Parsing Protocols for Complete OT Visibility Threat Management

The hardest part about OT security is visibility. Unlike IT networks, operators can’t easily plug in network monitoring and/or scanning tools and wait while everything communicating on their networks filters in. You can’t monitor OT networks unless you can monitor the protocols running, and you can’t monitor the protocols unless you know what they are. What’s more, an OT network could be running thousands of different protocols, many of which are closed, proprietary, and invisible to traditional scanning and monitoring tools. And so the old adage applies: you cannot manage that which you cannot see.

This is the obstacle OT network security vendors are trying to master, and there are plenty of companies jumping into the fray. Many are coming at the problem from an IT/OT convergence angle, which makes sense, as OT networks are increasingly falling under the purview of chief information security officers. Claroty, founded in 2015 by a team of experts with backgrounds in industrial control systems security and military intelligence, takes a different point of view. Its marketing literature says its value proposition is that they’re “native OT speakers fluent in every protocol.”

Lab-based, research-focused

As the largest company in the OT security space, Claroty was “conceived to protect the world’s most critical infrastructure,” said Dave Weinstein, Chief Security Officer, during a recent call. He explained how the company evolved with the OT landscape, especially after NotPetya and WannaCry hit ICS companies hard, and works closely with leading industrial automation and asset companies like Schneider Electric, Rockwell Automation, and Siemens, all of which are not only customers, but also investors.

A big part of the company’s success, Weinstein said, is that, due to the funding they’ve received and partnerships they’ve built, the company was able to operate in stealth mode for a year and a half, focusing entirely on lab research and testing. Access to such a vast array of protocols, and the research team’s ability to discover and parse OT protocols, how they’re integrated, how they communicate, and what “normal” looks like, gave Claroty a huge advantage once it emerged from stealth.

“Our customers are some of the largest discrete manufacturing, energy, and utilities companies in the world. Without the ability to conduct low-level research and learn the languages that these systems speak, it would have been hard to break ground. Companies like these have to be hesitant to work with startups—they’re critical infrastructure—but our labs, along with a robust professional services business, have allowed us to achieve near-perfect visibility of OT assets and awareness of unknown threats.”

Product growth derives from a large installation base in highly-complex, diverse ICS organizations around the world. The access the Claroty research team has to such a depth and breadth of protocols has resulted in high levels of visibility, both in terms of finding customers’ assets and in identifying the types of attacks and exploits used against them.

How it works

Once Claroty has been installed in a customer environment, the technology runs a deep packet capture to identify assets, how they communicate, and what communication paths and protocols are in use. From here, the platform monitors behaviors and builds a baseline profile for each asset. A centralized management console aggregates the information and gives operators a unified view of assets, alerts, and activities across OT environments. Claroty also offers a security posture assessment that uses information gleaned from data collection and monitoring and compares it against known CVEs, common misconfigurations, and other known weaknesses in OT systems. Here again, Claroty’s research work benefits customer assessments.
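The discover-then-baseline loop described above, reduced to its essentials as an added Python example (this is not Claroty’s code or a description of its internals): a learning pass turns parsed packet records into an asset inventory with a per-asset profile of peers, protocols and application function codes, and a monitoring pass reports anything outside that profile. The port-to-protocol table uses the standard TCP ports for Modbus/TCP, S7comm, EtherNet/IP and DNP3; every traffic record is constructed for the example.

```python
"""Passive OT asset discovery and per-asset baselining over parsed packet
records. Added example, not Claroty's code; all traffic below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Standard TCP ports of common OT protocols, used to label flows passively.
OT_PORTS = {502: "modbus/tcp", 102: "s7comm", 44818: "enip", 20000: "dnp3"}


@dataclass(frozen=True)
class Observation:
    """One parsed packet: who talked to whom, on which port, with which
    application-layer function code (None when the parser yields none)."""
    ts: int
    src: str
    dst: str
    dport: int
    func: Optional[int] = None


@dataclass
class AssetProfile:
    peers: Set[str] = field(default_factory=set)      # addresses this asset talks to
    protocols: Set[str] = field(default_factory=set)  # protocols seen on its flows
    funcs: Set[int] = field(default_factory=set)      # function codes sent *to* it


def protocol_of(obs: Observation) -> str:
    """Label a flow by destination port; unknown ports keep a generic tag."""
    return OT_PORTS.get(obs.dport, f"tcp/{obs.dport}")


def build_baseline(observations: List[Observation]) -> Dict[str, AssetProfile]:
    """Learning phase: every address seen becomes an asset, and its profile
    accumulates peers, protocols and (for targets) function codes."""
    profiles: Dict[str, AssetProfile] = defaultdict(AssetProfile)
    for o in observations:
        proto = protocol_of(o)
        for asset, peer in ((o.src, o.dst), (o.dst, o.src)):
            profiles[asset].peers.add(peer)
            profiles[asset].protocols.add(proto)
        if o.func is not None:
            profiles[o.dst].funcs.add(o.func)
    return dict(profiles)


Alert = Tuple[int, str, str, str]  # (ts, kind, asset, detail)


def detect(baseline: Dict[str, AssetProfile], observations: List[Observation]) -> List[Alert]:
    """Monitoring phase: report anything outside the learned profile. Each
    (kind, asset, detail) is reported once so a chatty flow does not flood."""
    alerts: List[Alert] = []
    seen: Set[Tuple[str, str, str]] = set()

    def emit(ts: int, kind: str, asset: str, detail: str) -> None:
        key = (kind, asset, detail)
        if key not in seen:
            seen.add(key)
            alerts.append((ts, kind, asset, detail))

    for o in observations:
        proto = protocol_of(o)
        for asset, peer in ((o.src, o.dst), (o.dst, o.src)):
            prof = baseline.get(asset)
            if prof is None:
                emit(o.ts, "new-asset", asset, f"first seen talking to {peer}")
                continue
            if peer not in prof.peers:
                emit(o.ts, "new-peer", asset, peer)
            if proto not in prof.protocols:
                emit(o.ts, "new-protocol", asset, proto)
        target = baseline.get(o.dst)
        if o.func is not None and target is not None and o.func not in target.funcs:
            emit(o.ts, "new-function", o.dst, f"{proto} func {o.func}")
    return alerts


# Constructed learning traffic: an HMI and a historian polling two PLCs.
LEARNING = [
    Observation(1, "10.0.1.10", "10.0.2.20", 502, 3),   # HMI reads holding registers (Modbus fc 3)
    Observation(2, "10.0.1.10", "10.0.2.21", 102),      # HMI talks S7comm to PLC 2
    Observation(3, "10.0.1.11", "10.0.2.20", 502, 3),   # historian polls PLC 1
    Observation(4, "10.0.1.10", "10.0.2.20", 502, 3),
]

# Constructed monitoring traffic: one normal poll, then three deviations.
MONITORING = [
    Observation(100, "10.0.1.10", "10.0.2.20", 502, 3),   # matches baseline, no alert
    Observation(101, "10.0.1.10", "10.0.2.20", 502, 16),  # Modbus fc 16 (write multiple registers): never baselined
    Observation(102, "10.0.9.99", "10.0.2.20", 502, 3),   # address never seen before polls PLC 1
    Observation(103, "10.0.1.11", "10.0.2.21", 44818),    # historian uses EtherNet/IP to PLC 2: new peer and protocol
]

if __name__ == "__main__":
    base = build_baseline(LEARNING)
    print("assets:", sorted(base))
    for ts, kind, asset, detail in detect(base, MONITORING):
        print(f"t={ts} {kind:13} {asset:10} {detail}")
```

The monitoring pass is deliberately symmetric: a new peer is reported on both ends of the flow, because in an OT network the PLC being polled by an unexpected address is as much a finding as the address doing the polling. Function codes are tracked only on the target, since a first-ever write to a controller that has only ever been read from is the deviation an operator wants surfaced.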

When looking across the range of OT security products, Claroty stands out for its top-tier investors and backers, team, and research organization. The lab they maintain means that they’re able to identify a unique heartbeat for every protocol that might be present on an OT network. Bigger isn’t always better, but the research team’s size, in this case, along with access to marquee clients’ environments, is definitively advantageous here.

Claroty has assembled a first-class team to help customers achieve full network visibility, reliable correlation across assets, and quick identification of vulnerabilities and threats in hard-to-find places. Its integration ecosystem also allows system administrators to receive and remediate alerts on their own terms, which helps with IT/OT convergence (despite this not being a main value statement, Claroty does recognize its importance to customers).

Weinstein assured me that in bake-offs with other solution providers Claroty provides “as close to 100% coverage as you can get.” If you have governance over an OT network, request a demo and see what they can see...on your OT network.