How does one tell if unusual traffic on the network originated from a malicious insider, a malware or some rogue device attached to the network?
And can you tell whether a legitimate maintenance personnel entering and exiting a facility only performed the task he was supposed to do and not something “extra” because he has been bribed, threatened or simply made a mistake?
Kayato Sekiya, Principal Researcher at NEC, argues that answering the above types of questions is difficult since two critical properties are missing from most security systems:
Integration of cyber security and physical security
Conventionally, IT cyber security, control system cyber security and physical security has been monitored by separate departments using independent systems which has resulted in lack of situational awareness and of strict policy enforcement.
Segregation in monitoring of automated processes and human-intervened tasks
Automated processes and human-intervened tasks intrinsically have very distinct security requirements. Automated processes even if suspicious should never be blocked. However, each human-intervened task should be authorized before execution and any suspicious activities in general should be escalated to higher authority and blocked until explicit security clearance.
The approach of Automated Processes Monitoring & Human-Intervened Task Monitoring
At the EE-ISAC Expert Seminar in Athens, Mr Sekiya will be discussing the above and explaining how to deal with these challenges following the approach of
- Automated Processes Monitoring: Automated learning of “benign process” model and detection of “malicious processes” through network / application anomaly detection.
- Human-Intervened Task Monitoring: Continuous monitoring, recording and restriction of workers’ behaviors across physical and cyber space based on identity and authorization.
For human-intervened task monitoring, a case study will be discussed in which security administrators were able to view and control a worker’s activities across physical and cyber. Workers were then enforced follow a specific sequence of activities that is defined by the work order.
EE-ISAC Expert Seminar on 7 September (Athens)
Mr Sekiya is presenting during the EE-ISAC Expert Meeting. On behalf of all EE-ISAC Members, ENISA is welcoming European utilities in Athens to join this free-to-attend seminar on trusted cyber security information sharing within the European energy landscape.
Please note: registration is open to utilities only.