
Let's Talk About Change

November 6, 2024

Change is a constant in our world - and at a faster pace every single day. That’s true for the industrial sector: changes in energy demand, such as new power infrastructure to support AI and EV adoption; changes in regulation; shifts in workforce; and changes in how we work, with more remote options than ever before.

Whether or not we’re receptive to the change happening around us, most in the industrial sector would agree on where we do NOT want to see much change: inside our OT environments.

Longtime industrial operations professionals may hold a certain nostalgia for the era before increased connectivity and the merging of OT and IT systems—back when OT environments were genuinely air-gapped, physically separated from other networks and the internet. OT systems could be set up, configured, and then largely left untouched, with few unexpected changes and scheduled maintenance windows as the norm.

However, increased connectivity has changed that landscape. Today, true air-gapped environments are rare (if not practically nonexistent - several experts would challenge just how “air-gapped” any OT environment really is). OT networks are now part of the cyberattack surface, and with this shift, we can no longer take the integrity of configurations for granted; vigilance is required to verify and maintain system reliability.

Availability and Integrity: The Closest of Siblings within the CIA Triad

In critical infrastructure and OT sectors, availability is the top priority within the CIA (Confidentiality, Integrity, Availability) triad. Given the essential nature of OT systems, availability is closely intertwined with integrity. Unauthorized changes and misconfigurations directly impact availability, leading to reliability issues, unexpected downtime, and even safety risks. In OT, maintaining integrity and availability together is essential to keep operations resilient.

So how do we increase vigilance on changes happening in our OT environment and ensure our cyber assets remain in secure, reliable states?

To maintain integrity and manage change in OT environments, it’s critical to achieve a complete understanding of all assets. From PLCs and SCADA systems to RTUs, network devices, and workstations, you need to ensure nothing is outside your oversight. Unknown assets and surprise connections in an OT environment introduce risk and exposure. The worst case is an attacker compromising a system you didn’t know about or had forgotten about.

Additionally, understanding the context of OT systems is vital. Categorizing assets by their impact allows for prioritization, especially when reviewing systems for changes, misconfigurations, and exposures. You may want to start by focusing on high-impact assets, areas of the network with the greatest operational significance, or sites with heightened risk. Organizing assets by high, medium, and low impact enables a structured response, directing efforts where they matter most.

Deeper System Details for Effective Change Management

Effective change management requires a granular view of system details, beyond what you think of in terms of basic OT asset inventory. Comprehensive inventories should capture not only high-level data (such as device type, manufacturer, and model number) but also finer details, like hardware specs, software versions, patch levels, network configurations, and precise physical or logical locations of assets.

Network monitoring is an important practice, but on the OT asset management side, this alone won’t provide the detail required to manage configuration changes. Network-centric monitoring can infer device characteristics from network interactions, but this isn’t always accurate and often misses software versions and specific configurations. Information verified at the asset level is crucial for maintaining up-to-date, accurate information on the status and resilience of your OT systems.

When a change occurs, it’s not enough to know that it happened; you need context. Understanding when the change took place and the previous state or setting is essential, especially when troubleshooting or investigating potential incidents. Maintaining historical data allows for this context, making it easier to recognize patterns, identify issues, and respond proactively.

With comprehensive situational awareness, you can monitor for misconfigurations and exposures, including:

  • Default configurations that don't meet security standards
  • Outdated or unsupported software and firmware
  • Unnecessary open ports and services
  • Unsecured user accounts
  • Weak password policies
  • Events like unauthorized login attempts or new account creations
  • Improper management of user and administrator roles
  • Specific tools, software and programs flagged in threat campaigns
  • Deviations from your baseline of normal configurations and activity
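The baseline-deviation and change-history idea described above, as an added example that is not part of the original post or any Industrial Defender product: a small Python drift check over a constructed asset-level inventory snapshot (asset names, firmware versions, ports and accounts are all hypothetical), which keeps the previous state for each change and orders findings by the high/medium/low impact tier.

```python
"""Baseline drift check for an OT asset inventory (added example; all data constructed)."""
from datetime import datetime, timezone

# Constructed baseline: asset-level data captured during a known-good state.
BASELINE = {
    "plc-01": {"impact": "high", "firmware": "2.8.1", "open_ports": [102, 502],
               "accounts": ["operator"]},
    "hmi-01": {"impact": "medium", "firmware": "5.4.0", "open_ports": [3389],
               "accounts": ["operator", "engineer"]},
}

# Constructed current snapshot: PLC firmware rolled back, a new port and a new
# account on the HMI, and an RTU that was never in the baseline (unknown asset).
CURRENT = {
    "plc-01": {"impact": "high", "firmware": "2.7.0", "open_ports": [102, 502],
               "accounts": ["operator"]},
    "hmi-01": {"impact": "medium", "firmware": "5.4.0", "open_ports": [3389, 5900],
               "accounts": ["operator", "engineer", "svc_remote"]},
    "rtu-07": {"impact": "low", "firmware": "1.0.3", "open_ports": [20000],
               "accounts": ["admin"]},
}

IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}
TRACKED_FIELDS = ("firmware", "open_ports", "accounts")


def _norm(value):
    """Order-insensitive comparison for list-valued fields such as ports and accounts."""
    return sorted(value) if isinstance(value, list) else value


def detect_drift(baseline, current, now=None):
    """Return change records (with previous value and timestamp) sorted by asset impact."""
    seen_at = (now or datetime.now(timezone.utc)).isoformat()
    changes = []
    for asset, state in current.items():
        if asset not in baseline:  # surprise asset: flag it as a whole, not field by field
            changes.append({"asset": asset, "impact": state["impact"], "field": "asset",
                            "previous": None, "current": "unknown asset", "seen_at": seen_at})
            continue
        for field in TRACKED_FIELDS:
            old, new = baseline[asset][field], state[field]
            if _norm(old) != _norm(new):
                changes.append({"asset": asset, "impact": state["impact"], "field": field,
                                "previous": old, "current": new, "seen_at": seen_at})
    for asset in baseline.keys() - current.keys():  # asset disappeared since baseline
        changes.append({"asset": asset, "impact": baseline[asset]["impact"], "field": "asset",
                        "previous": "present", "current": "missing", "seen_at": seen_at})
    return sorted(changes, key=lambda c: IMPACT_RANK[c["impact"]])


if __name__ == "__main__":
    for c in detect_drift(BASELINE, CURRENT):
        print(f"[{c['impact']}] {c['asset']} {c['field']}: {c['previous']} -> {c['current']}")
```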

Harden Systems, Minimize Exposures, Monitor

As connectivity in OT increases, so do the threats. Managing these exposures, whether through misconfigurations or vulnerabilities, is fundamental to a layered defense strategy. Hardened systems are essential in a landscape where sophisticated attackers use “living off the land” techniques, blending into the environment by exploiting misconfigurations or minor changes rather than traditional malware. This approach enables attackers to bypass perimeter defenses and evade detection while maintaining persistence.

Hardening systems together with monitoring the OT network traffic is important to mitigate risk. Together, these proactive measures strengthen both cyber and operational resilience, reducing the risk of disruptions and maintaining the integrity of your OT environment.

This can be a tedious and complex task, but automation—when done right—provides ongoing assurance that your systems are securely configured and remain that way. By streamlining monitoring and hardening processes, automation makes it possible to maintain continuous resilience with fewer manual efforts.

To learn more about how Industrial Defender can support your journey to secure, resilient OT environments, explore our resource below.