An 800-pound gorilla eyes the Operational Technology security space
Creating a unified threat stream of raw OT and IT data is a significant challenge.
Plumb more "traditional" operational assets like gas turbines, pipelines, or water treatment plants into digital networks and you are going to face more security issues. The benefits of this convergence of Information Technology (IT) and Operational Technology (OT) -- as part of a "fourth industrial revolution" that fuses the physical and digital -- have been widely discussed. So have its cybersecurity consequences; some 2021 examples include the Colonial Pipeline outage and the news of an attempted poisoning of urban water supplies.
The IT/OT integration trend has triggered a drive by cybersecurity companies into the space, with specialists like Forescout and Nozomi Networks competing with larger security providers like Orange Cyberdefense, which have set up dedicated OT security arms, for a slice of critical infrastructure cybersecurity real estate.
Arguably few have had access to as much critical infrastructure data as German conglomerate Siemens Energy however; and the €55 billion (by 2020 revenue) industrial powerhouse is now pushing hard into the cybersecurity space too, including via its Eos.ii platform -- which it describes as "the first AI-based monitoring and detection platform to serve as the foundation of an IOT fusion SOC for energy and critical infrastructure."
IOT fusion SOC? AI detection? Standardised data flows? Single pane of glass? Siemens Energy fits a healthy smorgasbord of jargon and industry cliches into its communications about the new platform, so The Stack sat down for a flying chat with project mastermind Leo Simonovich, global head of industrial cyber and digital security, to try and unpack precisely what Siemens Energy is up to, who it is targeting, and what it thinks makes Eos.ii stand out.
Leo, what was the genesis of Eos.ii?
"As an automation and an engineering company, we have been on a journey since Stuxnet to secure ourselves and our products -- but also to innovate and to help secure our customers [based on our experience with] operational technologies. The number and the frequency of attacks targeting critical infrastructure is increasing exponentially. We have developed a practice over the last six years focused on this space. This is our latest innovation: one which provides the foundation for Security Operation Centres to monitor and detect threats in the physical and digital worlds."
"AI visibility" is a pretty ubiquitous claim. What's different about Eos.ii?
"We are able not only to provide visibility -- that's everybody's buzzword in security -- but we help understand what's happening operationally; we ingest data from assets and control systems to understand the impact on production. There are lots of monitoring platforms out there. Splunk has one, IBM has one. But none of them take this approach of creating the unified threat stream between physical and digital worlds.
"We've built a detection engine that allows us to alert [users to] malicious behaviour and map it back to specific assets, specific processes, so that analysts can take more prescriptive and well-informed decisions.
(As Siemens puts it in a whitepaper for the platform: "Creating a unified threat stream is a significant technical challenge for most IoT SOCs because raw OT and IT data speak separate languages that were never intended to be analyzed together. Yet without unifying these data streams, defenders can’t contextualize anomalies between commands sent to OT controlling physical assets and IT software linked to this data – and subsequently will miss attackers who are actively exploring the network in search of vulnerabilities.")
"Going back to the Colonial Pipeline incident: the CEO decided to pull the plug on [their systems] on a suspicion that their operational technology networks were being impacted. Yep; they were operating blind.
"What we are enabling with Eos.ii is the ability to take informed action. We have taken 5,000 of our best control engineers and said 'what do you know about plants, compressor stations, pipelines, their behaviour, and operational alerts?' (because attacks can also start in the physical world, not just digital.) We have put [their knowledge] into a proprietary rule set, applied AI and machine learning to correlate between these different data sets and data strings... We have 25 different ML models that act in concert together with a rule set in our detection engine to provide context."
OT environments are exceptionally heterogeneous... Where did you source the data from to train these models?
"So, we already run a managed detection and response service: we already collect operational data, because we monitor control systems and plants. That gives us a unique vantage point to train ML models.
"If you're an IT provider trying to come into the space, you're missing most of the data sets required to build out this threat intelligence -- the content and context to get the insights. But we've been collecting this data on behalf of customers to ensure operational integrity for decades.
What's the go-to-market model here?
"We sell this in three ways. One is, if you're mature, you can buy the platform and we'll just maintain the machine learning models and the logic, deployed at scale. The second way is if you're just getting started, and you want to start with just a couple of plants or a couple of compressor stations, we can do that too. Then there's some [customers] that want to monitor deep into their technology stack and there we charge on throughput.
"I think what's unique about us is that not only do we go out and install the stuff in the field -- which most IT providers won't do -- but we also have our security engineers on standby to support the tuning, the baselining of the platform.
Are you only focussing on energy right now?
"We're starting in energy because it's so pressing: it's the backbone of the economy. But we are hyper-focused on IoT... [and] going to expand out to other utilities, other critical infrastructure sectors. So oil & gas, mining, and petrochemicals and heavy manufacturing."
A footnote...
Creating a unified threat stream of raw OT and IT data is a significant challenge. Yet, Siemens argues, without unifying these data streams, defenders can’t "contextualise anomalies between commands sent to OT controlling physical assets and IT software linked to this data." The creation of what amounts to a unified IT/OT SIEM, it thinks, will help not just with identifying security issues, but generally improve operational resilience.
The company gives the "real world" example of an analyst who "detected a problem with firewall hardware at a power plant. The hardware was rated for 55 degrees Celsius, but running above 70 degrees. This made the power plant’s control system vulnerable to crashes when the firewall overheated. If this system failed during power production, the company would not be eligible for payment – a potential loss of millions of dollars per hour. Eos.ii helped analysts determine this was not an attack, and prompted corrective maintenance that strengthened ongoing cyber readiness."
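To make the "unified threat stream" idea from the whitepaper, and the overheating-firewall triage above, concrete, here is a small added example written for this piece. It is not Siemens Energy's or Eos.ii's code and says nothing about how that platform works internally; it simply shows the shape of the problem: IT syslog lines and OT command/telemetry records in different formats get normalised into one time-ordered event stream, and rules that carry plant context (a rated temperature for a firewall, an allowlist of engineering workstations for a PLC) decide whether an anomaly is a maintenance issue or a security one. Every log line, asset name, IP address and threshold is constructed for the illustration.

```python
"""Toy unified IT/OT event correlation (added illustration, not Eos.ii code)."""
from dataclasses import dataclass
import re

# Hypothetical asset context, the kind of thing control engineers know about a plant.
ASSETS = {
    "fw-plant1": {"kind": "firewall", "max_temp_c": 55.0},
    "plc-turbine1": {"kind": "plc", "engineering_hosts": {"10.1.5.20"}},
}

@dataclass
class Event:
    ts: int        # unix seconds
    source: str    # "it" or "ot"
    asset: str
    kind: str      # login | temperature | write | other
    attrs: dict

# Constructed sample data: firewall syslog on the IT side, PLC write commands on the OT side.
IT_LOG = [
    "1719990000 fw-plant1 auth: accepted login admin from 10.1.5.20",
    "1719990060 fw-plant1 auth: accepted login admin from 203.0.113.9",
    "1719990400 fw-plant1 sensor: cpu temp 71.5C",
]
OT_LOG = [
    "1719990090 plc-turbine1 write coil=12 value=1 src=203.0.113.9",
    "1719990100 plc-turbine1 write coil=7 value=0 src=10.1.5.20",
]

IT_RE = re.compile(r"^(\d+) (\S+) (\w+): (.*)$")
OT_RE = re.compile(r"^(\d+) (\S+) write coil=(\d+) value=(\d+) src=(\S+)$")

def parse_it(line):
    """Normalise one constructed syslog line into an Event."""
    ts, asset, facility, msg = IT_RE.match(line).groups()
    if facility == "auth":
        m = re.search(r"login (\S+) from (\S+)", msg)
        return Event(int(ts), "it", asset, "login", {"user": m.group(1), "src": m.group(2)})
    if facility == "sensor":
        m = re.search(r"temp ([\d.]+)C", msg)
        return Event(int(ts), "it", asset, "temperature", {"temp_c": float(m.group(1))})
    return Event(int(ts), "it", asset, "other", {"msg": msg})

def parse_ot(line):
    """Normalise one constructed PLC command record into an Event."""
    ts, asset, coil, value, src = OT_RE.match(line).groups()
    return Event(int(ts), "ot", asset, "write",
                 {"coil": int(coil), "value": int(value), "src": src})

def unified_stream(it_lines, ot_lines):
    """The unified stream: both sources in one schema, ordered by time."""
    events = [parse_it(l) for l in it_lines] + [parse_ot(l) for l in ot_lines]
    return sorted(events, key=lambda e: e.ts)

def correlate(events, window_s=120):
    """Apply context rules. Returns (severity, category, asset, message) tuples."""
    findings, suspicious_ts = [], []
    logins = [e for e in events if e.kind == "login"]
    # Rule 1: OT write from a host outside the PLC's engineering allowlist,
    # enriched with any IT login by that same host shortly before.
    for e in events:
        if e.kind != "write":
            continue
        src = e.attrs["src"]
        if src in ASSETS.get(e.asset, {}).get("engineering_hosts", set()):
            continue
        prior = [l for l in logins if l.attrs["src"] == src and 0 <= e.ts - l.ts <= window_s]
        ctx = (f"after login as {prior[0].attrs['user']} on {prior[0].asset}"
               if prior else "with no preceding IT login")
        suspicious_ts.append(e.ts)
        findings.append(("critical", "security", e.asset,
                         f"coil {e.attrs['coil']} write from non-engineering host {src} {ctx}"))
    # Rule 2: hardware outside its rated envelope. Flag as security only if it
    # coincides with suspicious commands; otherwise it is a maintenance problem.
    for e in events:
        if e.kind != "temperature":
            continue
        rated = ASSETS.get(e.asset, {}).get("max_temp_c")
        if rated is None or e.attrs["temp_c"] <= rated:
            continue
        coincident = any(abs(e.ts - t) <= window_s for t in suspicious_ts)
        cat = "security" if coincident else "maintenance"
        tail = (" coincident with suspicious OT commands" if coincident
                else "; no correlated command anomaly, schedule maintenance")
        findings.append(("high", cat, e.asset, f"{e.attrs['temp_c']}C exceeds rated {rated}C{tail}"))
    return findings

if __name__ == "__main__":
    for finding in correlate(unified_stream(IT_LOG, OT_LOG)):
        print(finding)
```

Run stand-alone it prints two findings: a critical security finding for the coil write from 203.0.113.9, tied to that host's earlier firewall login, and a high maintenance finding for the firewall running at 71.5C against a 55C rating with no command anomaly nearby. The point is that neither verdict is reachable from one data source alone: the PLC log does not know which hosts just authenticated, and the firewall log does not know which PLCs were written to.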
Can Siemens persuade perennially software-sceptical energy infrastructure providers to buy in to yet another interface, even if it is designed to stop things falling over abruptly? The jury's out, but few companies have as big an OT footprint as Siemens and the proposition of a genuinely integrated IT/OT SIEM for SOCs is an intriguing one. Watch this space.