EOS.II MONITORING AND DETECTION PLATFORM - INDUSTRIAL CYBERSECURITY INTELLIGENT ILLUMINATION FOR IOT CYBER DEFENSE - SIEMENS ENERGY ...
Industrial Cybersecurity
Eos.ii™ Monitoring and Detection Platform
Intelligent Illumination for IoT Cyber Defense
About Our Practice
Content

08 The Dawn of Industrial IoT
10 The Energy Industry's Digital Revolution
12 The Complexities of Defending an IoT Environment
14 The IoT Monitoring and Detection Imbalance
16 Building a Fusion SOC to Illuminate Industrial IoT
19 Illuminating the Foundation for IoT Visibility and Context
21 Seeing Through the Fog with Monitoring and Detection
23 The Intelligence Behind Eos.ii™
27 Realizing the Vision of a Fusion SOC
Eos.ii™ | IoT Monitoring and Detection

Executive Summary

Imbuing useful machines with network connectivity and automated monitoring offers tremendous power. We can envision warehouses and retail stores with instant, automatic inventory. Cities where traffic flows steadily because the lights change when vehicles approach. Pipelines that self-report signs of impending failure. Electric grids that seamlessly shift between renewable sources of energy to provide affordable, reliable power with low or zero emissions during peak demand.

These visions are already just expansions of fundamental changes in our economy, currently underway. The reality of physical industrial equipment seamlessly integrated with the digital world is already here and poised to grow.

Energy and critical infrastructure companies are aggressively building an industrial Internet of Things (IoT) to make operations more automated, more flexible and more efficient by seamlessly linking operational technology (OT) to control physical assets with information technology (IT) applications. Yet without IoT cybersecurity monitoring and detection, these ambitions will fail.

Protecting energy and critical infrastructure sectors that run on industrial IoT technology puts Chief Information Security Officers (CISOs) and their existing Security Operations Centers (SOCs) under significant strain. As the IoT business model increasingly integrates physical assets and digital networks, CISOs need entirely different monitoring and detection capabilities to overcome the scale and complexity of securing a hyperconnected world from cyberattacks.

To monitor and secure industrial IoT environments, CISOs will need a new platform that can serve as the foundation of their organization's IoT SOC with the capabilities to address today's vulnerabilities and evolve to meet tomorrow's threats. Leveraging its legacy in engineering and securing energy and critical infrastructure industries for more than 170 years, Siemens Energy has developed a new Security Information and Event Management (SIEM) platform, Eos.ii™.

Eos.ii™ is a scalable and flexible AI-based monitoring and detection platform designed to serve as the foundation for a next-generation fusion IoT SOC. By design, it enables rapid gathering, processing, and prioritizing of actionable intelligence within industrial operating environments. Eos.ii™ is the first SIEM to unify IT and OT monitoring and detection capabilities through machine learning to prioritize high-consequence alerts for human investigation – and enable continuous, site-specific improvement.

Eos.ii™ empowers CISOs and SOCs with the platform and insights needed to scale up security to meet the demands of IoT business models. It offers unmatched capabilities to build and maintain robust, adaptable, and resilient defenses in a fast-moving and competitive IoT future.

Leo Simonovich
Global Head, Industrial Cyber and Digital Security
Siemens Energy
An AI-based monitoring and detection platform purpose-built to serve as the foundation of an IoT fusion SOC for energy and critical infrastructure in an era of persistent cyberattacks.
Acronyms & Definitions

AI
Artificial Intelligence is a field of computer science that uses algorithms to iteratively learn relationships between variables in large datasets.

Fusion SOC
A Fusion SOC is both a strategic and tactical Security Operations Center (SOC) capable of monitoring, detecting and acting on cyber threat intelligence on IT networks and physical assets controlled by OT systems.

CISO
The Chief Information Security Officer is responsible for assessing cyber risks and defending company assets against cyberattacks. Modern CISOs often have responsibility for digital security of people, devices and data.

IT
Information Technologies are technologies for storing, retrieving, or transmitting information. They include personal computers, servers, and communications networks.

Context
Context is the information necessary to understand the operating status of a device, its relationship to linked systems, and the operating status of those connected systems.

IoT
The Internet of Things is a term used to describe IT and OT devices that are networked together to make an integrated whole, allowing for automated feedback loops between multiple devices, automatic inventory, remote management tools, and many other features.
OT
Operating Technologies include equipment with a mechanical or real-world output – for example a turbine, pump, or robotic arm – often controlled by a computer processor built into the equipment.

SOC
A Security Operations Center is the centralized hub of cyberdefenses for an organization. Analysts within a SOC investigate potential threats and take actions to protect assets or recover from attacks.

Precision Defense™
Precision Defense™ is the use of monitoring to identify the extent of intrusions, enabling effective containment, eradication and recovery with the smallest possible collateral impact on business processes.

Unified Threat Stream
A Unified Threat Stream is a data feed that collects information from every monitored component of a system in a centralized and standardized format, translating from disparate source languages and formats as needed.

PSA
Process Security Analytics is the proprietary methodology Siemens Energy uses to analyze IT and OT data to assess which security events will be consequential.

Visibility
Visibility is the ability of an analyst or security operations center to pull real-time information about a device, its operating status, and its context within the larger system.

SIEM
Security Information and Event Management is a category of software platform used to log and analyze data and events relevant to cybersecurity.
The Dawn of Industrial IoT

Seamless Integration of Digital and Physical Worlds

The "internet of things" (IoT) is bringing rapid change to the industrial world – fundamentally and forever shifting all aspects of the economy into digital connectivity.

At its core, IoT is the seamless integration of operational technology (OT) – which is responsible for controlling and commanding physical equipment – with information technology (IT) systems. This integration allows companies to optimize, refine and create efficiency through big data, tailor-made apps and artificial intelligence (AI).

IoT brings big benefits to businesses across industrial sectors – and for cybersecurity, it's also a big change. Previously, digital OT commands running energy assets, heavy machinery or infrastructure facilities were typically sectioned off from network-connected IT systems, with a clear divide between IT and OT assets and their respective security procedures. This divide helped protect OT assets from more frequent and easily executed cyberattacks commonly launched against IT networks.

Digitalization's Achilles Heel

IoT is blurring that division. Energy and critical infrastructure companies are intentionally linking IT and OT to make their operations more automated, more flexible, and ready to launch previously impossible products and processes.

Over 8 billion industrial IoT devices are already in use, and more than a billion are expected to be added this year. As organizations bridge the boundaries between the physical and digital worlds, they are also unavoidably exposing new vulnerabilities to physical assets that had previously been protected from many digital attacks.¹

The confluence of these factors means that industrial IoT gives cyber attackers a pathway – if successful – to cause physical damage that would bring huge and lasting consequences for millions of customers. This makes the energy and critical infrastructure sectors an attractive target for malicious actors, including some backed by nation-states.

1 https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
Intelligent Illumination to Secure Critical Infrastructure

Defending in the Dark

It is no secret that cybersecurity teams tasked with defending industrial IoT environments now have more infrastructure to protect against the backdrop of more frequent, more ferocious attacks. The assets in need of protection have also changed as connectivity is now required for previously isolated devices, and mobility and variability are defining features of previously static assets.

It should not be surprising that CISOs and their teams frequently find a mismatch between their current cyber capabilities, their organization's demands to advance innovative IoT business models – and that attackers seek to exploit these gaps.

This forces the question: How does a CISO overcome the technical obstacles and capability gaps needed to secure digital and physical assets from cyberattacks today and in the future?

Hyperconnectivity Here to Stay

Slowing the pace of change isn't an option. Companies have bet their businesses on expanding IoT capabilities for a competitive advantage in the industrial marketplace.

But most CISOs and cybersecurity personnel come from IT backgrounds with a high degree of expertise securing digital networks, and the security of physical equipment was left to engineers in the field.

For CISOs, their businesses, and their ever-changing assets, the future depends on gaining expertise in physical asset security with relatively new OT-specific cybersecurity technologies and methodologies to get IoT cybersecurity right. That means cybersecurity teams need to master IT and OT monitoring and detection equally amid rapid change and increasing complexity.

Illuminating an Ongoing Revolution

IoT cybersecurity relies on a core concept: defenders must gain visibility and context across an operating environment of physical and digital assets to monitor, detect and act on potential cyberthreats before they execute across an interconnected system.

To mitigate cyberattacks against digital and physical assets, defenders need to see into each and every system. And CISOs need to ensure their teams will have that capability no matter what new technologies their companies add in the future.
The Energy Industry's Digital Revolution

Unlocking the Energy Transition

Oil and gas companies are accelerating the digital connections between existing energy assets – such as pipelines and gas turbines – with cutting-edge digital sensors and IT systems to improve safety, performance and reduce emissions. Utilities already accustomed to balancing electric grids in real time are rapidly connecting smart devices and distributed power sources with sophisticated software systems for variable time-of-use pricing and to increase clean energy penetration.

These trends are only expected to increase as major oil and gas players announce plans to shift away from fossil fuels and towards digital energy platforms, and the titan combustion-engine carmakers plan for all-electric futures.

Exploiting Connected Infrastructure

As the energy and critical infrastructure sectors increasingly depend on the seamless connection between physical and digital assets, malicious actors are taking advantage of the inherent vulnerabilities in a digitally driven energy ecosystem.

In 2021 – in the United States alone – malicious actors have targeted a major oil and gas pipeline, a wastewater treatment facility, and food, manufacturing and critical infrastructure supply chains.² Whether ransomware, supply-chain attacks, denial-of-service or zero-day threats, these attacks are accelerating for a range of reasons – from collateral in broader geopolitical conflict between nations to financial gain.

While motivations differ, criminal gangs and state-supported cyber units understand that vulnerable IoT assets give them the power to not only paralyze entire economies, but also sow chaos for families and businesses across the world.

2 https://cybermagazine.com/top10/10-high-profile-cyber-attacks-2021
A Glimpse Into the Future: The Threat to Critical Infrastructure

How a Cyberattack on an Oil and Gas Pipeline Exposed the World's Vulnerability

In mid-May, millions living up and down the American East Coast experienced the chaos caused by a far-reaching cyberattack targeting critical infrastructure.

A ransomware attack hit a major pipeline company. Unsure if OT or IT systems were compromised, the company feared that malicious actors could gain further access to critical OT control systems. The infrastructure carrying gasoline and jet fuel to nearly a third of the U.S. population was at stake. Rather than operate with uncertainty, the company shut down all operations, stopping all flow of fuel through the pipeline.³

As industry leaders and government officials responded to the unfolding crisis, it only took a few hours for panic to set in – gas lines formed, emergency and critical care services were further stretched in the midst of a global pandemic, and economic security was threatened for millions of businesses and families. The price of gasoline skyrocketed, and filling stations soon ran out of supply. In response, the federal government declared a state of emergency. State governments put in place policies to increase oil and gas supplies by tanker trucks and dissuaded citizens from panic buying fuel.

The pipeline remained shut down for six days while teams of investigators diagnosed the problem and negotiated a ransom. In Congressional testimony, the pipeline company's executives revealed that the cause of the attack was a lack of cyber hygiene – an employee failed to enact two-factor authentication to help protect the company's software.⁴

The ransomware attack successfully breached the organization's IT network, but luckily never infiltrated OT systems or physical energy infrastructure.⁵ However, the incident forced the company to shut down all operations on the suspicion that malicious actors had access to sensitive OT infrastructure. The lack of visibility and context into the attack inflicted financial losses in the millions due to the ransomware payment, more than seven days of system-wide downtime and significant reputational damage.

3 https://www.gao.gov/blog/colonial-pipeline-cyberattack-highlights-need-better-federal-and-private-sector-preparedness-infographic
4 https://www.hsgac.senate.gov/hearings/threats-to-critical-infrastructure-examining-the-colonial-pipeline-cyber-attack
5 https://us-cert.cisa.gov/ncas/alerts/aa21-131a
The Complexities of Defending an IoT Environment

Securing A New Nonlinear Frontier

Before the rise of industrial IoT business models, cyber security teams mostly knew and understood the threat landscape they were responsible for defending, and built the right capabilities for that task. But the promise of industrial IoT calls for an environment where every piece of equipment and software can connect with any other equipment – and can trust that connection.

Facilities that used to have centralized controls now use remote access for routine workflows. Physical equipment that was previously air-gapped is now networked. Apps and networked endpoints in the hands of consumers and users must connect to company assets to fulfill their intended functions.

Industrial IoT operating environments now rely on hyperconnectivity, an intermeshed network of connected legacy and digitally native assets, and extreme flexibility to allow network access to non-stationary and intermittent IT and OT technologies owned by a company, used by its customers and integrated with third parties.

These same defining features of powerful IoT business models often leave organizations vulnerable to cyberattacks, and CISOs without the capabilities needed to defend a typical industrial IoT portfolio. As the threat landscape changes dramatically, CISOs need to balance closing the gaps between current capabilities, growing responsibilities to support innovative business models, and countering evolving threats.

A hyperconnected operating environment
Industrial IoT fundamentally changes the need for humans to manage connections between physical and digital assets as connected devices will automatically exchange information to optimize workflows. Market forecasters project 25 billion industrial IoT devices by 2030.⁶

Mobile and variable assets
Like the move from landlines to cell phones, the IoT future means the devices connected to an industrial network will change from day to day – or even minute by minute. The business benefits of industrial IoT depend on supporting and defending this flexibility.

A mix of legacy and new equipment
Older systems retrofitted for IoT and integrated with newer, digitally native technologies will remain as infrastructure backbones. Both old and new equipment need cutting-edge defenses against evolving threats.

6 www.statista.com/statistics/1183457/iot-connected-devices-worldwide
The IoT Monitoring and Detection Imbalance

The foundation of IoT cybersecurity is understanding the two-way relationship between the digital and physical worlds, and then monitoring those relationships to detect and act on threats. For most CISOs using existing SOC capabilities, gaining insight into all physical devices and digital networks that comprise an IoT operating environment is an overwhelmingly complex technical and capability challenge. The result is that most IoT SOCs can't see a complete picture of what's happening in their systems – and can't defend what they can't see.

Poor Visibility and Unseen Threats Mask Physical and Digital Assets

To monitor and detect threats in time to prevent an attack requires two key elements – visibility and context. Security teams need visibility into every physical and digital node connected to their network. Then they need to combine billions of data points into a unified threat stream so analysts in a SOC can understand from context whether anomalous behavior poses a threat or is a benign change in production workflow.

Lacking a Unified Threat Stream

Creating a unified threat stream is a significant technical challenge for most IoT SOCs because raw OT and IT data speak separate languages that were never intended to be analyzed together. Yet without unifying these data streams, defenders can't contextualize anomalies between commands sent to OT controlling physical assets and IT software linked to this data – and subsequently will miss attackers who are actively exploring the network in search of vulnerabilities.

Until now, creating a unified threat stream in a hyperconnected environment has not been possible in most SOCs because OT-specific monitoring and detection technologies were too immature and required specialized technical expertise in physical assets. Even as emerging AI-based solutions helped overcome many of these challenges, few have the capability to sync heterogeneous IT and OT data streams.

Fog Surrounds Defenders without Equal Detection Capabilities

Most organizations seeking to expand monitoring and detection in IoT environments suffer from a capability gap when it comes to IT and OT technology deployment and expertise. While even organizations with a business model firmly grounded in owning and operating physical assets struggle with OT security, the vast majority of CISOs struggle to apply IT cybersecurity methodologies to physical equipment in IoT environments.

Imbalanced Maturity

CISOs without a foundation in securing physical assets from cyberattacks often find themselves in one of several technological or capability gaps.

In the least mature organizations, CISOs are asked to expand security for IoT environments without deploying any new OT-specific monitoring capabilities; while others use IT monitoring approaches in the field as a solution to satisfy regulatory requirements or believe that more specialized approaches are too costly or are unnecessary for complete defense.

In more sophisticated organizations, CISOs will monitor IT and OT assets side by side in a SOC built for IT security, and manually analyze data streams. Finally, the most mature organizations have custom monitoring approaches where they analyze physical and digital relationships in a massive data pool, but lack the rigorous methods to effectively apply insights.

While gaps between IT and OT monitoring and detection capabilities leave operating environments exposed to cyberattacks, the true capacity gap most CISOs lack is an ability to equally understand – and act on – threats in both the physical and digital worlds under a unified platform.
Defense Gap Leaves Assets in the Dark

Lacking Equal Expertise in Defending the Physical and Digital Worlds Frequently Leaves IT Networks Protected and OT Assets Exposed
Building a Fusion SOC to Illuminate Industrial IoT

To overcome the obstacles of building robust IoT monitoring, CISOs need to understand if any singular command – out of billions occurring between a given physical and digital asset – represents a cyberattack.

This type of real-time protection requires solving several interlocking challenges simultaneously, including synthesizing heterogeneous data flows into a unified threat stream, equal expertise in IT and OT systems to rapidly draw insight, and acting on threat intelligence in the SOC and in the field.

Analyzing Threats Under a Single Pane of Glass

For CISOs, building a single-pane-of-glass system to monitor and detect threats across their enterprise will require reimagining their existing SOCs.

A CISO can expect the assets and environments under their defensive umbrellas to change frequently as the digital revolution speeds along its exponential growth curve. Threats aiming to exploit this progress will undergo similar rapid changes to adeptly maneuver around more sophisticated defenses. Rather than trying to adopt the latest cyber solution each time threats evolve, defenders need a platform that can serve as an enduring foundation for IoT security.

Any approach to IoT cybersecurity must integrate IT and OT monitoring and detection within a fusion SOC. That means bringing together otherwise incompatible data sources, empowering analysts to defend each layer of their organization's technology stack within a constantly evolving threat detection engine capable of accomplishing these tasks with speed and accuracy amid constant change.

Fusion SOCs will bring together IT and OT cyber capabilities to provide human analysts with efficient and powerful tools to investigate and act on threats in ways that minimize disruption to operations and adapt to evolving threat environments.

The Intelligent SIEM to Illuminate IoT Cyberattacks

Siemens Energy's Eos.ii™ industrial cyber-defense platform enables CISOs to bridge this physical – digital divide, and illuminate the IoT operating environment so defenders can act on threats before they execute.

Eos.ii™ is a scalable AI-driven Security Information and Event Management (SIEM) platform that serves as the foundation for a Fusion SOC, providing defenders with complete monitoring and detection capabilities through a single-pane-of-glass interface that provides clear and in-depth insights to take action against cyberattacks.

This gives CISOs and cyber analysts working in a fusion SOC the power needed to investigate suspicious events, and permanently bolster defenses for their unique IoT operating environments.

Automation at Scale
Siemens Energy's technical mastery combined with machine learning automates routine tasks to ingest, prioritize and present huge volumes of information. Analysts immediately hone in on high-consequence events.

Intelligence to Act
Eos.ii™ actively draws analyst attention to high-consequence events while giving analysts the scope of visibility and depth of context needed to identify and act on threats.

Illumination of Physical-Digital Relationships
Siemens Energy's OT knowledge base guides design, enabling existing IT staff to understand and investigate the context of anomalies in the IT and OT foundations of industrial IoT.
SIEM with IT Capabilities compared with SIEM with OT and IT Capabilities

Continuous Monitoring
SIEM with IT capabilities: More data provides a basis for anomaly detection across network and vulnerability data sources.
SIEM with OT and IT capabilities: Knowing which data sources and what data points is the first step – network, asset, control system, and process.

Detection and Alerting
SIEM with IT capabilities: Alerts are more frequent and can be noisier than OT alerts.
SIEM with OT and IT capabilities: Detection requires comprehensive data collection across physical and digital sources.

Triage and Investigation
SIEM with IT capabilities: Prioritization is focused on scale and fewer mission-critical functions are at stake.
SIEM with OT and IT capabilities: Every alert is critical and warrants a deep investigation into potential safety and reliability impacts.

Response and Recovery
SIEM with IT capabilities: Digital responses are usually well-defined to quarantine and neutralize threats.
SIEM with OT and IT capabilities: Response can include physical and digital steps to protect operations.
Illuminating the Foundation for IoT Visibility and Context

Creating Visibility in a Hybrid Environment

The immediate need in most SOCs is to close the gap in OT capabilities, and then bring together OT and IT visibility and context within a fusion SOC to identify and evaluate anomalies. Unlike operating environments that rely on either IT or OT expertise, a fusion SOC must communicate in terms accessible to the people who need to take action on both the physical and digital realms.

Eos.ii™ provides the needed foundation for an IoT SOC, starting by mastering the daunting technical feat of creating a unified threat stream. A unified threat stream illuminates OT and IT data sources, giving analysts visibility into the full chain of cause and effect when IoT assets interact. While gathering and processing data for IT and OT goes through similar stages, the mechanics of these workflows differ and require analysis through separate algorithms before defenders can fully understand the collated data.

Using a proprietary method called Process Security Analytics (PSA), Siemens Energy systematically standardizes, collates, and analyzes OT and IT data to reveal anomalous behaviors and patterns that match known cyberattacks.

PSA methodology allows defenders to use context to differentiate between normal fluctuations and active threats, even when signals cut across hybrid environments. Workflows can draw on unified and expanded IoT visibility to prioritize high-consequence events for human investigation.

Each action attackers take to probe the IoT network offers signals about what that attacker intends. In a fully successful IoT SOC, personnel can recognize these signals, correctly predict how the attack will unfold, assess its potential impacts and – if needed – take action fast enough to block those impacts.

Intelligence to Act with a Unified Threat Stream
Eos.ii™ gives analysts the scope of visibility and depth of context needed to identify and act on threats.
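The two ideas above, a unified threat stream (also raised under "Lacking a Unified Threat Stream") and visibility into the chain of cause and effect between IT and OT events, can be made concrete with a small normalizer. The following is an added example written for this page; it is not Eos.ii™ or Siemens Energy code and does not describe how PSA works. It translates one constructed IT syslog-style authentication line format and one constructed OT historian CSV row format into a common event record, sorts both into a single time-ordered stream, and links an OT setpoint write back to the most recent successful login on the host that issued it. Every hostname, address, tag name and log format here is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records in two source "languages" (not real telemetry):
# IT authentication lines in a syslog-like format, and OT historian rows as CSV.
IT_SYSLOG = [
    "2024-03-04T10:02:11Z ews-01 sshd[412]: Accepted password for maint from 10.20.5.7 port 51022",
    "2024-03-04T10:05:40Z hmi-02 sshd[98]: Failed password for root from 10.20.5.7 port 51100",
]
OT_HISTORIAN = [
    # timestamp,asset,operation,tag,value,originating host
    "2024-03-04T10:03:02Z,plc-07,setpoint_write,turbine_speed_rpm,3600,ews-01",
    "2024-03-04T10:40:00Z,plc-07,tag_read,turbine_speed_rpm,3598,hist-01",
]


@dataclass
class Event:
    """One record of the unified stream: the same fields whatever the source."""
    ts: datetime
    source: str            # "it" or "ot"
    asset: str             # device the event is about
    action: str            # normalized verb, e.g. auth_accepted, setpoint_write
    actor: str             # who or what initiated it (user@host or a host name)
    detail: dict = field(default_factory=dict)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


SYSLOG_RE = re.compile(
    r"^(\S+) (\S+) (\w+)\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+) port \d+$"
)


def normalize_syslog(line):
    """IT side: translate an sshd authentication line into an Event (None if it is not one)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, proc, result, user, src = m.groups()
    return Event(parse_ts(ts), "it", host, f"auth_{result.lower()}", f"{user}@{src}",
                 {"process": proc})


def normalize_historian(row):
    """OT side: translate a historian CSV row into an Event with the same shape."""
    ts, asset, op, tag, value, origin = row.split(",")
    return Event(parse_ts(ts), "ot", asset, op, origin, {"tag": tag, "value": float(value)})


def unified_stream(it_lines=IT_SYSLOG, ot_rows=OT_HISTORIAN):
    """Merge both sources into one time-ordered stream."""
    events = [e for e in map(normalize_syslog, it_lines) if e is not None]
    events += [normalize_historian(r) for r in ot_rows]
    return sorted(events, key=lambda e: e.ts)


def chain_it_to_ot(stream, window=timedelta(minutes=10)):
    """Context: for each OT setpoint write, find the most recent successful IT login
    on the host that issued the write, inside the window. This is the cause-and-effect
    link an analyst needs in order to judge whether the write was expected."""
    chains = []
    for ot in stream:
        if ot.source != "ot" or ot.action != "setpoint_write":
            continue
        logins = [e for e in stream
                  if e.source == "it" and e.action == "auth_accepted" and e.asset == ot.actor
                  and timedelta(0) <= ot.ts - e.ts <= window]
        if logins:
            login = max(logins, key=lambda e: e.ts)
            chains.append({"login": login.actor, "via": login.asset, "wrote": ot.detail["tag"],
                           "on": ot.asset, "lag_s": (ot.ts - login.ts).total_seconds()})
    return chains


if __name__ == "__main__":
    for link in chain_it_to_ot(unified_stream()):
        print(link)
```

On the constructed input the stream interleaves the two sources by time, and the setpoint write on plc-07 is linked to the maint login on ews-01 51 seconds earlier; the failed root login on hmi-02 produces no chain because no OT write originated from that host. A real normalizer would carry many more source formats, but the shape stays the same: one record type, one clock, and correlation keyed on the asset names that both worlds share.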
Seeing Through the Fog with Monitoring and Detection

Moving from Visibility and Context to Monitoring and Detection

Monitoring and detecting threats requires understanding current conditions, and then comparing them against past threats and normal baselines to illuminate what's suspicious.

Comparing historical and current asset conditions requires a built-for-purpose platform that uses AI, ML and predictive analytics to identify anomalies within seconds of detection. Eos.ii™ illuminates both the depth and breadth of an install base, bringing together automation with the incisiveness of human intelligence to hunt for any trace of malware.

The Power of the Eos.ii™ Detection Engine

With AI at its core, Eos.ii™ is designed to make sense of billions of data points that comprise physical and digital relationships in industrial environments, correlating abnormalities that would be otherwise imperceptible to cyber analysts.

In one real-world example, a SOC analyst using Eos.ii™ detected a problem with firewall hardware at a power plant. The hardware was rated for 55 degrees Celsius, but running above 70 degrees. This made the power plant's control system vulnerable to crashes when the firewall overheated. If this system failed during power production, the company would not be eligible for payment – a potential loss of millions of dollars per hour. Eos.ii™ helped analysts determine this was not an attack, and prompted corrective maintenance that strengthened ongoing cyber readiness.

Built to Adapt to Emerging Threats

When new threats are identified anywhere in the world, the Eos.ii™ detection engine automatically evaluates the vulnerability of an organization's install base and can anticipate anomalous behavior. When these threat signatures – known or novel – are detected, Eos.ii™ can identify asset exposure within an operating environment and generate an alert for human attention.
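The firewall example above comes down to two comparisons, a reading against the asset's rating and against its own historical baseline, followed by a context check that decides whether the anomaly is a security matter or a maintenance one. This added example shows that logic in Python; it is not Eos.ii™ code and does not reproduce the platform's detection engine. The asset inventory, the temperature history, the readings and the empty list of correlated security events are all constructed for the example, and the 3-sigma threshold is an assumption chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed asset inventory: the attribute we need is the manufacturer's rated
# maximum operating temperature (not real plant data).
ASSETS = {"fw-plant-01": {"type": "firewall", "rated_max_c": 55.0}}

# Constructed hourly temperature history used as the per-asset "normal" baseline.
HISTORY = {"fw-plant-01": [41.0, 42.5, 43.0, 41.5, 42.0, 44.0, 43.5, 42.0]}

# Constructed current readings: (asset, timestamp, degrees Celsius).
CURRENT = [
    ("fw-plant-01", "2024-03-04T10:00:00Z", 71.2),
    ("fw-plant-01", "2024-03-04T11:00:00Z", 43.1),
]

# Constructed list of IT security events correlated to each asset in the same window.
# An empty list means the unified stream shows nothing suspicious touching the asset.
SECURITY_EVENTS = {"fw-plant-01": []}


def baseline(history):
    """Mean and population standard deviation of past readings."""
    return mean(history), pstdev(history)


def evaluate(asset, reading, history, security_events, k=3.0):
    """Compare one reading against the asset's rating and its statistical baseline,
    then use context to say whether the anomaly looks operational or security-related."""
    mu, sigma = baseline(history)
    rated = ASSETS[asset]["rated_max_c"]
    reasons = []
    if reading > rated:
        reasons.append("exceeds_rating")
    if sigma > 0 and (reading - mu) / sigma > k:
        reasons.append("outside_baseline")
    if not reasons:
        return {"asset": asset, "reading_c": reading, "anomaly": False}
    # Context decides the category: an overheating device with no correlated
    # security signal is a maintenance problem, not an attack.
    category = "security" if security_events else "operational"
    return {
        "asset": asset,
        "reading_c": reading,
        "anomaly": True,
        "reasons": reasons,
        "category": category,
        "recommended": "investigate" if category == "security" else "corrective maintenance",
    }


def run(current=CURRENT):
    return [evaluate(a, v, HISTORY[a], SECURITY_EVENTS.get(a, [])) for a, _, v in current]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The 71.2 degree reading is flagged for both reasons and, with no correlated security events, is routed to corrective maintenance; the 43.1 degree reading sits inside the baseline and is not an anomaly. Passing a non-empty list of correlated security events for the same reading flips the category to "security", which is the distinction the page says analysts need context to make.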
Eos.ii™ Platform

Platform modules provide the backbone to generate insights and drive actionable intelligence

Topology Search
Quickly search for assets, anomalies, vulnerabilities, and other data across fleets.

Investigations
Use data search and correlation tools to conduct deep investigations into specific assets.

Plant Data Visualizer
Review data visualizations from physical and digital assets in one place for enhanced context.

Tuner
Easily build new rules, tune ML models, and enhance capabilities for specific sites and assets.

Threat Intelligence
Compare site activity to known signatures and review historic data for new signatures.

Alert Management
Automatically detect events and correlate them for analyst review.
The Intelligence Behind Eos.ii™

Eos.ii™ brings together key capabilities in an integrated platform. Automation detects events, prioritizes potential threats and alerts analysts to investigate the most consequential anomalies.

Combined, these modules make it easy for analysts to perform quick, deep analyses, relate their findings to the big picture, and adjust defenses to perform the same analysis automatically going forward. Each advances the state of the art for industrial IoT monitoring and detection – and like IoT, the combination is even more powerful than any single feature.

Eos.ii™ enables analysts in an IoT fusion SOC to move seamlessly from discovering a new threat to confirming its absence in protected networks to updating automated defenses. Its powerful detection engine and easy adaptability offer unprecedented ability to stay on top of changing circumstances – from new assets to new threats.

Automation on Scale
Manage alert prioritization to improve alert response time and avoid alert fatigue. Tailoring new rules – including machine learning rules – continuously strengthens defenses.

Intelligence to Act
Automate proactive decision making with intelligence, domain-specific playbooks and threat hunting workflows. Context-driven intelligence means active threat hunting becomes a larger share of analyst time.

Illumination of Physical-Digital Relationships
Quickly search and understand the relationships between devices – their location in the plant, and how they link up physically and digitally. Search by time and attribute lets analysts immediately scrutinize relevant devices when new threats are discovered.
The Detection Engine for Industrial IoT

Although most alerts don’t require cybersecurity responses, defenders need to quickly home in on those that do. SOC analysts can rely on Eos.ii™ to automatically sift through volumes of security events and alerts that occur in industrial IoT systems, using its library of asset attributes, topology, and known threat profiles to assess which events will be high consequence. This means Eos.ii™ can distinguish between similar alerts – giving low priority to a single wind turbine wearing out its bearings, but high priority to a wind farm inadvertently infested with malware during a site visit.

AI Insights and Tuning

The core of Eos.ii™ is a rules-based detection engine drawn from OT knowledge and sophisticated machine learning. Pre-built rules leverage generations of Siemens Energy engineering knowledge to alert SOC personnel of suspicious or dangerous OT conditions. Meanwhile, Eos.ii’s machine learning detection engine teaches itself the normal pattern of relationships between variables based on real-world operating data, automatically tailoring anomaly detection to the specific sites and assets under protection.

In the event that a company is hit with a completely novel attack that does not match known IT signatures, Eos.ii’s automatic detection engine would alert human investigators as soon as the attack begins to affect OT assets – and would aid analysts in diagnosing the events. Along with IT forensics and signature-based detection, Eos.ii™ enables a digital twin comparison – comparing a virtual model of the worksite against real-world data.

Threat-Hunting – Getting Ahead of Attackers

Defenders equipped with a detailed and constantly updating understanding of their systems get to shift from a reactive stance to a predictive, prescriptive stance. Instead of waiting for an attack where the impacts are unmistakable, defenders can hunt for subtle signs of intrusions underway. Defenders can use Eos.ii™ to identify the intent of a probing attacker earlier in their attack process, when a SOC has more options to limit the extent of intrusions and strengthen preventive measures.

Eos.ii™ Makes Threat-Hunting Faster and More Powerful

Instead of needing to log into several systems or call OT workers to check on conditions, analysts can examine all the attributes and status of assets within a single pane of glass. Visualizations and easy navigation allow analysts to rapidly toggle between deep-dive investigations and their big-picture implications.

With Eos.ii, the previously difficult process of correlating security, process, and control system data becomes easy.

The combination of powerful investigative tools, prioritized alerts, and automated, scalable tuning reduces the number of SOC staff needed and exposure to alert fatigue, while enhancing the expertise and capabilities of analysts on the detection team.
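The consequence-based triage described above (asset attributes, topology and known threat profiles deciding which alerts an analyst sees first) can be sketched as follows. This is an added illustration, not Siemens Energy’s or Eos.ii’s code; the asset inventory, topology links, profile weights, score thresholds and sample alerts are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
# Constructed inventory: asset criticality (1-5) and topology links.
# Names and values are illustrative, not taken from any real plant.
ASSETS = {
    "WTG-07": 2, "WTG-08": 2, "WTG-09": 2,  # individual wind turbines
    "FARM-A-SCADA": 5,                     # site SCADA server
    "FARM-A-ENG-WS": 4,                    # engineering workstation
}
LINKS = {  # directed links: asset -> peers reachable digitally or physically
    "FARM-A-SCADA": {"WTG-07", "WTG-08", "WTG-09", "FARM-A-ENG-WS"},
    "FARM-A-ENG-WS": {"FARM-A-SCADA"},
    "WTG-07": set(), "WTG-08": set(), "WTG-09": set(),
}
# Known threat profiles with weights; a plain maintenance condition is the floor.
THREAT_PROFILES = {"malware-signature": 4, "unsigned-firmware": 3, "maintenance-condition": 1}

@dataclass
class Alert:
    asset: str
    profile: str
    detail: str

def blast_radius(asset):
    """Assets reachable from `asset` over topology links, itself included."""
    seen, queue = {asset}, deque([asset])
    while queue:
        for peer in LINKS.get(queue.popleft(), ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return len(seen)

def consequence(alert):
    """Score = asset criticality x reachable assets x threat-profile weight."""
    return ASSETS[alert.asset] * blast_radius(alert.asset) * THREAT_PROFILES[alert.profile]

def priority(alert):
    """Bucket the score so analysts see high-consequence events first."""
    s = consequence(alert)
    return "high" if s >= 40 else "medium" if s >= 10 else "low"

def triage(alerts):
    """Order alerts for analyst review, highest consequence first."""
    return sorted(alerts, key=consequence, reverse=True)

SAMPLE = [  # constructed alerts mirroring the brochure's two cases
    Alert("WTG-07", "maintenance-condition", "bearing vibration trending up"),
    Alert("FARM-A-ENG-WS", "malware-signature", "known signature seen after site visit"),
]
```

Running triage(SAMPLE) ranks the workstation signature match (score 80, high: it can reach the SCADA server and every turbine) above the single turbine bearing alert (score 2, low).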
Insights into Action with Precision Defense™

Stopping Threats Before They Execute

The value of an AI-powered detection engine is its ability to provide actionable intelligence in time for defenders to get ahead of attackers. This means analysts get to act on threats they have discovered, interrupt attacks underway and adapt defenses in real time.
Realizing the Vision of a Fusion SOC

Acting on Intelligence

The pipeline ransomware attack described earlier forced a tough choice on the company moving nearly half of the fuel needed to power the eastern United States. Unsure whether the attack had spread from its IT networks to affect pipeline infrastructure and controls, the company chose to halt fuel deliveries, leading to gas-pump shortages.

This attack illustrates the need for Precision Defense™ capabilities. Monitoring and detection that can determine the extent of a breach can guide narrowly targeted responses. Without such capabilities, companies are left blind. Leaders end up being forced to choose between doing nothing – leaving worker safety and critical equipment exposed to ongoing malicious actions – or deploying brute-force solutions like a sweeping shutdown.

The value of an AI-powered detection engine is its ability to provide actionable intelligence in time for defenders to get ahead of attackers. This means analysts get to act on threats they have discovered, interrupt attacks underway and adapt defenses in real time. With each threat mitigated, the fusion SOC becomes better prepared to block attacks.

Precision Defense™ for Right-Sized Interventions

The unparalleled ability to investigate IoT with visibility into both OT and IT subsystems enables greater precision for threat detection – and the insights needed for proportionate action.

Determining the source and scope of a problem is a key step in selecting a corrective response in IoT systems. Unlike IT systems, which readily withstand abrupt shutdowns, pulling the plug on physical assets is typically a costly measure reserved for last resort. A precision defense approach seeks to address exactly the affected systems – no more and no less. If an intrusion reached only one pumping station, or only breached a sales database, there’s no need to shut down an entire pipeline.

Rapid Responses and Perpetual Improvements

In these investigations, speed and quality both matter. Rapid, early detection can limit intrusions to a few isolated systems. Thorough, high-quality monitoring gives leaders the confidence that small, precise interventions will strike the right balance between eradicating threats and minimizing operational disruption.

Eos.ii™ empowers analysts to rapidly detect and understand an attack anywhere in the IoT portfolio, mapping its scope and tracing the timing and attack vector – the information needed for high-confidence precision defense.

Eos.ii™’s immediate adaptability – to novel attacks, to threats observed elsewhere, and to site-specific equipment – means that SOC personnel can take prescriptive, preventive action to block future attacks and scour systems looking for intrusions previously overlooked.

Full visibility and forward modeling of digital-physical interactions turn IoT complexity into a home-field advantage for defenders. When SOC personnel analyze the real-time status and logged histories of any aspect of the digital or physical assets under their protection, attackers have nowhere to hide.
A SOC Greater than the Sum of its Parts

Eos.ii™ transforms the interlocking challenges of industrial IoT cybersecurity into core strengths. It tames the tangle of mismatched languages, provides visibility into obscure corners of OT, and illuminates the meaning of OT data for IT analysts.

Automating routine tasks and prioritizing alerts based on expected consequences leverages human analyst time. Eos.ii™ adapts readily to new asset bases and ever-evolving threats. With Eos.ii™, CISOs can build a fusion SOC, overcome the challenges of today, and create the stable foundation needed for IoT industrial cybersecurity in the future.

Done well, robust industrial IoT cybersecurity builds trust with other parts of the organization. Instead of constantly bothering OT personnel for assistance, the SOC adds value by accurately flagging maintenance concerns. The SOC gains credibility and the reputation for accuracy needed to call for – and get – sudden shutdowns when a true crisis occurs. With a mature IoT SOC, CISOs can better quantify the magnitude of threats and vulnerabilities the SOC discovers, can better demonstrate the value their teams add to the business, and can better keep up with the changes needed to secure the modern energy sector.

Eos.ii™ provides CISOs with the foundation needed to begin building a predictive SOC, and to strive for continuous improvement. As Eos.ii™ learns the baselines for work sites, and as IT staff become proficient in understanding IoT interactions and diagnosing attacker intent, defenders will be increasingly able to predict the behavior of assets and attackers alike.

Companies that deploy Eos.ii™ will enjoy reduced cyber risk, at a lower cost than hiring expertise or developing solutions in-house, and with support to keep Eos.ii™ current. Forward planning can proceed with better cost-benefit assessments, and crisis response can more precisely tailor eradication and recovery efforts when breaches occur.

For the energy sector, securing the IoT is an essential step in ensuring that innovation can continue without sacrificing reliability. Siemens Energy’s Eos.ii™ will help organizations of all sizes address their IoT security needs – strengthening the overall energy sector by hardening more links in the value chain.

Industrial IoT is clearly part of the energy sector’s future. At Siemens Energy, we’re committed to giving CISOs and SOCs the tools they need to make IoT a source of strength, not a hidden liability.
Published by Siemens Energy Inc.
15375 Memorial Drive
Houston, TX 77079
United States

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract. Siemens Energy is a trademark licensed by Siemens AG.