Where to Start: A How-To for Improving Your OT Security Posture (Part Three)
Larry Grate, EOSYS Director of Business Development OT Infrastructure & Security, shares the six key steps we recommend to guide clients as they begin to build a powerful cyber defense in this three-part article.
ICS Network Monitoring
This section focuses on detecting adversarial activity within your ICS/OT environment. When you created your Incident Response Plan, you identified at least two scenarios and wrote response plans for them. Your network monitoring function should, at a minimum, be able to detect those scenarios, as well as threats to the zones you rated as having the highest consequence to your business. An alert you cannot tie to a scenario you know how to respond to, or to a zone you know matters, is noise.
Network monitoring has two primary components. The first is the aggregation of the logs generated by network and host devices within the environment. This requires a Security Information and Event Management (SIEM) server to which all system logs are forwarded. Configure every endpoint that supports syslog (switches, firewalls, and many ICS devices) to send its messages to the SIEM's syslog collector, and install agents on your Windows and Linux hosts to forward their event logs. Synchronize the clocks of everything that logs (NTP), or you will not be able to correlate events across devices. If your security budget will not support a commercial solution such as Splunk, there are open-source or free options: the Elastic (ELK) Stack under its free Basic license and Wazuh are two examples.
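The following is an added example, not code from the article or from any SIEM product, of the kind of correlation a SIEM should run once the logs arrive: it parses constructed syslog lines from an OT firewall, a VPN gateway and an engineering workstation agent, and implements two hypothetical incident-response scenarios (a connection into the highest-consequence zone from anything other than the engineering workstation, and a remote logon followed shortly by a PLC program download). The zone names, IP ranges, log formats and the 30-minute window are assumptions made for the example.

```python
"""Toy SIEM correlation over constructed syslog lines.

Example added to this article; not the author's code and not any vendor's
rule language. Zones, addresses, log formats and scenarios are invented."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical zone model: which ranges hold the highest-consequence assets.
ZONES = {
    "L1-safety": ip_network("10.10.1.0/24"),   # PLCs / SIS, highest consequence
    "L2-ops":    ip_network("10.10.2.0/24"),   # HMIs, engineering workstation
    "DMZ":       ip_network("10.20.0.0/24"),   # jump hosts, historian replica
}
# Sources the segmentation policy permits into L1; anything else is suspect.
ALLOWED_TO_L1 = {"10.10.2.10"}                 # the engineering workstation

# RFC 3164-style line: "<PRI>Mon dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FW_RE = re.compile(r"action=(?P<act>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)")
VPN_RE = re.compile(r"vpn-logon user=(?P<user>\S+)")
DOWNLOAD_RE = re.compile(r"project download user=(?P<user>\S+) target=(?P<plc>[\d.]+)")

def parse(line, year=2024):
    """Parse one syslog line into a dict, or None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def detect(lines, window=timedelta(minutes=30)):
    """Return (rule, timestamp, detail) alerts for the two hypothetical scenarios.

    Scenario 1: traffic allowed into L1-safety from a source that is not the EWS.
    Scenario 2: a VPN logon followed within `window` by a PLC program download
    by the same user."""
    alerts = []
    recent_vpn = {}                                      # user -> logon time
    for ev in filter(None, map(parse, lines)):
        msg = ev["msg"]
        fw = FW_RE.search(msg)
        if fw and fw["act"] == "allow" and zone_of(fw["dst"]) == "L1-safety" \
                and fw["src"] not in ALLOWED_TO_L1:
            alerts.append(("unexpected-L1-access", ev["ts"], f"{fw['src']}->{fw['dst']}:{fw['port']}"))
        vpn = VPN_RE.search(msg)
        if vpn:
            recent_vpn[vpn["user"]] = ev["ts"]
        dl = DOWNLOAD_RE.search(msg)
        if dl:
            t0 = recent_vpn.get(dl["user"])
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append(("remote-logon-then-download", ev["ts"], f"{dl['user']}->{dl['plc']}"))
    return alerts

# Constructed sample: firewall, VPN gateway and EWS agent all forwarding to the SIEM.
SAMPLE_LOGS = [
    "<134>Mar 12 08:00:01 fw-ot pf: action=allow src=10.10.2.10 dst=10.10.1.5 dport=102",
    "<134>Mar 12 08:02:17 fw-ot pf: action=allow src=10.20.0.7 dst=10.10.1.5 dport=502",
    "<86>Mar 12 08:05:00 vpn-gw sslvpn: vpn-logon user=contractor1 from=203.0.113.9",
    "<86>Mar 12 08:09:42 ews-01 ENG-TOOL: project download user=contractor1 target=10.10.1.5",
    "<86>Mar 12 14:09:42 ews-01 ENG-TOOL: project download user=ops.tech target=10.10.1.6",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The two rules only make sense because the first lines of the block encode what the segmentation policy and the response plan already say; a real SIEM rule set should be derived the same way, from the zones and scenarios you documented, rather than from whatever the tool's default content happens to alert on.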
The second component is a network security monitoring (NSM) tool. These tools require that you mirror (SPAN) or tap traffic from your ICS/OT network to sensors, which pre-process it and forward metadata to centralized servers; because the sensors only listen, they add no traffic to the control network. Commercial solutions include the Dragos Platform; open-source options include Malcolm, developed at Idaho National Laboratory and now maintained by CISA. These tools learn what normal traffic looks like on your network during a baselining period (some with machine learning, most with behavioral baselining of who talks to whom over which protocol) and alert when new traffic patterns occur. They will also help keep your asset inventory current by identifying every asset represented in the traffic they ingest.
Depending on the sophistication of the tool and its parsers for the underlying protocols (S7comm, EtherNet/IP, Modbus and the like), it can also provide rich details on the ICS/OT endpoints in your environment: manufacturer, hardware part number, serial number, firmware version and known vulnerabilities, which is invaluable in keeping your asset inventory current. Note that these details come only from traffic the sensor actually sees; an endpoint that never talks during the capture window will not appear, so reconcile the tool's list against the inventory you built earlier.
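The following is an added example, not code from the article and not how the Dragos Platform or Malcolm is implemented, that shows the two NSM behaviours described above on constructed flow records: it learns a who-talks-to-whom baseline during an assumed one-hour learning window, alerts on conversations and hosts that were never seen during that window, and builds a traffic-derived asset list with the vendor taken from the source MAC's OUI. The flow records, the learning window and the two-entry OUI table are assumptions for the example; check any OUI against the IEEE registry before relying on it.

```python
"""Passive NSM baseline and traffic-derived asset inventory.

Example added to this article; not the author's code and not the design of
any named product. Flow records are constructed; the OUI table is an
illustrative subset (assumed) that should be verified against the IEEE registry."""
from dataclasses import dataclass, field

# Illustrative OUI -> vendor map (assumed for the example).
OUI = {"00:1b:1b": "Siemens", "00:80:f4": "Schneider Electric"}

@dataclass
class Flow:
    ts: int           # seconds since the sensor started capturing
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str        # application protocol as decoded by the sensor, e.g. "s7comm"

@dataclass
class Monitor:
    learning_secs: int = 3600                          # baselining window
    baseline: set = field(default_factory=set)         # (src_ip, dst_ip, dst_port, proto)
    assets: dict = field(default_factory=dict)         # ip -> details seen on the wire
    alerts: list = field(default_factory=list)

    def _register(self, ip, mac, proto, ts, learning):
        a = self.assets.get(ip)
        if a is None:
            a = self.assets[ip] = {"mac": None, "vendor": "unknown", "protocols": set(), "first_seen": ts}
            if not learning:                           # a host that never spoke during baselining
                self.alerts.append(("new-asset", ts, ip))
        if mac and a["mac"] is None:                   # MAC is only known from the sending side
            a["mac"] = mac
            a["vendor"] = OUI.get(mac[:8].lower(), "unknown")
        a["protocols"].add(proto)

    def observe(self, f: Flow):
        learning = f.ts < self.learning_secs
        self._register(f.src_ip, f.src_mac, f.proto, f.ts, learning)
        self._register(f.dst_ip, None, f.proto, f.ts, learning)
        key = (f.src_ip, f.dst_ip, f.dst_port, f.proto)
        if learning:
            self.baseline.add(key)
        elif key not in self.baseline:                 # who-talks-to-whom changed
            self.alerts.append(("new-conversation", f.ts, key))

def run(flows, learning_secs=3600):
    """Feed flows to a fresh Monitor in time order and return it."""
    m = Monitor(learning_secs)
    for f in sorted(flows, key=lambda x: x.ts):
        m.observe(f)
    return m

def inventory(m):
    """Asset rows (ip, vendor, protocols) to reconcile against the written inventory."""
    return sorted((ip, a["vendor"], sorted(a["protocols"])) for ip, a in m.assets.items())

# Constructed flow records: one hour of baselining, then new activity.
SAMPLE_FLOWS = [
    Flow(10,   "02:00:00:00:00:10", "10.10.2.10", "10.10.1.5", 102, "s7comm"),    # EWS -> PLC
    Flow(11,   "00:1b:1b:00:00:05", "10.10.1.5",  "10.10.2.10", 49152, "s7comm"), # PLC reply
    Flow(30,   "02:00:00:00:00:20", "10.10.2.20", "10.10.1.6", 502, "modbus"),    # HMI -> PLC
    Flow(31,   "00:80:f4:00:00:06", "10.10.1.6",  "10.10.2.20", 49153, "modbus"), # PLC reply
    Flow(4000, "02:00:00:00:00:10", "10.10.2.10", "10.10.1.5", 102, "s7comm"),    # baseline, no alert
    Flow(4100, "02:00:00:00:00:99", "10.10.2.99", "10.10.1.5", 102, "s7comm"),    # unknown host to PLC
    Flow(4200, "02:00:00:00:00:10", "10.10.2.10", "10.10.1.6", 80, "http"),       # known host, new protocol
]

if __name__ == "__main__":
    m = run(SAMPLE_FLOWS)
    for alert in m.alerts:
        print(alert)
    for row in inventory(m):
        print(row)
```

The weakness the example makes visible is the one the caveat above describes: a device that stays silent during the learning window is missing from the inventory and will raise a new-asset alert the first time it speaks, so the learning window must cover a full operating cycle (including maintenance activity) before the baseline is trusted.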
ICS Vulnerability Management
Like most other aspects of ICS/OT security, managing vulnerabilities is much different from managing them in IT environments. Depending on the process, finding downtime to patch devices can be difficult, and test environments in which patches can be validated prior to deployment are uncommon. The CrowdStrike incident of July 19, 2024, in which a faulty sensor content update crashed Windows hosts worldwide, is a perfect example of why we do not want to indiscriminately push updates into OT environments. Guidance on developing vulnerability management procedures can be found in IEC TR 62443-2-3, Patch management in the IACS environment. Keep in mind that, like much of cybersecurity, this is a cyclical process that must be repeated on an interval defined by your budget and risk appetite.
The first challenge to managing vulnerabilities in ICS/OT is knowing which vulnerabilities exist on a per-asset basis. Most commercial network security monitoring tools do some or all of this for you. Some add active or host-based discovery that can fully enumerate the operating system and installed software on an endpoint, either through a credentialed scan or by running a sensor on the host. An example of the latter is Nozomi Networks' Arc endpoint sensor, the companion to its Guardian network sensor, which can be run from a single executable on the host. This is of benefit in some environments because nothing has to be installed on the host. Whatever the source, reconcile what the tool finds against the inventory you built earlier; a device that appears in one list but not the other is itself a finding.
Before you install a patch in an ICS/OT environment you must reduce the risk of an unexpected outcome from the installation. As noted previously, we often do not have a test environment, so we rely on a combination of patch validation by the control system vendor (many publish compatibility statements listing which operating system patches are approved for which product versions), followed by deploying the patch first to a less impactful part of the production environment and watching it there. Finally, prior to installation, make certain that you have a good backup of the host or endpoint and that you have actually tested restoring it; a backup that has never been restored is an assumption, not a recovery plan.
The next challenge is deciding whether to patch the vulnerability at all. It is reasonable to assume that for some ICS/OT assets, the risk of patching will outweigh the risk of operating with the vulnerability. This risk must be evaluated based on where the asset lives within the environment and the nature of the vulnerability. As an easy example, if an adversary who can reach the endpoint could already take control of it without using the vulnerability (many controllers accept unauthenticated commands by design), patching that one vulnerability buys little. In that case the risk has likely already been mitigated, or must be, by the network segmentation deployed around the asset.
The final challenge is when to patch the vulnerability. This is also a risk-based decision and should result in one of two options. The first is to patch now. This applies to edge devices, such as firewalls and remote access gateways, whose patching has minimal or no impact on production and whose vulnerability has been observed being exploited in the wild. The closer an asset gets to those two conditions, the higher the priority for patching now. The second option is to schedule the patch installation for the next production outage. Art Manion of the CERT Coordination Center gave a presentation on this topic at S4 in 2019 which would be a useful resource in developing your process.
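The three challenges above (reduce the risk before installing, decide whether to patch, decide when) are one procedure, so the following is an added example of that procedure written down as a decision function; it is not the article's method and not a rule set taken from IEC TR 62443-2-3. The field names, the zone labels ("edge", "L2-ops", "L1-control"), the production-impact scale and the prerequisite list are assumptions chosen to mirror the text, and the assets and CVE identifiers are constructed placeholders.

```python
"""Risk-based decision on whether and when to patch an ICS/OT asset.

Example added to this article; not the author's method and not a rule set
from IEC TR 62443-2-3. Field names, zone labels and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    PATCH_NOW = "patch now"
    NEXT_OUTAGE = "schedule for the next production outage"
    MITIGATE_ONLY = "do not patch; rely on compensating controls"
    BLOCKED = "not ready to patch; prerequisites missing"

@dataclass
class Asset:
    name: str
    zone: str                          # assumed labels: "edge", "L2-ops", "L1-control"
    production_impact: str             # "none", "low" or "high": effect of an unplanned restart
    reachable_from_less_trusted: bool  # can an attacker reach it across the segmentation?

@dataclass
class Vuln:
    cve: str                           # placeholder identifiers in the samples below
    exploited_in_wild: bool

@dataclass
class Readiness:
    vendor_validated: bool             # control vendor approved this patch for this product/version
    canary_deployed: bool              # already run on a less impactful production instance
    backup_restore_tested: bool        # a restore of the backup has actually been exercised

def decide(asset: Asset, vuln: Vuln, ready: Readiness):
    """Return (Decision, reason, priority) for one asset/vulnerability pair."""
    # Whether to patch: if segmentation already denies the attack path, the
    # patch buys little and the outage risk is not worth taking.
    if asset.zone != "edge" and not asset.reachable_from_less_trusted:
        return Decision.MITIGATE_ONLY, "segmentation already blocks the attack path", 0
    # Risk reduction before any install: vendor validation, canary, tested backup.
    missing = [name for name, ok in (("vendor validation", ready.vendor_validated),
                                     ("canary deployment", ready.canary_deployed),
                                     ("tested backup restore", ready.backup_restore_tested))
               if not ok]
    if missing:
        return Decision.BLOCKED, "missing: " + ", ".join(missing), 0
    # When to patch: the two "patch now" conditions from the text, scored so that
    # assets closer to both sort higher in the queue for the next outage.
    priority = (int(asset.zone == "edge" and asset.production_impact in ("none", "low"))
                + int(vuln.exploited_in_wild))
    if priority == 2:
        return Decision.PATCH_NOW, "low-impact edge device with in-the-wild exploitation", priority
    return Decision.NEXT_OUTAGE, "risk does not justify an unplanned outage", priority

# Constructed sample assets, vulnerabilities and readiness states.
FIREWALL = Asset("ot-edge-fw", "edge", "none", True)
PLC = Asset("plc-line1", "L1-control", "high", False)
HMI = Asset("hmi-line1", "L2-ops", "high", True)
ALL_READY = Readiness(True, True, True)
NO_BACKUP = Readiness(True, True, False)
EXPLOITED = Vuln("CVE-EXAMPLE-1", exploited_in_wild=True)
THEORETICAL = Vuln("CVE-EXAMPLE-2", exploited_in_wild=False)

if __name__ == "__main__":
    cases = [(FIREWALL, EXPLOITED, ALL_READY), (PLC, EXPLOITED, ALL_READY),
             (HMI, EXPLOITED, NO_BACKUP), (HMI, THEORETICAL, ALL_READY)]
    for asset, vuln, ready in cases:
        decision, reason, priority = decide(asset, vuln, ready)
        print(f"{asset.name} / {vuln.cve}: {decision.value} ({reason}; priority {priority})")
```

The ordering of the checks is the point: the exposure question is asked first because a patch for an unreachable asset is pure outage risk, and the prerequisite check comes before any scheduling so that an exploited-in-the-wild vulnerability on an edge device still cannot be installed until the backup has been restored at least once.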
Conclusion
While we have attempted to provide significant guidance in this paper, it will not cover every scenario associated with securing Operational Technology. Cybersecurity is a journey, best taken as a team. Dragos runs a free resource community for manufacturers, OT-CERT, that you can sign up for. We are also available to help you, as are a number of other companies. While OT/ICS security is a challenge, to quote Dragos CEO Rob Lee, "Defense is doable!"
Read the full article in our white paper Where to Start: How to Improve Your OT Security Posture here.
General Manager at Trizac Process Automation Engineering and Contracting
Please look into ARIA Cybersecurity Solutions' AZT PROTECT, which has a completely different approach. They avoid zero-days. That makes them stand out.