Engineering workstations are a critical security boundary. They run legitimate engineering software with deep system access, communicate with control devices, and connect to IT networks. If compromised, they give an attacker a bridge between the IT and control networks. Endpoint Detection and Response tools can detect compromise, but tuning them for engineering environments is challenging. Too aggressive, and engineers disable the tools to work around false positives. Too lenient, and attackers operate freely.
The key to successful EDR deployment on engineering workstations is understanding what legitimate engineering activity looks like on that machine, then building detection logic that tolerates that activity while flagging genuine anomalies.
Legitimate Engineering Activity That EDR Must Tolerate
Engineers create custom scripts and tools to interact with control systems. They may use legitimate utilities like Telnet, SSH, and custom applications that EDR tools might flag as suspicious. They download engineering software, datasheets, and configuration files from various sources. They use code editors, compilers, and debugging tools that perform system-level operations. EDR rules built on generic security assumptions will conflict with all of this activity.
The solution is whitelisting and context-aware detection. Allow engineering tools and scripts to run, but monitor for command patterns that suggest compromise: sudden credential theft, unexpected network communications, unauthorized file deletion.
Effective EDR Tuning for Engineering Workstations
- Whitelist engineering tools: Identify all legitimate engineering software and tools. Exclude them from aggressive detection rules.
- Script allowlisting: Establish trusted script repositories and only allow execution of signed scripts or scripts from known developers.
- Behavioral detection focus: Rather than blocking activity, focus on detecting behavioral indicators of compromise: credential theft, unauthorized network access, unusual file operations.
- Incident response over prevention: Accept that some attacks will succeed, but ensure rapid detection and response. Emphasize speed of isolation over speed of blocking.
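The four tuning measures above, as one added example that is not from the article: context-aware triage over constructed EDR telemetry. The tool allowlist, trusted script directories, project directory and controller VLAN prefix are all hypothetical values chosen for the sample.

```python
# Context-aware triage of constructed EDR telemetry for an engineering workstation.
from dataclasses import dataclass

# Hypothetical allowlist of engineering tools permitted to reach the controller VLAN.
ENGINEERING_TOOLS = {"plc_ide.exe", "hmi_designer.exe", "putty.exe"}
# Hypothetical trusted script repositories; scripts elsewhere must carry a valid signature.
TRUSTED_SCRIPT_DIRS = ("c:\\engscripts\\", "\\\\fileserver\\approved_scripts\\")
PROJECT_DIRS = ("c:\\projects\\",)          # where controller project files live (constructed)
CONTROL_NET = "10.10.20."                   # controller VLAN prefix (constructed)
CREDENTIAL_STORES = {"lsass.exe", "sam", "security"}

@dataclass
class Event:
    process: str              # image name of the acting process
    script_path: str = ""     # set when the process executes a script
    signed: bool = False      # True if the script's signature verified
    dest_ip: str = ""         # outbound connection target, if any
    opened: str = ""          # sensitive object opened (process or registry hive)
    deleted: str = ""         # path deleted, if any

def triage(ev: Event) -> list[str]:
    # Return findings for one event; an empty list means tolerated activity.
    findings = []
    trusted_tool = ev.process.lower() in ENGINEERING_TOOLS
    # Unexpected network communication: only engineering tools talk to controllers.
    if ev.dest_ip.startswith(CONTROL_NET) and not trusted_tool:
        findings.append(f"{ev.process} contacted controller {ev.dest_ip}")
    # Script allowlisting: signed, or from a trusted repository, otherwise flagged.
    if ev.script_path:
        path = ev.script_path.lower()
        if not ev.signed and not path.startswith(TRUSTED_SCRIPT_DIRS):
            findings.append(f"{ev.process} ran untrusted script {ev.script_path}")
    # Credential theft: no engineering workflow needs the credential stores.
    if ev.opened.lower() in CREDENTIAL_STORES:
        findings.append(f"{ev.process} opened credential store {ev.opened}")
    # Unauthorized file deletion: project files removed by a non-engineering process.
    if ev.deleted.lower().startswith(PROJECT_DIRS) and not trusted_tool:
        findings.append(f"{ev.process} deleted project file {ev.deleted}")
    return findings

# Constructed sample telemetry: two legitimate engineering actions, three anomalies.
SAMPLE_EVENTS = [
    Event("plc_ide.exe", dest_ip="10.10.20.15"),                                  # tolerated
    Event("powershell.exe", script_path="C:\\EngScripts\\backup_plc.ps1"),        # tolerated
    Event("powershell.exe", script_path="C:\\Users\\eng\\Downloads\\update.ps1"), # flagged
    Event("svchost_update.exe", dest_ip="10.10.20.15"),                           # flagged
    Event("winword.exe", opened="lsass.exe", deleted="C:\\Projects\\line3.acd"),  # flagged twice
]

def run_sample() -> list[str]:
    return [f for ev in SAMPLE_EVENTS for f in triage(ev)]
```

Note that an allowlisted tool is still subject to the credential-store and script rules; the allowlist only relaxes the network and file-deletion checks that engineering work legitimately triggers.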
Maintaining Engineering Productivity
The goal is detection and response, not prevention through frustration. If EDR tools make engineering work difficult, they will be disabled. Work with engineering teams to understand their workflows and optimize detection around those workflows. If you'd like to discuss EDR tuning, behavioral detection, or engineering workstation hardening for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.