5 monitoring strategies for cyber security in OT

 Originally published on September 08, 2021 by Shaun Behrens
Last updated on September 08, 2021 • 7 minute read

There is no doubt that the most secure OT environment is an isolated network, which does not necessarily need special security measures. However, with the convergence of IT and OT, many OT networks now need to be integrated with external systems and networks. And for these OT networks, it is crucial that comprehensive cyber security strategies are in place. As in IT, monitoring infrastructure, devices, and systems forms a vital part of such strategies. Here are five ways that monitoring can form part of an OT cyber security strategy. 

Certificate monitoring

In IT, certificate monitoring forms a part of any good cyber security plan, and the same should apply to OT. Industrial standards like OPC UA employ certificate-based X.509 encryption, and these certificates need to be header-OPC-UA-industrial-automationmaintained and kept up to date. Monitoring can be used to ensure certificates are always valid, thus preventing downtime or lapses of security caused by expiring certificates (for more information on this, read my blog post about monitoring OPC UA certificates).

The downside of using certificates is that it raises the complexity and administration efforts required, and so it may be more convenient to use other approaches in non-encrypted environments.  

Anomaly detection

An anomaly in a network is any deviation from the norm – things like spikes in bandwidth usage that cannot be explained, unusual traffic, or unexpected new connections in the network. While an anomaly might not always mean a malicious attack, it could be an indicator of one.

The ability to spot an anomaly implies that there is a base state – or the “norm” that is known. Monitoring plays two roles here: firstly, it can be used to identify the “normal” state over a period of time, and secondly, it can be deployed to look for any deviations from this normal state. With monitoring, you can define alerts and notifications that are triggered when defined thresholds are exceeded, thus keeping you aware of any suspicious activity in your network.

Defense in depth

To protect OT networks, several specialized defense layers are required. This concept, known as “Defense in Depth”, operates on the assumption that if you have multiple layers Industrial-Icons_628x628of security, you keep your core network safer. For OT, industrial firewalls commonly provide a layer. Another possibility is network segmentation, where the OT network is either separated from the IT network by an industrial demilitarized zone (vertical segmentation), or where the OT network itself is separated into several zones (horizontal segmentation). Monitoring can form a critical part of a defense in depth approach by watching over the industrial firewalls, the interfaces between segments, and factors like open ports.

Deep Packet Inspection (DPI)

This is a mechanism where the contents of data packets are examined, from the packet header down to payload, to identify the protocol and the functions associated with that data packet. The data can also be checked against a set of rules to ensure that it is not anomalous. This allows more complex and detailed rules to be applied than what a firewall can manage.

DPI forms the basis for two specific cyber security strategies for OT: Industrial Intrusion Prevention Systems, and Industrial Intrusion Detection Systems. In an OT environment, both IPS and IDS are devices or systems that operate within the network and are intended to either prevent or trigger a notification when anomalous data is discovered, depending on the system in use. Monitoring can be used alongside IPS and IDS solutions to provide a full picture of what’s happening in the OT network.

Comprehensive alarms and notifications

In the case of a malicious attack, timeous reaction is of utmost importance. This means that not only is detecting a cyber-attack important, but so is alerting the teams that need to take action. Alarms should be triggered when thresholds are exceeded, or when defined criteria are met, and notifications of these alarms sent directly to the responsible teams.

Monitoring industrial IT with Paessler PRTG

PRTG monitoring software from Paessler can form part of a good cyber security strategy. Aside from monitoring various elements of IT and OT, it can also monitor for anomalous activity in industrial networks. Additionally, it works together with other popular cyber security solutions out there, such as Rhebo and Moxa, to form a vital piece of an ever-changing cyber security puzzle.

How do you use monitoring in your OT environment? Let us know in the comments below!