CISO Series: Detecting Threats in OT Environments

As I discussed at length in my previous blog post, having real-time, granular visibility into operational (OT) assets, networks, and processes is critical to identifying and protecting against cyber threats to your organization’s industrial environments. That being said, in order to leverage this visibility to mitigate OT cyber risk, you must also be able to quickly and accurately identify threats.

As with visibility, IT security teams face some OT-specific challenges when tasked with detecting threats within industrial environments:

 

Incompatibility with Traditional Tools

A substantial barrier to accurate threat detection in industrial environments is OT equipment’s use of proprietary, vendor-specific protocols that cannot be deciphered by  traditional threat detection tools. Nevertheless, many organizations persist in their efforts to deploy traditional IT threat detection tools in OT environments. As a result, security teams that attempt to use traditional IT tools to detect threats in their OT environment tend to be inundated with false positives and negatives, exacerbating challenges such as alert fatigue, while doing little to help protect the OT environment while giving a false sense of risk reduction.

Size and Complexity of OT Environments

While establishing a clearly defined behavioral baseline for all assets and OT processes is essential for identifying anomalies that could indicate threats, doing so is also typically resource-intensive given the vast size, complex composition, and visibility limitations common to OT networks. Complicating matters further, OT assets can have a useful lifespan that lasts several decades. Because of this long lifespan, most OT assets lack the security features we take for granted on IT assets. 

IT-OT Convergence

Digital transformation of industrial infrastructure has led to increased interconnectivity between IT and OT environments. And while this IT-OT convergence yields many benefits and efficiencies, it also introduces the dynamic, ever-changing world of IT cyber threats to OT networks, which had historically been isolated from such threats. Enabled by poor segmentation between IT and OT environments, there has been a rise in incidents where malware is able to spread easily to OT networks after infecting an organization’s IT network.

Sophisticated Adversaries

Given their critical economic purpose and predisposition to inadequate security, OT networks tend to be highly desirable targets for nation-state adversaries and advanced persistent threat (APT) groups—both of which are known for leveraging zero-day or unknown tactics in highly advanced, targeted attacks. In short, OT networks are critical, therefore valuable. And since most threat detection solutions are not capable of dissecting—and thus understanding—proprietary protocols within the OT environment, , these advanced adversaries could potentially wage an under-the-radar attack.

Limited Intelligence Resources

Threat intelligence is essential for OT threat detection. But the vast majority of this intelligence is geared toward IT network security, and signatures and IoCs aren’t always readily available for OT threats. Moreover, since OT cyber threats tend to behave differently than their IT counterparts, IT-focused cyber threat intelligence is often of limited use for defending OT environments. Together, these factors pose significant barriers to timely and actionable access to threat intelligence in a timely manner.

 

Continuous Threat Detection: The Foundation of the Claroty Platform

At Claroty, we understand the importance of overcoming these challenges in order to quickly identify and prioritize threats, to the extent that we’ve made Continuous Threat Detection (CTD) the foundation of the Claroty Platform. CTD leverages the following five detection engines:

 
  • Anomaly Detection: The Anomaly Detection engine identifies any changes in communication patterns. Based on CTD’s Deep Packet Inspection (DPI), this engine pinpoints any kind of unusual behavior, from different code functions being used by human-machine interfaces (HMI) to specific tag names or values.
  •  
  • Security Behaviors: The Security Behaviors engine identifies known techniques that have been used by attackers. It includes OT-specific security patterns, such as TAG/address scan or OT man-in-the-middle (MITM) attacks, in addition to IT-specific security patterns.
  •  
  • Known Threats: Powered by SNORT and YARA Rule engines, the Known Threats engine is equipped with an expansive database of known signatures and IoCs provided by Team82, Claroty’s research and development arm. It equips threat hunters and incident responders with the context needed to detect and prevent targeted attacks early in the kill chain and mitigate the consequences of malware infections.
  •  
  • Operational Behaviors: The Operational Behaviors engine identifies OT operations, including configuration download/upload, change mode, key state change and firmware upgrade, that occur in the network, over both proprietary and open-source protocols.
  •  
  • Custom Rules: The Custom Rules engine is responsible for detecting and identifying user-defined specific events, including out-of-range values or specific communications that users would like to be notified of.
  •  

When it comes to detecting threats, speed and precision are crucial to risk reduction. To weed out overwhelming and distracting false positives, CTD generates a nuanced baseline of typical behavior within your network. This allows security teams to rapidly identify and mitigate the threats that matter most, from anomalies to known and zero-day threats.

 

To learn more about how Claroty can deliver comprehensive security for OT environments, request a demo.