_5: First Step in OT Cybersecurity: Network Assessment
Stop with all your Cybersecurity Initiatives. First things first: Network Assessment.
10/2/2024 | 4 min read


You, as the OT security lead or an OT team member, got a budget to improve your company's cybersecurity posture, and you're excited to get a consultant onboard to begin the work. You want to put in firewalls, secure remote access and start monitoring the traffic in your OT environment. Your CISO is eager to have reports from the network monitoring platform so he/she can begin presenting to the board about the great progress the team has made. Whether you already have a budget or are still trying to gain traction to get one, pump the brakes wherever you are in your cybersecurity initiative.
First things first, these are some initial questions you need answered before you start any cybersecurity project:
What assets are in your OT environment?
What OT servers are you running? Is the OT software on them patched, and to what patch level?
What versions of Windows/Linux is this OT software installed on? When were the latest OS patches applied?
What OT brands do you have installed in your plant? Allen-Bradley? Schneider Electric? General Electric? Siemens?
What firmware versions are these OT assets running? Are there known vulnerabilities for those versions?
What assets are communicating with one another?
How does the network architecture compare with the Purdue Model?
What scheduled downtime does the plant have coming up, and how can you use those windows to catapult your security posture?
Where should you invest your money first to give you the best bang for your buck?
What are the top 3 business use cases for OT data/monitoring, e.g. MES, reporting?
What backup and restoration solution do you have? How often are the OT assets backed up? How often are these backups tested?
Do you have enough network bandwidth for future plant expansion?
Does the current IT infrastructure use SNMP for management and monitoring, DNS filtering, a proxy, etc.?
To get these questions answered, you will most likely need the help of your controls automation team, process engineering team, operations team, IT team and vendors. Similar to getting your car diagnosed before getting it fixed, you need someone who can diagnose, i.e. perform a network assessment, before fixing or improving your OT system. If you have internal resources that can complete the network assessment, AWESOME, DO IT. If you don't have the resources, hire a vendor with extensive experience in both OT and IT environments. A benefit of hiring a third party is that they do this for a living, and more than likely they can complete the assessment in a quarter of the time it would take your internal team. One thing to consider is that onsite resources' highest priority is to keep the plant running, which keeps the lights on and also funds your initiative.
So what deliverables should you expect from a great OT network assessment? At a minimum, it should include the following:
List of OT assets, their brands and, where possible, their MAC addresses.
List of OT assets within each network/subnet and their associated IP addresses.
List of OT VMs, including operating system, SCADA software, etc.
List of vulnerabilities per OT asset, including Windows/Linux OS vulnerabilities and OT hardware/firmware vulnerabilities.
Communication map of which assets are talking to which, including internal and external IPs, ports, OT/ICS protocols, etc.
Network architecture diagram, including routing information, firewalls, trunk ports and the interconnectivity between networks.
Roadmap of the recommended OT cybersecurity remediation, starting with the most impactful, best bang for your buck.
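To make the communication-map deliverable concrete, here is an added example (mine, not part of the original post or any vendor's tooling) of how the raw data off a SPAN port turns into "who talks to whom, over which OT protocol, and is either end outside the plant". It parses Ethernet/IPv4/TCP/UDP headers, folds both directions of a session into one client-to-server edge, labels services by well-known OT ports (an assumption: port-based labelling is a heuristic, and a real assessment confirms the protocol by dissecting the payload), and flags any address outside RFC 1918 space as EXTERNAL. The frames, IP addresses and MAC addresses are constructed for the example; in practice you would feed it frames read from a pcap.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

# Well-known OT/ICS service ports used to label flows (heuristic, see lead-in).
OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm (ISO-TSAP)",
    ("tcp", 44818): "EtherNet/IP explicit",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 20000): "DNP3",
    ("tcp", 4840): "OPC UA",
    ("udp", 47808): "BACnet/IP",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, l4, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame; only used here to construct sample data."""
    if l4 == "tcp":
        l4_hdr, proto = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0), 6
    else:
        l4_hdr, proto = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_hdr) + len(payload), 1, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth_hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth_hdr + ip_hdr + l4_hdr + payload


def parse_frame(frame):
    """Parse Ethernet + IPv4 + TCP/UDP headers; returns None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        l4name = "tcp"
    elif proto == 17 and len(l4) >= 8:
        l4name = "udp"
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"src_mac": mac(src_mac), "dst_mac": mac(dst_mac), "l4": l4name, "sport": sport, "dport": dport,
            "src_ip": ipaddress.IPv4Address(frame[26:30]), "dst_ip": ipaddress.IPv4Address(frame[30:34])}


def scope(ip):
    """Plant-internal means RFC 1918 here; anything else is flagged loudly for the report."""
    return "internal" if any(ip in net for net in RFC1918) else "EXTERNAL"


def communication_map(frames):
    """Fold frames into client->server edges (requests and replies count toward the same edge)
    and an asset table with observed MACs, served OT protocols and internal/EXTERNAL scope."""
    edges = Counter()
    assets = defaultdict(lambda: {"macs": set(), "services": set(), "scope": "unknown"})
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if (pkt["l4"], pkt["dport"]) in OT_PORTS:          # request: client -> server
            client, server, label = pkt["src_ip"], pkt["dst_ip"], OT_PORTS[(pkt["l4"], pkt["dport"])]
        elif (pkt["l4"], pkt["sport"]) in OT_PORTS:        # reply: flip so the edge stays client -> server
            client, server, label = pkt["dst_ip"], pkt["src_ip"], OT_PORTS[(pkt["l4"], pkt["sport"])]
        else:                                               # non-OT traffic is kept too, labelled by port
            client, server, label = pkt["src_ip"], pkt["dst_ip"], f'{pkt["l4"]}/{pkt["dport"]}'
        edges[(str(client), str(server), label)] += 1
        for ip, mac in ((pkt["src_ip"], pkt["src_mac"]), (pkt["dst_ip"], pkt["dst_mac"])):
            assets[str(ip)]["macs"].add(mac)
            assets[str(ip)]["scope"] = scope(ip)
        if label in OT_PORTS.values():
            assets[str(server)]["services"].add(label)
    return edges, assets


# Constructed sample capture (not a real plant): an HMI polling a PLC over Modbus with replies,
# an engineering workstation talking S7 to a second PLC, implicit I/O to a remote rack on UDP,
# and a vendor host on a public (documentation-range) address reaching the workstation over RDP.
HMI, EWS, PLC1, PLC2, RIO, VENDOR = "10.10.1.20", "10.10.1.30", "10.10.2.11", "10.10.2.12", "10.10.2.40", "203.0.113.7"
MAC = {HMI: "02:00:00:00:00:20", EWS: "02:00:00:00:00:30", PLC1: "02:00:00:00:00:11",
       PLC2: "02:00:00:00:00:12", RIO: "02:00:00:00:00:40", VENDOR: "02:00:00:00:00:f7"}
MODBUS_READ = bytes.fromhex("000100000006010300000004")   # MBAP + FC3, read 4 holding registers
SAMPLE_FRAMES = (
    [build_frame(MAC[HMI], MAC[PLC1], HMI, PLC1, "tcp", 49152, 502, MODBUS_READ)] * 3
    + [build_frame(MAC[PLC1], MAC[HMI], PLC1, HMI, "tcp", 502, 49152)] * 3
    + [build_frame(MAC[EWS], MAC[PLC2], EWS, PLC2, "tcp", 49200, 102),
       build_frame(MAC[PLC1], MAC[RIO], PLC1, RIO, "udp", 2222, 2222),
       build_frame(MAC[VENDOR], MAC[EWS], VENDOR, EWS, "tcp", 51000, 3389)]
)


def report(frames):
    edges, assets = communication_map(frames)
    lines = ["# client -> server  service  packets"]
    lines += [f"{c:>15} -> {s:<15} {label:<26} {n}" for (c, s, label), n in sorted(edges.items())]
    lines.append("# assets")
    for ip, a in sorted(assets.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        lines.append(f"{ip:<15} {a['scope']:<8} macs={','.join(sorted(a['macs']))} "
                     f"serves={','.join(sorted(a['services'])) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FRAMES)))
```

The EXTERNAL flag on the vendor host and the bare tcp/3389 label are exactly the rows you want the assessment to surface: an uncatalogued remote-access path into the engineering workstation is usually worth more to your roadmap than another page of CVE listings.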
For the vendor or your internal team to put together this documentation, quite a few things must be coordinated (meaning: that's your job). See below for some items to start thinking about:
Obtain any recent network documentation and give as much information as possible to the vendor or team performing the network assessment. You want them prepared going in, spending their onsite time where it is needed most.
Identify the core network switches and set up SPAN ports or RSPAN for passive scanning. Passive capture injects nothing into the control network, which is why it can run during production; keep in mind that an oversubscribed SPAN port silently drops packets, so a mirror of a busy trunk may not show every conversation.
This may require IT's involvement if IT manages the OT network switches.
If there's an opportunity for active scanning, use it to gain detailed insight into the OT assets (firmware versions, open services, device identification). This should only be performed during non-operational periods: some PLCs and older embedded devices can fault or stop responding when they receive unexpected probes, so coordinate with the controls team and confirm you have tested backups before you start.
Provide access to your systems, including virtual environments like vCenter Server, the backup and restoration solution, OT Windows VMs, SCADA applications, etc.
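As an added example of what "active scanning" buys you for the firmware-version question above (my code, not the post's or any scanner's), here is the Modbus Read Device Identification exchange (function code 43, MEI type 14): one request, and the device answers with its vendor name, product code and major/minor revision. The request builder and parser follow the public Modbus specification; the reply bytes and the vendor/product strings are constructed for offline testing and do not describe any real device. The parser also handles the exception reply (function code 0xAB, "ILLEGAL FUNCTION") that a device without FC 43 support returns, which is the common outcome on older equipment and the reason a wrong guess can matter: an unexpected function code is exactly the kind of probe that a fragile device may not tolerate, so `query_device` is written for a single request per connection with a short timeout and is meant only for an agreed maintenance window.

```python
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED = 0x2B      # Encapsulated Interface Transport (function code 43)
MEI_READ_DEVICE_ID = 0x0E   # MEI type 14: Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
EXCEPTIONS = {0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
              0x03: "ILLEGAL DATA VALUE", 0x04: "SERVER DEVICE FAILURE"}


def build_request(transaction_id, unit_id=1, read_dev_id_code=0x01, object_id=0x00):
    """MBAP header + PDU for FC 43/14; read_dev_id_code 0x01 asks for the basic identification stream."""
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, read_dev_id_code, object_id])
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_response(response, expected_tid):
    """Decode a Read Device Identification reply, or the Modbus exception a device returns when it
    does not implement FC 43. Malformed input raises ValueError instead of producing a guess."""
    if len(response) < 9:
        raise ValueError("response shorter than MBAP header + minimal PDU")
    tid, proto, length, unit_id = struct.unpack("!HHHB", response[:7])
    pdu = response[7:7 + length - 1]
    if tid != expected_tid or proto != 0 or len(pdu) != length - 1:
        raise ValueError("MBAP header mismatch or truncated PDU")
    fc = pdu[0]
    if fc == FC_ENCAPSULATED | 0x80:                                   # exception response
        code = pdu[1]
        return {"unit_id": unit_id, "error": EXCEPTIONS.get(code, f"exception 0x{code:02x}")}
    if fc != FC_ENCAPSULATED or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    info = {"unit_id": unit_id, "conformity": pdu[3], "more_follows": bool(pdu[4]), "next_object_id": pdu[5]}
    pos, count = 7, pdu[6]
    for _ in range(count):                                             # objects: id, length, value
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("object list overruns PDU")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        info[BASIC_OBJECTS.get(obj_id, f"object_0x{obj_id:02x}")] = value
        pos += 2 + obj_len
    return info


def build_constructed_response(transaction_id, unit_id, objects):
    """Constructed device reply for offline testing (not captured from a real PLC)."""
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objects.items())
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_exception_response(transaction_id, unit_id, exception_code):
    """Constructed exception reply, as sent by a device that does not implement FC 43."""
    pdu = bytes([FC_ENCAPSULATED | 0x80, exception_code])
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("device closed the connection mid-response")
        buf += chunk
    return buf


def query_device(host, port=MODBUS_PORT, unit_id=1, timeout=2.0):
    """One request on one short-lived TCP connection. Run ONLY in an agreed non-operational window,
    with the controls team present and backups verified. Not exercised by the offline sample below."""
    request = build_request(transaction_id=1, unit_id=unit_id)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, 7)
        length = struct.unpack("!H", header[4:6])[0]
        return parse_response(header + _recv_exact(sock, length - 1), expected_tid=1)


if __name__ == "__main__":
    # Constructed sample replies; vendor and product names are placeholders, not real products.
    reply = build_constructed_response(7, 1, {0x00: b"Acme Automation", 0x01: b"PLC-1000", 0x02: b"v2.4.1"})
    print(parse_response(reply, expected_tid=7))
    print(parse_response(build_exception_response(8, 1, 0x01), expected_tid=8))
```

The `MajorMinorRevision` string is what you line up against the vendor's advisories for the vulnerability list in the deliverables; a device that answers with `ILLEGAL FUNCTION` still tells you something (it is reachable on 502 and does not speak FC 43), and its firmware level then has to come from the engineering tool or the nameplate instead.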
This assessment should take at least one week onsite. Of course, the actual time really depends on how big your network is and what hoops you, the vendor or your team need to jump through to get information from IT or operations. Once the onsite tasks are completed, allow up to two weeks for the vendor or internal team to put together the report and deliverables. If you receive an 80-page report where the majority of the document explains general cybersecurity jargon and general business risks, you probably paid too much for a network assessment. You should expect a short report with straight-to-the-point findings and a plan of action to get your OT network remediated. These are the individuals who will get behind the CLI and harden your systems, not waste their time on sales/marketing jargon.

