Nov 18, 2021
By Sarah Czarnowski

Why Device Security, Context, and Monitoring Are More Important Than Ever

The Internet of Things (IoT) is growing quickly, both for personal use and commercial applications. That means more devices than ever are connected to the Internet—a trend that has far-reaching effects on the way we live and work.

Recently, increased use of these connected devices for critical infrastructure has put them in the spotlight as possible weak spots for organizations. Hackers can infiltrate networks and obtain access to such devices—broadly known as operational technology, or OT—which include industrial control systems (ICS), HVAC systems, sensors, cameras, and other crucial technology used in businesses, factories, and hospitals.

This has already happened in several high-profile situations.

For example, in 2021, Colonial Pipeline, the company responsible for the largest pipeline system in the U.S., was very publicly impacted by a cyber-attack. The attackers were only able to exploit IT systems like laptops and servers, but the company was forced to take OT devices offline as a safeguard, leading to massive temporary fuel shortages in the U.S.

Also in 2021, security startup Verkada was victimized by hackers who gained access to thousands of video feeds through administrator accounts using valid credentials found online. According to The Verge, this included cameras in hospitals, jails, schools, police stations, and more.

And in 2016, the Mirai botnet—created by a small group of college students—took advantage of insecure OT devices by scanning the Internet and attempting to gain access to the devices with default passwords. The result was thousands of compromised OT devices being used to send a flood of traffic to overwhelm and disrupt servers. At one point, more than 900,000 Deutsche Telekom customers in Germany had their Internet service disrupted due to the Mirai botnet.

These events make it obvious that OT-related hacks can be devastating. So, why are many organizations so vulnerable to them?

Some primary reasons are that OT devices have stripped-down operating systems, lack a built-in ability to be patched remotely, and are in physically remote or inaccessible locations. Plus, some organizations simply don’t understand their level of threat exposure, and they don’t have the in-house resources to help get it under control.

That being said, organizations wishing to fortify their OT security can do so by taking a few key steps. Let’s take a look at those now.

4 Key Capabilities for OT Security

Here are some of the most crucial parts of a comprehensive OT security program:

  • A single, trusted inventory: Since they usually lack a centralized inventory of all their devices, equipment, and facilities, it’s difficult for most organizations to make basic decisions during and after a cyber-attack—like determining if a security event was targeting a specific device. That’s why having a comprehensive database that includes all equipment and devices is vitally important. Organizations need to be able to quickly see every device in their network (including manually-added devices with network connection capabilities) when a cyber-attack occurs.
  • Full device context: When a device is purchased and added to the network, the technician should input the device details into the inventory—including make, model, serial number, location, owner name, latest software patches, and owning department. The ability to reference this information is key during a cybersecurity event because it enables security personnel to make faster and more effective decisions.
  • Passive monitoring: Devices need to be passively monitored, since most OT is not designed to have active monitoring software installed. Passive monitoring software understands device behavior and compares the real-time device state and behavior to “known-good” baselines for similar devices. Ideally, these comparisons should be tracked in a crowdsourced model so that there’s a knowledgebase with information on millions of devices.
  • An integrated system of action: Beyond monitoring, there must also be a security orchestration, automation, and response system of action so all teams can work together to enable rapid remediation of security events. When a security event takes place, the security team should be able to see the full context of the affected device(s)—including the device owner and the appropriate remediation process. Then, a trackable work order can be automatically dispatched to the appropriate technician(s). This system of action should also be fully integrated with the passive monitoring software so teams can get the full picture—including which devices are being affected, where they are, and exactly what needs to be done.
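To make these four capabilities concrete, the following is an added Python example (not Nuvolo's or Armis's code) that ties them together: a passively observed network flow is compared to a known-good baseline for the device's model, the result is enriched with inventory context (make, model, serial, location, owner, department), and a deviation becomes a work order addressed to the owner. The inventory entries, baselines, runbooks, MAC addresses and flows are all constructed for illustration; a device missing from the inventory is reported as its own finding.

```python
"""Enrich passive-monitoring observations with OT inventory context
and turn deviations into work orders (added example, constructed data)."""

# Constructed inventory keyed by MAC address; fields mirror the device
# details the post says a technician should record at purchase time.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"make": "Acme", "model": "HVAC-200", "serial": "SN1001",
                          "location": "Plant 2 / Roof", "owner": "facilities@example.com",
                          "department": "Facilities", "patch_level": "2021-09"},
    "00:1a:2b:3c:4d:5f": {"make": "Acme", "model": "CAM-10", "serial": "SN2002",
                          "location": "Lobby", "owner": "security@example.com",
                          "department": "Physical Security", "patch_level": "2021-06"},
}

# Constructed "known-good" baselines per model: destination ports the
# device type is expected to talk to (Modbus/TLS for HVAC, RTSP/TLS for cameras).
BASELINES = {"HVAC-200": {502, 443}, "CAM-10": {554, 443}}

# Constructed remediation runbooks per owning department (assumption).
RUNBOOKS = {"Facilities": "Isolate device VLAN, verify firmware, reset credentials",
            "Physical Security": "Take feed offline, rotate admin credentials"}


def check_flow(mac: str, dst_port: int) -> dict:
    """Compare one observed flow (mac -> dst_port) against the model baseline.
    Returns a finding dict; 'work_order' is populated only for deviations."""
    asset = INVENTORY.get(mac)
    if asset is None:
        # A device the inventory does not know is itself a finding:
        # nobody owns it and no baseline applies.
        return {"status": "unknown_device", "mac": mac, "work_order": None}
    expected = BASELINES.get(asset["model"], set())
    if dst_port in expected:
        return {"status": "ok", "mac": mac, "work_order": None}
    work_order = {
        "assignee": asset["owner"],
        "device": f'{asset["make"]} {asset["model"]} ({asset["serial"]})',
        "location": asset["location"],
        "patch_level": asset["patch_level"],
        "action": RUNBOOKS.get(asset["department"], "Escalate to security team"),
    }
    return {"status": "deviation", "mac": mac, "port": dst_port, "work_order": work_order}


if __name__ == "__main__":
    # Constructed sample flows: an expected Modbus flow, a telnet attempt
    # from the HVAC controller, and a flow from a device not in the inventory.
    for mac, port in [("00:1a:2b:3c:4d:5e", 502), ("00:1a:2b:3c:4d:5e", 23),
                      ("aa:bb:cc:dd:ee:ff", 80)]:
        print(check_flow(mac, port))
```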

How Nuvolo OT Security & Armis Can Help

Nuvolo’s OT Security solution—the industry’s first OT security solution built on ServiceNow—provides security, equipment, and device teams with the visibility and capabilities they need to identify and address threats quickly and accurately.

It works by matching security, utilization, and discovery events against OT asset data—like MAC and IP address, serial number, location, and owner—to drive actions that remediate a security threat quickly and accurately. These processes can even be automated through remediation-related workflows.

And now, Nuvolo has partnered with Armis to further enhance our OT Security solution. Armis brings in device discovery, security event, and vulnerability information, helping to maintain the integrity of Nuvolo’s cloud-based single inventory of devices, equipment, and facilities systems. Plus, Nuvolo adds context from this inventory to security events identified by Armis, enabling a system of action (like we discussed above) to help correct device security issues.

Learn more about the capabilities of Nuvolo OT Security here.