and organizations. This blog aims to guide organizations in the use of cybersecurity metrics and Security Key Performance Indicators (SKPI) to both improve OT security maturity levels and keep track of said improvements.

Despite the recognition among leadership within most manufacturing companies of the critical importance of OT/ICS cybersecurity, a persistent gap exists between awareness and action regarding investment in OT/ICS cyber defenses. When OT/ICS departments propose security enhancements, executives often demand concrete evidence of increased protection, a challenge that current cybersecurity technologies struggle to address satisfactorily because the Return on Investment (ROI) of cybersecurity measures is hard to quantify. Executives expect OT/ICS security departments to demonstrate success with metrics similar to those used by other operational organizations (manufacturing, distribution, pipelines, etc.), as boards, regulatory bodies, and insurance companies begin to demand measurable improvements within OT environments. Consequently, because of this unclear ROI, such proposals tend to be deprioritized and shelved. The gap persists even as the need for action only increases.

Challenges in measuring OT cybersecurity improvements

Many industrial organizations recognize that their most critical systems—especially those involving networked and physical operations—are not given the same level of cybersecurity attention as their traditional IT counterparts. TXOne’s 2023 annual cybersecurity report reveals that in terms of security maturity, OT/ICS systems significantly lag behind IT systems, far more than initially anticipated.

There are numerous reasons for OT security trailing behind IT security. Many OT systems historically have fewer connections to the external world/internet compared to IT systems, with many industrial organizations still not fully appreciating the risks associated with IT/OT convergence. Operational demands make managing vulnerabilities and security weaknesses challenging, as changes can disrupt uptime and productivity. It’s common for IT security tools and practices to be either ineffective or pose higher risks when deployed in outdated or embedded OT systems. Furthermore, there is a significant knowledge and skill gap in deploying security within OT environments.

These factors underscore the urgent need for marked improvements in OT security posture. To counter the increasing threats, not only is increased spending necessary, but these investments also need to be measurable to satisfy boards, regulatory bodies, and insurance companies regarding the ongoing improvements made by OT organizations towards achieving their objectives.

In response to this challenge, the Cybersecurity and Infrastructure Security Agency (CISA) has published a set of voluntary cross-sector Cybersecurity Performance Goals (CPGs) aligned with the Cybersecurity Framework functions. These goals assist owners of Information Technology (IT) and Operational Technology (OT) from critical infrastructure sectors by providing a prioritized set of security practices, including standards for basic cybersecurity practices. They aim to enhance industrial cybersecurity posture, helping organizations define cybersecurity performance goals, appropriately allocate budgets and take action. Over the past few years, TXOne Networks has worked closely with clients in critical infrastructure sectors to rapidly demonstrate quantifiable improvements in OT security. This approach aligns with CISA’s CPG framework, integrating our unique OT cybersecurity solutions.

Enhancing OT/ICS security through key cybersecurity metrics

Human factors represent a vulnerable link within corporate security management frameworks. Governance, Responsibility Assignment (RACI), and user awareness are essential components of a Security Key Performance Indicator (SKPI) strategy. However, we advocate for a multi-layered protection and detection structure centered around assets, such as the CPSDR (Cyber-Physical Systems Detection and Response) model, as a more fitting approach to risk management in OT/ICS environments, especially given the increasing automation within manufacturing lines. It is crucial to define and continuously monitor key cybersecurity metrics to thwart threats, review security postures for risk mitigation, and validate the effectiveness of security controls. The adage, “if you can’t measure it, you can’t manage it,” holds particularly true in this context.

Beyond the CPG framework proposed by CISA, several cybersecurity performance goals should be taken into consideration when it comes to providing enterprises with a clear understanding of their security posture and trends. This understanding is vital for determining whether appropriate actions are needed to enhance their security maturity and for supporting secure management and sustainable operations. Metrics that can add to this understanding are as follows:

1. Asset inventory

Continuous asset management involves monitoring unauthorized hardware/software installations on machines and shadow devices within the network, and reflects the state of cyber hygiene. An up-to-date asset inventory is foundational to security management. Organizations are required to update their inventory regularly, at a minimum once a month. This inventory should encompass all assets, including those that are air-gapped, across both IT and OT domains. Asset inventories can categorize assets into new assets, those nearing End of Life (EOL), and those already at EOL. This categorization aids in quickly identifying assets that pose a high risk.
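The inventory checks described above, as an added example with constructed data (not the page's or TXOne's own tooling): it reconciles a declared inventory against devices seen on the network to surface shadow devices, buckets assets by EOL status, and checks record freshness against the once-a-month rule. The 365-day "nearing EOL" window and the sample asset records are assumptions.

```python
"""Asset-inventory metrics over constructed data: shadow-device detection,
EOL bucketing and inventory freshness (the page's once-a-month rule)."""
from datetime import date, timedelta

# Constructed sample inventory: one record per declared asset (ISO dates).
INVENTORY = [
    {"id": "PLC-01", "mac": "00:11:22:33:44:01", "zone": "OT",
     "eol": "2027-06-30", "last_verified": "2024-03-01"},
    {"id": "HMI-02", "mac": "00:11:22:33:44:02", "zone": "OT",
     "eol": "2024-09-30", "last_verified": "2024-03-01"},
    {"id": "ENG-WS", "mac": "00:11:22:33:44:03", "zone": "OT",
     "eol": "2023-01-14", "last_verified": "2023-12-01"},
    {"id": "SRV-IT", "mac": "00:11:22:33:44:04", "zone": "IT",
     "eol": "2029-01-01", "last_verified": "2024-03-10"},
]

# Constructed sample of MAC addresses observed by a passive network sensor.
OBSERVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"}

EOL_WARNING = timedelta(days=365)        # "nearing EOL" window (assumption)
MAX_INVENTORY_AGE = timedelta(days=30)   # the page's once-a-month requirement


def eol_bucket(asset, today):
    """Classify one asset as 'eol', 'nearing_eol' or 'current'."""
    eol = date.fromisoformat(asset["eol"])
    if eol <= today:
        return "eol"
    if eol - today <= EOL_WARNING:
        return "nearing_eol"
    return "current"


def shadow_devices(inventory, observed_macs):
    """MACs seen on the wire that no inventory record accounts for.
    The reverse (declared but unseen) is not a finding by itself: air-gapped
    assets never appear on a network sensor yet still belong in the inventory."""
    known = {a["mac"] for a in inventory}
    return sorted(observed_macs - known)


def stale_assets(inventory, today):
    """Assets whose record was not re-verified within the update window."""
    return [a["id"] for a in inventory
            if today - date.fromisoformat(a["last_verified"]) > MAX_INVENTORY_AGE]


def inventory_metrics(inventory, observed_macs, today_iso):
    """Roll the checks up into the figures a monthly report would carry."""
    today = date.fromisoformat(today_iso)
    buckets = {"current": [], "nearing_eol": [], "eol": []}
    for asset in inventory:
        buckets[eol_bucket(asset, today)].append(asset["id"])
    stale = stale_assets(inventory, today)
    return {
        "total": len(inventory),
        "eol": buckets["eol"],
        "nearing_eol": buckets["nearing_eol"],
        "shadow_devices": shadow_devices(inventory, observed_macs),
        "stale": stale,
        # EOL or stale: the first candidates for a risk review.
        "high_risk": sorted(set(buckets["eol"]) | set(stale)),
    }


if __name__ == "__main__":
    for key, value in inventory_metrics(INVENTORY, OBSERVED_MACS, "2024-03-15").items():
        print(f"{key}: {value}")
```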

2. Proactive risk management

These measures aim to proactively identify vulnerabilities and threats and diminish the risk of exploitation.

  • Risk Assessment Using Threat Intelligence: This involves evaluating critical vulnerabilities (based on severity and impact) and threats by using both external and internal threat intelligence sources. Ideally, real-time scanning should be conducted before deploying new devices and during maintenance activities when changes occur. This is crucial for understanding the current threat landscape and identifying the vulnerabilities that pose the greatest risk to the organization.
  • Mitigation of Critical Vulnerabilities by Patching or Segmentation: Key vulnerabilities are mitigated by applying patches or implementing isolation measures on assets accessible to the internet, as recommended by the CISA Known Exploited Vulnerabilities (KEV) catalog. For OT assets where traditional patching is not feasible or poses a threat to operational safety, alternative measures such as network segmentation, virtual patching, and monitoring are utilized and recorded. This step is vital for protecting against known threats and minimizing potential exposure.

3. Inbound traffic management with OT/ICS perimeter defense

In the intricate domain of OT and ICS security, managing inbound traffic is critical to safeguarding against malicious transactions/accesses. The perimeter defenses of an OT/ICS network play a pivotal role in this endeavor, acting as gatekeepers to filter out unwarranted activities and ensuring that only essential communications are permitted. This approach includes specifying which IP addresses and ports are allowed and meticulously controlling inter-network communications between IT and OT through intermediaries. These intermediaries, such as firewalls, bastion hosts, ‘jump boxes’, or Demilitarized Zones (DMZs), are essential for maintaining a secure bridge between the networks, subject to rigorous monitoring and logging to permit entry only to approved assets.

Furthermore, organizations are advised to vigilantly track all failed login attempts, with an automated alert to security teams when multiple unsuccessful attempts are made within a short timeframe, such as five within two minutes. This protocol not only prevents unauthorized access but also contributes to a comprehensive security analysis by logging these incidents for future review.

  • Events Captured by Firewalls: This refers to the incidents identified and logged by firewall systems. Firewalls act as a first line of defense by inspecting incoming and outgoing traffic based on predefined security rules. This component plays a critical role in preventing unauthorized access and mitigating potential threats before they can penetrate deeper into the network.
  • Events Captured by Intrusion Prevention Systems/Intrusion Detection Systems (IPS/IDS): These incidents are identified by systems designed to detect and prevent malicious activities within the network. IPS/IDS systems analyze network traffic to identify potentially dangerous patterns indicative of cyber threats. By capturing and analyzing these events, organizations can respond to real-time threats and enhance their security posture against attacks.
  • Continuously Establishing a Baseline of Regular Activity Patterns: The basis for analyzing potential threats lies in understanding what constitutes ‘normal’ traffic within a network. This process involves establishing a baseline of regular activity patterns, which can then be used to identify deviations. By continuously monitoring the behavior of data flows, OT network defense systems can detect unusual patterns that may indicate malicious activities. These could include an unexpectedly high volume of data being transferred to an unknown destination, unauthorized attempts to access sensitive resources, or patterns suggesting an attempt at data exfiltration.
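The failed-login alert rule described above (five unsuccessful attempts within two minutes), as an added example run over constructed syslog-style lines; it is not code from the page or any vendor product. The sliding window is kept per (source, account) so a slow trickle stays below the threshold while a burst alerts once; the host name, account names and addresses are constructed.

```python
"""Failed-login burst detection with a per-(source, account) sliding window,
run over constructed jump-host log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5                   # failures that trigger an alert
WINDOW = timedelta(minutes=2)   # sliding window length

# Constructed lines: a slow trickle from 10.1.1.5 and a burst from 10.1.1.9
# against the same engineering account; one successful login is mixed in.
SAMPLE_LOG = """\
2024-03-15T08:00:01Z jump01 sshd: Failed password for eng from 10.1.1.5
2024-03-15T08:01:30Z jump01 sshd: Failed password for eng from 10.1.1.5
2024-03-15T08:03:10Z jump01 sshd: Failed password for eng from 10.1.1.5
2024-03-15T08:10:00Z jump01 sshd: Failed password for eng from 10.1.1.9
2024-03-15T08:10:05Z jump01 sshd: Failed password for eng from 10.1.1.9
2024-03-15T08:10:09Z jump01 sshd: Accepted password for ops from 10.1.1.7
2024-03-15T08:10:12Z jump01 sshd: Failed password for eng from 10.1.1.9
2024-03-15T08:10:20Z jump01 sshd: Failed password for eng from 10.1.1.9
2024-03-15T08:11:50Z jump01 sshd: Failed password for eng from 10.1.1.9
2024-03-15T08:11:55Z jump01 sshd: Failed password for eng from 10.1.1.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failure(line):
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"]


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Count failures per (source, user) inside a sliding window.

    One alert is raised per (source, user) the first time the count reaches
    the threshold; later failures of the same burst are suppressed so a
    single attack does not page the on-call engineer repeatedly.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successful logins and other events are ignored
        ts, user, src = parsed
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "user": user, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```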

4. Implementing endpoint protection to enhance threat detection and response

Firewalls in OT environments can also fail due to vulnerabilities, misconfigurations, or malfunctions, posing significant risks to assets and normal operations. In such cases, deploying endpoint security solutions becomes essential for detecting malicious activities. TXOne Networks advocates that industrial organizations should enhance their detection and response capabilities for Cyber-Physical Systems (CPS) by establishing system policies based on behavioral baselines to disable unnecessary features—such as disabling programs, DLL files, drivers, and scripts that are not explicitly included in the approved application list. Detection and response ensure robust defensive resilience against potential threats. For situations where specific services need to be enabled under certain conditions, a unique policy allows authorized users to maintain operational flexibility while ensuring cybersecurity by allowing them to activate these services on specified assets:

  • Time Span from Threat Inception to Detection: This metric measures the duration between when a threat initially appears within the system and when it is successfully detected by security measures. Minimizing this time span is critical for reducing the potential damage caused by threats and improving the overall responsiveness of cybersecurity protocols.
  • Unauthorized Software/Hardware Installations and Policy Violations: This component addresses incidents such as unauthorized software/hardware being installed on devices, compromised devices within the network, or attempts to illegally access restricted networks. Monitoring and managing these incidents are vital for maintaining system integrity and preventing unauthorized access or breaches.
  • OT Security with Behavioral Detection and Zero-Trust Principles: CPSDR (Cyber Physical Systems Detection and Response) goes beyond merely setting which applications are allowed to run; it encompasses understanding the normal behavioral patterns of programs, also referred to as fingerprints. This approach, by establishing system policies based on behavioral baselines, aims to disable unnecessary features—such as programs, DLL files, drivers, and scripts. The advantage of this methodology is that it requires only a description of the expected behavior for legitimate applications, without the need to define the negative behaviors associated with malicious applications. This multi-layered detection mechanism can block the attack process even if an application is compromised with shellcode due to a vulnerability, aligning with the zero-trust methodology of OT security.
  • Total Number of True Threats Detected by Antivirus Software: This metric refers to the total number of threats identified by antivirus software, distinguishing between true positives (actual threats) and false positives (incorrectly identified as threats). Tracking these numbers helps in assessing the accuracy and efficiency of the threat detection system, facilitating continuous improvement and optimization of security measures.
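The behavioral-baseline policy and the two metrics above (time from threat inception to detection, true versus false positives), as an added example with constructed endpoint telemetry; this is not TXOne's CPSDR implementation. The baseline records, per approved program, the modules and child processes it normally uses, so only legitimate behaviour has to be described; the host name, paths, module names and analyst verdicts are assumptions.

```python
"""Behavioral-baseline endpoint policy over constructed telemetry: activity
outside an approved program's fingerprint is a policy violation, and the
violations feed the section's metrics (mean time to detect, TP/FP split)."""
from datetime import datetime
from statistics import mean

RUNTIME, REPORT = r"C:\Vendor\hmi\runtime.exe", r"C:\Vendor\hmi\report.exe"
SHELL = r"C:\Windows\System32\cmd.exe"

# Constructed baseline for one HMI workstation: approved image -> fingerprint.
BASELINE = {"HMI-02": {
    RUNTIME: {"modules": {"opcua.dll", "scada.dll"}, "children": {REPORT}},
    REPORT: {"modules": {"pdf.dll"}, "children": set()},
}}

# Constructed agent telemetry. 'first_seen' is when the artifact appeared on
# disk (threat inception); 'ts' is when the agent observed the activity.
EVENTS = [
    {"host": "HMI-02", "type": "process_start", "image": RUNTIME, "parent": None,
     "first_seen": "2024-03-15T08:00:00", "ts": "2024-03-15T08:00:00"},
    {"host": "HMI-02", "type": "image_load", "image": RUNTIME, "module": "opcua.dll",
     "first_seen": "2024-03-15T08:00:00", "ts": "2024-03-15T08:00:01"},
    {"host": "HMI-02", "type": "image_load", "image": RUNTIME, "module": "unknown.dll",
     "first_seen": "2024-03-14T22:10:00", "ts": "2024-03-15T08:00:02"},
    {"host": "HMI-02", "type": "process_start", "image": SHELL, "parent": RUNTIME,
     "first_seen": "2024-03-15T08:00:03", "ts": "2024-03-15T08:00:03"},
    {"host": "HMI-02", "type": "process_start", "image": RUNTIME, "parent": REPORT,
     "first_seen": "2024-03-15T08:05:00", "ts": "2024-03-15T08:05:00"},
]
# Analyst verdicts per flagged artifact: True = real threat, False = benign.
VERDICTS = {"unknown.dll": True, SHELL: True, RUNTIME: False}


def check_event(baseline, ev):
    """Return a violation record if the event falls outside the fingerprint."""
    host = baseline.get(ev["host"], {})
    reason, artifact = None, ev["image"]
    if ev["type"] == "process_start":
        if ev["image"] not in host:
            reason = "unapproved_program"      # not on the allow-list at all
        elif ev["parent"] is not None and ev["image"] not in (
                host.get(ev["parent"], {}).get("children", set())):
            reason = "unexpected_child"        # approved, but spawned abnormally
    elif ev["type"] == "image_load" and ev["image"] in host:
        if ev["module"] not in host[ev["image"]]["modules"]:
            reason, artifact = "unexpected_module", ev["module"]
    if reason is None:
        return None
    return {"host": ev["host"], "reason": reason, "artifact": artifact,
            "inception": ev["first_seen"], "detected": ev["ts"]}


def evaluate(baseline, events):
    """Run every event through the policy and collect the violations."""
    return [v for v in (check_event(baseline, e) for e in events) if v]


def detection_metrics(violations, verdicts):
    """Violations by reason, TP/FP split, mean seconds from inception to detection."""
    true_pos = [v for v in violations if verdicts.get(v["artifact"], False)]
    delays = [(datetime.fromisoformat(v["detected"]) -
               datetime.fromisoformat(v["inception"])).total_seconds() for v in true_pos]
    by_reason = {}
    for v in violations:
        by_reason[v["reason"]] = by_reason.get(v["reason"], 0) + 1
    return {"violations_by_reason": by_reason, "true_positives": len(true_pos),
            "false_positives": len(violations) - len(true_pos),
            "mean_seconds_to_detect": mean(delays) if delays else None}
```

The long detection delay for the unknown module comes from its on-disk inception the previous evening, which is exactly the gap the time-to-detection metric is meant to expose.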

5. Securing outbound traffic

In the realm of cybersecurity, securing outbound traffic from organizational assets, especially those accessible via the public internet, is paramount to preventing exploitation and abuse. This critical aspect of security management involves ensuring that assets do not offer services vulnerable to exploitation without implementing appropriate countermeasures. Furthermore, it emphasizes the importance of deactivating non-essential operating system applications and network protocols on internet-facing assets and restricting OT assets’ connection to the public internet strictly to operational necessities. Any deviations from these best practices must be thoroughly justified, documented, and equipped with enhanced security measures to deter exploitation attempts.

  • Events Captured by Firewalls (e.g., Port Scanning): This component involves the detection of incidents by firewall systems, such as unauthorized port scanning activities. Firewalls serve as a critical line of defense, monitoring and controlling inbound and outbound network traffic based on predetermined security rules. Identifying such events allows organizations to preemptively address potential threats and vulnerabilities, reinforcing the security of their network infrastructure.
  • Events Captured by Proxies: This category pertains to incidents detected through proxies, such as suspicious or malicious web traffic patterns. Proxies act as intermediaries between users and the internet, providing additional layers of filtering and security. By capturing these events, organizations can further mitigate the risk of data exfiltration, malware distribution, and other security threats facilitated by outbound traffic.

6. Addressing false-negative threats discovered through external network scanning tools

Utilizing external network scanning tools and honeypots for threat detection represents an approach to addressing unknown malicious activities by employing tools and perspectives external to industrial organizations, especially when malicious actors successfully evade internal defense mechanisms. These indicators—honeypot detection, new release URLs/public IPs, and internal client information (source high ports)—serve as key metrics for assessing an organization’s security posture and resilience against network threats. These metrics play a pivotal role in identifying attacks driven by unknown malware and the exploitation of zero-day vulnerabilities, thereby significantly enhancing the organization’s security posture.

  • Honeypot Detection: Honeypots are decoy systems designed to mimic real network assets. They are strategically deployed within the network infrastructure to lure attackers, thereby diverting them from legitimate targets. The detection metric associated with honeypots refers to the capability of these systems to attract and identify malicious actors or malware. This metric is crucial for understanding the types of threats an organization faces and the tactics employed by attackers. By analyzing interactions with honeypots, security teams can gain insights into attack patterns, vulnerabilities being exploited, and potentially, the identity of the attackers. This intelligence is instrumental in fortifying defenses, tailoring incident response strategies, and enhancing overall cybersecurity measures.
  • New Release URL / Public IP: This metric pertains to the tracking and analysis of new URLs or public IP addresses introduced into an organization’s digital environment, whether through web services, external communications, or software updates. Monitoring new releases of URLs and public IPs is essential for several reasons. Firstly, it helps in assessing the security of newly deployed services or applications, ensuring they do not introduce vulnerabilities. Secondly, it aids in the early detection of unauthorized or rogue services that could expose the network to cyber threats. Finally, by keeping a vigilant eye on new digital introductions, organizations can prevent potential data leaks or breaches stemming from insecure or unintended exposures.
  • Internal Client Information: This metric focuses on the analysis of internal network traffic, specifically examining the source ports of client requests. High source ports are typically associated with outbound connections initiated by internal clients to external servers or services. It is vital to monitor and analyze this traffic for several reasons. It can identify potential unauthorized data exfiltration or communications with malicious external entities. Additionally, it can uncover internal devices or systems that are compromised or acting maliciously. Understanding the flow of information from high source ports enables organizations to enforce network policies more effectively, restrict outbound connections to only verified and secure destinations, and enhance the overall security of internal networks against external threats.

Solutions for aligning industrial cybersecurity ROI

TXOne Networks offers cybersecurity solutions that ensure the reliability and safety of ICS and OT environments through adherence to the OT zero trust methodology. At TXOne, while we do not offer solutions for systems at Purdue model levels 4 and 5 and may not meet all the cybersecurity metrics previously mentioned, we provide a comprehensive OT zero-trust solution for defending systems at level 3 and below. We work together with both leading manufacturers and critical infrastructure operators to develop practical, operations-friendly approaches to cyber defense.

The OT zero trust-based technologies we’ve developed go beyond the limits of traditional cyber defense to streamline management, reduce security overhead, and quickly resolve challenges. We offer both network- and endpoint-based solutions that integrate with the layered arrangements and varied assets common to work sites, providing real-time, defense-in-depth cybersecurity to both mission-critical devices and the OT network as a whole.

  • TXOne Element product line offers foolproof cybersecurity detection for assets entering and exiting the factory area, as well as for portable storage media. The product’s design logic closely aligns with existing operational processes, making it easy for general staff to adopt and effortlessly carry out cybersecurity maintenance and inventory tasks.
  • TXOne Edge product line brings enhanced stability and resilience to industrial control network environments. Adhering to a zero-trust principle centered on packet detection, all data exchanges and command transmissions between devices are subject to precise management control. The mining technology developed for industrial control communication protocols plays a vital role in disaster prevention, detection, and repair, contributing to improved overall operational stability.
  • TXOne Stellar provides a pure software endpoint protection solution rooted in industrial control systems. We break down the barriers between old and new equipment, using operational field normative baselines as references. Without disrupting operations, we proactively block unauthorized system changes and malicious activities.
  • TXOne SageOne offers a multi-dimensional view of an organization’s cybersecurity posture through visual representations. It provides a holistic security perspective with granularity, including the proportion of protected/unprotected assets, asset health status and anomaly detection, asset exposure level assessment, and an overview of the asset lifecycle.

Conclusion

The OT cybersecurity metrics discussed above provide crucial insights for enhancing cybersecurity within industrial organizational contexts. Recognizing that each industrial organization may have distinct security objectives and requirements, customizing these SKPIs to align with specific organizational goals becomes imperative. Industrial organizations are encouraged to initiate this customization process by establishing an immediate and comprehensive asset inventory. Possessing a complete asset inventory enables IT and OT security teams to effectively manage available patches, track patch statuses, and identify missing patches, thereby strengthening their cybersecurity framework.

In the era of Zero Trust Architecture (ZTA), it is critical to reinforce perimeter firewall policies to adhere to the principle of least privilege, while also scrutinizing internal network traffic and endpoint behavior for any anomalies that could indicate security vulnerabilities. The investigation of policy violations goes beyond merely detecting threats such as emerging Advanced Persistent Threats (APTs), the top ten malicious software programs, or entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog, particularly within highly automated manufacturing facilities. It also involves a thorough analysis of, and response to, the attack source, vector, and impacted areas.

By tailoring SKPIs to fit their unique security needs and diligently applying the principles of Zero Trust Architecture, industrial organizations can significantly enhance their defense mechanisms against complex cyber threats. This approach not only protects critical infrastructure but also ensures the continuity and integrity of manufacturing operations in an increasingly digitalized and interconnected world.

References

  1. CISA, “Cross-Sector Cybersecurity Performance Goals”, Cybersecurity and Infrastructure Security Agency CISA, 2022.
  2. James Tu, Dr. Winston Shieh, Dr. Terence Liu, Leon Chang, “Cybersecurity Reference Architecture for Semiconductor Manufacturing Environments”, SEMI, Oct. 1, 2023.
  3. Livingston, J. “4 components to rapidly improve & measure OT security”, Verve Industrial, November 30, 2022.

