The Solution to High False Positives

06 - May 2025

Process-Oriented OT Cybersecurity: The Solution to High False Positives

The dilemma: One of the most critical decisions a CISO will face is how to respond to an alert that is indicative of a potential cyberattack – initiate a shutdown that disrupts operations and incurs avoidable costs, or risk overlooking a genuine threat that could lead to catastrophic consequences.

The False Positive Phenomenon in OT Cybersecurity

In Operational Technology (OT) environments, Intrusion Detection Systems (IDS) are widely used for identifying potential threats.

Here’s the problem: IDSs generate a high volume of false positives, leading to alert fatigue and costly downtime. For instance, according to one study of a single U.S. oil refinery, out of approximately 27,000 IDS alerts, only 76 corresponded to genuine OT cyber incidents. In other words, over 99% of the alerts were false positives.

Why Do IDS Generate So Many False Alarms?

Several factors contribute to the high rate of false positives in IDS:

Anomaly-based detection: An IDS flags network behavior that deviates from a learned baseline. However, not all anomalies are malicious. For instance, a user who forgets their password and attempts multiple logins can trigger a brute-force alert even though the action is benign. The IDS has correctly observed the behavior; what it cannot see is the intent behind it.

Complexity of OT environments: OT processes change over time (new production batches, maintenance windows, setpoint adjustments), so a baseline of normal behavior is hard to establish and quickly goes stale. Legitimate deviations from a stale baseline are then misclassified as attacks.

Lack of context: Traditional Intrusion Detection Systems (IDS) typically observe network traffic and have no insight into the actual state of the physical process. Without that context, it is difficult to determine whether an alert signifies a genuine threat or merely a harmless anomaly.

How SIGA Addresses the False Positive Challenge

SIGA offers a Process-Oriented approach to OT cybersecurity, focusing on the physical layer (Level 0) of the Purdue Model. By monitoring raw electrical signals directly from sensors, SIGA provides an unfiltered view of the physical processes, enabling more accurate detection of anomalies.

  • Multi-level monitoring: SIGA’s solution, SigaML², integrates data from all levels (0–4) of the Purdue Model. As a result, cyber teams can identify discrepancies between what the physical process is actually doing and what the higher-level control systems report.
  • Real-time anomaly detection: By applying Machine Learning algorithms to Level 0 data, SIGA can identify and alert on genuine threats in real time, reducing the likelihood of false positives.
  • Decision support: The system provides critical decision-making capabilities during the phase in which an attack begins to manifest in the physical process, enabling CISOs to make an informed choice about whether to shut down operations or continue running.
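To make the multi-level idea concrete, the following is an added illustration of the cross-level consistency check described above. It is not SIGA’s code and does not reflect how SigaML² is implemented; it assumes a single process variable (a tank level in metres, constructed sample data) for which two readings are available per sample: the value the PLC/HMI reports upstream (Levels 1–2) and an independently sampled Level 0 sensor signal already scaled to the same engineering units. A baseline anomaly detector stands in for a traditional IDS; the discrepancy check stands in for the process-grounded layer. The function names, thresholds and data are all hypothetical.

```python
"""Illustrative cross-level alert triage (added example, not SIGA's code).

Two detectors run over the same constructed samples:
  * baseline_alerts    - a traditional anomaly detector on the reported value
  * discrepancy_alerts - a process-grounded check comparing the reported value
                         with an independent Level 0 measurement
triage() suppresses baseline anomalies that the physical signal confirms and
escalates samples where the reported value contradicts the physical signal.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int          # seconds since start of the observation window
    reported: float # value the PLC/HMI reports upstream (Purdue Levels 1-2)
    raw: float      # independently sampled Level 0 signal, same units


# Constructed learning window: steady tank level of about 4.0 m (hypothetical).
BASELINE = [4.0, 4.1, 3.9, 4.0, 4.05, 3.95, 4.0, 4.1, 3.9, 4.0]

# Constructed observation window (hypothetical):
#   t=20,30  operator opens a fill valve; both readings rise together
#   t=40,50  reported value stays flat while the physical level keeps rising,
#            i.e. the reporting path no longer matches the process
SAMPLES = [
    Sample(0, 4.00, 4.00),
    Sample(10, 4.05, 4.03),
    Sample(20, 4.60, 4.58),
    Sample(30, 4.90, 4.92),
    Sample(40, 4.00, 4.70),
    Sample(50, 4.00, 5.10),
]

# Allowed disagreement between the two paths; must exceed sensor noise and
# scaling error, so it has to be calibrated per signal (hypothetical value).
TOLERANCE = 0.15


def baseline_alerts(samples, baseline, k=3.0):
    """Traditional anomaly detection: flag reported values more than k
    standard deviations away from the learned baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [s.t for s in samples if abs(s.reported - mu) > k * sigma]


def discrepancy_alerts(samples, tolerance):
    """Process-grounded check: flag samples where the reported value and the
    raw Level 0 signal disagree by more than the calibrated tolerance."""
    return [s.t for s in samples if abs(s.reported - s.raw) > tolerance]


def triage(samples, baseline, tolerance, k=3.0):
    """Return {t: verdict} for every sample that fired either detector.

    A baseline anomaly that the physical signal agrees with is a benign
    transient; a reported value that contradicts the physical signal is
    escalated regardless of whether the baseline detector noticed anything.
    """
    base = set(baseline_alerts(samples, baseline, k))
    disc = set(discrepancy_alerts(samples, tolerance))
    verdicts = {}
    for t in sorted(base | disc):
        if t in disc:
            verdicts[t] = "escalate: reported value contradicts physical signal"
        else:
            verdicts[t] = "suppress: anomaly confirmed by physical signal"
    return verdicts


if __name__ == "__main__":
    for t, verdict in triage(SAMPLES, BASELINE, TOLERANCE).items():
        print(f"t={t:>3}s  {verdict}")
```

Run on the constructed data, the baseline detector fires on the benign fill operation (t=20, 30) and stays silent while the reported value is flat (t=40, 50); the discrepancy check does the opposite, so the two false positives are suppressed and the two samples a network-only detector would have missed are escalated. The check is only as trustworthy as the independence of the Level 0 path: if the raw signal is taken downstream of the same device that produces the reported value, a compromise of that device hides from both detectors.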

In summary, by anchoring detection in the actual state of the physical process, SIGA’s approach grounds alerts in observed reality, significantly reducing false positives and improving the overall security posture of industrial operations.

The Bottom Line

Traditional IDS in OT environments are susceptible to high false positive rates, leading to alert fatigue and potential oversight of real threats. SIGA’s Process-Oriented approach, focusing on the physical layer and integrating data across all levels of the Purdue Model, offers a more accurate and reliable method for detecting genuine cyber threats.

A significant step forward for OT Cybersecurity.
