Protecting Operational Technology (OT) environments
Operational Technology (OT) environments drive your critical business functions and generate revenue for your company, yet your organization has very limited visibility into its critical assets. You need to learn how to use out-of-the-box tools and content from Splunk to help your organization protect your operational environment, your workers, and your revenue.
How to use Splunk software for this use case
For organizations that operate assets, networks, and facilities across both traditional IT and industrial (OT) environments, the OT Security Add-on for Splunk enables them to use Splunk Enterprise Security to improve threat detection, incident investigation, and response.
The OT Security Add-on expands the Splunk platform with content for threat and attack monitoring, compliance, incident investigation, forensics, and incident response across a broad spectrum of assets and topologies, from SCADA systems to programmable logic controllers (PLCs), that define modern manufacturing practices. It can help you get started on your security journey by providing out-of-the-box dashboards and correlation rules covering perimeter security, infrastructure monitoring, and integration with OT security platforms. The add-on maps its content to traditional security frameworks such as MITRE ATT&CK, CIS 18, and the Kill Chain, as well as to MITRE ATT&CK for ICS.
Components of the OT Security add-on include:
- OT security overview
- Perimeter monitoring
- Infrastructure monitoring
- Centralized view across partner technologies
- NERC CIP compliance reporting
- Correlation rules including mapping to security frameworks like MITRE ATT&CK for ICS, CIS 20, and others
- Integration with Splunk Enterprise Security
- Mapping of use case content (analytics stories)
Some commands, parameters, and field names in the searches below might need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Detect unapproved media (USB Drive) on OT assets
Data required: Splunk Add-on for Microsoft Windows monitoring endpoint registry
This search detects USB mass storage usage from Windows registry data: Windows creates a key under HKLM\System\ControlSet*\Enum\USBSTOR when it enumerates a mass storage device, and the key name encodes the device type, vendor, product, and revision. Use it to detect and alert on the possibility of a USB device transferring unauthorized files to or from OT hosts.
The SPL can be used within dashboards and alerts to show all USB activity. You must determine via allow lists which items to alert on and investigate; keying the allow list on vendor, product, and device serial (the subkey beneath the Ven/Prod/Rev key) is stricter than vendor and product alone. Validate in your environment whether reinserting an already-enumerated device generates a new CreateKey event; if it does not, this search surfaces only first-seen devices.
sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" registry_type=CreateKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S" | stats count BY Date, host, Vendor, Product, DeviceType | fields - count | sort - Date
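The same detection in Python, added here as an example (it is not code from the OT Security Add-on or the Splunk Add-on for Microsoft Windows): it re-implements the key_path extraction from the search above and adds the allow-list step the text leaves to you. The event layout mirrors the WinRegistry key="value" format; the hosts, device serials, and the allow list are constructed for illustration.

```python
"""Unapproved-media detection from Windows registry CreateKey events under
HKLM\\System\\ControlSet*\\Enum\\USBSTOR, the same data the SPL search above
keys on. Added example, not add-on code: re-implements the extraction in
Python and adds an allow list. Event layout, hosts, serials and the allow
list are constructed."""
import re
from datetime import datetime

# key="value" pairs as written by the Windows add-on's WinRegistry sourcetype.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# USBSTOR subkey: <DeviceType>&Ven_<Vendor>&Prod_<Product>&Rev_<Rev>\<Serial>&<instance>
USBSTOR_RE = re.compile(
    r"^HKLM\\System\\(?:Current)?ControlSet\d*\\Enum\\USBSTOR\\"
    r"(?P<DeviceType>[^&\\]+)&Ven_(?P<Vendor>[^&\\]*)&Prod_(?P<Product>[^&\\]*)"
    r"&Rev_(?P<Rev>[^\\]*)(?:\\(?P<Serial>[^&\\]+))?",
    re.IGNORECASE,
)

# Constructed allow list of sanctioned media, keyed by vendor, product and
# serial so that a same-model drive from elsewhere still alerts.
APPROVED_MEDIA = {("SanDisk", "Cruzer_Blade", "4C530001234567890")}


def parse_usbstor_event(raw):
    """Return extracted fields for a CreateKey under USBSTOR, else None."""
    fields = dict(KV_RE.findall(raw))
    if fields.get("registry_type") != "CreateKey":
        return None
    m = USBSTOR_RE.match(fields.get("key_path", ""))
    if m is None:
        return None
    parsed = {k: (v or "") for k, v in m.groupdict().items()}
    return {**fields, **parsed}


def detect_unapproved_media(events, approved=APPROVED_MEDIA):
    """The SPL's stats-by rows (Date, host, Vendor, Product, DeviceType),
    newest first, for devices not on the allow list."""
    rows = {}
    for ev in events:
        p = parse_usbstor_event(ev["_raw"])
        if p is None or (p["Vendor"], p["Product"], p["Serial"]) in approved:
            continue
        key = (ev["_time"].strftime("%Y/%m/%d %H:%M:%S"), ev["host"],
               p["Vendor"], p["Product"], p["DeviceType"])
        rows[key] = rows.get(key, 0) + 1
    return sorted(rows, reverse=True)


# Constructed events: host is the Splunk host field, _raw the event body.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 3, 14, 9, 12, 33), "host": "HMI-01", "_raw":
     r'registry_type="CreateKey" key_path="HKLM\System\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890&0"'},
    {"_time": datetime(2024, 3, 14, 14, 3, 1), "host": "ENG-WS-02", "_raw":
     r'registry_type="CreateKey" key_path="HKLM\System\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA5743BC4B2&0"'},
    # SetValue on the same key: not a CreateKey, so ignored like the SPL filter.
    {"_time": datetime(2024, 3, 14, 14, 3, 2), "host": "ENG-WS-02", "_raw":
     r'registry_type="SetValue" key_path="HKLM\System\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA5743BC4B2&0" data="FriendlyName"'},
    # A non-storage USB device (USB, not USBSTOR) is out of scope.
    {"_time": datetime(2024, 3, 14, 15, 0, 0), "host": "HIST-01", "_raw":
     r'registry_type="CreateKey" key_path="HKLM\System\ControlSet001\Enum\USB\VID_046D&PID_C52B\6&2a1b3c4d&0&1"'},
]

if __name__ == "__main__":
    for row in detect_unapproved_media(SAMPLE_EVENTS):
        print(row)
```

Run against the constructed events, only the Kingston drive on ENG-WS-02 is reported: the SanDisk drive is on the allow list, the SetValue event is not a CreateKey, and the HID device is under USB rather than USBSTOR. To reproduce the page's search exactly (no allow list), pass an empty set as `approved`.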
Detect screen sharing
Data required: Data mapped to the Network traffic data model
This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. The search ignores common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.
To successfully implement this search, you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating Remote Desktop Traffic" to identify systems that originate the traffic and the search "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the "common_rdp_source" or "common_rdp_destination" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.
| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Network_Traffic WHERE All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action="allowed" BY All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter`
Detect traffic on non-common ICS ports
Data required: Data mapped to the Network traffic data model
This search looks for allowed network traffic to destination ports other than the common ICS protocol ports listed below. Adjust the port list to fit your environment. Knowing which ports your OT devices legitimately use helps you notice when new devices, services, or exploits are introduced into the environment. As written, the search returns every allowed flow to a port outside the list, so scope it to your OT address ranges or asset categories (for example by adding a src or dest condition from the Enterprise Security Assets and Identities framework) before turning it into an alert.
The SPL can be used within dashboards and alerts to show all network activity. You must determine, via allow lists, which items to alert on and investigate.
Common ports you might want to add into this search include:
- BACnet/IP - UDP/47808
- DNP3 - TCP/20000, UDP/20000
- EtherCAT - UDP/34980
- Ethernet/IP - TCP/44818, UDP/2222, UDP/44818
- FL-net - UDP/55000 to 55003
- Foundation Fieldbus HSE - TCP/1089 to 1091, UDP/1089 to 1091
- ICCP - TCP/102
- Modbus TCP - TCP/502
- OPC UA Discovery Server - TCP/4840
- OPC UA XML - TCP/80, TCP/443
- PROFINET - TCP/34962 to 34964, UDP/34962 to 34964
- ROC Plus - TCP/UDP 4000
| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Network_Traffic WHERE All_Traffic.dest_port NOT IN (47808, 20000, 34980, 44818, 2222, 55000, 55001, 55002, 55003, 1089, 1090, 1091, 102, 502, 4840, 443, 80, 34962, 34963, 34964, 4000) AND All_Traffic.action="allowed" BY All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
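Both tstats searches (uncommon remote desktop traffic, and traffic on non-common ICS ports) follow the same shape: filter Network_Traffic records by port and action, exclude or include hosts by asset category, then count per src/dest/port with first and last seen. The Python below is an added example, not code from Enterprise Security Content Update or the OT Security Add-on, that reproduces that logic over constructed records so the category handling can be checked offline. The assets.csv excerpt and traffic records are constructed; the `common_rdp_source` and `common_rdp_destination` categories are the ones named in the text, while the `ot` category used to scope the ICS port search is an assumption of this example.

```python
"""Category-filtered traffic detections over CIM Network_Traffic-style
records: RDP (TCP/3389) between hosts not tagged as common RDP endpoints,
and allowed traffic to ports outside the common ICS protocol list.
Added example, not ESCU or OT Security Add-on code; the asset lookup and
traffic records are constructed."""
import csv
import io
from datetime import datetime

# Constructed excerpt of an ES assets.csv. Only ip and category are used
# here; ES stores multivalue category as a pipe-delimited string.
ASSETS_CSV = """\
ip,nt_host,category
10.10.1.5,JUMP-01,common_rdp_source|jumphost
10.10.2.20,HMI-01,common_rdp_destination|ot
10.10.2.21,PLC-01,ot
10.10.2.22,HIST-01,ot
10.20.3.40,ENG-WS-02,
"""

# Destination ports from the list above (BACnet/IP, DNP3, EtherCAT,
# Ethernet/IP, FL-net, Foundation Fieldbus HSE, ICCP, Modbus, OPC UA,
# PROFINET, ROC Plus).
ICS_PORTS = {47808, 20000, 34980, 44818, 2222, 55000, 55001, 55002, 55003,
             1089, 1090, 1091, 102, 502, 4840, 443, 80, 34962, 34963, 34964, 4000}


def load_asset_categories(text):
    """Map ip -> set of categories, like ES's asset lookup on src/dest."""
    cats = {}
    for row in csv.DictReader(io.StringIO(text)):
        cats[row["ip"]] = {c for c in row["category"].split("|") if c}
    return cats


def stats_by_flow(events):
    """count, min(_time) as firstTime, max(_time) as lastTime by src dest dest_port."""
    agg = {}
    for e in events:
        key = (e["src"], e["dest"], e["dest_port"])
        row = agg.setdefault(key, {"src": e["src"], "dest": e["dest"],
                                   "dest_port": e["dest_port"], "count": 0,
                                   "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return sorted(agg.values(), key=lambda r: (r["src"], r["dest"], r["dest_port"]))


def uncommon_rdp(events, cats):
    """Allowed TCP/3389 flows where neither end is a known RDP endpoint."""
    hits = [e for e in events
            if e["dest_port"] == 3389 and e["action"] == "allowed"
            and "common_rdp_source" not in cats.get(e["src"], set())
            and "common_rdp_destination" not in cats.get(e["dest"], set())]
    return stats_by_flow(hits)


def non_ics_ports(events, cats, scope_category="ot"):
    """Allowed flows to ports outside ICS_PORTS. scope_category is an
    assumption of this example: the page's search has no asset scoping and
    returns every allowed non-ICS flow; pass None to reproduce that."""
    def in_scope(e):
        if scope_category is None:
            return True
        return (scope_category in cats.get(e["src"], set())
                or scope_category in cats.get(e["dest"], set()))
    hits = [e for e in events
            if e["dest_port"] not in ICS_PORTS and e["action"] == "allowed"
            and in_scope(e)]
    return stats_by_flow(hits)


# Constructed traffic records using CIM Network_Traffic field names.
def _ev(ts, src, dest, port, action="allowed"):
    return {"_time": datetime.fromisoformat(ts), "src": src, "dest": dest,
            "dest_port": port, "transport": "tcp", "action": action}

SAMPLE_TRAFFIC = [
    _ev("2024-03-14T08:00:00", "10.10.1.5", "10.10.2.20", 3389),   # jump host -> HMI: expected RDP
    _ev("2024-03-14T08:05:00", "10.20.3.40", "10.10.2.21", 3389),  # workstation -> PLC: uncommon RDP
    _ev("2024-03-14T08:07:00", "10.20.3.40", "10.10.2.21", 3389),
    _ev("2024-03-14T08:10:00", "10.20.3.40", "10.10.2.22", 3389, "blocked"),  # blocked: ignored
    _ev("2024-03-14T08:20:00", "10.20.3.40", "10.10.2.21", 502),   # Modbus: common ICS port
    _ev("2024-03-14T08:25:00", "10.20.3.40", "10.10.2.22", 22),    # SSH to historian: non-ICS port
    _ev("2024-03-14T08:30:00", "10.20.3.40", "10.20.3.41", 8080),  # IT-only flow, outside OT scope
]

if __name__ == "__main__":
    cats = load_asset_categories(ASSETS_CSV)
    for row in uncommon_rdp(SAMPLE_TRAFFIC, cats):
        print("uncommon RDP:", row)
    for row in non_ics_ports(SAMPLE_TRAFFIC, cats):
        print("non-ICS port:", row)
```

Note that the jump host's RDP session to the HMI is expected in the first search but still appears in the second, because 3389 is not on the ICS port list; that is the kind of flow the allow list for the port search has to carry. In Enterprise Security the src_category and dest_category fields are filled by the asset lookup at search time, so the scoping done by `in_scope` here corresponds to adding a category condition to the tstats WHERE clause.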
Next steps
Other add-ons that you might need to work effectively with the OT Security Add-On for Splunk are:
In addition, these resources might help you understand and implement this guidance:
- .conf: How to secure operational technology environments with the new Splunk Add-on for OT Security
- Blog: Baselining and beyond: What’s new in OT Security Add-on v2.2
- Blog: Splunk for OT Security: Perimeter and vulnerability evolution
- Whitepaper: CISO’s guide to complete security for industrial control systems
- Feed: NIST National Vulnerability Database