Debunking Myths: IT, OT, ICS Security from an Engineer's Perspective

Hi, Everyone!!! I know I'm not one of the usual geniuses you see posting these official Gravwell blog posts, so I apologize in advance if this doesn't cover all the technical deep dives or "how things work" examples you've come to expect. I had some thoughts that I felt needed to share with you, so I asked if I could write one of these, and, for some reason, they decided to let me.

First off, a little about me so you can understand my place here at Gravwell and whose voice you are about to hear. My name is Daryl, and I am one of the Resident Engineers who help ensure our customers' success while using Gravwell. I come from a strong IT background, having been around since the days of providing Dial-Up Internet Support, so I am absolutely a tech guy (not Sales/Marketing) who has seen a lot as IT has grown up over the past several decades and who has a pretty good understanding of the basics and rules around how Cybersecurity is done in 2023.

So, why did I want to mention my IT background? Because I recently had the privilege and opportunity to attend the SANS ICS Summit in Orlando, followed by the ICS Visibility, Detection, and Response training, and OMG, it was eye-opening. I had fully bought into the mainstream IT Security story like most people: “Keep your systems patched. Use Anti-virus Software. Run these latest Cybersecurity tools with all the circles and arrows with a paragraph in the comments telling you about what it found. Run fancy SIEM tools with all the preconfigured dashboards and detections built in so you can just hit that EASY Button to identify and stop all the threats and attacks on your systems.” I mean, this is what we've been told for decades now. We learned in the days of AIM and Yahoo Messenger not to click strange links. The basics remained the same, but the tools became more sophisticated. If we followed these "simple" recommendations and rules, then we would be protected. And by extension, if we got hit with a virus/attack, then it was our own fault because we didn't do what we were supposed to do to keep ourselves safe.

But the reality is, it's not always that simple. Antivirus software alone is notorious for messing with legitimate programs you are trying to run because they "act like xyz suspect behavior." In a regular IT environment, it can be annoying, but in an OT environment, it can be downright disruptive to the work you are trying to accomplish. It gets even worse when you look at a lot of other security practices that are common or becoming common within an IT environment. When I worked in Cable, we had issues when “Active scanning” applications ran across the network where the port probes would kill any number of control systems and set-top boxes in the field because they just didn’t have the memory or expectation to need to handle those random probes. This same problem exists in many ICS/OT environments, with serious operational, safety, or redundancy ramifications. And this doesn’t even get to the questions and issues around the false sense of security. Many of the tools out there have been trained in IT environments with IT threats and behaviors. Very few of them actually take a serious look at ICS/OT environments which legitimately have a very different set of threats and priorities than IT environments, so the tools will never catch something they haven’t been trained to look for. This also doesn’t delve into the issue of timescales where we’ve seen ICS/OT threats/attacks emerge over the span of months/years versus attacks in IT which tend to happen in a matter of days/weeks.

So, what is the solution here? How do we address these unique issues? And I’m sure by now you are wondering, how does this all tie into Gravwell since they let me throw this wall of text up here on company resources? To answer that last question, I’ll get there!

First, we need to acknowledge that ICS/OT Cybersecurity is a different animal than your traditional IT Cybersecurity. There is some overlap in ICS/OT systems that we can learn from and adapt from their IT brethren,  but we need to understand that what works in IT may not work in OT.   It may feel counterintuitive, but less can often be more effective in an OT environment due to the different priorities and the much longer time frames it can take for a major cyber incident to manifest itself.

The next thing is to look at our ICS/OT environment and determine how we want to lay out our defenses, keeping in mind our real priorities AND how to best spend our resources. For example, spending half our budget on the latest IT cybersecurity toolset, which has zero training or existing deployments within an OT environment, may not be the best use of our time and money. There are a few resources and general thoughts on this, but the SANS "5 Critical Controls" is a damn good starting point and blueprint on what should be done.

One of the biggest bangs for your buck within that framework is ensuring you have good visibility into your systems. You can't catch the bad guy if you can't see him. Also, when you are looking at adversaries that can move at a sloth's pace getting all the pieces in place and having a historical record easily accessible can be a huge help as well if you ever need to call in specialized help.

This ultimately brings us to Gravwell. I knew from working here and seeing how well it helps our customers that it was an amazing tool and something I was proud to be associated with, but wow, I had no clue until the summit how completely unique and well-suited for these ICS/OT environments when compared to some of our competitors Gravwell truly was.

1. The Cloud. In today's world of "everything in the cloud," having a tool that was designed to be self-hosted on-premises, and has the commitment from everyone from the CEO down to always remain available self-hosted, is incredibly rare. Why is this such a big deal? Well, when you are talking about ICS/OT environments, there are a ton of reasons why pushing something into the cloud is not ideal. It could be a legal issue that requires you to retain complete control over your data. Or maybe it’s a concern about sensitive intellectual property or business data that has you wanting to keep full control over the systems containing any of this data. This can even tie directly into the 5 critical controls via a "defensible architecture." If you need to punch a hole and connect your most sensitive and secure systems into a cloud network in order to record and retain some data, you may have to ask some questions about the risk/reward of collecting the data versus creating doors into that environment that could be exploited. In those situations, having something that can run, happily, in a completely isolated/internal network can be invaluable.
2. True Binary support. How many tools out there can store/keep your binary data within the tool, be it something like network traffic PCAPs, or custom file formats/logs/historical records/etc., that are unique within ICS/OT Environments? A prime example is: how many of your SIEM/Log Management tools can actually understand Modbus data natively?
3. Structure on read design. What does this mean in layman's terms? It means you don't have to normalize the data before you store it. Or in other words, you don't have to know the questions that you need answered before you store the data in the system. It also means you don't have to throw away potentially useful data simply because there is not a current use case for it. All the data is in the system in its original format. Again, in an ICS/OT environment, this can be a major deal because it makes it so much easier to be comfortable in the knowledge that you still have the complete logs from months/years ago when a new threat starts to come to light.
4. Non-Punitive pricing. I feel like this is a somewhat under-appreciated technical consideration. "But Daryl!" you say. “Pricing is a financial consideration. Not a technical one." To which I reply, True, pricing is often considered a financial matter. But here's why it's also a technical one in this context: when you are considering how much data you can afford to collect, analyze, and store, you're looking at a technical decision that's being driven by financial constraints. If your security tool charges by volume or speed of data ingestion, you may find yourself cutting corners on what data you're collecting or how long you're storing it, simply to keep the costs manageable. That could mean you're not collecting logs from every device you should be, or you're not keeping records as long as you might need to for a thorough investigation of a slow-moving threat.
   
