Sec4OT Security for operational environments



Starting an Operational Security Operations Center

Let's discuss OT-SOC capabilities.

OT environments have become aware of the need for security in production environments, making an operational SOC a possibility.
Starting a security operations center out of the blue may result in failing to protect what matters most: production.

To get to the point of an operational Security Operations Center, there are a few prerequisites that make your own SOC a success.
Below are the first steps that should be taken into consideration.

Asset management
Let's start with the most important one, asset management; as the most-used quote goes, “you can’t defend what you don’t know”.
Knowing where your assets are is the first step. Do you have a process in place to make sure the registry (CMDB) is up to date? When was the last time a check was performed to make sure all the factory assets were registered?
If a vendor swapped out a PLC, was the CMDB updated?
There are several ways to update the CMDB:

-SPAN (Switched Port Analyzer) is a dedicated port on a switch that takes a mirrored copy of network traffic from within the switch and sends it to a destination. The destination is typically a monitoring device, or another tool used for troubleshooting or traffic analysis.
This can help with the bulk of the assets, those that broadcast MAC or IP addresses, but it does exclude serially connected devices.
-Talk to the site engineers; they know more about a site, and their input is extremely valuable in completing the asset list.
-Require vendors to provide the information of the changed asset.
-Register the time of changes.
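The reconciliation the steps above describe can be scripted: compare what a mirror port actually sees against what the CMDB claims, and hand the differences to the site engineers. The example below is added here and is not code from the original post. The CMDB rows, the observed MAC/IP pairs, the field names and the 90-day verification window are all constructed assumptions for the example; serial devices are reported separately because, as noted above, a SPAN port never sees them.

```python
"""Reconcile devices seen on a SPAN/mirror port against a CMDB export (added example)."""
from datetime import date

# Constructed CMDB export: what the registry believes is on the plant floor.
CMDB = [
    {"asset_id": "PLC-LINE1-01", "mac": "00:1d:9c:aa:bb:01", "ip": "10.20.1.11",
     "conn": "ethernet", "last_verified": "2023-11-02"},
    {"asset_id": "PLC-LINE1-02", "mac": "00:1d:9c:aa:bb:02", "ip": "10.20.1.12",
     "conn": "ethernet", "last_verified": "2024-01-15"},
    {"asset_id": "HMI-LINE1-01", "mac": "00:0c:29:11:22:33", "ip": "10.20.1.50",
     "conn": "ethernet", "last_verified": "2024-01-15"},
    # Serial-attached RTU: never visible on a mirrored Ethernet port.
    {"asset_id": "RTU-WELL-07", "mac": None, "ip": None,
     "conn": "serial", "last_verified": "2023-06-30"},
]

# Constructed observations from the mirror port (MAC, IP, last time seen).
OBSERVED = [
    {"mac": "00:1d:9c:aa:bb:02", "ip": "10.20.1.12", "last_seen": "2024-02-10"},
    {"mac": "00:0c:29:11:22:33", "ip": "10.20.1.50", "last_seen": "2024-02-10"},
    # Vendor swapped the PLC: same IP as PLC-LINE1-01, different MAC.
    {"mac": "00:1d:9c:cc:dd:01", "ip": "10.20.1.11", "last_seen": "2024-02-10"},
    # A device nobody registered.
    {"mac": "b8:27:eb:12:34:56", "ip": "10.20.1.77", "last_seen": "2024-02-09"},
]


def reconcile(cmdb, observed, today, max_age_days=90):
    """Return findings for engineering follow-up.

    unregistered     : seen on the wire, no CMDB record by MAC or IP
    changed_hardware : CMDB IP matches, but the MAC differs (likely a swap)
    not_seen         : Ethernet asset in the CMDB that never appeared in traffic
    stale_record     : CMDB record not verified within max_age_days
    serial_manual    : serial assets that can only be verified by hand
    """
    by_mac = {r["mac"]: r for r in cmdb if r["mac"]}
    by_ip = {r["ip"]: r for r in cmdb if r["ip"]}
    seen_macs = {o["mac"] for o in observed}
    findings = {"unregistered": [], "changed_hardware": [], "not_seen": [],
                "stale_record": [], "serial_manual": []}

    for o in observed:
        if o["mac"] in by_mac:
            continue  # known device, nothing to do
        if o["ip"] in by_ip:
            findings["changed_hardware"].append((by_ip[o["ip"]]["asset_id"], o["mac"]))
        else:
            findings["unregistered"].append((o["mac"], o["ip"]))

    for r in cmdb:
        if r["conn"] == "serial":
            findings["serial_manual"].append(r["asset_id"])
        elif r["mac"] not in seen_macs:
            findings["not_seen"].append(r["asset_id"])
        age = (today - date.fromisoformat(r["last_verified"])).days
        if age > max_age_days:
            findings["stale_record"].append(r["asset_id"])
    return findings


def demo():
    """Run the reconciliation on the constructed data as of 2024-02-11."""
    return reconcile(CMDB, OBSERVED, date(2024, 2, 11))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

Each finding maps to one of the update paths listed above: `changed_hardware` is the vendor-swap case, `unregistered` goes to the site engineers, and `serial_manual` is the list that can only be closed by walking the floor.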

Backups (in case of production disturbance)
The first question that needs to be asked: where are your backups of the operational environment, and when was the last time a restore was tested?

A good backup solution and its execution start with a risk and impact assessment of your environment, i.e. where are your crown jewels?
-What do we need?
-Where do we store it?
-What is the time frame?
-How many backups do we need?

Now go top down through exactly the same questions for recovery:
-What do we need to recover?
-Where is the backup coming from?
-What is the time frame for recovery?
-How old is the backup?
Therefore it is highly recommended to test and restore regularly to see the quality of your backups.
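The questions above turn into a per-asset policy (how old may the newest copy be, how many copies, how recently was a restore exercised) that can be audited automatically. The example below is added here and is not code from the original post. The policy values, the backup catalog entries with their in-memory payloads, and the restore-test dates are constructed assumptions; a real catalog would point at files, but the checks are the same.

```python
"""Audit a backup catalog against the recovery policy from the impact assessment (added example)."""
import hashlib
from datetime import datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed policy: per asset, max age of the newest good copy (RPO),
# minimum number of good copies, and how often a restore must be exercised.
POLICY = {
    "PLC-LINE1-01": {"max_age_hours": 24, "min_copies": 2, "max_restore_test_days": 90},
    "HMI-LINE1-01": {"max_age_hours": 168, "min_copies": 2, "max_restore_test_days": 180},
    "HIST-SITE-01": {"max_age_hours": 24, "min_copies": 2, "max_restore_test_days": 90},
}

# Constructed catalog. "sha256" is the checksum recorded when the backup was
# taken; "data" stands in for the bytes read back from the store today.
BACKUPS = [
    {"asset": "PLC-LINE1-01", "taken": "2024-02-10T22:00", "store": "site-nas",
     "data": b"plc1-program-v12", "sha256": sha256(b"plc1-program-v12")},
    {"asset": "PLC-LINE1-01", "taken": "2024-02-09T22:00", "store": "offsite",
     "data": b"plc1-program-v12", "sha256": sha256(b"plc1-program-v12")},
    {"asset": "HMI-LINE1-01", "taken": "2024-01-20T03:00", "store": "site-nas",
     "data": b"hmi-project", "sha256": sha256(b"hmi-project")},
    # Bytes no longer match the catalog checksum (bit rot, bad copy, tampering).
    {"asset": "HMI-LINE1-01", "taken": "2024-02-03T03:00", "store": "offsite",
     "data": b"hmi-projecX", "sha256": sha256(b"hmi-project")},
]

# Constructed record of the last successful restore test per asset.
RESTORE_TESTS = {"PLC-LINE1-01": "2024-01-05T10:00", "HMI-LINE1-01": "2023-06-01T10:00"}


def audit(policy, backups, restore_tests, now):
    """Return {asset: [issue, ...]} for every asset that violates its policy."""
    issues = {}
    for asset, p in policy.items():
        found = []
        copies = [b for b in backups if b["asset"] == asset]
        good = [b for b in copies if sha256(b["data"]) == b["sha256"]]
        for b in copies:
            if sha256(b["data"]) != b["sha256"]:
                found.append(f"checksum_mismatch:{b['store']}")

        if not good:
            found.append("no_valid_backup")
        else:
            newest = max(datetime.fromisoformat(b["taken"]) for b in good)
            age_h = (now - newest).total_seconds() / 3600
            if age_h > p["max_age_hours"]:
                found.append(f"too_old:{age_h:.0f}h")
            if len(good) < p["min_copies"]:
                found.append(f"too_few_copies:{len(good)}")

        last_test = restore_tests.get(asset)
        if last_test is None:
            found.append("never_restore_tested")
        elif (now - datetime.fromisoformat(last_test)).days > p["max_restore_test_days"]:
            found.append("restore_test_overdue")

        if found:
            issues[asset] = found
    return issues


def demo():
    """Audit the constructed catalog as of 2024-02-11 08:00."""
    return audit(POLICY, BACKUPS, RESTORE_TESTS, datetime(2024, 2, 11, 8, 0))


if __name__ == "__main__":
    for asset, found in demo().items():
        print(asset, found)
```

Note that a checksum only proves the copy is what was written; it does not prove the PLC will accept it, which is why `restore_test_overdue` is a separate finding and why the text above insists on actually restoring.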


Firewall
The firewall in the operational environment is the first line of defense. When was the last check performed on the current rule set, and does it still apply?
It is advised to allow only the ports an application needs, although in operational environments this can result in blocked connections if an application uses dynamic ports to connect to a system. Therefore it is advised to monitor all incoming and outgoing connections before the rule set is put in place.

Firewalls can provide a wealth of information about which device is allowed to connect to certain areas of a location. The log output can be sent to a collector, where it can be correlated with a SOC alert.
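Monitoring connections before enforcing a rule set, as advised above, lets you replay the observed flows against the candidate rules and see what would break. The example below is added here and is not code from the original post. The flow records, the candidate rules, the first-match evaluation and the ephemeral-port threshold of 49152 are constructed assumptions for the example; it generalizes the point in the text slightly by also listing which source/destination pairs look like dynamic-port users.

```python
"""Replay observed OT flows against a candidate firewall rule set (added example)."""
import ipaddress
from collections import defaultdict

# Constructed flows captured during the monitoring period: (src, dst, proto, dst_port).
FLOWS = [
    ("10.20.1.50", "10.20.1.11", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.1.50", "10.20.1.12", "tcp", 502),
    ("10.30.0.10", "10.20.1.50", "tcp", 3389),   # engineering workstation -> HMI, RDP
    ("10.30.0.10", "10.20.1.11", "tcp", 44818),  # EtherNet/IP explicit messaging
    ("10.30.0.10", "10.20.1.11", "tcp", 49153),  # follow-up on a dynamic port
    ("10.30.0.10", "10.20.1.11", "tcp", 49872),
    ("10.20.1.77", "203.0.113.5", "tcp", 443),   # unregistered device talking outbound
]

# Constructed candidate rule set, evaluated first-match; "*" means any.
RULES = [
    {"src": "10.20.1.0/24", "dst": "10.20.1.0/24", "proto": "tcp", "ports": {502}, "action": "allow"},
    {"src": "10.30.0.0/24", "dst": "10.20.1.50/32", "proto": "tcp", "ports": {3389}, "action": "allow"},
    {"src": "10.30.0.0/24", "dst": "10.20.1.0/24", "proto": "tcp", "ports": {44818}, "action": "allow"},
    {"src": "*", "dst": "*", "proto": "*", "ports": None, "action": "deny"},
]


def _in_net(addr, net):
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(rules, flow):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src, dst, proto, port = flow
    for r in rules:
        if not _in_net(src, r["src"]) or not _in_net(dst, r["dst"]):
            continue
        if r["proto"] != "*" and r["proto"] != proto:
            continue
        if r["ports"] is not None and port not in r["ports"]:
            continue
        return r["action"]
    return "deny"


def would_block(rules, flows):
    """Observed flows the candidate rule set would drop; each needs a human decision."""
    return [f for f in flows if evaluate(rules, f) == "deny"]


def ports_per_pair(flows):
    """Group observed destination ports per (src, dst, proto), for rule authoring."""
    groups = defaultdict(set)
    for src, dst, proto, port in flows:
        groups[(src, dst, proto)].add(port)
    return {k: sorted(v) for k, v in groups.items()}


def dynamic_port_suspects(flows, threshold=49152):
    """Pairs that were seen on ephemeral ports: likely dynamic-port applications."""
    return sorted({(s, d, p) for s, d, p, port in flows if port >= threshold})


if __name__ == "__main__":
    print("blocked:", would_block(RULES, FLOWS))
    print("dynamic:", dynamic_port_suspects(FLOWS))
    print("ports:", ports_per_pair(FLOWS))
```

The output deliberately mixes two kinds of hits: the workstation-to-PLC flows on ports 49153 and 49872 are the dynamic-port case the text warns about and need an application-aware rule or a port range, while the outbound flow from 10.20.1.77 is exactly what the deny rule should catch.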

Passive vulnerability management

Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, services and vulnerabilities.
It monitors for client and server vulnerabilities on a specific network through direct analysis of the packet stream. It “sniffs” the traffic much like a network IDS or protocol analyzer. To accomplish this, it must be deployed on a network hub, a spanned port of a switch, or off a network tap.
The monitoring solution can also assist with asset management. These tools are very useful in setting up the use cases for an OT-SOC.
This output can also be sent to a collector, which can assist a SOC analyst in investigations.

The Collectors
Collectors are used to gather all data at one point and send it to a Security Operations Center.
Especially when using a cloud platform (e.g. Sentinel), it can save time and money if the data comes from one source instead of multiple sources all connecting at the same time.
Logs and data collection are critical components of a Security Operations Center (SOC)’s ability to detect, investigate, and respond to security incidents.

The collector is used to bring all the information to one point before it is sent to the SOC team.
This may include:
-Firewall logging
-Vulnerability management data
-EDR (endpoint detection and response) output
-User login events (authentication logs)
-Threat definition files

All of the above are needed in order to do an investigation. If I am missing an item, let me know.

The Team itself

There are multiple tiers in a SOC team; this is no different from an IT-SOC.
The differences between the tiers are:
T1: The analyst who logs the incident and raises a ticket; this can be an IT security engineer.
T2: The IT/OT security engineers who know how to handle operational security incidents.
T3: Full OT engineer or security champion: the on-site engineers who have a security posture but also know how the production location operates.

Now the most important part here is collaboration between the SOC and the engineers, by means of:
• Continuous training of employees: regular training programs are conducted to educate personnel on cybersecurity best practices, phishing awareness, and incident reporting procedures.
• Sharing knowledge and resources: the OT-SOC actively engages with other departments and stakeholders to share information about security threats and best practices.
• Overall open communication: everyone on the site wants the same thing, to run production without issues, so if an engineer has questions, help them out and listen to the information that is provided.

Once all this is in place, the start of the OT-SOC is a successful one.
The next step would be where to place the SOC, internal or external, but that is for the next post.
If you need any help in building your own OT-SOC, please reach out and let's discuss the possibilities.

Marc - 09:36:00