EOS.II MONITORING AND DETECTION PLATFORM - INDUSTRIAL CYBERSECURITY INTELLIGENT ILLUMINATION FOR IOT CYBER DEFENSE - SIEMENS ENERGY ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Industrial Cybersecurity EOS.ii™ Monitoring and Detection Platform Intelligent Illumination for IoT Cyber Defense About Our Practice
Content 08 The Dawn of Industrial IoT 10 The Energy Industry’s Digital Revolution 12 The Complexities of Defending an IoT Environment 14 The IoT Monitoring and Detection Imbalance 16 Building a Fusion SOC to Illuminate Industrial IoT 19 Illuminating the Foundation for IoT Visibility and Context 21 Seeing Through the Fog with Monitoring and Detection 23 The Intelligence Behind Eos.ii™ 27 Realizing the Vision of a Fusion SOC
Eos.ii™ | IoT Monitoring and Detection
Executive Summary
Imbuing useful machines with network detection capabilities to overcome the scale
connectivity and automated monitoring and complexity of securing a hyperconnect-
offers tremendous power. We can envision ed world from cyberattacks.
warehouses and retail stores with instant,
automatic inventory. Cities where traffic To monitor and secure industrial IoT envi-
flows steadily because the lights change ronments, CISO will need a new platform
when vehicles approach. Pipelines that self- that can serve as the foundation of their
report signs of impending failure. Electric organization’s IoT SOC with the capabilities
grids that seamlessly shift between renew to address today ’s vulnerabilities and evolve
able sources of energy to provide afford- to meet tomorrow’s threats. Leveraging its
able, reliable power with low or zero legacy in engineering and securing energy
emissions during peak demand. and critical infrastructure industries for
more than 170 years, Siemens Energy has
These visions are already just expansions developed a new Security Information
of fundamental changes in our economy, and Event Management (SIEM) platform,
currently underway. The reality of physical Eos.ii™.
industrial equipment seamlessly integrated
with the digital world is already here and Eos.ii™ is a scalable and flexible AI-based
poised to grow. monitoring and detection platform designed
to serve as the foundation for a next-gener-
Energy and critical infrastructure companies ation fusion IoT SOC. By design, it enables
are aggressively building an industrial Inter- rapid gathering, processing, and prioritizing
net of Things (IoT) to make operations more of actionable intelligence within industrial
automated, more flexible and more efficient operating environments. Eos.ii™ is the
by seamlessly linking operational technol- first SIEM to unify IT and OT monitoring
ogy (OT) to control physical assets with and detection capabilities through machine
information technology (IT) applications. learning to prioritize high-consequence
Yet without IoT cybersecurity monitoring alerts for human investigation – and enable
and detection, these ambitions will fail. continuous, site-specific improvement.
Protecting energy and critical infrastructure Eos.ii™ empowers CISOs and SOCs with
sectors run on industrial IoT technology puts the platform and insights needed to scale
Chief Information Security Officers (CISOs) up security to meet the demands of IoT
and their existing Security Operations Cen- business models. It offers unmatched capa-
ters (SOCs) under significant strain. As the bilities to build and maintain robust, adapt-
IoT business model increasingly integrates able, and resilient defenses in a fast-moving
physical assets and digital networks, CISOs and competitive IoT future.
need entirely different monitoring and
Leo Simonovich
Global Head,
Industrial Cyber and Digital Security
Siemens Energy
Page 4
An AI-based monitoring and detection platform purpose-built to serve as the foundation of an IOT fusion SOC for energy and critical infrastructure in an era of persistent cyberattacks.
Acronyms & Definitions
AI Fusion SoC
Artificial Intelligence is field of computer A Fusion SoC is both a strategic and tactical
science that uses algorithms to iteratively Security Operations Center (SoC) capable of
learn relationships between variables in monitoring, detecting and acting on cyber
large datasets. threat intelligence on IT networks and physi-
cal assets controlled by OT systems.
CISO IT
The Chief Information Security Officer is Information Technologies are technologies
responsible for assessing cyber risks for storing, retrieving, or transmitting informa-
and defending company assets against tion. They include personal computers, servers,
cyberattacks. Modern CISOs often have and communications networks.
responsibility for digital security of people,
devices and data.
Context IoT
Context is the information necessary to The Internet of Things is a term used to de-
understand the operating status of a device, scribe IT and OT devices that are networked
its relationship to linked systems, and the together to make an integrated whole, allow-
operating status of those connected sys- ing for automated feedback loops between
tems. multiple devices, automatic inventory, remote
management tools, and many other features.
