Journal: Progress in Nuclear Energy

A data analytical approach for assessing the efficacy of Operational Technology active defenses against insider threats


Abstract

In recent years, the need for Operational Technology (OT) defenses has been recognized, serving as an additional line of defense when Information Technology (IT) defenses are bypassed. This is no longer considered an uncommon possibility when dealing with advanced persistent threat (APT) actors expected to be state-sponsored and receiving insider assistance. In these extreme adversarial situations, OT defenses aim to provide another layer of defense for the system, introduced directly at the physical process level, as described by the sensors data, the system model, and control actions. Just like IT defenses, two schools of thought, i.e., passive and active defenses, have emerged to address this challenge. In active defenses, representing the focus of this paper, known signatures, synthesized based on the system's unique characteristics, are inserted into the system. In contradistinction, passive methods rely solely on observing system behavior in search of patterns of normal behavior with deviations thereof representing abnormal behavior. In their most sophisticated implementations, both passive and active defenses rely on the use of data analytics to identify the patterns and synthesize the observed and/or inserted signatures. Past research has shown that passive defenses may be bypassed by APT actors relying on data analytics and their intimate knowledge of the system to evade detection by respecting the patterns identified by the defenders. Thus, this manuscript explores the use of active defenses under the assumption that the attacker has privileged access to the system, including access to the system's model and sensors data. Specifically, this manuscript assesses the ability of active defenses to remain invisible to the attackers, and discusses the associated challenges that must be addressed to ensure their resiliency against APT actors.
