As I discussed at length in my previous blog post, having real-time, granular visibility into operational technology (OT) assets, networks, and processes is critical to identifying and protecting against cyber threats to your organization’s industrial environments. That being said, in order to leverage this visibility to mitigate OT cyber risk, you must also be able to quickly and accurately identify threats.
As with visibility, IT security teams face some OT-specific challenges when tasked with detecting threats within industrial environments:
A substantial barrier to accurate threat detection in industrial environments is OT equipment’s use of proprietary, vendor-specific protocols that cannot be deciphered by traditional threat detection tools. Nevertheless, many organizations persist in their efforts to deploy traditional IT threat detection tools in OT environments. As a result, security teams that attempt to use traditional IT tools to detect threats in their OT environment tend to be inundated with false positives and false negatives. This exacerbates challenges such as alert fatigue, does little to actually protect the OT environment, and gives a false sense of risk reduction.
While establishing a clearly defined behavioral baseline for all assets and OT processes is essential for identifying anomalies that could indicate threats, doing so is also typically resource-intensive given the vast size, complex composition, and visibility limitations common to OT networks. Complicating matters further, OT assets can have a useful lifespan that lasts several decades. Because of this long lifespan, most OT assets lack the security features we take for granted on IT assets.
Digital transformation of industrial infrastructure has led to increased interconnectivity between IT and OT environments. And while this IT-OT convergence yields many benefits and efficiencies, it also introduces the dynamic, ever-changing world of IT cyber threats to OT networks, which had historically been isolated from such threats. Enabled by poor segmentation between IT and OT environments, there has been a rise in incidents where malware is able to spread easily to OT networks after infecting an organization’s IT network.
Given their critical economic purpose and predisposition to inadequate security, OT networks tend to be highly desirable targets for nation-state adversaries and advanced persistent threat (APT) groups—both of which are known for leveraging zero-day or unknown tactics in highly advanced, targeted attacks. In short, OT networks are critical, and therefore valuable. And since most threat detection solutions are not capable of dissecting—and thus understanding—proprietary protocols within the OT environment, these advanced adversaries could potentially wage an under-the-radar attack.
Threat intelligence is essential for OT threat detection. But the vast majority of this intelligence is geared toward IT network security, and signatures and IoCs aren’t always readily available for OT threats. Moreover, since OT cyber threats tend to behave differently than their IT counterparts, IT-focused cyber threat intelligence is often of limited use for defending OT environments. Together, these factors pose significant barriers to timely, actionable access to threat intelligence.
At Claroty, we understand the importance of overcoming these challenges in order to quickly identify and prioritize threats, to the extent that we’ve made Continuous Threat Detection (CTD) the foundation of the Claroty Platform. CTD leverages the following five detection engines:
When it comes to detecting threats, speed and precision are crucial to risk reduction. To weed out overwhelming and distracting false positives, CTD generates a nuanced baseline of typical behavior within your network. This allows security teams to rapidly identify and mitigate the threats that matter most, from anomalies to known and zero-day threats.
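To make the baseline idea concrete, here is an added example (not Claroty code, and not a description of how CTD works internally) of the simplest form of a behavioral baseline for OT communications: learn which asset pairs talk over which protocol and which operations they perform during a learning window, then flag deviations in later traffic. The asset names, protocol labels, operation names and both traffic windows are constructed for the example; in practice the operation field would come from a protocol-aware dissector, which is exactly what generic IT tools lack for proprietary OT protocols.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real traffic). Each tuple is one observed
# request: source asset, destination asset, protocol, and an operation label
# (for Modbus-style traffic, the function code name). Names are hypothetical.
LEARNING_WINDOW = [
    ("hmi-1", "plc-1", "modbus", "READ_HOLDING_REGISTERS"),
    ("hmi-1", "plc-1", "modbus", "WRITE_SINGLE_REGISTER"),
    ("hmi-1", "plc-2", "modbus", "READ_HOLDING_REGISTERS"),
    ("historian-1", "plc-1", "modbus", "READ_HOLDING_REGISTERS"),
    ("historian-1", "plc-2", "modbus", "READ_HOLDING_REGISTERS"),
    ("eng-ws-1", "plc-1", "s7comm", "READ_VAR"),
] * 3  # repeated to mimic a steady-state window of polling traffic

DETECTION_WINDOW = [
    ("hmi-1", "plc-1", "modbus", "READ_HOLDING_REGISTERS"),      # expected
    ("historian-1", "plc-1", "modbus", "WRITE_SINGLE_REGISTER"),  # read-only peer now writes
    ("it-laptop-7", "plc-2", "modbus", "READ_HOLDING_REGISTERS"), # asset never seen before
    ("eng-ws-1", "plc-1", "s7comm", "WRITE_VAR"),                 # new operation for this pair
]


@dataclass(frozen=True)
class Anomaly:
    kind: str      # "unknown_asset", "new_conversation" or "new_operation"
    record: tuple  # the offending (src, dst, protocol, operation) tuple


class CommunicationBaseline:
    """Learns who talks to whom, over what, doing what; flags anything else."""

    def __init__(self):
        self.assets = set()
        # (src, dst, protocol) -> set of operations observed for that conversation
        self.conversations = defaultdict(set)

    def learn(self, records):
        for src, dst, proto, op in records:
            self.assets.update((src, dst))
            self.conversations[(src, dst, proto)].add(op)

    def detect(self, records):
        """Return anomalies in order of severity per record: unknown asset first,
        then an unseen conversation, then an unseen operation on a known one."""
        anomalies = []
        for rec in records:
            src, dst, proto, op = rec
            key = (src, dst, proto)
            if src not in self.assets or dst not in self.assets:
                anomalies.append(Anomaly("unknown_asset", rec))
            elif key not in self.conversations:
                anomalies.append(Anomaly("new_conversation", rec))
            elif op not in self.conversations[key]:
                anomalies.append(Anomaly("new_operation", rec))
        return anomalies


def run_example():
    """Learn from the constructed window, then detect against the second one."""
    baseline = CommunicationBaseline()
    baseline.learn(LEARNING_WINDOW)
    return baseline.detect(DETECTION_WINDOW)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.kind:17s} {a.record}")
```

The point of the three anomaly kinds is triage: a never-seen asset talking to a controller is a different investigation from a known historian that suddenly issues a write, and a baseline keyed only on IP pairs (what a protocol-unaware tool could see) would miss the latter two cases entirely. A real deployment would also need to learn over a window long enough to cover maintenance activity, or the engineering workstation's occasional legitimate writes become the false positives the text warns about.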