Security Experts:

Building a Successful OT SOC

OT Environments Need Security Monitoring that Provides Enhanced Visibility and Traceability Into OT Systems

As manufacturing ramps up digital transformation strategies to be more competitive, factories are now adding more sensors and connected devices than ever before. However, with increased connectivity comes increased risk. New and rapidly evolving threats are taking advantage of vulnerable operational technology (OT) systems to not only steal information, but to cause panic and chaos. Thus, as the OT environment evolves, security is key to thwarting attacks with the potential to cause large and costly disruptions.

The OT Security Threat

In order to adequately secure the OT environment, you first need to understand it. From a security perspective, both IT and OT systems are vulnerable to similar threats — botnets, script kiddies, viruses and other malware. The key difference between the two environments, however, has to do with human safety. OT is about the interaction between computerized devices and the outside world, such as traffic lights, the electrical grid, water systems and other critical infrastructure. So, while an OT environment has fewer exposure points than IT (i.e., less workstations, fewer integrations with cloud servers and fewer public facing web components), the ones it does have require more protection. And whereas an attack on IT infrastructure can result in costly data theft and reputation loss, an attack on industrial systems has the potential to cause widespread disruption and panic. Or even put people’s lives at risk.

If you think these threats are the stuff of a Hollywood disaster movie, think again. Sophisticated attackers launched a successful attack against the Ukrainian power grid in December 2015 sourced to the Russia-based BlackEnergy malware family, shutting down portions of its capital Kiev that represents about 20 percent of its total power capacity. 

Despite the potential for devastating attacks, OT environments often have gaping deficiencies when it comes to security defenses. The reason? With non-negotiable production deadlines, safety standards and financial metrics to meet, the overwhelming priority in manufacturing is availability and safety — keeping the systems running and the environment safe at all costs — not security. That means that in the event of a cyberattack, it’s unlikely that operators will close firewall ports, reboot servers or otherwise slow production, as the resulting financial losses and potential safety hazards would be more devastating than the risk posed by the threat itself.

Securing the OT Environment

There is some good news, though. While threats targeting OT environment become more numerous and sophisticated, there are multiple steps manufacturers can take to reduce risk of compromise and attack.

Perhaps not surprisingly, ensuring a successful security operations center (SOC) starts with the people. Security personnel need to know the differences between an OT and an IT environment, and the security defenses each will require, with the ability to answer three basic questions:

• What’s in your OT environment?

• What is it doing?

• What are the vulnerabilities?

However, getting the right people to understand the security environment addresses only part of the problem. From a technology perspective, the OT environment will need security monitoring that provides enhanced visibility and traceability into OT systems. Among other things, OT environments will require technology that can capture information from routers and endpoint protection devices, which in turn, allow administrators to identify when an issue occurs and pinpoint its source.

And finally, while it may increase costs in the short term, manufacturers will eventually need to update aging and legacy systems — many of which are decades old and contain numerous vulnerabilities that leave the door wide open for attackers.   

Looking Ahead

Going forward, it’s likely that both OT and IT environments will converge into a larger, more integrated SOC, with more integrations between IT and OT teams. And as OT threats continue to rise, organizations will eventually be more receptive to adopting an SOC that incorporates OT security. This will pave the way for better threat intelligence, and allow for newer technologies that can understand industrial protocols and their workings. 

As more critical infrastructure is put online, the manufacturing industry will soon face a growing number of attacks aimed squarely at OT systems. We’ve already seen a rising tide of stealthy  threats targeting OT infrastructure vulnerabilities, and they’re not about to go away any time soon. Organizations that have the foresight to evolve their SOCs to accommodate a rapidly evolving OT security environment will likely beat the odds of falling victim to attacks down the road.

Learn More at SecurityWeek's ICS Cyber Security Conference

view counter
Seema leads product marketing for Splunk’s emerging markets group and is responsible for Splunk’s Internet of Things (IoT) and Business Analytics solutions. In this role, she works closely with Splunk customers to help them understand how valuable insights from machine data can be applied to solve real-world business problems. Prior to Splunk, Seema served in product marketing roles at DataStax, Birst, and Actuate (OpenText). She has a Bachelors in Engineering from the University of Pune, India and a Masters in Computer Science from USC. Please don’t ask her to do basic math.