Page 6
OT SOC
Operating Technologies include equipment A Security Operations Center is the centralized
with a mechanical or real-world output – for hub of cyberdefenses for an organization.
example a turbine, pump, or robotic arm – Analysts within a SOC investigate potential
often controlled by a computer processor threats and take actions to protect assets or
built into the equipment. recover from attacks.
Precision Defense™ Unified Threat Stream
Precision Defense™ is the use of monitoring A Unified Threat Steam is a data feed that
to identify the extent of intrusions, enabling collects information from every monitored
effective containment, eradication and component of a system in a centralized and
recovery with the smallest possible collater- standardized format, translating from dispa-
al impact on business processes. rate source languages and formats as needed.
PSA Visibility
Process Security Analytics is the proprietary Visibility is the ability of an analyst or security
methodology Siemens Energy uses to ana- operations center to pull real-time informa-
lyze IT and OT data to assess which security tion about a device, its operating status, and
events will be consequential. its context within the larger system.
SIEM
Security Information and Event Management
is a category of software platform used to log
and analyze data and events relevant to
cybersecurity.
Page 7
Eos.ii™ | IoT Monitoring and Detection
The Dawn of Industrial IoT
Seamless Integration of Digital Digitalization’s Achilles Heel
and Physical Worlds
IoT is blurring that division. Energy and
critical infrastructure companies are inten
The “internet of things” (IoT) is bringing tionally linking IT and OT to make their
rapid change to the industrial world – fun- operations more automated, more flexible,
damentally and forever shifting all aspects and ready to launch previously impossible
of the economy into digital connectivity. products and processes.
At its core, IoT is the seamless integration Over 8 billion industrial IoT devices are
of operational technology (OT) – which is already in use, and more than a billion are
responsible for controlling and command- expected to be added this year. As organi-
ing physical equipment – with information zations bridge the boundaries between the
technology (IT) systems. This integration physical and digital worlds, they are also
allows companies to optimize, refine and unavoidably exposing new vulnerabilities
create efficiency through big data, tailor to physical assets that had previously been
made apps and artificial intelligence (AI). protected from many digital attacks.¹
IoT brings big benefits to businesses across The confluence of these factors means
industrial sectors – and for cybersecurity, that industrial IoT gives cyber attackers a
it’s also a big change. Previously, digital OT pathway – if successful – to cause physical
commands running energy assets, heavy damage that would bring huge and lasting
machinery or infrastructure facilities were consequences for millions of customers.
typically sectioned off from network con This makes the energy and critical infra-
nected IT systems, with a clear divide be- structure sectors an attractive target for
tween IT and OT assets and their respective malicious actors, including some backed
security procedures. This divide helped by nation-states.
protect OT assets from more frequent and
1 https://www.statista.com/
statistics/1183457/iot-connect- easily executed cyberattacks commonly
ed-devices-worldwide/ launched against IT networks.
Page 8
Intelligent Illumination to Secure Critical Infrastructure
Defending in the Dark But most CISOs and cybersecurity person-
nel come from IT backgrounds with a high
It is no secret that cybersecurity teams tasked degree of expertise securing digital networks,
with defending industrial IoT environments and the security of physical equipment was
now have more infrastructure to protect left to engineers in the field.
against the backdrop of more frequent, more
ferocious attacks. The assets in need of protec- For CISOs, their businesses, and their ever-
tion have also changed as connectivity is now changing assets, the future depends on
required for previously isolated devices, and gaining expertise in physical asset security
mobility and variability are defining features of with relatively new OT-specific cybersecurity
previously static assets. technologies and methodologies to get IoT
cybersecurity right. That means cybersecuri-
It should not be surprising that CISOs and their ty teams need to master IT and OT monitor-
teams frequently find a mismatch between ing and detection equally amid rapid change
their current cyber capabilities, their organi- and increasing complexity.
zation’s demands to advance innovative IoT
business models – and that attackers seek to
exploit these gaps. Illuminating an Ongoing Revolution
This forces the question: How does a CISO IoT cybersecurity relies on a core concept:
overcome the technical obstacles and capa defenders must gain visibility and context
bility gaps needed to secure digital and across an operating environment of physical
physical assets from cyberattacks today and and digital assets to monitor, detect and act
in the future? on potential cyberthreats before they exe-
cute across an interconnected system.
Hyperconnectivity Here to Stay To mitigate cyberattacks against digital and
physical assets, defenders need to see into
Slowing the pace of change isn’t an option. each and every system. And CISOs need to
Companies have bet their businesses on ensure their teams will have that capability
expanding IoT capabilities for a competitive no matter what new technologies their
advantage in the industrial marketplace. companies add in the future.
