Blog title "Detecting Risk in OT Environments: The Basics"

Detecting Risk in OT Environments: The Basics

When it comes to industrial environments and maintaining operations, knowing what’s going on in your environment is a non-negotiable part of maintaining availability and staying ahead of potential problems.

Detecting potential risks is key, not only for cybersecurity, but for operational and safety risks as well. Utilizing different detection types and methods can identify a broad range of potential issues, making it easier to plan for preventative actions and respond quickly to existing problems.

This week’s blog goes over the basics of different risk and threat detection methods as well as their relevance and application in OT/ICS environments.

A (Non-Comprehensive) List of Detection Types

In (very) simplified terms, most detections can be broken down into one of two types: static and dynamic.

Static detections, as the name implies, rely on static techniques and methodologies for detecting threats. These typically don’t require interaction or execution of the files or items being investigated. Think along the lines of analyzing files, code, and configurations to identify indicators of potential threats and vulnerabilities.

Examples of static detection methods include:

  • Signature-based detection evaluates code, files, and other items to identify any predefined signatures indicating potential compromise.
  • Static code analysis examines the source code to identify potential vulnerabilities, errors, or insecure coding practices.
  • Configuration analysis evaluates files, system settings, devices, or even applications to search for misconfigurations, weak settings, or other deviations from prescribed standards.

Dynamic detection, on the other hand, involves actively interacting with or executing files, code, or whole systems to observe what happens. Analysts focus on observing specific behaviors or runtime of these executions.

Examples of dynamic detection methods include:

  • Sandboxing involves running files or code in isolated environments to observe any behavior and interactions to identify suspicious behavior or other unintentional effects.
  • Behavioral analysis focuses on analyzing behaviors of devices, applications, or systems for actions or deviations from normal behavior that could indicate misconfigurations or other issues.
  • Network traffic analysis examines traffic patterns, protocols, and communication flows for deviations from a baseline that could be caused by anomalies or other risks.

There can be some overlap in these detection types in terms of what analysts are looking for, and the distinction is often in the method they take to conduct that analysis.

Modeling is another method of risk detection that’s been getting a lot of attention recently. These can take the form of statistical models, machine learning models, and more. Essentially, modeling utilizes a mathematical approach to threat and risk detection by using a baseline and calculating the risk that any deviations from this baseline may present.

Do All Detection Types Work in OT?

Short answer: no. As with everything related to every unique industrial and OT-based environment, it depends on the nature of the environment.

Static risk detection methods, for example, are relatively quick and simple to implement if analysts have known signatures or other indicators available to them. Static methods are also typically non-intrusive, since interactions with systems aren’t usually required.

On the other hand, static methods are limited to any known threats and can produce a large number of false positives without the proper contextual information. What looks like a misconfigured PLC, for example, might just be part of the way that environment operates.

Dynamic detection methods can detect threats without prior knowledge based on behavior during analysis and can provide alerts to any actions happening in near real-time. But given the interactive method of dynamic risk detection methods, they might be slow or resource-intensive, making them difficult or even impossible to run in OT environments.

Modeling detection methods can proactively identify any deviations from baselines, making it easier to detect potential risks and anomalies early on. Models can also be updated and adjusted as needed based on changes in the environment. The problem, however, is that building an effective model can take a significant amount of time and historical data to establish and maintain an accurate baseline, making it unsuitable for smaller teams or those without a lot of domain-specific knowledge and resources.

There’s No Silver Bullet for Risk Detection

Despite what we all want, there is no single risk detection method that works all the time across the board. Whether your team needs to focus on static signature-based detection methods or dynamic behavior modeling largely depends on the complexity of your environment and what you’re hoping to do with this information.

In most cases, the most effective threat and risk detection approach would incorporate multiple techniques with the knowledge and awareness of their respective strengths and shortcomings. As your team begins to implement risk detection methodologies, it’s important to start with those that are simple to implement and utilize quickly.

Trying to build a model for the first go, for example, isn’t likely to be worth it. It’s going to take a significant amount of time, effort, and resources before the model can be utilized appropriately. OT environments are often so specialized to perform the operation they were built for that static detection methods could be more accurate more quickly than model-based detections.

We’ll go over the steps to implement risk detection methodologies in your environment in a future blog, but it’s important to note that any successful project requires visibility into your environment and an understanding of the OT assets you’re working with.