Cyber Security update: Dynamic Endpoint Modeling vs. Network Intrusion Detection

This audio was created using Microsoft Azure Speech Services

As industrial control systems connect to the Internet they allow for greater business efficiency (e.g., remote process monitoring, predictive system maintenance, process control and production data analysis). However, at the same time, they also make businesses more vulnerable to cyber threats. According to the U.S. Department of Homeland Security ICS Cyber Emergency Response Team, a 20% increase in Integrated Control System (ICS)-related attacks was observed in 2015, across a wide range of US industry sectors.

Protection from cyber attacks can come in many different flavors. Most casual observers are familiar with firewalls that protect the outer perimeter (threats from outside) of the network. This blog focuses on two methods that are not firewalls and may be less familiar:  Network Intrusion Detection Systems (NIDS) and Dynamic Endpoint Modeling systems.  Both of these systems play an important role in protecting control systems environments such as power grids, water networks, manufacturing SCADA systems, and building management systems.

NIDS are network security systems that monitor the network and focus on the attacks that come from authorized users inside of the network. NIDS systems perform pre-emptive analysis by searching for anomalies and signatures on the network. Once detected, an alert is forwarded to a security analyst for review. The analysts’ role is important to determine which alerts are false positives and which alerts are legitimate attacks. Some NIDS also have a defensive capability (prevention) that enables them to block an anomaly or signature before it can cause damage.

NIDS are deployed at key entry points on a network and report their information to a central server where all alerts appear on a console. Analysts who are trained in viewing such alerts monitor network traffic to determine if the alert and signatures are legitimate attacks. In the event of an attack, appropriate action is taken by the network defense team to resist the attack according to the organizations internal process and procedures.

Dynamic Endpoint Modeling, on the other hand, is a newly emerging technology that provides an additional layer of control system network cyber security. Dynamic Endpoint Modeling learns and models the behavior of all devices on the network and triggers alerts when algorithms detect changes in learned behavior. Any changes that divert from the baseline will alert that a possible compromise or malicious activity has occurred on an endpoint.  These systems also know when a new device appears on the network or accesses the Internet for the first time.

Dynamic Endpoint Modeling Systems utilize the following five analysis dimensions to build their behavioral models:

1. Device role –  For example, sensor “A” reads motor power consumption information, stores it, and then forwards it every 12 hours to the energy management server.
2. Device group – Sensor “A” is compared to other like devices to see if it is behaving in the same way.
3. Device consistency –  Algorithms detect when sensor “A” has changed from its known traffic stream and access behavior
4. Rules deviation –  Algorithms detect changes in protocols, ports, and other end point statuses
5. Forecasted behaviors – Algorithms forecast learned behavior from past behavior and analysis.

Endpoint Modeling offers a quick and cost-effective deployment in a passive mode without any impact to network performance. Unlike traditional intrusion detection preventions systems, the skill sets needed to deploy and maintain the system are not demanding, and the costs for implementing are comparatively low.

As a Schneider Electric business partner, an entire suite of cyber security related best practices can help you to grow revenues at existing customers and to expand into areas that offer new business opportunities. Click here for more information.