Page 9
Eos.ii™ | IoT Monitoring and Detection
The Energy Industry’s
Digital Revolution
Unlocking the Energy Transition Exploiting Connected Infra
structure
As the energy and critical infrastructure
sectors increasingly depend on seam-
less connections between physical and As the energy and critical infrastructure sec-
digital assets, malicious actors are taking -tors increasingly depend on the seamless
advantage of the inherent vulnerabilities connection between physical and digital as-
in a digitally driven energy ecosystem. sets, malicious actors are taking advantage
of the inherent vulnerabilities in a digitally
Oil and gas companies are accelerating the driven energy ecosystem.
digital connections between existing energy
assets – such as pipelines and gas turbines – In 2021 – in the United States alone – ma-
with cutting-edge digital sensors and IT licious actors have targeted a major oil
systems to improve safety, performance and and gas pipeline, a wastewater treatment
reduce emissions. Utilities already accus- facility, and food, manufacturing and critical
tomed to balancing electric grids in real time infrastructure supply chains.2 Whether ran-
are rapidly connecting smart devices and somware, supply-chain attacks, denial-of-
distributed power sources with sophisticated service or zero-day threats, these attacks are
software systems for variable time-of-use accelerating for a range of reasons – from
pricing and to increase clean energy pene- collateral in broader geopolitical conflict
tration. between nations to financial gain.
These trends are only expected to increase While motivations differ, criminal gangs and
as major oil and gas players announce plans state-supported cyber units understand that
to shift away from fossil fuels and towards vulnerable IoT assets give them the power
digital energy platforms, and the titan com to not only paralyze entire economies, but
2 https://cybermagazine.com/
top10/10-high-profile-cyber- bustion-engine carmakers plan for all-elec- also sow chaos for families and businesses
attacks-2021 tric futures. across the world.
Page 10A Glimpse Into the Future:
The Threat to Critical Infrastructure
How a Cyberattack on an Oil and Gas Pipeline Exposed the World’s Vulnerability
In mid-May, millions living up and down critical care services further stretched in The ransomware attack successfully
the American East Coast experienced the the midst of a global pandemic, and the breached the organization’s IT network,
chaos caused by a far-reaching cyberat- economic security threatened millions but luckily never infiltrated OT systems
tack targeting critical infrastructure. of businesses and families. The price of or physical energy infrastructure.⁵ How-
gasoline skyrocketed, and filling stations ever, the incident forced the company to
A ransomware attack hit a major pipeline soon ran out of supply. In response, the shut down all operations on the suspi-
company. Unsure if OT or IT systems federal government declared a state cion that malicious actors had access to
were compromised, the company feared of emergency. State governments put sensitive OT infrastructure. The lack of
that malicious actors could gain further in place policies to increase oil and gas visibility and context into the attack in-
access to critical OT control systems. The supplies by tanker trucks and dissuaded flicted financial losses in the millions due
infrastructure carrying gasoline and jet citizens from panic buying fuel. to the ransomware payment, more than
fuel to nearly a third of the U.S. popula- seven days of system-wide downtime
tion was at stake. Rather than operate The pipeline remained shut down for and significant reputational damage.
with uncertainty, the company shut six days while teams of investigators
down all operations, stopping all flow of diagnosed the problem and negotiated a
fuel through the pipeline.³ ransom. In Congressional testimony, the 3 https://www.gao.gov/blog/colonial-pipeline-
pipeline company’s executives revealed cyberattack-highlights-need-better-federal-
and-private-sector-preparedness-infographic
As industry leaders and government of- that the cause of the attack was a lack of
4 https://www.hsgac.senate.gov/hearings/
ficials responded to the unfolding crisis, cyber hygiene – an employee failed to threats-to-critical-infrastructure-examining-
it only took a few hours for panic to set enact two-factor authentication to help the-colonial-pipeline-cyber-attack
in – gas lines formed, emergency and protect the company’s software.⁴ 5 https://us-cert.cisa.gov/ncas/alerts/aa21-131a
Page 11Eos.ii™ | IoT Monitoring and Detection
The Complexities of Defending
an IoT Environment
Securing A New Nonlinear Frontier Industrial IoT operating environments now rely on hyper-
connectivity, an intermeshed network of connected legacy
Before the rise of industrial IoT business models, cyber and digitally native assets, and extreme flexibility to allow
security teams mostly knew and understood the threat network access to non-stationary and intermittent IT and
landscape they were responsible for defending, and built OT technologies owned by a company, used by its custom-
the right capabilities for that task. But the promise of ers and integrated with third parties.
