ProjectBinder

OT Network Transparency Assessment

With the increase in intelligent devices and networks, it is not possible to manage and protect your OT environment effectively without an automated asset management capability. ProjectBinder’s vulnerability assessment is designed to give you a foundational level of OT security by providing a detailed, actionable and visual overview of your OT environment.

Benefits of the OT Network Transparency Assessment.

The benefits of the OT network vulnerability assessment can be broken down into 4 categories.

  • Asset Management
  • Segmentation
  • Threat Detection
  • Vulnerability Management

These benefits are described in detail below.

Asset Identification and Management.

It is difficult to protect what you don’t know you have. Therefore, asset identification in the OT environment is a great place to start with your OT Security efforts.

Identifying your assets will enable you to build an inventory that includes every sensor, valve, HMI, etc. within the production networks. This should be done so you have 100 % coverage of your assets, which is necessary for complete OT security in critical infrastructure. 

By scanning your OT network, we can identify all your assets, configurations and the protocols they run. Even legacy devices are identified.

We can do this ‘passively’ or ‘actively’.

Passive Scanning of the OT Environment.

Passive scans are the gold standard of OT vulnerability assessments. This is due to the critical nature of the OT environment, which requires constant uptime: a passive sensor only listens and never sends traffic to production devices.

When ProjectBinder scans your OT networks, we place vulnerability sensors at strategically important network locations to get full coverage of your OT environment.

These sensors listen to the network traffic, and from it we decode the communication protocols in use (e.g. Modbus, PROFINET). From this we can identify all active network assets (PLCs, RTUs, HMIs, workstations and servers).

The identified assets are then validated against proprietary and public vulnerability databases. The result is delivered to you as an actionable report in a compliance-ready (NIST / IEC) format.
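As an added illustration of what a passive sensor does with the traffic it hears (this is not ProjectBinder’s code and no part of their product), the Python below decodes Modbus/TCP frames from a small constructed capture, infers which hosts act as Modbus clients and servers, records the unit identifiers and function codes each host uses, and lists the hosts that issued write commands. The addresses and frames are constructed for the example; a real sensor would read them from a PCAP or a live interface, and each further protocol (PROFINET, etc.) needs its own decoder.

```python
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502

# Public Modbus function codes (from the Modbus Application Protocol spec)
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)      # "client" (master) and/or "server" (slave)
    unit_ids: set = field(default_factory=set)   # Modbus unit identifiers served by this host
    functions: set = field(default_factory=set)  # function codes observed to or from this host
    peers: set = field(default_factory=set)      # hosts it exchanged Modbus with


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns (unit_id, function_code), or None if the bytes are not Modbus/TCP."""
    if len(payload) < 8:
        return None
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def discover_assets(packets):
    """Build an inventory from (src_ip, src_port, dst_ip, dst_port, payload) records.
    Only Modbus/TCP is decoded here; other protocols would get their own parser."""
    inventory = {}
    for src, sport, dst, dport, payload in packets:
        if MODBUS_TCP_PORT not in (sport, dport):
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit_id, fc = parsed
        fc &= 0x7F  # exception responses set the high bit of the function code
        # Traffic towards port 502 is a request: the source is the client (master)
        client, server = (src, dst) if dport == MODBUS_TCP_PORT else (dst, src)
        c = inventory.setdefault(client, Asset(client))
        s = inventory.setdefault(server, Asset(server))
        c.roles.add("client")
        s.roles.add("server")
        s.unit_ids.add(unit_id)
        c.functions.add(fc)
        s.functions.add(fc)
        c.peers.add(server)
        s.peers.add(client)
    return inventory


def writers(inventory):
    """Hosts that issued write function codes: the ones able to change process state."""
    return {ip for ip, a in inventory.items()
            if "client" in a.roles and a.functions & WRITE_FUNCTIONS}


def mbap(transaction_id, unit_id, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used only to construct the sample capture below."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample capture (hypothetical addresses), standing in for a PCAP
SAMPLE_PACKETS = [
    # HMI 10.0.1.10 reads 10 holding registers from PLC 10.0.1.20, unit 1, and gets a reply
    ("10.0.1.10", 49152, "10.0.1.20", 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),
    ("10.0.1.20", 502, "10.0.1.10", 49152, mbap(1, 1, bytes([3, 20]) + b"\x00" * 20)),
    # Engineering station 10.0.1.30 writes one register on the same PLC, unit 2
    ("10.0.1.30", 49200, "10.0.1.20", 502, mbap(7, 2, bytes([6, 0, 5, 0, 1]))),
    # Unrelated HTTP traffic is not Modbus and is ignored
    ("10.0.1.40", 50000, "10.0.1.50", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    inv = discover_assets(SAMPLE_PACKETS)
    for ip, a in sorted(inv.items()):
        names = sorted(FUNCTION_NAMES.get(f, f"fc {f}") for f in a.functions)
        print(f"{ip:12} roles={sorted(a.roles)} units={sorted(a.unit_ids)} functions={names}")
    print("hosts issuing writes:", sorted(writers(inv)))
```

The list returned by `writers` is the one an assessor looks at first: every host on it can alter process state, so each one should be an expected engineering station or HMI, and the PLCs it reaches should be the ones it is meant to reach.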

Active Queries of Network Assets.

Passive scanning falls short on networks where devices communicate infrequently, since a sensor cannot detect an asset that never transmits.

Therefore our vulnerability assessment also offers active querying to discover assets in the network. This is done using several approaches.

The approach starts with querying chosen sections of networks to discover if assets are connected, but haven’t communicated yet. When assets have been found we use native and proprietary protocols to get additional information about them such as model, state, firmware version, configuration, and more. 

By using native and proprietary protocols we add no or minimal risk to the OT environment, because we use vendor-approved methods, i.e. we communicate with the asset the way the vendor designed it to communicate. We only query assets that have been validated as safe to query and able to answer our query.

Segmenting the OT Network.

Based on our scan of all the assets in your OT environment and their communication we can provide you with extensive visibility of your operational technologies.

Your OT networks will automatically be mapped and virtually segmented into zones of logically related assets. A virtual zone is a group of assets that communicate with each other under normal circumstances.

Having this segmentation increases your options for managing your OT security.

The new virtual zones will help administrators to understand how assets operate within the OT environment. Virtual zones are therefore a great aid for designing and architecting logical or physical network segmentation. 

If you choose to continue with ProjectBinder’s permanent monitoring solution, we can implement a virtual segmentation scheme that highlights and prioritizes alerts raised by potentially malicious communication between the virtual segments of your network.

The alerts are defined automatically for each asset based on its placement in the virtual zones, and can also be adjusted manually.

Threat detection on your OT Network.

Several different approaches are used to detect threats in your OT networks, which together provide full-spectrum threat detection.

We scan for pattern changes, i.e. anomalous behaviour in your network communications. Information on your OT assets and their protocols is key to detecting anomalous behaviour, along with the knowledge of your virtual zones.

Sometimes attackers mimic your normal operational behaviour, which makes that behaviour difficult to detect as anomalous. Therefore our analysis needs to dig deeper and analyze the specific OT operations, e.g. configuration download/upload.

We can identify previously known threats, as well as techniques used by attackers, by comparing your OT networks against databases of known indicators of compromise and known attack techniques.

It is also possible to set up custom rules to detect and identify specific events or communications.
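An added example, not ProjectBinder’s software, covering both the virtual zones described in the segmentation section and the zone-aware anomaly detection and custom rules of this section: flows observed during a baseline window (constructed, with hypothetical addresses) are clustered into zones by who communicates with whom, after which each newly observed flow is checked for crossing a zone boundary, for never having been seen in the baseline, and against a custom rule that flags Modbus writes from hosts that never wrote during the baseline.

```python
WRITE_FUNCTIONS = {5, 6, 15, 16}  # Modbus write function codes


class ZoneModel:
    """Virtual zones learned from a baseline window of (src, dst, function_code) flows."""

    def __init__(self, baseline_flows):
        self.baseline = set(baseline_flows)
        self.zone_of = self._cluster(self.baseline)
        # Hosts that issued writes during the baseline window
        self.writers = {src for src, _, fc in self.baseline if fc in WRITE_FUNCTIONS}
        self.rules = []  # (name, predicate) pairs: custom detection rules

    @staticmethod
    def _cluster(flows):
        """Union-find over communicating pairs: each connected component becomes a zone."""
        parent = {}

        def find(host):
            parent.setdefault(host, host)
            while parent[host] != host:
                parent[host] = parent[parent[host]]  # path halving
                host = parent[host]
            return host

        for src, dst, _ in flows:
            root_src, root_dst = find(src), find(dst)
            if root_src != root_dst:
                parent[root_src] = root_dst
        zone_ids, zone_of = {}, {}
        for host in sorted(parent):
            zone_of[host] = zone_ids.setdefault(find(host), len(zone_ids) + 1)
        return zone_of

    def add_rule(self, name, predicate):
        self.rules.append((name, predicate))

    def evaluate(self, flow):
        """Return the list of alert names raised by one observed flow (empty = normal)."""
        src, dst, _fc = flow
        alerts = []
        zone_src, zone_dst = self.zone_of.get(src), self.zone_of.get(dst)
        if zone_src is None or zone_dst is None:
            alerts.append("unknown-asset")       # a host the baseline never saw
        elif zone_src != zone_dst:
            alerts.append("cross-zone")          # communication across virtual zones
        if flow not in self.baseline:
            alerts.append("new-communication")   # pattern change against the baseline
        alerts.extend(name for name, pred in self.rules if pred(flow))
        return alerts


# Constructed baseline (hypothetical addresses): two clusters that never talk to each other
BASELINE = [
    ("10.0.1.10", "10.0.1.20", 3),   # HMI polls PLC
    ("10.0.1.30", "10.0.1.20", 6),   # engineering station writes a register on the PLC
    ("10.0.2.10", "10.0.2.20", 4),   # separate skid: its HMI polls its own PLC
]


def build_model():
    model = ZoneModel(BASELINE)
    # Custom rule: a write coming from a host that never wrote during the baseline
    model.add_rule("unexpected-writer",
                   lambda f: f[2] in WRITE_FUNCTIONS and f[0] not in model.writers)
    return model


if __name__ == "__main__":
    model = build_model()
    for flow in [("10.0.1.10", "10.0.1.20", 3), ("10.0.1.10", "10.0.2.20", 3),
                 ("10.0.1.10", "10.0.1.20", 16), ("10.0.9.9", "10.0.1.20", 6)]:
        print(flow, "->", model.evaluate(flow) or "normal")
```

Zones derived this way reflect what the network actually does rather than what a drawing says it does, which is why they are a useful starting point for designing real segmentation; the baseline window must be long enough to contain rare but legitimate traffic (maintenance sessions, monthly reports) or those will surface as new-communication alerts later.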

Vulnerability Management of the OT environment.

All assets found in the OT environment will be compared to a database of insecure protocols, configurations, and other vulnerabilities, as well as to the latest CVE data. 

Based on this, you are given a prioritized list with actionable insights to improve your OT Security.

Furthermore, you will be given an analysis of the most likely scenarios an attacker could use to compromise your OT environment, along with recommendations.

This feature will help you to identify, prioritize, and fix vulnerabilities in an effective manner.
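As an added example (not ProjectBinder’s database or tooling), the Python below matches a constructed asset inventory against a constructed vulnerability database and a list of cleartext protocols, comparing each asset’s firmware version with the version that fixes the issue, and returns a prioritized list of findings. The vendor, model and reference identifiers are placeholders, not real products or CVEs; in practice the database is populated from vendor advisories and the CVE feed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    reference: str
    score: float     # CVSS base score as given in the database
    detail: str


def parse_version(version: str):
    """Dotted numeric firmware version -> comparable tuple (assumes purely numeric parts)."""
    return tuple(int(part) for part in version.split("."))


# Constructed vulnerability database. Vendor, model and reference ids are placeholders,
# not real products or CVEs; a real assessment would use vendor advisories and CVE feeds.
VULN_DB = [
    {"vendor": "ExampleCo", "model": "PLC-1000", "fixed_in": "2.4.0",
     "reference": "CVE-0000-0001 (placeholder)", "score": 9.8,
     "detail": "firmware before 2.4.0 accepts unauthenticated configuration downloads"},
    {"vendor": "ExampleCo", "model": "HMI-20", "fixed_in": "3.1.0",
     "reference": "CVE-0000-0002 (placeholder)", "score": 6.5,
     "detail": "web interface before 3.1.0 leaks session tokens"},
]

# Cleartext protocols that are findings regardless of firmware (placeholder severities)
INSECURE_PROTOCOLS = {"telnet": 7.5, "ftp": 7.5, "http": 5.3}


def assess(inventory):
    """inventory: list of dicts with name, vendor, model, firmware, protocols.
    Returns findings ordered by score, highest first, then by asset name."""
    findings = []
    for asset in inventory:
        fw = parse_version(asset["firmware"])
        for entry in VULN_DB:
            same_model = (entry["vendor"], entry["model"]) == (asset["vendor"], asset["model"])
            if same_model and fw < parse_version(entry["fixed_in"]):
                findings.append(Finding(asset["name"], entry["reference"],
                                        entry["score"], entry["detail"]))
        for proto in sorted(asset["protocols"]):
            if proto in INSECURE_PROTOCOLS:
                findings.append(Finding(asset["name"], f"insecure-protocol:{proto}",
                                        INSECURE_PROTOCOLS[proto],
                                        f"{proto} exposes credentials or commands in cleartext"))
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.reference))


# Constructed inventory (hypothetical assets)
INVENTORY = [
    {"name": "PLC-A", "vendor": "ExampleCo", "model": "PLC-1000",
     "firmware": "2.3.1", "protocols": {"modbus", "http"}},
    {"name": "PLC-B", "vendor": "ExampleCo", "model": "PLC-1000",
     "firmware": "2.4.2", "protocols": {"modbus"}},
    {"name": "HMI-1", "vendor": "ExampleCo", "model": "HMI-20",
     "firmware": "3.1.0", "protocols": {"telnet"}},
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.score:4.1f}  {f.asset:6}  {f.reference}: {f.detail}")
```

The version comparison is the part that most often goes wrong in practice: vendors use build suffixes and letters that a purely numeric parser rejects, so a real implementation needs a per-vendor version scheme, and an asset whose firmware cannot be read at all should be reported as unknown rather than silently treated as patched.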

Vulnerability Assessment Models

ProjectBinder engineers can perform vulnerability assessments in different ways. The methodology will affect the final assessment’s price, timeline and result.

The off-site vulnerability assessment with PCAP data consists of analysing your network traffic, collected within a short time window, e.g. 1 hour.

We analyse network traffic that you capture yourself in the PCAP file format. Our network engineers guide your organization remotely through the setup process.

Advantages:

  • Time efficient.
  • Very fast feedback, because data is collected within a short time span.
  • No administrative overhead, as the customer does the setup.
  • You can test and experience ProjectBinder’s methods and software.

Disadvantages:

  • The quality of the captured data can be limited, which limits the results.
  • Requires manual work from the client.

In an on-site assessment within a production environment, we perform a vulnerability analysis in the live environment. Network sniffers are installed to collect data over a longer period, e.g. 1 week or 1 month.

Advantages:

  • Highest quality of data.  
  • Real vulnerabilities will be found (if present).  
  • Long-term installation, which yields more valuable data.

Disadvantages: 

  • Difficult to change equipment settings (changes need to go through a change process). 

In an on-site assessment within a lab environment, we perform a vulnerability analysis with isolated live equipment.

Advantages:

  • Easier to perform than in a live environment.
  • Medium amount of administrative overhead.
  • Equipment settings can be changed on the fly (manageable).
  • Test attack scenarios against equipment.   

Disadvantages:

  • Limited amounts of equipment in the lab environment will give limited test results.

How to perform the vulnerability assessment.

Performing a vulnerability assessment in the OT environment requires planning, the definition of scope and a pre-execution phase to make sure that it is done correctly.

The specific setup depends on the type of vulnerability test.

Before starting the vulnerability assessment it is important to plan it for your individual case. The rules and regulations for your specific sector need to be adhered to. Furthermore, it depends on the sites you run as well as the type of vulnerability assessment you choose.

  1. Exchange of NDAs.
  2. Agreement on the type of installation.
  3. Agreement on the schedule.
  4. Request for information.
  5. System and network layout analysis.

It is crucial to settle on which networks and devices should be part of the assessment and installation as the results depend on this, as well as the cost of the installation.

  1. Which devices/networks are part of the scope?  
  2. What results can be expected? 
  3. What is considered a success?  

To execute the vulnerability assessment, we need to install hardware, which we ship to you if needed. Depending on the industry, we could also run the installation on-site, which could require mandatory on-site training or certifications.

  1. Packaging the requirements for the execution.
  2. Requesting changes.
  3. Undergoing.
  4. Training/Certifications.

The assessment phase includes the setup, test and execution of the vulnerability assessment.

  1. Setup of scan environment.  
  2. Limited functionality test.  
  3. Full test (days or weeks).

You will get a complete overview of the findings of the vulnerability assessment. It will be hands-on and actionable.

  1. Vulnerabilities discovered with CVE reference and score.  
  2. Detailed network layout and potential security gaps.  
  3. A list of systems and devices found vulnerable.   
  4. Detailed mitigation steps.  

OT Security related services

OT Network real-time Monitoring

The basis for any real-time monitoring is the installation of the monitoring equipment needed.

Malware Scanning

We test and clean your OT devices on-site in our lab environment.

Consultancy

ProjectBinder has a unique combination of OT / IT and security engineers with practical experience. We offer on-demand consultancy on OT Security.
