By Walt Boyes
Now that you’ve torn out your hair, banged your head on your desk, and asked your boss to find somebody else to run OT asset management, and he said no, you find you’re stuck with it. Now you really have to figure out how to run an accurate real-time asset inventory.
You’ve figured out that the tools you’ve been trying to use (spreadsheets, databases, other tools) are worse than useless. They just don’t provide context.
If all you have is a list of IP addresses, model names, and numbers, and maybe physical data, you don’t have enough to identify an asset, track it, and maintain it.
I’ve already talked about the legacy OT Asset Inventory tools, like Excel and other spreadsheets, or Industrial Control System (ICS) Detection products.
We know that ICS Detection products are primarily designed to protect cybersecurity assets, not all assets. The basic workflow is manual and isn’t automated, which translates to increased hours and money spent. ICS detection is passive and doesn’t provide real identity. Sniffing IP addresses is worth nothing in Operations Technology (OT) because there are often many duplicates. And the biggest problem: fieldbus devices are not covered at all. EtherNet/IP, Profibus, Profinet, ControlNet, DeviceNet, SERCOS, and others are simply not covered in traditional ICS Detection products. There is no network data either.
Of course, you can always buy a proprietary Asset Management Product. All the larger control system vendors have them, and they work extremely well on the vendor’s own products and networks.
That’s the issue, in a nutshell. They work with the automation vendor’s own product line. Some vendors will tell you that you can use other products and manually enter them into the proprietary database, but you never have time to do that. If you have more than one vendor’s products in the plant, a proprietary system isn’t enough.
They also don’t include PCs, network switches, and other devices. As far as a proprietary asset management system sees it, those devices don’t exist. There are more limits to the proprietary systems. If you use one, you’ll find out.
You see, it isn’t about the hardware, or the firmware, or even the software on your OT devices and control systems. It is about data, contextualized data. The most important thing you need to be able to see is CONTEXT!
Context (metadata) is what makes technical data meaningful in a use case. Without a detailed and contextualized OT asset inventory, the use cases are flawed. Without precise configuration data you can’t do vulnerability management, OT obsolescence management, or workflow automation.
With data, you can locate all your devices, identify the networks they belong to, make sure they comply with configuration profiles, and keep your device data accurate and reliable.
Technical data comes in two types: device data and network data. You need to have all the information you can get about each device, not just serial numbers. You need the technical data on the device itself, and how it connects to your OT network. Some OT asset management solutions provide the bare minimum of data. You might know that you have a device, but you can’t do anything with the data. Another shiny flat spot on your forehead.
Network context is critical, too. You may have the IP and MAC addresses, but unless you have context, you don’t know what you have. Many OT environments have hundreds of private networks sharing the same network address. If you don’t know which network an endpoint device belongs to, the IP address doesn’t help you much. Another context you must have is location. Where is the device physically? You will want to use geolocation going forward. It helps to know which sites are plagued with cyber vulnerabilities or which sites have the most obsolete equipment.
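To make the point about context concrete, here is an added example (not code from the original article or from any product it mentions) of an inventory that keys every device on its own identity (vendor, model, serial) and stores network and physical context alongside it. The sample devices, sites and network names are constructed; three different devices all legitimately answer to 192.168.1.10, which is exactly the situation where an IP-only list fails and a site-plus-network lookup does not.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkContext:
    """Where a device sits on the network. The site and the named OT network
    give the IP its meaning, because the same private IP recurs across networks."""
    site: str      # physical site, e.g. "Plant A" (constructed sample value)
    network: str   # named OT network or segment, e.g. "Line1-Ctrl"
    ip: str
    mac: str


@dataclass
class Asset:
    """Device data (what the thing is) plus its network and physical context."""
    vendor: str
    model: str
    serial: str
    firmware: str
    location: str                        # physical location inside the site
    contexts: List[NetworkContext] = field(default_factory=list)

    @property
    def identity(self) -> Tuple[str, str, str]:
        # Identity comes from the device itself, never from an IP address.
        return (self.vendor, self.model, self.serial)


class Inventory:
    def __init__(self) -> None:
        self._by_identity: Dict[Tuple[str, str, str], Asset] = {}

    def add(self, asset: Asset) -> None:
        existing = self._by_identity.get(asset.identity)
        if existing is None:
            self._by_identity[asset.identity] = asset
        else:
            # Same physical device seen again (e.g. on a second interface):
            # merge the new context instead of creating a duplicate record.
            existing.contexts.extend(asset.contexts)

    def count(self) -> int:
        return len(self._by_identity)

    def find_by_ip(self, ip: str) -> List[Asset]:
        """IP alone is ambiguous: this can legitimately return several devices."""
        return [a for a in self._by_identity.values()
                if any(c.ip == ip for c in a.contexts)]

    def find(self, site: str, network: str, ip: str) -> Optional[Asset]:
        """With site and network as context, the IP identifies one device."""
        for asset in self._by_identity.values():
            for c in asset.contexts:
                if (c.site, c.network, c.ip) == (site, network, ip):
                    return asset
        return None

    def duplicate_ips(self) -> Dict[str, List[Tuple[str, str]]]:
        """IPs that appear in more than one (site, network) pair."""
        seen: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for asset in self._by_identity.values():
            for c in asset.contexts:
                seen[c.ip].append((c.site, c.network))
        return {ip: nets for ip, nets in seen.items() if len(nets) > 1}


def build_sample_inventory() -> Inventory:
    """Constructed sample data: three devices that all use 192.168.1.10."""
    inv = Inventory()
    inv.add(Asset("VendorX", "PLC-100", "SN-0001", "2.1.0", "Cabinet 3, Line 1",
                  [NetworkContext("Plant A", "Line1-Ctrl", "192.168.1.10", "00:11:22:33:44:01")]))
    inv.add(Asset("VendorX", "PLC-100", "SN-0002", "2.1.0", "Cabinet 7, Line 2",
                  [NetworkContext("Plant A", "Line2-Ctrl", "192.168.1.10", "00:11:22:33:44:02")]))
    inv.add(Asset("VendorY", "HMI-7", "SN-9001", "5.0.3", "Control room",
                  [NetworkContext("Plant B", "Line1-Ctrl", "192.168.1.10", "00:11:22:33:44:03")]))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print("devices answering to 192.168.1.10:", len(inventory.find_by_ip("192.168.1.10")))
    hit = inventory.find("Plant A", "Line2-Ctrl", "192.168.1.10")
    print("Plant A / Line2-Ctrl / 192.168.1.10 ->", hit.serial if hit else None)
    print("duplicate IPs:", inventory.duplicate_ips())
```

The design choice worth noticing is that `add` merges on device identity rather than on IP or MAC: a device with two interfaces becomes one record with two contexts, while two devices sharing a private IP on different lines stay two records. `duplicate_ips` is the check to run before trusting any IP-keyed tool's output.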
In a single plant situation, you can usually know where to find a device, but that isn’t enough for use cases like determining how critical the asset is to the process, how cyber critical it is, or how critical it is to business continuity.
Now we are talking about describing a functional system in context, a work cell, a machine line, or a treatment plant. You need to know the product lifecycle status of each OT asset; that’s how you deal with obsolete products.
I bet you thought we would never get to cybersecurity!
Once you have the exact technical product data, you know every single known vulnerability that is tied to a specific product version. Once the versions of your OT products are known, your OT asset management system will inform you about known cyber vulnerabilities.
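As an added example of the two use cases just described, lifecycle status per product and known vulnerabilities per exact product version, the following code (not from the original article, and not how OTbase or any vendor product implements it) matches inventory records against a constructed list of advisories and lifecycle dates. The advisory identifiers, vendors, products, versions and dates are all placeholders; the point is the mechanics: versions compare numerically rather than as strings, an advisory applies only within its affected range, and a product with no lifecycle data is reported as unknown rather than silently treated as fine.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10): compare numerically, so 2.10 sorts after 2.9.
    Trailing zeros are dropped so '2.1' and '2.1.0' compare equal.
    Non-numeric suffixes are ignored (a simplification for this example)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    """One product, one affected firmware range. Ids are placeholders, not CVEs."""
    advisory_id: str
    vendor: str
    product: str
    affected_from: str        # first affected version (inclusive)
    fixed_in: Optional[str]   # first fixed version (exclusive); None = no fix yet
    summary: str


@dataclass(frozen=True)
class Lifecycle:
    vendor: str
    product: str
    end_of_sale: date
    end_of_support: Optional[date]   # None = still supported


def advisory_applies(adv: Advisory, vendor: str, product: str, firmware: str) -> bool:
    """True when this exact product and firmware fall inside the advisory's range."""
    if (adv.vendor, adv.product) != (vendor, product):
        return False
    fw = parse_version(firmware)
    if fw < parse_version(adv.affected_from):
        return False
    if adv.fixed_in is not None and fw >= parse_version(adv.fixed_in):
        return False
    return True


def vulnerabilities_for(vendor: str, product: str, firmware: str,
                        advisories: List[Advisory]) -> List[str]:
    return [a.advisory_id for a in advisories
            if advisory_applies(a, vendor, product, firmware)]


def lifecycle_status(vendor: str, product: str,
                     lifecycles: List[Lifecycle], today: date) -> str:
    for lc in lifecycles:
        if (lc.vendor, lc.product) == (vendor, product):
            if lc.end_of_support is not None and today >= lc.end_of_support:
                return "end-of-support"
            if today >= lc.end_of_sale:
                return "end-of-sale"
            return "active"
    return "unknown"   # no lifecycle data is itself a finding, not a pass


# Constructed sample data (placeholder ids, vendors, versions and dates).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "VendorX", "PLC-100", "1.0", "2.2.0", "fixed in 2.2.0"),
    Advisory("ADV-EXAMPLE-002", "VendorX", "PLC-100", "2.0", None, "no fix released"),
    Advisory("ADV-EXAMPLE-003", "VendorY", "HMI-7", "4.0", "5.0.0", "fixed in 5.0.0"),
]
SAMPLE_LIFECYCLES = [
    Lifecycle("VendorX", "PLC-100", date(2020, 6, 30), date(2025, 12, 31)),
    Lifecycle("VendorY", "HMI-7", date(2030, 1, 1), None),
]
SAMPLE_ASSETS = [
    {"vendor": "VendorX", "model": "PLC-100", "serial": "SN-0001", "firmware": "2.1.0"},
    {"vendor": "VendorX", "model": "PLC-100", "serial": "SN-0002", "firmware": "2.2.0"},
    {"vendor": "VendorY", "model": "HMI-7", "serial": "SN-9001", "firmware": "5.0.3"},
    {"vendor": "VendorZ", "model": "Switch-24", "serial": "SN-7777", "firmware": "1.0"},
]


def report(assets=SAMPLE_ASSETS, advisories=SAMPLE_ADVISORIES,
           lifecycles=SAMPLE_LIFECYCLES, today: date = date(2024, 1, 1)) -> Dict[str, dict]:
    """Per serial number: applicable advisory ids and lifecycle status on `today`."""
    out: Dict[str, dict] = {}
    for a in assets:
        out[a["serial"]] = {
            "vulnerabilities": vulnerabilities_for(a["vendor"], a["model"], a["firmware"], advisories),
            "lifecycle": lifecycle_status(a["vendor"], a["model"], lifecycles, today),
        }
    return out


if __name__ == "__main__":
    for serial, row in report().items():
        print(serial, row)
```

Two things this makes visible that the prose only asserts: the two PLC-100 units differ by one firmware point release and get different vulnerability lists, and the VendorZ switch, which a proprietary PLC-vendor tool would not track at all, comes back with an empty advisory list and an unknown lifecycle, which is a data gap to chase rather than a clean result.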
Next time, we will talk about how OTbase knows how to do all these things.