The concept of visibility was introduced to most of us at an early age. The message was clear. Seeing is important.

Watch where you’re going!  Steer clear of danger!  Look before you leap!

But while this may have done little to actually protect us from danger, we inherently understood, even as children, that visibility was an essential component of safety and security. Without visibility, protecting yourself from attack is nearly impossible.

As professionals, then, it’s expected that we understand what the White House means when it says, “We cannot address threats we cannot see” in the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems[1]. And we do. Understand.

Or do we just think we understand[2]?

What is Network Security Monitoring and Visibility for IT

If you’ve been to an airport in recent years, you’ve likely seen the proliferation of self-serve check-in kiosks. Maybe you even caught one roaming around the airline ticket counter. If you insert your credit card, the kiosk retrieves and displays your flight information, allows you to change your seat, check your bags, and one day might offer you a cup of coffee. When you’re finished, the kiosk transmits your check-in status to the airline, prints your boarding pass and luggage tags, and tells you where to pick up your coffee.

IT data includes everything sent over the internet to retrieve your flight information, like keystrokes, your credit card number, or biometric data. OT data includes the control signals sent along an internal ‘network’ used by components inside the kiosk, like the display screen, the printer, and the computer that instructs them.

Cybersecurity for IT and OT has a lot in common in that both require the ability to inspect data to ferret out hackers and malware. The devices and systems used to collect and handle network data for threat analysis are commonly referred to in IT as Network Security Monitoring, aka Visibility.

What is Network Security Monitoring for Critical Infrastructure?

FERC recently issued a Notice of Public Rulemaking (‘NOPR’) directing NERC to develop Reliability Standards for Internal Network Security Monitoring (‘INSM’)[3] for Critical Infrastructure. Existing NERC CIP Reliability Standards[5] focus on defending the network perimeter. NERC CIP Standards for INSM will focus on improving visibility inside your network.

Patrick Miller, CEO of Ampere Industrial Security[4], explains Network Security Monitoring for Critical Infrastructure as something akin to the flight data recorder, or black box, used on airplanes to collect and record information about the flight. Stuff like fuel, altitude, heading, and air speed is collected by sensors and stored in a crash-survivable medium used for accident and incident investigation.

When something goes wrong, the 25 hours of data held on the recorder can often provide insight into what happened. But even the best recording device is only as good as the inputs it receives. And that’s where Visibility comes in.

Visibility/Monitoring for critical infrastructure (and OT) typically begins with the addition of network TAPs at the Control System level. Network TAPs are purpose-built devices that copy the traffic crossing a link and send those otherwise hidden bits and bytes to packet brokers and security tools that inspect and respond to abnormal or malicious activity.

Once TAPs are installed, network packet brokers filter, aggregate, regenerate and efficiently route network traffic to security tools, which mitigates the challenge of examining vast quantities of network data. Systems that capture all network packets, especially while under attack, create a complete historical archive of the data required to meet strict NERC CIP audit requirements. The addition of TAPs creates a tightly integrated, compliant security solution for critical infrastructure. They give you ready access to data from critical infrastructure systems without adding to the compliance footprint or requiring you to reprogram network switches. So, when the next supply chain attack happens or new reporting regulations are enforced, you’ll have the ability to see whether or not you’re affected.
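To make the "aggregate, filter, regenerate and route" steps concrete, here is a small model of a packet broker sitting between two TAP legs and a set of security tools. It is an added example written for this post, not Keysight's code nor any real broker's implementation; the tool names, the TAP leg names and the sample frames are all constructed. It shows the three behaviours the paragraph above names: duplicate frames seen on both legs of a full-duplex TAP are collapsed (aggregate/dedup), each tool receives only the traffic its rule selects (filter), one frame can be copied to several tools (regenerate), and the full-capture archive always gets every frame so the historical record is complete even when the rules change.

```python
"""Toy packet broker: TAP legs -> aggregate/dedup -> filter/route -> tools.

Added example for this post (not from any vendor). All names and frames are constructed.
"""
from dataclasses import dataclass
from typing import Callable

ARCHIVE = "full-capture"   # the always-on archive feed (constructed tool name)


@dataclass(frozen=True)
class Frame:
    tap: str        # which TAP leg observed the frame (constructed: "tap-A" / "tap-B")
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


# A routing rule: (rule name, predicate on a frame, destination tool)
Rule = tuple[str, Callable[[Frame], bool], str]


def dedup_key(f: Frame) -> tuple:
    """Identity of a frame independent of which TAP leg saw it.

    A real broker hashes the frame bytes; here the tuple of headers + payload stands in.
    """
    return (f.src, f.dst, f.proto, f.dport, f.payload)


def aggregate(frames: list[Frame], window: float = 0.002) -> list[Frame]:
    """Merge all legs into one time-ordered stream, dropping copies seen within `window` seconds."""
    merged: list[Frame] = []
    last_seen: dict[tuple, float] = {}
    for f in sorted(frames, key=lambda fr: fr.ts):      # stable sort keeps tap-A copy first
        k = dedup_key(f)
        if k in last_seen and f.ts - last_seen[k] <= window:
            continue                                     # same frame, other leg: drop it
        last_seen[k] = f.ts                              # later repeats (e.g. next poll) are kept
        merged.append(f)
    return merged


def route(frames: list[Frame], rules: list[Rule]) -> dict[str, list[Frame]]:
    """Fan each frame out to every tool whose rule matches; the archive gets every frame."""
    feeds: dict[str, list[Frame]] = {ARCHIVE: []}
    for _, _, tool in rules:
        feeds.setdefault(tool, [])
    for f in frames:
        feeds[ARCHIVE].append(f)                         # complete historical record
        for _, matches, tool in rules:
            if matches(f):
                feeds[tool].append(f)                    # one frame may reach several tools
    return feeds


# Constructed rules: ICS protocol traffic to an ICS IDS, DNS to a DNS monitor.
RULES: list[Rule] = [
    ("modbus-to-ics-ids", lambda f: f.proto == "tcp" and f.dport == 502, "ics-ids"),
    ("dns-to-dns-monitor", lambda f: f.proto == "udp" and f.dport == 53, "dns-monitor"),
]


def broker(frames: list[Frame], rules: list[Rule] = RULES) -> dict[str, list[Frame]]:
    """The broker pipeline: aggregate the TAP legs, then filter/route to tools."""
    return route(aggregate(frames), rules)


def feed_sizes(feeds: dict[str, list[Frame]]) -> dict[str, int]:
    """How many frames each tool had to examine, versus what the TAPs produced."""
    return {tool: len(fs) for tool, fs in feeds.items()}


# Constructed sample traffic. Both legs of a full-duplex TAP see the same frames,
# so the raw capture holds more frames than actually crossed the link.
MODBUS_READ = bytes.fromhex("000100000006010300000a")      # constructed Modbus/TCP read request
DNS_QUERY = bytes.fromhex("1234010000010000000000000377777707")  # constructed DNS query bytes
SAMPLE = [
    Frame("tap-A", 1.000, "10.0.1.5", "10.0.1.20", "tcp", 502, MODBUS_READ),
    Frame("tap-B", 1.000, "10.0.1.5", "10.0.1.20", "tcp", 502, MODBUS_READ),   # same frame, leg B
    Frame("tap-A", 1.010, "10.0.1.5", "10.0.0.2", "udp", 53, DNS_QUERY),
    Frame("tap-B", 1.011, "10.0.1.5", "10.0.0.2", "udp", 53, DNS_QUERY),       # same frame, leg B
    Frame("tap-A", 2.000, "10.0.1.7", "203.0.113.9", "tcp", 443, b"\x16\x03\x01"),
    Frame("tap-A", 3.000, "10.0.1.5", "10.0.1.20", "tcp", 502, MODBUS_READ),   # next poll, kept
]

if __name__ == "__main__":
    feeds = broker(SAMPLE)
    print(f"raw frames from TAPs: {len(SAMPLE)}")
    for tool, n in feed_sizes(feeds).items():
        print(f"{tool:>12}: {n} frames")
```

Six raw frames become four after aggregation; the archive keeps all four, the ICS IDS sees only the two Modbus frames and the DNS monitor only the one query. The point of the rules is exactly the one the paragraph makes: each tool examines only the slice it needs, while the full-capture feed preserves everything for later investigation or audit.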

Join me in this short video interview with Patrick Miller, as he explains why Internal Network Security Monitoring (‘INSM’) begins with Visibility.

Footnotes:

1 https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

2 The Sense of Style, by Steven Pinker

3 https://www.federalregister.gov/documents/2022/01/27/2022-01537/internal-network-security-monitoring-for-high-and-medium-impact-bulk-electric-system-cyber-systems

4 https://www.amperesec.com/

5 https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2022/03/18/nerc_cip_standardsforthreatvisibilitydetecti-LMo4.html