industrial IoT calls for an environment where every piece
of equipment and software can connect with any other These same defining features of powerful IoT business
equipment – and can trust that connection. models often leave organizations vulnerable to cyberat-
tacks, and CISOs without the capabilities needed to defend
Facilities that used to have centralized controls now use a typical industrial IoT portfolio. As the threat landscape
remote access for routine workflows. Physical equipment changes dramatically, CISOs need to balance closing the
that was previously air-gapped is now networked. Apps gaps between current capabilities, growing responsibilities
and networked endpoints in the hands of consumers and to support innovative business models, and countering
users must connect to company assets to fulfill their in- evolving threats.
tended functions.
A hyperconnected
operating environment
Industrial IoT fundamentally changes
the need for humans to manage con-
nections between physical and digital Mobile and variable
assets as connected devices will
assets
automatically exchange information
to optimize workflows. Market fore- Like the move from landlines
casters project 25 billion industrial to cell phones, the IoT future
IoT devices by 2030.⁶ means the devices connected
6 www.statista.com/statistics/1183457/
to an industrial network will
iot-connected-devices-worldwide change from day to day – or
even minute by minute. The
business benefits of industrial
IoT depend on supporting and
defending this flexibility.
A mix of legacy
and new equipment
Older systems retrofitted for IoT and integrated with
newer, digitally native technologies will remain as
infrastructure backbones. Both old and new equip-
ment need cutting-edge defenses against evolving
threats.
Page 12Intelligent Illumination to Secure Critical Infrastructure
Page 13Eos.ii™ | IoT Monitoring and Detection
The IoT Monitoring and
Detection Imbalance
The foundation of IoT cybersecurity is understanding the The result is that most IoT SOCs can’t see a complete picture
two-way relationship between the digital and physical of what’s happening in their systems – and can’t defend
worlds, and then monitoring those relationships to detect what they can’t see.
and act on threats. For most CISOs using existing SOC capa-
bilities, gaining insight into all physical devices and digital
networks that comprise an IoT operating environment is Fog Surrounds Defenders without Equal
an overwhelmingly complex technical and capability chal- Detection Capabilities
lenge.
Most organizations seeking to expand monitoring and
Poor Visibility and Unseen Threats Mask detection in IoT environments suffer from a capability
Physical and Digital Assets gap when it comes to IT and OT technology deployment
and expertise. While even organizations with a business
model firmly grounded in owning and operating physical
To monitor and detect threats in time to prevent an attack assets struggle with OT security, the vast majority of
requires two key elements – visibility and context. Security CISOs struggle to apply IT cybersecurity methodologies
teams need visibility into every physical and digital node to physical equipment in IoT environments.
connected to their network.
Then they need to combine billions of data points into a Imbalanced Maturity
unified threat stream so analysts in a SOC can understand
from context whether anomalous behavior poses a threat CISOs without a foundation in securing physical assets
or is a benign change in production workflow. from cyberattacks often find themselves in one of several
technological or capability gaps.
Lacking a Unified Threat Stream In the least mature organizations, CISOs are asked to ex-
pand security for IoT environments without deploying any
Creating a unified threat stream is a significant technical new OT-specific monitoring capabilities; while others use
challenge for most IoT SOCs because raw OT and IT IT monitoring approaches in the field as a solution to satisfy
data speak separate languages that were never intended regulatory requirements or believe that more specialized
to be analyzed together. Yet without unifying these data approaches are too costly or are unnecessary for complete
streams, defenders can’t contextualize anomalies between defense.
commands sent to OT controlling physical assets and
IT software linked to this data – and subsequently will In more sophisticated organizations, CISOs will monitor IT
miss attackers who are actively exploring the network and OT assets side by side in a SOC built for IT security, and
in search of vulnerabilities. manually analyze data streams. Finally, the most mature
organizations have custom monitoring approaches where
Until now, creating a unified threat steam in a hypercon- they analyze physical and digital relationships in a massive
nected environment has not been possible in most SOCs data pool, but lack the rigorous methods to effectively
because OT-specific monitoring and detection technologies apply insights.
were too immature and required specialized technical
expertise in physical assets. Even as emerging AI-based While gaps between IT and OT monitoring and detection
solutions helped overcome many of these challenges, few capabilities leave operating environments exposed to
have the capability to sync heterogeneous IT and OT data cyberattacks, the true capacity gap most CISOs lack is an
streams. ability to equally understand – and act on – threats in both
the physical and digital worlds under a unified platform.
