Blog

Automating Cybersecurity and Operational Risk Analysis for OT Networks

Damiano Bolzoni | October 14, 2019

Too Many Tools, Even More Alerts

The evolving threat landscape of industrial networks, and the various tools used to manage them, have forever changed the job of the average CISO and cybersecurity analyst. Many organizations have responded to this challenge in one of two ways: either burying their head in the sand and hoping for the best or investing money in numerous cybersecurity and operational management tools without a sound method of aggregating and orchestrating the data that these tools provide. Information technology (IT) and operational technology (OT) analysts alike are inundated and often overwhelmed with the plethora of alert information gathered from these numerous cybersecurity and operational management tools.

Too Much of a Good Thing

For most cybersecurity analysts responsible for thousands of devices, alerts indicating potential areas of risk, like changes in communication behavior, profiled security and operational threats, and insecure protocol communications, are a daily occurrence. The daunting task of aggregating both identified operational and cyber threats, as well as prioritizing them amidst a continuously evolving threat landscape is incredibly resource-intensive and challenging.

At a certain point, the tools that present the most accurate operational and cybersecurity data can reach a point of diminishing return if you do not have the means of accurately prioritizing risk or a staff to field alerts. Sifting through them can be a complex and time-consuming task that security and operations teams just can’t afford. Security teams need to be able to filter out the noise and distill exactly which data points they should be looking at to measure their risk, including:

  • Network and communication behavior changes
  • Potential security and operational threats
  • Devices with the highest probability of being compromised
  • Vulnerabilities and insecure protocols down to the device level
  • Connectivity with external networks
  • Impact on business if a specific device or network is compromised

Tell Me What I Need to Know. Fast.

With the latest release of SilentDefense, analysts now enjoy a reduced workload with the Asset Risk Framework. This impact-based, automated risk scoring matrix combines multiple factors to deliver two intuitive risk scores, the security risk score and the operational risk score. These scores empower cybersecurity and operational stakeholders to quickly evaluate their OT network’s risk posture and better prioritize risks and remediation actions.


The Asset Risk Framework quickly identifies devices at risk and lets users filter them for deeper analysis

The security risk score enables security analysts to immediately identify assets that have a high potential of being compromised, accounting for data like critical vulnerabilities affecting a device or direct Internet connection, and/or for which there is actual evidence that a potential attack is ongoing, including indicators like port scan activity and exploit attempts.

Similarly, the operational risk score enables OT engineers to quickly spot assets that need immediate attention, including devices exhibiting signs of misconfiguration or malfunction that could cause unexpected downtime.

How Does It Work?

Through the Asset Risk Framework, SilentDefense considers multiple relevant device status and communication data points to determine the security and operational risk for an asset. It automates the calculation of the likelihood of an incident occurring, such as a cyberattack and/or operational failure that would result in downtime. It then weighs these risk factors according to the potential impact that the corruption of a specific device might have on the network, factoring in things like the criticality of the device, its connections and the network where it resides. This impact-based and intuitive approach to security and operational management is a huge improvement in the way users approach OT network monitoring.

Users no longer need to separately analyze alerts, vulnerabilities, and statistics to connect the dots on their own. Now, they can simply access their asset inventory pages and investigate. The Asset Risk Framework is available both on the SilentDefense Enterprise Command Center (ECC) and the Command Center (CC), extending this beneficial risk-based approach to all management levels.


The Asset Risk Framework on the ECC

A risk chart on the Enterprise Command Center (ECC) assets page gives immediate insight into the overall risk posture of multi-site or geo-distributed OT networks, so CISOs and other security stakeholders can sort assets based on their risk to determine whether something requires urgent attention. Within the user interface, security analysts can initiate a detailed investigation to understand why an asset is at risk and what can be done to reduce the risk.


Quickly and easily focus on alerts and vulnerabilities that matter most without diving into each one individually

For example, if a high risk score is due to the number of alerts, users can zoom in on recent alerts about that asset to make informed remediation decisions. Similarly, if the high risk is because of critical vulnerabilities or direct Internet access, users can quickly analyze these two factors from the same panel, saving time and improving operational efficiency. This feature empowers users to quickly and easily focus on the alerts and vulnerabilities that matter most without diving into each one individually.

Analysts can also customize the risk calculations based on issues they care most about, giving them full flexibility and control over the weight of each factor. These risk scores can also be exported with asset information via CSV or an open REST API.

The Asset Risk Framework saves time, improves analyst effectiveness, and boosts cybersecurity posture by automating cybersecurity and operational risk analysis.

To learn more about impact-based risk scoring and the other exciting new features included in SilentDefense 4.1, check out our launch page.