Integrating IT & OT Security Operations Centers (SOCs)

A security operations center (SOC) is the nerve center of a network, monitoring traffic, devices, anomalies and alerts so analysts can investigate and mitigate incidents and remediate issues. Whether in-house or through a managed security services provider (MSSP), the team comprises security analysts and engineers who protect essential assets and operations while ensuring compliance with industry and government regulations.

Traditional SOCs focused only on IT networks. As CISOs increasingly assume responsibility for managing enterprise risk, integrating ICS security into existing SOCs is becoming more common. According to the SANS 2024 ICS/OT Survey, 62.7% of responding organizations have a SOC, and 29.6% have a merged IT/OT SOC. Only 8.8% have an internal OT-only SOC.

Unfortunately, rather than a merged SOC, more often what you see is the traditional IT SOC team providing a service to a new customer: the OT business unit. Frequently this plays out as a textbook example of the service provider not understanding their customer. A major knowledge transfer needs to occur but doesn’t.

Here are some strategies for ensuring your merged SOC is both efficient and effective. In brief: Engage OT teams early, understand their critical systems and respect their operational constraints.

Benefits of a Unified IT/OT SOC

When done right, a converged SOC offers several benefits. Here are a few:

  1. Stronger security: By combining IT and OT expertise and resources into a single entity, the SOC provides a holistic approach to security that considers the unique characteristics and vulnerabilities of both environments.
  2. Increased efficiency: A converged IT/OT SOC can streamline the detection and response process by eliminating the need to transfer incidents between IT and OT teams and reducing the time it takes to resolve issues.
  3. Enhanced visibility: A merged SOC provides a unified view of threats and vulnerabilities, delivering the complete situational awareness needed to protect both the business and industrial sides of an organization.
  4. Better collaboration: By bringing IT and OT experts together in a single unit, a converged SOC encourages collaboration and communication between the two groups.

Foreigners in a Foreign Land

Merged SOCs are typically staffed by analysts steeped in IT cybersecurity, for whom OT security practices are foreign territory. Industrial cybersecurity is all about compensating controls. Oftentimes, all you can do is continuously monitor the environment to detect when something happens, without fixing it immediately or at all. That’s a completely foreign mindset for a traditional IT SOC. Moreover, in industrial environments, you’re always planning for your “worst day.” What catastrophic thing could happen that could impact thousands of people? Your average SOC analyst isn’t trained to think that way.

When it comes to incident response, IT teams are rewarded for rapid response, including automation wherever practical. The default response for most IT security events is to block them immediately, but that’s rarely the right response in an OT environment. Every component in an ICS network is part of a larger process in a very distributed environment. Removing one link can break the whole chain. OT responses must consider criticality as well as potential impact on physical processes and safety. As a result, playbooks often include manual intervention.

Walk the Production Floor

Creating a merged IT/OT SOC goes well beyond feeding data from your industrial environment into your security information and event management (SIEM) system or similar IT security platform so the team can identify issues. Ideally you want an OT/ICS cybersecurity expert in the SOC, but that skillset is rare. Many teams find it easier to train IT people on OT sensitivities than to train OT people on IT cybersecurity skills.

Nothing beats spending time on the production floor talking to plant managers, engineers and operators who understand ICSs inside out, even if they’ve never heard of deep packet inspection (DPI), lateral movement or advanced persistent threats (APTs). Along the way analysts will come up close and personal with decades-old legacy devices that are insecure by design and industrial processes that run 24/7/365, with a narrow annual maintenance window that upgrades and patches must fit into.

Becoming a familiar face on the floor and being willing to learn goes a long way toward bridging the IT/OT cultural divide. Just as when a foreign traveler makes an effort to at least say “please” and “thank you” in the native language, perhaps even cracking open a phrasebook now and then, when IT SOC members show a genuine interest in understanding operational environments they open the door to effective collaboration.

Dial Down the Noise

Alert tuning is one of the best ways to ease tensions between the IT and OT worlds — and get the most value out of your OT monitoring and threat detection platform. There are dozens of different types of alerts and severity levels in industrial settings. Many of the alerts that will catch an IT SOC analyst’s attention are just noise to an OT operator who knows their environment. Setting process variable-specific thresholds that effectively mute nuisance alerts saves the SOC team a lot of effort. If a device in an industrial process drops 10 packets over time, that’s not a big deal. If the same process starts dropping hundreds of packets, that’s something to investigate.
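As an added example (not code from the original article), here is the kind of per-device threshold tuning described above, in Python: a sliding-window count of dropped packets compared against a limit agreed with the plant engineers, so a known-lossy link stops paging the SOC while a safety-relevant process keeps a low bar. Device names, drop counts and threshold values are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample telemetry: (timestamp_s, device, dropped_packets_in_interval).
SAMPLE_TELEMETRY = [
    (0,   "plc-line1", 2),
    (60,  "plc-line1", 3),
    (120, "plc-line1", 5),     # 10 drops in two minutes: nuisance level
    (0,   "hmi-boiler", 40),
    (60,  "hmi-boiler", 90),
    (120, "hmi-boiler", 150),  # hundreds of drops: worth investigating
    (0,   "rtu-remote", 30),   # flaky radio link; operators expect some loss
    (60,  "rtu-remote", 35),
]

# Hypothetical per-device limits (dropped packets per window). "default"
# applies to devices nobody has tuned yet.
TUNED_THRESHOLDS = {
    "default": 50,
    "rtu-remote": 200,   # lossy link: raise the bar so it does not page the SOC
    "hmi-boiler": 100,   # safety-relevant process: keep the bar low
}
UNTUNED_THRESHOLDS = {"default": 50}   # what an untuned IT-style rule looks like
WINDOW_S = 300  # sliding window length in seconds


def threshold_for(device, thresholds):
    """Per-device limit, falling back to the default for untuned devices."""
    return thresholds.get(device, thresholds["default"])


def evaluate(telemetry, thresholds, window_s=WINDOW_S):
    """Return {device: window_total} for devices whose dropped-packet count
    within the sliding window first exceeds their threshold (one alert each)."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, device, drops in sorted(telemetry):
        q = windows[device]
        q.append((ts, drops))
        while q and q[0][0] < ts - window_s:   # evict samples older than the window
            q.popleft()
        total = sum(d for _, d in q)
        if total > threshold_for(device, thresholds) and device not in alerts:
            alerts[device] = total
    return alerts


if __name__ == "__main__":
    print("untuned:", evaluate(SAMPLE_TELEMETRY, UNTUNED_THRESHOLDS))
    print("tuned:  ", evaluate(SAMPLE_TELEMETRY, TUNED_THRESHOLDS))
```

With the untuned rule the lossy RTU pages the SOC alongside the boiler HMI; with the tuned limits only the HMI alerts, and the PLC's ten drops never fire either way.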

Establish a Single Security and Risk Management Function

To properly protect OT systems, it takes both IT skills and OT knowledge. As far back as 2017, Gartner was recommending that organizations move to an integrated IT/OT SOC:

“In a continuously evolving threat landscape, a single established security and risk management function is better positioned to address these threats across both IT and OT. A single leader of this function can also be held accountable for the organization's overall digital risk. As an added benefit, scarce security resources can now be deployed to address both IT and OT." 

Gartner, How to Organize Security and Risk Management in a Converged IT/OT Environment, 2017.

It has taken some time for organizations to heed this advice, and scant data is available regarding the pace of SOC integration. But a merged SOC is the de facto enforcement mechanism for managing enterprise risk. To work, SOC staff must be educated on the sensitivity and criticality of OT networks and their mitigation constraints. They must also have the right tools, such as OT-specific solutions that safely monitor networks and devices and understand unfamiliar protocols, as well as OT-specific threat intelligence. And they must be willing to reach out to OT experts who can explain important context and collaborate on safe incident handling.