Is “Level 0” Monitoring Essential for OT Cyber Security? – 10 Points To Consider



The following article is written by Hadas Levin, VP Sales & Marketing:

After intensive discussions in the industry over the past year I wanted to share a number of my conclusions regarding the essential need for “Level 0” based monitoring for OT Cyber Security.

1. The transition to Industry 4.0 is expected to improve efficiency and productivity, as well as introduce many changes in the way industrial processes work. McKinsey reports that the worldwide number of IoT-connected devices is projected to increase to 43 billion by 2023, an almost threefold increase from 2018, and Mordor Intelligence reports that the ICS Security Market is growing at a CAGR of 20% from 2018 to 2024.

Following “9/11” and the assignment of cyber security responsibility to “IT,” CIOs & CISOs are responsible for OT Cyber Security. While the OT Cyber Security industry speaks of IT/OT “convergence,” the need for better integration is glaring. However, there are very few instances that I have witnessed so far of such “convergence.” In fact, during recent meetings with a large government authority with over 8,000 employees, the 2 departments (IT & Operations) rarely collaborate let alone “converge” in either their thinking or in operations.

2. It seems that IT may be a bit over-optimistic regarding their abilities to completely protect and defend ICS/OT networks. IT’s orientation in finding solutions is usually limited to network programming, trying to build higher and higher “digital walls” / barriers to intruders in their efforts to provide OT cyber security, but this may not be the answer.

3. Perhaps it may behoove IT CIO & CISO leaders responsible for OT cyber security to entertain the fact that all PLCs can and will eventually be hacked and pirated, especially with the adoption of cyber warfare by governments around the world.

Siemens S7 Simatic PLC Hacked at Black Hat 2019 USA

4. The most glaring example of PLC compromise was recently presented at “Black Hat USA” in August 2019 by ethical hackers. As part of the “attack,” the “hackers” analyzed and identified the code elements of the Siemens S-7 Simatic PLC and its proprietary cryptographic protocol. Based on their analysis they created a fake engineering station, an alternative to Siemens’ official station. The fake engineering station was able to command the controller according to the will of the attackers. They were able to turn the controller on and off, download rogue command logic according to their wishes, and change the operation and source codes. They also succeeded in creating a situation in which the engineer operating the controller did not recognize their “hostile intervention.”

5. Since Stuxnet astounded the world in 2010, followed by Irongate Malware in 2016 and recently Black Hat USA in 2019 – nearly 10 years of endless efforts have been invested to invent network level solutions to prevent pirating of PLCs. However, it is irrefutable that as of this moment such has not been accomplished. Critical processes, infrastructure and critical devices remain exposed and vulnerable to any perpetrator with enough motive and resources who will eventually take control of the PLC and the critical processes it controls.

6. IT is not equal to OT. In IT, the assets are the data, the protocols, the network and their communication. In OT, the assets are the devices providing a process. These are two very different orientations and worlds, which probably will never really “converge,” but it is clear that as more devices are connected to the ever-expanding IIoT we need to find effective defenses to prevent new avenues of communication from being abused.

SIGA OT Solutions Unique Level 0 Anomaly Detection

7. Communication in the upper levels (1+) of the Purdue model, from the PLC and above, is in the language of bits and bytes, data packets and internet protocols. Communication in Level 0, where electro-mechanical devices reside, especially in legacy systems and the vast majority of existing critical infrastructure and processes, is in the language of electricity, i.e. volts and amps: the electrical signals between the sensors, actuators and the PLC. They speak the language of electricity, not of data.

8. Level 0 monitoring of the electrical signals between the device sensors, actuators and the PLC provides an essential means to ensure accurate, real-time situational awareness of device and process health. The electrical signals are physics, unhackable and provide vast amounts of information regarding device and process health.

9. SIGA’s Level 0 monitoring is a hardware & software solution. Uni-directional Isolators (I/Os) are easily installed to copy the electrical signal between the device (Level 0) and the PLC (Level 1) without interfering with the ICS process. The copy of the electrical signal is sent “Out-Of-Band” for advanced analytics to detect any process anomalies, regardless of whether they are cyber or process induced. Unsupervised Machine Learning is employed to provide additional, critical, unanticipated insights for process optimization. Monitoring of only 3-7% of the critical process I/Os provides complete, independent verification and validation of processes. This technology can be implemented on-premises or in the cloud, depending on owner preference, and is legacy equipment compatible, component / protocol agnostic and complementary to all network based cyber security systems.
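As an added illustration of the independent verification points 8 and 9 describe (not SIGA's algorithm and not code from this article), the sketch below compares an out-of-band copy of a sensor signal with the value the PLC reports over the network and flags sustained disagreement. The 4-20 mA scaling, the 0-10 bar range, the tolerance and every sample reading are assumptions constructed for the example.

```python
# Added example: Level 0 vs. network cross-check. All names and thresholds are hypothetical.
from dataclasses import dataclass

@dataclass
class Sample:
    t: int            # seconds since start
    loop_ma: float    # out-of-band copy of the sensor's electrical signal (Level 0)
    plc_value: float  # value the PLC reports upward over the network (Level 1+)

def ma_to_units(ma, lo, hi):
    """Scale an assumed 4-20 mA loop current linearly to engineering units [lo, hi]."""
    if not 3.8 <= ma <= 20.5:   # outside the live range: broken wire or sensor fault
        return None
    return lo + (ma - 4.0) * (hi - lo) / 16.0

def check(samples, lo=0.0, hi=10.0, tol=0.2, persist=3):
    """Return (t, reason) alerts where the network view disagrees with the wire."""
    alerts, run = [], 0
    for s in samples:
        physical = ma_to_units(s.loop_ma, lo, hi)
        if physical is None:
            alerts.append((s.t, "signal_fault"))
            run = 0
            continue
        if abs(physical - s.plc_value) > tol:
            run += 1
            if run == persist:  # alert once per sustained divergence, not on one noisy sample
                alerts.append((s.t, "plc_mismatch"))
        else:
            run = 0
    return alerts

# Constructed data: a pressure transmitter with an assumed 0-10 bar span.
SAMPLES = [
    Sample(0, 12.0, 5.0), Sample(1, 12.1, 5.05), Sample(2, 12.0, 5.0),
    # From t=3 the wire shows pressure rising while the reported value stays frozen.
    Sample(3, 13.0, 5.0), Sample(4, 14.0, 5.0), Sample(5, 15.0, 5.0),
    Sample(6, 16.0, 5.0),
    Sample(7, 2.0, 5.0),  # loop current collapses below the live range
]

if __name__ == "__main__":
    for t, reason in check(SAMPLES):
        print(f"t={t}s alert={reason}")
```

The `persist` counter is what keeps a single noisy reading from raising an alert; a real deployment would tune it and `tol` per signal.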

SIGA was named a 2018 Gartner “Cool Vendor”, received the EU Seal of Excellence and is ISO/IEC 27001 certified.

Level 0 Monitoring


A National Power Utility recently remarked: “SIGA’s ability to precisely identify the exact location and character of operational faults, coupled with complete out-of-band monitoring providing authentication of sensor readings, was proven to be a significant contribution to our OT infrastructure. I strongly recommend using the SIGA platform to anyone who wants to ensure cyber security and operational reliability within their critical infrastructure.”




During the 2019 i-Trust Hackathon sponsored by the Singapore Government, SIGA was the only IDS technology to detect all anomalies and demonstrated the critical and essential importance of Level 0 protection.






10. Inspired and set in motion by the 2015 cyber-attack on Ukraine’s power grid, where suspected Russian hackers crashed a portion of the country’s power supply and left more than 225,000 Ukrainians without power on Christmas Eve, the U.S. Security of Energy Infrastructure Act (SEIA) addresses technical vulnerabilities in Supervisory Control and Data Acquisition Systems (SCADA). The bill advocates analog and non-digital control systems, purpose-built control systems, and physical controls in a move to provide alternative means to protect the grid from a cyber-attack. It seems that a hybrid approach may provide optimal OT Cyber Security through Level 0 monitoring combined with a NIST-compliant network-based solution. This hybrid solution successfully bridges the gaps between IT & OT, provides independent verification and validation of process health, unsurpassed anomaly detection and process optimization insights, and is likely the Best Available Technology (BAT) for OT Cyber Security today.

A quick recap on Level 0 Asset Protection by Joe Weiss & Amir Samoiloff: