How to do a transparency assessment of your OT environment
The process of a transparency assessment
In a previous article, we described the industry benefits of having full transparency of the OT environment.
In this article, we will explain how you can execute a transparency assessment within your company.
Let’s get started with a quick summary of what it means to do an OT transparency assessment.
The transparency analysis
The purpose of a transparency analysis is to provide you with an overview of your OT environment.
This will provide you with transparency for future decision making, whether it is with regard to procurement planning or mitigating risks to your production environment.
The foundation of the transparency assessment is setting up network switches in strategic places within your OT environment. This will enable you to collect traffic from any device communication in your environment.
By using the network traffic in the OT network, it is possible to identify assets and their configuration, firmware, etc. With this information, you can establish a baseline of all automation assets.
Doing this in an OT environment can be tricky, so we will guide you through the basics of the setup to ensure a good result, without affecting the availability of your assets.
1. Getting approval
First of all, you should ensure that the correct stakeholders within your organisation are onboard with doing a transparency assessment.
They need to understand the many benefits to your organisation, as well as the potential risks.
Ideally, a decision to scan your OT networks should be made by the person responsible for OT security and IT security.
In most industries, the head of OT security is not clearly defined: some responsibilities are given to the head of production, whereas everything related to IT is the responsibility of the IT department.
In that case, it would be prudent to include the head of production in the decision-making process.
Smaller organisations should consider including the CEO in the decision-making process since OT security is a necessity for complying with the NIS directive.
2. Risks
Risk 1) Active assessment
This risk is present if you do an active assessment of your OT networks, where devices are probed directly.
This approach is normal in IT environments but is rarely recommended for OT environments, because probing can affect the availability of your assets.
A passive scan, which only listens to the traffic your assets already exchange, mitigates this risk.
Risk 2) False Conclusions
A one-time transparency assessment shows only the communication that took place on the chosen networks during the capture window. Furthermore, the results may be limited further by the approach you have chosen.
It is crucial to be aware of what results your assessment method can and cannot deliver.
Example
A company might choose to run an assessment at one of its three sites for a period of two hours. This will give great insight into the network structure and the communications of the assets at that site, but it is important to know that the results cannot be extrapolated to the other two sites.
Risk 3) Inaction
The biggest risk would be not doing a transparency assessment.
The risk of an attack affecting operational technologies is very real according to the Danish Cyber Intelligence Unit's analysis from September 2020.
Anyone with malicious intent will be able to hack their way into most IT networks. If attackers can move from there into your OT networks, this poses a threat to your ability to manage your plant.
Losing control of operational technologies would be detrimental to the safety of your employees, and even your customers could be affected if you are responsible for critical infrastructure. Furthermore, it could have a substantial negative economic impact on your business.
3. Preparation
Before you get ready to do the transparency assessment you should start by defining the scope.
The most important part of this is defining how you wish to use the results within your company, because the results you want determine the method you will use.
Questions to guide the preparation:
- Which sites will be included?
- Which networks will be included?
- Date and time period for collecting data?
When you have settled on the scope of your transparency assessment you need to prepare the hardware and software needed for the assessment.
Depending on the scope of the transparency assessment, ProjectBinder would choose one of the following software vendors: Claroty, CyberX (aka Microsoft), Nozomi Networks, or Dragos. These software vendors specialise in OT security assessments.
Hardware needed for the job would be switches, network taps, traffic sensors and servers.
4. Execution
The execution happens on a specific date. Network switches are reconfigured to pass the relevant network traffic to the hardware sensors (using SPAN, RSPAN, network taps or port mirroring).
After confirming that all network switches and sites within the scope are actively sending traffic to the sensors, you will need to filter noise out of the received traffic by excluding irrelevant assets or protocols.
If the preliminary results look promising enough, you can leave the traffic sensors/servers in the learning state for at least 1-2 weeks in order to build an asset and communication baseline.
This baseline can now give you the confidence to actively report on unusual traffic patterns and asset behaviour by switching the sensors from the learning to the reporting/alarming state.
You can now leave the sensors in an alarming state for another 1-2 weeks and report on unusual behaviour and new assets joining the network.
5. Analysis
You have collected the data, now it is time to do an analysis.
The analysis you are able to perform and benefit from depends on the data you chose to collect from the OT network.
Assuming that you covered the entire OT network, you will be able to build a complete asset inventory.
The vendor software will allow you to obtain a detailed network layout with potential security gaps and a list of systems and devices found to be vulnerable.
This information will provide you with greater insight into your OT environment and will inform you of the need to update security or re-design the network.
Based on the asset inventory, you will be able to make a procurement plan for your OT environment.
You can choose to keep your transparency assessment installation as a permanent installation and continually monitor your network communications, which would allow you to catch network attacks on your OT environment in real time.
Another benefit of this is that it would enable you to receive real-time analytics from your OT environment that could be used to optimise your production operations.
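To make the learning and alarming cycle of step 4 and the asset inventory of step 5 concrete, here is an added Python example (it is not ProjectBinder's tooling or any vendor's product). It works on constructed flow summaries of the kind a passive sensor on a mirrored port would produce; the addresses, the flow-tuple format and the choice of mDNS as the noise protocol are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed flow summaries with hypothetical addresses, in the form
# (src_ip, dst_ip, dst_port, protocol). 502 is Modbus/TCP, 102 is S7comm,
# 5353 is mDNS chatter that the scope of this example treats as noise.
LEARNING_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),   # HMI polling PLC 1
    ("10.10.1.5", "10.10.1.21", 502, "modbus"),   # HMI polling PLC 2
    ("10.10.1.6", "10.10.1.20", 102, "s7comm"),   # engineering station to PLC 1
    ("10.10.1.5", "224.0.0.251", 5353, "mdns"),   # multicast noise
]
ALARM_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),   # seen during learning: no alert
    ("10.10.1.99", "10.10.1.20", 102, "s7comm"),  # unknown host talking S7 to PLC 1
    ("10.10.1.6", "10.10.1.21", 102, "s7comm"),   # known host, never-seen pair
    ("10.10.1.5", "10.10.1.20", 22, "ssh"),       # known pair, never-seen protocol
    ("10.10.1.7", "224.0.0.251", 5353, "mdns"),   # noise, dropped before alerting
]
NOISE_PROTOCOLS = {"mdns"}

def filter_noise(flows, excluded_protocols=NOISE_PROTOCOLS):
    """Step 4: drop the protocols the assessment scope excludes."""
    return [f for f in flows if f[3] not in excluded_protocols]

def build_baseline(flows):
    """Learning state: remember every asset and every (src, dst, port, proto) seen."""
    flows = filter_noise(flows)
    assets = {ip for src, dst, _, _ in flows for ip in (src, dst)}
    return {"assets": assets, "pairs": set(flows)}

def asset_inventory(flows):
    """Step 5: per-asset view of the protocols it uses as a client and serves."""
    inv = defaultdict(lambda: {"client_of": set(), "serves": set()})
    for src, dst, _, proto in filter_noise(flows):
        inv[src]["client_of"].add(proto)
        inv[dst]["serves"].add(proto)
    return dict(inv)

def alarm(baseline, flows):
    """Alarming state: report new assets first, then new communication pairs."""
    alerts = []
    for flow in filter_noise(flows):
        if flow in baseline["pairs"]:
            continue                      # part of the learned baseline
        src, dst, _, _ = flow
        kind = "new_asset" if {src, dst} - baseline["assets"] else "new_communication"
        alerts.append((kind, flow))
    return alerts
```

In a real deployment the baseline is built from one to two weeks of traffic rather than four records, but the decision logic is the same.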
7. How to Use the Transparency Assessment for Compliance?
The asset inventory and list of vulnerabilities will enable you to mitigate any security issues that you might have encountered in your OT environment.
Your mitigation efforts in this regard go a long way in documenting your compliance with the following security frameworks:
- ISO 27000 series
- NIST – Cybersecurity Framework
- NIS – Security in critical infrastructures
- ANSI/ISA 62443