EOS.II MONITORING AND DETECTION PLATFORM - INDUSTRIAL CYBERSECURITY INTELLIGENT ILLUMINATION FOR IOT CYBER DEFENSE - SIEMENS ENERGY ...

Industrial Cybersecurity

EOS.ii™ Monitoring
and Detection Platform
Intelligent Illumination for IoT Cyber Defense

About Our Practice
Content

08   The Dawn of Industrial IoT

10   The Energy Industry’s Digital Revolution

12   The Complexities of Defending an IoT Environment

14   The IoT Monitoring and ­Detection Imbalance

16   Building a Fusion SOC to Illuminate Industrial IoT

19   Illuminating the Foundation for IoT Visibility and Context

21   Seeing Through the Fog with Monitoring and Detection

23   The Intelligence Behind Eos.ii™

27   Realizing the Vision of a Fusion SOC
Eos.ii™ | IoT Monitoring and Detection

Executive Summary

Imbuing useful machines with network connectivity and automated monitoring offers tremendous power. We can envision warehouses and retail stores with instant, automatic inventory. Cities where traffic flows steadily because the lights change when vehicles approach. Pipelines that self-report signs of impending failure. Electric grids that seamlessly shift between renewable sources of energy to provide affordable, reliable power with low or zero emissions during peak demand.

These visions are already just expansions of fundamental changes in our economy, currently underway. The reality of physical industrial equipment seamlessly integrated with the digital world is already here and poised to grow.

Energy and critical infrastructure companies are aggressively building an industrial Internet of Things (IoT) to make operations more automated, more flexible and more efficient by seamlessly linking operational technology (OT) to control physical assets with information technology (IT) applications. Yet without IoT cybersecurity monitoring and detection, these ambitions will fail.

Protecting energy and critical infrastructure sectors run on industrial IoT technology puts Chief Information Security Officers (CISOs) and their existing Security Operations Centers (SOCs) under significant strain. As the IoT business model increasingly integrates physical assets and digital networks, CISOs need entirely different monitoring and detection capabilities to overcome the scale and complexity of securing a hyperconnected world from cyberattacks.

To monitor and secure industrial IoT environments, CISOs will need a new platform that can serve as the foundation of their organization’s IoT SOC with the capabilities to address today’s vulnerabilities and evolve to meet tomorrow’s threats. Leveraging its legacy in engineering and securing energy and critical infrastructure industries for more than 170 years, Siemens Energy has developed a new Security Information and Event Management (SIEM) platform, Eos.ii™.

Eos.ii™ is a scalable and flexible AI-based monitoring and detection platform designed to serve as the foundation for a next-generation fusion IoT SOC. By design, it enables rapid gathering, processing, and prioritizing of actionable intelligence within industrial operating environments. Eos.ii™ is the first SIEM to unify IT and OT monitoring and detection capabilities through machine learning to prioritize high-consequence alerts for human investigation – and enable continuous, site-specific improvement.

Eos.ii™ empowers CISOs and SOCs with the platform and insights needed to scale up security to meet the demands of IoT business models. It offers unmatched capabilities to build and maintain robust, adaptable, and resilient defenses in a fast-moving and competitive IoT future.

Leo Simonovich
Global Head, Industrial Cyber and Digital Security
Siemens Energy

An AI-based monitoring and detection platform
purpose-built to serve as the foundation of an
IOT fusion SOC for energy and critical infrastructure
in an era of persistent cyberattacks.
Acronyms & Definitions

AI
Artificial Intelligence is a field of computer science that uses algorithms to iteratively learn relationships between variables in large datasets.

CISO
The Chief Information Security Officer is responsible for assessing cyber risks and defending company assets against cyberattacks. Modern CISOs often have responsibility for digital security of people, devices and data.

Context
Context is the information necessary to understand the operating status of a device, its relationship to linked systems, and the operating status of those connected systems.

Fusion SOC
A Fusion SOC is both a strategic and tactical Security Operations Center (SOC) capable of monitoring, detecting and acting on cyber threat intelligence on IT networks and physical assets controlled by OT systems.

IT
Information Technologies are technologies for storing, retrieving, or transmitting information. They include personal computers, servers, and communications networks.

IoT
The Internet of Things is a term used to describe IT and OT devices that are networked together to make an integrated whole, allowing for automated feedback loops between multiple devices, automatic inventory, remote management tools, and many other features.

OT
Operating Technologies include equipment with a mechanical or real-world output – for example a turbine, pump, or robotic arm – often controlled by a computer processor built into the equipment.

Precision Defense™
Precision Defense™ is the use of monitoring to identify the extent of intrusions, enabling effective containment, eradication and recovery with the smallest possible collateral impact on business processes.

PSA
Process Security Analytics is the proprietary methodology Siemens Energy uses to analyze IT and OT data to assess which security events will be consequential.

SIEM
Security Information and Event Management is a category of software platform used to log and analyze data and events relevant to cybersecurity.

SOC
A Security Operations Center is the centralized hub of cyberdefenses for an organization. Analysts within a SOC investigate potential threats and take actions to protect assets or recover from attacks.

Unified Threat Stream
A Unified Threat Stream is a data feed that collects information from every monitored component of a system in a centralized and standardized format, translating from disparate source languages and formats as needed.

Visibility
Visibility is the ability of an analyst or security operations center to pull real-time information about a device, its operating status, and its context within the larger system.


The Dawn of Industrial IoT

Seamless Integration of Digital and Physical Worlds

The “internet of things” (IoT) is bringing rapid change to the industrial world – fundamentally and forever shifting all aspects of the economy into digital connectivity.

At its core, IoT is the seamless integration of operational technology (OT) – which is responsible for controlling and commanding physical equipment – with information technology (IT) systems. This integration allows companies to optimize, refine and create efficiency through big data, tailor-made apps and artificial intelligence (AI).

IoT brings big benefits to businesses across industrial sectors – and for cybersecurity, it’s also a big change. Previously, digital OT commands running energy assets, heavy machinery or infrastructure facilities were typically sectioned off from network-connected IT systems, with a clear divide between IT and OT assets and their respective security procedures. This divide helped protect OT assets from more frequent and easily executed cyberattacks commonly launched against IT networks.

Digitalization’s Achilles Heel

IoT is blurring that division. Energy and critical infrastructure companies are intentionally linking IT and OT to make their operations more automated, more flexible, and ready to launch previously impossible products and processes.

Over 8 billion industrial IoT devices are already in use, and more than a billion are expected to be added this year. As organizations bridge the boundaries between the physical and digital worlds, they are also unavoidably exposing new vulnerabilities to physical assets that had previously been protected from many digital attacks.¹

The confluence of these factors means that industrial IoT gives cyber attackers a pathway – if successful – to cause physical damage that would bring huge and lasting consequences for millions of customers. This makes the energy and critical infrastructure sectors an attractive target for malicious actors, including some backed by nation-states.

1 https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/

Intelligent Illumination to Secure Critical Infrastructure

Defending in the Dark

It is no secret that cybersecurity teams tasked with defending industrial IoT environments now have more infrastructure to protect against the backdrop of more frequent, more ferocious attacks. The assets in need of protection have also changed as connectivity is now required for previously isolated devices, and mobility and variability are defining features of previously static assets.

It should not be surprising that CISOs and their teams frequently find a mismatch between their current cyber capabilities, their organization’s demands to advance innovative IoT business models – and that attackers seek to exploit these gaps.

This forces the question: How does a CISO overcome the technical obstacles and capability gaps needed to secure digital and physical assets from cyberattacks today and in the future?

Hyperconnectivity Here to Stay

Slowing the pace of change isn’t an option. Companies have bet their businesses on expanding IoT capabilities for a competitive advantage in the industrial marketplace.

But most CISOs and cybersecurity personnel come from IT backgrounds with a high degree of expertise securing digital networks, and the security of physical equipment was left to engineers in the field.

For CISOs, their businesses, and their ever-changing assets, the future depends on gaining expertise in physical asset security with relatively new OT-specific cybersecurity technologies and methodologies to get IoT cybersecurity right. That means cybersecurity teams need to master IT and OT monitoring and detection equally amid rapid change and increasing complexity.

Illuminating an Ongoing Revolution

IoT cybersecurity relies on a core concept: defenders must gain visibility and context across an operating environment of physical and digital assets to monitor, detect and act on potential cyberthreats before they execute across an interconnected system.

To mitigate cyberattacks against digital and physical assets, defenders need to see into each and every system. And CISOs need to ensure their teams will have that capability no matter what new technologies their companies add in the future.


The Energy Industry’s Digital Revolution

Unlocking the Energy Transition

As the energy and critical infrastructure sectors increasingly depend on seamless connections between physical and digital assets, malicious actors are taking advantage of the inherent vulnerabilities in a digitally driven energy ecosystem.

Oil and gas companies are accelerating the digital connections between existing energy assets – such as pipelines and gas turbines – with cutting-edge digital sensors and IT systems to improve safety, performance and reduce emissions. Utilities already accustomed to balancing electric grids in real time are rapidly connecting smart devices and distributed power sources with sophisticated software systems for variable time-of-use pricing and to increase clean energy penetration.

These trends are only expected to increase as major oil and gas players announce plans to shift away from fossil fuels and towards digital energy platforms, and the titan combustion-engine carmakers plan for all-electric futures.

Exploiting Connected Infrastructure

As the energy and critical infrastructure sectors increasingly depend on the seamless connection between physical and digital assets, malicious actors are taking advantage of the inherent vulnerabilities in a digitally driven energy ecosystem.

In 2021 – in the United States alone – malicious actors have targeted a major oil and gas pipeline, a wastewater treatment facility, and food, manufacturing and critical infrastructure supply chains.² Whether ransomware, supply-chain attacks, denial-of-service or zero-day threats, these attacks are accelerating for a range of reasons – from collateral in broader geopolitical conflict between nations to financial gain.

While motivations differ, criminal gangs and state-supported cyber units understand that vulnerable IoT assets give them the power to not only paralyze entire economies, but also sow chaos for families and businesses across the world.

2 https://cybermagazine.com/top10/10-high-profile-cyber-attacks-2021

A Glimpse Into the Future: The Threat to Critical Infrastructure

How a Cyberattack on an Oil and Gas Pipeline Exposed the World’s Vulnerability

In mid-May, millions living up and down the American East Coast experienced the chaos caused by a far-reaching cyberattack targeting critical infrastructure.

A ransomware attack hit a major pipeline company. Unsure if OT or IT systems were compromised, the company feared that malicious actors could gain further access to critical OT control systems. The infrastructure carrying gasoline and jet fuel to nearly a third of the U.S. population was at stake. Rather than operate with uncertainty, the company shut down all operations, stopping all flow of fuel through the pipeline.³

As industry leaders and government officials responded to the unfolding crisis, it only took a few hours for panic to set in – gas lines formed, emergency and critical care services were further stretched in the midst of a global pandemic, and the economic security of millions of businesses and families was threatened. The price of gasoline skyrocketed, and filling stations soon ran out of supply. In response, the federal government declared a state of emergency. State governments put in place policies to increase oil and gas supplies by tanker trucks and dissuaded citizens from panic buying fuel.

The pipeline remained shut down for six days while teams of investigators diagnosed the problem and negotiated a ransom. In Congressional testimony, the pipeline company’s executives revealed that the cause of the attack was a lack of cyber hygiene – an employee failed to enact two-factor authentication to help protect the company’s software.⁴

The ransomware attack successfully breached the organization’s IT network, but luckily never infiltrated OT systems or physical energy infrastructure.⁵ However, the incident forced the company to shut down all operations on the suspicion that malicious actors had access to sensitive OT infrastructure. The lack of visibility and context into the attack inflicted financial losses in the millions due to the ransomware payment, more than seven days of system-wide downtime and significant reputational damage.

3 https://www.gao.gov/blog/colonial-pipeline-cyberattack-highlights-need-better-federal-and-private-sector-preparedness-infographic
4 https://www.hsgac.senate.gov/hearings/threats-to-critical-infrastructure-examining-the-colonial-pipeline-cyber-attack
5 https://us-cert.cisa.gov/ncas/alerts/aa21-131a


The Complexities of Defending an IoT Environment

Securing A New Nonlinear Frontier

Before the rise of industrial IoT business models, cybersecurity teams mostly knew and understood the threat landscape they were responsible for defending, and built the right capabilities for that task. But the promise of industrial IoT calls for an environment where every piece of equipment and software can connect with any other equipment – and can trust that connection.

Facilities that used to have centralized controls now use remote access for routine workflows. Physical equipment that was previously air-gapped is now networked. Apps and networked endpoints in the hands of consumers and users must connect to company assets to fulfill their intended functions.

Industrial IoT operating environments now rely on hyperconnectivity, an intermeshed network of connected legacy and digitally native assets, and extreme flexibility to allow network access to non-stationary and intermittent IT and OT technologies owned by a company, used by its customers and integrated with third parties.

These same defining features of powerful IoT business models often leave organizations vulnerable to cyberattacks, and CISOs without the capabilities needed to defend a typical industrial IoT portfolio. As the threat landscape changes dramatically, CISOs need to balance closing the gaps between current capabilities, growing responsibilities to support innovative business models, and countering evolving threats.

A hyperconnected operating environment
Industrial IoT fundamentally changes the need for humans to manage connections between physical and digital assets as connected devices will automatically exchange information to optimize workflows. Market forecasters project 25 billion industrial IoT devices by 2030.⁶

Mobile and variable assets
Like the move from landlines to cell phones, the IoT future means the devices connected to an industrial network will change from day to day – or even minute by minute. The business benefits of industrial IoT depend on supporting and defending this flexibility.

A mix of legacy and new equipment
Older systems retrofitted for IoT and integrated with newer, digitally native technologies will remain as infrastructure backbones. Both old and new equipment need cutting-edge defenses against evolving threats.

6 www.statista.com/statistics/1183457/iot-connected-devices-worldwide


The IoT Monitoring and Detection Imbalance

The foundation of IoT cybersecurity is understanding the two-way relationship between the digital and physical worlds, and then monitoring those relationships to detect and act on threats. For most CISOs using existing SOC capabilities, gaining insight into all physical devices and digital networks that comprise an IoT operating environment is an overwhelmingly complex technical and capability challenge.

Poor Visibility and Unseen Threats Mask Physical and Digital Assets

To monitor and detect threats in time to prevent an attack requires two key elements – visibility and context. Security teams need visibility into every physical and digital node connected to their network.

Then they need to combine billions of data points into a unified threat stream so analysts in a SOC can understand from context whether anomalous behavior poses a threat or is a benign change in production workflow.

Lacking a Unified Threat Stream

Creating a unified threat stream is a significant technical challenge for most IoT SOCs because raw OT and IT data speak separate languages that were never intended to be analyzed together. Yet without unifying these data streams, defenders can’t contextualize anomalies between commands sent to OT controlling physical assets and IT software linked to this data – and subsequently will miss attackers who are actively exploring the network in search of vulnerabilities.

Until now, creating a unified threat stream in a hyperconnected environment has not been possible in most SOCs because OT-specific monitoring and detection technologies were too immature and required specialized technical expertise in physical assets. Even as emerging AI-based solutions helped overcome many of these challenges, few have the capability to sync heterogeneous IT and OT data streams. The result is that most IoT SOCs can’t see a complete picture of what’s happening in their systems – and can’t defend what they can’t see.

Fog Surrounds Defenders without Equal Detection Capabilities

Most organizations seeking to expand monitoring and detection in IoT environments suffer from a capability gap when it comes to IT and OT technology deployment and expertise. While even organizations with a business model firmly grounded in owning and operating physical assets struggle with OT security, the vast majority of CISOs struggle to apply IT cybersecurity methodologies to physical equipment in IoT environments.

Imbalanced Maturity

CISOs without a foundation in securing physical assets from cyberattacks often find themselves in one of several technological or capability gaps.

In the least mature organizations, CISOs are asked to expand security for IoT environments without deploying any new OT-specific monitoring capabilities; others use IT monitoring approaches in the field as a solution to satisfy regulatory requirements, or believe that more specialized approaches are too costly or are unnecessary for complete defense.

In more sophisticated organizations, CISOs will monitor IT and OT assets side by side in a SOC built for IT security, and manually analyze data streams. Finally, the most mature organizations have custom monitoring approaches where they analyze physical and digital relationships in a massive data pool, but lack the rigorous methods to effectively apply insights.

While gaps between IT and OT monitoring and detection capabilities leave operating environments exposed to cyberattacks, the true capacity gap most CISOs lack is an ability to equally understand – and act on – threats in both the physical and digital worlds under a unified platform.
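The glossary’s definition of a Unified Threat Stream and the two passages above (visibility plus context, and why unifying OT and IT data matters) describe an architecture without showing its mechanics. The following Python sketch is an added example written for this page; it is not code from the white paper, from Siemens Energy or from Eos.ii™, and the event schema, the trusted-workstation list, the ten-minute lookback window and both sample inputs are constructed assumptions. It translates a syslog-style IT login source and a JSON-lines OT source (modelled on Modbus register writes) into one schema, merges them in time order, and then judges each OT setpoint write using the IT events around it: the same write is benign from a known engineering workstation but high-consequence when it follows a remote login from an unrecognized address.

```python
"""Sketch of a unified threat stream: parse one IT source and one OT source
into a shared event schema, merge them in time order, then use the IT context
to triage OT control writes. Example code, not Eos.ii's own format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json
import re

# Constructed sample input: syslog-style remote-login lines from a jump host.
IT_LOG = """\
2021-05-07T01:12:03Z vpn01 sshd[812]: Accepted password for opsuser from 198.51.100.23 port 50212
2021-05-07T08:30:11Z vpn01 sshd[901]: Accepted publickey for engineer from 10.20.0.15 port 50310
"""

# Constructed sample input: JSON lines from a hypothetical Modbus-aware OT sensor.
OT_LOG = """\
{"ts": "2021-05-07T01:14:40Z", "src": "198.51.100.23", "unit": 3, "func": "write_single_register", "reg": 40010, "value": 0}
{"ts": "2021-05-07T08:32:05Z", "src": "10.20.0.15", "unit": 3, "func": "write_single_register", "reg": 40010, "value": 850}
{"ts": "2021-05-07T09:00:00Z", "src": "10.20.0.15", "unit": 3, "func": "read_holding_registers", "reg": 40010, "value": null}
"""


@dataclass
class Event:
    """One record of the unified stream; the field set is an assumption."""
    ts: datetime
    domain: str   # "IT" or "OT"
    source: str   # host or IP the action originated from
    actor: str    # user name for IT, PLC unit for OT
    action: str   # normalized verb shared by both domains
    detail: str


SYSLOG_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_it(text):
    """Translate syslog login lines into Event records."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # non-login lines are ignored in this sketch
        ts, host, method, user, src = m.groups()
        events.append(Event(parse_ts(ts), "IT", src, user, "remote_login",
                            f"{method} via {host}"))
    return events


def parse_ot(text):
    """Translate OT JSON records into the same Event schema."""
    events = []
    for line in text.splitlines():
        r = json.loads(line)
        action = "control_write" if r["func"].startswith("write") else "read"
        events.append(Event(parse_ts(r["ts"]), "OT", r["src"], f"plc-unit-{r['unit']}",
                            action, f"reg {r['reg']} = {r['value']}"))
    return events


def unified_stream(*sources):
    """Merge already-normalized sources into one time-ordered stream."""
    return sorted((e for s in sources for e in s), key=lambda e: e.ts)


# Assumed site knowledge: engineering workstations allowed to change setpoints,
# and how far back to look for an IT login that explains an OT write.
TRUSTED_ENGINEERING = {"10.20.0.15"}
LOOKBACK = timedelta(minutes=10)


def triage(stream):
    """Return (event, verdict) for every OT control write, judged with IT context."""
    verdicts = []
    for i, ev in enumerate(stream):
        if ev.domain != "OT" or ev.action != "control_write":
            continue
        # Remote logins from the same source shortly before this write.
        logins = [p for p in stream[:i]
                  if p.domain == "IT" and p.action == "remote_login"
                  and p.source == ev.source and ev.ts - p.ts <= LOOKBACK]
        if ev.source in TRUSTED_ENGINEERING:
            verdict = "benign: setpoint change from a trusted engineering workstation"
        elif logins:
            verdict = (f"high-consequence: PLC write from untrusted {ev.source} "
                       f"within {LOOKBACK} of remote login by {logins[-1].actor}")
        else:
            verdict = "review: control write with no surrounding IT context"
        verdicts.append((ev, verdict))
    return verdicts


if __name__ == "__main__":
    for ev, verdict in triage(unified_stream(parse_it(IT_LOG), parse_ot(OT_LOG))):
        print(ev.ts.isoformat(), ev.actor, ev.detail, "->", verdict)
```

The point of the sketch is that neither source alone supports the verdict: the OT sensor sees two identical register writes, and the jump host sees two successful logins. Only after both are expressed in one schema and ordered in time can the first write be tied to the preceding login from an unrecognized address, which is the context the passage says most IoT SOCs lack. The order of the checks in `triage` encodes a site assumption (a trusted workstation is believed even when a login preceded the write); a production rule set would make that assumption explicit and reviewable rather than buried in code.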


Defense Gap Leaves Assets in the Dark

Lacking Equal Expertise in Defending the Physical and Digital Worlds
Frequently Leaves IT Networks Protected and OT Assets Exposed

Most organizations seeking to expand monitoring and
detection in IoT environments suffer from a capability
gap when it comes to IT and OT technology deployment
and expertise.

Page 15
Eos.ii™ | IoT Monitoring and Detection

Building a Fusion SOC to Illuminate Industrial IoT

To overcome the obstacles of building robust IoT monitoring, CISOs need to understand if any singular command – out of billions occurring between a given physical and digital asset – represents a cyberattack.

This type of real-time protection requires solving several interlocking challenges simultaneously, including synthesizing heterogeneous data flows into a unified threat stream, equal expertise in IT and OT systems to rapidly draw insight, and acting on threat intelligence in the SOC and in the field.

Analyzing Threats Under a Single Pane of Glass

For CISOs, building a single-pane-of-glass system to monitor and detect threats across their enterprise will require reimagining their existing SOCs.

A CISO can expect the assets and environments under their defensive umbrellas to change frequently as the digital revolution speeds along its exponential growth curve. Threats aiming to exploit this progress will undergo similar rapid changes to adeptly maneuver around more sophisticated defenses. Rather than trying to adopt the latest cyber solution each time threats evolve, defenders need a platform that can serve as an enduring foundation for IoT security.

Any approach to IoT cybersecurity must integrate IT and OT monitoring and detection within a fusion SOC. That means bringing together otherwise incompatible data sources, empowering analysts to defend each layer of their organization’s technology stack within a constantly evolving threat detection engine capable of accomplishing these tasks with speed and accuracy amid constant change.

Fusion SOCs will bring together IT and OT cyber capabilities to provide human analysts with efficient and powerful tools to investigate and act on threats in ways that minimize disruption to operations and adapt to evolving threat environments.

The Intelligent SIEM to Illuminate IoT Cyberattacks

Siemens Energy’s Eos.ii™ industrial cyber-defense platform enables CISOs to bridge this physical – digital divide, and illuminate the IoT operating environment so defenders can act on threats before they execute.

Eos.ii™ is a scalable AI-driven Security Information and Event Management (SIEM) platform that serves as the foundation for a Fusion SOC, providing defenders with complete monitoring and detection capabilities through a single-pane-of-glass interface that provides clear and in-depth insights to take action against cyberattacks.

This gives CISOs and cyber analysts working in a fusion SOC the power needed to investigate suspicious events, and permanently bolster defenses for their unique IoT operating environments.

Automation at Scale
Siemens Energy’s technical mastery combined with machine learning automates routine tasks to ingest, prioritize and present huge volumes of information. Analysts immediately home in on high-consequence events.

Intelligence to Act
Eos.ii™ actively draws analyst attention to high-consequence events while giving analysts the scope of visibility and depth of context needed to identify and act on threats.

Illumination of Physical-Digital Relationships
Siemens Energy’s OT knowledge base guides design, enabling existing IT staff to understand and investigate the context of anomalies in the IT and OT foundations of industrial IoT.


SIEM with IT Capabilities compared with SIEM with OT and IT Capabilities

Continuous Monitoring
  IT capabilities: More data provides a basis for anomaly detection across network and vulnerability
  OT and IT capabilities: Knowing which data sources and what data points is the first step – network, asset, control system, and process data sources

Detection and Alerting
  IT capabilities: Alerts are more frequent and can be noisier than OT alerts
  OT and IT capabilities: Detection requires comprehensive data collection across physical and digital sources

Triage and Investigation
  IT capabilities: Prioritization is focused on scale and fewer mission critical functions are at stake
  OT and IT capabilities: Every alert is critical and warrants a deep investigation into potential safety and reliability impacts

Response and Recovery
  IT capabilities: Digital responses are usually well-defined to quarantine and neutralize threats
  OT and IT capabilities: Response can include physical and digital steps to protect operations


Illuminating the Foundation for IoT Visibility and Context

Creating Visibility in a Hybrid Environment

The immediate need in most SOCs is to close the gap in OT capabilities, and then bring together OT and IT visibility and context within a fusion SOC to identify and evaluate anomalies. Unlike operating environments that rely on either IT or OT expertise, a fusion SOC must communicate in terms accessible to the people who need to take action on both the physical and digital realms.

Eos.ii™ provides the needed foundation for an IoT SOC, starting by mastering the daunting technical feat of creating a unified threat stream. A unified threat stream illuminates OT and IT data sources, giving analysts visibility into the full chain of cause and effect when IoT assets interact. While gathering and processing data for IT and OT goes through similar stages, the mechanics of these workflows differ and require analysis through separate algorithms before defenders can fully understand the collated data.

Using a proprietary method called Process Security Analytics (PSA), Siemens Energy systematically standardizes, collates, and analyzes OT and IT data to reveal anomalous behaviors and patterns that match known cyberattacks.

PSA methodology allows defenders to use context to differentiate between normal fluctuations and active threats, even when signals cut across hybrid environments. Workflows can draw on unified and expanded IoT visibility to prioritize high-consequence events for human investigation.

Each action attackers take to probe the IoT network offers signals about what that attacker intends. In a fully successful IoT SOC, personnel can recognize these signals, correctly predict how the attack will unfold, assess its potential impacts and – if needed – take action fast enough to block those impacts.

Intelligence to Act with a Unified Threat Stream
Eos.ii™ gives analysts the scope of visibility and depth of context needed to identify and act on threats.
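The idea of a unified threat stream, as sketched above, is easier to grasp with a concrete, if small, illustration. The Python below is an added example written for this page; it is not Siemens Energy code, it is not the Process Security Analytics method, and it makes no claim about how Eos.ii™ is built. It assumes a constructed asset inventory that maps the identifiers each source uses (an IP address on the IT side, a historian tag prefix on the OT side) onto one asset id, normalizes both record formats (also constructed) into a single schema, and then gives every OT control write its IT context: the logins to the same controller that happened within a short window. The write that follows a remote login and the identical write with no IT context are the two cases the text contrasts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed asset inventory: one physical asset as each source names it. IT
# telemetry identifies it by the IP of its engineering port, OT telemetry by
# the historian tag prefix. Both identifiers are invented for this example.
ASSET_INVENTORY = {
    "10.20.30.7": "PLC-UNIT2-FEEDWATER",
    "FW-PUMP-01": "PLC-UNIT2-FEEDWATER",
}


@dataclass(frozen=True)
class UnifiedEvent:
    ts: datetime
    asset: str
    domain: str   # "IT" or "OT"
    kind: str     # e.g. "auth", "setpoint_write", "reading"
    detail: str


def normalize_it(rec: dict) -> Optional[UnifiedEvent]:
    """IT record (constructed format): time, src_ip, dst_ip, user, event."""
    asset = ASSET_INVENTORY.get(rec["dst_ip"])
    if asset is None:
        return None  # traffic to a host that is not an inventoried IoT asset
    return UnifiedEvent(datetime.fromisoformat(rec["time"]), asset, "IT",
                        rec["event"], f"{rec['user']} from {rec['src_ip']}")


def normalize_ot(rec: dict) -> Optional[UnifiedEvent]:
    """OT record (constructed format): time, tag, op, value."""
    asset = ASSET_INVENTORY.get(rec["tag"].split(".")[0])
    if asset is None:
        return None
    return UnifiedEvent(datetime.fromisoformat(rec["time"]), asset, "OT",
                        rec["op"], f"{rec['tag']}={rec['value']}")


def unified_stream(it_records, ot_records) -> List[UnifiedEvent]:
    """Merge both sources into one time-ordered stream keyed by asset id."""
    events = [e for r in it_records if (e := normalize_it(r)) is not None]
    events += [e for r in ot_records if (e := normalize_ot(r)) is not None]
    return sorted(events, key=lambda e: e.ts)


def correlate_writes(stream, window=timedelta(minutes=5)) -> Dict[UnifiedEvent, List[UnifiedEvent]]:
    """For each OT control write, gather IT events on the same asset within
    the window. A write preceded by a login to the controller's engineering
    port reads very differently from an identical write with no IT context,
    which is usually a routine operator action."""
    out = {}
    for ev in stream:
        if ev.domain == "OT" and ev.kind == "setpoint_write":
            out[ev] = [o for o in stream
                       if o.domain == "IT" and o.asset == ev.asset
                       and abs(o.ts - ev.ts) <= window]
    return out


# Constructed sample records: one contractor login to the PLC, one login to an
# uninventoried host, two setpoint writes and one process reading.
IT_SAMPLE = [
    {"time": "2024-03-01T10:00:00", "src_ip": "192.168.50.9",
     "dst_ip": "10.20.30.7", "user": "contractor", "event": "auth"},
    {"time": "2024-03-01T10:01:00", "src_ip": "192.168.50.9",
     "dst_ip": "10.99.0.1", "user": "contractor", "event": "auth"},
]
OT_SAMPLE = [
    {"time": "2024-03-01T10:02:30", "tag": "FW-PUMP-01.SETPOINT",
     "op": "setpoint_write", "value": 85},
    {"time": "2024-03-01T14:00:00", "tag": "FW-PUMP-01.SETPOINT",
     "op": "setpoint_write", "value": 60},
    {"time": "2024-03-01T14:00:05", "tag": "FW-PUMP-01.FLOW",
     "op": "reading", "value": 58.7},
]

if __name__ == "__main__":
    for write, context in correlate_writes(unified_stream(IT_SAMPLE, OT_SAMPLE)).items():
        print(write.ts, write.detail, "IT context:", [c.detail for c in context])
```

The inventory join is the part that matters: neither source knows the other's naming, so the mapping from IP and tag prefix to a shared asset id is what lets the 10:00 login and the 10:02 setpoint write land on the same record. In a real deployment that mapping comes from the asset inventory and is the first thing to get right.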


Seeing Through the Fog with Monitoring and Detection

Moving from Visibility and Context to Monitoring and Detection

Monitoring and detecting threats requires understanding current conditions, and then comparing them against past threats and normal baselines to illuminate what’s suspicious.

Comparing historical and current asset conditions requires a built-for-purpose platform that uses AI, ML and predictive analytics to identify anomalies within seconds of detection. Eos.ii™ illuminates both the depth and breadth of an install base, bringing together automation with the incisiveness of human intelligence to hunt for any trace of malware.

The Power of the Eos.ii™ Detection Engine

With AI at its core, Eos.ii™ is designed to make sense of billions of data points that comprise physical and digital relationships in industrial environments, correlating abnormalities that would be otherwise imperceptible to cyber analysts.

In one real-world example, a SOC analyst using Eos.ii™ detected a problem with firewall hardware at a power plant. The hardware was rated for 55 degrees Celsius, but running above 70 degrees. This made the power plant’s control system vulnerable to crashes when the firewall overheated. If this system failed during power production, the company would not be eligible for payment – a potential loss of millions of dollars per hour. Eos.ii™ helped analysts determine this was not an attack, and prompted corrective maintenance that strengthened ongoing cyber readiness.

Built to Adapt to Emerging Threats

When new threats are identified anywhere in the world, the Eos.ii™ detection engine automatically evaluates the vulnerability of an organization’s install base and can anticipate anomalous behavior. When these threat signatures – known or novel – are detected, Eos.ii™ can identify asset exposure within an operating environment and generate an alert for human attention.
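The firewall case above combines two checks and one context step: the reading is compared against what the hardware is rated for, compared against the asset's own recent history, and only then judged in light of whether anything security-relevant happened on that asset at the same time. The Python below is an added example that works those steps through on constructed data; it is not Siemens Energy code and says nothing about the models Eos.ii™ actually uses. Only the 55 °C rating is taken from the page; the asset library, the temperature history and the security event format are invented.

```python
import statistics
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed asset library of rated operating limits by asset type. The 55 C
# firewall rating is the one described on this page; nothing else here is real.
RATED_LIMITS: Dict[str, Dict[str, float]] = {"firewall": {"temp_c": 55.0}}


@dataclass
class Finding:
    asset: str
    metric: str
    value: float
    reasons: List[str] = field(default_factory=list)
    disposition: str = "normal"


def zscore(value: float, history: List[float]) -> float:
    """Distance of a reading from its learned baseline, in standard deviations."""
    if len(history) < 2:
        return 0.0
    sd = statistics.pstdev(history)
    return 0.0 if sd == 0 else (value - statistics.fmean(history)) / sd


def assess(asset: str, asset_type: str, metric: str, value: float,
           history: List[float], security_events: List[dict],
           z_threshold: float = 3.0) -> Finding:
    """Rated-limit check, baseline check, then a context step.
    If either check fires, look for security events recorded against the same
    asset in the same period. None found points to a maintenance problem;
    any found means an analyst should treat the anomaly as a possible attack."""
    f = Finding(asset, metric, value)
    limit = RATED_LIMITS.get(asset_type, {}).get(metric)
    if limit is not None and value > limit:
        f.reasons.append(f"{metric}={value} exceeds rated limit {limit}")
    z = zscore(value, history)
    if abs(z) >= z_threshold:
        f.reasons.append(f"{metric}={value} is {z:.1f} sd from baseline")
    if not f.reasons:
        return f
    related = [e for e in security_events if e["asset"] == asset]
    if related:
        f.disposition = "escalate: anomaly coincides with " + \
            ", ".join(e["event"] for e in related)
    else:
        f.disposition = "maintenance: anomaly with no security indicators"
    return f


# Constructed telemetry: recent temperature samples for one plant firewall.
FW_HISTORY = [48.0, 49.5, 47.8, 50.1, 49.0, 48.6, 49.9, 48.2]

if __name__ == "__main__":
    print(assess("fw-plant1", "firewall", "temp_c", 72.0, FW_HISTORY, []))
```

Running the 72 °C reading through `assess` with an empty security-event list reproduces the outcome described in the text: both checks fire, and the absence of any correlated security event is what turns the finding into a maintenance ticket rather than an incident. Pass the same reading with a configuration change logged against the firewall and the disposition flips to escalation, which is the distinction an analyst needs a platform to surface rather than infer.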


Eos.ii™ Platform

Platform modules provide the backbone to generate insights and drive actionable intelligence:

  Topology Search: Quickly search for assets, anomalies, vulnerabilities, and other data across fleets
  Investigations: Use data search and correlation tools to conduct deep investigations into specific assets
  Plant Data Visualizer: Review data visualizations from physical and digital assets in one place for enhanced context
  Platform Tuner: Easily build new rules, tune ML models, and enhance capabilities for specific sites and assets
  Threat Intelligence: Compare site activity to known signatures and review historic data for new signatures
  Alert Management: Automatically detect events and correlate them for analyst review

The Intelligence Behind Eos.ii™

Eos.ii™ brings together key capabilities in an integrated platform. Automation detects events, prioritizes potential threats and alerts analysts to investigate the most consequential anomalies.

Combined, these modules make it easy for analysts to perform quick, deep analyses, relate their findings to the big picture, and adjust defenses to perform the same analysis automatically going forward. Each advances the state of the art for industrial IoT monitoring and detection – and like IoT, the combination is even more powerful than any single feature.

Eos.ii™ enables analysts in an IoT fusion SOC to move seamlessly from discovering a new threat to confirming its absence in protected networks to updating automated defenses. Its powerful detection engine and easy adaptability offer unprecedented ability to stay on top of changing circumstances – from new assets to new threats.

Automation on Scale
Manage alert prioritization to improve alert response time and avoid alert fatigue. Tailoring new rules – including machine learning rules – continuously strengthens defenses.

Intelligence to Act
Automate proactive decision making with intelligence, domain specific playbooks and threat hunting workflows. Context driven intelligence means active threat hunting becomes a larger share of analyst time.

Illumination of Physical-Digital Relationships
Quickly search and understand the relationships between devices – their location in the plant, and how they link up physically and digitally. Search by time and attribute lets analysts immediately scrutinize relevant devices when new threats are discovered.


The Detection Engine for Industrial IoT

Although most alerts don’t require cybersecurity responses, defenders need to quickly home in on those that do. SOC analysts can rely on Eos.ii™ to automatically sift through volumes of security events and alerts that occur in industrial IoT systems, using its library of asset attributes, topology, and known threat profiles to assess which events will be high consequence. This means Eos.ii™ can distinguish between similar alerts – giving low priority to a single wind turbine wearing out its bearings, but high priority to a wind farm inadvertently infested with malware during a site visit.

AI Insights and Tuning

The core of Eos.ii™ is a rules-based detection engine drawn from OT knowledge and sophisticated machine learning. Pre-built rules leverage generations of Siemens Energy engineering knowledge to alert SOC personnel of suspicious or dangerous OT conditions. Meanwhile, Eos.ii’s machine learning detection engine teaches itself the normal pattern of relationships between variables based on real-world operating data, automatically tailoring anomaly detection to the specific sites and assets under protection.

In the event that a company is hit with a completely novel attack that does not match known IT signatures, Eos.ii’s automatic detection engine would alert human investigators as soon as the attack begins to affect OT assets – and would aid analysts in diagnosing the events.

The combination of powerful investigative tools, prioritized alerts, and automated, scalable tuning reduces the number of SOC staff needed and exposure to alert fatigue, while enhancing the expertise and capabilities of analysts on the detection team.

Threat-Hunting – Getting Ahead of Attackers

Defenders equipped with a detailed and constantly updating understanding of their systems get to shift from a reactive stance to a predictive, prescriptive stance. Instead of waiting for an attack where the impacts are unmistakable, defenders can hunt for subtle signs of intrusions underway. Defenders can use Eos.ii™ to identify the intent of a probing attacker earlier in their attack process, when a SOC has more options to limit the extent of intrusions and strengthen preventive measures.

Eos.ii™ Makes Threat-hunting Faster and More Powerful

Instead of needing to log into several systems or call OT workers to check on conditions, analysts can examine all the attributes and status of assets within a single pane of glass. Visualizations and easy navigation allow analysts to rapidly toggle between deep-dive investigations and their big-picture implications.

With Eos.ii, the previously difficult process of correlating security, process, and control system data becomes easy. Along with IT forensics and signature-based detection, Eos.ii™ enables a digital twin comparison – comparing a virtual model of the worksite against real-world data.
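The wind-farm comparison above (one turbine wearing out a bearing versus malware on many turbines after a site visit) is a statement about consequence, and consequence is a function of three things the text names: what the asset is, what the alert category means, and how far it has spread across the site topology. The Python below is an added example that scores alerts on exactly those three inputs and collapses them into incidents for analyst review; it is not Siemens Energy code and does not reflect how Eos.ii™ weights its own library. The asset library, threat profiles, score weights and priority bands are all constructed.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed asset library: site, type and a 1-5 criticality as an operator
# might assign it. All names are invented.
ASSETS: Dict[str, dict] = {
    **{f"WTG-{i:02d}": {"site": "WF-NORTH", "type": "turbine", "criticality": 2}
       for i in range(1, 11)},
    "SUBSTATION-CTRL": {"site": "WF-NORTH", "type": "rtu", "criticality": 5},
}

# Constructed threat profiles: whether the category is a security matter and
# a base score reflecting its typical consequence.
THREAT_PROFILES = {
    "mechanical_wear":    {"security": False, "base": 1},
    "malware_signature":  {"security": True,  "base": 4},
    "unauthorized_write": {"security": True,  "base": 5},
}

# Constructed bands; the floor of 0 guarantees every score gets a label.
PRIORITY_BANDS = [(20, "high"), (8, "medium"), (0, "low")]


def prioritize(alerts: List[dict]) -> List[dict]:
    """Collapse raw alerts into incidents scored by asset criticality, threat
    profile and spread (how many distinct assets at the same site raised the
    same category). Returns incidents ordered from highest score down."""
    groups: Dict[tuple, set] = defaultdict(set)
    for a in alerts:
        groups[(ASSETS[a["asset"]]["site"], a["category"])].add(a["asset"])
    incidents = []
    for (site, category), assets in groups.items():
        prof = THREAT_PROFILES[category]
        crit = max(ASSETS[x]["criticality"] for x in assets)
        score = prof["base"] * crit
        if prof["security"] and len(assets) > 1:
            score *= len(assets)  # lateral spread multiplies consequence
        priority = next(label for floor, label in PRIORITY_BANDS if score >= floor)
        incidents.append({"site": site, "category": category,
                          "assets": sorted(assets), "score": score,
                          "priority": priority})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


# Constructed alerts: one turbine's bearing trending hot, and one malware
# signature reported by five turbines at the same site.
ALERTS = [
    {"asset": "WTG-03", "category": "mechanical_wear"},
    *[{"asset": f"WTG-{i:02d}", "category": "malware_signature"} for i in range(4, 9)],
]

if __name__ == "__main__":
    for inc in prioritize(ALERTS):
        print(inc["priority"], inc["score"], inc["category"], inc["assets"])
```

Two properties of the scoring are worth noting. Spread only multiplies security categories, so ten turbines with worn bearings stay a maintenance matter rather than becoming an "incident" by volume. And criticality carries weight on its own: a single unauthorized write to the substation controller scores high without any spread at all, because one high-criticality asset can matter more than many low-criticality ones.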


Insights into Action with Precision Defense™

Stopping Threats Before They Execute

The value of an AI-powered detection engine is its ability
to provide actionable intelligence in time for defenders
to get ahead of attackers. This means analysts get to act
on threats they have discovered, interrupt attacks under-
way and adapt defenses in real time.


Realizing the Vision of a Fusion SOC

Acting on Intelligence

The pipeline ransomware attack described earlier forced a tough choice on the company moving nearly half of the fuel needed to power the eastern United States. Unsure whether the attack had spread from its IT networks to affect pipeline infrastructure and controls, the company chose to halt fuel deliveries, leading to gas-pump shortages.

This attack illustrates the need for Precision Defense™ capabilities. Monitoring and detection that can determine the extent of a breach can guide narrowly targeted responses. Without such capabilities, companies are left blind. Leaders end up being forced to choose between doing nothing – leaving worker safety and critical equipment exposed to ongoing malicious actions – or deploying brute-force solutions like a sweeping shutdown.

The value of an AI-powered detection engine is its ability to provide actionable intelligence in time for defenders to get ahead of attackers. This means analysts get to act on threats they have discovered, interrupt attacks underway and adapt defenses in real time. With each threat mitigated, the fusion SOC becomes better prepared to block attacks.

Precision Defense™ for Right-Sized Interventions

The unparalleled ability to investigate IoT with visibility into both OT and IT subsystems enables greater precision for threat detection – and the insights needed for proportionate action.

Determining the source and scope of a problem is a key step in selecting a corrective response in IoT systems. Unlike IT systems, which readily withstand abrupt shutdowns, pulling the plug on physical assets is typically a costly measure reserved for last resort. A precision defense approach seeks to address exactly the affected systems – no more and no less. If an intrusion reached only one pumping station, or only breached a sales database, there’s no need to shut down an entire pipeline.

Rapid Responses and Perpetual Improvements

In these investigations, speed and quality both matter. Rapid, early detection can limit intrusions to a few isolated systems. Thorough, high-quality monitoring gives leaders the confidence that small, precise interventions will strike the right balance between eradicating threats and minimizing operational disruption.

Eos.ii™ empowers analysts to rapidly detect and understand an attack anywhere in the IoT portfolio, mapping its scope and tracing the timing and attack vector – the information needed for high-confidence precision defense.

Eos.ii™’s immediate adaptability – to novel attacks, to threats observed elsewhere, and to site-specific equipment – means that SOC personnel can take prescriptive, preventive action to block future attacks and scour systems looking for intrusions previously overlooked.

Full visibility and forward modeling of digital-physical interactions turn IoT complexity into a home-field advantage for defenders. When SOC personnel analyze the real-time status and logged histories of any aspect of the digital or physical assets under their protection, attackers have nowhere to hide.


A SOC Greater than the Sum of its Parts

Eos.ii™ transforms the interlocking challenges of industrial IoT cybersecurity into core strengths. It tames the tangle of mismatched languages, provides visibility into obscure corners of OT, and illuminates the meaning of OT data for IT analysts.

Automating routine tasks and prioritizing alerts based on expected consequences leverages human analyst time. Eos.ii™ adapts readily to new asset bases and ever-evolving threats. With Eos.ii™, CISOs can build a fusion SOC, overcome the challenges of today, and create the stable foundation needed for IoT industrial cybersecurity in the future.

Done well, robust industrial IoT cybersecurity builds trust with other parts of the organization. Instead of constantly bothering OT personnel for assistance, the SOC adds value by accurately flagging maintenance concerns.

The SOC gains credibility and the reputation for accuracy needed to call for – and get – sudden shutdowns when a true crisis occurs. With a mature IoT SOC, CISOs can better quantify the magnitude of threats and vulnerabilities the SOC discovers, can better demonstrate the value their teams add to the business, and can better keep up with the changes needed to secure the modern energy sector.

Eos.ii™ provides CISOs with the foundation needed to begin building a predictive SOC, and to strive for continuous improvement. As Eos.ii™ learns the baselines for work sites, and as IT staff become proficient in understanding IoT interactions and diagnosing attacker intent, defenders will be increasingly able to predict the behavior of assets and attackers alike.

Companies that deploy Eos.ii™ will enjoy reduced cyber risk, at a lower cost than hiring expertise or developing solutions in-house, and with support to keep Eos.ii™ current. Forward planning can proceed with better cost-benefit assessments, and crisis response can more precisely tailor eradication and recovery efforts when breaches occur.

For the energy sector, securing the IoT is an essential step in ensuring that innovation can continue without sacrificing reliability. Siemens Energy’s Eos.ii™ will help organizations of all sizes address their IoT security needs – strengthening the overall energy sector by hardening more links in the value chain.

Industrial IoT is clearly part of the energy sector’s future. At Siemens Energy, we’re committed to giving CISOs and SOCs the tools they need to make IoT a source of strength, not a hidden liability.

Published by

Siemens Energy Inc.

15375 Memorial Drive
Houston, TX 77079
United States

Subject to changes and errors. The information given in this document
only contains general descriptions and / or performance features which
may not always specifically reflect those described, or which may
undergo modification in the course of further development of the pro-
ducts. The requested performance features are binding only when they
are expressly agreed upon in the concluded contract.

Siemens Energy is a trademark licensed by Siemens AG.