
Industrial Case Study

IT SOC and OT Personnel

Incident Response for Remote User Activity

The Claroty Platform is an industrial cybersecurity solution built on our Continuous Threat Detection (CTD) and xDome Secure Access products. It provides a full range of industrial cybersecurity controls that integrate with existing infrastructure, scale with the environment, and support the distinct needs and priorities of operational technology (OT) and information technology (IT) personnel. The platform is also the industry's only such solution to offer fully integrated remote incident management that covers the entire incident lifecycle. The following use case shows how IT security operations center (SOC) and OT personnel can use the platform together to detect, investigate, and respond to an OT incident involving remote user activity, from any location.

Use Case Background

The respective roles and responsibilities of the IT SOC personnel and OT personnel in this example include:

IT SOC Personnel

  • Owns OT cybersecurity risk management

  • Monitors and responds to OT remote access incidents

  • Uses CTD to detect anomalous activity on the OT network

OT Personnel

  • Owns OT availability, reliability, and safety

  • Uses xDome Secure Access to remotely access and service OT assets

  • Relies on the IT SOC to detect anomalies on OT networks

Part 1

An OT engineer submits a management of change (MoC) ticket requesting authorization to connect to an engineering workstation to conduct maintenance on a programmable logic controller (PLC) via xDome Secure Access. The OT manager then receives the engineer’s MoC ticket and authorizes the request directly within the xDome Secure Access Center (SAC).

Part 2

While using xDome Secure Access to reach the engineering workstation and conduct maintenance on a PLC, the OT engineer mistakenly downloads a new configuration to the PLC (in PLC terminology, a download pushes a program or configuration from the workstation to the controller, so it changes what the controller runs). Because this operation was not included in the MoC ticket and was not authorized, it immediately triggers a configuration download alert in CTD. As with all Claroty alerts, this alert carries context: root-cause analysis, the associated indicators and assets, the xDome Secure Access session in which the operation occurred, and an alert score reflecting the level of risk the operation poses to the OT environment. This context helps reduce false positives and speeds up triage and investigation.

Part 3

An IT SOC analyst sees the alert in CTD. The alert includes the original MoC ticket, the specific xDome Secure Access session and user, and the unauthorized operation that triggered it. After reviewing this information, the analyst escalates the alert to the IT SOC manager. The manager monitors the OT engineer's live xDome Secure Access session directly from CTD, decides to disconnect the session immediately, and then views the session recording to investigate the event that triggered the alert.

Noticing that their xDome Secure Access session has been terminated, the OT engineer tries to reconnect to the engineering workstation but cannot. The authorization granted for the original session is no longer valid, so to reach the workstation again the engineer must request authorization for a new session.

Part 4

After determining that the OT engineer's configuration download to the PLC during the xDome Secure Access session was an unintentional error, the IT SOC manager notifies the OT manager. The OT manager then authorizes the engineer's request for a new session to resume the original maintenance task, but only after narrowing the engineer's access permissions so that the same operation cannot recur.

The OT manager also opts to monitor this session in real-time to ensure it remains error- and risk-free.
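The four parts above describe one control loop: an approved change ticket defines what a remote session may do, observed operations are checked against that scope, an out-of-scope operation raises a contextual alert, disconnecting the session revokes its grant so the original authorization cannot be reused, and re-authorization can be issued with a narrower scope. The following is an added illustration of that loop in Python; it is not Claroty code and does not use any Claroty API. The ticket identifiers, asset names, operation names, risk weights and criticality values are all constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed example, not Claroty code. Models the workflow in Parts 1-4:
# a MoC ticket scopes a remote session, observed operations are checked
# against that scope, out-of-scope operations raise a contextual alert,
# and disconnecting a session revokes its grant.

# Assumed risk weights per operation (1 = benign, 10 = most disruptive).
OP_RISK = {
    "connect": 1,
    "read_status": 1,
    "online_monitor": 2,
    "config_download": 9,   # pushes a new program/config to the controller
    "firmware_update": 10,
}

# Assumed asset criticality multipliers (PLC outranks the workstation).
ASSET_CRITICALITY = {"EWS-01": 1, "PLC-07": 3}


@dataclass(frozen=True)
class MocTicket:
    ticket_id: str
    user: str
    scope: frozenset  # (asset, operation) pairs the approver authorized


@dataclass
class Session:
    session_id: str
    ticket: MocTicket
    active: bool = True
    recording: list = field(default_factory=list)  # every observed event


class SecureAccessMonitor:
    """Combines the access broker (grant/revoke) with the detection check."""

    def __init__(self):
        self._ids = count(1)
        self.revoked_tickets = set()
        self.alerts = []

    def open_session(self, ticket):
        # A disconnected session's grant is not reusable: a new ticket is needed.
        if ticket.ticket_id in self.revoked_tickets:
            return None
        return Session(f"sess-{next(self._ids)}", ticket)

    def observe(self, session, asset, op):
        """Check one observed operation against the session's ticket scope."""
        session.recording.append((asset, op))
        if not session.active or (asset, op) in session.ticket.scope:
            return None
        # Out of scope: raise an alert carrying the context an analyst needs.
        alert = {
            "type": f"unauthorized_{op}",
            "asset": asset,
            "user": session.ticket.user,
            "session": session.session_id,
            "ticket": session.ticket.ticket_id,
            "score": OP_RISK.get(op, 5) * ASSET_CRITICALITY.get(asset, 1),
        }
        self.alerts.append(alert)
        return alert

    def disconnect(self, session):
        """Terminate the session, revoke its grant, and hand back the recording."""
        session.active = False
        self.revoked_tickets.add(session.ticket.ticket_id)
        return list(session.recording)


def run_scenario():
    """Replay Parts 1-4 with constructed identifiers; returns values to check."""
    mon = SecureAccessMonitor()
    # Part 1: ticket approved for connecting to the EWS and monitoring the PLC.
    ticket = MocTicket("MOC-1042", "ot.engineer", frozenset({
        ("EWS-01", "connect"), ("PLC-07", "online_monitor"), ("PLC-07", "read_status"),
    }))
    s1 = mon.open_session(ticket)
    # Part 2: in-scope activity, then the mistaken configuration download.
    mon.observe(s1, "EWS-01", "connect")
    mon.observe(s1, "PLC-07", "online_monitor")
    alert = mon.observe(s1, "PLC-07", "config_download")
    # Part 3: the SOC disconnects; the original grant no longer opens a session.
    recording = mon.disconnect(s1)
    retry = mon.open_session(ticket)
    # Part 4: the OT manager re-authorizes with a narrower, monitoring-only scope.
    restricted = MocTicket("MOC-1043", "ot.engineer", frozenset({
        ("EWS-01", "connect"), ("PLC-07", "online_monitor"),
    }))
    s2 = mon.open_session(restricted)
    mon.observe(s2, "PLC-07", "online_monitor")
    repeat = mon.observe(s2, "PLC-07", "config_download")  # still out of scope
    return {
        "alert": alert, "recording": recording, "retry": retry,
        "restricted_session": s2, "repeat_alert": repeat,
        "alert_count": len(mon.alerts),
    }


if __name__ == "__main__":
    print(run_scenario()["alert"])
```

The point of the model is the separation of duties the case study describes: the ticket scope is set by the OT approver, the scope check and alert scoring sit with the monitoring side, and revocation on disconnect means a terminated session cannot be silently resumed under its old authorization.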
