To be continually vigilant, asset-intensive organizations need to prepare for and prevent the possibility of physical and cyber attacks, and then quickly and accurately detect and respond to any attacks that do occur. Preparation for, prevention and detection of, and response to attacks each introduce their own complexity to the security challenge. The typical utility has many siloed systems, each independently evaluating security measures, which makes it difficult to connect isolated but possibly related events and makes the security challenge even more complex. As a result, potentially dangerous situations may be ignored while investigation into false alarms consumes time and money.
Preparing for and preventing attacks
When preparing for attacks a utility should assess both the likelihood of attack and the consequences of an attack on each asset. The probability of attack on organizational assets often comes down to motive and location.
- Are physical systems and assets safe from authorized field workers, contractors, and ex-employees?
- Are cyber systems and assets safe from third-party and external threats such as denial-of-service (DoS) attackers?
- Is a physical asset easily accessible to those wishing to cause damage or disruption?
- Is a cyber asset – such as a computer, control system or communication network component – indicating unexpected connections, failed logins or uncharacteristically extended response times?
Organizations also need to assess the consequences should an asset be attacked. An asset might be very vulnerable to attack, but the consequence of losing that asset might be negligible, reducing the priority of safeguarding that particular asset over other, more important assets.
By correlating data from disparate assets across the organization to calculate the probability and consequence of attack, situational intelligence solutions provide an accurate ranking of security risks that can be proactively addressed.
The number of assets at large organizations can run from the tens of thousands to the tens of millions. Such scope means a huge area to patrol and lots of data to protect. To separate actual attacks from malfunctions or flukes, it is useful to correlate multiple data points that occur close to each other in both space and time.
In a large-scale event, dozens of alarms may trigger at once. For instance, if an entire building is somehow damaged, all alarm-equipped assets in that building will send out signals. Instead of receiving dozens of individual notifications, operators would benefit from a system that correlates those individual items in real time into a single, larger, more meaningful alert.
Using situational intelligence solutions, data and alarms from multiple, disparate sources can be correlated and presented to users in a single view, drawing attention to anomalous conditions and facilitating fast, informed decision-making.
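One way to implement the space-and-time correlation described above, as an added example that is not code from the original article or from any vendor's product: alarms that fall within a configurable distance and time window of each other are merged into one larger alert, while alarms that are near in space but far in time (or vice versa) stay separate. The Alarm fields, the thresholds and the sample alarms are all constructed assumptions.

```python
from dataclasses import dataclass
from math import hypot

@dataclass(frozen=True)
class Alarm:
    asset_id: str  # constructed asset identifiers, not from any real utility
    kind: str      # e.g. "door", "vibration", "power_loss", "failed_login"
    t: float       # seconds on a common clock
    x: float       # site-local coordinates in metres
    y: float

def linked(a, group, window_s, radius_m):
    """True if alarm a is within the time window AND the radius of any alarm in group."""
    return any(abs(a.t - b.t) <= window_s and hypot(a.x - b.x, a.y - b.y) <= radius_m
               for b in group)

def correlate(alarms, window_s=60.0, radius_m=50.0):
    """Merge alarms close in both time and space into single alerts (single linkage).
    An alarm that links to several existing groups bridges them into one."""
    groups = []
    for a in sorted(alarms, key=lambda al: al.t):
        hits = [g for g in groups if linked(a, g, window_s, radius_m)]
        merged = [a]
        for g in hits:          # absorb every group this alarm touches
            merged.extend(g)
            groups.remove(g)
        groups.append(merged)
    return groups

def summarize(group):
    """Collapse one group into the single, larger alert an operator would see."""
    return {"alarm_count": len(group),
            "assets": sorted(a.asset_id for a in group),
            "kinds": sorted({a.kind for a in group}),
            "span_s": max(a.t for a in group) - min(a.t for a in group)}

# Constructed sample: four alarms from one damaged building within ~30 s, one alarm at
# a remote site at the same time, and a routine door alarm in the same building an
# hour later (close in space but far in time, so it is kept separate).
SAMPLE_ALARMS = [
    Alarm("D1", "door", 1000.0, 10.0, 10.0),
    Alarm("V1", "vibration", 1004.0, 25.0, 12.0),
    Alarm("P1", "power_loss", 1010.0, 18.0, 30.0),
    Alarm("C1", "camera_offline", 1031.0, 40.0, 35.0),
    Alarm("R9", "failed_login", 1012.0, 5000.0, 5000.0),
    Alarm("D1", "door", 4600.0, 10.0, 10.0),
]

def alerts_for_sample():
    return sorted((summarize(g) for g in correlate(SAMPLE_ALARMS)),
                  key=lambda s: -s["alarm_count"])
```

Running the sample yields three alerts instead of six notifications: one four-alarm building event, the lone remote failed login, and the later door alarm.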
Responding to attacks
Your situational intelligence system has detected an attack—now what? First, you need to understand exactly what has happened. Because situational intelligence correlates data across the dimensions of space, time and network node, operators can quickly close in on the root cause of an event. They can also see at a glance the network impact upstream and downstream of the event.
Next, you need to know who should be notified, which repair crews should be dispatched where, which first responders to contact, and what reports need to be filed. The period immediately following an attack is critical for controlling damage, preventing injury, collecting evidence and apprehending suspects.
Once an attack has been resolved, it’s good to review processes and procedures, to improve security and prevention and to better prepare for the next possible attack. Situational intelligence systems can capture spatial-temporal-nodal information for later analysis. This helps operators, administrators and investigators study, assess and revise responses to attacks.
For more information about situational intelligence and security, see this white paper.