{"id":31165,"date":"2021-03-08T19:56:57","date_gmt":"2021-03-08T19:56:57","guid":{"rendered":"https:\/\/www.dvirc.org\/insights\/detecting-abnormal-cyber-behavior-before-a-cyberattack\/"},"modified":"2023-03-08T14:01:32","modified_gmt":"2023-03-08T14:01:32","slug":"detecting-abnormal-cyber-behavior-before-a-cyberattack","status":"publish","type":"post","link":"https:\/\/www.dvirc.org\/insights\/detecting-abnormal-cyber-behavior-before-a-cyberattack\/","title":{"rendered":"Detecting Abnormal Cyber Behavior Before a Cyberattack"},"content":{"rendered":"

The promise of advanced manufacturing technologies \u2014 also known as smart factories or Industry 4.0 \u2014 is that by networking our machines, computers, sensors and systems, we will (among other things) enable automation, improve safety and ultimately become more productive and efficient. And there is no doubt that manufacturing has already benefited from that transformation.<\/p>\n

Connecting all of these sensors and devices to our industrial control systems (ICS), along with the increase in remote work and monitoring, results in manufacturing networks that are more vulnerable to cyberattack. This is an increasingly challenging dynamic as manufacturers sort out how to adopt commercial information technology (IT) standards that are compatible with their operational technology (OT) standards.<\/p>\n

New Standards-Based Capabilities Will Help Manufacturers<\/h2>\n

NIST\u2019s National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST\u2019s Engineering Laboratory, recently released a report that demonstrated a set of behavioral anomaly detection (BAD) capabilities to support cybersecurity in manufacturing organizations. The use of these capabilities enables manufacturers to detect anomalous conditions in their operating environments to mitigate malware attacks and other threats to the integrity of critical operational data.<\/p>\n

In other words, manufacturers will be able to continuously monitor systems in real time or near real time for evidence of compromise. The development of standards-based cyber controls is an important part of meeting manufacturers\u2019 security requirements.<\/p>\n

How BAD Monitoring Translates to Early Detection of Cyber Threats<\/h2>\n

Behavioral anomaly detection involves the continuous monitoring of systems for unusual events or trends. The monitor looks in real time for evidence of compromise, rather than for the cyberattack itself. Early detection of potential cybersecurity incidents is key to helping reduce the impact of these incidents for manufacturers. Cyber breaches are typically detected after the attack.<\/p>\n

BAD tools are implemented in ICS and OT environments and could be monitored by a human control interface, which many manufacturers use to monitor their operations. The operator would be able to see network traffic and be alerted to the addition of any authorized or unauthorized device or connection.<\/p>\n

For example, the system would know what communications are authorized with a programmable logic controller (PLC), so any new contact would generate an alert. Likewise, any abnormal communication between connected machines, modifications in human-machine interface (HMI) logic or other anomalies would be noted.<\/p>\n

The BAD solution is a relatively inexpensive modular approach and an efficient way to detect anomalies. However, BAD alerts are passive in nature and would not necessarily take remedial actions such as shutting down the production process.<\/p>\n

Manufacturers Remain a Target for Cyberattacks<\/h2>\n

According to the U.S. Department of Homeland Security, manufacturing was the most targeted industry for infrastructure attacks in 2015, and small and medium-sized manufacturers (SMMs) continue to be prime cyber targets.<\/p>\n

There is greater demand for cybersecurity because of manufacturers\u2019 growing dependence on technology and data as drivers of productivity and efficiency. SMMs traditionally have been challenged in how to manage cybersecurity concerns for a variety of reasons:<\/p>\n