In part three of my OT visibility series, we’ll review what next steps OT and ICS organizations are taking once they have a foundation of visibility with a TAP and aggregation fabric. If you haven’t read my previous posts, I suggest starting there for some background.
It really is industry best practice to utilize a TAP and aggregation fabric as your access method for network traffic. Once you have the necessary TAPs in place, it becomes easier to start working on improving monitoring, operations, and cybersecurity practices.
Companies typically start by looking to see what is on their network, aka performing an accurate asset inventory. It’s very common to talk to manufacturing companies who think they have 3,500 assets on their network, only to realize later on, once a joint solution like Garland Technology and Dragos are deployed, that they actually have 4,500 assets on their OT network. It may seem obvious that companies are first utilizing their visibility to find out what’s on the network. Still, with many of these OT facilities, it’s impossible to look in every nook and cranny and find every piece of hardware that may or may not be connected to the network. It’s not like in the traditional data center where everything is nicely rack mounted and in cabinets. While a facility may have a list of assets from their integrator who first set up the facility, these are often out-of-date and not trusted. So the easiest way to get an accurate asset inventory is to rely on what the network traffic is telling you. That’s why it’s so important to use TAPs as the visibility method since relying on SPAN ports will likely leave you with incomplete data.
Another way OT environments are using their increased network visibility is to validate their network segmentations. Most organizations follow the Purdue Model for their network segmentation, which creates a defensible architecture. As an operator, the Purdue Model ensures you can have visibility across everything, but for some reason, if an attack happened and someone gained access to the network, they would have trouble going from Level 2 to Level 3. When you have the proper visibility, you can make sure that no one is going from substation A to substation B directly, without going to the control center in between, where security permissions are reviewed.
Capacity planning is critical for all organizations, to allow and plan for growth, but in OT environments, capacity optimization is even more important. In most manufacturing environments, we rarely see networks that are saturated with traffic, running near full utilization. More often than not we see plants that have been online for 20, or 30 years running the same equipment. Their capacity hasn’t grown to a level where they need to update and make changes, but there certainly is a need to optimize the capacity so each production line and piece of equipment is working at an optimal level. In order to do this, you need to have full visibility into all of the assets in the network.
It’s important to be able to see everything that goes on in the network, to tie it back to a source and destination system, and validate that the expected behavior matches what is actually being observed. When an operator can trust the data, because it’s delivered by a Network TAP and is 100% complete, they can then use that data to perform risk assessments and implement other proactive cybersecurity measures.
Watch our latest roundtable webinar with Dragos where we discuss tactics and strategies for strengthening your ICS/OT visibility.