
Striking a stronger cybersecurity balance

Dec. 16, 2024
System integrator E Tech Group shows how network DMZs and risk assessments can enable cybersecurity

Visibility is the first step towards awareness, and it’s just as important for cybersecurity as it is for other tasks.

Matt Smith, network architect at E Tech Group, reports that the company is seeing increased adoption of operations technology (OT) security logs and tools into organizations' extended detection and response (XDR) equipment. This is being done to give third parties or information technology (IT) teams easy ways to increase risk visibility into OT environments in a repeatable and modular fashion. E Tech is a system integrator in West Chester Township, Ohio, and a certified member of the Control System Integrators Association.


“This change introduces greater visibility into the OT network, and while it might feel intrusive initially, it quickly becomes a welcome development,” says Smith. “The added monitoring and support can greatly benefit OT teams, which often operate with limited resources and focus on non-IT tasks. By integrating OT security tools into broader organizational systems like XDR, OT teams can now rely on their IT counterparts for critical assistance in managing risks and securing their environments. This collaboration ensures that OT systems remain secure without overburdening already stretched OT teams, allowing them to continue focusing on their core operational responsibilities.”

DMZ for clear separation

Smith reports that maintaining clear separations between IT and OT networks is crucial for ensuring uninterrupted operational access for end users. By keeping OT networks behind a demilitarized zone (DMZ), IT can implement necessary changes and improvements without directly impacting OT operations. The DMZ boundary allows the OT team to remain in control of their environment, deciding what changes are made within their network. Striking a balance between these updates, and maintaining open collaboration between IT and OT, ensures that both teams can achieve the shared goals of enhanced security and consistent operational stability.

“Smaller OT environments often face difficulties in identifying the right resources and approaches to effectively assess and remediate risks. Even in larger organizations, there can be a disconnect, where security is prioritized but ongoing infrastructure support may fall behind,” explains Smith. “Overcoming these challenges requires designating specific resources, such as key support engineers, who can consistently focus on maintaining both security and operational needs. Regular communication between OT teams and internal leadership is essential, ensuring that risks and operational concerns are addressed promptly and constructively. This approach helps ensure that security and infrastructure support receive balanced attention, fostering a more resilient environment.”

Risk assess for a good roadmap

To begin addressing OT cybersecurity challenges, Smith adds that organizations should conduct comprehensive risk assessments (RA). This process helps identify all assets within networks, and documents associated risks in a risk register. Examples of findings from an OT vulnerability assessment may include:

"This asset is end of life and no longer receiving security updates," "This device has 10 critical vulnerabilities," or "This PLC allows Modbus traffic from any source." These insights provide the foundation for developing a security improvement roadmap, enabling teams to prioritize actions that will mitigate risks and enhance overall security.
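As an added illustration (not code from the article or from E Tech Group), the sketch below turns a small asset inventory into a prioritized risk register that emits the three kinds of findings quoted above. The asset names, dates, allow rules and scoring weights are constructed assumptions; only the Modbus/TCP port number (502) is a real-world value.

```python
from datetime import date

MODBUS_TCP_PORT = 502                # registered port for Modbus/TCP
ANY_SOURCE = {"any", "0.0.0.0/0"}    # rule sources treated as "any source"

# Constructed inventory: hypothetical assets, dates and firewall allow rules.
INVENTORY = [
    {"asset": "hmi-01", "end_of_life": date(2020, 1, 14),
     "vuln_severities": ["critical"] * 10 + ["high"] * 3,
     "allow_rules": []},
    {"asset": "plc-07", "end_of_life": None,
     "vuln_severities": ["medium"],
     "allow_rules": [{"src": "any", "dst_port": 502}]},
    {"asset": "plc-08", "end_of_life": None,
     "vuln_severities": [],
     "allow_rules": [{"src": "10.20.1.15/32", "dst_port": 502}]},
]

def assess(asset, today):
    """Return (score, text) findings for one asset. Weights are illustrative."""
    findings = []
    eol = asset["end_of_life"]
    if eol is not None and eol <= today:
        findings.append((8, "This asset is end of life and no longer "
                            "receiving security updates"))
    critical = asset["vuln_severities"].count("critical")
    if critical:
        noun = "vulnerability" if critical == 1 else "vulnerabilities"
        findings.append((min(10, 5 + critical),
                         f"This device has {critical} critical {noun}"))
    # Flag any allow rule that exposes Modbus/TCP to an unrestricted source.
    if any(r["dst_port"] == MODBUS_TCP_PORT and r["src"] in ANY_SOURCE
           for r in asset["allow_rules"]):
        findings.append((9, "This PLC allows Modbus traffic from any source"))
    return findings

def build_register(inventory, today):
    """Flatten all findings into a register, highest score first."""
    rows = [{"asset": a["asset"], "score": score, "finding": text}
            for a in inventory for score, text in assess(a, today)]
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))

if __name__ == "__main__":
    for row in build_register(INVENTORY, date(2024, 12, 16)):
        print(f'{row["score"]:>2}  {row["asset"]:<7} {row["finding"]}')
```

The sorted register is the input to the roadmap step: the highest-scoring rows are the first candidates for remediation, and `plc-08`, whose Modbus rule is limited to a single source address, produces no finding.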


“We often advise against placing security sensors below the PLC at Level 0 of the Purdue Model. This is due to the challenges posed by the isolated nature of downlink PLC networks, making it difficult to deploy and manage sensors effectively,” adds Smith. “However, placing a sensor at Level 1—just above the PLC and below HMI/SCADA devices—can still provide valuable security insights. This position allows for the detection of potential issues without the complexities associated with Level 0, ensuring that key vulnerabilities are identified and addressed without disrupting critical operational processes.

“Network security will continue to evolve, and while long-term predictions can be uncertain, in the short term (1-2 years), we anticipate increased adoption of OT security tools and sensors. Also, IT’s security information and event management (SIEM) software, security operations centers (SOC) and XDR tools are becoming more capable of pulling logs from OT networks and correctly parsing the data. As these tools improve, we expect a growing trend of organizations adopting them, leading to enhanced visibility and protection across both IT and OT environments.”

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control. 
