5 monitoring strategies for cyber security in OT

Published on September 08, 2021 | By Shaun Behrens
Source: https://asdafrica.com/5-monitoring-strategies-for-cyber-security-in-ot/ (post id 26488, republished 2021-10-11)

There is no doubt that the most secure OT environment is an isolated network, which does not necessarily need special security measures. However, with the convergence of IT and OT, many OT networks now need to be integrated with external systems and networks. For these OT networks, it is crucial that comprehensive cyber security strategies are in place. As in IT, monitoring infrastructure, devices, and systems forms a vital part of such strategies. Here are five ways that monitoring can form part of an OT cyber security strategy.

Certificate monitoring

In IT, certificate monitoring forms a part of any good cyber security plan, and the same should apply to OT. Industrial standards like OPC UA use X.509 certificates to secure communication, and these certificates need to be maintained and kept up to date. Monitoring can be used to ensure certificates are always valid, thus preventing downtime or lapses of security caused by expiring certificates (for more information on this, read my blog post about monitoring OPC UA certificates).

The downside of using certificates is that they raise the complexity and administration effort required, so it may be more convenient to use other approaches in non-encrypted environments.
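The expiry check described above, as an added example that is not code from the original post or from Paessler/PRTG. It works over certificate records shaped like what Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be fed real peer certificates from an OPC UA server; the sample records, host names, reference time and the 30/7-day thresholds below are all constructed for illustration.

```python
"""Certificate-expiry monitoring over getpeercert()-style records (added example)."""
import ssl
import time

# Alert thresholds in days: an assumption for this example, not a product default.
WARN_DAYS = 30
ERROR_DAYS = 7


def common_name(cert):
    """Pull commonName out of the nested 'subject' tuple that getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def days_until_expiry(cert, now):
    """Days between `now` (epoch seconds) and the certificate's notAfter (always GMT)."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def classify(cert, now):
    """Map one certificate to a (status, reason) pair for an alerting pipeline."""
    cn = common_name(cert)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if now < not_before:
        # A certificate that is not yet valid usually means clock skew on the
        # device or a certificate rolled out ahead of its validity window.
        return "error", f"{cn}: not yet valid (check clock skew)"
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "error", f"{cn}: expired {-days:.1f} days ago"
    if days <= ERROR_DAYS:
        return "error", f"{cn}: expires in {days:.1f} days"
    if days <= WARN_DAYS:
        return "warning", f"{cn}: expires in {days:.1f} days"
    return "ok", f"{cn}: {days:.0f} days remaining"


def check_certificates(certs, now=None):
    """Return the per-certificate status and the worst status across the fleet."""
    now = time.time() if now is None else now
    order = {"ok": 0, "warning": 1, "error": 2}
    per_cert, worst = {}, "ok"
    for cert in certs:
        status, _reason = classify(cert, now)
        per_cert[common_name(cert)] = status
        if order[status] > order[worst]:
            worst = status
    return {"worst": worst, "per_cert": per_cert}


# Constructed sample records shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "opcua-server-01.plant.example"),),),
     "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Dec 31 00:00:00 2025 GMT"},
    {"subject": ((("commonName", "plc-07.plant.example"),),),
     "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan 31 00:00:00 2024 GMT"},
    {"subject": ((("commonName", "hmi-02.plant.example"),),),
     "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan  5 00:00:00 2024 GMT"},
    {"subject": ((("commonName", "gateway.plant.example"),),),
     "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Dec 31 00:00:00 2023 GMT"},
]

# Fixed reference time so the run is reproducible; use time.time() in production.
REFERENCE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(*classify(cert, REFERENCE_NOW))
    print(check_certificates(SAMPLE_CERTS, REFERENCE_NOW))
```

The "worst" status is what a monitoring sensor would report upward, while the per-certificate reasons are what the notification should carry so the responsible team knows which device to renew first.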

Anomaly detection

An anomaly in a network is any deviation from the norm – things like spikes in bandwidth usage that cannot be explained, unusual traffic, or unexpected new connections in the network. While an anomaly might not always mean a malicious attack, it could be an indicator of one.

The ability to spot an anomaly implies that there is a base state – the “norm” – that is known. Monitoring plays two roles here: firstly, it can be used to identify the “normal” state over a period of time, and secondly, it can be deployed to look for any deviations from this normal state. With monitoring, you can define alerts and notifications that are triggered when defined thresholds are exceeded, thus keeping you aware of any suspicious activity in your network.
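The two roles described above (learn the normal state, then alert on deviations from it) as an added example, not code from the original post or from any monitoring product. It covers the two anomaly types the post names: a bandwidth spike, detected as a z-score against a learned mean and standard deviation, and an unexpected new connection, detected as a flow tuple never seen during the baseline window. The interval samples, addresses and the 3-sigma threshold are constructed for illustration.

```python
"""Baseline-then-deviate anomaly detection for an OT network segment (added example)."""
import statistics
from collections import namedtuple

# One monitoring interval: elapsed minutes, link utilisation in Mbps, and the
# set of (src, dst, dport) flows observed during the interval.
Sample = namedtuple("Sample", "t mbps flows")


def learn_baseline(samples, z_threshold=3.0, min_stdev=0.5):
    """Role one: derive the 'normal' state from a quiet observation window.

    min_stdev is a floor so that a perfectly flat baseline does not turn every
    tiny fluctuation into an alert (a division-by-near-zero z-score).
    """
    rates = [s.mbps for s in samples]
    known_flows = set().union(*(s.flows for s in samples))
    return {
        "mean": statistics.mean(rates),
        "stdev": max(statistics.pstdev(rates), min_stdev),
        "known_flows": known_flows,
        "z_threshold": z_threshold,
    }


def detect(sample, baseline):
    """Role two: compare one live interval with the baseline; return (kind, message) alerts."""
    alerts = []
    z = (sample.mbps - baseline["mean"]) / baseline["stdev"]
    if abs(z) > baseline["z_threshold"]:
        alerts.append(("bandwidth",
                       f"t={sample.t}: {sample.mbps} Mbps is {z:.1f} sigma from "
                       f"the baseline mean of {baseline['mean']:.1f} Mbps"))
    for src, dst, dport in sorted(sample.flows - baseline["known_flows"]):
        alerts.append(("new_connection",
                       f"t={sample.t}: first sighting of {src} -> {dst}:{dport}"))
    return alerts


def run(baseline_samples, live_samples):
    """Learn from the baseline window, then evaluate every live interval."""
    baseline = learn_baseline(baseline_samples)
    alerts = []
    for sample in live_samples:
        alerts.extend(detect(sample, baseline))
    return alerts


# Constructed baseline: eight quiet intervals of Modbus/TCP and OPC UA traffic.
MODBUS = ("10.1.0.5", "10.1.0.10", 502)
OPCUA = ("10.1.0.6", "10.1.0.10", 4840)
BASELINE = [
    Sample(t, mbps, {MODBUS, OPCUA})
    for t, mbps in zip(range(0, 40, 5), [10, 12, 11, 9, 10, 11, 12, 9])
]

# Constructed live intervals: one normal, one bandwidth spike, one new SSH flow.
LIVE = [
    Sample(40, 11, {MODBUS, OPCUA}),
    Sample(45, 45, {MODBUS, OPCUA}),
    Sample(50, 10, {MODBUS, OPCUA, ("10.1.0.77", "10.1.0.10", 22)}),
]

if __name__ == "__main__":
    for kind, message in run(BASELINE, LIVE):
        print(f"[{kind}] {message}")
```

The baseline here is a single window, which is enough to show the mechanism; in a plant, a baseline should be re-learned per shift or per production mode, because a scheduled batch job that looks like a spike against the night-shift norm is normal for the day shift.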

Defense in depth

To protect OT networks, several specialized defense layers are required. This concept, known as “Defense in Depth”, operates on the assumption that if you have multiple layers of security, you keep your core network safer. For OT, industrial firewalls commonly provide a layer. Another possibility is network segmentation, where the OT network is either separated from the IT network by an industrial demilitarized zone (vertical segmentation), or where the OT network itself is separated into several zones (horizontal segmentation). Monitoring can form a critical part of a defense in depth approach by watching over the industrial firewalls, the interfaces between segments, and factors like open ports.

Deep Packet Inspection (DPI)

This is a mechanism where the contents of data packets are examined, from the packet header down to the payload, to identify the protocol and the functions associated with that data packet. The data can also be checked against a set of rules to ensure that it is not anomalous. This allows more complex and detailed rules to be applied than a firewall can manage.

DPI forms the basis for two specific cyber security strategies for OT: Industrial Intrusion Prevention Systems and Industrial Intrusion Detection Systems. In an OT environment, both IPS and IDS are devices or systems that operate within the network and are intended to either prevent anomalous data or trigger a notification when it is discovered, depending on the system in use. Monitoring can be used alongside IPS and IDS solutions to provide a full picture of what’s happening in the OT network.

Comprehensive alarms and notifications

In the case of a malicious attack, timeous reaction is of utmost importance. This means that not only is detecting a cyber-attack important, but so is alerting the teams that need to take action. Alarms should be triggered when thresholds are exceeded or when defined criteria are met, and notifications of these alarms sent directly to the responsible teams.

Monitoring industrial IT with Paessler PRTG

PRTG monitoring software from Paessler can form part of a good cyber security strategy. Aside from monitoring various elements of IT and OT, it can also monitor for anomalous activity in industrial networks. Additionally, it works together with other popular cyber security solutions out there, such as Rhebo and Moxa, to form a vital piece of an ever-changing cyber security puzzle.

How do you use monitoring in your OT environment?