

A Condition-Monitoring Approach to Cyber Security

March 23, 2015 / Dave Brown

To a plant maintenance engineer, the chance that a project might “blow up” is more than just a figure of speech—it’s a real-life risk. So we can be sure that these maintenance managers take their jobs very seriously. In this blog series we will explore some of the lessons we can learn from the approach plant maintenance engineers take in doing their jobs.

Lesson 1: Detect it before it explodes

Scenario: Locals reported seeing a bright flash accompanied by a very loud pop. A couple hundred houses were without power for a few hours but it could have been a lot worse. Thankfully nobody was hurt and the blown transformer would be easy to repair. In the meantime, any danger caused by the condition was past. The situation had corrected itself.

The term “self-correcting” is what maintenance engineers use as a tongue-in-cheek description of electrical components that are on the verge of failing. Granted, failures of this type might result in an explosion, fire, property damage, or injury. In the end, however, the contacts will melt and the circuit will break, thereby “correcting” the condition.

Unfortunately, in the world of IT, we have no such circuit breaker fail-safes. Vulnerabilities will never become less severe and the number of attacks we face will never lessen over time. That said, there are a couple of lessons we can learn from our counterparts in the field of condition monitoring.

Condition monitoring is the practice of identifying conditions among electrical or mechanical components that may be indicative of a developing fault. A typical manufacturing floor might contain hundreds or thousands (or even tens of thousands!) of electrical and mechanical components, every one susceptible to possible failure. Depending on the nature of the business, many of these components may be critical to its operation, making its very survival dependent on uptime.

The traditional approach to maintenance was very systematic—a schedule of periodic maintenance based on manufacturer specifications. Wheel bearings would be lubricated, valves purged, and brushes replaced, all whether they needed it or not.

This approach parallels the use of traditional antivirus and firewalls as malware protection—a scattershot, check-the-box approach that worked fine in simpler times but, like traditional plant maintenance, was soon determined to be both inefficient and ineffective.

In the case of plant maintenance, businesses soon realized that not only did many of the bearings not need to be greased so frequently, but greasing them strictly on the basis of a set schedule did little, if anything, to reduce the number of failures. They needed a way to better target the potential problem areas.

Enter condition monitoring: a new approach and a new set of tools that helped organizations focus their resources on problem areas, such as vibration analysis to see whether a high-speed impeller might be out of date, ultrasound to detect problem bearings, or oil analysis to determine whether an oil-filled transformer might be failing.

All of these tools have corresponding analogs in the world of cybersecurity: detection tools. These include a variety of tools on both the network and the endpoints that watch for static threat indicators (such as IP addresses or file hashes) and, in some cases, dynamic ones (such as process behavior). Detected events can be viewed in a list in a product console or, in some cases (such as with Bit9 and Carbon Black), sent to Splunk or your SIEM, or even emailed as alerts.

Detection events are the equivalent of the plant engineer’s ultrasound alarm or vibration warning. The next step is to leverage whatever tools we have at our disposal to respond accordingly (more on response in a future article).
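To make the static-versus-dynamic distinction concrete, here is an added example (not code from the original post or from Bit9 + Carbon Black) of a minimal detection pass over constructed endpoint telemetry. It applies two static indicators (a known-bad file hash and a known-bad destination IP, both placeholder values) and one behavioural rule (a document-handling application spawning a command interpreter), then serialises the resulting alerts as JSON lines in the shape a SIEM or log collector would ingest. The host names, images, hashes and IP addresses are all made up.

```python
"""Added example: static and dynamic threat indicators applied to constructed
endpoint events, with alerts formatted for forwarding to a SIEM.
Sample data and indicator values are placeholders, not real IoCs."""
from __future__ import annotations

import json
from typing import Iterable

# Constructed static indicators (placeholder values, not real IoCs).
KNOWN_BAD_HASHES = {
    "aa" * 32,  # placeholder SHA-256
}
KNOWN_BAD_IPS = {
    "203.0.113.45",  # RFC 5737 documentation address, used as a stand-in
}

# Constructed behavioural rule: a document-handling application spawning a
# command interpreter is unusual for ordinary office use.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed sample endpoint telemetry, the kind of feed an endpoint sensor
# would produce. Hosts, images and hashes are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-017", "parent": "explorer.exe",
     "image": "winword.exe", "sha256": "11" * 32},
    {"type": "process", "host": "ws-017", "parent": "winword.exe",
     "image": "powershell.exe", "sha256": "22" * 32},
    {"type": "process", "host": "ws-042", "parent": "explorer.exe",
     "image": "updater.exe", "sha256": "aa" * 32},
    {"type": "netconn", "host": "ws-042", "image": "updater.exe",
     "remote_ip": "203.0.113.45", "remote_port": 443},
    {"type": "netconn", "host": "ws-017", "image": "chrome.exe",
     "remote_ip": "198.51.100.7", "remote_port": 443},
]


def check_static(event: dict) -> list[dict]:
    """Match fixed indicators: a known-bad file hash or destination IP."""
    hits = []
    if event["type"] == "process" and event.get("sha256") in KNOWN_BAD_HASHES:
        hits.append({"rule": "static:known_bad_hash", "detail": event["sha256"]})
    if event["type"] == "netconn" and event.get("remote_ip") in KNOWN_BAD_IPS:
        hits.append({"rule": "static:known_bad_ip", "detail": event["remote_ip"]})
    return hits


def check_dynamic(event: dict) -> list[dict]:
    """Match a behaviour rather than a fixed value: office app -> interpreter."""
    if (event["type"] == "process"
            and event.get("parent", "").lower() in OFFICE_PARENTS
            and event.get("image", "").lower() in INTERPRETERS):
        return [{"rule": "dynamic:office_spawns_interpreter",
                 "detail": f"{event['parent']} -> {event['image']}"}]
    return []


def detect(events: Iterable[dict]) -> list[dict]:
    """Run every event through both indicator classes and return alert records."""
    alerts = []
    for ev in events:
        for hit in check_static(ev) + check_dynamic(ev):
            alerts.append({
                "host": ev["host"],
                "image": ev.get("image"),
                "rule": hit["rule"],
                "indicator_type": hit["rule"].split(":")[0],
                "detail": hit["detail"],
            })
    return alerts


def to_siem_lines(alerts: list[dict]) -> list[str]:
    """Serialise alerts as one JSON object per line, the usual shape for
    forwarding to a SIEM or log collector."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(detect(SAMPLE_EVENTS)):
        print(line)
```

Run against the sample feed, the pass raises three alerts: one dynamic alert for the interpreter spawned under winword.exe on ws-017, and two static alerts for the placeholder hash and IP on ws-042. The static checks are cheap and precise but only catch what is already on a list, which is why the behavioural rule is there as well; in practice both feed the same console or SIEM so that the response step can treat them uniformly.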

The use of any one of these tools in isolation is a step toward a more targeted approach to security, but any consultant of merit will strongly advise (as do we at Bit9 + Carbon Black) that the best approach is one that leverages many layers, often referred to as “defense-in-depth.” These days, nearly all organizations have adopted some level of detection in order to become more responsive to advanced threats. As important as it is, however, detection should be viewed only as a first step on the path to security.

In the next post in this series, I will delve a bit deeper into how the field of condition monitoring teaches why having 100 percent visibility into your enterprise is even more important than having detection capabilities.