By Rick Kaun
Many industrial organizations seek an accurate asset inventory within their operational technology/industrial control system (OT/ICS) environments. But what should an OT/ICS asset inventory include? The answer depends on the objective. The common phrase used is “you can’t protect what you can’t see.” But this phrase and many inventory efforts miss the fact that an asset inventory should be the foundation upon which the whole ICS cybersecurity program rests.
In contrast to an asset inventory that provides a one-time or infrequent list of hardware, a robust foundation for OT/ICS security requires real-time visibility into all of the hardware, software, and firmware in your network, all of the users, accounts, patches, vulnerabilities, network device configurations, Windows settings, embedded device backplanes, and the status of various security elements such as application firewalls, whitelists, and antivirus software.
In information technology departments, security practitioners are used to having robust asset information because of the many tools available to gather it. They use this data as a foundation of security in the following ways:
- patch management, which is impossible without a comprehensive software inventory
- secure configurations, which are essential to security
- robust recovery processes, which require visibility into the backup status of each device to ensure it is recent and accurate.
In OT/ICS departments, however, users typically do not have the tools to gather and maintain such an inventory. As a result, OT/ICS cybersecurity programs have historically relied on perimeter defenses and passive detection of anomalous events. Without comprehensive asset inventory management, OT organizations do not know the true security status of their environments and cannot conduct effective security management at scale.
The situation reminds me of the children’s book, If You Give a Mouse a Cookie. It is a fanciful tale of a boy and his pet mouse. The boy gives his mouse a cookie, which leads to the mouse wanting a glass of milk. The mouse wants to make sure the milk did not give him a mustache, so he asks to look in the mirror, which turns into a need for a trim. There is a series of things the mouse wants next until he is reminded again of milk, and then asks for another cookie.
A cybersecurity program is very much like giving a mouse a cookie. For example, if you start with a basic asset inventory to understand what you have, your next step is to gather vulnerability data about that inventory. The vulnerability information tells you to patch, which is not always possible in OT environments, so you will ask to see a report on compensating controls for those unpatched assets. But those compensating controls are always backstopped by the OT safety net—a full backup or restoration point. Now you realize the asset inventory view needs to include plans for restoration and recovery, bringing you back full circle to where you started. All the while, the world and the cyberrisks within it continue to evolve, which means the introduction of new vulnerabilities.
When a new vulnerability is discovered, you rely on your asset inventory to determine how many ICS assets are in scope for this risk, how many can be safely patched, and how many vulnerabilities can apply compensating controls. If there are too many nonpatchable assets, you will soon be asked if upgrading the assets is possible. The answer is yes, but how do you decide which assets to upgrade?
A version of this article appeared in January 2022 on Automation.com.
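The chain described above (inventory, then vulnerability scope, then patchable versus compensating controls, then backup status) can be run as a query over an inventory that carries the fields the article calls for. The following is an added example, not code from the article or from any product; the asset records, product names, versions and the advisory are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Asset:
    name: str
    product: str                        # software or firmware product
    version: str
    patchable: bool                     # can be patched in an outage window
    compensating_controls: List[str] = field(default_factory=list)
    last_backup: Optional[date] = None  # last known-good restore point

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def triage(inventory, product, fixed_version, backup_max_age_days, today):
    """For one advisory: which assets are in scope, which can be patched,
    which rely on compensating controls, which are exposed, and which lack
    a recent backup to fall back on."""
    buckets = {"in_scope": [], "patchable": [], "compensated": [],
               "exposed": [], "stale_backup": []}
    for a in inventory:
        if a.product != product or version_tuple(a.version) >= version_tuple(fixed_version):
            continue  # different product, or already at the fixed version
        buckets["in_scope"].append(a.name)
        if a.patchable:
            buckets["patchable"].append(a.name)
        elif a.compensating_controls:
            buckets["compensated"].append(a.name)
        else:
            buckets["exposed"].append(a.name)
        if a.last_backup is None or (today - a.last_backup).days > backup_max_age_days:
            buckets["stale_backup"].append(a.name)
    return buckets

# Constructed sample inventory (names, products and versions are made up)
INVENTORY = [
    Asset("HMI-01", "ExampleHMI", "3.1.2", True, [], date(2022, 1, 10)),
    Asset("PLC-07", "ExamplePLC-FW", "2.0.5", False, ["app-whitelist", "zone-firewall"], date(2021, 6, 1)),
    Asset("PLC-08", "ExamplePLC-FW", "2.0.5", False, [], None),
    Asset("PLC-09", "ExamplePLC-FW", "2.1.0", False, [], date(2022, 1, 5)),
    Asset("ENG-WS", "ExampleHMI", "3.1.2", True, ["antivirus"], date(2022, 1, 12)),
]

def triage_sample():
    # Constructed advisory: ExamplePLC-FW below 2.1.0 is affected; backups older than 30 days are stale
    return triage(INVENTORY, "ExamplePLC-FW", "2.1.0", 30, date(2022, 1, 15))
```

Calling `triage_sample()` returns the five buckets; the two affected controllers split into one covered by compensating controls and one exposed, and both lack a recent backup, which is the restoration gap the article says the inventory view must surface.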
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.