OT Security - Choosing tools wisely

If the cost were the same or less, would you hire an armed security guard, or use a cloud-hosted intruder alarm system, to protect your critical assets?

[Image: policeman vs. security alarm system]

Let us get to some basics!

An armed security guard is better protection – if you can afford it.

Almost all critical installations and facilities that are of national interest, and that pose a security risk if compromised, are protected by armed guards despite the availability of sophisticated surveillance technology.

The reason is that the security guard is always on premise, so the mean time to respond (MTTR) during an intrusion is small. A security guard can also be given prior information (via training) on who is allowed access, what form of access is permitted and through which gates, and what valid credentials are required to get into the facility. This knowledge of who is a stranger and who is trusted allows a security guard to stop an intruder at the gate. Being on location gives the security guard full visibility of all the possible entry points to the asset.

The ability to notice faulty windows, back doors left open through employee negligence, or malfunctioning entry systems, and to respond and raise the alert immediately, allows a proactive response that prevents an intrusion from occurring in the first place.

Summing up, a security guard is context-aware: aware of the surroundings.

Alarm systems, on the other hand, can be programmed to operate anywhere from a simple Boolean mode (on or off) to a very sophisticated model using advanced heuristics for intrusion detection. They can be trained using deep learning to build effective threat detection models, but what limits them is that they may not be context-aware. This often results in false alarms (false positives and false negatives).

The effectiveness of an alarm system is often determined by the number of sensors protecting each entry point to the asset, and cost is a decisive factor when installing sensors, motion-detection cameras, and so on. Moreover, alarm systems are reactive: they alert in the event of an intrusion and may have to depend on other actors to take remedial action. The mean time to respond is then often determined by external players and third-party integrations.

If the above analogy is applied to a security workflow in an OT infrastructure, the security guard corresponds to a device that offers one-to-one protection to a critical OT endpoint using behavioral firewalling, and that can also routinely look for back-door entries using localized pen-testing.

The best form of protection generally comes from security systems that use a behavioral model, learning operational signatures (that is, context) to create baselines, and that sit close to the OT endpoint to reduce noise and thereby eliminate false positives.

Knowledge of the operational workflow, such as the IP addresses contacted, the ports opened, the protocols used, and the MAC signatures learned, can be used to create a whitelist baseline. Any deviation from this baseline can be flagged as an anomaly, blocked, and reported. Routine localized pen-testing (where allowed) can proactively detect back-door ports accidentally left open during a software upgrade or through user error.

Context-awareness and localized protection are critical factors when modeling security measures for Industrial Control Systems or other OT systems. For example, a cyberattack on a chemical plant's Industrial Control System would have very severe consequences, so being able to react locally at the source of the problem, with a reduced detection deficit, is a decisive factor in containing the damage and the possible loss of life.

It is therefore imperative to consider the following when evaluating and implementing a security solution for an OT environment:

  1. Understand the potential impact of a successful cyber-attack: operational impact, safety, and the cost of an unplanned outage. This helps to prioritize OT assets based on those attributes. Periodic risk assessment, gauging the probability and consequence of a threat, is also critical.

  2. When an outage occurs, the capability to rapidly isolate the problem and perform remediation without losing time is crucial.

  3. Deploy defense-in-depth tactics. This involves identifying the actors that interact within your ICS network. Understand and build your baselines based on normal operating behaviors and context. Periodically look for vulnerabilities such as backdoor channels, in the least intrusive manner.

  4. Prioritize and implement a security workflow that involves behavioral whitelisting.

  5. Regularly re-learn and update the baseline.
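The whitelist baseline described earlier (IP addresses, ports, protocols, MAC signatures) together with steps 3 to 5 (learn the baseline, enforce it, re-learn it), as an added Python example that is not from the original post; the `Flow` and `BehavioralWhitelist` names, the addresses and the flows are assumptions constructed for the example.

```python
# Added example (not from the original post): a minimal behavioral whitelist
# for an OT endpoint. The baseline is learned from flows seen during a known-
# good window; deviations are flagged. All addresses are constructed samples.
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

# Normal operation: an HMI polling a PLC over Modbus/TCP (502) and the PLC
# syncing time with the site NTP server (123). Constructed sample data.
BASELINE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "10.0.1.10", "10.0.1.50", 502, "tcp"),
    Flow("aa:bb:cc:00:00:01", "10.0.1.10", "10.0.1.50", 502, "tcp"),
    Flow("aa:bb:cc:00:00:50", "10.0.1.50", "10.0.1.5", 123, "udp"),
]

class BehavioralWhitelist:
    """Baseline of operational signatures: learn, enforce, re-learn."""
    def __init__(self) -> None:
        self.allowed: set[Flow] = set()       # learned flow signatures
        self.mac_for_ip: dict[str, str] = {}  # learned MAC signature per IP

    def learn(self, flows: Iterable[Flow]) -> None:
        """Build the baseline, or extend it when re-learning (step 5)."""
        for f in flows:
            self.allowed.add(f)
            self.mac_for_ip[f.src_ip] = f.src_mac

    def check(self, f: Flow) -> str:
        """Return 'allow', or the reason this flow deviates from baseline."""
        known_mac = self.mac_for_ip.get(f.src_ip)
        if known_mac is not None and known_mac != f.src_mac:
            return f"mac mismatch for {f.src_ip}: {f.src_mac} != {known_mac}"
        if f not in self.allowed:
            return f"unbaselined {f.proto}/{f.dst_port} {f.src_ip}->{f.dst_ip}"
        return "allow"

    def unexpected_listeners(self, host: str, listening: set[int]) -> set[int]:
        """Open ports on host that no baselined flow reaches (localized check)."""
        expected = {f.dst_port for f in self.allowed if f.dst_ip == host}
        return listening - expected

def enforce(wl: BehavioralWhitelist, flows: Iterable[Flow]) -> list:
    """Block-and-report list: every (flow, reason) that is not allowed."""
    return [(f, r) for f in flows if (r := wl.check(f)) != "allow"]
```

`unexpected_listeners` takes the port inventory from a local check of the endpoint and reports only ports the learned workflow never uses, which is what the routine localized check for forgotten back-door ports needs.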

There is no doubt that timeliness and the ability to respond immediately are often deciding factors in the event of a breach.

Therefore, the first line of defense in a multi-layered defense-in-depth strategy is a solution that performs behavioral whitelisting close to the endpoint and has few moving parts when enforcing it.

After all, having a security guard at the gate protecting your assets is not a bad idea!