by Sebastian Weibler, Cyber Security Consultant
As a major European manufacturing company, Airbus is constantly improving its industrial productivity through a variety of efforts. To secure the recent work on industrial connectivity and the convergence of IT/OT systems, Airbus has developed an industrial cyber security strategy with an integrated IT/OT Security Operations Centre (SOC) at its core.
Following a successful pilot project, Airbus CyberSecurity is enhancing the company's SOC with essential OT cyber security capabilities. Based on the following three pillars, Airbus CyberSecurity was able to extend the IT SOC into an integrated IT/OT one:
- Develop specialised OT SOC Use-Cases
- Integrate IT/OT Incident Response Processes
- Extend Detection Capabilities with new Technologies
These three elements together enable the SOC to detect, analyse and respond to cyber security incidents that originate from or extend to industrial perimeters.
1. Develop specialised OT SOC Use-Cases
To establish OT SOC use-cases, Airbus CyberSecurity first analysed which existing use-cases were applicable to OT systems and networks. The resulting list of use-cases could already address major risks to central systems in the OT scope – i.e. use-cases to detect "Command & Control", "Lateral Movement" and "Data Exfiltration" activities. From a technical perspective those use-cases were easy to adapt. The relevant centralised server, antivirus and firewall logs were quickly onboarded to the Security Information and Event Management (SIEM) platform and ready for analysis at an early stage of the project.
2. Integrate IT/OT Incident Response Processes
However, it was clear from the beginning that this technical onboarding alone would not be enough. Before the identified use-cases could be implemented successfully, the existing processes of both the IT Security and OT departments had to be integrated. During the integration process, Airbus CyberSecurity engaged with both IT and OT departments to identify gaps in the standard incident response processes – for operational as well as cyber security incidents. The results of these interactions led to new investigation and response processes with specific interfaces and agreed decision points on the IT and OT sides. Fundamental parts of these processes are local OT security coordinators, a central OT asset database and specialised OT SOC analysts. The new processes will be accompanied by an OT security awareness programme for the plant maintenance teams.
3. Extend Detection Capabilities with new Technologies
While major risks to central systems can be addressed by adapting existing technology and processes, many risks emerging from decentralised and advanced attacks are hard to cover in this way. Such attacks include techniques documented in the MITRE ICS ATT&CK matrix. Deep insight into the industrial systems and their networks is required to identify these attacks. An ICS network sensor solution has been selected to deliver this level of insight and has been integrated into critical parts of the OT network to monitor them passively. By analysing Industrial Ethernet traffic the sensors can identify irregular behaviour and report any event to the SIEM systems. Advanced OT SOC use-cases use this additional event source to provide extended detection capabilities for targeted attacks on OT equipment.
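The following is an added illustration, not code from Airbus or from the project described, of how the building blocks in sections 1 to 3 fit together in a SIEM: passive ICS sensor events are enriched from a central OT asset database and evaluated by two OT use-cases, with each alert routed to the local OT security coordinator as the agreed decision point. The asset records, the engineering allow-list, the coordinator mapping and the sensor events are all constructed sample data, and the field names are assumptions.

```python
from collections import defaultdict

# Constructed OT asset database, standing in for the central OT asset DB the
# article describes. Values are examples, not real plant data.
OT_ASSETS = {
    "10.20.1.10": {"name": "PLC-Line1", "plant": "plant-a", "criticality": "high"},
    "10.20.1.11": {"name": "PLC-Line2", "plant": "plant-a", "criticality": "high"},
    "10.20.1.12": {"name": "HMI-Line1", "plant": "plant-a", "criticality": "medium"},
    "10.20.1.50": {"name": "EWS-01", "plant": "plant-a", "criticality": "medium"},
}
# Assumed allow-list: engineering workstations permitted to write to PLCs.
AUTHORISED_ENGINEERING = {"10.20.1.50"}
# Assumed mapping from plant to its local OT security coordinator (decision point).
OT_COORDINATORS = {"plant-a": "plant-a-ot-coord"}

# Constructed sensor events, shaped like a passive ICS sensor might forward them to the SIEM.
SENSOR_EVENTS = [
    {"src": "10.20.1.50", "dst": "10.20.1.10", "proto": "s7comm", "op": "write"},  # expected
    {"src": "10.20.1.77", "dst": "10.20.1.10", "proto": "s7comm", "op": "read"},
    {"src": "10.20.1.77", "dst": "10.20.1.11", "proto": "s7comm", "op": "write"},  # unauthorised
    {"src": "10.20.1.77", "dst": "10.20.1.12", "proto": "modbus", "op": "read"},
]

def ot_use_cases(events, threshold=3):
    """Run two OT SOC use-cases over sensor events and enrich each alert from the asset DB."""
    alerts = []
    reached = defaultdict(set)                      # src -> distinct OT assets contacted
    for ev in events:
        asset = OT_ASSETS.get(ev["dst"])
        if asset is None:
            continue                                # not an inventoried OT asset
        reached[ev["src"]].add(ev["dst"])
        if ev["op"] == "write" and ev["src"] not in AUTHORISED_ENGINEERING:
            alerts.append(_alert("unauthorised PLC write", ev["src"], asset))
    for src, assets in reached.items():
        if len(assets) >= threshold:                # one host sweeping many OT assets
            first = OT_ASSETS[sorted(assets)[0]]
            alerts.append(_alert("OT lateral movement", src, first, assets=sorted(assets)))
    return alerts

def _alert(use_case, src, asset, **extra):
    """Attach plant, criticality and the responsible local OT coordinator for routing."""
    return {"use_case": use_case, "src": src, "plant": asset["plant"],
            "criticality": asset["criticality"],
            "coordinator": OT_COORDINATORS[asset["plant"]], **extra}

if __name__ == "__main__":
    for a in ot_use_cases(SENSOR_EVENTS):
        print(a)
```

Running the block yields one "unauthorised PLC write" alert and one "OT lateral movement" alert, both routed to plant-a-ot-coord; raising the threshold to 4 suppresses the second.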
This initial project lays the cornerstone for extensive security monitoring of the company's industrial perimeter. It is the starting point for a continuous security enhancement process which includes an integrated feedback loop into the incident response processes. With these combined and ongoing efforts, Airbus CyberSecurity continuously supports the protection of industrial assets and production lines.
Thanks to our industrial roots and a rich heritage in the design, build and integration of complex interconnected defence systems and secured communications, Airbus CyberSecurity provides cyber security solutions to identify, protect, detect and respond to cyber-attacks. Our IT/OT SOCs operate 24/7 across Europe to provide constant monitoring for our customers. In addition, we offer consulting services tailored to our customers' needs, where our experts support them at all stages of their cyber security journey. Airbus CyberSecurity protects critical infrastructure beyond the aviation industry, including energy, utilities, transportation, manufacturing and finance, to build the CyberResilience of tomorrow.