I recently watched a webinar on industrial control system security[1] and asked a question during the Q and A. My question was „Could you also have an engineer’s SOC rather than an IT/OT SOC?“. My motive for asking this question was based on my understanding that the tradition enterprise SOC is IT oriented (office LAN/WAN, billing, accounting, etc.) and my not have the skillsets and knowledge required to investigate an industrial control system incident involving a physical process. The presenter kindly replied with this answer: „Without being flippant, that is the control room or control center“. The take-away for me was that the control center is already performing SOC functions or at least should be.
This at first made a lot of sense. Yes the problems or issues reported by the devices monitoring what is going on in a physical process will be directed in some format and appear on an operators workstation in the control room. However I went on to think about what the operator will do with that information. Most likely he/she will make a judgement and take some corrective action if the automated system has not done so already. However will the operator investigate any further beyond this quick reaction to address some incident? For example if he judges the incident or reading to be unusual will he be able to stop what he is doing and investigate further? Or will he just continue working normaly after executing his corrective measure and seeing that the problem has been addressed? If this is the case then I wonder if it is correct to say that the control room has an engineering SOC capability? I do not think so.
It has often been said that there is a lack of forensic investigation capability on the industrial conrol system (ICS) side of the operation. This kind of work is an additional task that requires additional resources. A good example of this is what happened to that petrochemical plant in Saudi Arabia that was a victim of an extensive cyber attack on its plant‘s network and in particular its safety systems. It took two plant shutdowns before an investigation was performed that determined these were not normal control center addressable but intentional cyber attacks. It could have been that the operators in the control room may have seen something suspicious at times. However either they decided that there was no real problem or even if they did there was no one with engineering knowledge available to take a deeper look. As a result the operation of the plant went back to its usual business after the first surprise shutdown. Outside teams of experts were later called in and it was they not the control center that determined there was a malicious cyber attack[2].
In the control rooms I have visited and meeting with senior plant engineers I never saw anyone dedicated to investigating something unusual beyond what the readings displayed on the big board or control room workstations. I could tell from one senior engineer who had thousands of unaswered emails that he did not have that kind of time for anomaly investigation. No one for example to look for consistency in what the devices were reporting on the state of the operation. Do the facts all add up or do they not? This is about process integrity of instrumentation and was one of the issues brought out by Stuxnet where false data was sent to the control room about the system state. The operators in the control room looked at the screens and saw indications of normal operations when in fact things were not normal. The reality of what was happening to the physical process they were monitoring was not presented to them. In the case of Stuxnet and with similar incidents what seems to be missing is additional capability to look out for and investigate anomolous behaviour in the industrial operation. I would call this capability an Industrial (engineering) Security Operations Center or ISOC. One that works in tandem with the control center and addresses things the control center finds it difficult to divert attention to during normal operations (where there is enough to do already). To conclude I can agree that the SOC should be part of the control room or operations center. However this requires additional resources in terms of additional engineering staff that is trained for investigating incidents in OT and ICS. I have seen no evidence that ISOCS‘s are part of control center operations. Until that happens there will be very little capability for the operator to call on when something looks not as it should.
[1] 2020-07-15 CERIAS – Cyber Security of Control Systems: The Second Coming of the Maginot Line https://www.youtube.com/watch?v=B04JtQVhufs
[2] See Julian Gutmanis’s S4 presentation “Triton – A Report From The Trenches” https://www.youtube.com/watch?v=XwSJ8hloGvY
