Operational Technology Visibility

Operational Technology (OT) visibility is crucial for organizations to monitor, manage, and secure their industrial and critical infrastructure systems. OT visibility is a core component of critical infrastructure and, in turn, states’ national security.

The 21st century has seen dramatic technological advancements, collectively known as the Fourth Industrial Revolution (Industry 4.0). Industry 4.0 centers on the development of cyber physical systems (CPS), the umbrella term for engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world. In short, cyber physical systems automate the monitoring and control of Operational Technology through IT infrastructure. While CPS have brought significant advantages to industry, visibility challenges make managing such systems a difficult task and, with that, comes a host of potential cybersecurity risks.

Industrial Control Systems (ICS)

Cyber physical systems are comprised of different digital tools that all share the common trait of connectivity. Through connectivity, CPS automate industrial processes, thus allowing for better allocation of resources and increased productivity. Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS), have been around for decades, long before Industry 4.0 came to fruition. However, the development of CPS over the last few years saw the silo that ICS once operated in begin to erode with the introduction of the Industrial Internet of Things (IIoT). ICS are now connected to the “outside” world thanks to the convergence of IT and Operational Technology.

A survey conducted by the SANS institute found that nearly 40% of devices in the Manufacturing Zone (Purdue levels 0, 1, 2, and 3) are connected to enterprise networks.

Operational Technology is Becoming More Connected

By leveraging connectivity, cyber physical systems (CPS) have helped enterprises boost performance by enhancing efficiency and reducing downtime, thereby improving material use and enriching customer experience, among other positive domino effects. Ultimately, the advantages of Industry 4.0 have lowered costs and increased returns on investment, demonstrating significant value across the entire enterprise.

However, as Operational Technology becomes more connected and reliant on technology, it is now more vulnerable than ever, a serious risk considering that physical processes rely on the continuous operability of OT assets. The need for robust cybersecurity is imperative. Yet visibility challenges remain a fundamental obstacle to effective cybersecurity, as blind spots allow vulnerabilities to go unaccounted for and security policies to lack comprehensive enforcement (APT Cyber Tools Targeting ICS/SCADA Devices).

Operational Technology Visibility

Asset visibility is the foundation of asset management, and asset management is a paramount component of cybersecurity. Countless devices get connected to Operational Technology networks, and maintaining reliability relies on competent asset management. Asset management, which is dependent on continuous visibility, provides insights into assets operating within the Operational Technology environment to assist decision making and ensure that security measures get appropriately applied. However, the use of legacy technology means Operational Technology was not built with cybersecurity in mind, and thus many visibility tools are not applicable to this domain: agent-based solutions and network scanning are incompatible with Operational Technology devices. Indeed, a study found that nearly 90% of enterprises have extremely limited Operational Technology visibility into their environment.

The importance of Operational Technology visibility for cybersecurity extends beyond the Operational Technology environment. The adoption of IIoT technologies means Operational Technology is exposed to the entire threat landscape. Hence, complete Operational Technology visibility and management of assets in the IT environment is just as critical. Nevertheless, visibility into the IT domain is also limited, with reports that 75% of enterprises are experiencing widening visibility gaps into both end-user devices and IoTs (IoT Security).

The Need for Physical Layer Visibility

Asset Management

Asset management tools identify devices and provide an accurate and detailed asset inventory. However, enterprises suffer from a lack of physical layer visibility as existing security tools fail to cover this domain, thereby leaving the hardware level neglected. As such, the asset inventory is incomplete and, in turn, inaccurate. With extensive Operational Technology and IT supply chains, coupled with device heterogeneity, knowing the true identity of an asset is imperative, and this requires physical layer visibility. Such data tells security teams more about a device than its network data does; it provides them with electrical and physical specifications. Simply knowing something exists is not enough, yet when a device is passive, enterprises struggle even with that.
Physical layer visibility detects the presence of devices that do not emit traffic and would otherwise go unnoticed. Moreover, Physical Layer information provides necessary insights into IIoTs, as these non-802.1x compliant devices currently get authenticated by their MAC address, which can easily be spoofed. Complete asset visibility allows enterprises to understand each device’s associated risk posture and handle them accordingly.

Access Management

Asset visibility and asset management lay the groundwork for access management and policy enforcement. Effective cybersecurity depends on the enterprise’s ability to control user and device access to critical resources.
The interconnectedness of IT/OT environments means access management and policy enforcement are more necessary than ever. Maintaining Operational Technology visibility and reliability means tightly controlling access to such resources. Pre-defined policies determine under what circumstances an entity can access a resource. In other words, security policies address “who, what, where, when, how, or why”. Access management tools enforce these pre-defined policies by assessing a device and comparing it with the policy’s requirements. Naturally, this is where the importance of an accurate asset inventory comes into play. A flawed asset inventory, due to the Physical Layer blind spot, undermines policy enforcement and access management, a significant risk as all it takes is the exploitation of a single weak spot to jeopardize the entire enterprise.

Rogue Device Mitigation

Attackers know enterprises suffer from a Physical Layer blind spot and exploit this weakness using rogue devices. These hardware attack tools intentionally deceive existing security solutions (Man in the Middle Attack) by hiding their presence or spoofing their identity using the same VID/PID/Class ID parameters as legitimate devices, thereby raising no alarms. In turn, access controls such as network segmentation and Zero Trust, which are often relied on as robust defense mechanisms against the cybersecurity risks associated with Industry 4.0, are futile in preventing these perilous devices from penetrating and moving laterally across the network. This is a significant risk to Operational Technology visibility, as Industry 4.0 has expanded the attack surface considerably.
An interconnected environment that lacks effective access controls means any asset can act as an entry point, in which the first point of compromise gets used as a gateway to more sought-after resources. Hardware-based attackers simply need to attach a rogue device to the most accessible endpoint or network switch.
For enterprises that continue to maintain an air-gap, Operational Technology is still not immune to hardware-based attacks. A recent study by ESET found that 100% of attacks compromising air-gapped networks did so using a bad USB device. And with a 30% increase in USB usage in production facilities in 2021, the risk is considerable. The value of rogue USB devices has not gone unnoticed by bad actors, with 37% of threats specifically designed for removable media in 2021, nearly double the previous year’s figure.
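The two sections above make one practical point: a hardware access policy is only as good as the identity it is enforced against, and a rogue device that reuses a legitimate device’s VID/PID/Class ID parameters passes any check built on those claimed values alone. The following Python is an added example written for this page, not Sepio’s code or any description of its algorithm. It models a small asset inventory and port policy and evaluates each observed device twice: once on claimed identifiers only, and once with an additional independent attribute (a hypothetical `phy_fingerprint` string standing in for physical-layer characteristics). All VID/PID values, MAC addresses, fingerprints and port groups are constructed sample data.

```python
"""Added example: hardware access policy evaluated with and without an
independent physical-layer attribute. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str]  # (reason, action)


@dataclass(frozen=True)
class Observation:
    """What is seen on one switch port: the identifiers a device claims plus a
    hypothetical physical-layer fingerprint measured independently of them."""
    port: str
    vid: str
    pid: str
    dev_class: str
    mac: Optional[str]      # None for a device that emits no traffic at all
    phy_fingerprint: str    # constructed stand-in for electrical characteristics


@dataclass(frozen=True)
class InventoryRecord:
    vid: str
    pid: str
    dev_class: str
    phy_fingerprint: str    # captured when the asset was enrolled (constructed)
    role: str


# Constructed inventory, keyed on the claimed VID:PID identity.
INVENTORY: Dict[str, InventoryRecord] = {
    "1a2b:0001": InventoryRecord("1a2b", "0001", "HID", "fp-kbd-7f3a", "keyboard"),
    "0c0d:1234": InventoryRecord("0c0d", "1234", "NET", "fp-plc-91be", "plc"),
}

# Constructed policy: which device roles may appear on which port group ("where").
POLICY: Dict[str, set] = {
    "control-room": {"keyboard", "hmi"},
    "cell-3": {"plc"},
}
PORT_GROUPS: Dict[str, str] = {
    "sw1/1": "control-room", "sw1/2": "control-room",
    "sw1/3": "control-room", "sw2/5": "cell-3",
}


def claimed_key(obs: Observation) -> str:
    return f"{obs.vid}:{obs.pid}"


def evaluate_identity_only(obs: Observation) -> Verdict:
    """Policy check that trusts the identifiers the device presents."""
    rec = INVENTORY.get(claimed_key(obs))
    if rec is None or rec.dev_class != obs.dev_class:
        return ("unknown", "block")
    group = PORT_GROUPS.get(obs.port, "unassigned")
    if rec.role not in POLICY.get(group, set()):
        return ("policy-violation", "block")
    return ("verified", "allow")


def evaluate_with_physical_layer(obs: Observation) -> Verdict:
    """Same policy, but the enrolled fingerprint must also match, and a device
    that emits no traffic is still evaluated because it was observed physically."""
    rec = INVENTORY.get(claimed_key(obs))
    if rec is None:
        # Nothing enrolled under this identity; a silent device is still reported.
        return ("unregistered-passive" if obs.mac is None else "unknown", "block")
    if rec.dev_class != obs.dev_class:
        return ("class-mismatch", "block")
    if rec.phy_fingerprint != obs.phy_fingerprint:
        # Claimed VID/PID/class match an enrolled asset, but the hardware does not.
        return ("spoofed", "block")
    group = PORT_GROUPS.get(obs.port, "unassigned")
    if rec.role not in POLICY.get(group, set()):
        return ("policy-violation", "block")
    return ("verified", "allow")


def audit(observations: List[Observation]) -> Dict[str, Dict[str, Verdict]]:
    """Evaluate every observed port both ways so the difference is visible."""
    return {
        o.port: {
            "identity-only": evaluate_identity_only(o),
            "with-physical-layer": evaluate_with_physical_layer(o),
        }
        for o in observations
    }


# Constructed observations: one legitimate keyboard, one device imitating it,
# an enrolled PLC plugged into the wrong zone, and a silent tap with no identity.
SAMPLE_OBSERVATIONS: List[Observation] = [
    Observation("sw1/1", "1a2b", "0001", "HID", "00:11:22:aa:bb:01", "fp-kbd-7f3a"),
    Observation("sw1/2", "1a2b", "0001", "HID", "00:11:22:aa:bb:01", "fp-unk-00c1"),
    Observation("sw1/3", "0c0d", "1234", "NET", "00:11:22:aa:bb:02", "fp-plc-91be"),
    Observation("sw2/5", "", "", "", None, "fp-tap-3d44"),
]

if __name__ == "__main__":
    for port, verdicts in audit(SAMPLE_OBSERVATIONS).items():
        print(port, verdicts)
```

Running the block shows the device on `sw1/2` passing the identity-only check and being blocked as `spoofed` once the enrolled fingerprint is compared, while the silent device on `sw2/5` appears in the audit only because the physical-layer observation exists at all. The fingerprint here is a placeholder string; in a real deployment the independent attribute would be whatever physical-layer measurement the visibility platform actually captures.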

Sepio Solution for Operational Technology Visibility

Operational Technology visibility is a core component of critical infrastructure. It is highly vulnerable thanks to its convergence with IT and the development of IIoT. To improve the security posture of cyber physical systems and maintain their continuous operability, enterprises need to get to the root cause of the problem: visibility.
Sepio’s platform provides a panacea to the gap in device visibility by offering protection on the Physical Layer.
By going deeper than any other security solution, Sepio uses Physical Layer information to calculate a digital fingerprint of all IT, OT, IoT and IIoT assets, managed or unmanaged. No device goes undetected. Sepio accurately identifies devices and their associated risk posture based on multiple Physical Layer parameters and a unique machine learning algorithm to provide visibility like never before. Traffic monitoring can only tell you so much. Sepio’s ultimate visibility means unmanaged switches, passive taps and out-of-band devices no longer fly under the radar. The solution continuously monitors all hardware assets to account for any anomalies, issuing an alert when there are any changes to a device’s risk posture.

Physical Layer Visibility for Operational Technology Cybersecurity

Sepio asset risk management allows the system administrator to define granular hardware access policies for the system to enforce dependent on a device’s role or characteristics and its associated risk score, creating a Zero Trust Hardware Access approach. Sepio verifies and continuously validates the identity of all hardware assets to enhance policy enforcement. The solution integrates with other access control platforms through specific APIs to provide comprehensive access management.
Physical Layer visibility, augmented by the internal threat intelligence database, enables the immediate detection of rogue devices. Spoofed peripherals get identified for what they truly are, not what they claim to be. Hidden network implants are instantly visible. When a rogue device gets detected, or a device breaches the pre-set rules, Sepio automatically blocks the unauthorized device through seamless third-party integration. The Rogue Device Mitigation feature of Sepio prevents unwanted and malicious assets from gaining access to the network and potentially causing damage to Operational Technology.

Operational Technology Visibility (pdf)
July 25th, 2022