@hacks4pancakes good to know, thanks. I should probably push more detailed recommendations than I have been on that front (monitoring is something I've been slacking on in general; I'm behind on it).
any pointers on specifics I should direct them towards, beyond the basic "suricata and snort are free and well supported"? are there any good baseline rulesets for ICS environments? any guides you tend to poke clients towards? (I appreciate that this subject is an entire job's worth of complexity)
@gsuberland sadly, most IT / enterprise security monitoring solutions like ET rules do very little with lower level industrial protocols or device manipulation, but something is better than nothing.
@hacks4pancakes @gsuberland fwiw, I concur on this. Even industrial-specialized monitoring systems aren’t going to be all that great out of the box for a random environment and basic architecture along with asset inventories are far more crucial to start with.
Some systems basically need a customized SIEM that’s kept tuned to the specific environment month to month to actually give any value on monitoring how it runs just because not all systems even manage meaningful logs.
For perspective, there are actively used code bases where the lower levels don’t have the concept of a user. Fundamentally they have all the cybersecurity and access control of a manual valve you’ve got your hand on.
@whereisthespai @hacks4pancakes yeah I'm thinking I should probably just tackle it from the perspective of having any view at all beyond the most basic AV/EDR, since the orgs I generally work with don't have the security maturity to be spinning up and operating a full custom SIEM with all the trimmings. I do tend to recommend pushing middleware alerts to off-site syslog so they've got some backup in case of ransomware or wipers.
@gsuberland @hacks4pancakes honestly just getting most places being onboarded to the point where they know what they have, where it is, and why they have it has been the biggest consistent payoff I’ve seen.
Then getting them to where they know how the things actually do what they do is a whole other kettle of fish. But that also all feeds into being able to benefit from stuff like monitoring systems and IR/professional services retainers.
@gsuberland @whereisthespai @hacks4pancakes I have Seen quite sensible requirements from shipyards handed to contractors/Tier 1+ manufacturers. But most of this falls with the essential non-existence of physical security while a ship is in harbour.
With land-based OT, these do a lot of good research: https://www.tha.de/en/Computer-Science/HSA-innos.html
@wamserma @whereisthespai @hacks4pancakes the IMO also created new regs as of January 2023 to try to ensure remote monitoring has sufficient isolation and security assurance.
