It’s sort of ironic that the sector with the most 24x7 control rooms still struggles with monitoring for cyber attacks. However, the critical infrastructure sectors, for the most part, change slowly. And while they have always appreciated the need to monitor operations around the clock, those operations had been largely self-contained, with limited exposure to outside networks. Consequently, cyber attacks within these networks have been minimal. While that is still largely the case for truly air-gapped networks, very few truly air-gapped networks exist anymore. Moreover, as Stuxnet demonstrated, air gaps are not always enough. Within the realm of connected networks, the number of attacks of some flavor, and the number of security alerts generated by modern security detection platforms, is enormous. For example, a recent FireEye survey found that 37% of respondents faced more than 10,000 security alerts each month. Many are doing reviews manually, and even where technology is employed to help with correlation and analysis, the workload is daunting, requiring several full-time people in even small and medium-sized organizations. And while control system networks don’t experience anywhere near these volumes of alerts, the lack of visibility within control system networks means that if one of those 10,000 alerts is missed on the enterprise side and finds its way into a control network, the attacker is much more likely both to operate undetected and to achieve their objective.
However, the challenges presented are more than just forwarding alerts on to a security information and event management (SIEM) system or a centralized dashboard. The most relevant data, the operational state of the actual pumps, switches, motors, and related devices, is often the most difficult to obtain. As Stuxnet demonstrated, actual operational states can be masked by layers of software that are themselves vulnerable to attack. Peeling back that abstraction and reporting actual operational anomalies, rather than raw telemetry, is both more accurate and involves a lot less data.
As the diagram above demonstrates, one must be creative to obtain the required information, but it is possible to get relevant and actionable operational data from a control environment. Ultimately that data can be integrated with enterprise data to provide a clearer picture of the threats the organization is facing. The next question is whether there are “eyes on the glass.” While SIEMs and workflow tools can offer a lot of automation, they still cannot replace human analysts. And for any medium or large organization, those human analysts need to be watching 24 hours a day, culling events from both the enterprise and operations sides, to effectively gauge the ongoing threats to the organization. While it may be tempting to assume that security engineers can just add reviewing and responding to alerts as one of many job responsibilities, the reality is that a human being can only multi-task so much. An outsourced or in-house security operations center is no longer a luxury for those hoping to have any chance of detecting and responding to a major breach in a timely fashion. The attacks are too frequent, sophisticated, and dangerous to do it any other way.
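To make the two preceding points concrete (reporting operational anomalies instead of raw telemetry, and handing the SIEM a small stream that analysts can actually watch), here is an added example that is not part of the original post and not code from any product it mentions. It compares the speed a control system reports for a pump against a speed derived from an independent, out-of-band sensor (assumed here to be a clamp-on power meter), and emits an event only when the comparison changes state: a masked reading (reported and measured values diverge) or a frozen reading (the reported value stops changing while the physical measurement keeps moving, the pattern Stuxnet is remembered for). The asset name, sample values, CEF vendor/product strings and event types are all constructed for the example.

```python
"""Operational-anomaly detection for one pump (added example, not the post's code).

Each constructed sample pairs the speed the control software reports (what an
HMI or historian would show) with a speed derived from an independent sensor.
Raw samples stay local; only state changes in the comparison become events,
which is the small, high-value stream worth forwarding to a SIEM.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Sample:
    ts: int              # seconds since start (constructed timeline)
    reported_rpm: float  # what the control software reports
    measured_rpm: float  # what the independent sensor implies


def detect_anomalies(samples: Iterable[Sample], asset: str = "PUMP-01",
                     tolerance: float = 0.10, window: int = 5) -> List[Dict]:
    """Return one event per state change, not one per sample.

    divergence: reported and measured speed differ by more than `tolerance`
                (software masking the true process state).
    frozen:     the reported value has not changed at all over `window`
                samples while the measured value moved by more than
                `tolerance` (a replayed or static reading).
    """
    events: List[Dict] = []
    history: List[Sample] = []
    active = {"divergence": False, "frozen": False}

    def emit(kind: str, s: Sample) -> None:
        events.append({"ts": s.ts, "asset": asset, "type": kind,
                       "reported_rpm": s.reported_rpm, "measured_rpm": s.measured_rpm})

    for s in samples:
        history.append(s)
        checks = {}
        # Check 1: masking -- relative gap between reported and measured speed.
        gap = abs(s.reported_rpm - s.measured_rpm) / max(s.measured_rpm, 1.0)
        checks["divergence"] = gap > tolerance
        # Check 2: frozen reading -- reported stream flat while the process moves.
        recent = history[-window:]
        if len(recent) == window:
            distinct_reported = {x.reported_rpm for x in recent}
            measured = [x.measured_rpm for x in recent]
            spread = (max(measured) - min(measured)) / max(sum(measured) / window, 1.0)
            checks["frozen"] = len(distinct_reported) == 1 and spread > tolerance
        else:
            checks["frozen"] = False
        # Emit only on transitions: a condition lasting an hour yields two
        # events, not thousands of samples, which is what keeps analysts sane.
        for kind, now in checks.items():
            if now and not active[kind]:
                emit(kind + "_start", s)
            elif active[kind] and not now:
                emit(kind + "_end", s)
            active[kind] = now
    return events


def to_cef(event: Dict) -> str:
    """Format an event as a CEF line for syslog forwarding to a SIEM.

    Vendor, product and signature strings are placeholders for this example;
    cn1..cn3 are the standard CEF custom-number extension keys.
    """
    def esc(value) -> str:  # header fields must escape backslash and pipe
        return str(value).replace("\\", "\\\\").replace("|", "\\|")
    severity = 8 if event["type"].endswith("_start") else 3
    ext = (f"dvchost={event['asset']} cn1Label=ts cn1={event['ts']} "
           f"cn2Label=reported_rpm cn2={event['reported_rpm']} "
           f"cn3Label=measured_rpm cn3={event['measured_rpm']}")
    return (f"CEF:0|ExampleOT|ProcessMonitor|1.0|{esc(event['type'])}|"
            f"{esc(event['type'].replace('_', ' '))}|{severity}|{ext}")


# Constructed telemetry: normal running, then the reported value is held at
# 1500 rpm while the independently measured speed climbs, then recovery.
CONSTRUCTED_SAMPLES = [
    Sample(0, 1500.0, 1502.0), Sample(1, 1503.0, 1499.0), Sample(2, 1498.0, 1501.0),
    Sample(3, 1501.0, 1497.0), Sample(4, 1500.0, 1503.0),
    Sample(5, 1500.0, 1640.0), Sample(6, 1500.0, 1720.0), Sample(7, 1500.0, 1790.0),
    Sample(8, 1500.0, 1810.0), Sample(9, 1500.0, 1850.0),
    Sample(10, 1506.0, 1504.0), Sample(11, 1499.0, 1500.0),
]


if __name__ == "__main__":
    found = detect_anomalies(CONSTRUCTED_SAMPLES)
    for ev in found:
        print(to_cef(ev))
    print(f"{len(CONSTRUCTED_SAMPLES)} samples in, {len(found)} events out")
```

Run as-is, the twelve constructed samples produce four CEF lines (divergence and frozen start/end) instead of twelve raw readings; in a real deployment the independent measurement is the hard part the post talks about, and the detector is only as good as the sensor path being separate from the software it is checking.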