18 September 2016

A few weeks ago, we started a small project to attach a production site to the central SIEM system.

Operational IT (OT) groups, which run the production IT systems, are traditionally not very happy when it comes to a close collaboration with Information Technology (IT) groups which run the ‘Office’ IT systems. OT groups are always afraid of negative impacts of Office IT systems and procedures to the availability and the safety of the production facilities.

Thus we started with a minimal invasive approach. Our goal was to keep the impact of the local SIEM components on the production active directory, systems and firewalls at a minimum.

The result was remarkable: Within a few days we attached some Windows systems, switches and firewalls to the central SIEM system. No technical users were installed in the production active directory, and only 3 ports were opened on the firewall for a point to point connection from the local SIEM component to the central system. More important, no reboot of whatever system was required! The OT group was positively impressed.

Unfortunately, to keep the local SIEM software up-to-date patches must be applied 6 to 8 times a year. Patching requires always a new installation and configuration of the local SIEM components. This will keep the OT groups busy, in particular at large production sites with lots of network partitions.

To reduce this effort, a management system can be set up which automates the local installation and configuration of the SIEM software components. But for the operation of the management system, we have to open additional firewall ports for communication from outside the production network to SIEM components in all network partitions inside the production network. This renders our network security concept invalid. In the worst case, attackers can use these connections to get access to the production systems from the office network.

SIEM is starting to become a security nightmare for the OT groups. Even though it would be quite simple for the vendor of the SIEM software to turn this into a really smart and secure process:

• Change the software patching process such that the configuration of local SIEM components is retained
• Introduce an offline management mode, e.g. admit the application of predefined configurations

With this, the impact of the SIEM software on the production network is minimized, and the overall security level is retained. Unfortunately, vendors of security software are often not interested in the overall security level …

Have a good weekend.