The ICS/OT Landscape: How CrowdStrike Supports Through Partnerships With Rockwell and Others

CrowdStrike and Rockwell Automation have announced a partnership to help joint customers secure the expanded threat surface of the industrial control systems (ICS) and operational technology (OT) controlling our energy, manufacturing our goods and operating our medical equipment. This has been a greenfield area for security due to the real-time nature of these systems and the need for continuous availability.

The Problem

 

Today, the need for extending security controls in the ICS/OT area is most evident in the manufacturing sector, based on the intersection of the threat landscape and the digital transformation of the business. According to the CrowdStrike 2021 Threat Hunting Report, CrowdStrike Intelligence found that the manufacturing sector was the second most targeted industry by ransomware attacks from July 2020 to June 2021. This unique vertical is being targeted by both state-sponsored and eCrime actors.

 

While destructive operations affecting ICS/OT environments that originate from select targeted intrusion adversaries are not likely to be aimed at manufacturing sector entities, these environments may be targeted in economic espionage campaigns that seek data repositories or other confidential business information — which can impact operational facilities. CrowdStrike Intelligence has identified several ransomware families used by eCrime adversaries that are capable of terminating OT processes in Windows systems, as evidenced by Ekans ransomware.

 

Compounding the threat landscape is the digital transformation of the factory through the promise of Industrial IOT (Internet of Things) bringing in machines, cloud computing and edge-driven analytics to enhance the performance of an industrial process. The shift toward these services has driven a change from a heterogeneous environment with disconnected proprietary embedded systems and protocols, to a homogeneous landscape with cloud platforms, modern operating systems and unified architectures. No longer can control system defenses hide behind the traditional air gap or security-by-obscurity due to the large amount of heterogeneous control system protocols and systems unique to each manufacturer. The combination of a homogenous attack surface, adversary targeting and an increased understanding of these systems has driven the need for increased comprehensive protection of these areas. The challenge for CISOs and CIOs is to architect a comprehensive, sustainable security program to bring visibility, detection, protection and response to their plant environments in response to board-level initiatives to secure the factory and enable the workforce. Many of the challenges have been in building the proper governance, with the proper alignment between the plant and security teams to ensure security aligns with the availability and uptime requirements of the plant teams. On the technology side, most of the effort in the past few years has been focused around ICS-specific visibility in the plant environment, enumerating human-machine interface (HMI) and programmable logic controller (PLC) asset identification, vulnerability management and threat intelligence through network solutions designed to understand the heterogeneous automation networks and their requisite proprietary protocols.

 

 

 

 

 

 

 

 

 

 

 

Organizations have traditionally been hesitant to introduce an endpoint technology into an OT security program. The conventional wisdom has been that the endpoint technology will interfere with a plant system, causing availability impact or potentially a lack of visibility to plant operations. This has resulted in plant teams demanding that their endpoint security technology be certified to interoperate with their automation equipment.

 

This has led to years of testing by automation manufacturers of legacy endpoint security vendors, where they have had to incur a significant cost to test every engine and update file, and often have had to exclude the process directory from being scanned because of system conflicts from the AV technology hooking into the file in having to scan the file. Other methods such as application allowlisting have been used to harden the systems, but the use has proven limited against current attacks such as Mimikatz, which utilized PowerShell scripts to harvest credentials for lateral movement to gain access to domain controllers or other endpoints.

 

 

 

The CrowdStrike Solution

CrowdStrike delivers the visibility and protection that organizations need to secure OT environments. The CrowdStrike Falcon® platform leverages real-time threat intelligence on evolving adversary tradecraft, indicators of attack and enriched telemetry from across the enterprise to deliver deep visibility, hyper-accurate detections and automated protection. The platform's cloud-native architecture and lightweight agent were purpose-built to scale across enterprise environments — delivering unprecedented efficacy against a wide variety of threats without impacting user or system performance.

 

As a result, customers can quickly deploy basic endpoint detection and response (EDR) in a matter of minutes and be able to stream important events such as network connections, registry information and system properties directly to the cloud upon detection for retention and analysis. Unique attacks are analyzed by machine learning and our threat intelligence team to aid in remediation. Falcon is designed as an extensible solution that ensures new security countermeasures can be added to the platform seamlessly. The Falcon agent requires minimal inbound connectivity, and deployments can support a full Purdue model in Level 2/3 or 3.5 with a proxied environment to handle this connection.

 

This gives our customers the ability to quickly move beyond basic visibility in their environment to real-time detection, protection and automated response. The technology can be deployed without impact to the HMIs and engineering workstations in the plant.

 

An automation vendor no longer has to go through the painful process of endless validation, and plant teams are able to rapidly deploy with no impact to production to “protect the crown jewels” of the key systems that operate their plants — thereby safely detecting, protecting and responding to attacks targeting the homogenous attack surface of modern industrial facilities.

 

 

Partnerships

 

We are excited to work with Rockwell to address the challenges in the manufacturing vertical as well as other key verticals that Rockwell supports. Rockwell has used CrowdStrike since 2020 as its corporate standard to test its products at the time of release. The partnership expands this relationship to deliver CrowdStrike products and services coupled with Rockwell’s industrial security services to give the customer a full breadth of protection to address the needs of security teams and also the operational teams responsible for the 24/7 availability of the plant.

 

This is a continued effort from CrowdStrike to work with manufacturers as they build out security products and services for their critical environments. We recently announced a partnership with Nihon Kohden, a global leader in precision medical products and service — it has validated and certified CrowdStrike and is providing a service to its customers to meet the needs of the healthcare industry.

 

Furthermore, we have built partnerships with several providers that Rockwell partners with to extend the use cases of the Falcon platform to allow customers to drive additional value from their CrowdStrike investment. Dragos offers a unique CrowdStrike Store application that leverages CrowdStrike endpoint telemetry data against the WorldView ICS-specific threat intelligence, allowing CrowdStrike customers to hunt for these specific indicators of attack. The combination of IT and OT threat intelligence allows end users to effectively threat hunt in their environment against both eCrime and state-sponsored attackers, who have demonstrated the sophistication to understand the unique nature of industrial environments. Claroty is able to push into the CrowdStrike Falcon® platform its unique intelligence and signatures in the plant networks for consumption. It leverages the Falcon agents deployed on the HMI and engineering workstations to pull the unique asset properties into its platform, and also the vendor-specific project files of its automation manufacturer that enumerate the PLC and I/O card information into the Claroty platform. This provides differentiated visibility without having to resort to active querying of the device itself, potentially impacting availability. This is an important use case that can further help our customers in their sustainability journey to secure their plants, moving from visibility to detection protection and response in their plant environments. Claroty is also participating in CrowdStrike’s XDR alliance, which brings Claroty’s network intelligence through an open framework.

 

Partnering for Success in ICS and OT environments

We are excited about our expanding partnerships that together bring our unique experience and solutions to help joint customers secure the expanding threat surface of ICS and OT environments against the continuously evolving threat landscape targeting this sector. The Falcon platform offers real-time protection and visibility across operational facilities, preventing attacks on endpoints on or off the network, and by partnering with Rockwell and other strategic partners in manufacturing and other verticals, we’re creating best-of-breed solutions that will meet the strident demands of the industrial IoT space.

 

 

Additional Resources

 

 

Breaches Stop Here