Effective OT-level Cybersecurity Requires Accurate Asset Inventory

By Larry O'Brien

Category:
ARC Report Abstract

 Overview

A good cybersecurity strategy requires a good asset inventory.  Many end users in the manufacturing and critical infrastructure sectors invest in OT-level cybersecurity solutions precisely for their ability to create a more comprehensive asset inventory to provide a foundation for identifying and remediating cyber risks.  Cybersecurity management tools and applications can provide a deeper understanding of your installed assets, their many network connections, and their relationships to other assets in the enterprise.

Operational technology (OT), however, includes many assets that exist outside the realm of traditional information technology (IT) assets like switches and routers.  Industrial controllers like programmable logic controllers (PLCs) and distributed control system (DCS) controllers are just the beginning.  The scope of OT-level assets is broad, and not all these devices are readily detectable on IP-based networks.  Obtaining a detailed and accurate inventory in the OT sector requires greater knowledge of the comprehensive range of proprietary control systems, networks, and other products that exist below the level of traditional IT assets. 

Defining an OT asset can also be challenging.  A single PLC, DCS controller, or workstation PC could have multiple associated assets:  I/O cards, different types and versions of software and firmware, etc.  It’s critical to be able to include these in the asset inventory because software vulnerabilities are often version specific. A comprehensive OT asset inventory provides the foundation for other things crucial to operations, such as system configuration and change management.  The OT asset inventory can also provide the necessary context for more advanced functions like anomaly detection.   

The Value of a Good OT-level Accurate Asset Inventory

Having a comprehensive asset inventory is the foundation of a good cybersecurity strategy for any organization.  For those in the industrial and critical infrastructure sectors, however, distinctions must be made between IT-level asset inventory and OT-level asset inventory.  The lines between IT and OT technologies continue to blur, with more applications and even control products relying on standard IT- based technologies.  But the OT level contains many more non-IT-based assets, including older DCS, PLC, and other components and devices.  In addition, many IT-based systems used in OT environments have significant constraints in terms of the frequency and ability to patch them, which are not the case in non-industrial uses.

Most Inventories Do Not Go Deep Enough

Complex installations that change over long periods of time will almost always have large gaps in asset inventory.  This is true for any plant or facility in the process or discrete manufacturing industries, as well as building automation systems and critical infrastructure applications.  A continuously evolving mix of proprietary and legacy controls and instrumentation coexists alongside the new wave of IT-centric assets that utilize Ethernet-based and other standard technologies. 

accurate asset inventory

The intelligent device and sensor layer, referred to as Level 1 or Level 0 in the Purdue Enterprise Reference Architecture, is becoming more important as the range of digital instrumentation continues to expand.  Many if not most of the critical Level 1 and Level 0 assets in industrial applications are not connected to IT- level networks, and many are not connected to true networks at all.  Sensors and valves that control flow, pressure, and level are good examples.

Many OT Assets Are “Islanded”

Many OT assets in industrial environments do not connect to the network at all, compounding the discovery problem.  For example, a multinational oil and gas company that recently conducted an OT-level asset inventory found that 40-60 percent of its OT assets were “islanded,” or not connected to the network.  Even if these assets do communicate on a network, they usually do not pass the detailed OT asset inventory and configuration information required for a comprehensive OT asset inventory over the network.  Manual inventory is not feasible; manual efforts are inefficient, inaccurate, and incomplete.

Network-based Solutions Are Insufficient

Industrial companies are realizing they cannot rely solely on network traffic analysis to gather a complete inventory, even if a network-based solution uses an “active” component to query OT devices to discover inventory.  That’s because, for many OT assets, even with an active query you cannot retrieve all necessary detailed inventory (e.g., software and firmware version).  Additionally, the architecture at many facilities prohibits placement of devices and/or software required to gather inventory via network traffic.  Islanded systems (such as PLCs and safety systems), and DCS are particularly challenging for network-based inventory solutions. 

In most cases, an attempt to place a network packet capture solution on a DCS network will void the manufacturer’s warranty.  For many industrial companies, a better approach could be to collect a more complete inventory using configuration backup files as the primary source of data.  Collecting and interpreting these files also has the added benefit of bolstering a backup and recovery strategy which, in turn, improves resilience.

What Constitutes a Good OT-level Asset Inventory?

Basic asset inventories should include information such as model, make, manufacturer, and so on.  But a good asset inventory should include more than this.  A detailed inventory will include information related to I/O cards in a control system or PLC, information related to controllers, COM modules, operator and application stations, wireless I/O modules, and relationship and dependency information. 

There are also “assets within assets” to contend with.  Within assets such as operator workstations and controllers, for example, there will also be installed applications, firmware, and other subsegments of inventory that should be captured as they represent additional points of risk exposure.  Knowing that you have a workstation, for example, is not very helpful from an asset inventory perspective if you do not know the details about the operating system, installed applications, firmware, etc.  This applies to more than just workstations and controllers.  Good asset inventory for intelligent, microprocessor-based devices will also include this information. 

 

ARC Advisory Group clients can view the complete report at ARC Client Portal   

If you would like to buy this report or obtain information about how to become a client, please Contact Us  

Keywords: OT/ICS Cybersecurity, Asset Inventory, Response Plan, Cyber Integrity, ARC Advisory Group.

Engage with ARC Advisory Group