
What to Look for in a Cyber-Physical Systems Security Provider

8 min read

As digital transformation continues to reshape the way industrial organizations operate, it is also changing the game for security. For many of these organizations, the traditional concept of air-gapped operational technology (OT) and industrial control systems (ICS), kept isolated from online connectivity, is no longer reality. And while this newfound connectivity has massive upside, it also comes with security challenges that affect everything from operational resilience and regulatory compliance to risk management and worker safety.

All of this has made choosing the right cyber-physical systems (CPS) security provider a huge priority. With the right provider in place to protect the human-machine interfaces (HMIs), programmable logic controllers (PLCs), and other critical assets within an OT environment, industrial organizations in critical infrastructure sectors get the protection they need against a sophisticated threat landscape. 

But what exactly should CISOs and high-level decision-makers look for when evaluating CPS security solutions? This post will examine key factors to consider.

Purpose-built Solutions for Cyber-Physical Systems Security

First and foremost, prioritizing a vendor that features purpose-built solutions for an OT environment is a must. With digital transformation changing so much of the security landscape, traditional security tools such as jump servers, VPNs, and firewalls won’t protect previously airgapped equipment and assets. 

It’s also crucial for an organization to develop a thorough understanding of the complex web of assets that might be going unnoticed throughout their enterprise network. It goes without saying that you can’t protect what you can’t see. However, a surface-level understanding of these assets isn’t enough when it comes to protecting them. It’s also necessary to understand their configurations, their communication pathways (which assets talk to which, and over what protocols), and any other dependencies that might not be immediately apparent.

There are a few ways to discover these assets, but not all approaches to visibility are created equal. 

Passive Collection Methods for OT Asset Discovery

Traditionally, passive collection through deep packet inspection is the starting point for OT visibility. This approach analyzes traffic at network chokepoints to identify assets and communication methods without interacting with the systems themselves. With the complexities of CPS, however, passive collection has its limitations, including:

Costly Hardware

The hardware required for this is expensive, especially for geographically dispersed organizations. 

Periodic Downtime

Making intricate configuration changes on associated firewalls and switches requires coordination and planning across distributed enterprises. And in most industrial organizations, taking down a production line is costly, both financially and operationally.

Legacy OT Protocols

Many legacy OT protocols come with inherent limitations that prevent information from being fully gathered. For example, MODBUS doesn’t convey any information about models or firmware, and CIP queries typically return asset information only for the main communication NIC card, so they can easily miss information from other cards.

Encryption

Encrypted traffic is a growing blind spot for asset collection, as it can limit the information that can be extracted from passive collection. 

Active Collection Methods for OT Asset Discovery

In contrast to passive collection methods, active collection queries CPS assets in their native protocols. This offers the ability to request a more expansive amount of information related to each asset, providing a more holistic view of all devices throughout an OT environment. 

Here are some other advantages of active collection methods:

More Comprehensive Asset Information

Active collection enables more comprehensive asset information to be gathered by requesting specific details directly from each device, such as unique network and physical identifiers, location, and network role. 

Reduced Hardware Deployment

Queries can be issued to targeted systems across the entire CPS network without placing collection hardware at every network chokepoint.

Increased Accuracy of CPS Asset Identification

In addition to device identification accuracy, active collection enables more accurate identification of firmware versions, configurations, and any associated vulnerabilities with each. 

Active collection does come with its own set of challenges, however. The primary challenge is that effective implementation of active queries requires some degree of prior knowledge of the target systems. This ensures that communication uses the correct protocol for the targeted asset. Active collection can also hinder performance of daily operations within an OT environment.

It’s important to take all these factors into consideration when evaluating a CPS security solution. Leading providers use a hybrid approach of passive and active data collection methods to identify asset types. 
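The passive and active discussion above, worked through for Modbus/TCP as an added example (this is not Claroty's code, nor any product's collector; the station addresses, unit IDs and the device answer are constructed). The passive half parses request frames as a sensor at a chokepoint would see them and shows that vendor, model and firmware stay unknown, exactly the MODBUS limitation the post describes. The active half builds the standard Read Device Identification query (function code 43, MEI type 14) and decodes the basic identification objects, and the hybrid step uses the passive inventory as the "prior knowledge" the active query needs: it only queries stations and unit IDs that passive collection already confirmed speak Modbus.

```python
import struct

# Constructed sample: Modbus/TCP request frames as a passive sensor at a chokepoint would see them.
# Tuple layout: (source IP, destination IP, raw frame). These are not real captures.
PASSIVE_CAPTURE = [
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("0001000000060103000A0002")),  # unit 1, FC 3 read regs
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("0002000000060105001FFF00")),  # unit 1, FC 5 write coil
    ("10.0.1.11", "10.0.2.21", bytes.fromhex("00030000000602010000000A")),  # unit 2, FC 1 read coils
]


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (unit id, function code, PDU data), validating the MBAP header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _transaction_id, protocol_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]


def passive_inventory(capture):
    """What passive DPI alone yields: which stations exist, who talks to them, and which
    function codes are used. Vendor, product and firmware stay None because plain Modbus
    requests carry none of that information."""
    inventory = {}
    for src, dst, frame in capture:
        unit, fc, _ = parse_mbap(frame)
        rec = inventory.setdefault((dst, unit), {
            "function_codes": set(), "talkers": set(),
            "vendor": None, "product": None, "firmware": None,
        })
        rec["function_codes"].add(fc)
        rec["talkers"].add(src)
    return inventory


def build_read_device_id_request(unit: int, transaction_id: int = 1) -> bytes:
    """Active query: FC 43 (0x2B), MEI type 14 (0x0E), Read Device ID code 1 (basic), object 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


def parse_read_device_id_response(frame: bytes) -> dict:
    """Decode the basic identification objects: 0 VendorName, 1 ProductCode, 2 MajorMinorRevision."""
    unit, fc, data = parse_mbap(frame)
    if fc != 0x2B or data[0] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # data layout: MEI type, ReadDevId code, conformity level, more-follows, next object id, count
    count = data[5]
    objects, pos = {}, 6
    for _ in range(count):
        obj_id, obj_len = data[pos], data[pos + 1]
        objects[obj_id] = data[pos + 2:pos + 2 + obj_len].decode("ascii")
        pos += 2 + obj_len
    return {"unit": unit, "vendor": objects.get(0), "product": objects.get(1),
            "firmware": objects.get(2)}


def build_device_id_response(unit, vendor, product, revision, transaction_id=1) -> bytes:
    """Constructed station answer so the example runs offline; a real PLC would send this."""
    objs = b"".join(bytes([i, len(v)]) + v.encode("ascii")
                    for i, v in enumerate((vendor, product, revision)))
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


def hybrid_inventory(capture, active_responses):
    """Passive baseline first; then enrich only the (station, unit) pairs passive discovery
    confirmed, which is the prior knowledge an active query needs to use the right protocol."""
    inventory = passive_inventory(capture)
    for (ip, unit), frame in active_responses.items():
        if (ip, unit) in inventory:
            details = parse_read_device_id_response(frame)
            inventory[(ip, unit)].update({k: v for k, v in details.items() if k != "unit"})
    return inventory


if __name__ == "__main__":
    # Offline stand-in for sending build_read_device_id_request(1) to 10.0.2.20 and reading the reply.
    responses = {("10.0.2.20", 1): build_device_id_response(1, "ExampleCo", "PLC-100", "2.14")}
    for key, rec in hybrid_inventory(PASSIVE_CAPTURE, responses).items():
        print(key, rec)
```

The station that answered the active query ends up with vendor, product and firmware filled in; the one that was only observed passively keeps those fields empty, which is the gap a hybrid collector closes. Because the query is addressed only to stations already seen, it avoids the blind probing that can disturb daily operations.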

CPS Threat Detection and Response

With a threat landscape rife with evolving risks, a CPS security solutions provider should also offer powerful threat detection and response capabilities. Ideally, these features would be fed by threat intelligence, with the solution proactively monitoring the enterprise network for anomalous behavior. Threat detection should also include:

Real-time Monitoring and Anomaly Detection

Technology in an existing environment such as security information and event management (SIEM) and endpoint detection and response (EDR) should integrate with a CPS security solution. SIEM and EDR help monitor data and network traffic in real time, identifying unusual behavior that could be malicious. 

Purpose-built for OT Environments

As mentioned above, IT-specific solutions aren’t meant for use with the complexities of an OT environment. That’s why it’s nothing short of imperative to use a CPS security solution to ward off threat actors before they can successfully breach a network. This also minimizes false positives that security teams would spend too much time chasing down. 

The best solutions continuously update their threat detection capabilities based on the evolving tactics used by threat actors that specifically target industrial systems and critical infrastructure.
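An added example of the anomaly detection the section describes, written for this page (it is not Claroty's detection logic, and the flow log format and all addresses are constructed). A learning window builds a baseline of which talker speaks to which station and with which Modbus function codes; afterwards a new talker, or a function code the pair never used before, raises a finding. Write function codes are rated higher than reads, which is one way of keeping the false-positive volume low that the post calls out.

```python
import re
from collections import defaultdict

# Constructed flow-record format for this example; a real sensor or SIEM would use its own schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"unit=(?P<unit>\d+) fc=(?P<fc>\d+)$")

# Modbus function codes that change controller state; everything else is treated as a read.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed sample: records from a learning window in which traffic is assumed to be normal.
BASELINE_LOGS = """\
2024-05-01T08:00:01Z src=10.0.1.10 dst=10.0.2.20 proto=modbus unit=1 fc=3
2024-05-01T08:00:02Z src=10.0.1.10 dst=10.0.2.20 proto=modbus unit=1 fc=16
2024-05-01T08:00:03Z src=10.0.1.11 dst=10.0.2.21 proto=modbus unit=2 fc=1
2024-05-01T08:00:04Z src=10.0.1.10 dst=10.0.2.21 proto=modbus unit=2 fc=3
""".splitlines()

# Constructed sample: later traffic containing two deviations from the baseline.
MONITOR_LOGS = """\
2024-05-02T09:00:01Z src=10.0.1.10 dst=10.0.2.20 proto=modbus unit=1 fc=3
2024-05-02T09:00:02Z src=10.0.1.11 dst=10.0.2.21 proto=modbus unit=2 fc=15
2024-05-02T09:00:03Z src=10.0.9.99 dst=10.0.2.20 proto=modbus unit=1 fc=3
2024-05-02T09:00:04Z src=10.0.1.10 dst=10.0.2.21 proto=modbus unit=2 fc=3
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse one flow record; reject anything that does not match the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["unit"], rec["fc"] = int(rec["unit"]), int(rec["fc"])
    return rec


def learn_baseline(lines):
    """Learning window: for every (talker, station, unit) remember the function codes seen."""
    baseline = defaultdict(set)
    for rec in map(parse_line, lines):
        baseline[(rec["src"], rec["dst"], rec["unit"])].add(rec["fc"])
    return baseline


def detect(lines, baseline):
    """Flag records that deviate from the baseline; a write from an unexpected source is rated
    highest, a new read-only talker medium, a new read code on a known pair low."""
    findings = []
    for rec in map(parse_line, lines):
        key = (rec["src"], rec["dst"], rec["unit"])
        is_write = rec["fc"] in WRITE_FUNCTIONS
        if key not in baseline:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "unit": rec["unit"], "fc": rec["fc"],
                             "severity": "high" if is_write else "medium",
                             "reason": "new talker for this station"})
        elif rec["fc"] not in baseline[key]:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "unit": rec["unit"], "fc": rec["fc"],
                             "severity": "high" if is_write else "low",
                             "reason": "function code never seen on this pair"})
    return findings


if __name__ == "__main__":
    for finding in detect(MONITOR_LOGS, learn_baseline(BASELINE_LOGS)):
        print(finding)
```

Run against its own learning data the detector produces nothing, and against the monitoring sample it produces exactly two findings: a known talker issuing a write code it never used before, and an unknown address reading from a station. The baseline is deliberately keyed on the talker, not only the station, because in an OT network the set of hosts allowed to command a controller is small and stable.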

Network Segmentation 

Segmenting a network into isolated zones to prevent lateral movement from attackers is also key. This practice not only enhances network security by a large margin, but it also offers an assortment of other benefits to industrial organizations. 

Improved Network Performance

When network traffic is contained within specific subnets, it can reduce congestion and improve overall network performance. This is especially important in OT environments that have such little tolerance for operational downtime. 

Isolate Threats

If an enterprise network is like a house, then think of network segmentation as the locked doors that help keep thieves from valuables. Lateral movement in a cyberattack can be especially damaging to an organization, especially if the most critical systems are left unprotected.
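An added example of the segmentation idea above, as a zone-and-conduit policy check (written for this page; not Claroty's code, and the zone plan, subnets and flows are constructed). Zones follow a Purdue-style layering, conduits are the only zone-to-zone paths allowed and list the protocols each may carry, and every observed flow is judged against that plan. A flow that jumps straight from the enterprise zone to the cell zone is the lateral movement the locked-door analogy is about.

```python
import ipaddress

# Constructed zone plan: Purdue-style layers mapped to subnets. Not a real site.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.5.0/24"),
    "supervisory": ipaddress.ip_network("10.0.2.0/24"),
    "cell": ipaddress.ip_network("10.0.3.0/24"),
}

# Conduits: the only (initiator zone, target zone) pairs allowed to talk, and the protocols each may carry.
CONDUITS = {
    ("enterprise", "dmz"): {"https"},
    ("dmz", "supervisory"): {"https", "opcua"},
    ("supervisory", "cell"): {"modbus", "opcua"},
}

# Constructed sample flows: (source IP, destination IP, protocol).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.5.10", "https"),   # enterprise -> dmz over https: permitted
    ("10.0.1.10", "10.0.3.30", "modbus"),  # enterprise straight to a cell device: no conduit
    ("10.0.2.20", "10.0.3.30", "modbus"),  # supervisory -> cell over modbus: permitted
    ("10.0.5.10", "10.0.2.20", "rdp"),     # dmz -> supervisory, but rdp is not on that conduit
    ("10.0.3.30", "10.0.3.31", "modbus"),  # intra-zone traffic: not the conduit policy's concern
]


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it sits outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, proto: str):
    """Return None if the flow is permitted by the zone plan, otherwise a reason string."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "unknown" in (src_zone, dst_zone):
        return f"address outside the zone plan ({src} -> {dst})"
    if src_zone == dst_zone:
        return None
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit from {src_zone} to {dst_zone}"
    if proto not in allowed:
        return f"{proto} not permitted on the {src_zone} -> {dst_zone} conduit"
    return None


def audit(flows):
    """List every flow that violates the plan, with the reason."""
    violations = []
    for src, dst, proto in flows:
        reason = check_flow(src, dst, proto)
        if reason:
            violations.append((src, dst, proto, reason))
    return violations


if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```

The same check serves two purposes: run over a design document it validates the intended segmentation, and run over observed flows it shows where the real network has not caught up with the plan, which is where the downtime-free benefit of segmentation is actually decided.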

Secure Remote Access

A recent analysis revealed that of more than 125,000 OT assets, 13% were insecurely connected to the internet, and 36% of those contained at least one confirmed vulnerability that had been exploited. Needless to say, remote access is a favored attack vector for threat actors. This underscores the importance of choosing a CPS solution provider that emphasizes secure remote access.

Here are some key outcomes of secure remote access solutions:

Reduced Complexity

The complexities within CPS demand a solution that simplifies protecting them. A secure access solution that offers features such as identity and access management (IAM) to simplify administration and access is key. Granular access controls and strict policy governance are also must-haves. 

Support for Varied Access Controls

It’s not just employees that log into most industrial enterprise networks—it’s contractors, vendors, and a host of others that log in for routine maintenance or other basic job functions, either remotely or on-premise. For that reason, additional security measures such as multi-factor authentication (MFA) and least privilege access using a zero trust framework are necessary additions. 
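An added example of the access controls the last two sections describe, written for this page (not Claroty's access product or its policy format; roles, assets and windows are constructed). Every request is denied by default and granted only when the role exists, MFA has been verified, the target asset and action are within that role's scope, and the request falls inside the role's maintenance window, which is the least-privilege, zero-trust shape the text calls for when contractors and vendors log in.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    target_asset: str
    action: str
    at: datetime  # request time, timezone-aware UTC


# Constructed policy: per role, the assets and actions it may use and a UTC maintenance window [start, end).
POLICY = {
    "vendor_plc": {"assets": {"plc-line1"}, "actions": {"view", "engineering"}, "window": (8, 18)},
    "operator": {"assets": {"hmi-line1", "plc-line1"}, "actions": {"view"}, "window": (0, 24)},
}


def evaluate(req: AccessRequest, policy=POLICY):
    """Default deny: collect every failed check so the decision is explainable; grant only if none failed."""
    reasons = []
    rule = policy.get(req.role)
    if rule is None:
        reasons.append(f"unknown role {req.role!r}")
    else:
        if not req.mfa_verified:
            reasons.append("MFA not verified")
        if req.target_asset not in rule["assets"]:
            reasons.append(f"asset {req.target_asset!r} outside role scope")
        if req.action not in rule["actions"]:
            reasons.append(f"action {req.action!r} not permitted for role")
        start, end = rule["window"]
        if req.at.tzinfo is None or not (start <= req.at.astimezone(timezone.utc).hour < end):
            reasons.append("outside maintenance window")
    return (not reasons, reasons)


def sample_requests():
    """Constructed requests covering a grant and the common denial paths."""
    noon = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    night = datetime(2024, 5, 1, 22, 0, tzinfo=timezone.utc)
    return [
        AccessRequest("vendor-a", "vendor_plc", True, "plc-line1", "engineering", noon),
        AccessRequest("vendor-a", "vendor_plc", True, "plc-line1", "engineering", night),
        AccessRequest("vendor-a", "vendor_plc", False, "plc-line1", "view", noon),
        AccessRequest("op-1", "operator", True, "plc-line1", "engineering", noon),
        AccessRequest("guest", "unknown", True, "plc-line1", "view", noon),
    ]


if __name__ == "__main__":
    for req in sample_requests():
        allowed, reasons = evaluate(req)
        print(req.user, req.action, req.target_asset, "ALLOW" if allowed else "DENY", reasons)
```

Returning the full list of failed checks rather than the first one makes the audit trail useful: a reviewer can see that a session was refused because MFA was missing and it was outside the window, not just that it was refused.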

Protecting CPS with the Claroty Platform

It can be difficult to find a CPS security provider that fits the bill for all of the above criteria. With so many features to guard against so many possible attack vectors, it can be easy to rely on multiple solutions to cover enough ground in a complex environment. 

However, this can quickly lead to other issues if the solutions don’t integrate properly with an existing infrastructure. Solutions that don’t communicate well with each other can leave the door open for unseen attackers to make their move using techniques such as living-off-the-land, zero-day attacks, ransomware, and more. 

The Claroty Platform is a holistic solution that combines asset discovery, threat detection, network segmentation, exposure management, and secure remote access to protect critical infrastructure. By leveraging real-time threat detection, it keeps an eye on unusual network behavior and flags anything that looks suspicious, allowing security teams adequate time to respond. It also provides industry-leading asset discovery abilities that map out every device throughout an enterprise network, and uses secure remote access with zero trust to prevent any unauthorized access. 

Explore more about the platform or schedule a live demo with one of our experts to learn more.
