The future of industrial threat intelligence

Abstract

Cyber security is an increasingly pressing concern for industrial and critical infrastructures, driven by IT/OT convergence and the modernization programmes dictated by Industry 4.0. These processes give previously closed, isolated systems Internet access, in many cases without considering the security risk of that step. Wherever such cyber security exposure is expected, it should be understood that the door can only ever be closed up to 80–90%. Sooner or later this process reaches significant parts of the systems, putting the water and electricity supply or the food supply chain at risk; in that case we experience a partial or intermittent outage. Furthermore, threats are also posed by state-backed attackers, APT (Advanced Persistent Threat) groups, political/environmental/religious extremists, terrorists and a whole ecosystem of organized cyber crime. Cyber security must cover not just control technology such as ICS/OT (Industrial Control Systems / Operational Technology), but also intelligent devices such as smart meters, smart devices and smart cities.

Business and use cases of Cyber Threat Intelligence (CTI)

Cyber threat intelligence has two aspects, namely human-readable and repository-based. Human-readable CTI comes from sources like Twitter, a specific newsletter or vulnerability disclosures that inform you about trending attacks, tools, vulnerabilities, campaigns and so on. There are plenty of use cases for this kind of CTI, such as analysis, hardening, incident response and in some cases prevention as well, but reading unstructured, partial or unverified data and executing manual actions based on it is not enough anymore.

Figure 1: Business risk use cases
Figure 2: SecOps use cases

Technical solutions

ICS threat intelligence is a continuously growing information channel that integrates seamlessly with cyber security platforms to support analysis with context-enriched data about the attacks. Real-time alerts and vulnerability reports include detailed, feasible, threat-based risk mitigation recommendations to support an effective response by cyber security analysts.