Chapter 5 – You Can’t Protect What You Can’t See: A Case for Comprehensive Network Visibility

As the saying goes, security leaders cannot protect what they cannot see. But seeing all devices in the world of critical infrastructure systems and operational technology (OT) is more challenging than in the case of enterprise IT.

Industrial environments do not deal simply with computers and web servers. From smart pumps and robotic arms to automated lighting systems and employees’ smartwatches, there is an array of devices that cannot be managed with traditional IT security tools.

IT/OT Integration Requires Full Network Visibility

With IT/OT convergence and the rise of the Internet of Things (IoT) and even the Industrial Internet of Things (IIoT), the number of devices connected to industrial companies’ networks is continuously growing. A study from GSMA Intelligence forecasts that IoT connections will reach nearly 25 billion worldwide by 2025, up from 10.3 billion in 2018. The GSMA report also indicates that smart manufacturing will be the fastest-growing segment.

Industry 4.0 initiatives drive the convergence of IT, OT and IoT devices, enabling data-driven decisions, increased operational efficiency, and cost savings for organizations. More digital assets also contribute to expanding the attack surface on industrial environments.

The Different Types of Assets in ICS and OT Networks

Traditional enterprise IT devices, such as PCs and servers, can be monitored through endpoint solutions because they can have security agents installed. However, ICS, OT and IoT devices do not take agents and are therefore unmanageable from a traditional security perspective.

OT and IoT devices might be connected directly to the internet via Wi-Fi. They might also be daisy-chained to other connected devices via protocols such as Bluetooth.

Examples of OT devices include programmable logic controllers (PLCs), human-machine interfaces (HMIs), barcode scanners, robotic arms on a production line, smart forklifts, and more.

The list of IoT devices is extensive. Some popular examples include:

• Smartphones, tablets, and smartwatches
• Smart TVs, lighting systems, and security cameras
• Printers and digital assistants such as Alexa
• Wireless keyboards, mouses, and headsets

A study commissioned by Armis suggests that 90% of the devices in industrial environments are unmanaged. Those assets are an easier target for cyberattacks, as the threats against critical infrastructure and manufacturers are on the rise, especially in the form of ransomware.

Bring your own device (BYOD) trends, in which employees are allowed to use personal devices to connect to corporate networks, and the adoption of cloud and virtual machines create even more blind spots.

Asset Management Challenges in the Industry 4.0 Era

Security teams need to identify activity and risk within managed and unmanaged devices, as well as cloud, multi-cloud, and hybrid environments. Here are some of the asset management problems in the industrial world:

• Endpoint protection is not effective for industrial environments where most devices cannot host an agent.
• OT and IoT devices are not designed with security in mind.
• Many devices do not have a simple method for automated firmware updates.
• Operational technology has a longer lifecycle. Legacy systems might no longer receive security patches from the developer.
• Traditional network security systems don’t see peer-to-peer wireless traffic.
• Network access control (NAC) does not monitor the behavior of devices.
• Scans are disruptive and can cause operational systems to crash, leading to downtime and safety concerns.

The Importance of OT and IoT Device Management

Such is the importance of visibility for effective cybersecurity that the Center for Internet Security (CIS) makes it a starting point for its CIS Controls. Currently in version 8, this framework offers a set of actions to secure companies and their data from known threats.

CIS Control 1 is precisely about the inventory and control of enterprise assets. With continuous asset discovery, security teams can identify unauthorized assets to remove from the network or remediate. CIS Control 2 deals with all software assets, such as operating systems and applications. This type of asset inventory helps to identify unauthorized and unmanaged software and prevent them from installation or execution.

You Can’t Secure OT Without Securing IT Along the Way

There is an increasing need for OT and IT teams to work closely together – especially now with the dissolution of the air gap that used to separate the ICS network from enterprise IT.

Highly publicized cybersecurity breaches affecting OT have started on the IT side of the house. The WannaCry malware, which spread through computers operating Microsoft Windows, has caused manufacturing disruptions across the world, as in the example of the chipmaker TSMC and Renault factories. LockerGoga, another ransonware targeting Windows, led aluminium maker Norsk Hydro to temporarily halt production and suffer losses of over $40 million.

