One of the most common questions we are asked at Splunk is how we work together with technologies like Industrial Defender. The discussion normally revolves around what it really means to protect and secure an operational technology (OT) environment. While in some cases individuals may be focused on OT equipment like programmable logic controllers (PLCs), remote terminal units (RTUs) or safety instrumented systems (SIS), it is just as important to monitor the surrounding IT and OT infrastructure and systems. Without visibility into these environments it is nearly impossible to know how to secure the OT system as a whole.
The primary focus of most OT environments is running a process safely and reliably. The introduction of new technologies can directly affect the safety and reliability of these systems, as has been shown in the past. For example, scanning software has been shown to negatively affect PLCs, supervisory control and data acquisition (SCADA) systems and other equipment.
In some cases, scanning technology has resulted in system instability, causing devices to go offline and, in the worst case, rendering them inoperable. As a result, many OT operators focus on system hardening to keep malicious actors outside the system, but most have limited visibility into the OT environment itself. If an organization is going to secure its OT environment, it is essential that operators have visibility not only at the perimeter, but also within the infrastructure and the OT devices themselves.
Why contextual data is important
Traditionally, safety and reliability have been considered the key pillars of OT environments, while security has been an afterthought. The mixture of legacy and modern technology makes security even more challenging when you are running an OT system that was likely put into production during an era when cybersecurity was not even a consideration. However, with the introduction of new technologies, the ability to gain insight into, harden, baseline and monitor OT systems is now possible in many real-life production environments.
At the same time, it is important that operators gain visibility by leveraging existing enterprise security investments to centralize monitoring of their OT environments. Unfortunately, adding more data can create obstacles due to the volume and variety of that data. To filter this data into actionable insights, technologies like security information and event management (SIEM), security orchestration, automation and response (SOAR) and user behavior analytics can be applied, but access to contextual data is vital when using these tools for incident response in OT environments.
Information such as the site, asset owner, operational status and asset type all can directly affect who needs to be involved in an incident response, as well as what kind of response is possible. Integrating the alerts, vulnerabilities and asset information into Splunk using a technology like Industrial Defender helps security analysts not just understand when a potential incident may be occurring, but also have the necessary contextual information to respond to a security incident.
How contextual data can help in SOAR
SOAR is a group of technologies used to automate parts of the security investigation process. SOAR is often adopted because of the large number of alerts that security operations center (SOC) teams receive daily, which are time-consuming, often repetitive and could be automated. By automating common scenarios, incident response teams can focus on critical issues that require their expertise. Common responses using SOAR technologies include actions such as disabling accounts, blocking firewall ports and quarantining assets. While these actions are unlikely to be executed automatically in an OT environment, there are other automations that can help reduce the mean time to resolve incidents.
For example, knowing whether new applications or vulnerabilities have been detected on an asset may be key to judging the criticality of the incident for that asset and the scope of a potential attack. These automated validation checks, joined with asset criticality, asset details and contact information for the asset, help reduce the mean time to resolution (MTTR) and, at the same time, help protect other parts of the OT environment.
Leveraging incident response (IR) workbooks helps define the IR process and the automations that can be applied, including when to involve a person in the decision-making process. At the same time, workbooks make incident response more consistent and help prevent a responder from missing critical steps in the process. Once again, contextual information helps the SOAR platform know which workbooks and processes should be executed, since the response to a critical alert from your SIEM may vary based on asset type, location and asset owner.
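The enrichment and routing logic described above, written out as an added example that is not Splunk's, Industrial Defender's or any product's own code: the asset inventory, contact addresses, workbook names and severity ladder are all constructed for illustration, and the validation checks (new software, open vulnerabilities, criticality) escalate severity and decide whether containment may run without a human.

```python
SEVERITY = ["low", "medium", "high", "critical"]
OT_TYPES = {"PLC", "RTU", "SIS", "HMI"}

# Constructed asset inventory standing in for an asset feed such as
# Industrial Defender's; every value below is made up for the example.
ASSETS = {
    "plc-07": {"site": "plant-north", "owner": "ot-ops@example.test", "type": "PLC",
               "status": "in-production", "criticality": "high",
               "new_software": [], "open_vulns": []},
    "hmi-02": {"site": "plant-north", "owner": "ot-ops@example.test", "type": "HMI",
               "status": "in-production", "criticality": "medium",
               "new_software": ["remote-admin-tool"], "open_vulns": ["VULN-PLACEHOLDER"]},
    "ws-eng-1": {"site": "corp-it", "owner": "it-soc@example.test", "type": "Workstation",
                 "status": "maintenance", "criticality": "low",
                 "new_software": [], "open_vulns": []},
}
SITE_CONTACTS = {"plant-north": "north-plant-lead@example.test"}  # constructed

def escalate(level, steps=1):
    """Move a severity up the ladder without running past 'critical'."""
    return SEVERITY[min(SEVERITY.index(level) + steps, len(SEVERITY) - 1)]

def enrich_alert(alert, assets=ASSETS):
    """Join one SIEM alert with asset context and choose the IR routing."""
    asset = assets.get(alert["asset_id"])
    if asset is None:
        # No context at all: route to manual triage, never auto-contain.
        return {**alert, "workbook": "unknown-asset-triage",
                "notify": ["it-soc@example.test"], "auto_contain": False}
    severity = alert["severity"]
    # Automated validation checks: newly seen software or open vulnerabilities
    # widen the plausible scope of the incident, so raise the severity.
    if asset["new_software"] or asset["open_vulns"]:
        severity = escalate(severity)
    if asset["criticality"] == "high":
        severity = escalate(severity)
    is_ot = asset["type"] in OT_TYPES
    notify = [asset["owner"]]
    if is_ot and asset["status"] == "in-production":
        # A live process is involved: the site lead joins the response.
        notify.append(SITE_CONTACTS.get(asset["site"], "ot-soc@example.test"))
    return {**alert, "severity": severity, "asset": asset,
            "workbook": "ot-incident-workbook" if is_ot else "it-endpoint-workbook",
            "notify": notify,
            # Quarantine/blocking stays a human decision on OT assets.
            "auto_contain": (not is_ot) and severity in ("high", "critical")}
```

The same alert severity therefore lands in different workbooks with different people notified depending on what the asset context says, which is the point the text makes about site, owner, status and type.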