June 8, 2023 | strategy, security

Industrial cybersecurity - The facts

By Roman Krasnov


In February 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential act of terrorism did not come to fruition.

Two years later, we still have no details on the malicious actor. However, Al Braithwaite, the former city manager of Oldsmar, Florida, recently stated that hackers did not cause this potentially world-altering episode. It was, in fact, a "non-event" sparked by user error.

It may sound as if you have been fooled, and that in real life there is no sophisticated cyber-physical threat of the kind security companies have been warning us about for many years. Is that so? If not, how do you protect technology from being tampered with by adversaries? And how do you avoid blind spots in the evidence?

Let’s find out.

Long-lasting secure-over-technology supremacy

Operational Technology (OT) incidents are especially memorable because of their distinct cyber-physical impact. And that played a nasty trick on OT security.

All the hype began in 2010 with Stuxnet. The Stuxnet worm was as much a fascinating technological advancement as it was an act of political warfare. It wouldn’t have looked out of place in a Mission Impossible movie. Long story short: US/Israeli intelligence agencies (as is widely assumed) created a sophisticated piece of Windows malware. It penetrated an Iranian nuclear plant’s network and caused uranium centrifuges to be damaged by tampering with their technical parameters. You can read more about Stuxnet in our previous blog post, The EU’s response to cyberwarfare.

The case is remarkable, and no wonder it triggered countless new cybersecurity offerings, followed by a wave of marketing materials all crying "You must control your OT parameters with exceptional OT security tools!". Fair enough, but there was a slight issue with the threat model.

Hypnotized by the buzz, many failed to notice that the threat actor was a coalition of nation-states with practically unlimited offensive resources, something that is hard to compete with when defense receives an average of 5-10% of IT spending. Just as many turned a blind eye to the fact that anti-virus had overlooked the malware before its payload triggered at the cyber-physical edge. Instead, the idea of cross-cutting cyber-physical protection based on technology process monitoring captured everyone’s minds.

The market has spent almost a decade coming to understand that technology process monitoring for security purposes costs a lot and ultimately has minimal effect on security posture.

Show me the real cyberattack on SCADA!

For many, it is still a surprise that no other attack like Stuxnet has ever been recorded. Instead, all the subsequent well-known breaches of OT infrastructure had the primary goal of (or resulted in) making OT infrastructure unavailable to personnel. But doesn’t that sound equally dangerous?

To achieve that goal, a hacker (surprisingly) needs no OT knowledge at all. A typical scenario for an OT or SCADA attack is:

  • The hacker gets access to a Windows computer inside an OT network

    • Option 1: default/weak password

    • Option 2: brute-force remote desktop software

    • Option 3: find credentials kindly stored in a spreadsheet

    • Option 4: ask for credentials via chat or e-mail :-)

    • Option 5: send a regular trojan

  • Option 6: and so on…

  • The hacker logs onto the target computer with the acquired credentials

  • The hacker installs ransomware or wipes out the entire storage drive

  • PROFIT

That’s it. The technology process was disrupted, the headlines were in the media, and the hackers used zero "SCADA skills". It may seem a bit simplified, but it’s easy to introduce additional malicious actions (like randomly clicking SCADA buttons on the operator’s dashboard), and that’s how the actual attacks go in real life. For example, check out the next famous cyberattack, on Ukrainian electric substations in 2014-2016, in another previous blog post.

As we’ve seen, causing industrial system damage oftentimes requires no specialized OT hacking knowledge at all. It makes sense that a hacker wanting to invest as little as possible to achieve the largest possible media furor should want to target OT environments.

Unfortunately, in the real world, many OT environments still lack the very basic and common security countermeasures that are prevalent in IT environments. This needs to change.

Industrial security aspects

While the theory that "SCADA is very different" is widely exaggerated, SCADA still runs on Ethernet, Windows, and TCP/IP, the same IT technologies that hackers can turn against OT. From that perspective, building solid OT protection requires establishing a defense-in-depth strategy with all its well-known layers, such as Network, Software, and Hardware Security.

You may hear from a security perspective what you "can’t" do with OT:

  • Can’t re-segment OT network

  • Can’t install antivirus in OT

  • Can’t patch OT systems

  • Can’t update OT systems

  • Can’t …, and so on

Thanks to these, passive network monitoring became the first-choice security technology for OT, on the claim that it is fast to deploy and safe for the industrial environment.

The problem is that network monitoring tools (NTA/NDR) alone inherently produce a limited number of actionable insights. That was one of the reasons technology parameter monitoring was added to industrial NTA offerings, in an attempt to enhance product value. Still, as we now know, it was the wrong direction.

According to the NIST SP 800-82 industrial control systems security guidelines, there are many important log events that have to be continuously tracked in an industrial environment, such as:

  • Multiple failed login attempts

  • Locked-out accounts

  • Unauthorized creation of new accounts

  • Unexpected remote logins (e.g., logons of individuals that are on vacation, remote login when the individual is expected to be local, remote logon for maintenance support when no support was requested)

  • Cleared event logs

  • Unexpectedly full event logs

  • Disabled antivirus or other disabled security controls
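The list above is only useful once something actually evaluates those events. The following is an added example (not NXLog code, and not part of the original post) that turns each NIST SP 800-82 category into a small check run over constructed Windows event records shaped like the JSON a log collector would forward. The Windows event IDs are the real Security-log and Defender IDs; the hosts, users, source address, threshold, "on leave" roster and maintenance-window flag are hypothetical site policy values chosen for the example.

```python
"""Detection checks for the NIST SP 800-82 event categories, run over
constructed Windows event records. Added example, not NXLog code."""
from collections import Counter

# Real Windows event IDs (Security log unless noted); not page-specific values.
FAILED_LOGON = 4625        # An account failed to log on
ACCOUNT_LOCKED = 4740      # A user account was locked out
ACCOUNT_CREATED = 4720     # A user account was created
LOGON = 4624               # An account was successfully logged on
LOG_CLEARED = 1102         # The audit log was cleared
LOG_FULL = 1104            # The security log is now full
DEFENDER_RTP_OFF = 5001    # Microsoft-Windows-Windows Defender: real-time protection disabled
REMOTE_LOGON_TYPES = {3, 10}   # Network and RemoteInteractive (RDP) logons

# Hypothetical site policy for this example.
FAILED_LOGON_THRESHOLD = 5
AUTHORIZED_ACCOUNT_CREATORS = {"it-admin"}
USERS_ON_LEAVE = {"jsmith"}             # e.g. fed from the vacation schedule
MAINTENANCE_WINDOW_OPEN = False         # no remote support was requested

# Constructed sample events (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    {"host": "HMI-01", "EventID": 4625, "user": "operator", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4625, "user": "operator", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4625, "user": "operator", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4625, "user": "admin", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4625, "user": "admin", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4740, "user": "operator", "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4624, "user": "jsmith", "LogonType": 10, "src": "10.10.5.77"},
    {"host": "HMI-01", "EventID": 4720, "user": "svc_hmi2", "subject": "jsmith"},
    {"host": "HMI-01", "EventID": 1102, "subject": "jsmith"},
    {"host": "ENG-02", "EventID": 4624, "user": "engineer", "LogonType": 2, "src": "-"},
    {"host": "ENG-02", "EventID": 4625, "user": "engineer", "src": "-"},
    {"host": "ENG-02", "EventID": 5001, "provider": "Microsoft-Windows-Windows Defender"},
]


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return {(host, src): count} for sources with at least `threshold` failed logons."""
    counts = Counter((e["host"], e.get("src")) for e in events if e["EventID"] == FAILED_LOGON)
    return {key: n for key, n in counts.items() if n >= threshold}


def locked_out_accounts(events):
    """Accounts that hit the lockout policy."""
    return sorted({e["user"] for e in events if e["EventID"] == ACCOUNT_LOCKED})


def unauthorized_account_creations(events, authorized=AUTHORIZED_ACCOUNT_CREATORS):
    """(creator, new account) pairs where the creator is not an approved admin."""
    return [(e["subject"], e["user"]) for e in events
            if e["EventID"] == ACCOUNT_CREATED and e.get("subject") not in authorized]


def unexpected_remote_logons(events, on_leave=USERS_ON_LEAVE, maintenance=MAINTENANCE_WINDOW_OPEN):
    """Remote logons by users on leave, or any remote logon outside a requested maintenance window."""
    findings = []
    for e in events:
        if e["EventID"] != LOGON or e.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        if e["user"] in on_leave:
            findings.append((e["host"], e["user"], "user on leave"))
        elif not maintenance:
            findings.append((e["host"], e["user"], "no maintenance window"))
    return findings


def log_tampering(events):
    """Cleared or full event logs; both hide evidence."""
    return [(e["host"], "cleared" if e["EventID"] == LOG_CLEARED else "full")
            for e in events if e["EventID"] in (LOG_CLEARED, LOG_FULL)]


def disabled_security_controls(events):
    """Security controls switched off on the host."""
    return [(e["host"], "Defender real-time protection disabled")
            for e in events if e["EventID"] == DEFENDER_RTP_OFF]


def run_checks(events):
    """Run every check and return only the categories that produced findings."""
    results = {
        "failed_logon_bursts": failed_logon_bursts(events),
        "locked_out_accounts": locked_out_accounts(events),
        "unauthorized_account_creations": unauthorized_account_creations(events),
        "unexpected_remote_logons": unexpected_remote_logons(events),
        "log_tampering": log_tampering(events),
        "disabled_security_controls": disabled_security_controls(events),
    }
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Every check here needs host-level event data, which is exactly what passive network monitoring does not see: a cleared audit log, a new local account or a disabled anti-malware engine leave no packet on the wire. In a real deployment the same rules would live in the SIEM, fed by the collection pipeline, with the "on leave" and maintenance-window inputs coming from HR and ticketing systems rather than constants.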

Being just one part of the SOC Visibility Triad (event management, evolved anti-malware, and network detection), passive network monitoring cannot fulfill that alone and must be complemented with a SIEM system for the security team to get enriched and actionable insights across the whole kill chain.

However, there are a couple of issues that hinder SIEM adoption in OT:

  • SIEMs require heavy log collection agents to be installed (OT is not happy with this)

  • SIEMs lack industrial software/hardware logs support

Simply put, you must carefully design a log collection system while planning SIEM expansion to OT, and pass a FAT (Factory Acceptance Test) if necessary.

Compared to specialized industrial network monitoring as a first-choice tool for securing an OT network (although firewalls and antivirus remain number one), SIEM has a clear advantage: security engineers are already familiar with SIEMs and can start working with them immediately. As part of an OT network security program built on log collection and analysis, a SIEM can improve your security posture dramatically, leaving fewer blind spots for a real hacker to hide in.

Establishing industrial security event management together with, at least, generic network monitoring (NTA-like) provides an insightful mechanism to detect an attacker before they start tampering with technology parameters. Is this not what we aim for?

How NXLog helps to secure operational technology

NXLog Enterprise Edition has the capabilities to help CISOs and security engineers in charge of OT security solve these challenges quickly:

  • Enables a lightweight log collection pipeline, proven to be used in OT networks based on various technologies from Siemens, Schneider Electric, and others.

  • Supports all the major SIEM and APM systems for log forwarding, like Splunk, IBM QRadar, Google Chronicle, Microsoft Sentinel, Microfocus ArcSight, Datadog, Graylog, and others.

  • Supports both agent-based and agentless collection, critical for heterogeneous environments like OT.

  • With its powerful event processing system, NXLog Enterprise Edition allows filtering and routing of security events from both the system level (Windows, Linux, AIX, etc., including legacy systems) and the SCADA application level (Siemens WinCC, Siemens Step7, Siemens SICAM, and others).

  • NXLog Enterprise Edition provides generic network monitoring capabilities to introduce insightful data for the security team without leaving the SIEM dashboard.

Need a log collection tool to help secure your OT environment? Try NXLog Enterprise Edition for free today, or get in touch to learn more.
