World-Class OT Cybersecurity: Utilizing Visibility and Monitoring
My name is Dillon Lee; I am a Principal Technical Account Manager at Dragos and a Key Volunteer at ICS Village. I have worked with hundreds of unique environments across all sectors at this point in my career. I hear and see the challenges of customers and students through my work. All views expressed in my articles are my own and not representative of Dragos or ICS Village.
A customer journey
The journey to becoming "World Class" is different for every company, which is fine as long as the goal remains the same: reducing risk and protecting our critical infrastructure. A company willing to work through the 5 Critical Controls is setting itself up for success; the foundation it builds compounds for a cyber security team.
Along the journey to cyber resilience, network monitoring becomes a critical pivot point in improving your cyber standing as a company. In World-Class OT Cybersecurity: Intro to Building a Defensible Architecture, I talked about getting started with physical segmentation and rolling out an OT-to-IT conduit using a firewall where possible. You move along your customer journey at your own pace: at one employer that single phase may take a week's worth of work; at another, starting the segmentation could be a full-year rollout. Once you feel confident in your segmentation, or are looking for help identifying more gaps in it, you are ready to progress to network monitoring solutions.
Network monitoring solutions come in many forms and flavors depending on which vendors you choose. The most significant advice I will give anyone is to be ready to have everything on your network shown to you. These solutions will show you the expected traffic as well as the erroneous connections that breach policies or expectations. Rolling out this tooling is not meant to make you the big brother of the users in your facility, but it can be eye-opening to see all the tools, protocols, and user connections on your network.
The 5 Critical Controls start with ICS incident response planning and defensible architecture because you will employ those learnings immediately. Site contacts are subject matter experts on the technologies in use at their facilities, and the relationships built and fostered through that work are about to start paying back in trust and support. Your new role in OT will be bridging the gaps: being brought in as the expert in your craft, just as they bring in Safety for procedure changes and Human Resources for employment information.
"You can't protect what you can't see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors traffic for potential threats. Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks. Additionally, monitoring can also identify vulnerabilities easily for action."
You can't protect what you can't see.
Breaking down the guide statement into digestible sections is relatively easy for network monitoring.
"Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture."
Utilizing the conduit you created previously gives a perfect place to create a network feed using a SPAN session, port mirror, or a TAP. Garland has a great article on the differences between TAP and SPAN configurations: TAPs vs SPAN. One caveat worth remembering from it: a SPAN can drop frames when the mirrored traffic exceeds what the destination port can carry, so a gap in a capture is not always a gap on the network. To test the feed, you can use a tool like Wireshark to collect a packet capture (PCAP). Once you have the PCAP, you can look through it in Wireshark to identify hosts by IP address, MAC address, and expected traffic. Problems are all too common at this stage of monitoring a network: you might not see a device that you know is online, you might see internet-bound traffic still flowing North / South, or you might see addresses and devices you do not recognize for the first time.
In the passive monitoring space for OT, a non-exhaustive list of focus points should include:
· Asset identification and enrichment
· OT protocol dissection for additional asset enrichment
· Threat-centric indicators of compromise
· Operational data reporting (key switch state change)
· Network communication mapping
· Investigation and response capabilities
· Flexible deployment models (all networks are unique)
North / South conduits are not all seeing.
North / South conduits are a fantastic place to start because you can see everything coming in and out of the network. Because everything crosses that one point, it is usually where misconfigurations and segmentation failures are easiest to spot. The knowledge gained from seeing assets talking incorrectly across this conduit gives you great input for segmenting. Company policies should provide the guardrails for how you want the network segmented. With those policies as the goal, you can identify internet-bound traffic, IT-to-OT traversals, PLCs talking to cloud or DNS services, or vendors remoting into the OT network.
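The PCAP review step described earlier and the conduit policy checks in this paragraph can be scripted once the policy is written down. The following is an added example, not code from the article or from any vendor product: a minimal pure-Python libpcap reader that inventories hosts by IP and MAC and flags the four conditions named above. The OT and IT ranges, the expected-asset table, and the capture itself are all constructed for the example; note that direction for TCP is taken from the SYN flag, so a reply from an IT server to an OT-initiated session is not reported as an IT-to-OT traversal.

```python
import struct
import ipaddress
from collections import defaultdict

OT_NET = ipaddress.ip_network("10.10.1.0/24")   # assumption: OT cell network behind the conduit
IT_NET = ipaddress.ip_network("10.0.0.0/16")    # assumption: corporate IT range
KNOWN_OT = {"10.10.1.10": "PLC-01", "10.10.1.20": "HMI-01", "10.10.1.30": "HIST-01"}  # constructed inventory


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, tcp_flags=0x02):
    """Ethernet II + IPv4 + TCP (SYN by default) or UDP header; no payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, 16-byte record headers, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, initiates) per IPv4 TCP/UDP frame."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("example handles Ethernet (linktype 1) captures only")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, VLAN-tagged and pure layer 2 OT traffic are skipped by this example
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 8:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        # A TCP segment initiates a session only when SYN is set without ACK; every UDP datagram counts.
        initiates = proto == 17 or (len(l4) >= 14 and (l4[13] & 0x12) == 0x02)
        yield (frame[6:12].hex(":"), frame[:6].hex(":"),
               str(ipaddress.ip_address(frame[26:30])), str(ipaddress.ip_address(frame[30:34])),
               proto, sport, dport, initiates)


def triage(pcap):
    """Build a source-IP inventory and evaluate the conduit policy on every frame."""
    assets = defaultdict(lambda: {"mac": None, "talks_to": set()})
    findings = []
    for smac, dmac, sip, dip, proto, sport, dport, initiates in parse_pcap(pcap):
        s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
        assets[sip]["mac"] = smac
        assets[sip]["talks_to"].add((dip, proto, dport))
        if s in OT_NET and sip not in KNOWN_OT:
            findings.append(("unknown-ot-asset", sip, dip, dport))
        if not d.is_private:
            findings.append(("internet-bound", sip, dip, dport))
        if s in OT_NET and d not in OT_NET and dport == 53:
            findings.append(("ot-dns-egress", sip, dip, dport))
        if initiates and s in IT_NET and d in OT_NET:
            findings.append(("it-to-ot-initiation", sip, dip, dport))
    return dict(assets), findings


# Constructed sample capture, as if taken from the SPAN on the IT/OT conduit (not a real customer PCAP).
SAMPLE_PCAP = build_pcap([
    ipv4_frame("00:1d:9c:00:00:30", "00:50:56:00:00:05", "10.10.1.30", "10.0.5.5", 6, 50000, 1433),  # historian -> IT SQL, expected
    ipv4_frame("00:50:56:00:00:05", "00:1d:9c:00:00:30", "10.0.5.5", "10.10.1.30", 6, 1433, 50000, tcp_flags=0x12),  # SYN-ACK reply
    ipv4_frame("00:1d:9c:00:00:10", "00:11:22:00:00:01", "10.10.1.10", "8.8.8.8", 17, 40000, 53),      # PLC resolving DNS on the internet
    ipv4_frame("00:50:56:00:00:50", "00:11:22:00:00:01", "10.0.5.50", "10.10.1.20", 6, 51000, 3389),   # IT workstation RDP into the HMI
    ipv4_frame("00:1d:9c:00:00:99", "00:1d:9c:00:00:10", "10.10.1.99", "10.10.1.10", 6, 52000, 502),   # address missing from the inventory
])

if __name__ == "__main__":
    assets, findings = triage(SAMPLE_PCAP)
    for ip, info in sorted(assets.items()):
        print(ip, KNOWN_OT.get(ip, "?"), info["mac"], sorted(info["talks_to"]))
    for f in findings:
        print("FINDING", *f)
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a file exported from Wireshark (classic .pcap, not pcapng). The rules are deliberately simple; the point is that each one maps to a sentence in the segmentation policy, so a finding can be handed to the site contact with the policy line it breaks.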
While we see great information on that North / South conduit, we frequently see only some of the assets in the OT network. Moving down the network, commonly referred to as East / West, means gaining visibility on the lower networks where PLCs, HMIs, VFDs, I/O, and sensors reside. In this layer of the OT network, the devices are constantly talking to each other, sometimes purely at layer 2 and often without ever leaving the cell, which means we have no expectation of seeing that traffic pass up through the conduit. These lower-level protocols are where you will need trustworthy OT solutions to dissect what is commonly seen here:
· Rockwell Automation typically uses EtherNet/IP
Building out an asset inventory
OT network monitoring solutions use the data they see to build out asset inventories that give context. For example, Rockwell controllers have a key switch on the front that controls the controller's operating mode: Remote, Run, or Program. When an operator turns the key switch, the controller, depending on its configuration, sends that information over the wire, which a passive monitoring tool can pick up to identify not only what mode the controller is in but also the make, model, firmware revision and more from the EtherNet/IP communications. That local, lower-level traffic holds a lot of valuable data about devices, which can enrich your asset inventory and give context to what you see on the network.
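To make the enrichment concrete, here is an added example (not code from the article or from any monitoring product) that decodes the identity fields a passive sensor can lift from EtherNet/IP. A ListIdentity reply (encapsulation command 0x0063) carries a CIP Identity item with the vendor ID, device type, product code, firmware revision, status word, serial number and product name; the request is typically a UDP broadcast to port 44818, so these replies normally stay inside the cell network and never reach the conduit. The replies below are constructed, the product codes are arbitrary, and the key switch position is left undecoded because it lives in vendor-specific bits of the status word; only the standard CIP status bits are interpreted.

```python
import struct

# Public ODVA assignments; only the few needed for the constructed samples are listed.
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {0x02: "AC Drive", 0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}


def build_list_identity_reply(vendor, dev_type, product, major, minor, status, serial, name, ip, port=44818):
    """Assemble an EtherNet/IP ListIdentity (0x0063) reply holding one CIP Identity item (0x000C)."""
    sockaddr = struct.pack("!HH4s8s", 2, port, bytes(int(o) for o in ip.split(".")), b"\x00" * 8)
    item = struct.pack("<H", 1) + sockaddr                                    # encapsulation version, socket address
    item += struct.pack("<HHHBBHI", vendor, dev_type, product, major, minor, status, serial)
    item += bytes([len(name)]) + name.encode("ascii") + b"\x03"              # product name, state byte (3 = operational)
    body = struct.pack("<HHH", 1, 0x000C, len(item)) + item                  # item count, type id, item length
    header = struct.pack("<HHIIQI", 0x0063, len(body), 0, 0, 0, 0)            # command, length, session, status, context, options
    return header + body


def decode_status(status):
    """Standard bits of the CIP Identity Status attribute; vendor-specific bits 4-7 are not interpreted."""
    names = {0x0001: "owned", 0x0004: "configured",
             0x0100: "minor recoverable fault", 0x0200: "minor unrecoverable fault",
             0x0400: "major recoverable fault", 0x0800: "major unrecoverable fault"}
    return [n for bit, n in names.items() if status & bit]


def parse_list_identity(data):
    """Extract inventory fields from a ListIdentity reply; return None for anything else."""
    if len(data) < 24:
        return None
    command, length = struct.unpack("<HH", data[:4])
    if command != 0x0063 or len(data) < 24 + length:
        return None
    body = data[24:24 + length]
    item_count, = struct.unpack("<H", body[:2])
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack("<HH", body[off:off + 4])
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if type_id != 0x000C or len(item) < 34 or len(item) < 34 + item[32]:
            continue
        port, = struct.unpack("!H", item[4:6])                  # the socket address is big-endian
        ip = ".".join(str(b) for b in item[6:10])
        vendor, dev_type, product, major, minor, status, serial = struct.unpack("<HHHBBHI", item[18:32])
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", "replace")
        return {"ip": ip, "port": port,
                "vendor": VENDORS.get(vendor, f"vendor {vendor}"),
                "device_type": DEVICE_TYPES.get(dev_type, f"type 0x{dev_type:02x}"),
                "product_code": product, "revision": f"{major}.{minor}",
                "serial": f"{serial:08x}", "product_name": name,
                "status_flags": decode_status(status), "state": item[33 + name_len]}
    return None


# Constructed replies (not captured from real devices); names follow the Rockwell naming style only.
SAMPLE_PLC = build_list_identity_reply(1, 0x0E, 89, 32, 11, 0x0060, 0xC0FFEE01, "1756-L71/B LOGIX5571", "10.10.1.10")
SAMPLE_ADAPTER = build_list_identity_reply(1, 0x0C, 166, 10, 7, 0x0404, 0xDEADBEEF, "1756-EN2T/D", "10.10.1.11")

if __name__ == "__main__":
    for reply in (SAMPLE_PLC, SAMPLE_ADAPTER):
        print(parse_list_identity(reply))
```

The fields returned are exactly the ones an advisory is matched against later (vendor, product, firmware revision), which is why an inventory built from this traffic is more useful than one built from IP addresses alone.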
Some environments are old, modified from their original state, retrofitted with upgrades, or simply unknown. Good network visibility can build your asset inventory for you. Countless times, as customers of mine roll out layer 2 visibility, they find devices they thought were decommissioned or updated, or that they are seeing for the first time. Finding these devices is okay, but it changes the risk model, what needs to be considered for patching, and how you work with operations to build out an upgrade path for those devices. The goal is to cover all North / South first, then expand into East / West wherever possible to get proper network visibility.
Utilizing Indicators of Compromise
With proper visibility and a defensible architecture, you should be able to visualize your environment. This also means you better understand what risks are present in it. When threat actors target specific vendors during a campaign, and you can see which vendors are in your environment, you should be able to say whether your current environment is at risk of exploitation. That answer is only as good as the inventory behind it: matching an advisory reliably needs the product model and firmware revision, not just the vendor name.
Final Thoughts
While everyone should deploy network monitoring solutions, understand that getting people, processes, and technology to work in line with one another is an enormous feat. The maturity level of an organization at this phase of its customer journey is leaps and bounds above organizations that pick and choose scattered approaches to OT security. With all of the findings that your network monitoring solution may surface, it is never about punishment; it is a learning opportunity for all to create a safer and more secure environment.
Quick Wins for Leadership
Working through control number one, the ICS incident response plan, we were able to:
· Identify site contacts
· Understand your role in a disaster and the next steps
· Prioritize sites based on risk
Control number two, defensible architecture, built the physical network segmentation, and that foundational layer:
· Reduced your risk by removing devices with internet access
· Started identifying OT devices
· Built the first conduit from IT to OT with firewalls or switches
Control number three, visibility and monitoring, used the learnings from both previous critical controls to drive security forward and delivered:
· Confirmation of the defensible architecture
· An asset inventory of the live environment
· Accurate risk profiles for the network
Strategic Account Manager at Dragos, Inc.
6 months ago: Nice job of framing this so it's easy to understand - thanks!!
InfoSec | OT | Technologist | Maker | Researcher | Start ups
6 months ago: Well said! Dillon
Manager, OT Cybersecurity | Abbott
6 months ago: Great stuff Dillon, thanks for the write up!