Page 14Intelligent Illumination to Secure Critical Infrastructure
Defense Gap Leaves Assets in the Dark
Lacking Equal Expertise in Defending the Physical and Digital Worlds
Frequently Leaves IT Networks Protected and OT Assets Exposed
Most organizations seeking to expand monitoring and
detection in IoT environments suffer from a capability
gap when it comes to IT and OT technology deployment
and expertise.
Page 15Eos.ii™ | IoT Monitoring and Detection
Building a Fusion SOC to
Illuminate Industrial IoT
To overcome the obstacles of building ro- Analyzing Threats Under a Single
bust IoT monitoring, CISOs need to under- Pane of Glass
stand if any singular command – out of
billions occurring between a given physical
and digital asset – represents a cyberattack. For CISOs, building a single-pane-of-glass
system to monitor and detect threats across
This type of real-time protection requires their enterprise will require reimagining
solving several interlocking challenges their existing SOCs.
simultaneously, including synthesizing
heterogeneous data flows into a unified A CISO can expect the assets and environ-
threat stream, equal expertise in IT and ments under their defensive umbrellas to
OT systems to rapidly draw insight, and change frequently as the digital revolution
acting on threat intelligence in the SOC speeds along its exponential growth curve.
and in the field. Threats aiming to exploit this progress will
EOS.ii
Page 16Intelligent Illumination to Secure Critical Infrastructure
undergo similar rapid changes to adeptly maneuver around The Intelligent SIEM to Illuminate IoT
more sophisticated defenses. Rather than trying to adopt Cyberattacks
the latest cyber solution each time threats evolve, defend-
ers need a platform that can serve as an enduring founda-
tion for IoT security. Siemens Energy’s Eos.ii™ industrial cyber-defense platform
enables CISOs to bridge this physical – digital divide, and
Any approach to IoT cybersecurity must integrate IT and OT illuminate the IoT operating environment so defenders can
monitoring and detection within a fusion SOC. That means act on threats before they execute.
bringing together otherwise incompatible data sources,
empowering analysts to defend each layer of their organiza- Eos.ii™ is a scalable AI-driven Security Information and
tion’s technology stack within a constantly evolving threat Event Management (SIEM) platform that serves as the foun-
detection engine capable of accomplishing these tasks with dation for a Fusion SOC, providing defenders with complete
speed and accuracy amid constant change. monitoring and detection capabilities through a single-
pane-of-glass interface that provides clear and in-depth
Fusion SOCs will bring together IT and OT cyber capabilities insights to take action against cyberattacks.
to provide human analysts with efficient and powerful
tools to investigate and act on threats in ways that mini- This gives CISOs and cyber analysts working in a fusion SOC
mize disruption to operations and adapt to evolving threat the power needed to investigate suspicious events, and
environments. permanently bolster defenses for their unique IoT operating
environments.
Automation at Scale
Siemens Energy’s technical mastery combined
with machine learning automates routine tasks
Intelligence to Act
to ingest, prioritize and present huge volumes
of information. Analysts immediately hone in Eos.ii™ actively draws analyst attention to high-consequence
on high-consequence events events while giving analysts the scope of visibility and depth
of context needed to identify and act on threats.
Illumination of
Physical-Digital Relationships
Siemens Energy’s OT knowledge base guides
design, enabling existing IT staff to understand
and investigate the context of anomalies
in the IT and OT foundations of industrial IoT.
Page 17Eos.ii™ | IoT Monitoring and Detection
SIEM with SIEM with OT
IT Capabilities and IT Capabilities
Continuous Monitoring
More data provides a basis for Knowing which data sources and what
anomaly detection across data points is the first step – network,
network and vulnerability asset, control system, and process data
sources
Detection and Alerting
Detection requires comprehensive
Alerts are more frequent
data collection across physical and
and can be noisier than OT
digital sources
alerts
Triage and Investigation
Prioritization is focused on Every alert is critical and warrants
scale and fewer mission a deep investigation into potential
critical functions are at stake safety and reliability impacts
Response and Recovery
Digital responses are Response can include
usually well-defined to physical and digital steps
quarantine and neutralize to protect operations
threats
Page 18Intelligent Illumination to Secure Critical Infrastructure
Illuminating the Foundation
for IoT Visibility and Context
Creating Visibility in a Hybrid Environment Using a proprietary method called Process Security Ana-
lytics (PSA), Siemens Energy systematically standardizes,
The immediate need in most SOCs is to close the gap in OT collates, and analyzes OT and IT data to reveal anomalous
capabilities, and then bring together OT and IT visibility and behaviors and patterns that match known cyberattacks.
context within a fusion SOC to identify and evaluate anom-
alies. Unlike operating environments that rely on either IT PSA methodology allows defenders to use context to dif-
or OT expertise, a fusion SOC must communicate in terms ferentiate between normal fluctuations and active threats,
accessible to the people who need to take action on both even when signals cut across hybrid environments. Work-
the physical and digital realms. flows can draw on unified and expanded IoT visibility to pri-
oritize high-consequence events for human investigation.
