How to do a Transparency Assessment of your OT Environment
The process of a
In a previous article we described the benefits to industry of having full transparency of the OT environment.
In this article we will explain how you can execute a transparency assessment within your company.
Let’s get started with a quick summary of what it means to do an OT transparency assessment.
The Transparency Analysis
The purpose of a transparency analysis is to provide you with an overview of your OT environment.
This will provide you with the transparency for future decision making whether it is with regards to procurement planning or mitigating risks to your production environment.
The foundation of the transparency assessment is setting up network switches in strategic placements within your OT environment. This will enable you to collect traffic from any device communication in your environment.
By using the network traffic in the OT network it is possible to identify assets and their configuration, firmware, etc. With this information you can establish a baseline of all automation assets.
Doing this in an OT environment can be tricky, so here we will guide you through the basics of the setup to ensure a good result, which does not affect the availability of your assets.
1. Getting the approval
First of all, you should ensure that the correct stakeholders within your organization are on board with doing a transparency assessment.
They need to understand the many benefits to your organization as well as the potential risks.
Ideally, the decision to scan your OT networks should be made jointly by those responsible for OT Security and IT Security.
In most industries the head of OT Security is not clearly defined; some responsibilities are given to the head of production whereas everything IT related is the responsibility of the IT department.
In this case, it would be diligent to include the head of production in the decision making.
Smaller organizations should consider including the CEO in the decision making since OT Security is a necessity in complying with the NIS directive.
Risk 1) Active assessment
This risk is present if you do an active assessment of your OT networks where probing of devices is done.
This approach is normally used in IT environments, but is rarely recommended for scanning of OT environments.
If you do a passive scan of your OT environment this risk is mitigated.
Risk 2) False Conclusions
A one-time transparency assessment done at a single point in time will only show you what was communicated within the chosen OT networks during that window. Furthermore, your results might be further limited by the approach you’ve chosen.
It is crucially important that you are aware of the kind of results that you are able to achieve given your assessment method.
A company might choose to run an assessment in 1 of 3 sites for a period of 2 hours. This assessment will provide you with great insight into the network structure and asset communications of that site. However, it is important to know that you cannot extrapolate the results to the other 2 sites.
Risk 3) Inaction
Having said this, the biggest risk you could take is not doing a transparency assessment at all.
The risk of an attack affecting operational technologies is very present according to the Danish Cyber Intelligence Unit’s analysis from September 2020.
Anyone with malicious intent will be able to hack their way into most IT networks. If you allow attackers to move around in your OT networks, then this will pose a threat to your ability to manage your plant.
Losing control of operational technologies would be detrimental to the safety of your employees, and even your customers could be affected if you are responsible for critical infrastructure. Furthermore, it could have a substantial negative economic impact on your business.
Before you get ready to do the transparency assessment you should start by defining the scope.
The most important part of this is defining how you wish to utilize the results within your company. The intended use of the results will determine your method of implementation.
Questions to guide the preparation:
- Which sites will be included?
- Which networks will be included?
- Date and time period for collecting data?
When you have settled on the scope of your transparency assessment you need to prepare the hardware and software needed for the assessment.
Depending on the scope of the transparency assessment, ProjectBinder would choose one of the following software vendors: Claroty, CyberX (acquired by Microsoft), Nozomi Networks or Dragos. These software vendors are specialized in OT security assessments.
Hardware needed for the job would be switches, network taps, traffic sensors and servers.
The execution happens on a defined date. Network switches will be reconfigured in order to pass relevant network traffic to the hardware sensors (using SPAN, RSPAN, network taps or port mirroring).
After confirming that all network switches / sites within the scope are actively sending traffic to the sensors, you will need to filter noise out of the received traffic by excluding out-of-scope assets or protocols from the capture.
If the preliminary results look promising enough, you leave the traffic sensors / servers in a learning state for at least 1-2 weeks in order to build an asset & communication baseline.
This baseline now gives you the confidence to actively report on unusual traffic patterns and asset behaviour by switching the sensors from learning into reporting/alarming mode.
You can now leave the sensors in alarming state for another 1-2 weeks and report on unusual behaviour and new assets joining the network.
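The learning-then-alarming cycle above, and the passive asset identification described earlier, can be illustrated with a small baseline builder. The following is an added example and not ProjectBinder's or any vendor's code: it assumes the sensor has already summarised the mirrored traffic into one-line flow records of the constructed form "<timestamp> <src_ip> <dst_ip> <protocol> <dst_port>", and the addresses, protocol names and exclusion lists are constructed for the example. It first drops noise (an excluded protocol and the monitoring server itself), learns an asset and conversation baseline from a learning-phase capture, and then reports new assets and new conversations seen in an alarming-phase capture.

```python
"""Passive baseline-and-alarm over flow records from mirrored OT traffic.

Added example, not ProjectBinder's or any vendor's code. It assumes the
sensor has already summarised the SPAN/TAP feed into one-line flow records
"<timestamp> <src_ip> <dst_ip> <protocol> <dst_port>"; that record format,
the addresses and the protocol names below are constructed for this example.
"""
from collections import namedtuple

# One observed conversation; the timestamp is dropped because the baseline
# only cares about who talks to whom, with which protocol, on which port.
Flow = namedtuple("Flow", "src dst proto dport")


def parse_flows(text):
    """Parse constructed flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _ts, src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.upper(), int(dport)))
    return flows


def filter_noise(flows, exclude_protocols=(), exclude_assets=()):
    """Remove out-of-scope protocols and assets before learning or alarming."""
    ex_proto = {p.upper() for p in exclude_protocols}
    ex_asset = set(exclude_assets)
    return [f for f in flows
            if f.proto not in ex_proto
            and f.src not in ex_asset and f.dst not in ex_asset]


class Baseline:
    """Asset and communication baseline built in learning mode."""

    def __init__(self):
        self.assets = set()          # every IP seen as source or destination
        self.conversations = set()   # every distinct (src, dst, proto, dport)

    def learn(self, flows):
        for f in flows:
            self.assets.update((f.src, f.dst))
            self.conversations.add(f)

    def inventory(self):
        """Per asset, the services it was seen answering on (proto/port)."""
        served = {ip: set() for ip in self.assets}
        for f in self.conversations:
            served[f.dst].add(f"{f.proto}/{f.dport}")
        return {ip: sorted(s) for ip, s in served.items()}

    def alarms(self, flows):
        """Reporting mode: flag assets and conversations absent from the baseline.

        Each new asset and each new conversation is reported once per call;
        the baseline itself is left untouched so an analyst can decide what
        to accept into it.
        """
        reported_assets, reported_convs, found = set(), set(), []
        for f in flows:
            for ip in (f.src, f.dst):
                if ip not in self.assets and ip not in reported_assets:
                    reported_assets.add(ip)
                    found.append(("NEW_ASSET", ip))
            if f not in self.conversations and f not in reported_convs:
                reported_convs.add(f)
                found.append(("NEW_CONVERSATION", f))
        return found


# Constructed learning-phase capture: an HMI (.10) and an engineering
# station (.11) polling two Modbus PLCs and one S7 PLC, plus noise.
LEARNING_CAPTURE = """
2020-09-14T08:00:01 10.0.1.10 10.0.1.20  MODBUS 502
2020-09-14T08:00:02 10.0.1.10 10.0.1.21  MODBUS 502
2020-09-14T08:00:03 10.0.1.10 10.0.1.30  S7COMM 102
2020-09-14T08:00:04 10.0.1.11 10.0.1.20  MODBUS 502
2020-09-14T08:00:05 10.0.1.20 10.0.1.250 SYSLOG 514   # to the monitoring server
2020-09-14T08:00:06 10.0.1.20 10.0.1.21  LLDP   0     # link-layer chatter
"""

# Constructed alarming-phase capture: one unknown host and one new pairing.
ALARM_CAPTURE = """
2020-09-28T09:00:01 10.0.1.10 10.0.1.20 MODBUS 502
2020-09-28T09:00:02 10.0.1.99 10.0.1.20 MODBUS 502
2020-09-28T09:00:03 10.0.1.99 10.0.1.21 MODBUS 502
2020-09-28T09:00:04 10.0.1.11 10.0.1.30 S7COMM 102
2020-09-28T09:00:05 10.0.1.20 10.0.1.21 LLDP   0
"""

NOISE_PROTOCOLS = ("LLDP",)        # constructed exclusion lists for this site
NOISE_ASSETS = ("10.0.1.250",)


def run_assessment():
    """Learn from the first capture, then alarm on the second."""
    baseline = Baseline()
    learned = filter_noise(parse_flows(LEARNING_CAPTURE), NOISE_PROTOCOLS, NOISE_ASSETS)
    baseline.learn(learned)
    observed = filter_noise(parse_flows(ALARM_CAPTURE), NOISE_PROTOCOLS, NOISE_ASSETS)
    return baseline, baseline.alarms(observed)


if __name__ == "__main__":
    baseline, alarms = run_assessment()
    for ip, services in sorted(baseline.inventory().items()):
        print(f"{ip:12} serves {services or '-'}")
    for kind, detail in alarms:
        print(kind, detail)
```

Run as a script, the inventory lists the two Modbus PLCs and the S7 PLC with the service each answers on, and the alarming phase produces one NEW_ASSET report for 10.0.1.99 followed by three NEW_CONVERSATION reports: two for the unknown host and one for the engineering station reaching a PLC it never spoke to during learning. Keeping the alarming step from mutating the baseline is deliberate: a flagged conversation should be accepted by an analyst, not silently learned as normal.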
You have executed the collection of data, and now it’s time to do an analysis.
The analysis you are able to do and benefit from depends on the data you chose to collect from the OT network.
Assuming that you covered the entire OT network then you would be able to build a complete asset inventory.
The vendor software will allow you to get a detailed network layout with its potential security gaps and a list of systems and devices found vulnerable.
This information will give you greater insight into your OT environment and especially its need for security updates or a potential need for a network redesign.
Based on the asset inventory you will be able to make a procurement plan for your OT environment.
You could choose to keep your transparency assessment installation as a permanent installation and do a continuous monitoring of your network communications which would allow you to catch network attacks on your OT environment in real time.
Another benefit to this is that it would allow you to get real time analytics from your OT environment that could be used for optimizing your production operations.
7. How to Use the Transparency Assessment for Compliance?
The asset inventory and list of vulnerabilities will enable you to mitigate any security issues that you might have encountered in your OT environment.
Your mitigation efforts in this regard go a long way in documenting your compliance with the following security frameworks:
- ISO27000 Series
- NIST – Cybersecurity Framework
- NIS – Security in Critical infrastructures.
- ANSI/ISA 62443