The Opportunity for OT Security Teams to Fill the Gaps in Their Visibility Has Never Been Better
Most experienced security professionals have heard the axiom, “You can’t protect what you can’t see.” It’s admittedly a truism for cybersecurity… obviously the more you know and understand about your environment, the better equipped you are to detect and investigate suspicious behavior. But it also leads to a classic security conundrum: how do you implement discovery and monitoring in your environment while preserving operational stability? That question has driven a long-running debate in security circles, active vs. passive scanning: which approach is better for endpoint discovery and anomaly detection? Veteran security professionals are well-acquainted with the two options, but I frequently speak with operational personnel who are less familiar with them and primarily concerned with the potential negative impact on the operational technology (OT) process, so I’ll provide a very brief explanation:
Passive monitoring silently analyzes network traffic through a span port or tap to identify endpoints and traffic patterns. It creates no additional network traffic and has virtually no risk of disrupting critical processes by interacting directly with endpoints. However, passive monitoring can take more time to collect asset data as it must wait for network traffic to be generated to or from each asset to create a complete baseline profile. Also, in some cases, span ports are not available in all areas of the network which can limit the ability to passively monitor traffic across the entire OT environment.
Active monitoring works by sending test traffic into the network and polling endpoints with which it comes into contact. Active monitoring can be very effective in gathering basic profile information such as device name, IP and MAC address, NetFlow or syslog data, as well as more granular configuration data such as make and model, firmware versions, installed software/versions and OS patch levels. By sending packets directly to endpoints, active scanning can be faster in collecting data, but this also increases the risk of endpoint malfunction by pushing incompatible queries to them or saturating smaller networks with traffic. And active scanning typically does not monitor the network 24/7, so it may not detect transient endpoints or devices in listen-only mode.
Coming out of The Lost Decade, as industrial enterprises became more focused on securing their OT environment, they began to explore ways to develop better insight into what they needed to protect. Visibility into their industrial control system (ICS) endpoints was historically poor and security risks were increasing, so the need was clear. Initial efforts to use IT-centric active discovery technologies on ICS networks were largely a disaster. The lack of support for the wide variety of proprietary protocols found on the shop floor made these solutions ineffective, and some caused costly disruptions in production lines. ICS assets such as programmable logic controllers (PLCs) and safety instrumented systems (SISs), particularly legacy equipment, can be very sensitive to active scanning activity, and can become overwhelmed by multiple network queries or malfunction due to unexpected communication protocols.
As OT security solutions began to develop, we saw both active and passive technologies emerge, along with the same old debates about which approach was more effective for endpoint discovery and monitoring. But for operations teams, the potential for disruption and downtime caused by actively crawling the OT network was a non-starter, so security teams largely erred on the side of caution and went the route of passive scanning. They may not always get the level of endpoint detail they want, but disrupting the revenue-generating processes on these operational networks was a cardinal sin, and likely an express ticket to the unemployment line.
More recently, we’ve seen the discussion moving away from an active vs. passive debate to one seeking a more balanced approach that integrates the right mix of detection technologies to achieve both broad and granular asset discovery while minimizing the risk of disrupting endpoint and network performance.
And as OT security solutions have continued to mature, the industry is better able to meet this need. The top asset discovery and monitoring solutions now blend elements of both active and passive technologies to maximize visibility into the ICS environment and enable OT security teams to deploy the right approach for each network segment. The best of these solutions also incorporate fail-safe technologies to reduce the risk of disruption. One example is reducing the risk of an endpoint malfunction by passively monitoring the network and mapping which firmware versions and which communication protocols are present before sending active queries to gather more granular data. Another is the ability to limit the number of concurrent queries to avoid overloading lower-bandwidth OT networks.
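To make the passive-first, fail-safe-active sequence concrete, here is an added example that is not part of the original article or of any vendor's product. It builds an asset table from constructed flow records of the kind a sensor on a SPAN port would summarize (the passive monitoring described above), then plans active follow-up queries only for protocols the asset was actually seen speaking and that appear in a vetted "safe to query" table, in batches capped at a concurrency limit. The flow records, the `SAFE_ACTIVE_QUERIES` table, the `MAX_CONCURRENT` value and the function names are all assumptions made for the illustration; the planner produces a plan and sends nothing.

```python
"""Passive baseline first, fail-safe active follow-up second.

Added example, not code from the original article. All inputs below are
constructed; the safe-query table stands in for a vendor's tested
compatibility data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed passive observations, one per summarized flow:
# (src_ip, src_mac, dst_ip, dst_port, protocol_hint)
# protocol_hint is the label a passive protocol dissector would assign.
FLOWS = [
    ("10.10.1.5",  "00:1d:9c:aa:01:05", "10.10.1.20", 44818, "enip"),    # HMI -> PLC
    ("10.10.1.5",  "00:1d:9c:aa:01:05", "10.10.1.21", 502,   "modbus"),  # HMI -> RTU
    ("10.10.1.30", "00:80:f4:bb:01:30", "10.10.1.20", 44818, "enip"),    # EWS -> PLC
    ("10.10.1.21", "00:0c:29:cc:01:21", "10.10.1.5",  502,   "modbus"),  # RTU -> HMI
    ("10.10.1.40", "00:50:c2:dd:01:40", "10.10.1.5",  20000, "dnp3"),    # outstation -> HMI
    ("10.10.1.50", "00:50:c2:dd:01:50", "10.10.1.5",  102,   "s7comm"),  # legacy PLC -> HMI
]

# Assumption: protocols for which a read-only identification query has been
# vetted against the device class. Anything not listed is never queried.
SAFE_ACTIVE_QUERIES = {
    "modbus": "Modbus Read Device Identification",
    "enip": "EtherNet/IP ListIdentity",
}
MAX_CONCURRENT = 2  # assumption: cap chosen for a low-bandwidth cell segment


@dataclass
class Asset:
    ip: str
    mac: Optional[str] = None
    protocols: Set[str] = field(default_factory=set)
    talked_to: Set[str] = field(default_factory=set)
    flows_seen: int = 0


def passive_baseline(flows) -> Dict[str, Asset]:
    """Build the asset table from observed flows only; no packets are sent.

    A device that only ever appears as a destination is still recorded, but
    without a MAC, which is exactly the kind of gap passive-only collection
    leaves behind.
    """
    assets: Dict[str, Asset] = {}
    for src_ip, src_mac, dst_ip, _dst_port, proto in flows:
        src = assets.setdefault(src_ip, Asset(src_ip))
        dst = assets.setdefault(dst_ip, Asset(dst_ip))
        src.mac = src_mac  # only the sender's MAC is carried in this record
        for asset in (src, dst):
            asset.protocols.add(proto)
            asset.flows_seen += 1
        src.talked_to.add(dst_ip)
        dst.talked_to.add(src_ip)
    return assets


def plan_active_queries(
    assets: Dict[str, Asset],
    safe_queries: Dict[str, str],
    max_concurrent: int,
) -> Tuple[List[List[Tuple[str, str, str]]], Dict[str, List[str]]]:
    """Plan active queries gated by the passive baseline.

    Returns (batches, skipped): batches of at most max_concurrent
    (ip, protocol, query) tuples, and the assets left alone because none
    of the protocols they were seen speaking has a vetted query.
    """
    eligible: List[Tuple[str, str, str]] = []
    skipped: Dict[str, List[str]] = {}
    for ip in sorted(assets):
        asset = assets[ip]
        vetted = sorted(p for p in asset.protocols if p in safe_queries)
        if not vetted:
            skipped[ip] = sorted(asset.protocols)
            continue
        for proto in vetted:
            eligible.append((ip, proto, safe_queries[proto]))
    batches = [
        eligible[i:i + max_concurrent]
        for i in range(0, len(eligible), max_concurrent)
    ]
    return batches, skipped


if __name__ == "__main__":
    table = passive_baseline(FLOWS)
    batches, skipped = plan_active_queries(table, SAFE_ACTIVE_QUERIES, MAX_CONCURRENT)
    for ip, asset in sorted(table.items()):
        print(f"{ip:12} mac={asset.mac or '?':18} protocols={sorted(asset.protocols)}")
    for n, batch in enumerate(batches, 1):
        print(f"batch {n}: {batch}")
    print("left alone:", skipped)
```

Run as a script it prints the passive table, the query batches and the assets that were left alone. The two fail-safes the text describes are the two gates in `plan_active_queries`: the protocol filter means a device seen only speaking an unvetted protocol is never touched, and the batch size bounds how much active traffic hits a segment at once.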
The point here is that the opportunity for OT security teams to fill the gaps in their visibility and safely implement endpoint discovery, monitoring and management has never been better. Certainly, there is no “one-size-fits-all” solution and security teams must stay aligned with their operations counterparts to understand the specific requirements and limitations of their various OT network segments. But the options today really leave no reason for asset owners to not see what they have to protect.