Choosing the Right SOC Model for Your OT Needs

Cybersecurity monitoring has traditionally focused on internet-facing enterprise networks, with very little consideration of control systems environments. Today, the rise in control-system-focused malware, such as Havex, BlackEnergy, CRASHOVERRIDE, and TRISIS, has forced companies to expand their cybersecurity visibility to include their control systems networks.

What Are Your SOC Options?

When considering your OT monitoring needs, it is important to adopt the right operational security model. Improving your SOC with the right people, processes, and technology serves the business, reduces risk, increases safety, and ensures properly maintained processes. Three common operational build models are the integrated IT/OT SOC, the dedicated OT SOC, and a hybrid of the two. Each model has certain advantages and challenges, and the decision is ultimately determined by your needs, capabilities, and expectations.

Compare operational build models:

Integrated Design

Advantages
  • Combined IT/OT SOC (shared physical space)
  • Shared dashboards for both IT and OT technologies
  • Cross-trained analysts
  • Processes tailored for both IT and OT incident response

Challenges
  • Finding cybersecurity analysts with OT or control systems environment knowledge
  • Creating detailed processes for both IT and OT incident response
  • Information overload from combined IT and OT log aggregation

Considerations
  1. Hire OT talent and invest time and resources to train up analysts' cyber investigation skill set.
  2. Consider compliance restrictions and control system environment requirements when creating runbooks.
  3. Clearly document data sources and traffic flows, and fine-tune security appliances to reduce false-positive rates.

Dedicated Design

Advantages
  • Dedicated OT SOC physically and operationally separate from the IT enterprise SOC
  • Separate dashboards, analysts, skill sets, tools, processes, etc.

Challenges
  • Disparity in situational environment knowledge across IT and OT
  • Culture integration, and delays in response times when an incident crosses from the IT infrastructure over to the OT environment

Considerations
  1. Create and host brown bag learning sessions to address the gap in IT/OT domain knowledge.
  2. Design an analyst shadowing program.
  3. Include the other SOC in daily incident overviews, growth strategy sessions, and joint tabletop exercises.

Hybrid Design

Advantages
  • Combines certain monitoring and response functions based on client constraints
  • Analysts shadow in the other SOC

Challenges
  • Not a comprehensive approach to ensure holistic detection capabilities
  • Culture integration

Considerations
  1. If your organization cannot fully commit to the integrated or dedicated model, this combined approach might be the best option.


3 Reasons to Build an Integrated SOC

Enterprise security must address OT network defense as a critical component of a mature cybersecurity posture. We believe that the ideal solution is a holistic view of both OT and IT environments from a single dashboard, monitored and managed by teams trained to recognize anomalies and identify exposure, with the appropriate context of the operating environments, across all systems and devices. Organizational and financial constraints often restrict companies from adopting the integrated operational model. No matter the constraints, we provide a fully customized solution to fit your needs.

For a truly holistic approach to enterprise defense, we believe you need an integrated operational model. In this model, all SOC operations, including incident response, forensics, investigations, and availability for both IT and OT environments, are monitored and responded to in a centralized location with co-located SMEs.

Three main advantages gained by combining OT monitoring into your existing IT-focused enterprise SOC are:

  1. Improved Situational Awareness – Aggregated detection sources, co-located IT and OT cybersecurity analysts, and domain knowledge of both enterprise and control system environments allow for faster event correlation and remediation.
  2. Quicker Response Times – An integrated model ensures co-located analysts intimately familiar with OT infrastructure are enabled to make immediate, informed incident response decisions to prevent remediation delays.
  3. More Cost Efficient – Everyone likes to save money! A combined IT/OT SOC reduces management overhead and physical workspace cost, and consolidates your security stack.

6 Foundational Steps to Build an Integrated SOC

Combined IT/OT monitoring requires several strategic, technical, and process-related investments. We recommend a phased approach to achieve SOC operational model goals, as well as continuous long-term capabilities and growth. The foundational steps below provide a solid base that enables strong, consistent growth:

  1. Define success – Have a clear objective and vision for what you want to achieve.
  2. Understand your baseline – Use a baseline assessment to define the current mission, roles, responsibilities, infrastructure, and technologies of both the IT and OT environments and identify existing gaps.
  3. Plan it out – Incorporate baseline assessment results to define the supporting processes, roles, and investments required to combine IT and OT monitoring and response functions. Prioritize and assign action items.
  4. Train your staff – Cross-train specialized IT and OT staff to effectively monitor and respond to incidents in both environments. There is a market premium on OT infrastructure knowledge, so it is typically easier to hire personnel with OT knowledge and then teach them the cyber and incident response skill sets.
  5. Integrate technology – Address the technical enablers needed to achieve the vision, mission, and requirements of the combined IT/OT SOC. Ideally, this includes the field instrumentation needed to provide visibility, as well as the security stack and back-office technology enablers that support day-to-day IT/OT SOC functions.
  6. Aggregate your logs – Centralize aggregated logs for advanced correlation of events between the IT and OT environments. Examples of log sources include HTTP proxy, endpoint activity, antivirus, ingress/egress network traffic, telecommunications, OS, application data, syslog, historian, and process data.
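The value of step 6 is the cross-domain correlation that neither SOC can perform on its own data. The script below is an added example, not code from the original article or from Revolutionary Security: it joins a constructed IT-side antivirus quarantine event to constructed OT-side flow records and raises an alert when the quarantined host starts talking Modbus/TCP (port 502) to PLCs it is not baselined to reach. The log format, field names, hostnames, IP addresses, the asset inventory and the traffic baseline are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed IT-side endpoint/antivirus events (syslog-style key=value; field names are assumptions).
IT_LOGS = """\
2024-03-05T09:12:04Z av host=ENG-WS-07 user=jdoe action=quarantine file=invoice.xlsm
2024-03-05T09:40:11Z av host=HR-LAPTOP-3 user=asmith action=quarantine file=resume.docm
2024-03-05T10:05:00Z av host=ENG-WS-09 user=mlee action=scan_ok file=-
"""

# Constructed OT-side flow records from a passive sensor on the control network.
# The 08:50 record predates the quarantine and must not be counted.
OT_FLOWS = """\
2024-03-05T08:50:00Z flow src=10.10.5.17 dst=192.168.100.21 dport=502 proto=tcp bytes=300
2024-03-05T09:13:30Z flow src=10.10.5.17 dst=192.168.100.21 dport=502 proto=tcp bytes=1460
2024-03-05T09:13:31Z flow src=10.10.5.17 dst=192.168.100.22 dport=502 proto=tcp bytes=1460
2024-03-05T09:13:31Z flow src=10.10.5.17 dst=192.168.100.21 dport=502 proto=tcp bytes=60
2024-03-05T11:02:00Z flow src=10.10.5.40 dst=192.168.100.21 dport=502 proto=tcp bytes=120
"""

# Assumed asset inventory: enterprise hostname -> IP as seen by the OT sensor.
ASSET_IP = {"ENG-WS-07": "10.10.5.17", "ENG-WS-09": "10.10.5.19", "HR-LAPTOP-3": "10.10.20.8"}

# Assumed traffic baseline: sources that are expected to speak Modbus/TCP to the PLCs.
MODBUS_BASELINE = {"10.10.5.40"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp kind k=v k=v ...' record into a dict; return None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    rec["kind"] = m.group("kind")
    return rec


def parse_log(text):
    """Parse a whole log blob, dropping lines that do not match the record format."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def correlate(it_events, ot_flows, asset_ip, baseline, window=timedelta(minutes=30)):
    """Alert when an AV quarantine on an enterprise host is followed, within `window`,
    by Modbus/TCP flows from that host's IP to PLCs it is not baselined to reach."""
    alerts = []
    for ev in it_events:
        if ev["kind"] != "av" or ev.get("action") != "quarantine":
            continue
        ip = asset_ip.get(ev.get("host"))
        if ip is None or ip in baseline:
            continue  # unknown asset, or a host that legitimately talks Modbus
        targets = sorted({
            fl["dst"] for fl in ot_flows
            if fl["kind"] == "flow" and fl.get("src") == ip and fl.get("dport") == "502"
            and timedelta(0) <= fl["ts"] - ev["ts"] <= window  # only flows after the IT event
        })
        if targets:
            alerts.append({
                "host": ev["host"],
                "ip": ip,
                "it_event_ts": ev["ts"].isoformat(),
                "file": ev.get("file"),
                "plc_targets": targets,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(IT_LOGS), parse_log(OT_FLOWS), ASSET_IP, MODBUS_BASELINE):
        print(alert)
```

Run stand-alone, the script reports a single alert for ENG-WS-07 reaching two PLCs; the HR laptop's quarantine produces nothing because it never touches the control network, and the baselined engineering host's Modbus traffic is ignored. The two inputs an integrated SOC must own for this rule to work are the asset inventory (hostname to IP) and the Modbus baseline, which is exactly the "document data sources and traffic flows" consideration from the integrated-design table.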

Get started. Use the SOC model options table above to vet the right solution for your organization. Define what success looks like and get buy-in from key stakeholders on the vision, mission, and requirements to mature your defense posture across the enterprise.



Need help getting started?

Revolutionary Security specializes in understanding your environment and developing plans to reach your monitoring requirements. Let's work together to build towards attaining IT/OT SOC maturity. Contact us today to schedule a meeting with our IT/OT security specialists.

