By Walt Boyes
You can’t protect what you don’t know you have. OT Cybersecurity is directly linked to your asset inventory, as well as the control systems you are running. If you don’t know what you have in your plant, you cannot guard against vulnerabilities in your assets, hardware, firmware, and software. You are guessing. You are whistling in the dark. You are hoping nothing bad happens.
Of course, you can run around screaming and shouting every time a new vulnerability is discovered or publicized. That’s what the cybersecurity vendors want you to do. They get new clients by ratcheting up the FUD (Fear Uncertainty and Doubt) level in plant and enterprise management teams. You can do your best to install patch after patch, but it just doesn’t work to improve your security position. Why? Because you don’t know if the patch you just installed applies to any of the devices you actually have.
Ever since you were handed the responsibility of OT Asset Management and OT Cybersecurity, you have been collecting data on what it is that you actually have. You have some data on the devices, from managed network switches to sensors and actuators. But you don’t have all the data that you need on these devices. And neither do the cybersecurity vendors, who want to sell you detection tools and software.
Often attributed to Albert Einstein, “the definition of insanity is doing the same thing over and over and expecting different results.” Maybe what you need is to flip what you’re doing on its head and come at the problem of CVEs (Common Vulnerabilities and Exposures) from a completely different angle. Instead of patching for all CVEs that are reported, it is much easier to develop a highly detailed asset inventory and only deal with the CVEs that belong to the devices you actually have. Every known vulnerability is directly tied to a specific device and product version. If you don’t have that device, or the product version and firmware are different, you don’t have to worry about the vulnerability, no matter how scary the potential of the vulnerability is.
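The matching step described above, as an added example that is not part of the original article or of any vendor's product: an inventory is checked against advisories by vendor, product and firmware range, so only advisories for devices you actually have come back. The asset and advisory records, the version normalisation and the CVE-style ids (placeholders, not real CVE numbers) are all constructed for this example; note that an asset with unknown firmware is flagged rather than dismissed, since an incomplete inventory cannot rule an advisory out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str  # version string the device reports, "" if unknown

@dataclass(frozen=True)
class Advisory:
    cve: str  # ids in the sample data below are placeholders, not real CVE numbers
    vendor: str
    product: str
    first_affected: str  # inclusive lower bound of the affected range
    first_fixed: str = ""  # exclusive upper bound; "" means no fixed version yet

def version_key(v: str) -> tuple:
    """Normalise '2.3.1', 'V2.3' or '2.3.1b' to a 4-tuple of ints so ranges compare correctly."""
    nums = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.strip().lstrip("vV").split(".")]
    return tuple((nums + [0, 0, 0, 0])[:4])

def advisory_applies(asset: Asset, adv: Advisory) -> bool:
    """True if the advisory covers this asset's vendor, product and firmware version."""
    if (asset.vendor.lower(), asset.product.lower()) != (adv.vendor.lower(), adv.product.lower()):
        return False
    if not asset.firmware:
        return True  # unknown firmware cannot rule the advisory out; flag it for follow-up
    fw = version_key(asset.firmware)
    if fw < version_key(adv.first_affected):
        return False
    return not adv.first_fixed or fw < version_key(adv.first_fixed)

def relevant_advisories(inventory, advisories) -> dict:
    """Map each asset name to the advisory ids that actually apply to it; assets with none are omitted."""
    hits = {a.name: [adv.cve for adv in advisories if advisory_applies(a, adv)] for a in inventory}
    return {name: cves for name, cves in hits.items() if cves}

# Constructed sample inventory and advisories (not real devices or CVEs).
INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "PLC-1000", "2.3.1"),
    Asset("PLC-02", "ExampleVendor", "PLC-1000", "V2.5.0"),
    Asset("PLC-03", "ExampleVendor", "PLC-1000", ""),
    Asset("SW-01", "ExampleVendor", "Switch-20", "1.0.4"),
]
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "ExampleVendor", "PLC-1000", "2.0", "2.4.0"),
    Advisory("CVE-XXXX-0002", "ExampleVendor", "PLC-1000", "1.0"),
    Advisory("CVE-XXXX-0003", "ExampleVendor", "RTU-5", "1.0"),
]
```

Running `relevant_advisories(INVENTORY, ADVISORIES)` on the sample data drops the switch and the RTU advisory entirely, clears PLC-02 of the fixed issue, and flags PLC-03 only because its firmware was never recorded.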
You have to have a complete and thorough evergreen listing of the technical details of each of your assets. You can’t do that manually, as you’ve already found out. The as-builts don’t have accurate information. The database or spreadsheet-based inventories don’t have enough information and may also be inaccurate. Any manual record-keeping will be inaccurate because it must be updated manually. The level of detail in a manual database or spreadsheet will be sparse as well.
Here’s the hard part to get over—you need active discovery to keep your asset database evergreen. The cybersecurity vendors will tell you that active discovery is terrible and dangerous and can crash industrial control systems easily. It doesn’t have to work that way. If you probe your OT devices, including network switches, routers, PCs, PLCs, sensors, actuators, and barcode readers, but you do it using legitimate credentials and protocols, your control systems don’t crash. What you are doing is a legitimate function of the protocols you are using. Every protocol in the OT space can query metadata ranging from product identity, through firmware version, to layer 2 connectivity.
The other important thing is to decentralize your discovery rather than run it from a centralized server. Discovery then works alongside your control system, actively probing with legitimate industrial protocols such as EtherNet/IP, Modbus, DeviceNet, Profibus, and so forth.
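As an added example of the kind of legitimate protocol query meant above (written for this page, not code from the original article or from OTbase), here is the Modbus/TCP "Read Device Identification" exchange: a request builder and a response parser that pull vendor, product code and firmware revision out of a reply, run offline against a constructed device reply. Object names follow the Modbus application protocol specification; sending the frame to a device's TCP port 502 and choosing its unit id are left to the caller.

```python
import struct

# Modbus function 0x2B with MEI type 0x0E is "Read Device Identification": a read-only
# request that returns vendor, product code and firmware revision without touching I/O.
FC_ENCAPSULATED, MEI_DEVICE_ID = 0x2B, 0x0E
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}

def build_request(transaction_id: int, unit_id: int = 1, read_code: int = 0x01) -> bytes:
    """Modbus/TCP frame asking for the basic identification objects (read code 1)."""
    pdu = bytes([FC_ENCAPSULATED, MEI_DEVICE_ID, read_code, 0x00])  # start at object id 0
    # MBAP header: transaction id, protocol id 0, byte count (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_response(frame: bytes) -> dict:
    """Decode the identification objects from a Modbus/TCP response frame."""
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if protocol_id != 0 or len(pdu) < 2:
        raise ValueError("malformed Modbus/TCP frame")
    if pdu[0] & 0x80:  # exception response: function code with high bit set, exception code last
        raise ValueError(f"device returned Modbus exception 0x{pdu[-1]:02x}")
    fc, mei, _read_code, _conformity, more_follows, next_object, count = pdu[:7]
    if fc != FC_ENCAPSULATED or mei != MEI_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    objects, pos = {}, 7
    for _ in range(count):
        object_id, object_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + object_len].decode("ascii", errors="replace")
        objects[OBJECT_NAMES.get(object_id, f"Object{object_id:#04x}")] = value
        pos += 2 + object_len
    # more_follows == 0xFF means the device holds more objects; re-request from next_object
    return {"unit_id": unit_id, "more_follows": more_follows == 0xFF,
            "next_object": next_object, "objects": objects}

def make_sample_response(transaction_id: int, unit_id: int, objects: dict) -> bytes:
    """Constructed device reply used as an offline fixture; not a capture from a real PLC."""
    body = b"".join(bytes([oid, len(val)]) + val.encode("ascii") for oid, val in objects.items())
    pdu = bytes([FC_ENCAPSULATED, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

SAMPLE_REPLY = make_sample_response(7, 1, {0x00: "ExampleVendor", 0x01: "PLC-1000", 0x02: "V2.3.1"})
```

The three decoded objects (vendor, product code, revision) are exactly the fields an advisory match needs, which is why an inventory built this way stays usable for vulnerability triage.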
It is important to use a distinct two-tier architecture, with one central server that does not do any discovery on its own. In the OTbase Discovery software, for example, discovery itself is done by standalone components deployed in a decentralized manner. This is important, too, because a decentralized architecture carries very little risk when it comes to asset discovery. Unlike centralized discovery, it doesn’t carry access credentials, and you can locate it behind a security wall.
So now we have a realistic approach to asset management that removes the inaccuracies and inefficiencies of manual-entry databases and spreadsheets. It also removes the fire drill of trying to patch for every CVE that comes down the path because one of your assets might be vulnerable. You can relax because you are handling both asset management and security in a much more straightforward manner, logically and coherently, with a detailed plan.
Now, sometimes you may need to add OT assets manually to your inventory, so a well-designed OT asset inventory manager must also have manual addition capability. You might need to add a device that can’t be discovered because it is on an isolated network that can’t be routed into, or it is a standalone device, or a device that is connected by a serial point-to-point link. So your asset management software must have the ability to add and maintain device details manually. If you already have asset data that you believe is accurate and it is in some digital format, you need to have the ability to import this data. You might be talking about thousands of devices that are in spreadsheet tables.
If you think that this is a much more logical and straightforward way to handle asset management and vulnerability control, you might want to talk to the people at OTbase for answers to your specific needs.
