Why Visibility Is Essential For OT Security

Ruth Lanigan

Ruth Lanigan

Why Visibility Is Essential For OT Security

It could be argued that the most critical infrastructure systems of our society today are sustained and somewhat fully dependent upon by Operational Technology (OT). As our systems are undergoing more and more digital transformation, they become more connected, which leaves them more vulnerable.Critical infrastructure and modern manufacturing facilities are a complex mix of OT and IT systems. In combination, they deliver the infrastructure that we all rely on and mostly take for granted until it stops working.

If you think about how damaging a single power cut could be to your organisation or workplace without any generators, electricity delivery grid procedures in place to assist – this is why OT security and visibility is so important. Our modern infrastructures are managed and controlled by IT backed Industrial Control Systems (ICS) as well as electronic systems. If these IT systems become compromised then all control of the infrastructure will be lost. Malicious activity is on the rise as we have all seen in recent times and it is evident that this increase from ICS attack groups and the emergence of ICS-specific malware, for example Triton or Trisys has highlighted the need for better security and ultimately better visibility.

When it comes to securing your OT environment, prevention is key. While a good incident response plan is important in any cyber defence strategy, preventing and eliminating threats before they become a reality is essential. The key to prevention, in turn, is gaining visibility and managing vulnerabilities.

The Importance of Asset Inventories

Keeping an accurate and up-to-date asset inventory is a vital first step in any comprehensive security program. Unfortunately, a lack of visibility into ICS assets is common across industries worldwide. By conducting an asset discovery and inventory review organisations can map vulnerabilities to assets and determine the severity and impact of any vulnerability.

Asset discovery: Active vs. passive

Even today, a majority of organisations attempt to maintain OT asset inventories using Microsoft Excel, which is a manual and tedious task. The reality is that no organisation has the resources to manually gather configuration data from reasonably sized OT environments; a task that needs to be repeated periodically in order to keep track of configuration changes.

Other organisations have tools for automatic discovery, which can be accomplished by two different approaches: active and passive. The passive approach, also called “passive scanning”, analyses network traffic in a particular subnet and infers device characteristics (such as make and model) from the packets flying by. The active approach, also called “active probing”, sends out targeted probes to devices on the network. It asks OT devices using legitimate industrial protocols about configuration details such as make and model, installed firmware, and so on.

Automatic asset discovery yields a wealth of information about individual OT assets and their configuration. This data becomes ten times more useful when enhanced with metadata that reflects contextual asset attributes, for example:

  • Physical location of a particular OT asset (such as site, building, floor, room, cabinet).
  • A brief description what an OT asset does; for example: “Vibration monitoring server”.
  • Association of an OT asset with an OT system, such as a particular production line, distributed control system etc.
  • Network names and network types as used by engineering and maintenance.
  • Asset criticality (which is very useful for vulnerability management)

Understand your risks

When you know where your OT assets are, what they are and their criticality, you can then begin to understand how vulnerabilities affect risk levels of the entire OT network and accurately set remediation priorities. To do so requires threat–centric vulnerability management (TCVM), which takes into account all vulnerabilities, correlating them with the network model and real–time threat intelligence to determine which vulnerabilities are most likely to be used in an attack. With this information, vulnerability management can accurately prioritise remediation to ensure critical patches are applied during scheduled OT downtime or compensating controls can be put in place until such time.

Attaining Visibility Through Monitoring

Continuous monitoring is key for security visibility within complex industrial control systems. Organisations need to go beyond simple network monitoring and include device-based security for significantly better situational analysis of their environments. For example, by employing a solution that addresses both network-based attacks and device active querying, you can see your entire industrial OT system, including converged IT/OT environments, rather than just a portion.

Moreover, most organisations do not need to set up a separate OT SOC. The majority of companies will find synergy and efficiency in combining their OT SOC into their IT SOC, and utilising their existing SIEM solution to analyse the logs from firewalls, routers, switches, servers, domain controllers, active directory and so on. To manage the threat life cycle within these environments, security teams should adopt a comprehensive threat management program that can provide proactive, managed and response services for threats specific to OT environments.

In conclusion, industrial control systems can have major impacts on society, organisations, and people’s lives. While they were once isolated from any other part of the organisation or network and were considered static systems, this is no longer the case. Today, they are vulnerable to malware, cyberattacks, insider threats, misconfigurations, and even failed maintenance. Organisations need visibility, security, and control for their industrial networks. In a nutshell:

  • Visibility into your OT networks contributes to understanding your risks so that they can be remediated before an attack occurs.
  • Visibility into your OT system is important in the early detection of attacks that may be in progress so that you can ensure safe shutdowns and initiate your IR plan.
  • Visibility into OT for forensic data to understand the timing of an attack, how t was carried out and how to prevent in the future.

So, how do you know what is exposed in your networks, which risks are the highest priorities and what assets are most likely to be compromised in an
attack? How can you get better visibility into what is happening across your entire environment in order to ensure security?

To gain more insights, check out our next enterprise security fireside chat with our partner Tenable on Thursday July 23rd at 3pm where Barak Perelman (VP of OT Security at Tenable), Andy Grzess (CTO, Smarttech247) and Michael Rothschild (Senior Director of Marketing at Tenable) will discuss how to increase your OT visibility and reduce security risk. Click below to register.

Ruth Lanigan

Ruth Lanigan