There’s a reason that virtually every vendor in the OT cybersecurity space has adopted some version of the catchphrase “you can’t secure what you can’t see”. After all, textbook risk management methodologies always begin with “identification”. You can’t proceed accurately through the remaining steps of analyzing and prioritizing risks – much less managing, monitoring or mitigating them – without first understanding what is at risk.
However, most risk management processes are built around financial risks, project lifecycle risks, or similar concepts. Thus, the process step known as “identify” focuses most on identification of “risks”, as the assets sought to be protected are usually well known. This is largely true of IT cybersecurity as well. IT risk assessment typically focuses on digital service interruptions and data loss. In OT environments, breach of an industrial control system can impact the movement of molecules. Disruption to operational processes can range from production losses to the devastation of an entire community and beyond. A fundamental difference in OT cybersecurity is that this critical first step to “identify” is focused on identifying “operational assets”. In a typical OT environment, the assets are not well known from a cybersecurity risk management standpoint. This is the very infrastructure that comprises industrial IoT and enables Industrie 4.0 and smart manufacturing.
The industry has come to appreciate this critical difference and the role that a comprehensive OT asset inventory must play in designing a cybersecurity risk management program. Unfortunately, an unsettling theme is emerging that seems to treat “good enough” as good enough when it comes to OT asset inventory. There are two major misconceptions associated with the adequacy of OT inventory. One is the idea that awareness of 80-90% of the assets in the OT network is acceptable. The other fallacy is that basic asset identifiers like make and version are sufficient for cybersecurity. One goes to the completeness of inventory for vulnerability management, and the other addresses risk through configuration and change management. An OT cyber inventory appropriate for identification and management of risk consists of much more.
“Good enough” isn’t a sound methodology for responsible risk assessment of any kind, and it can be particularly dangerous in the OT world. Many have compared risk assessment in OT cybersecurity to hazard and operability study (HAZOP) analysis in the chemical processing industry. A proper HAZOP requires identification and assessment of every asset in the process subject to risk. That is 100% of the assets. You never hear the words “good enough” from the mouths of safety practitioners. Why would OT cybersecurity practitioners view an incomplete inventory as “good enough”?
To put it differently, “what you can’t see is a hole in your OT cybersecurity posture”. In this case, what you can’t see can harm you. What you can’t see or manage is precisely the place for a bad guy to leverage cyber assets to create safety risks.
We recently asked 20 OT cybersecurity experts to weigh in from the field with their recommendations on how to secure industrial facilities. Visit www.pas.com/ebooks for a four-part eBook series comprised of their insights as well as on-demand webinars that analyze their responses. For a deeper dive into the above topic, watch the final webinar of the series where I discuss in conjunction with their advice.