Could you also have an engineer’s Security Operations Center (SOC) rather than an IT/OT SOC?

I recently watched a webinar on industrial control system security[1] and asked a question during the Q and A. My question was “Could you also have an engineer’s SOC rather than an IT/OT SOC?”. My motive for asking this question was based on my understanding that the traditional enterprise SOC is IT oriented (office LAN/WAN, billing, accounting, etc.) and may not have the skillsets and knowledge required to investigate an industrial control system incident involving a physical process. The presenter kindly replied with this answer: “Without being flippant, that is the control room or control center”. The take-away for me was that the control center is already performing SOC functions, or at least should be.

This at first made a lot of sense. Yes, the problems or issues reported by the devices monitoring what is going on in a physical process will be directed in some format and appear on an operator’s workstation in the control room. However, I went on to think about what the operator will do with that information. Most likely he/she will make a judgement and take some corrective action if the automated system has not done so already. However, will the operator investigate any further beyond this quick reaction to address some incident? For example, if he judges the incident or reading to be unusual, will he be able to stop what he is doing and investigate further? Or will he just continue working normally after executing his corrective measure and seeing that the problem has been addressed? If this is the case, then I wonder if it is correct to say that the control room has an engineering SOC capability? I do not think so.

It has often been said that there is a lack of forensic investigation capability on the industrial control system (ICS) side of the operation. This kind of work is an additional task that requires additional resources. A good example of this is what happened to that petrochemical plant in Saudi Arabia that was a victim of an extensive cyber attack on its plant’s network and in particular its safety systems. It took two plant shutdowns before an investigation was performed that determined these were not normal, control-center-addressable events but intentional cyber attacks. It could have been that the operators in the control room may have seen something suspicious at times. However, either they decided that there was no real problem or, even if they did, there was no one with engineering knowledge available to take a deeper look. As a result, the operation of the plant went back to its usual business after the first surprise shutdown. Outside teams of experts were later called in, and it was they, not the control center, that determined there was a malicious cyber attack[2].

In the control rooms I have visited, and in meetings with senior plant engineers, I never saw anyone dedicated to investigating something unusual beyond what the readings displayed on the big board or control room workstations. I could tell from one senior engineer who had thousands of unanswered emails that he did not have that kind of time for anomaly investigation. There was no one, for example, to look for consistency in what the devices were reporting on the state of the operation. Do the facts all add up or do they not? This is about process integrity of instrumentation and was one of the issues brought out by Stuxnet, where false data was sent to the control room about the system state. The operators in the control room looked at the screens and saw indications of normal operations when in fact things were not normal. The reality of what was happening to the physical process they were monitoring was not presented to them. In the case of Stuxnet and with similar incidents, what seems to be missing is additional capability to look out for and investigate anomalous behaviour in the industrial operation. I would call this capability an Industrial (engineering) Security Operations Center or ISOC: one that works in tandem with the control center and addresses things the control center finds it difficult to divert attention to during normal operations (where there is enough to do already).

To conclude, I can agree that the SOC should be part of the control room or operations center. However, this requires additional resources in terms of additional engineering staff that is trained for investigating incidents in OT and ICS. I have seen no evidence that ISOCs are part of control center operations. Until that happens, there will be very little capability for the operator to call on when something looks not as it should.

[1]  2020-07-15 CERIAS – Cyber Security of Control Systems: The Second Coming of the Maginot Line

[2] See Julian Gutmanis’s S4 presentation “Triton – A Report From The Trenches”

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any affiliated institution or organization. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is a member of ISA 99 Workgroup 13, which is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard, and Workgroup 14 on security profiles for substations.
