In today’s OT environments, maintaining cybersecurity and operational integrity presents unprecedented challenges. Traditional IT SIEMs often fall short, leaving critical OT assets without adequate coverage.
If you are familiar with enterprise or IT cyber security frameworks, then logging and event management through a Security Information and Event Management (SIEM) platform should be familiar too. NIST, COBIT, ISO and even PCI DSS refer to it as a necessary capability at some level.
This blog will provide IT and OT Security managers with the following insights regarding Security Information and Event Management (SIEM) technology:
Security Information and Event Management is a system that aggregates, parses, and analyzes various sources of cyber information (security and otherwise) for storage, alerts, response, and reporting. Its true power lies in its ability to correlate disparate data sources and provide the context to identify and prioritize genuine threats. Analysts, automated systems, and security teams process alerts, alarms, events, and baselines to detect and respond to cyber risks. This correlation is crucial for reducing alert fatigue and enabling security teams to focus on actionable insights.
A SIEM typically has several key functions:
Alert triggers and thresholds come from several places: some are inherited from the generating application or system, some are produced by machine learning, statistics or heuristics, and others are use cases defined by analysts or by a framework.
Ultimately, a SIEM’s purpose is to receive messages (most often in syslog or Windows event log format), make them available for cyber security functions, and raise alerts on them so security teams can execute defined procedures and processes to manage the threat. This is best illustrated with an example:
Imagine a small or medium-sized business with a converged infrastructure. Windows systems are used for accounts payable, and also for processing and distributing the shop floor’s orders and related tasks. Both functions are critical, but one is IT-related and the other is OT-related.
Now imagine that the person at the accounts payable computer opens a phishing email, the attacker drops malware onto that system and, fortunately, the system’s anti-virus detects it and generates an alert.
This is a simple example, but even for commodity malware it is advantageous to forward system logs to a separate, secured system where they can be analyzed, work can be dispatched, and follow-up such as training can be tracked. In this case the malware was caught (no large-scale ransomware incident), but the accounts payable person may still need phishing awareness training or a conversation with their manager.
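The following is an added example, not code from the original post or from any vendor product. It shows the minimum a SIEM does with the scenario above: parse syslog-style messages from a mail gateway and an endpoint anti-virus agent, correlate the detection on the accounts payable workstation with the phishing email delivered to the same user a few minutes earlier, tag the asset as IT or OT from an asset map, and produce one enriched alert with a severity and the follow-up actions. The log lines, hostnames, user name and the asset-to-domain map are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 3164 style); not real data. One email
# gateway delivery, one anti-virus detection on the accounts payable workstation,
# and one unrelated shop-floor application message.
SAMPLE_LOGS = [
    '<134>Mar 12 09:14:02 mailgw smtpd: delivered msgid=8817 to=ap-user@example.test '
    'subject="Invoice 4471 overdue" url_rewritten=1',
    '<134>Mar 12 09:16:40 AP-WS01 av: DETECTION name=Trojan.Downloader '
    'path=C:\\Users\\ap-user\\Downloads\\invoice.exe action=quarantined user=ap-user',
    '<134>Mar 12 09:20:11 SHOPFLOOR-SRV01 orderd: batch 2291 released to line 3',
]

# Hypothetical asset-to-domain map; in practice this comes from the asset inventory.
ASSET_DOMAIN = {"mailgw": "IT", "AP-WS01": "IT", "SHOPFLOOR-SRV01": "OT"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line, year=2024):
    """Parse one syslog line into a dict with timestamp, host, app and key=value fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"], "fields": fields}


def correlate(events, window=timedelta(minutes=30)):
    """Pair each anti-virus detection with a recent email delivery to the same user.

    Returns one alert per detection, enriched with the likely delivery vector,
    the asset's IT/OT domain, a severity and the follow-up actions for the analyst.
    """
    deliveries = [e for e in events if e["app"] == "smtpd" and "to" in e["fields"]]
    alerts = []
    for e in events:
        if e["app"] != "av" or not e["msg"].startswith("DETECTION"):
            continue
        user = e["fields"].get("user")
        related = [
            d for d in deliveries
            if d["fields"]["to"].split("@")[0] == user
            and timedelta(0) <= e["ts"] - d["ts"] <= window
        ]
        contained = e["fields"].get("action") == "quarantined"
        actions = ["confirm quarantine and check the host for persistence"]
        if related:
            actions += ["block the sender and the rewritten URL at the mail gateway",
                        f"schedule phishing awareness training for {user}"]
        if not contained:
            actions.insert(0, "isolate the host and open an incident")
        alerts.append({
            "ts": e["ts"],
            "host": e["host"],
            "domain": ASSET_DOMAIN.get(e["host"], "unknown"),
            "user": user,
            "malware": e["fields"].get("name"),
            "likely_vector": "phishing email" if related else "unknown",
            "email_subject": related[0]["fields"].get("subject") if related else None,
            "severity": "medium" if contained else "high",
            "actions": actions,
        })
    return alerts


if __name__ == "__main__":
    parsed = [p for p in (parse_syslog(line) for line in SAMPLE_LOGS) if p]
    for alert in correlate(parsed):
        print(alert)
```

The correlation key here is the user (mail recipient local part against the anti-virus `user` field) plus a time window; a production rule would also join on hostname from the mail client or proxy logs, but the structure is the same: the detection alone says "malware on a host", the correlated alert says "phishing-delivered malware on an IT workstation, contained, user needs training".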
There is a good deal of debate around the need for an OT security operations center (SOC) to monitor, tune, and use the SIEM. There is a separate question on the value of an OT SIEM and what the difference would be from an IT SIEM.
While both IT and OT SIEMs aggregate and analyze data, their focus and priorities differ significantly. In OT, the emphasis is on safety, reliability, and availability. This requires specialized data and analysis capabilities. Key differences include:
Regardless of where an event originates, there are overlapping SIEM use cases and shared threats such as commodity malware, but the events and their impacts diverge the farther you move toward either end of the IT/OT spectrum.
IT frequently faces malware, phishing, data disclosures and breaches, and a variety of threats delivered straight from the Internet. In OT, the threats that matter are compromise of specialized process control equipment, safety systems and production lines. Both sides have different skill sets and priorities, based on the type of work performed and the events generated.
In IT, when an alert says that user X is doing Y, or that malware Z has been detected, the handling procedure is reasonably well understood. In OT, proprietary vendors and technologies spanning decades produce an overwhelming volume of alarms and alerts for teams whose first job is keeping the facility operational and safe.
There is often a need for both an IT and an OT SIEM within one environment. In fact, in the great majority of documented industrial cyber attacks, the actor first gained a foothold in IT and then pivoted into OT across whatever protections existed between the two environments.
A single view to oversee asset management, reporting, and SIEM functionality is required for effective cyber risk reduction across IT and OT.
The question that remains is how best to achieve that integrated view. When does it make sense to have an OT SIEM that provides specific data aggregation, analysis, incident response and reporting for OT and then forwards critical alerts and information into the enterprise SOC?
The approach and strategy are specific to the organization. For some, a single SIEM with no OT-specific functionality makes sense; for others, a robust OT SIEM will be critical.
The answer is not as straightforward as it may seem on the surface. The complexity is driven by the amount of legacy equipment, the amount of process control, and the regulations that apply to the environment. After all, few organizations want to burden their enterprise environment with the compliance bureaucracy and overhead that apply to the plant.
In the IT SIEM figure, it appears that this might work. The problem is that most enterprise solutions do not have access to a number of important OT sources. They receive an alert, decide where to assign it, and send it on to the best of a traditional IT analyst’s ability.
With minimal information or context, the alert is “thrown over the fence to OT.” Assuming there is a ticketing or work system linking the two domains and acting as the IT/OT glue, the work lands on the OT individual or team, who must triage an often trivial one-line message such as:
<date> Cryptographic Certificate Expired UseCase Triggered on Asset ABC – Remediate, HIGH priority.
If the OT receiver is lucky, guidance is in place with procedures appropriate to the environment. Unfortunately, this is not enough information for even an IT team to make sense of, and both the priority and the remediation are a challenge because of the operational constraints in OT.
In other words, unless the alert arrives with adequate context and supporting information, using a SIEM by itself demands complete asset visibility and real expertise in the asset and the environment it is deployed in.
Take a common occurrence in IT/enterprise land: expired SSL/TLS certificates. In the enterprise domain, any alert, report or alarm stating that a system has an expired certificate sets off a flurry of events such as:
Again, this is a very simple example, but in OT an expired certificate is not in itself a direct cyber security threat. In addition, the following conditions need to be understood before a certificate is re-issued:
There are additional concerns, but these are the top reasons why an OT SIEM is important. It must be staffed by people who know their environments, rather than by a team in a completely different division (although for a converged infrastructure, multiple sets of eyes are not a bad idea). An alert does not automatically equate to an issue that needs an immediate change, and acting on it correctly requires visibility and presence from the right people in the OT environment.
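To make the "context before change" point concrete, here is an added example (not code from the original post or from any vendor) of what an OT SIEM can do with the one-line alert above before anyone is dispatched: pull the asset identifier out of the message, look it up in the OT asset inventory, and turn the enterprise "HIGH, remediate" into an OT priority and a planned piece of work. The inventory, its fields (zone, whether the certificate is actually presented to another zone, safety relevance, next maintenance window, whether a vendor re-issue procedure exists) and the asset identifiers are all hypothetical.

```python
import re
from datetime import date

# Constructed OT asset inventory (hypothetical assets and fields). In a real
# deployment this context comes from the asset management platform the OT SIEM
# integrates with.
INVENTORY = {
    "ABC": {
        "description": "Line 3 HMI", "zone": "L2-cell-3", "safety_related": False,
        "cert_uses": ["https-web-hmi"],        # services that present the certificate
        "reachable_from": ["L3-site-ops"],     # zones with a conduit to those services
        "next_maintenance_window": date(2024, 4, 6),
        "vendor_reissue_procedure": True, "owner": "line-3-controls",
    },
    "SIS-01": {
        "description": "Safety instrumented system logic solver", "zone": "L1-safety",
        "safety_related": True, "cert_uses": ["engineering-tool-tls"],
        "reachable_from": ["L2-engineering"],
        "next_maintenance_window": date(2024, 9, 14),
        "vendor_reissue_procedure": False, "owner": "safety-engineering",
    },
    "PLC-7": {
        "description": "Packaging PLC", "zone": "L1-cell-7", "safety_related": False,
        "cert_uses": [],                       # a certificate exists but nothing presents it
        "reachable_from": [],
        "next_maintenance_window": date(2024, 5, 2),
        "vendor_reissue_procedure": True, "owner": "packaging-controls",
    },
}

ALERT_RE = re.compile(
    r"Certificate Expired UseCase Triggered on Asset (?P<asset>\S+).*?"
    r"(?P<prio>LOW|MEDIUM|HIGH) priority"
)


def parse_alert(text):
    """Extract the asset identifier and the enterprise priority from the one-line alert."""
    m = ALERT_RE.search(text)
    return (m["asset"], m["prio"]) if m else (None, None)


def triage(alert_text, today=date(2024, 3, 12)):
    """Enrich the alert with inventory context and decide what kind of work it really is."""
    asset_id, ent_prio = parse_alert(alert_text)
    asset = INVENTORY.get(asset_id)
    if asset is None:
        return {"asset": asset_id, "enterprise_priority": ent_prio, "ot_priority": "unknown",
                "work_type": "identify",
                "actions": ["asset not in the OT inventory; confirm identity and owner before assigning work"]}

    exposed = bool(asset["cert_uses"]) and bool(asset["reachable_from"])
    days_to_window = (asset["next_maintenance_window"] - today).days
    actions = []
    if not exposed:
        priority, work_type = "low", "deferred"
        actions.append("certificate is not presented to any other zone; rotate at the next planned outage")
    else:
        priority, work_type = ("high" if asset["safety_related"] else "medium"), "planned change"
        actions.append(f"schedule re-issue in the maintenance window in {days_to_window} days "
                       f"({asset['next_maintenance_window'].isoformat()}) with change approval")
        actions.append("until then, restrict the conduit(s) from " + ", ".join(asset["reachable_from"])
                       + " to the services using the certificate")
        if asset["safety_related"]:
            actions.append("no online change: safety system configuration is only modified under the safety change process")
        if not asset["vendor_reissue_procedure"]:
            actions.append("obtain the vendor's certificate re-issue procedure before touching the device")

    return {"asset": asset_id, "description": asset["description"], "zone": asset["zone"],
            "owner": asset["owner"], "enterprise_priority": ent_prio,
            "ot_priority": priority, "work_type": work_type, "actions": actions}


if __name__ == "__main__":
    for asset in ("ABC", "SIS-01", "PLC-7", "XYZ"):
        msg = (f"2024-03-12 Cryptographic Certificate Expired UseCase Triggered on Asset {asset}"
               " - Remediate, HIGH priority.")
        print(triage(msg))
```

The same enterprise alert produces three different outcomes: a medium, planned change for the HMI whose web interface is reachable from site operations; a high priority but strictly scheduled change for the safety system, with the missing vendor procedure flagged; and a deferral for the PLC whose certificate is never presented to anyone. None of them is an immediate change, which is the point the text makes.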
As with any theoretical concept, how does one get the most value out of it or determine if it works in the real world vs. theoretical exercises? The idea is that:
An OT SIEM differs from an IT SIEM by aggregating, analyzing and visualizing a different set of data through a different set of lenses. The result is a set of security and reliability insights that are not available from traditional IT SIEMs.
A typical OT SIEM architecture collects data from OT devices through secure zones and conduits, analyzes it within a dedicated OT security zone that is usually separated from the enterprise by an industrial DMZ, and integrates with the enterprise SIEM for centralized visibility.
There is no absolute answer that every industrial company needs one, but several factors drive increased value from a separate OT SIEM.
The use of secure zones and conduits is critical in OT environments. Zones segment the network into logical areas based on risk and function, while conduits control and monitor the flow of data between these zones. This approach minimizes the attack surface and limits the impact of potential breaches.
An OT SIEM acts as a clearinghouse: it forwards only the most critical alerts and events to the IT SIEM, giving the enterprise-wide view that converged IT/OT security depends on. Data flows from the OT SIEM to the IT SIEM with the contextual information attached, so that IT security teams can understand the impact of OT events on the overall enterprise.
An OT SIEM must also be tied into the tools already used within the OT environment. API integrations with historians, HMI systems and asset management platforms are essential for comprehensive monitoring and response, because they let the OT SIEM correlate data from those sources into an accurate and complete picture of the operational environment.
If it is not integrated this way, then in an action-focused environment remediations may be missed, irrelevant alarms cannot be tuned out, and vital security events may go unnoticed. Integration is about getting the most out of existing investments and multiplying their risk reduction and effectiveness.
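As an added example of the two architectural points above (not code from the original post or from any vendor), the following block encodes a small zones-and-conduits model, checks observed network flows against it, and applies the clearinghouse rule: every violation is an OT alert, but only those that land in a process control zone are forwarded to the enterprise SIEM, with the zone context attached. The zone names, address ranges, permitted ports and flow records are all hypothetical. The last sample flow is the IT-to-OT pivot described earlier in the text: an enterprise workstation speaking Modbus/TCP directly to a PLC.

```python
import ipaddress

# Constructed zone model in the zones-and-conduits style the text refers to.
# Addresses, zone names and permitted ports are hypothetical.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "idmz":       ipaddress.ip_network("10.20.0.0/24"),    # industrial DMZ
    "site-ops":   ipaddress.ip_network("10.30.0.0/24"),    # historian, OT SIEM, jump hosts
    "cell-3":     ipaddress.ip_network("192.168.3.0/24"),  # PLC/HMI cell
}
# A conduit permits the listed TCP destination ports from the first zone to the second.
CONDUITS = {
    ("enterprise", "idmz"): {443},          # users reach the DMZ web proxy / jump host
    ("idmz", "site-ops"):   {1433},         # historian replication into site ops
    ("site-ops", "cell-3"): {502, 44818},   # Modbus/TCP and EtherNet/IP from site ops
}
PROCESS_ZONES = {"cell-3"}   # a violation that lands here touches process control


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow):
    """Return None if the flow is allowed by the zone model, otherwise an alert dict."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone and src_zone != "unknown":
        return None                      # intra-zone traffic is not governed by a conduit
    permitted = CONDUITS.get((src_zone, dst_zone), set())
    if flow["dport"] in permitted:
        return None
    reason = (f"port {flow['dport']} not permitted on conduit {src_zone}->{dst_zone}"
              if permitted else f"no conduit defined from {src_zone} to {dst_zone}")
    return {
        "severity": "critical" if dst_zone in PROCESS_ZONES else "high",
        "src": flow["src"], "src_zone": src_zone,
        "dst": flow["dst"], "dst_zone": dst_zone, "dport": flow["dport"],
        "reason": reason,
    }


def analyze(flows):
    """Run every flow through the zone model and keep the violations, in input order."""
    return [a for a in (check_flow(f) for f in flows) if a]


def for_enterprise_siem(alerts):
    """Clearinghouse filter: forward only critical alerts, with the zone context attached."""
    return [
        {"summary": f"{a['src_zone']} host {a['src']} reached {a['dst_zone']} device {a['dst']} "
                    f"on port {a['dport']}: {a['reason']}",
         "severity": a["severity"], "ot_zone": a["dst_zone"]}
        for a in alerts if a["severity"] == "critical"
    ]


# Constructed flow records (as a firewall or span-port sensor would export them); hypothetical.
SAMPLE_FLOWS = [
    {"src": "10.10.5.20",   "dst": "10.20.0.10",   "dport": 443},    # enterprise -> DMZ proxy
    {"src": "10.20.0.10",   "dst": "10.30.0.5",    "dport": 1433},   # DMZ -> historian
    {"src": "10.30.0.5",    "dst": "192.168.3.11", "dport": 502},    # site ops -> PLC, Modbus
    {"src": "192.168.3.11", "dst": "192.168.3.12", "dport": 44818},  # PLC to PLC inside the cell
    {"src": "10.20.0.10",   "dst": "10.30.0.5",    "dport": 3389},   # RDP over the historian conduit
    {"src": "10.10.5.20",   "dst": "192.168.3.11", "dport": 502},    # enterprise workstation -> PLC
]

if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for alert in found:
        print(alert["severity"], alert["reason"])
    print(for_enterprise_siem(found))
```

The RDP attempt across the historian conduit stays with the OT team as a high-severity alert to tune or investigate; the direct enterprise-to-PLC Modbus flow is the one the enterprise SOC needs to see, and it arrives already labelled with the zones involved rather than as a bare IP pair.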