Eos.ii™ provides the needed foundation for an IoT SOC,
starting by mastering the daunting technical feat of creating Each action attackers take to probe the IoT network offers
a unified threat stream. A unified threat stream illuminates signals about what that attacker intends. In a fully success-
OT and IT data sources, giving analysts visibility into the full ful IoT SOC personnel can recognize these signals, correctly
chain of cause and effect when IoT assets interact. While predict how the attack will unfold, assess its potential
gathering and processing data for IT and OT goes through impacts and – if needed – take action fast enough to block
similar stages, the mechanics of these workflows differ and those impacts.
require analysis through separate algorithms before defend-
ers can fully understand the collated data.
Intelligence to Act with a Unified Threat Stream
Eos.ii™ gives analysts the scope of visibility and depth of context needed to
identify and act on threats
Page 19Eos.ii™ | IoT Monitoring and Detection Page 20
Intelligent Illumination to Secure Critical Infrastructure
Seeing Through the Fog with
Monitoring and Detection
Moving from Visibility and malities that would be otherwise impercep
Context to Monitoring and tible to cyber analysts.
Detection
In one real-world example, a SOC analyst
using Eos.ii™ detected a problem with
Monitoring and detecting threats requires firewall hardware at a power plant. The
understanding current conditions, and hardware was rated for 55 degrees Celsius,
then comparing them against past threats but running above 70 degrees. This made
and normal baselines to illuminate what’s the power plant’s control system vulnerable
suspicious. to crashes when the firewall overheated.
If this system failed during power produc-
Comparing historical and current asset tion, the company would not be eligible
conditions requires a built-for-purpose for payment – a potential loss of millions
platform that uses AI, ML and predictive of dollars per hour. Eos.ii™ helped analysts
analytics to identify anomalies within determine this was not an attack, and
seconds of detection. Eos.ii™ illuminates prompted corrective maintenance that
both the depth and breadth of an install strengthened ongoing cyber readiness.
base, bringing together automation with
the incisiveness of human intelligence to
hunt for any trace of malware. Built to Adapt to Emerging Threats
When new threats are identified anywhere
The Power of the Eos.ii™ in the world, the Eos.ii™ detection engine
Detection Engine automatically evaluates the vulnerability
of an organization’s install base and can
anticipate anomalous behavior. When these
With AI at its core, Eos.ii™ is designed to threat signatures – known or novel – are
make sense of billions of data points that detected, Eos.ii™ can identify asset expo-
comprise physical and digital relationships in sure within an operating environment and
industrial environments, correlating abnor- generate an alert for human attention.
Page 21Eos.ii™ | IoT Monitoring and Detection
Eos.ii™ Platform
Platform modules provide the backbone to generate
insights and drive actionable intelligence
Topology Search
Quickly search for assets,
anomalies, vulnerabilities,
and other data across fleets
Investigations Plant Data Visualizer
Use data search and correlation Review data visualizations from
tools to conduct deep investiga- physical and digital assets in one
tions into specific assets place for enhanced context
EOS.ii
Platform Tuner Threat Intelligence
Easily build new rules, t une ML Compare site activity to known
models, and e nhance capabilities signatures and review historic
for s pecific sites and assets data for new signatures
Alert Management
Automatically detect
events and correlate them
for analyst review
Page 22Intelligent Illumination to Secure Critical Infrastructure
The Intelligence Behind Eos.ii™
Eos.ii™ brings together key capabilities in an integrated like IoT, the combination is even more powerful than any
platform. Automation detects events, prioritizes potential single feature.
threats and alerts analysts to investigate the most conse-
quential anomalies. Eos.ii™ enables analysts in a IoT fusion SOC to move
seamlessly from discovering a new threat to confirming
Combined, these modules make it easy for analysts to per- its absence in protected networks to updating auto-
form quick, deep analyses, relate their findings to the big mated defenses. Its powerful detection engine and easy
picture, and adjust defenses to perform the same analysis adaptability offer unprecedented ability to stay on top
automatically going forward. Each advances the state of of changing circumstances – from new assets to new
the art for industrial IoT monitoring and detection – and threats.
