Recent ransomware attacks that shut down a US gas pipeline and global food processor have raised board-level awareness about IoT and Operational Technology (OT) risk, including safety risks and lost revenue from production downtime.
We're seeing that CISOs and SOC teams are now increasingly responsible for new threats from cyber physical systems (CPS) and parts of the organization they never traditionally worried about.
What has changed? Pervasive IT/OT connectivity to support digital business and optimize operations – such as monitoring production in real-time and sharing information with ERP and CRM systems – has removed the air-gap that once existed between IT and OT.
It’s also made it easier for adversaries to move laterally from IT to OT (and vice-versa), as you’ll see in the TRITON attack example below. This may also explain why many organizations proactively disable connectivity between IT and OT in case of a ransomware attack — even when the ransomware appears to initially only affect IT assets.
By bringing rich telemetry into Microsoft Sentinel from our agentless IoT/OT security monitoring solution, Microsoft Defender for IoT (formerly Azure Defender for IoT), Microsoft enables SOC teams to detect and respond faster to the entire attack timeline, across all domains — including IT assets, applications such as SAP, and network devices — making life easier for both security analysts and OT personnel.
In this blog post we’ll describe a new Sentinel solution for IoT/OT threat monitoring that includes IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, plus incident mappings to MITRE ATT&CK for ICS (industrial control systems), an OT-specific version of the MITRE ATT&CK framework.
IoT/OT security risks are often overlooked because security departments have traditionally lacked the visibility and expertise to monitor IoT/OT networks for compromise.
This is despite the potentially significant business impacts of OT attacks, which include:
Security Operations Center (SOC) teams face several challenges in monitoring IoT/OT networks, including:
When we look at what’s available today to protect our customers’ OT environments, we find that there are either traditional SOC solutions focused only on IT security – but without OT telemetry and context – or point solutions focused exclusively on OT security, but lacking deep integration with existing SOC tools and workflows.
In addition, many teams are struggling with a flood of fragmented security data across multiple point solutions — resulting in missed detections and frustrated analysts.
Modern multi-stage attacks often cross IT/OT boundaries – so detecting and responding to them requires an enterprise-wide, bird’s eye view of the entire attack chain.
This is illustrated in the TRITON attack chain below, which was used in the recent MITRE ATT&CK for ICS evaluation. (Learn how Microsoft achieved the #1 score for threat visibility coverage in the MITRE ATT&CK for ICS evaluatio...
You can see that detecting and responding quickly to this type of attack requires “connecting the dots” between IT and IoT/OT events. With the new solution we’re introducing today, our goal is to bring the power of cloud-based AI and automation to help SOC teams more easily address these challenges.
Taking a step forward in protecting our critical OT assets requires a unified SOC experience that brings IT and OT together for the first time.
The new IoT/OT-focused solution for Sentinel includes a workbook collection and set of analytics rules that enable SOC teams to quickly incorporate detailed OT threat and contextual asset data into Sentinel, while minimizing noise and allowing them to focus on what matters most. This data is continuously obtained from Defender for IoT, Microsoft’s agentless OT security monitoring solution, which incorporates IoT/OT-aware asset discovery, vulnerability management, and behavioral analytics from Microsoft’s acquisition of CyberX in 2020.
The workbook collection provides a guided investigation for OT entities based on open incidents, alert notifications, and activities for OT assets. This workbook also provides a hunt across MITRE ATT&CK for ICS tactics and is designed to enable analysts, security engineers, and MSSPs to gain situational awareness of their OT security posture.
Sentinel alert workbook showing alerts by type (policy violation, protocol violation, malware, etc.); severity; OT device type (PLC, HMI, engineering workstation); OT equipment vendor; and alerts over time.
Sentinel incident workbook showing efficiency metrics (Mean Time to Respond, Mean Time to Resolve) plus reasons for closing. Also shows breakdown of OT incidents by severity, IP addresses, OT protocols, device types, and equipment vendors.
MITRE ATT&CK for ICS workbook showing the result of mapping alerts to MITRE ATT&CK for ICS tactics, plus the distribution of tactics by count and time period.
Here are some examples of rules that cover potential IoT/OT incidents automatically created in Sentinel from alerts generated by Defender for IoT:
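As an added illustration (not one of the solution's shipped rules), the following Sentinel analytics query shows the shape such a rule takes: it reads Defender for IoT alerts from the SecurityAlert table, tags each with a MITRE ATT&CK for ICS tactic, and groups by OT device so that one device pair touching several tactics surfaces as a single incident. The ProviderName value, the ExtendedProperties field names and the keyword-to-tactic mapping are assumptions made for this example, not values documented on this page.

```kql
// Added example, not part of the Sentinel IoT/OT solution itself.
// Assumptions: Defender for IoT alerts land in SecurityAlert with
// ProviderName "IoTSecurity", and ExtendedProperties carries the
// source/destination device, protocol and sensor name under the keys below.
let lookback = 1h;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "IoTSecurity"                 // assumed provider id
| where AlertSeverity in ("High", "Medium")
| extend Props = parse_json(ExtendedProperties)
| extend SourceDevice = tostring(Props.SourceDeviceAddress),        // assumed key
         DestDevice   = tostring(Props.DestinationDeviceAddress),   // assumed key
         Protocol     = tostring(Props.Protocol),                   // assumed key
         Sensor       = tostring(Props.SensorName)                  // assumed key
// Constructed keyword-to-tactic mapping; a real rule would use the
// solution's own mapping table rather than these illustrative keywords.
| extend IcsTactic = case(
    AlertName has "PLC",      "Impair Process Control",
    AlertName has "Firmware", "Inhibit Response Function",
    AlertName has "Remote",   "Initial Access",
    AlertName has "Scan",     "Discovery",
    AlertName has "Malware",  "Execution",
    "Unmapped")
// Collapse the per-alert stream into one row per OT device pair and sensor.
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Tactics    = make_set(IcsTactic),
            AlertNames = make_set(AlertName),
            Protocols  = make_set(Protocol)
    by SourceDevice, DestDevice, Sensor
// Escalate only when the same device pair spans two or more ICS tactics,
// which is the multi-stage pattern the TRITON chain above illustrates.
| where array_length(Tactics) >= 2
| extend IPCustomEntity = SourceDevice          // entity mapping for the incident
| project FirstSeen, LastSeen, Sensor, SourceDevice, DestDevice,
          AlertCount, Tactics, AlertNames, Protocols, IPCustomEntity
```

Schedule it at the lookback interval and map SourceDevice to the IP entity so the incident lands on the OT device rather than on the sensor.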
You can also find a number of OT-specific SOAR playbooks in GitHub (search for “AD4IoT”), and we expect these to grow over time. The current list includes playbooks to automatically:
Here are some of the other exciting capabilities we’re developing:
IoT/OT incidents classified by site, zone, and sensor.
IoT/OT equipment entity page showing details such as device type, manufacturer, associated alerts, remote connections, communication with external IP addresses, etc.
IoT/OT incident investigation graph enriched with additional contextual data such as network connections associated with an IoT/OT entity.
Call to action: Check out the new solution in the Sentinel Solutions Marketplace. Join our Public Preview program as a design partner and help us shape the modern SOC.
Special thanks to Hesham Saad and Meir Sawdayee for their help in developing the MITRE ATT&CK for ICS mapping.