
Establishing Visibility with OT Asset and Network Baselines

Operators, analysts, and OT practitioners all know that defending and improving the operations of an industrial environment starts with a deep understanding of the specific assets you’re working with and the environment itself.

We’ve previously written about the importance of visibility across your environment, from the edge to the core.

This article focuses on creating and establishing a baseline of both your assets and network activity. A trustworthy baseline is one of many tools that help achieve actionable visibility into environments and systems. We’ll cover what baselines are, why they’re important, and how to leverage them to understand and improve your OT environment.

OT Assets and Network Baseline Basics

As its name implies, a baseline — usually the result of an initial assessment — gives operators, analysts, and other teams an idea of what’s considered “normal” in an environment. Baselines can include information on the devices, software, and other assets’ activity or functions over a given period of time, thus creating a snapshot of what normal/typical operations look like.

Different baselines focus on different types of information, such as device utilization, communications between devices and network segments, resource usage and performance, and more. They give teams an opportunity to compare the baseline statistics against how operators expect the network to behave based on current policies and configurations.

For example, a baseline might identify communications between assets that shouldn’t be occurring. The security team might flag this as something that needs to be addressed, perhaps with certain network rules or other compensating controls that stop the communications. Even if these interactions don’t have malicious intent and aren’t adversely affecting operations, they can still widen the attack surface. 

Baselines can also be used to evaluate and reduce MTTR (mean time to repair). Because a baseline gives asset owners detailed insight into firmware, serial numbers, and other device data, operators can use it to decide which assets need updates in the next maintenance cycle and which may be approaching end of life.

While OT environments are often designed and built to last for a long time with continuous uptime and availability in mind, there are still many changes that could be occurring that baselines help identify. These include any changes in third parties that perform device maintenance, the contractors that support the internal teams, and more.
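As an added illustration of the two preceding paragraphs (this is example code written for this article, not EmberOT's product or any site's real data), the script below compares two snapshots of an asset inventory. It reports devices that appeared or disappeared, tags whose serial number changed (a hardware swap), firmware and maintainer changes (including a move from internal staff to a contractor), and devices whose firmware sits below a supported floor and so belong in the next maintenance window. The `Asset` fields, the inventories and the `MIN_SUPPORTED` table are all constructed assumptions; real floors come from vendor lifecycle notices.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str        # stable tag from the asset register
    vendor: str
    model: str
    serial: str
    firmware: str        # dotted version string as reported by the device
    maintained_by: str   # internal team or third-party contractor


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def inventory_drift(baseline, current, min_supported) -> dict:
    """Compare two inventory snapshots keyed by asset_id.

    min_supported maps model -> lowest firmware version still supported; the values used
    here are constructed for the example and would come from vendor lifecycle notices."""
    base = {a.asset_id: a for a in baseline}
    cur = {a.asset_id: a for a in current}
    report = {
        "added": sorted(cur.keys() - base.keys()),
        "missing": sorted(base.keys() - cur.keys()),
        "hardware_replaced": [],    # same tag, new serial: a swap the register should reflect
        "firmware_changed": [],
        "maintainer_changed": [],   # a change in who services the device
        "update_candidates": [],    # below the supported floor: plan for the next maintenance window
    }
    for aid in sorted(base.keys() & cur.keys()):
        b, c = base[aid], cur[aid]
        if b.serial != c.serial:
            report["hardware_replaced"].append((aid, b.serial, c.serial))
        if b.firmware != c.firmware:
            report["firmware_changed"].append((aid, b.firmware, c.firmware))
        if b.maintained_by != c.maintained_by:
            report["maintainer_changed"].append((aid, b.maintained_by, c.maintained_by))
    for aid, a in sorted(cur.items()):
        floor = min_supported.get(a.model)
        if floor and parse_version(a.firmware) < parse_version(floor):
            report["update_candidates"].append((aid, a.firmware, floor))
    return report


# Constructed sample inventories (vendor, model, serial and version values are made up).
BASELINE_INV = [
    Asset("PLC-01", "VendorA", "M1", "SN1001", "2.3.0", "internal-ops"),
    Asset("PLC-02", "VendorA", "M1", "SN1002", "2.1.4", "internal-ops"),
    Asset("HMI-01", "VendorB", "H7", "SN2001", "5.0.1", "contractor-x"),
    Asset("RTU-03", "VendorC", "R2", "SN3003", "1.8.0", "internal-ops"),
]
CURRENT_INV = [
    Asset("PLC-01", "VendorA", "M1", "SN1001", "2.4.0", "internal-ops"),   # firmware updated
    Asset("PLC-02", "VendorA", "M1", "SN1099", "2.1.4", "contractor-y"),   # swapped, new maintainer
    Asset("HMI-01", "VendorB", "H7", "SN2001", "5.0.1", "contractor-x"),
    Asset("SW-07", "VendorD", "S4", "SN4007", "3.2.0", "internal-ops"),    # not in the baseline
]
MIN_SUPPORTED = {"M1": "2.2.0", "H7": "5.0.0"}

if __name__ == "__main__":
    for key, items in inventory_drift(BASELINE_INV, CURRENT_INV, MIN_SUPPORTED).items():
        print(f"{key}: {items}")
```

Keying on a stable asset tag rather than on IP address or serial is what makes a hardware swap visible as a swap instead of as one device vanishing and an unrelated one appearing.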

What to Consider When Building a Baseline

For a baseline to be useful, you must first conduct an assessment of your environment. That assessment needs to define where and when you’ll gather relevant information, and what tools will help you gather and consolidate that information.

It’s important to keep the goal of the baseline in mind. This will impact what’s included in the scope of the baseline and where a team should look for that information.

When establishing an OT network baseline, detailed asset information and network performance are key pieces of information that can inform security, as well as operations and other teams.

Often, one of the most challenging parts of gathering this information from industrial environments is finding the right way to access it. The key is identifying the most likely place this information will be found, and finding the tool that will extract that data in a useful way.

In a remote or air-gapped environment, for example, accessing network traffic if there is no SPAN or TAP infrastructure already in place may be more difficult. In this case, leveraging access to a historian or other data sink might yield the data that teams are looking for.

Packet capture files (PCAPs) can also be a valuable source of network traffic and detailed device information, especially if they’re already being gathered and stored somewhere in your environment. Analyzed with tools like Wireshark or the OT PCAP Analyzer, these files can yield a great deal of information for a baseline, including asset details and the communication patterns between devices.
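To show concretely what a baseline pulled from a PCAP looks like, here is an added example (written for this article, not code from EmberOT or the OT PCAP Analyzer) that reads a classic pcap file with only the standard library, reduces each IPv4 packet to a conversation tuple (source, destination, transport protocol, destination port), and counts packets per conversation. The set of keys is the communications baseline; the counts show which conversations dominate. The capture it parses is constructed inside the block from hand-built Ethernet/IPv4/TCP and UDP frames, and the `PORT_LABELS` table is an assumption used only to make the summary readable.

```python
import struct
from collections import Counter
from io import BytesIO

# Labels for a few well-known ports, used only to make the summary readable.
# This table is an assumption for the example; extend it for your own environment.
PORT_LABELS = {502: "modbus-tcp", 102: "iso-tsap", 44818: "enip", 20000: "dnp3", 443: "https", 53: "dns"}


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, proto, dst_port) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None  # ARP, VLAN-tagged and IPv6 frames are skipped in this example
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        dport = struct.unpack("!H", l4[2:4])[0]   # TCP and UDP both carry dst port at offset 2
        return (src, dst, "tcp" if proto == 6 else "udp", dport)
    return (src, dst, f"ip-proto-{proto}", 0)


def parse_pcap(data: bytes):
    """Yield one conversation tuple per IPv4 packet in a classic (non-pcapng) pcap file."""
    f = BytesIO(data)
    magic = f.read(4)
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack(endian + "HHiIII", f.read(20))
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET = 1) captures are handled")
    while True:
        rec = f.read(16)
        if len(rec) < 16:
            break
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = f.read(incl_len)
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than mis-parse the tail
        flow = parse_frame(frame)
        if flow:
            yield flow


def build_baseline(data: bytes) -> Counter:
    """Packet count per (src, dst, proto, dst_port); the keys are the communications baseline."""
    return Counter(parse_pcap(data))


def summarize(baseline: Counter):
    rows = []
    for (src, dst, proto, dport), n in sorted(baseline.items()):
        label = PORT_LABELS.get(dport, f"{proto}/{dport}")
        rows.append(f"{src:>15} -> {dst:<15} {label:<12} {n} pkts")
    return rows


# --- constructed sample capture (hand-built frames, not a real capture from any site) ---
def _frame(src, dst, proto, dport):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == 6:   # minimal TCP SYN header, no payload
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:            # minimal UDP header, no payload
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, addr(src), addr(dst))
    return eth + ip + l4


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian global header
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


SAMPLE_PCAP = _pcap([
    _frame("10.0.1.10", "10.0.2.20", 6, 502),    # HMI polling a PLC over Modbus/TCP
    _frame("10.0.1.10", "10.0.2.20", 6, 502),
    _frame("10.0.1.11", "10.0.2.21", 6, 102),    # engineering station to a PLC
    _frame("10.0.1.10", "10.0.0.5", 17, 53),     # HMI name lookup
    _frame("10.0.2.20", "203.0.113.9", 6, 443),  # PLC to an outside address: worth a policy check
])

if __name__ == "__main__":
    for row in summarize(build_baseline(SAMPLE_PCAP)):
        print(row)
```

On a real capture the same reduction is what a tool like Wireshark's Conversations view gives you; doing it by hand makes clear that a baseline is a set of observed tuples plus a time window, and nothing more mysterious than that.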

What Comes After the Baseline?

Baseline assessments are a valuable first step toward visibility and understanding what’s going on in your environment, and the results are often useful in pointing teams toward the next steps.

Unexpected behaviors or gaps identified after a baseline assessment are good indicators of things that need to be examined.

If the baseline was created with the goal of improving security, for example, any indications of unauthorized or unnecessary communications, unexpected behaviors and device connections, or other things that don’t align with operational goals and policies should be evaluated for potential risks and vulnerabilities.

Once these gaps have been identified, there should be a process for evaluating the findings. Are these unexpected behaviors one-time exceptions, or violations of policy? Does a policy or process need to be updated to address them, or do compensating controls have to be put in place?
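The follow-up questions above can be made systematic by checking each observed conversation against both the baseline and the current segmentation policy. The script below is an added example for this article (not EmberOT's detection logic) that sorts conversations into buckets that map onto those questions: expected, present in the baseline yet contrary to policy (a compensating control or policy decision is needed), new but permitted (a legitimate change, so update the baseline), new and unexpected (investigate), and absent (a baseline conversation that stopped). The zone map, the `ALLOWED` matrix and the conversation sets are constructed assumptions; in practice the policy comes from your own segmentation design and firewall rules, and the conversation tuples from a packet capture or a sensor's flow records.

```python
from ipaddress import ip_address, ip_network

# Zone model and allowed zone-to-zone services. Both are constructed for this example;
# in practice they come from your segmentation design and current firewall/ACL policy.
ZONES = {
    "supervisory": ip_network("10.0.1.0/24"),   # HMIs, engineering stations
    "control": ip_network("10.0.2.0/24"),       # PLCs, RTUs
    "services": ip_network("10.0.0.0/24"),      # DNS, NTP, historian
}
ALLOWED = {  # (src_zone, dst_zone) -> {(proto, dst_port)}
    ("supervisory", "control"): {("tcp", 502), ("tcp", 102)},
    ("supervisory", "services"): {("udp", 53), ("udp", 123)},
    ("control", "services"): {("udp", 123)},
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"   # anything outside the modelled zones, including unknown internal subnets


def permitted(flow) -> bool:
    src, dst, proto, dport = flow
    return (proto, dport) in ALLOWED.get((zone_of(src), zone_of(dst)), set())


def triage(baseline: set, observed: set) -> dict:
    """Sort observed conversations into the buckets the follow-up process needs.

    expected:           in the baseline and permitted by policy
    baseline_violation: in the baseline but contrary to policy; needs a compensating
                        control or a policy decision
    new_permitted:      not in the baseline but allowed; a legitimate change, update the baseline
    new_unexpected:     neither; investigate before deciding exception vs. incident
    absent:             in the baseline but no longer seen; failed, moved or decommissioned?
    """
    out = {"expected": [], "baseline_violation": [], "new_permitted": [], "new_unexpected": []}
    for flow in observed:
        known, ok = flow in baseline, permitted(flow)
        if known and ok:
            out["expected"].append(flow)
        elif known:
            out["baseline_violation"].append(flow)
        elif ok:
            out["new_permitted"].append(flow)
        else:
            out["new_unexpected"].append(flow)
    out["absent"] = list(baseline - observed)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample data: conversation tuples (src, dst, proto, dst_port), as a packet
# capture or a sensor's flow records would yield them. Addresses are made up.
BASELINE = {
    ("10.0.1.10", "10.0.2.20", "tcp", 502),
    ("10.0.1.11", "10.0.2.21", "tcp", 102),
    ("10.0.1.10", "10.0.0.5", "udp", 53),
    ("10.0.2.20", "203.0.113.9", "tcp", 443),   # captured at baseline time, but not sanctioned
}
OBSERVED = {
    ("10.0.1.10", "10.0.2.20", "tcp", 502),
    ("10.0.1.11", "10.0.2.21", "tcp", 102),
    ("10.0.2.20", "203.0.113.9", "tcp", 443),
    ("10.0.1.12", "10.0.2.20", "tcp", 502),     # a newly commissioned HMI
    ("10.0.3.7", "10.0.2.20", "tcp", 502),      # a host from an unmodelled subnet talking to a PLC
}

if __name__ == "__main__":
    for bucket, flows in triage(BASELINE, OBSERVED).items():
        for src, dst, proto, dport in flows:
            print(f"{bucket:<19} {src} -> {dst} {proto}/{dport}")
```

Keeping the policy check separate from the baseline check is the point: a baseline records what happened, not what was allowed, so a conversation can be perfectly "normal" and still be a gap that needs a control.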

Asset and Network Baselines Are Just the Beginning

Establishing a baseline for visibility into your OT assets and network is just the beginning.

Conducting a single assessment and establishing one baseline isn’t the end-all be-all for evaluating and securing an OT environment. As changes occur, new equipment is deployed, or policies are updated, the network should continue to be monitored to be sure that everything is working properly.

Ideally, organizations would be able to continuously monitor their environments for complete visibility into any changes that occur. The security picture is constantly changing, with risks, threats, and the next likely target able to shift from one hour to the next.

But for organizations just getting started with their visibility journey, using a baseline as a snapshot in time can establish an understanding of your environment and identify the next steps that need to be taken to improve it.

If you’re looking for better visibility into your industrial environment, EmberOT’s purely software-based solution can give you near-complete visibility from the edge to the core. Purpose-built for OT, these sensors (Embers) can monitor and detect changes on your network without disrupting normal operations.