An important foundational capability for operational technology (OT) cybersecurity is an accurate and detailed OT asset inventory. Without such an inventory, it is impossible to have the visibility necessary to understand and reduce risk. Fundamental questions, such as the following, simply cannot be answered:
- Which of my OT assets has connectivity to the public internet (directly or indirectly)?
- Which systems and applications should I ensure have least privileged access?
- Which vulnerabilities are present in my OT environment? At which sites? For which industrial processes?
- How should I prioritize patching efforts to most effectively reduce risk?
- Which of my assets have reached obsolescence, so that I can no longer rely on vendors to provide patches for them?
- Have we documented our configuration settings sufficiently to detect deviations and support incident response, forensics, and recovery from a cyber attack?
This is why the US Cybersecurity Infrastructure Agency (CISA) says “Protecting your systems requires knowing which devices are connected to your network, which applications are in use, who has access to these, and the security measures in place.” In fact, the first “Essential Action” CISA recommends is to “Inventory all hardware and software assets so you know what is in-play and at-risk from attack.”
But what is a “good” OT asset inventory? If you ask 5 people, you are likely to get at least 5 answers. This is because organizations have developed their own, often limited-scope, policies for inventorying OT assets. What’s more, industry standards are not entirely prescriptive, although they do provide general guidance.
That’s why we, at PAS, have decided to offer an OT Inventory Assessment Service. This service, which is complimentary for qualified organizations, takes a snapshot of your current asset inventory for a site and then compares that against best practices to help you identify any gaps in your current approach. The service also documents the business value of addressing those gaps so you can justify the effort to address them.
Here’s a diagram of what we typically see in OT asset inventories (text shown in white) and the most common gaps (text shown in red):
The reality is that most vulnerabilities in OT are in components not tracked in current OT asset inventories. This means the process to understand and reduce risk often falls back on manual activities like emails and conference calls that go something like this: “There’s a new ICS-CERT advisory for firmware running in vendor X’s system. Our spreadsheet inventory says your site has vendor X’s system. Can you confirm whether it has this specific firmware and version running on it? If so, please confirm the business criticality and process hazard risk for this system and let us know when your next shutdown / maintenance window would be to patch it.” (FYI -- here’s a real-world example for hijacking of industrial TCP connections if you haven’t seen an ICS-CERT advisory before.) Sadly, the response to such activities is often lacking, with significant overhead for onsite staff to manually research local systems, and emails that aren’t replied to for days, weeks, or at all.
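To make the gap concrete, here is an added illustration (not PAS code or part of the assessment service) of an advisory-matching pass over a constructed site inventory: assets whose inventory record stops at the system level, with no firmware component or version, cannot be classified and fall straight into the manual confirmation loop described above. Asset tags, vendor and component names, and versions are all made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    tag: str
    vendor: str
    model: str
    site: str
    # Firmware components actually running on the asset (component -> version).
    # Empty when the inventory records only the system, not what runs inside it.
    firmware: dict = field(default_factory=dict)

@dataclass
class Advisory:
    vendor: str
    component: str
    affected: set  # firmware versions the advisory names as vulnerable

# Constructed sample inventory: Site A tracks firmware per asset, Site B does not.
INVENTORY = [
    Asset("PLC-101", "VendorX", "CtrlSeries", "Site A", {"ctrl_fw": "2.1"}),
    Asset("PLC-102", "VendorX", "CtrlSeries", "Site A", {"ctrl_fw": "2.4"}),
    Asset("PLC-201", "VendorX", "CtrlSeries", "Site B"),  # spreadsheet-level only
    Asset("HMI-210", "VendorY", "ViewStation", "Site B"),
]

# Constructed advisory: VendorX controller firmware, versions 2.0 and 2.1 affected.
ADVISORY = Advisory("VendorX", "ctrl_fw", {"2.0", "2.1"})

def triage(inventory, adv):
    """Classify each asset against an advisory.

    "unknown" means the inventory cannot answer the question, so a manual
    confirmation with site staff is still required before risk can be assessed.
    """
    result = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for a in inventory:
        if a.vendor != adv.vendor:
            result["not_vulnerable"].append(a.tag)
            continue
        version = a.firmware.get(adv.component)
        if version is None:
            result["unknown"].append(a.tag)
        elif version in adv.affected:
            result["vulnerable"].append(a.tag)
        else:
            result["not_vulnerable"].append(a.tag)
    return result

def component_coverage(inventory, adv):
    """Fraction of the advisory vendor's assets whose inventory records the component."""
    in_scope = [a for a in inventory if a.vendor == adv.vendor]
    tracked = sum(1 for a in in_scope if adv.component in a.firmware)
    return tracked / len(in_scope) if in_scope else 0.0
```

Run `triage(INVENTORY, ADVISORY)` to see PLC-201 land in the "unknown" bucket; `component_coverage` reports how much of the vendor's fleet could be triaged without a phone call.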
There is a better way, and it starts with an assessment of your current OT asset inventory. The PAS OT Inventory Assessment service consists of the following steps:
- Request initiated by an asset owner
- PAS reviews and approves the request
- Non-disclosure / Confidentiality agreement signed (as needed)
- PAS gathers information from the asset owner about how they produce their inventory today
- Asset owner provides a sample of their existing asset inventory for a site (PAS can provide guidance on data collection as needed)
- PAS and the asset owner finalize the types of assets that will be used for the assessment
- PAS reviews the inventory information provided for the selected assets and compares against best practices
- PAS produces an inventory and gap analysis report, including vulnerabilities found, missing patches, and an attack surface assessment
Assuming the asset owner is able to provide the sample site inventory relatively quickly (in a few days), the time to execute the service from start to finish should take no more than a couple of weeks.
Here is a sample of the level of best practice inventory information that is used to classify assets and compare attributes against the asset owner’s current OT asset inventory to identify gaps:
Here is the type of information about patch levels the assessment will take into consideration:
Including the characterization of known vulnerabilities for the systems assessed:
Along with an assessment of your related OT asset attack surface:
And the types of configuration concerns that can be tracked:
How effective is your OT asset inventory? If your answer is “not effective” or “we don’t know”, the PAS OT Asset Inventory Assessment Service will help you understand your gaps and the value of addressing them. Even if you think you have a pretty good handle on your inventory, you may be surprised at the gaps you find.