Cyber Security Monitoring Solutions for Industrial Control Systems

How to Select the Correct Cyber Security Monitoring Tool for Your Organisation

Critical National Infrastructure (CNI) typically relies on Industrial Control Systems (ICS) to provide the core operational function that our society relies upon. Previously, these control systems were isolated and run on special hardware and software, where cyber security was not considered in the design. In time these systems have become more complex, more connected, and use a high level of communication: this can increase their vulnerability and increase the likelihood they become a target for cyber-attacks. A typical industrial control system consists of Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) as well as IT assets such as Windows computers, Historian Databases, printers, etc. ICS are connected via different industrial protocols which were initially designed to achieve the communication task without considering the cyber security requirements.

In recent years, many cyber-attacks have targeted industrial sectors and critical infrastructure such as Stuxnet, BlackEnergy, Industroyer, and TRITON. The result of these attacks led to major impacts on safety, availability, operation, the organisations reputation and ultimately a financial impact. Thus, there is a pressing need to monitor and secure these critical infrastructures.

Many tools (or solutions) are available in the market to monitor the cyber security posture of ICS/OT infrastructure, where alerts are triggered in case of any threat or vulnerability detected. These tools are connected to the OT network using either hardware appliances (such as network sensors), or software agents in order to monitor all network traffic. This enables the tool to detect the anomalous activities and, in some cases, block the traffic to prevent a cyber-attack. However, selecting a suitable solution that meets all requirements for each specific industrial application is a very challenging task due to the wide variety of features and supplier vendors. Also, the way these features can be deployed at customer site to gain the full visibility and resiliency of all critical and non-critical assets requires specialist knowledge and experience.

Many criteria should be considered when selecting a cyber security monitoring tool. Noting that this blog focuses on the technical criteria only, these criteria are:

  • Asset and network discovery,
  • Real time network activity monitoring and threat detection,
  • Vulnerability management,
  • Alerting system, and
  • Tool interoperability.

The selected tool needs to be able to discover all OT assets and inventory passively without affecting the operation of the ICS; identify the network topology and extract the asset artefacts such as: model, part number or serial number, firmware version, OS version, IP or MAC address, open ports, and installed software. Furthermore, some tools can also model or arrange these assets to zones or layers which reflect the actual network architecture.

Additionally, the selected tools should have the capability to monitor and detect all threats and suspicious activities using detection techniques such as signature-based detection, statistical anomaly-based detection, protocol deep packet inspection detection, and operational risk detection. The tool also needs to detect all vulnerabilities for each asset, prioritize these vulnerabilities using a scoring system, alert the operator and provide a remediation recommendation. It should then be able to generate a report for all security measures and provide different Key Performance Indicators (KPIs) tailored to suit different stakeholders’ requirements. Finally, the tool needs to provide connectivity with other tools such as SIEM, backup server, Historian server, SCADA and other third-party service tools.

Regency IT Consulting can provide targeted research to customers in order to support them in selecting the most appropriate cyber security monitoring tool for their environment. Different tools can be recommended according to the industrial application requirements in energy, oil & gas, water and waste water, manufacturing, transportation, nuclear and other critical infrastructure. Regency’s methodology for selecting cyber security monitoring solution follows four phases:

  • Define end customer site requirements,
  • Perform market research and identify all tools (solutions) that fit customer requirements,
  • Conduct evaluation for each identified solution based on research, vendor meetings and test bed deployments.
  • Report the findings and propose recommendations based on the outcome of the study.

In summary, cyber security monitoring tools are recommended to be used to enhance the cyber security posture for CNI, the correct selection and implementation of these solutions can minimise the downtime and increase the overall cyber security resiliency of industrial plants. However, selecting the correct solution and tool is a crucial step to achieve these targets, and ensures the ICS system availability, integrity and confidentiality.

For more information on how Regency can help your organisation, please contact

Mohammad JBair

By Mohammad Jbair (Security Consultant – OT Cyber Consulting Team)