“Known Good” or “Known Bad”: Choosing a Starting Point for OT Cybersecurity
Written by Mission Secure
One way to characterize a cybersecurity strategy is by whether it takes action based on the definition of “known good” activity or “known bad” activity.
The “known bad” approach attempts to identify threats by monitoring activity (network requests, user actions, application behavior, etc.) and watching for anything that matches a predefined set of malicious or unsafe actions.
The “known good” approach starts by defining the expected behavior of users, devices, and applications, and treating any deviation from normal as a potential threat.
Any effective cybersecurity strategy will incorporate elements of both approaches. But when implementing policies (for example, policies that define when to generate alerts or block activity), organizations usually need to choose whether they are taking action based on “known good” or “known bad” activity.
In most cases, especially in OT and ICS environments, the “known good” approach to cybersecurity is actually simpler to implement and more effective at protecting critical systems.
The Never-Ending Fire Drill
The “known bad” approach to cybersecurity seeks to identify threats by watching for established malware signatures, network attack patterns, malicious user activity, and hardware or software vulnerabilities. All of these have a place in a defense-in-depth security posture. But putting a heavy focus on “known bad” activity tends to create an unhelpful state of affairs in OT cybersecurity.
Some security researchers and analysts focus on publicizing every vulnerability they can find, regardless of whether the vulnerabilities could lead to serious consequences or could even be exploited in the real world. The continuous flood of new vulnerability reports makes it difficult for asset owners to know where to start–what is an operator supposed to do when their security provider tells them they have 20,000 known vulnerabilities to address?
Intrusion detection and prevention systems also have a tendency to create new work. Even the best IDS and IPS engines create lots of false positives, especially in OT environments where network traffic is fundamentally different from IT traffic and can confuse tools that were designed for the IT world.
The need for continuous updates to signatures, vulnerability lists, and threat intelligence feeds–even when no action is likely to be taken on them–makes “known bad” focused solutions expensive and time-consuming. Most importantly, this approach is reactive by definition, designed to counteract the threats identified yesterday rather than anticipating the novel tactics under development for tomorrow.
Enter the "known good" approach, a strategy that promises not just simplicity and efficiency but also a proactive defense against the constantly evolving landscape of cyber threats in OT environments.
The Benefits of a "Known Good" Approach for OT Cybersecurity
Strategies that start with the "known good" can simplify the cybersecurity landscape by establishing a clear understanding of normal, expected behavior in the industrial environment. This simplicity translates to more effective threat detection and response.
In IT environments, defining normal activity can be challenging, because humans are unpredictable and often do unexpected things for good reasons. In OT environments, this is less of a concern. One day’s industrial activity is usually expected to be very much like the day before or the day after. Exceptions like maintenance windows are usually predefined as well and can be figured into the definition of normal. Establishing a baseline for normal activity becomes more achievable, making it easier to identify and respond to anomalies.
Basing OT cybersecurity policies on “known good” activity provides several benefits:
- Reducing False Positives: Focusing on "known bad" activity often results in a high number of false positives, especially in OT environments where network traffic patterns differ significantly from conventional IT setups. The "known good" approach minimizes false positives by concentrating on deviations from established normal behavior.
- Economic and Resource Efficiency: The constant updates required for threat intelligence and vulnerability management solutions, even when no immediate action is likely, can be resource-intensive and costly. By prioritizing the "known good" approach, organizations can streamline their cybersecurity efforts, reducing both time and financial investments.
- Proactive Security Posture: Unlike the reactive nature of the "known bad" approach, the "known good" strategy allows for proactive cybersecurity. Instead of safeguarding against yesterday's threats, organizations adopting the "known good" approach are better positioned to defend against emerging threats and those yet to be conceived.
Implementing a "Known Good" Strategy in OT Environments
Achieving a successful "known good" cybersecurity strategy in OT environments requires a deep understanding of the industrial landscape. Here are key steps to implementing this strategy effectively:
- Detailed Asset Inventory: Begin by creating an accurate and comprehensive inventory of assets in your OT environment. This includes devices, software, and any components that contribute to the industrial processes.
- Network Traffic Analysis: Understand the flow of network traffic between OT assets. Determine which protocols should be used between specific devices, the types of commands devices should send, and any external connections necessary for normal operations.
- Define "Normal" Activity: Establish a detailed definition of "normal" activity based on the inventory and network analysis. This definition should cover expected behaviors for users, devices, applications, and even physical process signals from Level 0.
- Guardrails for Anomalies: Set up guardrails that either alert or block activity deviating from the established norms. These guardrails act as the first line of defense against potential threats, making cybersecurity measures more focused and responsive.
- Layering with Threat Intelligence: Treat vulnerability management and threat intelligence tools as additional layers of protection rather than the foundation of your cybersecurity posture. The "known good" approach aligns seamlessly with the concept of Zero Trust, reinforcing a holistic security strategy.
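As an added illustration of the traffic-analysis, define-normal and guardrail steps above (example code, not Mission Secure's or any product's), the Python below builds an allowlist baseline from learning-period records of which devices talk over which protocols and commands, folds in a predefined maintenance-window exception, and classifies each new flow as allow, alert or block; all hosts, protocol and function names and the window hours are constructed.

```python
"""Allowlist ("known good") policy check for OT network flows."""
from dataclasses import dataclass

# Constructed learning-period records: (src, dst, protocol, function) tuples
# observed during a period of normal operation. Hosts and codes are hypothetical.
LEARNING_RECORDS = [
    ("hmi-1", "plc-7", "modbus", "read_holding_registers"),
    ("hmi-1", "plc-7", "modbus", "read_coils"),
    ("historian", "plc-7", "modbus", "read_holding_registers"),
    ("scada-srv", "rtu-3", "dnp3", "read"),
]

# Predefined exception (hypothetical): the engineering workstation may write
# registers on plc-7 only during the scheduled 02:00-04:00 maintenance window.
MAINTENANCE = {("eng-ws", "plc-7", "modbus", "write_multiple_registers"): (2, 4)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    func: str
    hour: int  # hour of day (0-23) at which the flow was observed


def build_baseline(records):
    """Map each (src, dst, proto) conversation to the functions seen in learning."""
    baseline = {}
    for src, dst, proto, func in records:
        baseline.setdefault((src, dst, proto), set()).add(func)
    return baseline


def evaluate(baseline, flow):
    """Return (decision, reason): a conversation never seen in the baseline is
    blocked, a known conversation using a new function raises an alert, and a
    scheduled exception is allowed only inside its window."""
    key = (flow.src, flow.dst, flow.proto)
    window = MAINTENANCE.get((*key, flow.func))
    if window and window[0] <= flow.hour < window[1]:
        return "allow", "scheduled maintenance exception"
    if key not in baseline:
        return "block", f"no baseline conversation {key}"
    if flow.func not in baseline[key]:
        return "alert", f"new function {flow.func!r} on known conversation"
    return "allow", "matches baseline"
```

Outside its window the engineering write falls through to the ordinary rules and is blocked, which is the behaviour a predefined exception should have.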
It goes without saying that cyber threats continue to multiply and grow more sophisticated. The question is, how can OT asset owners take meaningful action to protect their operations against those threats?
The "known good" mindset is key to developing a proactive and efficient strategy for safeguarding OT and ICS environments. By understanding and defining normal activities, organizations can reduce the complexity of cybersecurity measures, minimize false positives, and establish a resilient defense against emerging threats.
To find out how Mission Secure can help your organization implement efficient, effective OT cybersecurity, schedule a consultation today.
Originally published November 29, 2023, updated November 29, 2023.