BSI CS 134: Monitoring and detection of anomalies in plants

Standards and specifications do not always fill an operator's heart with joy. With BSI CS 134, however, an important step in the right direction for IT/OT security has been taken.

The German Federal Office for Information Security (BSI) has published the recommendation BSI CS 134. The core topics it describes are monitoring, meaning the systematic observation of communication; anomaly detection in that communication, together with the corresponding archiving, logging and analysis; and attack detection (intrusion detection) with alerting when required.

Imagine trying to manufacture products in a process plant today without a control or SCADA system: no visibility and no control over the process. The automation would be running, but nothing could be said about the condition of the plant. Such a situation would hardly be conceivable today, yet in the field of OT security it is the normal state of affairs.

In the course of digitalization, companies are striving for an ever-increasing degree of networking between automation devices and systems. The consequence is a growing dependence on their availability. The number of Ethernet nodes is rising significantly, as is the volume of communication itself. However, hardly anyone knows who is communicating with whom, whether authorized or not. The situation is further complicated by the fact that the components of a system are often installed by different suppliers. The increasing complexity of the network, and the deployment of devices that do not always fully conform to the IP standards, repeatedly produce side effects in the network that go unnoticed at first and can eventually turn into an incident.

With continuous monitoring of the network traffic, such side effects would be noticed early and the incident avoided.

However, in the area of OT security most investment goes into network segmentation and firewalls, which give neither visibility of the system nor control over its communication. Investments in security in the classic sense are certainly necessary, but they are by no means sufficient. Once a network has been compromised unnoticed, for example via an infected programming computer, the attacker can operate unhindered. Even the download of further malicious code would not be prevented by a firewall, since the connection to the Internet is initiated from the internal zone. In this hare-and-hedgehog race between attacker and defender, the BSI has, from an IT security point of view, given the operator an important impetus with BSI CS 134.

Beyond the ability to detect attacks, passive monitoring offers many and varied advantages.

Here is just a brief selection: every system operator has all network participants immediately in view, and external service providers can be precisely controlled at the access points. In addition, IT receives important information for fine-tuning the firewall, an important point in defending against attacks. Service and maintenance can usually be optimised, and costs saved, through the alerting that attack detection provides.

From an automation perspective, the choice between active and passive asset discovery is simple. The sensitive landscape of automation devices, with their different generations, is no playground for active interrogation in 24/7 operation. The greatest asset of OT is availability, and only the passive approach respects this.

Keeping control of the process on the basis of risk management, visibility of the current assets, and an alarm in case of communication irregularities are the essential building blocks of secure production. This is no longer merely a recommendation of the BSI; it is state of the art.
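The three building blocks named above (a passive asset inventory, a who-talks-to-whom baseline, and an alarm on communication irregularities, including the outbound connection from the internal zone that a firewall would not stop) can be illustrated with a small monitor. The following Python block is an added example written for this page; it is not VIDEC's product code and not text from BSI CS 134. The plant network `192.168.10.0/24`, the hosts, the flow records and the alert categories are all constructed assumptions; the records stand in for what a passive sensor on a mirror port would export during a known-good learning phase and during later operation.

```python
"""Passive communication-baseline monitor (added example, constructed data)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: str      # timestamp of the observed flow
    src: str     # initiating host
    dst: str     # responding host
    proto: str   # transport protocol
    dport: int   # destination port, identifies the service


# Hypothetical plant network; any address outside it is treated as external.
PLANT_NET = ip_network("192.168.10.0/24")

# Constructed learning-phase records from a period of known-good operation.
LEARNING_FLOWS = [
    Flow("2019-05-01T08:00:00", "192.168.10.10", "192.168.10.21", "tcp", 502),   # SCADA -> PLC1 (Modbus)
    Flow("2019-05-01T08:00:01", "192.168.10.10", "192.168.10.22", "tcp", 502),   # SCADA -> PLC2 (Modbus)
    Flow("2019-05-01T09:12:40", "192.168.10.50", "192.168.10.21", "tcp", 102),   # engineering WS -> PLC1
    Flow("2019-05-01T09:13:05", "192.168.10.60", "192.168.10.10", "tcp", 4840),  # historian -> SCADA (OPC UA)
]

# Constructed operating-phase records that are checked against the baseline.
OPERATING_FLOWS = [
    Flow("2019-05-20T10:00:00", "192.168.10.10", "192.168.10.21", "tcp", 502),   # known relation
    Flow("2019-05-20T10:00:01", "192.168.10.10", "192.168.10.22", "tcp", 502),   # known relation
    Flow("2019-05-20T10:05:30", "192.168.10.50", "192.168.10.22", "tcp", 102),   # WS talks to PLC2 for the first time
    Flow("2019-05-20T10:07:00", "192.168.10.99", "192.168.10.21", "tcp", 502),   # unknown host polls PLC1
    Flow("2019-05-20T10:07:05", "192.168.10.99", "192.168.10.21", "tcp", 502),   # repeat, reported only once
    Flow("2019-05-20T10:09:12", "192.168.10.50", "203.0.113.7", "tcp", 443),     # WS opens a connection to the Internet
]

Relation = Tuple[str, str, str, int]


class Baseline(NamedTuple):
    assets: Set[str]          # plant hosts seen during learning
    relations: Set[Relation]  # (src, dst, proto, dport) seen during learning


def is_plant_host(addr: str) -> bool:
    return ip_address(addr) in PLANT_NET


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Build the whitelist of known plant hosts and who-talks-to-whom relations."""
    assets: Set[str] = set()
    relations: Set[Relation] = set()
    for f in flows:
        for host in (f.src, f.dst):
            if is_plant_host(host):
                assets.add(host)
        relations.add((f.src, f.dst, f.proto, f.dport))
    return Baseline(assets, relations)


def asset_inventory(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """Passive inventory: every plant host with the services it was seen answering on."""
    inv: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        for host in (f.src, f.dst):
            if is_plant_host(host):
                inv.setdefault(host, set())  # register the host even if it only initiates
        if is_plant_host(f.dst):
            inv[f.dst].add((f.proto, f.dport))
    return dict(inv)


def detect_anomalies(flows: List[Flow], baseline: Baseline) -> List[Tuple[str, Flow]]:
    """Return (kind, flow) alerts; each unknown host or relation is reported once."""
    alerts: List[Tuple[str, Flow]] = []
    reported_hosts: Set[str] = set()
    reported_relations: Set[Relation] = set()
    for f in flows:
        # Connection initiated from the plant zone towards an outside address:
        # a perimeter firewall that permits outbound traffic would not stop this.
        if is_plant_host(f.src) and not is_plant_host(f.dst):
            alerts.append(("external-egress", f))
            continue
        for host in (f.src, f.dst):
            if is_plant_host(host) and host not in baseline.assets and host not in reported_hosts:
                reported_hosts.add(host)
                alerts.append(("new-asset", f))
        rel = (f.src, f.dst, f.proto, f.dport)
        if rel not in baseline.relations and rel not in reported_relations:
            reported_relations.add(rel)
            alerts.append(("new-relation", f))
    return alerts


def alert_summary(alerts: List[Tuple[str, Flow]]) -> Dict[str, int]:
    """Count alerts per category for a dashboard or report."""
    return dict(Counter(kind for kind, _ in alerts))


if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for kind, f in detect_anomalies(OPERATING_FLOWS, base):
        print(f"{f.ts} {kind:16} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The monitor only reads flow records; it never sends a packet to a PLC, which is the point of the passive approach in 24/7 operation. A first-time relation between two known hosts, an unknown host polling a PLC, and an outbound connection from the plant zone are each reported as separate categories so that the operator can tune the firewall and the service provider access points from the same data.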

Security must be clear, easy to use and simple.

This principle has also guided the OT security division of the vendor VIDEC in its development department for over five years of product development. The result is complete fulfilment of the specifications of BSI CS 134.

The complete article is available here (in German): BSI CS 134: Monitoring und Erkennung von Anomalien in Anlagen, 05|2019

Published on 29.05.2019 by Dieter Barelmann