Solution Accelerator for Operational Technology (OT) Security
If you're responsible for security within Operational Technology (OT) environments, you're probably asking yourself questions like:
- Are you sure that your operational environments are being protected at the perimeter?
- Are vendors, contractors, and others accessing your OT environment safely, or could this access be compromised?
- Are malicious actors or third parties using external media devices like USB drives to bypass your security protections?
- Do you really understand the industrial protocols used in your network?
Many common security strategies, such as air gaps, are not enough to completely protect your OT environment. That's why Splunk has created the Solution Accelerator for OT Security, available for free on GitHub, designed to help you answer these questions and create robust security practices to protect your OT environment.
OT Security 101
Challenges
Protecting an OT environment comes with a number of problems that are different from traditional IT environments. For instance, the use of agents as collectors isn't always an option when you are running critical systems, or systems that have been running for multiple decades. In addition, any security technology must not jeopardize the safety or resilience of critical systems, or cause downtime for them.
The Solution Accelerator for OT Security helps you to get started with common use cases for OT environments and ensure your security controls are working. It also provides detailed information on architecture, data collection methods, and installation guides to help you overcome these OT-specific challenges.
The Perimeter
Many organizations try to protect OT systems and networks with perimeter security appliances. Often they use firewalls, but other technologies, such as data diodes, are used as well. However, managing perimeter devices can become more complicated over time with acquisitions, new technologies, and vendor requirements, resulting in a confusing and often error-prone process.
Ensuring that traffic crossing your network perimeter aligns with your expectations is critical to effective security controls. Many organizations discover unknown traffic when auditing the traffic going in (ingress) and out (egress) from their OT environments. The Splunk platform can be used to ensure your security perimeter controls are working by validating the traffic that traverses the perimeter, rather than relying solely on assumptions about ACL and firewall rule effectiveness.
Remote access
Allowing remote access for support staff, vendors, and contractors helps organizations improve system support efficiency and reduce costs. While organizations can manage access for their own employees, third-party users, like contractors and vendors, might introduce additional risks. By monitoring remote access activity—such as RDP connections—into OT environments using the Splunk platform, you can gain visibility into who is accessing your critical systems, from where, and when. These insights enhance your understanding and control over these remote interactions.
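The "who, from where, and when" view described above can be built from remote logon records once they are in a searchable form. The script below is an added example, not code from the Solution Accelerator or from Splunk; it assumes a constructed record format (timestamp, user, source IP, destination host), a constructed list of third-party accounts with their approved change windows, and a constructed remote-access VPN network. It summarizes sessions per user and flags third-party logons that fall outside their approved window or come from an unexpected source network.

```python
"""Summarize remote (RDP) sessions into the OT zone: who, from where, when.

Added example, not part of the Solution Accelerator for OT Security; the
account list, access windows, source networks and events are constructed.
"""
from datetime import datetime, timezone
import ipaddress

UTC = timezone.utc

# Constructed: third-party accounts and the change window approved for each
VENDOR_WINDOWS = {
    "vendor-acme": (datetime(2024, 5, 1, 8, 0, tzinfo=UTC),
                    datetime(2024, 5, 1, 12, 0, tzinfo=UTC)),
}
# Constructed: networks from which remote access is expected (VPN pool)
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


def parse_event(line):
    """Parse one constructed logon record: ts user src_ip dest_host."""
    ts, user, src, dest = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "src": ipaddress.ip_address(src),
        "dest": dest,
    }


def assess(event):
    """Return the deviations for one remote logon; empty means as expected."""
    findings = []
    if not any(event["src"] in net for net in EXPECTED_SOURCES):
        findings.append("source outside expected remote-access network")
    if event["user"].startswith("vendor-"):
        window = VENDOR_WINDOWS.get(event["user"])
        if window is None:
            findings.append("unknown third-party account")
        elif not (window[0] <= event["ts"] <= window[1]):
            findings.append("third-party access outside approved window")
    return findings


def summarize(lines):
    """Per user: sources seen, OT hosts reached, first/last logon, findings."""
    summary = {}
    for line in lines:
        ev = parse_event(line)
        entry = summary.setdefault(ev["user"], {
            "sources": set(), "hosts": set(),
            "first": ev["ts"], "last": ev["ts"], "findings": [],
        })
        entry["sources"].add(str(ev["src"]))
        entry["hosts"].add(ev["dest"])
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
        entry["findings"].extend(assess(ev))
    return summary


# Constructed logon records for one day
SAMPLE_EVENTS = [
    "2024-05-01T09:15:00Z vendor-acme 10.20.0.15 EWS01",
    "2024-05-01T10:05:00Z jdoe 10.20.0.7 EWS01",
    "2024-05-01T22:30:00Z vendor-acme 10.20.0.15 HMI01",
    "2024-05-01T10:00:00Z vendor-unknown 198.51.100.4 HMI01",
]

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE_EVENTS).items():
        print(user, sorted(entry["sources"]), sorted(entry["hosts"]),
              entry["first"].isoformat(), entry["last"].isoformat(),
              entry["findings"])
```

The per-user summary is the part worth keeping even when no finding fires: a vendor account reaching a host it has never touched before, or appearing from a new source address, is visible in the sets before any rule is written for it.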
Bypassing the perimeter
A well-maintained security perimeter can help block many attacks on OT systems. However, real incidents have shown that controls can be bypassed with external media devices like USB drives. These devices might be used as part of a targeted attack, or introduced unintentionally by a contractor with a compromised device. Regardless of intent, such devices can cause significant harm, especially on poorly segmented and flat networks. They can lead to system outages, environmental damage, or financial losses. The Splunk platform can help by monitoring these devices directly on hosts, or by utilizing data from other tools your organization might already use.
Monitoring industrial protocol traffic
In OT systems, device communication paths and assets are typically well-defined. For example, it would be unusual for a domain controller to communicate with a PLC using Modbus traffic. However, OT devices often lack authentication, meaning any device can issue commands or read data from them. Using the Splunk platform, you can monitor network traffic specific to industrial protocols and proactively detect unusual activity, helping you protect critical systems from untrusted sources.
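Both the perimeter validation described under "The Perimeter" and the industrial-protocol monitoring described here come down to comparing observed connections with a declared communication baseline. The script below is an added example, not code from the Solution Accelerator or from Splunk; it assumes a constructed asset inventory (zone and role per IP), a constructed policy (OT perimeter crossings must involve a jump host on an expected port; Modbus/TCP on port 502 may only go from HMI or engineering workstation roles to a PLC), and constructed flow records in a simple comma-separated format. It reports every flow that deviates from that baseline, including the domain-controller-to-PLC Modbus case mentioned above.

```python
"""Validate OT network flows against an expected-communication baseline.

Added example, not part of the Solution Accelerator for OT Security; the
asset inventory, policy and flow records below are constructed.
"""
from collections import namedtuple

# Constructed asset inventory: ip -> (name, zone, role)
ASSETS = {
    "10.10.0.5":      ("DC01",   "it",  "domain_controller"),
    "10.10.0.50":     ("JUMP01", "dmz", "jump_host"),
    "192.168.100.10": ("HMI01",  "ot",  "hmi"),
    "192.168.100.11": ("EWS01",  "ot",  "engineering_workstation"),
    "192.168.100.20": ("PLC01",  "ot",  "plc"),
}

# Constructed policy: traffic crossing the OT perimeter must involve the
# jump host and use one of these destination ports ...
PERIMETER_PORTS = {443, 3389}
# ... and Modbus/TCP (port 502) may only flow from these roles to a PLC.
MODBUS_PORT = 502
MODBUS_CLIENT_ROLES = {"hmi", "engineering_workstation"}

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flow(line):
    """Parse one constructed flow record: ts,src_ip,dst_ip,dst_port,proto."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), proto)


def zone(ip):
    return ASSETS[ip][1] if ip in ASSETS else "external"


def role(ip):
    return ASSETS[ip][2] if ip in ASSETS else "unknown"


def check_flow(flow):
    """Return the policy deviations for one flow; empty list means expected."""
    findings = []
    crosses_perimeter = (zone(flow.src) == "ot") != (zone(flow.dst) == "ot")
    if crosses_perimeter:
        if "jump_host" not in (role(flow.src), role(flow.dst)):
            findings.append("perimeter: OT crossing not via jump host")
        if flow.dport not in PERIMETER_PORTS:
            findings.append(f"perimeter: unexpected port {flow.dport}")
    if flow.proto == "tcp" and flow.dport == MODBUS_PORT:
        if role(flow.dst) != "plc":
            findings.append("modbus: destination is not a PLC")
        if role(flow.src) not in MODBUS_CLIENT_ROLES:
            findings.append(f"modbus: unexpected client role {role(flow.src)}")
    return findings


def audit(lines):
    """Map each deviating flow record to its findings."""
    report = {}
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed flow records (simplified connection log)
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z,192.168.100.10,192.168.100.20,502,tcp",  # HMI -> PLC Modbus
    "2024-05-01T10:01:00Z,10.10.0.50,192.168.100.11,3389,tcp",     # jump host -> EWS RDP
    "2024-05-01T10:02:00Z,10.10.0.5,192.168.100.20,502,tcp",       # DC -> PLC Modbus
    "2024-05-01T10:03:00Z,203.0.113.7,192.168.100.11,3389,tcp",    # external -> EWS RDP
    "2024-05-01T10:04:00Z,192.168.100.11,10.10.0.5,445,tcp",       # EWS -> DC SMB
]

if __name__ == "__main__":
    for record, findings in audit(SAMPLE_FLOWS).items():
        print(record, "->", "; ".join(findings))
```

The inventory is the piece that does the work: without zone and role per address, a Modbus session from the domain controller looks like any other port 502 connection. In practice that inventory is the asset list the Solution Accelerator's knowledge objects are meant to hold, and the flow records would come from whatever network sensor already feeds the platform.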
Use cases for OT security
The Solution Accelerator for OT Security supports a wide array of use cases designed to help you monitor and protect your OT environment. These include:
- OT security perimeter monitoring
- Remote access into OT
- Use of external media devices
- Identification of industrial protocols used in OT
How the Solution Accelerator for OT Security delivers results
The Splunk Solution Accelerator for OT Security is designed to help organizations monitor and protect their OT environments. The Solution Accelerator delivers a powerful set of tools and information to show you how to protect your critical operations, deploy the Splunk platform safely and securely into your OT environment, and help you understand how you can get critical data into the Splunk platform. Here's what the Solution Accelerator offers:
- Reference architecture: Proven architectures for implementing the Splunk platform in OT environments, whether on-premises, shared, hybrid, or in the cloud.
- OT Security Solution Accelerator app: A Splunk app that can be deployed in Splunk Enterprise or Splunk Cloud Platform.
- Analysis queries and searches: Ready-made searches for each security use case designed to be used out-of-the-box with the Splunk platform.
- Dashboards and knowledge objects: Comprehensive visual dashboards and knowledge objects that can be customized to your OT environment.
Next steps
Visit the Solution Accelerator for OT Security on GitHub. If you need help or assistance with the Solution Accelerator, reach out to your Splunk Sales Team or contact otsecurity@splunk.com.