How to improve OT network visibility
The Dragos 2021 Year In Review highlighted four key findings on: OT network visibility, poor security perimeters, external connections to the industrial control systems (ICS) environments, and separation of IT and OT user management.
This blog is the first in a series expanding on each of these findings. Dragos determined that 86% of its 2021 service engagements showed a lack of visibility across OT networks, down from 90% in 2020. Network visibility still has not reached maturity across the industry, even though it is one of the cornerstones of a robust cybersecurity posture.
Network visibility: a first step to improve your security posture
Visibility plays a key role in most other cybersecurity controls, providing the information needed to scope and define the problems that need solving. Asset inventories, change configuration management, vulnerability management, detection of rogue access points, threat detection, and similar controls are all enabled through better visibility within an environment.
Increased visibility lends itself to the following efforts:
- Identifies baseline behaviors within an environment to enhance threat detection
- Empowers visibility through asset management, change configuration, and asset identification
- Validates the effectiveness of firewall rules and network segmentation
- Facilitates root cause analysis and incident response
- Enables the creation of metrics to justify security investments
- Highlights ingress and egress traffic between trust zones
- Increases internal monitoring of level 0/1/2 intrazonal communication
Visibility is the starting point for a robust cybersecurity program and evolves into a metric for developing more mature and secure environments.
Distinguishing where IT stops and OT begins
This past year, Dragos saw the impact that interconnected IT and OT environments have on the operations of critical infrastructure. Multiple times, threat actors attacked enterprise networks with ransomware, and because of the fear that the compromise could spread to OT networks, these enterprises chose to shut down operations. One reason for these fears is a lack of visibility: not knowing the data flows between the IT and OT networks, or the assets that bridge that gap.
Visibility is necessary for validating the security controls that define a defensible architecture. Without full visibility, defenders are less likely to be certain of the effectiveness of other protective measures such as perimeter security, network segmentation, or role-based access controls. If the data flows between IT and OT networks are not clearly understood, blind spots appear in the OT network’s attack surface. Knowing and monitoring the connections between OT and IT assets is critical to preventing compromise.
Three key tenets of network visibility
Visibility comes in varied forms, from asset visibility to data flow inspection, but it can be summarized as anything that increases the defender’s knowledge of their own environment. To ensure full visibility, security staff need to understand where they can gather network and asset information. A collection management framework documents and institutionalizes the data sources available to defenders. It details the total breadth of data available to them and reveals the missing data sources that need to be cultivated to advance the organization’s visibility.
The primary data sources that contribute to increased visibility are:
- Network monitoring – A passive-network OT aware solution, like the Dragos Platform, monitors traffic across the network for malicious traffic or threat behaviors. OT aware monitoring can detect and alert on behaviors generated by OT assets such as PLCs, engineering workstations, or HMIs by dissecting ICS protocols.
- Logging – Capturing logs, where possible, improves an organization’s visibility into its network; however, not all OT devices are capable of generating logs. Internal east/west network monitoring or packet capture can compensate for this by increasing monitoring near the OT assets that lack logging capabilities. Host event logs, firewall logs, and PLC alerts, alongside network monitoring, provide a holistic view of the OT environment.
- Asset identification – Identifying the components of a network enables defenders to allocate their resources effectively. This is even more important after the completion of a crown jewel analysis, when defenders can identify their network’s crown jewels among logs and network traffic and create additional alerts and security controls to protect the assets most critical to the organization’s mission.
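The collection management framework described above can be made concrete as a small coverage check. The following is an added example, not Dragos code or part of the Dragos Platform: it takes a constructed asset inventory, records which data sources (host logs, a passive network sensor on the asset’s segment, collected firewall logs) exist for each asset, and reports the gaps. The segment names, asset names, and the two rules for flagging a gap are assumptions chosen to mirror the post’s reasoning, in particular that an OT device with no logging and no nearby network monitoring is a blind spot.

```python
"""Collection management framework (CMF) coverage check.

Added example (not Dragos code). Given an asset inventory and the data
sources available per asset or per network segment, report which visibility
sources exist for each asset and where a gap still needs to be cultivated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str          # network segment / zone the asset lives in
    role: str             # e.g. "PLC", "EWS", "HMI", "historian"
    host_logging: bool    # does the device emit host/event logs at all?


# Constructed sample inventory (assumption: a small Purdue-style plant network).
ASSETS = [
    Asset("PLC-01", "L1-cell-a", "PLC", host_logging=False),
    Asset("PLC-02", "L1-cell-b", "PLC", host_logging=False),
    Asset("EWS-01", "L2-eng", "EWS", host_logging=True),
    Asset("HMI-01", "L2-control", "HMI", host_logging=True),
    Asset("HIST-01", "L3-ops", "historian", host_logging=True),
]

# Constructed CMF entries: segments covered by a passive network sensor, and
# segments whose firewall logs are centrally collected.
SENSOR_SEGMENTS = {"L2-eng", "L2-control", "L1-cell-a"}
FIREWALL_LOG_SEGMENTS = {"L3-ops", "L2-control"}


def coverage_for(asset: Asset) -> dict:
    """Return the visibility sources available for one asset."""
    return {
        "host_logs": asset.host_logging,
        "network_monitoring": asset.segment in SENSOR_SEGMENTS,
        "firewall_logs": asset.segment in FIREWALL_LOG_SEGMENTS,
    }


def find_gaps(assets) -> dict:
    """Return {asset_name: recommendation} for assets with insufficient visibility.

    Rules (assumptions mirroring the post):
    - no host logging AND no passive sensor on the segment -> blind spot; the
      remedy is network monitoring near that asset;
    - exactly one data source -> single-source, add a second one.
    """
    gaps = {}
    for a in assets:
        cov = coverage_for(a)
        if not cov["host_logs"] and not cov["network_monitoring"]:
            gaps[a.name] = f"blind spot: deploy passive network monitoring on {a.segment}"
        elif sum(cov.values()) == 1:
            gaps[a.name] = "single-source: add a second data source"
    return gaps


def coverage_metrics(assets) -> dict:
    """Percentage of assets with at least one / at least two visibility sources."""
    counts = [sum(coverage_for(a).values()) for a in assets]
    total = len(assets)
    return {
        "assets": total,
        "pct_any_source": round(100 * sum(c >= 1 for c in counts) / total),
        "pct_two_plus_sources": round(100 * sum(c >= 2 for c in counts) / total),
    }


if __name__ == "__main__":
    for name, recommendation in find_gaps(ASSETS).items():
        print(f"{name}: {recommendation}")
    print(coverage_metrics(ASSETS))
```

The metrics function is the part that turns the framework into a number a program can track over time, which is the "metrics to justify security investments" point from the list earlier in the post.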
Recommended steps forward
Developing full visibility is a difficult process. Taking incremental steps, based on available resources, to eliminate blind spots and advance the organization’s maturity is how a cybersecurity program develops.
- Identify all crown jewel assets within the network and document their behaviors (data flows, protocols, user and service access).
- Monitor network traffic at network segmentation points between trust zones, especially between IT and OT networks and any DMZ, and internal to each OT zone.
- Centralize all available data sources identified in the collection management framework and coordinate with a security operations center for greater effect.
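The three steps above fit together as one review loop: document the crown jewels’ expected behaviors, observe traffic at the segmentation points, and compare. The following is an added example written for this post, not Dragos code: it uses a constructed zone map and baseline of approved flows for two PLCs designated as crown jewels, parses constructed flow records of the kind a passive sensor at a segmentation point might export, and flags cross-zone flows that are not in the baseline, flows involving assets missing from the inventory, and unbaselined intrazonal flows to a crown jewel. Addresses, zone names, ports and protocol labels are all assumptions.

```python
"""Baseline-vs-observed flow review for crown jewel assets.

Added example (not Dragos code). A zone map and documented baseline stand in
for the crown jewel analysis; the observed flow lines are constructed and
stand in for a passive sensor's export at a segmentation point.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str   # protocol label as a sensor would dissect it


# Constructed zone map: host -> trust zone.
ZONES = {
    "10.10.1.20": "IT",      # corporate workstation
    "10.20.0.5": "DMZ",      # jump/patch server
    "10.30.0.10": "OT-L3",   # historian
    "10.31.0.7": "OT-L2",    # engineering workstation
    "10.31.0.8": "OT-L2",    # HMI
    "10.32.0.2": "OT-L1",    # PLC-01 (crown jewel)
    "10.32.0.3": "OT-L1",    # PLC-02 (crown jewel)
}
CROWN_JEWELS = {"10.32.0.2", "10.32.0.3"}

# Documented behaviors (step 1): approved flows as (src, dst, port, proto).
BASELINE = {
    ("10.31.0.8", "10.32.0.2", 502, "modbus"),    # HMI polls PLC-01
    ("10.31.0.8", "10.32.0.3", 502, "modbus"),    # HMI polls PLC-02
    ("10.31.0.7", "10.32.0.2", 102, "s7comm"),    # EWS programs PLC-01
    ("10.30.0.10", "10.31.0.8", 4840, "opcua"),   # historian reads HMI server
    ("10.20.0.5", "10.30.0.10", 443, "https"),    # DMZ server updates historian
}

# Constructed observed flows (step 2), one "src,dst,port,proto" record per line.
OBSERVED_LINES = """\
10.31.0.8,10.32.0.2,502,modbus
10.31.0.7,10.32.0.2,102,s7comm
10.30.0.10,10.31.0.8,4840,opcua
10.20.0.5,10.30.0.10,443,https
10.10.1.20,10.31.0.7,445,smb
10.31.0.99,10.32.0.3,502,modbus
10.31.0.8,10.31.0.7,443,https
10.32.0.3,10.32.0.2,502,modbus
"""


def parse_flow_line(line: str) -> Flow:
    src, dst, port, proto = line.strip().split(",")
    return Flow(src, dst, int(port), proto)


def zone_of(host: str) -> str:
    """Zone from the inventory, or UNKNOWN for an asset nobody documented."""
    return ZONES.get(host, "UNKNOWN")


def review(flows):
    """Compare observed flows to the baseline (step 3).

    Returns (alerts, metrics); each alert is (severity, reason, flow).
    """
    alerts, stats = [], Counter()
    for f in flows:
        stats["flows"] += 1
        key = (f.src, f.dst, f.dst_port, f.proto)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        touches_cj = f.src in CROWN_JEWELS or f.dst in CROWN_JEWELS
        if "UNKNOWN" in (sz, dz):
            stats["unknown_asset"] += 1
            alerts.append(("high" if touches_cj else "medium", "unknown asset in flow", f))
        elif sz != dz:
            stats["cross_zone"] += 1
            if key not in BASELINE:
                stats["cross_zone_unbaselined"] += 1
                alerts.append(("high" if touches_cj else "medium",
                               f"cross-zone {sz}->{dz} not in baseline", f))
        elif f.dst in CROWN_JEWELS and key not in BASELINE:
            stats["intrazonal_unbaselined_cj"] += 1
            alerts.append(("medium", "intrazonal flow to crown jewel not in baseline", f))
    return alerts, dict(stats)


def review_lines(text: str):
    return review(parse_flow_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    found, metrics = review_lines(OBSERVED_LINES)
    for sev, reason, f in found:
        print(f"[{sev}] {reason}: {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
    print(metrics)
```

The unknown-asset branch is deliberately checked first: a flow whose endpoint is not in the inventory cannot be classified by zone at all, and that is exactly the asset identification gap the post describes. The intrazonal branch covers the level 0/1/2 monitoring point from the earlier list, which perimeter firewalls alone would never see.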
Gathering more information and data gives defenders context for network behavior. After cultivating additional data sources, turning network traffic into tuned logs and alerts that yield useful information is a process as dependent on people as it is on technology. Cybersecurity expertise requires support from operations subject matter experts to close visibility gaps in critical processes.
Visibility creates the foundation for developing the rest of the security controls in an organization’s OT environment. Small advancements in visibility magnify into advancements in overall security posture maturity. By enumerating the gaps, visibility showcases the other areas that require remediation, such as the other three key findings of Dragos’s Year in Review: poor security perimeters, external connections to the ICS environment, and a lack of separate IT and OT user management.
Original content can be found at Dragos.