If you can’t see it, you can’t secure it.
That’s the problem every OT environment has. A wide variety of devices and vendor systems, many of them speaking protocols that are not standard IT protocols. Some systems are poorly designed. No asset or inventory management. No one knows how many endpoints are actually out there on the ground.
Nowadays, more and more cyber attacks are carried out through weakly protected IoT and OT environments. If we don’t know what we are using in the OT environment, we don’t know our current security posture or our risk exposure, and the OT systems will definitely become the attack target. Maybe some day the hackers will know your OT environment better than you do.
I don’t want to advertise any brand or vendor. But in the new OT security market there isn’t nearly as much choice as we already have in the traditional information security space. We need to share information and knowledge to better protect the OT area, which we usually ignore.
There’s a company called Claroty which provides a passive network monitoring solution for OT networks. The technology itself is not new; it is very similar to IDS and network traffic analytics solutions. The major difference, I believe, is that Claroty focuses more on the patterns and signatures of the OT industry. For example, it knows BMS systems, it knows electrical distribution systems, and it knows automation and production systems. It knows their protocols, their commands and even their behavior, so it can provide visibility into those systems and alert security operations or system administrators to abnormal behavior.
The architecture of the Claroty solution is also quite similar to an IDS deployment. It is suggested to use a network switch SPAN port (port mirror) or network taps to feed the traffic into the Claroty box. In a large network environment, a Gigamon content switch may also help the Claroty deployment a bit. Claroty just passively listens to all the traffic sent to it, without injecting any packets into the OT network, then builds a baseline and filters out the abnormal and malicious activities.
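To make the "build a baseline, then flag what falls outside it" idea concrete, here is a small added example of my own (it is not Claroty's code or any vendor's): it learns which source/destination/protocol/operation combinations are normal from a learning window of flow records collected off a mirror port, derives an asset inventory from them, and flags new hosts, new conversations and new protocol operations in later traffic. The hosts, protocol operation names and records are constructed for illustration.

```python
from collections import Counter

# Constructed sample flow records, as a mirror-port collector might summarise
# them: (source, destination, protocol, operation). All values are made up.
LEARNING_WINDOW = [
    ("10.1.1.10", "10.1.2.20", "modbus", "read_holding_registers"),
    ("10.1.1.10", "10.1.2.20", "modbus", "read_holding_registers"),
    ("10.1.1.10", "10.1.2.21", "modbus", "read_coils"),
    ("10.1.1.11", "10.1.2.20", "s7comm", "read_var"),
]
LIVE_TRAFFIC = [
    ("10.1.1.10", "10.1.2.20", "modbus", "read_holding_registers"),  # normal
    ("10.1.1.10", "10.1.2.20", "modbus", "write_single_register"),   # new op
    ("10.1.1.11", "10.1.2.21", "s7comm", "read_var"),                # new pair
    ("10.1.9.99", "10.1.2.20", "modbus", "read_coils"),              # new host
]

def build_baseline(records):
    """Count every (src, dst, proto, op) tuple seen during the learning window."""
    return Counter(records)

def inventory(baseline):
    """Hosts discovered purely by listening: the passive asset inventory."""
    return sorted({h for s, d, _, _ in baseline for h in (s, d)})

def classify(record, baseline):
    """Return why a record deviates from the baseline, or None if it is normal."""
    src, dst, proto, op = record
    if record in baseline:
        return None
    # Most surprising deviation first: unknown talker, then new conversation
    # between known hosts, then a new protocol operation on a known pair.
    if src not in inventory(baseline):
        return "new asset"
    if (src, dst) not in {(s, d) for s, d, _, _ in baseline}:
        return "new conversation"
    return f"new operation {proto}/{op}"

def detect(records, baseline):
    """Run classify() over live records and keep only the alerts."""
    alerts = []
    for record in records:
        reason = classify(record, baseline)
        if reason:
            alerts.append((record, reason))
    return alerts

if __name__ == "__main__":
    for record, reason in detect(LIVE_TRAFFIC, build_baseline(LEARNING_WINDOW)):
        print(f"{reason:<40} {record}")
```

A real product would key the baseline on protocol-specific detail (unit IDs, register ranges, PLC modes) and expire stale entries, but the learn-then-compare loop is the same.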
So the key value of this solution is its knowledge database of the OT industry. If any existing IDS vendor simply integrated signatures for the common OT system protocols, there would be no need to deploy yet another passive monitoring solution.