
Splunk Lantern

Integrating Operational Technology security products into Splunk

Operational Technology (OT) environments commonly use specific ports and protocols when communicating with industrial control systems (ICS) and industrial OT devices like programmable logic controllers (PLCs) and remote terminal units (RTUs). Identifying and labeling this traffic can be helpful to understand communications across the network and can also help you remove ambiguity around the intent of the traffic. 

Since many OT protocols lack authentication mechanisms, most OT devices accept read requests and commands from any host that can reach them. Identifying industrial protocols helps organizations determine the nature of the traffic and can also be used to detect unauthorized communication to an OT device.

Data required

It is strongly recommended to use official add-ons for these security products. Leveraging vendor-supported add-ons makes implementation of these use cases significantly easier.

How to use Splunk software for this use case

Stage 1: Update the get_ot_products_data macro for OT Security data 

In this stage, we want to update a macro which points to any OT Security product data. This macro is also foundational to the additional macros we will configure in later stages and must be implemented for any of the other macros to work correctly. The macro get_ot_products_data is preconfigured for common OT security product source types. However, you should double-check the existing macro to ensure it captures every source type that carries data from an OT security product. 

To do this, you can: 

  1. In the Settings menu in the Splunk platform, go to the Knowledge Section, Advanced Search
  2. Type or copy and paste the macro get_ot_products_data into the text filter. 
  3. Verify that the Definition section matches the data in your environment. 
  4. If it does not, click the name of the macro to open the editor. 
  5. Update the macro's Definition to match the appropriate source types and save it. 
  6. Run this macro in a search bar to ensure it returns the appropriate data. 

Stage 2: Update the get_ot_products_assets macro for OT Security Asset data 

The get_ot_products_assets macro needs to be updated to point only to data that contains information on assets or devices detected by the OT security product. 

  1. In the Settings menu in the Splunk platform, go to the Knowledge Section, Advanced Search
  2. Type or copy and paste the macro get_ot_products_assets into the text filter. 
  3. Verify that the Definition section is set up to only point to data sources containing OT assets. 
  4. If it is not, click the name of the macro to open the editor. 
  5. Update the macro's Definition to match the appropriate source types and save it. 
  6. Run this macro in a search bar to ensure it returns the appropriate data. 

Stage 3: Update the get_ot_products_security_events macro for Security Events 

The get_ot_products_security_events macro needs to be updated to point only to data that contains security events from the OT Security Product. 

  1. In the Settings menu in the Splunk platform, go to the Knowledge Section, Advanced Search
  2. Type or copy and paste the macro get_ot_products_security_events into the text filter. 
  3. Verify that the Definition section is set up to only point to data sources containing OT product security events. 
  4. If it is not, click the name of the macro to open the editor. 
  5. Update the macro's Definition to match the appropriate source types and save it. 
  6. Run this macro in a search bar to ensure it returns the appropriate data. 

Stage 4: Update the get_ot_products_vulns macro for vulnerabilities 

The get_ot_products_vulns macro needs to be updated to point only to data that contains information on vulnerabilities detected by the OT Security Product. 

  1. In the Settings menu in the Splunk platform, go to the Knowledge Section, Advanced Search
  2. Type or copy and paste the macro get_ot_products_vulns into the text filter. 
  3. Verify that the Definition section is set up to only point to data sources containing vulnerabilities detected. 
  4. If it is not, click the name of the macro to open the editor. 
  5. Update the macro's Definition to match the appropriate source types and save it. 
  6. Run this macro in a search bar to ensure it returns the appropriate data. 
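The four stages above describe one macros.conf layout: a base macro that selects all OT security product data, and three narrower macros that build on it. The fragment below is an added illustration of that layout, not the definitions shipped with any add-on; the index name and the vendor:ot:* source types are placeholders and must be replaced with the source types your OT security product add-on actually produces.

```ini
# macros.conf (illustrative; not an add-on's shipped definitions)
# Placeholder index and source types: substitute the real ones from your
# OT security product add-on before saving.

# Stage 1: the foundational macro. Every other macro expands this one,
# so a source type missing here is missing from all of them.
[get_ot_products_data]
definition = (index=ot_security sourcetype="vendor:ot:assets" OR sourcetype="vendor:ot:events" OR sourcetype="vendor:ot:vulns")
iseval = 0

# Stage 2: only records describing assets/devices detected by the product.
[get_ot_products_assets]
definition = `get_ot_products_data` sourcetype="vendor:ot:assets"
iseval = 0

# Stage 3: only security events raised by the product.
[get_ot_products_security_events]
definition = `get_ot_products_data` sourcetype="vendor:ot:events"
iseval = 0

# Stage 4: only vulnerability findings reported by the product.
[get_ot_products_vulns]
definition = `get_ot_products_data` sourcetype="vendor:ot:vulns"
iseval = 0
```

For the step 6 check in each stage, a search such as `` `get_ot_products_data` | stats count by sourcetype `` shows at a glance which of the listed source types are actually returning events and which are misnamed or not yet ingested.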

Next steps

After implementing these searches and macros, you might be interested in exploring more ways to monitor data coming in from OT Security Products. Each of these macros can be used to build dashboards such as the one shown below: 

[Figure: MFG - Integrating OT Security Products.png]

These additional resources might help you understand and implement this guidance: