This is the first installment in a four-part blog series offering an in-depth breakdown of the four essential pillars of industrial cybersecurity: Reveal, Protect, Detect, and Connect. The objective of this series is to help security leaders understand the unique challenges of meeting these needs in an industrial context, as well as the time and resources Claroty has invested in cohesively addressing these challenges in an unparalleled manner.
As the first pillar of industrial cybersecurity, Reveal serves as a prerequisite for addressing the other pillars necessary to secure your industrial environment. You can’t protect what you can’t see: it’s a widely cited adage among cybersecurity practitioners, and for good reason. Indeed, effective industrial cybersecurity starts with knowing what needs to be secured. This requires a comprehensive, detailed view of all industrial assets, processes, connections, network topology, and user activity.
While it’s widely understood that visibility is essential to defending industrial environments, organizations often have limited visibility into these assets due to the following factors:
Operational technology (OT) assets can remain in use for upwards of 25 years, a lifespan that predates both digital transformation and industrial cybersecurity. Legacy OT assets are commonly used alongside modern PLCs, engineering workstations, and IIoT technologies, and gaining visibility into the resulting mix of assets is far more complex than achieving the same feat within an IT environment where, for example, all assets run on the same operating system. Complicating matters further, geography and other conditions often require operations to be widely dispersed in certain industries, particularly in natural resource-intensive sectors such as energy and mining.
Given the fragility and limited bandwidth of many systems within industrial environments, traditional asset-discovery tools can cause these systems to malfunction or shut down entirely, because they probe assets with traffic those assets were never designed to handle. As a result, IT-centric solutions for asset discovery are completely ineffective when dealing with OT.
The underlying cause of traditional asset-discovery solutions’ ineffectiveness within industrial environments is the wide array of proprietary, vendor-specific protocols that OT assets use to communicate. Given the sheer number of these protocols in existence, delivering a solution that offers unmatched compatibility and coverage across OT protocols requires substantial investment and effort on the part of vendors. As such, OT protocol coverage should be at the top of your list of criteria when evaluating vendors on their ability to provide such a solution.
The prominent role of third parties in maintaining many operational environments—as well as the geographically isolated nature of certain industrial activities—has long made remote access to industrial assets a necessity for many organizations. The COVID-19 pandemic greatly exacerbated this existing need by forcing a rapid pivot to a distributed workforce model, prompting an unforeseen increase in remote users accessing industrial networks across virtually all sectors.
Many traditional solutions for remote access offer little-to-no visibility into the actions of remote users. This is especially true of VPNs, which are ill-suited for dealing with industrial environments.
An all-too-common lack of visibility into remote users can have serious implications for industrial environments. For instance, if an issue occurs within your industrial network due to an error made by a remote user, incident-response teams may struggle to identify the root cause. This can greatly increase mean time-to-repair (MTTR), a key performance indicator widely used among OT and IT security staff that reflects how quickly issues are mitigated. Another major concern for many organizations is third-party access to industrial assets. Without the ability to view and monitor actions taken by external users, your organization cedes the ability to fully secure its industrial environment.
To effectively manage, monitor, and protect your environment, your team must overcome the challenges described above in a manner that reveals three core dimensions of industrial visibility:
Accurate, up-to-date visibility across all industrial assets is a must-have for managing and defending your industrial environment. To reiterate, you can’t protect what you can’t see, making asset visibility a crucial first step. Many vendors that claim to offer visibility into OT and other industrial assets only offer visibility into basic attributes, so when evaluating solutions, take care to consider the level of detail offered. Visibility into detailed asset attributes is often overlooked; for instance, the ability to capture granular attributes—such as model, firmware version, and configuration information—is a prerequisite for determining what vulnerabilities are present within your industrial environment.
Due to the challenges listed in the section above, comprehensive asset discovery often necessitates the use of multiple techniques. Claroty employs three asset-discovery techniques, detailed in depth in a recent blog post, that collectively deliver the most thorough and detailed inventory of any solution on the market:
Passive Monitoring: This method is generally the first-choice option for OT asset inventory and network mapping, as it provides a safe and simple way to gain a large amount of visibility. This method works by reconfiguring a switch within the industrial network to copy data and send it to Claroty for processing in a passive, one-way data transfer that has little to no impact on operations.
Active Queries: Active queries deliver visibility into deeper and more complex layers of an organization’s industrial environment that are ill-suited to passive monitoring. These queries leverage our unparalleled OT protocol coverage to identify assets and extract granular data from them using the specific protocol a device is designed to accept. Active queries communicate with assets in a precise, non-disruptive manner that does not encumber the network with unnecessary traffic.
AppDB: The AppDB discovery method delivers visibility into industrial assets that cannot be discovered using passive monitoring or active queries, such as disconnected or air-gapped assets. By ingesting backup configuration files for these assets, Claroty is able to provide immediate visibility into them without the need to connect to them. This asset-discovery method is unique to Claroty, with no other vendor on the market offering comparable capabilities.
By utilizing a mix of the three asset-discovery techniques described above, organizations can quickly and comprehensively create and maintain a constantly up-to-date asset database, complete with enriched asset information, behavioral baselines, unpatched CVEs, and configuration files.
Without full visibility into the industrial network, including user activity within the network, there is no benchmark or baseline to serve as a comparison to help identify misconfigurations, traffic overloads, and other issues that may pose risks to reliability, availability, and safety. With the dramatic increase in remote user activity since the onset of the COVID-19 pandemic, it’s crucial for the scope of this visibility to cover remote user activity. Claroty provides multiple ways to monitor user activity on industrial networks, whether on-site or remote.
Network visibility is also crucial to strengthening your industrial network architecture. More often than not, ineffective or simply nonexistent network segmentation is the root cause of cyber threats permeating industrial environments. But without visibility into your network topology, it is difficult to know where to start when it comes to segmenting your network in accordance with the Purdue Model. Claroty addresses this need by not only revealing your industrial network architecture, but also leveraging AI to segment your entire network into Virtual Zones, which are policy-defined groups of assets that communicate with one another under normal circumstances.
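To make the discovery and baselining ideas above concrete, here is a small added example (illustrative code written for this post, not Claroty’s product code). It takes constructed traffic summaries of the kind a passive sensor would derive from a switch mirror port, builds an asset inventory with the attributes a protocol parser learns (model, firmware), adds an air-gapped asset from a constructed backup-file record in the AppDB spirit, groups assets into zones as connected components of the observed communication graph, and flags a flow that falls outside that baseline. The IP addresses, protocol names, and attribute values are all made up for the example.

```python
"""Added example (not Claroty code): OT asset inventory and communication
baseline from passively observed traffic metadata. All records constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed observations as a passive sensor might summarise them:
# (src, dst, protocol, attributes learned from the protocol payload, keyed by IP).
OBSERVED = [
    ("10.0.1.10", "10.0.1.20", "cip",    {"10.0.1.20": {"model": "PLC-A", "firmware": "20.11"}}),
    ("10.0.1.10", "10.0.1.21", "s7comm", {"10.0.1.21": {"model": "PLC-B", "firmware": "4.2"}}),
    ("10.0.1.20", "10.0.1.21", "modbus", {}),
    ("10.0.2.30", "10.0.2.31", "modbus", {"10.0.2.31": {"model": "RTU-C"}}),
]

@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)   # protocols seen on the wire
    attrs: dict = field(default_factory=dict)     # model, firmware, source, ...

def build_inventory(records):
    """Return ({ip: Asset}, set of undirected communication pairs)."""
    assets, edges = {}, set()
    for src, dst, proto, learned in records:
        for ip in (src, dst):
            assets.setdefault(ip, Asset(ip)).protocols.add(proto)
        edges.add(frozenset((src, dst)))
        for ip, attrs in learned.items():          # enrich from parsed payloads
            assets[ip].attrs.update(attrs)
    return assets, edges

def ingest_config_backup(assets, ip, backup):
    """AppDB-style enrichment: an asset that never appears on the wire is added
    from metadata in a backup/project file and tagged with its provenance."""
    asset = assets.setdefault(ip, Asset(ip))
    asset.attrs.update(backup)
    asset.attrs["source"] = "config_backup"
    return asset

def zones(assets, edges):
    """Connected components of the baseline graph: the simplest reading of
    'assets that communicate with one another under normal circumstances'."""
    parent = {ip: ip for ip in assets}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for edge in edges:
        a, b = tuple(edge)
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for ip in assets:
        groups[find(ip)].add(ip)
    return sorted(sorted(g) for g in groups.values())

def check_flow(src, dst, proto, assets, edges):
    """Compare a newly seen flow against the baseline; returns findings."""
    findings = []
    if src not in assets:
        findings.append(f"unknown source {src}")
    if dst not in assets:
        findings.append(f"unknown destination {dst}")
    if frozenset((src, dst)) not in edges:
        findings.append(f"new communication pair {src}<->{dst} ({proto})")
    return findings

def missing_attribute(assets, key):
    """Assets still lacking an attribute (e.g. firmware), i.e. candidates for
    an active query or a backup-file import to complete the inventory."""
    return sorted(ip for ip, a in assets.items() if key not in a.attrs)

if __name__ == "__main__":
    inv, base = build_inventory(OBSERVED)
    print("zones:", zones(inv, base))
    print("no firmware yet:", missing_attribute(inv, "firmware"))
    print(check_flow("10.0.1.10", "10.0.2.31", "modbus", inv, base))
```

The point of `missing_attribute` is the one made in the asset-visibility section: a passive inventory is rarely complete, and the gaps tell you where a targeted active query or a backup import is needed. `zones` is deliberately naive (pure connectivity, no policy), which is enough to show why a baseline of who talks to whom is the starting point for segmentation.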
Being able to easily monitor industrial process values, such as temperatures, chemical composition, and product formulas (e.g., food/beverage ingredients, pigment ratios for paints, etc.), helps your organization ensure the quality and consistency of its output. To cite a timely example, COVID-19 vaccines must be stored within a specific temperature range in order to remain effective.
Visibility into process values can also enable teams to quickly identify anomalies indicative of an early-stage attack, reliability issues, or other potential risks. This dimension of industrial visibility is a key enabler of predictive maintenance, enabling your team to implement preemptive measures to prevent failures.
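As an added illustration of what process visibility buys you (example code written for this post, not part of Claroty’s platform), the block below learns a per-tag baseline from a short window of readings, classifies new readings against both the learned baseline and process-owner engineering limits, and separately catches a “flatline,” a sensor or feed that keeps reporting the same value and would otherwise look perfectly normal to a range check. The tag names, readings, and limits are constructed; the cold-store temperature tag echoes the vaccine-storage example above.

```python
"""Added example (not Claroty code): baseline and anomaly flags for process
values. All tags, readings and limits are constructed for illustration."""
from statistics import mean, pstdev

# Constructed learning window of readings per tag (a real feed would carry
# timestamps and come from the historian or the controllers themselves).
BASELINE_WINDOW = {
    "cold_store_temp_c": [-70.1, -69.8, -70.3, -70.0, -69.9, -70.2, -70.0, -69.7],
    "mixer_ph":          [6.9, 7.0, 7.1, 7.0, 6.9, 7.0, 7.1, 7.0],
}

# Constructed engineering limits a process owner would supply: breaching
# these is a safety/quality issue regardless of what the baseline learned.
ENGINEERING_LIMITS = {
    "cold_store_temp_c": (-80.0, -60.0),
    "mixer_ph":          (6.5, 7.5),
}

def learn_baseline(window, k=3.0):
    """Return {tag: (lo, hi)} as mean +/- k population standard deviations."""
    baseline = {}
    for tag, values in window.items():
        m, sd = mean(values), pstdev(values)
        baseline[tag] = (m - k * sd, m + k * sd)
    return baseline

def classify(tag, value, baseline, limits):
    """Engineering limits are checked first; a baseline deviation is the
    early-warning signal that something drifted before a limit was hit."""
    lo_eng, hi_eng = limits[tag]
    if not lo_eng <= value <= hi_eng:
        return "engineering_limit"
    lo, hi = baseline[tag]
    if not lo <= value <= hi:
        return "baseline_deviation"
    return "normal"

def flatline(values, run=5):
    """True exactly when the last `run` readings are identical and the run has
    just reached that length, so a frozen sensor is reported once, not on
    every subsequent reading."""
    if len(values) < run:
        return False
    tail = values[-run:]
    just_reached = len(values) == run or values[-run - 1] != tail[0]
    return len(set(tail)) == 1 and just_reached

def evaluate(readings, baseline, limits, run=5):
    """readings: list of (tag, value) in time order. Returns findings as
    (tag, value, reason) tuples."""
    findings, history = [], {}
    for tag, value in readings:
        status = classify(tag, value, baseline, limits)
        if status != "normal":
            findings.append((tag, value, status))
        history.setdefault(tag, []).append(value)
        if flatline(history[tag], run):
            findings.append((tag, value, "flatline"))
    return findings

# Constructed stream: one normal reading, a drift outside the learned band,
# a breach of the engineering limit, then a pH sensor stuck at 7.0.
STREAM = [
    ("cold_store_temp_c", -70.1),
    ("cold_store_temp_c", -72.0),
    ("cold_store_temp_c", -55.0),
] + [("mixer_ph", 7.0)] * 5

if __name__ == "__main__":
    base = learn_baseline(BASELINE_WINDOW)
    for finding in evaluate(STREAM, base, ENGINEERING_LIMITS):
        print(finding)
```

The two-tier check is the practical detail worth keeping: the learned band catches the early drift that predictive maintenance cares about, the engineering limit catches the condition that is already a safety or quality failure, and the flatline check covers the reliability case where the absence of change is itself the anomaly.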
Boasting the largest library of proprietary protocols within the industrial cybersecurity space, Claroty empowers our customers by revealing an unmatched level of asset visibility, network visibility, and process visibility. The Claroty Platform fully reveals and contextualizes our customers’ industrial environments, offering a centralized, easy-to-manage, and always up-to-date inventory of all industrial assets, processes, and connectivity paths. Claroty leverages this visibility to offer definitive insight into what “normal” looks like within your environment, thus enabling accurate and rapid detection of anything unusual that may be of concern.
Within the market for industrial cybersecurity solutions, Claroty is the only vendor whose caliber of visibility is proven and endorsed by the world’s top three industrial automation leaders: Rockwell Automation, Schneider Electric, and Siemens—all of which are our longtime investors, partners, and customers. These three companies are part of an extensive list of industrial automation vendors and research organizations whose close relationships with Claroty enable us to rapidly adapt as necessary to support your organization’s visibility requirements.
In this blog, we described the unique challenges associated with revealing visibility into industrial environments, as well as the specific types of visibility needed to address the remaining three pillars of industrial cybersecurity: Protect, Detect, and Connect. In subsequent installments of this series, we will offer insight into the importance of these pillars, challenges in achieving them, how they interrelate with one another, and how Claroty supports them.