
Feature Spotlight: OT Activity Event Alerts

Corey Burke
/ August 26th, 2023

Operational Technology (OT) environments are teeming with asset modifications and changes that, if not handled carefully, can have dire impacts on operations. Unmonitored events such as online edits, configuration tweaks, or mode changes can disrupt productivity and inflict major financial repercussions.

Despite this potential for disruption, industrial asset owners often find themselves in the dark, lacking a real-time understanding of change operations. The result is delayed incident response and a heightened risk of security breaches. Recognizing the need for transparency into and control over these types of events, Claroty has launched new alerting on OT asset activity.

While it’s critical to maintain a granular history for every OT asset, relying solely on historical data for visibility into OT activity falls short. You need proactive, real-time alerting on operational changes, and you need to be able to analyze the contextual information quickly to respond appropriately.

The key to success lies in unmasking the unseen - gaining comprehensive visibility and alerting into change operations. Embracing a solution that provides a clear window into OT events and their impact on devices is not just a necessity, but a lifeline.

In this piece, we’ll highlight Claroty’s OT Activity Event alerting and how it helps OT security teams monitor, manage, and respond to specific OT asset changes.

OT Activity in Claroty xDome

Claroty xDome’s OT Activity Event page tracks a variety of OT-specific actions that can occur in an industrial environment and maps them back to specific assets. Events can be viewed grouped by event type or as a running list of all OT activity events, helping you better target your response to asset modifications. Through continuous asset monitoring, Claroty xDome tracks the following OT-specific activities to help you ensure operational integrity through event transparency:

Claroty xDome OT Activity Events

Configuration Download

Configuration Upload

DCS Configuration Change

File System Change

Firmware Download

Memory Reset

Mode Change

Monitor Mode

Online Edit

Settings Change

OT Activity Event Types

What is an OT Activity Alert?

An OT activity alert is an alert that notifies you of specific events or changes that take place on an OT device in an industrial environment. Claroty xDome provides predefined alerts that give you a solid starting point for gaining visibility into the various event types shown in the above table. Every event is automatically linked to specific assets, including the source device and its subsequent destination devices. 

In addition to the predefined alerts, you can specify exactly which OT activities matter to you by configuring custom OT Activity alerts. This flexibility allows you to reduce noise and alleviate alert fatigue, ensuring that you only receive relevant alert information.

For example, let’s say you only want to be notified if a configuration download on a PLC is initiated from outside the industrial network. You can configure an alert to notify you if a configuration download happens in the corporate network, filtering out alerts for the expected downloads that happen within the industrial network.

OT Activity Alert

Within this alerting tool, you can customize alerts based on various parameters including event type, communication type, and attributes of both source and destination devices. Additionally, you can monitor systems from a specific manufacturer, VLANs within an environment, and communication protocols. 
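The custom alert from the example above (a configuration download to a PLC initiated from outside the industrial network), applied to exported event data. This is an added illustration, not Claroty code: the CSV column names, the subnet plan, and the sample events are constructed assumptions and do not reflect the xDome export schema.

```python
import csv
import io
import ipaddress

# Constructed address plan: subnets treated as the industrial network (assumption).
INDUSTRIAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.21.5.0/24")]

# Constructed events; column names are hypothetical, not a Claroty export schema.
SAMPLE_CSV = """\
time,event_type,src_ip,dst_ip,dst_asset_type,protocol
2023-08-01T08:02:11Z,Configuration Download,10.20.4.15,10.20.8.30,PLC,S7Comm
2023-08-01T09:17:40Z,Configuration Download,192.168.50.7,10.20.8.30,PLC,S7Comm
2023-08-01T09:20:03Z,Mode Change,192.168.50.7,10.20.8.31,PLC,CIP
2023-08-01T10:45:52Z,Configuration Download,192.168.50.9,10.20.9.12,HMI,CIP
2023-08-01T11:05:00Z,Configuration Download,not-an-ip,10.21.5.4,PLC,Modbus
"""


def in_industrial_network(addr):
    """True if addr parses and falls inside an industrial subnet."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        # An unparseable source is treated as outside, so the rule still alerts.
        return False
    return any(ip in net for net in INDUSTRIAL_NETS)


def matches_rule(event):
    """Configuration download to a PLC whose source is outside the industrial network."""
    return (
        event["event_type"] == "Configuration Download"
        and event["dst_asset_type"] == "PLC"
        and not in_industrial_network(event["src_ip"])
    )


def alerts_from_csv(text):
    """Return the rows of a CSV export that should raise the custom alert."""
    return [row for row in csv.DictReader(io.StringIO(text)) if matches_rule(row)]


if __name__ == "__main__":
    for a in alerts_from_csv(SAMPLE_CSV):
        print(a["time"], a["src_ip"], "->", a["dst_ip"], a["protocol"])
```

The expected in-network download, the mode change, and the download to an HMI are filtered out; only the downloads to a PLC from outside the industrial subnets remain.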

Exporting and Operationalizing Alert Info 

Exporting OT Activity alerts needs to be simple so you can get your OT event data to relevant stakeholders and into your syslog feeds. You can easily share and report on event data by exporting it as an XLS or CSV file.

OT Alert Format

To learn more about Claroty’s OT Activity Alerts or to see them in action, request a demo.

The Importance of Asset Discovery

Without a strong foundation of asset visibility, effective cybersecurity controls, such as OT Activity alerting, are impossible. You need critical asset discovery details, such as asset type, protocol usage, IP address, device manufacturer, firmware version, and more in order to respond to cyber threats. Using more than one asset discovery method will give you a complete picture of each individual device in an industrial environment.

Claroty offers five asset discovery methods to provide fully enriched asset profiles and an accurate asset inventory of all your cyber-physical systems within OT, IoT, and IT. These discovery methods are: passive, active, project file analysis, our patent-pending Edge technology, and third-party integrations.
