“The big problems are where people don’t realize they have one in the first place.”
– Edward Deming
Deming’s observation seems obvious enough. When you apply this to ICS cybersecurity, what are the “big problems” that companies don’t realize? In the power, petrochemical, and oil & gas industries, the stakes are high. These big problems – especially ones unrealized – can lead to lost production, safety risks, or worse.
For many companies today, an incomplete or outdated cyber asset inventory represents the biggest problem or blind spot in ICS cybersecurity. A comprehensive cyber inventory is foundational to tackling the bigger challenges of good ICS cybersecurity. How can you catch unauthorized changes to control assets if you have not yet identified those assets and are not monitoring them?
As an example, many companies gather configuration data for Microsoft Windows® and network devices, which are easily interrogated via WMI or SNMP. While a good start, this approach captures only a small part of the proprietary control network (PCN) data that matters. It is missing information on controllers, I/O cards, firmware, ladder logic, and much more – roughly 80 percent of the needed inventory data, in fact. Reaching this data and manipulating it is the end goal of an attacker who wants to affect the process, and it is also where inadvertent engineering changes can go unnoticed.
So, we know where the big problem is, which is half the battle. Now, what do we do about it? Here are three top considerations when developing or improving an inventory management approach to the PCN layer:
- Manual versus Automated: Many plants start with a manual inventory tracked in a Microsoft Excel® spreadsheet. This may satisfy a regulatory requirement, but it is a weak basis for cybersecurity. Manually gathered inventory data has specific challenges, including data entry errors, incomplete records, and staleness over time. Automating inventory gathering and updates – particularly for the high value/high risk assets such as SIS and DCS – provides the information needed for cybersecurity monitoring and analysis, keeps it up to date, and makes it more accurate.
- Network and Proprietary: An attack can alter configuration parameters. These changes can be difficult to detect due to the proprietary and complex nature of the data – a problem exacerbated by the heterogeneous nature of the systems within a PCN. For instance, configuration data pulled from an SIS must include the entire control strategy, customer programs/templates, standard programs/templates, and more. Without this data, an operator would never know that a malicious attack altered these parameters and consequently compromised plant safety.
- Real or Near-Real Time: Not all configuration data changes at the same rate. Understanding how often each asset's configuration changes helps with tradeoffs in how often data is collected. The more critical an asset and the more often its configuration changes, the more frequently its inventory should be refreshed; for the most critical assets that can mean daily updates.
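To make the three considerations concrete, here is an added example in Python; it is not code from the original article or from any vendor's inventory product. It keeps an approved baseline of proprietary PCN fields (firmware, logic checksum, I/O cards, control strategy), fingerprints them, and diffs an automatically collected snapshot against the baseline to flag missing, unknown, and changed assets, with a per-asset refresh interval driven by class and criticality. Every asset ID, field name, value, and refresh interval below is constructed for illustration; real data would come from the vendor's engineering tools or a collector that can read the controllers.

```python
import hashlib
import json
from typing import Dict, List

# Assumed refresh intervals in hours by (asset class, criticality):
# critical, frequently changing assets daily, low-risk workstations weekly.
POLL_HOURS = {
    ("SIS", "high"): 24,
    ("DCS", "high"): 24,
    ("PLC", "medium"): 72,
    ("HMI", "low"): 168,
}
DEFAULT_POLL_HOURS = 168

# The proprietary fields a WMI/SNMP-only inventory never sees (assumed names).
CONFIG_FIELDS = ("firmware", "logic_hash", "io_cards", "control_strategy")


def config_fingerprint(asset: dict) -> str:
    """SHA-256 over the canonical JSON of the proprietary config fields only."""
    subset = {k: asset.get(k) for k in CONFIG_FIELDS}
    canon = json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def diff_inventory(baseline: Dict[str, dict], observed: Dict[str, dict]) -> List[dict]:
    """Compare an observed snapshot against the approved baseline.

    Returns one finding per missing, unknown, or changed asset. A 'changed'
    finding lists the exact fields that differ so an engineer can decide
    whether it was an approved change or something to investigate.
    """
    findings = []
    for asset_id, base in baseline.items():
        cur = observed.get(asset_id)
        if cur is None:
            findings.append({"asset": asset_id, "type": "missing"})
            continue
        if config_fingerprint(base) != config_fingerprint(cur):
            changed = [f for f in CONFIG_FIELDS if base.get(f) != cur.get(f)]
            findings.append({
                "asset": asset_id,
                "type": "changed",
                "fields": changed,
                "criticality": base.get("criticality", "low"),
            })
    # Devices that appeared on the network but are not in the baseline.
    for asset_id in observed.keys() - baseline.keys():
        findings.append({"asset": asset_id, "type": "unknown"})
    return sorted(findings, key=lambda f: f["asset"])


def refresh_due(asset: dict, hours_since_last: float) -> bool:
    """True when this asset's inventory is older than its assumed interval."""
    interval = POLL_HOURS.get((asset["class"], asset["criticality"]), DEFAULT_POLL_HOURS)
    return hours_since_last >= interval


# Constructed baseline (approved state) and a constructed observed snapshot.
BASELINE = {
    "SIS-01": {"class": "SIS", "criticality": "high", "firmware": "4.2.1",
               "logic_hash": "a1b2c3", "io_cards": ["AI-8", "DO-16"],
               "control_strategy": "ESD_rev7"},
    "PLC-12": {"class": "PLC", "criticality": "medium", "firmware": "20.011",
               "logic_hash": "77ee", "io_cards": ["DI-32"],
               "control_strategy": "pumps_rev3"},
    "HMI-03": {"class": "HMI", "criticality": "low", "firmware": "n/a",
               "logic_hash": None, "io_cards": [], "control_strategy": None},
}
OBSERVED = {
    # Same SIS, but the control strategy revision changed with no record of it.
    "SIS-01": {"class": "SIS", "criticality": "high", "firmware": "4.2.1",
               "logic_hash": "a1b2c3", "io_cards": ["AI-8", "DO-16"],
               "control_strategy": "ESD_rev8"},
    "PLC-12": dict(BASELINE["PLC-12"]),           # unchanged
    "PLC-99": {"class": "PLC", "criticality": "medium", "firmware": "20.011",
               "logic_hash": "0000", "io_cards": [], "control_strategy": None},
    # HMI-03 did not answer: missing from the snapshot.
}

if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, OBSERVED):
        print(finding)
    print("SIS-01 due for refresh after 24h:", refresh_due(BASELINE["SIS-01"], 24))
```

The diff deliberately fingerprints only the proprietary fields, so noise from fields that legitimately change often (uptime, counters) never masks a strategy or logic change; a missing asset is reported as loudly as a changed one, because a controller that stops answering the collector is also a change worth a look.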
When inventory is done right and sufficient proprietary control system data is at your fingertips, Deming gets quoted less and is replaced by a more fitting line from the late, great baseball icon.
“You can observe a lot by just watching.”
– Yogi Berra
When it comes to ICS cybersecurity, what are your big problems?