Using The Claroty Platform to Spot & Address Unauthorized Activity from OT Remote Users
By Shlomit Alon & Michal Erel | November 23, 2020
Between the surge in remote workers, economic uncertainty, and opportunistic adversaries spurred by the COVID-19 pandemic, it has never been more important and more challenging to keep threats and adversaries outside of your operational technology (OT) environments. Often overlooked, however, is that it’s just as crucial — and in many cases, just as challenging — to also be able to allow defenders and responders inside of those environments in a manner that is secure, controlled, and efficient.
Our recently announced enhancements to The Claroty Platform, which is now the industry’s first to offer fully integrated remote incident management capabilities that cover the entire incident lifecycle, aim to help organizations do just this. More specifically, we developed these enhancements to address the challenges and needs of two groups of remote users and the types of activities organizations now must enable. These include:
The OT managers and engineers, equipment manufacturers, and third-party contractors who need access to OT assets to service them and maintain OT availability, reliability, and safety.
The IT security operations center (SOC) personnel tasked with monitoring activity, detecting anomalies, and responding to OT incidents.
Since the first group — in addition to insiders and attackers — could make changes, intentionally or unintentionally, that impact OT process integrity, we felt it was important that our platform be able to alert the second group to these changes to help them spot and address problems as quickly as possible.
In this blog, we’re going to focus on one use case that demonstrates how OT and IT SOC personnel can work together in this context, using The Claroty Platform to more effectively detect, investigate, and respond to OT incidents across the attack surface from any location. There are lots of scenarios where this type of collaboration helps OT and IT teams better protect the OT networks that power the business. Here’s one example:
Unintentional Error Exposes an OT Asset to Risk
An OT engineer needs to conduct maintenance on a programmable logic controller (PLC) and opens a management of change (MoC) ticket requesting authorization to connect to the engineering workstation.
In the process, the OT engineer mistakenly downloads a new configuration to the PLC. Since this operation had not been approved by the OT manager and was not included in the MoC ticket, it immediately triggers an alert in Claroty Continuous Threat Detection (CTD).
Image 1: The alert triggered by the OT engineer’s mistake is visible in CTD and includes a root-cause analysis, relevant indicators, associated assets, and risk score.
An IT SOC analyst quickly sees the alert within CTD, which reveals the OT engineer who performed the unauthorized download and links to a live, over-the-shoulder video feed of their Secure Remote Access (SRA) session. After reviewing this information and watching the session, the analyst chooses to escalate to the IT SOC manager, who also decides to monitor the engineer’s still-active SRA session from CTD.
Image 2: All alerts related to an SRA session link to that session. All sessions can be monitored over-the-shoulder in real-time and are recorded in full for future audits and investigations. SRA administrators can also disconnect live SRA sessions when necessary.
Image 3: The IT SOC manager monitors the OT engineer’s session over-the-shoulder in real-time. This functionality is easily accessible by clicking into the SRA session directly from the related alert in CTD.
The IT SOC manager disconnects the engineer’s session and views the recording to further investigate the event that triggered the alert.
Image 4: The IT SOC Manager immediately disconnects the OT engineer’s SRA session.
Unable to reconnect to the engineering workstation, the OT engineer requests authorization for a new session from the OT manager.
Meanwhile, the IT SOC manager determines that the configuration download was an unintentional error and notifies the OT manager.
After applying further access control restrictions, the OT manager authorizes the OT engineer to restart their original session and opts to monitor it in real-time for peace of mind.
Image 5: The OT manager easily adjusts the OT engineer’s SRA privileges thanks to SRA’s granular and highly customizable access controls, all of which can be changed as necessary by administrators and support the principles of Zero Trust and Least Privilege.
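The detection step in the scenario above comes down to one correlation: every operation observed in a remote session is checked against the scope of the MoC ticket that authorized the session, and anything outside that scope (a different user, an asset the ticket does not cover, or an operation such as a configuration download that was never approved) raises an alert carrying a root cause and a risk score. The following is an added illustration of that logic, not Claroty code and not how CTD or SRA implement it internally; the key=value log format, the ticket and asset names, the risk weights, and the disconnect threshold are all constructed for the example.

```python
"""Correlate remote-session events against a management-of-change (MoC) ticket.

Constructed example: the log format, names and scoring are hypothetical and
are not Claroty's own data model or detection logic.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical risk weights: how much process-integrity risk an unauthorized
# operation of each kind carries (0-100). Unknown operations default to 50.
RISK_WEIGHTS = {
    "connect": 10,
    "read_tags": 20,
    "write_tag": 60,
    "mode_change": 80,
    "config_download": 90,  # new configuration or logic pushed to the PLC
}

@dataclass(frozen=True)
class MocTicket:
    """The approved change: which user may perform which operations on which assets."""
    ticket_id: str
    user: str
    assets: Set[str]
    operations: Set[str]

@dataclass(frozen=True)
class SessionEvent:
    timestamp: str
    session_id: str
    user: str
    asset: str
    operation: str

@dataclass(frozen=True)
class Alert:
    session_id: str
    user: str
    asset: str
    operation: str
    root_cause: str
    risk_score: int

def parse_event(line: str) -> SessionEvent:
    """Parse one session log line in the constructed 'key=value key=value' format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return SessionEvent(
        timestamp=fields["ts"],
        session_id=fields["session"],
        user=fields["user"],
        asset=fields["asset"],
        operation=fields["op"],
    )

def evaluate_event(event: SessionEvent, ticket: MocTicket) -> Optional[Alert]:
    """Return an Alert if the event falls outside the MoC ticket's scope, else None."""
    reasons = []
    if event.user != ticket.user:
        reasons.append(f"user {event.user} is not the approved user {ticket.user}")
    if event.asset not in ticket.assets:
        reasons.append(f"asset {event.asset} is not covered by {ticket.ticket_id}")
    if event.operation not in ticket.operations:
        reasons.append(f"operation {event.operation} is not approved in {ticket.ticket_id}")
    if not reasons:
        return None
    return Alert(
        session_id=event.session_id,
        user=event.user,
        asset=event.asset,
        operation=event.operation,
        root_cause="; ".join(reasons),
        risk_score=RISK_WEIGHTS.get(event.operation, 50),
    )

def evaluate_session(lines: List[str], ticket: MocTicket) -> List[Alert]:
    """Run every log line of a session against the ticket and collect the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate_event(parse_event(line), ticket)
        if alert is not None:
            alerts.append(alert)
    return alerts

def should_disconnect(alerts: List[Alert], threshold: int = 80) -> bool:
    """Session-level decision: any alert at or above the threshold warrants disconnecting."""
    return any(a.risk_score >= threshold for a in alerts)

# Constructed sample: the ticket approves connecting and reading tags only.
TICKET = MocTicket("MOC-1042", "ot.engineer", {"EWS-01", "PLC-07"}, {"connect", "read_tags"})
SESSION_LOG = [
    "ts=2020-11-23T09:00:01Z session=sra-5531 user=ot.engineer asset=EWS-01 op=connect",
    "ts=2020-11-23T09:02:14Z session=sra-5531 user=ot.engineer asset=PLC-07 op=read_tags",
    "ts=2020-11-23T09:05:40Z session=sra-5531 user=ot.engineer asset=PLC-07 op=config_download",
]

if __name__ == "__main__":
    found = evaluate_session(SESSION_LOG, TICKET)
    for a in found:
        print(f"ALERT [{a.risk_score}] session={a.session_id} {a.operation} on {a.asset}: {a.root_cause}")
    print("disconnect recommended:", should_disconnect(found))
```

Run as written, the first two events match the ticket and produce nothing, while the configuration download produces a single alert whose root cause names the unapproved operation and whose score is high enough that `should_disconnect` returns true, mirroring the SOC manager's decision in the scenario. Because the ticket is the source of truth, widening the engineer's privileges for the restarted session is a change to the ticket's `operations` or `assets` sets rather than to the detection code, which is the same separation of policy from enforcement that the granular SRA access controls in Image 5 rely on.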
Better prioritization of alerts and fewer false positives
Shorter response and remediation times
Reduced exposure to risk
More resilient operations
Put yourself in the seat of the OT and IT SOC managers in this scenario. Download the Claroty Use Case on Incident Response for Remote User Activity to view the highly customizable access controls, detailed alert information, and easily accessible investigation information The Claroty Platform provides OT and IT SOC managers at every step in the process.
We’re sure you can think of many additional scenarios where fully integrated remote incident management capabilities would help you efficiently and effectively strengthen your organization’s OT security posture. We’d love to speak with you about how to get started with Claroty CTD 4.2 and SRA 3.1.