Operational Technology (OT) Network and Physical Layer Monitoring: Why It Matters
When it comes to securing Operational Technology (OT) environments, organizations consider several functions of an OT security solution, such as: how can it manage vulnerabilities? How can it meet regulatory compliance? How can it provide deeper visibility into the OT environment to ensure operational safety, reliability and efficiency?
However, OT cybersecurity cannot be approached with a one-size-fits-all solution. Because of the complexity of the cyber threat landscape, OT security requires a collaborative effort where multiple OT security vendors work together to address the wide range of threats and challenges that cannot be adequately tackled by a single solution alone.
Let's look at network and physical layer monitoring tools. A network monitoring tool, such as a Network TAP and Deep Packet Inspection (DPI), offers several benefits, including real-time network monitoring, instant asset inventory and the ability to detect anomalies and potential threat activity. While these tools can address certain challenges in OT security, they do not tackle the challenges related to the physical system layer, such as configuration change management, interoperability and obsolescence. On the other hand, a physical layer monitoring tool is capable of addressing those specific challenges that a DPI solution cannot.
It's important to note that these solutions are not in direct competition with each other, but rather complement each other, creating a synergistic approach to securing OT environments.
Before we dive deeper into the importance of having both solutions in your environment, let’s first look at some of the OT security challenges organizations face.
OT Security Challenges
The OT cyber threat landscape is riddled with 0-day/N-day vulnerabilities, OT malware, ransomware, insider threats and the dark web proliferating and streamlining notorious cyber-attacks on critical infrastructure. While there are continuous attempts to address these threats to safeguard critical assets, it comes with its own challenges:
• Asset Inventory: Older critical infrastructure systems may have limited or outdated documentation regarding the assets present in the network environment. Over time, records may have been lost, not properly maintained or not accurately updated, making it difficult to have an accurate inventory of assets.
• Vulnerability Management: OT and Industrial Control Systems (ICS) have long lifecycles and legacy components, which may not receive regular security updates or patches. This presents a challenge because these systems are designed to run continuously without disruption, meaning that they cannot easily be taken offline for patching or updates.
• Configuration Change Management: OT systems may use different proprietary protocols and configurations that lack industry-wide standardization, which makes it challenging to develop unified processes and tools for configuration change management, as each system may have different requirements and procedures.
• Risk Management: risks. The complex nature of systems spanning multiple networks, protocols, and Original Equipment Manufacturers (OEMs), creates difficulties in identifying, evaluating and managing potential risks.
• Incident Response (IR): Organizations often face challenges in incident response due to the lack of real-time visibility into the status of OT systems. This includes deficiencies in asset inventory, configurations and ongoing activities, which consequently impede incident forensics efforts.
• Backup and Recovery: Given the above OT security challenges, organizations struggle to maintain a real-time understanding of the state of their OT infrastructure, hindering their ability to perform backups and plan for recovery effectively.
Monitoring OT Environments
Having a clear understanding of the Purdue Model, the placement of OT assets within the model and the extent of visibility provided by each monitoring solution is crucial in recognizing the capabilities of these two monitoring approaches.
Let’s do a quick overview of the Purdue Model, which categorizes different levels in an ICS architecture (Figure 1). At Level 0, there are physical devices such as sensors and actuators. Level 1 encompasses control devices like PLCs, DCS, and RTUs. The monitoring process takes place at Level 2, where the Supervisory Control and Data Acquisition (SCADA) system is located. The DMZ is situated at Level 3, while Level 4 and 5 involve enterprise and cloud systems.
Figure 1. OT security solutions’ visibility of assets per the Purdue Model
Communication between Level 1-0 devices occurs through the network, so a DPI tool can observe this communication. However, the tool may not have visibility into asset information that is not actively communicating over the network. In such cases, detailed device data must be extracted from configuration files using a physical layer security solution.
To delve into this topic further, let's start by providing an overview of network monitoring and physical layer monitoring methods, as well as the associated benefits and challenges.
Network Monitoring
Network monitoring involves continuously observing and analyzing network traffic to identify abnormal behavior, potential intrusions, or other security incidents. By monitoring network traffic, organizations can detect and respond to various cyber threats, such as malware infections, unauthorized access attempts, or data exfiltration.
Network monitoring can be either passive or active:
• Passive (Network TAP and DPI): Similar to a phone TAP where someone can listen in on a phone conversation without interjecting, a network TAP is passive and does not interject into the network traffic. Once the network traffic is copied, a Deep Packet Inspection is conducted on the network packets to identify the assets communicating on the OT network and conduct further analysis. In short, the TAP is used to gather data, and DPI is used to analyze the data, which creates a passive network monitoring solution for OT environments.
The Benefits of passive network monitoring is that it is non-evasive, provides basic information about the OT systems on the network relatively quickly, can detect anomalies associated with threat activity, and can even block malware or prevent data from being exfiltrated. Challenges to this type of solution, however, is that it has limited visibility into some OT assets that reside at level 1-0 of the Purdue Model. Some of these systems are legacy and/or are islanded, or disconnected, from the network and does not use the OT network to communicate.
• Active (Active Queries): While a passive solution takes copies of ongoing network traffic, an active solution is able to send a request or command to a device via the OT network, requesting additional information that may not be regularly communicated on the OT network. As the limitations of passive network monitoring solutions become better understood, there’s a growing market acceptance of utilizing active querying to achieve deeper visibility.
The benefits to active querying are that it can collect information beyond passive network monitoring and can even be used to supplement current DPI solutions. Some considerations for active querying are ensuring vendors are crafting queries in a way that does not disrupt the asset, limiting the number of queries being sent to not overwhelm the network, and ensuring the solution does not violate any OEM vendor warranties.
Physical Layer Monitoring
Monitoring the physical layer provides an extra level of visibility within the OT environment that network monitoring solutions cannot achieve. By having visibility into the physical environment, organizations can observe configuration changes made directly on the devices. This capability is especially valuable for supporting isolated, transient and air-gapped assets commonly found in OT environments, given the prevalence of legacy systems integrated into the environment.
Hexagon’s PAS Cyber Integrity® achieves this by pulling asset information from the backup configuration files. This method does not violate vendor warranties or interfere with the OT network, while establishing a trusted restore point from backups.
Now, let’s talk about why it’s important to encompass both solutions in your OT environment.
Why It Matters
Network monitoring and physical layer monitoring offer distinct approaches to OT security, but their combination provides organizations with complementary data attributes that can greatly benefit them.
For example, monitoring the OT network alone may overlook a malicious insider making configuration changes to a PLC on the plant floor. On the other hand, relying solely on physical environment monitoring may not be sufficient to detect intrusion attempts or malware on the OT network. Therefore, incorporating both network monitoring and physical layer monitoring solutions is essential to achieve comprehensive visibility into the security and reliable operations of OT systems.
Conclusion
By leveraging network monitoring, organizations can efficiently detect threat activities, manage vulnerabilities and acquire instant asset inventory information. In parallel, physical layer monitoring enables deeper insight into asset inventory by identifying islanded/legacy systems, highlighting redundancies and eliminating obsolete or underutilized assets. This integrated approach forms a powerful and comprehensive solution that can yield significant cost savings, improved productivity, better resource allocation, efficient operations and overall security of OT environments.
Ready to learn more? Discover What's New in OT/ICS Cybersecurity.