Keysight Technologies: Why Internal Network Security Monitoring (‘INSM’) Starts with Visibility

The concept of visibility was introduced to most of us at an early age. The message was clear. Seeing is important.

Watch where you are going! Avoid danger! Think before acting!

But while that may not have done much to protect us from harm, we inherently understood, even as children, that visibility was an essential part of safety and security. Without visibility, protecting against attacks is almost impossible.

As professionals, therefore, we are expected to understand what the White House means when it says, “We can’t face threats we can’t see” in the National Security Memorandum on Cybersecurity Enhancement for Critical Infrastructure Control Systems[1]. And we do understand.

Or do we just think we understand[2]?

What is Network Security Monitoring and Visibility for IT?

If you’ve been to an airport in recent years, you’ve probably seen the proliferation of self-service check-in kiosks. Maybe you even caught one wandering around the airline ticket counter. If you insert your credit card, the kiosk retrieves and displays your flight information, lets you change seats and check your luggage, and, one day, may even offer you a cup of coffee. When you’re done, the kiosk transmits your check-in status to the airline, prints your boarding pass and baggage tags, and tells you where to grab your coffee.

IT (computer) data includes anything sent over the Internet to retrieve your flight information, such as keystrokes, your credit card number or biometrics. OT data includes the control signals sent along an internal “network” used by the components inside the kiosk, such as the display screen, the printer, and the computer that instructs them.

Cybersecurity for IT and OT has a lot in common: both require the ability to inspect data in order to flush out hackers and malware. The devices and systems used to collect and manage network data for threat analysis are commonly referred to in IT as Network Security Monitoring or Visibility.

What is Network Security Monitoring for Critical Infrastructure?

FERC recently issued a Public Regulatory Notice (“NOPR”) directing NERC to develop Reliability Standards for Internal Network Security Monitoring (“INSM”)[3] for critical infrastructure. Existing NERC CIP reliability standards[5] focus on defending the network perimeter. NERC CIP standards for INSM will focus on improving visibility within your network.

Patrick Miller, CEO of Ampère Industrial Security[4], explains Network Security Monitoring for Critical Infrastructure as something akin to the flight data recorder, or black box, used on airplanes to collect and record flight information. Items such as fuel, altitude, heading, and airspeed are collected by sensors and stored in a crash-resistant medium used for accident and incident investigations.

If something goes wrong, the 25 hours of data recorded on the data logger can often provide insight into what went wrong. But even the best recording device is only as good as the input it receives. And that’s where visibility comes in.

Visibility/monitoring of critical infrastructure (and OT) typically starts with adding network TAPs at the control system level. Network TAPs are specially designed devices that capture a copy of the traffic crossing a link, including the bits and bytes that would otherwise go unseen, and forward it to packet brokers and security tools that inspect and respond to abnormal or malicious activity.

Once TAPs are installed, network packet brokers efficiently filter, aggregate, regenerate, and route network traffic to security tools, and are useful in mitigating the challenge of examining large amounts of network data. Systems that capture all network packets, especially when under attack, create the comprehensive historical archive of data required to meet strict NERC CIP auditing requirements. The addition of TAPs creates a tightly integrated and compliant security solution for critical infrastructure. They give you immediate access to data from critical infrastructure systems without adding to the compliance footprint or requiring network switches to be reprogrammed. So when the next supply chain attack happens or new reporting regulations come into effect, you’ll have the ability to see whether you’re affected or not.
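To make the TAP, packet broker and security tool pipeline concrete, here is an added Python example (not Keysight's code or product logic) that models a broker's aggregate, filter, regenerate and route steps over constructed TAP feeds, with every unique packet also copied to a full-capture archive. The deduplication of a packet copied by two TAPs, the tool names, port numbers and the "noise" rule are assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    tap: str       # TAP that copied this packet; not part of the on-wire bytes
    vlan: int
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    payload: bytes

MODBUS = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # constructed Modbus/TCP read
# Constructed feeds from two TAPs (not real captures); the Modbus packet appears in both
# because the same link is tapped at two points.
TAP_FEEDS = {
    "tap-ot-control": [
        Packet("tap-ot-control", 100, "10.1.1.10", "10.1.1.20", "tcp", 502, MODBUS),
        Packet("tap-ot-control", 100, "10.1.1.10", "10.1.1.21", "tcp", 20000, b"\x05\x64"),
        Packet("tap-ot-control", 100, "10.1.1.30", "10.1.1.40", "tcp", 8443, b"backup-chunk"),
    ],
    "tap-dmz": [
        Packet("tap-dmz", 100, "10.1.1.10", "10.1.1.20", "tcp", 502, MODBUS),
        Packet("tap-dmz", 200, "192.168.5.5", "192.168.5.1", "udp", 53, b"dns-query"),
    ],
}

# Routing policy (constructed). A packet matching several predicates is copied to
# each matching tool, which is the broker's "regenerate" function.
ROUTES = {
    "ot-ids":      lambda p: p.vlan == 100 and p.dport in (502, 20000),  # Modbus/TCP, DNP3
    "dns-monitor": lambda p: p.proto == "udp" and p.dport == 53,
}

def is_noise(p):
    """Filter rule (constructed): bulk backup traffic the inspection tools skip."""
    return p.dport == 8443 and p.payload.startswith(b"backup-")

def broker(feeds, routes=ROUTES, noise=is_noise):
    """Aggregate every TAP feed, drop duplicates (assumed broker feature), archive every
    unique packet, filter noise, then route what remains. Returns {tool: [packets]}."""
    queues, seen = defaultdict(list), set()
    for tap_packets in feeds.values():
        for p in tap_packets:
            key = p[1:]                       # on-wire identity, ignoring which TAP saw it
            if key in seen:
                continue                      # already delivered via the other TAP
            seen.add(key)
            queues["archive"].append(p)       # full capture first: the audit trail
            if not noise(p):
                for tool, match in routes.items():
                    if match(p):
                        queues[tool].append(p)
    return dict(queues)
```

Note that the archive receives the backup packet even though no inspection tool does: filtering reduces tool load, while the full-capture archive is what lets you go back and check whether you were affected.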

Join me in this short video interview with Patrick Miller as he explains why Internal Network Security Monitoring (‘INSM’) starts with visibility.

Footnotes:

1 https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

2 The Sense of Style, by Steven Pinker

3 https://www.federalregister.gov/documents/2022/01/27/2022-01537/internal-network-security-monitoring-for-high-and-medium-impact-bulk-electric-system-cyber-systems

4 https://www.amperesec.com/

5 https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2022/03/18/nerc_cip_standardsforthreatvisibilitydetecti-LMo4.html