Keywords
Threat hunting, OT, anomaly detection, segmentation, visibility, complexity vs simplicity, security vs manageability
Summary
OT security expert Oliver Jaeckel-Bender defines threat hunting from an OT perspective. He differentiates the discipline from its IT counterpart and talks about the minimum and maximum requirements for cybersecurity in OT networks.
Takeaways
Threat hunting actively searches for existing indicators of compromise in networks and systems.
The scope of threat hunting is often badly muddled.
Typical IT-style threat hunting would come too late in OT.
In the OT, threat hunting involves anomaly detection because malicious activities might not be so clearly defined.
In OT, there are many corners where operators don’t really know what is happening there, why, or how.
The security of a system can only be guaranteed when you understand how each involved component works and what it does.
Of course, this sounds utopian, but it is feasible if one starts by knowing and understanding the meta information: who is communicating with whom, why, and in which way.
Segmentation and anomaly detection are the cornerstones of OT security.
Overly complex cybersecurity makes us skip important steps in daily routines.
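The "who is communicating with whom and in which way" baseline from the takeaways above, as an added illustration that is not from the episode: it learns communication relations from constructed flow records, checks them against a hypothetical zone-segmentation policy, and flags deviations. The addresses, zone names and allowed zone pairs are assumptions.

```python
# Added example, not from the episode. Flows are (src, dst, proto, port) tuples;
# all addresses, zones and the allowed zone pairs below are hypothetical.

# Segmentation model: which zone may initiate traffic to which zone.
ZONES = {
    "10.1.0.11": "plc",       # PLC in the cell/area zone
    "10.1.0.12": "plc",
    "10.2.0.5": "scada",      # SCADA/HMI server in the supervisory zone
    "10.3.0.20": "eng",       # engineering workstation
    "192.168.50.9": "it",     # corporate IT host
}
ALLOWED_ZONE_PAIRS = {("scada", "plc"), ("eng", "plc"), ("eng", "scada"), ("it", "scada")}

# Constructed flows observed during a known-good learning window.
BASELINE_FLOWS = [
    ("10.2.0.5", "10.1.0.11", "tcp", 502),      # SCADA polls PLC over Modbus/TCP
    ("10.2.0.5", "10.1.0.12", "tcp", 502),
    ("10.3.0.20", "10.1.0.11", "tcp", 44818),   # engineering station, EtherNet/IP
]

def learn_baseline(flows):
    """Reduce raw flows to the set of communication relations (the meta information)."""
    return {tuple(f) for f in flows}

def zone_of(ip):
    return ZONES.get(ip, "unknown")

def evaluate(flow, baseline):
    """Findings for one flow: 'new_relation' if never seen while learning,
    'segmentation_violation' if the zone pair is not permitted by policy."""
    src, dst, _proto, _port = flow
    findings = []
    if flow not in baseline:
        findings.append("new_relation")
    if (zone_of(src), zone_of(dst)) not in ALLOWED_ZONE_PAIRS:
        findings.append("segmentation_violation")
    return findings

def hunt(flows, baseline):
    """Return {flow: findings} for every flow that deviates from baseline or policy."""
    result = {}
    for f in flows:
        findings = evaluate(f, baseline)
        if findings:
            result[f] = findings
    return result

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    observed = BASELINE_FLOWS + [
        ("192.168.50.9", "10.1.0.11", "tcp", 502),   # IT host speaking Modbus to a PLC
        ("10.3.0.20", "10.1.0.12", "tcp", 44818),    # engineering station reaches a 2nd PLC
    ]
    for flow, why in hunt(observed, base).items():
        print(flow, "->", ", ".join(why))
```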
Sound Bites
People have put all things in this one bucket and have sprayed Threat Hunting on it.
Threat hunting is often viewed with the same indifference as OT security—and that leads to misunderstandings.
In OT, I don’t really need to understand each and every payload, but at least I should understand the meta information.
At the very least I want to know from somebody if my systems’ communication is correct the way it is.
Chapters
00:00 Introduction
01:31 What is classic threat hunting?
05:30 Does classic threat hunting work in OT?
10:53 What does effective threat hunting look like in OT networks?
15:09 What are the odds of really understanding one’s digital infrastructure?
17:43 Do you need to know every detail to secure your OT?
19:44 How far can you actually go with securing your OT?
23:50 The conundrum of complexity in cybersecurity
25:37 Conclusion and Best Practice