OT Security Is Moving to the Endpoint – Where Humans Interact


When asked why he robbed banks, Depression-era bank robber Willie Sutton purportedly replied, “Because that’s where the money is.” If Sutton had been a modern-day cybercriminal, the corollary would be, “Why do you attack endpoints? Because that’s where humans interact.”

In IT security, the biggest threat vectors are social engineering, credential theft and vulnerability exploits. In OT, there are certainly malicious attacks, but many threats involve inadvertent mistakes by employees or authorized third-party technicians who come and go, often remotely. Plant floors are abuzz with activity as internal and external teams work together to keep processes running smoothly.

Without endpoint security, there’s no way to correlate user activity with network events. That is, there’s no way to know who plugged in, when, and what they were doing until their commands have already been executed on the network. That’s too late.

This has always been a challenge in OT. Passive network monitoring, remote collectors and even intermittent polling are great at spotting communications between workstations and PLCs, but not who’s on the machine.

Despite the usual concerns about installing agents on OT endpoints, customers’ attitudes are coming around. Instead of continuing to forego endpoint security for fear of the harm or disruption that agents may cause, we’re starting to hear this:

“It’s not enough to know that this HMI is talking to that PLC. I need to know User A was logged into the HMI at the time this command was sent out.”
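The correlation that quote asks for is a join between two data sources: session intervals reported by an endpoint agent (host, user, logon, logoff) and commands observed on the wire by a network sensor (time, source host, target PLC, operation). The following is an added illustration of that join, not Nozomi Arc code; the host names, account names, PLC addresses and every event in it are constructed for the example.

```python
"""Correlate endpoint session data with network-observed control commands.

Added example, not Nozomi Arc code.  The session records (what an endpoint
agent would report) and the command records (what a passive network sensor
would see) are constructed for this illustration, as are the host names,
user names and PLC addresses."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def ts(s: str) -> datetime:
    """Parse an ISO-8601 string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    host: str                # endpoint hostname reported by the agent
    user: str                # interactive account on that host
    start: datetime          # logon time
    end: Optional[datetime]  # logoff time; None if still logged on


@dataclass(frozen=True)
class Command:
    when: datetime
    src_host: str            # host that originated the write, per the network sensor
    dst_plc: str
    op: str
    value: float


# Constructed sample data.
SESSIONS = [
    Session("HMI-01", "opr.jones", ts("2024-03-12T06:55:00"), ts("2024-03-12T15:02:00")),
    Session("HMI-01", "eng.patel", ts("2024-03-12T15:10:00"), None),
    Session("EWS-02", "svc.integrator", ts("2024-03-12T13:40:00"), ts("2024-03-12T14:05:00")),
]

COMMANDS = [
    Command(ts("2024-03-12T13:52:10"), "EWS-02", "10.20.1.5", "download_logic", 0.0),
    Command(ts("2024-03-12T15:04:30"), "HMI-01", "10.20.1.7", "write_setpoint", 98.5),
    Command(ts("2024-03-12T15:12:00"), "HMI-01", "10.20.1.7", "write_setpoint", 72.0),
]


def active_user(sessions, host: str, when: datetime) -> Optional[str]:
    """Return the account with an open session on `host` at `when`, or None."""
    for s in sessions:
        if s.host == host and s.start <= when and (s.end is None or when <= s.end):
            return s.user
    return None


def attribute(commands, sessions):
    """Pair every network-observed command with the user responsible for it.

    A None user is itself a finding: the command came from a host with no
    interactive session the agent knows about (automation, an unmanaged
    connection, or a gap in agent coverage)."""
    return [(c, active_user(sessions, c.src_host, c.when)) for c in commands]


if __name__ == "__main__":
    for cmd, user in attribute(COMMANDS, SESSIONS):
        who = user or "NO KNOWN SESSION"
        print(f"{cmd.when:%H:%M:%S} {cmd.src_host} -> {cmd.dst_plc} {cmd.op}={cmd.value}: {who}")
```

In the sample data the 15:04:30 setpoint write lands in the gap between one operator’s logoff and the next engineer’s logon, so it is attributed to nobody. That is the case a network sensor alone can never distinguish from a normal write, and the case an analyst most wants escalated.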

Technology has finally evolved to meet the needs of industrial environments. Safe, non-disruptive agents, including Nozomi Arc, released in 2023, are purpose-built for OT endpoints. Unfortunately, negative experiences deploying IT-focused agents on OT devices have set the industry back. The now-notorious defective content update to CrowdStrike’s Falcon endpoint sensor, which caused massive worldwide outages on Windows devices on July 19, 2024, didn’t help matters.

OT engineering and InfoSec teams looking for defense in depth should not be deterred by the CrowdStrike-related crash. However, the incident does highlight how critical it is that endpoint security vendors engineer their products around the high availability requirements of OT endpoints. The Falcon failure was a kernel-mode sensor component consuming a malformed content file, and a fault in kernel mode takes the whole host down with it. Nozomi Arc, for example, does not operate at the kernel level of the host operating system, will never reboot your machines and is very light on system resources.

Why Don’t IT Agents Work for OT?

Endpoint security agents are a standard part of IT security deployments, not just on desktop computers, laptops and printers but on the explosion of IoT and remote devices. OT operators traditionally shy away from active monitoring due to concerns over system uptime and operational impact. Those concerns are well founded. Here are some of the main reasons traditional endpoint agents fall short in industrial environments:

1. Heavyweight and Disruptive

Many OT devices and controllers have limited computing power and memory, sized for one specific task. Even a standard antivirus agent consumes too many resources. IT endpoint security solutions also typically require a system reboot after installation, which means downtime.

2. Wrong Threats

Traditional vulnerability scanners and intrusion prevention systems are designed to detect IT threats, using heuristics and machine learning models trained on IT environments. They don’t look for industrial threats, don’t understand industrial communication protocols and don’t recognize OT baselines. The consequences range from rendering engineering hardware unresponsive, to flagging legitimate safety-protocol or control-system commands as malicious, to stopping a process or deleting a critical application the agent perceives as malware.

3. OEM Vendor Certifications

OT/ICS devices are typically certified by OEM vendors for specific configurations that installing an agent would invalidate. That’s a legitimate concern, but endpoint agents purpose-built for OT devices are winning over OEMs that realize industrial cybersecurity must move to the endpoint to protect critical assets, especially in critical infrastructure — if it does so safely.

Deep Asset Context for Troubleshooting and Forensics

OT endpoint sensors provide detailed data including device type, vendor, OS or firmware version, serial number, IP and MAC addresses, nodes, zones, protocols used, active accounts and suspicious user activity. They can analyze event patterns in host log files using Sigma rules and spot in-progress events involving malware, credential theft, script downloading and more. This context is useful for both operators and security analysts.

Giving operators troubleshooting information they never had goes a long way toward building the case for cybersecurity – and trust. With endpoint sensors, they can see not just configuration changes and anomalies but also who’s logged onto a device, what other devices it’s communicating with and what protocols it’s using. Two big wins are visibility into East-West traffic and unauthorized USB connections.

Visibility into East-West Traffic and USB Connections

In the pervasive Purdue Model used in OT environments, information is allowed to flow up between levels, while firewalls tightly restrict anything flowing down. East-West traffic within a level, however, is a black hole. Customers have been craving this visibility, especially OT operators who need to see what’s communicating with what within a zone.

In IT, USB use has waned drastically because files are easily transferred via the cloud. In OT environments, however, USB drives are still commonly used to move files between restricted Purdue levels. While most file transfers are routine, the practice is risky. Worst case, a BadUSB device carries reprogrammed controller firmware that enumerates as a keyboard and types malicious commands into the victim’s computer, so no file ever has to be opened. Endpoint sensors like Arc detect when and where a USB device is plugged in and any non-human activity that follows, such as commands, scripts or data movement.
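The Sigma-rule matching described under Deep Asset Context and the USB detection described just above come together in the following added example. It is not Nozomi Arc’s implementation; it is a minimal matcher for the subset of Sigma rule syntax used by the two rules it carries (field/modifier selections, a `selection and not filter` condition), run over constructed Windows Security and Sysmon events. The rule bodies are reduced from patterns in public Sigma rules; the host name, file paths and event records are made up for the illustration.

```python
"""Minimal Sigma-style matching over host log events.

Added example, not Nozomi Arc internals.  Supports only what the two rules
below need: plain, |contains, |startswith and |endswith field modifiers,
lists OR-ed within a field, and the conditions 'selection' and
'selection and not filter'.  Events are constructed for this illustration."""

RULES = [
    {   # Windows Security 6416: "A new external device was recognized by the system".
        "title": "External device recognized (USB)",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 6416,
                          "ClassName|contains": ["USB", "Keyboard", "DiskDrive"]},
            "condition": "selection",
        },
    },
    {   # Sysmon 10: a process opened a handle to lsass.exe (credential-dumping pattern),
        # excluding a few system callers that do this legitimately.
        "title": "Suspicious access to LSASS",
        "logsource": {"product": "windows", "service": "sysmon"},
        "detection": {
            "selection": {"EventID": 10, "TargetImage|endswith": "\\lsass.exe"},
            "filter": {"SourceImage|endswith": ["\\csrss.exe", "\\wininit.exe", "\\MsMpEng.exe"]},
            "condition": "selection and not filter",
        },
    },
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier': value entry; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for want in (expected if isinstance(expected, list) else [expected]):
        a, w = str(actual).lower(), str(want).lower()   # Sigma string matching is case-insensitive
        if (modifier == "" and a == w) or (modifier == "contains" and w in a) \
           or (modifier == "startswith" and a.startswith(w)) \
           or (modifier == "endswith" and a.endswith(w)):
            return True
    return False


def _block_matches(event, block):
    """Every field in a selection block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule, event):
    if event.get("_source") != rule["logsource"]["service"]:
        return False
    det, cond = rule["detection"], rule["detection"]["condition"]
    if cond == "selection":
        return _block_matches(event, det["selection"])
    if cond == "selection and not filter":
        return _block_matches(event, det["selection"]) and not _block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {cond}")


def scan(events, rules=RULES):
    """Return (rule title, event) for every hit, in event order."""
    return [(r["title"], e) for e in events for r in rules if rule_matches(r, e)]


# Constructed events as an agent on an HMI might collect them.
EVENTS = [
    {"_source": "security", "EventID": 6416, "Computer": "HMI-01",
     "ClassName": "USBDevice", "DeviceDescription": "USB Mass Storage Device"},
    {"_source": "security", "EventID": 6416, "Computer": "HMI-01",     # the BadUSB shape:
     "ClassName": "Keyboard", "DeviceDescription": "HID Keyboard Device"},  # a "drive" that is a keyboard
    {"_source": "sysmon", "EventID": 10, "Computer": "HMI-01",
     "SourceImage": "C:\\Windows\\System32\\wininit.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},                # benign, filtered out
    {"_source": "sysmon", "EventID": 10, "Computer": "HMI-01",
     "SourceImage": "C:\\Users\\tech\\Downloads\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},                # credential dump attempt
    {"_source": "security", "EventID": 4624, "Computer": "HMI-01", "TargetUserName": "opr.jones"},
]

if __name__ == "__main__":
    for title, ev in scan(EVENTS):
        print(f"[{title}] {ev['Computer']} EventID={ev['EventID']} "
              f"{ev.get('ClassName') or ev.get('SourceImage')}")
```

Note that the USB rule fires on the device’s class, not on what the label on the plastic says: a thumb drive whose firmware enumerates as a keyboard shows up as `ClassName: Keyboard`, which is exactly the signal a BadUSB device cannot hide from a host-side sensor but never appears on the network.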

Spotting Cyber Risks with OT Endpoint Visibility

Here are several specific scenarios involving either unintentional harm or malicious intent where endpoint visibility makes a difference:

1. Infected Third-Party Laptop

A systems integrator is performing maintenance on a PLC. Unbeknownst to them, their laptop is infected with a piece of malware, and when they plug in, it makes its way to the PLC. With network monitoring alone, you would discover the malware only once it hit the network, which may be too late.

2. Operator Error

A newly hired engineer accidentally changes an HMI configuration or issues a nonsensical command. Real-time device monitoring would alert the operator to the error before it causes harm. Instead of an incident you have a training opportunity.

3. Malicious Insider Threat

A disgruntled employee intentionally changes the setpoint on an HMI. A security analyst would be alerted that the value is outside of normal parameters, but an operator with intimate knowledge of operations — and team members — would know whether to panic.

4. Stolen Credentials

An alert indicates an authorized person is logged into two places at the same time, but in time zones 3,000 miles apart. A user’s credentials were certainly breached, but when and on what machine?
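The stolen-credentials scenario is a concurrent-session check that needs per-host logon data, which is what an endpoint agent supplies. The following added example, not Nozomi code, runs that check over constructed logon records: it pairs overlapping sessions of the same account, measures the great-circle distance between the sites, and reports the later logon’s host and start time, which is the “when and on what machine” the scenario asks for. The site names, coordinates, hosts and accounts are all hypothetical.

```python
"""Flag one account logged on concurrently at sites too far apart to be the
same person.  Added example, not Nozomi code.  The logon records (what an
endpoint agent would report from each host), the site names and their
coordinates are constructed for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Logon:
    user: str
    host: str
    site: str
    start: datetime
    end: Optional[datetime]   # None = still logged on


# Hypothetical plant sites: (latitude, longitude).
SITES = {
    "Houston": (29.76, -95.37),
    "Baytown": (29.74, -94.98),
    "Los Angeles": (34.05, -118.24),
}

# Constructed logon records.
LOGONS = [
    Logon("eng.patel", "HMI-01", "Houston", ts("2024-03-12T08:00:00"), ts("2024-03-12T16:00:00")),
    Logon("eng.patel", "HMI-04", "Baytown", ts("2024-03-12T09:30:00"), ts("2024-03-12T10:00:00")),
    Logon("eng.patel", "EWS-07", "Los Angeles", ts("2024-03-12T10:15:00"), None),
    Logon("opr.jones", "HMI-02", "Houston", ts("2024-03-12T06:00:00"), ts("2024-03-12T14:00:00")),
    Logon("opr.jones", "HMI-09", "Los Angeles", ts("2024-03-12T15:00:00"), None),
]

FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)


def miles_between(a, b) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points in statute miles."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def overlaps(a: Logon, b: Logon) -> bool:
    """True if the two sessions were open at the same moment."""
    return a.start < (b.end or FAR_FUTURE) and b.start < (a.end or FAR_FUTURE)


def concurrent_distant_logons(logons, min_miles: float = 500.0):
    """One alert per pair of overlapping sessions of the same account whose
    sites are at least `min_miles` apart.  The later logon is the suspect:
    its host and start time say where and when the credential was misused.
    Nearby sites (an engineer walking between two plants) stay under the
    threshold and are not alerted."""
    by_user = {}
    for logon in logons:
        by_user.setdefault(logon.user, []).append(logon)
    alerts = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s.start)
        for i, earlier in enumerate(sessions):
            for later in sessions[i + 1:]:
                if not overlaps(earlier, later):
                    continue
                miles = miles_between(SITES[earlier.site], SITES[later.site])
                if miles >= min_miles:
                    alerts.append({
                        "user": user,
                        "suspect_host": later.host,
                        "suspect_site": later.site,
                        "at": later.start,
                        "also_active_on": earlier.host,
                        "miles_apart": round(miles),
                    })
    return alerts


if __name__ == "__main__":
    for a in concurrent_distant_logons(LOGONS):
        print(f"{a['user']}: logon on {a['suspect_host']} ({a['suspect_site']}) at {a['at']:%H:%M} "
              f"while still active on {a['also_active_on']}, {a['miles_apart']} mi away")
```

The distance threshold is what separates a breach from normal life: the same engineer active at Houston and at Baytown twenty-odd miles away is routine, while Houston and Los Angeles at the same moment is not. Sessions that don’t overlap in time, even across the country, are a different question (travel speed) and are deliberately not flagged here.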

Top Use Cases for OT Endpoint Sensors

Passive network monitoring is the standard for industrial environments. But there will always be dozens of scenarios where adding a network sensor isn’t feasible. Network sensors are cyber workhorses, but implementing them is labor intensive and can require planned downtime, for example to insert a TAP or reconfigure a switch. Remote collectors and smart polling can help cover hard-to-reach and unmanned locations, but nothing is better than endpoint detection.

Here are common situations where endpoint detection makes the most sense.

1. Strategic Deployment on Crown Jewels

Suppose network monitoring is overkill for your environment, but you still have critical assets to protect. Endpoint sensors enable you to deploy agents only on those assets, to monitor what matters most. They can be installed on hundreds of key endpoints with a few clicks and no reboot.

2. Speedier, No Hassle Deployment

Suppose you have a remote substation where switches can only be reconfigured during a one-hour annual outage — next February. Or maybe you’re dealing with a 12-year-old line switch with no free ports. Again, just install endpoint sensors with no reboot.

3. Low Bandwidth, High-Latency Network

Cargo ships are prime candidates for endpoint sensors. They depend on satellite links for connectivity, and it’s almost impossible to deploy cabling.

4. One-Time or Short-Term Monitoring

Say you just want to monitor that contract technician while he’s plugged in. You can install an endpoint sensor to monitor the machine he’s connected to and configure it to delete itself when he logs out.

5. Monitoring Offline Devices

Nozomi Arc collects data locally even when the host device is not sending or receiving traffic and sends it upstream when the user connects to the network. This is a great way to get detailed audit trails from field devices and mobile workers.

Defense in Depth Where It’s Needed Most

Detecting and alerting on abnormalities in real time, while the user is active, is the key to preventing harm. Purpose-built endpoint sensors for OT devices are defense in depth at its best. They shed light on once unreachable, unmonitored areas of your environment where network sensors aren’t practical, or simply can’t see East-West traffic, USB ports, log files, local network traffic and user activity.

Nozomi Arc allows endpoints to initiate all data collection locally and push it upstream, and it can laterally discover devices in the same subnet or zone without requiring a network sensor or remote collector. This is tremendously valuable at Purdue Level 2 to see if and how HMIs and EWSs are communicating with each other. The next frontier is in-depth visibility at Purdue Level 1 and 0… and that’s just around the corner.