Automation on Scale
Manage alert prioritization to improve alert response
time and avoid alert fatigue.
Tailoring new rules – including machine learning
rules – continuously strengthens defenses.
Intelligence to Act
Illumination of Physical-
Automate proactive decision making
Digital Relationships with intelligence, domain specific
playbooks and threat hunting workflows.
Context driven intelligence means active
Quickly search and understand the threat hunting becomes a larger share of
relationships between devices – their loca- analyst time.
tion in the plant, and how they link up
physically and digitally. Search by time and
attribute lets analysts immediately scrutinize
relevant devices when new threats are
discovered.
Page 23Eos.ii™ | IoT Monitoring and Detection
The Detection Engine for
Industrial IoT
Although most alerts don’t require cyberse- staff needed and exposure to alert fatigue,
curity responses, defenders need to quickly while enhancing the expertise and capabili-
home in on those that do. SOC analysts can ties of analysts on the detection team.
rely on Eos.ii™ to automatically sift through
volumes of security events and alerts that
occur in industrial IoT systems, using its Threat-Hunting – Getting Ahead
library of asset attributes, topology, and of Attackers
known threat profiles to assess which events
will be high consequence. This means Eos.ii™
can distinguish between similar alerts – Defenders equipped with a detailed and
giving low priority to a single wind turbine constantly updating understanding of their
wearing out its bearings, but high priority systems get to shift from a reactive stance
to a wind farm inadvertently infested with to a predictive, prescriptive stance. Instead
malware during a site visit. of waiting for an attack where the impacts
are unmistakable, defenders can hunt for
subtle signs of intrusions underway. Defend-
AI Insights and Tuning ers can use Eos.ii™ to identify the intent
of a probing attacker earlier in their attack
The core of Eos.ii™ is a rules-based detec- process, when a SOC has more options to
tion engine drawn from OT knowledge and limit the extent of intrusions and strengthen
sophisticated machine learning. Pre-built preventive measures.
rules leverage generations of Siemens
Energy engineering knowledge to alert SOC
personnel of suspicious or dangerous OT Eos.ii™ Makes Threat-hunting
conditions. Meanwhile, Eos.ii’s machine Faster and More Powerful
learning detection engine teaches itself the
normal pattern of relationships between
variables based on real-world operating Instead of needing to log into several sys-
data, automatically tailoring anomaly de- tems or call OT workers to check on condi-
tection to the specific sites and assets under tions, analysts can examine all the attributes
protection. and status of assets within a single pane of
glass. Visualizations and easy navigation
In the event that a company is hit with a allow analysts to rapidly toggle between
completely novel attack that does not match deep-dive investigations and their big-pic-
known IT signatures, Eos.ii’s automatic ture implications.
detection engine would alert human investi
gators as soon as the attack begins to affect With Eos.ii, the previously difficult process
OT assets – and would aid analysts in diag- of correlating security, process, and control
nosing the events. system data becomes easy. Along with IT
forensics and signature-based detection,
The combination of powerful investigative Eos.ii™ enables a digital twin comparison –
tools, prioritized alerts, and automated, comparing a virtual model of the worksite
scalable tuning reduces the number of SOC against real-world data.
Page 24Intelligent Illumination to Secure Critical Infrastructure
Page 25Eos.ii™ | IoT Monitoring and Detection Insights into Action with Precision Defense™ Stopping Threats Before They Execute The value of an AI-powered detection engine is its ability to provide actionable intelligence in time for defenders to get ahead of attackers. This means analysts get to act on threats they have discovered, interrupt attacks under- way and adapt defenses in real time. Page 26
Intelligent Illumination to Secure Critical Infrastructure
Realizing the Vision of a
Fusion SOC
Acting on Intelligence IT systems, which readily withstand abrupt
shutdowns, pulling the plug on physical
The pipeline ransomware attack described assets is typically a costly measure reserved
earlier forced a tough choice on the com- for last resort. A precision defense approach
pany moving nearly half of fuel needed to seeks to address exactly the affected sys-
power the eastern United States. Unsure tems – no more and no less. If an intrusion
whether the attack had spread from its IT reached only one pumping station, or only
networks to affect pipeline infrastructure breached a sales database, there’s no need
and controls, the company chose to halt fuel to shut down an entire pipeline.
deliveries, leading to gas-pump shortages.
