Practical Approaches to OT SOC Monitoring

A security operations center (SOC) is a formalized function in a company that is staffed with domain experts (either in-house or outsourced) and focuses on preventing, detecting, analyzing and responding to cybersecurity incidents. Developing a formal SOC is a typical step a company takes to improve the maturity and effectiveness of its cyber defense program. To do this, SOCs provide services ranging from threat prevention to incident detection and response capabilities. Having a SOC is not as simple as buying technology and hiring some security analysts. Developing the infrastructure to run an effective SOC is a challenge that security teams and managed security providers struggle with.

 

 


Figure 1: SOC operating model

 

The challenge of running a SOC is becoming even harder. Security teams are now overseeing, monitoring and responding to environments that don’t resemble traditional IT. Many companies in critical industries, such as food and beverage and pharmaceuticals, are told that the SOC needs to extend its coverage to the operational technology side of their environment. This new landscape requires SOCs to incorporate new technologies, interact with new people and rethink how to effectively provide SOC services to operational technology (OT).

What is an OT SOC?

If most organizations distill the core mandate of their SOC, it is to effectively detect and respond to cybersecurity vulnerabilities or threats in their environments. To do this, the SOC can provide many services, such as event monitoring or vulnerability management for enterprise resources. Unlike enterprise environments, most OT environments are:

  • Distributed: End user has multiple facilities and dispersed networks
  • Antiquated: Legacy systems cannot handle modern security technology
  • Isolated: Limited relationship between asset owner and IT/security personnel

 


Figure 2: OT SOC monitoring zones against the Purdue model

 

The aim of an OT SOC is to combat that challenge by providing detection and response services to companies’ OT fleets. This is accomplished by effectively integrating telemetry and developing processes to monitor these bespoke environments. Companies have three choices when deciding to monitor OT environments:

 

Integrated IT/OT SOC

 

  • Strategy: The typical approach to OT monitoring is to make the SOC responsible for coverage of IT and OT assets.
  • Advantages: This strategy tends to be the most cost effective. Additional benefits include seamless response capabilities and reduced technology lifecycle management effort.
  • Disadvantages: There can be a higher requirement for employee upskilling and a lack of focus on OT monitoring.

 

Standalone Internal OT SOC

 

  • Strategy: A business has an internal SOC that runs entirely to handle OT detection and response capabilities. This approach is most often taken due to compliance reasons or insufficient capabilities to integrate more data sources or monitoring use cases to the IT SOC.  
  • Advantages: This strategy tends to have a more tailored response structure to OT use cases. It can be easier to manage many facilities and extend use cases beyond security to general operations. 
  • Disadvantages: This tends to be the most expensive strategy due to technology, infrastructure and resourcing spend. The level of effort to maintain and operate the OT SOC may be difficult to support in the long term. 

 

MSSP for OT SOC

 

  • Strategy: An external SOC runs entirely to handle OT detection and response capabilities. Many MSSPs and automation vendors are rolling out capabilities to provide OT monitoring for businesses' environments. This continues to be a growing trend as MSSPs mature their capabilities around OT monitoring.
  • Advantages: This strategy tends to be more cost effective than building a standalone OT SOC internally. Plus, this approach still maintains the focus of having a purpose-built SOC to monitor an organization’s facilities.
  • Disadvantages: This strategy may be cost prohibitive for some organizations, and the business is reliant on third-party processes and knowledge to manage response capabilities. There can sometimes be poor communication between the external OT SOC and the internal IT SOC.

Every company is unique and therefore has different requirements. When pursuing the OT SOC journey, it is important to take a practical approach to monitoring OT environments instead of moving too quickly toward a solution.

A Practical Approach to an OT SOC

 


Figure 3: Sample OT SOC general response workflow

 

As cybersecurity expert Bruce Schneier wrote in his Schneier on Security blog, “The worst enemy of security is complexity.” The same can be said for integrating OT within your SOC. So, what is a realistic approach to incorporating OT monitoring into your SOC?

  1. Understand current SOC capabilities and resources
     To determine where you are going, you must understand where you are. Examine your environment to better understand your current technology stack. How many resources do you have within your SOC? Do any have experience with monitoring OT environments? Most organizations have minimal capacity to monitor the additional OT data sources and a limited understanding of the OT environments. Without strong knowledge of your current capabilities, it is easy to become too ambitious when considering future-state possibilities.

  2. Define OT SOC vision and objectives
     Without clear objectives, most initiatives never actually get off the ground. Objectives can define desired coverage, functions provided, reporting requirements and more. They are essential to keeping your organization focused on what matters most to your company, while also facilitating an effective balance of cost and risk mitigation. The NISTIR 8428 “Digital Forensics and Incident Response Framework for OT” publication provides a great framework for understanding the basic phases of OT monitoring and may help you define the vision of your OT SOC. Clearly defined objectives will allow you to decide whether an integrated IT/OT SOC, a standalone OT SOC or a managed security services provider (MSSP) for OT SOC is the best decision for your organization.

  3. Strategize IT/OT plans for detection and response for critical OT use cases
     Focus is important to efficiently achieve any goal. The same is true for your OT SOC. OT monitoring technologies can provide so much information that an organization may find it hard to digest. Defining critical use cases, such as rogue devices on a network or malware on the OT network, is key. Plus, it is important to develop, together with the sites, workflows for how to respond to these cases; this helps filter the noise and increases the value of your investments. Ensure that operational technology resources are included in your strategy, as one of the keys to IT/OT convergence is an IT/OT partnership.

     Common challenges that organizations encounter when developing these workflows include insufficient security analyst knowledge to properly respond to alerts in OT, friction or a lack of communication between IT and OT resources, and insufficient planning and testing of response plans. For example, most organizations do not have clear plans in place for how to manage response for their OT environments if the IT environments become compromised. These challenges can be overcome by workshopping these plans and playbooks with resources across the different domains of IT and OT.

  4. Develop a technology and resourcing plan to incorporate OT
     With the process defined, defining the requirements for resourcing and technology is the next important step. For resourcing, many organizations either develop strategies to upskill their security analysts, hire or shift OT personnel to be SOC analysts, or outsource that skillset for IR purposes. For the average organization, a successful resource model involves providing basic awareness and training to all SOC analysts, as well as having a dedicated resource that understands deeper details around OT assets. The goal with resourcing is to have a model sufficient to minimize false positives, so that the escalations brought to the site have a higher fidelity of threat to the OT environment. For additional information about the competencies needed in various OT roles, CSA Singapore has built a helpful competency framework. Core technology that supports OT monitoring includes cyber-physical protection platforms, endpoint solutions and firewalls. These can be augmented by other OT security technologies and OT logging. Technology can drive resourcing requirements, or technology requirements may be driven by resourcing.

     Common challenges from a technology standpoint include insufficient alert tuning, which creates alert fatigue, and insufficient budget to effectively monitor all sites with the same rigor. When developing your requirements, keep in mind that if you factor facility criticality into your decision-making process, you can develop different requirements per site type. From a resourcing standpoint, security analysts often do not feel comfortable with OT telemetry data. Often, companies either create a training plan for a SOC analyst to become the OT expert for the SOC, or they onboard a resource from the facilities to become a SOC analyst.

  5. Test your plan with one site, tune your strategy and develop a methodology for scaling
     Perfection is the enemy of progress. As your OT SOC people, process and technology plans mature, there is an urge to perfect the strategy before rolling it out. But for most initiatives, it is better to take an iterative approach, because you will be constantly learning as you work with different sites. In most OT companies, no two sites are completely the same, and it is best to learn and adapt. As companies begin to onboard their OT environments, it is best to identify a partner site with which you can effectively roll out a monitoring design. Rolling out the strategy at one facility will allow you to correct errors before you scale, and to build out a framework for rolling out to other sites or business units.

  6. Onboard and initiate SOC services to your fleet of sites
     Embedding stronger OT security best practices across a fleet of sites is what truly makes OT a journey. The journey will encompass effectively budgeting capital, internal/external resources and other organizational priorities. It will also require buy-in, not just from the IT/security teams, but also from the operational teams across your sites. The best way to accomplish this is by creating an effective rollout plan. Being able to communicate the what, when and why of this journey to various stakeholders is critical to success.
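Steps 3 and 4 above call for defining a small set of critical use cases (rogue devices, for example), tuning alerts so they do not create fatigue, and factoring facility criticality into per-site requirements. The following Python script is an added example, not code from this article or from Optiv, showing one way to encode those ideas as detection logic: discovery lines from a passive sensor are compared against a per-site asset baseline, an unknown device is scored by its Purdue zone and the criticality of the facility, a known device seen with an unexpected address gets a lower score, and devices that appear inside an approved maintenance window are routed to the site for confirmation instead of being escalated. Every site name, MAC address, IP address, baseline entry, maintenance window and the `key=value` line format are constructed for illustration, as are the weights, which an organization would tune to its own risk appetite.

```python
"""Rogue-device triage against a per-site OT asset baseline (added example).

All sites, addresses, baseline entries, windows and the input line format
below are constructed for illustration; none come from a real environment.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed: how critical each facility is to the business.
SITE_CRITICALITY = {"plant-a": "high", "plant-b": "medium", "lab-c": "low"}

# Constructed: known-asset baseline per site (MAC -> expected IP and role),
# the kind of inventory an OT monitoring platform exports.
BASELINE = {
    "plant-a": {
        "00:80:f4:00:00:01": {"ip": "10.10.1.10", "role": "PLC"},
        "00:80:f4:00:00:02": {"ip": "10.10.1.20", "role": "HMI"},
    },
    "plant-b": {"00:80:f4:00:00:11": {"ip": "10.20.1.10", "role": "PLC"}},
    "lab-c": {},
}

# Constructed: approved maintenance windows (site, zone, start, end) during
# which new devices are expected; alerts there go to the site for confirmation.
MAINTENANCE_WINDOWS = [
    ("plant-b", "L2", "2024-03-10T08:00:00+00:00", "2024-03-10T16:00:00+00:00"),
]

# Tuning knobs: an unknown device close to the process (L0-L2) weighs more
# than one in the site DMZ; facility criticality multiplies the score.
ZONE_WEIGHT = {"L0": 3, "L1": 3, "L2": 3, "L3": 2, "L3.5": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Observation:
    site: str
    mac: str
    ip: str
    zone: str
    first_seen: datetime


def parse_line(line: str) -> Observation:
    """Parse one 'key=value' discovery line (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Observation(site=fields["site"], mac=fields["mac"].lower(), ip=fields["ip"],
                       zone=fields["zone"], first_seen=datetime.fromisoformat(fields["first_seen"]))


def in_maintenance(obs: Observation) -> bool:
    """True if the device appeared inside an approved window for its site and zone."""
    for site, zone, start, end in MAINTENANCE_WINDOWS:
        if site == obs.site and zone == obs.zone:
            if datetime.fromisoformat(start) <= obs.first_seen <= datetime.fromisoformat(end):
                return True
    return False


def severity_for(score: int) -> str:
    """Map a numeric score onto the four severity bands used for routing."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def classify(obs: Observation) -> Optional[dict]:
    """Return an alert dict, or None when the device matches its baseline."""
    known = BASELINE.get(obs.site, {}).get(obs.mac)
    if known is not None and known["ip"] == obs.ip:
        return None  # exactly what the inventory expects: no alert
    if known is None:
        finding, base = "unknown_device", ZONE_WEIGHT.get(obs.zone, 1)
    else:
        finding, base = "address_change", 1  # known asset, unexpected IP
    score = base * CRITICALITY_WEIGHT[SITE_CRITICALITY.get(obs.site, "low")]
    severity = severity_for(score)
    if in_maintenance(obs):
        action = "confirm_with_site"  # expected change: ask the site, don't page
    elif severity in ("critical", "high"):
        action = "escalate_to_site"
    elif severity == "medium":
        action = "ticket"
    else:
        action = "log_only"
    return {"site": obs.site, "mac": obs.mac, "ip": obs.ip, "zone": obs.zone,
            "finding": finding, "score": score, "severity": severity, "action": action}


def triage(lines: List[str]) -> List[dict]:
    """Run every discovery line through classify() and keep only the alerts."""
    return [a for a in (classify(parse_line(ln)) for ln in lines) if a is not None]


# Constructed discovery lines, as a passive monitoring sensor might report them.
SAMPLE_LINES = [
    "site=plant-a mac=00:80:F4:00:00:01 ip=10.10.1.10 zone=L1 first_seen=2024-03-10T09:15:00+00:00",
    "site=plant-a mac=00:1c:06:aa:bb:cc ip=10.10.1.99 zone=L2 first_seen=2024-03-10T09:20:00+00:00",
    "site=plant-b mac=00:1c:06:dd:ee:ff ip=10.20.1.55 zone=L2 first_seen=2024-03-10T10:00:00+00:00",
    "site=plant-b mac=00:80:f4:00:00:11 ip=10.20.1.11 zone=L1 first_seen=2024-03-11T10:00:00+00:00",
    "site=lab-c mac=00:1c:06:12:34:56 ip=10.30.1.5 zone=L3 first_seen=2024-03-11T10:00:00+00:00",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

Run as written, the five constructed lines yield four alerts: the baseline match at plant-a is silent, the unknown device in plant-a's L2 zone scores 9 and is escalated to the site, the unknown device in plant-b's L2 zone scores 6 but lands inside the maintenance window and is sent to the site for confirmation, and the address change at plant-b and the unknown device in lab-c's L3 zone both score 2 and are only logged. The design choices reflect the article's advice: the baseline comes from the monitoring platform's inventory rather than from analyst memory, the maintenance window lowers the response rather than suppressing the finding outright so it still reaches the site, and the two weight tables are the place where per-site-type requirements are expressed.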

 

 

How to Get Started

Just like any journey, the only way to begin is by taking the first step. Understanding and mitigating risk within OT environments continues to be a growing concern to organizations. Building out effective monitoring is only one component of a holistic strategy. As a first step, have more conversations around understanding your cyber risk within your OT environments and what mitigating controls you have today. Here are some helpful suggestions to consider when starting your journey:

 

  • Think of this endeavor as a continuous journey, not a single project.
  • Find an OT advocate who can be your go-to for strategy conversations.
  • Excessive collaboration is important! If a group is not included, they will most likely be your blocker. At a minimum, the engineering, operations and SOC teams should be represented in discussions.
  • Work with trusted partners who can assist with OT considerations.

The journey may be long, but as the saying goes, the way to eat an elephant is one bite at a time.

 

Stephen Mozia
Senior Practice Manager | Optiv
Stephen Mozia is a strategic, risk-oriented OT advisor with experience in cybersecurity and OT asset management. Mozia has a proven track record of advising on and implementing OT security programs across critical industries. Previously, Mozia spent his career working for major automation providers, Emerson and Rockwell, transforming organizations by supporting innovative technologies around asset management, data management, analytics, augmented/virtual reality and automation.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.