Traditionally, operational technology (OT) networks were architected almost entirely separate from information technology (IT) networks. As digital transformation efforts within organizations began to include the OT network infrastructure, these networks shifted to a more interconnected architecture, enabling cyber threats to reach beyond the traditional IT assets. Now cybersecurity teams are tasked to secure and manage networks that traverse their entire organization, requiring operational visibility to cover a wider variety of OT and IT devices on their networks.
This challenge impacts teams working to bridge the gap between legacy control system equipment and modern IT the most. Legacy ICS/OT networks were designed primarily with reliability in mind, not necessarily transferring data to a monitoring destination. So a common situation industrial teams are faced with when adding a security or asset inventory solution to a legacy system, is where to access the packets.
Most companies are deploying modern security systems like threat detection and asset visibility despite not having the budget to upgrade their entire infrastructure to update to new security frameworks and standards.
In part 1 of our 3 part ICS Village blog and video series on gaining visibility into your critical infrastructure, including aggregating distributed networks and deploying proof of concept solutions, we are going to review how to overcome legacy equipment challenges.
How to Add Asset Visibility to Your Legacy Environment
For organizations looking to improve visibility into level one and level two PERA model (Purdue Enterprise Reference Architecture), there are two options to access packet visibility – SPAN/mirror ports on a switch or a network TAP. When attempting to integrate security solutions within legacy environments that are 7, 10, or even 15 years old, challenges include unmanaged switches that do not have SPAN ports available, outdated cabling media, and unmodifiable infrastructure configurations.
Unmodifiable infrastructure configurations? This is a typical response we hear that is related to the networking infrastructure. Often, the switchgear does not have enough system resources to enable SPAN, or the OEM / system integrator prevents the organization from making any changes due to potential safety or reliability concerns.
In these situations, adding plug-and-play network TAPs and traffic aggregation allows the legacy infrastructure to remain in the original configuration to continue safe and reliable operations while providing the packet visibility needed to manage and secure assets without making device modifications.
The diagram below visually represents a basic legacy OT architecture scenario with either unmanaged switches (no SPAN option) or managed switches that lack the resources to support SPAN capabilities. By deploying network TAPs designed to support 10M/100M/1G between the two network segments, security solutions can now receive the data necessary for adequate asset inventory, vulnerability management, and threat detection in a single application, making cybersecurity secure teams more effective.
For new asset visibility, threat detection, vulnerability management, and response platform installations – as you can see on the image below from the Dragos Platform, no assets or communication paths are mapped. From a PERA model perspective, the sensor components of the solution are deployed at level three while another sensor is sitting down at level two. Consistent with the legacy infrastructure challenges, there is no option for gaining visibility into the network or the systems that are communicating inside that zone.
After deploying network TAPs between the two network segments, it replicates all traffic out of a single port, securely delivering it to the security sensor. As you can see in the image below, we can now see asset and communication details thanks to the network TAPs providing packet visibility, allowing teams to achieve complete asset visibility without modifying the switch configurations.
The improved asset and communication visibility means OT teams can now compare total asset counts, IP addresses, communication mappings, and more, helping to build a trusted baseline of what ports and protocols the systems use to communicate over the network infrastructure. The next step in their journey will be to analyze any notifications from the security solution for potential threats.
Having this level of visibility is an essential step for legacy networks. It helps an organization move from having minimal visibility, using static diagrams that catalog what assets exist and how they are supposed to communicate, and simply trusting what the OEM or system integrator has implemented. To now having a checks and balances system in place with the capability to obtain visibility from those different legacy network devices, understand communication paths, establish a trusted baseline, and set up notifications if changes occur outside of standard operating parameters, procedures, or time windows.
Next (2 of 3) in the blog and video series, we will review how to aggregate traffic in a distributed network and deploy network TAP solutions in a proof of concept to compare multiple security solutions simultaneously.
Watch the ICS Village demonstration ‘Overcoming Legacy Equipment Challenges To Gain Visibility Into Your Critical Infrastructure’
Want more information?
Click here to watch the full ICS Village demo ‘Gaining Visibility Into Your Critical Infrastructure.’ Or explore the Dragos and Garland Technology solution brief here.