   With Gravwell's 'non-punitive' pricing model, you pay for the number of nodes (devices) you're collecting data from rather than the volume of data they generate. This means that you don't need to worry about the financial implications of collecting more detailed logs or keeping them for longer periods. It allows you to make your data collection decisions based purely on what's best for your security posture without having to worry about cost overruns.
5. Scalability and performance. As you add more devices to your ICS/OT environment, or as those devices generate more data, you need a solution that can keep up. Gravwell is designed to be highly scalable, so it can handle the increasing data loads without breaking a sweat. Additionally, it's capable of ingesting, analyzing, and searching data in real-time, which is crucial for identifying and responding to threats as quickly as possible.
6. Customizability and flexibility. Every ICS/OT environment is unique, and the tools you use need to be able to adapt to your specific needs. Gravwell's query language is highly flexible, allowing you to tailor your searches and analytics to suit the data you're working with and the questions you need to answer. Furthermore, Gravwell can ingest data from a wide range of sources, including not only standard log files, but also network traffic, binary files, and more.
   
   A successful cybersecurity strategy for ICS/OT environments requires a clear understanding of your priorities and resources, robust data collection and visibility, and a toolset that's designed to meet the specific challenges of these environments. Gravwell offers a unique combination of features that make it well suited to this task, including on-premises hosting, true binary support, a structure-on-read design, non-punitive pricing, scalability, performance, and customizability.
7. Forensic capabilities. Industrial Control Systems (ICS) and Operational Technology (OT) environments often need strong forensic capabilities to investigate incidents when they occur. Gravwell provides a strong suite of forensic tools, allowing you to review historical data, reconstruct events, and identify root causes. With non-punitive pricing, you can afford to keep more data for longer, thereby enhancing your forensic capabilities. As the data is also stored in its original form, and we support raw exports, your ability to perform true forensic investigations isn’t hampered by choices you made to support your daily monitoring. 
8. Integration. Gravwell is designed to integrate with a wide range of other tools, allowing you to create a comprehensive security ecosystem. Whether it's other monitoring tools, threat intelligence feeds, incident response platforms, or automation tools, Gravwell can work in harmony with them, enhancing their value and creating a more holistic view of your security posture.
9. Compliance. Many ICS/OT environments have to comply with various industry regulations and standards, and demonstrating compliance often requires detailed logging and reporting. Gravwell's comprehensive data collection and powerful analytics can help you meet these requirements more easily.
10. Support and community. Last but not least, Gravwell has a strong support team and a growing community of users who can provide assistance, share their experiences, and help you get the most out of the tool. Having this kind of support can be invaluable, especially when you're dealing with the complex and unique challenges of securing ICS/OT environments. Please join our discord! https://discord.gg/gravwell

Gravwell's unique approach and capabilities make it a strong contender in the field of cybersecurity for ICS/OT environments. It's not just about the tool itself but about how it fits into your overall strategy, how it helps you achieve your goals, and how it adapts to your specific needs. With its focus on flexibility, scalability, affordability, and strong support, Gravwell is well-positioned to help organizations protect their critical ICS/OT infrastructures.

Gravwell stands out as a powerful tool to help you achieve your security goals in these environments, providing the necessary features and flexibility to ensure comprehensive protection. By offering on-premises hosting, true binary support, structure-on-read design, non-punitive pricing, scalability, performance, and customizability, Gravwell is tailored to the specific needs of ICS/OT security.

To fully leverage Gravwell's capabilities, it's important to combine them with well-defined security policies, continuous monitoring, and a skilled team that can act on the insights generated by the platform. This comprehensive approach will not only help you detect and respond to threats more effectively but also reduce the likelihood of successful attacks and minimize the potential damage to your critical infrastructure.

In the ever-evolving landscape of cybersecurity, staying ahead of threats is essential. By utilizing tools like Gravwell and implementing a robust cybersecurity strategy, you can protect your ICS/OT environments and ensure the ongoing safety, reliability, and efficiency of your operations.

Experience the power of Gravwell for yourself by trying it for free in your workplace or even in your home lab. We're confident in the value and flexibility our platform provides, and we're excited to offer a free community edition to help you get started. Visit us at https://www.gravwell.io/community-edition to claim your free license. 

Moreover, to show our appreciation for your time and effort in reading this entire blog post, we have a special treat for you. Email us at marketing@gravwell.io, and we'll send you a swag pack full of cool, reflective Gravwell stickers. It's our way of saying 'thank you' and helping you showcase your dedication to the cause! Don't wait. Start your Gravwell journey today!