The OSI (Open Systems Interconnection) model describes how different devices and systems communicate with each other. The model splits up a communication into seven abstract layers that build on top of each other. Each layer has a specific job that feeds into the layer above it.
That said, the specific layers of the OSI model aren’t strictly followed across OT or ICS environments and communication systems. But the model still offers a valuable reference point that helps operators better understand an OT environment or industrial network, especially as it relates to visibility and identifying relevant assets and devices.
Orienting Yourself with the OSI Model Layers
Here is a high-level breakdown of the seven OSI model layers and their primary functions:
- Layer 1 – The Physical Layer: Responsible for transporting bits of data using electrical, mechanical, or procedural interfaces. This layer describes the physical equipment involved in the data transfer, such as cables and pins.
- Layer 2 – The Data Link Layer: Handles moving data in and out of the physical link between two devices on the same network segment. This layer is responsible for flow and error control across that link. It takes packets from layer 3 and encapsulates them in frames, addressed by MAC address.
- Layer 3 – The Network Layer: Facilitates data transfer between two different networks. The network layer looks for the best physical route across which to send data, which is also called routing.
- Layer 4 – The Transport Layer: Transfers data between two devices by taking data from the session layer and breaking it up into segments before sending it to layer 3. This layer also handles the flow of data, determining how much data to send, where to send it, and at what rate to avoid overloading slower connections.
- Layer 5 – The Session Layer: Responsible for setting up, coordinating, and terminating conversations between applications. This layer ensures that the session is open long enough to verify that the data is transferred, and then closes it.
- Layer 6 – The Presentation Layer: Prepares data into a format that the application layer can understand. This is the layer where data is compressed for transport, encrypted, or decrypted.
- Layer 7 – The Application Layer: The layer closest to the user, where applications such as a web browser, an email client, or an HMI initiate and consume communications.
Focusing on just a few specific layers of the OSI model can help you gain visibility into an OT environment, as well as give you a better understanding of the assets and devices on your network.
Navigating the OSI Model for OT Visibility
Layer 2 (the data link layer) is essential to gaining OT environment visibility. Focusing on this layer offers opportunities to monitor discrete edge networks such as substations or water treatment facilities.
The majority of the traffic in industrial networks consists of east-west traffic between devices across the same local network. Monitoring this type of communication can reveal a wealth of information, such as which devices are communicating and which protocols they’re communicating in.
The data link layer also contains the media access control (MAC) sublayer, and the term “MAC” is used in two related senses: it describes how the sublayer decides which device may transmit on the shared medium at any given time, and it describes the frame structure, in which frames are delivered based on source and destination MAC addresses.
Layer 3, the network layer, is where the data passed between two networks is routed and sent to the appropriate place. Visibility into this layer provides an understanding of where and what information from the edge is being routed to a different part of the network, or north-south traffic.
Depending on how heavily regulated the environment is, or how sensitive the overall system is, data at this layer may be largely telemetry. While this doesn’t give much information about specific devices, the data is still valuable, since observing it can establish a baseline for normal traffic patterns.
Another layer of interest is Layer 4, the transport layer. This layer is responsible for transferring data between devices by taking the data from the session and splitting it up for transport and delivery through the network layer.
Visibility across these layers also reveals that a single protocol can leave evidence at several layers. Modbus/TCP, for example, carries its application-level function codes inside a TCP segment (layer 4), which sits inside an IP packet (layer 3), which sits inside an Ethernet frame (layer 2); Modbus RTU over a serial line, by contrast, has no IP or TCP at all. How a protocol is encapsulated, and which layers it crosses on its way through the network, determines where on the OSI model you will find traces of it.
Monitoring the data and protocols across OSI model layers makes it easier to identify and flag any unexpected communications, whether from a misconfigured machine, bad actor, or other underlying issues.
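As an added illustration (not code from the original post or from EmberOT), the following Python decodes a constructed Ethernet/IPv4/TCP/Modbus-TCP frame layer by layer, showing what each of layers 2, 3, 4 and 7 reveals about the conversation, and then compares the decoded flow and Modbus function code against a small baseline to flag unexpected communications. The MAC addresses, IP addresses, ports and the baseline itself are assumed sample values; the frames are built inline so the script runs offline. Checksums are left at zero because the parser does not verify them.

```python
import struct
from typing import Dict, List

MODBUS_TCP_PORT = 502
MODBUS_FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Dict[str, dict]:
    """Walk one Ethernet II frame layer by layer.

    Returns a dict keyed "l2", "l3", "l4", "l7"; a key is present only when that
    layer could be decoded, so a non-IP frame (ARP, raw industrial Ethernet)
    yields layer-2 facts alone.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"l2": {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": ethertype}}
    if ethertype != 0x0800:          # not IPv4: layer-2 visibility only
        return layers
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["l3"] = {"src_ip": ip_str(sip), "dst_ip": ip_str(dip), "protocol": proto, "ttl": ttl}
    if proto != 6:                   # not TCP: stop at layer 3
        return layers
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off >> 4) * 4
    layers["l4"] = {"src_port": sport, "dst_port": dport, "flags": flags}
    payload = tcp[data_off:]
    # Modbus/TCP: 7-byte MBAP header (transaction id, protocol id = 0, length, unit id), then the PDU
    if MODBUS_TCP_PORT in (sport, dport) and len(payload) >= 8:
        _, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
        if proto_id == 0 and length == len(payload) - 6:
            fc = payload[7]
            layers["l7"] = {"protocol": "modbus/tcp", "unit_id": unit_id, "function_code": fc,
                            "function": MODBUS_FUNCTION_NAMES.get(fc, "unknown")}
    return layers


# Constructed baseline (assumption): expected (src_ip, dst_ip, dst_port) flows and the
# Modbus function codes each master is allowed to issue on that flow.
BASELINE = {
    ("192.168.1.10", "192.168.1.20", MODBUS_TCP_PORT): {1, 2, 3, 4},   # HMI may only read from the PLC
}


def check_against_baseline(layers: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for traffic that deviates from BASELINE."""
    findings: List[str] = []
    l3, l4, l7 = layers.get("l3"), layers.get("l4"), layers.get("l7")
    if not (l3 and l4):
        return findings              # pure layer-2 traffic is outside this check's scope
    flow = (l3["src_ip"], l3["dst_ip"], l4["dst_port"])
    allowed = BASELINE.get(flow)
    if allowed is None:
        findings.append(f"unexpected flow {flow[0]} -> {flow[1]}:{flow[2]}")
    elif l7 and l7["protocol"] == "modbus/tcp" and l7["function_code"] not in allowed:
        findings.append(f"{l3['src_ip']} issued disallowed Modbus function "
                        f"{l7['function_code']} ({l7['function']})")
    return findings


def build_modbus_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                       src_port: int, function_code: int, pdu_data: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP/Modbus-TCP frame (checksums left zero)."""
    pdu = bytes([function_code]) + pdu_data
    mbap = struct.pack("!HHHB", 1, 0, 1 + len(pdu), 1)       # transaction 1, protocol 0, unit id 1
    payload = mbap + pdu
    tcp = struct.pack("!HHIIBBHHH", src_port, MODBUS_TCP_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    return eth + ip + tcp + payload


# Constructed sample traffic (assumed addresses)
HMI_MAC, PLC_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
READ_FRAME = build_modbus_frame(HMI_MAC, PLC_MAC, "192.168.1.10", "192.168.1.20", 49152, 3,
                                struct.pack("!HH", 0, 10))          # HMI reads 10 holding registers
HMI_WRITE_FRAME = build_modbus_frame(HMI_MAC, PLC_MAC, "192.168.1.10", "192.168.1.20", 49153, 16,
                                     struct.pack("!HHBH", 0, 1, 2, 7))  # HMI writes a register
ROGUE_FRAME = build_modbus_frame("de:ad:be:ef:00:01", PLC_MAC, "192.168.1.99", "192.168.1.20", 40000, 6,
                                 struct.pack("!HH", 5, 1234))        # unknown host writes a register
ARP_FRAME = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    for name, frame in [("read", READ_FRAME), ("hmi-write", HMI_WRITE_FRAME),
                        ("rogue", ROGUE_FRAME), ("arp", ARP_FRAME)]:
        decoded = parse_frame(frame)
        print(name, sorted(decoded), check_against_baseline(decoded))
```

Each frame is decoded only as far as its encapsulation allows: the ARP frame stops at layer 2 (MAC addresses and EtherType), while the Modbus/TCP frames yield MAC pairs at layer 2, IP pairs and TTL at layer 3, ports and flags at layer 4, and unit ID plus function code at layer 7. The baseline check then uses the layer-3/4 flow to spot an unknown talker and the layer-7 function code to spot a known host doing something it should not, which is the kind of deviation the text describes flagging.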
Knowing the Lay of the Land in Operational Environments
The OSI model may not map neatly to OT environments and their unique configurations and regulations, but thinking about data across these conceptual layers is still valuable. Doing so can reveal data across the environment that bolsters an operator’s understanding of what specifically needs more or better protection.
Ultimately, using the OSI model as a guide to implement a data-oriented approach to understanding and protecting your OT environment enables more comprehensive visibility into the system as a whole, which is a crucial component for knowing exactly what devices, assets, data flows, and systems need to be protected.