As industrial organizations embrace Industry 5.0, aiming for more sustainable and resilient business operations, they face the challenge of striking a balance between improving productivity and maintaining regulatory compliance on the one hand, and reducing the cyber risk that comes with hyper-connectivity on the other.
The culprit is the unique complexity of cyber-physical systems (CPS) environments and the distinct requirements to protect them.
To begin, organizations must understand the need for dynamic discovery in their environment and why it is essential for successful network protection. Let’s dive into some key challenges of protecting CPS networks and discuss how a purpose-built CPS Protection Platform (PP) can help safeguard the mission-critical assets that span our cyber and physical worlds.
Industrial organizations everywhere understand that gaining complete visibility of the assets across their CPS environment is essential to understanding what assets need protecting and what policies should be in place. However, it's not enough to just have a baseline understanding of what assets are located in your environment. Dynamic discovery takes things a step further, employing multiple collection methods to provide deeper visibility and a better foundation for CPS cybersecurity.
Dynamic Discovery methods provide a proactive approach to asset identification and profiling that is not solely reliant on passive monitoring of network traffic. With dynamic discovery, organizations can gain an in-depth understanding of each asset's purpose within the environment, which allows them to understand the areas of greatest risk before deploying passive monitoring technology. Beginning with non-passive discovery leads to a greater ROI as organizations can prioritize which sites are most critical for passive monitoring. With passive discovery deployed, they can then determine which network policies to define and how, as well as which technologies — whether firewalls, NACs, or others — to use to enforce those policies.
Different devices operate very differently within the OT environment. For example, PLCs communicate very differently than HMIs, and the two use very different protocols. By leveraging both non-passive and passive methods, you can gain a full picture of the assets in your environment. Combining a deep understanding of exposures and threats with visibility of network traffic communications allows your organization to proactively reduce risk. However, achieving an understanding of the assets within your environment can prove tricky for many organizations. Here are some of the challenges that may prevent you from keeping up with the changing conditions within your complex environment.
Combining connectivity with the unique complexities of CPS environments can have serious implications. Here are the top three challenges industrial organizations regularly face that can inhibit full asset visibility and comprehensive network protection in their environments:
Attempt to utilize existing IT tools for CPS-centric problems: Many organizations attempt to leverage their existing IT infrastructure in their CPS environment to save cost and keep things simple. However, this can create operational risks and limit the usefulness of these tools for CPS security use cases.
Lack of complete visibility: The proprietary protocols and legacy systems in OT environments make it difficult for organizations to attain a real-time inventory of their CPS assets. In addition, historically, organizations relied heavily on passive-only discovery methods, which require time and resources to deploy.
Inadequate policy enforcement: Without a comprehensive asset inventory, you are unable to create policies that define how the assets should communicate. This may lead to policies that can block or allow the wrong traffic, potentially disrupting operations.
By taking a phased approach to network protection, organizations can ensure a successful journey to achieving risk reduction, while maintaining compliance with regulatory requirements and industry standards, and ensuring cost savings. Here are our recommended phases:
Phase 0 – Discover Assets with Dynamic Discovery Methods:
Discovering all CPS assets in your OT environment is Phase 0 of your journey, not only because it is foundational to ensuring network protection, but also because it is essential to all other use cases, capabilities, and objectives during your entire CPS security governance journey. During this phase, organizations should establish which non-passive discovery techniques they would like to leverage based on their CPS visibility needs. These methods include:
Safe Queries: Safe queries provide a targeted discovery of assets in their native protocol.
Claroty Edge: Claroty Edge delivers speedy, host-based asset profiling through orchestrated queries.
Project File Analysis: Project file analysis provides asset enrichment by regularly ingesting offline configuration files.
Integrations: Integrations offer enriched visibility without any hardware or configuration changes.
Phase 1 – Employ Passive Monitoring Techniques:
Once non-passive discovery methods are leveraged for quick and easy asset identification, organizations can then leverage this granular visibility to determine which sites require passive monitoring. By establishing continuous monitoring of network traffic, organizations can begin to inform their segmentation strategy to best protect their highest risk assets.
Phase 2 – Define Segmentation Strategy:
Once an understanding of all assets within your environment is established through non-passive and passive means, it is essential that your organization considers its business objectives, outlines any regulatory requirements that must be met, and gathers insight from your newly established CPS inventory to define your segmentation goals. In addition, during this step, you should map out how your existing infrastructure will help to support your strategy.
Phase 3 – Create Zones & Policies:
Next, it is important to understand how assets are communicating, their operations, and their criticality to group them into network zones. Once zones are established, you can then successfully create policies for how the CPS in each zone should be communicating under normal circumstances.
Phase 4 – Monitor Policies:
Configuring alerting rules that align with each zone’s policies comes next. This will allow you to monitor all CPS and their baseline communications in the environment to determine if there are any deviations from the rules in place.
Phase 5 – Investigate, Tune, & Validate:
Next, organizations should investigate any deviations, identify those that require timely action, and prioritize remediations for the riskiest CPS in their environment. By then tuning and validating policies, you can ensure that, if enforced, none can negatively impact operations.
Phase 6 – Enforce & Optimize Policies:
Finally, in this phase, you can import zones into your firewall solution, mirror their respective policies within it, and then logically enforce those policies. From there, you can scale and enhance enforcement to continuously improve network protection over time.
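As an added illustration of Phases 3 through 6 (this is example code written for this page, not Claroty's code or a description of its product), the Python sketch below groups a constructed asset inventory into zones, records the allowed zone-to-zone communications as a policy, compares a set of constructed observed flows against that policy, ranks deviations by asset criticality for triage, and renders the validated policy as default-deny firewall rules in a hypothetical vendor-neutral format. Every asset, address, zone, protocol and flow is constructed; the rule syntax is an assumption and would need translating to a real firewall's own language.

```python
"""Zone/policy modelling for a CPS network (constructed example).

Models the phased approach above: group inventoried assets into zones
(Phase 3), define which zone-to-zone protocols are normal (Phase 3),
flag observed flows that deviate from the policy (Phase 4), prioritise
deviations by asset criticality (Phase 5), and render the validated
policy as firewall rules (Phase 6). All data is constructed and the
rule format is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    kind: str          # e.g. "PLC", "HMI", "EWS", "historian"
    zone: str          # zone assigned in Phase 3
    criticality: int   # 1 (low) .. 5 (safety/production critical)


# A policy entry is (src_zone, dst_zone, protocol, dst_port).
Policy = Set[Tuple[str, str, str, int]]
Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, protocol, dst_port)

# Constructed inventory: what Phases 0-1 (discovery) would have produced.
INVENTORY: List[Asset] = [
    Asset("plc-01", "10.10.1.10", "PLC", "cell-A", 5),
    Asset("plc-02", "10.10.1.11", "PLC", "cell-A", 5),
    Asset("hmi-01", "10.10.2.20", "HMI", "supervisory", 3),
    Asset("ews-01", "10.10.2.21", "EWS", "supervisory", 4),
    Asset("hist-01", "10.10.3.30", "historian", "dmz", 2),
]

# Constructed baseline: the only cross-zone traffic considered normal.
POLICY: Policy = {
    ("supervisory", "cell-A", "modbus-tcp", 502),   # HMI/EWS poll the PLCs
    ("supervisory", "dmz", "opc-ua", 4840),         # supervisory feeds the historian
}

# Constructed observed flows, as passive monitoring (Phase 1/4) might report.
FLOWS: List[Flow] = [
    ("10.10.2.20", "10.10.1.10", "modbus-tcp", 502),  # allowed by policy
    ("10.10.2.21", "10.10.3.30", "opc-ua", 4840),     # allowed by policy
    ("10.10.3.30", "10.10.1.11", "modbus-tcp", 502),  # dmz -> cell-A: not allowed
    ("10.10.1.10", "10.10.1.11", "modbus-tcp", 502),  # intra-zone: allowed
    ("192.0.2.99", "10.10.1.10", "ssh", 22),          # source not in inventory
    ("10.10.2.20", "10.10.3.30", "smb", 445),         # wrong protocol for this pair
]


def index_by_ip(inventory: Iterable[Asset]) -> Dict[str, Asset]:
    return {a.ip: a for a in inventory}


def evaluate_flows(inventory: Iterable[Asset], policy: Policy, flows: Iterable[Flow]) -> List[dict]:
    """Phase 4/5: compare observed flows with the zone policy and rank deviations.

    Intra-zone traffic is treated as allowed (zones are the unit of policy).
    Flows involving an IP that is not in the inventory are flagged at the
    highest severity, since an unknown asset is itself a discovery gap.
    """
    by_ip = index_by_ip(inventory)
    deviations = []
    for src_ip, dst_ip, proto, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            deviations.append({"reason": "unknown-asset", "src": src_ip, "dst": dst_ip,
                               "proto": proto, "port": port, "severity": 5})
            continue
        if src.zone == dst.zone or (src.zone, dst.zone, proto, port) in policy:
            continue
        # Severity follows the most critical endpoint touched by the deviation.
        deviations.append({"reason": "policy-violation", "src": src.asset_id, "dst": dst.asset_id,
                           "zones": (src.zone, dst.zone), "proto": proto, "port": port,
                           "severity": max(src.criticality, dst.criticality)})
    return sorted(deviations, key=lambda d: -d["severity"])  # stable: keeps flow order within a tier


def render_firewall_rules(policy: Policy) -> List[str]:
    """Phase 6: mirror the validated policy as ordered rules with a default deny.

    The "permit from-zone ... to-zone ..." syntax is hypothetical.
    """
    rules = [f"permit from-zone {s} to-zone {d} proto {p} port {port}"
             for s, d, p, port in sorted(policy)]
    rules.append("deny from-zone any to-zone any")
    return rules


if __name__ == "__main__":
    for dev in evaluate_flows(INVENTORY, POLICY, FLOWS):
        print(dev)
    print("\n".join(render_firewall_rules(POLICY)))
```

Running the block lists three deviations: the historian reaching into the PLC cell and the flow from an unknown address come first at severity 5, and the SMB flow between supervisory and DMZ zones follows at severity 3. That ordering is the Phase 5 triage queue; only once each item has been investigated and the policy tuned do the rendered rules get mirrored into the firewall, with the trailing default deny making anything not explicitly modelled in Phase 3 a blocked flow.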
By following this phased approach, organizations can successfully achieve network protection within their environment. However, you still may be wondering what tools you can leverage to get started. Here’s where a CPS PP can step in to help.
Recognizing that no two CPS networks are the same, there cannot be a one-size-fits-all approach to discovering them. At Claroty, our built-for-CPS protection begins with an intimate understanding of CPS networks and the assets within them. Our solution employs multiple discovery methods to identify all assets within the operational network, including those that use unique or proprietary protocols or are air-gapped. It begins with non-passive discovery to kickstart your CPS protection journey and concludes with passive discovery to reach your network protection goals.
This dynamic approach to asset visibility is why our solutions are able to help critical infrastructure organizations, like yours, reduce the cybersecurity risk that results from increased connectivity. Regardless of the scale or maturity of your CPS cybersecurity program, our precise and tailor-made discovery approach helps our users more quickly operationalize their asset inventory, achieving an overall faster time-to-value (TTV) and lower total cost of ownership.
Get started on your journey to network protection today by chatting with one of our experts.