Safeguard OT Environments from Cyber Attacks

By Gary Southwell, General Manager and VP of HPPD, ARIA Cybersecurity Solutions

Finding attackers in operational technology (OT) environments can feel like chasing ghosts. For years, operations have sunk money into building a defense that could keep attackers out by limiting the way in. Unfortunately, 700-plus successful OT attacks over the past three and a half years show that the most dangerous attackers have figured out how to get in without being detected by current cybersecurity solutions.

One of the simplest approaches to defending and protecting against attacks is the NIST Cybersecurity Framework (CSF). Both Rockwell Automation and its Technology Partner, ARIA Cybersecurity, are proponents of using the NIST CSF to prepare organizations to deal with cybersecurity challenges.

The NIST CSF can be thought of as two sides of a coin: on one side, steps to prevent harm, and on the flip side, steps to manage the aftermath of an attack.

The Aftermath of an Attack

Let’s start by looking at firefighting and cleanup. This investigative response involves tools, people and services that hopefully identify and contain the problem quickly.

However, people and services are extremely expensive, with retainers paid in advance just to secure their time. Paying for the aftermath, companies incur millions of dollars out-of-pocket for the average attack. And that doesn’t include loss of production, dealing with compliance reporting, or trying to get your insurance company to pay out. Just look at Merck’s OT attack — five years and $1.4 billion in losses later, the pharmaceutical giant finally wins against insurers in court.

Prevention First

This is why NIST focuses on prevention first. If done effectively, it reduces an attack’s level of impact. This can reduce risk-associated costs by millions per year, possibly more if the value of impacted lost production is high.

As you can see in the figure, NIST starts with creating a risk management strategy. However, the NIST CSF is not specific on how to do this. So, start with the basics, such as limiting the paths into the environment where your critical applications run and limiting who has access and how, such as through proper challenge authentication.

Finally, and perhaps most importantly, organizations need to implement proper countermeasures to stop any attackers that do get in, ideally before harm is done, thereby minimizing remediation and compliance reporting efforts.

To achieve this, ARIA has worked with Rockwell Automation to provide a simple-to-deploy means to protect critical applications and the Windows or Linux OS on which they run.

The NIST Cybersecurity Framework outlines a risk management strategy to help identify risks and protect against cyber threats. [click image to enlarge]

How Countermeasures Work

Unlike other active approaches that run as applications that can be bypassed, ARIA’s AZT PROTECT™ is a kernel-level driver connecting in at Ring 0 of the kernel. When positioned at this level, the software monitors everything that executes in memory, continuously, in real time.

The software learns every application that runs on your devices and how they’re executed. The program creates an immutable ID for each application and monitors them as they run to see if the ID changes. If it does, you have an imposter application or an exploit attempt on the application’s code. The platform stops both automatically.

Unfortunately, at any given moment, there are typically hundreds of common vulnerabilities and exposures (CVEs) for every OT environment that aren’t patched, or a patch is not yet available. And those are just CVEs that the industry knows about. AZT stops both known and yet-to-be-identified vulnerabilities because it’s configured to stop anything that does not have an approved TrustID from executing.

The software also includes countermeasures designed to detect the sophisticated attack techniques used in living-off-the-land (LOTL), advanced persistent threats (APTs), and other attacks that use the operating systems’ process to execute the attack, or once in, raise privileges to get control. A reactive artificial intelligence (AI) runs in the AZT driver to trigger the appropriate countermeasure response to automatically stop these attack processes as they appear.

The platform is designed to stop attacks on supply chains, utilities, pharmaceutical and healthcare sites, critical infrastructure and more. For more details, read our recent white paper, “What Is Critical Infrastructure – and How Can Attacks Against It Be Stopped?”

ARIA Cybersecurity Solutions, based in Lowell, Massachusetts, is a Rockwell Automation Technology Partner that offers complete network and data security solutions. Its ARIA Zero Trust PROTECT (AZT PROTECT™) AI-driven defense system is designed to protect OT endpoints from all cybersecurity threats.

Like this article? Sign up for the digital magazine (4X/year) and e-newsletter from The Journal From Rockwell Automation and Our PartnerNetwork.

_{The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.}

Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration

Manufacturing Case Study

Protecting a Multi-Site OT Environment

In this case study, learn how ARIA Cybersecurity Solutions and Rockwell Automation protect one of the world’s largest pharmaceutical manufacturers.

You can also learn more about this case and how Rockwell Automation and ARIA work together to protect manufacturing environments in their on-demand webinar, “CyberRx: How to Automatically Protect Rockwell OT Customers from Today's Cyberattacks.”

Download the Case Study Watch the Webinar