The POWER Podcast

43. Using Extreme Visibility to Protect Industrial Control Systems - Dave Weinstein


What does it mean to have “extreme visibility” in an operational technology (OT) environment? According to Claroty, a New York-based company that offers cybersecurity products for industrial control systems, it’s having the ability to see all assets on a network, knowing what they are, and understanding what functions they perform. The company says the more organizations know about their OT network assets, the better equipped they will be to detect and investigate suspicious behavior.
“In order to really understand how to protect these networks, you really have to have your finger on the pulse of the threat landscape,” Dave Weinstein, Chief Security Officer with Claroty, said as a guest on The POWER Podcast.
“With respect to industrial control systems, nation-state actors continue to monopolize, if you will, the threat landscape. That is to say that the barriers to entry are sufficiently high enough at this point to prevent your average script kiddie or high school hacker from doing serious damage to, for example, the electrical grid,” Weinstein said. “But our observation is that those barriers to entry that I referred to are slowly but surely falling to the point where in the next couple of years we may start to see non-state actors penetrate this threat landscape, which of course is a troubling scenario because it’s much more difficult if not impossible to deter non-state actors.”
Weinstein said one of the main factors contributing to increased cyber risk is that OT networks, which have historically been isolated from the internet, are increasingly connected by way of corporate IT networks.
“Our assessment is that it’s only going to grow more connected with time, which compels organizations to think really proactively about how to deal with this phenomenon,” Weinstein said. “Quite frankly, the first step is gaining really deep visibility of the assets on the OT side of the house. What once was a trusted network can no longer be trusted,” he said.
Most of the traffic on OT networks involves machine-to-machine communications. That can actually be beneficial when it comes to threat detection. “When you’re dealing with industrial control systems, they are communicating in highly predictable ways. It’s repeatable. There are lots of patterns. Deviations from those patterns are typically indicative of either a malicious threat or some sort of operational anomaly,” Weinstein said.
“We perform something called deep-packet inspection on all the network’s communications. And by doing that, we’re able to—at a very granular level—understand the communications between all these devices and parse their protocols,” said Weinstein. The result is that end-users get the information needed to better understand security and operational events, so they can perform actions to mitigate risks.
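A minimal sketch of the baseline-and-deviation idea described above, added here as an illustration and not taken from Claroty or the podcast. It assumes Modbus/TCP as the protocol being parsed (the episode names none); the addresses and frames are constructed sample data.

```python
import struct

def parse_modbus_tcp(payload):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP ADU, else None."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id and the PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

class Baseline:
    """Learns (src, dst, unit, function) tuples, then flags anything outside them."""
    def __init__(self):
        self.peers = set()    # (src, dst) pairs seen while learning
        self.flows = set()    # (src, dst, unit, function) seen while learning

    def learn(self, src, dst, payload):
        parsed = parse_modbus_tcp(payload)
        if parsed:
            self.peers.add((src, dst))
            self.flows.add((src, dst, *parsed))

    def check(self, src, dst, payload):
        """Return None for baseline traffic, or a short reason string."""
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            return "malformed"
        if (src, dst) not in self.peers:
            return "new-peer"
        if (src, dst, *parsed) not in self.flows:
            return "new-function"
        return None

def adu(tid, unit, func, data=b""):
    """Build a constructed sample Modbus/TCP frame (hypothetical helper)."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, func) + data

# Constructed sample traffic: an HMI polling holding registers on a PLC.
HMI, PLC, OTHER = "10.0.0.5", "10.0.0.20", "10.0.0.99"
ARGS = struct.pack(">HH", 0, 10)              # two 16-bit request fields
baseline = Baseline()
for tid in range(1, 4):
    baseline.learn(HMI, PLC, adu(tid, 1, 3, ARGS))   # function 3: read registers

if __name__ == "__main__":
    print(baseline.check(HMI, PLC, adu(4, 1, 3, ARGS)))        # poll seen before
    print(baseline.check(HMI, PLC, adu(5, 1, 6, ARGS)))        # write never seen
    print(baseline.check(OTHER, PLC, adu(6, 1, 3, ARGS)))      # unknown talker
    print(baseline.check(HMI, PLC, adu(7, 1, 3, ARGS)[:-2]))   # truncated frame
```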
The POWER Podcast, by POWER