The First Step in Operational Technology (OT) Cybersecurity

Airgap Networks
5 min read · Sep 6, 2022


Legacy security controls, tools, and practices cannot address OT and IoT devices’ vulnerabilities. Visibility is a fundamental cybersecurity strategy to protect networks, transient assets, and information. In OT cybersecurity, asset management is the most critical part.

Understand the security challenges with OT asset inventory:

  1. Complex, multi-vendor systems that an OT asset inventory has to cover
  2. Geographically separated sites that all need to be inventoried consistently
  3. No security awareness around OT asset inventory management
  4. Lack of up-to-date security capabilities for keeping an accurate asset inventory within the product
  5. Lack of visibility into internal and external networks

Industrial organizations have developed asset registers and tracking systems to meet compliance and cybersecurity insurance mandates for OT ICS asset inventory management and control.

Knowing every device is critical to providing security protection for the enterprise. Rogue devices being introduced into the network could serve as a platform for hackers to launch internal cyber-attacks.

An asset inventory system is not only computers or workstations; the tool helps track processes, data communications, data flows, networks, and architectures.

Currently, most organizations have no accurate solution for maintaining an asset inventory of their OT systems. Some may have passive or agent/host-based security solutions in place.

Because passive asset monitoring systems only see mirrored traffic, they can only show the assets that are actually communicating and what passes between them. Often they cannot give complete details of transient assets, because the captured packets carry only minimal identifying information.

Host/agent-based systems are mostly not recommended by OEMs because they can degrade system performance.

Onsite experience with a client

While performing a site survey on location at a petrochemical plant, we demonstrated how accessible their systems were to the public internet. Using the tool shodan.io, we showed the plant engineering team that their device and system information was readily and freely available to the public.

OT/ICS environments are complex, multi-vendor industrial environments, often with geographically distributed resources and management systems. We need complete visibility of our networks and associated assets, because networks are the most vulnerable part of the environment: they are how hackers gain access, penetrate further, and communicate with their Command and Control server (C&C).

Legacy asset management is not feasible for modern-day IT/OT environments.

Without comprehensive asset inventory management, organizations operate on quicksand: they don’t know the true security status of their environment and cannot conduct effective security management at scale. In many cases, industrial organizations build a basic asset inventory only to find that it lacks the information necessary for security.

Airgap Zero Trust Isolation acts as the gateway for IT/OT networks. It uses agentless network access control (NAC) with inline security for complete visibility and control, and combines multiple passive and active techniques so that the asset inventory is complete and validated. It’s critical to understand OT assets and the protocols they use to communicate.

Once the OT assets are identified, we can classify them based on their attributes, behaviors, or the level where they reside.

Using Machine Learning for autonomous OT asset discovery and device classification

Artificial intelligence and machine learning play important roles in asset management, helping organizations meet their compliance mandates with accurate and timely aggregation. Asset intelligence uses AI and ML to better understand asset usage, productive time, and end-of-life disposition.

Asset intelligence is fed by deep packet inspection (DPI) data at the network access control layer. DPI helps to identify and classify assets: when a packet passes, the source and destination IP addresses are read from the header, and deeper in the packet it can pick up identifiers such as a UID on Linux systems or a SID on Windows systems, so the whole packet is understood. The same intelligence can identify any Ethernet-based PLC or RTU; when it detects a PLC, it classifies it as a Level 1 asset.
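The two ideas above (an inventory that is built passively from mirrored traffic, and protocol-based classification of controllers into levels) can be shown in a few dozen lines. The following is an added example written for this article, not Airgap code; the flow records, the asset register and the port-to-role mapping are constructed assumptions, and the header fields used (source/destination IP and destination port) are what a mirror port or flow exporter gives you. It also makes the post's limitation concrete: a declared device that never sends traffic over the mirrored link does not appear in the passive inventory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Well-known server ports of common industrial protocols (public IANA
# assignments). A host accepting connections on one of these is treated as
# controller-class equipment at the stated level; the mapping is an
# assumption of this example, not an Airgap rule.
INDUSTRIAL_SERVER_PORTS = {
    502:   ("modbus-tcp",  "PLC/RTU",       1),
    102:   ("s7comm",      "PLC",           1),
    44818: ("ethernet-ip", "PLC",           1),
    20000: ("dnp3",        "RTU",           1),
    4840:  ("opc-ua",      "OPC UA server", 2),
}


@dataclass
class Asset:
    ip: str
    first_seen: datetime
    last_seen: datetime
    protocols: set = field(default_factory=set)
    talks_to: set = field(default_factory=set)
    role: str = "unknown"
    level: Optional[int] = None


def build_inventory(flows):
    """Build an IP-keyed asset table from flow records.

    Each flow is (timestamp, src_ip, dst_ip, l4_proto, dst_port), i.e. the
    header fields a mirror port or flow exporter provides. Only endpoints
    that appear in at least one flow can become assets.
    """
    inventory = {}
    for ts, src, dst, _proto, dport in flows:
        for ip in (src, dst):
            asset = inventory.setdefault(ip, Asset(ip, ts, ts))
            asset.first_seen = min(asset.first_seen, ts)
            asset.last_seen = max(asset.last_seen, ts)
        inventory[src].talks_to.add(dst)
        inventory[dst].talks_to.add(src)

        fingerprint = INDUSTRIAL_SERVER_PORTS.get(dport)
        if fingerprint is None:
            continue
        name, role, level = fingerprint
        # The side accepting connections on the industrial port is the server
        # (the PLC/RTU); it is classified from that alone.
        server = inventory[dst]
        server.protocols.add(name)
        server.role, server.level = role, level
        # The client polling it sits one level up (e.g. an HMI polling a PLC)
        # unless it has already been classified from its own server role.
        client = inventory[src]
        client.protocols.add(name)
        if client.level is None:
            client.role, client.level = f"{name} client", level + 1
    return inventory


def unobserved(inventory, declared_ips):
    """Declared assets that never appeared on the mirrored link.

    These are exactly the devices passive monitoring cannot vouch for:
    silent, serial-attached, or sitting on an unmirrored segment.
    """
    return set(declared_ips) - set(inventory)


T0 = datetime(2022, 9, 6, 8, 0, 0)
# Constructed sample flows (not captured from any real plant).
SAMPLE_FLOWS = [
    (T0,                        "10.10.2.20", "10.10.1.5",  "tcp", 502),    # HMI polls PLC (Modbus/TCP)
    (T0 + timedelta(seconds=1), "10.10.2.20", "10.10.1.6",  "tcp", 44818),  # HMI polls PLC (EtherNet/IP)
    (T0 + timedelta(seconds=5), "10.10.3.30", "10.10.2.20", "tcp", 4840),   # historian reads OPC UA from HMI host
    (T0 + timedelta(minutes=1), "10.10.2.20", "10.10.1.5",  "tcp", 502),    # second poll of the same PLC
]
# Constructed asset register (the site's spreadsheet); 10.10.1.7 is a
# controller that sends no traffic over the mirrored link.
DECLARED_ASSETS = ["10.10.1.5", "10.10.1.6", "10.10.1.7", "10.10.2.20"]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for a in sorted(inv.values(), key=lambda a: (a.level or 99, a.ip)):
        print(f"{a.ip:12} L{a.level} {a.role:18} {sorted(a.protocols)} "
              f"seen {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
    print("declared but never seen:", unobserved(inv, DECLARED_ASSETS))
```

The register cross-check is the part worth keeping in a real deployment: the set returned by `unobserved()` is the list of devices for which an active query or a physical walk-down is still needed, which is why the post argues for combining passive and active techniques.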

What are the best practices for asset tracking and inventory?

In a successful cyber security program, asset inventory management is the first step towards robust device security.

It’s well known that you cannot protect what you cannot see. Timely hardware asset inventory information and comprehensive software inventory data are critical for OT security. These key inventory elements strengthen cyber security efforts and maturity by enabling rapid discovery of endpoint asset data. Some design principles include:

  • Once assets have been identified through a robust inventory, one or more zones should be created.
  • A zone is a group of assets that share the same security requirements.
  • With the latest threat vectors and types of attacks, we also need to segment assets within the network.
  • Even OT systems sharing the same VLAN should be segmented.
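To make the zoning principles above concrete, here is an added example of a default-deny zone/conduit check, written for this article rather than taken from Airgap's product. The asset-to-zone map, the conduit list and the observed flows are constructed. Inter-zone traffic is allowed only through an explicitly listed conduit, an endpoint with no zone label is never implicitly trusted, and a zone marked as micro-segmented requires a conduit even for traffic between its own members, which is the "same VLAN" case in the last bullet.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed asset-to-zone map (output of the inventory step).
ASSET_ZONES = {
    "10.10.1.5":  "cell-A-control",
    "10.10.1.6":  "cell-A-control",
    "10.10.2.20": "cell-A-supervisory",
    "10.10.2.21": "cell-A-supervisory",
    "10.20.5.7":  "it-corporate",
    "10.10.1.99": None,   # seen on the control VLAN but not yet classified
}

# Permitted conduits between zones: (src_zone, dst_zone, proto, dst_port).
CONDUITS = {
    ("cell-A-supervisory", "cell-A-control", "tcp", 502),
    ("cell-A-supervisory", "cell-A-control", "tcp", 44818),
}

# Zones whose members may not talk to each other without a conduit, even
# though they share a VLAN.
MICROSEGMENTED_ZONES = {"cell-A-control"}


def evaluate(flow, zones=ASSET_ZONES, conduits=CONDUITS, microseg=MICROSEGMENTED_ZONES):
    """Return (verdict, reason) for one flow under a default-deny policy."""
    src_zone, dst_zone = zones.get(flow.src), zones.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unclassified endpoint"
    if src_zone == dst_zone and src_zone not in microseg:
        return "allow", f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in conduits:
        return "allow", f"conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def audit(flows, **policy):
    """Return the flows the policy would deny, each with its reason.

    In monitor mode these go to a review queue; in enforce mode the same
    decisions drive the segmentation gateway's block list.
    """
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow, **policy)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed observed flows.
OBSERVED = [
    Flow("10.10.2.20", "10.10.1.5",  "tcp", 502),   # HMI -> PLC through a listed conduit
    Flow("10.10.2.20", "10.10.2.21", "tcp", 445),   # HMI -> HMI inside the supervisory zone
    Flow("10.10.1.5",  "10.10.1.6",  "tcp", 502),   # PLC -> PLC, same VLAN, micro-segmented zone
    Flow("10.20.5.7",  "10.10.1.5",  "tcp", 502),   # corporate host -> PLC, no conduit
    Flow("10.10.1.99", "10.10.1.5",  "tcp", 502),   # unclassified device -> PLC
]

if __name__ == "__main__":
    for flow, reason in audit(OBSERVED):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the sample flows, the first two are allowed and the last three are denied; the third shows why VLAN membership alone is not a segmentation boundary.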

Value of Airgap Networks

Industrial organizations want an out-of-the-box asset inventory view without worrying about the status of agent-based patch management or protection software. Airgap takes an agentless, in-line approach so that no asset is missed in the inventory effort.

  • Deploy the most cost-effective and agentless micro-segmentation in your IT and OT environments
  • Reduce your flat network exposure with granular defense in depth to meet NIST CSF and compliance audits, complete the asset inventory, and gather vulnerability data
  • Preserve existing IT and network security hardware or software investment. Easy onboarding within minutes, not months
  • Leverage the industry’s first Ransomware Kill Switch for rapid incident response to reduce the Ransomware blast radius and improve vulnerability management

Only the starting point

Effective cyber security starts with robust asset information, timely aggregation across however many industrial control system environments an organization runs, user access control, and zero-trust policy enforcement applied without exceptions across entire IT/OT environments. Digital transformation initiatives and the shift to a hybrid workforce create new risks. Due to a rapidly changing threat landscape, organizations are increasingly focusing on the security risks they face outside conventional enterprise IT. Airgap focuses on network-based security and asset visibility for IT and OT security environments. Security practitioners need to explore an agentless approach for all managed and unmanaged devices, and possibly passive detection through network device configurations, combined with full software inventory efforts, to meet security initiatives.

For more information on how to adopt a unified and agentless approach in IT, OT, IoT, Internet of Medical Things (IoMT), and Industrial Internet of Things (IIoT) environments for accurate asset discovery, please visit https://airgap.io/.

The industrial internet of things refers to interconnected sensors, instruments, and other devices networked together with computers’ industrial applications, including manufacturing and energy management. (Wikipedia)
