Operators, analysts, and OT practitioners all know that defending and improving an industrial environment starts with an understanding of what you’re working with.
This blog will focus on creating and establishing a baseline of both your assets and network activity, which is one of many tools for gaining visibility. We’ll dive deep into what baselines are, why they’re important, and how best to use them to understand and improve your OT environment.
OT Assets and Network Baseline Basics and Why You Need Them
As its name implies, a baseline is often the result of an assessment that gives operators, analysts, and other teams an idea of what’s considered “normal” in an environment. Baselines often give information on the devices, software, and other assets over a given period of time to get a snapshot of what operations look like.
Baselines can focus on different types of information, such as device utilization, communications between devices and network segments, resource usage and performance, and more. They give teams an opportunity to compare these stats against how they expect the network to behave based on current policies and configurations.
For example, a baseline might identify communications between assets that shouldn’t be occurring. The security team might flag this as something that needs to be addressed. Certain network rules or other compensating controls can then be put in place to stop the communications. Even if these interactions don’t have any malicious intent and aren’t adversely affecting operations, they could increase the attack surface.
Baselines can also be used to evaluate and reduce MTTR (mean time to repair). With detailed insight into the firmware, serial number, and other data, asset owners can decide which assets need updates in the next maintenance cycle or are approaching end of life.
While OT environments are often designed and built to last for a long time with continuous uptime and availability in mind, there are still many changes that could be occurring that baselines could identify. These include any changes in the third parties that are conducting maintenance on devices, the contractors that support the internal teams, and more.
What to Consider When Building a Baseline
You need two basic things to conduct an assessment of your environment to build a useful baseline: a definition of where and when you’ll be gathering relevant information, and the tools that will help you gather and consolidate it.
It’s important to keep the goal of the baseline in mind as well since this will impact what’s included in the scope and where your team should go looking for this information. When trying to establish a baseline for an OT network, detailed asset information and network performance are key pieces of information that can inform security, as well as operations and other teams.
One of the most challenging parts of gathering this information from industrial environments is often finding the right way to access it. The key is to identify the most likely place for this information to be found, and to find the tool that will extract that data in a useful way.
In a remote or air-gapped environment, for example, it might be more difficult to access network traffic if there is no SPAN or TAP infrastructure already in place. In this case, leveraging access to a historian or other data sink might yield the data that teams are looking for.
If they’re already being gathered and stored somewhere in your environment, packet capture files (PCAPs) can be a valuable source of network traffic and detailed device information. Analyzed with tools like Wireshark or the OT PCAP Analyzer (OPA), they can yield a great deal of information, such as asset information and other data valuable for a baseline.
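As an added example (not code from this post, SynSaber, or OPA), the Python below reads a classic pcap, counts the conversations it contains, and compares them with an expected-communications policy, which is how a baseline surfaces the communications that shouldn’t be occurring described earlier. The capture is constructed inline, and the addresses, device roles, policy set, and function names are all assumptions.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def conversations(pcap: bytes) -> Counter:
    """Count (src, dst, proto, dst_port) per packet in a classic pcap (Ethernet/IPv4)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame, or not IPv4
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        l4 = 14 + (frame[14] & 0x0F) * 4  # honour the IPv4 header length field
        if proto is None or len(frame) < l4 + 4:
            continue
        (dport,) = struct.unpack_from("!H", frame, l4 + 2)
        seen[(str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), proto, dport)] += 1
    return seen

def compare(seen: Counter, expected: set) -> dict:
    """Flows outside the policy, and policy entries that never appeared in the capture."""
    return {"unexpected": sorted(set(seen) - expected),
            "not_observed": sorted(expected - set(seen))}

def _record(src, dst, proto, dport):  # one constructed pcap record: headers only, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    body = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", 49152, dport, 8, 0)
    return struct.pack("<IIII", 0, 0, len(body), len(body)) + body

# Constructed sample capture and policy; addresses and roles are assumptions.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record("10.0.1.10", "10.0.2.20", 6, 502),    # HMI -> PLC, Modbus/TCP
    _record("10.0.1.10", "10.0.2.20", 6, 502),
    _record("10.0.1.40", "10.0.2.20", 6, 44818),  # engineering workstation -> PLC, EtherNet/IP
    _record("10.0.3.99", "10.0.2.20", 6, 23),     # unknown host -> PLC, Telnet
])
EXPECTED = {
    ("10.0.1.10", "10.0.2.20", "tcp", 502),
    ("10.0.1.40", "10.0.2.20", "tcp", 44818),
    ("10.0.1.30", "10.0.2.20", "tcp", 502),  # historian poll allowed by policy
}

if __name__ == "__main__":
    print(compare(conversations(SAMPLE), EXPECTED))
```

The sample holds client-to-server packets only; on a real capture, replies would appear as separate flows keyed on the client’s ephemeral port, so the flow key needs direction normalisation before comparison.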
What Comes After the Baseline?
Baseline assessments are a valuable first step in visibility and understanding what’s going on in your environment, and the results are often useful in pointing teams in the direction of the next steps.
Unexpected behaviors or gaps identified after a baseline assessment are good indicators of things that need to be examined.
If the baseline was created with the goal of improving security, for example, any indications of unauthorized or unnecessary communications, unexpected behaviors and device connections, or other things that don’t align with operational goals and policies should be evaluated for potential risks and vulnerabilities.
Once these gaps have been examined, there should be a process to evaluate the findings. Are these unexpected behaviors one-time exceptions? Or is this a violation of policy? Does a policy or process need to be updated to address it? Or do compensating controls have to be put in place?
Asset and Network Baselines Are Just the Beginning
Establishing a baseline for visibility into your OT assets and network is just the beginning.
Conducting a single assessment and establishing one baseline isn’t the end-all be-all for evaluating and securing an OT environment. As changes occur, new equipment is deployed, or policies are updated, the network should continue to be monitored to be sure that everything is working properly.
Ideally, organizations would be able to continuously monitor their environments for complete visibility into any changes that occur. Security is constantly changing, with risks, threats, and the next target liable to shift with every hour.
But for organizations just getting started with their visibility journey, using a baseline as a snapshot in time can establish an understanding of your environment and identify the next steps that need to be taken to improve it.
If you’re looking for better visibility into your industrial environment, SynSaber’s purely software-based solution can give you near-complete visibility from the edge to the core. Purpose-built for OT, these sensors (Sabers) can monitor and detect changes on your network without disrupting normal operations.