CISO Series: Understanding Barriers to OT Visibility
By Galina Antova | Apr 6, 2020
Like all cybersecurity initiatives, effective industrial cybersecurity fundamentally comes down to implementing controls that reduce risk. But in order to reduce risk in your organization’s industrial environment, you need a comprehensive inventory of your network, complete with granular details for all assets, communications, and processes.
While all of this is fairly straightforward, one of the fundamental challenges CISOs face in defending their industrial environments against cyber threats is that gaining visibility into operational technology (OT) networks is uniquely difficult due to myriad factors:
Non-Standardized Technology: In strong contrast with IT software and hardware, OT equipment can have a lifespan of several decades. As such, businesses tend to amass an idiosyncratic set of industrial assets at their production sites over the years. In many cases, companies use a mix of old and new equipment, as well as equipment from different vendors. Complicating matters further, many organizations’ OT environments are widely distributed across dozens—or even hundreds—of physical sites or plants.
Proprietary Protocols: OT equipment communicates using proprietary protocols specific to its vendor, and traditional IT security tools, which are built to parse open IT protocols, cannot decode them. As such, the common assumption that organizations can use IT security monitoring tools to gain visibility into their OT networks is simply false.
Cost of Potential Disruptions: Since OT networks tend to be fragile and bandwidth-constrained, traditional vulnerability scanners designed for IT networks can cause OT devices to fail and, in some cases, take entire plants offline. Since many production environments rely on operational continuity to ensure profitability, the opportunity cost of conducting a comprehensive OT inventory is often deemed prohibitive. On the other hand, since the potential cost of turning a blind eye to OT security threats is equally prohibitive from the CISO’s perspective, this dynamic poses a dilemma for many organizations.
Remote Access Connections: Remote access connections are commonly used by in-house support staff or third-party vendors to service OT assets. Visibility into these remote sessions is essential for auditing, change management, and risk assessments, but traditional IT remote access solutions are not suitable for industrial environments.
Lack of Granular Data: To identify and assess threats and vulnerabilities with precision, IT security teams need visibility into granular attributes such as exact model, firmware version, and configuration so that assets can be matched to CVEs. And while there’s a crowded marketplace for OT-specific asset inventory solutions, most can only identify assets by basic attributes. As such, CISOs and other IT decision makers should not assume a vendor offers meaningful OT visibility without looking into the specific attributes their solution is able to identify.
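To make the last point concrete, here is an added example (not Claroty's code) showing why an inventory that stops at vendor name cannot be matched against advisories, while one carrying model and firmware version can. The vendor, models, firmware versions and advisory id are constructed placeholders, not real products or CVEs.

```python
"""Added example (not Claroty's code): matching inventory assets to advisories
requires model and firmware version, not just vendor. All data is constructed."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Asset:
    name: str
    vendor: str
    model: Optional[str] = None      # basic inventories often stop at vendor
    firmware: Optional[str] = None   # granular inventories also record firmware

@dataclass
class Advisory:
    advisory_id: str                 # placeholder id, not a real CVE
    vendor: str
    model: str
    fixed_in: str                    # firmware versions below this are affected

# Constructed inventory: two assets with full detail, one with only basic attributes.
ASSETS = [
    Asset("plc-line1", "ExampleVendor", "PLC-100", "2.3.0"),
    Asset("plc-line2", "ExampleVendor", "PLC-100", "2.5.1"),
    Asset("plc-line3", "ExampleVendor"),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-0001", "ExampleVendor", "PLC-100", "2.5.0"),
]

def match_assets(assets, advisories) -> dict:
    """Return {asset name: list of matching advisory ids}; None marks assets whose
    inventory record is too coarse to decide either way."""
    result = {}
    for a in assets:
        if a.model is None or a.firmware is None:
            result[a.name] = None    # vendor alone cannot be matched reliably
            continue
        result[a.name] = [
            adv.advisory_id for adv in advisories
            if adv.vendor == a.vendor and adv.model == a.model
            and parse_version(a.firmware) < parse_version(adv.fixed_in)
        ]
    return result
```

The asset with only a vendor name comes back as undecidable rather than as "not affected", which is the distinction a coarse inventory silently hides.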
The Three Dimensions of OT Visibility
To effectively monitor and defend against threats to their organization’s OT environment, IT security teams need real-time, granular visibility into three integral dimensions:
Asset Visibility: Having detailed visibility into all devices on an OT network, covering extensive attributes, such as model number, firmware version, network card slots, etc., is essential for identifying and assessing vulnerabilities with precision.
Network Visibility: IT security personnel also need thorough visibility and monitoring of the bandwidth, actions, and changes made during all active and past OT network sessions. This visibility enables easy, rapid detection of misconfigurations, traffic overloads, and other issues which may pose risks to reliability, availability, and safety.
Process Visibility: Being able to track OT operations—as well as the code section changes and tag values for all processes which involve OT assets—is also crucial for identifying abnormal changes in OT process values or unusual behaviors indicative of an early-stage attack, operational reliability issues, or other potential risks within your industrial environment.
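As an added illustration of the process-visibility dimension (example code, not Claroty's), the following baselines tag values over a known-good window and then flags out-of-envelope values, unknown tags, and controller logic changes that fall outside a scheduled maintenance window. Tag names, values, users, timestamps and the maintenance window are all constructed.

```python
"""Added example (not Claroty's code): tag-value baselining plus logic-change
auditing as a minimal form of process visibility. All data is constructed."""
from dataclasses import dataclass

@dataclass
class TagSample:
    ts: int          # constructed timestamp (seconds)
    tag: str
    value: float

@dataclass
class LogicChange:
    ts: int
    controller: str
    section: str     # code section that was modified
    user: str

def learn_baseline(samples, margin=0.10):
    """Per-tag (low, high) envelope from a known-good window, widened by a margin."""
    base = {}
    for s in samples:
        lo, hi = base.get(s.tag, (s.value, s.value))
        base[s.tag] = (min(lo, s.value), max(hi, s.value))
    return {t: (lo - abs(lo) * margin, hi + abs(hi) * margin) for t, (lo, hi) in base.items()}

def find_anomalies(baseline, samples, changes, maintenance_window):
    """Flag unknown tags, out-of-envelope values, and logic changes outside the window."""
    alerts = []
    for s in samples:
        lo, hi = baseline.get(s.tag, (None, None))
        if lo is None:
            alerts.append((s.ts, "unknown-tag", s.tag))
        elif not lo <= s.value <= hi:
            alerts.append((s.ts, "out-of-range", s.tag))
    start, end = maintenance_window
    for c in changes:
        if not start <= c.ts <= end:
            alerts.append((c.ts, "unscheduled-logic-change", f"{c.controller}/{c.section}"))
    return sorted(alerts)

# Constructed data: a known-good learning window, then live samples and change events.
GOOD = [TagSample(t, "tank1_level", v) for t, v in ((1, 40.0), (2, 52.0), (3, 60.0))] + \
       [TagSample(t, "pump1_rpm", v) for t, v in ((1, 1450.0), (2, 1500.0))]
LIVE = [TagSample(200, "tank1_level", 55.0), TagSample(201, "tank1_level", 90.0),
        TagSample(202, "pump1_rpm", 1480.0), TagSample(203, "valve9_pos", 1.0)]
CHANGES = [LogicChange(100, "plc-line1", "MainRoutine", "maint_user"),
           LogicChange(300, "plc-line1", "SafetyRoutine", "unknown")]
MAINTENANCE = (90, 120)   # only ts 90..120 is a scheduled maintenance window

def run_demo():
    return find_anomalies(learn_baseline(GOOD), LIVE, CHANGES, MAINTENANCE)
```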
Having invested years of research and development into delivering the broadest, deepest level of visibility into OT environments, Claroty is the only vendor to fully cover each of these three dimensions. This extreme visibility is delivered within the user-friendly Claroty Platform, which allows IT security teams to filter and customize their view to zero in on the assets, processes, and network data most critical to their team to reduce OT-related risks with efficiency and effectiveness.
Claroty’s industry-leading caliber of OT visibility is complemented by other core facets of Continuous Threat Detection (CTD)—threat detection, vulnerability management, and triage/mitigation—as well as its Secure Remote Access (SRA) capabilities.
To learn more about how Claroty can deliver comprehensive security for OT environments, request a demo.