Implement security monitoring across OT, IIoT and cloud with AWS Security Hub
Industrial digital transformation can increase competitiveness and optimize processes and profitability through the use of big data, IoT, machine-to-machine communication, and machine learning. Continuous digitalization and progressive interconnectivity of the production environment is important to capturing value from industrial IoT (IIoT) solutions. While this new and expanding “physical meets digital” connectivity enables great rewards, it also introduces new risk, which needs to be properly managed.
Industrial organizations should be aware of the risks that come along with the benefits of this convergence and cloud adoption. As this SANS whitepaper recommends, organizations should establish strategies to prevent, detect, respond, and recover across the entire attack surface which includes Operational Technology (OT), edge and cloud, and on-site and off-site assets. Traditionally, OT and IT/cloud teams have worked on separate sides of the air gap as laid out in the Purdue Model. This can result in siloed OT, IIoT and cloud security monitoring solutions, creating blind spots bad actors could exploit. In order to realize the full benefits of IT/OT convergence and IIoT, IT and OT teams are better off if they join forces to mount the most effective defense and build trust.
In this blog, we describe a new approach to security monitoring across OT, IIoT and cloud by integrating OT security solutions with AWS. This provides visibility of security events to teams responsible for security monitoring of IIoT solutions without the costly and often time-consuming effort needed to integrate OT security solutions into existing Security Operations Center (SOC) solutions. Deploying security monitoring and centrally managing alerts across OT, IIoT and cloud is one of the ten security golden rules for IIoT solutions.
One of the many challenges in securing complex heterogeneous factory and cloud environments when implementing IIoT solutions is the lack of visibility into security events across factory and cloud. This poses problems since cyber events could originate in OT and move to IT, or vice versa. This creates the need for a security monitoring solution across the attack surface and threat landscape. To address this challenge, we are providing a custom solution to integrate security events from OT Intrusion Detection Solutions (IDS) like Dragos, Claroty and Nozomi into AWS Security Hub.
AWS Security Hub provides a centralized view of your security posture in AWS and helps check your environment against security standards and current AWS security recommendations. When combined with an OT IDS solution, you can get a centralized view of security events across OT and AWS, helping to improve your security posture across factory and cloud which is essential when implementing IIoT solutions.
AWS Security Hub ingests findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Systems Manager Patch Manager. Now with this solution to stream syslog data from OT IDS solutions, you can ingest security findings from your OT environment into AWS Security Hub. Findings from each service are normalized into the AWS Security Finding Format (ASFF), so that you can review findings in a standardized format and take action quickly. You can use AWS Security Hub to provide a centralized view of all security-related findings, where you can set up alerting and automatic remediation.
Customers using AWS IoT Device Defender to audit and monitor IIoT devices can import its findings into AWS Security Hub – learn how in this blog. With this, customers can correlate events across OT and IIoT devices. For example, if a new device is installed in the OT environment and discovered by the OT IDS solution, it is possible to cross check if this is an IIoT device provisioned by AWS IoT and monitored by AWS IoT Device Defender. This enables customers to quickly identify rogue devices present on the shop floor.
Fluentd is an open source data collector that unifies data collection and consumption for better use and understanding. Fluentd unifies logging with JSON, and this allows unification of processing, collecting, filtering, buffering, and outputting logs across multiple sources and destinations. Fluentd was selected for the solution based on its robust support for syslog as an input and Amazon Kinesis Data Streams as an output. For production workloads, we recommend enabling TLS (Transport Layer Security) for syslog input transport by modifying the Fluentd configuration file in the project file lib/syslog-security-hub-stack.ts.
Amazon Elastic Compute Cloud (Amazon EC2) is used to host Fluentd. The solution is configured by default with a t2.micro instance type, which is eligible for Free Tier. The t2.micro instance type offers 1 vCPU with 1 GiB Memory and is sufficient sizing for non-production workloads. An Elastic IP Address (EIP) is associated with the EC2 instance to assign a static public IPv4 address, which allows you to receive syslog events from any source permitted via the associated Amazon EC2 Security Group. By default, the Amazon EC2 Security Group only permits ingress traffic from the created Amazon Virtual Private Cloud (VPC). Production workload sizing will be based on the number of syslog events you stream to Fluentd, which is scalable up to 5,000 messages / sec with a single process. Review the following Fluentd performance tuning guide for more details.
Amazon Kinesis Data Streams is a serverless streaming data service that makes it easy to capture, process, and store data streams at any scale. The solution uses an AWS Solutions Constructs package, aws-kinesisstreams-lambda, to simplify our CDK Project and ensure AWS best practices are followed. This AWS Solutions Constructs creates a Kinesis Data Stream with one shard, and associates a Lambda function. AWS Lambda polls the Kinesis Data Stream, and when it detects new records in the stream it invokes the Lambda function to parse and transform the received event into AWS Security Finding Format (ASFF) needed by AWS Security Hub.
In order to get started, you will need an AWS account. We recommend testing this in a non-production environment. First, turn on AWS Security Hub in the AWS region you plan to deploy the solution. We recommend using AWS Cloud9 to eliminate the need to setup IAM permissions and install pre-requisites. AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. Cloud9 comes pre-configured with all the pre-requisites we require for this blog post, such as git, npm, and AWS Cloud Development Kit (CDK).
To get started, create a Cloud9 environment from the AWS console. Provide the required name for the environment, and select the appropriate values using the wizard. Once your Cloud9 environment has been created, you can open the IDE and access a terminal window.
To build and deploy the solution in your AWS account, follow the instructions provided in this aws-samples project to stream syslog from OT IDS solutions to AWS Security Hub. One thing to check is to make sure you are updating the company and product name fields to override the default values for custom integrations.
This project includes a sample syslog event from the Dragos Platform for testing purposes, and a custom AWS Lambda function for parsing and transforming ICS/OT/IIoT security events. Dragos is an industrial (ICS/OT/IIoT) cybersecurity company and is a member of the AWS Partner Network.
This sample is provided for demonstration purposes only, to serve as a starting point to help you customize for your source systems. To customize, you need a basic understanding of syslog and how the source system emitting syslog events maps its fields to syslog Common Event Format (CEF).
The cost to test the solution with sample security event/finding starts at approximately $2 USD / day, and more details on pricing can be found here: Amazon EC2, AWS Lambda, Amazon Kinesis Data Streams, and AWS Security Hub.
In this post, you’ve learned how to stream syslog from OT IDS solutions to AWS Security Hub to gain a centralized view of security findings across both your factory and cloud environments when implementing IIoT solutions. By ingesting OT security events into AWS, customers are able to combine OT telemetry data with security data to get additional context and deeper insights and situational awareness of their OT, IIoT and cloud security posture. The solution can be extended by using additional AWS services, including Amazon EventBridge, AWS Lambda, and Amazon DynamoDB to correlate AWS Security Hub findings from multiple AWS security services. To learn more, read Correlate security findings with AWS Security Hub and Amazon EventBridge.
About the authors
|Ryan Dsouza is a Principal Solutions Architect for industrial IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, OT/IT convergence and IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.|
|Don Simpson is a Principal Solutions Architect at Amazon Web Services. Since the age of 12, Don has been completely immersed in realizing his dreams with code. Don’s journey to AWS involved multiple startups he co-founded, and thought leadership in the area of knowledge graphs, link analysis, discourse analysis, and real time analytics. Don enjoys working with customers to design well-architected solutions to help achieve their desired business outcomes. @don__simpson|