This attack illustrates the need for Precision Rapid Responses and Perpetual
Defense™ capabilities. Monitoring and Improvements
detection that can determine the extent of
a breach can guide narrowly targeted
responses. Without such capabilities, com- In these investigations, speed and quality
panies are left blind. Leaders end up being both matter. Rapid, early detection can
forced to choose between doing nothing – limit intrusions to a few isolated systems.
leaving worker safety and critical equipment Thorough, high-quality monitoring gives
exposed to ongoing malicious actions – leaders the confidence that small, precise
or deploying brute-force solutions like a interventions will strike the right balance
sweeping shutdown. between eradicating threats and minimizing
operational disruption.
The value of an AI-powered detection
engine is its ability to provide actionable Eos.ii™ empowers analysts to rapidly detect
intelligence in time for defenders to get and understand an attack anywhere in the
ahead of attackers. This means analysts IoT portfolio, mapping its scope and tracing
get to act on threats they have discovered, the timing and attack vector – the informa-
interrupt attacks underway and adapt tion needed for high-confidence precision
defenses in real time. With each threat defense.
mitigated, the fusion SOC becomes better
prepared to block attacks. Eos.ii™ immediate adaptability – to novel
attacks, to threats observed elsewhere, and
to site-specific equipment – means that SOC
Precision Defense™ for Right- personnel can take prescriptive, preventive
Sized Interventions action to block future attacks and scour
systems looking for intrusions previously
overlooked.
The unparalleled ability to investigate IoT
with visibility into both OT and IT sub Full visibility and forward modeling of
systems enables greater precision for threat digital-physical interactions turn IoT com-
detection – and the insights needed for plexity into a home-field advantage for
proportionate action. defenders. When SOC personnel analyze
the real-time status and logged histories
Determining the source and scope of of any aspect of the digital or physical
a problem is a key step in selecting a assets under their protection, attackers
corrective response in IoT systems. Unlike have nowhere to hide.
Page 27Eos.ii™ | IoT Monitoring and Detection
A SOC Greater than
the Sum of its Parts
Eos.ii™ transforms the interlocking challeng- Eos.ii™ provides CISOs with the foundation
es of industrial IoT cybersecurity into core needed to begin building a predictive SOC,
strengths. It tames the tangle of mismatched and to strive for continuous improvement.
languages, provides visibility into obscure As Eos.ii™ learns the baselines for work sites,
corners of OT, and illuminates the meaning and as IT staff become proficient in under-
of OT data for IT analysts. standing IoT interactions and diagnosing
attacker intent, defenders will be increasing-
Automating routine tasks and prioritizing ly able to predict the behavior of assets and
alerts based on expected consequences attackers alike.
leverages human analyst time. Eos.ii™ adapts
readily to new asset bases and ever-evolving Companies that deploy Eos.ii™ will enjoy re-
threats. With Eos.ii™, CISOs can build a fusion duced cyber risk, at a lower cost than hiring
SOC, overcome the challenges of today, and expertise or developing solutions in-house,
create the stable foundation needed for IoT and with support to keep Eos.ii™ current.
industrial cybersecurity in the future. Forward planning can proceed with better
cost-benefit assessments, and crisis response
Done well, robust industrial IoT cybersecurity can more precisely tailor eradication and
builds trust with other parts of the orga- recovery efforts when breaches occur.
nization. Instead of constantly bothering
OT personnel for assistance, the SOC adds For the energy sector, securing the IoT is an
value by accurately flagging maintenance essential step in ensuring that innovation
concerns. can continue without sacrificing reliability.
Siemens Energy’s Eos.ii™ will help organi-
The SOC gains credibility and the reputa- zations of all sizes address their IoT security
tion for accuracy needed to call for – and needs – strengthening the overall energy
get – sudden shutdowns when a true crisis sector by hardening more links in the value
occurs. With a mature IoT SOC, CISOs can chain.
better quantify the magnitude of threats and
vulnerabilities the SOC discovers, can better Industrial IoT is clearly part of the energy
demonstrate the value their teams add to sector’s future. At Siemens Energy, we’re
the business, and can better keep up with committed to giving CISOs and SOCs the
the changes needed to secure the modern tools they need to make IoT a source of
energy sector. strength, not a hidden liability.
Page 28Intelligent Illumination to Secure Critical Infrastructure
Page 29Eos.ii™ | IoT Monitoring and Detection Page 30
Intelligent Illumination to Secure Critical Infrastructure
Page 31Published by Siemens Energy Inc. 15375 Memorial Drive Houston, TX 77079 United States Subject to changes and errors. The information given in this document only contains general descriptions and / or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the pro- ducts. The requested performance features are binding only when they are expressly agreed upon in the concluded contract. Siemens Energy is a trademark licensed by Siemens AG.
You can also read
