Introducing a New Splunk Add-On for OT Security

The lines between IT and OT are blurring. With IT and Operational Technology (OT) systems converging, ensuring the security of devices, applications, physical locations and networks has never been more difficult or more important. There is a growing recognition among security professionals that they have a readiness and visibility problem in plain sight. In a Siemens/Ponemon Institute study surveying 1,700+ individuals in organizations with operational technology environments, respondents believe that cyber threats present a greater risk to their OT than to their IT environment. Only 42% rated their cyber readiness as high, and only 31% rated their readiness to respond to or contain a breach as high.

There are a number of factors driving the growing OT security risk. The "air gap" many OT organizations have historically relied upon as a primary security mechanism is dissolving. Devices at all levels of the Purdue model are now routinely being connected to enterprise IT networks using a variety of communication technologies (wired, Wi-Fi and cellular), making them increasingly vulnerable. A SANS Institute survey from 2018 reported that 37% of devices in the Manufacturing Zone (Purdue levels 0, 1, 2 and 3) were connected to enterprise networks. In addition, equipment that was once strictly mechanical is becoming digital, increasing the attack surface and enabling attacks far more sophisticated than those the deployed monitoring and cyber defenses were built to detect. These assets are built on top of common operating systems (Windows, Linux, Android and VxWorks), which makes them susceptible to the same kinds of attacks used against IT devices.

We've worked with customers on these challenges for many years, and are excited to share additional capabilities, available as of today, that help organizations improve the security posture of their OT environments. We are introducing a new Splunk add-on for OT Security to enable organizations that operate assets, networks and facilities across both carpeted (IT) and concrete (OT) environments to better apply Splunk® Enterprise Security to threat detection, incident investigation and response. This add-on expands the capabilities of Splunk's data platform for threat and attack monitoring, compliance, incident investigation, forensics and incident response across the broad spectrum of assets and topologies — from email servers to PLCs — that define modern manufacturing, energy and public sector organizations.

What is the Splunk Add-On for OT Security?

The Splunk add-on for OT Security expands existing Splunk Enterprise Security frameworks to improve security visibility in OT environments. This add-on provides capabilities in three primary areas:

  1. Expanded ability to ingest and monitor OT assets
  2. Improved OT and application vulnerability management, including defined applications of MITRE ATT&CK for ICS
  3. Interfaces and reports to support customer compliance and audit with NERC CIP

These capabilities are delivered in the new add-on, now available on Splunkbase, together with detailed documentation that outlines installation, related Technology Add-ons, a reference architecture and a number of knowledge objects that support enhanced OT security monitoring. The included objects span new and modified searches, dashboards and panels, reports, KSIs, lookups and extensions to Splunk Enterprise Security frameworks.

The Splunk add-on for OT Security is built to improve integration with leading OT security technologies, including inventory discovery and management systems, network monitoring and anomaly detection solutions, and endpoint monitoring and patch management tools. We have worked closely with many leading OT security vendors, including Armis, Forescout, Langner, Nozomi and others, to enable high-value data access and visibility.

To find out more about this add-on for OT Security, you can download our whitepaper, "Protecting Operational Technology With Splunk." You can also download the app yourself from Splunkbase, reach out to your Splunk account team or our OT security experts directly at

Posted by Ed Albanese