At PAS, we advocate that industrial companies create a comprehensive inventory of their OT/ICS assets. Without a complete understanding of your OT assets, effectively managing cybersecurity risk and ensuring reliable operations is simply not possible.
According to the SANS 2019 State of OT/ICS Cybersecurity Survey, asset identification was the No. 1 concern among respondents. Unfortunately, despite its importance, OT asset inventories in many organizations continue to be unreliable and incomplete.
A new whitepaper from SANS, ICS Asset Identification: It’s More Than Just Security (June 2020), examines the different approaches for asset identification, such as physical inspection, passive discovery, active discovery, and configuration analysis.
The limitations of building an OT asset inventory by physical inspection are well understood: it is slow, costly, hard to scale, shallow in the detail it captures, and out of date as soon as the walk-down ends. In response, some organizations have experimented with passive discovery (network packet analysis) to identify OT assets. But passive discovery has its own well-recognized gaps in OT environments, notably devices that rarely or never communicate on the process control network, and this has raised the question of whether and how active OT asset discovery can fill the gaps inherent in a passive-only approach to OT asset inventory.
Active methods on OT networks bring their own challenges and limitations. Improperly targeted probes can disrupt OT services, and older equipment with non-compliant protocol implementations may react badly to requests it was never designed to receive. Existing control system network designs may severely constrain active data collection or prohibit it entirely. Active discovery can also miss devices that respond only under specific circumstances, and it adds traffic and latency to the environment, which can have process consequences on low-bandwidth, high-latency networks. Finally, active methods cannot reach islanded OT systems that are not connected to a network at all.
OT asset configuration analysis yields more accurate and detailed asset inventory information than physical inspection or than either passive or active network packet analysis can provide.
According to the new SANS whitepaper, “Configuration analysis is one of the best ways to get comprehensive OT information into your asset inventory and can provide a great baseline and contextual process information that cannot be obtained by other asset identification techniques.”
And as the report goes on to state, “Using the OT system configuration information is the most economical way to get discovery information from Level 1 and Level 0 devices to ensure a comprehensive inventory.”
Configuration analysis takes existing configuration data from process control systems, networking devices, and other sources to create a comprehensive inventory of OT assets. Configuration analysis is also typically the only way to obtain comprehensive inventory information from (1) isolated or air-gapped OT systems, (2) OT systems in disconnected environments, such as safety systems, and (3) control systems that produce limited, if any, network traffic during normal operations. Configuration analysis also enables teams to keep their OT asset inventory information up to date without putting additional load on the network.
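To make concrete what configuration analysis adds over a passive-only inventory, here is an added example in Python. It is not PAS or SANS code and not any vendor's export format: the configuration export and the passive-sensor host list are constructed samples in an invented, vendor-neutral layout, and every device name, address and firmware version in them is made up for illustration. It builds the inventory from the configuration records, then reconciles it against what a passive sensor saw, so the Level 0/1 devices that never appear on the wire, the unknown host that appears in no configuration, and a configured address seen with a different MAC each land in their own bucket.

```python
"""Build an OT asset inventory from configuration data and reconcile it with
passive network observations.

Added illustrative example, not PAS or SANS code. CONFIG_EXPORT and
PASSIVE_OBSERVATIONS are constructed samples in an invented, vendor-neutral
format; real engineering tools export configuration in their own formats.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed: one asset per line as an engineering workstation might export it.
# Level 0/1 devices (I/O modules on the controller backplane, a serial-attached
# safety logic solver) have no IP and never appear in Ethernet traffic.
CONFIG_EXPORT = """\
# name;type;vendor;model;firmware;ip;mac;parent
PLC-101;controller;ExampleCo;CPU-5;2.3.1;10.10.1.11;00-11-22-33-44-01;
PLC-101-IO1;io_module;ExampleCo;AI-8;1.0.4;;;PLC-101
PLC-101-IO2;io_module;ExampleCo;DO-16;1.0.4;;;PLC-101
PLC-102;controller;ExampleCo;CPU-5;2.2.9;10.10.1.12;00:11:22:33:44:02;
HMI-01;hmi;ExampleCo;Panel-10;5.1;10.10.1.50;00:11:22:33:44:50;
SIS-01;safety_controller;ExampleCo;SL-3;4.0.2;;;
"""

# Constructed: hosts a passive sensor saw on the control network ("ip mac packets").
# PLC-102 was idle during the capture; 10.10.1.77 is in no configuration at all.
PASSIVE_OBSERVATIONS = """\
10.10.1.11 00:11:22:33:44:01 18422
10.10.1.50 00:11:22:33:44:51 9031
10.10.1.77 00:11:22:33:44:77 12
"""


@dataclass(frozen=True)
class Asset:
    name: str
    type: str
    vendor: str
    model: str
    firmware: str
    ip: Optional[str]
    mac: Optional[str]
    parent: Optional[str]


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC so exports and sniffers using different separators compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


def normalize_ip(raw: str) -> Optional[str]:
    """Return a canonical IP string, or None for blank/invalid fields (device has no address)."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def parse_config_export(text: str) -> list[Asset]:
    """Parse the constructed export; a malformed record raises rather than silently vanishing."""
    assets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 8:
            raise ValueError(f"malformed record: {line!r}")
        name, typ, vendor, model, fw, ip, mac, parent = fields
        assets.append(Asset(name, typ, vendor, model, fw,
                            normalize_ip(ip), normalize_mac(mac), parent or None))
    return assets


def parse_passive_observations(text: str) -> dict[str, str]:
    """Map each observed IP to the MAC it was seen with."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            ip, mac = normalize_ip(parts[0]), normalize_mac(parts[1])
            if ip and mac:
                seen[ip] = mac
    return seen


def reconcile(assets: list[Asset], observed: dict[str, str]) -> dict[str, list[str]]:
    """Split the inventory by what each method could see.

    config_only:  in configuration, never on the wire (passive discovery misses these)
    network_only: on the wire, in no configuration (unknown device worth investigating)
    mac_mismatch: configured IP seen with a different MAC (replaced or spoofed device)
    """
    configured_ips = {a.ip for a in assets if a.ip}
    return {
        "confirmed": sorted(a.name for a in assets if a.ip in observed),
        "config_only": sorted(a.name for a in assets if a.ip not in observed),
        "network_only": sorted(ip for ip in observed if ip not in configured_ips),
        "mac_mismatch": sorted(a.name for a in assets
                               if a.ip in observed and a.mac and observed[a.ip] != a.mac),
    }


def firmware_drift(assets: list[Asset]) -> dict[str, list[str]]:
    """Models running more than one firmware version: baseline context only configuration gives."""
    versions: dict[str, set[str]] = defaultdict(set)
    for a in assets:
        versions[a.model].add(a.firmware)
    return {m: sorted(v) for m, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    inventory = parse_config_export(CONFIG_EXPORT)
    buckets = reconcile(inventory, parse_passive_observations(PASSIVE_OBSERVATIONS))
    for bucket, names in buckets.items():
        print(f"{bucket:13s} {names}")
    print("firmware drift", firmware_drift(inventory))
```

Run stand-alone, the sample puts the two I/O modules, the idle PLC-102 and the safety controller SIS-01 in `config_only`, which is the gap a passive-only inventory leaves; 10.10.1.77 lands in `network_only` as a host with no configuration record, and HMI-01 is reported as a MAC mismatch because its configured address was seen with a different hardware address. `firmware_drift` shows the kind of baseline context the SANS quote refers to: the two CPU-5 controllers run different firmware, which no packet capture would tell you.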
While an OT asset inventory is foundational to OT cybersecurity, a comprehensive inventory does more than improve security. It can also improve operational reliability and profitability. For example, a comprehensive OT asset inventory allows engineers to:
- Recover operations more quickly in the event of a failure
- Identify assets requiring maintenance or replacement before they impact the process
- Reduce the risk of regulatory non-compliance
- Position the organization to better understand and manage cybersecurity risk
"One day of extra uptime might pay for the entire program."
Mark Bristow, SANS Analyst, ICS Asset Identification: It’s More Than Just Security, June 2020
For a more in-depth look at OT/ICS asset inventory methods and the important role OT system configuration analysis plays in establishing a comprehensive OT asset inventory, download the ICS Asset Identification: It’s More Than Just Security whitepaper from SANS, complimentary from PAS.