Navigating the complex landscape of industrial cybersecurity can be challenging. With a growing number of tools and acronyms, choosing the right controls to build or strengthen your security program is more critical than ever. Whether you’re focused on threat hunting or bolstering your overall security posture, understanding the specific strengths and weaknesses of each solution is the first step.
This guide, based on a Tech Talk by Dan Gunter from Insane Cyber, provides a comprehensive survey of six essential industrial cybersecurity controls. We will break down what each technology is, what it does best, and where its limitations lie.
Extended Detection and Response (XDR) is a security solution designed to provide a unified view of your security posture by integrating and correlating data from multiple sources. In industrial environments, this typically means bringing together data from both host-based endpoint detection (EDR) and network monitoring tools.
For example, you might have an EDR solution like CrowdStrike Falcon on your endpoints and a network monitoring tool like Dragos, Nozomi, or Claroty on your network. XDR acts as the central hub that ingests data from both, correlating events to provide a more complete picture of a potential threat.
Key Strengths: Its primary advantage is its comprehensive visibility across different security vectors. By combining host and network perspectives, XDR can identify complex threats that might be missed by a siloed tool that only sees one side of the story.
What it Isn’t: XDR is not a standalone security program. It relies on the data fed into it from other host and network tools. Its effectiveness is directly tied to the quality and coverage of its data sources.
Data Sources:
Endpoint Data: Logs, process activity, and behavioral data from EDR agents installed on hosts.
Network Telemetry: Network flow data, connection logs (like Zeek logs), and protocol-level analysis from network sensors.
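The host-plus-network join that XDR performs, as an added illustration (not code from the Tech Talk or from any vendor product): it attaches EDR process events to Zeek conn.log records from the same host within a short time window, then flags connections leaving the plant network together with the process that opened them. The Zeek field names are real; the addresses, the EDR event schema and the 10.10.0.0/16 plant range are constructed assumptions.

```python
"""XDR-style correlation of EDR process telemetry with Zeek conn.log records."""
import ipaddress

# Constructed sample telemetry (not real captures). Keys follow Zeek's conn.log field names.
ZEEK_CONN = [
    {"ts": 1700000000.0, "uid": "C1", "id.orig_h": "10.10.5.21",
     "id.resp_h": "203.0.113.7", "id.resp_p": 8443, "proto": "tcp"},
    {"ts": 1700000005.0, "uid": "C2", "id.orig_h": "10.10.5.22",
     "id.resp_h": "10.10.5.1", "id.resp_p": 502, "proto": "tcp"},
]
# Hypothetical EDR "network connection opened" events: host IP, process, and socket-open time.
EDR_EVENTS = [
    {"ts": 1700000000.4, "host_ip": "10.10.5.21", "process": "updater.exe", "pid": 4120},
    {"ts": 1700000300.0, "host_ip": "10.10.5.22", "process": "hmi.exe", "pid": 900},
]
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # assumed plant address space


def correlate(conns, events, window_s=2.0):
    """Attach to each Zeek connection the EDR events from the same host within +/- window_s."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host_ip"], []).append(ev)
    joined = []
    for conn in conns:
        hits = [ev for ev in by_host.get(conn["id.orig_h"], [])
                if abs(ev["ts"] - conn["ts"]) <= window_s]
        joined.append({"conn": conn, "processes": hits})
    return joined


def xdr_alerts(joined):
    """Flag connections leaving the OT network and name the process that opened them."""
    # The network sensor sees the external flow but not the process; the EDR sees the
    # process but not the destination. Only the join yields both halves of the story.
    alerts = []
    for item in joined:
        dst = ipaddress.ip_address(item["conn"]["id.resp_h"])
        if dst in OT_NETWORK:
            continue
        procs = [ev["process"] for ev in item["processes"]] or ["<no EDR event in window>"]
        alerts.append({"host": item["conn"]["id.orig_h"], "dest": str(dst),
                       "port": item["conn"]["id.resp_p"], "processes": procs,
                       "zeek_uid": item["conn"]["uid"]})
    return alerts
```

Run `xdr_alerts(correlate(ZEEK_CONN, EDR_EVENTS))` to see the single combined alert; the internal Modbus-port connection from 10.10.5.22 is joined but not flagged.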
Industrial passive network monitoring involves capturing and analyzing network traffic without interacting with or interfering with the operational technology (OT) network. This non-intrusive approach is highly popular in industrial control system (ICS) environments where uptime and stability are paramount. Tools from vendors like Dragos, Nozomi, and Claroty are placed on the network via a network tap or SPAN port to “listen” to all communication.
Key Strengths: Because it is completely passive, it is considered very safe for sensitive industrial networks. It provides a non-intrusive way to monitor for security events, diagnose network issues, and ensure data integrity. Its greatest value lies in its ability to decode and analyze proprietary industrial protocols (e.g., protocols used by a GE turbine or an Emerson Ovation control system) that standard IT tools cannot understand.
What it Isn’t: This is not an active defense tool. It only observes; it cannot intervene, block traffic, or take direct action. Its effectiveness is limited by its placement (it can only see traffic that passes its tap point) and its protocol knowledge. If it encounters an unknown proprietary protocol or encrypted traffic, its analysis capabilities are reduced to metadata and heuristics.
Data Sources: Raw network traffic, including deep packet inspection (DPI) of both standard IT and proprietary OT protocols, as well as network metadata.
While passive monitoring waits for traffic to come by, active network monitoring takes a more direct approach. Tools from vendors like Industrial Defender or Hexion safely and actively query devices on the network to gather information. This can involve using standard IT protocols like SNMP or ICMP, but its real power in ICS environments comes from using native industrial protocols.
For example, many industrial protocols have specific “identity” function codes. An active monitoring tool can send a query asking, “What are you?” and the device (like a PLC) will respond with its model, firmware version, configuration details, and more. Some tools can even request Windows Event Logs directly from an endpoint using a vendor’s proprietary protocol.
Key Strengths: Active monitoring can often provide a deeper and more comprehensive asset inventory than passive tools, especially in complex or segmented networks. It can fill visibility gaps where deploying passive sensors is architecturally or financially unfeasible.
What it Isn’t: While designed to be safe, any active tool introduces an element of interaction with the live control system. Care must be taken during deployment and configuration. The major vendors test their tools extensively for safety, but asset owners must still proceed with caution.
Data Sources: It analyzes responses from direct queries using industrial and IT protocols. It can also parse device configuration files to extract asset information.
Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) are solutions for aggregating security alerts in real time and orchestrating an automated response. Tools like Splunk Phantom or Swimlane ingest logs and alerts from all your other security tools into a central platform. From there, you can build automated “playbooks” that trigger actions based on specific conditions.
For example, a playbook could be: “If a high-priority alert comes from my passive network monitor, automatically correlate it with endpoint data and, if certain criteria are met, apply a new firewall rule to isolate the affected host.”
Key Strengths: SIEM & SOAR offer powerful detection and orchestrated response capabilities. By correlating data from threat intelligence feeds, logs, and alerts, they can automate routine tasks, freeing up analysts and enabling faster response times.
What it Isn’t: These tools are only as good as the data they receive. They are primarily log-based and do not perform deep, forensic-level analysis of raw data like disk or memory images. Furthermore, using automated response actions in an ICS network carries significant risk. An incorrect action could have serious operational consequences, and many asset owners are hesitant to implement fully automated responses in their OT environments.
Data Sources: System logs, application logs, endpoint and network security alerts, and threat intelligence feeds.
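The playbook described above, written out as an added example (not a Splunk Phantom or Swimlane playbook, and not from the Tech Talk): a high-priority alert from the passive monitor is corroborated against endpoint context, and a firewall isolation rule is produced. It also encodes the caveat from the previous paragraph: for assets marked safety-critical, or when automation is switched off, the playbook stops at a recommendation that a human must approve. The asset inventory, EDR context fields and alert records are all constructed.

```python
"""SOAR-style playbook: enrich a passive-monitor alert, then decide whether to act or to recommend."""
from dataclasses import dataclass, field

# Constructed asset inventory (hypothetical): the zone decides whether automation may act.
ASSETS = {
    "10.10.5.21": {"name": "eng-ws-01", "zone": "engineering", "safety_critical": False},
    "10.10.7.3": {"name": "turbine-ctl-02", "zone": "level1", "safety_critical": True},
}
# Constructed endpoint context as a hypothetical EDR lookup would return it for each host.
EDR_CONTEXT = {
    "10.10.5.21": {"unknown_binary": True},
    "10.10.7.3": {"unknown_binary": True},
}
# Constructed alerts from a passive network monitor.
PASSIVE_ALERTS = [
    {"src_ip": "10.10.5.21", "severity": "high", "rule": "new outbound TLS to unseen destination"},
    {"src_ip": "10.10.7.3", "severity": "high", "rule": "function code never seen from this host"},
    {"src_ip": "10.10.5.21", "severity": "low", "rule": "new ARP entry"},
]


@dataclass
class Decision:
    host: str
    action: str  # "isolate", "recommend_isolation", or "monitor"
    firewall_rule: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)


def run_playbook(alert, assets=ASSETS, edr=EDR_CONTEXT, auto_response=True):
    """Return the playbook's decision for one network alert."""
    host = alert["src_ip"]
    # Unknown assets are treated as safety-critical: never automate against what you can't identify.
    asset = assets.get(host, {"name": "unknown", "zone": "unknown", "safety_critical": True})
    ctx = edr.get(host, {})
    if alert["severity"] != "high":
        return Decision(host, "monitor", reasons=["severity below playbook threshold"])
    # Criteria: the network alert must be corroborated by endpoint evidence before any action.
    if not ctx.get("unknown_binary"):
        return Decision(host, "monitor", reasons=["no corroborating endpoint evidence"])
    reasons = [f"high-severity alert '{alert['rule']}' corroborated by EDR"]
    rule = {"action": "deny", "src": host, "dst": "any", "comment": f"SOAR isolate {asset['name']}"}
    if asset["safety_critical"] or not auto_response:
        reasons.append("automated change withheld: safety-critical asset or automation disabled")
        return Decision(host, "recommend_isolation", rule, reasons)
    return Decision(host, "isolate", rule, reasons)
```

In the second case the rule object is still built, so the analyst receives an exact, reviewable change rather than a vague instruction to "isolate the host".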
Managed Detection and Response (MDR) is an outsourced service where a third-party provider monitors and manages your security events and incidents. This is a popular option for organizations that lack the in-house staff or expertise to run a 24/7 security operations center (SOC). The MDR provider may use your existing tools or deploy their own sensors to pull data into their own SIEM for analysis by their team of experts.
Key Strengths: MDR provides access to a team of security professionals who handle alert triage and threat investigation. This can significantly augment a smaller internal team and provide expertise that is difficult to hire and retain.
What it Isn’t: It’s not an in-house solution. You are relying on an external team that may not understand the specific nuances of your network as well as your own engineers. It’s also crucial to understand the service level agreement (SLA). Many MDR services are focused on “managed detection,” meaning they will alert you to a problem. The “response” portion is often limited to recommendations, with full incident response (IR) services requiring a separate—and often expensive—retainer.
Data Sources: Varies by provider. Some specialize in network data from passive monitoring tools, while others offer a more XDR-like service by ingesting both network and endpoint data.
Industrial cybersecurity automation is an emerging category of tools designed to automate the complex, deep-level tasks traditionally handled manually by incident responders and threat hunters. While SOAR automates actions based on logs and alerts, industrial cybersecurity automation goes deeper, automating the collection and analysis of forensic data like full memory images and disk images.
Attackers know how to test their malware against common EDR and network tools to evade detection. However, hiding from a deep memory or disk analysis is exponentially more difficult. Automation makes it feasible to perform this level of analysis at scale, both proactively for threat hunting and reactively during an incident.
Key Strengths: It significantly reduces the need for manual analysis, leading to faster and more accurate results during an incident. For an industrial facility, this can be the difference between days of extra downtime during a human-led response versus a much faster recovery with an automation-driven one. It raises the bar for attackers, making it much riskier for them to operate in your environment.
What it Isn’t: It is not a complete replacement for human judgment. Just as we don’t have fully autonomous cars, these systems are not fully autonomous security solutions. They are powerful tools that accelerate data processing and analysis, but a human expert is still needed to interpret nuanced findings and make critical decisions.
Data Sources: Deep forensic data, including host memory images, disk images, and granular network and endpoint data streams that go beyond standard logs.
No single tool is a silver bullet for industrial cybersecurity. Each of the controls discussed here offers unique advantages and comes with its own set of limitations. The most resilient security programs employ a layered, defense-in-depth strategy, leveraging the right combination of tools to achieve comprehensive visibility, rapid detection, and effective response.
By understanding what each of these solutions can—and cannot—do, you can make more informed decisions to protect your critical operations.
Ready to strengthen your industrial security program? Contact Insane Cyber today to learn how our expertise can help you build a more resilient defense.