Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Extend Your SOC Team with 24/7 Remote OT Security

Christina Hoefer | November 17, 2022

Some economic sectors may be hitting the brakes, but the cybersecurity talent shortage persists across all industries and shows no signs of abating – not while sophisticated cyberattacks continue to rise in number and complexity. The 2022 (ISC)2 Cybersecurity Workforce Study found that even as the global cybersecurity workforce is at an all-time high, it is still short by 3.4 million workers. For industries that require special device and domain expertise, the challenge to recruit and retain qualified staff is even greater. That’s certainly the case with security professionals who understand operational technology (OT) environments. Industrial digitalization, whether in manufacturing, critical infrastructure or another cyber physical process (CPS) environment, has introduced efficiencies but also greater operational and cyber risks.

A key challenge is that OT, industrial control system (ICS) and Internet of Things (IoT) devices are typically unmanaged; they don’t support agents, so their security posture is largely unknown. These devices are often invisible to IT security teams, who may be reluctant to onboard OT environments because of the special techniques and knowledge they require. Instead, industrial assets are typically “owned” by OT engineers, who are more focused on day-to-day issues that may threaten safety and productivity: misconfigurations, resource usage spikes, unstable values, incorrect measurements and other anomalies. These highly skilled professionals, often rooted in process control engineering, may have little cybersecurity training and be unaware that many OT assets are insecure by design.

For organizations that lack the resources to protect their OT environment, augmenting your internal operations with an external team focused specifically on these vulnerable, unmanaged assets is a cost-effective way to reduce cyber risk and scale your capabilities without adding headcount.

Remote cybersecurity support for OT environments

Forescout eyeInspect delivers complete visibility of connected OT/IoT assets through deep packet inspection of all industrial network protocols and assesses connected assets and communications, with thousands of OT-specific threat indicators and powerful patented anomaly detection. For each asset, it calculates dual, impact-based risk scores that consider both cybersecurity risk and operational risk. The scores are continuously evaluated using detected events associated with the asset, proximity to other potentially infected assets, communication links and behavior, known vulnerabilities and other details. These risk scores enable you to focus limited resources on those that present the greatest risk to your business.

Unfortunately, OT asset owners are often so focused on the operational risks that security risks go unattended. Manufacturers, as well as power, utilities, oil and gas operators, typically have their own process operations center running 24/7 to avert downtime. But operators have their hands full just with alerts from process systems – there’s no time to analyze detected events and correlate them with other sources that may indicate an attempted security breach.

Forescout Assist for OT/ICS is a 24/7 subscription service designed for OT operators and IT security teams that lack the resources to maximize the inherent value in eyeInspect or that want to make their SOC teams more effective. ​It provides continuous security monitoring and alert correlation as well as advanced threat detection, hunting and response for industrial environments. Our experts work as a virtual extension of your IT/security team, leveraging eyeInspect data to monitor, analyze and triage detected threats and escalating to you only the highest-priority threats that require attention, along with remediation guidance.

With and without remote security monitoring

What kinds of cybersecurity issues often go unaddressed in industrial environments? Many involve weak security practices, such as the use of default credentials, insecure authentications, unwanted connectivity between systems, etc. Without remote assistance, strapped resources are unable to engage the networking or plant teams to schedule remediation. Eventually – not if, but when – one of these vulnerabilities is exploited. For example, an attacker could exploit a vulnerable IP camera to enter the OT network and then use default credentials to shut down the human-machine interface (HMI) used to control a critical process. Result: downtime until operators can revert to manual operations.

With remote assistance, the Forescout Assist team tracks even these seemingly mundane issues around-the-clock and prioritizes them for follow-up, coordinating with stakeholders to close them one by one or recommending broader remediation measures. When an attacker tries to exploit the IP camera, they get no further than that one device because the system is segmented properly. Attempts to use default credentials on other connected assets also fail. Most importantly, the Assist team spots the intruder early in the attack, quarantines the system and collects all evidence for further investigation. Result: no disruption.

Close security gaps to vanquish cyber threats

One of the best ways to ensure you stay ahead of true threats is to have a team of threat hunters and incident investigators at your service. But highly trained specialists are difficult to find and expensive, particularly ones with knowledge of OT environments.

A shared analyst model for these functions makes sense. You don’t need dedicated resources, just the right remote skill sets available to supplement your in-house team, help close security gaps and surface true threats before they can cause harm.

Get a tour of the cloud-native platform Forescout Assist analysts rely on to help investigate and triage threats

SPEAK TO AN EXPERT