Keeping OT Secure: Why OPSWAT NetWall is the Best Choice for Splunk Replication

Author: OPSWAT

If you’re working in security, you know the drill: visibility is non-negotiable.

This aligns with the SANS ICS Critical Control #3 (Network Visibility and Monitoring), the NIST CSF, and the ISA/IEC 62443 standards, all of which specifically outline visibility requirements.

However, it’s challenging to safely incorporate network visibility into OT and ICS environments for all teams who need it:

  • IT and OT security teams need logs to monitor events.
  • Incident responders need data to make informed decisions during attacks.
  • Forensic analysts need data to understand how an attack in the OT environment occurred and the timeline of events.
  • Even compliance teams need records to prove due diligence.

It’s not an issue of “how” to provide OT access to these teams; it’s an issue of providing access without accidentally leaving the door open to attackers.

This is where the OPSWAT MetaDefender NetWall comes in.

Instead of letting each of these teams reach into the OT environment, a MetaDefender NetWall one-way data diode pushes logs from OT to IT, allowing teams to see what’s happening without opening the door to threats.

Who Needs OT Logs (and Why They Can’t Just “Log In”)

Frameworks like the SANS ICS Critical Controls, the NIST CSF and ISA/IEC 62443 have clear visibility rules.

Visibility controls are essential for identifying assets, detecting vulnerabilities, and monitoring threats in real time, without disrupting critical, sensitive industrial processes.

Several teams inside an organization have a non-negotiable need for real-time OT data.

SOC (Security Operations Center) Analysts

SOC analysts are in charge of monitoring, detecting, investigating, and responding to security alerts.

In a nutshell, their job is to spot threats before they become disasters. To do so, they need real-time OT logs to detect intrusions, malware, or abnormal traffic.

However, if an attacker gains direct access to the IT environment, they can quickly pivot into OT systems, creating a serious risk of an OT breach.

For that reason, SOC teams cannot rely on simple login methods to access real-time OT data for monitoring.

If the SOC system were compromised, an attacker could exploit that connection as a pathway into the OT environment.

OT Security Teams

OT security teams protect the industrial control systems and OT technology, such as SCADA, PLCs, and manufacturing robots, that manage physical infrastructure.

These teams need security logs for forensic analysis and anomaly detection.

Giving IT-side systems that run ICS- and OT-specific security tools access into the OT environment is not a great idea either.

Similar to the SOC situation, if those IT systems are compromised, they could provide attackers with a direct pathway into OT operations.

Incident Response and Forensic Analysis Teams

If an anomaly or a breach is detected, teams for incident response and forensic analysis are called in to investigate and remediate.

They need logs to identify, contain and eradicate attacks on OT systems, and to build a path toward preventing repeat incidents.

However, these teams are typically engaged after a compromise has already been confirmed, when risks are even higher.

If response tools or credentials are compromised, a login path into OT would hand attackers exactly what they need.

Therefore, incident response and forensic teams should not have direct login-based access into the OT environment.

Compliance & Audit Teams

If there are no logs, compliance standards aren’t met.

Compliance and audit teams require long-term log storage and reliable event tracking to meet regulatory and reporting requirements.

However, granting auditors direct access to the OT environment is neither necessary nor advisable.

It is far safer and more controlled to provide them with the required logs and reports externally, rather than opening a live access path into OT systems.

Why a Data Diode? Because Inbound Access is a Nightmare

At this point, it is clear that allowing enterprise systems to query OT logs directly creates high security risks.

A poorly secured connection is all an attacker needs to:

  • Pivot from IT to OT.
  • Exfiltrate sensitive OT and ICS environment data including control system information such as PLC make and models, process values, and more.
  • Tamper with logs to cover their tracks.

MetaDefender NetWall eliminates these risks by enforcing a unidirectional data flow in hardware.

Logs go out, but nothing comes back in.

Our teams get the data they need, and OT stays locked down and safe.

How It Works

The OT Splunk instance collects security logs from across the OT environment.

  • The collection includes firewall logs, IDS/IPS logs, Windows event logs, and even PLC events.

Rather than allowing enterprise users or systems to reach into OT, OPSWAT NetWall securely pushes the logs outward from the OT Splunk collector.

The enterprise Splunk instance then receives a Splunk-to-Splunk copy of those events.

Thus, security and compliance teams get the visibility they need, without creating inbound access paths that could expose the OT environment to risk.
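The replication path described above, expressed as Splunk configuration on both sides of the diode. This is an added illustration, not OPSWAT's or Splunk's published NetWall integration guide: the address 10.0.10.5 (NetWall's OT-side interface), the index names and the port numbers are placeholders, and it assumes that NetWall's OT-side interface accepts the forwarder's TCP stream and replays it out of its enterprise-side interface to the indexer, as the page describes at a high level. The setting a practitioner should check first is `useACK`: indexer acknowledgment needs a packet back from the receiver, which a one-way link can never deliver, so it must stay disabled or the forwarder stalls.

```ini
# ===== OT side: OT Splunk collector =====

# inputs.conf: collect the OT sources named above (ports and index names
# are constructed for this example)
[udp://514]
sourcetype = syslog
index = ot_network        # firewall and IDS/IPS syslog

[tcp://5514]
sourcetype = plc_events
index = ot_process        # PLC events exported as line-oriented text

[WinEventLog://Security]
index = ot_windows        # Windows event logs (Universal Forwarder on the host)

# outputs.conf: push everything outward through the diode
[tcpout]
defaultGroup = netwall_diode
# Weak setting, do NOT use behind a diode:
#   useACK = true
# The indexer's acknowledgment would have to travel back into OT. With no
# return path the forwarder waits forever and its queue fills.
useACK = false

[tcpout:netwall_diode]
# Hypothetical NetWall OT-side interface; Splunk-to-Splunk port
server = 10.0.10.5:9997
# Send the native Splunk-to-Splunk ("cooked") stream so the enterprise
# indexer sees the original index, sourcetype and host fields
sendCookedData = true
# Buffer locally if the link drops briefly instead of losing events;
# size this to the outage window you are willing to cover
maxQueueSize = 500MB

# ===== Enterprise side: enterprise Splunk indexer =====

# inputs.conf: receive the replayed stream from NetWall's enterprise-side
# interface. The indexer only listens; it never initiates toward OT.
[splunktcp://9997]
disabled = false

# distsearch.conf: deliberately NO entry for the OT instance.
# Adding it as a search peer would reopen exactly the inbound query path
# the diode exists to remove.
```

Two checks follow from this layout: on the OT side, the forwarder's metrics log should show the `netwall_diode` queue draining (a queue that only grows means the link or an acknowledgment setting is wrong), and on the enterprise side, the only Splunk connections involving OT addresses should be inbound on the `splunktcp` port, with none originating from the enterprise indexer.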

Final Thoughts: Security Without Compromise

If your enterprise security teams are asking for OT logs, don't shut the door with a definitive “no.” 

You can give them the access they need, just not in a way that exposes the entire environment. 

The OPSWAT NetWall data diode gives them the visibility they need while keeping OT safe.

With no inbound access, the log replication link itself cannot be turned into a path for compromising OT.

OPSWAT NetWall ensures the right data reaches the right hands, in the right way.  

You don’t have to choose between visibility and safety.  

With a data diode, you can get both.  

Get in touch and see how OPSWAT NetWall keeps your security teams productive, and your OT environment safe and secure. 
