How Contextual Asset Data Makes SOAR Possible in OT Environments

July 26, 2021

One of the most common questions that we are asked at Splunk is how Splunk works together with technologies like Industrial Defender. The discussion normally revolves around what it really means to protect and secure an operational technology (OT) environment. While in some cases, individuals may be focused on OT equipment like Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), or Safety Instrumentation Systems (SIS), it is vital to understand that it is just as important to monitor the IT and OT infrastructure and systems. The lack of visibility into these environments makes it nearly impossible to know how to secure the entirety of the OT system.

The primary focus of most OT environments is running a process safely and reliably. As has been shown in the past, the introduction of new technologies can directly affect the safety and reliability of these systems. For example, scanning software has been shown to negatively affect PLCs, SCADA systems, and other equipment. In some cases, scanning technology has resulted in system instability, causing devices to go offline and, in the worst case, rendering them inoperable. As a result, many OT operators focus on system hardening to keep malicious actors outside the system, but most have limited visibility into the OT environment itself. If an organization is going to secure its OT environment, it is essential that operators have visibility not only at the perimeter, but also within the infrastructure and the OT devices themselves.

Why Contextual Data Is Important

Traditionally, safety and reliability have been considered the key pillars of OT environments, while security has been an afterthought. The mixture of legacy and modern technology makes security even more challenging when you are running an OT system that was put into production during an era when cybersecurity was not even a consideration. However, with the introduction of technologies like Industrial Defender, the ability to gain insight into, harden, baseline, and monitor OT systems is now possible in many real-life production environments. At the same time, it is important that operators gain visibility by leveraging existing enterprise security investments to centralize monitoring of their OT environments. Unfortunately, adding more data can create obstacles due to the volume and variety of that data. To filter through it and provide actionable insights, technologies like SIEM, SOAR, and user behavior analytics can be applied, but access to contextual data is vital when using these tools for incident response in OT environments.

When Industrial Defender is paired together with Splunk’s Enterprise Security and the OT Security Add-on, OT security teams can now leverage contextual data around assets and systems together with other technologies and Splunk’s SIEM analytics platform. Information like the site, asset owner, operational status, and asset type all can directly affect who needs to be involved in an incident response, as well as what kind of response is possible. Integrating the alerts, vulnerabilities, and asset information into Splunk helps security analysts not just understand when a potential incident may be occurring, but also have the necessary contextual information to respond to a security incident.

How Contextual Data Can Help in SOAR

Security Orchestration, Automation and Response (SOAR) is a group of technologies used to automate parts of the security investigation process. SOAR is often adopted because of the large number of alerts that SOC teams receive daily; handling them is time consuming, yet much of the work is repetitive and could be automated. By automating common scenarios, incident response teams can focus on critical issues that require their expertise. Common responses using SOAR technologies include actions such as disabling accounts, blocking firewall ports, and quarantining assets. While these automations are unlikely to be run automatically in an OT environment, there are other automations that can help reduce the mean time to resolve incidents.

For example, understanding whether new applications or vulnerabilities have been detected on an asset may be key to knowing the criticality of the incident for that asset and the scope of a potential attack. These automated validation checks, joined with asset criticality, asset information, and contact information for the asset, help reduce the mean time to resolution (MTTR) and at the same time help protect other parts of the OT environment.

Leveraging incident response (IR) workbooks helps define the IR process and the automations that can be applied (including when to involve a person in the decision-making process). At the same time, workbooks make incident response more consistent and help prevent an incident responder from missing critical steps in the process. Once again, this contextual information helps the SOAR platform know which workbooks and processes should be executed, since the right response to a critical alert from your SIEM may vary based on asset type, location, and asset owner.
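The enrichment and workbook selection described in the two paragraphs above, as an added Python example that is not Splunk's, Splunk SOAR's, or Industrial Defender's code: the asset inventory, the field names, the workbook names, and the rule that in-production controllers always require human approval are all constructed assumptions for illustration.

```python
"""Added example: enrich a SIEM alert with contextual OT asset data, run the
validation checks (new applications, new vulnerabilities) and pick an IR workbook.
All inventory data, field names and workbook names below are constructed."""
from dataclasses import dataclass, field

# Constructed asset inventory modelling the contextual fields the post lists
# (site, owner, operational status, asset type) plus criticality and a software baseline.
ASSETS = {
    "plc-07": {"site": "Plant A", "owner": "ops-a@example.invalid", "status": "in_production",
               "type": "PLC", "criticality": "high",
               "baseline_apps": {"fw 2.1"}, "new_vulns": 1},
    "eng-ws-3": {"site": "Plant A", "owner": "it-a@example.invalid", "status": "maintenance",
                 "type": "workstation", "criticality": "medium",
                 "baseline_apps": {"office", "vendor-tool"}, "new_vulns": 0},
}

# Assumed mapping: the asset type decides which IR workbook the SOAR platform runs.
WORKBOOKS = {"PLC": "ot_controller_ir", "workstation": "ot_workstation_ir"}


@dataclass
class Triage:
    workbook: str
    priority: str
    notify: list
    requires_human_approval: bool
    findings: list = field(default_factory=list)


def triage_alert(alert: dict, assets: dict = ASSETS) -> Triage:
    """Join one SIEM alert with asset context and decide how it should be handled."""
    asset = assets.get(alert["asset_id"])
    if asset is None:
        # No context at all: fall back to a generic workbook and always involve a person.
        return Triage("unknown_asset_ir", "high", [], True, ["asset not in inventory"])
    findings = []
    # Validation check 1: applications observed on the asset that are not in its baseline.
    new_apps = set(alert.get("observed_apps", [])) - asset["baseline_apps"]
    if new_apps:
        findings.append(f"new applications: {sorted(new_apps)}")
    # Validation check 2: vulnerabilities reported for the asset since the last baseline.
    if asset["new_vulns"]:
        findings.append(f"{asset['new_vulns']} new vulnerabilities")
    # Changes on a high-criticality asset raise the incident priority.
    priority = "critical" if (findings and asset["criticality"] == "high") else asset["criticality"]
    # Assumed policy: nothing is automated against a PLC or an in-production asset.
    needs_human = asset["status"] == "in_production" or asset["type"] == "PLC"
    return Triage(WORKBOOKS.get(asset["type"], "ot_generic_ir"), priority,
                  [asset["owner"]], needs_human, findings)
```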