blog title "The OSI Model for OT Visibility"

The OSI Model for OT Visibility

The OSI (Open Systems International) model is a conceptual reference model used to describe how different devices and systems communicate with each other. The model splits up a communication into seven abstract layers that build on top of each other. Each layer has a specific job that feeds into the layer above it.

While the layers of the OSI model aren’t strictly followed across environments and communication systems, it can still be a valuable reference for understanding an OT or industrial network, especially as it relates to visibility and identifying relevant assets and devices.

Orienting Yourself with the OSI Model Layers

At a high level, here are the seven layers of the OSI model and their primary functions:

  • Layer 1 – The Physical Layer: Responsible for transporting bits of data using electrical, mechanical, or procedural interfaces. This layer describes the physical equipment involved in the data transfer, such as cables and pins.
  • Layer 2 – The Data Link Layer: Handles moving data in and out of the physical link in the network between two devices on the same network. This layer takes packets and breaks them into frames, and is responsible for flow and error control over the network.
  • Layer 3 – The Network Layer: Facilitates data transfer between two different networks. The network layer looks for the best physical route across which to send data, which is also called routing.
  • Layer 4 – The Transport Layer: Transfers data between two devices, taking data from the session layer and breaking it up into segments before sending it to layer 3. This layer also handles the flow of data, determining how much data to send, where, and at what rate to avoid overloading slower connections.
  • Layer 5 – The Session Layer: Responsible for setting up, coordinating, and terminating conversations between applications. This layer ensures that the session is open long enough to ensure the data is transferred, and then closes it.
  • Layer 6 – The Presentation Layer: Prepares data into a format that the application layer can understand. Compression of data for transport, as well as encryption and decryption, occur at this layer.
  • Layer 7 – The Application Layer: This is the layer that the user directly interacts with and initiates communications from, think web browsers or your email service.

For the purposes of gaining visibility into your OT environment and understanding the assets and devices on your network, there are only a couple of layers that you should focus on.

Navigating the OSI Model for OT Visibility

Starting from the bottom up, the first layer that is not only relevant but is key to visibility in OT environments is layer 2, the data link layer. Visibility into this layer provides a good opportunity to monitor discrete edge networks such as substations or water treatment facilities.

The east-west traffic between devices across the same local network makes up the majority of the traffic in industrial networks. Monitoring this type of communication can reveal a wealth of information, such as which devices are communicating and which protocols they’re communicating in.

The data link layer also has the media access control (MAC) sublayer. This could refer to its ability to determine who can access the media at any given time, or it can refer to a frame structure delivered based on the MAC addresses.

Layer 3, the network layer, is where data being passed between two networks is routed and sent to the appropriate place. Visibility into this layer provides an understanding of where and what information from the edge is being passed to another part of the network, or north-south traffic.

Depending on how heavily regulated the environment or the sensitivity of the system, data at this layer may be largely telemetry. While this wouldn’t yield much information about specific devices, this can still be a valuable area to observe when establishing a baseline for normal patterns of traffic.

Another layer of interest is layer 4, the transport layer. This layer is responsible for the transfer of data between devices, taking the data from the session and splitting it up for transport and delivery through the network layer.

Visibility across these layers can reveal the presence of different protocols, which can span multiple layers. Modbus and TCP/UDP, for example, can be present in the ethernet frame in layer 2 or in layer 4. The functions of each protocol and which part of the OSI model they transition affect which layer they might be found in.

Monitoring the data and protocols across OSI model layers makes it easier to identify and flag any unexpected communications, whether from a misconfigured machine, bad actor, or other underlying issues.

Knowing the Lay of the Land in Operational Environments

The OSI model may not map neatly to OT environments and their unique configurations and regulations, but thinking about data across these conceptual layers can reveal data across the environment that would be valuable in understanding what needs to be protected.

This data-oriented approach to understanding and protecting your OT environment enables the transition from asset invisibility to more comprehensive visibility, so you know what you need to protect in your environment.