Nozomi Networks - Quickly detect threats to OT security
Cybersecurity has never been a greater challenge for industrial companies. Recent attacks on critical security systems have shown that conventional defences cannot stop sophisticated attackers.
Growing political unrest increases the likelihood of more sophisticated attacks on industries that support daily life, such as electric utilities, transportation and manufacturing. The potential risks to security, operational performance and confidentiality of information require constant vigilance.
Digital transformation is adding to this firestorm. The use of unmanaged IoT devices expands the attack surfaces. Increased connectivity between IT, OT, cloud and third-party systems creates more opportunities for attackers to penetrate critical systems. Defending them against these new vulnerabilities is both critical and challenging, as these developments can occur without warning.
Industrial operators need broad and deep visibility
Security teams may not be able to fully defend systems against increasingly sophisticated cyberattacks. And they will continue to face challenges protecting the ever-growing threat surface created by digital connectivity. But visibility of these threats can help them minimise security risks. Those who know about new malware and attacks on other organisations can update their security policies and increase monitoring of vulnerable assets and users.
System-wide awareness of equipment and communication vulnerabilities can focus security efforts on the most critical issues. Identifying changes in devices and connectivity can trigger immediate reviews and responses to new vulnerabilities that arise in security defences and policies.
To be effective, visibility must be both broad and deep, covering all assets and connected systems. Visibility must also be comprehensive, providing defenders with the information they need to quickly assess risk and implement an appropriate response. Rapid change detection is also essential to give security personnel time to act before attackers can exploit new vulnerabilities.
While security teams have these capabilities for conventional IT systems, they often lack good visibility for OT systems and unmanaged IoT devices, increasing risks to all connected systems.
Continuous OT network monitoring can improve threat visibility
Continuous OT network monitoring solutions have become a key tool for security visibility within complex industrial control systems. The value of their visibility has been proven across a wide range of industrial operations.
The use of passive network traffic monitoring and deep packet inspection of proprietary protocols ensures that basic asset information is captured without violating the strict constraints of real-time 24×7 control systems. The solutions also quickly detect any changes that occur to system devices and normal network message flow.
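Added illustration of the baseline-and-change-detection behaviour described above; this is example code, not Nozomi Networks' own, and the record fields, addresses and protocol operation names are constructed assumptions:

```python
"""Passive baseline learning and change detection over flow summaries.
The Flow fields and all sample traffic below are constructed for this example
(assumption: DPI has already labelled protocol and operation per flow)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str    # source address as seen on a SPAN/mirror port (no packets injected)
    dst: str    # destination address
    proto: str  # application protocol identified by deep packet inspection
    func: str   # protocol operation, e.g. a Modbus function name

# Constructed learning-phase traffic: the normal HMI -> PLC polling pattern.
BASELINE_TRAFFIC = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.22", "modbus", "read_holding_registers"),
    Flow("10.0.1.11", "10.0.2.21", "s7comm", "read_var"),
]

# Constructed monitoring-phase traffic containing three deviations.
LIVE_TRAFFIC = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),  # normal
    Flow("10.0.1.10", "10.0.2.21", "modbus", "write_single_register"),   # new operation
    Flow("10.0.1.11", "10.0.2.22", "s7comm", "read_var"),                # new flow
    Flow("10.0.9.99", "10.0.2.21", "modbus", "read_holding_registers"),  # new asset
]

class PassiveBaseline:
    """Learns assets, communication pairs and operations; then flags changes."""
    def __init__(self) -> None:
        self.assets: Set[str] = set()
        self.flows: Set[Tuple[str, str, str]] = set()        # (src, dst, proto)
        self.ops: Set[Tuple[str, str, str, str]] = set()     # (src, dst, proto, func)

    def learn(self, traffic: List[Flow]) -> None:
        for f in traffic:
            self.assets.update((f.src, f.dst))
            self.flows.add((f.src, f.dst, f.proto))
            self.ops.add((f.src, f.dst, f.proto, f.func))

    def detect(self, traffic: List[Flow]) -> List[str]:
        """One alert per deviating flow, reporting the most fundamental change."""
        alerts: List[str] = []
        for f in traffic:
            new = [a for a in (f.src, f.dst) if a not in self.assets]
            if new:
                alerts.append(f"new asset {new[0]} in {f.proto} {f.src}->{f.dst}")
            elif (f.src, f.dst, f.proto) not in self.flows:
                alerts.append(f"new flow {f.proto} {f.src}->{f.dst}")
            elif (f.src, f.dst, f.proto, f.func) not in self.ops:
                alerts.append(f"new operation {f.func} on {f.proto} {f.src}->{f.dst}")
        return alerts
```

Because the baseline is built only from observed traffic, the learning window must cover the normal operating cycle, or legitimate but infrequent flows will be reported as changes.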
Significant improvements have been made to continuous OT network monitoring technology in recent years. Advanced solutions, such as Nozomi Networks Guardian, include features that greatly expand security visibility across a wide range of IT, OT and IoT devices. These include devices with traditional and non-traditional operating systems, conventional and proprietary communications, and various levels of internal security capabilities.
New network monitoring options also enable cost-effective deployment of monitoring to more assets and deeper control system levels. These include a wide range of passive sensors with different capabilities and form factors, intelligent active sensing and virtual solutions embedded in popular network devices.
Improvements have also been made in information delivery and integration with other visibility tools. Early solutions provided limited contextual support to local, OT-centric command centres. Modern continuous OT monitoring solutions aggregate information from many systems, provide comprehensive alerts with support for contextual analysis, analyse devices for known vulnerabilities, and guide users in addressing vulnerable devices.
Published APIs and proven integrations with popular SIEMs and networking products have made it easy to integrate these products into popular IT visibility and SOC applications.
Today's risks require an integrated industrial IT-OT cybersecurity strategy
Industrial organisations have traditionally viewed security from a silo perspective. This was based on the unique challenges of IT and OT systems that required different security staff, processes and technologies.
The benefits of managing similar technologies with similar security methodologies were disregarded in the belief that the unique concerns and constraints of the domain took precedence. While the differences between domains must be recognised, the inefficiency and ineffectiveness of current approaches can no longer be tolerated. Many OT systems remain at risk of serious incidents. Security inconsistencies between IT and OT systems enable cross-domain attacks.
To address these critical issues, organisations need to take a more logical, functional view of cyber security and recognise that the risks are the same regardless of where and how a cyber device is deployed.
Today, IT and OT systems require the same level of security support from people with specific expertise in PCs, servers, cloud applications, networks, mobile devices and embedded systems that underpin modern IoT devices. Experts in specific application areas, such as OT and cloud, can provide guidance on the appropriateness of various defences and practices. However, security management is best left to specialists.
Efficient and effective industrial cyber security requires a comprehensive strategy that includes:
- a single, overarching team of trained cybersecurity experts;
- a common set of security management processes; and
- a common portfolio of security technologies that support cross-domain management of endpoint protection, network security, and threat detection and response.
Visibility of all resources is essential and requires solutions that respect domain constraints.
Implementing a modern, continuous OT network monitoring solution can help organisations meet these requirements and provide industry security teams with the broad AND deep intelligence they need to address today's and tomorrow's threats.