By Maureen Corley | May 12th, 2021
As far as legacy Industrial Control Systems (ICS) are concerned, level 0/1 serial communications monitoring isn’t just about network security; it’s also about utilizing the data as a “first step” to digital transformation. Whilst operational technology (OT) environments are increasingly adopting data-centric strategies, there is a curious lack of emphasis placed on capturing real-time data from legacy cyber-physical systems. It therefore comes as no surprise that many organizations cannot derive accurate insights, solve problems and make improvements to their operations, as they are failing to collect reliable data from the outset.
While it is well documented that legacy equipment is a digital transformation inhibitor, equipment upgrades are simply not an option for most organizations. In a recent survey by AppDirect, 31% of respondents said the cost of upgrading legacy systems was their top digital transformation challenge.
Yet, with all the conversations around the challenges and cost of upgrades, there is little talk of a less obvious but more pragmatic solution. That is, tapping and leveraging the data that exists within the legacy devices. Tapping serial data is not only an effective network security monitoring solution, it also provides a means to capitalize on existing data to drive intelligence, enable interoperability and fundamentally, improve productivity.
Importance of Level 0/1 Serial Data in a Digital Age
Level 0/1 serial communications control field devices such as valves, motors, pumps and relays, which in turn control the physical processes. These communications are the final phase in industrial automation, so they represent critical operational data.
This data contains vital information on the legacy network’s behavior, trends and overall health. It is a valuable resource that can be used to improve situational awareness, avoid unplanned downtime, solve problems faster, and support digitalization.
Today, the status quo approach to serial data collection typically involves techniques that convert or encapsulate upstream data into TCP/IP packets. These methods are flawed because they don’t factor in potential lower-level interception and manipulation of the communications. Furthermore, TCP/IP-encapsulated serial messages miss out on important context such as the timing and direction of the communications, limiting the insights that can be derived for cyber anomaly detection and operational health optimization. Consequently, facilities should introduce tools that enable direct serial communication monitoring and data collection.
Not long ago, serial data from legacy field devices was either inaccessible or too time consuming to extract and interpret. This is not the case today, but it’s an area that is often unexplored nonetheless. Nowadays, secure technology like the SerialGuard AnalytICS Platform automates direct serial data collection from legacy ICS and contextualizes the datasets to turn it into actionable information.
Secure Data Extraction is the Key…
First and foremost, due to the serial network’s criticality and insecure nature, serial data collection must be done securely. Serial network taps should be passive so they don’t impact the flow of communications or introduce an attack vector to the network. Likewise, the taps need to be fail-safe by design so they don’t disrupt operations if they malfunction. This ensures the integrity of the communication is always maintained and operations are preserved.
Today, many organizations have integrated network connectivity to their serial devices through appliances such as Serial-to-Ethernet Converters/Gateways. The appliances enable two-way communications with field controllers (e.g. PLCs), but their communications are vulnerable to interception, so they are an unreliable source of real-time serial data. Tapping the data at the final phase ensures the data is authentic, i.e. it hasn’t been tampered with or exploited.
In order to gather reliable and real-time serial data, the data must be collected from the serial line/serial bus between the field controller and field device. For example, between a PLC and a valve.
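As an added illustration of what a passive tap on the serial line between a PLC and a field device sees that a TCP/IP-encapsulated copy does not, the following Python script (written for this article; it is not Cynalytica’s code and not the SerialGuard implementation) decodes a constructed capture of Modbus RTU frames, keeping each frame’s timestamp and line direction, verifying the frame CRC, and splitting each message into its attributes. The frame layout and CRC-16 follow the public Modbus RTU specification; the capture records, the unit id, the register values and the corrupted final frame are constructed sample data.

```python
"""Decode a passive serial-tap capture of Modbus RTU traffic (constructed example).

Each captured record is (timestamp_s, direction, raw_frame). The direction,
"M2S" for controller-to-field-device and "S2M" for the reply, and the inter-frame
timing are visible on the physical line but are lost once a converter wraps the
frames in TCP/IP. Frame layout and CRC follow the public Modbus RTU spec; all
frames, unit ids and values below are constructed sample data.
"""
import struct
from dataclasses import dataclass, field

FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers",
    5: "Write Single Coil", 6: "Write Single Register", 16: "Write Multiple Registers",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, pdu: bytes) -> bytes:
    """Append the CRC (low byte first) to unit id + PDU, as a device does on the wire."""
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


@dataclass
class Record:
    ts: float
    direction: str
    unit: int
    function: int
    function_name: str
    crc_ok: bool
    gap_ms: float              # time since the previous frame on this line
    detail: dict = field(default_factory=dict)


def decode_frame(ts: float, direction: str, raw: bytes, prev_ts) -> Record:
    """Split one frame into its attributes; trust the payload only if the CRC checks."""
    crc_ok = len(raw) >= 4 and struct.unpack("<H", raw[-2:])[0] == crc16_modbus(raw[:-2])
    unit, fc = raw[0], raw[1]
    detail = {}
    if crc_ok:
        if direction == "M2S" and fc in (1, 3) and len(raw) >= 8:
            detail["address"], detail["count"] = struct.unpack(">HH", raw[2:6])
        elif direction == "M2S" and fc in (5, 6) and len(raw) >= 8:
            detail["address"], detail["value"] = struct.unpack(">HH", raw[2:6])
        elif direction == "S2M" and fc == 3 and len(raw) >= 5 + raw[2]:
            n = raw[2]                      # byte count of the register data
            detail["registers"] = list(struct.unpack(">%dH" % (n // 2), raw[3:3 + n]))
    gap_ms = 0.0 if prev_ts is None else (ts - prev_ts) * 1000.0
    return Record(ts, direction, unit, fc, FUNCTION_NAMES.get(fc, "fc %d" % fc),
                  crc_ok, gap_ms, detail)


def decode_capture(capture) -> list:
    """Decode a whole capture in line order so the timing gap of each frame is known."""
    prev = None
    records = []
    for ts, direction, raw in capture:
        records.append(decode_frame(ts, direction, raw, prev))
        prev = ts
    return records


# Constructed capture: a PLC (master) polling field device unit 1, then writing a coil.
SAMPLE_CAPTURE = [
    (10.000, "M2S", bytes.fromhex("010300000002C40B")),             # read 2 holding regs from 0
    (10.012, "S2M", build_frame(1, bytes.fromhex("0304000A000B"))),  # reply: values 10 and 11
    (10.500, "M2S", build_frame(1, bytes.fromhex("050000FF00"))),    # write coil 0 = ON
    (10.511, "S2M", build_frame(1, bytes.fromhex("050000FF00"))),    # device echoes the write
    (11.000, "M2S", bytes.fromhex("010300000002C40C")),             # same read, CRC byte corrupted
]

if __name__ == "__main__":
    for r in decode_capture(SAMPLE_CAPTURE):
        print(f"{r.ts:8.3f}s {r.direction} +{r.gap_ms:6.1f}ms unit={r.unit} "
              f"{r.function_name} crc_ok={r.crc_ok} {r.detail}")
```

The last record shows why the tap has to validate frames itself: the corrupted frame still parses to a plausible unit and function code, but its CRC fails, and a record with crc_ok set to False is the cue for an analyst to decide between line noise, a wiring fault and tampering.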
Normalizing the Data
While securely extracting the data is a step forward, it is only a preliminary step to capturing its full value. In its raw state, serial data requires a specialized engineer to interpret it, which is both costly and time-consuming.
The data needs to be normalized so it can be understood and analyzed by a variety of business stakeholders. Furthermore, it needs to be integrable with third-party enterprise management systems to broaden the scope of application.
The Technology Exists
While there are a plethora of low-cost serial packet sniffers / serial data taps on the market today, they are not built to a high standard and are off limits to critical infrastructure as they are neither passive nor fail-safe – posing a threat to operations during failure and compromise situations. Moreover, they provide limited capabilities in terms of data analytics and integrations.
The technology does exist however, and is embodied by Cynalytica’s SerialGuard AnalytICS Platform. The platform is an all-in-one serial network security and operational health monitoring tool for serial-connected ICS devices. In addition to secure data collection, the platform offers scalable data analytics capabilities that can be utilized across the organization.
SerialGuard AnalytICS Platform
How The SerialGuard AnalytICS Platform Supports Digital Transformation
- Centralizes Serial Data Collection: The SerialGuard AnalytICS Platform is comprised of SerialGuard sensors and the AnalytICS Engine. Together, they automate and centralize serial data collection from multiple legacy ICS devices. The technology is a one-platform solution for an entire inventory of serial-connected field devices. Furthermore, the platform is designed to easily integrate serial data with third-party enterprise management systems such as SIEMs to optimize visibility and streamline event correlation.
- Contextualizes Serial Communications so they are easy to comprehend and analyze – even for non-OT operators. It segments the data according to the serial communications’ message attributes and allows users to filter data, and customize and export reports according to their individual needs.
- Provides Real-time Data of Physical Events: Offers the unique ability to see and understand what is happening in the final phase of cyber-physical events. It provides more clarity on aspects such as operational health and productivity.
- Data Reliability: Normalizes and presents serial data in its truest form. It does not tamper with or convert the data the way Serial-to-Ethernet Converters/Gateways do.
- Reduces Noise: The platform triggers alerts based on pre-defined rules to enhance event correlation and to reduce noise. Rulesets are flexible and can be configured to trigger alerts for anything from misconfigurations to cyber intrusions.
- Situational Awareness: Promotes accurate situational awareness of operational health and cybersecurity posture of legacy infrastructure.
- Enterprise-Wide Visibility: Normalized data enables enterprise-wide visibility into operational output and overall productivity.
- Easily Integrated: Does not require modification of ICS equipment or network for installation.
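The baselining and rule-based alerting described in the list above, as an added example that is not the platform’s own rules or code: it learns the normal request/reply pattern from a window of decoded serial records, then evaluates live records against four rules, separating operational faults (a device that stops answering, a stalled poll cycle, corrupted frames) from a write the baseline has never seen. The record format, the rule names and the thresholds are this example’s own assumptions, and all records are constructed.

```python
"""Baseline-and-rule alerting over decoded serial records (constructed example).

Each record is a dict already decoded from the serial line: ts (seconds),
direction ("M2S" request from the controller, "S2M" reply from the field
device), unit, function, address and crc_ok. Rule names and thresholds are this
example's assumptions, not a vendor's ruleset.
"""
from statistics import median

WRITE_FUNCTIONS = {5, 6, 15, 16}   # Modbus function codes that change device state


def learn_baseline(records):
    """Learn the set of normal (direction, unit, function, address) messages and
    the typical request interval from a window of known-good traffic."""
    seen = set()
    request_times = []
    for r in records:
        seen.add((r["direction"], r["unit"], r["function"], r["address"]))
        if r["direction"] == "M2S":
            request_times.append(r["ts"])
    gaps = [b - a for a, b in zip(request_times, request_times[1:])]
    return {"messages": seen, "poll_interval": median(gaps) if gaps else None}


def evaluate(records, baseline, gap_factor=3.0):
    """Return (ts, rule, detail) alerts for records that deviate from the baseline."""
    alerts = []
    last_request_ts = None
    pending = None                  # request still waiting for a reply
    for r in records:
        if not r["crc_ok"]:
            # Corrupted frame: line noise, wiring fault or tampering; do not
            # treat it as a request or a reply.
            alerts.append((r["ts"], "BAD_CRC", "frame failed CRC check"))
            continue
        key = (r["direction"], r["unit"], r["function"], r["address"])
        if key not in baseline["messages"]:
            rule = "UNBASELINED_WRITE" if r["function"] in WRITE_FUNCTIONS else "UNBASELINED_MESSAGE"
            alerts.append((r["ts"], rule,
                           f"{r['direction']} unit {r['unit']} fc {r['function']} addr {r['address']}"))
        if r["direction"] == "M2S":
            if pending is not None:
                alerts.append((pending["ts"], "NO_RESPONSE",
                               f"unit {pending['unit']} did not answer fc {pending['function']}"))
            if last_request_ts is not None and baseline["poll_interval"]:
                gap = r["ts"] - last_request_ts
                if gap > gap_factor * baseline["poll_interval"]:
                    alerts.append((r["ts"], "POLL_GAP",
                                   f"{gap:.2f}s between requests, baseline {baseline['poll_interval']:.2f}s"))
            last_request_ts = r["ts"]
            pending = r
        else:
            pending = None          # reply received, request is closed
    if pending is not None:
        alerts.append((pending["ts"], "NO_RESPONSE",
                       f"unit {pending['unit']} did not answer fc {pending['function']}"))
    return alerts


def rec(ts, direction, unit, function, address=0, crc_ok=True):
    """Build one constructed decoded record."""
    return {"ts": ts, "direction": direction, "unit": unit,
            "function": function, "address": address, "crc_ok": crc_ok}


# Constructed learning window: the PLC reads holding register 0 of unit 1 once a second.
BASELINE_WINDOW = []
for t in range(4):
    BASELINE_WINDOW += [rec(float(t), "M2S", 1, 3), rec(t + 0.01, "S2M", 1, 3)]

# Constructed live window with one deviation of each kind.
LIVE_WINDOW = [
    rec(10.0, "M2S", 1, 3), rec(10.01, "S2M", 1, 3),          # normal poll
    rec(11.0, "M2S", 1, 5, address=7), rec(11.01, "S2M", 1, 5, address=7),  # never-seen coil write
    rec(12.0, "M2S", 1, 3),                                    # device does not answer
    rec(16.0, "M2S", 1, 3), rec(16.01, "S2M", 1, 3),          # poll resumes after a 4 s stall
    rec(17.0, "M2S", 1, 3, crc_ok=False),                      # corrupted frame
]

if __name__ == "__main__":
    for ts, rule, detail in evaluate(LIVE_WINDOW, learn_baseline(BASELINE_WINDOW)):
        print(f"{ts:7.2f}s {rule:<19} {detail}")
```

Keeping the message baseline keyed on direction as well as unit, function and address is what lets the same ruleset flag both an unexpected write from the controller side and an unexpected reply from the device side, which a TCP/IP-encapsulated copy without direction information cannot distinguish.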
Value Across the Organization
While the collective value of a data-driven approach may be obvious, how executives unlock value from the SerialGuard AnalytICS Platform will vary according to their core business functions:
The SerialGuard AnalytICS Platform normalizes ICS serial data so it is easily understood and analyzed. This reduces costs as it eliminates the need for specialized engineers to gather, compile and interpret information and helps solve problems faster. Additionally, it decreases the need for specialized personnel to carry out troubleshooting and diagnostics, helping to accelerate response times and reduce downtime.
The technology promotes enterprise-wide digital transformation and streamlines IT/OT network security by consolidating serial network intelligence and helping to stimulate IT/OT collaboration and interoperability. Furthermore, it builds reliable datasets for advanced digital strategies such as Asset Performance Management (APM), Overall Equipment Effectiveness (OEE), and Predictive Maintenance.
The SerialGuard AnalytICS Platform enables OT operators to securely monitor multiple serial-connected field devices from a centralized location – helping to improve situational awareness and prevent unplanned downtime. The platform contextualizes serial communications to allow operators to easily baseline normal operations and securely monitor for abnormal network behavior. Furthermore, it helps pinpoint the precise location of operational faults to accelerate response times and increase uptime. Its user interface enables operators to create alert rulesets to automate legacy network security and operational health monitoring and allows operators to distinguish between cyber-events and misconfigurations.
The SerialGuard AnalytICS Platform normalizes serial data so it can be easily interpreted by non-OT operators. It helps IT/OT event correlation by integrating alerts and metrics with third-party SIEMs. Fundamentally, the platform enables IT/OT interoperability by broadening the scope and accessibility of serial data as well as mitigating the risks posed by increased interconnectivity.
Tapping and monitoring data from your serial-connected field devices is not only a means to improving your cybersecurity posture, it is also a cost-effective method to generating value from your existing assets. Rather than waiting for the right opportunity to replace your legacy equipment, you should be leveraging the data that is already at your disposal. In today’s data-driven world, your serial data will prove to be an invaluable resource that will help drive your digital transformation efforts, and ultimately, improve your overall business performance.