Clarifying Concerns and Benefits of Active Querying in the OT Environment

Dick

In today's interconnected world, operational technology (OT) systems are vital to the functioning of critical infrastructure, including power grids, manufacturing plants, and transportation networks. While it is encouraging to note that 82% of Australian CISOs and executives consider the implementation of some OT security as their top cybersecurity achievement in the past year, there remains a significant hurdle for them to overcome: the absence of comprehensive visibility into the complete asset inventory and the internal workings of these systems.

This knowledge gap leaves organisations exposed to cyber threats and hampers their ability to detect and respond effectively to cybersecurity incidents.

Manual techniques and spreadsheets are still commonly used by many security teams, but they provide no guarantee of data completeness and accuracy. Moreover, manual inventories are a snapshot in time: they age quickly and are only accurate for a limited period.

Passive network monitoring is a significant improvement over manual techniques. By monitoring the network, any communicating asset can be detected. With sufficient quality traffic, these assets can be partially or fully identified, establishing communication baselines and enabling the detection of vulnerabilities, commands and possible indicators of compromise.

However, passive techniques have limits. They can only identify assets that actively communicate within the monitored sections of the network, and specific traffic patterns are required to positively identify device types. Additionally, OT networks often operate in a "steady state", going for extended periods with infrequent traffic, or none at all, of the kind that allows a device to be identified. Furthermore, passive monitoring cannot provide explicit details about the device, such as its code or firmware revision.

This raises the question: how can visibility into OT systems be attained?

The solution lies in adopting device querying, an approach that enables organisations to unlock unparalleled visibility into their OT systems. Device querying goes beyond passive monitoring, actively engaging with OT devices to extract detailed information and gain real-time insights. By leveraging this transformative technique, organisations can bridge the visibility gap, bolster cybersecurity posture, and enhance operational efficiency.

Why is device querying necessary for OT security?

Device querying plays a crucial role in enhancing OT security by addressing two fundamental challenges. Firstly, it provides a solution to the limited visibility into sections of the network that are not actively monitored. This comprehensive visibility allows security teams to discover assets that passive monitoring never sees, so that previously unknown assets can be identified and assessed.

Secondly, device querying enables security teams to obtain all necessary information to understand the state and level of risk associated with each device within the OT environment. By actively engaging with devices and querying for specific information, security teams can assess device configurations, software versions, and potential unauthorised code changes. Armed with this knowledge, teams can effectively manage vulnerabilities, maintain secure configurations, and swiftly detect any unauthorised alterations. Device querying enhances the overall security posture of the OT network by enabling timely and targeted responses to potential threats, reducing the risk of operational disruptions, and ensuring the integrity and safety of critical infrastructure.

There’s no need to fear device querying

Device querying should not be feared: it offers numerous benefits and can be implemented in a controlled and cautious manner. Concerns about potential disruptions in operations can be mitigated through proper planning and coordination. Device querying can be scheduled during maintenance windows or plant shutdowns, minimising any impact on daily operations. Timing querying activities strategically reduces the perceived risk to an acceptable level while still delivering valuable insights into OT networks.

Institutional inertia and resistance to change among employees can also contribute to fears about potential operational disruptions caused by querying. These concerns can be addressed through comprehensive training and education initiatives that highlight the benefits and importance of device querying for OT security. By involving employees in risk/benefit analyses and decision-making processes, organisations can foster a culture of understanding and collaboration. This proactive approach helps to alleviate fears and build confidence in the use of device querying as a valuable tool for enhancing OT security, ultimately leading to a more robust and resilient operational environment.

How organisations can deploy device querying without disruptions

Organisations should follow a systematic and cautious approach to deploy device querying without disruptions. Firstly, thoroughly plan and test the querying process outside of the production environment, for example against spare or lab devices of the same make and firmware, to identify and address potential issues before implementation. This surfaces any unintended consequences, such as a device that responds poorly to a particular request, and allows them to be mitigated before production devices are ever queried.

Secondly, organisations can schedule device querying during maintenance windows or low-impact periods to minimise disruptions. Choose timeframes when system operations are less critical or are already scheduled for maintenance activities.

Device querying provides valuable insights into the OT network, including operating systems, firmware, configurations, and critical components. It delivers essential data on assets, vulnerabilities, and security risks, issuing meaningful alerts for detected changes. This proactive approach reduces false positives, improving security posture and mitigating cyber risk to safeguard critical operations.
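The two safeguards above (query only inside an agreed window) and the change alerting described here can be combined in a small reconciliation step. The following is an added example, not code from the article or from Tenable's product; the inventory, query responses and baseline are constructed sample data, and `ACTIVE_RESPONSES` stands in for whatever vendor-specific query a real deployment would issue.

```python
from datetime import datetime, time

# Constructed sample data: what passive monitoring saw. The second asset was
# seen on the wire but its traffic never allowed it to be identified.
PASSIVE_INVENTORY = {
    "10.0.1.10": {"vendor": "Vendor-A", "device_type": "PLC", "firmware": None},
    "10.0.1.11": {"vendor": None, "device_type": None, "firmware": None},
}
# Hypothetical replies from an active query of the same subnet (constructed).
# 10.0.1.12 never communicates, so only the query can reveal it.
ACTIVE_RESPONSES = {
    "10.0.1.10": {"vendor": "Vendor-A", "device_type": "PLC", "firmware": "2.3.1"},
    "10.0.1.11": {"vendor": "Vendor-B", "device_type": "RTU", "firmware": "1.0.7"},
    "10.0.1.12": {"vendor": "Vendor-A", "device_type": "HMI", "firmware": "5.1.0"},
}
# Last approved firmware revision per asset (constructed baseline).
BASELINE_FIRMWARE = {"10.0.1.10": "2.3.0", "10.0.1.11": "1.0.7"}
# Agreed maintenance window in which active querying is permitted (same-day
# start/end; windows that cross midnight would need splitting into two).
MAINTENANCE_WINDOWS = [(time(22, 0), time(23, 59, 59))]


def in_maintenance_window(now: datetime, windows=MAINTENANCE_WINDOWS) -> bool:
    t = now.time()
    return any(start <= t <= end for start, end in windows)


def reconcile(now, passive=PASSIVE_INVENTORY, responses=ACTIVE_RESPONSES,
              baseline=BASELINE_FIRMWARE):
    """Merge the passive view with active query results and return
    (inventory, alerts). Outside the window nothing is queried, so the
    function is safe to run on a timer."""
    if not in_maintenance_window(now):
        return {ip: dict(v) for ip, v in passive.items()}, \
            ["query skipped: outside maintenance window"]
    inventory = {ip: dict(v) for ip, v in passive.items()}
    alerts = []
    for ip, reply in responses.items():
        if ip not in inventory:  # asset passive monitoring could not see
            alerts.append(f"{ip}: asset found by query but never seen passively")
            inventory[ip] = {}
        # Active data fills the gaps passive identification left behind.
        inventory[ip].update({k: v for k, v in reply.items() if v is not None})
        expected = baseline.get(ip)
        if expected is None:
            alerts.append(f"{ip}: no baseline firmware, add to approved list")
        elif reply["firmware"] != expected:
            alerts.append(f"{ip}: firmware {expected} -> {reply['firmware']}, "
                          "verify the change was authorised")
    return inventory, alerts
```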

The simple fact is that both passive monitoring and device querying are necessary to ensure complete coverage of any Operational Technology environment.


News From

Tenable