by Fernando Guerrero B., CyberSecurity ICS Architect
There are many ways to contribute to the cyber security of a company, either from a technological point of view or from a procedural point of view. This concept, translated into a company’s cyber security architecture, must always be aligned with the strategic needs of the business and its risk appetite; otherwise you could be safeguarding assets that do not have much value for the company or leaving critical assets without protection. In the same way, having a cyber security architecture coupled to strategic needs can lead to a reduction in the costs of implementation, operation and maintenance, not only of the cyber security platform, but also of the assets it protects.
Main principles of an ideal industrial SOC
In this context, it is necessary to understand that no matter how complex or simple the security architecture is, it requires adequate orchestration and monitoring. This implies maintaining tools and procedures that get the best out of the available protections, provide complete visibility of the processing and security environment, and help to expedite technical, tactical and strategic decision making.
To achieve this comprehensive approach, there needs to be a “brain” for cyber security in every company. The Security Operations Centre (SOC) is just that. The SOC manages technology and processes that allow the analysis of data obtained from various controls and external sources of information, for threat prevention, anomaly understanding and incident response. One of the most valuable benefits that the SOC delivers is the generation of key performance indicators, which let you know in detail how the normal operations of the company are being safeguarded and how its security can be improved.
The SOC is therefore a complex system with both prevention and protection capabilities, which is composed not only of technology, but also of procedures, policies, relationships and above all people whose primary objective is to increase the reliability and security of daily operations.
It is necessary to take into account that in order to fulfill this mission, a SOC must first have state-of-the-art technology and methods; second it must be managed by experts with a holistic vision; and finally, it must maintain technical relationships on a global scope that allow it to perform intelligent analysis that adds value to its service and enables it to detect threats or prevent attacks.
Finding a solution or supplier (better, a business partner) that delivers all of the above can be a challenge, and it will be even more so if we take into account that, to be efficient and effective, a SOC must be tailored, making this “brain” a trusted agent for the organisation and the core of a sustainable cyber security strategy.
The need for convergence
Although the technological and procedural needs are similar for both the world of IT and OT, the priorities for the OT environment change radically.
In addition to using some of the same systems and equipment on which IT relies, the OT world is composed of special equipment, electronic elements with different operating systems (many of them legacy), different logic programming, special protocols for industrial needs, industrial control systems, among other elements. As far as cyber security is concerned, the fundamental pillar for OT is the availability of the operation. This goes beyond a philosophical stance; it has to do with the consequences, often catastrophic, that an incident in the OT infrastructure can cause. It also has to do with knowledge: it is necessary to have professionals with experience in both IT and OT systems, a very scarce skillset.
Cyber criminals have already learnt to understand both worlds, and above all, they are aware of the sensitivity of OT networks and systems. They sense the devastating consequences that an industrial incident could have and hence the profits that they could make by threatening with a plausible attack.
For this reason, the most appropriate approach is to have a convergent SOC, with experience in the protection of both worlds, IT and OT, staffed with professionals who speak both languages and understand the logic behind the technological management of industrial networks. Such a SOC in fact manages the priorities of the business and is focused not only on the company and its operations but also on the end customers who actually generate revenue and profit.
A convergent SOC must cover all levels of the protection model for industrial control systems, must maintain a high visibility into all layers and be able to perform multi-vector threat analysis and response. Above all, the work should not only be done with its own specialists, but should also provide facilities for collaborative work with the company’s expert operational personnel. The dialogue between security specialists and operators is essential for the development of a solid understanding of critical assets, how they work, how they are connected and how they could be fixed.
Trust is paramount
Having a convergent SOC with experienced personnel is very important; however, it will not be able to fulfill its mission without trust, and that is what we are aiming for. Like everything else in life, it is easier to trust someone who has provided a quality service for several years, with high operational standards and relentless response to incidents in the industrial sector.
The SOC team must provide an uninterrupted service, handling several business models (in-house, as a service or hybrid), taking into account that, in most cases, a better return on investment will be provided by the “as a service” model.
The best way to protect the infrastructure of the industrial sector or the critical infrastructure of a country, to avoid “alert fatigue” and get a better return on investment is to have a specialised SOC. Airbus CyberSecurity maintains such a solution, which can be delivered as a standalone service or to complement other services covering the rest of the cyber security cycle.
Find out more about our SOC offering
With a rich heritage in the design, build and integration of complex inter-connected defence systems and secure communications, Airbus provides expert cyber security services to protect, detect and respond to cyber-attacks ensuring your organisation is resilient.
Our SOCs operate 24/7, 365 days a year to provide constant monitoring of our customers’ environments across all industries, including government, defence, aeronautics, energy, utilities, transportation, manufacturing and finance.