Modern network devices generate data that describes their current status and any change to it. Left unconfigured, this data remains hidden, logged away internally until it is overwritten.
Operational Technology (OT) Network Monitoring
The most effective tool an Operational Technology (OT) manager has is awareness of change. Understanding and visualising what represents normal operation allows the abnormal to stand out. A control system mimic offers an insight into application availability - the outcome of change. Network devices can provide independent notification of events, performance degradation, compromise and misuse. These are the causes of application failure, and they need to be captured and addressed fast if high availability is to be maintained. Reliance on Anti-Virus (AV) and anti-malware tools for defence, whilst useful, protects against only 36% of known threats; in many control systems AV is not used at all. It should be considered part of the plan, not the plan itself.
Awareness starts with knowing what is on your network. There are the obvious PCs, servers, network switches and routers, and the less obvious specialist devices that gather or convert signals to benefit from the site-wide Ethernet. The aim is to determine your security position; this asset discovery phase builds a picture of the estate and allows plans to be developed that will either maintain or improve that position. Maintaining the asset database allows changes to be detected quickly - AWARENESS.
With an asset list in place, the next step is to configure the integrated monitoring options that already exist within the equipment you have, possibly using the opportunity to update firmware, configure useful services such as NTP and turn off insecure protocols. Depending upon the size of the network, bringing all these events back to a central point will result in more events arriving than a human can hope to analyse. Many events also relate to normal operation and, for the purposes of this activity, can be ignored. Investment in a log and event management tool that can capture a wide range of event types and filter them in order of importance is a huge benefit; being able to trend the occurrence of these events is a further major step forwards in developing your AWARENESS.
Determining performance requires an understanding of what 'good' looks like and a service able to notify the event management system when thresholds are exceeded. Performance issues can result from a wide range of causes, from poorly terminated cabling to a misconfigured firewall - all fairly normal. A performance threshold can also be an indicator of compromise: if a backbone server link starts getting thrashed at 03:00 for an hour, perhaps your database has been compromised? Whilst frustrating, wouldn’t you like to know? Adding this level of insight is a further step forwards in AWARENESS.
Alert data is specifically linked to security-related matters. Invalid logins, dropped firewall packets, changes of password and the clearing of log files are some generic alerts that can identify that an attack is in progress or has taken place. The more real-time the defences become, the greater the investment required. Tools such as Darktrace use machine learning and mathematics to identify, in real time, changes in network activity, possibly even closing the port that is causing the anomaly. Darktrace and tools like it fall into the category of Intrusion Detection Systems, which look at live traffic flows to determine whether an attack or anomaly is active at any moment in time.
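As an added illustration (not from this page or from IT4A), the filtering by importance, trending and performance-threshold ideas of the last three paragraphs, run over constructed syslog-style events collected to a central point. The 90% utilisation baseline, the quiet-hours window, the severity ordering and all host names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style lines standing in for events collected centrally
# from a firewall, switches and a historian server (sample data, not a real site).
SAMPLE_EVENTS = """\
2024-03-01T02:10:00 fw01 DROP src=10.1.5.20 dst=10.1.1.2 dport=445
2024-03-01T02:10:05 sw03 link up port=Gi1/0/7
2024-03-01T02:11:00 hist01 auth failure user=operator
2024-03-01T02:11:02 hist01 auth failure user=operator
2024-03-01T02:11:04 hist01 auth failure user=admin
2024-03-01T03:00:00 sw01 util port=Te1/1 pct=97
2024-03-01T03:05:00 sw01 util port=Te1/1 pct=98
2024-03-01T03:20:00 hist01 log cleared by=admin
"""

# Assumed severity order, highest first, so output can be sorted by importance.
SEVERITY = {"log cleared": 3, "auth failure": 2, "DROP": 1}
UTIL_THRESHOLD_PCT = 90          # assumed 'good' baseline for a backbone link
QUIET_HOURS = range(0, 6)        # assumed unmanned window: 00:00 to 05:59

def classify(line):
    """Return (severity, tag) for one event; severity 0 means routine operation."""
    for tag, sev in SEVERITY.items():
        if tag in line:
            return sev, tag
    m = re.search(r"util port=(\S+) pct=(\d+)", line)
    if m and int(m.group(2)) > UTIL_THRESHOLD_PCT:
        hour = datetime.fromisoformat(line.split()[0]).hour
        # A saturated backbone link at 03:00 is more suspicious than the same load by day.
        return (2, "off-hours utilisation") if hour in QUIET_HOURS else (1, "utilisation")
    return 0, "routine"

def triage(text):
    """Drop routine events, sort the rest by severity and trend counts per (host, tag)."""
    alerts, trend = [], Counter()
    for line in text.splitlines():
        sev, tag = classify(line)
        if sev == 0:
            continue
        host = line.split()[1]
        alerts.append((sev, tag, line))
        trend[(host, tag)] += 1
    alerts.sort(key=lambda a: -a[0])
    return alerts, trend

if __name__ == "__main__":
    for sev, tag, line in triage(SAMPLE_EVENTS)[0]:
        print(f"[{sev}] {tag:<22} {line}")
```

The trend counter is what turns repeated events into something worth plotting: three failed logins on one host inside five seconds reads differently from three spread across a month.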
These approaches develop awareness and generate indicators of compromise that OT managers need to respond to. IT4A works with industry partners to build local monitoring capability and competence where remote access is not an option (e.g. nuclear). Alternatively, the IT4A Network Operations Centre (NOC) in Surrey can connect into the site and take responsibility for monitoring the events that arise and managing their remedy.