Protect Your Operations with Proactive Threat Hunting

December 12, 2018

By: Pascal Ackerman, Rockwell Automation

You have a strong industrial security program in place. You’ve cleaned up with good cyber hygiene and have implemented intrusion detection systems to avoid future incidents. But in the complex world of cybersecurity, you can’t stop there.

Despite all your efforts, latent advanced persistent threats (APTs) are still a concern. They are slowly at work trying to find chinks in your armor and exfiltrate data, bogging down your operations. And intrusion detection isn’t going to catch this activity.

You’re Ready for Threat Hunting

Threat hunting is one of the next logical steps in your cybersecurity program. In its simplest form, you are searching the network for external threats or intrusions that went undetected by automated security systems. It is a very scalable exercise and can be done with varying degrees of automation, including none at all.

It not only further protects your proprietary recipes and information, but also has great potential to improve operational efficiency. While this practice isn’t entirely new to the IT space, it is making its way into OT environments. And this is where beverage and food production can benefit the most.

Threat hunting is proactive, and takes a step back from the scanning tools, traps and future-focused infrastructure already in place. In an age of technology, it uses gray matter to uncover malicious activity and infiltrations that have been hiding in your network for months, maybe years. And further, it can find correlations not otherwise detectable between network activity and production inefficiencies.

Infestations Wreaking Havoc in Unexpected Ways

Have you noticed your mixer acting up? Are HMIs locking down? A label printer flashing errors?

It can start with an operator charging their unprotected phone in an open USB port on the network. Months later, your oven starts acting up and won’t maintain set parameters, even though mechanically, there’s nothing wrong.

Careful review of network logs uncovers that each time the oven acts up, there are beacons going to an outside IP address. This correlation is otherwise undetectable, and is what makes the human factor critical, and threat hunting so valuable. 

I went into a plant once that was experiencing repeated network slowdowns on a certain shift. Proactive hunting led to the discovery that one employee’s workstation was running an undetected BitTorrent client. So, each day when they logged in at the beginning of their shift, the entire network was impacted.


Why Aren’t Intrusion Detection Systems Catching All of This Hidden Malware?

Most of what threat hunting uncovers appears innocent, and without context and correlation, passes detection systems as business as usual. A piece of malware can communicate with an unknown IP address, but will look similar to intended internet traffic.

There also could be SYN scans going on at the periphery, outside the boundaries of what your security software is looking for. They sit quietly and slowly look for a hole in the network. Their probes aren’t being refused and they haven’t established outside connections yet, so they remain undetected.

In a threat hunting exercise, you may discover that an outbound connection is coming from a process that shouldn’t be going out to the internet. Or you may find a system that wasn’t being used at the time the communication was made, indicating an infected source.

The thing is, these APTs were probably already there when you implemented your cybersecurity system. That’s because most intrusion detection and prevention programs rely on a known-good state. If the baseline they start from already contains bad traffic or malware activity, that activity becomes part of the norm. Many publicized security breaches have fit into this category: it is only years after a breach occurred that it’s detected and the scope of the damage realized.

Getting Started

The good news is, you likely have what you need to get started. Threat hunting is easy to implement with the right partner and can be a one-time activity or become part of an ongoing security program. Your HMIs and servers are already creating activity logs that you can gather and analyze offline, so there’s no stress on the network and no production interruptions.
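As an added example that is not part of the original article, the following Python script replays a small, constructed set of HMI and workstation connection log lines offline, in the spirit of the Getting Started section, and flags the three indicators the article describes: outbound traffic from a host that should never reach the internet, activity from a host outside its scheduled shift, and beaconing to one outside address at a regular interval. The host names, IP addresses, process names, plant network ranges and shift schedules are all constructed assumptions.

```python
"""Added example (not from the article): replay constructed HMI/workstation
connection logs offline and flag egress from hosts that should never reach
the internet, off-shift activity, and regular beaconing. All data constructed."""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

PLANT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EGRESS = {"eng-ws-4"}  # only hosts allowed to reach the internet
SHIFT_HOURS = {"oven-hmi-1": (time(6, 0), time(22, 0)),
               "eng-ws-4": (time(8, 0), time(17, 0))}
# Constructed log lines: timestamp, source host, destination IP, process
SAMPLE_LOG = [
    ("2018-11-05 06:00:12", "oven-hmi-1", "10.10.2.20", "FTView.exe"),
    ("2018-11-05 06:05:10", "oven-hmi-1", "203.0.113.7", "svchost.exe"),
    ("2018-11-05 06:35:10", "oven-hmi-1", "203.0.113.7", "svchost.exe"),
    ("2018-11-05 07:05:10", "oven-hmi-1", "203.0.113.7", "svchost.exe"),
    ("2018-11-05 07:35:10", "oven-hmi-1", "203.0.113.7", "svchost.exe"),
    ("2018-11-05 02:13:44", "eng-ws-4", "198.51.100.9", "updater.exe"),
    ("2018-11-05 09:30:00", "eng-ws-4", "198.51.100.9", "chrome.exe"),
]

def is_external(dst):  # True when the destination is outside every plant net
    return not any(ip_address(dst) in net for net in PLANT_NETS)

def hunt(log, allowed=ALLOWED_EGRESS, shifts=SHIFT_HOURS, min_hits=3):
    """Return (indicator, host, destination, detail) tuples for analyst review."""
    findings, by_pair = [], defaultdict(list)
    for ts, host, dst, proc in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if is_external(dst):
            by_pair[(host, dst)].append(when)
            if host not in allowed:
                findings.append(("unexpected-egress", host, dst, f"{proc} at {ts}"))
        start, end = shifts.get(host, (time.min, time.max))
        if not start <= when.time() <= end:
            findings.append(("off-schedule", host, dst, f"{proc} at {ts}"))
    # Beaconing: several hits to one outside address at a near-constant interval
    for (host, dst), hits in by_pair.items():
        hits.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
        if len(hits) >= min_hits and pstdev(gaps) <= 0.1 * mean(gaps):
            findings.append(("beacon", host, dst, f"every ~{mean(gaps):.0f}s"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

On the sample data the oven HMI's half-hourly contacts with 203.0.113.7 surface both as unexpected egress and as a beacon, while the engineering workstation's 02:13 connection is flagged only because it falls outside that host's shift.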

So stop relying solely on endpoint protection and virus scanners to detect if you’re vulnerable. Go hunting for infiltrations before they impact your plant floor.
