Everybody's talking about IT/OT convergence, but what does this really mean from a security standpoint? And how can enterprises leverage and adapt their existing IT cybersecurity investments to meet this new challenge?
Previously isolated from the rest of the organization and its network, today's OT networks in industrial and critical infrastructure facilities can be made up of thousands of devices connected to the enterprise and IT systems. This connectivity means that one weak link in the chain, such as a single IoT or IIoT connected device, is enough for a determined attacker to gain a foothold and create havoc for the enterprise.
As such, the attack surface for industrial environments has expanded: not just traditional OT PLC and SCADA devices, but also workstations, network devices, cameras, scanners, and the various other connected devices that are part of manufacturing or safety systems. The increased exposure of industrial controllers and other critical equipment to malware, cyber attacks, insider threats, misconfigurations and even failed maintenance poses serious challenges for security teams. The attacks go beyond simple targeted attacks to stealthy multi-stage attacks that infiltrate the IT network and traverse to the OT network, or that start on the OT side and hit the IT systems.
Visibility to the OT Network Means More Value for Your SIEM
In the IT space, Security Information and Event Management (SIEM) solutions are the most common tool enterprises use to combat complex, multi-vector cyber attacks. SIEM solutions receive feeds from a wide variety of security tools (AV, IDS/IPS, etc.), analyze mountains of data, and pinpoint the alerts and situations that require immediate attention from the security team. By monitoring real-time events and analyzing historical data, SIEMs discover anomalous patterns of usage, qualify possible security and compliance threats to reduce false positives, and alert security personnel when needed.
The challenge on the OT side is that the traditional IT security tools the SIEM relies on for data (AV, IDS and the like) do not work in the OT environment. Agents, scanning, and standard IP-based network protocols don't cover the landscape of devices within the industrial network. As a result, the SIEM and its associated workflow, as defined today, cannot analyze or provide insight into attacks that originate in or traverse the OT environment.
To address this cybersecurity gap, industrial organizations need a way to empower their SIEM systems to do more. Looking at only part of the attack surface will not detect all the attacks. They need visibility into threats on the OT side, as well as into those that penetrate the IT network and traverse to the OT network. To be effective, the data collected from the OT side needs to live in the same pane of glass as the IT data, ensuring 360-degree visibility and detection of potential threats across both environments.
Interoperability With Your SIEM Maximizes Effectiveness
By integrating their SIEM solutions with OT-specific cybersecurity tools, like the Indegy Industrial Cybersecurity Suite, industrial organizations can maximize visibility, security and control across both IT and OT operations.
The synergies between SIEM and OT cybersecurity serve to enhance the overall value of the SIEM system. By gaining visibility into the OT network, the SIEM analytics can discover more cyber threats (particularly those that traverse networks). Bringing all relevant data for IT and OT into one central repository helps to "desilo" network areas where potential security incidents may be lurking. This type of integration lets you leverage your current SIEM investment to accomplish more.
Seamless SIEM interoperability can be achieved through a dedicated feed or integration module for the relevant SIEM system, which forwards alerts, events and insights from the OT network into the SIEM. Advanced OT security combined with the SIEM's native capabilities delivers the intelligence required to secure both the OT and IT environments.
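The following is an added example, not Indegy's code or the suite's actual integration module, of what such a feed does in practice. It assumes the OT platform exports alerts as JSON records with the field names shown (constructed for this example) and that the SIEM ingests syslog in ArcSight CEF, a common choice. The second half shows why the OT data belongs in the same pane of glass as the IT data: a cross-domain rule that flags an IT logon to an engineering workstation followed shortly by an OT controller change from that same workstation, a pattern neither side would flag on its own. The vendor name, event kinds and sample records are all constructed.

```python
"""Forward OT alerts to a SIEM in CEF and correlate them with IT events.

Added example (not Indegy's code). The OT alert records, IT events, vendor
name and field names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


def _hdr(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are special there."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _ext(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and newlines are special."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def ot_alert_to_cef(alert: Dict) -> str:
    """Normalize one OT alert record (constructed schema) into a CEF line.

    CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|
    followed by key=value extension pairs the SIEM can index and correlate on.
    """
    sev = {"low": 3, "medium": 6, "high": 8, "critical": 10}[alert["severity"]]
    ext = {
        "rt": alert["time"],          # receipt time, kept as the OT platform gave it
        "src": alert["source_ip"],    # host that issued the OT operation
        "dst": alert["asset_ip"],     # controller or device affected
        "dhost": alert["asset_name"],
        "cs1Label": "protocol",       # custom string field carrying the ICS protocol
        "cs1": alert["protocol"],
        "msg": alert["detail"],
    }
    ext_str = " ".join(f"{k}={_ext(str(v))}" for k, v in ext.items())
    return (f"CEF:0|{_hdr('ExampleOTVendor')}|{_hdr('OT Monitor')}|1.0|"
            f"{_hdr(alert['rule_id'])}|{_hdr(alert['title'])}|{sev}|{ext_str}")


# Constructed OT alerts as the platform might export them.
SAMPLE_OT_ALERTS = [
    {"time": "2019-03-05T02:14:07Z", "rule_id": "OT-2001",
     "title": "Controller code change", "severity": "high",
     "source_ip": "10.1.20.15", "asset_ip": "10.1.30.5", "asset_name": "PLC-LINE3",
     "protocol": "s7comm", "detail": "Ladder logic block OB1 downloaded"},
    {"time": "2019-03-05T02:20:41Z", "rule_id": "OT-1003",
     "title": "New asset discovered", "severity": "low",
     "source_ip": "10.1.20.15", "asset_ip": "10.1.30.9", "asset_name": "HMI-LINE3",
     "protocol": "modbus", "detail": "first seen|vendor=unknown"},
]


@dataclass(frozen=True)
class Event:
    """A normalized SIEM event from either side of the IT/OT boundary."""
    time: datetime
    domain: str      # "IT" or "OT"
    kind: str        # constructed event kinds used by the rule below
    host_ip: str     # IT: workstation that logged on; OT: source of the change
    detail: str


def correlate_it_to_ot(events: List[Event], window: timedelta) -> List[str]:
    """Flag an IT logon followed within `window` by an OT controller change
    issued from the same host. Each event alone is routine; together they form
    the IT-to-OT traversal pattern that a single-domain view cannot see."""
    logons = [e for e in events if e.domain == "IT" and e.kind == "auth_success"]
    changes = [e for e in events if e.domain == "OT" and e.kind == "controller_code_change"]
    findings = []
    for chg in changes:
        for lg in logons:
            if lg.host_ip == chg.host_ip and timedelta(0) <= chg.time - lg.time <= window:
                findings.append(
                    f"IT->OT traversal: {lg.detail} on {lg.host_ip} at {lg.time:%H:%M}, "
                    f"then {chg.detail} at {chg.time:%H:%M}")
    return findings


def sample_events() -> List[Event]:
    """Constructed IT and OT events; only the first pair falls inside a 30-minute window."""
    t0 = datetime(2019, 3, 5, 2, 0)
    return [
        Event(t0, "IT", "auth_success", "10.1.20.15", "logon by eng01 via VPN"),
        Event(t0 + timedelta(minutes=14), "OT", "controller_code_change", "10.1.20.15",
              "OB1 download to PLC-LINE3"),
        Event(t0 + timedelta(hours=3), "IT", "auth_success", "10.1.20.22", "logon by ops07"),
        Event(t0 + timedelta(hours=9), "OT", "controller_code_change", "10.1.20.22",
              "OB1 download to PLC-LINE1"),
    ]


if __name__ == "__main__":
    for a in SAMPLE_OT_ALERTS:
        print(ot_alert_to_cef(a))
    for f in correlate_it_to_ot(sample_events(), timedelta(minutes=30)):
        print(f)
```

The escaping helpers matter more than they look: OT alert text routinely contains `=` and `|` (tag names, firmware strings), and an unescaped character silently shifts fields in the SIEM's parser, so the very alert you wanted indexed ends up unsearchable. The correlation rule is deliberately keyed on the workstation address that appears in both the IT logon and the OT `src` field; that shared key is what the "single pane of glass" actually buys you.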
You’ll Simply See More, Find More, Stop More
The integration of an ICS security platform with SIEM enables industrial and critical infrastructure organizations to:
- Effectively detect and mitigate threats to the safety, reliability and continuity of industrial processes using behavior and policy-based detection
- Achieve 360-degree visibility across IT and OT environments via a single pane of glass
- Perform automated asset tracking that goes as far as dormant devices and as deep as PLC backplane configurations
- Get alerts on every change to code, OS & firmware regardless of whether it is done through the network or locally
- Improve decision-making, reduce response times and perform proactive maintenance based on accurate and detailed information
The key value of an integrated ICS/SIEM solution is that it eliminates the IT-OT blind spot, which can place both networks at risk. Such a cybersecurity solution helps industrial organizations achieve unified monitoring and detection of both IT and OT threats for faster remediation and response.