Automated threat detection improves OT cybersecurity

Wednesday, 14 June, 2023 | Supplied by: Claroty


A South-East Asian oil and gas industry firm’s security, engineering and executive personnel all recognised that preserving the availability, integrity and safety of its hydrocarbon production operations required a robust operational technology (OT) cybersecurity program. However, the company’s head of OT cyber operations also knew it would not be possible to achieve this alone.

Like most critical industrial organisations, the company had historically struggled to maintain a comprehensive, up-to-date inventory of the diverse range of assets that underpin operations at each of its plants and production sites. This meant the company’s security and engineering personnel were limited in their ability to not only identify and mitigate vulnerabilities affecting industrial assets, but also to monitor for and respond to threats to its hydrocarbon production operations.

The OT cyber operations head recommended the company deploy a cybersecurity solution capable of delivering the visibility, risk management and monitoring capabilities required to protect the company’s entire OT environment. The chosen solution would need to satisfy the following key criteria:

  • provide comprehensive asset and risk visibility;
  • enable centralised management and actionable reporting;
  • be powered by OT purpose-built technology.

After consulting with industry experts and rigorously evaluating multiple options based on the above criteria, the firm selected Claroty’s Continuous Threat Detection (CTD) solution to bring visibility and security to its more than 100 industrial sites.

Before deploying Claroty CTD, the company had handled asset inventory the old-fashioned way: with spreadsheets. Personnel not only had to manually account for each asset at each site, but they also had to manually visit each asset’s vendor’s website, look up whether any new vulnerability disclosures or other advisories had been published, determine which advisories were relevant and then decide which actions were warranted. The tedious, time-consuming nature of this process meant it was only undertaken every 8–10 years. In the intervening years, their asset inventory would become increasingly inaccurate and the risk of blind spots became increasingly prevalent as more assets were added and more vulnerabilities went unaddressed.

Since deploying Claroty CTD, with fully automated asset discovery and vulnerability correlation, the company has gained full, real-time visibility into all of its assets and all relevant vulnerabilities without the need for time-consuming site visits, error-prone manual processes or unwieldy spreadsheets.
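The vulnerability correlation described above can be illustrated with a small worked example. This is added code, not Claroty's or the company's; the asset inventory, advisory identifiers, version ranges and severity scores are all constructed placeholders, and the version range semantics (first affected version inclusive, fixed version exclusive) are an assumption.

```python
# Constructed inventory, as an automated discovery tool might record it (hypothetical values).
ASSETS = [
    {"id": "PLC-01", "site": "Site A", "vendor": "ExampleVendor", "product": "ControlPLC", "firmware": "2.3.1"},
    {"id": "PLC-02", "site": "Site B", "vendor": "ExampleVendor", "product": "ControlPLC", "firmware": "2.4.0"},
    {"id": "HMI-01", "site": "Site A", "vendor": "OtherVendor", "product": "PanelHMI", "firmware": "1.0.5"},
]

# Constructed advisories (placeholder ids): affected_from is inclusive, fixed_in is exclusive.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "ExampleVendor", "product": "ControlPLC",
     "affected_from": "2.0.0", "fixed_in": "2.4.0", "severity": 8.1},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "OtherVendor", "product": "PanelHMI",
     "affected_from": "1.0.0", "fixed_in": "1.1.0", "severity": 5.3},
]


def version_key(version):
    """Turn a dotted firmware string into a tuple so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, advisory):
    """True when the asset is the advisory's product and its firmware falls in the affected range."""
    if (asset["vendor"], asset["product"]) != (advisory["vendor"], advisory["product"]):
        return False
    firmware = version_key(asset["firmware"])
    return version_key(advisory["affected_from"]) <= firmware < version_key(advisory["fixed_in"])


def correlate(assets, advisories):
    """Return every asset/advisory match, highest severity first, so remediation can be prioritised."""
    matches = []
    for asset in assets:
        for advisory in advisories:
            if is_affected(asset, advisory):
                matches.append({"asset": asset["id"], "site": asset["site"],
                                "advisory": advisory["id"], "severity": advisory["severity"]})
    return sorted(matches, key=lambda m: m["severity"], reverse=True)


if __name__ == "__main__":
    for match in correlate(ASSETS, ADVISORIES):
        print(match)
```

PLC-02 is already on the fixed version and so produces no match, which is the distinction a spreadsheet-driven process tends to get wrong.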

“Our engineers don’t have to manually make and maintain that asset inventory anymore,” said the Head of OT Cyber Operations. “Everything is retrievable online, and we have the latest version from the asset inventory perspective. That’s very useful for day-to-day operations.”

Beyond granting full visibility into the OT environment, Claroty CTD has also helped synergise the long-siloed (and often geographically disparate) security, engineering and executive functions supporting the company’s hydrocarbon production operations at its more than 100 sites. By serving as the single source of truth for all asset, system, process and risk information, the system now ensures such information is accessible, consistent and actionable to all personnel, workflows and decisions that depend on it.

One example the company shared is receiving and responding to alerts specific to the complexities of industrial networks, such as when a given process goes beyond established parameters after an update or configuration change. Another is the ability to pinpoint unusual activities in real time before potential damage occurs, such as an attempt to “access an asset via remote desktop protocol (RDP) at night when we don’t usually work and maintenance windows aren’t usually scheduled”.
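The off-hours RDP alert quoted above can be expressed as a simple detection rule over connection events from a passive network sensor. This is an added example, not Claroty's detection logic; the event format, the working hours and the maintenance window schedule are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample events: timestamp, source, destination, destination port, protocol.
EVENTS = [
    "2023-06-13T10:15:00 10.20.1.50 10.20.5.11 3389 RDP",
    "2023-06-13T23:42:10 10.20.1.50 10.20.5.11 3389 RDP",
    "2023-06-14T02:05:30 10.20.1.77 10.20.5.12 3389 RDP",
    "2023-06-14T02:30:00 10.20.1.77 10.20.5.12 502 MODBUS",
]

# Constructed schedule: approved maintenance windows as (start, end) pairs.
MAINTENANCE_WINDOWS = [
    (datetime(2023, 6, 14, 1, 0), datetime(2023, 6, 14, 3, 0)),
]

# Assumed normal working hours for the site.
WORK_HOURS = (time(7, 0), time(19, 0))


def parse_event(line):
    timestamp, src, dst, port, proto = line.split()
    return {"ts": datetime.fromisoformat(timestamp), "src": src,
            "dst": dst, "port": int(port), "proto": proto}


def in_maintenance_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def during_work_hours(ts, hours=WORK_HOURS):
    return hours[0] <= ts.time() < hours[1]


def off_hours_rdp_alerts(lines, windows=MAINTENANCE_WINDOWS):
    """Flag RDP sessions that fall outside both working hours and any approved maintenance window."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event["proto"] != "RDP":
            continue
        if during_work_hours(event["ts"]) or in_maintenance_window(event["ts"], windows):
            continue  # expected activity: either a normal shift or a scheduled window
        alerts.append(f"{event['ts'].isoformat()} off-hours RDP {event['src']} -> {event['dst']}")
    return alerts


if __name__ == "__main__":
    for alert in off_hours_rdp_alerts(EVENTS):
        print(alert)
```

Only the 23:42 session is flagged: the 02:05 session falls inside the scheduled maintenance window, and the daytime session is normal shift activity.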

The tool also gives granular risk scoring to understand and prioritise the order and extent to which vulnerabilities should be remediated or otherwise compensated for.

“The insights CTD provides often save me from having to get in touch with a device’s vendor to look into issues,” said the Head of OT Cyber Operations. “More often than not, all the details I need to understand what’s going on and what to do are right there in the system. This translates to considerable operational cost savings due to a lowered reliance on third-party vendors for troubleshooting and drastically reduced mean-time-to-respond overall.”

Claroty CTD’s adaptability, ease of deployment and non-proprietary hardware requirements were among many reasons why it was selected as the solution initially. Due to the use of non-disruptive sensors, Claroty CTD is designed such that the industrial asset inventory and monitoring scope can scale to support new or expanded production sites as the company — and its OT environment — grow and evolve over time.

“Having this solution means that I can clearly see everything from the asset perspective, what changes have been done to particular networks or equipment over time and — most importantly — where my biggest gaps are in terms of security,” he concluded.