As Gartner notes in its Market Guide for Operational Technology Security, recently observed tactics include the use of spear phishing to get initial access to the IT network before moving to the OT network. An effective cybersecurity strategy needs to offer device visibility across both IT enterprise and the factory floor. In other words, the security solution needs to work with all assets, both managed and unmanaged.

Enter the Armis Agentless Device Security Platform. When deployed, our solution discovers all assets in your environment and performs a risk assessment to identify all vulnerabilities and threats. This information is crucial to developing a plan to mitigate exposure.

Why Organizations Need Network Device Visibility

Organizations don’t know what they have in their networks. In many cases, they get surprised by our findings. Here are some examples of vulnerabilities discovered by Armis:

• Employee smartphone scanning multiple corporate networks
• Security cameras that were part of a botnet
• Amazon Echo in the CEO’s office was continuously listening and transmitting data
• Printers with an open hotspot, which could have been used to circumvent NAC
• Credentials being stolen due to corporate laptop connected to a rogue network
• A thermostat was transmitting a large amount of data every night at 4 am

Thanks to the breadth, depth, and accuracy of our asset inventory and device discovery, our customers say that they see 50% to 70% more devices after deploying Armis.

The Armis platform works with all devices because it is agentless. That means that it does not require any hardware installation or network changes. No intrusive probes are performed either because it is a completely passive solution.

How to Achieve Real-time Asset Management With Armis

The Armis platform discovers, identifies and classifies all devices connected to your network or in your airspace, generating a rich data repository, including:

• Device details such as device type, manufacturer, IP address, MAC address and user name
• Software information such as operating system, applications, and versions
• Connection information such as connection type, traffic volume and time, and internet domains accessed

Our platform analyzes traffic and device behavior, including device-to-device behavior and data transmissions via wireless protocols such as Bluetooth and Zigbee. Examples of risks might include manufacturer reputation, malicious domains visited, and software vulnerability history. The Armis platform knows:

• What each device is
• What data, applications and network resources each device needs to access
• What software vulnerabilities and other risks each device contains
• Whether each device is behaving normally for the context of the device

Our solution is able to identify anomalies and take action because it understands the context of each device thanks to our Device Knowledgebase – the largest in the world, tracking over 1 billion devices.

Roadmap to Effective Cybersecurity Asset Management

1. Start with Asset Discovery

Asset discovery is the first step to a successful cybersecurity strategy in the Industry 4.0 era. Security teams need to know what they have across the operational and enterprise environments in order to manage both OT and IT assets.

2. Know How Assets in Your Inventory Behave

Organizations also need to identify when devices behave unexpectedly, which might indicate they are compromised. The Armis platform calculates a risk score for each device, helping your team prioritize vulnerabilities and take proactive steps to minimize your attack surface.

3. Never Stop Monitoring Your Assets But Do it Passively

Real-time monitoring of assets and traffic is crucial to active threat discovery. Passive monitoring ensures that your network, systems and devices are continuously tracked without disruption.

4. Manage Risks with Automated Enforcement and Segmentation

Organizations also need real-time policy enforcement and automated remediation to isolate devices, trigger alerts and initiate software updates. The Armis platform can automatically generate segmentation policies to reduce exposure to threats.

To see what the Armis Agentless Device Security Platform can find in your industrial environment, request a risk assessment.

Check out all IT OT Convergence Playbook Chapters:

1. Chapter 1 – Industry 4.0: OT Security Challenges
2. Chapter 2 – A Roadmap to Comprehensive ICS Security
3. Chapter 3 – The Urge for Infrastructure Protection
4. Chapter 4 – How to Secure Industrial Environments
5. Chapter 5 – Complete Network Visibility: Find All Assets 👈 you are here
6. Chapter 6 – Operational Downtime and Passive Monitoring 👉 read next chapter
7. Chapter 7 – Protecting industrial Assets with Network Segmentation
8. Chapter 8 – ICS Risk Assessment
9. Chapter 9 – Top Security Security Frameworks for OT environments
10. Chapter 10 – Zero Trust Security Framework for ICS
11. Chapter 11 – Armis Role on CIS controls
12. Chapter 12 – ICS/OT Mitre Att&ck Framework
13. Chapter 13 – 2021 The Year of Ransomware Attacks
14. Chapter 14 – Guide to I/OT Integration