Developing OT Security Monitoring Use Cases


Security monitoring is one area that vastly improves the overall security posture of most OT (Operational Technology) environments, whether your organization decides to conduct OT security monitoring internally, through a hybrid model, or through managed security services. Use cases for your industry are something the organization must develop within its own industry vertical.

What are use cases?

Use cases within security monitoring are the criteria an organization defines to outline which types of threats it is going to monitor. Use cases typically align with the threats most likely to occur within the organization. Each use case typically outlines what threat is being monitored, why, and what data is collected to detect that threat.

Developing OT use cases

When developing use cases for OT environments, the organization should leverage resources that outline threats to the organization. There are three primary resources that OT organizations should use when developing OT security monitoring use cases:

· MITRE ICS ATT&CK Matrix

· Past Internal Incident Response Cases

· Industry Related Threat Intelligence

MITRE ICS ATT&CK Matrix

The MITRE ICS ATT&CK matrix is a knowledge base of tactics and techniques used to attack and disrupt OT environments, and it is a great reference to start with when developing OT security monitoring use cases. The matrix covers and explains the known attack techniques used to compromise OT environments. Typically, use cases are developed by stringing attacks together from left to right (Reconnaissance -> Impact). However, for OT environments I strongly recommend reading the ICS ATT&CK matrix from right to left (Impact -> Reconnaissance) when developing use cases. OT environments have different goals from the traditional enterprise IT environment. By starting with Impact in the ICS matrix, the security staff can collaborate with the engineers to understand how that impact could occur within the OT environment.

Past Incident Response Cases

Past incident response cases within the OT and enterprise environments are the best type of threat intelligence any organization can receive. For past incidents within the environment, the organization can automatically assume the following: 1) these attack tactics and techniques can 100% happen within the organization, and 2) the intelligence gathered from the incident is 100% related to your organization. Use cases can also be built around earlier incident response cases because they contain an attack method that was actually used to impact IT and OT operations. Even if the OT environment was not directly breached, enterprise incidents can have an indirect impact on OT operations. OT security monitoring use cases can therefore have dependencies on the enterprise side, since the business network is typically converged with the OT environment.

Industry Related Threat Intelligence

In the current environment, cyber threat intelligence is shared through a number of mediums and platforms. Typically, the biggest challenge for most organizations is finding threat intelligence reports that are related to their industry. Not all intelligence is created and utilized equally, but that is not the point of this section. The main aim of this section is to outline that threat intelligence is another reference that OT organizations can utilize to build use cases for OT security monitoring. When handed a cyber threat intelligence report, focus on developing use cases from the techniques, not the indicators of compromise. While the indicators of compromise are of interest to threat hunting teams, understanding which techniques were used to initially access, pivot, and gain access to systems is what effective use cases are built from. Tools described in a cyber threat intelligence report can also make great security monitoring use cases. When developing use cases around attack tools, focus on the log and network evidence that the tool generates on both the attacker's and the victim's end.
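As an added example (not part of the original article), the following Python models a use case the way the sections above describe it: what threat is monitored, why, the ICS ATT&CK tactic and technique it maps to, and what log or network evidence is needed to detect it. It orders the catalogue right to left on the matrix (Impact first) and reports which use cases the currently available telemetry cannot support. The use cases and data source names are constructed for illustration; the tactic and technique names follow the ICS ATT&CK matrix, which begins at Initial Access.

```python
from dataclasses import dataclass

# Tactic columns of the ICS ATT&CK matrix, left to right.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation", "Evasion",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Inhibit Response Function", "Impair Process Control", "Impact",
]

@dataclass(frozen=True)
class UseCase:
    name: str             # what threat is monitored
    rationale: str        # why: impact discussion, past incident, or intel report
    tactic: str           # ICS ATT&CK tactic column
    technique: str        # ICS ATT&CK technique name (verify against the current matrix)
    data_sources: frozenset  # evidence required to detect it

# Constructed sample catalogue (illustrative, not from the article).
SAMPLE_USE_CASES = [
    UseCase("Unauthorized PLC setpoint write", "engineers identified loss of control as top impact",
            "Impair Process Control", "Unauthorized Command Message",
            frozenset({"ICS network traffic (DPI)", "PLC change logs"})),
    UseCase("Engineering workstation RDP from enterprise", "past enterprise incident pivoted toward OT",
            "Lateral Movement", "Remote Services",
            frozenset({"Windows Security logs", "Firewall logs"})),
    UseCase("Modbus device enumeration", "technique reported in industry threat intel",
            "Discovery", "Remote System Discovery",
            frozenset({"ICS network traffic (DPI)"})),
]

# Constructed: telemetry the monitoring team can collect today.
AVAILABLE_SOURCES = {"ICS network traffic (DPI)", "Firewall logs"}

def impact_first(use_cases):
    """Order use cases right to left on the matrix so Impact-side cases are reviewed first."""
    return sorted(use_cases, key=lambda u: TACTIC_ORDER.index(u.tactic), reverse=True)

def coverage(use_cases, available_sources):
    """Return (detectable use case names, {use case name: missing data sources})."""
    covered, gaps = [], {}
    for uc in impact_first(use_cases):
        missing = sorted(uc.data_sources - set(available_sources))
        if missing:
            gaps[uc.name] = missing   # use case defined, but telemetry not yet collected
        else:
            covered.append(uc.name)
    return covered, gaps

if __name__ == "__main__":
    covered, gaps = coverage(SAMPLE_USE_CASES, AVAILABLE_SOURCES)
    print("detectable:", covered)
    for name, missing in gaps.items():
        print(f"gap: {name} -> collect {missing}")
```

Running the gap list back to the engineers turns a telemetry shortfall into a concrete collection request rather than a silent blind spot.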


I understand there is much more to add to this piece, however this should get you started in developing great OT use cases. As always, reach out if you have any questions, concerns, comments, or feedback. I don't know everything, and I don't pretend to either. There is always room for improvement, so I invite you to help me improve the community and myself.



More articles by Wesley L.
