How a Dynamic, Contextual, Preventative Solution Can Deliver OT Security

Having discussed many of the reasons why OT security is a challenge, the pressure the business exerts to extract more value, how OT security differs from IT security in key ways, and why some OT security solutions fall short, let's take a look at the characteristics an ideal OT security solution would have.

Full Visibility

Many organizations have grown their technical infrastructure over a number of years and have accumulated various systems and devices.  In IT there is often a push every few years to move towards a new technology or “rip and replace” systems to ensure that the latest capabilities are available to the organization.

OT systems tend to have much longer lifespans and evolve much more slowly, and the old adage “if it ain’t broke, don’t fix it” is widely followed.  In addition, many legacy OT devices and systems are highly proprietary, and the network communications between them and from them are often poorly documented.

Recently, an increasing number of chief information security officers (CISOs) have been tasked with adding the organization’s OT networks to their purview, so that a more comprehensive assessment can inform strategies suited to OT networks.

In OT, SCADA systems provide intense visibility into the process, but no visibility into the security of the process.  Many organizations do not realize the volume or variety of devices connected to their networks, the nature of those connections, or the condition of the security built around them.  The old maxim “you can’t protect what you can’t see” holds true.

As a result, full visibility into the OT infrastructure, in order to understand exactly which systems and devices are communicating with each other and into and out of the OT network, is crucial.  In many cases, organizations discover communication flows with no documentation of their existence.  Vendor access and traffic into the OT networks in particular can come as a surprise, with resellers, service providers, and partners having been engaged to remotely monitor and manage devices.

This visibility also provides a strong foundation for defining granular policies that prevent unwanted communications.


Contextualization

As discussed briefly in Part 3 of this blog series, How to Bridge the OT / IT Knowledge Gap, contextualization is a key enabler in bridging the OT/IT knowledge gap and in giving OT personnel a level of comfort in defining security policies that support their mission of safety, reliability, accuracy, and performance.

By taking the full network traffic visibility available and labeling all the participants with asset information within the security tool, OT personnel can decide how to further group and divide networks, systems and devices using their own taxonomy and categorizations, the ones that make the most sense to them.

But contextualization isn’t merely about labeling things in useful ways; it also plays a big role in ensuring that the policies developed and the deception artifacts deployed take into account the additional context of the direction of communication.  North or south?  From or to?  Within normal levels or exceptional?  Too often security policies are blunt instruments that are overly broad or “dumb” to their context within the infrastructure.

Take IDS and IPS technology for instance.  Does this set of bytes match another set of bytes that someone, somewhere labeled malicious?  There is no acknowledgement of which system those bytes are heading to or coming from, or of whether they are headed into or out of the network or are part of the east / west traffic flow.  And some wonder why IPS deployments typically end up with only a very small percentage of signatures set to block rather than merely alert.
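To make the visibility and context points above concrete, here is an added example (it is not code from the original post or from PacketViper OT360) that inventories constructed flow records for a hypothetical OT segment, labels each endpoint with assumed asset context, classifies direction relative to an assumed OT address range, and then judges the same Modbus/TCP write request two ways: a context-blind signature match of the kind described for IDS/IPS, and a decision that knows who is talking to whom and in which direction.  The addresses, asset labels and flows are all constructed; the only protocol fact relied on is the Modbus/TCP MBAP header layout (function code at byte 7).

```python
"""Flow inventory plus direction- and asset-aware policy for an OT segment.

Added example, not code from the original post or from PacketViper OT360.
The OT subnet, asset labels, addresses and flow records are constructed for
illustration; the only protocol detail relied on is the Modbus/TCP MBAP
header layout (transaction id, protocol id 0, length, unit id, function code).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.20.0.0/16")  # assumed OT address space

# Asset context an OT team would attach to addresses (constructed).
ASSETS = {
    "10.20.1.10": {"name": "plc-lift-01", "role": "plc", "zone": "lift-station"},
    "10.20.1.20": {"name": "hmi-lift-01", "role": "hmi", "zone": "lift-station"},
    "10.20.5.5": {"name": "historian-01", "role": "historian", "zone": "plant"},
}

MODBUS_WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coil(s)/register(s)


def direction(src, dst):
    """Classify a flow relative to the OT boundary: inbound (south), outbound (north), east-west."""
    s_in, d_in = ip_address(src) in OT_NET, ip_address(dst) in OT_NET
    if s_in and d_in:
        return "east-west"
    if s_in:
        return "outbound"
    if d_in:
        return "inbound"
    return "external"


def modbus_function_code(payload):
    """Return the Modbus/TCP function code, or None if the bytes are not a Modbus frame."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":  # protocol id 0 means Modbus
        return None
    return payload[7]


def signature_verdict(flow):
    """Context-blind IDS style check: the bytes match a 'write' pattern or they do not."""
    return "alert" if modbus_function_code(flow["payload"]) in MODBUS_WRITE_FCS else "pass"


def contextual_verdict(flow):
    """Same bytes, decided with who is talking to whom and in which direction."""
    src, dst = ASSETS.get(flow["src"]), ASSETS.get(flow["dst"])
    d = direction(flow["src"], flow["dst"])
    fc = modbus_function_code(flow["payload"])
    if d == "inbound" and dst and dst["role"] == "plc":
        return "block"  # nothing outside the OT network talks to a PLC directly
    if fc in MODBUS_WRITE_FCS:
        if (d == "east-west" and src and dst and src["role"] == "hmi"
                and dst["role"] == "plc" and src["zone"] == dst["zone"]):
            return "allow"  # the zone's HMI writing to its PLC is the process working
        return "block"  # any other writer, documented or not, is unwanted
    if src is None or dst is None:
        return "review"  # undocumented participant: inventory it before writing a rule
    return "allow"


def inventory(flows):
    """Summarise flows by direction and list those touching undocumented endpoints."""
    dirs = Counter(direction(f["src"], f["dst"]) for f in flows)
    undocumented = [f for f in flows if f["src"] not in ASSETS or f["dst"] not in ASSETS]
    return {"by_direction": dict(dirs), "undocumented": undocumented}


def modbus_frame(fc, body=b"\x00\x00\x00\x01", unit=1, tid=1):
    """Build a minimal Modbus/TCP frame: MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = bytes([fc]) + body
    return (tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big")
            + bytes([unit]) + pdu)


# Constructed sample flows, not captured traffic.
FLOWS = [
    {"src": "10.20.1.20", "dst": "10.20.1.10", "dport": 502, "payload": modbus_frame(0x05)},  # HMI -> PLC write
    {"src": "203.0.113.7", "dst": "10.20.1.10", "dport": 502, "payload": modbus_frame(0x03)},  # vendor -> PLC read
    {"src": "10.20.1.10", "dst": "10.20.5.5", "dport": 502, "payload": modbus_frame(0x03)},  # PLC -> historian
    {"src": "10.20.9.99", "dst": "10.20.1.10", "dport": 502, "payload": modbus_frame(0x10)},  # unknown host writes
    {"src": "10.20.5.5", "dst": "198.51.100.10", "dport": 443, "payload": b"\x16\x03\x01\x00\x05hello"},  # outbound TLS
]

if __name__ == "__main__":
    print(inventory(FLOWS)["by_direction"])
    for f in FLOWS:
        print(f["src"], "->", f["dst"], "signature:", signature_verdict(f),
              "contextual:", contextual_verdict(f))
```

Running the block prints the direction summary and both verdicts per flow.  The HMI's write to its own PLC alerts under the signature check but is allowed in context; the vendor's inbound read of the PLC passes the signature check but is blocked; a write from an undocumented host is blocked; and the historian's outbound TLS flow to an unknown destination is neither passed nor blocked but queued for review, which is the inventory step this section describes.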

Zero False Positives

Speaking of IDS / IPS technologies, the subject of false positives has to be addressed.  These tools by their very nature have had and will continue to have some false positives.  To be sure they have improved over time, but not to the extent that OT personnel can trust an automated prevention decision to be made without the risk of a false positive.

Some of the more cutting edge tools that are pursuing the use of advanced AI or machine learning have the same potential for false positives.  Although there is significant potential value with these tools, no algorithm will ever be perfect.

It is the proper application of context and zero false positives that provides the confidence to pursue prevention.  Deception is what makes the second of these achievable: no legitimate device has any reason to touch a decoy, so a touch is unwanted activity by construction rather than a probabilistic match.

Prevents / Contains Threats

In OT, as in IT, there are measurable, substantial direct costs associated with process adulteration, interruption and downtime.  Unlike in IT, for the most part there can also be direct health and safety impacts.

There is a saying that safety rules are written in blood, because in most cases they became rules after the death or dismemberment of a person.  It is foreseeable that the same could happen with cyber security requirements in the OT space.

The very high stakes, combined with the pressure to run these OT-controlled processes and operations as efficiently as possible, often come with a very small staff of operating engineers and security personnel.  This highlights the need for a solution that can not only detect malicious and unwanted activity but also respond to prevent further propagation of the threat or further damage.

For example, what happens if bad behavior is detected in a lift station several hours away?  Consider the time until the message is actually read and a person is dispatched; it could be days before someone can investigate the problem.  While it’s true some tools can notify via email, most provide no ability to act on the bad behavior themselves.

Being able to prevent attack propagation at wire speed gives limited personnel the comfort of knowing the tool is working on their behalf 24x7x365, and gives them the resilience to continue operations while addressing the root cause of the security issue at human speed.

Multiple Tactics and Techniques

Best-of-breed, single-function tools have been the norm within IT security programs for years, the belief being that it is better to buy a series of single-function tools and combine them in a layered approach to implement security controls.

In a large IT datacenter with centralized ingress and egress traffic, this strategy makes a lot of sense: space, power and environmental constraints are minor, and there is a well-defined place in the network to put the stack of gear.

But in OT infrastructure, particularly in remote, distributed locations (which may number in the hundreds or thousands), this approach quickly runs into all of those constraints, and especially the biggest constraint of all, cost.

When looking at multiple tactics and techniques, what you want is the capability to define policies that are solid and static alongside policies that are dynamic and reactive: alerting, containing and preventative policies, policies that identify active and passive threats, and policies that flush out the unknown threats that may be lurking.

You want the maximum security value that can be obtained for the least amount of cost and effort. 

Deceptive Techniques

One of the techniques for effective OT network and system security needs to be deception.  Both the ability to define decoys on the network that respond to active probing and the ability to define sirens on the network that entice passive listeners to engage are must-haves.

Deception has traditionally been the domain of sophisticated security and threat analysts who craft ever more believable and detailed honeypots to entrap attackers in order to study them and understand their TTPs (tactics, techniques and procedures), perhaps to build a case for attribution or to extract artifacts for future threat intelligence.

There are several problems with this approach:

  1. It requires very expensive, highly trained security personnel engaged actively over long periods of time
  2. It requires additional systems, VMs, or agents in order to implement the decoys
  3. It doesn’t automatically permanently contain or prevent the attacker from continuing their exploit attempts

The answer is to take the good features of deception (turning the tables on the attacker, letting them self-identify by touching the wrong system) and combine them with a lightweight, agentless deployment.  In addition, the ability to harvest the intelligence gathered in real time and apply it at wire speed, in order to immediately and permanently contain and prevent the threat, is critical.

In the real world, we have found that both decoys (waiting for an active probe from a threat) and sirens (emitting traffic to entice a passive listener) only need to be “believable enough” to entice an attacker to touch them.  This initial touch, along with all the context around it, allows the policy creator to determine that the toucher is performing unwanted activity on the network and should be contained and prevented from further action.
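As an added example of the decoy-and-siren loop described above (this is not code from the original post or from PacketViper OT360): a TCP decoy on a port no legitimate device uses, a UDP siren advertising that decoy as a spare PLC, and a containment list updated the moment anyone takes the bait.  The contain() action is a local block list standing in for the wire-speed policy push a real deployment would make; the beacon format, the device name plc-spare-09, the ports and the loopback addresses are all constructed for illustration.

```python
"""Decoy plus siren, as an added example (not the post's or PacketViper's code).
contain() is a local block list standing in for a wire-speed policy push; the
beacon format, device name, ports and addresses are constructed."""
import socket
import threading
import time

class Decoy:
    """TCP listener no legitimate device talks to: a connection is self-identification, not a probabilistic match."""
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS pick, handy for a demo
        self.sock.listen(5)
        self.sock.settimeout(0.2)     # so the serve loop notices close()
        self.host, self.port = self.sock.getsockname()
        self.contained = set()        # source IPs the policy now blocks
        self.events = []              # (src_ip, context) kept for human-speed review
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except OSError:  # includes the periodic accept timeout
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    first = conn.recv(64)  # evidence for the analyst, not the trigger
                except OSError:
                    first = b""
            self.contain(src_ip, {"decoy_port": self.port, "src_port": src_port,
                                  "first_bytes": first, "ts": time.time()})

    def contain(self, src_ip, context):
        """Block immediately and permanently; the context is for the follow-up."""
        self.contained.add(src_ip)
        self.events.append((src_ip, context))

    def permitted(self, src_ip):
        """The check every other flow from src_ip is now subject to."""
        return src_ip not in self.contained

    def wait_for(self, src_ip, timeout=2.0):
        """Poll until src_ip is contained; True if that happened within the timeout."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            if src_ip in self.contained:
                return True
            time.sleep(0.01)
        return False

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

def make_beacon(host, port):
    """Siren payload: a constructed 'device announcement' pointing at the decoy."""
    return f"DEVICE plc-spare-09 modbus-tcp {host}:{port}\n".encode()

def parse_beacon(data):
    """What a passive listener would extract from the siren: (host, port)."""
    host, port = data.decode().strip().split(" ", 3)[3].rsplit(":", 1)
    return host, int(port)

def emit_siren(beacon, dest):
    """Send the beacon as a UDP datagram; a real siren repeats it periodically."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(beacon, dest)

def touch(host, port, probe=b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"):
    """An attacker probing the advertised 'PLC' with a Modbus/TCP read request."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(probe)

def passive_listener_demo(beacon):
    """Stand-in for a passive listener: hear the siren on UDP, then touch what it advertised."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as lis:
        lis.bind(("127.0.0.1", 0))
        lis.settimeout(2.0)
        emit_siren(beacon, lis.getsockname())
        host, port = parse_beacon(lis.recv(256))
    touch(host, port)
    return host, port

if __name__ == "__main__":
    decoy = Decoy()
    print("permitted before:", decoy.permitted("127.0.0.1"))
    passive_listener_demo(make_beacon(decoy.host, decoy.port))  # the listener takes the bait
    print("contained:", decoy.wait_for("127.0.0.1"), decoy.events)
    print("permitted after:", decoy.permitted("127.0.0.1"))
    decoy.close()
```

The decision rule is the whole point: nothing about the probe bytes is inspected before containment, so there is no signature to tune and no false positive to argue over; the first bytes are merely recorded so that an analyst can look at them later at human speed.  On a real network the decoy would listen on the PLC ports the siren advertises, and contain() would push the source address into the enforcement policy instead of a local set.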

Purpose-built for OT

We’ve mentioned throughout this blog series the challenges and limitations that exist within OT infrastructure and the unique requirements OT operators have to abide by.

For distributed, remote, often unmanned, OT locations there can be a number of environmental, power, network, communications, and real-estate considerations.

The best software in the world is of no use if it can’t be applied where it is needed most.  Specialized, ruggedized, low-power hardware, with or without its own NEMA-rated enclosure, ensures that security can be applied at a water lift station, an oil and gas (ONG) well site, or an ITS toll booth.

In addition, the solution must be fully functional in a truly air gapped implementation with no Internet or cloud connectivity.  Updates to the solution must be as streamlined as possible in these instances.

Finally, the solution must be able to communicate alerts using existing OT communications standards and tools.  OPC UA and MQTT style communications allow OT operators to rely solely on the tools they already use to monitor and alert within their infrastructures today.

Low on-going Personnel Load

The initial implementation and configuration of information security tools tends to follow two patterns:

  1. Low up-front efforts and costs, higher on-going running costs, low delivered value
  2. Higher up-front efforts and costs, lower on-going running costs, high delivered value 

Unfortunately there are no free lunches when it comes to information security tools.

The ideal OT security solution is no exception.  In order to make the proper decisions regarding the static and dynamic policies and the strategy around decoys and sirens, and to ensure as full a context as possible, full visibility into the environment is required, along with thoughtful, experienced analysis of the system and device communications.

The good news is that, depending on the organization's preferences, this up-front work can be consolidated into one concerted effort or spread out over time, allowing policies to be tightened gradually as they are conformed to the infrastructure.

The pay-off, of course, is that the solution presents a low on-going drain on personnel time and effort: the solution does the work on their behalf rather than creating it.

PacketViper OT360 is a dynamic, contextual, preventative solution that can deliver OT security.  It can work at the OT/IT boundary of an organization's infrastructure, within plant facilities to provide protection internally and between the plant and distributed assets, and within remote OT locations to provide prevention and containment.